Cilium is a CNI plugin for Kubernetes that uses eBPF to implement networking, load balancing, observability, and security directly in the Linux kernel. Instead of iptables chains and kube-proxy, Cilium attaches eBPF programs at tc, XDP, and socket hooks to route packets between pods, enforce NetworkPolicy, and load-balance Services. On kernels with sufficient support it can replace kube-proxy entirely.
The implementation centers on a per-node agent (cilium-agent, written in Go) that compiles and loads eBPF programs, and a set of CRDs: CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy add Layer 7 (HTTP, Kafka, gRPC, DNS) policy on top of standard NetworkPolicy; CiliumEndpoint tracks per-pod identity; CiliumBGPPeeringPolicy speaks BGP directly from the node for integration with physical networks. Hubble is the observability layer — it taps the same eBPF datapath to produce flow logs, service maps, and metrics with near-zero overhead. Cluster Mesh connects multiple Kubernetes clusters into a single service namespace, and the Cilium Service Mesh provides sidecarless mTLS and L7 traffic management using the Envoy proxy embedded in the agent.
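To show what the Layer 7 policy mentioned above looks like, here is an added example (not taken from the page or from the Cilium project's own manifests) of a CiliumNetworkPolicy that restricts an API workload to two HTTP calls from one caller and limits its DNS lookups. The namespace, labels, port, paths, and DNS pattern are assumed values.

```yaml
# Added illustration; namespace, labels, port, paths and DNS pattern are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-allowlist
  namespace: shop
spec:
  # Pods this policy applies to. Once a policy selects an endpoint for a
  # direction, traffic in that direction that is not explicitly allowed is denied.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend            # identity-based match, not an IP range
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:                    # enforced by the node-local Envoy proxy
              - method: GET
                path: "/v1/orders/[0-9]+"   # path is a regular expression
              - method: POST
                path: "/v1/orders"
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:                     # only these names may be resolved
              - matchPattern: "*.shop.svc.cluster.local"
```

A standard NetworkPolicy could express only the port 8080 allowance; with the `http` rules, a request from `frontend` that uses any other method or path is rejected by the proxy with an HTTP 403 rather than reaching the application.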
Cilium became a CNCF Graduated project in October 2023 and is the CNI underneath GKE Dataplane V2, EKS, AKS (Azure CNI Powered by Cilium), and most new self-managed clusters. It competes with Calico, Flannel, and Antrea; in practice it has become the default choice for anyone building a new Kubernetes cluster today because of the combined networking, observability, and security story that eBPF enables. The commercial sponsor is Isovalent, acquired by Cisco in 2024.