github.com/zhyoulun/cilium@v1.6.12/Documentation/intro.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _intro:

######################
Introduction to Cilium
######################

What is Cilium?
===============

Cilium is open source software for transparently securing the network
connectivity between application services deployed using Linux container
management platforms like Docker and Kubernetes.

At the foundation of Cilium is a new Linux kernel technology called BPF, which
enables the dynamic insertion of powerful security visibility and control logic
within Linux itself. Because BPF runs inside the Linux kernel, Cilium
security policies can be applied and updated without any changes to the
application code or container configuration.

Why Cilium?
===========

The development of modern datacenter applications has shifted to a
service-oriented architecture often referred to as *microservices*, wherein a
large application is split into small independent services that communicate
with each other via APIs using lightweight protocols like HTTP. Microservices
applications tend to be highly dynamic, with individual containers being
started or destroyed as the application scales out or in to adapt to load
changes and during rolling updates that are deployed as part of continuous
delivery.

This shift toward highly dynamic microservices presents both a challenge and an
opportunity in terms of securing connectivity between microservices.
Traditional Linux network security approaches (e.g., iptables) filter on IP
address and TCP/UDP ports, but IP addresses frequently churn in dynamic
microservices environments. Because container life cycles are so volatile,
these approaches struggle to scale alongside the application: load balancing
tables and access control lists grow to hundreds of thousands of rules that
must be updated with ever-increasing frequency. Protocol ports (e.g. TCP port
80 for HTTP traffic) can no longer be used to differentiate application traffic
for security purposes, because the same port carries a wide range of messages
across services.

Providing accurate visibility is an additional challenge: traditional systems
use the IP address as the primary means of identification, yet in microservices
architectures an IP address may have a lifetime of just a few seconds.

By leveraging Linux BPF, Cilium retains the ability to transparently insert
security visibility and enforcement, but does so based on service, pod or
container identity (in contrast to the IP address identification of traditional
systems) and can also filter at the application layer (e.g. HTTP). As a result,
Cilium not only makes it simple to apply security policies in a highly dynamic
environment by decoupling security from addressing, but also provides stronger
security isolation by operating at the HTTP layer in addition to traditional
Layer 3 and Layer 4 segmentation.

The use of BPF enables Cilium to achieve all of this in a way that is highly
scalable even for large-scale environments.

Functionality Overview
======================

.. include:: ../README.rst
     :start-after: begin-functionality-overview
     :end-before: end-functionality-overview
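The identity-based, HTTP-aware model described under *Why Cilium?* above is
easiest to see in a concrete policy. The following ``CiliumNetworkPolicy`` is
an added example written for this page, not a file from the Cilium repository;
the label values (``app=frontend``, ``app=backend``), the namespace and the
``/api/v1/`` path are assumptions chosen for illustration. It selects both the
protected endpoints and the permitted sources by labels rather than IP
addresses, so it stays valid while pods are rescheduled, and it adds a Layer 7
rule on top of the Layer 3/4 segmentation so that only ``GET`` requests on the
chosen path are allowed even though every request arrives on TCP port 80.

```yaml
# Added example (not part of the Cilium repository): identity-based L3/L4
# policy with an L7 HTTP rule. Label values, namespace and path are assumed.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-http
  namespace: default
spec:
  description: "Allow only frontend pods to issue GET /api/v1/* to backend pods"
  # The endpoints this policy protects, chosen by identity (labels), not by IP.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # The permitted source is also selected by labels, so pod IP churn does not
  # require the rule to be rewritten.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # Layer 7 rule: once an HTTP rule is present on this port, requests from
      # the frontend that do not match it (for example a DELETE, or a GET to
      # /admin) are denied, even though they use the same allowed port.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
```

Apply it with ``kubectl apply -f`` in a cluster running Cilium. Compare this
with the iptables equivalent, which would have to be expressed as something
like ``-s <frontend pod IP> -p tcp --dport 80 -j ACCEPT``: that rule must be
rewritten every time the frontend pod is rescheduled to a new address, and it
cannot distinguish a ``GET`` on ``/api/v1/`` from any other HTTP request on
port 80. Note that requests not matching an ``http`` rule are rejected at the
HTTP layer rather than dropped at the packet level, which is the price of
parsing the protocol: the L7 rule buys finer isolation, but connections on
that port now pass through Cilium's proxy.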