Isovalent Enterprise for Cilium 1.16 – High-Performance Networking With Per-Flow Encryption, End-To-End Multi-Cluster Visibility, BGPV2, and BFD for BGP
Isovalent Enterprise for Cilium 1.16 has landed! The theme of the release is “Faster, Stronger, Smarter” – faster for the blazing performances you will get with improvements to network policy performance and ELF Loader Logic, stronger for all the security and operational improvements, such as Per-Flow Selective Encryption and Port Range support in network policies and smarter for all the new traffic engineering features such as Kubernetes Service Traffic Distribution, Egress IPAM and Hubble + Timescape Multi-Cluster support!
This blog post covers the major new additions in this enterprise release.
What Is New in Isovalent Enterprise for Cilium 1.16?
Networking
- Cilium netkit: Container-network throughput and latency as fast as host-network (more details)
- Service traffic distribution: Kubernetes 1.30 Service Traffic Distribution is the successor to topology-aware routing (more details)
- BGPv2: Fresh new API for Cilium’s BGP feature (more details)
- BGP ClusterIP advertisement: BGP advertisements of ExternalIP and Cluster IP Services (more details)
- Node IPAM Service LB: Ability to assign IP addresses from the nodes themselves to Kubernetes services, providing alternative access to services from outside of the cluster (more details)
- BFD for BGP: Detect link or neighbor loss faster, forcing traffic to take an alternate path and greatly reducing downtime (more details)
- Egress Gateway IPAM: Specify a list of CIDRs to be used as Egress IPs to be assigned to the Egress Gateways (more details)
- Per-pod fixed MAC address: Addressing use-cases such as software that is licenced based on a known MAC address (more details)
Service Mesh & Ingress/Gateway API
- Gateway API GAMMA support: East-west traffic management for the cluster via Gateway API (more details)
- Gateway API 1.1 support: Cilium now supports Gateway API 1.1 (more details)
- Gateway API support for more protocol options: Cilium Gateway API supports new protocol options such as
proxyProtocol
,ALPN
andappProtocol
(more details) - Local ExternalTrafficPolicy support for Ingress/Gateway API: External traffic can now be routed to node-local endpoints, preserving the client source IP address (more details)
- L7 Envoy Proxy as dedicated DaemonSet: With a dedicated DaemonSet, Envoy and Cilium can have a separate life-cycle from each other. Now on by default for new installs (more details)
- Host Network mode & Envoy listeners on subset of nodes: Cilium Gateway API Gateway/Ingress can now be deployed on the host network and on selected nodes (more details)
Security
- Per-Flow Encryption: Selectively encrypt traffic between workloads (more details)
- Port Range support in Network Policies: This long-awaited feature has been implemented into Cilium (more details)
- Network Policy validation status:
kubectl describe cnp <name>
will be able to tell if the Cilium Network Policy is valid or invalid (more details) - CIDRGroups support for Egress and Deny rules: Add support for matching CiliumCIDRGroups in Egress and Deny policy rules (more details)
- Select nodes as the target of Cilium Network Policies: With new ToNodes/FromNodes selectors, traffic can be allowed or denied based on the labels of the target Node in the cluster (more details)
- FIPS Compliant Cilium Images: Isovalent customers can now use specific built FIPS compliant Cilium Images (more details)
Day 2 Operations and Scale
- Introduction of Cilium Feature Gates: Provide operators enhanced control over experimental features (more details)
- Improved DNS-based network policy performance: Reduction of up to 5x reduction in tail latency for DNS-based network policies (more details)
- New ELF loader logic: With this new loader logic, the median memory usage of Cilium was decreased by 24% (more details)
Hubble & Observability
- Hubble Timescape: New Alternative deployment architecture for shorter retention time of hubble flows, multi-cluster and multiple buckets support (more details)
- Hubble UI Enterprise: Multi-cluster support, HTTP and Mutual Authentication Policies in Network Policy Editor (more details)
- Filtering Hubble flows by node labels: Filter Hubble flows observed on nodes matching the given label (more details)
- Improvements for egress traffic path observability: Enhancements to Cilium Metrics and Hubble flow data for traffic that traverses Egress Gateways, allowing better troubleshooting of this popular Cilium feature (more details)
Networking
Cilium netkit
Status: Beta
Containerization has always come at a performance cost, with the most visible one on networking velocity. A standard container networking architecture could result in a 35% drop in network performance compared to the host. How could we bridge that gap?
