MR
Uploaded byMichal Rostecki
768 views

Kubernetes Networking with Cilium - Deep Dive

The document discusses Kubernetes networking using Cilium, a CNI plugin that leverages BPF to enhance network performance and security. It covers various filtering methods such as L3 and L4, as well as features like cluster mesh and multi-cluster support, and highlights the advantages of Cilium over traditional iptables, including improvements in Istio performance. Additionally, it outlines specific use cases and configurations for routing and policy enforcement within Kubernetes environments.

Embed presentation

Downloaded 43 times
Kubernetes Networking with Cilium Deep Dive Michal Rostecki Software Engineer mrostecki@suse.de mrostecki@opensuse.org
22 BPF
3 What is BPF?
4 Linux network has many abstraction layers Application Layer System Call Interface Sockets Protocols TCP UDP Traffic Shaping sk_buff Network drivers
5 BPF allows to hook into them Application Layer System Call Interface Sockets Protocols TCP UDP Traffic Shaping sk_buff Network drivers XDP – DMA to the NIC BPF – after kernel parses the packet BPF – System Call tracing BPF – sockmap, sockops
6 BPF goes into firewalls 0 10 20 30 40 50 60 70 iptables nftables bpfilter (host driver) bpfilter (hardware offload) Mpps
7 BPF goes into... ● Load balancers - katran ● perf ● systemd ● Suricata ● Open vSwitch - AF_XDP ● And many many others
88 Cilium
9 What is Cilium?
10 Cilium as CNI plugin Node A Pod A Cilium + BPF Node B Cilium + BPF Container eth0 Pod B Container eth0 Pod C Container eth0
11 Networking modes Use case: Cilium handling routing between nodes Encapsulation Use case: Using cloud provider routers, using BGP routing daemon Direct routing Node A Node B Node C VXLAN VXLAN VXLAN Node A Node B Node C Cloud or BGP routing
12 L3 filtering – label based, ingress Pod Labels: role=frontend IP: 10.0.0.1 Pod Labels: role=frontend IP: 10.0.0.2 Pod IP: 10.0.0.5 Pod Labels: role=backend IP: 10.0.0.3 Pod Labels: role=frontend IP: 10.0.0.4 allow deny
13 L3 filtering – label based, ingress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow frontends to access backends" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - fromEndpoints: - matchLabels: class: frontend
14 L3 filtering – CIDR based, egress IP: 10.0.1.1 Subnet: 10.0.1.0/24 IP: 10.0.2.1 Subnet: 10.0.2.0/24 allow deny Cluster A Pod Labels: role=backend IP: 10.0.0.1 Any IP not belonging to 10.0.1.0/24
15 L3 filtering – CIDR based, egress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow backends to access 10.0.1.0/24" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend egress: - toCIDR: - IP: “10.0.1.0/24”
16 L4 filtering Pod Labels: role=backend IP: 10.0.0.1 allow deny TCP/80 Any other port
17 L4 filtering apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow to access backends only on TCP/80" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP”
18 L7 filtering – API Aware Security Pod Labels: role=api IP: 10.0.0.1 GET /articles/{id} GET /private Pod IP: 10.0.0.5
19 L7 filtering – API Aware Security endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP” rules: http: - method: "GET" path: "/article/$"
20 Standalone proxy, L7 filtering Node A Pod A Cilium + BPF Envoy Generating BPF programs for L7 filtering through libcilium.so Node B Pod B Cilium + BPF Envoy Generating BPF programs for L7 filtering through libcilium.so Generating BPF programs for L3/L4 filtering Generating BPF programs for L3/L4 filtering
21 Features
22 Cluster Mesh Cluster A Cluster B Node A Pod A Cilium + BPF Node B Cilium + BPF Container eth0 Pod B Container eth0 Pod C Container eth0 External etcd
23 Istio without Cilium Node A Pod A App container Application socket Envoy Socket eth0 loopback CNI driver Node B Pod B App container Application socket Envoy Socket eth0 loopback CNI driver Here packets need to go through the whole kernel network abstraction. Using TCP protocol. Performance loss.
24 Istio with Cilium and sockmap Node A Pod A App container Application socket Cilium+BPF Envoy Socket eth0 Node B Pod B App container Application socket Cilium+BPF Envoy Socket eth0
25 Kubernetes Services ● Hash table. BPF, Cilium ● Linear list. ● All rules in the chain have to be replaced as a whole. Iptables, kube-proxy Key Key Key Value Value Value Rule 1 Rule 2 Rule n ... Search O(1) Insert O(1) Delete O(1) Search O(n) Insert O(1) Delete O(n)
26 Kubernetes Services – benchmark 1 100 1000 2000 2768 0 100 200 300 400 500 600 700 Cilium (BPF) kube-proxy (iptables) Number of services in cluster usec
27 CNI chaining Policy enforement, load balancing, multi-cluster IP allocation, configuring network interface, encapsulation/routing
28 Native support for AWS ENI
2929 To sum it up
30 Why Cilium is awesome? ● It makes disadvantages of iptables disappear. And always gets the best from the Linux kernel. ● Cluster Mesh / multi-cluster. ● Makes Istio faster. ● Offers L7 API Aware filtering as a Kubernetes resource. ● Integrates with the other popular CNI plugins – Calico, Flannel, Weave, Lyft, AWS CNI.
Kubernetes Networking with Cilium - Deep Dive

