Cilium 0.9: eBPF Networking Matures for Kubernetes

K8s Guru

Introduction

On December 14, 2017, the Cilium team announced Cilium 0.9, the final milestone before 1.0. Built on the Linux kernel’s extended Berkeley Packet Filter (eBPF) technology, Cilium offers identity-aware networking and observability for Kubernetes workloads without iptables bottlenecks. Version 0.9 refined core features—making it feasible to run Cilium in production proofs-of-concept ahead of the 1.0 GA.


Release Highlights

  • Stable eBPF Datapath: 0.9 hardens the eBPF-based L3/L4 routing pipeline with faster policy compilation, incremental updates and IPv6 dual-stack support.
  • Layer 7 Policy Enforcement: HTTP-aware policies graduate from beta, allowing admins to restrict traffic by method, path and header (e.g., allow GET /healthz only).
  • Kube-Proxy Replacement (beta): Native services implementation via eBPF removes kube-proxy dependency, reducing latency and improving scalability.
  • Transparent Encryption Preview: Integrates IPsec-based pod encryption without overlay tunnels, keeping eBPF datapaths intact.
  • Prometheus & Metrics: New /metrics endpoint exposes policy verdicts, flow drops and connection tracking stats for observability stacks.

Deploying Cilium 0.9 on Kubernetes

  1. Run a Linux kernel with eBPF support (4.9+ recommended) and mount the BPF filesystem:

    sudo mount bpffs /sys/fs/bpf -t bpf
    
  2. Apply the release manifest tuned for kubeadm clusters:

    kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/v0.9/install/kubernetes/daemonset.yaml
    
  3. Label nodes that need encryption or host firewall rules, then set policy enforcement to default-deny and incrementally add rules.

  4. Monitor cilium-agent logs and cilium status output to confirm BPF maps, health checks and service load-balancers are active.
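Steps 1 and 2 assume the node already satisfies the kernel prerequisites (a 4.9+ kernel with CONFIG_BPF enabled, see Operational Considerations, and bpffs mounted at /sys/fs/bpf). The following pre-flight checker is an added example, not part of the Cilium project or the original post; it parses the strings a node exposes (`uname -r`, /proc/mounts, the kernel .config) so the checks can be exercised offline on constructed samples. The function and constant names are this example's own, and CONFIG_BPF_SYSCALL is assumed here as a second option worth requiring alongside CONFIG_BPF.

```python
import re
from typing import List, Tuple

# Thresholds from the page: the post recommends a 4.9+ kernel and CONFIG_BPF.
# CONFIG_BPF_SYSCALL is added here as an assumption: without the bpf() syscall
# user space (cilium-agent) cannot load programs at all.
MIN_KERNEL: Tuple[int, int] = (4, 9)
REQUIRED_CONFIG = ("CONFIG_BPF", "CONFIG_BPF_SYSCALL")
BPFFS_MOUNTPOINT = "/sys/fs/bpf"


def parse_kernel_release(release: str) -> Tuple[int, int]:
    """Turn a `uname -r` string such as '4.9.0-8-amd64' into (major, minor)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)))


def kernel_supported(release: str, minimum: Tuple[int, int] = MIN_KERNEL) -> bool:
    return parse_kernel_release(release) >= minimum


def bpffs_mounted(proc_mounts: str, mountpoint: str = BPFFS_MOUNTPOINT) -> bool:
    """Scan /proc/mounts text for a filesystem of type 'bpf' at the mountpoint.

    Each /proc/mounts line is: <source> <mountpoint> <fstype> <options> <dump> <pass>.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == mountpoint and fields[2] == "bpf":
            return True
    return False


def missing_kernel_options(config_text: str, required=REQUIRED_CONFIG) -> List[str]:
    """Return the required CONFIG_* options that are not built in (y) or modules (m).

    Accepts the text of /boot/config-$(uname -r) or a decompressed /proc/config.gz;
    '# CONFIG_X is not set' lines are comments and therefore count as missing.
    """
    enabled = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value in ("y", "m"):
            enabled.add(key)
    return [opt for opt in required if opt not in enabled]


def preflight(release: str, proc_mounts: str, config_text: str) -> List[str]:
    """Return the list of problems found; an empty list means the node is ready for step 2."""
    problems = []
    if not kernel_supported(release):
        problems.append(f"kernel {release} is older than {MIN_KERNEL[0]}.{MIN_KERNEL[1]}")
    if not bpffs_mounted(proc_mounts):
        problems.append(f"bpffs not mounted: run 'sudo mount bpffs {BPFFS_MOUNTPOINT} -t bpf'")
    for opt in missing_kernel_options(config_text):
        problems.append(f"kernel built without {opt}")
    return problems


# Constructed samples: one node that passes every check and one that fails all three.
GOOD_NODE = (
    "4.9.0-8-amd64",
    "sysfs /sys sysfs rw,nosuid 0 0\nbpffs /sys/fs/bpf bpf rw,relatime 0 0\n",
    "CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n",
)
BAD_NODE = (
    "3.10.0-1160.el7.x86_64",
    "sysfs /sys sysfs rw,nosuid 0 0\n",
    "CONFIG_BPF=y\n# CONFIG_BPF_SYSCALL is not set\n",
)

if __name__ == "__main__":
    for label, node in (("good node", GOOD_NODE), ("bad node", BAD_NODE)):
        print(label, "->", preflight(*node) or ["ready for Cilium"])
```

On a live node the same functions take `platform.release()`, the contents of /proc/mounts and the kernel config file; they are kept pure (string in, verdict out) so the checks can be unit-tested and reused in a DaemonSet init container.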


Sample CiliumNetworkPolicy

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-api
spec:
  endpointSelector:
    matchLabels:
      app: payments
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: checkout
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/charge"

This policy allows only POST requests from the checkout service to the payments API—something traditional NetworkPolicy cannot express.
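To make the layered semantics of that policy concrete, here is a small evaluator, added as an example and not Cilium's own policy engine, that applies the page's CiliumNetworkPolicy (transcribed into a Python dict) to synthetic requests. It models the three layers in the order Cilium applies them: the endpointSelector decides whether the policy applies to the destination at all, fromEndpoints matches the sender's identity labels (L3), toPorts matches port and protocol (L4), and the http rules are checked by the proxy (L7). It follows the Cilium API documentation in treating method and path as anchored regular expressions; the `default_deny` flag is this example's simplification of the enforcement-mode choice mentioned in step 3 above, and the Request class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The page's CiliumNetworkPolicy, transcribed so the evaluator needs no YAML parser.
PAYMENTS_POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "payments-api"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "payments"}},
        "ingress": [
            {
                "fromEndpoints": [{"matchLabels": {"app": "checkout"}}],
                "toPorts": [
                    {
                        "ports": [{"port": "8080", "protocol": "TCP"}],
                        "rules": {"http": [{"method": "POST", "path": "/v1/charge"}]},
                    }
                ],
            }
        ],
    },
}


@dataclass
class Request:
    src_labels: dict            # labels behind the sender's security identity
    dst_labels: dict            # labels of the receiving endpoint
    port: int
    protocol: str               # "TCP" or "UDP"
    method: Optional[str] = None  # set only when the proxy could parse HTTP
    path: Optional[str] = None


def _labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _l4_match(port_rule: dict, req: Request) -> bool:
    proto = port_rule.get("protocol", "ANY")
    return int(port_rule["port"]) == req.port and proto in (req.protocol, "ANY")


def _l7_allows(http_rules: List[dict], req: Request) -> bool:
    """Method and path are anchored regexes (fullmatch); non-HTTP traffic on an L7 port is rejected."""
    if req.method is None or req.path is None:
        return False
    for rule in http_rules:
        method_ok = "method" not in rule or re.fullmatch(rule["method"], req.method)
        path_ok = "path" not in rule or re.fullmatch(rule["path"], req.path)
        if method_ok and path_ok:
            return True
    return False


def evaluate(policy: dict, req: Request, default_deny: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason) for one ingress request under a single policy."""
    spec = policy["spec"]
    if not _labels_match(spec["endpointSelector"], req.dst_labels):
        # No policy selects the destination: the outcome is the enforcement mode,
        # which the page recommends setting to default-deny.
        if default_deny:
            return ("DENY", "endpoint not selected by any policy; default-deny enforcement")
        return ("ALLOW", "endpoint not selected by any policy; no enforcement")

    l7_rules: List[dict] = []   # union of http rules from every L3+L4 match on this port
    for rule in spec.get("ingress", []):
        if not any(_labels_match(sel, req.src_labels) for sel in rule.get("fromEndpoints", [])):
            continue                                  # L3: sender identity not permitted
        to_ports = rule.get("toPorts")
        if not to_ports:
            return ("ALLOW", "L3 match, rule permits all ports")
        for tp in to_ports:
            if not any(_l4_match(p, req) for p in tp["ports"]):
                continue                              # L4: wrong port or protocol
            http_rules = tp.get("rules", {}).get("http")
            if not http_rules:
                return ("ALLOW", "L3+L4 match, no L7 restriction")
            l7_rules.extend(http_rules)

    if l7_rules:
        if _l7_allows(l7_rules, req):
            return ("ALLOW", "L3+L4 match and HTTP request matches an L7 rule")
        return ("DENY", "L3+L4 match but HTTP request rejected by the L7 proxy")
    return ("DENY", "endpoint selected but no ingress rule matched")


if __name__ == "__main__":
    checkout, payments = {"app": "checkout"}, {"app": "payments"}
    for req in (
        Request(checkout, payments, 8080, "TCP", "POST", "/v1/charge"),   # the intended call
        Request(checkout, payments, 8080, "TCP", "GET", "/v1/charge"),    # wrong method
        Request({"app": "frontend"}, payments, 8080, "TCP", "POST", "/v1/charge"),  # wrong peer
        Request(checkout, payments, 9090, "TCP", "POST", "/v1/charge"),   # wrong port
    ):
        print(req.src_labels, req.method, req.path, "->", evaluate(PAYMENTS_POLICY, req))
```

The last two branches are the ones a plain Kubernetes NetworkPolicy cannot reproduce: once a port carries http rules, every flow on it is diverted to the proxy, so a GET to the same path, or a POST to `/v1/charge/extra`, is refused even though the L3 and L4 checks passed.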


Operational Considerations

  • Ensure kernel support for CONFIG_BPF and related features; managed clouds (GKE, EKS) may need dedicated node images.
  • Use cilium monitor and cilium hubble (tech preview) to inspect flows and debug policy decisions.
  • Integrate with identity providers by labeling pods with io.cilium.k8s.policy.serviceaccount for fine-grained policy contexts.
  • When enabling kube-proxy replacement, drain nodes gradually to avoid service disruption; fall back to kube-proxy via ConfigMap toggle if needed.

Looking Ahead

The roadmap to Cilium 1.0 (targeted for early 2018) focuses on:

  • High Availability of the key-value store (etcd v3) backing security identities.
  • CLI/UX improvements including cilium status --verbose machine-readable output.
  • Enhanced visibility via Hubble collector and Grafana dashboards.
  • Expanded Layer 7 support for Kafka and gRPC-aware policies.

Cilium 0.9 established eBPF networking as a practical option for Kubernetes, combining performance, policy depth and observability in one CNI.


Summary

Aspect | Details
Release Date | December 14, 2017
Key Innovations | Hardened eBPF datapath, L7 policy GA, kube-proxy replacement preview, encryption
Significance | Positioned Cilium for 1.0 GA and showcased eBPF as the future of Kubernetes networking