Over the past seven years, Isovalent developers have added several features to reduce this performance penalty.
With the introduction of Cilium netkit, you can finally achieve performance parity between host and container.
Cilium is the first public project providing built-in support for netkit, a Linux network device introduced in the 6.7 kernel release and developed by Isovalent engineers. Expect to hear about developments of this feature in later releases of Isovalent Enterprise.
To learn more, read our deep dive into the journey into high-performance container networking, with netkit the final frontier.
Cilium netkit: The Final Frontier in Container Networking Performance
Learn how Cilium can now provide host-level performance.
Read Deep DiveService Traffic Distribution
Isovalent Enterprise for Cilium 1.16 will support Kubernetes’ new “Traffic Distribution for Services” model, which aims to provide topology-aware traffic engineering. It can be considered the successor to features such as Topology-Aware Routing and Topology-Aware Hints.
Introduced in Kubernetes 1.30, Service Traffic Distribution enables users to express preferences on traffic policy for a Kubernetes Service. Currently, the only supported value is “PreferClose,” which indicates a preference for routing traffic to endpoints that are topologically proximate to the client.
Users can optimise performance, cost and reliability by keeping the traffic within a local zone..
Introduced in Kubernetes 1.30, Service Traffic Distribution can be enabled directly in the Service specification (rather than using annotations as was the case with Topology-Aware Hints & Routing):
In the demo below, we have 6 backend pods across two Availability Zones. By default, traffic to the Service is distributed across all 6 pods, regardless of their location.
When enabling Traffic Distribution, you can see that the traffic from the client is only sent to the 3 pods in the same AZ. When no local backend is unavailable, traffic is forwarded to backends outside the local zone.
Alongside Service Traffic Distribution support, Cilium is also introducing tooling to monitor traffic inter- and intra-zones. Given that Service Traffic Distribution and its predecessors all derive the zones from labels placed on the nodes, users can now monitor cross-zone traffic using Hubble’s new node labels capabilities, described later in this blog post, and identify ways to reduce cost and latency.
BGPv2
Most applications running Kubernetes clusters need to talk to external networks. In self-managed Kubernetes environments, BGP is often used to advertise networks used by Kubernetes Pods and Services, to make applications accessible from traditional workloads.
Cilium has natively supported BGP since the 1.10 release. It’s quickly become a popular feature as users appreciate not having to install a separate BGP daemon to connect their clusters to the rest of the network. We’ve seen thousands of users taking our “BGP on Cilium” and “Advanced BGP on Cilium” labs and collecting badges along the way.
What we’ve noticed recently is an acceleration of its adoption in scenarios such as:
- Users needing to access KubeVirt-managed Virtual Machines running on Red Hat OpenShift clusters
- Users connecting their external network fabric (such as Cisco ACI) to Kubernetes clusters
Expect some content on both architectures in the coming weeks and months.
However, this fast adoption of BGP is a victim of its own success. The current method to deploy BGP on Cilium is through a single CustomResourceDefinition CiliumBGPPeeringPolicy, which comes with a couple of drawbacks:
- We need to explicitly enumerate per-neighbor settings, even when they match between multiple peers
- All Peers currently get the same advertisement (there’s no control such as concepts such as prefix-list)
Simply put, while the CRD worked in simple topologies, sophisticated networking topologies require a better set of abstractions, similar to what most of the popular BGP daemons use (e.g., peer templates, route maps, etc.…).
To provide users with the flexibility they need, Cilium 1.16 is introducing a new API – BGPv2 APIs.
Instead of a single CRD, you will be able to use a new set of CRDs to define complex network policies and configurations, making management more modular and scalable within Cilium.
CiliumBGPClusterConfig
: Defines BGP instances and peer configurations applied to multiple nodes.CiliumBGPPeerConfig
: A common set of BGP peering settings that can be used across multiple peers.CiliumBGPAdvertisements
: Defines prefixes that are injected into the BGP routing table.CiliumBGPNodeConfigOverride
: Defines node-specific BGP configuration to provide a finer control.
Here is a sample BGP configuration – you can find it in the containerlab examples in this repo.
For those already running the existing BGPv1 feature: note that the v1 APIs will still be available in Cilium 1.16 but they will eventually be deprecated. Migration recommendations and tooling to help you move to v2 are on the roadmap.
