Enabling Cilium in the Gloo Application Networking Platform

Cilium Announcement Blog

Today I am excited to announce enterprise support from Solo.io for Cilium to complement our Gloo Mesh platform offering. Existing Gloo Mesh users can take advantage of this support at no additional charge. If you plan to use a CNI with Gloo Mesh other than Cilium, we will support integration with a “batteries included but swappable” manner. In other words, we will also support integrations with other CNIs like Calico and OpenShift. 

Solo.io is the world’s leader in application-networking solutions as well as a leading innovator in this space. Bringing Cilium into our product allows us to provide a deep stack of cloud-networking solutions aimed at securing and simplifying microservice and multi-workload deployments across any cloud. 

Gloo Mesh uses Istio as the core service-mesh technology to enable connectivity, security, observability, and policy enforcement across workloads. Gloo Mesh already provides production support for upstream Istio including builds for FIPS and ARM environments. Gloo Mesh also layers a next-generation, battle-tested API gateway on top of Istio with capabilities like OIDC, API Keys, LDAP, WAF, request transformation, SOAP, DLP, and more. In fact, our users appreciate the unification of North/South and East/West functionality with this API Gateway and use it to replace legacy API gateways like Apigee and Kong. Lastly, Gloo Mesh uses eBPF to get deeper observability metrics and for Istio to accelerate connectivity between workloads and Istio sidecar proxies. 

The intersection between Gloo Mesh’s layer 7 capabilities and eBPF in Layers 3 and 4 is where we’ve found a strong complementary story with Cilium. We’ve found our users want a stronger integration between what a service mesh provides and what the CNI provides. This announcement of Cilium means our customers can take advantage of the same high-quality support and enterprise builds that we have for Istio but now for the CNI layer at no additional charge. Additionally, Gloo Mesh can leverage the CNI layer to provide deeper improvements and integration in the following areas:

  • Persona and tenant-specific traffic and security policies
  • Identity-based policies at L7 that maintain consistency with L3 and L4
  • Take advantage of kernel-offloading in the data path where it makes sense
  • Continued innovation in the service-mesh ecosystem

Multi-tenancy

Gloo Mesh currently supports the concept of workspaces, which allows teams to group and self-service their traffic, resilience, security, and observability policies without affecting other teams. Workspaces define a tuple of namespaces striped across multiple clusters with a very simple high-level definition. By supporting Cilium (or integrating with other CNIs like Calico, OpenShift, VPC CNI, etc) we can take the workspace concept one layer deeper. We can have strict tenancy rules at L3 and L4 as directed by the higher-level workspace construct.

Consistent identity based policies

Gloo Mesh (through Istio and deeper Spire integration) supports SPIFFE as the workload identity mechanism and allows users to write security policies in terms of these identities to account for regulatory and compliance restrictions. With Cilium at the lower levels (and supported by most of the CNIs as well), we can achieve consistent networking policies at L3/L4 and L7 derived from the SPIFFE identities used in the mesh.

General optimizations by the Kernel

Cilium uses eBPF and XDP to optimize container networking (setup, redirect, filtering, etc) which can be leveraged by workloads that use the Istio sidecar proxy. Additionally, we gain deeper control over connection handling, load balancing, and redirect even before traffic reaches the workloads. This can provide a more efficient enforcement of policies, rather than having to do so at L7.

Innovation in the service mesh ecosystem

Last December we wrote a blog detailing our efforts to enable options for running a service mesh including where a sidecar may not be the only deployment architecture. At SoloCon in March, we talked more about how integrating with the CNI can make a deployment like this realistic. Supporting Cilium helps bring this closer to reality. 

We at Solo.io are extremely excited about this announcement and look forward to pushing the boundaries of service mesh and application-networking with our customers and users. If you’re interested in Cilium and Service Mesh, get in touch with our team and check out our free workshops (that have been delivered to 10K users already!) along with an option for certification. If you’re interested in service mesh, CNI, eBPF, Envoy Proxy, Web Assembly, GraphQL and working with world-class experts in this space, join us! We are hiring for all positions.

To learn more about how Cilium can enable your company’s cloud-native journey: