Isovalent library

Videos

WireGuard Node-To-Node Encryption on Cilium

In this video, learn about a new feature: Cilium Transparent Encryption with WireGuard can now encrypt traffic node-to-node!

Nico Vibert
Nico Vibert
Blogs

A Deep Dive into Cilium Gateway API: The Future of Ingress Traffic Routing

In this blog post, learn what the Cilium Gateway API is and how the Gateway API project came to be and the issues it solves.

Sachin Jha
Sachin Jha
Blogs

Tutorial: Getting Started with the Cilium Gateway API

In this tutorial, you will learn how to install, configure and manage the Cilium Gateway API to route traffic into your Kubernetes cluster.

Nico Vibert
Nico Vibert
Videos

Cilium Gateway API – TLS Termination

In this video, Senior Technical Marketing Engineer Nico Vibert walks you through how Cilium Gateway API can route HTTPS traffic into your cluster.

Nico Vibert
Nico Vibert
Videos

Egress Gateway High Availability

In this video, learn with Raymond de Jong how Egress Gateway HA can provide enterprise users resilience for their egress gateway traffic.

Raymond de Jong
Raymond de Jong
Videos

Cilium BIG TCP

With Cilium 1.13 comes a new exciting feature that enables faster performance and lower latency through the network stack: BIG TCP.

Nico Vibert
Nico Vibert
Videos

Cilium Gateway API – HTTP Header Modifier

In this short video, Senior Technical Marketing Engineer Nico Vibert walks you through how to use Cilium Gateway API to modify HTTP headers.

Nico Vibert
Nico Vibert
Blogs

Cilium 1.13 – Gateway API, mTLS datapath, Service Mesh, BIG TCP, SBOM, SNI NetworkPolicy, …

Announcing Cilium 1.13 - Gateway API, mTLS datapath, Service Mesh, BIG TCP, SBOM, SNI NetworkPolicy - and many more features!

Thomas Graf
Thomas Graf
Blogs

BIG Performances with BIG TCP on Cilium

With Cilium 1.13, you can now leverage BIG TCP with IPv6 to improve performance through the Linux network stack.

Nico Vibert
Nico Vibert
Earn a badge
Lab
Labs

Cilium IPv6 Networking and Observability

Learn how simple IPv6 can be installed and operated with Cilium and Hubble. With Kubernetes’ IPv6 support improving in recent releases and Dual Stack Generally Available in Kubernetes 1.23, it’s time to learn about IPv6 on Kubernetes. You might be wondering “How on Earth am I going to be able to operate this?” Good news – you’re in the right place. This lab will walk you through how to deploy a IPv4/IPv6 Dual Stack Kubernetes cluster and install Cilium and Hubble to benefit from their networking and observability capabilities. In particular, visibility of IPv6 flows is absolutely essential. IPv6’s slow adoption is primarily caused by fears it would be hard to operate and manage. As you will see, a tool such as Hubble will help operators visualize and understand their IPv6 network better.

Videos

Cilium Gateway API – Mini Demo

In this brief demo, we introduce a new Cilium 1.13 feature: support for Kubernetes Gateway API !

Nico Vibert
Nico Vibert
Videos

Ingress To Gateway Migration – Mini-Demo

In this brief demo, we test a new tool called Ingress2Gateway that lets you convert Kubernetes Ingress resources to Gateway API resources.

Nico Vibert
Nico Vibert
Videos

Cilium L7 Load-Balancing with K8S Services – Mini Demo

In Cilium 1.13, you can now use Cilium’s embedded Envoy proxy to achieve load-balancing for L7 services, with a simple annotation.

Nico Vibert
Nico Vibert
Earn a badge
Lab
Labs

Cilium Enterprise: Zero Trust Visibility

Creating the right Network Policies can be difficult. In this lab, you will use Hubble metrics to build a Network Policy Verdict dashboard in Grafana showing which flows need to be allowed in your policy approach.

