# Cilium: eBPF-Powered Cloud-Native Networking

## Core Advantages of Cilium

Cilium is built on Linux eBPF and implements networking, load balancing and policy enforcement in the kernel, largely bypassing iptables (with kube-proxy replacement enabled, Service handling no longer goes through iptables chains at all; a few host rules remain unless BPF masquerading is also turned on):

- High performance: eBPF programs run in the kernel datapath, with no user-space round trips per packet
- L7 visibility: understands application protocols such as HTTP, gRPC and Kafka, and can enforce policy on them
- Replaces kube-proxy: Service load balancing implemented in eBPF
- Transparent encryption: WireGuard or IPsec between nodes
- Hubble observability: real-time network flow visualization
## Installation

```bash
# Install with Helm (example values; replace the API server address with your own)
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium \
  --namespace kube-system \
  --set kubeProxyReplacement=true \
  --set k8sServiceHost=192.168.1.100 \
  --set k8sServicePort=6443 \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set encryption.enabled=true \
  --set encryption.type=wireguard

# Verify the installation (connectivity test creates its own test namespace and takes a few minutes)
cilium status --wait
cilium connectivity test
```

A few things to check before running this: `kubeProxyReplacement=true` means Cilium takes over all Service handling, so the cluster should be created without kube-proxy (or the kube-proxy DaemonSet removed afterwards), and `k8sServiceHost`/`k8sServicePort` must point directly at a reachable API server because there is no kube-proxy left to resolve the `kubernetes` Service. WireGuard encryption requires the WireGuard kernel module on every node (mainline 5.6+ or a backport); confirm that encryption is actually active with `kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep Encryption` (the in-agent binary is called `cilium` rather than `cilium-dbg` in releases before 1.15). Pin the chart with `--version` in anything other than a lab.

## L7 Network Policy
```yaml
# Allow frontend pods to send GET /api/users and POST /api/users to api-server;
# every other request to api-server (other paths, methods or sources) is denied
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
spec:
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: /api/users
        - method: POST
          path: /api/users
          headers:
          # Header must be present. When a value is given ("Authorization: xyz") it is
          # matched exactly, not as a regex, so a pattern like "Bearer.*" would never match.
          - "Authorization"
```

Semantics worth knowing before relying on this: as soon as an ingress rule selects `app: api-server`, that endpoint is in default-deny for ingress, so anything not listed is dropped. `fromEndpoints` only matches pods in the policy's own namespace unless a namespace label is added to the selector. `method` and `path` are anchored regular expressions, so `/api/users` does not match `/api/users/42`. L7 rules redirect the matching port through the node-local Envoy proxy, which terminates the TCP connection and inspects plaintext; TLS traffic cannot be inspected without a TLS termination configuration. Requests Envoy rejects get an HTTP 403, which is what the client sees instead of a connection failure.

## Hubble Observability
```bash
# Install the Hubble CLI (Linux amd64) and verify the download checksum
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin
rm hubble-linux-amd64.tar.gz{,.sha256sum}

# Expose Hubble Relay to the local machine (keeps running in the background)
cilium hubble port-forward &

# Observe flows in real time
hubble observe --namespace production
hubble observe --pod my-pod --follow   # --pod accepts [namespace/]<pod-name-prefix>

# HTTP flows only (L7 details are available only for endpoints whose traffic
# passes through the proxy, i.e. those with an L7 policy or visibility enabled)
hubble observe --protocol http --namespace production

# Dropped flows, with the drop reason; add -o json for scripting
hubble observe --verdict DROPPED

# Hubble UI
kubectl port-forward -n kube-system svc/hubble-ui 12000:80
```

## BGP Control Plane
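Checking that the L7 policy above actually does what it claims is a matter of reading what Hubble reports, and `hubble observe -o json` is the form that is practical to script against. The following is an added example, not code from the page or from the Cilium project: a small Python triage script that reads newline-delimited Hubble flow records, aggregates `DROPPED` verdicts by source, destination, port and drop reason, lists the HTTP requests the L7 proxy rejected, and flags sources with repeated drops (a policy gap or a probing pod). The sample records are constructed to mirror the `hubble observe -o json` layout (each line wraps a `flow` object with `verdict`, `drop_reason_desc`, `source`, `destination`, `l4` and `l7` fields); the assumption that L7 denials appear as `DROPPED` flows carrying an `l7.http` section is marked in the code. Field names outside that set, the pod names and the threshold are illustrative choices.

```python
"""Triage `hubble observe -o json` output: summarise drops and L7 denials.

Usage: hubble observe -o json --last 1000 | python3 hubble_triage.py
Run without stdin to process the constructed sample records below.
"""
import json
import sys
from collections import Counter

# Constructed sample records shaped like `hubble observe -o json` output
# (one JSON object per line, each wrapping a `flow`). Not captured from a
# real cluster; the L7 denial record assumes Envoy-rejected requests show
# up as verdict DROPPED with an `l7.http` section, which is how the author
# of this example reads Hubble's L7 reporting.
SAMPLE_FLOWS = r"""
{"flow":{"time":"2024-01-01T10:00:00Z","verdict":"FORWARDED","source":{"namespace":"production","pod_name":"frontend-1","labels":["k8s:app=frontend"]},"destination":{"namespace":"production","pod_name":"api-server-1","labels":["k8s:app=api-server"]},"Type":"L7","l4":{"TCP":{"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"GET","url":"http://api-server:8080/api/users"}}}}
{"flow":{"time":"2024-01-01T10:00:01Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"production","pod_name":"frontend-1","labels":["k8s:app=frontend"]},"destination":{"namespace":"production","pod_name":"api-server-1","labels":["k8s:app=api-server"]},"Type":"L7","l4":{"TCP":{"destination_port":8080}},"l7":{"type":"REQUEST","http":{"method":"DELETE","url":"http://api-server:8080/api/users/42"}}}}
{"flow":{"time":"2024-01-01T10:00:02Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"production","pod_name":"batch-job-7","labels":["k8s:app=batch"]},"destination":{"namespace":"production","pod_name":"api-server-1","labels":["k8s:app=api-server"]},"Type":"L3_L4","l4":{"TCP":{"destination_port":8080}}}}
{"flow":{"time":"2024-01-01T10:00:03Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"namespace":"production","pod_name":"batch-job-7","labels":["k8s:app=batch"]},"destination":{"namespace":"production","pod_name":"api-server-1","labels":["k8s:app=api-server"]},"Type":"L3_L4","l4":{"TCP":{"destination_port":8080}}}}
{"flow":{"time":"2024-01-01T10:00:04Z","verdict":"FORWARDED","source":{"namespace":"production","pod_name":"frontend-1","labels":["k8s:app=frontend"]},"destination":{"namespace":"production","pod_name":"api-server-1","labels":["k8s:app=api-server"]},"Type":"L3_L4","l4":{"TCP":{"destination_port":8080}}}}
"""


def parse_flows(text):
    """Yield the inner `flow` objects from newline-delimited JSON records."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        yield record.get("flow", record)  # tolerate a bare flow object too


def endpoint_name(endpoint):
    """Render an endpoint as namespace/pod for grouping."""
    return f"{endpoint.get('namespace', '?')}/{endpoint.get('pod_name', '?')}"


def dest_port(flow):
    """Return (protocol, destination port) from the L4 section, if any."""
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return proto, l4[proto].get("destination_port")
    return None, None


def summarize_drops(text):
    """Count DROPPED flows keyed by (source, destination, proto/port, reason)."""
    counts = Counter()
    for flow in parse_flows(text):
        if flow.get("verdict") != "DROPPED":
            continue
        proto, port = dest_port(flow)
        key = (
            endpoint_name(flow.get("source", {})),
            endpoint_name(flow.get("destination", {})),
            f"{proto}/{port}",
            flow.get("drop_reason_desc", "UNKNOWN"),
        )
        counts[key] += 1
    return counts


def l7_denials(text):
    """List (method, url) of HTTP requests rejected by the L7 proxy."""
    denied = []
    for flow in parse_flows(text):
        http = flow.get("l7", {}).get("http")
        if flow.get("verdict") == "DROPPED" and http:
            denied.append((http.get("method"), http.get("url")))
    return denied


def noisy_sources(counts, threshold=2):
    """Sources whose total drop count reaches the threshold, busiest first."""
    per_source = Counter()
    for (src, _dst, _port, _reason), n in counts.items():
        per_source[src] += n
    return [src for src, n in per_source.most_common() if n >= threshold]


if __name__ == "__main__":
    data = SAMPLE_FLOWS if sys.stdin.isatty() else sys.stdin.read()
    drops = summarize_drops(data)
    for (src, dst, port, reason), n in sorted(drops.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {src} -> {dst} {port}  {reason}")
    for method, url in l7_denials(data):
        print(f"L7 denied: {method} {url}")
    print("noisy sources:", noisy_sources(drops))
```

On the sample data the script reports two L3/L4 drops from `batch-job-7` (a pod the policy never allows), one L7 drop for the `DELETE /api/users/42` request from the allowed `frontend-1` pod, and flags `batch-job-7` as the noisy source; the forwarded `GET /api/users` from `frontend-1` is the only request the policy lets through. In a real cluster, drops from an expected caller point at a missing rule, while repeated drops from an unexpected caller are worth treating as a detection.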
```yaml
# Cilium BGP configuration (replaces MetalLB); needs bgpControlPlane.enabled=true at install time
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: bgp-peering
spec:
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
  virtualRouters:
  - localASN: 65001
    exportPodCIDR: true
    neighbors:
    - peerAddress: 192.168.1.1/32
      peerASN: 65000
    serviceSelector:
      matchLabels:
        expose-via-bgp: "true"
```

Every selected node opens a session to the peer at 192.168.1.1 (ASN 65000), so the upstream router must be configured to accept sessions from each node address. `serviceSelector` advertises the LoadBalancer IPs of matching Services; those IPs are allocated by Cilium's own LB IPAM, so a `CiliumLoadBalancerIPPool` has to exist or the Services stay pending and nothing is announced. `exportPodCIDR: true` makes pod IPs routable from the surrounding network, which is convenient but means network policy becomes the only thing standing between an external host and a pod: pair it with default-deny ingress policies. `CiliumBGPPeeringPolicy` is the BGPv1 API and is deprecated in newer releases (1.16 and later) in favour of the `CiliumBGPClusterConfig` family of resources, so check the API for the version you run.

## Performance Comparison
The figures below are the illustrative comparison given on this page between kube-proxy in iptables mode and Cilium's eBPF datapath; measure on your own hardware before quoting them.

| Scenario | kube-proxy (iptables) | Cilium eBPF |
|---|---|---|
| Service lookup | O(n) linear chain walk | O(1) hash map lookup |
| Latency with 1000 Services | ~100 μs | ~10 μs |
| Rule update time | seconds | milliseconds |
| CPU overhead | high | low |