Security project Cilium 1.4 pumps up multi-cluster capabilities and encryption

Cilium, the network security project for application services, is now available in v1.4, introducing global services and IPVLAN support and extending the DNS security policy model, among other things.

Cilium was started to tackle the network security challenges associated with the rather dynamic microservice architectures and can be used in combination with popular projects such as Docker, Kubernetes, Istio (which has just gotten another update), and Mesos.

While other network security approaches concentrate on the network and transport layers, Cilium uses the Linux kernel’s Berkeley Packet Filter (BPF) to enforce visibility and security policies based on service, pod, or container ID, and can also filter at the application layer. Application code and container configurations don’t have to be changed to work with the project.

The current release takes the basic pod IP routing capability introduced in v1.3 to the next level by adding the concept of global services. Global services are based on standard Kubernetes services and let users make a service available in multiple clusters. To do so, the service has to use the same name and namespace in each cluster and be marked with an annotation.

To make sure a failure in one cluster doesn’t impact the others, replication works on a read-only basis and every cluster continues to use its own etcd cluster. The control plane sits on top of etcd and can be exposed via an internal Kubernetes load balancer for routing purposes.

Thanks to an extension of Cilium’s security policy model, pods accessing services outside a cluster should be more secure once updated. Since the model is now aware of DNS requests from and DNS responses to individual pods, it is possible to restrict which DNS lookups a pod may perform and to limit the communication that follows a lookup. Moreover, the Cilium authorisation logging layer now logs DNS lookups and responses, which provides better insight into a pod’s activities.
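As an added illustration that is not from the article or the Cilium project, here is the kind of policy this DNS-aware model makes possible: the selected pod may only ask the cluster DNS for names under one domain, and may only open connections to the addresses those lookups returned. The namespace, pod labels and domain are constructed; the `toFQDNs` and L7 `dns` rule fields follow the CiliumNetworkPolicy syntax as documented by the project, which this page itself does not show.

```yaml
# Added example (not from the article or the Cilium project): a DNS-aware
# egress policy. Namespace, selector labels and domain are constructed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: billing-egress-dns-restricted
  namespace: payments            # constructed namespace
spec:
  endpointSelector:
    matchLabels:
      app: billing               # constructed pod label
  egress:
  # 1. Allow DNS only towards the cluster DNS service, and only for names
  #    under the permitted domain. Queries for any other name are refused
  #    by the DNS proxy, and each lookup and its response are logged.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*.api.example.com"   # constructed domain
  # 2. After a permitted lookup, allow TCP/443 only to the IP addresses
  #    that the DNS response returned for names matching the pattern.
  - toFQDNs:
    - matchPattern: "*.api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Because any egress rule selecting the pod puts it into default-deny for egress, traffic not matched by these two rules is dropped, including connections to an address that no permitted lookup returned.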

To reduce latency, v1.4 includes a beta of a new datapath mode based on the IPvlan networking interface. Further additions still in preview include transparent encryption for service-to-service communication within and across clusters, which uses X.509 certificates and keys, and an integration with the CoreOS network fabric Flannel.
AWS users can give the ability to set up policy rules based on AWS metadata (VPC names, security group names, EC2 labels, etc.) a spin, though this feature is still in alpha at this point. A complete list of changes can be found in the announcement blog post. Cilium is open source; its code is licensed under the Apache License 2.0 and hosted on GitHub.