More Related Content

PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
PDF
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
PDF
Cilium - Network security for microservices
byThomas Graf
 
PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
PDF
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
PDF
Introduction to eBPF
byRogerColl2
 
PDF
Introduction to eBPF and XDP
bylcplcp1
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
Cilium - Network security for microservices
byThomas Graf
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
Introduction to eBPF
byRogerColl2
 
Introduction to eBPF and XDP
bylcplcp1
 

What's hot

PDF
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
byOpen Source Consulting
 
PPTX
Introduction to the Container Network Interface (CNI)
byWeaveworks
 
PPTX
Kubernetes PPT.pptx
byssuser0cc9131
 
PDF
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
PDF
Cilium - overview and recent updates
byMichal Rostecki
 
PDF
Introduction to Kubernetes Workshop
byBob Killen
 
PDF
eBPF - Observability In Deep
byMydbops
 
PDF
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
PDF
Kubernetes Basics
byEueung Mulyana
 
PDF
Container Network Interface: Network Plugins for Kubernetes and beyond
byKubeAcademy
 
PDF
Deep dive into Kubernetes Networking
bySreenivas Makam
 
PDF
Kubernetes Networking
byCJ Cullen
 
PDF
Red Hat OpenShift Operators - Operators ABC
byRobert Bohne
 
PDF
Operator Framework Overview
byRob Szumski
 
PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
PPTX
Kubernetes Networking 101
byWeaveworks
 
PDF
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
byEdureka!
 
PDF
Kubernetes 101
byCrevise Technologies
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
PPTX
DevOps with Kubernetes
byEastBanc Tachnologies
 
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
byOpen Source Consulting
 
Introduction to the Container Network Interface (CNI)
byWeaveworks
 
Kubernetes PPT.pptx
byssuser0cc9131
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
byContainerDay Security 2023
 
Cilium - overview and recent updates
byMichal Rostecki
 
Introduction to Kubernetes Workshop
byBob Killen
 
eBPF - Observability In Deep
byMydbops
 
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
Kubernetes Basics
byEueung Mulyana
 
Container Network Interface: Network Plugins for Kubernetes and beyond
byKubeAcademy
 
Deep dive into Kubernetes Networking
bySreenivas Makam
 
Kubernetes Networking
byCJ Cullen
 
Red Hat OpenShift Operators - Operators ABC
byRobert Bohne
 
Operator Framework Overview
byRob Szumski
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
Kubernetes Networking 101
byWeaveworks
 
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn...
byEdureka!
 
Kubernetes 101
byCrevise Technologies
 
eBPF maps 101
bySUSE Labs Taipei
 
DevOps with Kubernetes
byEastBanc Tachnologies
 

Similar to Kubernetes Networking with Cilium - Deep Dive

PDF
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
PDF
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
PDF
cilium-public.pdf
bySanjeev Rampal
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PPTX
Comparison of existing cni plugins for kubernetes
byAdam Hamsik
 
PDF
Evolution of kube-proxy (Brussels, Fosdem 2020)
byLaurent Bernaille
 
PDF
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
PDF
Cilium - BPF & XDP for containers
byDocker, Inc.
 
PDF
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
PDF
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
PDF
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
PDF
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
PDF
Cilium:: Application-Aware Microservices via BPF
byCynthia Thomas
 
PDF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
PDF
Kubernetes Networking 101 kubecon EU 2022
byssuser1490e8
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PPTX
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
byUA DevOps Conference
 
PDF
Cilium: Seattle Kubernetes MeetUp Dec 2017
byCynthia Thomas
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
cilium-public.pdf
bySanjeev Rampal
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
Comparison of existing cni plugins for kubernetes
byAdam Hamsik
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
byLaurent Bernaille
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
Cilium - BPF & XDP for containers
byDocker, Inc.
 
