Network and API connectivity project Cilium has been released in version 1.7, providing users with a UI for observability platform Hubble and the option to apply cluster-wide network policies.
Cilium is an open source project developed by US startup Isovalent to provide and secure network connectivity and load balancing for workloads such as application containers or processes. It is based on a virtual machine-like construct called Berkeley Packet Filter (BPF) which can be found in the Linux kernel.
The software can be seen as one of the so-called cloud-native projects and comes with integrations for Kubernetes, containerd, CNI, and libnetwork. It is used by companies such as Adobe and Datadog.
For the current release, the Cilium team added cluster-wide network policies to the project. Those are meant to facilitate the configuration of baseline policies for all namespaces in a cluster to reduce management overhead amongst other things.
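A baseline of the kind described above could look like the following manifest. This is an added example, not taken from the release or from the Cilium project's own material; the policy name and the choice of rule are assumptions made for illustration.

```yaml
# Added example: a cluster-wide baseline using the cluster-scoped policy
# resource. The name "baseline-ingress-from-cluster" is hypothetical.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  # Cluster-scoped resource: no namespace field, applies across namespaces.
  name: baseline-ingress-from-cluster
spec:
  description: "Baseline: pods accept ingress only from inside the cluster"
  # An empty selector matches every Cilium-managed endpoint in the cluster.
  endpointSelector: {}
  ingress:
    # "cluster" is a built-in entity covering endpoints and nodes of the
    # local cluster; traffic originating outside the cluster is not matched.
    - fromEntities:
        - cluster
  # Once an endpoint is selected by a policy with ingress rules, ingress
  # that no rule allows is dropped. Workloads that must accept external
  # traffic need an additional, more specific policy allowing it.
```

Because the selector matches every endpoint, reviewing the effect in a test cluster before applying it to production is advisable; namespaced policies can still add further allow rules on top of the baseline.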
The devs also went on to improve the kube-proxy replacement in eBPF, moving the feature introduced in the last minor version update from beta to being generally available. It was added to handle certain types of Kubernetes services in a more performant, reliable manner.
In Cilium 1.7, the replacement can now also work with services exposed via an external IP, causes less latency, and implements Direct Server Return for Kubernetes services. The latter preserves the client source IP address, helps to prevent uneven load balancing and reduces latency when answering client requests, since the reply doesn’t have to take the route the request used to get to the endpoint.
Cilium now also provides a deeper level of insight with ways to configure Envoy TLS certificates via Kubernetes resources or local files, and with layer 7 visibility annotations for pods. The first feature, still in beta, allows the observation of HTTP calls and enforcement of API-aware policies on TLS encrypted sessions. Meanwhile, the annotations help users to learn about a system’s network traffic, which can help to improve policies.
They can also be used by the new observability tool Hubble, which the Cilium team previewed while working on the 1.7 release. The tool now comes with an open source UI, which presumably is meant to drive adoption forward, giving users more options to customise and extend the interface according to their project’s needs. Additional information can be found in the release announcement.