Cilium - Kernel Native Security with BPF and XDP for Containers
Submitted by Shantanu Deshpande (@shantanudeshpande) on Friday, 16 March 2018
Section: Full talk. Technical level: Intermediate.
As good as the affair between containers and microservices has been so far, security has always been a concern. But security hasn't evolved along with containers, has it? Enter Cilium, which leverages BPF for securing network connectivity between application services deployed with containers.
Cilium is an open source project which can be used for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At its heart, Cilium uses a new Linux kernel technology called BPF. By leveraging Linux BPF, Cilium retains the ability to transparently insert security visibility and enforcement, but does so in a way that is based on service, pod or container identity (in contrast to the IP address identification of traditional systems) and can also filter at the application layer (e.g. HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment by decoupling security from addressing, but can also provide stronger security isolation by operating at the HTTP layer in addition to providing traditional Layer 3 and Layer 4 segmentation.
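As an added illustration (not taken from the talk or from the Cilium project's own documentation), a CiliumNetworkPolicy that expresses the layering described above in one object: endpoints are selected by label rather than IP, and the L3 and L4 rule is narrowed further by an L7 HTTP rule. The label names app=frontend and app=backend and the URL paths are assumptions for the example.

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-http
spec:
  # Identity-based selection: the policy applies to every endpoint (pod or
  # container) carrying app=backend, whatever node it lands on and whatever
  # IP it is assigned. No address appears anywhere in the policy.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    # Layer 3: only endpoints whose identity includes app=frontend may
    # reach the backend at all; traffic from any other identity is dropped.
    - matchLabels:
        app: frontend
    toPorts:
    # Layer 4: and only on TCP/80.
    - ports:
      - port: "80"
        protocol: TCP
      # Layer 7: of the HTTP requests arriving on that port, only these
      # method/path combinations are forwarded. Anything else from an
      # otherwise allowed frontend (a DELETE, or a POST to a path not listed)
      # is answered with HTTP 403 by Cilium's proxy instead of being silently
      # dropped, which is what makes the denial visible at the application layer.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
        - method: "POST"
          path: "/api/v1/orders"
```

Because the policy never mentions an IP, rescheduling or scaling the frontend changes nothing about what is enforced; a pod that merely obtains a frontend's old IP does not inherit its access.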
A curious DevOps maniac with deep interests in Linux, containers, virtualization, Cloud, Machine Learning, DL, AI. Meetup organizer at Rancher Pune, India. Docker Mentor. A Pink Floydist, and a Platonist. Contributor to the Cilium project.