Videos

Cilium Shared LB – Mini Demo

In Cilium 1.13, Ingress Resource can now share Kubernetes LoadBalancer Resources. Watch the mini demo to learn more!

Nico Vibert
Nico Vibert
Videos

Cilium Traffic Splitting – Mini Demo

Cilium 1.13 comes with a fully integrated with a HTTP traffic splitting engine!

Nico Vibert
Nico Vibert
Videos

InternalTrafficPolicy on Cilium – Mini Demo

In this mini-demo, you will learn about internalTrafficPolicy support on Cilium! This feature was added with Cilium 1.13.

Nico Vibert
Nico Vibert
Videos

Cilium LB IPAM – Mini Demo

In this mini-demo, you will get an insight into Load-Balancer IP Address Management support on Cilium! This feature was added with Cilium 1.13.

Nico Vibert
Nico Vibert
Videos

Cilium SCTP – Mini Demo

In this mini-demo, you will get an insight into SCTP support on Cilium! This feature was added with Cilium 1.13.

Nico Vibert
Nico Vibert
Labs

SCTP on Cilium

SCTP (Stream Control Transmission Protocol) is a transport-layer protocol used for communication between applications. It is similar to TCP, but it provides additional features such as multi-homing and message fragmentation. Applications that require reliable, ordered delivery of data, but also need the ability to handle multiple streams of data simultaneously can use SCTP. SCTP is primarily used by service providers and mobile operators. While SCTP support for Kubernetes Services, Endpoint and NetworkPolicy was introduced in Kubernetes 1.12, you still need a CNI to support it. Good news: basic support for SCTP was introduced in Cilium 1.13!

Earn a badge
Lab
Labs

Cilium LoadBalancer IPAM and BGP Service Advertisement

BGP support was initially introduced in Cilium 1.10 and subsequent improvements have been made since, such as the recent introduction of IPv6 support in Cilium 1.12. In Cilium 1.13, that support was enhanced with the introduction of Load Balancer IPAM and BGP Service address advertisements. In this lab, you will learn about both these new features and how they can simplify your network connectivity operations.

Blogs

Tutorial: Tips and Tricks to install Cilium

Ever wonder how to install a specific version of Cilium? Or whether to use Helm or the cilium-cli? Let's look at the many ways to install Cilium.

Nico Vibert
Nico Vibert
Videos

Cluster Mesh Service Affinity

In this video, Senior Technical Marketing Engineer Nico Vibert walks through a new feature with Cilium 1.12 - the ability to specify service affinity for meshed cluster load balancing.

Nico Vibert
Nico Vibert
Videos

SRv6 on Cilium – An Introductory Demo

In this demo, Isovalent Staff Software Engineer Louis DeLosSantos walks through an introductory demo of SRv6 on Cilium, for a L3VPN use case. The demo was first shown live during eBPF Day North America 2022.

Louis DeLosSantos
Louis DeLosSantos
Videos

Cluster Mesh

Workloads usually across multiple Kubernetes clusters - on premises and clouds. How do you bring them together? With Cluster Mesh! This video by our Raymond de Jong briefly explains the concept, the requirements, and walks through a demo of the capabilities.

Raymond de Jong
Raymond de Jong
Videos

Isovalent Cilium Enterprise – Network Policies

Network Policies - the basics, the gotchas, how to create, how to apply them, and everything else that is to know about them! Duffie Cooley will guide you through eBPF powered Cilium network policies, how Hubble can help you with them, and why DNS and L7 transparency so incredible important.

Duffie Cooley
Videos

Video: BBR Support for Pods

Tune in to our experts Nikolay Aleksandrov (speaker) and Daniel Borkmann comparing BBR-based congestion control to Linux' default CUBIC for Pods. The BBR-based congestion control for Pods has been added in Cilium 1.12 as a new feature for Cilium's Bandwidth Manager and for the first time enables Pods to use BBR in practice. Using a real-world adaptive video streaming use case they will compare two different network conditions - high-speed long-haul links with large BDP and last mile networks at the edge of Internet - and discuss the results.

