Isovalent Cilium Enterprise

Cilium is an open source software for providing, securing and observing network connectivity between container workloads - cloud native, and fueled by the revolutionary Kernel technology eBPF.

— cilium.io Website

isovalent cilium

To learn more, check out "What is Cilium?".

APPUiO Managed uses Cilium by default in its commercial version from Isovalent - Isovalent Cilium Enterprise - it’s included in the price.

Isovalent Cilium Enterprise addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.

— Isovalent Website

Resources:

Supercharge OpenShift with Isovalent Cilium Enterprise (PDF by Isovalent)
Secure & scalable connectivity for open hybrid cloud with eBPF superpowers.
Accelerating the Journey to Cloud Native Microservices (PDF by Isovalent)
Overcoming the Networking, Observability and Security challenges that slow down adoption of production Kubernetes platforms.
Isovalent Cilium Enterprise - Security Сompliance & Forensics (PDF by Isovalent)
Leverage the power of eBPF to secure your Kubernetes platform.
Multi-Cluster Kubernetes Networking with Cilium (PDF by Isovalent)
APPUiO announcement: Partnership with Isovalent

cilium enterprise marketecture

Why using Cilium?

Security: Cilum offers advanced security features which aren’t available by any other Kubernetes networking add-on. These features go far further than just networking, thanks to eBPF.
Advanced Networking: By leveraging eBPF, Cilium enables many advanced networking use-cases which aren’t possible with traditional, iptables-based network plugins. It outperforms in speed, flexibility and security.
Observability: Cilium works directly in the Kernel and therefore brings insights into what’s actually going on - far more than possible with traditional observability tooling.

VSHN Supported Features and Configuration

Supported by default

These features and configurations are available out-of-the box and installed and configured by default.

Core Secure & Scalable Connectivity

Highly scalable IPv4 and IPv6 Kubernetes CNI
Kubernetes Label & CIDR Network Policies
DNS-aware Network Policies
Host Network Policies
Deny Network Policies

Advanced Secure & Scalable Connectivity

L7-Aware Network Policy & Visibility
TLS-termination for L7 Visibility

Ops-Centric Connectivity Observability

Hubble Cluster-wide Flow Visibility CLI / API
Hubble Service Map + Flow Visibility UI
Identity-aware Network Metrics (Prometheus)
HTTP/gRPC-aware Connectivity Metrics

Application Team Troubleshooting & Policy Workflows

Multi-tenant RBAC for Flows, Metrics, and UI
Advanced Policy Troubleshooting UI
Simplified Policy Creation Tools & APIs

Enterprise Distribution & Support

Enterprise-hardened Cilium Versions and Testing

Supported on request

These features or configuration adjustments must be specifically requested and some restrictions apply. Activation and configuration of these features imply additional engineering costs and can cause additional engineering costs for operating them (although no fixed additional recurring costs apply).

Core Secure & Scalable Connectivity

Overlay, Direct, and Cloud Provider Routing Modes
High-performance L3/L4 Pod Load-balancing (kube-proxy replacement)

Advanced Secure & Scalable Connectivity

Transparent IPsec Encryption
Multi-cluster Routing, Load-balancing & Security
Advanced L3/L4 External Load-balancing (including XDP-acceleration, Direct Server Return, Maglev)
Advanced Bandwidth Management for Pods through EDT (Earliest Departure Time) model
Non-containerized VM / Bare-metal Workloads
3rd-party BGP integrations (MetalLB, BIRD, etc.)

Ops-Centric Connectivity Observability

Historical Flow Data and Analytics

Application Team Troubleshooting & Policy Workflows

Historical Flow Data and Analytics
Automated Security Policy Approvals

SecOps Observability Workflows

Integration with External SIEM (Splunk, ELK, etc.) for Incident Investigation, Forensics + Audit
SIEM - Identity + DNS-aware Flow Data Export
SIEM - Process/Syscall Data Export
SIEM - TLS Handshake Compliance Monitoring
SIEM - Network Policy Compliance Monitoring
Identity-aware Tap/Mirror (IDS insertion)

Unsupported

These features or configuration adjustments are not supported by VSHN, but can still be activated or changed, although are neither monitored, backed up nor maintained. No guarantees are given, use them at your own risk.

Beta Features: All features marked as "Beta" by Isovalent.

Default Configuration

Latest supported Isovalent Cilium Enterprise version
Default Kubernetes CNI plugin (Replacing potential default plugin of distribution)