How Capital One used eBPF and Cilium to build a secure, maintainable PaaS
Building out for multiple teams
Capital One built an internal, Kubernetes-based PaaS called "Dragon" for its developers. Dragon's goal was to let developers ship code to production with as little friction as possible. The project was a great success in one commercial division, so the plan was to extend it to other teams.
But Dragon was not initially built as a multi-tenant platform. Scaling it out to other teams meant the platform had to meet a new set of requirements:
eBPF and Cilium to the rescue
The Capital One team found that eBPF, and Cilium built on top of it, met these requirements. Cilium was also gaining adoption across the industry and had a supported enterprise version. Beyond the core requirements, Cilium offered other features that Capital One found interesting:
- Transparent IPsec encryption of traffic between nodes
- Cluster Mesh, including network policies that span clusters
- Flexible network policies
- Far less reliance on iptables, which reduces operational complexity
- Layer 7 filtering and egress policies based on DNS names
- Easier troubleshooting of policies with the Cilium CLI
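What such a policy looks like in practice, as an added example rather than any manifest from Capital One or the Cilium project: it limits one tenant's API to HTTP GET on a path prefix from the tenant's own frontend, allows DNS lookups through Cilium's DNS proxy, and lets the workload reach a single external hostname. The namespace `tenant-a`, the labels `app: orders-api` and `app: web-frontend`, the port numbers and the hostname `payments.example.com` are all assumptions.

```yaml
# Added example, not Capital One's or Cilium's own manifest.
# Namespace, labels, ports and hostname are hypothetical.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-isolation
  namespace: tenant-a
spec:
  description: "Tenant-scoped allow list; anything not listed below is dropped"
  endpointSelector:
    matchLabels:
      app: orders-api
  ingress:
    # Only the tenant's own frontend may call the API, and only GET /v1/orders...
    - fromEndpoints:
        - matchLabels:
            app: web-frontend
            k8s:io.kubernetes.pod.namespace: tenant-a
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/v1/orders.*"
  egress:
    # DNS to kube-dns, routed through the DNS proxy so lookups are visible
    # (this rule is what makes the toFQDNs rule below enforceable).
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Outbound traffic only to one named third-party API over TLS.
    - toFQDNs:
        - matchName: "payments.example.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Once a CiliumNetworkPolicy selects a pod, that pod is in default-deny mode for every direction the policy has rules for, so nothing outside these rules is allowed; that is the property that keeps tenants apart. The `dns` rule matters: Cilium's DNS proxy records the addresses returned for `payments.example.com` and only those addresses are permitted on port 443, so a `toFQDNs` rule without a matching DNS rule would never match. Rules that must apply to every tenant namespace can be expressed as a `CiliumClusterwideNetworkPolicy` instead, and with Cluster Mesh the same selectors can match workloads running in other clusters.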
Enhanced observability with Hubble
Hubble, part of Cilium, is its distributed networking and security observability platform for cloud native workloads. Built on Cilium and eBPF, it gives deep visibility into how services communicate and behave, and into the networking infrastructure itself, without any change to the workloads. Its features include:
- Durable audit log storage and integration with the enterprise SIEM and security workflows
- The Hubble UI service map, which makes network traffic flows visible to teams
- Attribution of network traffic down to the specific binary, crucial for threat hunting
- Export of network flow logs to logging stacks
- The hubble observe command, which helps with general troubleshooting
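How flow logs get from Hubble into a logging stack or SIEM, as an added example: these are Helm values for the open-source Cilium chart, not Capital One's or Isovalent's configuration, and the file path, rotation settings and field list are assumptions to check against the chart version in use. The static exporter writes one JSON flow per line to a file on each node; a node-level log shipper (not shown) forwards that file, and the filters keep the volume down to the verdicts an investigation actually needs.

```yaml
# Added example: Helm values for the open-source Cilium chart
# (not Capital One's or Isovalent's configuration). Path, rotation
# and field list are assumptions; verify against your chart version.
hubble:
  enabled: true
  export:
    # Rotate the per-node flow file so it cannot fill the node disk.
    fileMaxSizeMb: 10
    fileMaxBackups: 5
    static:
      enabled: true
      filePath: /var/run/cilium/hubble/events.log
      # Keep only the fields a SIEM correlation needs; everything else
      # (Ethernet headers, raw identities, ...) is dropped before export.
      fieldMask:
        - time
        - verdict
        - drop_reason_desc
        - traffic_direction
        - source.namespace
        - source.pod_name
        - destination.namespace
        - destination.pod_name
        - l4
        - l7
      # Export only flows that indicate a problem: policy drops, errors,
      # and flows an audit-mode policy would have dropped.
      allowList:
        - '{"verdict":["DROPPED","ERROR","AUDIT"]}'
      # Control-plane noise from kube-system is not tenant traffic.
      denyList:
        - '{"source_pod":["kube-system/"]}'
        - '{"destination_pod":["kube-system/"]}'
```

Because every exported line carries the source and destination namespace, a tenant-scoped view is a filter on those two fields in the logging stack, which is how team-specific observability can be offered without giving one team visibility into another's traffic. The `AUDIT` verdict is worth keeping when onboarding a team: policies applied in audit mode log what they would have dropped instead of dropping it, so the exported flows show exactly which rules still need adjusting before enforcement is switched on.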
Multi-tenant capabilities for a multi-team future
As a result, Capital One chose Isovalent Cilium Enterprise for its multi-tenant clusters. It met the list of requirements, added many useful features and provided extensive insight, while adding very little maintenance and performance overhead. Security and networking observability came out of the box, so the Capital One teams did not have to write custom code.
By introducing Cilium into Dragon, Capital One transformed the PaaS into a multi-tenant platform available to multiple teams, while keeping it secure and giving each team its own observability.