Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.
This shift toward highly dynamic microservices presents both a challenge and an opportunity in terms of securing connectivity between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments.
An additional challenge is the ability to provide accurate visibility as traditional systems are using IP addresses as primary identification vehicle which may have a drastically reduced lifetime of just a few seconds in microservices architectures.
Cilium retains the ability to transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems
Overlay networking: encapsulation-based virtual network spanning all hosts with support for VXLAN and Geneve. It works on almost any network infrastructure as the only requirement is IP connectivity between hosts which is typically already given.
Native routing mode: Use of the regular routing table of the Linux host. The network is required to be capable of routing the IP addresses of the application containers. It integrates with cloud routers, routing daemons, and IPv6-native infrastructure.
Flexible routing options: Cilium can automate route learning and advertisement in common topologies such as using L2 neighbor discovery when nodes share a layer 2 domain, or BGP when routing across layer 3 boundaries.
Cilium Cluster Mesh enables secure, seamless connectivity across multiple Kubernetes clusters.
