Documentation
What is AWS ENI & AWS VPC CNI plugin?
AWS ENI — Cilium 1.16.0 documentation
The AWS ENI allocator is specific to Cilium deployments running in the AWS
https://docs.cilium.io/en/stable/network/concepts/ipam/eni/#ipam-eni
AWS VPC CNI plugin — Cilium 1.16.0 documentation
This guide explains how to set up Cilium in combination with the AWS VPC CNI
https://docs.cilium.io/en/stable/installation/cni-chaining-aws-cni/
VPC CNI Custom Networking - Amazon EKS Blueprints for Terraform
Custom networking addresses the IP exhaustion issue by assigning the node and Pod IPs from secondary VPC address spaces (CIDR).
https://aws-ia.github.io/terraform-aws-eks-blueprints/snippets/vpc-cni-custom-networking/
Wireguard /w Cilium - Amazon EKS Blueprints for Terraform
This pattern demonstrates Cilium configured in CNI chaining mode with the VPC CNI and with Wireguard transparent encryption enabled on an Amazon EKS cluster.
https://aws-ia.github.io/terraform-aws-eks-blueprints/patterns/wireguard-with-cilium/
Understanding CNI, Kube-proxy and Service Mesh
At the Intersection of Cilium CNI and Service Mesh - Who Has the Right of Way? - Christine Kim
https://youtu.be/ZykwwHt5hYY?si=Wu706fChwk6GdTzm
Kubernetes Components
A Kubernetes cluster consists of the components that are a part of the control plane and a set of machines called nodes.
https://kubernetes.io/docs/concepts/overview/components/#kube-proxy
Kube-Proxy and CNI: The Hidden Components of Kubernetes Networking - Blog
Explore the essential yet often overlooked components of Kubernetes networking.
https://seifrajhi.github.io/blog/kubernetes-networking/
CNI
CNI (Container Network Interface), a
https://www.cni.dev
Demystifying Kubernetes Networking
Despite being in Spanish (use subtitles to translate), it is the best video I have watched that tackles:
- Load Balancers in K8s
- Ingress/Gateway/Gateway class
- kube-proxy
- Service Mesh
- Sidecars
From CNI to Service Mesh Demystifying Kubernetes Networking
Kubernetes is a powerful tool for deploying microservices applications offering features such as auto-scaling and multi-tenancy among others.
https://youtu.be/UJsaWrcR7q4?si=UEN6D9Bz_GyeWfVN
eBPF, Cilium and Hubble
What are Cilium and Hubble?
Cilium is an open source software for providing, securing, and observing network connectivity between container workloads.
https://isitobservable.io/observability/service-mesh/what-are-cilium-hubble
YouTube Videos
Cilium Kubernetes CNI Provider, Part 1: Overview of eBPF and Cilium and the Installation Process
In this multi-part series, we will take a look at Cilium.
https://youtu.be/aLq3O3l2LF4?si=wC9pJRBVDo3Lsp7O
Cilium Kubernetes CNI Provider, Part 2: Security Policies and Observability Leveraging Hubble
In this multi-part series, we will take a look at Cilium.
https://youtu.be/5EcVrm01rAU?si=aYBJmrRsu66XrJ7Q
Cloud DeMISTified: Kubernetes Networking with Cilium Demo
In this episode of the Cloud DeMISTified series, Isovalent TME Nico Vibert walks the Cables2Clouds podcast through how to consume the Isovalent free labs on https://isovalent.
https://www.youtube.com/watch?v=-0eXstgFMjY&t=2515s
Migrating to AWS
YouTube Videos
eCHO Episode 106: Live Migration to Cilium in AWS
Whether you are just starting to learn about eBPF, you’re looking for further material or you’re a seasoned contributor to major eBPF projects, the eBPF & Cilium Community is here to support you.
https://www.youtube.com/watch?v=kurMo3r4Ol4
How to migrate from the Amazon VPC CNI to Cilium in K8s • Federico & Simone • PlatformCon 2022
In this talk, Federico Hernandez and Simone Sciarrati will dive into how they performed the migration of the networking component for Meltwater’s production Kubernetes clusters - from the AWS VPC CNI plugin to Cilium.
https://youtu.be/6Sks_Th99t0?si=ZrypE5TGtSdTboOG
https://www.youtube.com/watch?v=w6S6baRHHu8&list=PLDg_GiBbAx-kDXqDYimwytMLh2kAHyMPd&t=182s
Blogs
Episode 106 - HackMD
With Dan Finneran
https://hackmd.io/@Echo-Live/106
Cilium: Installing Cilium in EKS with no Kube-Proxy
Cilium in EKS and no KPR
https://medium.com/@amitmavgupta/cilium-installing-cilium-in-eks-with-no-kube-proxy-86f54a56c360
Architecting for Resilience: Crafting Opinionated EKS Clusters with Karpenter & Cilium Cluster Mesh — Part 1
Welcome to the future of digital ecosystems, where robustness meets unparalleled innovation!
