Cilium ๐: Kubernetes Network and Security enabler
What is Cilium?
Cilium is an open-source networking and security project designed for modern containerised applications, particularly in the context of orchestration platforms like Kubernetes. It focuses on providing enhanced networking features, security, and observability for microservices and container-based workloads, fueled by the revolutionary Kernel technology eBPF.
What is eBPF?
eBPF stands for "extended Berkeley Packet Filter." It's a powerful and flexible framework within the Linux kernel that allows for programmable and efficient packet filtering, tracing, and more. Originally designed as an extension to the traditional Berkeley Packet Filter (BPF), eBPF has evolved into a versatile and extensible technology that plays a crucial role in various aspects of systems and networking.
Traditionally, operating system has been a place to enforce security, implement observability and networking functionality due to the kernel's privileged ability to oversee and control the processes take place in the device/system. This makes the OS hard to innovate and restricted to growth. On the other hand, eBPF allows sandboxed programs to run within the operating system which change the formula fundamentally.
Today, eBPF is used extensively in wide variety of use cases such as providing high performance networking, impose fine-grained security to egress/ingress data at low overhead and load balancing.
Cilium โค๏ธ eBPF
Cilium and eBPF are closely related, with Cilium leveraging eBPF to enhance networking and security features for containerised environments. eBPF acts as the underlying technology that allows Cilium to provide programmable and efficient control over network and security aspects within the Linux kernel.
Cilium utilizes eBPF to implement many of its features. eBPF programs within Cilium are responsible for tasks like packet filtering, network visibility, and dynamic security enforcement.
Cilium in k8s
Cilium, an advanced open-source project, seamlessly integrates with Kubernetes, transforming the dynamics of networking and security. At its core, Cilium optimises pod-to-pod communication by implementing micro-segmentation, providing meticulous control over service communication and fortifying security at the pod level. This aligns with Kubernetes networking policies, establishing a robust and secure communication framework.
The integration with Kubernetes services enhances service communication through load balancing and dynamic service discovery, ensuring even traffic distribution and heightened system availability. Notably, Cilium's support for service mesh integration, including the popular Envoy proxy, empowers developers and operators with advanced traffic management, encryption, and observability features crucial for modern, cloud-native architectures.
Cilium's commitment to identity-aware security sets it apart by seamlessly integrating with Kubernetes service identity mechanisms. This extends security controls beyond traditional IP addresses, aligning with the principles of the zero-trust paradigm.
With dynamic policy enforcement, Cilium adapts security policies in real-time to changes in the Kubernetes environment, crucial in dynamic landscapes where containers and microservices scale dynamically across nodes. Observability is strengthened through Cilium's use of the extended Berkeley Packet Filter (eBPF), providing detailed insights into network activity and performance within the Kubernetes cluster.
Cilium's compatibility and scalability, seamlessly integrating with various Kubernetes networking models, make it a pivotal solution for orchestrating secure and efficient communication in the ever-evolving Kubernetes landscape.
Real case illustration
Assuming we have a k8s cluster hosting a frontend application consisting pods serving web traffic and a backend application pods handling backend operations. We want to ensure secure communication between them by enforce network policies to restrict access to specific services.
Frontend application
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
spec:
replicas: 2
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
containers:
- name: {{frontend_image}}
image: {{frontend_image}}:latest
ports:
- containerPort: 8080
Backend application
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
replicas: 2
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
spec:
containers:
- name: {{backend_image}}
image: {{backend_image}}:latest
ports:
- containerPort: 9090
Cillium network policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: frontend-backend-communication
spec:
endpointSelector:
matchLabels:
app: frontend
ingress:
- fromEndpoints:
matchLabels:
app: backend
toPorts:
- ports:
- port: 9090
protocol: TCP
As you can see above, we only allow frontend pods to communicate to backend pods over a specific port number.
Furthermore, we can also implement zero trust using Cilium
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: zero-trust
spec:
egress:
- toEndpoints:
- matchLabels:
name: secret-pods
ingress:
- fromEndpoints:
- matchLabels:
name: secret-pods
The above code snippet shows the network policy deny all inbound and outbound traffic expect specific set of pods with name secret-pods
Conclusion
Cilium's integration with Kubernetes reinforces the Zero Trust model by ensuring that trust is never assumed based on network location alone. Its micro-segmentation feature provides fine-grained control over communication, aligning with the principle of least privilege.
Support for service mesh and identity-aware security enhances verification measures, and dynamic policy enforcement adapts security controls in real-time, resonating with the continuous verification aspect of Zero Trust.
Cilium becomes a pivotal element in implementing Zero Trust within Kubernetes, fostering a security approach where trust is earned through explicit policies and continuous scrutiny.