Isovalent Cilium Enterprise 1.10: Timescape, Runtime Observability & Enforcement, Hubble RBAC

Oct 21, 2021Cilium

We are proud to announce Isovalent Cilium Enterprise 1.10. As you know, Isovalent Cilium Enterprise solves networking, security, and observability challenges in modern cloud native environments, and the 1.10 release comes with many new features in these spaces.

With this release we add four major new features: Timescape, Improved RBAC for Hubble, Additional Runtime Visibility & Enforcement, and Enhanced TCP & Network Metrics. Let’s take a look in more detail into what is currently happening in the world of Isovalent Cilium Enterprise and what the developers are working on. In this post we’ll give you an overview – look out for a deep dive on each of these features in future posts!

Hubble Timescape

hubble ui timescape

As more and more business critical workloads are deployed on Kubernetes, security analysts and cluster operators are challenged to filter and understand an ever growing number of events.

With this release of Isovalent Cilium Enterprise we are proud to introduce you to Hubble Timescape: an observability and analytics platform to store & query all the observability data that Cilium and Hubble are able to collect. This includes data such as network flows, syscalls, network policy violations, TLS events, alerts, audit events, and much more. Timescape then allows querying this historical data and gives us and our customers great flexibility to implement advanced analytics on top of billions of events at very low cost.

Part of Timescape is a CLI helping you filter the data for defined use cases like compliance: how about a query to quickly identify a weak TLS version? Or a weak TLS cipher? Or to get a list of all spawned shells in your cluster? Or a handy overview of all processes executed in containers long after the container itself was deployed? Expose pre-filtered and meaningful data to your SIEM, supporting it to become even more efficient.

Process Context for Syscall Visibility & Enforcement

Security teams need to observe applications and processes for sensitive system calls as part of threat detection – especially in cloud native environments. The ability to reveal and block such calls can help Security Teams to prevent malware from performing read or writes to sensitive files, sending or receiving data, mounting file systems, changing firewall rules and other critical operations.

process tree

However, monitoring and enforcement should happen without adding any performance penalty, and should provide Kubernetes Identity aware Information about the process and the particular system call.

By using eBPF, Isovalent Cilium Enterprise is able to efficiently trace generic events, attach a BPF hook to them and then observe and enforce all the system calls that Security Teams are interested in. It can directly collect and filter out the appropriate observability data on kernel level, enrich it with identity information and export it to userspace as JSON formatted security events.

Improved RBAC for Hubble

rbac improvements

Cloud native goes hand in hand with scale. Sooner or later this includes multiple tenants, teams and thus different degrees of rights and responsibilities. Here, security operators need to ensure that users of namespace A cannot see traffic and resources of namespace B. Kubernetes provides basic RBAC capabilities, but real world use cases quickly have more advanced needs.

With the 1.10 release we redesigned the architecture of RBAC in Isovalent Cilium Enterprise: users no longer need to be assigned one group for each Kubernetes namespace they should have access to. Instead, a more powerful policy mechanism based on roles and bindings was introduced.

Isovalent Cilium Enterprise leverages OpenID as a framework for implementing permissions and fine grained access. This is also integrated into the UI, allowing customers to expose the Hubble UI more openly without it being accessible to unauthorized users.

Zero-Overhead TCP & Network Metrics

tcp metrics

In the old days of pre-containerization, IP addresses tied directly back to an application and Netflow provided valuable insights into network activity for a given app. In cloud native, understanding which pods talk to which services and external entitities is essential to understanding network performance and security events.

With Isovalent Cilium Enterprise 1.10, we add enhanced TCP & Network Metrics collected with eBPF at the socket level. As this does not require any datapath processing, there is no additional network latency or other overhead when collecting the metrics. By combining TCP Metrics and deep process visibility, we can go beyond traditional approaches such as Netflow and identify which applications made connections to internal and external services along with the data transmitted and received. Isovalent Cilium Enterprise monitors sockets at each container in your cluster, giving you network identity and rich process visibility that includes the container, binary executed, and Kubernetes metadata for each network connection.

This data enables network and security observability per application so you can quickly identify the top talkers on your network as well as identify any suspicious connections made to or from your services.

Next steps

If you want to learn more about Isovalent Cilium Enterprise, the open source project Cilium or the underlying technology eBPF, you can get started here:

About Isovalent

Isovalent is the company founded by the creators of Cilium and eBPF. Isovalent builds open-source software and enterprise solutions solving networking, security, and observability needs for modern cloud native infrastructure. The flagship technology Cilium is the choice of leading global organizations including Adobe, AWS, Capital One, Datadog, GitLab, Google, and many more. Isovalent is headquartered in Mountain View, CA and is backed by Andreessen Horowitz, Google and Cisco Investments. To learn more, visit isovalent.com or follow @isovalent.

Author

Roland Wolters

Technical Marketing Manager Isovalent