Cilium Logo
Advocate Plumbing ↗️ CNCF Graduated Runtime / Cloud Native Network

Cilium

Official Website Documentation

License: Apache-2.0

🚀

Rawkode's Take

Personal opinion, not gospel

eBPF-powered networking that replaces kube-proxy, provides incredible observability with Hubble, and makes service mesh sidecars optional. The future of K8s networking.

🌶️

If you're still running Calico in 2024, you're leaving performance and observability on the table.

First Used 2020-06
Last Used Present
Confidence Deep XP
Videos 2

CNCF Project

Cloud Native Computing Foundation

Accepted: 2021-10-13
Incubating: 2021-10-13
Graduated: 2023-10-11
Dev Stats

Community

Join the conversation

Twitter/X Slack

Videos about Cilium

Introduction to Cilium (Part II)

Introduction to Cilium (Part II)

 Introduction to Cilium

Introduction to Cilium

Complete Guide

Comprehensive documentation, best practices, and getting started tutorials

Cilium is an open-source, cloud-native networking, security, and observability solution. It provides a modern approach to securing and connecting container workloads by leveraging eBPF (extended Berkeley Packet Filter) technology. This enables deep visibility and control over network traffic and application behavior at the Linux kernel level, providing significant performance benefits and enabling advanced security policies based on application identities rather than network addresses.

Cilium offers several key benefits, including network policy enforcement, service mesh functionality, load balancing, observability, and security for microservices architectures. Its main use cases involve securing Kubernetes clusters, providing fine-grained network policies based on application identities, implementing service mesh features without sidecars in some cases, and enabling advanced observability for debugging and troubleshooting distributed applications.

Cilium represents the future of Kubernetes networking and security. By leveraging eBPF (extended Berkeley Packet Filter), Cilium delivers unparalleled performance, deep observability, and advanced security features that traditional solutions simply cannot match.

What is Cilium?

Cilium is a cloud-native networking, observability, and security solution built on eBPF. It serves as a CNI (Container Network Interface) plugin for Kubernetes, providing networking between pods while adding powerful features for security, load balancing, and observability.

The eBPF Advantage: eBPF allows Cilium to run custom programs directly in the Linux kernel, providing visibility and control at the packet level without the overhead of traditional iptables or userspace proxies.

Why Cilium?

Traditional Networking vs. Cilium

Traditional Approach (iptables/netfilter):

  • Linear performance degradation as rules increase
  • IP-based policies only
  • Limited visibility into application protocols
  • Performance overhead from context switching

Cilium with eBPF:

  • Constant-time lookups regardless of rules
  • Identity-based policies (who, not where)
  • Protocol-aware (HTTP, gRPC, DNS, Kafka)
  • Kernel-level processing with minimal overhead

Key Benefits

  1. Performance: Up to 10x faster than iptables for large-scale deployments
  2. Security: Identity-based policies using labels, not IPs
  3. Observability: Deep insights into network flows and application protocols
  4. Service Mesh: Sidecar-free service mesh capabilities
  5. Multi-Cluster: Native multi-cluster networking with Cluster Mesh

Core Features

Network Policy Enforcement

Cilium enables fine-grained network policies based on:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l3-l4-policy
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP

Layer 7 (HTTP) Policies:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-http-policy
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: web
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"

Service Mesh Without Sidecars

Cilium Service Mesh provides service mesh features without sidecar proxies:

  • Load Balancing: Advanced L4/L7 load balancing
  • mTLS: Transparent encryption between services
  • Traffic Management: Canary deployments, A/B testing
  • Observability: Network flow metrics and tracing
apiVersion: cilium.io/v2
kind: CiliumEnvoyConfig
metadata:
  name: envoy-lb-listener
spec:
  services:
  - name: my-service
    namespace: default
  resources:
  - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
    name: envoy-lb-listener
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: "my-service" }

Hubble: Network Observability

Hubble provides deep network and application observability:

Terminal window
# Install Hubble CLI
cilium hubble enable --ui


# View network flows
hubble observe


# Filter by namespace
hubble observe --namespace kube-system


# Filter by pod
hubble observe --pod kube-system/coredns


# View HTTP flows
hubble observe --protocol http


# View DNS queries
hubble observe --protocol dns

Cluster Mesh: Multi-Cluster Networking

Connect multiple Kubernetes clusters with transparent service discovery and security:

Terminal window
# Enable Cluster Mesh
cilium clustermesh enable


# Connect clusters
cilium clustermesh connect --context cluster1 --destination-context cluster2

Services in cluster1 can now access services in cluster2 as if they were local!

