VMblog Expert Interview with Shedrack Akintayo, Cilium and eBPF Community Manager at Isovalent


Cilium has emerged as one of the most popular open source projects in cloud native infrastructure, joining the likes of Kubernetes and OpenTelemetry at the very top of the "hot" list. VMblog's expert interview welcomes Cilium developer advocate Shedrack Akintayo, who shares some perspectives on the rise of the project that recently became the CNCF's first graduated project in the Cloud Native Networking category.

VMblog:  There is a tremendous amount of excitement around the Cilium project for cloud native platform engineering. How has Cilium extended the power of eBPF, and why was this a right-time, right-place technology that has taken off to such a degree?

Shedrack Akintayo:  In 2014, the Linux networking ecosystem experienced a wave of innovation that reshaped it. During this period, the ecosystem was focused on building various networking protocols and models including software-defined networking. At the same time, Kubernetes made its first commit and containerization was taking off. With these new improvements in the ecosystem, the pre-existing Linux networking, observability, and security tools became unable to keep up with the dynamic needs of containerised and orchestrated applications. 

eBPF had also just been merged into the Linux kernel, bringing programmability and flexibility to this decades-old technology. Some of the key architects behind the revolutionary technology wanted to bring the power of eBPF to end users, leading to the creation of the Cilium project. The main goal for Cilium was to introduce a new networking layer that was programmable, scalable, and secure by default to keep up with the needs of IT infrastructure.

The initial implementation of Cilium was as an eBPF-based Container Networking Interface (CNI) to provide connectivity for container workloads. As the cloud native ecosystem grew, Cilium's use cases evolved, expanding to include a myriad of capabilities like service mesh, BGP, network encryption, etc. Each new capability added was a testament to Cilium's evolving nature, constantly adapting to meet the complex demands and challenges that cloud native networking, observability, and security presented.

Cilium's evolution is a great example of innovation spurred by necessity and an evolving journey towards creating a platform that meets the requirements of the cloud native world.

VMblog:  What are the classes of cloud native use cases and problems that Cilium is taming? Tell VMblog readers more about the environments and specific needs that Cilium addresses.

Akintayo:  Transitioning from legacy systems to cloud native introduces all kinds of challenges:  securing customer data, maintaining high performance, keeping up with customer demands and scale, and avoiding outages and degradation of customer service. Cilium provides a single connectivity layer where it's possible to address all of these types of "day 2" problems for Kubernetes and cloud native in a network platform layer.

As enterprise cloud native environments grow, the network becomes the natural place for these problems to be solved. For example, Cilium offers a high-performance layer 4 load balancer designed to efficiently handle the networking demands of high traffic environments. Cilium's kube-proxy replacement can also provide enhanced networking speed and scalability for enterprises building on Kubernetes. These are some of the features of Cilium helping ensure that as the enterprise grows, the networking solutions evolve equally.

Enterprises seeking to optimize their Kubernetes deployments for high-performance networking can reap significant benefits from adopting Cilium. Cilium's unique architecture enables it to operate directly within the Linux kernel, resulting in substantial performance improvements. This translates into faster application response times, reduced delays for data-intensive workloads, enhanced throughput for high-bandwidth applications, and support for larger-scale deployments. 

VMblog:  Who are some major eBPF users, and what are their use cases?

Akintayo:  Major organizations and projects such as Meta, Netflix, and Google use eBPF across their organization for its ability to enhance system performance, give granular observability, and provide better security. Additionally, its wide adoption and contributions from various organizations underline its importance and the pivotal role it plays in modern technology solutions.

There are many other examples. Meltwater, a global media intelligence company, uses Cilium as the default container network interface across all of their Kubernetes clusters, for better performance and network visibility. Trendyol, a leading e-commerce platform in Turkey, is another interesting use case. They are managing three to five thousand nodes within a single cluster and use Cilium as their CNI - and they've cited a 40 per cent increase in network performance.

VMblog:  Tell us about the intersection of networking and security, and how Cilium's control of the network fabric translates into new security frontiers.

Akintayo:  In a microservices-based system, observability is the key to discovering the intricacies of network operations and debugging when things go wrong. Cilium provides in-depth observability with Hubble, paving the way for a clear understanding of network traffic. This, in turn, simplifies troubleshooting and performance optimization, acting as a catalyst in diagnosing and resolving network-related issues.

By harnessing the power of eBPF, Cilium also enables the dynamic insertion of powerful security visibility and controls that weren't previously possible. Kubernetes provides limited default security and observability resources, and ships without a dedicated runtime security model. In this absence of a standard open source runtime security platform, early Kubernetes adopters have been forced to use proprietary security agents that come with major compute and memory performance overhead and cloud costs, while also failing to capture the lower-level, runtime security data emitted closest to the kernel.

Cilium recently launched Tetragon, which is an eBPF-based security observability and runtime enforcement platform designed to give security and operations teams richer telemetry data for runtime security, while eliminating the performance overhead of traditional security agents. Tetragon is built around eBPF and uses in-kernel filtering and aggregation logic, providing deep visibility without traditional agents or application changes. It gives platform and security teams a powerful observability layer that can introspect the entire system ranging from low-level kernel visibility to track file accesses, network activity, or capability changes, all the way up into the application layers covering aspects such as function calls into vulnerable libraries, tracing process execution, or understanding HTTP requests made.
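As an added illustration of the in-kernel filtering described above (this is an example written for this article, not a policy taken from the Tetragon project or from the interviewee), the following Tetragon TracingPolicy attaches to the kernel's file permission check and only emits events for write attempts under a chosen directory, so the filtering happens in eBPF before any event reaches user space. The policy name and the `/etc/` prefix are constructed values for the example.

```yaml
# Constructed example: a Tetragon TracingPolicy that reports writes under /etc/.
# The hook is the kernel function security_file_permission (not a syscall), so
# the eBPF program sees the resolved file path rather than a user-supplied string.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "etc-write-monitoring"   # constructed name for this example
spec:
  kprobes:
  - call: "security_file_permission"
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"   # struct file *, used by Tetragon to resolve the path
    - index: 1
      type: "int"    # access mask: 0x02 is MAY_WRITE, 0x04 is MAY_READ
    returnArg:
      index: 0
      type: "int"    # 0 on success, negative errno on denial
    returnArgAction: "Post"
    selectors:
    # Both matchArgs entries must hold: events are filtered in the kernel,
    # so reads and writes outside /etc/ never generate an event at all.
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/"    # constructed path prefix for this example
      - index: 1
        operator: "Equal"
        values:
        - "2"        # MAY_WRITE
```

Applied with `kubectl apply -f`, the resulting events carry the process, binary and path, which is the kind of low-level runtime telemetry the answer above contrasts with user-space agents.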

Published Thursday, January 18, 2024 7:35 AM by David Marshall