Nikolay Aleksandrov
Videos

Cilium Tech Talks – HA FQDN

Of course we cannot talk about networks without DNS. In the end it is always DNS what causes trouble. This is especially true when the CNI is down, or being upgraded: customers will lose DNS resolution! But that means the apps can’t resolve URLs to send the traffic to the correct destination. Isovalent provides full high availability of the DNS resolution. This includes “traffic” being available all the time, even when the CNI is down. Ops teams don’t have to worry about downtimes anymore, because their DNS based security model still follows the deny-all security models and denies all traffic that is not explicitly allowed. In this demo you will see how HA DNS proxy takes care of that.

Youssef Azrak
Youssef Azrak
Videos

Cilium Tech Talks – Egress Gateway

Integrating Kubernetes clusters in a legacy networking environment can be a challenge, especially when legacy firewalls are involved. Join us to learn how Cilium Enterprise allows you to define highly-available groups of egress nodes and IP addresses, making it possible to fit Kubernetes egress traffic pretty much to any security policy that may be in place in your infrastructure.

Raphael Pinson
Raphael Pinson
Videos

Getting Started with Cilium Monitoring with Grafana

In this video, Nico Vibert introduces monitoring key metrics of Cilium and Hubble, by leveraging Prometheus and Grafana.

Nico Vibert
Nico Vibert
Videos

IPv6 Networking and Observability with Cilium and Hubble

In this video, Senior Technical Marketing Engineer Nico Vibert will walk you through how to deploy a IPv4/IPv6 Dual Stack Kubernetes cluster and install Cilium and Hubble to benefit from their networking and observability capabilities.

Nico Vibert
Nico Vibert
Videos

AKS Bring Your Own CNI (BYOCNI) and Cilium

In this short video, Senior Technical Marketing Engineer Nico Vibert deploys a AKS cluster without a CNI to ease the installation of Cilium.

Nico Vibert
Nico Vibert
Videos

Cilium Transparent Encryption with IPsec and WireGuard

In this video, Senior Technical Marketing Engineer Nico Vibert walks through two methods to encrypt data in transit between Kubernetes Pods: Cilium Transparent Encryption with IPsec or WireGuard.

Nico Vibert
Nico Vibert
Videos

BGP on Cilium

In this video, Senior Technical Marketing Engineer Nico Vibert walks through BGP enhancements in Cilium 1.12, with the integration with GoBGP. This new version also introduces support for BGP over IPv6.

Nico Vibert
Nico Vibert
Videos

Pod Traffic Rate Limiting with Cilium Bandwidth Manager

In this short video, Senior Technical Marketing Engineer Nico Vibert walks you through how to use Cilium Bandwidth Manager to rate-limit the traffic sent by your Kubernetes Pods. Great to address potential contention issues !

Nico Vibert
Nico Vibert
How eBPF will solve Service Mesh
White papers

How eBPF will solve Service Mesh

Service mesh is a concept describing the requirements of modern cloud native applications with regards to communication, visibility, and security. Current implementations of this concept involve running sidecar proxies in each workload or pod. This is a pretty inefficient way of solving these requirements. In this white paper we will look at an alternative to the sidecar model that provides a transparent service mesh with high efficiency at low complexity, with the help of eBPF.

Building a secure and maintainable PaaS
Case studies

Building a secure and maintainable PaaS

Capital One needed to scale their PaaS to multiple teams - but required secure network isolation, visibility and minimal performance overhead. Isovalent Cilium Enterprise met all requirements and scaled past the iptables limits. Hubble’s additional observability capabilities helped their teams to do more from the start.

Building a scalable Kubernetes platform
Case studies

Building a scalable Kubernetes platform

Isovalent helped PostFinance to build a scalable Kubernetes platform to run mission-critical banking software in production. By migrating to Cilium as the default CNI for kubernetes, they were able to solve their challenges regarding scale, observability and latency. The network was made visible, improving troubleshooting, enabling forensic analysis and transparently encrypt network traffic.

