Jay Taylor's notes


Cilium 1.0: Bringing the BPF Revolution to Kubernetes Networking and Security — Cilium

Original source (cilium.io)
Tags: linux iptables firewall bpf linux-kernel cilium.io
Clipped on: 2018-05-06
$ vim cilium.yaml [provide etcd or consul address]
$ kubectl create -f cilium.yaml
$ kubectl create -f demo_app.yaml
$ kubectl create -f http_policy.yaml
$ kubectl exec -ti xwing-68c6cb4b4b-red5 -- curl -s -XPUT deathstar/v1/exhaust-port
Access denied

The above example is a summary of the hands-on minikube tutorial, which walks through applying an HTTP-aware network policy step by step. More tutorials can be found in the getting started section.
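
An HTTP-aware policy of the kind that would produce the denial shown above, as an added example (it is not the tutorial's own http_policy.yaml and not part of the original post). The policy name, the `class` labels on both pods and the allowed `POST /v1/request-landing` route are assumptions made for illustration.

```yaml
# Added example: a CiliumNetworkPolicy that admits one HTTP call and rejects the rest.
# Assumed names: policy name, pod labels, and the allowed route are illustrative.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "deathstar-http-allowlist"     # assumed name
spec:
  # Pods this policy protects (assumed label on the deathstar pods).
  endpointSelector:
    matchLabels:
      class: deathstar
  ingress:
  # L3/L4: only pods carrying this label may connect at all (assumed label on xwing).
  # Selection is by label-derived identity, not by pod IP address.
  - fromEndpoints:
    - matchLabels:
        class: xwing
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7: once an http rule is present, port 80 traffic from the selected peers
      # is parsed as HTTP and only requests matching a rule are forwarded.
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"  # assumed allowed route
        # No rule matches PUT /v1/exhaust-port, so that request is answered
        # with "Access denied" instead of reaching the deathstar service.
```

Because the client is admitted at L3/L4 and rejected only at the HTTP layer, the caller sees an explicit "Access denied" response rather than a dropped connection. Peers that match no `fromEndpoints` selector never reach the HTTP check at all.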

For further information on installing Cilium, see the Kubernetes Quick Installation Guide or refer to the full list of installation guides.

The Roadmap Ahead

Cilium 1.0 is an exciting milestone for all of us but we are already deep into the planning of Cilium 1.1. So what is on the roadmap for 1.1 and beyond?

  • Multi Cluster Service Routing: The simplicity of Cilium’s networking model and the decoupling of addressing and policy allow for easy expansion across clusters. With this expansion, Cilium will start supporting Kubernetes service routing across multiple clusters without requiring complex proxy or Ingress solutions, while providing the full set of identity-based and API-aware security.

  • Integration with OpenTracing, Jaeger and Zipkin: The minimal overhead of BPF makes it the ideal technology to provide tracing and telemetry functionality without imposing additional system load.

  • Policy support for additional API protocols: We already have several additional application protocols in mind that we will support in future releases to further improve security.

  • CRI support: Repeatedly requested by various members of the community, we are looking forward to supporting CRI to properly abstract the container runtime.

  • Non container workloads: The BPF datapath is not limited to container abstractions; it just happened to be the first use case we focused on. Future versions will provide APIs and documentation on how to integrate with native Linux tasks and VMs, and on how to bridge the identity-based security space to existing worlds using IP addresses that cannot be migrated.

You can find the details of the 1.1 release planning in this GitHub issue. Feel free to comment or open GitHub issues if you would like to see particular functionality in future Cilium releases.
