Cilium provides eBPF-based networking, observability, and security for container workloads. It secures network connectivity between application services deployed on Linux container management platforms such as Kubernetes.
Cilium is built on a Linux kernel technology called eBPF, which allows security, visibility, and network control logic to be loaded into the running kernel and applied to traffic at runtime, without kernel modifications or modules.
eBPF is the foundation for Cilium's high-performance networking, multi-cluster and multi-cloud connectivity, advanced load balancing, transparent encryption, network security features, observability, and other capabilities.
The project contains multiple components:
- cilium-agent: This component runs on every node in the cluster and receives configuration information through APIs or Kubernetes. It manages eBPF programs that enable the Linux kernel to control network access in and out of containers, and it responds to events from the orchestration system, like Kubernetes, to handle workload and container start/stop operations.
- Cilium CLI client: This command-line tool runs alongside the Cilium agent on the same node (it is distinct from the cluster-level `cilium` CLI used for installation and management). It talks to the agent's REST API, allowing users to inspect the local agent's status and state, and it provides tools to inspect and validate the eBPF maps directly.
- Cilium operator: The operator is responsible for managing tasks that need to be executed once for the entire cluster rather than on a per-node basis. While not essential for network policy decisions or forwarding, it handles cluster-wide configurations and operations.
- CNI plugin: When Kubernetes schedules or terminates a pod on a node, it invokes the cilium-cni plugin. This plugin communicates with the node’s Cilium API to configure the appropriate datapaths for the pod’s networking, policy enforcement, and load balancing requirements.
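To make the role of the agent concrete, here is an added example of the kind of policy object the agent translates into eBPF datapath rules. It is not taken from the page or from the Cilium project; the namespace and `app` labels are hypothetical. It is a `CiliumNetworkPolicy` that allows only pods labelled `app=frontend` to reach pods labelled `app=backend`, and only on TCP port 8080:

```yaml
# Added example (not from the original page): a CiliumNetworkPolicy.
# The cilium-agent on each node watches objects like this through the
# Kubernetes API and compiles the allow rules into its eBPF programs.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-ingress
  namespace: shop            # hypothetical namespace
spec:
  # Pods this policy applies to (the "endpoints" in Cilium terms).
  endpointSelector:
    matchLabels:
      app: backend           # hypothetical label
  ingress:
    # Identity-based rule: the source is matched on labels, not on IPs,
    # so it survives pod restarts and IP churn.
    - fromEndpoints:
        - matchLabels:
            app: frontend    # hypothetical label
      # Restrict the allowed traffic to a single L4 port.
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
```

The caveat a practitioner should know: as soon as any policy with an `ingress` section selects an endpoint, Cilium switches that endpoint to ingress default-deny, so every ingress flow not matched by an allow rule is dropped in the eBPF datapath. Because this policy has no `egress` section, the backend pods' outbound traffic stays unrestricted until a policy with an egress section selects them. Dropped flows can be confirmed on the node with `hubble observe --verdict DROPPED` when Hubble is enabled.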
Earlier this week, the CNCF, the organization that hosts the project, announced that Cilium has reached Graduated status. Cilium is also currently the CNCF's second most active project after Kubernetes, measured by commits.