Accelerating the Journey to Cloud Native Microservices
White papers

Accelerating the Journey to Cloud Native Microservices

Enterprises adopting cloud native technologies quickly realize that legacy approaches are useless in efficiently rolling our business applications. Cilium enables Kubernetes architects to solve challenges as addressing security & compliance requirements, providing advanced connectivity and ensuring identity-aware observability for platform and application teams.

Labs

Cilium Host Firewall

Ever since its inception, Cilium has supported Kubernetes Network Policies to enforce traffic control to and from pods at L3/L4. But Cilium Network Policies even go even further: by leveraging eBPF, it can provide greater visibility into packets and enforce traffic policies at L7 and can filter traffic based on criteria such as FQDN, protocol (such as kafka, grpc), etc… Creating and manipulating these Network Policies is done declaratively using YAML manifests. What if we could apply the Kubernetes Network Policy operating model to our hosts? Wouldn’t it be nice to have a consistent security model across not just our pods, but also the hosts running the pods? Let’s look at how the Cilium Host Firewall can achieve this. In this lab, we will install SSH on the nodes of a Kind cluster, then create Cluster-wide Network Policies to regulate how the nodes can be accessed using SSH. The Control Plane node will be used as a bastion to access the other nodes in the cluster.

Earn a badge
Lab
Labs

Cilium Gateway API

In this short lab, you will learn about Gateway API, a new Kubernetes standard on how to route traffic into a Kubernetes cluster. The Gateway API is the next generation of the Ingress API. Gateway API addresses some the Ingress limitations by providing an extensible, role-based and generic model to configure advanced L7 traffic routing capabilities into a Kubernetes cluster. In this lab, you will learn how you can use the Cilium Gateway API functionality to route HTTP and HTTPS traffic into your Kubernetes-hosted application.

Blogs

Tutorial: Transparent Encryption with IPsec and WireGuard

In this tutorial, you'll learn how easy it is to encrypt Kubernetes traffic using Cilium Transparent Encryption with IPsec and WireGuard.

Nico Vibert
Nico Vibert
Labs

Getting started with eBPF

eBPF is the new standard to program Linux kernel capabilities in a safe and efficient manner without requiring to change kernel source code or loading kernel modules. It has enabled a new generation of high performance tooling to be developed covering networking, security, and observability use cases. The best way to learn about eBPF is to read the book “What is eBPF” by Liz Rice. And the best way to have your first experience with eBPF programming is to walk through this lab, which takes the opensnoop example out of the book and teaches you to handle an eBPF tool, watch it loading its components and even add your own tracing into the source eBPF code.

Earn a badge
Lab
Labs

Cilium Service Mesh

You already know that Cilium accelerates networking, and provides security and observability in Kubernetes, using the power of eBPF. Now Cilium is bringing those eBPF strengths to the world of Service Mesh. Cilium Service Mesh features eBPF-powered connectivity, traffic management, security and observability. In this lab, you will learn how you can use Cilium to deploy Ingressresources to dynamically configure the Envoy proxy provided with the Cilium agent. And all of the above without any Envoy sidecar injection into your pods!

Earn a badge
Lab
Labs

Getting Started with Cilium

Cilium is an open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration. In this track, we provide you a fully fledged Cilium installation on a small cluster, together with a few challenges to solve. See yourself how Cilium works, and how it can help you securing your moon-sized battlestation in a “Star Wars”-inspired challenge.

