Posted November 10, 2020

I am very excited to announce our partnership with Isovalent in their journey to redefine networking and security. Isovalent is the driving force behind both eBPF and Cilium, projects in Linux that provide a software networking layer for modern cloud architectures. Cilium has rapidly become a leading technology in the Kubernetes ecosystem, providing the network data plane for the Google Kubernetes Engine (GKE), and gaining adoption among other leading cloud native end users, including Adobe, DataDog, GitLab, and DigitalOcean. 

So what is all the fuss about? Let me explain. 

For decades, networks have been defined in terms of the individual endpoints they connect. With workloads running on physical machines, we wired physical switches, load-balancers, and firewalls, and defined connectivity in terms of the IP addresses assigned to each machine. When we shifted to connecting virtual machines (VMs), we created virtual switches, virtual load-balancers, and virtual firewalls, but again thought of connectivity in terms of individual VM endpoints. 

In modern systems we rarely think about connecting machines and wires, or virtual machines, or even containers, really. Instead, we’re concerned with connecting microservices, cloud services, APIs, and the higher level protocols and systems used to connect them. The past was IP addresses, ports, vNICs and VLANS. Now, it is service identity, gRPC, Kafka, distributed data stores, remote APIs, etc. 

Kubernetes has emerged as the cloud’s operating system, stitching together nodes (the majority of them Linux) and enabling microservices. But Kubernetes breaks a lot of the old school networking and security tooling that assumed an immutable physical server. And so, simply, we need a new networking and security layer that provides cloud native visibility, security, and control of these high level abstractions in a way that is secure, seamless to deploy, and does not compromise application performance. That new layer is Cilium. 

Cilium is built around eBPF and runs within the Linux kernel, making it seamless to deploy and highly performant. Linux is the operating system for many of the nodes underlying Kubernetes. And wherever there’s Linux, security comes down to a kernel being asked to do something. Until recently, that kernel, while powerful, was relatively unintelligent, with layers of complexity built on top.

With eBPF, it’s possible to write a program and embed it directly into the kernel. A common analogy: eBPF brings to the Linux kernel what JavaScript brought to the browser. With eBPF, you can see and control what is happening at the API level, showing the remote API calls being invoked and the data that they are being passed. Cilium + eBPF is far more than API-aware visibility, it’s a fundamentally more powerful way to do networking in cloud environments, from traditional configurations on up, that allows for more robust program tracing, observability, and monitoring. But it’s hard to provide a full technical overview of something as foundational as eBPF and Cilium in a blog post such as this, so rather than attempt to do that, I strongly recommend you watch this video from Isovalent Cofounder Thomas Graf.

Building something like Cilium, and an enterprise offering around it, is no small feat. There are few teams in the industry who have the right combined background of low-level networking, Linux kernel intervals, large distributed systems, and open source community building to pull it off. We believe that the team at Isovalent is hands down the most equipped for the job, not just because of their work creating eBPF and Cilium, but because they have decades of experiences in the foundational technologies that led up to it.

Dan Wendlandt along with Thomas, the cofounders of Isovalent, are two of the most respected talents in the software defined networking space. Thomas, the CTO, is one of the leading engineers and architects of networking in Linux in the world. He’s also the original creator of Cilium, and along with Isovalent’s Daniel Borkmann, was foundational in turning eBPF into an industry-wide movement.

I first met Dan, the CEO, when we were both at Stanford. At the time I was TA’ing an undergraduate networking course and he was the top student in the class. Dan joined me in the very earliest days at Nicira, where we built out a software networking layer for virtualized data centers, which became a multi-billion dollar product line within VMware. 

Dan, Thomas, and I have been working in this space for over a decade and we’ve always shared as our north star a belief that networking and security must be decoupled from low-level abstractions, like IPs and ports, and instead operate at a higher layer that aligns with how developers, DeVOps, and SecOPs teams already think about their applications. Until just recently, the supporting technologies simply didn’t exist for such a solution. But that all changed with Kubernetes and eBPF. 

With Isovalent, Dan and Thomas have put together the best team in the industry to develop the best networking and security technologies for Kubernetes. We strongly believe they are well on their way to upending networking yet again. 

 

***