We recommend you start any new BGP deployments with the new v2 APIs.
BGP ClusterIP Advertisement
In addition to the new BGP APIs, Cilium 1.16 introduces support for new service advertisements. In prior releases, Cilium BGP could already announce the PodCIDR prefixes (for various IPAM scenarios) and LoadBalancer IP services. In 1.16, ExternalIP and ClusterIP Services can also be advertised.
The latter might seem like an anti-pattern: ClusterIP Services are designed for internal access only. But there were 2 reasons why this feature was requested:
- Many users are migrating from other CNIs to Cilium, and some CNIs already support ClusterIP advertisements.
- ClusterIP services automatically get a DNS record like svc.namespace.svc.cluster.example. So, by synchronizing your Kubernetes Services upstream, you could access your services via their name from outside the cluster.
In the demo below, we start before configuring the BGP session. You can see the deathstar service’s IP, label, and the BGP config. Note how we now advertise ClusterIP Services but only those with the empire label. We end by checking that the BGP sessions have come up and that the backbone router can see the prefix.
Node IPAM Service LB
For users that cannot use BGP or Cilium’s L2 Announcement (a feature particularly appreciated for development environments and a great replacement for MetalLB), Cilium 1.16 is introducing another alternative to access services from outside the cluster: Node IPAM Service LB.
Similar to the ServiceLB feature available for the lightweight distribution K3S, Node IPAM Service LB assigns IP Addresses from the nodes themselves to the Kubernetes Services.
Enable the node IPAM feature with the nodeIPAM.enabled=true flag and make sure your Service has the loadBalancerClass set to io.cilium/node:
Once the service is created, it will receive an IP address from the node itself. This option is likely to be useful in small environments.
BFD for BGP
Status: Beta
Bidirectional Forwarding Detection (BFD) enhances the stability of BGP (Border Gateway Protocol) by providing rapid failure detection between upstream routers.
Integrated into Isovalent Enterprise for Cilium, BFD proactively monitors BGP sessions and detects connectivity issues on bidirectional links within milliseconds. When deployed in a platform, BFD minimizes downtime by enabling swift failovers, essential for high-availability and low-latency environments. This feature ensures that even minor network disruptions are detected early, helping maintain stable, resilient connectivity across clusters, which is crucial for applications with stringent uptime requirements.
Read our technical walkthrough of this new feature, and watch the below video from Nico.
Egress Gateway IPAM
Status: Limited
This update to Egress Gateway in Isovalent Enterprise for Cilium allows users additional control of the IP Addressing distributed to their Egress Gateway nodes, removing the complexity of manually targeting each Egress Gateway node with specific configuration when it comes to IP address management.
The IPAM feature allows you to specify an IP pool in the IsovalentEgressGatewayPolicy
from which Cilium leases egress IPs and assigns them to the selected egress interfaces.
The IP pool should be specified in the egressCIDRs
field of the IsovalentEgressGatewayPolicy
and may be composed of one or more CIDRs:
In the policy example below, you can see the new addition of the key egressCIDR
.
The Cilium operator is in charge of performing the egress IPs allocation to the active egress gateways. Each egress gateway is assigned a different egress IP.
A successful allocation from the operator is reflected in the IsovalentEgressGatewayPolicy
status.
Cilium Egress Gateway
Get hands on and learn how Cilium’s Egress Gateway enables controlled, secure connectivity from Kubernetes pods to external workloads by assigning specific nodes for outbound traffic, addressing traditional firewall constraints in enterprise environments
Start LabPer-pod fixed MAC address
Some applications require software licenses to be based on network interface MAC addresses.
With Cilium 1.16, you can set a specific MAC address for your pods, which should make licensing and reporting easier.
Simply add a specific annotation to your pod with the MAC address value:
For more information, check out the very short demo below:
Service mesh & Ingress/Gateway API
Gateway API GAMMA Support
The Cilium Service Mesh announcement back in 2021 had wide ramifications. It made our industry entirely reconsider the concept of a service mesh and reflect on the widely-accepted sidecar-based architecture. Why did we need a service mesh in the first place? Was it for traffic observability? To encrypt the traffic within our cluster? Ingress and L7 load-balancing? And do we really need a sidecar proxy in each one of our pods?
