Microservices-aware Security for Kubernetes on AWS

Cilium is open source software for transparently providing and securing the network and API connectivity between containers. It is deployed as a DaemonSet, so one Cilium agent runs on every worker node, and it works with both Amazon EKS and self-hosted Kubernetes clusters on AWS.

Open Source
Powered by BPF

Get Started with Cilium for Kubernetes on AWS

At the foundation of Cilium is a Linux kernel technology called BPF (today usually written eBPF), which enables the dynamic insertion of security, visibility, and networking control logic within the kernel itself. Besides providing traditional network-level (L3/L4) security, the flexibility of BPF enables security at the API and process level to secure communication between containers or pods. Because BPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

DNS-based control for AWS services
Access to AWS services such as S3, DynamoDB, and RDS can be controlled with DNS-based (FQDN) policies instead of hard-coding the large and changing AWS IP ranges. Cilium proxies the pods' DNS requests, tracks which IP addresses each allowed name resolves to, and enforces that only pods whose policy permits that name can reach those addresses.
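
The following CiliumNetworkPolicy is an added example written for this page, not a manifest from the Cilium project. It assumes a pod label `app: uploader` and the standard kube-dns/CoreDNS labels in `kube-system`; the S3 hostnames are the public service endpoints. The DNS rule is what makes the FQDN rule work: without it Cilium's DNS proxy never sees the lookups and has no IPs to allow.

```yaml
# Added example: egress policy that lets app=uploader pods reach Amazon S3
# by name and nothing else. Labels and names are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: uploader-egress-s3
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: uploader
  egress:
  # 1. Allow DNS to the cluster resolver and pass it through Cilium's DNS
  #    proxy (the rules.dns block), so Cilium records which IPs each
  #    permitted name resolves to for this pod.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # 2. Allow HTTPS only to S3 endpoint names. The IPs returned for these
  #    names are allowed for this pod; every other destination is dropped,
  #    because selecting the pod in an egress policy makes egress default-deny.
  - toFQDNs:
    - matchName: "s3.amazonaws.com"
    - matchPattern: "*.s3.amazonaws.com"
    - matchPattern: "s3.*.amazonaws.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Apply it with `kubectl apply -f` and check from a selected pod that an HTTPS request to an S3 endpoint succeeds while one to an unrelated host is dropped; `cilium monitor --type drop` on the node shows the denied flows. In a real deployment the policy also needs egress rules for the in-cluster services the pod depends on, since this one allows only DNS and S3.
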
API-Aware Policies for Granular Security
Cilium supports API-level access control for HTTP, Elasticsearch, Kafka, Cassandra, Memcached, and other common protocols. Parameters of the API calls, such as HTTP paths, HTTP verbs, and headers, can be used to provide granular access control, including for AWS services such as S3, DynamoDB, and ElastiCache. API-level rules apply to traffic Cilium's proxy can read in the clear; for TLS-encrypted connections this requires Cilium's TLS interception, otherwise enforcement for those connections remains at the DNS, L3, and L4 level.
Access Control for VPC Subnets
When pods need access to services running in other AWS VPCs or subnets, access can be restricted with CIDR (L3) and port (L4) based policies.
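
An added example (not from the Cilium project) of such a CIDR and port policy. The label `app: reporting`, the peer VPC range `10.20.0.0/16`, the excluded management subnet and the PostgreSQL port are constructed for illustration.

```yaml
# Added example: app=reporting pods may open PostgreSQL connections to a
# peered VPC, except to its management subnet. CIDRs and labels are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: reporting-egress-peer-vpc
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: reporting
  egress:
  - toCIDRSet:
    - cidr: 10.20.0.0/16      # peer VPC (constructed range)
      except:
      - 10.20.0.0/24          # carve out the peer's management subnet
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
```

`toCIDRSet` with `except` expresses "the whole VPC minus a subnet" in one rule; plain `toCIDR` would need the allowed ranges enumerated. CIDR rules are meant for destinations outside the cluster, such as EC2 instances or RDS endpoints in another VPC; for traffic between pods, label-based rules are the right tool, because pod IPs are not stable.
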
Identity-driven security
For communication within the cluster, Cilium uses Kubernetes labels to identify workloads and control how they interact. Because pod IPs and ports change frequently as services are rescheduled and scaled, identity-based enforcement is more stable and consistent than rules written against IP addresses.
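
The policy below is an added example, not a manifest from the Cilium project, and illustrates both the identity-driven and the API-aware points above: the selectors are Kubernetes labels (`app: orders-api`, `app: storefront`, `app: billing`, all assumed), so the rule survives pod rescheduling, and the HTTP rules restrict each caller to the verbs and paths it needs on the plaintext port 8080.

```yaml
# Added example: ingress policy for app=orders-api pods. Callers are
# identified by label, not IP; each caller gets only the HTTP calls it needs.
# All labels, paths and ports are assumptions for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-ingress
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: orders-api
  ingress:
  # storefront may read single orders and create new ones
  - fromEndpoints:
    - matchLabels:
        app: storefront
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/orders/[0-9]+"       # extended regex on the request path
        - method: "POST"
          path: "/v1/orders"
          headers:
          - 'Content-Type: application/json'
  # billing is read-only on the orders resource
  - fromEndpoints:
    - matchLabels:
        app: billing
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/v1/orders/.*"
```

Once a `rules.http` block is present, matching traffic is redirected through Cilium's L7 proxy, and requests that do not match any rule are answered with HTTP 403 rather than dropped at L4, which is visible in `cilium monitor` as an L7 verdict. Pods without the `storefront` or `billing` label cannot reach port 8080 at all.
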
Connect and Secure Multiple Kubernetes Clusters
Cilium Cluster Mesh connects multiple Kubernetes clusters on AWS and enables secure pod-to-pod and service communication across them, without requiring ingress controllers or load balancers between the clusters. Clusters in a mesh need non-overlapping pod CIDRs and IP connectivity between their nodes, for example through VPC peering.
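
An added example of how the mesh is used, not code from the Cilium project: a Service annotated as global so Cilium load-balances across its backends in every connected cluster, and a policy that admits only clients from a specific cluster, using the `io.cilium.k8s.policy.cluster` label Cilium attaches to every endpoint identity. The service name `inventory`, the labels and the cluster name `eu-west-1` (set when Cilium is installed) are assumptions. The annotation shown is the original `io.cilium/global-service`; newer releases also accept `service.cilium.io/global`.

```yaml
# Added example: a global service spanning the mesh, defined identically in
# each cluster. Names and labels are assumptions for illustration.
apiVersion: v1
kind: Service
metadata:
  name: inventory
  namespace: default
  annotations:
    io.cilium/global-service: "true"   # merge backends from all mesh clusters
spec:
  selector:
    app: inventory
  ports:
  - port: 80
    targetPort: 8080
---
# Ingress policy on inventory pods: accept only storefront pods that run in
# the cluster named "eu-west-1"; storefront pods elsewhere are denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: inventory-from-eu-storefront
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: inventory
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: storefront
        io.cilium.k8s.policy.cluster: eu-west-1
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

Without the `io.cilium.k8s.policy.cluster` label the `fromEndpoints` selector matches `app: storefront` in every cluster of the mesh, which is often what is wanted; adding it is how a policy distinguishes local from remote clients when that matters.
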