Learn about Cilium with interactive courses

Deep dive into Cilium and its features with labs provided by companies within the Cilium ecosystem

Cilium LoadBalancer IPAM and L2 Service Announcement
Networking | From Isovalent

In Cilium 1.13, we introduced support for LoadBalancer IP Address Management (LB-IPAM) and the ability to allocate IP addresses to Kubernetes Services of the type LoadBalancer. Cloud providers natively provide this feature for managed Kubernetes Services, so this feature is mainly for self-managed Kubernetes deployments or home labs. LB-IPAM works seamlessly with Cilium BGP: the IP addresses allocated by Cilium can be advertised to BGP peers to integrate your cluster with the rest of your network. For users who do not want to use BGP or who just want to make these IP addresses accessible over the local network, we are introducing a new feature called L2 Announcements in Cilium 1.14. When you deploy an L2 Announcement Policy, Cilium will start responding to ARP requests from local clients for ExternalIPs and/or LoadBalancer IPs. Typically, this would have required a tool like MetalLB, but Cilium now natively supports this functionality. Try it in this new lab!

Cilium Transparent Encryption with IPSec and WireGuard
Security | From Isovalent

Encryption is required for many compliance frameworks. Kubernetes doesn’t natively offer pod-to-pod encryption. To offer encryption capabilities, it’s often required to implement it directly into your applications or deploy a Service Mesh. Both options add complexity and operational headaches. Cilium actually provides two options to encrypt traffic between Cilium-managed endpoints: IPsec and WireGuard. In this lab, you will be installing and testing both features and will get to experience how easy it is to encrypt data in transit with Cilium.

Getting Started with Cilium
Getting Started | From Isovalent

Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration. In this track, we provide you with a fully fledged Cilium installation on a small cluster, together with a few challenges to solve. See for yourself how Cilium works, and how it can help you secure your moon-sized battlestation in a “Star Wars”-inspired challenge.

Getting Started with Tetragon
Getting Started | From Isovalent

Security Observability is a new paradigm that utilizes eBPF, a Linux kernel technology, to allow Security and DevOps teams, SREs, Cloud Engineers, and Solution Architects to gain real-time visibility into Kubernetes and help secure their production environments with Tetragon. Tetragon is an open source Security Observability and Runtime Enforcement tool from the makers of Cilium. It captures different process and network event types through a user-supplied configuration to enable security observability on arbitrary hook points in the kernel, then translates these events into actionable signals for a Security Team. The best way to learn about Security Observability and Cilium Tetragon is to read the book “Security Observability with eBPF” by Jed Salazar and Natalia Reka Ivanko. And the best way to have your first experience with Tetragon is to walk through this lab, which takes the Real World Attack example out of the book and teaches you how to detect a container escape step by step!

Golden Signals with Hubble and Grafana
Observability | From Isovalent

One of the most important things when running applications in an environment like Kubernetes is to have good observability and deep insights. However, for many organizations it can be challenging to update existing applications to provide the observability you need. With Cilium, you can use the Hubble Layer 7 visibility functionality to get Prometheus metrics for your application without having to modify it at all. In this lab you will learn how Cilium can provide metrics for an existing application with and without tracing functionality, and how you can use Grafana dashboards provided by Cilium to gain insight into how your application is behaving.

Introduction to Cilium
Getting Started | From Linux Foundation

Get a practical introduction to using Cilium as the networking plug-in for Kubernetes, including installation, observability with Hubble, securing network connections, and multi-cluster support - all based on eBPF for scalability, performance, and security.

Introduction to Cilium
Getting Started | From Solo.io

Cilium is open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary kernel technology eBPF.

L7 Load-Balancing with Kubernetes Services + Annotations
Networking | From Isovalent

Kubernetes does not natively support gRPC Load Balancing out of the box. Learn how to use Cilium’s embedded Envoy proxy to achieve load-balancing for L7 services, with a simple annotation.

Migrating From Calico
Networking | From Isovalent

Learn how to migrate your cluster from Calico to Cilium using the new Cilium CRD CiliumNodeConfig. It allows running clusters to be migrated on a node-by-node basis, without disrupting existing traffic or requiring a complete cluster outage or rebuild.

Migrating to Cilium
Networking | From Isovalent

Migrating to Cilium from another CNI is a very common task. But how do we minimize the impact during the migration? How do we ensure pods on the legacy CNI can still communicate with Cilium-managed pods during the migration? How do we execute the migration safely, while avoiding an overly complex approach or using a separate tool such as Multus? With the use of the new Cilium CRD CiliumNodeConfig, running clusters can be migrated on a node-by-node basis, without disrupting existing traffic or requiring a complete cluster outage or rebuild. In this lab, you will migrate your cluster from an existing CNI to Cilium. While we use Flannel in this simple lab, you can leverage the same approach for other CNIs.

Mutual Authentication with Cilium
Security | From Isovalent

Introduced in Cilium 1.14 is support for a much-requested feature: mutual authentication. From its inception, we looked at delivering an optimal effortless user experience to achieve mutual authentication. The result is simple: add 2 lines of YAML to your Cilium Network Policy, and that’s it – your workload communication is now secured with a mutual TLS handshake. Try it in this new Star Wars-inspired lab!

SCTP on Cilium
Networking | From Isovalent

SCTP (Stream Control Transmission Protocol) is a transport-layer protocol used for communication between applications. It is similar to TCP, but it provides additional features such as multi-homing and message fragmentation. Applications that require reliable, ordered delivery of data, but also need the ability to handle multiple streams of data simultaneously can use SCTP. SCTP is primarily used by service providers and mobile operators. While SCTP support for Kubernetes Services, Endpoint and NetworkPolicy was introduced in Kubernetes 1.12, you still need a CNI to support it. Good news: basic support for SCTP was introduced in Cilium 1.13!

Want to add your lab to the list? Submit a PR here