
Aug 04, 2023

Cilium 1.14 expands networking beyond Kubernetes, offers higher speeds


Cilium, an open-source networking, security and observability project, has released version 1.14 with an array of connectivity, security and observability updates. The 1.14 release also introduces new service mesh capabilities, high-speed networking and security enhancements.

“Cilium is quickly growing beyond Kubernetes and beyond container networking,” Thomas Graf, founder of Cilium and CTO of Isovalent, told SDxCentral. “It is becoming an overall cloud-native connectivity platform meeting enterprise-grade standards.”

To date, Cilium has been largely used alongside the Kubernetes container orchestration platform, but the 1.14 release unshackles it to enable much broader networking use cases.

Cilium is an open-source project hosted by the Cloud Native Computing Foundation (CNCF), with commercial support from startup Isovalent (formerly known as Covalent). At the core of Cilium is eBPF (extended Berkeley Packet Filter), a Linux kernel technology that can be used for networking, security and observability. The Cilium project got started in 2015 and has grown significantly over the years, now counting IKEA, the New York Times and Bloomberg among its users.

Cilium 1.14 provides support for a security capability known as mutual transport layer security (mTLS).

TLS is the de facto standard for encrypting data in transit over a network, but deploying it typically requires issuing a TLS certificate and running a separate certificate authority (CA). Cilium's mTLS approach is intended to be easier to deploy and enable.

Graf explained that prior to the new release, Cilium offered network-level encryption with IPsec and WireGuard, featuring node-to-node authentication. With the new update, he said, Cilium now has service-level authentication and includes a SPIFFE/SPIRE stack that automatically generates certificates for all services and pods running in a Kubernetes cluster.
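As an added illustration that is not part of the article or of the Cilium project's own documentation, the policy below shows what the service-level authentication described above looks like in practice: a CiliumNetworkPolicy that admits traffic to a workload only from a named peer and only once that peer has proven its SPIFFE identity. The namespace, the `app` labels and the port are assumptions.

```yaml
# Added example, not from the article. Assumes Cilium 1.14 installed with
# mutual authentication turned on, for instance via Helm:
#   --set authentication.mutual.spire.enabled=true \
#   --set authentication.mutual.spire.install.enabled=true
# (the bundled SPIRE server issues a SPIFFE identity per Cilium identity).
# Namespace "demo", labels app=client / app=server and port 8080 are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: server-require-mtls
  namespace: demo
spec:
  # The workload being protected.
  endpointSelector:
    matchLabels:
      app: server
  ingress:
  # Only pods labelled app=client may reach the server at all ...
  - fromEndpoints:
    - matchLabels:
        app: client
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
    # ... and only after the Cilium agents on both nodes have completed a
    # mutual TLS handshake with the SPIFFE/SPIRE-issued certificates.
    # Until that handshake succeeds the datapath drops the connection,
    # so a compromised pod that merely spoofs labels or an IP is not enough.
    authentication:
      mode: "required"
```

Connections rejected before the handshake completes appear as drops in `hubble observe --type drop`, which is the quickest way to confirm the policy is actually enforcing authentication rather than silently allowing traffic.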

Transmission Control Protocol (TCP) is the foundation of modern internet-based networking, and it has many attributes and extensions. Cilium 1.14 now provides support for a new high-speed networking capability known as BIG TCP. Graf said BIG TCP unlocks the ability to push high throughput through a single TCP connection. He noted that saturating 100 Gb/s network cards with Linux and Cilium has been possible for a while, but only if multiple parallel TCP connections were used to achieve the total throughput.

The maximum transmission unit (MTU) on the wire is often 1.5 KB or 9 KB. With BIG TCP, Graf said, the maximum packet size handled in software can be up to 185 KB, which greatly increases the throughput of a single connection.

“With BIG TCP, a single TCP connection can achieve much higher individual throughput than before,” Graf said. “This is made possible by extending the maximum packet size that can be processed in the Linux and Cilium networking stack.”

Cilium’s newest release also integrates a capability the project refers to as the L2 Announcement Policy feature. L2 is a reference to layer 2, which is the data link layer in the Open Systems Interconnection (OSI) framework for network architecture.

Graf said the L2 Announcement Policy feature is useful when running Cilium as a load balancer in on-premises environments. He explained that with an L2 announcement, Cilium can “advertise” a service IP address on a local L2 network by responding to Address Resolution Protocol (ARP) requests for that address.

Even though Cilium is becoming increasingly capable for uses outside of Kubernetes workloads, Kubernetes is still at the foundation of its technology.

“We have become a service mesh and external load-balancer and are quickly expanding in networking for non-container workloads,” Graf said. “What ties all of these efforts together is the continued focus on a Kubernetes and platform engineering-centric approach.”
