What Cilium Does
- CNI Plugin: Container Network Interface for Kubernetes pod networking
- Network Policies: L3-L7 policies (HTTP, gRPC, Kafka) beyond Kubernetes NetworkPolicy
- Service Mesh: Sidecar-free service mesh using eBPF (alternative to Istio)
- Load Balancing: High-performance L4/L7 load balancing for Services
- Observability: Deep network visibility via Hubble (connections, policies, DNS)
- Encryption: Transparent IPsec or WireGuard encryption between nodes
- Cluster Mesh: Multi-cluster networking across regions/clouds
- Egress Gateway: Route egress traffic through specific gateway nodes
- eBPF-based: Kernel-level packet processing, no sidecars, no iptables
Architecture
```
┌─────────────────────────────┐
│       Kubernetes Pod        │
│        ┌─────────┐          │
│        │   App   │          │
│        └────┬────┘          │
└─────────────┼───────────────┘
              │
      ┌───────▼──────────┐
      │  Linux Kernel    │
      │ ┌──────────────┐ │
      │ │eBPF Programs │ │
      │ │- Routing     │ │
      │ │- Policy      │ │
      │ │- Load balance│ │
      │ │- Encryption  │ │
      │ └──────────────┘ │
      └───────┬──────────┘
              │
      ┌───────▼───┐     ┌──────────┐
      │  Cilium   │────▶│  Hubble  │
      │  Agent    │     │(Observe) │
      └───────────┘     └──────────┘
```

Installation
Quick Install
```bash
# Install Cilium CLI
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin

# Install Cilium
cilium install --version 1.14.0

# Install Hubble observability
cilium hubble enable --ui
cilium hubble port-forward &
```

Helm Install
```bash
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --namespace kube-system \
  --set kubeProxyReplacement=strict \
  --set k8sServiceHost=$API_SERVER_IP \
  --set k8sServicePort=$API_SERVER_PORT \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true
```

Key Features
L7 Network Policies
```yaml
# Allow only specific HTTP methods/paths
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-specific-api
spec:
  endpointSelector:
    matchLabels:
      app: backend-api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: /api/v1/public/.*
        - method: POST
          path: /api/v1/users
          # a "Name: value" header entry is matched literally, so this rule only
          # matches requests whose X-API-Key header is exactly "required"
          headers:
          - "X-API-Key: required"
```

Hubble Observability
```bash
# Real-time flow monitoring
hubble observe --since 1m

# Filter by namespace and verdict
hubble observe --namespace production --verdict DROPPED

# Track DNS queries
hubble observe --protocol dns

# HTTP traffic with details
hubble observe --protocol http --output json

# Which pods talk to each other?
hubble observe --from-label app=frontend --to-label app=backend
```

Hubble UI provides a visual service map showing all traffic flows.
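As an added example (not Cilium's or Hubble's own code), the following Python script replays HTTP requests recorded by `hubble observe --protocol http -o json` against a model of the L7 policy above, so you can see which requests a policy would deny before applying it. It models only the `http` rules (not the `fromEndpoints` selector) and assumes the Hubble JSON field names used in the constructed sample (`flow.l7.type`, `flow.l7.http.method/url/headers`).

```python
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Model of the policy's http rules (added example, not Cilium's engine): method and
# path are anchored regexes; "Name: value" headers must match the value exactly.
HTTP_RULES = [
    {"method": "GET", "path": r"/api/v1/public/.*"},
    {"method": "POST", "path": r"/api/v1/users", "headers": ["X-API-Key: required"]},
]

def header_ok(spec: str, headers: dict) -> bool:
    name, sep, want = spec.partition(":")  # a bare "Name" only requires presence
    have = headers.get(name.strip().lower())
    return have is not None and (not sep or have == want.strip())

def allowed(method: str, path: str, headers: dict) -> bool:
    """True if any rule fully matches; otherwise Cilium's proxy answers HTTP 403."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    return any(
        re.fullmatch(r["method"], method) and re.fullmatch(r["path"], path)
        and all(header_ok(h, hdrs) for h in r.get("headers", []))
        for r in HTTP_RULES)

def dry_run(hubble_json_lines: str) -> Counter:
    """Replay `hubble observe --protocol http -o json` (one flow per line); counts (verdict, method, path)."""
    result = Counter()
    for line in hubble_json_lines.splitlines():
        l7 = json.loads(line)["flow"].get("l7", {})
        if l7.get("type") != "REQUEST" or "http" not in l7:
            continue  # only requests carry the method/path that is decided
        http = l7["http"]
        path = urlparse(http["url"]).path
        headers = {h["key"]: h["value"] for h in http.get("headers", [])}
        verdict = "ALLOW" if allowed(http["method"], path, headers) else "DENY"
        result[(verdict, http["method"], path)] += 1
    return result

# Constructed sample flows, trimmed to the fields used above
# (flow.l7.type, flow.l7.http.method/url/headers); real output has many more.
SAMPLE_FLOWS = "\n".join(json.dumps({"flow": {"l7": {"type": "REQUEST", "http": h}}}) for h in [
    {"method": "GET", "url": "http://backend-api:8080/api/v1/public/health", "headers": []},
    {"method": "GET", "url": "http://backend-api:8080/api/v1/users", "headers": []},
    {"method": "POST", "url": "http://backend-api:8080/api/v1/users", "headers": [{"key": "X-API-Key", "value": "required"}]},
    {"method": "POST", "url": "http://backend-api:8080/api/v1/users", "headers": [{"key": "X-API-Key", "value": "s3cret"}]},
])

if __name__ == "__main__":
    print(*sorted(dry_run(SAMPLE_FLOWS).items()), sep="\n")
```

The fourth sample request is denied because the header value is compared literally; Hubble UI draws the same flow records as the service map sketched next.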
```
[frontend] ──HTTP──▶ [backend] ──MySQL──▶ [database]
     │                   │
     │                   │
     └───────DNS─────────┴──▶ [coredns]
```

Encryption Between Nodes
```yaml
# WireGuard encryption for all inter-node traffic
# (HelmRelease values fragment; the chart source fields are not shown here)
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cilium
spec:
  values:
    encryption:
      enabled: true
      type: wireguard
      nodeEncryption: true
```

Cluster Mesh
Connect multiple Kubernetes clusters:
```bash
# Enable cluster mesh
cilium clustermesh enable --context cluster1
cilium clustermesh enable --context cluster2

# Connect clusters
cilium clustermesh connect --context cluster1 --destination-context cluster2

# Services in cluster2 are now accessible from cluster1
# via standard Kubernetes DNS (a Service is only shared across the mesh
# when it carries the annotation service.cilium.io/global: "true")
```

Load Balancer Replacement
Cilium can replace kube-proxy entirely with eBPF-based service load balancing:
```bash
cilium install --set kubeProxyReplacement=strict

# Benefits:
# - Higher performance (no iptables)
# - Lower latency
# - Socket-level load balancing
# - Direct Server Return (DSR)
```

Why eBPF?
Traditional Kubernetes networking uses iptables, which has limitations:

iptables (kube-proxy): rules grow linearly with services
→ 1000 services = 10,000+ iptables rules
→ Each packet traverses all rules
→ Significant CPU overhead

eBPF (Cilium):
→ In-kernel, hash-based lookup
→ Constant time regardless of service count
→ 10-100x performance improvement
→ No iptables at all (optional)

Cilium vs Alternatives
| Feature | Cilium | Calico | Flannel | Istio |
|---|---|---|---|---|
| CNI | Yes | Yes | Yes | Uses CNI |
| eBPF | Native | Optional | No | No |
| Network Policy | L3-L7 | L3-L4 | No | L7 (mesh) |
| Service Mesh | Yes (sidecar-free) | No | No | Yes (sidecar) |
| Observability | Hubble | Flow logs | No | Kiali |
| Encryption | WireGuard/IPsec | WireGuard | No | mTLS |
| Multi-cluster | ClusterMesh | Federation | No | Multi-cluster |
| Performance | Very high | High | Medium | Medium (sidecars) |
Hubble Metrics & Prometheus
```bash
# Enable Prometheus metrics
cilium install --set prometheus.enabled=true \
  --set operator.prometheus.enabled=true \
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}"
```

```yaml
# Scrape in Prometheus
- job_name: cilium
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_label_k8s_app]
    action: keep
    regex: cilium
```

FAQ
Q: How do I choose between Cilium and Istio? A: Istio is a mature, feature-complete service mesh, but its sidecar-based design carries performance and resource overhead. Cilium Service Mesh uses eBPF for a sidecar-free architecture with higher performance but slightly fewer features. If you want maximum performance and low resource usage, choose Cilium. If you need complete traffic management and security policy, Istio is more mature.
Q: Which kernel version is required? A: Cilium requires Linux kernel 4.19+ (5.10+ for full functionality). Most modern distributions (Ubuntu 22.04+, RHEL 9+) meet this requirement. Managed Kubernetes services (EKS, GKE, AKS) ship kernels that support it by default.
Q: Is the learning curve steep? A: Basic usage (CNI + Network Policy) is not hard and is similar to other CNIs. Advanced features (eBPF debugging, Hubble analysis, Cluster Mesh) require some learning investment. The official documentation and tutorials are very thorough.
Sources and Acknowledgements
- GitHub: cilium/cilium — 24.1K+ ⭐ | Apache-2.0
- Website: cilium.io