Bringing Zero Trust and Observability to VMs in Kubernetes with KubeVirt and Cilium
While most companies are traversing the journey from virtual machines to containers, they do so at their own speed. As with any significant technology change, technical debt and time are the limits to moving from one architecture to another.
Moving away from 80 million virtual machines – and that’s only counting VMs running on VMware – won’t happen overnight.
While Kubernetes users have recently turned to KubeVirt to simultaneously manage Kubernetes Pods and virtual machines, they quickly ran into a challenge: how to connect, secure and manage them together?
In this post, we’ll dive into how you can leverage Cilium to bring cutting-edge security and performance to your VMs and containers, ensuring your infrastructure is future-proof and ready to tackle the most demanding workloads.
Running virtual machines on Kubernetes with KubeVirt
At its core, Kubernetes is a container orchestration platform that is extensible to allow integration with various infrastructure components, such as storage and networking, and platforms, such as virtualization hypervisors and cloud providers.
Although Kubernetes was solely focused on containers when released, the open source community has since built further extensibility to cover additional use cases. The most obvious question has been “Can I use Kubernetes for virtual machines?” The most prominent project answering it is KubeVirt, which has support from several vendors, including Red Hat, who adopted it into their OpenShift Virtualization offering. This blog post focuses on KubeVirt as the Kubernetes extension that provides virtual machines, combined with Isovalent Enterprise for Cilium as the software-defined networking platform.
KubeVirt technology addresses the needs of development teams that have adopted or want to adopt Kubernetes but possess existing Virtual Machine-based workloads that cannot be easily containerized.
Within a Kubernetes environment, scheduling, networking and storage for all workloads, whether containers or virtual machines, are handled by Kubernetes. KubeVirt handles the virtualization functionality necessary to run virtual machines on the Kubernetes nodes. Below is a simplified diagram of the KubeVirt architecture running in tandem with Kubernetes (image source: KubeVirt project).
The benefits of running virtual machines with Kubernetes follow the same path as running virtual machines on a traditional hypervisor offering:
- Better resource management and allocation of the underlying node itself.
- The flexibility of using the Kubernetes APIs for orchestration and management of the workload, regardless of whether it is a pod running containers or a virtual machine instance.
- The ability for application owners to develop applications against the necessary resources using the same toolset and knowledge, without having to interact with distinctly different platforms.
Virtual machine networking with KubeVirt
The KubeVirt project integrates with the Kubernetes CNI to provide networking for virtual machines. This approach allows for greater flexibility within existing Kubernetes constructs rather than introducing a separate network stack specifically for virtual machines. Because the virtual machine's traffic enters the pod network through the virt-launcher pod, virtual machines benefit from the same Isovalent Enterprise for Cilium networking features already in use for containers, such as security policies and observability, without requiring any additional network stack.
Addressing container and virtual machine networking complexity with the Isovalent Platform
For organizations with stringent security and availability requirements, we recommend Isovalent Enterprise for Cilium.
Isovalent customers rely on us to accelerate cloud-native adoption through enterprise-grade stability and exceptional customer support. S&P Global broke down networking and developer silos with Cilium during their shift to a 100% cloud strategy, ensuring secure and reliable multi-cloud Kubernetes operations. Similarly, Schuberg Philis, a Dutch IT company, integrated Cilium to deliver a zero-trust security platform, helping customers seamlessly migrate PCI-DSS compliant workloads from on-prem to the cloud.
At a glance, Isovalent Enterprise for Cilium offers:

| Capability | Included |
|---|---|
| Enterprise-hardened Cilium versions and testing | ✅ |
| 24×7 enterprise-grade support SLA | ✅ |
| Proactive support environment reviews | ✅ |
| Exclusive Cilium + Hubble technical training | ✅ |
| Dedicated Solutions Architect | ✅ |
| Replica customer testing environments | ✅ |
Demonstrating secure and scalable networking with KubeVirt and Cilium
Deploying your Kubernetes cluster with Cilium and then enabling KubeVirt remains simple, with no significant changes to the deployment methods already described in the existing documentation. One small note: the Helm value socketLB.hostNamespaceOnly=true should be configured so that Cilium's socket-level load balancing is applied only in the host network namespace, which is required for compatibility with KubeVirt's networking implementation for virtual machine devices.
The video below demonstrates a virtual machine running side by side with containers in a Kubernetes environment. In this demo, we cover the following features:
- Communication between containers and virtual machines
- Observability of virtual machine traffic using Hubble
- Ingress access to resources running on the virtual machine from outside the cluster using Gateway API
- Zero Trust implementation using Cilium Network Policies to create security boundaries
- Live migration of the virtual machine between Kubernetes nodes
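The following manifests are an added example, not configuration from the post, the video or the KubeVirt and Cilium projects themselves. They tie the demo's pieces together: the Helm value recommended above, a labelled KubeVirt virtual machine attached to the pod network, a Service fronting it (the backend a Gateway API route would target), and a CiliumNetworkPolicy that builds the zero-trust boundary around the VM. The names (demo, web-vm, frontend, cilium-values.yaml) and the memory size are assumptions chosen for illustration.

```yaml
# --- Cilium Helm values (assumed file name: cilium-values.yaml) ---
# Restrict socket-level load balancing to the host network namespace,
# as recommended above for KubeVirt compatibility.
socketLB:
  hostNamespaceOnly: true
---
# --- KubeVirt virtual machine (constructed example, not from the post) ---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: web-vm
  namespace: demo
spec:
  runStrategy: Always
  template:
    metadata:
      # Labels on the VMI template are copied to the virt-launcher pod,
      # which is the endpoint Cilium applies policy to and Hubble reports on.
      labels:
        app: web-vm
    spec:
      domain:
        devices:
          disks:
            - name: containerdisk
              disk:
                bus: virtio
          interfaces:
            - name: default
              # masquerade binding on the pod network keeps the VM migratable
              masquerade: {}
        resources:
          requests:
            memory: 256Mi
      networks:
        - name: default
          pod: {}
      volumes:
        - name: containerdisk
          containerDisk:
            image: quay.io/kubevirt/cirros-container-disk-demo
---
# --- Service fronting the VM, so in-cluster clients and a Gateway API
#     HTTPRoute can reach it by name rather than by pod IP ---
apiVersion: v1
kind: Service
metadata:
  name: web-vm
  namespace: demo
spec:
  selector:
    app: web-vm
  ports:
    - port: 80
      targetPort: 80
---
# --- Zero-trust boundary: only pods labelled app=frontend in the same
#     namespace may reach the VM, and only on TCP/80. Selecting the endpoint
#     with an ingress section makes every other ingress flow default-deny. ---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: web-vm-ingress
  namespace: demo
spec:
  endpointSelector:
    matchLabels:
      app: web-vm
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
```

Apply the Kubernetes documents with kubectl apply -f after installing Cilium with the values file. Two points are worth checking once the VM is running: fromEndpoints without an explicit namespace label matches only endpoints in the policy's own namespace, so a pod labelled app=frontend elsewhere is still denied; and because the policy selects the VM's endpoint, Hubble will report other ingress attempts as dropped, which hubble observe --namespace demo --verdict DROPPED makes visible as the policy takes effect.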
You can also follow along with the video using this new Isovalent lab, which covers the same steps.
Cilium Micro-Segmentation for Virtual Machines with KubeVirt
In this lab, you will learn how to leverage KubeVirt to run virtual machines alongside containers in Kubernetes, while using Cilium for secure, scalable networking.
The challenge of securing workloads across both virtual machines and containers has become a critical concern. For organizations running hybrid environments, balancing performance, flexibility, and security is an operational necessity rather than a theoretical discussion. This is where Isovalent Enterprise for Cilium steps in, offering micro-segmentation, eBPF-powered visibility, and security that spans both containers and virtual machines, whether you are orchestrating them with KubeVirt or OpenShift Virtualization.
- Request a Demo – Schedule a demo session with an Isovalent Solution Architect.
- Explore the Isovalent resource library – Find guides, tutorials, and interactive labs on Isovalent, Cilium, and eBPF.
Dean Lewis is a Senior Technical Marketing Engineer at Isovalent – the company behind the open-source cloud native solution Cilium.
Dean has a varied background in the technology field, from support to operations to architectural design and delivery at IT solutions providers based in the UK, before moving to VMware and focusing on cloud management and cloud native, which remains his primary focus. Dean has spoken, and continues to speak, at various technology user groups and industry conferences, and writes on his personal blog.