Labs

Security Observability with eBPF and Cilium Tetragon

Security Observability is a new paradigm that utilizes eBPF, a Linux kernel technology, to allow Security and DevOps teams, SREs, Cloud Engineers, and Solution Architects to gain real-time visibility into Kubernetes and helps to secure your production environment with Cilium Tetragon. Cilium Tetragon is an open source Security Observability and Runtime Enforcement tool from the makers of Cilium. It captures different process and network event types through a user-supplied configuration to enable security observability on arbitrary hook points in the kernel; then translates these events into actionable signals for a Security Team. The best way to learn about Security Observability and Cilium Tetragon is to read the book “Security Observability with eBPF” by Jed Salazar and Natalia Reka Ivanko. And the best way to have your first experience with Cilium Tetragon is to walk through this lab, which takes the Real World Attack example out of the book and teaches you how to detect a container escape step by step!

Labs

Isovalent Cilium Enterprise: TLS Visibility

In this scenario, we are going to show how Isovalent Cilium Enterprise can provide visibility into TLS traffic. In Security Audits, a company or team has to verify their application protects data in transit and doesn’t leak information during communication, especially when data leaves a sensitive internal network. Mechanisms like TLS ensure that data is encrypted in transit, but verifying that a TLS configuration is secure becomes a challenge for most companies. In this lab, you will learn how Isovalent Cilium Enterprise can 1) identify the version of TLS being used, informing us if an obsolete and insecure version is being used, 2) report on the cipher being used and 3) export events in JSON format to SIEM.

Labs

Isovalent Cilium Enterprise: Security Visibility

In this scenario, we are going to simulate the exploitation of a nodejs application, with the attacker spawning a reverse shell inside of a container and moving laterally within the Kubernetes environment.   We will demonstrate how the combined Process and Network Event Data: identify the suspicious Late Process Execution tie the suspicious processes to a randomly generated External Domain Name trace the Lateral Movement and Data Exfiltration of the attacker post-exploit

Labs

Isovalent Cilium Enterprise: Connectivity Visibility

This lab provides an introduction to Isovalent Cilium Enterprise capabilities related to connectivity observability. This track primarily focuses on Hubble Flow events that provide label-aware, DNS-aware, and API-aware visibility for network connectivity within a Kubernetes environment.

Labs

Cilium Egress Gateway

Kubernetes changes the way we think about networking. In an ideal Kubernetes world, the network would be entirely flat and all routing and security between the applications would be controlled by the Pod network, using Network Policies. In many Enterprise environments, though, the applications hosted on Kubernetes need to communicate with workloads living outside the Kubernetes cluster, which are subject to connectivity constraints and security enforcement. Because of the nature of these networks, traditional firewalling usually relies on static IP addresses (or at least IP ranges). This can make it difficult to integrate a Kubernetes cluster, which has a varying —and at times dynamic— number of nodes into such a network. Cilium’s Egress Gateway feature changes this, by allowing you to specify which nodes should be used by a pod in order to reach the outside world.

Labs

Cilium Transparent Encryption with IPSec and WireGuard

Encryption is required for many compliance frameworks. Kubernetes doesn’t natively offer pod-to-pod encryption. To offer encryption capabilities, it’s often required to implement it directly into your applications or deploy a Service Mesh. Both options add complexity and operational headaches. Cilium actually provides two options to encrypt traffic between Cilium-managed endpoints: IPsec and WireGuard. In this lab, you will be installing and testing both features and will get to experience how easy it is to encrypt data in transit with Cilium.

Earn a badge
Lab
Labs

Cilium Cluster Mesh

With the rise of Kubernetes adoption, an increasing number of clusters is deployed for various needs, and it is becoming common for companies to have clusters running on multiple cloud providers, as well as on-premise. Kubernetes Federation has for a few years brought the promise of connecting these clusters into multi-zone layers, but latency issues are more often than not preventing such architectures. Cilium Cluster Mesh allows you to connect the networks of multiple clusters in such as way that pods in each cluster can discover and access services in all other clusters of the mesh, provided all the clusters run Cilium as their CNI. This allows to effectively join multiple clusters into a large unified network, regardless of the Kubernetes distribution each of them is running. In this lab, we will see how to set up Cilium Cluster Mesh, and the benefits from such an architecture.