cilium-agent-fips

Chainguard Container for cilium-fips

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads using eBPF

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/cilium-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Cilium FIPS Containers

Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is the Linux kernel technology eBPF (extended Berkeley Packet Filter), which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

Hubble is a fully distributed networking and security observability platform built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

For details on how you can work with these Cilium FIPS container images, check out our guide on Getting Started with the Cilium Chainguard Containers on Chainguard Academy.

FIPS Support

The cilium-fips Chainguard Containers ship with FIPS-hardened cryptographic modules and libraries to meet federal compliance requirements. These images include validated redistributions of OpenSSL's FIPS provider module and use FIPS-approved algorithms for all cryptographic operations. The FIPS-enabled variants ensure that network encryption, certificate management, and security policy enforcement within Cilium components comply with FIPS 140-2 standards.

For more information on FIPS support in Chainguard Images, consult the guide on FIPS-enabled Chainguard Images on Chainguard Academy.
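A quick way to confirm that the OpenSSL FIPS provider is actually active in the image you pulled, rather than trusting the tag name. This is an added example, not code from the Chainguard page or the Cilium project. It assumes the image ships the `openssl` CLI, that `docker run --entrypoint` can override the entrypoint, that `openssl list -providers` prints the OpenSSL 3 report layout (a two-space-indented provider name followed by indented `status:` lines), and that only the FIPS and base providers are loaded so a non-approved digest such as MD5 is refused. The sample provider listings embedded below are constructed.

```shell
#!/bin/sh
# Added example (not from the Chainguard page or the Cilium project): verify that
# the OpenSSL FIPS provider is active inside a cilium-fips image.
# Assumptions: the image ships the `openssl` CLI, its entrypoint can be overridden
# with `docker run --entrypoint`, and `openssl list -providers` uses the OpenSSL 3
# report layout ("  <provider>" header lines followed by indented "status:" lines).

# fips_provider_active: reads `openssl list -providers` output on stdin and
# returns 0 only if a provider named "fips" reports "status: active".
fips_provider_active() {
    awk '
        /^  [^ ]/                               { prov = $1; next }   # "  fips" / "  default" header
        prov == "fips" && /status:[ \t]*active/ { found = 1 }
        END                                     { exit(found ? 0 : 1) }
    '
}

# nonfips_digest_rejected IMAGE: returns 0 if computing MD5 (not FIPS-approved)
# through the image's openssl fails, which is what you expect when only the FIPS
# and base providers are loaded. If MD5 works, the default provider is available
# and the image is not restricted to approved algorithms.
nonfips_digest_rejected() {
    image=$1
    if docker run --rm --entrypoint openssl "$image" dgst -md5 /dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_image_fips IMAGE: run both checks against a pulled image.
check_image_fips() {
    image=$1
    if ! docker run --rm --entrypoint openssl "$image" list -providers | fips_provider_active; then
        echo "FAIL: no active FIPS provider in $image" >&2
        return 1
    fi
    if ! nonfips_digest_rejected "$image"; then
        echo "FAIL: MD5 still usable in $image; FIPS restrictions not enforced" >&2
        return 1
    fi
    echo "OK: $image has an active FIPS provider and rejects non-approved digests"
}

# Constructed samples of `openssl list -providers` output, used to exercise the parser offline.
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

SAMPLE_NOFIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active'

# Live check only when an image is named, e.g.:
#   CILIUM_FIPS_IMAGE=cgr.dev/ORGANIZATION/cilium-fips:latest sh check-fips.sh
if [ -n "${CILIUM_FIPS_IMAGE:-}" ]; then
    check_image_fips "$CILIUM_FIPS_IMAGE"
fi
```

This verifies the OpenSSL module shipped in the image. Whether the Go-built Cilium binaries route their TLS and hashing through that module depends on how they were compiled, which this check does not prove; treat a passing result as necessary, not sufficient, and confirm the build details in the image's provenance and SBOM.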

Chainguard offers several Cilium FIPS images, as described in the next sections.

cilium-agent-fips

Cilium agents form the core data-plane component of Cilium, deployed as a DaemonSet on every node in the cluster. Each agent implements the Kubernetes Container Network Interface (CNI) plugin for its node and is responsible for several critical functions:

  • Network Policy Enforcement: Implements and enforces network security policies using eBPF programs loaded into the Linux kernel
  • Load Balancing: Provides Layer 3, 4, and 7 load balancing capabilities for services
  • Service Mesh Integration: Offers transparent service mesh functionality without requiring application changes
  • IP Address Management (IPAM): Manages IP address allocation for pods across the cluster
  • Network Connectivity: Establishes secure network connectivity between pods, both within and across nodes

Each agent contains an embedded Hubble server that provides deep visibility into network traffic, security events, and the overall health of the Kubernetes cluster. The agents communicate with the Cilium operator for cluster-wide coordination and with the Linux kernel through eBPF programs for high-performance data path operations.
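The policy model the agent enforces is easiest to see in a concrete CiliumNetworkPolicy that combines all three layers. The following is an added example, not code from the Chainguard page or the Cilium project; the namespace `shop`, the labels `app=frontend` and `app=api`, port 8080 and the `/api/` path prefix are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the Cilium project) showing the L3/L4/L7
# policy model enforced by cilium-agent. Names (namespace "shop", labels
# app=frontend / app=api, port 8080, path /api/) are illustrative assumptions.

# render_policy NS: prints a CiliumNetworkPolicy that allows only pods labelled
# app=frontend (L3) to reach app=api on TCP/8080 (L4), and only HTTP GETs under
# /api/ (L7). Because the policy selects app=api, every other ingress to those
# pods is dropped by the agent's eBPF datapath: selecting an endpoint makes it
# default-deny for the direction the policy covers.
render_policy() {
    ns=$1
    cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ingress
  namespace: ${ns}
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "^/api/.*$"
EOF
}

# policy_is_l7: returns 0 if a rendered manifest carries an HTTP rule, meaning
# the agent will redirect that port through its L7 proxy instead of enforcing
# at L3/L4 only. Reads the manifest on stdin.
policy_is_l7() {
    grep -q '^        http:'
}

# apply_policy NS: render and apply to the current kubeconfig context.
apply_policy() {
    render_policy "$1" | kubectl apply -f -
}

# Live usage (assumes Deployments "frontend" and "api" in namespace "shop"):
#   apply_policy shop
#   kubectl -n shop exec deploy/frontend -- curl -s -o /dev/null -w '%{http_code}\n' http://api:8080/api/items
#     -> 200: allowed at L3, L4 and L7
#   kubectl -n shop exec deploy/frontend -- curl -s -o /dev/null -w '%{http_code}\n' -X POST http://api:8080/api/items
#     -> 403: the connection is allowed at L4, but the L7 proxy rejects the method
```

Note the difference in failure modes: a source that fails the L3 or L4 match never completes a TCP handshake (the SYN is dropped in eBPF), whereas a request that fails only the L7 rule is answered with an HTTP 403 by the proxy, so the two show up differently in Hubble and in application logs.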

cilium-operator-generic-fips

The Cilium operator serves as the centralized control plane component of Cilium, deployed as a single instance (or in high-availability mode) to manage cluster-wide operations. This generic operator variant is cloud-agnostic and provides several key functions:

  • Resource Management: Creates, updates, and garbage-collects Cilium Custom Resource Definitions (CRDs) and their objects, including CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy, CiliumEndpoint, and CiliumIdentity resources
  • Cluster-Scope IPAM: Allocates pod CIDRs to nodes when Cilium runs in cluster-pool IPAM mode, so that address ranges never overlap across nodes
  • Identity and Endpoint Garbage Collection: Removes CiliumIdentity and CiliumEndpoint objects that no longer back a running pod, keeping the identity space that policies are evaluated against consistent (the compilation of policies into eBPF programs happens in the agent on each node, not in the operator)
  • Certificate Management: Handles TLS certificate lifecycle for secure communication between Cilium components

This generic variant works across different cloud providers and on-premises environments, making it suitable for multi-cloud or hybrid deployments where cloud-specific integrations are not required.

cilium-operator-aws-fips

The AWS-specific Cilium operator extends the core control plane functionality with deep integration into AWS services and infrastructure. In addition to all the capabilities of the generic operator, this variant provides specialized AWS features:

  • ENI IPAM: Allocates AWS Elastic Network Interfaces (ENIs) and secondary IP addresses to nodes through the EC2 API, so that pods receive VPC-routable addresses
  • VPC Integration: Places ENIs in the configured subnets and attaches the configured security groups, so VPC routing and security-group rules apply to pod traffic in addition to Cilium policy
  • IAM Integration: Authenticates to the EC2 API with AWS Identity and Access Management (IAM) credentials, typically an IAM role bound to the operator's service account, which must grant only the ENI and address management permissions the operator needs
  • EKS Support: Intended for Amazon Elastic Kubernetes Service (EKS) clusters and other AWS-hosted clusters where ENI-based pod networking is wanted

This operator is specifically designed for production workloads running on AWS infrastructure where native cloud integration is required for optimal performance, security, and operational efficiency.

cilium-hubble-relay-fips

Hubble Relay serves as the central aggregation and coordination service for network observability data across the entire Kubernetes cluster. It acts as an intermediary between the distributed Hubble servers (embedded in each Cilium agent) and observability clients, providing several critical functions:

  • gRPC API Gateway: Exposes a unified gRPC API that clients can use to query network flows, security events, and service dependencies across the entire cluster
  • Query Fan-out: Forwards each query to every Hubble server (peer) it knows about and merges their flow streams into a single response, so clients never have to address individual nodes
  • Data Filtering and Querying: Provides advanced filtering capabilities allowing users to query specific network flows, protocols, security events, or time ranges
  • Multi-Cluster Support: In ClusterMesh deployments, aggregates observability data from multiple connected Kubernetes clusters

Hubble Relay is essential for any deployment requiring comprehensive network observability, enabling tools like the Hubble CLI and Hubble UI to provide insights into application connectivity, performance, and security across the entire infrastructure.
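For a security team the most common Relay query is "what is being dropped, and by whom". The following is an added example, not code from the Chainguard page or the Cilium project. It assumes the `hubble` CLI is installed, that `cilium hubble port-forward` exposes Relay on the CLI's default local port, and that the compact `hubble observe` output has the shape of the constructed sample lines below (timestamp, source, identity, direction marker, destination, verdict); the sample is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the page or the Cilium project): query policy drops
# through Hubble Relay and summarise them per source/destination pair.
# Assumptions: the `hubble` CLI is installed, `cilium hubble port-forward`
# exposes Relay locally, and compact `hubble observe` output has the shape
# used in the constructed sample below.

# observe_policy_drops NS: stream dropped flows for a namespace from Relay.
observe_policy_drops() {
    hubble observe --namespace "$1" --verdict DROPPED --since 10m
}

# summarize_drops: reads compact `hubble observe` lines on stdin and prints
# "<count> <src> -> <dst>", most frequent first. Fields in the assumed layout:
#   $1-$3 timestamp, $4 src (ns/pod:port), $5 (ID:n), $6 direction, $7 dst (ns/pod:port)
# Ports are stripped so that one pod's many ephemeral source ports aggregate.
summarize_drops() {
    awk '
        /DROPPED/ {
            src = $4; dst = $7
            sub(/:[0-9]+$/, "", src)
            sub(/:[0-9]+$/, "", dst)
            n[src " -> " dst]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample in the shape of `hubble observe` compact output.
SAMPLE_FLOWS='Oct 10 10:00:00.100: shop/frontend-7d8f9:51234 (ID:12345) <> shop/api-6b7c8:8080 (ID:23456) Policy denied DROPPED (TCP Flags: SYN)
Oct 10 10:00:01.200: shop/frontend-7d8f9:51235 (ID:12345) <> shop/api-6b7c8:8080 (ID:23456) Policy denied DROPPED (TCP Flags: SYN)
Oct 10 10:00:02.300: shop/frontend-7d8f9:51236 (ID:12345) -> shop/api-6b7c8:8080 (ID:23456) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 10 10:00:03.400: shop/scanner-1a2b3:40000 (ID:34567) <> shop/api-6b7c8:8080 (ID:23456) Policy denied DROPPED (TCP Flags: SYN)'

# Live usage:
#   cilium hubble port-forward &
#   observe_policy_drops shop | summarize_drops
#
# Offline, against the constructed sample:
#   printf '%s\n' "$SAMPLE_FLOWS" | summarize_drops
```

A pair that appears once or twice is usually a policy gap to fix; a single source hitting many destinations with drops is the pattern to alert on, since that is what lateral-movement scanning looks like from the datapath. Relay's merged view is what makes that cross-node aggregation possible without querying each agent.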

cilium-hubble-ui-fips

The Hubble UI is a modern, web-based visualization platform built as a ReactJS application and served through nginx. It provides an intuitive, graphical interface for network administrators, security teams, and developers who need to understand, monitor, and troubleshoot network connectivity and security policies in their Kubernetes environments.

cilium-hubble-ui-backend-fips

The Hubble UI Backend serves as the data processing and API layer that bridges the gap between raw network observability data and the user-friendly Hubble UI interface. This backend component is essential for the Hubble UI to function effectively, handling the computational complexity of processing network observability data while providing a clean, performant interface for the React-based frontend.

cilium-clustermesh-apiserver-fips

Cilium Cluster Mesh connects multiple Kubernetes clusters, allowing pods in one cluster to access services in others, as long as all clusters use Cilium as their CNI. This is achieved by deploying a clustermesh-apiserver to sync shared state across clusters:

  • Multi-Cluster Service Discovery: Enables services in one cluster to discover and connect to services running in other clusters, creating a unified service mesh across cluster boundaries
  • Cross-Cluster Load Balancing: Distributes traffic across service endpoints that span multiple clusters, providing high availability and optimal resource utilization
  • Shared Identity Management: Synchronizes security identities across clusters, ensuring consistent network policy enforcement in multi-cluster scenarios
  • Secure Communication: Establishes secure, encrypted communication channels between clusters using mutual TLS authentication
  • Service Export/Import: Manages which services are exported from each cluster and which remote services are imported for local consumption

The ClusterMesh API Server is typically exposed through a Service of type LoadBalancer (or NodePort) in each participating cluster. Cilium agents in the other clusters connect to it over mutual TLS to read the shared state (security identities, endpoints, and services) they need for cross-cluster policy and routing. This creates a transparent, scalable solution for multi-cluster deployments without requiring complex VPN setups or network overlays.
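Connecting two clusters with the cilium CLI, as an added example that is not part of the Chainguard page or the Cilium project. It assumes two kubeconfig contexts named `east` and `west`, cluster IDs 1 and 2, and the `cilium install`, `cilium clustermesh enable`, `cilium clustermesh connect` and `cilium clustermesh status` subcommands of the cilium CLI. The ID check is the part worth keeping even if you deploy with Helm directly: duplicate cluster IDs are a common ClusterMesh misconfiguration.

```shell
#!/bin/sh
# Added example (not from the page or the Cilium project): connect two clusters
# with the cilium CLI so their clustermesh-apiservers exchange state over mTLS.
# Assumptions: kubeconfig contexts "east" and "west", cluster IDs 1 and 2, and
# the cilium CLI's `clustermesh enable/connect/status` subcommands.

# mesh_ids_valid ID_A ID_B: cluster IDs must be numeric, unique, and within
# 1..255 (the default maximum). The agent encodes the cluster ID into security
# identities, so two clusters sharing an ID let identities collide and policy
# apply to the wrong peers.
mesh_ids_valid() {
    a=$1; b=$2
    [ -n "$a" ] && [ -n "$b" ] || return 1
    case "$a$b" in *[!0-9]*) return 1 ;; esac
    [ "$a" -ge 1 ] && [ "$a" -le 255 ] || return 1
    [ "$b" -ge 1 ] && [ "$b" -le 255 ] || return 1
    [ "$a" -ne "$b" ]
}

# mesh_connect CTX_A ID_A CTX_B ID_B: install, expose, and connect two clusters.
mesh_connect() {
    ctx_a=$1; id_a=$2; ctx_b=$3; id_b=$4
    mesh_ids_valid "$id_a" "$id_b" || { echo "invalid or duplicate cluster IDs" >&2; return 1; }

    # Each cluster needs a unique cluster.name and cluster.id at install time.
    cilium install --context "$ctx_a" --set cluster.name="$ctx_a" --set cluster.id="$id_a"
    cilium install --context "$ctx_b" --set cluster.name="$ctx_b" --set cluster.id="$id_b"

    # Expose clustermesh-apiserver through a LoadBalancer Service in each cluster.
    cilium clustermesh enable --context "$ctx_a" --service-type LoadBalancer
    cilium clustermesh enable --context "$ctx_b" --service-type LoadBalancer

    # Install in each cluster the client certificate and apiserver endpoint it
    # needs to reach the other; the agents then authenticate with mutual TLS.
    cilium clustermesh connect --context "$ctx_a" --destination-context "$ctx_b"

    # Block until both sides report the remote cluster as connected.
    cilium clustermesh status --context "$ctx_a" --wait
}

# Live usage:
#   mesh_connect east 1 west 2
```

Because the apiserver is reachable from outside the cluster, the LoadBalancer endpoint is an exposed TLS service: keep its client-certificate CA private to the mesh, restrict the load balancer's source ranges to the peer clusters' egress addresses where your cloud supports it, and rotate the clustermesh certificates on the same schedule as the rest of your cluster PKI.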

Documentation and Resources

Refer to the Cilium docs on cilium.io and their GitHub repository for more information about this software.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.

Licenses

Chainguard container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:

  • GPL-2.0-or-later

  • Apache-2.0

  • BSD-1-Clause

  • BSD-2-Clause

  • BSD-3-Clause

  • BSD-4-Clause-UC

  • CC-BY-4.0

For a complete list of licenses, please refer to this Image's SBOM.

Software license agreement

Compliance

This is a FIPS validated image for FedRAMP compliance.

This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.


© 2025 Chainguard. All Rights Reserved.