Containerization: Cilium 1.12 offers service mesh alternative to Istio

In addition to the sidecar-based integration of Istio, the open source network tool Cilium 1.12 now also provides a service mesh that does not require a sidecar.

The Cloud Native Computing Foundation (CNCF) has announced the release of Cilium 1.12. The open source tool, designed to secure network connections between containerized applications, now contains its own service mesh that does not require a sidecar and is therefore an alternative to the Istio integration. Also new in release 1.12 is an ingress controller that is fully compliant with Kubernetes and, like Cilium itself, is based on Envoy and eBPF.

With the release of the new version, the Cilium Service Mesh is officially considered stable and released for production use. Alongside Istio, users thus get another service mesh option that can be used without a sidecar and also allows a number of control plane options, as Isovalent CTO and Cilium developer Thomas Graf emphasizes in the blog post announcing Cilium 1.12. Like the ClusterMesh function for managing cross-cluster services, the Cilium Service Mesh uses native Kubernetes resources and is based on the proven data plane of the Envoy proxy and the kernel sandboxing technology eBPF.

CiliumEnvoyConfig (CEC) is a new low-level abstraction that allows Envoy proxies to be programmed directly for more complex L7 application scenarios via Custom Resource Definitions (CRDs) in Kubernetes. In future releases, the Cilium team intends to add more control plane options such as the Kubernetes Gateway API, which should also extend compatibility with service meshes like Istio that have already embarked on the path towards the Gateway API.

 

The Egress Gateway, previously only available as a beta, has now also reached stable status in Cilium 1.12. Connections to external legacy workloads can be forwarded via dedicated gateway nodes. To ensure integration with firewalls that require static IP addresses, the source IP addresses can be masqueraded accordingly. In combination with ClusterMesh, external workload requests that arrive on other clusters in the mesh can also be processed.

Other innovations in Cilium 1.12 include the Tetragon component, which is intended to provide more extensive security observability on the basis of eBPF, for example to make it possible to respond in a targeted way to security-relevant events. More details and a complete overview of all changes in the new Cilium release can be found in the CNCF blog post and on the project website.
