Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF
eBPF (extended Berkeley packet filter) is a powerful technology that operates directly within the Linux kernel, offering robust hooks for extending runtime observability, security, and networking capabilities across various deployment environments. While eBPF has gained widespread adoption, organizations are encouraged to leverage tools and layers built on eBPF to effectively harness its functionality. For instance, Gartner advises that most enterprises lack the expertise to directly utilize eBPF and should opt for tools configured with eBPF and extended layers of functionality.
In the open source domain, Cilium is one such tool that organizations are increasingly relying on. This week it achieved graduation status, signifying a significant milestone and paving the way for further development and utilization. Cilium offers additional capabilities with eBPF to help secure the network connectivity between runtimes deployed on Docker and Kubernetes, as well as other environments, including bare metal and virtual machines. Isovalent, which created Cilium and donated it to the CNCF, and the contributors are also, in parallel, developing Cilium capabilities to offer network observability and network security functionality through Cilium sub-projects consisting of Hubble and Tetragon, respectively.
This graduation certifies that Cilium — created by Isovalent, which offers eBPF-based solutions for network security and observability — has successfully passed stringent third-party security audits and received a recommendation for graduation by the CNCF Technical Oversight Committee (TOC), while the CNCF says the project has been instrumental in allowing for CNCF projects to include GPL-licensed eBPF code to run in the kernel. After becoming an incubating CNCF project in October 2021, Cilium is the second-most active CNCF project in terms of the number of commits, behind only Kubernetes, according to Cilium documentation. The Cilium repo has 651 contributors, which does not include Hubble, the Cilium/eBPF library, Tetragon and other related projects. There are also 19,991 closed pull requests in the main Cilium repo.
“I would agree that Cilium has become the ‘go-to’ container network interface (CNI), and the first networking plugin to graduate,” Liz Rice, chief open source officer for Isovalent, told The New Stack. “But I think one of the reasons why it has gained so much adoption is that it’s not just about networking — you also get observability.”
Cilium has shown its viability as a “highly reliable CNI solution” suitable for production environments, Saiyam Pathak, field CTO at managed Kubernetes service provider Civo and a CNCF Ambassador, told The New Stack. “Cilium boasts a proven track record of success at scale, making it an ideal candidate for handling large-scale operations. The project’s graduation underscores its maturity and the rigorous security audits it has successfully completed,” Pathak told The New Stack. “This achievement reflects the project’s genuine excellence in the realm of CNIs. Kubernetes has established itself as the de facto platform for container orchestration, and Cilium is rapidly becoming the de facto CNI solution of choice for Kubernetes.”
In this way, Cilium offers monitoring and observability of network actions, allowing users to debug their network issues, Rice explained. It can also be used to implement network security policies, not limited to Kubernetes network policies but also Layer 7 network policies across other environments as well.
“Cilium offers much more than just network capabilities — you can start with basic connectivity, and it becomes more useful as your project grows,” Rice said.
What Is eBPF?
For those who may not be familiar with eBPF, it can be described as offering elements like program verification, helper calls, eBPF maps, predefined hooks, function and tail calls that originate from the Linux kernel and extend across any connected runtime or environment (at least in theory). It runs in a closed (or sandboxed, to use industry parlance) environment and cannot be written to across the programs running in it.
The power of eBPF largely lies in its computing efficiency since it is directly tied to the Linux kernel. “eBPF allows us to dynamically load programs into the kernel and modify its behavior,” Rice said.
As a key security feature, the eBPF Verifier checks the code and only grants eBPF write privileges after verifying that the program is licensed under GPL, to help ensure its security and compatibility.
“The reason why eBPF is so revolutionary is that in the past, the only way to modify the kernel was through kernel modules. The verifier in eBPF provides a level of safety when running new BPF programs that you simply don’t have with kernel modules,” Rice said. “Many organizations steer clear of kernel modules because they can cause severe issues in a production cluster. So it’s all about having the ability to make these bespoke changes, whether you’re observing events or seeking to manipulate the behavior of the network stack or interfaces in a customized manner that suits individual users.”
Cilium offers the following features, according to its documentation:
* Secure connectivity within Kubernetes, across clusters, and to existing infrastructure using different network topologies (overlays, direct routing, native cloud provider integrations)
* Implementation of zero trust security principles with network policies and transparent encryption.
* Achieving compliance standards such as PCI, FedRAMP and SOC2 (segmentation, encryption and authentication)
* Gaining security-relevant observability by enriching an existing SIEM with Kubernetes infrastructure data.
* Scalable and efficient load-balancing, Ingress, and API Gateway functionality.
* Built-in sidecar-free service mesh capabilities for L7 load-balancing, canary rollouts, mTLS and distributed tracing
Still, with its hooks, Cilium remains a work in progress for the future development of its observability and purely security capabilities beyond its proven capability as CNI plugin for network observability and monitoring. Among the risks — and with security tools that make use of eBPF — is a proliferation of false positives for vulnerabilities and a lack of visibility to prioritize threats based on severity when vulnerabilities and threats are detected through the eBPF hooks. In other words, Cilium, like all open source and enterprise tools, has limitations for observability and security, but that is what the project is largely addressing these days. Much work is also going into the enterprise-hardened edition of Cilium, Isovalent Enterprise for Cilium.
Again, eBPF itself is primarily about networking. It excels in terms of network security, especially when it comes to container firewalling, thanks to the efficiency of eBPF. It can serve as a robust network firewall. Meanwhile, “When we consider the broader security plan within the Tetragon framework (currently in beta), it shows great promise in enhancing runtime security using the capabilities of eBPF,” Rice said. “This includes processes monitoring file access, memory access, and additional runtime security measures. However, there is still ongoing development in this area. And I think this holds true for the broader field of security in general.”
Meanwhile, Isovalent will continue to make “substantial investments in open source projects.” Cilium itself comprises several components, including Tetragon and Hubble.”We consistently explore and innovate using BPF capabilities, further building upon open source projects,” Rice said. “Furthermore, we offer various compelling features and solutions tailored for enterprise clients.”