https://dev.to/aws-builders/architecting-for-resilience-crafting-opinionated-eks-clusters-with-karpenter-cilium-cluster-mesh-part-1-1b9a
Build secure Amazon EKS with Cilium and network encryption
Build “cheap and secure” Amazon EKS with Karpenter and Cilium
https://ruzickap.github.io/posts/cilium-amazon-eks/
Building robust platform for containers part 1 — Terraform, EKS & Cillium
Welcome to this blog post series where we will try to go through a robust way to create your robust platform for running container…
https://blog.raftech.nl/building-robust-platform-for-containers-part-1-terraform-eks-cillium-5822a13d3113
eBPF - Cilium on FHIR® - A Star Wars Story
Anakin Skywalker challenged the high ground and has been terribly injured on Mustafar.
https://community.intersystems.com/post/ebpf-cilium-fhir%C2%AE-star-wars-story
Transparent encryption of node to node traffic on Amazon EKS using WireGuard and Cilium | Amazon Web Services
As the move to cloud native architectures continues to accelerate, one of the common challenges we hear from our customers is that adopting security best practices in Kubernetes clusters can be challenging.
https://aws.amazon.com/blogs/containers/transparent-encryption-of-node-to-node-traffic-on-amazon-eks-using-wireguard-and-cilium/
Running a Single-Node Kubernetes Cluster on Your Laptop with Hyper-V
I recently upgraded my old laptop from 16GB to a whopping 64GB of RAM.
https://medium.com/@shih.chieh.cheng/running-a-single-node-kubernetes-cluster-on-your-laptop-with-hyper-v-e83836f25df1
Cilium & Argo CD on a Single-Node Kubernetes Cluster on Your Laptop — A Love Story of eBPF and…
After setting up a functional Kubernetes cluster in Blog 1, the cluster is just at the starting point.
https://medium.com/@shih.chieh.cheng/cilium-argo-cd-on-a-single-node-kubernetes-cluster-on-your-laptop-a-love-story-of-ebpf-and-44936ea38ff1
Cilium 1.12 - Ingress, Multi-Cluster, Service Mesh, External Workloads, ...
Introduction to eBPF and Cilium
Imagine being able to run programs directly at the core of your operating system—right within the kernel.
https://everythingdevops.dev/introduction-to-ebpf-and-cilium/
Practice Labs
eBPF
Getting started with eBPF - Isovalent
In this Isovalent lab, you will learn how to write your first eBPF code.
https://isovalent.com/labs/ebpf-getting-started/
Learning eBPF Tutorial - Isovalent
In this hands-on tutorial, learn with Liz Rice the basics of eBPF, including BPFtool, maps, eBPF for networking and the eBPF verifier.
https://isovalent.com/labs/ebpf-tutorial/
Gateway API
Cilium Gateway API - Isovalent
In this Isovalent lab, learn how to use Cilium Gateway API to route HTTP and HTTPS traffic into your Kubernetes-hosted application.
https://isovalent.com/labs/cilium-gateway-api/
Advanced Gateway API Use Cases - Isovalent
Learn about additional specific use cases for Cilium Gateway API: Traffic splitting, HTTP request header rewrite, and others.
https://isovalent.com/labs/cilium-gateway-api-advanced/
Functionalities
Discovery: Platform Engineer - Isovalent
This hands-on discovery lab is designed for Platform and DevOps Engineers.
https://isovalent.com/labs/discovery-platform-engineer/
Isovalent Enterprise for Cilium: Cilium Multi-Networking - Isovalent
In this hands-on lab, you will learn how to use Isovalent Enterprise for Cilium to connect your Pod to multiple networks!
https://isovalent.com/labs/cilium-multi-networking/
Discovery: Cloud Network Engineer - Isovalent
This hands-on discovery lab is designed for Cloud Network Engineers.
https://isovalent.com/labs/discovery-cloud-network-engineer/
Discovery: SecOps Engineer - Isovalent
This hands-on discovery lab is designed for SecOps Engineers.
https://isovalent.com/labs/discovery-secops-engineer/
Service Mesh
Blogs
From sidecars to sidecarless: Tracing the evolution of service mesh technologies with Istio and Cilium
Learn how technologies like Istio Ambient and Cilium revolutionize microservices networking, offering unprecedented capabilities in traffic management, observability, and security.
https://www.codecentric.de/wissens-hub/blog/sidecars-sidecarless-evolution-service-mesh-technologies-istio-cilium
Integrating Dapr with Cilium: A Sidecar-Less Service Mesh Approach combined with a powerful distributed application runtime
Cilium and Dapr can be harmonized to create a cutting-edge infrastructure that simplifies service management while enhancing scalability and reliability.
