Cilium Mesh – One Mesh to Join Them All
We have exciting news to share. Cilium has quickly become the standard in Kubernetes networking thanks to its superior security, performance, and exceptional scalability. With the rise in the adoption of Cilium, more and more customers have asked to bring Cilium to the world of virtual machines and servers.
Today, we are excited to announce Cilium Mesh. Cilium Mesh connects Kubernetes workloads, virtual machines, and physical servers running in the cloud, on-premises, or at the edge. It is a natural evolution of Cilium. It builds on the strong Kubernetes networking foundation with identity-based security and deep observability and combines it with the highly scalable multi-cluster control plane Cilium Cluster Mesh. A new transit gateway can be deployed as a virtual appliance into any network to connect workloads in existing networks with Kubernetes or with workloads behind other transit gateways.
What is Cilium Mesh?
Cilium Mesh is a new universal networking layer to connect workloads and machines across cloud, on-prem, and edge. It consists of a Kubernetes networking component (CNI), a multi-cluster connectivity plane (Cluster Mesh), and a transit gateway to connect with existing networks.
Cilium Mesh combines all the existing Cilium components into a single, functional mesh to connect workloads across cloud, on-prem, and edge:
- Kubernetes Networking (CNI): The CNI plugin of Cilium runs on any Kubernetes worker node and is compatible with Kubernetes running in the cloud, on-prem, and at the edge. A Cilium-enabled Kubernetes node automatically gains connectivity to all other Kubernetes nodes and any gateway in the mesh.
- Cluster Mesh: The Cilium Cluster Mesh functions as the control plane and provides the ability to mesh multiple clusters together. It provides the functionality to span network security, encryption, service discovery, load-balancing, and observability services across all clusters.
- Ingress & Egress Gateway: The ingress and egress functionality of Cilium is compatible with Cilium Mesh. Cilium-enabled Kubernetes nodes can act as Ingress or Gateway API nodes for outside traffic to enter the mesh. Similarly, Cilium-enabled Kubernetes nodes can act as egress gateways for traffic to leave the mesh via particular nodes and defined source IP addresses.
- Service Mesh: All Cilium nodes and gateways have the capability to perform L7 services to provide service mesh functionality including L7 load-balancing, Canary Rollouts, mTLS (Cilium 1.14), and Tracing. Service mesh functionality can be configured using the following APIs: Ingress, Gateway API, Kubernetes Services, and Envoy CRD.
As part of Isovalent Cilium Enterprise, the following additional components are included:
- Isovalent Transit Gateway: A new component that allows the deployment of a virtual appliance with a Cilium Gateway installed. The Isovalent Transit Gateway can automatically attract traffic in on-prem networks using BGP and in VPCs using VPC routing. It is also equipped with its own control plane so that it can run outside of Kubernetes while hooking into Cilium Mesh.
- Isovalent Cluster Mesh: An enhanced version of Cilium Cluster Mesh. The enhanced version supports connecting clusters and gateways with overlapping IP addresses. Additionally, the overlay can be served using SRv6 to build a segment routing mesh using IPv6.
- Isovalent Egress Gateway HA: An enhanced version of the Cilium Egress Gateway with the ability to be deployed in a highly available (HA) mode. This allows egress nodes to fail without impacting the performance, uptime, and reliability of the mesh.
- Isovalent Ingress & LoadBalancer: An enhanced version of the Cilium Standalone Ingress & LoadBalancer at L3-L7 with the capability of running outside of Kubernetes. The shipped control plane supports hooking into Cilium Mesh to implement Kubernetes services of type LoadBalancer, including the announcement of service IPs using BGP, as well as full Gateway API support.
Why Cilium Mesh?
Cilium Mesh is a natural evolution of Cilium to extend the reach of Cilium-based networking and security. The datapath of Cilium has always been generic and applicable to use cases beyond Kubernetes. In fact, several users have been using Cilium as a pure vSwitch in environments such as OpenStack. With Cilium Mesh, we are formally enlarging the scope of Cilium to more than Kubernetes.
What does Cilium Mesh bring to Multi- & Hybrid-Cloud Networking?
Bringing a Kubernetes and cloud native networking solution to enterprise and cloud networking brings a number of advantages:
- Modern Zero-Trust Security: Distributed firewalling and micro-segmentation, transparent encryption, and mTLS-based end-to-end authentication make up the modern cloud native security principles used to build zero-trust security. Cilium Mesh makes it trivial to establish these security principles not only in Kubernetes but to extend them to existing infrastructure. In addition, the modern eBPF-based runtime security layer Tetragon enriches a SIEM with deep security observability data on networking and runtime.
- Deep End-to-End Observability: Cilium's Hubble has set new standards in network observability and monitoring. With Cilium Mesh, the eBPF-based observability stack of Cilium becomes available in existing networks. Observability data is made available using modern standards such as Prometheus and can be visualized using powerful tools such as Grafana. Traditional standards such as sFlow and NetFlow are still supported as needed.
- Multi-Cloud Aligned: Cilium has been chosen by all major cloud providers for at least one of their managed Kubernetes platforms. Because of this, Cilium is deeply integrated into all public cloud networking layers. At the same time, it is a logical abstraction and thus provides portability across all cloud providers and into on-prem networking. Cilium is aligned on open source standards and is thus ideal as the foundational networking layer of the future.
- DevOps & GitOps Alignment: All aspects of Cilium Mesh are optimized for modern platform engineering and DevOps teams. All components can be deployed in a fully automated way and all aspects of the mesh can be configured using an API.
- Highly Scalable Control Plane: The modern Cilium control plane is fully distributed and has been built for container workloads to easily scale horizontally.
How do I configure Cilium Mesh?
For those familiar with Cilium Cluster Mesh, Cilium Mesh is built on its foundation. It uses the Kubernetes API as its control plane, which is well-proven, familiar to modern platform engineering teams, and offers ideal properties for a distributed control plane.
The API for the transit gateway is still in development. The following early example shows how to expose nginx running in Kubernetes via a transit gateway. Afterwards, the pod can be accessed via a service VIP or a service DNS name:
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    io.cilium/global-service: "true"
    io.cilium/portal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    run: nginx
The traffic can be secured using network policies:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l3-rule"
spec:
  endpointSelector:
    matchLabels:
      run: nginx
  ingress:
  - fromEndpoints:
    - matchLabels:
        client: good
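To make the identity-based model behind this policy concrete, here is an added example (not code from the Cilium project or from this post) that models how an L3 CiliumNetworkPolicy such as l3-rule is evaluated: endpoints are selected by labels, an endpoint selected by a policy with an ingress section becomes default-deny for ingress, and the verdict depends on the peer's labels (its identity), not on its IP address. The endpoints, their labels and IPs are constructed; the model assumes a single namespace and leaves out entity/CIDR selectors and L4/L7 rules, which real Cilium supports.

```python
# Added example (not Cilium or Isovalent code): a minimal model of how the
# "l3-rule" CiliumNetworkPolicy is evaluated on label-derived identities.
# Assumptions: one namespace, label selectors only (no entity/CIDR selectors,
# no L4/L7 rules); all endpoints below are constructed for the example.
from dataclasses import dataclass

# The policy from the post, as the dict a YAML parser would produce
# (transcribed by hand so the example runs without PyYAML).
L3_RULE = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "l3-rule"},
    "spec": {
        "endpointSelector": {"matchLabels": {"run": "nginx"}},
        "ingress": [
            {"fromEndpoints": [{"matchLabels": {"client": "good"}}]},
        ],
    },
}


class IdentityAllocator:
    """Hands out one numeric security identity per distinct label set.

    This is the idea behind Cilium's identity-based security: workloads with
    the same labels share an identity regardless of node, cluster or IP, so
    policy is decided on identities rather than on addresses.
    """

    def __init__(self) -> None:
        self._ids: dict[frozenset, int] = {}

    def identity(self, labels: dict) -> int:
        key = frozenset(labels.items())
        return self._ids.setdefault(key, len(self._ids) + 1)


@dataclass
class Endpoint:
    name: str
    labels: dict
    ip: str = ""  # carried along only to show it plays no role in the verdict


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value in the selector must be present.
    An empty selector matches everything, as in Kubernetes and Cilium."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies: list[dict], src: Endpoint, dst: Endpoint) -> bool:
    """Verdict for a flow src -> dst under a list of CiliumNetworkPolicies.

    - If no policy with an ingress section selects dst, ingress is allowed
      (the default for an endpoint no policy selects).
    - Otherwise dst is default-deny for ingress, and the flow is allowed only
      if a fromEndpoints selector of a selecting policy matches src's labels.
    """
    selecting = [
        p["spec"] for p in policies
        if "ingress" in p["spec"]
        and selector_matches(p["spec"]["endpointSelector"], dst.labels)
    ]
    if not selecting:
        return True
    for spec in selecting:
        for rule in spec["ingress"]:
            for peer in rule.get("fromEndpoints", []):
                if selector_matches(peer, src.labels):
                    return True
    return False


def verdict_table(policies: list[dict], endpoints: list[Endpoint]) -> dict[tuple, bool]:
    """Evaluate every ordered (src, dst) pair, keyed by (src identity, dst identity).

    Keying on identities shows why a datapath can cache decisions per identity
    pair instead of per IP pair: endpoints sharing labels share a verdict.
    """
    alloc = IdentityAllocator()
    table: dict[tuple, bool] = {}
    for src in endpoints:
        for dst in endpoints:
            if src is dst:
                continue
            key = (alloc.identity(src.labels), alloc.identity(dst.labels))
            table[key] = ingress_allowed(policies, src, dst)
    return table


if __name__ == "__main__":
    # Constructed endpoints; the two VM clients deliberately reuse one IP to
    # show that only their labels decide the outcome.
    eps = [
        Endpoint("nginx-pod", {"run": "nginx"}, "10.0.1.10"),
        Endpoint("vm-client", {"client": "good"}, "192.168.5.7"),
        Endpoint("vm-other", {"client": "bad"}, "192.168.5.7"),
        Endpoint("redis", {"run": "redis"}, "10.0.1.11"),
    ]
    for (s, d), ok in verdict_table([L3_RULE], eps).items():
        print(f"identity {s} -> identity {d}: {'ALLOW' if ok else 'DENY'}")
```

Running the block prints one verdict per identity pair: only the `client: good` identity may reach the `run: nginx` identity, while `redis`, which no policy selects, still accepts ingress from everyone. In a mesh that spans VMs and servers, this is what lets one policy apply to a workload whether it runs as a pod, behind a transit gateway or in another cluster.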
Observability across Infrastructure
Cilium provides extensive observability capabilities, including the ability to stream observability data to Hubble UI, Prometheus & Grafana, and most SIEMs. This capability extends to Cilium Mesh to provide visibility into all workloads across cloud and on-prem infrastructure.
I want to see a Demo!
Great. If you are at KubeCon, stop by the Isovalent booth for a personal demo. If you can't make it to KubeCon, reach out to us, and we are happy to schedule a personal demo with you.
We are also working with existing customers to test the preview of Cilium Mesh functionality. If you would like to get involved in testing current versions of Cilium Mesh and provide feedback, get in touch with us by requesting a demo.