Kubernetes Networking Deep Dive
Container Network Interface (CNI)
Cilium Overview
In this lesson, we’ll dive into Cilium, the Container Network Interface (CNI) solution used throughout this course. Developed by Isovalent, Cilium is available as an open source edition and a paid subscription. We’ll focus on the open source version.
CNCF Project and Adoption
Cilium is part of the Cloud Native Computing Foundation landscape. Originally released in 2015, it has seen rapid adoption—boasting nearly 20,000 stars on GitHub as of this recording.
Unified Networking, Observability & Security
Cilium delivers a single platform for:
- Networking
- Observability
- Security
Additionally, Cilium can function as:
- A service mesh
- A load balancer between services
- An encryption provider
Its flexibility and advanced capabilities make it ideal for modern cloud-native deployments.
How Cilium Works
At its core, Cilium leverages eBPF to implement a high-performance, Layer 3 network that is protocol-aware at Layer 7. It can replace kube-proxy and enforce network policies at Layers 3, 4, and 7.
Note
By using eBPF, Cilium achieves features like bandwidth management and fine-grained policy enforcement without kernel modifications.
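The capabilities listed above (kube-proxy replacement, bandwidth management, Hubble, and transparent encryption) are switched on through Cilium's Helm chart values. The following values file is an added illustration, not configuration taken from this lesson or from the Cilium project; the key names follow the Cilium Helm chart as of the 1.14 series and should be checked against the chart version you install. The API server address and port are placeholders that must be replaced with your own cluster's values.

```yaml
# values.yaml for "helm install cilium cilium/cilium -n kube-system -f values.yaml"
# Added example; check every key against the docs for your chart version.

# Run Cilium's eBPF service load balancing instead of kube-proxy.
# Because kube-proxy is absent, Cilium needs a direct route to the API server:
# the host and port below are placeholders for your control plane endpoint.
kubeProxyReplacement: true
k8sServiceHost: 10.0.0.10
k8sServicePort: 6443

# Per-pod egress bandwidth limits via the kubernetes.io/egress-bandwidth
# annotation, enforced in eBPF rather than by tc/iptables.
bandwidthManager:
  enabled: true

# Hubble flow observability: the agent exports flows, Relay aggregates them
# cluster-wide, and the UI renders service maps. Metrics feed Prometheus.
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
  metrics:
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - httpV2

# Transparent node-to-node encryption of pod traffic using WireGuard,
# so traffic between nodes is protected without changing the workloads.
encryption:
  enabled: true
  type: wireguard
```

After installation, `cilium status` (from the Cilium CLI) reports whether kube-proxy replacement, Hubble and encryption came up as configured; treat a `KubeProxyReplacement: Disabled` line or a `Partial` status as a sign that a prerequisite such as the kernel version or the API server endpoint was not met.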
eBPF Overview
eBPF (Extended Berkeley Packet Filter) is a Linux kernel technology that allows sandboxed programs to run safely in kernel space. Developers can inject custom logic at runtime—without adding kernel modules or changing kernel source code. Every program passes through the kernel's verifier before it is loaded, which rejects code that could loop unboundedly or access memory it does not own; that check is what makes attaching untrusted-looking logic to packet paths safe.
Use Case | Description |
---|---|
High-performance networking | Packet processing directly in the kernel |
Load balancing | Efficient traffic distribution |
Security enforcement | Stateful firewalls and IDS |
Packet filtering | Fine-grained packet selection |
Profiling & tracing | In-kernel observability and performance insights |
Cilium Agent
On every Kubernetes node, a Cilium agent manages the eBPF programs that handle container networking, security policies, and observability hooks.
Hubble: Observability & Security
Hubble is a distributed networking and security observability platform built on Cilium and eBPF. It provides visibility into:
- Pod-to-pod communications
- Service dependency maps
- Security events
- Multi-cluster traffic flows
Warning
Enabling Hubble in production requires careful consideration of resource usage and data retention policies.
Advanced Network Policies
Cilium supports both Layer 3/4 and Layer 7 policies, using workload identities derived from Kubernetes labels instead of IP addresses:
Layer | Controls | Protocols |
---|---|---|
3 & 4 | IP, CIDR, port-based allow/deny | TCP, UDP, ICMP |
7 | API-aware filtering and routing | HTTP, gRPC, Kafka |
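The policy below is an added example written for this lesson; it is not taken from the Cilium project or the original page. It combines both rows of the table in one `CiliumNetworkPolicy`: Layer 3 (identity from labels), Layer 4 (port and protocol) and Layer 7 (HTTP method and path), plus a DNS-based egress rule. The namespace `shop`, the labels `app: api` and `app: frontend`, the paths and the hostname `payments.example.com` are all made up for illustration.

```yaml
# Added example policy, not from the lesson. Selectors and names are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: shop
spec:
  # L3 identity: this policy applies to every pod in "shop" labelled app=api.
  # Once a pod is selected in a direction, everything not listed below is
  # denied in that direction (Cilium's default-deny on selection).
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        # L3: only pods with app=frontend in the same namespace may connect;
        # identity is derived from labels, so IP churn does not matter.
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            # L4: only TCP/8080.
            - port: "8080"
              protocol: TCP
          rules:
            # L7: of that TCP traffic, only these HTTP requests are allowed.
            # Anything else on 8080 gets an HTTP 403 from the Cilium proxy.
            http:
              - method: GET
                path: "/v1/products(/.*)?"
              - method: POST
                path: "/v1/orders"
  egress:
    # DNS to kube-dns, with DNS-aware L7 inspection. This rule is what lets
    # Cilium learn the IPs behind the toFQDNs entry below.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
    # Outbound HTTPS only to the payment provider, by name rather than CIDR.
    - toFQDNs:
        - matchName: "payments.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Two practical points follow from this shape. First, the L7 `rules` block makes Cilium redirect the selected flows through its Envoy proxy, so apply it only where the latency and the proxy's resource footprint are acceptable, and expect plaintext-only inspection (TLS traffic on 443 is allowed or denied at L3/L4 only). Second, the `toFQDNs` rule is only as good as the DNS rule above it: without DNS visibility Cilium has no IPs to map the name to, and the egress connection is dropped. Verify enforcement with Hubble, for example `hubble observe --namespace shop --verdict DROPPED`, before relying on the policy in production.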
Next Steps
Having covered Cilium’s architecture and components, the next step is to install and configure it in your Kubernetes cluster. Follow the Cilium Documentation for setup instructions and best practices.