github.com/cilium/cilium@v1.16.2/Documentation/network/kubernetes/intro.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _k8s_intro:

************
Introduction
************

What does Cilium provide in your Kubernetes Cluster?
====================================================

The following functionality is provided as you run Cilium in your Kubernetes
cluster:

* :term:`CNI` plugin support to provide pod_connectivity_ with
  `multi_host_networking`.
* Identity-based implementation of the `NetworkPolicy` resource to isolate
  :term:`pod<Pod>`-to-pod connectivity on Layers 3 and 4.
* An extension to NetworkPolicy in the form of a :term:`CustomResourceDefinition`
  which extends policy control to add:

  * Layer 7 policy enforcement on ingress and egress for the following
    application protocols:

    * HTTP
    * Kafka

  * Egress support for CIDRs to secure access to external services.
  * Enforcement towards external headless services, automatically restricting
    traffic to the set of Kubernetes endpoints configured for the service.

* ClusterIP implementation to provide distributed load-balancing for pod-to-pod
  traffic.
* Full compatibility with the existing kube-proxy model.

.. admonition:: Video
   :class: attention

   If you'd like to learn more about Kubernetes networking and Cilium, check out `eCHO episode 99: Explain Kubernetes Networking and Cilium to Network Engineers <https://www.youtube.com/watch?v=kMPKzb_kW68>`__.

.. _pod_connectivity:

Pod-to-Pod Connectivity
=======================

In Kubernetes, containers are deployed within units referred to as :term:`Pods<Pod>`, which
include one or more containers reachable via a single IP address.
With Cilium,
each Pod gets an IP address from the node prefix of the Linux node running the
Pod. See :ref:`address_management` for additional details. In the absence of any
network security policies, all Pods can reach each other.

Pod IP addresses are typically local to the Kubernetes cluster. If pods need to
reach services outside the cluster as a client, the network traffic is
automatically masqueraded as it leaves the node.

Service Load-balancing
======================

Kubernetes provides the Services abstraction, which lets users load-balance
network traffic across a set of pods. This abstraction lets a pod reach other
pods through a single virtual IP address, without knowing which pods are
currently backing that particular service.

Without Cilium, kube-proxy is installed on every node; it watches the
kube-master for the addition and removal of services and endpoints and programs
the corresponding iptables rules. As a result, traffic sent to and received
from the pods is routed to the node and port serving that service. For more
information, see the Kubernetes user guide for
`Services <https://kubernetes.io/docs/concepts/services-networking/service/>`_.

When implementing ClusterIP, Cilium follows the same principle as kube-proxy:
it watches for the addition and removal of services, but instead of programming
iptables rules it updates eBPF map entries on each node. For more information,
see the `Pull Request <https://github.com/cilium/cilium/pull/109>`__.
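The policy extensions listed in the introduction above (Layer 7 HTTP and Kafka rules, CIDR egress, and enforcement towards headless services) combined in a single CiliumNetworkPolicy, as an added example that is not part of this page or of the Cilium project's own documentation. The namespace, pod labels, ports, CIDR range and service name are constructed values.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy          # constructed name
  namespace: demo           # constructed namespace
spec:
  # Policy applies to pods labelled app=api (constructed label).
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    # L3/L4 + L7: only app=frontend pods may connect, only on TCP/8080,
    # and only with GET requests whose path matches the regex /v1/.*
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/v1/.*"
  egress:
    # Egress to an external CIDR (constructed, TEST-NET-3) on TCP/443 only.
    - toCIDR:
        - 203.0.113.0/24
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # Egress to a headless service: Cilium tracks the service's endpoint set
    # and restricts egress to exactly those addresses.
    - toServices:
        - k8sService:
            serviceName: orders-db   # constructed service name
            namespace: demo
    # Kafka L7 rule: allow producing only to the "orders" topic on broker pods.
    - toEndpoints:
        - matchLabels:
            app: kafka
      toPorts:
        - ports:
            - port: "9092"
              protocol: TCP
          rules:
            kafka:
              - role: "produce"
                topic: "orders"
```

Because the policy carries an egress section, every egress flow not listed there, including DNS lookups to kube-dns, is denied for the selected pods; add a rule allowing UDP/53 to kube-dns if the pods need name resolution.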

Further Reading
===============

The Kubernetes documentation contains more background on the `Kubernetes
Networking Model
<https://kubernetes.io/docs/concepts/cluster-administration/networking/>`_ and
`Kubernetes Network Plugins
<https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/>`_.