Cilium: Kubernetes Service Mesh Solution - Simplified Networking for improved Security

Cilium: Kubernetes Service Mesh Solution - Simplified Networking for improved Security

Jayakumar Sakthivel's photo
Jayakumar Sakthivel
·

4 min read

Introduction

Kubernetes has revolutionized the way we deploy and manage containerized applications. However, managing networking in Kubernetes can be a challenging task, especially as your clusters grow in complexity. This is where Cilium comes into play. In this blog post, we'll walk you through a simple Cilium implementation demo to showcase how it helps achieve namespace isolation and discuss why it might be the right choice compared to other service meshes.

What is Cilium?

Cilium is open-source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

Why Cilium?

Even Though Kubernetes has a default CNI, it doesn’t provide many features. If a developer needs more features like namespace isolation, IP filtering, traffic mirroring, or changing load balancing algorithms, then other network plugins should be used.

Cilium is, conversely, not relying on IP table rules. Instead, it was using a Linux kernel technology called eBPF.

eBPF

  • eBPF originated in the Linux kernel, which can run sandboxed programs in an operating system kernel.

  • It can take care of Networking, security, and observation.

  • Using an eBPF program gives you monitoring and tracing standards with more granular detail and kernel context than other options.

Key features of Cilium

  • eBPF-based Data Plane

  • Layer & Load Balancing

  • API-Aware Security Policies

  • Kubernetes Native Integration

  • Network Visibility and Monitoring

  • Multi-cluster and Multi-Cloud Support

  • Service Mesh Integration

  • Scalability

Namespace Isolation in Kubernetes

To achieve namespace isolation in Kubernetes using Cilium, you need to follow these steps:

Installation of Cilium

Step 1: Make sure your cluster is set up for the installation of cilium.

Step 2: Try to install Cilium using the helm chart

helm repo add cilium https://helm.cilium.io/

The helm chart can be used and pulled up in your local if you wish to modify it.

helm pull cilium/cilium
helm install cilium cilium/cilium -n kube-system

The cilium CLI makes installing the cilium simple,

Note: Replace this <cilium-version> with your version

wget https://github.com/cilium/cilium-cli/releases/download/<cilium-version>/cilium-linux-amd64.tar.gz
cilium install --version <cilium-version>
cilium status

Step 3: After Successful installation, you can see the cilium pods are running in the kube-system namespace.

Step 4: Using the YAML file below, create a new namespace called nginx and deploy the Nginx service there.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: NodePort

Step 5: Make sure the nginx deployment and service is up and running

Step 6: Create another two namespaces app1 and app2 and deploy the nginx service in those namespaces.

Step 7: Create a cilium network policy that should permit all ingresses and egresses for the nginx namespace, prohibit all other ingresses and egresses for app1 and app2, and only allow traffic from the nginx namespace to reach the apps.

Here, I am providing a policy based on the before architecture, you can craft a new policy here, https://editor.networkpolicy.io/

Step 8: Make a new file policy. Copy the following policy into YAML using the Vim editor. Recognise that because this policy operates at the namespace level, you should apply it to specific namespaces like app1 and app2.

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: ns-policy
spec:
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: nginx
      toPorts:
        - ports:
            - port: "80"
        - ports:
            - port: "443"
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"

kubectl apply -f policy.yaml -n app1

Step 9: SSH into the nginx pod in the nginx namespace and try to curl the nginx service in the app1 namespace it will show the HTML response

kubectl exec -it <pod-name> -n nginx -- /bin/bash
curl nginx-service.app1.svc.cluster.local

So, From the nginx namespace, you can able to curl the service in the app1 namespace

Step 10: SSH into the nginx pod in the app1 namespace and try to curl the nginx-service in the app2 namespace it will fail to curl, thus we can now verify the network policy is working

Summary

This blog equips you with the know-how to harness Cilium's service mesh capabilities in Kubernetes. Simplify networking, enhance security, and achieve namespace isolation effortlessly with Cilium. Dive in and supercharge your containerized applications today!

Do follow and Subscribe to my newsletter for the latest updates.

Did you find this article valuable?

Support Jk's Blog by becoming a sponsor. Any amount is appreciated!

cilium#ServiceMeshSecurityKubernetesnetworking