We’re excited to announce that we now support Cilium in Gcore Managed Kubernetes. Cilium provides advanced networking and security capabilities, making it easier to manage large-scale Kubernetes deployments. It also offers flexible and robust network policy management, which is especially useful for organizations with strict security requirements. In this article, we’ll explore key Cilium features and benefits, compare it to Calico—another container network interface (CNI) that we support—and explain how to enable Cilium in Gcore Managed Kubernetes.
What Is Cilium?
Cilium is a CNI that provides powerful networking, security, and observability capabilities for container orchestration systems like Kubernetes. It’s based on eBPF (Extended Berkeley Packet Filter) technology, which allows it to handle networking functions at a high speed with minimal overhead. eBPF allows programs to run directly in the Linux kernel and offers broad functionality beyond basic filtering. As a result, Cilium enables the effortless management of clusters, with a larger number of pods and nodes than CNIs based on previous-generation technologies like iptables.
Cilium CNI is an open-source CNCF (Cloud Native Computing Foundation) project that reached the “Graduated” maturity level in 2023, indicating its stability for production environments. It has increasingly been integrated into managed Kubernetes services.
Key Features of Cilium
Cilium offers three main sets of features, respectively addressing networking, security, and observability. The most important elements of each are as follows.
Networking
- High performance: Enables the creation and removal of thousands of containers in seconds, allowing the management of large and dynamic container environments.
- L7 network policies: Supports OSI Layer 7 network policies for ingress and egress traffic based on application protocols such as HTTP and TCP. Traditional L3 and L4 policies are also supported.
- Layer 4 load balancer: Offers high-performance load balancing based on BGP, XDP, and eBPF.
- Gateway API: Enables advanced routing capabilities beyond the limitations of the Ingress API, such as header modification, traffic splitting, and URL rewriting. Gateway API also provides a fully functional, no-sidecar service mesh, eliminating the need for additional tools like Istio, and their associated recourse overhead.
Security
- Policy enforcement modes: Offers three levels of rule enforcement for how endpoints accept traffic, from less restrictive to more restrictive. These are suitable for organizations with varying security requirements.
- Inter-node traffic control: Supports cluster-wide, non-namespaced policies that allow you to specify nodes as source and destination. This makes it easy to filter traffic between different node groups.
- Transparent encryption: Enables pod-to-pod encryption. Features can be added, such as datapath encryption via in-kernel IPsec or WireGuard and automatic key rotation with overlapping keys.
Observability
- Service map: Supports integration with Hubble, which provides real-time monitoring of traffic and service interactions visually represented through a dynamic service connection diagram. Support for an out-of-the-box Hubble UI will be introduced in 2024.
- Metrics and tracing export: Enables a solution that empowers users to monitor and streamline their Kubernetes environments.
What Types of Workloads Can Benefit from Cilium?
Let’s take a look at some examples of workloads that can benefit significantly from using Cilium CNI.
Microservices: Cilium’s L7 awareness and granular security policies are well-suited for enforcing communication control between tightly coupled microservices that use API-level security for protocols, like HTTP and gRPC. Its eBPF-based performance helps maintain low latency and high throughput in highly dynamic microservice environments such as messaging systems and authentification-authorization services.
Security-sensitive workloads: Cilium’s identity-based security and advanced network policies strengthen security for workloads that require robust protection, such as financial services, government applications, and healthcare.
High-performance computing (HPC): Cilium’s efficient network processing and low latency provide benefits for HPC workloads that require fast and trusted communication between nodes. Examples of such workloads include analytical systems and database management systems.
Cilium vs. iptables-Based Calico
In Gcore Managed Kubernetes, we also provide another popular CNI: Calico, which is built on top of iptables. Calico, while simple and reliable, does not perform as well in large-scale clusters and lacks many of Cilium’s advanced features.
Calico adds complicated logic to container networking, like iptables PREROUTING, POSTROUTING, and FORWARD. In contrast, the eBPF implemented in Cilium doesn’t have extra layers of network abstraction; it works in the Linux kernel itself, which makes it very fast. Here is a comparison between iptables-based networking and eBPF-based networking that shows the additional logic in Calico.
As a result, Cilium passes more traffic with less delay than Calico, given the same resources and conditions. This enhanced throughput is a particular advantage for applications that require access to extensive data, media streaming services, and data upload/download services.
Until now, we couldn’t support deployments with more than 110 pods per node because of Calico’s technical limitations. With Cilium, we can support three times that number. Given that we offer Gcore Bare Metal worker nodes, this is a huge benefit for customers who prefer to run large Kubernetes clusters on bare metal servers.
However, if Calico meets your needs, you can still use it in your Gcore Managed Kubernetes clusters.
How to Enable Cilium in Gcore Managed Kubernetes
Select Cilium as your CNI when creating a Kubernetes cluster. The process is as follows:
- Log in to the Gcore Customer Portal. If you are not registered, sign up using your email, Google, or GitHub account.
- From the vertical menu on the left, select Cloud, open the Kubernetes tab, and click Create Cluster.
- In the “CNI Provider” section, select Cilium:
- Complete the cluster setup and click Create Cluster. If you need more information on how to configure a cluster, please refer to our Managed Kubernetes documentation.
- Once you have connected to your cluster, you can configure the necessary Cilium policies and use them in your Gcore Managed Kubernetes installation. For example, here is a policy to use a simple ingress rule to allow communication between endpoints with frontend and backend labels:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "l3-rule"
spec:
endpointSelector:
matchLabels:
role: backend
ingress:
- fromEndpoints:
- matchLabels:
role: frontend
See the Cilium documentation and GitHub for more examples of policies that you can customize to your needs.
You can also use Network Policy Editor, which provides a simple and user-friendly interface. It allows you to create policies and use the corresponding YAMLs in your Kubernetes clusters.
Future Plans: Hubble + Cilium
We plan to integrate out-of-the-box support for Hubble into Cilium later this year. Hubble, an open-source tool developed specifically for Cilium, automatically detects all services within a cluster and maps their interactions. This service map is accessible through any web browser. Using Hubble’s visualizations, you can gain a deeper understanding of service interdependencies and behaviors within your cluster, enabling quicker identification and resolution of network interaction issues.
We’ll keep you posted as the feature is released and explain its benefits in more detail.
Conclusion
We’re constantly working to enhance our offerings with the latest technologies to meet the evolving needs of our customers. Cilium represents one of these significant advancements. It integrates seamlessly into Gcore Managed Kubernetes, enabling our customers to use advanced networking and security capabilities without complex configuration or setup.
Gcore Managed Kubernetes takes care of setting up and maintaining Kubernetes cluster for you. Our team manages master nodes (control plane) while you maintain full control over your worker nodes. Choose from Virtual Instances and Bare Metal Servers as worker nodes, including those powered by GPU accelerators to boost your AI/ML workloads. We provide free, production-grade cluster management with a 99.9% SLA for your peace of mind.
