nebius/cilium
forked from cilium/cilium
Description: eBPF-based Networking, Security, and Observability
Language: Go
License: Apache-2.0
Stars: 0
Forks: 0
Open issues: 0
Created: 2024-01-22T15:04:09Z
Pushed: 2026-01-27T12:41:16Z
Default branch: main
Fork: yes
Parent repository: cilium/cilium
Archived: no
README:
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.
Cilium implements distributed load balancing for traffic between pods and to external services, and is able to fully replace kube-proxy, using efficient hash tables in eBPF allowing for almost unlimited scale. It also supports advanced functionality like integrated ingress and egress gateway, bandwidth management and service mesh, and provides deep network and security visibility and monitoring.
A new Linux kernel technology called eBPF_ is at the foundation of Cilium. It supports dynamic insertion of eBPF bytecode into the Linux kernel at various integration points such as: network IO, application sockets, and tracepoints to implement security, networking and visibility logic. eBPF is highly efficient and flexible. To learn more about eBPF, visit eBPF.io_.

.. image:: Documentation/images/cilium-overview.png
   :alt: Overview of Cilium features for networking, observability, service mesh, and runtime security

Stable Releases
===============
The Cilium community maintains minor stable releases for the last three minor Cilium versions. Older Cilium stable versions from minor releases prior to that are considered EOL.
For upgrades to new minor releases please consult the `Cilium Upgrade Guide`_.
Listed below are the actively maintained release branches along with their latest patch release, corresponding image pull tags and their release notes:

+-------+------------+------------------------------------+---------------+
| v1.18 | 2026-01-13 | ``quay.io/cilium/cilium:v1.18.6``  | Release Notes |
+-------+------------+------------------------------------+---------------+
| v1.17 | 2026-01-13 | ``quay.io/cilium/cilium:v1.17.12`` | Release Notes |
+-------+------------+------------------------------------+---------------+
| v1.16 | 2026-01-13 | ``quay.io/cilium/cilium:v1.16.19`` | Release Notes |
+-------+------------+------------------------------------+---------------+

Architectures
-------------
Cilium images are distributed for AMD64 and AArch64 architectures.
Software Bill of Materials
--------------------------

Starting with Cilium version 1.13.0, all images include a Software Bill of Materials (SBOM). The SBOM is generated in SPDX_ format. More information on this is available on `Cilium SBOM`_.

.. _SPDX: https://spdx.dev/
.. _Cilium SBOM: https://docs.cilium.io/en/latest/configuration/sbom/

Development
===========
For development and testing purposes, the Cilium community publishes snapshots, early release candidates (RC) and CI container images built from the main branch. These images are not for use in production.

For testing upgrades to new development releases please consult the latest development build of the `Cilium Upgrade Guide`_.
Listed below are branches for testing along with their snapshots or RC releases, corresponding image pull tags and their release notes where applicable:

+--------------+------------+----------------------------------------+---------------+
| main         | daily      | ``quay.io/cilium/cilium-ci:latest``    | N/A           |
+--------------+------------+----------------------------------------+---------------+
| v1.19.0-rc.0 | 2026-01-15 | ``quay.io/cilium/cilium:v1.19.0-rc.0`` | Release Notes |
+--------------+------------+----------------------------------------+---------------+

Functionality Overview
======================
.. begin-functionality-overview
CNI (Container Network Interface)
---------------------------------
Cilium as a CNI plugin provides a fast, scalable, and secure networking layer for Kubernetes clusters. Built on eBPF, it offers several deployment options:

- Overlay networking: encapsulation-based virtual network spanning all
  hosts with support for VXLAN and Geneve. It works on almost any network
  infrastructure as the only requirement is IP connectivity between hosts
  which is typically already given.
- Native routing mode: Use of the regular routing table of the Linux
  host. The network is required to be capable of routing the IP addresses
  of the application containers. It integrates with cloud routers, routing
  daemons, and IPv6-native infrastructure.
- Flexible routing options: Cilium can automate route learning and
  advertisement in common topologies such as using L2 neighbor discovery
  when nodes share a layer 2 domain, or BGP when routing across layer 3
  boundaries.

Each mode is designed for maximum interoperability with existing infrastructure while minimizing operational burden.
Load Balancing
--------------
Cilium implements distributed load balancing for traffic between application containers and to/from external services. The load balancing is implemented in eBPF using efficient hashtables enabling high service density and low latency at scale.
- East-west load balancing rewrites service connections at the socket…