{"id":15161434,"url":"https://github.com/aanm-org/cilium","last_synced_at":"2025-06-29T01:33:19.940Z","repository":{"id":245243983,"uuid":"604844866","full_name":"aanm-org/cilium","owner":"aanm-org","description":"eBPF-based Networking, Security, and Observability","archived":false,"fork":false,"pushed_at":"2025-01-10T15:41:49.000Z","size":297927,"stargazers_count":2,"open_issues_count":28,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-01-31T04:26:07.337Z","etag":null,"topics":["bpf","cncf","cni","containers","ebpf","k8s","kernel","kubernetes","kubernetes-networking","loadbalancing","monitoring","networking","observability","security","troubleshooting","xdp"],"latest_commit_sha":null,"homepage":"https://cilium.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aanm-org.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY-INSIGHTS.yml","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-21T22:58:32.000Z","updated_at":"2025-01-10T15:41:54.000Z","dependencies_parsed_at":"2024-09-10T23:13:11.976Z","dependency_job_id":"0d276d0b-b659-4755-a8ef-caa10820f133","html_url":"https://github.com/aanm-org/cilium","commit_stats":{"total_commits":33217,"total_committers":1013,"mean_commits":32.79072063178677,"dds":0.9068850287503387,"last_synced_commit":"d8603069e3909681ec1c08ed18333339649fcfb5"},"previous_names":["aanm-org/cilium"],"tags_count":651,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aanm-org%2Fcilium","t
ags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aanm-org%2Fcilium/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aanm-org%2Fcilium/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aanm-org%2Fcilium/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aanm-org","download_url":"https://codeload.github.com/aanm-org/cilium/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238039755,"owners_count":19406395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","cncf","cni","containers","ebpf","k8s","kernel","kubernetes","kubernetes-networking","loadbalancing","monitoring","networking","observability","security","troubleshooting","xdp"],"created_at":"2024-09-27T00:20:38.272Z","updated_at":"2025-02-10T00:32:22.353Z","avatar_url":"https://github.com/aanm-org.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":".. 
raw:: html\n\n   \u003cpicture\u003e\n      \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo.png\" width=\"350\" alt=\"Cilium Logo\"\u003e\n      \u003cimg src=\"https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-dark.png\" width=\"350\" alt=\"Cilium Logo\"\u003e\n   \u003c/picture\u003e\n\n|cii| |go-report| |clomonitor| |artifacthub| |slack| |go-doc| |rtd| |apache| |bsd| |gpl| |fossa| |gateway-api| |codespaces|\n\nCilium is a networking, observability, and security solution with an eBPF-based\ndataplane. It provides a simple flat Layer 3 network with the ability to span\nmultiple clusters in either a native routing or overlay mode. It is L7-protocol\naware and can enforce network policies on L3-L7 using an identity based security\nmodel that is decoupled from network addressing.\n\nCilium implements distributed load balancing for traffic between pods and to\nexternal services, and is able to fully replace kube-proxy, using efficient\nhash tables in eBPF allowing for almost unlimited scale. It also supports\nadvanced functionality like integrated ingress and egress gateway, bandwidth\nmanagement and service mesh, and provides deep network and security visibility and monitoring.\n\nA new Linux kernel technology called eBPF_ is at the foundation of Cilium. It\nsupports dynamic insertion of eBPF bytecode into the Linux kernel at various\nintegration points such as: network IO, application sockets, and tracepoints to\nimplement security, networking and visibility logic. eBPF is highly efficient\nand flexible. To learn more about eBPF, visit `eBPF.io`_.\n\n.. image:: Documentation/images/cilium-overview.png\n   :alt: Overview of Cilium features for networking, observability, service mesh, and runtime security\n\nStable Releases\n===============\n\nThe Cilium community maintains minor stable releases for the last three minor\nCilium versions. 
