Isovalent Enterprise for Cilium
VSHN Managed OpenShift ships Cilium by default, in its enterprise version: Isovalent Enterprise for Cilium. To learn more about Cilium, check out "What is Cilium?".
Isovalent Enterprise for Cilium addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.
Resources:
- Supercharge OpenShift with Isovalent Cilium Enterprise (PDF by Isovalent): Secure & scalable connectivity for open hybrid cloud with eBPF superpowers.
- Accelerating the Journey to Cloud Native Microservices (PDF by Isovalent): Overcoming the Networking, Observability and Security challenges that slow down adoption of production Kubernetes platforms.
- Isovalent Cilium Enterprise - Security Compliance & Forensics (PDF by Isovalent): Leverage the power of eBPF to secure your Kubernetes platform.
- Multi-Cluster Kubernetes Networking with Cilium (PDF by Isovalent)
- Partnership announcement: Partnership with Isovalent
Why use Cilium?
Using Cilium as the default Container Network Interface (CNI) in VSHN Managed OpenShift provides several compelling advantages:
- Enhanced Security: Cilium leverages eBPF to provide highly efficient network security policies. This means stronger protection at both the network and application layers, safeguarding your Kubernetes environment against a wide range of security threats.
- Improved Performance: By implementing a direct datapath, Cilium reduces latency and increases throughput, delivering superior performance compared to traditional CNIs. This is particularly beneficial for high-load applications and services.
- Advanced Network Visibility: Cilium offers deep visibility into network traffic, enabling real-time monitoring and troubleshooting. This feature is invaluable for maintaining the health and performance of your Kubernetes clusters.
- Multi-Cluster Networking: It supports seamless multi-cluster networking, making it easier to connect and manage multiple Kubernetes clusters, regardless of their location. This is essential for large-scale, distributed deployments.
- Extensive Compatibility: Cilium is designed to be fully compatible with existing Kubernetes environments. It integrates smoothly with various cloud-native technologies, ensuring a hassle-free adoption in your Kubernetes ecosystem.
Features
Basic
The following features are part of the basic feature set which is included by default:
- Networking
  - Cilium as default Container Network Interface (CNI) plugin
  - Cilium L3/L4 network policy, including both standard Kubernetes Network Policies and CiliumNetworkPolicies
  - BGP Service Announcement
  - Static Egress Gateway with High-Availability
- Observability
  - Hubble flow observability events
  - Hubble flow metrics for consumption via external platforms like Prometheus
  - Multi-node Hubble querying for cluster-wide visibility via CLI + API (Hubble Relay)
  - L7 visibility
Advanced Networking and Observability
These features or configuration adjustments must be specifically requested. Activation and configuration of these features will imply additional engineering costs and recurring costs per vCPU, see Pricing.
- Advanced Hubble features
  - Visualization of network connectivity ("service map") and network policies ("network policy editor")
  - Visualization of runtime behavior ("process ancestry tree")
  - Single-sign-on (SSO) and Role-based Access Control capabilities
  - Export of Hubble event data to SIEM via standard mechanism
  - TLS compliance monitoring
- Advanced Networking
  - Cilium Cluster Mesh for multi-cluster routing, load-balancing, observability, and network policy
  - Cilium transparent encryption using IPsec or WireGuard
  - Cilium Gateway
  - Bandwidth Manager
  - Cilium L7 Service Mesh and East/West Gateway API
  - External VM Support
Tetragon
eBPF-based Security Observability and Runtime Enforcement.
Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.
Tetragon implementation and configuration must be specifically requested. Activation and configuration of this feature will imply additional engineering costs and recurring costs per vCPU, see Pricing.
Default Configuration
- Latest supported Isovalent Enterprise for Cilium version
- Default Kubernetes CNI plugin (replacing any default plugin of the distribution)
Pricing
When using Cilium advanced feature sets, the following costs per Worker-vCPU are added:
Feature Set | Best Effort | Guaranteed Availability |
---|---|---|
Networking and Observability | CHF 5.00 | CHF 12.00 |
Tetragon | CHF 12.00 | CHF 30.00 |
Prices are per Worker-vCPU per 30 days, billed by the hour. Please note that the same Service Level applies as for the underlying cluster.