**Cilium** is an open source networking, security, and observability solution for Kubernetes that uses **eBPF** (extended Berkeley Packet Filter) to hook directly into the Linux kernel — bypassing iptables entirely and delivering significantly higher performance with lower latency than traditional approaches.

---

### First Principle: Network policy enforcement should happen at the kernel level, not in userspace proxies.

Traditional Kubernetes networking relies on kube-proxy and iptables for service routing, which don't scale well and add latency. Cilium replaces this with eBPF programs that run in the kernel — inspecting and manipulating packets at wire speed without userspace round-trips.

---

### Key Considerations

- **eBPF Data Plane**: Cilium attaches eBPF programs to network hooks in the kernel — forwarding packets, enforcing policy, collecting metrics, and performing load balancing all in kernel space.
- **Network Policy**: Implements Kubernetes NetworkPolicy plus Cilium-native policies that understand L7 (HTTP headers, gRPC methods, Kafka topics).
- **Hubble (Observability)**: Cilium ships with Hubble — a distributed networking observability platform providing deep visibility into network flows, integrating with [[Grafana]] and [[Prometheus]].
- **Kube-proxy Replacement**: Cilium can fully replace kube-proxy using eBPF for service load balancing, with lower latency and better scalability.
- **Encryption**: Supports transparent pod-to-pod encryption via WireGuard or IPsec without requiring a service mesh sidecar.
- **vs [[Open vSwitch (OVS)]]**: OVS is the right choice for VM-based clouds. Cilium is the right choice for pure container (Kubernetes) environments.
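To make the L7 point concrete, here is an added example (not from the original note or the Cilium project): a plain Kubernetes NetworkPolicy that can only say "frontend may reach api on TCP/80", beside a CiliumNetworkPolicy that additionally restricts which HTTP method and path are allowed on that port. The namespace, labels and paths are assumed for illustration; note that L7 rules are the one case where Cilium redirects the flow to its per-node Envoy proxy rather than deciding purely in the kernel.

```yaml
# Added example (not from the original note). Namespace "shop", labels
# app=frontend / app=api and the path "/public/.*" are assumed placeholders.
# 1. Standard Kubernetes NetworkPolicy: L3/L4 only. It can allow frontend -> api
#    on TCP/80, but says nothing about what is sent once the connection is open.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 80
---
# 2. CiliumNetworkPolicy: same L3/L4 scope plus an L7 HTTP rule. Matching flows are
#    redirected by the eBPF datapath to Cilium's Envoy proxy, which enforces method
#    and path; any other request on TCP/80 (e.g. a DELETE to /admin) is answered
#    with HTTP 403 and is visible in Hubble as a denied L7 flow.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/public/.*"
```

Apply the second manifest with `kubectl apply -f` on a cluster where Cilium is the CNI; the first manifest is enforced by Cilium as well, just without the HTTP-level check.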
---

### How It Fits

```
[[Kubernetes]] (container orchestration)
  → Cilium (eBPF networking + policy + observability)
    → Linux kernel eBPF hooks
      → Physical network ([[SONiC]] / [[FRRouting (FRR)]])
```

[[Kubernetes]] | [[Open vSwitch (OVS)]] | [[OVN]] | [[Prometheus]] | [[Grafana]] | [[Open Source Hyperscaler MoC]]