Older Cilium stable versions from minor releases prior to that\nare considered EOL.\n\nFor upgrades to new minor releases please consult the `Cilium Upgrade Guide`_.\n\nListed below are the actively maintained release branches along with their latest\npatch release, corresponding image pull tags and their release notes:\n\n+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+\n| `v1.16 \u003chttps://github.com/cilium/cilium/tree/v1.16\u003e`__ | 2024-08-13 | ``quay.io/cilium/cilium:v1.16.1``  | `Release Notes \u003chttps://github.com/cilium/cilium/releases/tag/v1.16.1\u003e`__  |\n+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+\n| `v1.15 \u003chttps://github.com/cilium/cilium/tree/v1.15\u003e`__ | 2024-08-12 | ``quay.io/cilium/cilium:v1.15.8``  | `Release Notes \u003chttps://github.com/cilium/cilium/releases/tag/v1.15.8\u003e`__  |\n+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+\n| `v1.14 \u003chttps://github.com/cilium/cilium/tree/v1.14\u003e`__ | 2024-08-12 | ``quay.io/cilium/cilium:v1.14.14`` | `Release Notes \u003chttps://github.com/cilium/cilium/releases/tag/v1.14.14\u003e`__ |\n+---------------------------------------------------------+------------+------------------------------------+----------------------------------------------------------------------------+\n\nArchitectures\n-------------\n\nCilium images are distributed for AMD64 and AArch64 architectures.\n\nSoftware Bill of Materials\n--------------------------\n\nStarting with Cilium version 1.13.0, all images include a Software Bill of\nMaterials (SBOM). The SBOM is generated in `SPDX`_ format. 
More information\non this is available on `Cilium SBOM`_.\n\n.. _`SPDX`: https://spdx.dev/\n.. _`Cilium SBOM`: https://docs.cilium.io/en/latest/configuration/sbom/\n\nDevelopment\n===========\n\nFor development and testing purposes, the Cilium community publishes snapshots,\nearly release candidates (RC) and CI container images built from the `main\nbranch \u003chttps://github.com/cilium/cilium/commits/main\u003e`_. These images are\nnot for use in production.\n\nFor testing upgrades to new development releases please consult the latest\ndevelopment build of the `Cilium Upgrade Guide`_.\n\nListed below are branches for testing along with their snapshots or RC releases,\ncorresponding image pull tags and their release notes where applicable:\n\n+----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+\n| `main \u003chttps://github.com/cilium/cilium/commits/main\u003e`__                   | daily      | ``quay.io/cilium/cilium-ci:latest``     | N/A                                                                                            |\n+----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+\n| `v1.17.0-pre.0 \u003chttps://github.com/cilium/cilium/commits/v1.17.0-pre.0\u003e`__ | 2024-09-05 | ``quay.io/cilium/cilium:v1.17.0-pre.0`` | `Pre Release Candidate Notes \u003chttps://github.com/cilium/cilium/releases/tag/v1.17.0-pre.0\u003e`__  |\n+----------------------------------------------------------------------------+------------+-----------------------------------------+------------------------------------------------------------------------------------------------+\n\nFunctionality Overview\n======================\n\n.. 
begin-functionality-overview\n\nProtect and secure APIs transparently\n-------------------------------------\n\nAbility to secure modern application protocols such as REST/HTTP, gRPC and\nKafka. Traditional firewalls operate at Layer 3 and 4. A protocol running on a\nparticular port is either completely trusted or blocked entirely. Cilium\nprovides the ability to filter on individual application protocol requests such\nas:\n\n- Allow all HTTP requests with method ``GET`` and path ``/public/.*``. Deny all\n  other requests.\n- Allow ``service1`` to produce on Kafka topic ``topic1`` and ``service2`` to\n  consume on ``topic1``. Reject all other Kafka messages.\n- Require the HTTP header ``X-Token: [0-9]+`` to be present in all REST calls.\n\nSee the section `Layer 7 Policy`_ in our documentation for the latest list of\nsupported protocols and examples on how to use it.\n\nSecure service to service communication based on identities\n-----------------------------------------------------------\n\nModern distributed applications rely on technologies such as application\ncontainers to facilitate agility in deployment and scale out on demand. This\nresults in a large number of application containers being started in a short\nperiod of time. Typical container firewalls secure workloads by filtering on\nsource IP addresses and destination ports. This concept requires the firewalls\non all servers to be manipulated whenever a container is started anywhere in\nthe cluster.\n\nIn order to avoid this situation, which limits scale, Cilium assigns a security\nidentity to groups of application containers which share identical security\npolicies. The identity is then associated with all network packets emitted by\nthe application containers, allowing the identity to be validated at the receiving\nnode. 
