The document discusses Cilium, a network security solution for microservices that integrates with Istio and leverages BPF for enhanced performance and visibility. It details features such as identity-based security, multi-cluster connectivity, and the limitations of various Cilium map types. Additionally, it highlights Cilium's role as a CNI plugin and its capabilities in service mesh integration and load balancing.

1. Cilium - Network security for
microservices. Let's see how it works with
Istio.
by Stanislav Kolenkin

2. Introduction
2
BPF - Next Generation Datapath
• Replaces iptables, fast, flexible, powerful
• Packet, API, process visibility
Cloud Native security
• Identity-based
• API & DNS Aware
Servicemesh Integration
• Uses Envoy and co-operates with Istio
• Secures and accelerates sidecar proxies
Multi cluster and Multi Cloud
• Connects multiple clusters across providers

3. BPF
3

4. BPF
4

5. BPF
BPF is revolutionizing:
• Tracing/Profiling
• Networking
• Security
5

6. BPF
6

7. BPF
7

8. BPF
8

9. BPF
9

10. BPF
10

11. BPF
11

12. 12

13. BPF
13

14. BPF
14

15. BPF Map Limitation in Cilium
15
Map Name Scope Default Limit Scale Implications
Connection Tracking node or endpoint 1M TCP/256K UDP Max 1M concurrent TCP connections,
max 256K expected UDP answers
Endpoints node 64k Max 64k local endpoints + host IPs
per node
IP cache node 512K Max 256K endpoints (IPv4+IPv6), max
512k endpoints (IPv4 or IPv6) across
all clusters
Load Balancer node 64k Max 64k cumulative backends across
all services across all clusters
Policy endpoint 16k Max 16k allowed identity + port +
protocol pairs for specific endpoint
Proxy Map node 512k Max 512k concurrent redirected TCP
connections to proxy
Tunnel node 64k Max 32k nodes (IPv4+IPv6) or 64k
nodes (IPv4 or IPv6) across all
clusters

16. Cilium
16

17. Cilium as CNI Plugin
17

18. Cilium as CNI Plugin
18

19. LB: Kubernetes Service Implementation
19

20. Kubernetes Iptables Rules Overview
20

21. Kubernetes Iptables Rules Overview
21

22. Tradition API Unaware security
22

23. API Aware security
23

24. Identity based security
24

25. Cluster mesh
25

26. Cluster mesh use cases: High Availability
26

27. Cluster mesh use cases: Shared Services
27

28. Cluster mesh use cases: Splitting Stateful and
Stateless services
28

29. Service mesh Integration
29

30. Istio integration
31

31. Sidecar Injection (Transparent)
32

32. Transparent Sidecar Injection with Cilium
33

33. Sidecar Injection performance
34

34. Cilium sumary
36
• CNI and CMM plugin
− Kubernetes, Docker, Mesos
• Security
− Secures ingress, east-west, and egress
− Label, DNS or CIDR based. Identity enforcement.
− API aware (HTTP, Kafka, gRPC)
• Load-balancing
• Servicemesh integration
• Multi cluster / Multi Cloud Provider
− Connect multiple clusters with label based policy enforcement

35. Thank you for your attention!
Questions?

36. CONTACTS:
Email: stas.kolenkin@gmail.com