How Capital One used eBPF and Cilium to build a secure, maintainable PaaS

Solution Highlight

“We are a bank. Everything is security first. We had to have a way to audit the network traffic down to the specific application that initiated the connection.”

Bradley Whitfield, Capital One

Building out for multiple teams

Capital One built an internal PaaS called "Dragon" for its developers, based on Kubernetes. Dragon’s goal was to enable developers to ship code to production with little friction. This project was a great success in one commercial division so the plan was to extend it to other teams.

The Challenge

Dragon, however, was not initially built as a multi-tenant platform. Scaling it out to other teams meant the platform had to meet these requirements:

  • Secure network isolation
  • Network visibility and auditing
  • Maintenance and performance overhead reduction
  • Scale past iptables limits

eBPF and Cilium to the rescue

The Capital One team found that eBPF, and with it Cilium, met these requirements. Capital One also found that Cilium was gaining adoption and had an enterprise version. In addition, Cilium offered further features of interest to Capital One:

  • IPsec between nodes
  • Cluster Mesh, including cluster-level Network Policies
  • Flexible Network Policies
    • Reduced iptables complexity, leading to reduced operational complexity
    • Layer 7 filtering and outbound DNS-name policies
    • Easier troubleshooting of policies with the Cilium CLI
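The policy features listed above (Layer 7 filtering, outbound DNS-name policies and cluster-aware selectors) come together in a single CiliumNetworkPolicy. The manifest below is an added illustration, not Capital One's or Isovalent's configuration: the namespace, workload labels, partner domain and cluster name are constructed placeholders. It admits only GET requests on one path prefix from a named frontend, allows DNS lookups for a single partner domain through the Cilium DNS proxy, and then permits HTTPS egress only to the addresses that DNS resolved for that domain. Everything else is dropped, and each verdict is visible in Hubble.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payments-api            # constructed example name
  namespace: team-payments      # constructed tenant namespace
spec:
  endpointSelector:
    matchLabels:
      app: payments-api
  ingress:
    # Only the checkout frontend may call the API, and only read-only
    # requests under /api/v1/payments/ get through the L7 proxy.
    - fromEndpoints:
        - matchLabels:
            app: checkout-frontend
        # Cluster Mesh: the same workload label in a peer cluster is
        # selected explicitly by cluster name (constructed name).
        - matchLabels:
            app: checkout-frontend
            io.cilium.k8s.policy.cluster: cluster-2
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/v1/payments/.*"
  egress:
    # DNS queries go to kube-dns and are inspected by the DNS proxy;
    # only names matching the partner domain are answered.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*.example-partner.com"
    # HTTPS is allowed only to IPs that the DNS proxy saw resolve for
    # the partner domain, so a workload cannot reach an arbitrary IP.
    - toFQDNs:
        - matchPattern: "*.example-partner.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

A policy like this is applied with kubectl in the tenant namespace; because a CiliumNetworkPolicy is namespaced, each team can own its own rules while a cluster-wide CiliumClusterwideNetworkPolicy enforces the baseline (for example, default-deny and the kube-dns egress rule) for all tenants.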

Enhanced observability with Hubble

Part of Cilium is Hubble, Cilium’s distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a transparent manner.

Capital One quickly identified the enhanced observability Hubble could provide for their case:

  • Durable audit log storage and enterprise SIEM integration into security workflows
  • Tracking network traffic down to the specific binary, which is crucial for threat hunting
  • The hubble observe command, which helps with overall troubleshooting
  • The Hubble UI service map, which makes network traffic flows visible to teams
  • Exporting network flow logs to logging stacks
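The durable audit log and SIEM integration points above rest on Hubble's flow export. The Helm values fragment below is an added example, not Capital One's deployment: it enables Cilium's static flow exporter so that policy verdicts and dropped flows are written as JSON lines to a file on each node, from where a log shipper can forward them to a SIEM. The key names follow the `hubble.export.static` section of the Cilium Helm chart as I know it (Cilium 1.14 and later); the field list and filters are assumptions to be checked against the chart version actually deployed, and the file size and retention values are constructed.

```yaml
hubble:
  enabled: true
  export:
    # Rotate the on-node audit file so it cannot fill the disk;
    # the shipper picks up rotated files too (constructed values).
    fileMaxSizeMb: 50
    fileMaxBackups: 10
    static:
      enabled: true
      filePath: /var/run/cilium/hubble/events.log
      # Keep only the fields an audit pipeline needs; field names follow
      # the Hubble Flow protobuf (assumed list, trim to taste).
      fieldMask:
        - time
        - verdict
        - drop_reason_desc
        - event_type
        - source.namespace
        - source.pod_name
        - source.labels
        - destination.namespace
        - destination.pod_name
        - destination.labels
        - l4
        - l7
      # Each allowList entry is a Hubble FlowFilter as JSON. Export every
      # drop and error, plus policy-verdict events (monitor type 5), so the
      # SIEM sees both what was blocked and which policy allowed a flow.
      allowList:
        - '{"verdict":["DROPPED","ERROR"]}'
        - '{"event_type":[{"type":5}]}'
```

With this in place, a tenant's dropped or policy-audited connections land in the SIEM tagged with the source pod name and labels, which is what makes the "which application initiated the connection" question answerable after the fact rather than only while someone is running hubble observe.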

With these capabilities, teams could do more from day one.

Multi-tenant capabilities for a multi-team future

As a result, Capital One chose Isovalent Cilium Enterprise as the solution for its multi-tenant clusters. It met the list of requirements, added many useful features and provided extensive insight, while adding very little maintenance and performance overhead. Because it delivered security and networking observability out of the box, the teams at Capital One did not have to write custom code.

By introducing Cilium into Dragon, Capital One was able to transform the PaaS to a multi-tenant platform, making it available to multiple teams, keeping it secure and providing team-specific observability.
