Cilium
eBPF-powered CNI plugin providing networking, security, and observability for Kubernetes and cloud-native workloads.
Overview
Cilium is the leading eBPF-based CNI for Kubernetes. It replaces traditional iptables-based networking with kernel-level eBPF programs, delivering 30–40% higher throughput, built-in L7 policy enforcement, a sidecar-free service mesh, and deep observability via Hubble. It is a CNCF Graduated project and the default CNI in many managed Kubernetes offerings.
Key Facts
| Attribute | Detail |
|---|---|
| Repository | github.com/cilium/cilium |
| Stars | ~22k+ ⭐ |
| Latest Version | v1.19.2 (March 20, 2026); v1.20 in development |
| Language | Go, C (eBPF programs) |
| License | Apache 2.0 |
| Governance | CNCF Graduated |
| Kernel Requirement | Linux ≥5.8 (recommended ≥5.10) |
Evaluation
| Pros | Cons |
|---|---|
| eBPF: 30–40% faster than iptables | Requires Linux kernel ≥5.8 |
| Hubble: deep network observability | Higher complexity than Flannel |
| Tetragon: kernel-level runtime security | Requires CAP_BPF / CAP_SYS_ADMIN |
| Sidecar-free service mesh | Steeper learning curve |
| L3/L4/L7 network policies | Resource overhead (eBPF maps) |
| Socket-level load balancing | Migration from iptables-based CNIs non-trivial |
| CNCF Graduated, massive community | |
Architecture
```mermaid
flowchart TB
    subgraph Node["Kubernetes Node"]
        subgraph Kernel["Linux Kernel"]
            eBPF["eBPF Programs\n(TC, XDP, socket)"]
            Maps["eBPF Maps\n(hash tables, LRU)"]
        end
        Agent["Cilium Agent\n(DaemonSet)"]
        Hubble["Hubble\n(observability)"]
    end
    subgraph CP["Control Plane"]
        Operator["Cilium Operator"]
        ETCD_C["Cilium etcd\nor CRDs"]
    end
    Agent -->|"loads"| eBPF
    Agent -->|"updates"| Maps
    Agent -->|"watches"| CP
    eBPF -->|"flow events"| Hubble
    style Kernel fill:#f9a825,color:#000
    style CP fill:#7b1fa2,color:#fff
```
Key Features
| Feature | Detail |
|---|---|
| eBPF data plane | O(1) hash lookups replace linear iptables chains |
| Hubble | Flow logs, service maps, DNS visibility, Prometheus metrics |
| Tetragon | Runtime security: process, file, network monitoring at kernel level |
| Network Policy | L3/L4 + L7 (HTTP, gRPC, Kafka, DNS) |
| Service mesh | Sidecar-free, per-node Envoy or kernel-only |
| Cluster mesh | Multi-cluster connectivity with global services |
| BGP | Native BGP peering for bare-metal load balancing |
| Bandwidth manager | EDT-based rate limiting in eBPF |
| Encryption | WireGuard or IPsec between nodes |
| Gateway API | Native Kubernetes Gateway API support |
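As an added example (not code from the Cilium project or from this page), the following CiliumNetworkPolicy combines the L3/L4, L7 HTTP and DNS-aware rules listed in the Network Policy row above; the namespace, labels, ports, paths and hostname are constructed for illustration. Once an ingress or egress section is present, Cilium drops any traffic in that direction that no rule matches, so the DNS rule is what allows the kube-dns lookup that the toFQDNs rule depends on.

```yaml
# Hypothetical policy: only the frontend may call orders-api, and only on
# two HTTP routes; orders-api may only resolve DNS and reach one payments host.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-api-l7          # constructed name
  namespace: shop              # constructed namespace
spec:
  endpointSelector:
    matchLabels:
      app: orders-api          # pods this policy applies to (constructed label)
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend      # L3: identity-based source selection
      toPorts:
        - ports:
            - port: "8080"     # L4: only this TCP port
              protocol: TCP
          rules:
            http:              # L7: everything else on 8080 gets HTTP 403
              - method: GET
                path: "^/api/v1/orders/[0-9]+$"
              - method: POST
                path: "^/api/v1/orders$"
  egress:
    # Allow DNS to kube-dns and route it through Cilium's DNS proxy so that
    # resolved names can feed the toFQDNs rule below (and Hubble DNS visibility).
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # DNS-aware egress: only the IPs that this name resolved to, on 443/TCP.
    - toFQDNs:
        - matchName: "payments.example.com"   # constructed hostname
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

With the policy applied, `hubble observe --verdict DROPPED --namespace shop` shows which flows the policy rejects, which is the quickest way to confirm it is not broader or narrower than intended.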
Sources