Cilium Service Mesh features eBPF-based connectivity, traffic management, security, and observability, supporting both sidecar and sidecar-less deployments.

Cilium has added a service mesh to the latest release of its open source network connectivity software, Cilium 1.12, as it looks to give developers more flexibility over how they control, monitor, and load balance their cloud-native applications. Despite all of their utility, service meshes are also notoriously complex to operate at enterprise scale, leading to something of an arms race to find the right balance between simplicity and performance, with existing solutions like Linkerd, Istio, Microsoft’s Open Service Mesh (OSM), and many others all vying for developers’ attention.

How is the Cilium service mesh different?

The Cilium Service Mesh has been built using native Kubernetes resources, and can be run without the need for a separate “sidecar” container for certain functionality like logging and auditing, while also complementing the popular existing sidecar-based method. It does this by combining the extended Berkeley Packet Filter (eBPF) technology, which enables developers to safely embed programs in any piece of software, including operating system kernels, with the popular Envoy service proxy.

“Cilium Service Mesh is all about choice,” Thomas Graf, the Cilium creator and Isovalent cofounder, said in a statement. “Enterprises want the ability to choose sidecars or sidecar-less, and they want a high-performance data plane powered by eBPF and Envoy that allows them to choose the best control plane for their use case.”

To sidecar, or not to sidecar, that is the question

With the Cilium 1.12 launch, Cilium is making the case that eBPF can be used to improve service performance by removing the inefficiencies created by a sidecar.
Whether and when to use a sidecar or not will come down to the specific needs of the user, but by providing both options in parallel, Cilium hopes to allow developers to make better decisions regarding these tradeoffs for themselves.

“Cilium’s argument is that eBPF can be used to improve performance, and I would expect other vendors to harness that technology accordingly,” Forrester analyst David Mooter said. However, while other vendors might start with the sidecar and augment that with capabilities enabled by eBPF, Cilium is betting on an eBPF-first approach. “If they can prove that eBPF can do this 100%, that would shake things up,” Mooter added.

What else is in Cilium 1.12?

In addition to the new service mesh, Cilium 1.12 also includes:

- A fully compliant Kubernetes Ingress controller, powered by Envoy and eBPF for security and visibility.
- ClusterMesh enhancements, to treat services running on multiple clusters as a single global service. With added service affinity, services can also be configured to prefer endpoints in the local or remote cluster.
- Egress Gateway and additional support for external workloads, to forward connections to external, legacy workloads through specific Gateway nodes, and masquerade them with predictable IP addresses to allow integration with legacy firewalls that require static IP addresses.
- Cilium Tetragon, to detect and respond to security-significant events, such as process execution events, system call activity, and I/O activity including network and file access.