Cilium CNI for enterprise Kubernetes: eBPF networking without sidecars
My name is Evgeny Sergeevich Semyonov, director of АйТи Фреш. Cilium is the default or vendor-integrated CNI at the major cloud providers (GKE Dataplane V2, Azure CNI powered by Cilium, EKS Anywhere) and uses eBPF for high-performance networking inside the kernel, with no kernel bypass. L3/L4 load balancing and network policy run as eBPF programs in the kernel; L7 policy, L7 load balancing and the service-mesh features run in a node-local Envoy proxy rather than in per-pod sidecars. Here I walk through migrating a production cluster with 200+ pods from Calico to Cilium.
Cilium vs traditional CNIs
Cilium reworks Kubernetes networking around eBPF:
- eBPF-based: datapath runs in kernel space, no iptables chains to traverse per packet
- L7 load balancing: HTTP/gRPC load balancing without sidecars, handled by one Envoy per node
- Identity-based security: network policies keyed on workload identity (pod labels), not on IP addresses that change with every reschedule
- Multi-cluster networking: Cluster Mesh for multi-region deployments
- Hubble observability: network flow visibility out of the box, including the policy verdict for every flow
Installing Cilium into an existing cluster
The commands below are the fresh-install path. On a cluster that already runs Calico, Cilium's documented migration procedure runs both CNIs side by side (cni.exclusive=false) and moves nodes over one at a time with a per-node CiliumNodeConfig, draining and rebooting each node before Calico is finally removed; do not run cilium install over a live Calico datapath.
# 1. Install the Cilium CLI (official snippet: download the tarball together
#    with its checksum and verify it before extracting)
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
# 2. Install Cilium with kube-proxy replacement, Hubble and metrics.
#    kubeProxyReplacement takes true/false since Cilium 1.14; the old "strict"
#    value was removed in 1.16. Once kube-proxy is gone the agent needs the
#    API server address explicitly, because nothing else programs the
#    kubernetes ClusterIP before Cilium's own service load balancer is up.
cilium install \
  --helm-set kubeProxyReplacement=true \
  --helm-set k8sServiceHost=<api-server-host> \
  --helm-set k8sServicePort=6443 \
  --helm-set operator.replicas=2 \
  --helm-set hubble.enabled=true \
  --helm-set hubble.relay.enabled=true \
  --helm-set hubble.ui.enabled=true \
  --helm-set hubble.metrics.enabled="{dns,drop,tcp,flow,httpV2:labelsContext=source_app\,destination_app}" \
  --helm-set prometheus.enabled=true \
  --helm-set operator.prometheus.enabled=true
# 3. Verify the installation and run the built-in connectivity suite
cilium status --wait
cilium connectivity test
Enterprise network policies with Cilium
# L3/L4 policy for the backend, with one L7 rule that limits Prometheus to
# GET /metrics. Two properties of CiliumNetworkPolicy matter here:
# - as soon as a policy with an ingress section selects an endpoint, every
#   ingress flow not explicitly allowed is dropped (default deny);
# - fromEndpoints selectors only match pods in the policy's own namespace
#   unless they also set k8s:io.kubernetes.pod.namespace, so a "frontend" pod
#   in another namespace is still denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
    - fromEndpoints:
        - matchLabels:
            app: prometheus
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/metrics"
# L7 HTTP policy. method and path are regular expressions that must match
# the whole value ("/api/v1/.*" covers /api/v1/users/42, "/api/v1/users" does
# not); each listed header must be present with exactly the given value.
# Requests that reach port 80 but match no rule are answered with HTTP 403 by
# the node-local Envoy, which is what makes this an L7 deny rather than a
# dropped packet. No namespace is set, so the policy lands in whatever
# namespace kubectl targets when it is applied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy
spec:
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: web-frontend
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/api/v1/.*"
              - method: "POST"
                path: "/api/v1/users"
                headers:
                  - "Content-Type: application/json"
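To make the behaviour of the two policies above concrete, here is an added example (my own code, not Cilium's and not from the original post) that models how Cilium evaluates an ingress request against them: default deny once an endpoint is selected, namespace-scoped fromEndpoints, toPorts at L4, and HTTP rules matched as full regexes with exact header values. The policies are embedded as Python dicts mirroring the YAML; the only assumption is that api-l7-policy, which carries no namespace, was applied to production. It is a simplified model (real Cilium merges rules per port and identity inside the agent and enforces L7 in Envoy), but it predicts the verdicts you will see in Hubble.

```python
"""Simplified model of CiliumNetworkPolicy ingress evaluation (added example,
not Cilium's code). Semantics modelled: an endpoint selected by a policy that
has an ingress section is default-deny for ingress; fromEndpoints selectors
are scoped to the policy namespace unless they set
k8s:io.kubernetes.pod.namespace; toPorts narrows to L4; http rules are
full-match regexes on method/path, and listed headers must match exactly."""
import re

NS_LABEL = "k8s:io.kubernetes.pod.namespace"

# The two policies from the page as dicts. Assumption: api-l7-policy has no
# namespace in its metadata, so we treat it as applied to "production".
BACKEND_POLICY = {
    "namespace": "production",
    "endpointSelector": {"matchLabels": {"app": "backend"}},
    "ingress": [
        {"fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
         "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}]}]},
        {"fromEndpoints": [{"matchLabels": {"app": "prometheus"}}],
         "toPorts": [{"ports": [{"port": "9090", "protocol": "TCP"}],
                      "rules": {"http": [{"method": "GET", "path": "/metrics"}]}}]},
    ],
}
API_L7_POLICY = {
    "namespace": "production",
    "endpointSelector": {"matchLabels": {"app": "api-server"}},
    "ingress": [
        {"fromEndpoints": [{"matchLabels": {"app": "web-frontend"}}],
         "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
                      "rules": {"http": [
                          {"method": "GET", "path": "/api/v1/.*"},
                          {"method": "POST", "path": "/api/v1/users",
                           "headers": ["Content-Type: application/json"]},
                      ]}}]},
    ],
}
POLICIES = [BACKEND_POLICY, API_L7_POLICY]


def selector_matches(selector, labels, ns, policy_ns):
    """EndpointSelector match with Cilium's implicit namespace scoping."""
    want = dict(selector.get("matchLabels", {}))
    required_ns = want.pop(NS_LABEL, policy_ns)
    if ns != required_ns:
        return False
    return all(labels.get(key) == value for key, value in want.items())


def port_matches(port_rule, port, proto):
    return any(int(p["port"]) == port and p.get("protocol", "ANY") in (proto, "ANY")
               for p in port_rule["ports"])


def http_rule_matches(rule, http):
    """Method and path are whole-value regexes; headers are exact 'Name: value'."""
    if not re.fullmatch(rule.get("method", ".*"), http["method"]):
        return False
    if not re.fullmatch(rule.get("path", ".*"), http["path"]):
        return False
    for header in rule.get("headers", []):
        name, _, value = header.partition(":")
        if http.get("headers", {}).get(name.strip()) != value.strip():
            return False
    return True


def evaluate_ingress(policies, src_ns, src_labels, dst_ns, dst_labels, port,
                     proto="TCP", http=None):
    """ALLOW, DENY (no L3/L4 match), DENY_L7 (port allowed, request not)
    or NO_POLICY (nothing selects the destination, so nothing is enforced)."""
    selected = False
    l4_matched = False
    for pol in policies:
        if not pol.get("ingress"):
            continue  # no ingress section: this policy does not enforce ingress
        if not selector_matches(pol["endpointSelector"], dst_labels, dst_ns, pol["namespace"]):
            continue
        selected = True
        for rule in pol["ingress"]:
            if not any(selector_matches(s, src_labels, src_ns, pol["namespace"])
                       for s in rule.get("fromEndpoints", [])):
                continue
            if not rule.get("toPorts"):
                return "ALLOW"  # L3-only rule: every port from that source
            for port_rule in rule["toPorts"]:
                if not port_matches(port_rule, port, proto):
                    continue
                l4_matched = True
                http_rules = port_rule.get("rules", {}).get("http")
                if not http_rules:
                    return "ALLOW"
                if http is not None and any(http_rule_matches(r, http) for r in http_rules):
                    return "ALLOW"
    if not selected:
        return "NO_POLICY"
    return "DENY_L7" if l4_matched else "DENY"


if __name__ == "__main__":
    backend, api = {"app": "backend"}, {"app": "api-server"}
    cases = [
        ("production", {"app": "frontend"}, backend, 8080, None),
        ("staging", {"app": "frontend"}, backend, 8080, None),
        ("production", {"app": "prometheus"}, backend, 9090, {"method": "GET", "path": "/debug/pprof"}),
        ("production", {"app": "web-frontend"}, api, 80,
         {"method": "POST", "path": "/api/v1/users", "headers": {"Content-Type": "application/json"}}),
    ]
    for src_ns, src, dst, port, http in cases:
        verdict = evaluate_ingress(POLICIES, src_ns, src, "production", dst, port, http=http)
        print(f"{src_ns}/{src['app']} -> production/{dst['app']}:{port} {http or ''} => {verdict}")
```

The staging case is the one that bites during migrations: the same frontend label from another namespace is denied, and the fix is an explicit k8s:io.kubernetes.pod.namespace label in fromEndpoints, not a wider selector. The NO_POLICY verdict is equally important: a workload that no policy selects accepts everything, so coverage should be checked per namespace rather than assumed.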
Need help with Cilium CNI?
We have deployed Cilium in 25+ enterprise clusters and can help with migration planning, network policies and troubleshooting performance issues.
Service mesh without sidecars
Cilium Service Mesh provides L7 capabilities without Envoy sidecars: a single Envoy per node (the cilium-envoy DaemonSet) handles L7 policy, ingress and L7 load balancing for every pod on that node. The trade-off is shared fate: one proxy process per node serves all workloads there, so its resource limits and its configuration (driven by the Cilium agent) deserve the same review as the agent itself.
# Enable the standalone per-node Envoy and L7 service load balancing
helm upgrade cilium cilium/cilium \
  --namespace kube-system \
  --reuse-values \
  --set envoy.enabled=true \
  --set loadBalancer.l7.backend=envoy
# L7 load balancing for a Service: with the annotation, Cilium's Envoy takes
# over the Service VIP and balances individual HTTP requests across backends
# instead of pinning each TCP connection to one pod for its lifetime.
# Backend health is driven by the pods' readiness probes (unready pods leave
# the endpoint set); there is no separate health-check stanza here.
apiVersion: v1
kind: Service
metadata:
  name: api-server
  namespace: production
  annotations:
    service.cilium.io/lb-l7: enabled
    service.cilium.io/lb-l7-algorithm: round_robin
spec:
  selector:
    app: api-server
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
Monitoring Cilium with Hubble
# Observing flows (needs the hubble CLI and a tunnel to Hubble Relay,
# e.g. `cilium hubble port-forward` running in another shell)
hubble observe --namespace production
hubble observe --protocol http
hubble observe --verdict DROPPED --namespace production
# Grafana / PromQL queries (Hubble metrics must be enabled, see the install flags)
# Network policy drops; the reason label is the upper-case drop reason as
# Cilium reports it, not the "Policy denied" text Hubble prints on the CLI
sum by (reason) (rate(hubble_drop_total{reason="POLICY_DENIED"}[5m]))
# L7 HTTP request rate by source and destination app (the source_app and
# destination_app labels only exist when httpV2 is enabled with
# labelsContext=source_app,destination_app)
sum by (source_app, destination_app) (rate(hubble_http_requests_total[5m]))
# eBPF map capacity and fill ratio; alert before a map fills, because a full
# conntrack or policy map means dropped connections, not degraded ones
cilium_bpf_map_capacity{map_name!=""}
cilium_bpf_map_pressure > 0.8
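After a migration the first question is not "how many drops" but "which pairs are denied and why". Here is an added example (my own code, not part of the original post and not a Hubble tool) that reads the JSON-lines output of hubble observe --verdict DROPPED -o json, counts drops by source, destination, port and drop reason (with the HTTP method and path for L7 denies), and separately lists policy drops whose source sits in a different namespace than the destination, since those are usually a fromEndpoints selector missing the namespace label. The flow records are constructed samples in the shape Hubble emits; field names such as verdict, drop_reason_desc, l4.TCP.destination_port, source.labels and l7.http are Hubble's, while the sample values and the "production/staging" story are mine.

```python
"""Summarise policy drops from `hubble observe -o json` (added example)."""
import json
from collections import Counter
from urllib.parse import urlparse

NS_LABEL = "k8s:io.kubernetes.pod.namespace"

# Constructed sample in the shape Hubble prints: one {"flow": ..., "node_name": ..., "time": ...}
# object per line. Values are invented for this example.
SAMPLE_FLOWS = """\
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","Type":"L3_L4","traffic_direction":"INGRESS","IP":{"source":"10.0.1.5","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":43210,"destination_port":8080}},"source":{"namespace":"staging","pod_name":"frontend-7d9f-abc12","labels":["k8s:app=frontend","k8s:io.kubernetes.pod.namespace=staging"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-1","time":"2026-01-10T09:00:01Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","Type":"L3_L4","traffic_direction":"INGRESS","IP":{"source":"10.0.1.5","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":43211,"destination_port":8080}},"source":{"namespace":"staging","pod_name":"frontend-7d9f-abc12","labels":["k8s:app=frontend","k8s:io.kubernetes.pod.namespace=staging"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-1","time":"2026-01-10T09:00:02Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","Type":"L3_L4","traffic_direction":"INGRESS","IP":{"source":"10.0.3.2","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":51000,"destination_port":9090}},"source":{"namespace":"production","pod_name":"frontend-6b7c-def34","labels":["k8s:app=frontend","k8s:io.kubernetes.pod.namespace=production"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-2","time":"2026-01-10T09:00:03Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","Type":"L7","traffic_direction":"INGRESS","IP":{"source":"10.0.4.7","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":50001,"destination_port":9090}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://backend:9090/debug/pprof","protocol":"HTTP/1.1"}},"source":{"namespace":"production","pod_name":"prometheus-0","labels":["k8s:app=prometheus","k8s:io.kubernetes.pod.namespace=production"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-2","time":"2026-01-10T09:00:04Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"CT_MAP_INSERTION_FAILED","Type":"L3_L4","traffic_direction":"INGRESS","IP":{"source":"10.0.3.2","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":51002,"destination_port":8080}},"source":{"namespace":"production","pod_name":"frontend-6b7c-def34","labels":["k8s:app=frontend","k8s:io.kubernetes.pod.namespace=production"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-2","time":"2026-01-10T09:00:05Z"}
{"flow":{"verdict":"FORWARDED","Type":"L3_L4","traffic_direction":"INGRESS","IP":{"source":"10.0.3.2","destination":"10.0.2.9"},"l4":{"TCP":{"source_port":51003,"destination_port":8080}},"source":{"namespace":"production","pod_name":"frontend-6b7c-def34","labels":["k8s:app=frontend","k8s:io.kubernetes.pod.namespace=production"]},"destination":{"namespace":"production","pod_name":"backend-5c8b-xyz89","labels":["k8s:app=backend","k8s:io.kubernetes.pod.namespace=production"]}},"node_name":"worker-2","time":"2026-01-10T09:00:06Z"}
"""


def parse_flows(text):
    """One JSON object per line; blank lines are skipped. Returns the inner flow records."""
    return [json.loads(line)["flow"] for line in text.splitlines() if line.strip()]


def endpoint_name(ep):
    """'namespace/app' from a Hubble endpoint, falling back to the pod name."""
    app = next((lbl.split("=", 1)[1] for lbl in ep.get("labels", []) if lbl.startswith("k8s:app=")), None)
    return f"{ep.get('namespace', '?')}/{app or ep.get('pod_name', '?')}"


def dest_port(flow):
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return l4[proto].get("destination_port")
    return None


def l7_detail(flow):
    """'METHOD /path' for L7 flows, empty string for plain L3/L4 drops."""
    http = flow.get("l7", {}).get("http")
    if not http:
        return ""
    return f"{http.get('method', '?')} {urlparse(http.get('url', '')).path}"


def summarize_drops(flows):
    """Count DROPPED flows by (src, dst, port, drop reason, L7 request)."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED":
            continue
        key = (endpoint_name(f["source"]), endpoint_name(f["destination"]),
               dest_port(f), f.get("drop_reason_desc", "UNKNOWN"), l7_detail(f))
        counts[key] += 1
    return counts


def cross_namespace_policy_drops(flows):
    """Policy drops whose source namespace differs from the destination's.
    Right after a migration these are usually a fromEndpoints selector that
    lacks the namespace label, but each one still needs an explicit decision."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED" or f.get("drop_reason_desc") != "POLICY_DENIED":
            continue
        if f["source"].get("namespace") != f["destination"].get("namespace"):
            counts[(endpoint_name(f["source"]), endpoint_name(f["destination"]), dest_port(f))] += 1
    return counts


def suggested_from_endpoint(src_ns, app):
    """The fromEndpoints entry that would allow this cross-namespace source explicitly."""
    return {"matchLabels": {"app": app, NS_LABEL: src_ns}}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst, port, reason, l7), n in summarize_drops(flows).most_common():
        print(f"{n:4d}  {src} -> {dst}:{port}  {reason}  {l7}")
    for (src, dst, port), n in cross_namespace_policy_drops(flows).items():
        ns, app = src.split("/", 1)
        print(f"cross-namespace: {src} -> {dst}:{port} x{n}; allow with {suggested_from_endpoint(ns, app)}")
```

Pipe real output in with hubble observe --verdict DROPPED -o json --last 10000 and feed it to parse_flows; the non-policy reason (CT_MAP_INSERTION_FAILED in the sample) is kept in the summary on purpose, because a conntrack map that is full looks like packet loss to the application and is exactly what the cilium_bpf_map_pressure alert above is meant to catch early.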
