Cilium 1.6: Kubernetes networking based on eBPF

Cilium 1.6 (November 2019) by Isovalent (Thomas Graf): Kubernetes CNI built on eBPF, iptables bypass for performance, L3-L7 network policies, observability with Hubble, integrated service mesh.


Kubernetes networking from eBPF

Kubernetes handles pod-to-pod networking via CNI plugins. Traditional implementations (Flannel, Calico, Weave) rely on iptables/netfilter and standard Linux routing. As clusters grow to thousands of pods, iptables becomes a bottleneck: rule lookup is O(n) in the number of rules, and every service or policy change rewrites the whole chain.

Cilium, launched in 2015 by Thomas Graf and team (company Isovalent), reimplements networking, security and load balancing directly in eBPF. Version 1.6, released on 11 November 2019, is considered production-ready. Apache 2.0 licence.

eBPF as kernel-level runtime

eBPF (extended Berkeley Packet Filter) is a safe runtime inside the Linux kernel: programs are checked by the in-kernel verifier before loading and then execute in kernel context, with no user-space context switch per packet. Cilium uses eBPF for:

  • Packet filtering and routing directly in the kernel, bypassing iptables
  • Network policies implemented as eBPF programs attached to XDP or tc hooks
  • kube-proxy-free load balancing, replacing the iptables-based kube-proxy
  • Transparent encryption (IPsec, WireGuard)
  • Observability: tc hooks observe every packet

L3-L7 Network Policies

Standard Kubernetes NetworkPolicies are limited to L3/L4 (IP, port). Cilium extends enforcement to L7, with policies that understand HTTP (path, method, headers), gRPC (service, method), Kafka (topic) and DNS.

CiliumNetworkPolicy example:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-get-only
spec:
  # Pods this policy applies to; once selected, anything not allowed below is denied
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - toPorts:
    - ports:
      - port: "8080"
      # L7 rules: requests on 8080 are proxied and must match one of these
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
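To make the semantics of the policy above concrete, here is a small model of how an L3/L4/L7 ingress rule is evaluated. This is an added example written for this page, not Cilium's own policy engine: the policy is hand-translated from the YAML into a Python dict, and the assumptions are that the HTTP `method` and `path` fields are matched as anchored regexes (so `/api/v1/.*` does not match `/internal/api/v1/x`), that a port with L7 rules denies any request matching none of them, and that an endpoint selected by at least one policy denies every port the policy does not mention.

```python
import re

# Constructed Python dict mirroring the CiliumNetworkPolicy shown above
# (assumption: a faithful hand-translation of that YAML, no protocol field given)
ALLOW_GET_ONLY = {
    "endpointSelector": {"matchLabels": {"app": "api"}},
    "ingress": [
        {"toPorts": [
            {"ports": [{"port": "8080"}],
             "rules": {"http": [{"method": "GET", "path": "/api/v1/.*"}]}}
        ]}
    ],
}


def selector_matches(selector, labels):
    """endpointSelector.matchLabels: every key/value must be present on the endpoint."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def http_rule_matches(rule, request):
    """Model assumption: L7 HTTP fields are anchored regexes (full match, not search)."""
    if "method" in rule and not re.fullmatch(rule["method"], request["method"]):
        return False
    if "path" in rule and not re.fullmatch(rule["path"], request["path"]):
        return False
    return True


def evaluate(policies, endpoint_labels, port, protocol, request=None):
    """Return a verdict string for one ingress flow toward an endpoint.

    request: None for a pure L4 flow, or {"method": ..., "path": ...} for an HTTP request.
    """
    selecting = [p for p in policies if selector_matches(p["endpointSelector"], endpoint_labels)]
    if not selecting:
        # Default allow: no policy selects this endpoint
        return "ALLOW (no policy selects endpoint)"
    for policy in selecting:
        for ingress in policy.get("ingress", []):
            for to_port in ingress.get("toPorts", []):
                for p in to_port["ports"]:
                    # A port entry without protocol matches any protocol
                    if p["port"] != str(port) or p.get("protocol", "ANY") not in ("ANY", protocol):
                        continue
                    http_rules = to_port.get("rules", {}).get("http")
                    if not http_rules:
                        return "ALLOW (L4)"
                    # Port carries L7 rules: the request must match at least one of them
                    if request and any(http_rule_matches(r, request) for r in http_rules):
                        return "ALLOW (L7)"
                    return "DENY (L7: request matched no http rule)"
    # Selected endpoint, but no rule allows this port: default deny
    return "DENY (L4: port not allowed)"


if __name__ == "__main__":
    api = {"app": "api"}
    for req in ({"method": "GET", "path": "/api/v1/users"},
                {"method": "POST", "path": "/api/v1/users"},
                {"method": "GET", "path": "/internal/api/v1/x"}):
        print(req, "->", evaluate([ALLOW_GET_ONLY], api, 8080, "TCP", req))
    print("port 9090 ->", evaluate([ALLOW_GET_ONLY], api, 9090, "TCP"))
    print("app=web   ->", evaluate([ALLOW_GET_ONLY], {"app": "web"}, 8080, "TCP"))
```

The third request is the one worth noticing: a path that merely contains `/api/v1/` is still denied because the regex is anchored, which is the behaviour you want from an allow-list and the reason to write L7 paths as full patterns rather than fragments.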

Hubble

Hubble (part of Cilium from 2019) is the observability subsystem: it sees all cluster traffic at flow-level granularity, including the policy verdict (forwarded or dropped) for each flow, and exposes Prometheus metrics and tracing. A web UI shows the communication graph across services.
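Flow-level verdicts are what make Hubble useful for detection: policy-denied drops tell you which workloads are trying to reach what they should not. The following is an added example, not part of Hubble or Cilium, that parses JSON flow records in the shape of `hubble observe -o json` output and aggregates policy denials per source/destination pair. The four flow lines are constructed for this example and the field names (`verdict`, `drop_reason_desc`, `source.pod_name`, `l4.TCP.destination_port`, `l7.http.method`) are assumed from Hubble's flow format; verify them against the version you run.

```python
import json
from collections import Counter

# Constructed sample in the shape of `hubble observe -o json` output (not captured from a real cluster):
# one allowed GET, one L7 denial (POST), one L4 denial (port 9090), one L7 denial from a second pod
SAMPLE_FLOWS = """\
{"flow":{"time":"2019-11-11T10:00:00Z","verdict":"FORWARDED","source":{"namespace":"default","pod_name":"web-7d9f","labels":["k8s:app=web"]},"destination":{"namespace":"default","pod_name":"api-5c4b","labels":["k8s:app=api"]},"l4":{"TCP":{"source_port":41000,"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://api:8080/api/v1/users"}},"traffic_direction":"INGRESS"}}
{"flow":{"time":"2019-11-11T10:00:01Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"default","pod_name":"web-7d9f","labels":["k8s:app=web"]},"destination":{"namespace":"default","pod_name":"api-5c4b","labels":["k8s:app=api"]},"l4":{"TCP":{"source_port":41002,"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"POST","url":"http://api:8080/api/v1/users"}},"traffic_direction":"INGRESS"}}
{"flow":{"time":"2019-11-11T10:00:02Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"default","pod_name":"web-7d9f","labels":["k8s:app=web"]},"destination":{"namespace":"default","pod_name":"api-5c4b","labels":["k8s:app=api"]},"l4":{"TCP":{"source_port":41003,"destination_port":9090}},"traffic_direction":"INGRESS"}}
{"flow":{"time":"2019-11-11T10:00:03Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"default","pod_name":"scanner-1a2b","labels":["k8s:app=scanner"]},"destination":{"namespace":"default","pod_name":"api-5c4b","labels":["k8s:app=api"]},"l4":{"TCP":{"source_port":50000,"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"DELETE","url":"http://api:8080/api/v1/users/1"}},"traffic_direction":"INGRESS"}}
"""


def parse_flows(text):
    """One JSON object per line; each wraps the flow record under the "flow" key."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flows.append(json.loads(line)["flow"])
    return flows


def flow_layer(flow):
    """L7 if the record carries a parsed application-layer section, else L4."""
    return "L7" if "l7" in flow else "L4"


def dest_port(flow):
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP"):
        if proto in l4:
            return l4[proto].get("destination_port")
    return None


def policy_denials(flows):
    """Count policy-denied drops per (source pod, destination pod, port, layer, HTTP method)."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED" or f.get("drop_reason_desc") != "POLICY_DENIED":
            continue
        method = f.get("l7", {}).get("http", {}).get("method", "-")
        key = (f["source"]["pod_name"], f["destination"]["pod_name"],
               dest_port(f), flow_layer(f), method)
        counts[key] += 1
    return counts


def noisy_sources(counts, threshold=1):
    """Source pods with more than `threshold` denials in total: a simple triage hint."""
    per_source = Counter()
    for (src, *_), n in counts.items():
        per_source[src] += n
    return sorted(s for s, n in per_source.items() if n > threshold)


if __name__ == "__main__":
    denials = policy_denials(parse_flows(SAMPLE_FLOWS))
    for key, n in sorted(denials.items()):
        print(n, key)
    print("sources to look at:", noisy_sources(denials))
```

Distinguishing L4 from L7 denials matters when tuning a policy like `allow-get-only`: an L4 drop on port 9090 means the port is simply not allowed, while an L7 drop on 8080 means the connection was accepted and the proxy rejected the request, so the fix (if any) belongs in the `http` rules rather than in `ports`.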

ClusterMesh

In 2019 Cilium introduced ClusterMesh: a secure connection across multiple Kubernetes clusters, with cross-cluster service discovery and policy enforcement. Useful for multi-region, disaster recovery and federated deployments.

Adoption

Cilium is chosen by large on-premise Kubernetes installations (Adobe, Cloudflare, Capital One, Bell Canada) and by cloud providers evaluating it as their default CNI.

In the Italian context

As of 2019 Cilium is being explored by:

  • Banks and insurers with multi-tenant Kubernetes clusters
  • Italian cloud providers, as a premium option
  • System integrators offering managed Kubernetes

References: Cilium 1.6 (11 November 2019). Isovalent (Thomas Graf, co-founder). Apache 2.0 licence. eBPF runtime. Hubble observability. ClusterMesh.
