This is a continuation of the previous series on eBPF and security; it cannot be said often enough how important it is for developers to ensure the safety and security of their applications. As cloud and cloud native software keeps expanding its reach, the answer most applications settle on is observation: tracking and tracing suspicious behavior.
This week we will explore a tool used by tech giants: Cilium, a networking tool that provides connectivity for cloud native environments and an enhanced networking layer for Kubernetes built on eBPF. Accepted by the CNCF Technical Oversight Committee (TOC) as an incubating project, it has become a favorite of the big cloud providers since its release.
What Exactly Does Cilium Do?
Organizations in the financial services sector, cloud providers, hyperscalers and enterprises were the first to adopt Cilium for workloads that demand deep security, performance, scalability and observability. It has been maintained by the open source community with updates and packaged releases ever since its inception.
Cilium runs as a networking plugin that sits beneath the application, alongside the orchestration system. From a technical perspective, Cilium's main goal is to make the network an application runs on more observable, usable and, most importantly, controllable. Its approach can be summarized in the following steps:-
- An agent, written in Go and shipped with Cilium (users do not write it themselves), runs on every node. It receives configuration such as endpoints, identities and policies from the orchestration platform, typically Kubernetes, and from its own API, and keeps the metadata needed to program that node.
- From that configuration the agent generates a datapath of BPF (Berkeley Packet Filter) programs and loads it into the Linux kernel. This datapath is where networking, policy enforcement, tracing and load balancing actually happen, at packet level, without the packets leaving the kernel.
- Where a policy has to inspect the application protocol itself (HTTP, gRPC, Kafka, DNS), the in-kernel datapath redirects only that traffic to a userspace proxy (Envoy, in Cilium's case), which performs the application-protocol-level filtering and reports its verdicts back to the agent; everything else stays on the in-kernel path.
Cilium is best paired with Kubernetes and is used by organizations including Adobe, Datadog, GitLab, SAP and more. It has also become a central building block of the cloud platforms of Alibaba, AWS and Google Cloud.
The eBPF datapath scales well, carries little overhead and can span multiple clusters. Much of this comes from eBPF itself: teams can add tracing and inspection logic inside the kernel without modifying or restarting the workloads being observed. Cilium also provides the connectivity and visibility needed to assess critical workloads, and it is designed to support high-level network policy (from L3 addresses up to L7 requests), transparent encryption of traffic between nodes (IPsec or WireGuard), and integration with standard security tools.
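As an added example (not from this article or from the Cilium project), here is a CiliumNetworkPolicy that exercises the split described above: the endpoint and port rules are enforced by the eBPF datapath, while the http and dns rules cause just those connections to be redirected to the userspace proxy. The namespace `shop`, the labels `app: api` and `app: frontend`, port 8080, the URL paths and the external hostname `payments.example.com` are assumptions chosen for illustration.

```yaml
# Added example policy; names, labels, ports and hostnames are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-allow          # assumed policy name
  namespace: shop             # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: api                # assumed label on the protected pods
  ingress:
    # L3/L4 part, enforced in the eBPF datapath: only frontend pods,
    # only TCP/8080. Any other ingress to app=api is now denied.
    - fromEndpoints:
        - matchLabels:
            app: frontend     # assumed label on the allowed clients
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # L7 part: connections on 8080 are redirected to the proxy,
          # which allows only these method/path combinations. Paths are
          # regular expressions, anchored here so "/v1/orders" does not
          # also match "/v1/orders/42".
          rules:
            http:
              - method: GET
                path: "^/v1/products(/.*)?$"
              - method: POST
                path: "^/v1/orders$"
  egress:
    # Declaring egress makes all other egress default-deny, so DNS to
    # kube-dns must be listed explicitly. The dns rule sends queries
    # through Cilium's DNS proxy, which is what lets the toFQDNs rule
    # below learn which IPs the allowed name resolves to.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*.shop.svc.cluster.local"
              - matchName: "payments.example.com"
    # Only one external destination, and only over TLS.
    - toFQDNs:
        - matchName: "payments.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Apply it with kubectl apply -f and then watch the effect with hubble observe --verdict DROPPED: a frontend pod issuing DELETE /v1/orders/42 shows up as an L7 drop from the proxy, while a pod without the frontend label connecting to 8080 is dropped by the kernel datapath before the proxy ever sees it. The policy is also a reminder that an L7 rule is only as good as the L3/L4 rule in front of it; without fromEndpoints, the proxy would be filtering requests from anyone.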
Cilium Functionalities & Failures: The Pros & Cons
One of the advantages Cilium offers over other CNI plugins is reduced overhead when enforcing policy and routing service traffic across large clusters. Some CNI plugins, together with kube-proxy, rely on iptables on every node, where the rule chains grow with the number of services and endpoints and each packet is matched against them sequentially; Cilium instead keeps this state in eBPF hash maps, so a lookup costs roughly the same whether the cluster has ten services or ten thousand. Cilium's developers have paid particular attention to address lookup and scaling for thousands of nodes, as an application grows larger.
Despite being a relatively new player in cloud native security, it has built packages and pipeline integrations for established tools, making it a versatile and compatible choice. Combined with a well-defined interface for handling service requests and a simple command-line tool written in Go, Cilium is an excellent tool to have in one's palette.
Some critics have, however, pointed at features native to platforms like the Istio service mesh that have yet to find their way into Cilium. Cilium is said to lack the role-based access control schemes that other platforms use for traffic and firewall policies. Users have also reported performance overhead, which they attribute to additional latency introduced in the kernel, and some have noted intermittent timeouts and crashes, especially when several access platforms are in play.
Cilium features (Source: Cilium)
Here are some of the more important components to understand when using Cilium for the first time:-
- Agent: The agent (cilium-agent) runs on every Kubernetes worker node and on any other host that runs workloads. It accepts configuration through Kubernetes or its own API, watches for endpoints starting and stopping, and loads and maintains the eBPF programs that the other Cilium components build on.
- Network Plugin (CNI): The CNI plugin is invoked by the orchestrator (kubelet, in Kubernetes) whenever a pod is created or removed. It hands the pod's networking setup to the agent, which assigns an address and wires the pod into the eBPF datapath. Because the plugin implements the CNI specification, it works with any orchestrator that speaks CNI.
- Hubble: Hubble is the observability layer. It exposes network flows together with their policy verdicts (forwarded or dropped, and why), application-level (L7) details, security events and metrics, along with a service map and interfaces for judging the health of an application.
- ClusterMesh: ClusterMesh joins multiple clusters into one network and service mesh, with shared policy and service discovery, and can extend that mesh to external workloads such as virtual machines or ordinary servers.
- Load Balancer: The eBPF load balancer implements Kubernetes Services (ClusterIP, NodePort and LoadBalancer) directly in the kernel, which is what allows Cilium to replace kube-proxy, and it can also run as a standalone load balancer in front of a cluster.
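Hubble's flow records are where policy denials become visible. The following Python script is an example added for this article, not code shipped by Cilium or Hubble. It reads the newline-delimited JSON that hubble observe -o json produces and summarizes policy-denied traffic: which source hit which destination and port, which sources touched enough distinct ports to look like a scan, and which HTTP requests the L7 proxy rejected. The records embedded in it are constructed by hand to show the logic; the field names follow Hubble's JSON output as I know it and should be checked against the Hubble version in use; the pod names, namespaces and the three-port threshold are assumptions.

```python
"""Triage policy-denied traffic from Hubble flow records.

Example added for this article; not Cilium or Hubble project code.
Input: one JSON object per line, as produced by `hubble observe -o json`
(flow records carry a top-level "flow" key; other record kinds are skipped).
Field names follow Hubble's JSON output and should be checked against the
version in use. SAMPLE_LINES are constructed by hand for illustration.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample: one allowed flow, three L3/L4 policy drops from a
# "debug" pod probing the api pod, one HTTP request rejected by the L7
# proxy, and one non-flow record of the kind a real stream also carries.
SAMPLE_LINES = [
    '{"flow":{"verdict":"FORWARDED","IP":{"source":"10.0.1.15","destination":"10.0.2.8","ipVersion":"IPv4"},'
    '"l4":{"TCP":{"source_port":41234,"destination_port":8080}},'
    '"source":{"identity":3241,"namespace":"shop","labels":["k8s:app=frontend"],"pod_name":"frontend-5d8b"},'
    '"destination":{"identity":5120,"namespace":"shop","labels":["k8s:app=api"],"pod_name":"api-6c4f"},'
    '"Type":"L3_L4","traffic_direction":"INGRESS"},"node_name":"worker-1","time":"2024-05-01T10:00:00Z"}',
    '{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.99","destination":"10.0.2.8","ipVersion":"IPv4"},'
    '"l4":{"TCP":{"source_port":50001,"destination_port":22}},'
    '"source":{"identity":7310,"namespace":"shop","labels":["k8s:app=debug"],"pod_name":"debug-7f9c"},'
    '"destination":{"identity":5120,"namespace":"shop","labels":["k8s:app=api"],"pod_name":"api-6c4f"},'
    '"Type":"L3_L4","traffic_direction":"INGRESS"},"node_name":"worker-1","time":"2024-05-01T10:00:01Z"}',
    '{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.99","destination":"10.0.2.8","ipVersion":"IPv4"},'
    '"l4":{"TCP":{"source_port":50002,"destination_port":3306}},'
    '"source":{"identity":7310,"namespace":"shop","labels":["k8s:app=debug"],"pod_name":"debug-7f9c"},'
    '"destination":{"identity":5120,"namespace":"shop","labels":["k8s:app=api"],"pod_name":"api-6c4f"},'
    '"Type":"L3_L4","traffic_direction":"INGRESS"},"node_name":"worker-1","time":"2024-05-01T10:00:02Z"}',
    '{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.99","destination":"10.0.2.8","ipVersion":"IPv4"},'
    '"l4":{"TCP":{"source_port":50003,"destination_port":6379}},'
    '"source":{"identity":7310,"namespace":"shop","labels":["k8s:app=debug"],"pod_name":"debug-7f9c"},'
    '"destination":{"identity":5120,"namespace":"shop","labels":["k8s:app=api"],"pod_name":"api-6c4f"},'
    '"Type":"L3_L4","traffic_direction":"INGRESS"},"node_name":"worker-1","time":"2024-05-01T10:00:03Z"}',
    '{"flow":{"verdict":"DROPPED","Type":"L7","IP":{"source":"10.0.1.15","destination":"10.0.2.8","ipVersion":"IPv4"},'
    '"l4":{"TCP":{"source_port":41240,"destination_port":8080}},'
    '"l7":{"type":"REQUEST","http":{"method":"DELETE","url":"http://api.shop.svc.cluster.local:8080/v1/orders/42","protocol":"HTTP/1.1"}},'
    '"source":{"identity":3241,"namespace":"shop","labels":["k8s:app=frontend"],"pod_name":"frontend-5d8b"},'
    '"destination":{"identity":5120,"namespace":"shop","labels":["k8s:app=api"],"pod_name":"api-6c4f"},'
    '"traffic_direction":"INGRESS"},"node_name":"worker-1","time":"2024-05-01T10:00:04Z"}',
    '{"node_status":{"state_change":"NODE_CONNECTED","node_names":["worker-1"]},"node_name":"worker-1","time":"2024-05-01T10:00:05Z"}',
]


def parse_flows(lines):
    """Return the "flow" objects from newline-delimited Hubble JSON, skipping non-flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = json.loads(line).get("flow")
        if flow:
            flows.append(flow)
    return flows


def endpoint_name(ep):
    """namespace/pod for an endpoint, falling back to the numeric identity."""
    if not ep:
        return "unknown"
    return f"{ep.get('namespace', '?')}/{ep.get('pod_name') or ep.get('identity', '?')}"


def dest_port(flow):
    """(protocol, destination port) from the l4 section, or (None, None) if absent."""
    l4 = flow.get("l4") or {}
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return proto, l4[proto].get("destination_port")
    return None, None


def l3l4_policy_denials(flows):
    """Counter keyed by (src, dst, proto, port) for drops the datapath attributed to policy."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED" or f.get("drop_reason_desc") != "POLICY_DENIED":
            continue
        proto, port = dest_port(f)
        counts[(endpoint_name(f.get("source")), endpoint_name(f.get("destination")), proto, port)] += 1
    return counts


def suspected_scanners(flows, min_ports=3):
    """Sources whose dropped flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.get("verdict") != "DROPPED":
            continue
        proto, port = dest_port(f)
        if port is not None:
            ports[endpoint_name(f.get("source"))].add((proto, port))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def l7_denials(flows):
    """(src, method, url) for HTTP requests the proxy rejected under an L7 rule."""
    out = []
    for f in flows:
        http = (f.get("l7") or {}).get("http")
        if f.get("verdict") == "DROPPED" and http:
            out.append((endpoint_name(f.get("source")), http.get("method"), http.get("url")))
    return out


if __name__ == "__main__":
    # Read a piped `hubble observe -o json` stream, or fall back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    flows = parse_flows(source)
    for (src, dst, proto, port), n in l3l4_policy_denials(flows).most_common():
        print(f"POLICY_DENIED {src} -> {dst} {proto}/{port}: {n}")
    for src, touched in suspected_scanners(flows).items():
        print(f"possible scan from {src}: {touched}")
    for src, method, url in l7_denials(flows):
        print(f"L7 denied {src}: {method} {url}")
```

Pipe a live stream in with hubble observe -o json --verdict DROPPED --follow | python3 hubble_triage.py (the file name is assumed). The split between the two drop kinds matters when reading the output: the kernel datapath records a drop reason such as POLICY_DENIED on L3/L4 drops, whereas an L7 denial is a request the proxy refused, so it carries the HTTP method and URL instead.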
Final Notes and Review
To conclude, Cilium is a capable project that performs all the major functions of a CNI plugin and tracing tool to improve security for cloud native products. Its ability to gain industry acceptance in so short a time is commendable, but that rapid rise also exposes a problem common to open source plugins and packages: community support that has not always kept pace. In a race to make itself unique, some might be deterred by features Cilium lacks that some of the larger names share.
Nevertheless, the best way to get to know a new release or tool is to explore its major facets and take a short test drive: read the documentation, community forums and online tutorials. As always, tune in next week as we bring you another major release tied to the cloud.