It turns out that Cilium could already do a lot of these things natively: network policies, encryption, observability, tracing. When Cilium added support for Ingress and Gateway API to manage traffic coming into the cluster (North-South), it further alleviated the need to install and manage additional third-party tools ; simplifying the life of platform operators.
One of the remaining areas of improvements for Cilium Service Mesh capabilities was traffic management within the cluster: it was possible through customizing the onboard Envoy proxy but it required advanced knowledge of the proxy.
With Cilium 1.16, Cilium Gateway API can now be used for sophisticated East-West traffic management – within the cluster – by leveraging the standard Kubernetes Gateway API GAMMA.
GAMMA stands for “Gateway API for Mesh Management and Administration”. It provides a consistent model for east-west traffic management for the cluster, such as path-based routing and load-balancing internally within the cluster.
Let’s review a GAMMA configuration:
You will notice that, instead of attaching a route to a (North/South) Gateway like we’ve done so far when using Gateway API for traffic entering our cluster, we can now attach the route to a parent Service, called echo, using the parentRefs field.
Traffic bound to this parent service will be intercepted by Cilium and routed through the per-node Envoy proxy.
Note how we will forward traffic to the /v1 path to the echo-v1 service and the same for v2. This is how we can, for example, do a/b or green/blue canary testing for internal apps.
To learn more, try the newly updated Advanced Gateway API lab, and check out the below video:
Gateway API enhancements
In addition to GAMMA support, Cilium 1.16’s Gateway API implementation has been boosted with multiple enhancements:
Gateway API 1.1 support:
in Gateway API 1.1, several features are graduating to Standard Channel (GA), notably including support for GAMMA (mentioned above) and GRPCRoute (supported in Cilium since Cilium 1.15). Features on the Standard release channel denotes a high level of confidence in the API surface and provides guarantees of backward compatibility.
New protocol options support:
Cilium 1.16 Gateway API now support new protocol options:
proxyProtocol
: Some Load Balancing solutions use the HAProxy Proxy Protocol to pass source IP information along. With this new feature, Cilium will be able to pass PROXY protocol and will provide another option to preserve the source IP (another one is highlighted below).ALPN
: Application-Layer Protocol Negotiation is a TLS extension required for HTTP/2. As gRPC is built on HTTP/2, when you enable TLS for gRPC you will also need ALPN to negotiate whether both client and server support HTTP/2.appProtocol
: Kubernetes 1.20 introducedappProtocol
support for Kubernetes Services, enabling users to specify an application protocol for a particular port.
Local ExternalTrafficPolicy support for Ingress/Gateway API:
When external clients access applications running in your cluster, it’s sometimes useful to preserve the original client source IP for various reasons such as observability and security. Kubernetes Services can be configured with the externalTrafficPolicy
set to Local
to ensure the client source IP is maintained.
In Cilium 1.16, the Cilium-managed Ingress/Gateway API LoadBalancer Services’ external traffic policies can be configured globally via Helm flags or via dedicated Ingress annotation.
Envoy enhancements
Every Cilium release brings improvements to its usage of Envoy, the lightweight cloud native proxy. Envoy has been a core component of Cilium’s architecture for years and has always been relied upon to provide Layer 7 functionalities to complement eBPF’s L3/L4 capabilities.
Cilium 1.16 introduces some subtle changes to Envoy’s use within Cilium:
Envoy as a DaemonSet is now the default option:
Introduced in Cilium 1.14, the Envoy DaemonSet deployment option was introduced as an alternative to embedding Envoy within the Cilium agent. This option decouples Envoy from the Cilium agent, providing more opacity between the Cilium and Envoy lifecycles. In Cilium 1.16, Envoy as a DaemonSet is now the default for new installations.
Host Network mode & Envoy listeners on subset of nodes
Host network mode allows you to expose the Cilium Gateway API Gateway directly on the host network. This is useful in cases where a LoadBalancer Service is unavailable, such as in development environments or environments with cluster-external load balancers.
Alongside this feature, you can use a new option to only expose the Gateway/Ingress functionality on a subset of nodes, rather than on all of them.
This will deploy the Gateway API Envoy listener only on the Cilium Nodes matching the configured labels. An empty selector selects all nodes and continues to expose the functionality on all Cilium nodes. Note both of these features are also available for the Cilium Ingress Controller.
