Cilium’s Past Points to Its Future

Cilium is undergoing a lot of change, as a dynamic and popular open source project built heavily on eBPF tends to, but its original purpose remains intact: a tool that offers security, observability and networking capabilities. Its capabilities, or hooks, extend from the kernel out across the network, whether in the cloud, on premises or in other infrastructures. That definition covers a lot, and Cilium should continue to adapt and extend as infrastructure needs change.
@isovalent’s @tgraf__ ‘s « Cilium Vision » has a lot of future but the core design remains in place. @KubeCon_ @thenewstack pic.twitter.com/eWCPk3eqDX
— BC Gain (@bcamerongain) March 19, 2024
In this article, we look at Cilium’s future, which largely involves extending everywhere: not only Kubernetes and containers, of course, but also VMs, edge use cases and other environments. Cisco’s acquisition of Isovalent, and Cilium’s integration with other tools, will play a role in that future as well.
But what was its original reason for being? Thomas Graf, CTO of Isovalent and the creator who wrote the first lines of Cilium code, described during his KubeCon + CloudNativeCon Europe talk in March what he called four pillars, which have not changed.
Graf referred back to a talk he gave at LinuxCon in Toronto in 2016, when he was first beginning to describe the Cilium project as a way to provide fast IPv6 container networking with eBPF. The four pillars then, like now, as Graf described them, are:
- Scalability, for containers, “because we could no longer just think about VMs,” and for policy and addressing.
- Extensibility: “Because back then user space networking was the thing and was taking over” so bringing “back kernel relevancy” was necessary and to be “as extensible in the kernel as we can in user space networking.”
- Simplicity
- Performance: “Because of course, we want packets to move fast,” Graf said.
And although the pillars date back to his original talk in 2016, Graf said, “this is still exactly how Cilium looks today.”
Cilium’s development, as a CNCF project, has particularly honed in on Kubernetes, providing connectivity, firewall management and monitoring for clusters. As Nico Vibert, a senior staff technical marketing engineer at Isovalent, wrote in his ebook “Kubernetes Networking and Cilium: An Instruction Manual for the Network Engineer,” Kubernetes remains a very difficult animal to manage, and Cilium offers an open source option that eases the arduous task. “Despite my CCIE [Cisco Certified Internetwork Expert] and almost 20 years working in the networking industry, I found Kubernetes networking confusing.” The ebook covers the basics of Kubernetes networking and what has now become the de facto networking platform for Kubernetes: Cilium.
Optimal CNI
“At the start of a networking project, operators and architects of Kubernetes clusters must select a CNI [Container Network Interface] that provides the required networking, security, and observability features… and the one that tends to win in most CNI evaluations is the Cilium project,” Vibert wrote.
Indeed, seeking to design an optimal CNI for Kubernetes has been a stated goal of the Cilium creators since its early stages of development. “The mission was very, very simple: Bring eBPF to Kubernetes and become the best possible CNI,” Graf said. “That was essentially a mission division that we’re still driving towards.”
But the world is not only about Kubernetes. Organizations typically mix and match different environments, often across different cloud environments and on-premises. “We want to bring Cilium essentially to the rest of the world as well. So the simplicity, the scale, security, not requiring a dozen different tools. We want to bring that to the outside of Kubernetes for your VMs, for your servers, for your edge, for your multicloud connectivity,” Graf said. “You should be thinking about just Cilium when you think connectivity: how to do that securely, how to do that scalable, whether it’s for containers, for Kubernetes, for a bunch of servers, for VMs. Cilium, that’s our vision for the future: Cilium should become the standard or the next generation networking layer.”
Cilium typically remains one part of a larger infrastructure rather than yet another so-called single pane of glass. It integrates and works in conjunction with many other complicated layers, typically in cloud native infrastructures. As its applicability extends into other environments, the project involves a great deal of integration and integration development work.
Layer Level
In networking terms, Cilium covers Layer 4, the transport layer, and Layer 7, the application layer. At the same time, its integration with Cisco will be something to consider in a number of ways. As Torsten Volk, an analyst for Enterprise Management Associates (EMA), recently explained, Cisco’s acquisition of Isovalent means the two will collectively cover integration with Splunk, AppDynamics, Cisco ACI, Intersight and Tetration across the Cisco platforms.
“The integration of Cilium with Cisco’s broad portfolio through the acquisition of Isovalent has strategic implications on multiple levels. In addition to expanding Cisco’s capabilities in network and security observability by leveraging eBPF technology it also enhances the company’s ability to deliver integrated solutions across its existing platforms such as Splunk, AppDynamics, and Intersight,” Volk said. “The acquisition enables Cisco to offer more comprehensive infrastructure management and observability solutions which are crucial for the performance and security of modern, complex infrastructure environments. This integration brings in a move toward a more unified approach to infrastructure management, aligning with the industry trend toward converged, intelligent solutions that can support dynamic, cloud native apps.”
As for Layer 3, Cilium does cover it in some respects, but much of that work was done, again, by integrating Cilium with other eBPF-based projects, particularly for policy. For Layer 3 specifically, there is a lot of overlap with, and use of, the approach taken by Calico, which Tigera developed, and as Graf put it, “they definitely got it right.”
Volk said he agreed because Cilium’s integration with other eBPF-centric projects for layer 3 functionality, particularly in policy enforcement, is a strategic move that enhances the granularity and flexibility of network management in cloud-native environments. “The utilization of Calico for layer 3, as developed by Tigera, complements Cilium’s capabilities, allowing for a robust approach to network segmentation and security policies. The endorsement of Calico’s approach by experts in the field underscores its effectiveness in managing complex networking challenges inherent in modern distributed systems,” Volk said. “It is recognized that the combination of these technologies provides a comprehensive solution that aligns with industry needs for scalable, secure, and efficient network operations.”
Previously, networking required that “you had to take a class on how to do subnet addressing and all of that to even get two pods to connect to each other,” Graf explained. While Cilium provides multi-networking, its core concept for Layer 3 is that “everybody can talk to everybody,” Graf said. “Then you take policy to segment what you want. We also want to have policy separate away from addressing.”
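The model Graf describes here, a flat network where everybody can talk to everybody, with policy layered on top and decoupled from addressing, together with the Layer 4 and Layer 7 coverage mentioned in the previous section, is what a CiliumNetworkPolicy expresses. The manifest below is an added example written for this article; it is not from Graf’s talk or the Cilium project’s own documentation, and the namespace `shop` and the labels `app=frontend` and `app=backend` are assumptions chosen for illustration.

```yaml
# Added example (not from the Cilium project): segment by identity, not by IP.
# Namespace and app labels are assumed for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-api
  namespace: shop              # assumed namespace
spec:
  # L3: the policy applies to every pod carrying this label, wherever it is
  # scheduled and whatever IP it is assigned. No CIDR or subnet appears here;
  # this is the "policy separate from addressing" idea.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        # Only pods labelled app=frontend may open connections to the backend.
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            # L4: of those peers, only TCP port 8080 is reachable.
            - port: "8080"
              protocol: TCP
          rules:
            # L7: on that port, only GET requests whose path matches /api/v1/.*
            # (Cilium matches the path as a regular expression).
            http:
              - method: "GET"
                path: "/api/v1/.*"
```

Two points a practitioner should check before applying something like this. First, the selection semantics: until some policy selects the `app=backend` pods, they accept traffic from anyone, exactly the default Graf describes. The moment this policy selects them, ingress to those pods becomes default deny and only the listed rules are allowed, so any client that is not labelled `app=frontend`, or that uses another port or method, is dropped. Second, the policy has no `egress` section, so the backend’s outbound connections are left unrestricted; locking down both directions requires an explicit egress rule. Dropped flows can be inspected with `hubble observe --verdict DROPPED` while testing the policy.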