Focus on the user and all else will follow.
This tenet stands as the cornerstone of Google’s philosophy and indeed, it should hold the primary position for all of us in the tech industry. I will admit that I sometimes get distracted by shiny new features, impressive performance outcomes or compelling use cases. Given that my role is to teach others about Cilium, user empathy should instead be my primary concern.
So help me – who are you, dear Cilium user? How did you even end up here, reading this post?
Were you introduced to Cilium because your company follows a Cloud Native-centric approach to application deployment and leverages the numerous managed services that default to Cilium as the Kubernetes Container Network Interface (CNI)?
Did you start using Cilium because it addressed a particular security imperative, such as enforcing mutual authentication between microservices or securing transit traffic through encryption?
Or are you just here because you like our bees?
While delving into the demographics of actual Cilium users, we found that attempting to encapsulate our user base within a single persona would be inadequate.
The reasons why you might start using Cilium are manifold, but we tried to narrow the types of Cilium users down to five distinct personae.
For each of these categories, we’ve created a Learning Path that lets you build up your knowledge of Cilium by taking a series of labs that are not only adapted to your background but also arranged in a logical order.
In addition, many of the labs include a final exam. When you pass it, you will receive a badge you can share on social media. So far this year, thousands of badges have been awarded, with the Getting Started with Cilium, Cilium Ingress Controller and Cilium Network Policies badges leading the charts.
Here are some of the badges you might receive on completion of a lab:
Whether you are a newcomer to Cilium or already comfortable with the cloud native platform, we hope you find the Learning Paths useful.
Let’s review each role, starting with the Cloud Network Engineer.
Cloud Network Engineer Track
I’ll start with the one I identify with the most: the Cloud Network Engineer.
Many network engineers are evolving their skillset from traditional hardware-based routing to cloud networking.
Cloud networking is a broad category that would include virtual private cloud (VPC) networking, connectivity between VPCs, multi-cloud and transit gateway networking, network automation and NetDevOps practices. It would also include Kubernetes networking such as CNI, Ingress/Gateway API and Service Mesh tools, and connecting Kubernetes clusters to traditional networks using BGP or Egress Gateway.
It’s very likely that Cloud Network Engineers will start using Cilium along their journey to becoming cloud native networking experts.
With this track, you’ll start by learning about Network Policies in Kubernetes and how Cilium provides advanced Layer 7 enforcement. You will then learn how to use BGP and Egress Gateway to connect your Kubernetes cluster to the rest of your network. You will also learn how Cilium can now assign IP addresses to your Kubernetes Services and advertise them locally over Layer 2 (sparing you the need to install a tool such as MetalLB). Finally, you will explore how Cilium lets you use IPv6 on Kubernetes and how to connect multiple clusters together using Cluster Mesh.
Lab | Duration
Getting Started with Cilium | 30 minutes
BGP | 30 minutes
Load Balancer IP Address Management | 45 minutes
Advanced BGP Features | 30 minutes
Cilium LoadBalancer IPAM and L2 Service Announcement | 30 minutes
Cluster Mesh | 60 minutes
IPv6 Networking and Observability | 30 minutes
Egress Gateway | 20 minutes
Isovalent Enterprise for Cilium: Connectivity Visibility | 30 minutes
SecOps Engineer Track
Next one up: the SecOps Engineer. We appreciate that condensing security professionals down to a single persona is simplistic, so we will focus on engineers working on securing cloud native environments and applications. That would include responsibilities such as securing Kubernetes clusters (using Kubernetes Network Policies or Cilium’s more advanced Cilium Network Policies), ensuring confidentiality (through the use of transparent encryption), integrity (by leveraging mutual authentication) and connecting with existing firewalls (with the Egress Gateway feature).
Let’s also include engineers who are tasked with container runtime security observability and enforcement – they will likely find Tetragon appealing.
You will start this track by familiarizing yourself with Kubernetes & Cilium Network Policies, before diving into several Tetragon labs focused on preventing malicious attacks and observing traffic at the runtime level. You will then explore security service mesh use cases such as encryption and mTLS-based mutual authentication before looking at other interesting security use cases such as Egress Gateway and Host Firewall. You will conclude with our longest and toughest lab that will take you from a cluster where all traffic is allowed to a zero-trust environment.
Lab | Duration
Getting Started with Cilium | 30 minutes
Isovalent Enterprise for Cilium: Network Policies | 45 minutes
Getting Started with Tetragon | 30 minutes
Isovalent Enterprise for Cilium: Security Visibility | 20 minutes
Isovalent Enterprise for Cilium: TLS Visibility | 20 minutes
Transparent Encryption | 30 minutes
Mutual Authentication with Cilium | 45 minutes
Host Firewall | 30 minutes
Egress Gateway | 20 minutes
Zero Trust | 60 minutes
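As an added illustration of the Layer 7 enforcement mentioned in the Cloud Network Engineer track and the allow-all to zero-trust move at the end of the SecOps track (this is not a lab artifact from the page, just an example policy), here is a CiliumNetworkPolicy that puts the backend endpoints into default-deny for ingress and allows only GET requests on one API prefix from the frontend. The namespace, labels, port and path are assumed values.

```yaml
# Example CiliumNetworkPolicy (assumed namespace/labels/port/path).
# Once an endpoint is selected by a policy that has an ingress section,
# Cilium drops any ingress traffic that is not explicitly allowed, so this
# single object moves the backend from "allow all" to default-deny ingress.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-l7
  namespace: demo            # assumed
spec:
  endpointSelector:
    matchLabels:
      app: backend           # assumed label on the protected pods
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend    # assumed label on the only allowed caller
      toPorts:
        - ports:
            - port: "8080"   # assumed backend port
              protocol: TCP
          # Layer 7 rules: only the listed HTTP requests pass; the
          # proxy answers anything else on this port with 403 Forbidden.
          rules:
            http:
              - method: GET
                path: "/api/v1/.*"
```

Traffic from other pods, or a POST from the frontend, is dropped or rejected, and the resulting verdicts are visible in Hubble flows for the namespace.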
Platform Engineer Track
We chose “Platform Engineer” as an all-encompassing title for engineers who are perhaps less specialized than the previous two roles but have a broader set of skills and responsibilities.
We appreciate it is a loose interpretation of what a Platform Engineer might do.
Seen as an evolution beyond the DevOps model, platform engineering refers to the process of “designing, building and maintaining workflows and tools for software engineering organizations to drive consistency and speed up common tasks” (as per this excellent article in The New Stack).
Call it “Platform Engineer”, “Full Stack Engineer”, “DevOps Engineer” – regardless of the semantics, this user category is essentially for engineers whose role entails building, operating, connecting and securing Kubernetes clusters.
The Platform Engineer learning path is a shorter track that focuses on the must-have Cilium features – you will start with the “Getting Started with Cilium” lab, where you will learn about one of the most common use cases for Cilium (Network Policies), before diving into ingress routing (with the Gateway API) and multi-cluster connectivity. You will then learn about a couple of advanced Isovalent Enterprise for Cilium features that help you create network policies from actual traffic and visualize it on a service map.
Lab | Duration
Getting Started with Cilium | 30 minutes
Gateway API | 45 minutes
Cluster Mesh | 30 minutes
Isovalent Enterprise for Cilium: Network Policies | 20 minutes
Isovalent Enterprise for Cilium: Connectivity Visibility | 30 minutes
Platform Ops (Service Mesh Management) Track
This next category might be the most controversial one – feel free to disagree with me. It refers to engineers who may have responsibilities for managing a Service Mesh.
It’s still not clear to me who manages a Service Mesh. Is it the application developers who work on the applications and would know the dependencies between each microservice? Is it the network administrators who need to route and load-balance traffic into the cluster? Is it the security architects who need to enforce security requirements like encryption and mutual authentication?
Is it all of the above?
In this track, you will learn about how Cilium addresses a multitude of service mesh use cases – without you having to install and manage a dedicated one. For example, you will learn how Cilium natively provides Ingress and L7 load balancing with an Ingress controller and Gateway API support. You will also learn how Cilium can encrypt the traffic in transit and enforce mutual authentication between workloads. Finally, you will learn about some of the observability insights you can gain when combining Cilium, Hubble and Grafana.
Lab | Duration
Getting Started with Cilium | 30 minutes
Ingress Controller | 30 minutes
Transparent Encryption | 30 minutes
Mutual Authentication with Cilium | 45 minutes
Gateway API | 30 minutes
Advanced Gateway API Use Cases | 30 minutes
L7 Kubernetes Annotations | 30 minutes
Isovalent Enterprise for Cilium: Connectivity Visibility | 30 minutes
Golden Signals with Hubble and Grafana | 60 minutes
Cloud Architect Track
The final category we’re proposing is “Cloud Architect” and it might be the most common one.
This learning track focuses on features that are particularly important to engineers using Cilium in cloud environments. Given that Cilium comes in different flavours depending on whether you are using GKE, AKS or EKS, not all of these features will be applicable to every managed Kubernetes service. But it should give you a good idea of the features that are particularly relevant to operating Cilium in cloud environments.
You will start by learning about Cilium Network Policies (that’s often the first reason why users would deploy Cilium in managed cloud services) before diving into routing and security use cases (like Ingress, encryption and mutual authentication) that are natively available in Cilium. You will also learn about how Cilium can support your cloud networking and connectivity requirements with cluster mesh, IPv6 support and Egress Gateway.
Lab | Duration
Getting Started with Cilium | 30 minutes
Isovalent Enterprise for Cilium: Network Policies | 45 minutes
Ingress Controller | 30 minutes
Transparent Encryption | 30 minutes
Mutual Authentication with Cilium | 45 minutes
Cluster Mesh | 60 minutes
IPv6 Networking and Observability | 30 minutes
Egress Gateway | 20 minutes
Isovalent Enterprise for Cilium: Connectivity Visibility | 30 minutes
I hope you find these various learning paths relevant to your role. If I’ve missed a category, please let me know – you can find me on LinkedIn or on the Cilium Slack.
Meanwhile, look out for our bees at the upcoming KubeCon North America 2024 in Chicago!
Prior to joining Isovalent, Nico worked in many different roles—operations and support, design and architecture, and technical pre-sales—at companies such as HashiCorp, VMware, and Cisco.
In his current role, Nico focuses primarily on creating content to make networking a more approachable field and regularly speaks at events like KubeCon, VMworld, and Cisco Live.