Security
Per-Flow Selective Encryption
Status: Beta
Isovalent Enterprise for Cilium 1.16 introduces a new security and performance enhancement: Selective Encryption! Hundreds of Cilium users already leverage Cilium’s native ability to encrypt traffic flows within a Kubernetes cluster or between clusters, for confidentiality and regulatory purposes. But Cilium Transparent Encryption has traditionally been all-or-nothing: it either encrypts all the traffic (which obviously comes with overhead) or none of it. There are however many users who only wanted to encrypt the traffic for a specific application and rely on application encryption (HTTPS/TLS) when required.
With Selective Encryption, we’re introducing the ability to selectively encrypt specific traffic based on objects like namespaces and pod labels, using a Isovalent Encryption policy that should look and feel like a Cilium Network Policy:
To learn more, watch the below video recorded by Nico, and also follow along in our updated lab “Cilium Transparent Encryption with IPSec and WireGuard“
Cilium Transparent Encryption with IPSec and WireGuard
This lab guides you through implementing transparent pod-to-pod encryption in Kubernetes using Cilium’s IPsec and WireGuard options, simplifying compliance and security by eliminating the need for complex Service Mesh or in-application encryption.
Start LabPort Range Support in Network Policies
Cilium 1.16 supports a long-awaited feature: support for port ranges in network policies.
Before this, network policies would require you to list ports one by one in your network rule, even if they were contiguous.
The Port Range feature, announced in Kubernetes 1.21 and promoted to Stable in Kubernetes 1.25, lets you target a range of ports instead of a single port in a Network Policy, using the endPort keyword.
In the demo below, we start by verifying we have access from a client across to 3 servers listening on ports 8080, 8081 and 8082. It’s successful until we deployed a Cilium Network Policy only allowing the 8080-8081 range, thereafter access to 8082 is blocked.
Access is successful again after expanding the range to 8080-8082.
This feature is available with Kubernetes Network Policies and the more advanced Cilium Network Policies.
Network Policy Validation Status
Sometimes, Cilium cannot detect and alert when Network Policies are semantically incorrect until after deployment.
The demo below shows that even though our network policy is missing a field, it seems accepted. The only way to find out it was rejected is by checking the verbose agent logs, which is not an ideal user experience.
Cilium 1.16 adds information about the network policy validation condition in the operator. This means that, as you can see in the demo, you can easily find the status of the policy – valid or invalid – by checking the object with kubectl describe cnp
.
CIDRGroups support for Egress and Ingress/Egress Deny Rules
Another feature designed to simplify the creation and management of network policy: in Cilium 1.16, you can now use CiliumCIDRGroups in Egress and Ingress/Egress Deny Policy rules. A CiliumCIDRGroup is a list of CIDRs that can be referenced as a single entity in Cilium Network Policies and Cilium Cluster Network Policies.
To consume this enhancement, first create a CIDR Group as per the YAML example below:
You can then use the meta name from the CiliumCIDRGroup
within the policy as below for Egress Policies:
Select Nodes as the Target of Cilium Network Policies
The feature adds the ability to provide Cilium Network Policies with the ability to use Node Labels with the policy selector statements. Before the Cilium 1.16 release, users who needed to filter traffic from/to Kubernetes nodes in their cluster using Network Policies would need to use either the “remote-node” entity or a CIDR-based policy. Using either of these methods had its pitfalls, such as remote-node
selecting all nodes in a cluster mesh configuration.
Before Cilium 1.16, to target nodes in a Cilium Network Policy, you would use a policy as the example below:
Now, with this new feature, which allows nodes to be selectable by their labels instead of CIDR and/or remote-node entity, you can configure the helm value nodeSelectorLabels=true
and use a policy such as the example below, which allows pods with the label env: prod
, to communicate with control-plane nodes:
The following extraVar can be configured to select which node labels are used for node identity.
FIPS-compliant Cilium Images
In today’s regulatory landscape, industries such as finance, healthcare, and government must meet rigorous compliance standards to ensure data integrity and security. Federal Information Processing Standards (FIPS) compliance is especially critical, as it certifies that cryptographic algorithms meet stringent federal security requirements.
With the release of Isovalent Enterprise for Cilium 1.16, customers with stringent compliance needs can now confidently integrate industry-leading security measures into their operations with our FIPS-compliant Cilium images.
If your organization requires robust, FIPS-compliant solutions to meet critical security standards, contact our team to learn how we can support your compliance journey.
