How Capital One used eBPF and Cilium to build a secure, maintainable PaaS

How Capital One used eBPF and Cilium to build a secure, maintainable PaaS

We are a bank. Everything is security first. We had to have a way to audit the network traffic down to the specific application that initiated the connection.
Bradley Whitfield, Capital One

Building out for multiple teams

Capital One built an internal PaaS called "Dragon" for its developers, based on Kubernetes. Dragon’s goal was to enable developers to ship code to production with little friction. This project was a great success in one commercial division so the plan was to extend it to other teams.

Building out for multiple teamsBuilding out for multiple teams

The Challenge

But: Dragon was not initially built as a multi-tenant platform! Scaling it up meant that the platform needed to meet these requirements:

Secure network isolationSecure network isolation
Maintenance and performance overhead reductionMaintenance and performance overhead reduction
Network visibility and auditingNetwork visibility and auditing
Scale past iptables limitsScale past iptables limits
eBPF and Cilium to the rescue

eBPF and Cilium to the rescue

The Capital One team found that eBPF, and with it Cilium, met their requirements. Capital One also found that Cilium was gaining adoption and had an enterprise version. Cilium had other features interesting to Capital One:

  • IPsec between nodes
  • Cluster Mesh, including cluster level Network Policies
  • Flexible Network Policies
  • Reduced iptables complexity, leading to reduced operational complexity
  • Layer 7 filter and outbound DNS name policies
  • Better troubleshooting policies with the Cilium CLI
Enhanced observability with Hubble

Enhanced observability with Hubble

Part of Cilium is Hubble, Cilium’s distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a transparent manner.

  • Durable audit log storage and enterprise SIEM integration into security workflows
  • Hubble UI service map, making network traffic flows visible to teams
  • Tracking network traffic down to the specific binary, crucial for threat hunting
  • Exporting network flow logs to logging stacks.
  • Hubble observe command, helping with overall troubleshooting
Multi-tenant capabilities for a multi-team future

Multi-tenant capabilities for a multi-team future

As a result, Capital One decided to use Isovalent Cilium Enterprise as their solution for their multi tenant clusters. It met the list of requirements, added many interesting features, provided extensive insight, while adding very little maintenance and performance overhead. It provided security and networking observability out of the box, the teams at Capital One didn’t have to write custom code.

By introducing Cilium into Dragon, Capital One was able to transform the PaaS to a multi-tenant platform, making it available to multiple teams, keeping it secure and providing team-specific observability.

Subscribe to newsletter

What’s Next?

How to learn more about Isovalent, Cilium and eBPF

Isovalent labs

Take one of our interactive hands-on labs

Try for free

Contact Sales

Let's engage around all things Cilium and eBPF

Contact sales