Security identity management is performed using a key-value store.\n\nSecure access to and from external services\n-------------------------------------------\n\nLabel based security is the tool of choice for cluster internal access control.\nIn order to secure access to and from external services, traditional CIDR based\nsecurity policies for both ingress and egress are supported. This allows\naccess to and from application containers to be limited to particular IP ranges.\n\nSimple Networking\n-----------------\n\nA simple flat Layer 3 network with the ability to span multiple clusters\nconnects all application containers. IP allocation is kept simple by using host\nscope allocators. This means that each host can allocate IPs without any\ncoordination between hosts.\n\nThe following multi node networking models are supported:\n\n* **Overlay:** Encapsulation-based virtual network spanning all hosts.\n  Currently, VXLAN and Geneve are baked in but all encapsulation formats\n  supported by Linux can be enabled.\n\n  When to use this mode: This mode has minimal infrastructure and integration\n  requirements. It works on almost any network infrastructure as the only\n  requirement is IP connectivity between hosts which is typically already\n  given.\n\n* **Native Routing:** Use of the regular routing table of the Linux host.\n  The network must be capable of routing the IP addresses of the\n  application containers.\n\n  When to use this mode: This mode is for advanced users and requires some\n  awareness of the underlying networking infrastructure. This mode works well\n  with:\n\n  - Native IPv6 networks\n  - In conjunction with cloud network routers\n  - If you are already running routing daemons\n\nLoad Balancing\n--------------\n\nCilium implements distributed load balancing for traffic between application\ncontainers and to external services and is able to fully replace components\nsuch as kube-proxy. 
The load balancing is implemented in eBPF using efficient\nhashtables allowing for almost unlimited scale.\n\nFor north-south type load balancing, Cilium's eBPF implementation is optimized\nfor maximum performance, can be attached to XDP (eXpress Data Path), and supports\ndirect server return (DSR) as well as Maglev consistent hashing if the load\nbalancing operation is not performed on the source host.\n\nFor east-west type load balancing, Cilium performs efficient service-to-backend\ntranslation right in the Linux kernel's socket layer (e.g. at TCP connect time)\nsuch that per-packet NAT operations overhead can be avoided in lower layers.\n\nBandwidth Management\n--------------------\n\nCilium implements bandwidth management through efficient EDT-based (Earliest Departure\nTime) rate-limiting with eBPF for container traffic that is egressing a node. This\nsignificantly reduces transmission tail latencies for applications and\navoids locking under multi-queue NICs compared to traditional approaches such as HTB\n(Hierarchy Token Bucket) or TBF (Token Bucket Filter) as used in the bandwidth CNI\nplugin, for example.\n\nMonitoring and Troubleshooting\n------------------------------\n\nThe ability to gain visibility and troubleshoot issues is fundamental to the\noperation of any distributed system. While we learned to love tools like\n``tcpdump`` and ``ping`` and while they will always find a special place in our\nhearts, we strive to provide better tooling for troubleshooting. 
This includes\ntooling to provide:\n\n- Event monitoring with metadata: When a packet is dropped, the tool doesn't\n  just report the source and destination IP of the packet, the tool provides\n  the full label information of both the sender and receiver among a lot of\n  other information.\n\n- Metrics export via Prometheus: Key metrics are exported via Prometheus for\n  integration with your existing dashboards.\n\n- Hubble_: An observability platform specifically written for Cilium. It\n  provides service dependency maps, operational monitoring and alerting,\n  and application and security visibility based on flow logs.\n\n.. _Hubble: https://github.com/cilium/hubble/\n.. _`Layer 7 Policy`: https://docs.cilium.io/en/stable/security/policy/language/#layer-7-examples\n\n.. end-functionality-overview\n\nGetting Started\n===============\n\n* `Why Cilium?`_\n* `Getting Started`_\n* `Architecture and Concepts`_\n* `Installing Cilium`_\n* `Frequently Asked Questions`_\n* Contributing_\n\nWhat is eBPF and XDP?\n=====================\n\nBerkeley Packet Filter (BPF) is a Linux kernel bytecode interpreter originally\nintroduced to filter network packets, e.g. for tcpdump and socket filters. The\nBPF instruction set and surrounding architecture have recently been\nsignificantly reworked with additional data structures such as hash tables and\narrays for keeping state as well as additional actions to support packet\nmangling, forwarding, encapsulation, etc. Furthermore, a compiler back end for\nLLVM allows for programs to be written in C and compiled into BPF instructions.\nAn in-kernel verifier ensures that BPF programs are safe to run and a JIT\ncompiler converts the BPF bytecode to CPU architecture-specific instructions\nfor native execution efficiency. 
