Cilium - service mesh without sidecar explained!

Cilium is an open-source, lightweight network, and security solution for containers and microservices. It uses the Linux kernel’s BPF (Berkeley Packet Filter) technology to provide transparency, visibility, and security for containers and microservices. Cilium provides a flexible way to containerize and microservice-ify applications without being tied to any specific orchestration solution.

CNCF has announced the availability of the first stable release of a new exciting option to run Cilium as a service mesh completely without sidecars while supporting a variety of different control plane options. It complements the already existing sidecar-based Istio integration that has been available as part of Cilium so far.

Wait, first understand the service mesh

By Definition,

service mesh is a dedicated infrastructure layer for facilitating service-to-service communications between services or microservices, using a proxy

What if you wanted to control, monitor, and secure all microservice communication? A service mesh comes into play in this situation.

A service mesh is a tool that provides an abstraction layer for microservices. They provide intelligent routing, resiliency, and load-balancing capabilities between services with better fault tolerance than traditional solutions.

What service mesh does is essentially manages the traffic flow between multiple microservices primarily using a sidecar proxy.

Traffic flow management between microservices

There are many benefits from using a service mesh including increased security by providing communication encryption, simplified debugging processes through observability tools, as well as higher availability due to smart failover features and horizontal scalability with distributed tracing across containers or machines.

For a deeper dive into service meshes, check out “What is a Service Mesh?”

Cilium Service Mesh Intro:

Cilium has evolved into a service mesh, just a little different from those we’re used to seeing. We are used to service meshes that run a sidecar alongside your application pod and proxy all incoming and outgoing traffic. They manage TLS, service discovery, retries, load balancing, etc. All in all, they make our lives a lot easier since we don’t need to manage all this logic inside our application code.

Cilium Service Mesh provides:

1. Sidecar-free path

• use eBPF when possible, fallback to Envoy
• Native performance and latency
• MTLS support for any network traffic

2. Envoy CRD

3. You can bring the control plane of your choice

4. Observability integration

Why “Cilium Service Mesh” over others?

The Cilium service mesh now offers a side-car (Istio Integration) or side-car free option.

Evolution of Service

Cilium Service Mesh is an evolution in the service mesh because it is provided in a kernel.

Thomas Graf, Founder of Cilium says:

“Enterprises want the ability to choose sidecars or sidecar-less, and they want a high-performance data plane powered by eBPF and Envoy that allows them to choose the best control plane for their use case. By combining the well-proven Envoy proxy with kernel-level eBPF technology, Cilium Service Mesh is giving enterprises the best possible service mesh performance, while also allowing them to choose between a sidecar or sidecar-less model.”

So, that means users now have the option to run a service mesh with sidecars or without them thanks to this initial version of Cilium Service Mesh. When to best use which model depends on various factors including overhead, resource management, failure domain, and security considerations. In fact, the trade-offs are quite similar to virtual machines and containers. VMs provide stricter isolation. Containers are lighter, able to share resources and offer fair distribution of the available resources. As a result, containers often boost deployment density at the expense of more difficult resource management and security issues. With Cilium Service Mesh, you have both options available in your platform and can even run a mix of the two.

Cilium Service Mesh on top of the existing networking, security, and observability function of Cilium. It gives users choice:

• Control Plane: Choice of control plane options for the ideal balance of complexity and richness. From simpler options such as Ingress and Gateway API, to richer options with Istio, to the full power of Envoy via the Envoy CRD.
• Sidecar vs Sidecar-free: Choice of a datapath with or without sidecars. Sidecars with VM-style resource isolation at increased overhead and cost, or container-style shared resources at the cost of requiring to manage the shared resource usage.

End note: Cilium is a new way of looking at service mesh and it comes with tons of added benefits. Surely, it is not as mature as the old players like Istio, but given their roadmaps, I believe there’s a new wave coming.

Learning Resources:

https://www.youtube.com/@CloudNativeIslamabad

Contact me here to get my services:

https://www.fiverr.com/ethsoliditydev/develop-a-smart-contract-in-solidity-for-ethereum-blockchain