Isovalent Enterprise for Cilium

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary Kernel technology eBPF

— cilium.io Website

isovalent cilium

VSHN Managed OpenShift provides Cilium by default in its enterprise version Isovalent Enterprise for Cilium. To learn more about Cilium, check out "What is Cilium?".

Isovalent Enterprise for Cilium addresses the complex workflows related to security automation, forensics, compliance, role-based access control, and integration with legacy infrastructure that arise as platform teams engage with application and security teams within an enterprise organization.

— Isovalent Website

Resources:

cilium enterprise marketecture

Why using Cilium?

Using Cilium as the default Container Network Interface (CNI) in VSHN Managed OpenShift provides several compelling advantages:

Enhanced Security

Cilium leverages eBPF to provide highly efficient network security policies. This means stronger protection at both the network and application layers, safeguarding your Kubernetes environment against a wide range of security threats.

Improved Performance

By implementing a direct datapath, Cilium reduces latency and increases throughput, delivering superior performance compared to traditional CNIs. This is particularly beneficial for high-load applications and services.

Advanced Network Visibility

Cilium offers deep visibility into network traffic, enabling real-time monitoring and troubleshooting. This feature is invaluable for maintaining the health and performance of your Kubernetes clusters.

Multi-Cluster Networking

It supports seamless multi-cluster networking, making it easier to connect and manage multiple Kubernetes clusters, regardless of their location. This is essential for large-scale, distributed deployments.

Extensive Compatibility

Cilium is designed to be fully compatible with existing Kubernetes environments. It integrates smoothly with various cloud-native technologies, ensuring a hassle-free adoption in your Kubernetes ecosystem.

Features

Basic

The following features are part of the basic feature set which is included by default:

Networking
  • Cilium as default Container Network Interface (CNI) plugin

  • Cilium L3/L4 network policy, including both standard Kubernetes Network Policies and CiliumNetworkPolicies

  • BGP Service Announcement

  • Static Egress Gateway with High-Availability

Observability
  • Hubble flow observability events

  • Hubble flow metrics for consumption via external platforms like Prometheus

  • Multi-node Hubble querying for cluster-wide visibility via CLI + API (Hubble Relay)

  • L7 visibility

Advanced Networking and Observability

These features or configuration adjustments must be specifically requested. Activation and configuration of these features will imply additional engineering costs and recurring costs per vCPU, see Pricing.

Advanced Hubble features
  • Visualization of network connectivity ("service map") and network policies ("network policy editor")

  • Visualization of runtime behavior ("process ancestry tree")

  • Single-sign-on (SSO) and Role-based Access Control capabilities

  • Export of Hubble event data to SIEM via standard mechanism

  • TLS compliance monitoring

Advanced Networking
  • Cilium Cluster Mesh for multi-cluster routing, load-balancing, observability, and network policy.

  • Cilium transparent encryption using IPsec or Wireguard.

  • Cilium Gateway

  • Bandwidth Manager

  • Cilium L7 Service Mesh and East/West Gateway API

  • External VM Support

Tetragon

eBPF-based Security Observability and Runtime Enforcement.

Tetragon is a flexible Kubernetes-aware security observability and runtime enforcement tool that applies policy and filtering directly with eBPF, allowing for reduced observation overhead, tracking of any process, and real-time enforcement of policies.

— tetragon.io Website

Tetragon implementation and configuration must be specifically requested. Activation and configuration of this feature will imply additional engineering costs and recurring costs per vCPU, see Pricing.

Unsupported

All features marked as "Beta" by Isovalent or non-standard configuration adjustments are not supported by VSHN, but can still be activated or changed, although are neither monitored, backed up nor maintained. No guarantees are given, use them at your own risk.

Default Configuration

  • Latest supported Isovalent Enterprise for Cilium version

  • Default Kubernetes CNI plugin (Replacing potential default plugin of distribution)

Pricing

When using Cilium advanced feature sets, the following costs per Worker-vCPU are added:

Feature Set Best Effort Guaranteed Availability

Networking and Observability

CHF 5.00

CHF 12.00

Tetragon

CHF 12.00

CHF 30.00

Per Worker-vCPU per 30 days, billed by the hour. Please note that the same Service Level applies like the underlying cluster.