Introduction
As organizations increasingly adopt cloud-native environments, the need for secure, scalable, and efficient networking solutions becomes more critical. In response to this demand, BMC Helix Innovation Suite is excited to announce support for Cilium starting from version 23.3.03. Cilium is an open-source, cloud-native solution that delivers advanced networking, security, and observability for workloads, powered by the revolutionary Linux kernel technology, eBPF (Extended Berkeley Packet Filter).
What is eBPF?
eBPF is a game-changing technology that originated in the Linux kernel. It enables you to attach custom programs to various kernel hooks placed at different points in the networking stack. This can be done without disrupting the kernel’s source code or needing to load additional kernel modules.
As Liz Rice, Chief Open Source Officer at Isovalent, aptly describes:
“eBPF is like JavaScript for the Linux kernel. It lets you program the kernel dynamically, adding logic without the need to modify or recompile the kernel itself.”
This dynamic programmability is what makes eBPF so powerful. By leveraging eBPF, Cilium provides kernel-level visibility and control over network traffic, allowing for real-time security, observability, and efficient traffic routing without the need for traditional, resource-heavy methods.
Key Features of Cilium Built on eBPF
Pod-to-Pod Encryption
Encryption is a requirement for many compliance frameworks, and Kubernetes doesn’t natively offer pod-to-pod encryption. Cilium addresses this by providing two options for encrypting traffic between Cilium-managed endpoints: IPsec and WireGuard.
Both Transparent Encryption implementations are easy to enable, but WireGuard offers some distinct advantages, including automatic key management and rotation. In Isovalent’s benchmark testing, WireGuard demonstrated significantly higher throughput, though IPsec performed better in terms of latency and CPU consumption.
For more details on the benchmarking results, please refer to this documentation.
Packet Processing
Traditional networking in Kubernetes typically relies on iptables to manage packet filtering and routing, which can become inefficient, especially at scale. Iptables is processed in a linear fashion; as the number of rules grows, so does the time required to process each packet, which results in latency and performance degradation. Cilium, by leveraging eBPF, bypasses these issues by allowing the kernel to run custom programs directly in response to network events.
Load Balancing
Unlike kube-proxy, Cilium leverages eBPF for high-performance load balancing, eliminating the need for traditional proxies. This approach avoids the limitations and complexity associated with large iptables rule sets, offering more efficient traffic management.
In contrast, traditional service meshes like Istio or Linkerd use sidecars—separate containers running alongside each pod—to intercept and manage traffic. While this provides decent functionality, it introduces additional complexity and can create performance bottlenecks due to the overhead of managing traffic through multiple layers of containers.
Network Observability with Hubble
Hubble captures detailed logs of all network interactions, enabling in-depth analysis of network behavior, troubleshooting, and detection of potential security threats. The UI provides a real-time, graphical service map that visualizes the flow of network traffic and the relationships between components such as services, pods, and namespaces within a Kubernetes cluster. Additionally, it visualizes most of the data from the network flow logs. For example, to narrow down traffic from the platform-fts pod, you can simply click on the pod in the UI, and it will display the relationships and traffic flows associated with it as shown below:
Similarly, for the Mid-Tier pod, you can interact with the UI by clicking on the pod, which will highlight the network relationships and traffic flows between this pod and other components within the cluster.
Alternatively, we can use the Hubble command line interface which is essentially the equivalent of clicking on the pod in the Hubble UI. Both approaches allow you to observe the network traffic associated with that specific pod but with the CLI we can apply more specific filters and commands, such as monitoring only ingress or egress traffic, specific ports, or protocols.
For example, to check all traffic for the platform-fts-pod:
Or if you want to stream traffic logs continuously between namespaces:
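As an added example (not part of the original post or the Cilium project), the same filtering applied offline to flows exported with `hubble observe -o json`: the records below are constructed, the field layout follows the Hubble flow JSON as I understand it, and the pod and namespace names are illustrative. The `policy_drops` helper pulls out the flows Cilium dropped for policy reasons, which is the list a defender reviews when looking for unexpected callers.

```python
import json

# Constructed sample in the shape of `hubble observe -o json` output: one JSON
# object per line with the flow under the "flow" key (field names assumed).
SAMPLE_FLOWS = "\n".join(json.dumps({"flow": f}) for f in [
    {"verdict": "FORWARDED", "traffic_direction": "INGRESS",
     "source": {"namespace": "helix", "pod_name": "midtier-0"},
     "destination": {"namespace": "helix", "pod_name": "platform-fts-0"},
     "l4": {"TCP": {"source_port": 41022, "destination_port": 9200}}},
    {"verdict": "DROPPED", "drop_reason_desc": "POLICY_DENIED", "traffic_direction": "INGRESS",
     "source": {"namespace": "default", "pod_name": "curl-test"},
     "destination": {"namespace": "helix", "pod_name": "platform-fts-0"},
     "l4": {"TCP": {"source_port": 50110, "destination_port": 9200}}},
    {"verdict": "FORWARDED", "traffic_direction": "EGRESS",
     "source": {"namespace": "helix", "pod_name": "platform-fts-0"},
     "destination": {"namespace": "kube-system", "pod_name": "coredns-1"},
     "l4": {"UDP": {"source_port": 33001, "destination_port": 53}}},
])

def parse_flows(text):
    """Yield the inner flow dicts from newline-delimited Hubble JSON."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)["flow"]

def matches(flow, pod=None, namespace=None, direction=None, port=None, proto=None):
    """Approximate the hubble observe filters: pod/namespace match either end of
    the flow, port matches either side of the L4 header, proto is TCP or UDP."""
    ends = (flow["source"], flow["destination"])
    l4 = flow.get("l4", {})
    ports = {hdr.get(k) for hdr in l4.values() for k in ("source_port", "destination_port")}
    return ((not pod or any(e.get("pod_name") == pod for e in ends))
            and (not namespace or any(e.get("namespace") == namespace for e in ends))
            and (not direction or flow.get("traffic_direction") == direction)
            and (not proto or proto in l4)
            and (not port or port in ports))

def observe(text, **filters):
    """Offline equivalent of `hubble observe` with the given filters."""
    return [f for f in parse_flows(text) if matches(f, **filters)]

def policy_drops(text, pod):
    """(source namespace, source pod, destination port) of each flow involving
    `pod` that was dropped because of network policy."""
    return [(f["source"]["namespace"], f["source"]["pod_name"],
             next(iter(f["l4"].values()))["destination_port"])
            for f in observe(text, pod=pod)
            if f["verdict"] == "DROPPED" and f.get("drop_reason_desc") == "POLICY_DENIED"]
```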
Requirements for Using Cilium with Helix Innovation Suite
To implement Cilium in your Helix Innovation Suite environment (as of version 1.16), it is essential to ensure that your worker nodes meet the following prerequisites:
Your nodes should be running on either AMD64 or AArch64 architecture.
Linux kernel >= 5.4 or equivalent (e.g., 4.18 on RHEL 8.6)
Most recent Linux distributions support Cilium.
Installation
The two most popular tools to install Cilium in a Kubernetes environment are cilium-cli and Helm.
cilium-cli: This tool provides a quick and easy installation of Cilium with minimal configuration. It is designed to be straightforward, requiring only a few commands to get Cilium up and running.
Helm: While it requires a little more effort, Helm for Cilium provides greater flexibility to fine-tune configurations.
There are also some K8s distributions such as OpenShift or K3s which allow you to deploy Cilium as part of the installation.
Conclusion
Cilium has revolutionized networking within Kubernetes by leveraging eBPF to offer a high-performance, efficient, and scalable solution for both security and observability. Unlike traditional networking solutions like kube-proxy, Cilium simplifies traffic management through the dynamic use of eBPF programs, improving performance and reducing complexity. Its ability to support pod-to-pod encryption using WireGuard or IPsec addresses a significant gap in Kubernetes, meeting stringent security and compliance requirements. Furthermore, the integration with Hubble for real-time monitoring and network visibility provides invaluable insights into service communication, making troubleshooting easier and more effective.
Support
For those seeking Cilium support, there are several options and resources available:
For enterprise-grade support, Cilium offers tailored assistance through its Cilium Enterprise Support package. This typically includes access to premium support features, such as expert consultation, troubleshooting, and advanced setup configurations for production environments. You can access Cilium Enterprise support via Cilium’s official website or by contacting Isovalent directly.
The Cilium Slack Community is a valuable resource for quick questions, networking, and community-driven help. It’s open to anyone interested in Cilium, from beginners to experts. Joining the Slack community can help you connect with others, share knowledge, and get peer support. You can join the community here.
Resources
eBPF: To deepen your understanding of eBPF and how it powers Cilium, you can explore eBPF resources here.
System Requirements: Cilium has specific hardware and software requirements to ensure efficient operation in Kubernetes environments. For more details, check out Cilium’s system requirements documentation.
CNI Performance Benchmarking: For insights into Cilium’s performance as a CNI, you can explore benchmarking results and performance insights available on Cilium’s benchmarking page.
Kubernetes without Kube-Proxy: For more on this, refer to Cilium’s documentation on running Kubernetes without kube-proxy.
Welcome to Our Customer Stories Podcast: Real Voices, Real Success
Dive deep into the world of our customers with our engaging podcast series, "Customer Stories." In each episode, we shine a spotlight on the diverse experiences and remarkable achievements of the people and businesses using our products.
What You'll Discover:
Why Listen?
Whether you're a current customer looking for new ideas, a potential user curious about real-world applications, or simply interested in business innovation, our podcast offers something for everyone. Each episode is carefully crafted to be both informative and entertaining, providing you with actionable takeaways and thought-provoking discussions.
Join Our Community: Subscribe now to never miss an episode. By tuning in regularly, you'll become part of a growing community of forward-thinkers and problem-solvers. Share your thoughts, connect with guests, and join the conversation on our social media channels.
Tune in to our podcasts now:
Unlock the benefits of migrating to BMC Helix Operations Management, a cloud-native containerized microservices architecture. Here’s why migrating from TrueSight Operations Management (TSOM) to BMC Helix Operations Management (BHOM) will benefit you:
• Faster Performance: Get lightning-speed operations.
• Flexible Scalability: Easily adjust your infrastructure based on your needs with a consumption-based model.
• Continuous Uptime: Guarantee high availability for your enterprise.
• Quick Access to Features: Get upgrades and new capabilities swiftly, managed by our SaaS Operations team.
• Cost Efficiency: Cut down on procurement and maintenance costs.
• Smooth Data Migration: Transition seamlessly from TSOM with our toolkit and support from the Customer Success team.
To learn more, enroll in BMC Helix Operations Management Migration: Essential Subscription that offers 19 hours of learning. The subscription introduces you to the TSOM to BHOM migration process through a migration utility toolkit that contains the following tools:
• TSOM Health Check Tool
• Event Migration Utility
• TSOM Policy Migration
• PATROL Agent Migration Tool
The subscription Learning Path includes two web-based trainings (WBTs), an instructor-led training (ILT), followed by a Certified Associate Online Exam.
For any further details, post a comment or contact us at education@bmc.com. To get regular updates on BMC Education offerings, please join the BMC Education group on Communities.
BMC Helix ITSM Insights is a module of BMC Helix that delivers value by providing AI Service Management capabilities to use in combination with your BMC Helix ITSM instances. BMC Helix ITSM Insights enables the transition from traditional ITSM to intelligent, agile, and highly automated Service Management.
This online course gives ITSM users the knowledge to work with ITSM Insights cases, such as proactive problem management and real-time incident correlation.
Now available for BMC Partners and customers!
Click here for the Abstract and Course Registration.
How do we design effective and safe APIs?
APIs have increasingly become the backbone of modern software.
To understand some of the key principles and best practices of API design, let's analyze a social media platform example:
Clarity is key when creating APIs.
Adopting simple resource names, like /users for accessing user profiles and /posts for retrieving user posts, streamlines the development process and reduces mental strain.
It's important to maintain a standard of consistency in API design.
For consistency and readability, use plural resource names, such as GET /users/{userId}/friends rather than /friend, to avoid ambiguity in API requests.
Interlinking resources, like retrieving the comments on a post with GET /posts/{postId}/comments, simplifies the retrieval of related data. It provides a more streamlined and well-organized user experience.
Security is a must-have.
To secure the API endpoints, employ authentication methods like X-AUTH-TOKEN and X-SIGNATURE, and use authorization headers for verifying user permissions.
Using versioning and communicating version updates is another important practice.
Endpoints like GET /v2/users/{userId}/posts allow API versioning to maintain functionality regardless of updates.
This approach ensures backward compatibility and a smooth transition for both API consumers and maintainers.
Pagination is important for performance.
Paginate large datasets, like feeds or comment lists, with GET /posts?page=5&pageSize=20 to enhance data delivery and UX.
Maintaining API reliability is necessary. Idempotency ensures that operations like profile updates (PUT /users/{userId}/profile) achieve their intended result, regardless of how often they are executed.
These practices are very important, but there’s still much more to API design.
Thorough documentation, robust monitoring and logging, and consistent error handling are just a few more of the many essential habits required for designing effective and safe APIs.
Adopting these principles and practices enables us to develop secure and performant APIs that deliver good user experiences.
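As an added example (not part of the original post), one way to verify the X-AUTH-TOKEN and X-SIGNATURE headers mentioned above: the token identifies the client, and the signature is an HMAC-SHA256 over the method, path, a timestamp and a hash of the body, so none of those can be altered in transit. The X-TIMESTAMP header, the secret store and the skew window are my assumptions, not part of the post.

```python
import hmac, hashlib, time

# Constructed demo: one client's API token and its shared secret. In practice
# the secret lives in a secrets store, never in source.
CLIENT_SECRETS = {"client-123": b"constructed-shared-secret"}
MAX_SKEW_SECONDS = 300   # assumed replay window: reject timestamps older than this

def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and body hash into the signed message so
    swapping any one of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign_request(secret, method, path, timestamp, body):
    """Client side: hex HMAC-SHA256 over the canonical string."""
    msg = canonical_string(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_request(headers, method, path, body, now=None):
    """Server side: returns (ok, reason). Checks run cheapest first so an
    unauthenticated caller never reaches the HMAC computation."""
    now = time.time() if now is None else now
    secret = CLIENT_SECRETS.get(headers.get("X-AUTH-TOKEN"))
    if secret is None:
        return False, "unknown client"
    try:
        ts = int(headers.get("X-TIMESTAMP", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign_request(secret, method, path, ts, body)
    # compare_digest is constant-time, so response timing does not leak how
    # many leading bytes of a guessed signature were correct
    if not hmac.compare_digest(expected, headers.get("X-SIGNATURE", "")):
        return False, "bad signature"
    return True, "ok"
```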
An API gateway acts as a single entry point for clients, handling request routing, response composition, and protocol translation. It simplifies client interactions with microservices and offers additional features like rate limiting, authentication, monitoring, and more.
To better understand how an API gateway works, let's look at how it processes a request:
1) Initial request handling
Client requests are sent to the API gateway, which acts as the entry point for all incoming API traffic, rather than directly accessing the backend services.
2) Request validation
The API gateway processes and validates the request’s attributes to ensure it’s correctly formatted.
3) Security checks
It then performs checks against allow-lists and deny-lists to filter out unauthorized or harmful requests.
4) Authentication and authorization
The API gateway validates the request, checking for proper authentication (e.g., verifying tokens or credentials) and ensuring the client has the necessary permissions (authorization) to access the requested resources.
5) Rate limiting
Rate limiting rules are enforced; if the request exceeds the allowed limit, it’s rejected.
6) Service discovery and routing
Once the request passes these checks, the API gateway finds the relevant service to route it to by matching the path.
7) Protocol translation
The API gateway transforms the request into the appropriate protocol and sends it to the service.
8) Response aggregation
If the request requires data from multiple services, the API gateway aggregates the responses. It sends requests to each relevant service, collects the results, and composes them into a single, cohesive response.
9) Response delivery
The gateway sends the processed response back to the client, ensuring it’s delivered in the expected format and within an optimal timeframe.
10) Logging, monitoring, fault handling, and caching
Throughout this process, the API gateway logs each request and response and monitors key metrics such as latency, error rates, and throughput. These logs and metrics help in troubleshooting, scaling, and optimizing the system. It also handles faults (circuit breaking) and provides response caching.
An API gateway is a powerful tool that not only simplifies client interactions with microservices but also enhances security, performance, and reliability through comprehensive request processing and monitoring.
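As an added example (not part of the original post or any gateway product), a minimal in-process gateway that runs the validation, deny-list, authentication, rate-limiting, routing and logging stages above in that order, so a request is rejected by the cheapest check that fails. Routes, the deny-listed address, the bearer tokens and the token-bucket limit are all constructed for the demo.

```python
import time
from urllib.parse import urlsplit

# Constructed demo configuration: path-prefix routes, a deny-list of client
# addresses (TEST-NET range) and a per-principal token-bucket rate limit.
ROUTES = {"/users": "user-service:8080", "/posts": "post-service:8080"}
DENY_LIST = {"203.0.113.7"}
VALID_TOKENS = {"tok-alice": "alice"}   # bearer token -> principal (demo only)
RATE_LIMIT = (5, 60.0)                  # 5 requests per 60 s per principal

class Gateway:
    def __init__(self):
        self._buckets = {}   # principal -> [tokens left, time of last refill]
        self.log = []        # (principal, path, status) per request

    def _allow_rate(self, principal, now):
        cap, window = RATE_LIMIT
        tokens, last = self._buckets.get(principal, [cap, now])
        tokens = min(cap, tokens + (now - last) * cap / window)   # refill
        allowed = tokens >= 1
        self._buckets[principal] = [tokens - 1 if allowed else tokens, now]
        return allowed

    def handle(self, method, url, headers, client_ip, now=None):
        """Run the gateway stages in order and return (status, detail); every
        outcome is logged so rejections can be alerted on."""
        now = time.time() if now is None else now
        path = urlsplit(url).path
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        principal = VALID_TOKENS.get(token)
        if method not in ("GET", "POST", "PUT", "DELETE") or not path.startswith("/"):
            outcome = (400, "malformed request")          # 2) validation
        elif client_ip in DENY_LIST:
            outcome = (403, "client on deny-list")        # 3) deny-list
        elif principal is None:
            outcome = (401, "missing or invalid token")   # 4) authentication
        elif not self._allow_rate(principal, now):
            outcome = (429, "rate limit exceeded")        # 5) rate limiting
        else:
            upstream = ROUTES.get("/" + path.split("/")[1])   # 6) route by path
            outcome = (502, "no route") if upstream is None else (200, upstream)
        self.log.append((principal, path, outcome[0]))     # 10) logging
        return outcome
```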
How can we automate the health and performance of our APIs? Postman Monitors is a great way to do this.
Happy Learning!!!