
Cilium: A Beginner’s Guide To Improve Security

by | 21.10.2021 | Engineering

A continuation of the previous series on eBPF and security concerns: it cannot be reiterated enough how important it is for developers to ensure the safety and security of their applications. With the ever-expanding reach of the cloud and of cloud native software, the solution that most applications propose is observation, tracking and tracing of suspicious behavior.
This week we will explore a tool used by tech giants: Cilium, a networking tool that provides interface solutions for cloud native environments and an enhanced networking layer for Kubernetes using eBPF. Selected by the CNCF Technical Oversight Committee (TOC) as an incubating project, it has become a favorite of big cloud providers since its release.

What Exactly Does Cilium Do?

Organizations placed in the financial services sector, cloud, hyperscalers, and enterprises were the first ones to adopt Cilium for running operations concerning deep security, performance, scalability, and observability. It has been supported by the open source community with updates and packaged versions ever since its inception.
Cilium works in the form of a networking plugin, which can then be integrated at a lower level in an application along with an orchestration system. From a technical perspective, Cilium has the main goal of making an application more interpretable, usable and, most importantly, controllable. Its main methodology can be summarized in the following steps:

  1. The users first write the code for an agent written in Go that connects to all the nodes in an application to insert its metadata and resources. The agent is then combined with the internal orchestration platform for the application, such as Kubernetes.
  2. A datapath is generated that functions as a component to utilize the BPF (Berkeley Packet Filter) functionality in the Linux kernel. This acts as the front for performing networking, policy enforcement, tracing and load balancing.
  3. A collection of userspace proxies is thus created from the kernel to provide application protocol level filtering while the program completes the in-kernel version of the Cilium program.

Cilium is best paired with Kubernetes and has found use among organizations including Adobe, Datadog, GitLab, SAP and more. It has also become a central tool for cloud applications including Alibaba, AWS and Google Cloud.
The kernels and interfaces are all highly scalable with a terminal overhead that can be applied even across clusters. Much of this is achieved from the potential of eBPF, where teams can implement scanning and tracking strategies without affecting workloads. It also offers connectivity for scanning critical workloads for security assessments. Cilium is also designed to support high level network policy, well defined encryption and integration with standard security tools.
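
To make the difference between in-kernel policy enforcement and application protocol level filtering concrete, here is an added example (not from the original article or the Cilium project) of two alternative `CiliumNetworkPolicy` objects. The namespace `shop`, the labels `app=orders` and `app=frontend`, port 8080 and the URL paths are assumptions made for illustration.

```yaml
# Variant A: L3/L4 only, enforced in the eBPF datapath.
# Frontend pods may reach orders pods on TCP 8080 with ANY HTTP request.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-l4-only        # assumed name
  namespace: shop             # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: orders             # assumed workload label
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend     # assumed client label
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
---
# Variant B: same identities and port, plus HTTP rules.
# Traffic on this port is redirected to the L7 proxy, which only
# forwards requests matching a listed method and path (path is a regex).
# Apply only one variant: allow rules are additive, so keeping A
# alongside B would still admit every request on the port.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-l7-http        # assumed name
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: orders
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/orders/[0-9]+"
              - method: "POST"
                path: "/api/v1/orders"
```

With either variant in place, the selected `orders` pods stop accepting ingress from any source the policy does not name; with Variant B, a request from `frontend` that matches no HTTP rule is answered with an HTTP 403 by the proxy rather than reaching the application.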

Cilium Overview Source: Cilium


Cilium Functionalities & Failures: The Pros & Cons

One of the advantages that Cilium offers over other CNI type plugins is the reduced overhead when managing and transferring kernels for tracing and scanning over larger networks. While there are some CNI plugins on the market that are heavily dependent on every Kubernetes cluster in the node to manage networking and address needs, Cilium takes charge by utilizing eBPF to handle such needs more efficiently. Cilium developers understand the importance of looking over address lookup and scaling issues for thousands of nodes as an application grows larger.
Despite being a new player in the field for online native cloud security, it has managed to create packages and other pipeline programs for connecting with established tools, making it a great multipurpose compatible tool. Combined with a well defined interface for dealing with service requests and a simple command structure through Golang, Cilium is an excellent tool to have in one’s palette.
Some critics have, however, pointed at certain native support features common with platforms like Istio service mesh, which have yet to find their way into Cilium. Cilium seems to lack the role based access control schemes that are common with other platforms for dealing with traffic and firewall policies. Performance overhead issues are also common with Cilium, caused by additional latency overheads being applied to the kernel. This has caused certain users to note intermittent timeouts and crashes with Cilium, especially when dealing with multiple access platforms.

Cilium Features Source: Cilium

The Tools That Cilium Uses

Here are some of the more important components and elements to consider when using Cilium for the first time:

  1. Agent: The agent is the component that runs on all Kubernetes worker nodes and all other workload applications that have servers. This is where the core eBPF platform is found and connects with all other major Cilium components.
  2. Network Plugins (CNI): The CNI plugin serves as the centerpiece for providing network access for Kubernetes clusters and other orchestration systems. The plugin mainly uses the CNI specification for supporting plugin implementation.
  3. Hubble: Hubble is the observability center that provides the users with information about the network and additional security logs and metrics. Users will also find tracing data and important interfaces to know about the health of their application.
  4. ClusterMesh: ClusterMesh is the platforming component that helps users set up a network or service mesh which can be expanded through multiple clusters and external workloads. These can be applied through virtual machines or typical light servers.
  5. Load Balancer: The load balancer offers scanning and tracing applications that can apply assessment methods on clusters to implement Kubernetes services.

Cilium and Kubernetes Source: Cilium

Final Notes and Review


To conclude, Cilium is a great application that performs all the major features of a CNI type plugin and tracing application to improve security needs for cloud native products. Its ability to gain industry acceptance in such a short time is highly commendable but also indicative of a common problem observed among open source plugins and packages: the lack of community support. In a race to make itself unique, some might be deterred by Cilium’s lack of features shared by some of the larger names.
Nevertheless, the best way to get through a new release or tool is to explore all the major facets it has to offer and to take a short test drive by checking out documentation, community forums and online tutorials. As always, tune in next week as we bring you another major release tied to the cloud.

Happy Learning!
