The open-source tool Cilium, which provides secured network connections between containerized applications, has been released in version 1.9. The release works with the Maglev load balancer developed by Google and introduces deny network policies, which let administrators define rules that block certain connections completely. In addition, Cilium can now manage arbitrary VM or bare-metal nodes.
Balancing act to the right backend
Version 1.8, published in June, already brought a fundamental extension of load balancing by building on the eXpress Data Path (XDP) anchored in the Linux kernel to relieve the CPU. The current release is intended to improve communication with the backend and relies on the Maglev load balancer developed by Google.
The previous load-balancing approach via the Cilium or kube-proxy ensures fail-safe communication in the cluster, but does not guarantee a consistent backend. The load balancer picks a random path across the nodes and thereby ensures that the traffic remains stable. If a node fails, the load balancer picks a new path at random. However, the load-balancing node has no information about the originally selected backend and potentially selects a new one, which can mean that communication between the client and the new backend has to start from scratch.
Maglev tries to restore the connection to the original backend when load-balancing nodes fail.
Maglev uses a hashing algorithm to build a lookup table so that each load-balancing node has a consistent view of the backends. That way, a replacement node that steps in when a node fails can re-establish the connection to the original backend. The price for more stable communication and improved resilience is a higher memory requirement for the lookup tables. Therefore, alongside the new Maglev datapath, the eBPF load balancer (extended Berkeley Packet Filter) can still use the random path.
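The Maglev table construction described above, as an added example written for this article (not Cilium's own implementation, which lives in its eBPF datapath and agent): it builds the lookup table, shows that every node computes the identical table, and measures how many slots move when a backend disappears. SHA-256 as the hash and 65537 as the prime table size are assumptions, not Cilium's settings.

```python
import hashlib


def _h(data: bytes, salt: bytes) -> int:
    # Stand-in hash (assumption): SHA-256 truncated to 64 bits, salted so the
    # offset, skip and flow hashes are independent of each other.
    return int.from_bytes(hashlib.sha256(salt + data).digest()[:8], "big")


def maglev_table(backends, table_size=65537):
    """Build a Maglev lookup table: slot index -> backend.

    table_size must be prime and much larger than the number of backends.
    Backends are sorted so that every node builds the identical table.
    """
    backends = sorted(backends)
    n = len(backends)
    if n == 0:
        return [None] * table_size
    # Each backend gets its own permutation of the slots: offset + j*skip mod M.
    offsets = [_h(b.encode(), b"offset") % table_size for b in backends]
    skips = [_h(b.encode(), b"skip") % (table_size - 1) + 1 for b in backends]
    nxt = [0] * n                    # next preference index per backend
    table = [None] * table_size
    filled = 0
    while True:
        for i in range(n):
            # Walk this backend's preference list to its next free slot.
            c = (offsets[i] + nxt[i] * skips[i]) % table_size
            while table[c] is not None:
                nxt[i] += 1
                c = (offsets[i] + nxt[i] * skips[i]) % table_size
            table[c] = backends[i]
            nxt[i] += 1
            filled += 1
            if filled == table_size:
                return table


def lookup(table, flow_key: str):
    """Pick the backend for a flow (e.g. a 5-tuple rendered as a string)."""
    return table[_h(flow_key.encode(), b"flow") % len(table)]


def disruption(old, new):
    """Fraction of slots whose backend changed between two tables."""
    return sum(1 for a, b in zip(old, new) if a != b) / len(old)
```

The memory cost the text mentions is visible directly: the table holds one entry per slot, so a larger prime buys a smaller disruption on backend changes at the price of a proportionally larger table on every node.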
You can not get in here!
Another innovation is the deny-based network policy, which takes precedence over all other network policies. Administrators can use it to block individual sources or destinations completely and, for example, react to attacks from certain entities.
With the policy, Cilium can refuse communication entirely.
Also noteworthy is that version 1.9 newly integrates workloads outside a Kubernetes cluster. That way, Cilium manages arbitrary nodes on physical servers or in the form of virtual machines. In addition, the release improves interaction with OpenShift, and the documentation contains a dedicated guide for installation on the Kubernetes distribution OpenShift OKD.
Cilium secures connections between containers
The open-source tool Cilium provides secured network connections between containerized applications. It is compatible with the Container Network Interface (CNI) and offers numerous additional functions, among other things for implementing policies as well as for services and load balancing. In August, Google announced Dataplane V2 for the Google Kubernetes Engine (GKE), which builds on eBPF and Cilium.
Further innovations in version 1.9, such as mutual TLS authentication for the observability platform Hubble, can be found in the Cilium blog.