github.com/imran-kn/cilium-fork@v1.6.9/Documentation/intro.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _intro:

######################
Introduction to Cilium
######################

What is Cilium?
===============

Cilium is open source software for transparently securing the network
connectivity between application services deployed using Linux container
management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called BPF, which
enables the dynamic insertion of powerful security visibility and control logic
within Linux itself.  Because BPF runs inside the Linux kernel, Cilium
security policies can be applied and updated without any changes to the
application code or container configuration.

Why Cilium?
===========

The development of modern datacenter applications has shifted to a
service-oriented architecture often referred to as *microservices*, wherein a
large application is split into small independent services that communicate
with each other via APIs using lightweight protocols like HTTP.  Microservices
applications tend to be highly dynamic, with individual containers getting
started or destroyed as the application scales out or in to adapt to load
changes and during rolling updates that are deployed as part of continuous
delivery.

This shift toward highly dynamic microservices presents both a challenge and an
opportunity for securing connectivity between microservices.  Traditional Linux
network security approaches (e.g., iptables) filter on IP address and TCP/UDP
ports, but IP addresses churn frequently in dynamic microservices environments.
The highly volatile life cycle of containers causes these approaches to struggle
to scale alongside the application: load balancing tables and access control
lists come to carry hundreds of thousands of rules that must be updated at an
ever-increasing frequency.  Protocol ports (e.g. TCP port 80 for HTTP traffic)
can no longer be used to differentiate between application traffic for security
purposes, as the same port carries a wide range of messages across services.

An additional challenge is providing accurate visibility: traditional systems
use IP addresses as the primary identification vehicle, yet in microservices
architectures an IP address may have a drastically reduced lifetime of just a
few seconds.

By leveraging Linux BPF, Cilium retains the ability to transparently insert
security visibility and enforcement, but does so in a way that is based on
service / pod / container identity (in contrast to the IP address
identification of traditional systems) and can filter at the application layer
(e.g. HTTP).  As a result, Cilium not only makes it simple to apply security
policies in a highly dynamic environment by decoupling security from
addressing, but can also provide stronger security isolation by operating at
the HTTP layer in addition to providing traditional Layer 3 and Layer 4
segmentation.

The use of BPF enables Cilium to achieve all of this in a way that is highly
scalable even for large-scale environments.
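
The following ``CiliumNetworkPolicy`` is an added example, not part of the
Cilium documentation or the project's own test fixtures, that shows what
"decoupling security from addressing" looks like in practice.  The namespace
and the ``app=frontend`` / ``app=backend`` labels are assumptions chosen for
the illustration.  The policy selects endpoints by label (their identity), not
by IP address, so pods can be rescheduled and receive new addresses without any
rule change, and it layers an HTTP-level rule on top of the Layer 3/4 port
match: only ``GET`` requests under ``/public/`` from frontend pods are
admitted to the backend on TCP port 80.

```yaml
# Added example (not from the Cilium docs): identity-based L3/L4 policy with
# an L7 HTTP rule.  Labels, namespace and paths are constructed for the example.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-public-get   # assumed name
  namespace: shop                           # assumed namespace
spec:
  # Identity of the protected workload: every pod carrying app=backend,
  # regardless of which IP address it currently holds.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    # Identity of the permitted source: pods labelled app=frontend.
    # New frontend replicas match automatically; no IP list to maintain.
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      # Layer 4 segmentation: only TCP/80 is reachable from the frontend.
      - port: "80"
        protocol: TCP
      rules:
        http:
        # Layer 7 segmentation: the shared HTTP port is narrowed to one
        # method and one path prefix (a regular expression).  Any other
        # request on port 80, e.g. POST or /admin, is rejected by the
        # HTTP proxy rather than passed through because "port 80 is open".
        - method: "GET"
          path: "/public/.*"
```

Because the policy selects ``app=backend`` endpoints and declares ingress
rules, ingress to those endpoints becomes default-deny for everything the rules
do not match; traffic from pods without the ``app=frontend`` label, or on ports
other than 80, is dropped, and non-matching HTTP requests on port 80 are
refused at the HTTP layer.  Contrast this with an iptables rule keyed on a
source address: every frontend restart that changes a pod IP would require that
rule to be rewritten.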

Functionality Overview
======================

.. include:: ../README.rst
     :start-after: begin-functionality-overview
     :end-before: end-functionality-overview