Speak with an Isovalent Solution Architect Today
Get connected with one of our Cilium experts today and see Isovalent Cilium Enterprise in action.
Get in touchDay 2 Operations and Scale
Introduction of Cilium Feature Gates
In the upcoming Isovalent Enterprise for Cilium 1.16 release, we’re introducing feature gates to give operators more control over beta, limited, and unsupported features. This change enables teams to safely experiment with new functionalities in a controlled manner, ensuring that only intended features are activated within their environment. While the current release will provide warnings if feature gates aren’t configured, future versions will require them for Cilium to start.
Feature gates empower operators to manage feature availability more precisely, aligning with evolving security and reliability standards.
Below is an example of the output created when trying to install a feature that is not stable with 1.16.
Furthermore, this is also captured in the Cilium Agent logs.
In the future Isovalent Enterprise for Cilium 1.17 release, the feature gates warning will block the installation of features that are not approved, with a bypass needed as part of your installation configuration.
Improved DNS-Based Network Policy Performance
One of the reasons Cilium Network Policies are so popular with cluster administrators are their ability to filter based on Fully-Qualified Domain Names (FQDN).
DNS-aware Cilium Network Policies enable users to permit traffic based on specific FQDNs, for example, by using the toFQDN
selector in network policies to only allow traffic to, for example, my-remote-service.com
. It’s supported by using a DNS proxy that is responsible for intercepting DNS traffic and recording IP addresses seen in the responses.
DNS-Based Network policies are extremely useful when implementing API security; improving this feature’s performance ultimately offers a better developer and end-user experience.
With this latest release, Cilium 1.16 has significantly improved CPU and memory usage and, even more crucially, up to 5x reduction in tail latency.
The implementation of toFQDNs selectors in policies has been overhauled to improve performance when many different IPs are observed for a selector: Instead of creating cidr
identities for each allowed IP, IPs observed in DNS lookups are now labelled with the selectors toFQDNs
matching them.
This reduces tail latency significantly for FQDNs with a highly dynamic set of IPs, such as e.g. content delivery networks and cloud object storage services. As you can see from the below graphs, with these enhancements, there is a 5x improvement in tail latency.
Elegantly, upon upgrade or downgrade, Cilium will automatically migrate its internal state for toFQDNs
policy entries.
That’s not the only performance improvement in Cilium 1.16. Let’s dive into another enhancement.
New ELF Loader Logic
Theoretically, we must recompile the BPF for an endpoint whenever its configuration changes. Compiling is a fairly expensive process, so a mechanism named “ELF templating / substitution” had been developed to avoid recompilation in the most common cases. This substitution process was, however, sub-optimal. In Cilium 1.16, it has been improved, resulting into noticeable memory gains:
Hubble and Observability
A New Hubble Timescape Deployment Mode
Hubble Timescape delivers in-depth observability for Cilium by tracking application interactions, security events, and dependencies, enabling users to analyze, troubleshoot, and identify anomalies within Kubernetes clusters. Designed to scale, Timescape also supports extensive historical data retention for long-term analysis.
With Hubble Timescape 1.4, the new Timescape Lite deployment mode is introduced, offering a simplified, single-StatefulSet deployment without the need for additional storage or microservices, ideal for short-term flow visibility. Users can start with Timescape Lite and seamlessly upgrade to the full Timescape deployment as data retention needs grow.
Configuration is deployable via Helm, including Lite-specific parameters for quick setup.
Configuration is deployable via Helm, including Lite-specific parameters for quick setup.
Hubble Timescape now supports multi-cluster environments, enabling events to be stored across one or multiple object storage buckets, with the Timescape ingester capable of processing data from multiple sources. We recommend deploying a single Hubble Timescape instance within a dedicated monitoring cluster and configuring it to ingest data from multiple buckets or specified bucket prefixes. Multi-cluster mode is not supported for use with Hubble Timescape Lite.
Hubble UI Enterprise Improvements
Starting from version 1.4, Hubble UI Enterprise introduces two major features: multi-cluster support and the ability to create Cilium Network Policies with HTTP rules.
When using Hubble for visibility across your Kubernetes environement, in previous versions you would need a Hubble UI instance per cluster. With Multi-Cluster support, Hubble UI Enterprise provides visualization of service map and flow tables from multiple clusters, when used in conjunction with Hubble Timescape.