BPF programs can be run at various hooking\npoints in the kernel such as for incoming packets, outgoing packets, system\ncalls, kprobes, uprobes, tracepoints, etc.\n\nBPF continues to evolve and gain additional capabilities with each new Linux\nrelease. Cilium leverages BPF to perform core data path filtering, mangling,\nmonitoring and redirection, and requires BPF capabilities that are in any Linux\nkernel version 4.8.0 or newer (the latest current stable Linux kernel is\n4.14.x).\n\nMany Linux distributions including CoreOS, Debian, Docker's LinuxKit, Fedora,\nopenSUSE and Ubuntu already ship kernel versions \u003e= 4.8.x. You can check your Linux\nkernel version by running ``uname -a``. If you are not yet running a recent\nenough kernel, check the documentation of your Linux distribution on how to run\nLinux kernel 4.9.x or later.\n\nTo read up on the necessary kernel versions to run the BPF runtime, see the\nsection Prerequisites_.\n\n.. image:: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/bpf-overview.png\n    :align: center\n\nXDP is a further step in evolution and enables running a specific flavor of BPF\nprograms from the network driver with direct access to the packet's DMA buffer.\nThis is, by definition, the earliest possible point in the software stack\nwhere programs can be attached in order to allow for a programmable, high\nperformance packet processor in the Linux kernel networking data path.\n\nFurther information about BPF and XDP targeted for developers can be found in\nthe `BPF and XDP Reference Guide`_.\n\nTo know more about Cilium, its extensions and use cases around Cilium and BPF\ntake a look at the `Further Readings \u003cFURTHER_READINGS.rst\u003e`_ section.\n\nCommunity\n=========\n\nSlack\n-----\n\nJoin the Cilium `Slack channel \u003chttps://slack.cilium.io\u003e`_ to chat with\nCilium developers and other Cilium users. 
This is a good place to learn about\nCilium, ask questions, and share your experiences.\n\nSpecial Interest Groups (SIG)\n-----------------------------\n\nSee `Special Interest groups\n\u003chttps://docs.cilium.io/en/stable/community/community/#special-interest-groups\u003e`_ for a list of all SIGs and their meeting times.\n\nDeveloper meetings\n------------------\nThe Cilium developer community hangs out on Zoom to chat. Everybody is welcome.\n\n* Weekly, Wednesday,\n  5:00 pm `Europe/Zurich time \u003chttps://time.is/Canton_of_Zurich\u003e`__ (CET/CEST),\n  usually equivalent to 8:00 am PT, or 11:00 am ET. `Join Zoom`_\n* Third Wednesday of each month, 9:00 am `Japan time \u003chttps://time.is/Tokyo\u003e`__ (JST). `Join Zoom`_\n\neBPF \u0026 Cilium Office Hours livestream\n-------------------------------------\nWe host a weekly community `YouTube livestream called eCHO \u003chttps://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYBWvuQ\u003e`_ which (very loosely!) stands for eBPF \u0026 Cilium Office Hours. Join us live, catch up with past episodes, or head over to the `eCHO repo \u003chttps://github.com/isovalent/eCHO\u003e`_ and let us know your ideas for topics we should cover.\n\nGovernance\n----------\nThe Cilium project is governed by a group of `Maintainers and Committers \u003chttps://raw.githubusercontent.com/cilium/cilium/main/MAINTAINERS.md\u003e`__.\nHow they are selected and govern is outlined in our `governance document \u003chttps://github.com/cilium/community/blob/main/GOVERNANCE.md\u003e`__.\n\nAdopters\n--------\nA list of adopters of the Cilium project who are deploying it in production, and of their use cases,\ncan be found in file `USERS.md \u003chttps://github.com/cilium/cilium/blob/main/USERS.md\u003e`__.\n\nRoadmap\n-------\nCilium maintains a `public roadmap \u003chttps://docs.cilium.io/en/latest/community/roadmap/\u003e`__. 
