Chainguard Container for cilium

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads using eBPF.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/cilium:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Cilium images:

Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.

Hubble is a fully distributed networking and security observability platform built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

Several cilium images here:

cilium-agent

Cilium agents, the core data-plane component of Cilium, resides on every node within the cluster and implements the Kubernetes Container Networking Interface (CNI). It gathers configuration instructions through APIs or Kubernetes, defining the essential parameters for networking, network policies, load balancing, visibility, and monitoring.

Another key role for cilium agents is that embedded in them are the hubble servers, which provides visibility into network traffic and the overall health of a Kubernetes cluster.

cilium-operator-generic

The Cilium operator is the control plane component of Cilium. It is responsible for managing Cilium resources across the cluster, such as NetworkPolicy, or IP address management.

Cloud-specific flavors of the Cilium operator exists, but the image here is the generic flavor of the Cilium operator.

cilium-operator-aws

The Cilium operator is the control plane component of Cilium. It is responsible for managing Cilium resources across the cluster, such as NetworkPolicy, or IP address management.

This image is the AWS-specific flavor of the Cilium operator.

cilium-hubble-relay

The Hubble Relay aggregates the observability provided by the Hubble servers (embedded in the Cilium agents) across the nodes. In other words is the Hubble component that brings multi-node support. It leverages the Peer service to obtain information about Hubble instances and consume their gRPC API in order to provide a more rich API that covers events from across the entire cluster (or even multiple clusters in a ClusterMesh scenario).

cilium-hubble-ui-backend

The Hubble UI Backend component processes the data provided by the lower-level Hubble components (Relay, Server), and feed that to the Cilium Hubble UI.

cilium-hubble-ui

The Hubble UI, a ReactJS app served by nginx, visually depicts the network connectivity, policies, and dependencies of the cluster in a user-friendly manner.

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.