Containerization: Cilium 1.9 introduces bouncers and new load balancers

Source: Heise.de added 11th Nov 2020


Version 1.9 of the open source tool Cilium for providing secure network connections between containerized applications has been released. The release works with Google’s Maglev Load Balancer and introduces Deny Network Policies to set guidelines to completely block certain connections. In addition, Cilium can now be used on any VM or bare metal node.

Balancing act to the correct backend

Version 1.8, released in June, already brought with it a fundamental extension for load balancing by relying on the eXpress Data Path (XDP) anchored in the Linux kernel to relieve the CPU. The current release is supposed to improve the communication to the backend and relies on the Maglev Load Balancer developed by Google.

Although the previous load balancing approach via Cilium or kube-proxy ensures fail-safe communication in the cluster, it does not guarantee a consistent backend. The load balancer chooses a random path through the nodes and apparently makes sure that the traffic remains stable. If a node fails, the load balancer again chooses a new path at random. However, the load balancing node has no information about the originally selected backend and potentially selects a new one, which can mean that the communication between the client and the new backend has to start over.

If the load balancing node fails, Maglev tries to restore the connection to the original backend.

(Image: Cilium)

Maglev uses a hashing algorithm for a lookup table so that each load balancing node has a consistent view of the backends. In this way, if a node fails, a replacement can establish the connection to the original backend. The price for the more stable communication and improved resilience is a higher memory requirement for the lookup tables. Therefore, in addition to the new maglev Datapath for the eBPF Load Balancer (extended Berkeley Packet Filter) still the random – path
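The consistent view described above, as an added Python sketch that is not Cilium's code: it follows the lookup-table population scheme from Google's published Maglev design, with SHA-256 standing in for the hash functions. The table size, backend addresses and client flows are constructed for the example.

```python
import hashlib

M = 251  # lookup table size, must be prime (small constructed value for the demo)

def stable_hash(data, salt):
    # Python's built-in hash() is randomized per process, which would give
    # every load balancing node a different table; a fixed hash avoids that.
    return int.from_bytes(hashlib.sha256((salt + data).encode()).digest()[:8], "big")

def build_table(backends, m=M):
    """Populate a Maglev-style lookup table: slot index -> backend name."""
    names = sorted(set(backends))          # discovery order must not matter
    if not names:
        raise ValueError("no backends")
    offset = [stable_hash(b, "offset") % m for b in names]
    skip = [stable_hash(b, "skip") % (m - 1) + 1 for b in names]
    nxt = [0] * len(names)                 # position in each backend's permutation
    table = [None] * m
    filled = 0
    while True:
        for i, name in enumerate(names):   # backends take turns claiming one slot
            slot = (offset[i] + nxt[i] * skip[i]) % m
            while table[slot] is not None:  # preferred slot taken, try the next one
                nxt[i] += 1
                slot = (offset[i] + nxt[i] * skip[i]) % m
            table[slot] = name
            nxt[i] += 1
            filled += 1
            if filled == m:
                return table

def pick_backend(table, flow):
    """Map a flow 5-tuple to a backend using only the table and the flow hash."""
    return table[stable_hash("|".join(map(str, flow)), "flow") % len(table)]

# Constructed sample data: backend addresses and client flows are illustrative.
BACKENDS = ["10.0.1.10:8080", "10.0.1.11:8080", "10.0.2.10:8080", "10.0.2.11:8080"]
FLOWS = [("198.51.100.%d" % i, 40000 + i, "203.0.113.5", 443, "tcp") for i in range(1, 21)]

def failover_is_consistent(flows=FLOWS):
    node_a = build_table(BACKENDS)                  # original load balancing node
    node_b = build_table(list(reversed(BACKENDS)))  # replacement, different discovery order
    return all(pick_backend(node_a, f) == pick_backend(node_b, f) for f in flows)

if __name__ == "__main__":
    print("replacement node keeps every flow on its backend:", failover_is_consistent())
```

Because the replacement node derives the same table from the backend set alone, it needs no connection state from the failed node to send an existing flow to its original backend.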

You can’t get in here!

Another innovation is the Deny-based Network Policy, which overrides all other network policies. This allows administrators to completely block individual sources or targets and thus react, for example, to attacks from certain entities.

Cilium can refuse communication completely.

(Image: Cilium)

It is also worth mentioning that version 1.9 can now integrate workloads outside of a Kubernetes cluster. In this way, Cilium manages any number of nodes on physical servers or in the form of virtual machines. The release also improves the interaction with OpenShift, and the documentation now contains a special guide for installation on the Kubernetes distribution OpenShift OKD.

Cilium secures connections between containers

The open source tool Cilium offers secure network connections between containerized applications. It is compatible with the Container Networking Interface (CNI) and offers numerous additional functions, among other things for the implementation of policies as well as for services and load balancing. In August, Google announced a Dataplane V2 for the Kubernetes Engine (GKE) that relies on eBPF and Cilium.

Other new features in version 1.9 such as the mutual TLS authentication for the Hubble observability platform can be found on the Cilium blog.

(rme)

Read the full article at Heise.de
