Software Engineering Daily
Episode: Cilium, eBPF, and Modern Kubernetes Networking
Guest: Bill Mulligan (Cilium Maintainer @ Isovalent)
Date: March 26, 2026
Overview
This episode explores how eBPF (extended Berkeley Packet Filter) is transforming Linux kernel development and enabling cloud-native networking with Cilium, one of the most widely adopted Kubernetes networking projects. With Bill Mulligan, maintainer at Isovalent (the creators of Cilium), the discussion delves into the origins and technical innovations of eBPF and Cilium, compares classic and modern networking approaches, outlines Cilium’s feature set, community impact, and looks ahead at the trajectory of cloud-native networking.
Key Discussion Points and Insights
1. Bill Mulligan’s Journey to Cilium
- Non-traditional background:
  - Started in biochemistry and social science, transitioned to tech and cloud-native startups (02:20).
- Pathway to Isovalent:
  - Experience at CNCF (Cloud Native Computing Foundation).
  - Joined Isovalent as Cilium gained traction in the Kubernetes community (02:20–03:27).
2. CNCF, Isovalent, and Project Governance
- CNCF (Cloud Native Computing Foundation):
  - Sub-foundation of the Linux Foundation. Hosts core cloud-native projects, especially Kubernetes and its ecosystem (03:40).
- Cilium’s Relationship with Isovalent:
  - Cilium originated at Isovalent, then donated to CNCF for neutral governance. Isovalent builds commercial products around Cilium (03:40–05:16).
- Commit history:
  - First Cilium commit in Dec 2015, now almost a decade of open source development (05:16).
3. Demystifying eBPF
- What is eBPF?
  - “eBPF is to the kernel what JavaScript is to the browser.” (06:23)
  - Lets users safely run sandboxed programs directly in the kernel, enabling dynamic and programmable infrastructure without needing to patch or upgrade the kernel itself (06:23–11:50).
- Why is eBPF revolutionary?
  - eBPF allows features to be rapidly developed and deployed compared to slow, conservative kernel releases.
  - Ensures safety via verification: programs are checked to ensure they won’t crash the kernel.
  - Real-world stake: CrowdStrike Windows kernel incident cited as an example of why safety is critical (11:50).
Notable Quote:
"What eBPF allows you to do is to actually add functionality on the fly into the Linux kernel."
— Bill Mulligan [08:50]
4. The Origins and Strengths of Cilium
- Containerization needs new networking:
  - Traditional Linux networking (iptables, static IPs) is ill-suited to Kubernetes’ ever-changing, ephemeral world (14:47).
- Cilium’s innovations:
  - Replaces iptables and kube-proxy with fast, hash-map-based eBPF programs for massive scalability (14:47–19:50).
  - Shifts from IP-based to identity/label-based policy — making policies more robust and manageable as containers churn.
Notable Quote:
"Cilium switched the whole networking model from this IP-based model to this identity-based model...so as we kind of rotate the containers behind these labels, it doesn’t actually matter."
— Bill Mulligan [17:22]
- Analogy to IAM:
  - Identity-based approach is similar to modern access management in cloud platforms: “You probably give them one identity to something like Okta, and then Okta provides the identity out to all the other services.” (20:14)
5. Cilium Feature Set
Network Policies
- Why are they important?
  - Secure workload isolation, tenant separation — e.g., Bloomberg’s data studio use case (23:25).
- Advanced capabilities:
  - Layer 7 (application layer) policies, multi-cluster policy, broader and deeper control versus basic CNIs (23:25–27:11).
Notable Quote:
"Kubernetes gives you basic network policy. And Cilium allows you to do much more advanced use cases around network policy."
— Bill Mulligan [26:19]
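As an added illustration of the identity-based, layer 7-aware policy model discussed in sections 4 and 5 (an example written for these notes, not Cilium’s own code): a toy Python model that derives a numeric identity from a pod’s label set, compiles a label-selector policy into an identity-keyed allow map, and evaluates requests against it next to an IP-keyed allowlist. The pod labels and HTTP path are borrowed from the “Death Star” demo referenced at the end of these notes; the identity numbering, data structures and evaluation order are this example’s own simplification.

```python
"""Toy model of identity-based policy (Cilium-style) vs an IP-based allowlist.
Added example, not Cilium source: a pod's label set maps to a numeric identity and
policy is keyed by identity, so a rescheduled pod with new IP keeps its verdict."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Labels = FrozenSet[Tuple[str, str]]

def labels(kv: Dict[str, str]) -> Labels:
    return frozenset(kv.items())

@dataclass(frozen=True)
class Pod:
    name: str
    ip: str
    labels: Labels

@dataclass(frozen=True)
class Request:
    src: Pod
    dst: Pod
    port: int
    method: str
    path: str

@dataclass(frozen=True)
class HttpRule:
    method: str
    path: str

@dataclass(frozen=True)
class LabelPolicy:
    """Pods matching `to` accept `port` from pods matching `frm`; `http` adds L7 filtering."""
    to: Labels
    frm: Labels
    port: int
    http: Tuple[HttpRule, ...] = ()

class IdentityAllocator:
    """Same label set -> same identity, whatever the pod name or IP (numbering is constructed)."""
    def __init__(self) -> None:
        self._ids: Dict[Labels, int] = {}

    def identity(self, lbls: Labels) -> int:
        if lbls not in self._ids:
            self._ids[lbls] = 10000 + len(self._ids)
        return self._ids[lbls]

    def known(self) -> Dict[Labels, int]:
        return dict(self._ids)

PolicyMap = Dict[Tuple[int, int, int], Tuple[HttpRule, ...]]

def compile_policy(policy: LabelPolicy, alloc: IdentityAllocator) -> PolicyMap:
    """Resolve selectors against known identities into (src_id, dst_id, port) -> L7 rules."""
    pm: PolicyMap = {}
    known = alloc.known()
    for dst_lbls, dst_id in known.items():
        if not policy.to <= dst_lbls:
            continue
        for src_lbls, src_id in known.items():
            if policy.frm <= src_lbls:
                pm[(src_id, dst_id, policy.port)] = policy.http
    return pm

def verdict_ip(allow: Set[Tuple[str, str, int]], req: Request) -> str:
    """IP-keyed allowlist, the shape an iptables-style rule set has."""
    return "ALLOW" if (req.src.ip, req.dst.ip, req.port) in allow else "DENY"

def verdict_identity(pm: PolicyMap, alloc: IdentityAllocator, req: Request) -> str:
    key = (alloc.identity(req.src.labels), alloc.identity(req.dst.labels), req.port)
    if key not in pm:
        return "DENY"  # L3/L4 drop: this identity pair is not allowed on this port
    http = pm[key]
    if not http:
        return "ALLOW"  # L3/L4-only rule, nothing to inspect at L7
    if any(r.method == req.method and r.path == req.path for r in http):
        return "ALLOW"
    return "DENY"  # L7 drop: identities allowed, this HTTP request is not

def demo() -> Dict[str, str]:
    alloc = IdentityAllocator()
    deathstar = Pod("deathstar-1", "10.0.0.10", labels({"org": "empire", "class": "deathstar"}))
    tiefighter = Pod("tiefighter-1", "10.0.1.20", labels({"org": "empire", "class": "tiefighter"}))
    xwing = Pod("xwing-1", "10.0.2.30", labels({"org": "alliance", "class": "xwing"}))
    for p in (deathstar, tiefighter, xwing):
        alloc.identity(p.labels)
    policy = LabelPolicy(to=labels({"org": "empire", "class": "deathstar"}),
                         frm=labels({"org": "empire"}), port=80,
                         http=(HttpRule("POST", "/v1/request-landing"),))
    pm = compile_policy(policy, alloc)
    ip_allow = {(tiefighter.ip, deathstar.ip, 80)}  # the equivalent IP-based rule

    def land(src: Pod) -> Request:
        return Request(src, deathstar, 80, "POST", "/v1/request-landing")

    # Churn: the tiefighter pod is rescheduled with a new IP but the same labels.
    tiefighter2 = Pod("tiefighter-2", "10.0.1.77", tiefighter.labels)
    return {
        "tiefighter_ip": verdict_ip(ip_allow, land(tiefighter)),
        "tiefighter_identity": verdict_identity(pm, alloc, land(tiefighter)),
        "xwing_identity": verdict_identity(pm, alloc, land(xwing)),
        "exhaust_port_identity": verdict_identity(
            pm, alloc, Request(tiefighter, deathstar, 80, "PUT", "/v1/exhaust-port")),
        "after_churn_ip": verdict_ip(ip_allow, land(tiefighter2)),
        "after_churn_identity": verdict_identity(pm, alloc, land(tiefighter2)),
    }
```

Running `demo()` shows the point of the episode’s argument: the IP allowlist stops matching the moment the tiefighter pod is rescheduled, while the identity-keyed map still allows it, still rejects the x-wing at L3/L4, and still rejects the `PUT /v1/exhaust-port` request at L7.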
Service Mesh
- Definition and critique:
  - Service Mesh: networking, observability, security features at layer 7 to support microservices.
  - Bill’s take: Service Mesh is a “nebulous” term—"Service mesh, I think, can’t be its own standing lone category. You need to think of it in the context of your whole networking stack." (27:26–33:41)
  - Cilium unsurprisingly covers most service mesh features natively; what’s often missing from other meshes is the holistic, full-stack context that Cilium provides.
Notable Quote:
"People aren’t trying to solve 'Service Mesh' as a problem. What they’re trying to solve is, okay, we need to do layer 7 routing…layer 7 network security. That’s the actual problem you’re trying to solve."
— Bill Mulligan [31:19]
Observability with Hubble
- What is Hubble?
  - Real-time network observability built on eBPF; exposes fine-grained flow logs, visual maps, and debugging insight (34:13).
- Why users love it:
  - Example: ESNet cited Hubble as reducing days of troubleshooting to 30 seconds (34:13).
  - Surfaces not just valid flows, but crucially where traffic is dropped (policies, misconfigs).
- Traditional tooling falls short:
  - tcpdump and similar tools are limited in the eBPF world; Hubble and pwru (“Packet, where are you?”) close the new visibility gap (37:13–39:00).
Notable Quote:
"Hubble’s a godsend. It lets me — what used to take multiple days of engineering time, I can now solve in 30 seconds."
— Bill Mulligan quoting ESNet [34:13]
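As an added example of the kind of triage the Hubble section describes (written for these notes, not Hubble’s or Cilium’s code): a short Python script that reads newline-delimited flow records in the shape of `hubble observe -o json` output, keeps only dropped flows, and aggregates them by source pod, destination pod, protocol, port and drop reason, which is the “where is traffic being dropped and why” question the episode credits Hubble with answering. The sample records are constructed, and the field names used (`verdict`, `drop_reason_desc`, `l4.TCP.destination_port`, `source.pod_name`, ...) are an assumption modeled on Hubble’s JSON output; check them against the Hubble version you run.

```python
"""Aggregate dropped flows from Hubble-style JSON flow records.
Added example for these notes; not Hubble code. Field names are an assumption
modeled on `hubble observe -o json` output."""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample: four pod-to-pod flows plus one non-flow event line.
SAMPLE_FLOWS = """\
{"flow":{"time":"2026-03-26T10:00:01Z","verdict":"FORWARDED","IP":{"source":"10.0.1.20","destination":"10.0.0.10"},"l4":{"TCP":{"source_port":51000,"destination_port":80}},"source":{"namespace":"default","pod_name":"tiefighter","labels":["k8s:class=tiefighter","k8s:org=empire"]},"destination":{"namespace":"default","pod_name":"deathstar-1","labels":["k8s:class=deathstar","k8s:org=empire"]},"Type":"L3_L4"}}
{"flow":{"time":"2026-03-26T10:00:02Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.2.30","destination":"10.0.0.10"},"l4":{"TCP":{"source_port":40210,"destination_port":80}},"source":{"namespace":"default","pod_name":"xwing","labels":["k8s:class=xwing","k8s:org=alliance"]},"destination":{"namespace":"default","pod_name":"deathstar-1","labels":["k8s:class=deathstar","k8s:org=empire"]},"Type":"L3_L4"}}
{"node_status":{"state_change":"NODE_CONNECTED"}}
{"flow":{"time":"2026-03-26T10:00:05Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.2.30","destination":"10.0.0.10"},"l4":{"TCP":{"source_port":40211,"destination_port":80}},"source":{"namespace":"default","pod_name":"xwing","labels":["k8s:class=xwing","k8s:org=alliance"]},"destination":{"namespace":"default","pod_name":"deathstar-1","labels":["k8s:class=deathstar","k8s:org=empire"]},"Type":"L3_L4"}}
{"flow":{"time":"2026-03-26T10:00:06Z","verdict":"FORWARDED","IP":{"source":"10.0.0.10","destination":"10.0.3.5"},"l4":{"UDP":{"source_port":53111,"destination_port":53}},"source":{"namespace":"default","pod_name":"deathstar-1","labels":["k8s:class=deathstar","k8s:org=empire"]},"destination":{"namespace":"kube-system","pod_name":"coredns-1","labels":["k8s:k8s-app=kube-dns"]},"Type":"L3_L4"}}
{"flow":{"time":"2026-03-26T10:00:07Z","verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.20","destination":"10.0.0.10"},"l4":{"TCP":{"source_port":51002,"destination_port":443}},"source":{"namespace":"default","pod_name":"tiefighter","labels":["k8s:class=tiefighter","k8s:org=empire"]},"destination":{"namespace":"default","pod_name":"deathstar-1","labels":["k8s:class=deathstar","k8s:org=empire"]},"Type":"L3_L4"}}
"""

DropKey = Tuple[str, str, str, int, str]  # (src, dst, proto, dport, reason)

def parse_flows(text: str) -> List[dict]:
    """Return the inner `flow` objects; skip blank, malformed or non-flow lines."""
    flows: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            flows.append(json.loads(line)["flow"])
        except (ValueError, KeyError, TypeError):
            continue  # truncated line or a non-flow event such as a node status
    return flows

def _endpoint(ep: dict) -> str:
    return f"{ep.get('namespace', '?')}/{ep.get('pod_name', '?')}"

def _l4(flow: dict) -> Tuple[str, int]:
    l4 = flow.get("l4", {})
    for proto in ("TCP", "UDP"):
        if proto in l4:
            return proto, int(l4[proto].get("destination_port", 0))
    return "?", 0

def drop_summary(flows: Iterable[dict]) -> Dict[DropKey, Dict[str, object]]:
    """Group DROPPED flows by (src, dst, proto, dport, reason) with count and time window."""
    out: Dict[DropKey, Dict[str, object]] = {}
    for f in flows:
        if f.get("verdict") != "DROPPED":
            continue
        proto, dport = _l4(f)
        key: DropKey = (_endpoint(f.get("source", {})), _endpoint(f.get("destination", {})),
                        proto, dport, f.get("drop_reason_desc", "UNKNOWN"))
        t = f.get("time", "")
        entry = out.setdefault(key, {"count": 0, "first": t, "last": t})
        entry["count"] = int(entry["count"]) + 1
        entry["first"] = min(str(entry["first"]), t)  # ISO-8601 strings sort chronologically
        entry["last"] = max(str(entry["last"]), t)
    return out

def top_drops(text: str, n: int = 10) -> List[Tuple[DropKey, int]]:
    """Most frequent drop tuples first; ties broken by key for a stable order."""
    summary = drop_summary(parse_flows(text))
    ranked = sorted(summary.items(), key=lambda kv: (-int(kv[1]["count"]), kv[0]))
    return [(key, int(entry["count"])) for key, entry in ranked[:n]]

if __name__ == "__main__":
    for (src, dst, proto, dport, reason), count in top_drops(SAMPLE_FLOWS):
        print(f"{count:4d}  {src} -> {dst}  {proto}/{dport}  {reason}")
```

On the constructed sample the script ranks the two x-wing attempts against the Death Star on TCP/80 first, then the single tiefighter attempt on TCP/443, both as `POLICY_DENIED`; the forwarded flows and the node status line are left out. Feeding it real output from `hubble observe -o json` would give the same ranked view of policy drops, which is the table a platform team wants when a policy rollout starts breaking something.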
6. Cilium’s Architecture and Operation
- Cilium agent & operator:
  - Runs as a DaemonSet, installs BPF programs per node; separation of control (agent/operator) from data plane (kernel BPF programs) (39:36–42:32).
- Layer 7 routing via Envoy:
  - Envoy integrates for advanced application-layer tasks (42:32).
- Incremental rollout:
  - Easy install in greenfield (managed K8s: often default; on-prem: Helm chart); supports CNI chaining for migration, enabling gradual adoption without downtime (43:10–48:27).
Notable Quote:
"The cool thing about Cilium is it’s not like a big bang...it actually allows a lot of incremental things."
— Bill Mulligan [44:44]
7. Open Source Trajectory and Community
- Massive contributor growth:
  - 1,000 contributors as of October 2025 — third-largest CNCF project (after Kubernetes), now the second largest (49:00).
- Typical contributor:
  - Often platform teams using Cilium in production and contributing fixes or missing capabilities (50:44).
- Governance and ecosystem:
  - Contributions from end-users, platform engineers, and major cloud providers (Google, Microsoft).
8. The Roadmap (2026 and Beyond)
- IPv6:
  - Real-world, large-scale adoption (by ESNet, TikTok) now driving parity and features (52:08).
- KubeVirt and VM integration:
  - Cilium working towards networking VMs inside Kubernetes with high performance using NetKit (53:00).
- NetKit:
  - Now available; reduces container and VM networking overhead by passing packets directly into workloads from the NIC (55:18–56:01).
- VM migration/connectivity:
  - Bridging networking between K8s/container estate and legacy VM estate is a key investment area.
Memorable Quotes (with Timestamps)
- eBPF as a paradigm shift:
  “What eBPF allows you to do is to actually add functionality on the fly into the Linux kernel.” — Bill Mulligan [08:50]
- Why Cilium ditched IPs:
  “Cilium switched the whole networking model from this IP-based model to this identity-based model...so as we kind of rotate the containers behind these labels, it doesn’t actually matter.” — Bill Mulligan [17:22]
- Hubble's impact:
  “Hubble’s a godsend. It lets me — what used to take multiple days of engineering time, I can now solve it in 30 seconds.” — Bill Mulligan (quoting ESNet) [34:13]
- On Service Meshes:
  “People aren’t trying to solve ‘Service Mesh’ as a problem. What they’re trying to solve is ... we need to do layer 7 routing ... layer 7 network security. That’s the actual problem you’re trying to solve.” — Bill Mulligan [31:19]
- On open source growth:
  “Cilium is, depending on how you look at it, in the top three projects in the Cloud Native Computing Foundation...Now the second largest.” — Bill Mulligan [49:00]
Important Timestamps
- 03:40: Relationship between Cilium, Isovalent, and CNCF.
- 06:23: What is eBPF and why it matters.
- 11:50: Safety and verification in eBPF, classic vs. extended BPF history.
- 14:47: The shift from IPs to identity in networking.
- 23:25: How Cilium implements policy and why it excels.
- 27:19: Breaking down "service mesh" and Cilium's integration.
- 34:13: Hubble for observability and real-world troubleshooting.
- 39:36: Technical architecture: agent, operator, data plane, and Envoy.
- 43:10: Installation, migration, and CNI chaining.
- 49:00: Contributor count and open source stats.
- 52:08: Roadmap: IPv6, VMs, NetKit.
Getting Started and Next Steps
- Best way to learn Cilium:
  - cilium.io for documentation, feature guides, outcome-based pages, and interactive labs (56:17–58:29).
  - Labs include practical hands-on sessions (no cluster setup needed), like the famous "Death Star" network policy demo.
Notable Resources Mentioned:
- Cilium docs and website
- Cilium Slack for community
- In-depth interactive labs for learning
Final Thoughts
The conversation highlighted how cloud-native networking is undergoing a revolution driven by programmable kernels, eBPF, and flexible solutions like Cilium. The project’s identity-based approach, superb observability with Hubble, and migration-friendly architecture position it as both a pragmatic and forward-thinking solution for Kubernetes networking, with a future keenly focused on further performance, scalability, and seamless interoperability across infrastructure layers.
For anyone seeking to understand or adopt state-of-the-art Kubernetes networking, this episode offers clarity—bridging foundational tech, real user stories, and an eye toward the future.
