Cilium

eBPF-based networking, observability, and security for Kubernetes

Cilium delivers high-performance networking, deep observability, and identity-based security for cloud-native workloads using eBPF technology to replace traditional kernel networking components.

Overview

Modern Cloud-Native Networking

Cilium is a CNCF graduated project that provides networking, observability, and security for Kubernetes environments through an eBPF-based dataplane. It offers a flat Layer 3 network capable of spanning multiple clusters via native routing or overlay modes, with L7-protocol awareness and identity-based security policies decoupled from network addressing.

Capabilities and Architecture

Built on eBPF—a Linux kernel technology that dynamically inserts bytecode at network IO, socket, and tracepoint integration points—Cilium delivers efficient, flexible infrastructure logic. It implements distributed load balancing using eBPF hash tables for near-unlimited scale, fully replacing kube-proxy. Advanced features include integrated ingress/egress gateways, bandwidth management, service mesh capabilities, and comprehensive network visibility.

Deployment Options

Cilium supports overlay networking (VXLAN/Geneve), native routing with cloud router integration, and flexible routing via L2 neighbor discovery or BGP. Load balancing operates at both east-west (socket-level connection rewriting) and north-south (XDP, L4 with DSR and Maglev hashing) layers. The project maintains three stable minor releases, distributes AMD64 and AArch64 images, and includes SBOM artifacts starting from version 1.13.0.

Highlights

  • eBPF-based dataplane for high-performance networking without kernel module dependencies
  • Identity-based L3-L7 security policies independent of network addressing
  • Distributed load balancing with kube-proxy replacement and XDP acceleration
  • Multi-cluster networking with native routing, overlay, and BGP support

Pros

  • Highly efficient eBPF implementation enables near-unlimited scale with low latency
  • CNCF graduated project with active community and three maintained stable releases
  • Comprehensive feature set covering networking, security, observability, and service mesh
  • Flexible deployment modes work with existing infrastructure (overlay, native routing, BGP)

Considerations

  • Requires modern Linux kernel with eBPF support, limiting compatibility with older systems
  • Complexity increases with advanced features like multi-cluster and service mesh configurations
  • Learning curve for teams unfamiliar with eBPF concepts and identity-based security models
  • Resource overhead may be higher than simpler CNI plugins for basic use cases

Managed products teams compare with

When teams consider Cilium, these hosted platforms usually appear on the same shortlist.

Datadog

Observability platform for metrics, logs, and traces

Dynatrace

All‑in‑one observability with AI‑assisted root cause

New Relic

Application performance monitoring platform for tracking application health, performance, and user experience

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Kubernetes clusters requiring high-performance networking and advanced load balancing
  • Organizations needing L7-aware security policies and deep network observability
  • Multi-cluster deployments spanning cloud providers or on-premises infrastructure
  • Teams replacing kube-proxy for improved scalability and reduced per-packet overhead

Not ideal when

  • Environments running legacy Linux kernels without eBPF support
  • Simple single-cluster setups where basic CNI functionality suffices
  • Teams lacking expertise to manage and troubleshoot eBPF-based networking
  • Resource-constrained edge deployments where minimal overhead is critical

How teams use it

Kubernetes CNI with kube-proxy Replacement

Achieve scalable, low-latency service networking using socket-level load balancing and efficient eBPF hash tables instead of traditional per-packet NAT.

Multi-Cluster Networking

Span flat Layer 3 networks across multiple Kubernetes clusters using native routing or overlay modes with automated route learning via BGP or L2 discovery.

Identity-Based Security Enforcement

Implement L3-L7 network policies based on workload identity rather than IP addresses, enabling portable security rules across dynamic cloud environments.

High-Throughput Ingress Gateway

Handle north-south traffic at scale using XDP acceleration, L4 load balancing with Direct Server Return, and Maglev consistent hashing for external service access.

Tech snapshot

  • Go: 88%
  • C: 10%
  • Shell: 1%
  • Makefile: 1%
  • Python: 1%
  • Dockerfile: 1%

Tags

observability, kubernetes, containers, networking, cncf, ebpf, loadbalancing, kernel, k8s, bpf, kubernetes-networking, cni, monitoring, troubleshooting, xdp, security

Frequently asked questions

What Linux kernel versions does Cilium require?

Cilium requires a modern Linux kernel with eBPF support. Specific version requirements depend on the features enabled; consult the official documentation for detailed compatibility matrices.

Can Cilium replace kube-proxy entirely?

Yes, Cilium can fully replace kube-proxy by implementing distributed load balancing at the socket level using eBPF, eliminating per-packet NAT overhead and enabling better scalability.

What deployment modes does Cilium support?

Cilium supports overlay networking (VXLAN/Geneve), native routing with cloud provider integration, and flexible routing using L2 neighbor discovery or BGP for layer 3 boundaries.

How does identity-based security differ from traditional network policies?

Identity-based security enforces policies based on workload identity rather than IP addresses, so rules remain valid as pods move or scale across the cluster and do not need to be rewritten when addresses change.

Which architectures are supported?

Cilium distributes container images for both AMD64 and AArch64 architectures, with Software Bill of Materials (SBOM) included starting from version 1.13.0.

Project at a glance

  • Status: Active
  • Stars: 23,919
  • Watchers: 23,919
  • Forks: 3,639
  • License: Apache-2.0
  • Repo age: 10 years old
  • Last commit: 13 hours ago
  • Self-hosting: Supported
  • Primary language: Go

Last synced 5 hours ago