Cilium — Network Control & Data Plane

Kubernetes

Network

Published

May 21, 2025

Modified

May 21, 2025

Overview

Cilium¹ integrates with Kubernetes networking & security through a CNI plugin

Foundation of Cilium is a Linux kernel technology called eBPF²

…eBPF can run sandboxed programs in an operating system kernel
…enables users to dynamically extend the capabilities of the kernel
Leveraging Linux eBPF Cilium can…
- …provide security visibility & enforcement based on service & pod identity
- …facilitate traditional layer 3 and layer 4 segmentation
- …filter an application layer (e.g. HTTP) …decouple security from addressing

Functionality of Cilium with Kubernetes³…

…CNI plugin to provide pod networking with multi-cluster support
- …full replacement kube-proxy
- …includes ClusterIP …load-balanced pod-to-pod communication
- …network policy based isolation of pod-to-pod L3/4 communication
Extension of network policy with CRDs…
- …L7 policy enforcement on ingress/egress (e.g. HTTP protocol)
- …egress support for CIDRs to secure access to external services

IP Address Manager

IPAM (IP Address Manager)

>>> cilium config view | grep cluster-pool
cluster-pool-ipv4-cidr                 10.0.0.0/8
cluster-pool-ipv4-mask-size            24
ipam                                   cluster-pool

…each Kubernetes node will have a 24-bit subnet

Network Policy

Configure network policies natively with Kubernetes…

NetworkPolicy⁴ …L3/4 policies at ingress/egress of pods
CiliumNetworkPolicy …policies at L3-7 for ingress/egress
- …functionality which is not yet supported in NetworkPolicy
CiliumClusterwideNetworkPolicy …policies non-namespaced & cluster-scoped

Load Balancer

LB IPAM⁵ Assign IP addresses to Services of type LoadBalancer…

In conjunction with advertisement over…
- Cilium BGP Control Plane
- Cilium L2 Announcements/L2 Aware LB

L2 Announcements

Make services visible and reachable on the local are network

Footnotes

Cilium Project
https://github.com/cilium/cilium
https://docs.cilium.io/en/stable ↩︎
eBPF https://ebpf.io ↩︎
Kubernetes, Cilium Documentation
https://docs.cilium.io/en/stable/network/kubernetes/intro/↩︎
NetworkPolicy, Kubernetes Documentation
https://kubernetes.io/docs/concepts/services-networking/network-policies/↩︎
LoadBalancer IP Address Management, Cilium Documentation
https://docs.cilium.io/en/stable/network/lb-ipam ↩︎

--- title: 'Cilium — Network Control & Data Plane' categories: - Kubernetes - Network date: 2025/05/21 date-modified: 2025/05/21 toc-expand: 3 --- # Overview Cilium[^fG41sa] integrates with Kubernetes networking & security through a CNI plugin [^fG41sa]: Cilium Project <https://github.com/cilium/cilium> <https://docs.cilium.io/en/stable> Foundation of Cilium is a Linux kernel technology called eBPF[^0OLa1] [^0OLa1]: eBPF <https://ebpf.io> * …eBPF can run sandboxed programs in an operating system kernel * …enables users to dynamically extend the capabilities of the kernel * Leveraging Linux eBPF Cilium can… - …provide security visibility & enforcement based on service & pod identity - …facilitate traditional layer 3 and layer 4 segmentation - …filter an application layer (e.g. HTTP) …decouple security from addressing Functionality of Cilium with Kubernetes[^hG3dF]… [^hG3dF]: Kubernetes, Cilium Documentation <https://docs.cilium.io/en/stable/network/kubernetes/intro/> * …CNI plugin to provide pod networking with multi-cluster support - …**full replacement `kube-proxy`** - …includes ClusterIP …load-balanced pod-to-pod communication - …network policy based isolation of pod-to-pod L3/4 communication * **Extension of network policy with CRDs**… - …L7 policy enforcement on ingress/egress (e.g. HTTP protocol) - …egress support for CIDRs to secure access to external services ## IP Address Manager **IPAM** (IP Address Manager) ```bash >>> cilium config view | grep cluster-pool cluster-pool-ipv4-cidr 10.0.0.0/8 cluster-pool-ipv4-mask-size 24 ipam cluster-pool ``` - …each Kubernetes node will have a 24-bit subnet ## Network Policy Configure network policies natively with Kubernetes… - `NetworkPolicy`[^rT4d1] …L3/4 policies at ingress/egress of pods - `CiliumNetworkPolicy` …policies at L3-7 for ingress/egress - …functionality which is not yet supported in `NetworkPolicy` - `CiliumClusterwideNetworkPolicy` …policies non-namespaced & cluster-scoped [^rT4d1]: NetworkPolicy, Kubernetes Documentation <https://kubernetes.io/docs/concepts/services-networking/network-policies/> ## Load Balancer LB IPAM[^rt54D] Assign IP addresses to Services of type `LoadBalancer`… [^rt54D]: LoadBalancer IP Address Management, Cilium Documentation <https://docs.cilium.io/en/stable/network/lb-ipam> - In conjunction with advertisement over… - Cilium BGP Control Plane - Cilium L2 Announcements/L2 Aware LB ## L2 Announcements Make services visible and reachable on the local are network