# Cilium — eBPF-Powered Cloud Native Networking & Security

> Cilium provides high-performance networking, observability, and security for Kubernetes using eBPF. CNI plugin, service mesh, and network policy — all kernel-level.

## Quick Use

```bash
# Install the Cilium CLI (Homebrew on macOS/Linux)
brew install cilium-cli

# Install Cilium into the cluster of the current kubectl context
cilium install

# Verify installation
cilium status --wait
cilium connectivity test
```

## Intro

**Cilium** is an open-source cloud-native networking, observability, and security platform powered by eBPF (extended Berkeley Packet Filter). By attaching eBPF programs inside the Linux kernel, Cilium implements CNI, service mesh, and network policy in the kernel data path itself, which gives it performance and per-flow visibility that iptables-based solutions do not have.

With 24.1K+ GitHub stars and an Apache-2.0 license, Cilium is a CNCF graduated project used by Google, Datadog, Capital One, and thousands of organizations for production Kubernetes networking at scale.
## What Cilium Does

- **CNI Plugin**: Container Network Interface for Kubernetes pod networking
- **Network Policies**: L3-L7 policies (HTTP, gRPC, Kafka) beyond Kubernetes NetworkPolicy
- **Service Mesh**: Sidecar-free service mesh (eBPF for L4, a per-node Envoy proxy for L7) as an alternative to Istio
- **Load Balancing**: High-performance L4/L7 load balancing for Services
- **Observability**: Deep network visibility via Hubble (connections, policies, DNS)
- **Encryption**: Transparent IPsec or WireGuard encryption between nodes
- **Cluster Mesh**: Multi-cluster networking across regions/clouds
- **Egress Gateway**: Route egress traffic through specific gateway nodes
- **eBPF-based**: Kernel-level packet processing, no sidecars, no iptables

## Architecture

```
┌─────────────────────────────────────────┐
│              Kubernetes Pod             │
│              ┌─────────┐                │
│              │   App   │                │
│              └────┬────┘                │
└───────────────────┼─────────────────────┘
                    │
        ┌───────────▼─────────┐
        │     Linux Kernel    │
        │  ┌───────────────┐  │
        │  │ eBPF Programs │  │
        │  │ - Routing     │  │
        │  │ - Policy      │  │
        │  │ - Load balance│  │
        │  │ - Encryption  │  │
        │  └───────────────┘  │
        └───────────┬─────────┘
                    │
              ┌─────▼─────┐     ┌──────────┐
              │  Cilium   │────▶│  Hubble  │
              │  Agent    │     │(Observe) │
              └───────────┘     └──────────┘
```

## Installation

### Quick Install

```bash
# Install the Cilium CLI (Linux x86-64) and verify the release checksum before unpacking
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin

# Install Cilium (pin the version you have tested)
cilium install --version 1.14.0

# Install Hubble observability
cilium hubble enable --ui
cilium hubble port-forward &
```

### Helm Install

```bash
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium \
  --namespace kube-system \
  --set kubeProxyReplacement=strict \
  --set k8sServiceHost=$API_SERVER_IP \
  --set k8sServicePort=$API_SERVER_PORT \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true
```

`k8sServiceHost`/`k8sServicePort` are required when kube-proxy is replaced: without kube-proxy the agent cannot reach the API server through the `kubernetes` ClusterIP, so it must be told the endpoint directly. `kubeProxyReplacement=strict` is the value for Cilium 1.14; from 1.16 onwards the setting only accepts `true`/`false`.

## Key Features

### L7 Network Policies

```yaml
# Allow only specific HTTP methods/paths
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-specific-api
spec:
  endpointSelector:
    matchLabels:
      app: backend-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: /api/v1/public/.*
        - method: POST
          path: /api/v1/users
          headers:
          - "X-API-Key: required"
```

Three things to keep in mind when writing rules like this. `method` and `path` are regular expressions matched against the whole value, so `/api/v1/public/.*` admits `/api/v1/public/health` but not `/api/v1/publicx`. A `headers` entry is `"Name: value"` and is an exact match on the value: `"X-API-Key: required"` only admits requests whose `X-API-Key` header is literally `required`; there is no "any value" keyword, and the policy cannot validate a secret, only check for a fixed string. Finally, as soon as a port carries `rules.http`, traffic from the allowed sources is redirected through the node-local Envoy proxy, which must see plaintext HTTP; a request that matches none of the rules is answered with an HTTP 403 from the proxy rather than being dropped at L4.

### Hubble Observability

```bash
# Real-time flow monitoring
hubble observe --since 1m

# Filter by namespace and verdict
hubble observe --namespace production --verdict DROPPED

# Track DNS queries (--protocol selects the L4/L7 protocol; --type is for event types such as drop, l7, policy-verdict)
hubble observe --protocol dns

# HTTP traffic with details
hubble observe --protocol http --output json

# Which pods talk to each other?
hubble observe --from-label app=frontend --to-label app=backend
```

Hubble UI provides a visual service map showing all traffic flows:

```
[frontend] ──HTTP──▶ [backend] ──MySQL──▶ [database]
     │                   │
     │                   │
     └───────DNS────▶ [coredns] ◀────┘
```

### Encryption Between Nodes

```yaml
# WireGuard encryption for all inter-node traffic (Flux HelmRelease values; chart source omitted)
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cilium
spec:
  values:
    encryption:
      enabled: true
      type: wireguard
      nodeEncryption: true
```

Encryption covers traffic between Cilium-managed endpoints on different nodes; traffic that never leaves a node is not encrypted, and traffic to hosts Cilium does not manage is only covered as far as `nodeEncryption` and the chosen mode allow. Verify the state from inside an agent pod with `cilium encrypt status` (the binary is called `cilium-dbg` in newer releases), which lists the `cilium_wg0` interface and the number of peers.

### Cluster Mesh

Connect multiple Kubernetes clusters:

```bash
# Enable cluster mesh. Each cluster needs a unique cluster.name and cluster.id,
# and the pod CIDRs must not overlap.
cilium clustermesh enable --context cluster1
cilium clustermesh enable --context cluster2

# Connect clusters and wait until both sides report ready
cilium clustermesh connect --context cluster1 --destination-context cluster2
cilium clustermesh status --context cluster1 --wait

# Services annotated service.cilium.io/global: "true" in both clusters
# are now accessible from cluster1 via standard Kubernetes DNS
```

### Load Balancer Replacement

Cilium can replace kube-proxy entirely with eBPF-based service load balancing:

```bash
cilium install --set kubeProxyReplacement=strict   # Cilium 1.14; use =true on 1.16+

# Confirm the eBPF service path is active (status is printed by the agent, not the CLI)
kubectl -n kube-system exec ds/cilium -- cilium status | grep KubeProxyReplacement

# Benefits:
# - Higher performance (no iptables)
# - Lower latency
# - Socket-level load balancing
# - Direct Server Return (DSR)
```

## Why eBPF?
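The request-matching semantics of the `allow-specific-api` policy above, as an added example (this is not Cilium's code and not part of the original page): a small Python evaluator that applies a CiliumNetworkPolicy of that shape to candidate requests the way the per-node Envoy proxy would decide them. It generalizes beyond the single policy shown: any number of ingress rules, ports and HTTP rules are handled. Assumptions: the policy dict is a transliteration of the YAML, Python's `re.fullmatch` stands in for Envoy's RE2 full match, and the verdict strings `FORWARDED`, `DROPPED` and `HTTP 403` are the example's own labels for the three outcomes.

```python
"""Evaluate HTTP requests against a CiliumNetworkPolicy with L7 http rules.

Added example, not Cilium code. Modelled semantics:
  * fromEndpoints / toPorts are checked first (L3/L4); a source matching no
    ingress rule is dropped before any HTTP parsing happens;
  * once a port carries rules.http, a request from an allowed source must match
    at least one rule, otherwise the proxy answers HTTP 403;
  * method and path are regexes matched against the whole value (re.fullmatch
    stands in for Envoy's RE2 full match);
  * each headers entry "Name: value" must be present with exactly that value.
"""
import re
from typing import Dict, Optional, Tuple

# The allow-specific-api policy from the YAML, transliterated to a dict (constructed here).
POLICY = {
    "endpointSelector": {"matchLabels": {"app": "backend-api"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
        "toPorts": [{
            "ports": [{"port": "8080", "protocol": "TCP"}],
            "rules": {"http": [
                {"method": "GET", "path": "/api/v1/public/.*"},
                {"method": "POST", "path": "/api/v1/users",
                 "headers": ["X-API-Key: required"]},
            ]},
        }],
    }],
}


def _labels_match(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every selector label must be present with that value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _http_rule_matches(rule: dict, method: str, path: str, headers: Dict[str, str]) -> bool:
    """One http rule: all present fields must match; headers are exact-value matches."""
    if "method" in rule and not re.fullmatch(rule["method"], method):
        return False
    if "path" in rule and not re.fullmatch(rule["path"], path):
        return False
    for entry in rule.get("headers", []):
        name, _, value = entry.partition(":")
        # Header names are case-insensitive in HTTP; the value is compared exactly.
        if headers.get(name.strip().lower()) != value.strip():
            return False
    return True


def evaluate(policy: dict, src_labels: Dict[str, str], port: int, proto: str,
             method: str, path: str,
             headers: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return (verdict, reason): FORWARDED, DROPPED (L3/L4) or HTTP 403 (L7)."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    for ingress in policy["ingress"]:
        if not any(_labels_match(sel, src_labels) for sel in ingress["fromEndpoints"]):
            continue
        for to_port in ingress["toPorts"]:
            if not any(int(p["port"]) == port and p["protocol"] == proto
                       for p in to_port["ports"]):
                continue
            http_rules = to_port.get("rules", {}).get("http")
            if not http_rules:
                return "FORWARDED", "L4 allow, no L7 rules on this port"
            for i, rule in enumerate(http_rules):
                if _http_rule_matches(rule, method, path, hdrs):
                    return "FORWARDED", f"matched http rule #{i}"
            return "HTTP 403", "source allowed at L4 but no http rule matched"
    return "DROPPED", "no ingress rule allows this source/port (policy denied)"


if __name__ == "__main__":
    frontend = {"app": "frontend"}
    cases = [
        (frontend, 8080, "TCP", "GET", "/api/v1/public/health", {}),
        (frontend, 8080, "TCP", "GET", "/api/v1/publicx", {}),
        (frontend, 8080, "TCP", "POST", "/api/v1/users", {}),
        (frontend, 8080, "TCP", "POST", "/api/v1/users", {"X-API-Key": "required"}),
        (frontend, 8080, "TCP", "POST", "/api/v1/users", {"X-API-Key": "s3cr3t"}),
        ({"app": "batch"}, 8080, "TCP", "GET", "/api/v1/public/health", {}),
    ]
    for c in cases:
        print(c[3], c[4], c[5], "->", evaluate(POLICY, *c))
```

The fifth case is the one to look at: a frontend pod sending a real-looking key gets a 403, because `"X-API-Key: required"` matches only the literal value `required`. Header rules gate on a fixed string; authentication of the key still has to happen in the application.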
Traditional Kubernetes networking uses iptables, which has limitations:

```
iptables (kube-proxy):
  → rules grow linearly with services: 1000 services = 10,000+ iptables rules
  → each packet is matched against the rule chain in order
  → significant per-packet CPU overhead at scale

eBPF (Cilium):
  → in-kernel, hash-based lookup in eBPF maps
  → roughly constant cost regardless of service count
  → claimed 10-100x improvement in service-lookup cost at high service counts
  → no iptables in the service path (with kube-proxy replacement enabled)
```

## Cilium vs Alternatives

| Feature | Cilium | Calico | Flannel | Istio |
|---------|--------|--------|---------|-------|
| CNI | Yes | Yes | Yes | Uses CNI |
| eBPF | Native | Optional | No | No |
| Network Policy | L3-L7 | L3-L4 | No | L7 (mesh) |
| Service Mesh | Yes (sidecar-free) | No | No | Yes (sidecar) |
| Observability | Hubble | Flow logs | No | Kiali |
| Encryption | WireGuard/IPsec | WireGuard | No | mTLS |
| Multi-cluster | ClusterMesh | Federation | No | Multi-cluster |
| Performance | Very high | High | Medium | Medium (sidecars) |

## Hubble Metrics & Prometheus

```bash
# Enable Prometheus metrics (defaults: agent on :9962, operator on :9963, Hubble on :9965)
cilium install \
  --set prometheus.enabled=true \
  --set operator.prometheus.enabled=true \
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}"
```

```yaml
# Scrape in Prometheus: keep pods carrying the k8s-app=cilium label
- job_name: cilium
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_label_k8s_app]
    action: keep
    regex: cilium
```

## FAQ

**Q: Cilium or Istio?**
A: Istio is a mature, feature-complete service mesh, but its sidecar model carries performance and resource overhead. Cilium Service Mesh uses eBPF for a sidecar-free architecture with higher performance but a smaller feature set. If you want maximum performance and low resource usage, choose Cilium. If you need full traffic management and security policy, Istio is more mature.

**Q: Which kernel version is required?**
A: Cilium requires Linux kernel 4.19+ (full functionality needs 5.10+). Most modern distributions (Ubuntu 22.04+, RHEL 9+) meet this. The default kernels of the managed Kubernetes services (EKS, GKE, AKS) are all supported.

**Q: Is the learning curve steep?**
A: Basic use (CNI + Network Policy) is not hard and resembles other CNIs. Advanced features (eBPF debugging, Hubble analysis, Cluster Mesh) require some investment. The official documentation and tutorials are very thorough.

## Sources & Credits

- GitHub: [cilium/cilium](https://github.com/cilium/cilium) — 24.1K+ ⭐ | Apache-2.0
- Website: [cilium.io](https://cilium.io)

---
Source: https://tokrepo.com/en/workflows/30500e42-3535-11f1-9bc6-00163e2b0d79
Author: AI Open Source
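As an added example for the Hubble `--output json` and `drop` metric material above (example code, not Hubble's own and not part of the original page): a script that reads `hubble observe --verdict DROPPED -o json` lines and groups the drops by source pod, destination pod, port and reason, which is the breakdown a policy author needs to see which CiliumNetworkPolicy gap produced them. The JSON field names follow Hubble's flow JSON as I know it (`verdict`, `Type`, `drop_reason_desc`, `source`/`destination` with `namespace`, `pod_name` and `labels`, `l4.TCP.destination_port`, `l7.http`); the flow lines themselves are constructed for the example, not captured from a cluster, and include a truncated line to show how a cut-off stream is handled.

```python
"""Summarise policy drops from `hubble observe -o json` output.

Added example, not Hubble code. Hubble prints one JSON object per flow, with
the flow itself under the "flow" key. L3/L4 drops carry drop_reason_desc
(e.g. POLICY_DENIED); L7 drops from the Envoy proxy carry the denied request
under l7.http instead, so both are folded into one reason string here.
"""
import json
from collections import Counter
from typing import Iterable, List

# Constructed sample lines (the last one is deliberately truncated).
SAMPLE_LINES = """
{"flow":{"verdict":"DROPPED","Type":"L3_L4","drop_reason_desc":"POLICY_DENIED","traffic_direction":"INGRESS","source":{"namespace":"production","pod_name":"batch-7c9d","labels":["k8s:app=batch"]},"destination":{"namespace":"production","pod_name":"backend-api-1","labels":["k8s:app=backend-api"]},"l4":{"TCP":{"source_port":41822,"destination_port":8080}}},"node_name":"worker-1","time":"2024-05-01T10:00:00Z"}
{"flow":{"verdict":"DROPPED","Type":"L3_L4","drop_reason_desc":"POLICY_DENIED","traffic_direction":"INGRESS","source":{"namespace":"production","pod_name":"batch-7c9d","labels":["k8s:app=batch"]},"destination":{"namespace":"production","pod_name":"backend-api-1","labels":["k8s:app=backend-api"]},"l4":{"TCP":{"source_port":41823,"destination_port":8080}}},"node_name":"worker-1","time":"2024-05-01T10:00:01Z"}
{"flow":{"verdict":"DROPPED","Type":"L7","traffic_direction":"INGRESS","source":{"namespace":"production","pod_name":"frontend-5f6b","labels":["k8s:app=frontend"]},"destination":{"namespace":"production","pod_name":"backend-api-1","labels":["k8s:app=backend-api"]},"l4":{"TCP":{"source_port":51000,"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"POST","url":"http://backend-api:8080/api/v1/users","protocol":"HTTP/1.1"}}},"node_name":"worker-1","time":"2024-05-01T10:00:02Z"}
{"flow":{"verdict":"FORWARDED","Type":"L7","traffic_direction":"INGRESS","source":{"namespace":"production","pod_name":"frontend-5f6b","labels":["k8s:app=frontend"]},"destination":{"namespace":"production","pod_name":"backend-api-1","labels":["k8s:app=backend-api"]},"l4":{"TCP":{"source_port":51001,"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://backend-api:8080/api/v1/public/health","protocol":"HTTP/1.1"}}},"node_name":"worker-1","time":"2024-05-01T10:00:03Z"}
{"flow":{"verdict":"DROPPED","Type":"L3_L4","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"prod
"""


def parse_flows(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line Hubble output; skip blank and truncated lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            flows.append(json.loads(line)["flow"])
        except (ValueError, KeyError):
            continue  # e.g. the last line of a stream cut off by a closed port-forward
    return flows


def endpoint_name(ep: dict) -> str:
    """namespace/pod for Kubernetes endpoints, identity number otherwise."""
    pod = ep.get("pod_name") or "identity:" + str(ep.get("identity", "?"))
    return f"{ep.get('namespace', '?')}/{pod}"


def dest_port(flow: dict) -> str:
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP"):
        if proto in l4:
            return f"{proto}/{l4[proto].get('destination_port')}"
    return "-"


def drop_reason(flow: dict) -> str:
    """L7 drops describe the denied request; L3/L4 drops carry drop_reason_desc."""
    if flow.get("Type") == "L7":
        http = flow.get("l7", {}).get("http", {})
        return f"L7 policy ({http.get('method', '?')} {http.get('url', '?')})"
    return flow.get("drop_reason_desc", "UNKNOWN")


def summarize_drops(flows: Iterable[dict]) -> Counter:
    """Count DROPPED flows per (source, destination, port, reason)."""
    drops: Counter = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED":
            continue
        key = (endpoint_name(f.get("source", {})), endpoint_name(f.get("destination", {})),
               dest_port(f), drop_reason(f))
        drops[key] += 1
    return drops


def format_report(drops: Counter) -> List[str]:
    """One line per group, most frequent first."""
    return [f"{n:>5}  {src} -> {dst} {port}  [{reason}]"
            for (src, dst, port, reason), n in drops.most_common()]


if __name__ == "__main__":
    # Real use: hubble observe --verdict DROPPED -o json | python3 this_script.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    for line in format_report(summarize_drops(parse_flows(source))):
        print(line)
```

Read against the `allow-specific-api` policy: the two `POLICY_DENIED` drops from `batch-7c9d` are L3/L4 drops (no ingress rule admits that label), while the `frontend-5f6b` entry is an L7 proxy denial of a `POST /api/v1/users` that reached Envoy but matched no http rule. The same split is what the Hubble `drop` metric exports by reason label; this script just keeps the per-pod detail that the aggregate metric loses.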