eBPF-based Networking, Security, and Observability

cilium/cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity-based security model that is decoupled from network addressing.

Cilium implements distributed load balancing for traffic between pods and to external services, and is able to fully replace kube-proxy, using efficient hash tables in eBPF allowing for almost unlimited scale. It also supports advanced functionality like integrated ingress and egress gateway, bandwidth management and service mesh, and provides deep network and security visibility and monitoring.

A Linux kernel technology called eBPF is at the foundation of Cilium. It supports dynamic insertion of eBPF bytecode into the Linux kernel at various integration points such as network IO, application sockets, and tracepoints to implement security, networking and visibility logic. eBPF is highly efficient and flexible. To learn more about eBPF, visit eBPF.io.

[Figure: Overview of Cilium features for networking, observability, service mesh, and runtime security]

CNCF Graduated Project

Stable Releases

The Cilium community maintains minor stable releases for the last three minor Cilium versions. Older Cilium stable versions from minor releases prior to that are considered EOL.

For upgrades to new minor releases please consult the Cilium Upgrade Guide.

Listed below are the actively maintained release branches along with their latest patch release, corresponding image pull tags and their release notes:

| Branch | Release date | Image pull tag | Notes |
|---|---|---|---|
| v1.19 | 2026-02-04 | quay.io/cilium/cilium:v1.19.0 | Release Notes |
| v1.18 | 2026-01-13 | quay.io/cilium/cilium:v1.18.6 | Release Notes |
| v1.17 | 2026-01-13 | quay.io/cilium/cilium:v1.17.12 | Release Notes |

Architectures

Cilium images are distributed for AMD64 and AArch64 architectures.

Software Bill of Materials

Starting with Cilium version 1.13.0, all images include a Software Bill of Materials (SBOM). The SBOM is generated in SPDX format. More information on this is available on Cilium SBOM.

Development

For development and testing purposes, the Cilium community publishes snapshots, early release candidates (RC) and CI container images built from the main branch. These images are not for use in production.

For testing upgrades to new development releases please consult the latest development build of the Cilium Upgrade Guide.

Listed below are branches for testing along with their snapshots or RC releases, corresponding image pull tags and their release notes where applicable:

| Branch | Cadence | Image pull tag | Notes |
|---|---|---|---|
| main | daily | quay.io/cilium/cilium-ci:latest | N/A |

Functionality Overview

CNI (Container Network Interface)

Cilium as a CNI plugin provides a fast, scalable, and secure networking layer for Kubernetes clusters. Built on eBPF, it offers several deployment options:

  • Overlay networking: encapsulation-based virtual network spanning all hosts with support for VXLAN and Geneve. It works on almost any network infrastructure as the only requirement is IP connectivity between hosts, which is typically already given.
  • Native routing mode: Use of the regular routing table of the Linux host. The network is required to be capable of routing the IP addresses of the application containers. It integrates with cloud routers, routing daemons, and IPv6-native infrastructure.
  • Flexible routing options: Cilium can automate route learning and advertisement in common topologies, such as using L2 neighbor discovery when nodes share a layer 2 domain, or BGP when routing across layer 3 boundaries.

Each mode is designed for maximum interoperability with existing infrastructure while minimizing operational burden.

Load Balancing

Cilium implements distributed load balancing for traffic between application containers and to/from external services. The load balancing is implemented in eBPF using efficient hash tables, enabling high service density and low latency at scale.

  • East-west load balancing rewrites service connections at the socket level (connect()), avoiding the overhead of per-packet NAT and fully replacing kube-proxy.
  • North-south load balancing supports XDP for high-throughput scenarios and layer 4 load balancing including Direct Server Return (DSR) and Maglev consistent hashing.

Cluster Mesh

Cilium Cluster Mesh enables secure, seamless connectivity across multiple Kubernetes clusters. For operators running hybrid or multi-cloud environments, Cluster Mesh ensures a consistent security and connectivity experience.

  • Global service discovery: Workloads across clusters can discover and connect to services as if they were local. This enables fault tolerance, like automatically failing over to backends in another cluster, and exposes shared services like logging, auth, or databases across environments.
  • Unified identity model: Security policies are enforced based on identity, not IP address, across all clusters.

Network Policy

Cilium Network Policy provides identity-aware enforcement across L3-L7. Typical container firewalls secure workloads by filtering on source IP addresses and destination ports. This concept requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster.

To avoid this situation, which limits scale, Cilium assigns a security identity to groups of application containers which share identical security policies. The identity is then associated with all network packets emitted by the application containers, allowing the identity to be validated at the receiving node.

  • Identity-based security removes reliance on brittle IP addresses.
  • L3/L4 policies restrict traffic based on labels, protocols, and ports.
  • DNS-based policies: Allow or deny traffic to FQDNs or wildcard domains (e.g., api.example.com, *.trusted.com). This is especially useful for securing egress traffic to third-party services.
  • L7-aware policies allow filtering by HTTP method, URL path, gRPC call, and more:
    • Example: Allow only GET requests to /public/.*.
    • Enforce the presence of headers like X-Token: [0-9]+.

CIDR-based egress and ingress policies are also supported for controlling access to external IPs, ideal for integrating with legacy systems or regulatory boundaries.
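The policy features listed above combined into one CiliumNetworkPolicy, as an added example that is not part of the Cilium README. It assumes a workload labeled `app: frontend` in the `default` namespace, a caller labeled `app: gateway`, the cluster DNS service at the standard `kube-dns` labels in `kube-system`, and an internal legacy range `10.20.0.0/16`; the FQDN names and the `X-Token` header pattern are the ones quoted in the text.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-l3-l7          # assumed name
  namespace: default            # assumed namespace
spec:
  # L3: the identity derived from these labels, not a pod IP, is what
  # is matched. Once a policy selects an endpoint, the selected direction
  # (ingress and egress here) becomes default-deny for that endpoint.
  endpointSelector:
    matchLabels:
      app: frontend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: gateway            # assumed caller identity
    toPorts:
    - ports:
      - port: "8080"            # assumed listening port
        protocol: TCP
      # L7: only GET on /public/.* and only with a numeric X-Token header.
      # Presence of an http rule diverts this flow through the L7 proxy.
      rules:
        http:
        - method: "GET"
          path: "/public/.*"
          headers:
          - "X-Token: [0-9]+"
  egress:
  # DNS egress with a dns rule: required so the proxy can observe DNS
  # responses and resolve the toFQDNs rules below into allowed IPs.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # FQDN-based egress: exact name plus a wildcard domain, HTTPS only.
  - toFQDNs:
    - matchName: "api.example.com"
    - matchPattern: "*.trusted.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # CIDR-based egress for a legacy system outside the cluster (assumed range).
  - toCIDR:
    - 10.20.0.0/16
```

Two checks worth doing after applying such a policy: confirm the frontend endpoints show ingress and egress enforcement enabled (`cilium endpoint list` on the node), and remember that removing the kube-dns egress rule silently breaks the `toFQDNs` rules, since the agent can only populate them from DNS answers it sees.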

Service Mesh

With Cilium Service Mesh, operators gain the benefits of fine-grained traffic control, encryption, observability, and access control, without the cost and complexity of traditional proxy-based designs. Key features include:

  • Mutual authentication with automatic identity-based encryption between workloads using IPsec or WireGuard.
  • L7-aware policy enforcement for security and compliance.
  • Deep integration with the Kubernetes Gateway API: Acts as a Gateway API compliant dataplane, allowing you to declaratively manage ingress, traffic splitting, and routing behavior using Kubernetes-native CRDs.
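The kube-proxy replacement, DSR/Maglev/XDP load balancing options described under Load Balancing, and the WireGuard encryption listed above, expressed as a Helm values file. This is an added example, not configuration shipped with the Cilium repository; the API server address `10.0.0.1:6443` and the pod CIDR `10.244.0.0/16` are assumed placeholders.

```yaml
# Assumed usage: helm install cilium cilium/cilium -n kube-system -f values.yaml
# With kube-proxy removed, the agent can no longer reach the API server via the
# kubernetes ClusterIP, so the real endpoint must be given explicitly.
kubeProxyReplacement: true
k8sServiceHost: 10.0.0.1        # assumed API server address
k8sServicePort: 6443

# DSR requires that backend pods can answer clients directly, so the pod
# range must be routable on the underlay (native routing, no overlay).
routingMode: native
ipv4NativeRoutingCIDR: 10.244.0.0/16   # assumed pod CIDR

loadBalancer:
  mode: dsr                  # Direct Server Return for north-south traffic
  algorithm: maglev          # consistent hashing; backend changes disturb few flows
  acceleration: best-effort  # XDP where the NIC driver supports it, tc fallback elsewhere

# Transparent pod-to-pod encryption between nodes.
encryption:
  enabled: true
  type: wireguard
```

Caveats a reviewer would raise: `mode: dsr` is incompatible with overlay (VXLAN/Geneve) routing, Maglev keeps a per-service lookup table on every node so memory grows with service count, and WireGuard here covers pod-to-pod traffic across nodes only; host-to-host traffic needs the separate node encryption setting, and that should be verified with `cilium status` after rollout rather than assumed from the values file.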

Observability and Troubleshooting

Observability is built into Cilium from the ground up, providing rich visibility that helps operators diagnose and understand system behavior, including:

  • Hubble: A fully integrated observability platform that offers real-time service maps, flow visibility with identity and label metadata, DNS-aware filtering and protocol-specific insights.
  • Metrics and alerting: Integration with Prometheus, Grafana, and other monitoring systems.
  • Drop reasons and audit trails: Get actionable insights into why traffic was dropped, including policy or port violations and issues like failed DNS lookups.

Getting Started

Community

Slack

Join the Cilium Slack channel to chat with Cilium developers and other Cilium users. This is a good place to learn about Cilium, ask questions, and share your experiences.

Special Interest Groups (SIG)

See Special Interest Groups for a list of all SIGs and their meeting times.

Developer meetings

The Cilium developer community hangs out on Zoom to chat. Everybody is welcome.

eBPF & Cilium Office Hours livestream

We host a weekly community YouTube livestream called eCHO which (very loosely!) stands for eBPF & Cilium Office Hours. Join us live, catch up with past episodes, or head over to the eCHO repo and let us know your ideas for topics we should cover.

Governance

The Cilium project is governed by a group of Maintainers and Committers. How they are selected and govern is outlined in our governance document.

Adopters

A list of adopters of the Cilium project who are deploying it in production, and of their use cases, can be found in the file USERS.md.

License

The Cilium user space components are licensed under the Apache License, Version 2.0. The BPF code templates are dual-licensed under the General Public License, Version 2.0 (only) and the 2-Clause BSD License (you can use the terms of either license, at your option).