What’s New With Cilium and What’s Next?
The cloud-native ecosystem continues to evolve, with large open source projects like Kubernetes and OpenTelemetry continuing to see significant contributions and production usage. Another project is Cilium, the eBPF-based technology unlocking a new era of kernel-centric network engineering.
Although Cilium is a newer arrival on the scene, it has seen a massive uptick in recent years. At the time of writing, the CNCF-graduated project is the second most active project by commit count, behind only Kubernetes. And ongoing efforts, specifically around platform agnosticism and runtime security, are poised to bring Cilium, and eBPF for that matter, into new use cases.
I recently sat down with Liz Rice, chief open-source officer at Isovalent and Cilium contributor (or committer), to explore what’s new with Cilium and what’s around the corner for the project. Below, we’ll briefly review eBPF for newcomers and see what’s on the horizon for Cilium and the cloud-native open source ecosystem.
eBPF: The Doorway to the Linux Kernel
To understand Cilium, we really have to dive a little deeper to see how extended Berkeley Packet Filter (eBPF) has revolutionized how we interact with the Linux kernel, the ubiquitous software at the root of servers and consumer hardware. Before eBPF came along, working with the Linux kernel and extracting metrics was very challenging because the kernel’s behavior was rigid and pre-determined.
However, with eBPF, one can more easily run sandboxed programs in the Linux kernel without modifying kernel code. You can truly “hook into almost any aspect of the kernel,” says Rice. This enables far greater flexibility and dynamic operation. “What was previously static is now dynamic and programmable,” she says.
From a networking perspective, this is great for observability, says Rice, since you can more easily customize capabilities for particular applications. eBPF also aids the process of programming and writing kernel modules, explains Rice. There are also stability benefits: the eBPF verifier analyzes each eBPF program before it is loaded to ensure it is safe to run, so it cannot crash the machine.
However, this doesn’t mean that using eBPF is foolproof. It can be challenging to distinguish malicious network packets from legitimate ones. As such, says Rice, we need to treat the ability to load eBPF programs like root privilege, carefully controlling what is run and who is allowed to run it.
How Cilium Extends eBPF
eBPF took us a long way in making the Linux kernel more accessible. And arguably, it is already opening up a new breed of software-defined networking infrastructure. However, it does have certain usability limitations, notes Rice. “If you start writing eBPF, it very quickly becomes like kernel programming,” she says.
Most DevOps or platform engineers who want this sort of granular access are not familiar with the complexity of kernel behavior, Rice explains. So, Cilium provides that low-level connectivity and programming while bringing it closer to the world of containers and Kubernetes. For example, Cilium can be deployed in Kubernetes as a container network interface (CNI) plugin, installed by deploying a Helm chart into the cluster.
The world of Kubernetes is quite ephemeral—pods come and go and IP addresses change dynamically. “The old model of associating workloads with IP addresses and port numbers doesn’t work in the Kubernetes world,” says Rice. By using eBPF, on the other hand, systems can shortcut parts of the kernel network path and reap operational benefits. “eBPF allows us to shortcut network functions and become much more performant.”
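To illustrate the point about moving away from IP-and-port policy, here is an added example (not from the article or the Cilium project’s own documentation) of a CiliumNetworkPolicy that selects workloads by pod label, so it keeps applying as pods are rescheduled and their IPs change; the namespace, labels and port are assumed values for illustration.

```yaml
# Added example: Cilium L3/L4 policy expressed in terms of pod identity (labels),
# not IP addresses. Namespace "shop", labels app=backend/app=frontend and
# port 8080 are hypothetical.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend
  namespace: shop
spec:
  # Pods this policy applies to: the backend, selected by its labels
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Only pods carrying app=frontend may reach the backend, and only on TCP/8080.
  # Once an ingress rule selects an endpoint, all other ingress to it is denied.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
```

Apply it with `kubectl apply -f` in a cluster running Cilium; the policy follows the labelled pods wherever the scheduler places them.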
For instance, one such practical implementation is a sidecarless model. A logging tool, for example, might be implemented as a sidecar and duplicated as a container in every pod. However, by using eBPF, since we’re instrumenting the kernel, we only need a single proxy per node, saving significant resources in the process, explains Rice.
The Ongoing Developments Around Cilium
Cilium maintainers currently have their sights set on some lofty goals. First and foremost is enabling “connectivity with any workload anywhere,” says Rice. As she notes, some workloads may not be within Kubernetes but may be virtual machines or other legacy deployments. The goal is to enable Cilium to provide a seamless layer to connect with network policies and observability solutions, including service mesh, regardless of the technology in use.
Another big concentration at the moment is around Cilium’s Tetragon, which will address runtime security head-on. In the security world, much effort is placed on shift-left practices and vulnerability scanning. Although these techniques are helpful, they are only designed to discover known vulnerabilities, notes Rice.
Tetragon will bring runtime security capabilities equivalent to firewalls to better highlight unknown threats. It will do so by examining executables, privileges, files and network connections to spot potentially malicious behaviors. “In the past, people have been reluctant to deploy runtime security controls in this mode,” admits Rice. However, she now believes this is viable given the bespoke programmability of eBPF, plus the guardrails of the Cilium project and example use cases to model.
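As an added example of the file-observation side of this (not code from the article or from the Tetragon project), the following Tetragon TracingPolicy hooks the kernel’s security_file_permission function and emits an event whenever a process reads or writes a file under a chosen prefix; it observes only and blocks nothing. The /etc/ prefix is an assumed value for illustration.

```yaml
# Added example: observation-only Tetragon policy for file access under /etc/.
# The path prefix is hypothetical; pick the directories that matter to you.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-etc-access
spec:
  kprobes:
  - call: "security_file_permission"
    syscall: false              # an in-kernel LSM hook, not a system call
    args:
    - index: 0
      type: "file"              # struct file *, resolved to a path in the event
    - index: 1
      type: "int"               # access mask (read/write) requested
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/"               # report only files whose path starts with /etc/
```

Events from this policy, including the binary, process ancestry and file path, can be read with `tetra getevents -o compact` on the node.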
Advancing the Cloud-Native Open Source Ecosystem
The current state of cloud-native security is mired with supply chain threats. One such threat is the risk of attackers stealing credentials and impersonating real contributors to popular open-source projects.
Such a hack is possible, especially given that the number of secrets accidentally left exposed is surprisingly high. For instances where you can’t distinguish between genuine and malicious contributors, doubling down on runtime security could prevent this kind of attack, says Rice.
Outside of cybersecurity threats, the business side of open source has come under question lately due to recent licensing changes, lack of funding for projects and other economic instabilities. Although Rice admits cloud technology companies need proprietary software to run their businesses, she remains optimistic about the future of open source. “I’m a huge believer in open source software for common, public tools,” says Rice.
As evidence, more and more government and public sector groups are embracing open source as a more sustainable way to operate, ditching proprietary IT systems stuck in the past. “Politicians are increasingly recognizing the value of OSS,” says Rice.
Hopefully, once the benefits of pivotal open source technologies like eBPF and Cilium are understood, OSS will continue to be advocated for (and supported) by the powers that be — perhaps even through government aid. Regardless, the Cilium community appears confident and active in their cause of innovating the next generation of kernel-based networking infrastructure.