Getting Started with Cilium

Installation

Prerequisites:

  • Kubernetes cluster (1.21+)
  • Linux kernel 4.9.17+ (5.10+ recommended)

Install Cilium CLI:

Terminal window
# Install Cilium CLI
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz{,.sha256sum}
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}

Install Cilium on your cluster:

Terminal window
# Install Cilium
cilium install


# Wait for Cilium to be ready
cilium status --wait


# Run connectivity test
cilium connectivity test

Verify Installation

Terminal window
# Check Cilium status
kubectl -n kube-system get pods -l k8s-app=cilium


# View Cilium agent logs
kubectl -n kube-system logs -l k8s-app=cilium --tail=100

Enable Hubble UI

Terminal window
# Enable Hubble
cilium hubble enable --ui


# Access Hubble UI
cilium hubble ui
# Opens http://localhost:12000

Common Use Cases

1. Zero Trust Security

Implement identity-based security policies:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
spec:
  endpointSelector: {}
  ingress:
  - {}
  egress:
  - {}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-specific
spec:
  endpointSelector:
    matchLabels:
      app: myapp
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend

2. Service Mesh Migration

Adopt service mesh features incrementally without sidecars:

  • Start with Cilium CNI for networking
  • Enable mTLS for service-to-service encryption
  • Add L7 policies for HTTP/gRPC traffic management
  • Implement traffic splitting for canary deployments

3. Multi-Cloud Networking

Connect clusters across cloud providers:

Terminal window
# Cluster1 (AWS)
cilium install --set cluster.name=aws-cluster --set cluster.id=1


# Cluster2 (GCP)
cilium install --set cluster.name=gcp-cluster --set cluster.id=2


# Connect them
cilium clustermesh enable
cilium clustermesh connect

4. Advanced Load Balancing

Replace kube-proxy with eBPF-based load balancing:

Terminal window
cilium install --set kubeProxyReplacement=strict

Benefits:

  • Better performance (eBPF vs. iptables)
  • Direct server return (DSR)
  • Maglev consistent hashing
  • Source IP preservation

Best Practices

Network Policy Strategy

  1. Default Deny: Start with default-deny and whitelist what’s needed
  2. Namespace Isolation: Use namespace selectors for broader policies
  3. Incremental Adoption: Apply policies gradually to avoid breaking services
  4. Testing: Use policy audit mode before enforcement
# Audit mode (log but don't enforce)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: audit-policy
  annotations:
    policy.cilium.io/mode: "audit"
spec:
  endpointSelector:
    matchLabels:
      app: myapp
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: frontend

Performance Tuning

  1. Enable eBPF Host Routing: Bypass iptables entirely
  2. Use Native Routing: When possible, use native routing mode
  3. Maglev Hashing: Enable for consistent load balancing
  4. Bandwidth Manager: Enable for fair queuing and better network utilization
# Helm values for performance
config:
  enableIPv4Masquerade: false
  enableBPFMasquerade: true
  kubeProxyReplacement: "strict"
  loadBalancer:
    algorithm: "maglev"
  bandwidthManager:
    enabled: true

Security Hardening

  1. Enable WireGuard Encryption: Transparent encryption for all pod traffic
  2. DNS Policies: Control DNS queries from pods
  3. TLS Inspection: Inspect encrypted traffic (carefully!)
  4. Runtime Security: Integrate with Tetragon for runtime enforcement
Terminal window
# Enable WireGuard encryption
cilium install --set encryption.enabled=true --set encryption.type=wireguard

Cilium vs. Alternatives

Cilium vs. Calico

FeatureCiliumCalico
TechnologyeBPFiptables/eBPF
PerformanceExcellentGood
L7 PoliciesNativeVia Istio
Service MeshBuilt-inRequires Istio
ObservabilityHubble (excellent)Limited
Learning CurveModerateLower

Cilium vs. Istio

FeatureCiliumIstio
ArchitectureeBPF in kernelSidecar proxies
PerformanceMinimal overhead10-30% overhead
ComplexityLowerHigher
FeaturesNetworking + MeshService Mesh only
MaturityMature (CNCF Graduated)Very mature

Troubleshooting

Terminal window
# Check Cilium status
cilium status


# View agent logs
kubectl -n kube-system logs -l k8s-app=cilium


# Connectivity test
cilium connectivity test


# Monitor policy verdicts
hubble observe --verdict DROPPED


# Debug specific pod
kubectl exec -n kube-system ds/cilium -- cilium endpoint list


# Check eBPF maps
kubectl exec -n kube-system ds/cilium -- cilium bpf lb list

Learning Path

Beginner

  1. Understand eBPF basics and benefits
  2. Install Cilium on a test cluster
  3. Deploy simple applications with network policies
  4. Explore Hubble UI for network observability
  5. Learn basic troubleshooting

Intermediate

  1. Implement L7 (HTTP/gRPC) policies
  2. Enable and configure Hubble
  3. Replace kube-proxy with Cilium
  4. Set up Cluster Mesh for multi-cluster
  5. Implement service mesh features

Advanced

  1. Performance tuning and optimization
  2. Advanced security with Tetragon
  3. Custom eBPF programs
  4. Multi-cloud networking architecture
  5. Contribute to Cilium project

Conclusion

Cilium represents the cutting edge of Kubernetes networking and security. By leveraging eBPF, it delivers performance, visibility, and security capabilities that weren’t possible with traditional solutions.

Whether you’re looking to improve network performance, implement zero-trust security, or adopt service mesh features without the overhead of sidecars, Cilium is worth serious consideration.

Start with basic networking, add policies incrementally, and gradually explore advanced features like service mesh and multi-cluster networking.

Ready to see Cilium in action? Check out our hands-on videos and tutorials below for real-world examples and advanced configurations.