Within Hubble UI enterprise the former “flows” tab has been renamed to “Connections” and now displays connections information at three different levels:
- Cluster level: shows all clusters and how they connect (where applicable) with each other
- Namespace level: shows all namespaces in a cluster and connections between them and external ones (host, other cluster, etc)
- Service level: this is the original Hubble UI view that Hubble UI is known for.
The second feature update to Hubble UI Enterprise brings the creation of Network Policies using HTTP rule and also Mutual Authentication to the Network Policy Editor, further expanding policy options for users.
With this addition, the Network Policy Editor now supports key elements of Cilium’s Layer 3 to Layer 7 policy capabilities, offering users enhanced control over HTTP traffic management and simplifying policy creation for common configurations.
When using the Network Policy Editor, clicking an endpoint in the service map will provide the ability to creating a HTTP Rule, as can be seen in the screenshot below. By clicking to Add an HTTP Rule
, the dialog box will expand with additional inputs for the necessary HTTP Rules aligned to the configurations available within the Cilium Network Policy CRD.
Once applied, the network policy editor will display an updated Cilium Network Policy that includes the HTTP rule, which can be uploaded to the Kubernetes environment.
Rules created for intra-cluster communications between workloads can also be enabled for Mutual Authentication using the network policy editor using a simple toggle. Below within a policy that allows traffic between any workloads within the namespace that have the label app=veducate
, the Mutual Authentication toggle has been enabled. The resulting network policy will have authentication.mode=required
present.
Additional recent enhancements to Hubble UI Enterprise include updated tooltips across configurable components, providing clear explanations of accepted data formats and details within dialog value boxes.
Filtering Hubble Flows by Node Labels
Hubble now captures the node labels for flows, allowing you to filter by particular nodes in your cluster. This can be helpful for Kubernetes deployments across availability zones and help to identify cross-availability zone traffic between workloads regardless of their source or destination namespaces, for example.
With Hubble providing this level of visibility, it will help platform owners identify misconfigured services that allow cross-AZ traffic and cause an increase in costs from the cloud provider. Typically, most deployments should be set to local preferred traffic, with remote traffic set as a fallback, meaning all traffic should be localised within the same AZ, only traversing the AZ when the service fails.
Below is a recording showing how to use these new filters to view cross-availability zone traffic.
Improvements for egress traffic path observability
The Cilium Egress Gateway feature allows you to select defined exit routes on your network for your containers. This feature is particularly useful when traffic leaving your cluster transits via external traffic management devices. These devices need to understand the specific endpoints from which traffic originates. The Egress Gateway feature works by implementing deterministic source NAT for all traffic that traverses through a node; allocating a predictable IP to traffic coming from a particular Pod or a specific namespace.
In Cilium 1.16, several enhancements are implemented to aid better observability for traffic using Egress Gateway nodes.
The first is the creation of additional metrics within the Cilium Agent, which tracks the number of allocated ports in each NAT connection tuple: {source_ip, endpoint_ip, endpoint_port}. These additional statistics help monitor the saturation of the endpoint connections based on the allocation of source ports.
he Cilium Metric nat_endpoint_max_connection
has also been implemented to monitor these statistics in your alerting platform.
Hubble flow data has been further updated with Egress Gateway traffic paths in mind. Earlier in this blog post, we’ve already covered the ability to capture and filter traffic flows based on Node Label, so let’s look at two further new filters.
In the below Hubble flow output, the pod xwing is contacting an external device on IP address 172.18.0.7; this traffic is subject to address translation by the Egress Gateway.
The new fields implemented are:
- IP.source_xlated
- node_labels
- interface
Here is a JSON output of a flow recorded by Hubble:
These additional fields are further combined with updates to the Hubble CLI, which includes the following new arguments;
In the example below, we filter all traffic using the specific node label in our environment to identify egress gateway nodes. The traffic has been translated to the IP address 172.18.0.42.
In the recording below, you can see these new features to extend Egress Gateway Observability in action.
Core Isovalent Enterprise for Cilium features
Advanced Networking Capabilities
In addition to all the core networking features available in the open source edition of Cilium, Isovalent Enterprise for Cilium also includes advanced routing and connectivity features popular with large enterprises and Telco, including:
- Multi Networking and the ability to connect a pod to multiple networks
- Fully managed eBPF-based multicast
- Segment Routing version 6 (SRv6) L3 VPN support
- Overlapping PodCIDR support for Cluster Mesh
- Phantom Services for Cluster Mesh
Platform Observability, Forensics, and Auditing
Isovalent Enterprise for Cilium includes advanced observability and auditing capabilities designed for platform teams. With Role-Based Access Control (RBAC), teams can provide users access to network data and dashboards specific to their applications and namespaces.