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
Cilium:: Application-Aware Microservices via BPF
byCynthia Thomas
 
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
Kubernetes Networking 101 kubecon EU 2022
byssuser1490e8
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
СТАНІСЛАВ КОЛЕНКІН «Cilium – Network security for microservices. Let’s see ho...
byUA DevOps Conference
 
Cilium: Seattle Kubernetes MeetUp Dec 2017
byCynthia Thomas
 
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 

Recently uploaded

PDF
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
PDF
NYC ACE 12-Nov-2025-Combined Presentation.pdf
byAUGNYC
 
PPTX
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
PDF
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
PDF
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
PDF
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
Startup Core Architecture: A Simple Practical Guide
byShiv Technolabs Pvt. Ltd.
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PDF
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
PPTX
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
PDF
virtual CISO service by Reflect Security
byreflectsecsol
 
PDF
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
PDF
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
PDF
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
PPTX
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
PPTX
Harnessing BUSY Software for Smart Business Management.pptx
byMoving Cloud
 
PPTX
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
PPTX
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
PDF
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
AI/ML Infra Meetup | Bringing Data to GPUs Anywhere + Get Low-Latency on Obje...
byAlluxio, Inc.
 
NYC ACE 12-Nov-2025-Combined Presentation.pdf
byAUGNYC
 
Detecting Bad Apples: Understanding macOS Malware TTPs by Surya Teja
byCysinfo Cyber Security Community
 
AI/ML Infra Meetup | Unlock the Future of Generative AI: TorchTitan's Latest ...
byAlluxio, Inc.
 
SWEBOK: the software engineering body of knowledge (SC25 Workshop Research So...
byHironori Washizaki
 
Hyperon Chain – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
Startup Core Architecture: A Simple Practical Guide
byShiv Technolabs Pvt. Ltd.
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
Oracle AI Database 26ai _ AI-Native Database for Enterprises.pdf
byAstuteBusiness
 
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
virtual CISO service by Reflect Security
byreflectsecsol
 
DSD-INT 2025 From Software to Impact - Water Quality Modelling for the UN Oce...
byDeltares
 
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
Harnessing BUSY Software for Smart Business Management.pptx
byMoving Cloud
 
Working of Minimax Algorithm with Alpha-Beta Pruning.pptx
byMuhammadHassanArshad2
 
BI and Reporting Software Turning Clinic Data Into Smarter, More Compassionat...
byEasy Clinic
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
Threat Hunting with Garuda: From Manual Analysis to AI-Driven Hunting By Monn...
byCysinfo Cyber Security Community
 
In this document
Powered by AI

An introduction to Kubernetes Networking focusing on Cilium, led by Michal Rostecki as a Software Engineer.

Overview of BPF (Berkeley Packet Filter), its functionalities including its integration with firewalls, load balancers, and various network components.

Discussion on Cilium as a Container Network Interface (CNI) plugin utilizing BPF for effective networking between pods, including L3 filtering based on labels.

Detailed explanation of L3 filtering in Cilium using CIDR and policies that allow or deny access based on specific criteria.

Implementing Layer 4 filtering in Cilium, showcasing policies that permit access on specific TCP ports.

Capabilities of L7 filtering in Cilium with examples of API aware security, including conditional rules for HTTP methods and paths.

Description of how Cilium implements filtering and security utilizing Envoy alongside BPF programs for advanced L3, L4, and L7 filtering.

Highlights unique features of Cilium including its Cluster Mesh capabilities and comparisons with Istio, emphasizing performance enhancements.

Explains the differences between how BPF with Cilium and kube-proxy with iptables manage Kubernetes services and their performance benchmarks.

Details on CNI chaining and the native support for AWS Elastic Network Interfaces to enable policy enforcement and routing.

Summary of the advantages Cilium offers, including its performance improvements, multi-cluster readiness, and compatibility with other CNIs.