It gives a high-level view of the main priorities for the project, the maturity of different features and projects, and how to influence the project direction.\n\nLicense\n=======\n\n.. _apache-license: LICENSE\n.. _bsd-license: bpf/LICENSE.BSD-2-Clause\n.. _gpl-license: bpf/LICENSE.GPL-2.0\n\nThe Cilium user space components are licensed under the\n`Apache License, Version 2.0 \u003capache-license_\u003e`__.\nThe BPF code templates are dual-licensed under the\n`General Public License, Version 2.0 (only) \u003cgpl-license_\u003e`__\nand the `2-Clause BSD License \u003cbsd-license_\u003e`__\n(you can use the terms of either license, at your option).\n\n.. _`Cilium Upgrade Guide`: https://docs.cilium.io/en/stable/operations/upgrade/\n.. _`Why Cilium?`: https://docs.cilium.io/en/stable/overview/intro\n.. _`Getting Started`: https://docs.cilium.io/en/stable/#getting-started\n.. _`Architecture and Concepts`: https://docs.cilium.io/en/stable/overview/component-overview/\n.. _`Installing Cilium`: https://docs.cilium.io/en/stable/gettingstarted/k8s-install-default/\n.. _`Frequently Asked Questions`: https://github.com/cilium/cilium/issues?utf8=%E2%9C%93\u0026q=is%3Aissue+label%3Akind%2Fquestion+\n.. _Contributing: https://docs.cilium.io/en/stable/contributing/development/\n.. _Prerequisites: https://docs.cilium.io/en/stable/operations/system_requirements/\n.. _`BPF and XDP Reference Guide`: https://docs.cilium.io/en/stable/bpf/\n.. _`eBPF`: https://ebpf.io\n.. _`eBPF.io`: https://ebpf.io\n.. _`Join Zoom`: https://zoom.us/j/596609673\n\n.. |go-report| image:: https://goreportcard.com/badge/github.com/cilium/cilium\n    :alt: Go Report Card\n    :target: https://goreportcard.com/report/github.com/cilium/cilium\n\n.. |go-doc| image:: https://godoc.org/github.com/cilium/cilium?status.svg\n    :alt: GoDoc\n    :target: https://godoc.org/github.com/cilium/cilium\n\n.. 
|rtd| image:: https://readthedocs.org/projects/docs/badge/?version=latest\n    :alt: Read the Docs\n    :target: https://docs.cilium.io/\n\n.. |apache| image:: https://img.shields.io/badge/license-Apache-blue.svg\n    :alt: Apache licensed\n    :target: apache-license_\n\n.. |bsd| image:: https://img.shields.io/badge/license-BSD-blue.svg\n    :alt: BSD licensed\n    :target: bsd-license_\n\n.. |gpl| image:: https://img.shields.io/badge/license-GPL-blue.svg\n    :alt: GPL licensed\n    :target: gpl-license_\n\n.. |slack| image:: https://img.shields.io/badge/slack-cilium-brightgreen.svg?logo=slack\n    :alt: Join the Cilium slack channel\n    :target: https://slack.cilium.io\n\n.. |cii| image:: https://bestpractices.coreinfrastructure.org/projects/1269/badge\n    :alt: CII Best Practices\n    :target: https://bestpractices.coreinfrastructure.org/projects/1269\n\n.. |clomonitor| image:: https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/cilium/badge\n    :alt: CLOMonitor\n    :target: https://clomonitor.io/projects/cncf/cilium\n\n.. |artifacthub| image:: https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cilium\n    :alt: Artifact Hub\n    :target: https://artifacthub.io/packages/helm/cilium/cilium\n\n.. |fossa| image:: https://app.fossa.com/api/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git.svg?type=shield\n    :alt: FOSSA Status\n    :target: https://app.fossa.com/projects/custom%2B162%2Fgit%40github.com%3Acilium%2Fcilium.git?ref=badge_shield\n\n.. |gateway-api| image:: https://img.shields.io/badge/Gateway%20API%20Conformance%20v1.0.0-Cilium-green\n    :alt: Gateway API Status\n    :target: https://github.com/kubernetes-sigs/gateway-api/blob/main/conformance/reports/v1.0.0/cilium.yaml\n\n.. 
|codespaces| image:: https://img.shields.io/badge/Open_in_GitHub_Codespaces-gray?logo=github\n    :alt: Github Codespaces\n    :target: https://github.com/codespaces/new?hide_repo_select=true\u0026ref=master\u0026repo=48109239\u0026machine=standardLinux32gb\u0026location=WestEurope\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faanm-org%2Fcilium","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faanm-org%2Fcilium","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faanm-org%2Fcilium/lists"}