The Hubble Enterprise UI features a Network Policy Editor that enables easy creation of network policies based on actual traffic. Hubble Timescape offers time-travel analytics for historical observability data, extending beyond real-time insights available in Hubble OSS. Additionally, logs can be exported to SIEM platforms like Splunk or ELK for broader security and monitoring needs.
For more on Hubble enterprise features, explore the Hubble for the Enterprise blog or labs like the Network Policies Lab and Connectivity Visibility Lab.
Enterprise-Grade Resilience
Isovalent Enterprise for Cilium includes capabilities for organizations that require the highest level of availability. These include features such as High Availability for DNS-aware network policy (video) and High Availability for the Cilium Egress Gateway (video), as well as FIPs compliant images for those who need to meet the most stringent security compliance requirements.
Enterprise-Grade Support
Last but certainly not least, Isovalent Enterprise for Cilium includes enterprise-grade support from Isovalent’s experienced team of experts, ensuring that any issues are resolved promptly and efficiently. Customers also benefit from the help and training from professional services to deploy and manage Cilium in production environments.
Shortening time to value with Isovalent Enterprise for Cilium Support
In this brief you can learn why many leading Fortune 500 companies including Adobe, Goldman Sachs, IBM, JPMC, and Roche picked Isovalent to partner with them on their cloud native journey.
Download BriefConclusions
Since the previous enterprise release, many new end users have stepped forward to tell their stories of why and how they’re using Isovalent Enterprise for Cilium in production. These use cases cover multiple industries: software (Adobe), medical (Roche), and IT service and cloud providers (Schuberg Philis). Read below some of the testimonies:
Want to learn more about this release and Isovalent Enterprise platform? Join our webinar with Thomas Graf, creator of Cilium, and Nico Vibert, Senior Staff Technical Marketing Engineer to learn about the latest innovations in the leading Cloud Native Networking Platform Cilium and Isovalent’s Enterprise edition.
Cilium and Isovalent Enterprise for Cilium 1.16 Release Webinar
In this webinar, join Thomas Graf, founder of the Cilium project, and Nico Vibert, Senior Staff Technical Marketing Engineer to learn about the latest innovations in the leading Cloud Native Networking Platform Cilium and Isovalent’s Enterprise edition.
Register NowTo learn more about Isovalent Enterprise for Cilium 1.16, check out the following links:
- Follow up with our hands-on technical workshop, where you’ll get hands-on with these new features!
- Request a Demo – Schedule a demo session with an Isovalent Solution Architect
- Read more about the Cilium OSS 1.16 release
- Learn more about Isovalent & Cilium with our resource library – including guides, tutorials, and interactive labs
Feature Status
Here is a brief definition of the feature maturity levels in regards to Isovalent Enterprise for Cilium used in this blog post:
- Stable: A feature that is appropriate for production use in a variety of supported configurations due to significant hardening from testing and use.
- Limited: A feature that is appropriate for production use only in specific scenarios and in close consultation with the Isovalent team.
- Beta: A feature that is not appropriate for production use, but where user testing and feedback is requested. Customers should contact Isovalent support before considering Beta features.
Previous Releases
- Isovalent Enterprise for Cilium 1.15: eBPF-based IP Multicast, BGP support for Egress Gateway, Network Policy Change Tracker, and more!
- Isovalent Enterprise for Cilium 1.14: introducing Cilium Multi-Network
- Isovalent Enterprise for Cilium 1.13: SRv6 L3VPN, Overlapping CIDR Support, FromFQDN in Network Policy, Grafana plugin and more!
Find earlier release announcements on our blog.
Dean Lewis is a Senior Technical Marketing Engineer at Isovalent – the company behind the open-source cloud native solution Cilium.
Dean had a varied background working in the technology fields, from support to operations to architectural design and delivery at IT Solutions Providers based in the UK, before moving to VMware and focusing on cloud management and cloud native, which remains as his primary focus. You can find Dean in the past and present speaking at various Technology User Groups and Industry Conferences, as well as his personal blog.