Kubernetes Networking with Cilium - Deep Dive

  • 1.
    Kubernetes Networking withCilium Deep Dive Michal Rostecki Software Engineer mrostecki@suse.de mrostecki@opensuse.org
  • 2.
  • 3.
  • 4.
    4 Linux network hasmany abstraction layers Application Layer System Call Interface Sockets Protocols TCP UDP Traffic Shaping sk_buff Network drivers
  • 5.
    5 BPF allows tohook into them Application Layer System Call Interface Sockets Protocols TCP UDP Traffic Shaping sk_buff Network drivers XDP – DMA to the NIC BPF – after kernel parses the packet BPF – System Call tracing BPF – sockmap, sockops
  • 6.
    6 BPF goes intofirewalls 0 10 20 30 40 50 60 70 iptables nftables bpfilter (host driver) bpfilter (hardware offload) Mpps
  • 7.
    7 BPF goes into... ● Loadbalancers - katran ● perf ● systemd ● Suricata ● Open vSwitch - AF_XDP ● And many many others
  • 8.
  • 9.
  • 10.
    10 Cilium as CNIplugin Node A Pod A Cilium + BPF Node B Cilium + BPF Container eth0 Pod B Container eth0 Pod C Container eth0
  • 11.
    11 Networking modes Use case: Ciliumhandling routing between nodes Encapsulation Use case: Using cloud provider routers, using BGP routing daemon Direct routing Node A Node B Node C VXLAN VXLAN VXLAN Node A Node B Node C Cloud or BGP routing
  • 12.
    12 L3 filtering –label based, ingress Pod Labels: role=frontend IP: 10.0.0.1 Pod Labels: role=frontend IP: 10.0.0.2 Pod IP: 10.0.0.5 Pod Labels: role=backend IP: 10.0.0.3 Pod Labels: role=frontend IP: 10.0.0.4 allow deny
  • 13.
    13 L3 filtering –label based, ingress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow frontends to access backends" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - fromEndpoints: - matchLabels: class: frontend
  • 14.
    14 L3 filtering –CIDR based, egress IP: 10.0.1.1 Subnet: 10.0.1.0/24 IP: 10.0.2.1 Subnet: 10.0.2.0/24 allow deny Cluster A Pod Labels: role=backend IP: 10.0.0.1 Any IP not belonging to 10.0.1.0/24
  • 15.
    15 L3 filtering –CIDR based, egress apiVersion: "cilium.io/v2" kind: CiliumNetworkPolicy description: "Allow backends to access 10.0.1.0/24" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend egress: - toCIDR: - IP: “10.0.1.0/24”
  • 16.
    16 L4 filtering Pod Labels: role=backend IP:10.0.0.1 allow deny TCP/80 Any other port
  • 17.
    17 L4 filtering apiVersion: "cilium.io/v2" kind:CiliumNetworkPolicy description: "Allow to access backends only on TCP/80" metadata: name: "frontend-backend" spec: endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP”
  • 18.
    18 L7 filtering –API Aware Security Pod Labels: role=api IP: 10.0.0.1 GET /articles/{id} GET /private Pod IP: 10.0.0.5
  • 19.
    19 L7 filtering –API Aware Security endpointSelector: matchLabels: role: backend ingress: - toPorts: - ports: - port: “80” protocol: “TCP” rules: http: - method: "GET" path: "/article/$"
  • 20.
    20 Standalone proxy, L7filtering Node A Pod A Cilium + BPF Envoy Generating BPF programs for L7 filtering through libcilium.so Node B Pod B Cilium + BPF Envoy Generating BPF programs for L7 filtering through libcilium.so Generating BPF programs for L3/L4 filtering Generating BPF programs for L3/L4 filtering
  • 21.
  • 22.
    22 Cluster Mesh Cluster ACluster B Node A Pod A Cilium + BPF Node B Cilium + BPF Container eth0 Pod B Container eth0 Pod C Container eth0 External etcd
  • 23.
    23 Istio without Cilium NodeA Pod A App container Application socket Envoy Socket eth0 loopback CNI driver Node B Pod B App container Application socket Envoy Socket eth0 loopback CNI driver Here packets need to go through the whole kernel network abstraction. Using TCP protocol. Performance loss.
  • 24.
    24 Istio with Ciliumand sockmap Node A Pod A App container Application socket Cilium+BPF Envoy Socket eth0 Node B Pod B App container Application socket Cilium+BPF Envoy Socket eth0
  • 25.
    25 Kubernetes Services ● Hash table. BPF,Cilium ● Linear list. ● All rules in the chain have to be replaced as a whole. Iptables, kube-proxy Key Key Key Value Value Value Rule 1 Rule 2 Rule n ... Search O(1) Insert O(1) Delete O(1) Search O(n) Insert O(1) Delete O(n)
  • 26.
    26 Kubernetes Services –benchmark 1 100 1000 2000 2768 0 100 200 300 400 500 600 700 Cilium (BPF) kube-proxy (iptables) Number of services in cluster usec
  • 27.
    27 CNI chaining Policy enforement,load balancing, multi-cluster IP allocation, configuring network interface, encapsulation/routing
  • 28.
  • 29.
  • 30.
    30 Why Cilium isawesome? ● It makes disadvantages of iptables disappear. And always gets the best from the Linux kernel. ● Cluster Mesh / multi-cluster. ● Makes Istio faster. ● Offers L7 API Aware filtering as a Kubernetes resource. ● Integrates with the other popular CNI plugins – Calico, Flannel, Weave, Lyft, AWS CNI.