Cilium – The CNI to use for Kubernetes in 2023
Kubernetes has become the standard for container orchestration, and with good reason. It offers a scalable, reliable, and resilient platform for deploying and managing containerized applications. However, as the number of containers and services within a cluster grows, managing network connectivity becomes increasingly complex. This is where Cilium CNI comes in, providing a comprehensive networking solution for Kubernetes that addresses these challenges.
What is Cilium CNI?
Cilium CNI is a networking plugin for Kubernetes that provides a rich set of features for managing network connectivity within a cluster. It is built on top of the Linux kernel’s eBPF (extended Berkeley Packet Filter) technology, which allows for highly efficient packet filtering and manipulation.
Cilium CNI uses eBPF to implement a number of key features, including:
- Service-aware networking: Cilium CNI automatically creates and manages network policies for Kubernetes services, ensuring that traffic is properly routed and secured.
- Layer 7 load balancing: Cilium CNI provides layer 7 load balancing capabilities, allowing traffic to be distributed based on application-layer attributes such as HTTP headers and cookies.
- Network security: Cilium CNI implements network security policies using eBPF, enabling fine-grained control over network traffic and preventing unauthorized access.
- Network observability: Cilium CNI provides rich observability capabilities, including network flow visualization, connection tracking, and tracing.
The following sections look at further aspects of this CNI: scalability, network policy enforcement, load balancing and observability.
Scalability
Scalability is a critical aspect of any networking solution, and Cilium CNI is designed with scalability in mind. Cilium leverages the eBPF (extended Berkeley Packet Filter) technology to provide high-performance network security and visibility, while minimizing the impact on the host kernel.
Cilium uses eBPF to create a programmable data path in the Linux kernel, which allows it to intercept and filter network traffic with high efficiency. This approach allows Cilium to scale to thousands of nodes and hundreds of thousands of endpoints, while still providing fast and reliable network performance.
Network Policy Enforcement
Network policy enforcement is another important aspect of Cilium CNI, and it is critical for ensuring that your Kubernetes clusters are secure and compliant. Cilium provides advanced network policy enforcement capabilities, including support for Kubernetes Network Policies and Cilium Network Policies.
With Cilium CNI, you can enforce policies at the application layer, which allows you to implement fine-grained controls based on the application-level context. This approach is more efficient than traditional IP-based policy enforcement, as it allows you to enforce policies based on application-level metadata, rather than just IP addresses.
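As an added example (not from the article), a CiliumNetworkPolicy that applies the application-layer enforcement described above: only the frontend may reach the backend, and only with GET requests on one path prefix. The `shop` namespace, the `app` labels and the ports are constructed placeholders; the L7 rules are enforced by the Envoy proxy that Cilium embeds for this purpose.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-l7-allowlist
  namespace: shop            # constructed namespace
spec:
  description: "Only the frontend may call backend, and only GET /api/v1/*"
  endpointSelector:
    matchLabels:
      app: backend
  # Because both ingress and egress sections exist, every other flow
  # to or from the backend pods is denied by default.
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend      # identity-based, no IP addresses involved
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # Anything not listed (POST, DELETE, /admin, ...) is rejected at L7
      # with an HTTP 403 instead of being silently dropped at L3/L4.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
  egress:
  # DNS to kube-dns; the dns rule also makes the queried names visible
  # in the flow logs, which helps when auditing policy decisions.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # The backend's only other permitted destination: the database.
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
```

Apply it with `kubectl apply -f` and a request such as `POST /api/v1/orders` from the frontend is answered with 403 while `GET /api/v1/orders` passes; denied flows appear in Hubble with a policy verdict.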
Load Balancing
Load balancing is another key performance aspect of Cilium CNI, and it is essential for ensuring that your Kubernetes services are highly available and responsive. Cilium provides built-in support for service load balancing, which allows you to distribute traffic across multiple pods in a service.
Cilium’s load balancing approach is highly efficient and scalable, as it uses eBPF to intercept and load balance traffic at the kernel level. This approach eliminates the need for additional load balancers or proxies, which can introduce additional latency and complexity.
Observability
Observability is an important aspect of any networking solution, and Cilium CNI provides advanced observability capabilities to help you diagnose and troubleshoot issues in your Kubernetes clusters. Cilium provides real-time visibility into network traffic and security events, and it allows you to generate detailed network flow and security policy audit logs.
Cilium’s observability features are highly scalable and efficient, as they leverage eBPF to collect and analyze network traffic and security events in real-time. This approach allows you to monitor and diagnose issues in your Kubernetes clusters with high efficiency and accuracy.
Cilium with Big TCP
TCP is a reliable, connection-oriented protocol used for transmitting data over networks. However, TCP is not optimized for high-latency and lossy networks, which can result in slow and inefficient data transfer. Big TCP is a modified version of TCP that is designed to improve the performance of TCP connections over networks with high latency and packet loss.
Big TCP achieves this by increasing the default TCP send and receive buffer sizes, as well as implementing various optimizations such as packet coalescing and early retransmission. These optimizations help to reduce the number of round-trip delays required for data transmission, resulting in improved performance over high-latency and lossy networks. Think of the morning traffic jam, where most people drive to the same workplace and most cars carry only one or two persons. Now imagine every car replaced by a bus carrying 50 people travelling the same route: far more people reach the same destination in the same amount of time.
Cilium CNI can be used with Big TCP to provide improved network performance and reliability in Kubernetes clusters. Cilium CNI is a network plugin for Kubernetes that provides advanced networking and security capabilities, including service load balancing, network policy enforcement, and observability.
To use Cilium CNI with Big TCP, you will need to enable the Big TCP feature in Cilium. This can be done by setting the cilium.tcp.bpf.big flag to true when deploying Cilium.
Once Cilium is deployed with Big TCP enabled, you can create Kubernetes pods and services as usual, and Cilium will automatically handle the networking and security aspects. If you have applications that require high-performance TCP connections over high-latency and lossy networks, you should see an improvement in performance with Big TCP enabled.
Cilium CNI with Big TCP provides several performance benefits that can help you achieve better network performance and scalability in your Kubernetes clusters. Some of these benefits include:
- Higher Throughput: Big TCP can handle higher throughput than traditional TCP, which can help improve application performance and reduce latency.
- Lower Latency: Big TCP’s design allows for lower latency than traditional TCP, which can help improve application response times.
- Scalability: Cilium CNI with Big TCP is highly scalable, thanks to its eBPF-based architecture, which allows it to handle large-scale data transfers with ease.
- Reduced CPU Overhead: Big TCP offloads some of the processing tasks to the kernel, reducing CPU overhead and improving overall performance.
- Improved Network Efficiency: Big TCP’s design allows for more efficient use of network resources, improving overall network efficiency and reducing congestion.
Using eBPF-based host routing
Cilium CNI uses eBPF-based host routing to bypass iptables, a traditional Linux firewall utility. Iptables uses a chain-based model to process packets, which can be resource-intensive and slow down network traffic. Cilium CNI uses eBPF-based host routing to perform network filtering and routing directly in the kernel, bypassing the iptables chain-based model.
With eBPF-based host routing, Cilium CNI can perform network filtering and routing much faster and more efficiently than iptables. This results in improved network performance and reduced latency, making Cilium CNI an ideal choice for modern, high-performance Kubernetes environments.
Cilium CNI with eBPF-based host routing provides several benefits that can help you achieve better network performance and security in your Kubernetes clusters. Some of these benefits include:
- Faster Network Filtering: Cilium CNI’s eBPF-based host routing can perform network filtering much faster than iptables, resulting in improved network performance and reduced latency.
- More Efficient Network Routing: With eBPF-based host routing, Cilium CNI can perform network routing much more efficiently than traditional routing methods, reducing network congestion and improving overall network efficiency.
- Improved Security: Cilium CNI’s eBPF-based host routing provides advanced network security features, such as network policy enforcement and observability, which can help you protect your Kubernetes environment against security threats.
- Better Scalability: Cilium CNI’s eBPF-based host routing is highly scalable, thanks to its eBPF-based architecture, which allows it to handle large-scale data transfers with ease.
- Reduced CPU Overhead: eBPF offloads some of the processing tasks to the kernel, reducing CPU overhead and improving overall performance.
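As an added example (not the article's own deployment), a Helm values file that enables the three features covered above together: BIG TCP, eBPF-based host routing with kube-proxy replacement, and Hubble for the flow logs. It assumes Cilium 1.14 key names (on 1.13 the routing key is `tunnel: disabled` and kube-proxy replacement is `strict`), a kernel of at least 5.19 for BIG TCP, nodes on a shared L2 segment, and placeholder CIDRs you must replace; the Helm chart value the project exposes for BIG TCP is `enableIPv6BIGTCP`.

```yaml
# values.yaml for the Cilium Helm chart (constructed example, 1.14 key names).
# Install with: helm upgrade --install cilium cilium/cilium -n kube-system -f values.yaml

# --- eBPF-based host routing: bypasses the iptables chains on the host ---
# Prerequisites: kube-proxy replacement and native (non-tunnel) routing.
# Cilium then picks BPF host routing on supported kernels; setting
# bpf.hostLegacyRouting to false makes that intent explicit.
kubeProxyReplacement: true          # eBPF service load balancing, no kube-proxy
routingMode: native                 # 1.13: tunnel: disabled
autoDirectNodeRoutes: true          # assumption: all nodes share one L2 segment
ipv4NativeRoutingCIDR: 10.0.0.0/8   # placeholder: your pod CIDR
bpf:
  masquerade: true
  hostLegacyRouting: false

# --- BIG TCP: larger GSO/GRO aggregates, IPv6 only in Cilium 1.13/1.14 ---
# Needs kernel >= 5.19, the host-routing settings above, and no
# tunneling or transparent encryption on the datapath.
ipv6:
  enabled: true
ipv6NativeRoutingCIDR: fd00:10::/64  # placeholder: your IPv6 pod CIDR
enableIPv6BIGTCP: true

# --- Observability: Hubble exports the flow and policy-verdict logs ---
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
```

After the rollout, `cilium status --verbose` should report `Host Routing: BPF`; if it shows `Legacy`, one of the prerequisites above (kernel version, native routing, kube-proxy replacement) is not met and the iptables path is still in use.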
Conclusion
Cilium CNI with Big TCP and eBPF-based host routing is a powerful combination for improving the performance and reliability of Kubernetes networking. By leveraging the advanced networking and security capabilities of Cilium, and the performance optimizations of Big TCP, you can achieve better network performance and observability in your Kubernetes clusters. If you have applications that require high-performance TCP connections over high-latency and lossy networks, you should definitely consider using Cilium CNI with Big TCP, running with eBPF-based host routing so that Cilium CNI bypasses iptables. Cilium leverages eBPF to provide high-performance networking and security, while minimizing the impact on the host kernel. Cilium’s advanced network policy enforcement, load balancing, and observability features make it an ideal solution for modern Kubernetes environments.
A performance overview will follow in one of the next blog posts.