Cilium, eBPF, and Modern Kubernetes Networking with Bill Mulligan
Software Engineering Daily Podcast Recap
Published:
Guests: Bill Mulligan, Gregor Vand
What Happened
Modern cloud native systems are increasingly dependent on dynamic and distributed infrastructure, where traditional networking assumptions no longer hold true. The Linux kernel was originally designed for static IPs and linear rule processing, which presents scaling issues in Kubernetes environments. Modifying the Linux kernel to accommodate these needs is both slow and risky.
Bill Mulligan explains how eBPF (Extended Berkeley Packet Filter) is a revolutionary technology that allows for safe, sandboxed programs to run within the Linux kernel without requiring modifications to the kernel source code. This technology serves as the foundation for Cilium, an open-source cloud native networking platform that provides secure connectivity between workloads in Kubernetes.
Cilium, initiated by Thomas Graf in 2015, leverages eBPF to replace traditional networking components such as iptables and kube-proxy. By shifting from IP-based to identity-based networking, Cilium allows for dynamic container management without the need for constant rule updates, significantly reducing churn and overhead in Kubernetes clusters.
The podcast highlights how Cilium's architecture separates the control plane from the data plane, allowing the network's data path to function independently. This separation permits Cilium to efficiently manage networking across multiple Kubernetes clusters and integrate advanced network policy features, including layer 3, 4, and 7 policies.
Gregor Vand, a security-focused technologist, discusses the challenges faced by traditional service meshes and how Cilium's integration of service mesh functionality with layer 7 network policies offers a more holistic approach to networking. Cilium is able to bypass parts of the traditional Linux kernel networking stack, providing scalable and efficient networking.
Hubble, a component of the Cilium ecosystem, uses eBPF for enhanced observability, providing network flow logs and a user interface to visualize traffic. This tool has proven valuable in reducing troubleshooting time for users like ESnet (the Energy Sciences Network).
Cilium's roadmap includes increased support for IPv6 and the integration of VMs into Kubernetes environments, as seen with projects like KubeVirt. New features like netkit, developed by Daniel Borkmann, aim to eliminate container networking overhead by allowing direct packet transfer from the network interface card to the container.
Isovalent, the company behind Cilium, continues to innovate by enabling Cilium to connect Kubernetes clusters to external VMs and offering resources such as hands-on labs and community engagement channels to support users and contributors.
Key Insights
- The dynamic nature of modern cloud native systems makes traditional networking methods obsolete. Traditional Linux networking was designed for static IPs and doesn't scale well with the containerized environments of Kubernetes.
- eBPF allows safe kernel programming without modifying the kernel source code, enabling technologies like Cilium to improve Kubernetes networking. This is akin to how JavaScript enables dynamic web pages without altering the underlying browser software.
- Cilium uses eBPF to replace iptables and kube-proxy, shifting from IP-based to identity-based networking. This reduces the need for constant rule updates, thereby decreasing churn and overhead in Kubernetes clusters.
- Hubble, part of the Cilium ecosystem, provides powerful observability tools that reduce troubleshooting time. This has been particularly beneficial to users like ESnet (the Energy Sciences Network), allowing for quick identification and resolution of network issues.
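The identity-based networking and layer 3/4/7 policy features described above (in the "What Happened" section and in the key insight on replacing iptables and kube-proxy) are easiest to see in a concrete policy. The following is an added example, not code from the podcast or from the Cilium project: it places an IP-based rule next to an identity-based one for the same backend workload. The namespace (`shop`), the labels (`app: frontend`, `app: backend`), the port, the paths and the sample address are all constructed for this illustration.

```yaml
# Added example: two CiliumNetworkPolicy objects protecting the same backend.
# Namespace, labels, port, paths and the address below are constructed values.

# 1) IP-based rule. Pod IPs in Kubernetes are ephemeral, so this rule has to
#    be rewritten every time a frontend pod is rescheduled, and it says nothing
#    about which workload actually sits behind the address.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-by-cidr
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromCIDR:
        - 10.0.1.17/32        # constructed address of one frontend pod
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
---
# 2) Identity-based rule. Cilium derives a numeric security identity from the
#    pod's labels, and the eBPF data path enforces policy against that identity
#    rather than against the address, so the rule survives pod churn and needs
#    no updates when pods are rescheduled. fromEndpoints matches pods in the
#    policy's own namespace unless a namespace label is added to the selector.
#    The L7 block restricts which HTTP requests are allowed on the port; Cilium
#    enforces it by redirecting matching flows through its Envoy proxy, and
#    requests that match no rule are rejected at the proxy.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-l7
  namespace: shop
spec:
  endpointSelector:            # L3: the pods this policy applies to
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:           # L3: allowed peers, selected by label
        - matchLabels:
            app: frontend
      toPorts:                 # L4: only this port and protocol
        - ports:
            - port: "8080"
              protocol: TCP
          rules:               # L7: only these HTTP methods and paths
            http:
              - method: "GET"
                path: "/api/v1/products.*"   # path is an anchored regex
              - method: "POST"
                path: "/api/v1/cart"
```

Apply either object with `kubectl apply -f`; once a policy selects an endpoint, traffic not matched by an ingress rule is dropped by the eBPF data path, and the drops (and, for the L7 rule, the proxy verdicts) are visible with `hubble observe --namespace shop --verdict DROPPED`, which is the observability loop the recap attributes to Hubble.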