Over the last 2 months, we have released two new versions of Cilium:
This is a brief recap of some of the functionality that has been added that we believe is noteworthy. A lot of additional work has gone into these releases, in particular a heavily improved CI system and a lot of bug fixes. Thanks everyone for providing very valuable feedback and bug reports! For the full list of changes, please refer to the Release Notes, linked above.
With the release of v0.10, we have expanded our Kubernetes integration as well as included several new features around network policy and simplicity for users.
- CIDR-based network policy for ingress & egress: this allows containers to be locked down with IP-based filtering. Controlling access to and from external services/endpoints limits the ability of a compromised container to exfiltrate data. Documentation and examples can be found here: http://docs.cilium.io/en/stable/policy/#layer-3-ip-cidr-based.
- We’ve expanded our Kubernetes capabilities by allowing policies to be applied and enforced between ports/pods in different namespaces. The standard Kubernetes NetworkPolicy resource allows either selected pods in the same namespace or an entire different namespace to consume the pods specified in the policy. CiliumNetworkPolicy allows a more specific policy where pod X can be consumed from pod Z in namespace Y.
- The Kubernetes CiliumNetworkPolicy resource has been updated to support multiple rules in a single import (relevant for Kubernetes < 1.7). This is useful if multiple rules need to be applied in a single transaction.
- We have introduced a simplified overlay mode that uses Kubernetes node resources to automatically build a mesh of encapsulation tunnels without any further configuration required. You can find more information here: http://docs.cilium.io/en/stable/concepts/#overlay-network-mode.
- Automatic NAT rule when accessing external networks. This step previously had to be performed manually and is now done automatically. This behaviour can be disabled by running cilium-agent with the optional field
- Support for arbitrary cluster address prefix sizes. The cluster address block is the subnet from which all network endpoints in the cluster are allocated. Previously, Cilium required a fixed /8 prefix to be configured.
In Cilium release v0.11, we have included support for the latest features in Kubernetes 1.7, enhanced tools for tracing and statuses, and provided L7 policy examples in our Mesos Getting Started Guide (www.cilium.io/try-mesos).
- CRD Support: with the deprecation of the ThirdPartyResource (TPR) in Kubernetes 1.8 and the introduction of the CustomResourceDefinition (CRD), only Kubernetes 1.7.x supports TPRs and CRDs independently. Starting in Cilium v0.11, the CiliumNetworkPolicy supports CRDs. Please note: parallel usage of CRDs and TPRs leads to unexpected behaviour and is not supported (https://github.com/kubernetes/kubernetes/issues/49424). See cilium.link/migrate-tpr for more details on migrating from TPR to CRD. In order to avoid confusion and to avoid accidentally using TPR and CRD in parallel, we have limited the use of TPR to resource version cilium.io/v1 and CRD to resource version cilium.io/v2. Upgrade your CiliumNetworkPolicy resources to cilium.io/v2 in order to use CRD. Keep them at cilium.io/v1 to stay on TPR (more details here: http://cilium.readthedocs.io/en/stable/install/#migrating-cilium-tpr-to-crd).
- Enhancements have been made to Cilium policy tracing to include traces based on security identities, endpoint IDs and Kubernetes YAML resources, such as pod names.
- Furthermore, the Kubernetes CiliumNetworkPolicy resource has a policy enforcement status with relevant information per node that can be viewed via kubectl get ciliumnetworkpolicies -o json.
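As an added example (not from the release notes or the Cilium repository), the following cilium.io/v2 CiliumNetworkPolicy combines the rule types described above in one object: a cross-namespace ingress rule and a CIDR-based egress rule, imported together as multiple rules via specs. The namespace names, labels, port and CIDR are constructed placeholders.

```yaml
# Added example, not part of the Cilium release notes. One CRD-backed
# (cilium.io/v2) CiliumNetworkPolicy carrying two rules via "specs", the
# multi-rule form mentioned for v0.10. Namespaces, labels, port and CIDR
# are constructed placeholders.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: backend-lockdown
  namespace: prod            # namespace of the pods this policy selects
specs:
  # Rule 1: cross-namespace ingress. Only app=frontend pods living in the
  # "edge" namespace may reach app=backend pods in "prod", and only on
  # TCP/8080. Plain Kubernetes NetworkPolicy could only admit pods of the
  # same namespace or a whole other namespace; here pod X (backend) is
  # consumed by pod Z (frontend) in namespace Y (edge).
  - endpointSelector:
      matchLabels:
        app: backend
    ingress:
      - fromEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": edge
              app: frontend
        toPorts:
          - ports:
              - port: "8080"
                protocol: TCP
  # Rule 2: CIDR-based egress. The same backend pods may only initiate
  # connections to the (constructed) partner range 203.0.113.0/24. Once an
  # egress rule selects an endpoint, every other egress flow from it,
  # including in-cluster traffic such as DNS, is denied unless another
  # rule allows it; this is what limits exfiltration from a compromised
  # container, so allow the in-cluster dependencies explicitly if needed.
  - endpointSelector:
      matchLabels:
        app: backend
    egress:
      - toCIDR:
          - 203.0.113.0/24
```

After applying it with kubectl, the per-node enforcement status described above can be checked with kubectl get ciliumnetworkpolicies -o json.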
In Cilium v0.10, we implemented the CNI 0.2.x specification to enable Mesos integration. In Cilium v0.11, we provided L7 policy examples in our Mesos Getting Started Guide.
If you’re using Mesos and want to try out Cilium L7 policy enforcement, try our Getting Started Guide (www.cilium.io/try-mesos) for a quick intro to our functionality in a self-contained Mesos environment. All you need is somewhere to install a Vagrant VM and we help you get set up with the rest!
As always, we’re here to help with any questions on Cilium Slack, or file any issues for the project on GitHub. You can tweet to us @ciliumproject and follow us on Twitter for more updates. Stay tuned for upcoming blogs on XDP and our Troubleshooting series!
~ The Cilium Team