https://www.codecentric.de/wissens-hub/blog/integrating-dapr-with-cilium-a-sidecar-less-service-mesh-approach-combined-with-a-powerful-distributed-application-runtime
Cluster Mesh
YouTube
Cilium ClusterMesh in Action: Strengthening Security Across Distributed Kubernetes Clusters
https://youtu.be/MSqI-gBiCrc?si=yHW7M4iF_120cq_I
Simplifying Multi-Cluster and Multi-Cloud Deployments with Cilium - Liz Rice, Isovalent
https://youtu.be/qbB3TEiOb24?si=2aI1P87fMb4U7lLg
Security with Cilium
YouTube
Controlling Access to External APIs with Cilium - Luis Ramírez, SuperOrbital
https://youtu.be/eWJmIfX2E38?si=LsQcnTeUFerje6RA
GitHub - superorbital/ciliumcon-na-2023-l7-external-api-control: Configuring Cilium to limit access to external APIs with L7 Network Policies!
Configuring Cilium to limit access to external APIs with L7 Network Policies!
https://github.com/superorbital/ciliumcon-na-2023-l7-external-api-control
Installation
KinD
Installation Using Kind — Cilium 1.16.1 documentation
This guide uses kind to demonstrate deployment
https://docs.cilium.io/en/stable/installation/kind/
EKS
GitHub - aws-samples/cilium-service-mesh-on-eks
https://github.com/aws-samples/cilium-service-mesh-on-eks?tab=readme-ov-file
Getting Started with Cilium Service Mesh on Amazon EKS | Amazon Web Services
Cilium is an open source solution for providing, securing, and observing network connectivity between workloads, powered by the revolutionary kernel technology called extended Berkeley Packet Filter (eBPF).
https://aws.amazon.com/blogs/opensource/getting-started-with-cilium-service-mesh-on-amazon-eks/
Alvin showcasing how to provision an EKS cluster with Cilium as the default CNI and Argo CD, using Terraform as infrastructure as code
GitHub - alvo254/ekscape: duddle of cilium, eks, terraform and argocd
duddle of cilium, eks, terraform and argocd.
https://github.com/alvo254/ekscape
Amazon EKS introduces cluster creation flexibility for networking add-ons - AWS
Discover more about what’s new at AWS with Amazon EKS introduces cluster creation flexibility for networking add-ons
https://aws.amazon.com/about-aws/whats-new/2024/06/amazon-eks-cluster-creation-flexibility-networking-add-ons/
Terraform Registry
eCHO Episode 151: Bring Your Own CNI with Amazon EKS and Cilium
Whether you are just starting to learn about eBPF, you’re looking for further material or you’re a seasoned contributor to major eBPF projects, the eBPF & Cilium Community is here to support you.
https://www.youtube.com/watch?v=DnzwxDxgkvk&list=TLPQMzEwODIwMjTo5VEMEuVGmA&index=3
Cilium: Installing Cilium in EKS with no Kube-Proxy
Cilium in EKS and no KPR
https://medium.com/@amitmavgupta/cilium-installing-cilium-in-eks-with-no-kube-proxy-86f54a56c360
EKS & Isovalent Enterprise for Cilium - Reducing Operational Complexity Isovalent - Isovalent
This article shows how to initially deploy an EKS cluster without a preinstalled CNI plugin and then add Isovalent Enterprise for Cilium as the CNI plugin.
https://isovalent.com/blog/post/eks-isovalent-enterprise-for-cilium/
AKS
GitHub - amitmavgupta/azure-terraform: Create AKS clusters with Cilium and Isovalent
Create AKS clusters with Cilium and Isovalent.
https://github.com/amitmavgupta/azure-terraform
Using Cilium Gateway API with Argo Rollouts
rollouts-plugin-trafficrouter-gatewayapi/examples/cilium at main · argoproj-labs/rollouts-plugin-trafficrouter-gatewayapi
The Argo Rollouts plugin implementing the Kubernetes Gateway API specification for using different traffic providers in progressive delivery scenarios - argoproj-labs/rollouts-plugin-trafficrouter-.
https://github.com/argoproj-labs/rollouts-plugin-trafficrouter-gatewayapi/tree/main/examples/cilium
GitHub - xtineskim/argocon-cilium
https://github.com/xtineskim/argocon-cilium
Lightning Talk: Git Going Fast with Cilium and Argo - Christine Kim, Isovalent
https://youtu.be/Ab9sctO-8Uk?si=-LJhySYPdsyd8o_1
Security Onion & Wazuh
Try to install Cilium with the Terraform aws_eks_cluster resource argument **[bootstrap_self_managed_addons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#bootstrap_self_managed_addons)**
Construct of service
Construct of accessing a service
Construct of allowing a service to be accessed