Thomas Graf on Cilium, the 1.6 Release, eBPF Security, & the Road Ahead
01 Oct 2024
Cilium's Features and Capabilities
- Cilium is an internal high-performance service mesh that leverages eBPF, providing network and application layer security policies based on container pod identity. (36s)
- Cilium goes beyond layers 3 and 4 to understand API calls, allowing for restrictions on HTTP calls and database access at the table or key level. (2m27s)
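To make the identity-based, layer 7 enforcement described above concrete, here is a CiliumNetworkPolicy of the kind Cilium evaluates. It is an added example, not a manifest from the interview or the Cilium project; the namespace `shop`, the labels `app: api` and `app: frontend`, the port 8080 and the path prefix are all assumed values.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-frontend-get-products   # assumed name
  namespace: shop                     # assumed namespace
spec:
  # Pod identity, not IP address, selects the protected workload, so the
  # policy keeps applying when pods are rescheduled and change addresses.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # Layer 3/4 part: only pods carrying app=frontend may reach TCP/8080.
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # Layer 7 part: of the HTTP requests on that port, only GET requests
          # whose path matches /products/.* are allowed; POST, DELETE, or any
          # other path from the same frontend pods is denied and shows up as
          # a dropped flow in Cilium's visibility data.
          rules:
            http:
              - method: "GET"
                path: "/products/.*"
```

Traffic from any pod without the `app: frontend` label is still dropped at layer 3/4 before any HTTP parsing happens; the L7 rule only narrows what the already-allowed peers may do.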
Cilium's User Base and Release Cycle
- Cilium 1.6 introduced policy scalability enhancements, enabling policy enforcement across numerous clusters and handling large-scale deployments with up to 100,000 pods. (8m39s)
- Cilium leverages eBPF and hash tables for efficient service entry retrieval, ensuring consistent latency regardless of the number of Kubernetes services. (10m54s)
Cilium's Load Balancing and AWS Integration
- Cilium's socket-based load balancing operates at the system call layer, translating addresses within the system call and eliminating the need for IP address translation during the TCP connection. (11m53s)
- Cilium 1.6 introduces a native AWS mode using an operator-based approach for IP allocation, enhancing scalability for users with large deployments on AWS, particularly those utilizing auto-scaling and running hundreds or thousands of nodes. (14m42s)
Cilium's Encryption and Visibility
- Cilium provides transparent encryption using IPsec and, in the future, WireGuard. This allows for encryption of all traffic between any parts of a cluster regardless of the protocol being used. (17m10s)
- Cilium's ability to see everything before encryption allows it to provide extensive APIs for metrics and flow data, ensuring visibility is not lost despite the encryption. (17m51s)
Cilium's Security and eBPF
- Spectre and Meltdown exploits, while leveraging eBPF, were not eBPF-specific bugs. Spectre and Meltdown were mitigated using L1 terminal fault patches. (20m6s)
- Cilium will be adding more features at the socket level and will continue to provide some of the value of a service mesh, such as layer 7 aware authorization and encryption. (23m4s)
Cilium's Future Development and Integration
- Cilium will not be providing layer 7 load balancing but will focus on providing transparent encryption across a large number of nodes and extensive local load balancing with multi-cluster logic. (23m26s)
- Cilium will be adding process-level security to Kubernetes, allowing users to define fine-grained security policies that can restrict what processes within a pod can communicate with each other and with external services. (24m21s)
- Cilium is not intended to replace service meshes and works well with other service meshes. (25m46s)
- Cilium can be used to accelerate Istio service mesh usage and reduce latency. (26m24s)
- Cilium provides options for managing and enforcing layer 7 policies, including integration with Istio. (26m14s)