cilium - HTTP, gRPC, and Kafka Aware Security and Networking for Containers with BPF and XDP


Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services, and at Layer 7 to protect and secure the use of modern application protocols such as HTTP, gRPC and Kafka. Cilium integrates with common orchestration frameworks such as Kubernetes and Mesos. The Linux kernel technology BPF is at the foundation of Cilium: it allows BPF bytecode to be inserted dynamically into the running kernel at integration points such as network I/O, application sockets and tracepoints, and Cilium uses it to implement its security, networking and visibility logic. Because BPF programs are verified by the kernel before they are loaded and then JIT-compiled, BPF is both safe to extend and highly efficient. To learn more about BPF, read the project's extensive BPF and XDP Reference Guide.
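As an added example of the L3/L4 plus L7 model described above (illustrative policy written for this page, not taken from the Cilium repository; the namespace, labels and paths are assumptions), a CiliumNetworkPolicy that lets pods labelled app=frontend reach app=backend on TCP port 80, but only for GET requests under /api/v1/ and to /healthz:

```yaml
# Added example, not from the Cilium project; namespace, labels and paths are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-api-readonly
  namespace: shop            # assumed namespace
spec:
  # L3: the policy is attached to every endpoint (pod) carrying this label.
  # Once an endpoint is selected by any policy, traffic not explicitly
  # allowed is dropped (default deny).
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # L3: only endpoints labelled app=frontend in the same namespace may connect.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # L4: ... and only on TCP/80.
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7: the presence of a rules block redirects this port through Cilium's
      # proxy; each request is matched against the list below. A request that
      # passes L3/L4 but matches no L7 rule is answered with HTTP 403 by the
      # proxy rather than reaching the backend.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"   # path is matched as a regular expression
        - method: "GET"
          path: "/healthz"
```

Apply with `kubectl apply -f` on a cluster running Cilium and verify from a frontend pod that `GET /api/v1/items` succeeds while `POST /api/v1/items` or `GET /admin` returns 403. A Kafka-aware rule has the same shape with a `kafka:` list (fields such as `role: produce` and `topic:`) under `rules:` instead of `http:`. Two caveats a practitioner should keep in mind: L7 rules only apply to the listed port, so a service that also listens elsewhere needs its own entry, and `fromEndpoints` label matches are scoped to the policy's namespace unless the namespace label is given explicitly.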

https://github.com/cilium/cilium

Related Projects

Weave - Simple, Resilient Multi-host Docker Networking

  •    Go

Weave is a simple, portable and reliable way to network and manage containers and microservices. It provides a simple and resilient network for your application that is portable across data centers and public clouds. Weave Net creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery.

amazon-vpc-cni-k8s - Networking plugin repository for pod networking in Kubernetes using Elastic Network Interfaces on AWS

  •    Go

Networking plugin for pod networking in Kubernetes using Elastic Network Interfaces on AWS. Alpha: this is an experimental release as part of the Amazon EKS Preview. Interfaces and functionality may change. Expect bugs (and please help us squash them). DO NOT use for production workloads.

cni - Container Network Interface - networking for Linux containers

  •    Go

There is a community sync meeting for users and developers every 1-2 months. The next meeting will be held on a Google Hangout; the link is in the agenda document, which also holds the notes from previous meetings. The next meeting will be held on Wednesday, January 30th, 2019 at 4:00pm UTC / 11:00am EST / 8:00am PST.

multus-cni - Multi-homed pod cni

  •    Go

Please check the CNI documentation for more information on container networking. Multus may be deployed as a Daemonset, and is provided in this guide along with Flannel. Flannel is deployed as a pod-to-pod network that is used as our "default network". Each network attachment is made in addition to this default network.

Kong - The Microservice API Gateway

  •    Lua

Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway, API Middleware or in some cases Service Mesh). Backed by the battle-tested NGINX with a focus on high performance, Kong was made available as an open-source platform in 2015. Under active development, Kong is used in production at thousands of organizations from startups, Global 5000 and Government organizations.


pipeline - Pipeline enables developers to go from commit to scale in minutes by turning Kubernetes into a feature rich application platform integrating CI/CD, centralized logging, monitoring, enterprise-grade security and autoscaling

  •    Go

Banzai Pipeline, or simply Pipeline, is a reef break on Oahu's North Shore in Hawaii, the most famous and infamous reef in the universe and the benchmark by which all other waves are measured. This Pipeline enables developers to go from commit to scale in minutes by turning Kubernetes into a feature-rich application platform integrating CI/CD, centralized logging, monitoring, enterprise-grade security, cost management and autoscaling.

kube-ovn - An OVN-based Kubernetes Network Fabric for Enterprises

  •    Go

Kube-OVN integrates OVN-based network virtualization with Kubernetes to offer an advanced container network fabric for enterprises. The virtual switch, router and firewall are distributed across all nodes rather than hosted on a central gateway, so the in-cluster network has no single point of failure.

scope - Monitoring, visualisation & management for Docker & Kubernetes

  •    Go

Weave Scope automatically generates a map of your application, enabling you to intuitively understand, monitor, and control your containerized, microservices-based application. Choose an overview of your container infrastructure, or focus on a specific microservice. Easily identify and correct issues to ensure the stability and performance of your containerized applications.

kubefwd - Bulk port forwarding Kubernetes services for local development.

  •    Go

Read Kubernetes Port Forwarding for Local Development for background and a detailed guide to kubefwd. kubefwd is a command line utility built to port forward some or all pods within a Kubernetes namespace. kubefwd uses the same port exposed by the service and forwards it from a loopback IP address on your local workstation. kubefwd temporarily adds entries to your /etc/hosts file for the service names it forwards, which is why it has to run with elevated privileges on the workstation.

netplugin - Container networking for various use cases

  •    Go

Getting-started videos are available on YouTube. This will provide you with a minimal experience of uploading the intent and seeing the netplugin system act on it. It will create a network on your host that lives behind an OVS bridge and has its own unique interfaces.

kube-router - Kube-router, a turnkey solution for Kubernetes networking.

  •    Go

Kube-router is a turnkey solution for Kubernetes networking that aims to provide operational simplicity and high performance. kube-router does it all.

gvisor - Container Runtime Sandbox

  •    Go

gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.
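As an added illustration of the Kubernetes integration mentioned above (written for this page, not taken from the gVisor repository; the RuntimeClass name, pod name and image are assumptions), a RuntimeClass that maps to the runsc handler and a pod that opts into it:

```yaml
# Added example, not from the gVisor project.
# The handler name must match a runtime that the node's CRI (containerd or
# CRI-O) has been configured to launch as runsc; "runsc" here is an assumption
# about that node configuration.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker          # assumed name
spec:
  runtimeClassName: gvisor        # run this pod inside the gVisor sandbox
  containers:
  - name: app
    image: example.com/worker:1.0  # assumed image
```

Only pods that set `runtimeClassName` are sandboxed; everything else keeps running on the node's default runtime, so enforce the field with an admission policy if the sandbox is meant to be mandatory. Because the Sentry reimplements the system call surface rather than passing calls to the host, a workload that depends on an unimplemented syscall or a host-specific device will fail inside the sandbox, and should be tested before being moved there.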

ambassador - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy

  •    Python

Ambassador is an open source Kubernetes-native API Gateway built on Envoy, designed for microservices. Ambassador essentially serves as an Envoy ingress controller, but with many more features. Ambassador deploys the Envoy Proxy for L7 traffic management. Configuration of Ambassador is via Kubernetes annotations. Ambassador relies on Kubernetes for scaling and resilience. For more on Ambassador's architecture and motivation, read this blog post.

felix - Project Calico's per-host agent Felix, responsible for programming routes and security policy

  •    Go

This repository contains the source code for Project Calico's per-host daemon, Felix. The best place to ask a question or get help from the community is the calico-users Slack channel. We also have an IRC channel.

kumuluz - Lightweight open-source framework for developing microservices using standard Java EE technologies and migrating Java EE to cloud-native architecture

  •    Java

KumuluzEE is a lightweight framework for developing microservices using standard Java/JavaEE/JakartaEE/EE4J technologies, extending them with Node.js, Go and other languages, and migrating existing applications to microservices and cloud-native architecture. KumuluzEE packages microservices as standalone JARs. KumuluzEE microservices are lightweight and optimized for size and start-up time. They fit perfectly with Docker containers. KumuluzEE microservices are fully compatible with Kubernetes.

Rancher - Complete container management platform

  •    Go

Rancher is an open source project that provides a complete platform for operating Docker in production. It provides infrastructure services such as multi-host networking, global and local load balancing, and volume snapshots. It integrates native Docker management capabilities such as Docker Machine and Docker Swarm. It offers a rich user experience that enables devops admins to operate Docker in production at large scale.

Telepresence - Local development against a remote Kubernetes or OpenShift cluster

  •    Python

Telepresence substitutes a two-way network proxy for your normal pod running in the Kubernetes cluster. This pod proxies data from your Kubernetes environment (e.g., TCP connections, environment variables, volumes) to the local process. The local process has its networking transparently overridden so that DNS calls and TCP connections are routed through the proxy to the remote Kubernetes cluster.

geard - geard is no longer maintained - see OpenShift 3 and Kubernetes

  •    Go

The geard agent exposes operations on containers needed for large scale orchestration in production environments, and tries to map those operations closely to the underlying concepts in Docker and systemd. It supports linking containers into logical groups (applications) across multiple hosts with iptables based local networking, shared environment files, and SSH access to containers. It is also a test bed for prototyping related container services that may eventually exist as Docker plugins, such as routing, event notification, and efficient idling and network activation. The gear daemon and local commands must run as root to interface with the Docker daemon over its Unix socket and with systemd over D-Bus.

sysdig-inspect - Sysdig Inspect - A powerful opensource interface for container troubleshooting and security investigation

  •    Javascript

Inspect's user interface is designed to intuitively navigate the data-dense sysdig captures that contain granular system, network, and application activity of a Linux system. Sysdig Inspect helps you understand trends, correlate metrics and find the needle in the haystack. It comes packed with features designed to support both performance and security investigations, with deep container introspection. To use Sysdig Inspect, you need capture files collected on Linux with sysdig.

kubeless - Kubernetes Native Serverless Framework

  •    Go

kubeless is a Kubernetes-native serverless framework that lets you deploy small bits of code without having to worry about the underlying infrastructure plumbing. It leverages Kubernetes resources to provide auto-scaling, API routing, monitoring, troubleshooting and more. Kubeless uses a Custom Resource Definition (CRD) so that functions are created as custom Kubernetes resources, and runs an in-cluster controller that watches these resources and launches runtimes on demand. The controller dynamically injects the function code into the runtimes and makes them available over HTTP or via a PubSub mechanism.