Cilium 1.6: Kubernetes networking based on eBPF

Cilium 1.6 (November 2019), developed by Isovalent (Thomas Graf): a Kubernetes CNI built on eBPF that bypasses iptables for performance, enforces L3-L7 network policies, provides observability through Hubble and, in later releases, an integrated service mesh. CNCF Incubating project, since Graduated.

Tags: Open Source, Web, Cyber Security, Cilium, eBPF, CNI, Kubernetes, Networking, Isovalent, Cloud

Kubernetes networking from eBPF

Kubernetes delegates pod-to-pod networking to CNI plugins. Traditional implementations (Flannel, Calico, Weave) rely on iptables/netfilter and standard Linux routing. As clusters grow to thousands of pods and services, iptables becomes a bottleneck: rule chains are traversed linearly, so each lookup costs O(n) in the number of rules, and every change rewrites the whole table.

Cilium, started in 2015 by Thomas Graf and the team that went on to found Isovalent, reimplements networking, security and load balancing directly in eBPF. Version 1.6 (11 November 2019) is the release considered production-ready. Apache 2.0 licence. CNCF Incubating from 2021, Graduated in 2023.

eBPF as kernel-level runtime

eBPF (extended Berkeley Packet Filter) is a sandboxed runtime inside the Linux kernel: programs are checked by the kernel verifier (bounded execution, memory safety) before they are loaded and then run at kernel hooks without a context switch to user space. Cilium uses eBPF for:

  • Packet filtering and routing directly in the kernel, bypassing iptables
  • Network policies implemented as eBPF programs attached to tc hooks on each pod's veth interface (later releases also use XDP for the load-balancer fast path)
  • kube-proxy-free load balancing: service lookups in eBPF maps replace the iptables-based kube-proxy
  • Transparent encryption (IPsec; WireGuard was added later, in Cilium 1.10)
  • Observability: the same tc hooks see every packet, which is what Hubble builds on
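A configuration that switches these features on, added here as an illustration and not taken from the Cilium project's documentation. It uses the keys of the current Helm chart rather than the 1.6-era ConfigMap keys, and the API server address is an assumption:

```yaml
# values.yaml for: helm install cilium cilium/cilium -n kube-system -f values.yaml
# Added example; key names follow the current chart, host/port are assumed values.
kubeProxyReplacement: true      # eBPF service load balancing; kube-proxy can be removed
                                # (charts older than 1.14 expect "strict" here)
k8sServiceHost: 10.0.0.10       # API server must be reachable without kube-proxy
k8sServicePort: 6443
encryption:
  enabled: true                 # transparent pod-to-pod encryption
  type: ipsec                   # "wireguard" on Cilium 1.10 or newer
hubble:
  enabled: true
  relay:
    enabled: true               # cluster-wide flow API used by the hubble CLI
  ui:
    enabled: true               # service-graph web UI
  metrics:
    enabled:                    # Prometheus metrics derived from flows
    - dns
    - drop
    - tcp
    - flow
    - policy
```

With `type: ipsec` the agent expects the pre-shared key in a secret named `cilium-ipsec-keys` in kube-system before it starts; with `kubeProxyReplacement: true` the kube-proxy DaemonSet should be removed so the two do not both program services.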

L3-L7 Network Policies

Standard Kubernetes NetworkPolicy objects stop at L3/L4 (pod selectors, CIDRs, ports). Cilium extends this to L7 with rules that understand HTTP (path, method, headers), gRPC (service, method), Kafka (topic, role) and DNS (query name). Only traffic selected by an L7 rule is redirected by the eBPF datapath to a proxy (Envoy for HTTP/gRPC/Kafka, a built-in DNS proxy); everything else stays in the kernel.

CiliumNetworkPolicy example:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-get-only
spec:
  endpointSelector:          # pods this policy applies to
    matchLabels:
      app: api
  ingress:
  - toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:                # L7 rule: matching traffic goes through the Envoy proxy
        - method: "GET"
          path: "/api/v1/.*" # extended regex matched against the request path

Once a CiliumNetworkPolicy selects an endpoint, that endpoint's ingress is default-deny, so a POST or a request to /admin is rejected by the proxy with HTTP 403 rather than silently dropped. Note that this rule has no fromEndpoints selector: any source that can reach the pod is allowed in, subject only to the L7 filter. Add a fromEndpoints block to also restrict who may connect.
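The same mechanism applied to the other protocols listed above, as an added example that is not taken from the Cilium documentation. It is an egress allow-list for the same `app: api` pods; the namespace, the `example.com` domain, the `app: kafka` label and the `orders` topic are assumptions:

```yaml
# Added example (not from the Cilium project). Three egress rules for the "api" pods:
# 1) DNS: only kube-dns may be queried, and only for names under example.com
# 2) FQDN: the addresses that *.example.com resolved to are the only TCP/443 targets
# 3) Kafka: the pod may only produce to the "orders" topic on the broker
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-egress
  namespace: default          # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: api
  egress:
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY         # UDP and TCP
      rules:
        dns:
        - matchPattern: "*.example.com"   # queries for other names are refused
  - toFQDNs:
    - matchPattern: "*.example.com"       # IPs learned from the DNS proxy above
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  - toEndpoints:
    - matchLabels:
        app: kafka            # assumed broker label
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: "produce"     # consume requests and other topics are denied
          topic: "orders"
```

The DNS rule is not optional decoration: toFQDNs only works because the DNS proxy sees the lookups and maps the returned addresses to the pattern, so a pod that resolves names elsewhere (or hard-codes IPs) gets no matching egress entry and is dropped.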

Hubble

Hubble (announced in November 2019, built on Cilium) is the observability layer: it records every flow the eBPF datapath sees, with L3/L4 detail and, where an L7 rule applies, L7 detail (HTTP method and path, DNS query, Kafka topic), exposes Prometheus metrics derived from those flows, and offers a CLI and a web UI that shows the communication graph between services.

ClusterMesh

ClusterMesh (introduced in Cilium 1.3, before 1.6) connects several Kubernetes clusters: each agent reads the other clusters' endpoint state, so services can be declared global for cross-cluster discovery and network policies can select endpoints by the cluster they run in. Useful for multi-region, disaster recovery and federated deployments.
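What that looks like in policy, as an added example and not the project's own configuration. The cluster name `eu-west` and the `app: frontend` label are assumptions; the cluster name must match the `cluster.name` each agent was started with:

```yaml
# Added example (not from the Cilium project).
# Service declared global: ClusterMesh load-balances "api" across all connected
# clusters that define a Service with the same name and namespace.
apiVersion: v1
kind: Service
metadata:
  name: api
  annotations:
    service.cilium.io/global: "true"
spec:
  selector:
    app: api
  ports:
  - port: 8080
    protocol: TCP
---
# Policy: only "frontend" pods from the remote cluster "eu-west" may reach "api"
# on TCP/8080 in this cluster; any other cross-cluster source is denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-from-eu-west
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
        io.cilium.k8s.policy.cluster: eu-west   # assumed remote cluster name
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

Without the cluster label the selector would match `app: frontend` pods in every mesh member, including the local one; pinning it is what makes the policy a statement about where the caller runs and not only what it is.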

Adoption

Cilium is the CNI used by, and in several of these cases the default of:

  • Google GKE Dataplane V2 (2020)
  • AWS EKS (as an option, 2022)
  • Red Hat OpenShift (supported)
  • Alibaba Cloud; Datadog
  • Large on-premise Kubernetes installations: Adobe, Cloudflare, Capital One, Bell Canada

In the Italian context

As of 2019-2020 Cilium is being explored in Italy by:

  • Banks and insurance with multi-tenant K8s clusters
  • Italian cloud providers as premium option
  • System integrators offering managed K8s

Adoption grows over the following three years as eBPF matures and Cilium becomes a commodity option in the public clouds.


References: Cilium 1.6 (11 November 2019). Isovalent (Thomas Graf, co-founder). Apache 2.0 licence. CNCF Incubating (2021) → Graduated (2023). eBPF runtime. Hubble observability. ClusterMesh. GKE Dataplane V2 integration (2020), EKS optional.
