Cilium is a networking, observability, and security solution with an eBPF-based dataplane. It provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay mode. It is L7-protocol aware and can enforce network policies on L3-L7 using an identity based security model that is decoupled from network addressing.
Cilium implements distributed load balancing for traffic between pods and to external services, and is able to fully replace kube-proxy, using efficient hash tables in eBPF allowing for almost unlimited scale. It also supports advanced functionality like integrated ingress and egress gateway, bandwidth management and service mesh, and provides deep network and security visibility and monitoring.
A new Linux kernel technology called eBPF is at the foundation of Cilium. It supports dynamic insertion of eBPF bytecode into the Linux kernel at various integration points such as: network IO, application sockets, and tracepoints to implement security, networking and visibility logic. eBPF is highly efficient and flexible. To learn more about eBPF, visit eBPF.io.
The Cilium community maintains minor stable releases for the last three minor Cilium versions. Older Cilium stable versions from minor releases prior to that are considered EOL.
For upgrades to new minor releases please consult the Cilium Upgrade Guide.
Listed below are the actively maintained release branches along with their latest patch release, corresponding image pull tags and their release notes:
| v1.17 | 2025-06-18 | quay.io/cilium/cilium:v1.17.5 |
Release Notes |
| v1.16 | 2025-06-18 | quay.io/cilium/cilium:v1.16.11 |
Release Notes |
| v1.15 | 2025-06-18 | quay.io/cilium/cilium:v1.15.18 |
Release Notes |
Cilium images are distributed for AMD64 and AArch64 architectures.
Starting with Cilium version 1.13.0, all images include a Software Bill of Materials (SBOM). The SBOM is generated in SPDX format. More information on this is available on Cilium SBOM.
For development and testing purpose, the Cilium community publishes snapshots, early release candidates (RC) and CI container images build from the main branch. These images are not for use in production.
For testing upgrades to new development releases please consult the latest development build of the Cilium Upgrade Guide.
Listed below are branches for testing along with their snapshots or RC releases, corresponding image pull tags and their release notes where applicable:
| main | daily | quay.io/cilium/cilium-ci:latest |
N/A |
| v1.18.0-rc.0 | 2025-07-01 | quay.io/cilium/cilium:v1.18.0-rc.0 |
Release Notes |
Cilium as a CNI plugin provides a fast, scalable, and secure networking layer for Kubernetes clusters. Built on eBPF, it offers several deployment options:
- Overlay networking: encapsulation-based virtual network spanning all hosts with support for VXLAN and Geneve. It works on almost any network infrastructure as the only requirement is IP connectivity between hosts which is typically already given.
- Native routing mode: Use of the regular routing table of the Linux host. The network is required to be capable of routing the IP addresses of the application containers. It integrates with cloud routers, routing daemons, and IPv6-native infrastructure.
- Flexible routing options: Cilium can automate route learning and advertisement in common topologies such as using L2 neighbor discovery when nodes share a layer 2 domain, or BGP when routing across layer 3 boundaries.
Each mode is designed for maximum interoperability with existing infrastructure while minimizing operational burden.
Cilium implements distributed load balancing for traffic between application containers and to/from external services. The load balancing is implemented in eBPF using efficient hashtables enabling high service density and low latency at scale.
- East-west load balancing rewrites service connections at the socket
level (
connect()), avoiding the overhead of per-packet NAT and fully replacing kube-proxy. - North-south load balancing supports XDP for high-throughput scenarios and layer 4 load balancing including Direct Server Return (DSR), and Maglev consistent hashing.
Cilium Cluster Mesh enables secure, seamless connectivity across multiple Kubernetes clusters. For operators running hybrid or multi-cloud environments, Cluster Mesh ensures a consistent security and connectivity experience.
- Global service discovery: Workloads across clusters can discover and connect to services as if they were local. This enables fault tolerance, like automatically failing over to backends in another cluster, and exposes shared services like logging, auth, or databases across environments.
- Unified identity model: Security policies are enforced based on identity, not IP address, across all clusters.
Cilium Network Policy provides identity-aware enforcement across L3-L7. Typical container firewalls secure workloads by filtering on source IP addresses and destination ports. This concept requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster.
In order to avoid this situation which limits scale, Cilium assigns a security identity to groups of application containers which share identical security policies. The identity is then associated with all network packets emitted by the application containers, allowing to validate the identity at the receiving node.
- Identity-based security removes reliance on brittle IP addresses.
- L3/L4 policies restrict traffic based on labels, protocols, and ports.
- DNS-based policies: Allow or deny traffic to FQDNs or wildcard domains
- (e.g.,
api.example.com,*.trusted.com). This is especially useful for securing egress traffic to third-party services.
- L7-aware policies allow filtering by HTTP method, URL path, gRPC call,
and more:
- Example: Allow only GET requests to
/public/.*. - Enforce the presence of headers like
X-Token: [0-9]+.
- Example: Allow only GET requests to
CIDR-based egress and ingress policies are also supported for controlling access to external IPs, ideal for integrating with legacy systems or regulatory boundaries.
With Cilium Service Mesh, operators gain the benefits of fine-grained traffic control, encryption, observability, access control, without the cost and complexity of traditional proxy-based designs. Key features include:
- Mutual authentication with automatic identity-based encryption between workloads using IPSec or WireGuard.
- L7-aware policy enforcement for security and compliance.
- Deep integration with the Kubernetes Gateway API : Acts as a Gateway API compliant data plane, allowing you to declaratively manage ingress, traffic splitting, and routing behavior using Kubernetes-native CRDs.
Observability is built into Cilium from the ground up, providing rich visibility that helps operators diagnose and understand system behavior including:
- Hubble: A fully integrated observability platform that offers real-time service maps, flow visibility with identity and label metadata, and DNS-aware filtering and protocol-specific insights
- Metrics and alerting: Integration with Prometheus, Grafana, and other monitoring systems.
- Drop reasons and audit trails: Get actionable insights into why traffic was dropped, including policy or port violations and issues like failed DNS lookups.
- Why Cilium?
- Getting Started
- Architecture and Concepts
- Installing Cilium
- Frequently Asked Questions
- Contributing
Join the Cilium Slack channel to chat with Cilium developers and other Cilium users. This is a good place to learn about Cilium, ask questions, and share your experiences.
See Special Interest groups for a list of all SIGs and their meeting times.
The Cilium developer community hangs out on Zoom to chat. Everybody is welcome.
- Weekly, Wednesday, 5:00 pm Europe/Zurich time (CET/CEST), usually equivalent to 8:00 am PT, or 11:00 am ET. Meeting Notes and Zoom Info
- Third Wednesday of each month, 9:00 am Japan time (JST). APAC Meeting Notes and Zoom Info
We host a weekly community YouTube livestream called eCHO which (very loosely!) stands for eBPF & Cilium Office Hours. Join us live, catch up with past episodes, or head over to the eCHO repo and let us know your ideas for topics we should cover.
The Cilium project is governed by a group of Maintainers and Committers. How they are selected and govern is outlined in our governance document.
A list of adopters of the Cilium project who are deploying it in production, and of their use cases, can be found in file USERS.md.
The Cilium user space components are licensed under the Apache License, Version 2.0. The BPF code templates are dual-licensed under the General Public License, Version 2.0 (only) and the 2-Clause BSD License (you can use the terms of either license, at your option).