Updated on 2024-04-15 GMT+08:00

Cilium Overview

Why Cilium?

Cilium is a high-performance, high-reliability solution for securing network connectivity between containers. At its foundation lies a technology rooted in the Linux kernel, the extended Berkeley Packet Filter (eBPF). Cilium understands protocols at several layers, such as TCP and UDP at the transport layer and HTTP at the application layer, and provides security features such as application-layer (L7) access control and service mesh support. Cilium also implements Kubernetes network policies and provides global networking and service discovery, which helps administrators manage and deploy cloud-native applications.

Because eBPF programs are attached to hook points inside the kernel, Cilium can inspect, filter and forward packets as they pass through the kernel, without copying them to user space. This makes packet handling efficient and lets security policy be enforced at the kernel level. eBPF is also used in scenarios such as network functions virtualization, container networking and edge computing, where it helps enterprises improve network performance and security and provides better infrastructure support for cloud-native applications.

Basic Functions

  • Network connectivity: Cilium allocates a unique IP address to each pod, so the containers in different pods can communicate with each other directly. Cilium also supports multiple network protocols.
  • Network intrusion detection: Cilium can integrate third-party network intrusion detection systems, such as Snort, to analyze network traffic.
  • Automatic security policy management: Cilium automatically turns the policies defined for each pod, either standard Kubernetes NetworkPolicy objects or Cilium's own custom resource definitions (CRDs), into per-pod enforcement rules, so that only permitted traffic reaches a container.
  • Load balancing: Cilium provides multiple load balancing algorithms to distribute traffic across the backend pods of a service.
  • Service discovery: Cilium watches the Kubernetes Service and endpoint objects through the Kubernetes API and programs the service-to-backend mapping, so that other pods can reach a service by its service address.

Constraints

Cilium is supported only on newly created on-premises clusters. Existing on-premises clusters do not gain Cilium support by being upgraded.

Cilium Underlay

Add the following setting to the on-premises cluster configuration file cluster-[Cluster name].yaml.

CILIUM_NETWORK_MODE: underlay


Advantages

  • In underlay mode, Cilium hands every packet that is not addressed to another container on the same node to the routing subsystem of the Linux kernel. The packet is then forwarded by the host's routing table exactly as if a local process had sent it, with no overlay encapsulation or address translation on the way. This mode is the better choice when traffic volume is high.
  • The ipv4-native-routing-cidr option is configured automatically, so the container CIDR block is routed natively, and Cilium enables IP forwarding in the Linux kernel on its own.

Dependency

The network that the Cilium host is attached to must be able to forward traffic addressed to the IP addresses allocated to pods and other workloads, because pod addresses are reached by plain routing rather than through a tunnel. On each node, the source and destination address check must be disabled (otherwise the virtual network drops packets whose source address is a pod IP instead of the node's own IP), and the node security group must allow traffic to and from the container CIDR block on the ports and protocols the node uses.

Enabling BGP for Cilium

Add the following settings to the on-premises cluster configuration file cluster-[Cluster name].yaml.

CILIUM_BGP_ENABLE: true
CILIUM_BGP_PEER_ADDRESS: IP address of the switch (BGP peer) to interconnect with
CILIUM_BGP_PEER_ASN: BGP ASN of the peer switch (64512-65535)
LOAD_BALANCER_CIDR: Load balancer CIDR block to be advertised; it can be used by open-source add-ons such as MetalLB


On the peer switch, configure each node that needs to be exposed as a BGP neighbor, using the node IP address as the neighbor address on the BGP network the host is attached to. The ASN that the cluster side uses defaults to 65010.

Cilium's BGP capability advertises each node's container routes at node granularity, so that services outside the cluster can reach the pods in the cluster directly by their pod IP addresses.