Cilium 1.0 Advances Container Networking With Improved Security

The open-source effort aims to replace the decades-old IPtables model for Linux networking with a more modern approach for containers that improves performance and security.


For last two decades, the IPtables technology has been the cornerstone of Linux networking implementations, including new container models. On April 24, the open-source Cilium 1.0 release was launched, providing a new alternative to IPtables by using BPF (Berkeley Packet Filter), which improves both networking and security.

The Cilium project's GitHub code repository defines the effort as Linux Native, HTTP Aware Network Security for Containers. Cilium development has been driven to date by stealth startup Covalent, which is led by CEO Dan Wendlandt, who well-known in the networking community for his work at VMware on software-defined networking, and CTO Thomas Graf, who is a core Linux kernel networking developer.

"I actually helped to develop a lot of the legacy networking tooling like IPtables and routing, and at some point I realized that all of that doesn't really fit into this new world of microservices," Graf said. "At the same time, the new technology that is BPF has been coming up, and I connected the dots and that's where Cilium started two years ago."

BPF provides a low-level interface to enable data packet transmission and control and is already used in Linux to enable security with the SECCOMP policy controls. For container deployments, there are already two core networking elements that have been used by organizations. For Docker environments, Docker includes the libnetwork stack, while Kubernetes has the Container Networking Interface (CNI), which provides an abstraction for networking protocols. Graf said that Cilium can plug into either libnetwork or CNI.

"All the other libnetwork plugins are built on relatively old Linux components like Linux-bridge and IPtables, while Cilium is using BPF which is next-generation networking technology," Graf said.

Graf added that among the advantages that BPF provides is more scalability, performance and layer 7 application security. Security policies in Cilium can be defined in a Kubernetes YAML (Yet Another Markup Language) file.

"So instead of defining what IPs and ports can talk to each other, the user would specify which pods can talk to each other based on labels," he said. "Then on top of that, the user can specify which ports the pods can talk to and even what API calls are allowed."


Among the capabilities that Cilium 1.0 includes is a feature known as sockmap. Graf explained that there has long been an assumption that networking has to be done at the data packet level.

"At some point we realized that as long as you're staying on one node or server, there's not really a point to any TCP/IP or anything like that because everything is in the same node," he said. "So basically what sockmap does is it brings networking all the way up to the socket level."

By doing networking at the socket level, rather than at the data packet level, Graf said that sockmap enables a short data path and improved performance.

Security by Default

Graf explained that the default mode for Cilium is for everything to be locked down. He added that each individual connection needs to expressly be whitelisted. Cilium is also compatible with the IPsec VPN technology to help organizations create a secure mesh of container nodes. As part of a technology preview in Cilium 1.0, Graf said that there is also support for mutually authenticated Transport Layer Security (TLS), to further improve authentication security. 

There is also a growing movement within the broader container and cloud-native computing industry to help define identity for workloads. Among the open-source efforts is the Secure Production Identity Framework for Everyone (SPIFFE) project, which officially became a Cloud Native Computing Foundation (CNCF) project on March 29.

"Cilium doesn't care where the identity comes from right now, but we aware of the efforts at the CNCF and working to make sure we are compatible," Graf said.

Cilium Microscope

Another core element of the Cilium 1.0 release is a feature called Microscope, which provides visibility. Standard approaches to networking visibility tend to rely on IP addresses, which Graf noted isn't useful in a microservices world, where many workloads are stateless.

"What we have done with microscope is bring visibility up to the level that where it makes sense for a user that is running containers," Graf said. "So instead of showing packets, with source and destination IPs, we're showing container labels, we're showing service names, and we're showing layer seven connectivity."


Cilium development has been led by Covalent, which is a venture-backed startup. Covalent CEO Dan Wendlandt told eWEEK that currently there isn't a publicly available enterprise edition of Cilium, but the company is already working with enterprises.

"What we're committed to is that core functionality is fully open-source," Wendlandt said. "Looking to the future there are organizational challenges around securing microservices environments, and that's where we'll look for our commercial offering to help companies manage security policies over time."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.