About

The Solo distribution of Cilium is a hardened Cilium enterprise image, which maintains support for security patches to address Common Vulnerabilities and Exposures (CVEs) and other security fixes.

Keep in mind that Gloo Mesh Enterprise offers security patching support only for Solo distributions of Cilium, not for community Cilium versions. Solo distributions of Cilium support the same patch versions as community Cilium. You can review community Cilium patch versions in the Cilium release documentation. To get the backported Cilium security fixes, you must run the latest Gloo Mesh Enterprise patch version.

To download a Solo distribution of a Cilium image, you must be a registered user who can log in to the Solo Support Center. Open the support article "Cilium images built by Solo.io". When prompted, log in to the Support Center with your Solo account credentials.

The following versions of Gloo Mesh Enterprise are supported with the compatible Solo distributions of Cilium. Later versions of the open source project that are released after a Gloo Mesh Enterprise version might also work, but are not tested as part of the Gloo Mesh Enterprise release.

| Gloo Mesh Enterprise | Release date | Supported Solo distributions of Cilium versions tested by Solo |
|---|---|---|
| 2.5 | 09 Jan 2024 | Cilium 1.12 - 1.14 on Kubernetes 1.22 - 1.28 |
| 2.4 | 28 Aug 2023 | Cilium 1.12 - 1.13 on Kubernetes 1.21 - 1.27 |
| 2.3 | 17 Apr 2023 | Cilium 1.12 on Kubernetes 1.20 - 1.25 |
| 2.2 | 20 Jan 2023 | Cilium 1.12 on Kubernetes 1.19 - 1.24 |

Benefits

Gloo Mesh Enterprise gives you access to Solo distributions of Cilium images. The Solo distribution of Cilium is a hardened Cilium enterprise image, which maintains support for security patches to address Common Vulnerabilities and Exposures (CVEs) and other security fixes. Cilium provides connectivity, security, and observability for containerized workloads with a Cilium-based container network interface (CNI) plug-in that leverages the Linux kernel technology eBPF.

Review the following benefits that a Solo distribution of Cilium image provides, both as a standalone container network interface (CNI) and when used in conjunction with a service mesh that is managed by Gloo Mesh Enterprise.

Standalone CNI

| Benefit | Description |
|---|---|
| Control traffic with policies | With Solo distributions of Cilium, you get advanced app security without modifying the app code or the configuration of your containers. When you apply Gloo access policies, Gloo automatically translates these policies into Layer 3, 4, or 7 policies that control network traffic in the cluster before traffic reaches your workload. You can also use container, pod, and service metadata, in addition to protocols such as HTTP, TCP, or UDP, to create identity-aware and application-aware networking rules. To protect your services even further, you can set up Gloo workspaces, enable service isolation, or use a Solo distribution of Cilium image with a service mesh that is managed by Gloo Mesh Enterprise. |
| Multitenancy and zero trust with workspaces | With Gloo workspaces, you can define the boundary of Kubernetes resources that your team has access to. These resources can be spread across namespaces or clusters. Gloo access policies are automatically translated and applied within the workspace's boundaries. You can optionally turn on service isolation to prevent services in one workspace from communicating with services in a different workspace. |
| Enhanced performance | Instead of using iptables rules to route traffic in a cluster, Solo distributions of Cilium use the kernel technology eBPF to shorten the data path of a packet. With eBPF, packets to and from apps can be forwarded directly and written to the socket of the target app. This setup reduces network latency and the packet processing that the kernel must do, because the TCP/IP stack of the OSI network model is bypassed. In addition, you decrease CPU and memory overhead on your cluster worker nodes, and can use the freed-up resources to manage cluster workloads more efficiently. |
| N-4 version support for Cilium | Solo distributions of Cilium include n-4 Cilium version support with security patches to address Common Vulnerabilities and Exposures (CVEs), starting with the first release of the distributions. |
| Built-in observability tools | The Solo distribution of Cilium is fully built into the Gloo Mesh Enterprise stack, which provides out-of-the-box observability tools, such as the Gloo UI and Prometheus. You can use these tools to gain visibility into the communication and behavior of services, monitor network traffic, and debug network policies. |
| Central Gloo management | Use the Gloo management plane to automatically translate Gloo access policies into Cilium network policies, and to deploy and configure the Cilium agent across clusters. |

Gloo Mesh-managed service mesh

Although Cilium supports Layer 7 policies, enforcing such a policy requires the Cilium agent to start an Envoy proxy process. The Envoy proxy intercepts the traffic to and from each pod, which is similar to how Gloo Mesh Enterprise intercepts traffic by using Envoy sidecars (Istio sidecar architecture) or ztunnels (Istio sidecarless architecture).
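The following CiliumNetworkPolicy is an added example written for this page; it is not from the Solo or Cilium documentation, and the namespace, policy name, and app labels (frontend, backend) are constructed. It shows how the three policy layers mentioned above fit into one Cilium resource: the endpointSelector and fromEndpoints blocks are the Layer 3 (identity-based) part, toPorts is the Layer 4 part, and the rules.http block is the Layer 7 part that causes the Cilium agent to hand the matched traffic to its embedded Envoy proxy. Because a Cilium policy that selects an endpoint denies all other ingress to that endpoint by default, the result is an allowlist: only frontend pods may reach backend pods, only on TCP 8080, and only with GET requests under /api/.

```yaml
# Added example (not from the page): one CiliumNetworkPolicy spanning L3, L4 and L7.
# Namespace "app" and the frontend/backend labels are constructed for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-frontend-to-backend-api
  namespace: app
spec:
  # L3: the policy applies to pods carrying this identity.
  # Selecting an endpoint switches its ingress to default-deny.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - # L3: only peers with the frontend identity are allowed in ...
    fromEndpoints:
    - matchLabels:
        app: frontend
    # L4: ... and only on TCP port 8080 ...
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7: ... and only for GET requests under /api/.
      # The presence of an http rule is what makes the Cilium agent
      # start/use its Envoy proxy to inspect this traffic.
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
```

A useful defensive check after applying a policy like this is to confirm that requests which violate the L7 rule (for example a POST to the same path) are rejected by the proxy rather than reaching the backend, and that pods without the frontend label cannot connect at all; the Gloo UI or Prometheus metrics mentioned in the benefits table above can be used to observe the resulting drops.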

However, Cilium's Layer 7 capabilities are limited in terms of establishing service identity, supporting policies, encrypting data, and providing multitenancy. For more information, check out this blog.

To overcome these limitations, you can use a Solo distribution of Cilium in combination with a service mesh that is managed by Gloo Mesh Enterprise. With this approach, you get advanced security controls, connectivity, and observability across Layers 3-7 of the OSI networking model, while optimizing the performance of your service mesh with eBPF.

Review the following table for an overview of the benefits of using a Solo distribution of Cilium together with Gloo Mesh Enterprise. Note that you get these benefits in addition to the benefits of a standalone CNI installation that uses a Solo distribution of Cilium.

| Benefit | Description |
|---|---|
| Defense-in-depth | When using a Solo distribution of Cilium with a service mesh that is managed by Gloo Mesh Enterprise, you can create a multi-layer defense mechanism that protects your apps from being compromised. Gloo Mesh offers a variety of Layer 7 traffic policies that you can apply to your service mesh in addition to the Layer 3/4 network policies that Cilium offers, to increase the security posture of your apps. For example, you can create L7 policies such as external auth, rate limiting, fault injection, outlier detection, retries, timeouts, mirroring, transformation, WAF, Wasm, and more. By using Gloo Mesh and a Solo distribution of Cilium together, you can address many different attack vectors. If one layer is compromised, your apps are still protected by policies that are enforced on other layers. |
| Pod identity | Gloo Mesh uses X.509 certificates to establish pod identity. To receive a certificate, a pod must present a valid Kubernetes service account token to the Istio control plane that is managed by Gloo Mesh. Certificates are automatically rotated and renewed every 12 hours. |
| Mutual TLS (mTLS) | Gloo Mesh uses Istio's mutual TLS capabilities to automatically encrypt traffic between pods and provide pod authentication. You can optionally use Gloo Mesh's external auth policies to apply request authentication and integrate with your preferred identity provider. |
| Request authorization | To further secure your service mesh, use Gloo Mesh's access and external auth policies to specify which services in the mesh can talk to each other. |
| Multitenancy and zero trust with Gloo workspaces | The Solo distribution of Cilium and Gloo Mesh fully integrate into the Gloo Mesh Enterprise stack, which provides Gloo workspaces to enable multitenancy support in your cluster. With workspaces, you can define the boundary of Kubernetes resources that your team has access to. These resources can be spread across namespaces or clusters. The Solo distribution of Cilium and Gloo Mesh policies are automatically translated and applied within the workspace's boundaries. |
| Multicluster mesh and multicluster routing | With Gloo Mesh Enterprise and central Gloo management, you can onboard workloads in multiple clusters to your service mesh, and use Gloo custom resources, such as traffic or network policies, to secure network traffic between clusters. |