Migrating to Cilium for Better Networking, Visibility and Security
Challenge
G DATA CyberDefense is a German software company that offers computer security services to its clients. They specialize in endpoint protection and cybersecurity services, including penetration testing. Additionally, the company provides SaaS solutions, such as “Verdict as a Service” and an email protection gateway.
G DATA initially developed their Kubernetes platform using Calico for networking. After a few months, they started looking for an alternative solution because Calico didn’t offer the necessary level of visibility for enforcing network policies. They aimed to find a solution that not only provided the required visibility but also utilized eBPF for performance.
Solution
After evaluating their options, G DATA chose Cilium as their preferred solution for networking, observability, and security to benefit from its enhanced capabilities with Hubble and network policy visibility.
Cilium not only improved G DATA’s network security and visibility but also streamlined its development process. It allows their development teams to self service network policies without needing to involve the IT team.
Impact
Cilium significantly improved G DATA’s network visibility and security posture. It also boosted developer productivity by speeding up their development process, allowing them to deliver new features to their customers more quickly.
Projects used
By the numbers
25
Clusters with Cilium
1500+
ArgoCD applications
4000+
Network policies
At the beginning of their Kubernetes journey, G DATA’s team initially used Calico for the networking layer. However, a few months into the implementation, they encountered limitations because Calico didn’t offer the level of network policy visibility they required, which is especially important in the security sector.
“Because we are a security company, we do a lot of execution and analysis of malware in our Kubernetes clusters. We needed to enforce network policies to safeguard our infrastructure and enforcing them without any visibility isn’t that easy. Calico was hard to configure because sometimes you don’t know what is wrong. If you can already see what’s wrong, that helps a lot.”
Jan Jansen, Platform Engineer, G DATA
Faced with these challenges, they began searching for a solution that could provide them with network policy visibility. They were also interested in bringing the power of eBPF to their clusters. After conducting their research, they chose Cilium. Their decision was influenced by the discovery that many cloud providers had adopted Cilium, its utilization of eBPF, and its alignment with the capabilities they required at the time.
“We started using Kubernetes four years ago and we used Calico for just one or two months before deciding we needed a different solution. In our research, we found out that many cloud providers were already using Cilium. We also saw that Cilium used eBPF and had great network policy visualization. We were in the early stage and saw that Calico wasn’t working for us, we looked for a different solution, found Cilium and stuck with it.”
Jan Jansen, Platform Engineer, G DATA
After choosing Cilium, G DATA replaced Calico with Cilium by migrating all the clusters they had at the time.
“We had around five to ten clusters at the time and migrated one cluster at a time because it wasn’t a problem if we had 10 minutes of downtime. We just did a hard switch between the network layers and then from there, we stayed with Cilium.
Now, we run nearly all of our clusters with Cluster API for auto-provisioning. Using Cilium for all of our networking needs gives us great consistency across clouds and on-prem.”
Jan Jansen, Platform Engineer, G DATA
G DATA currently employs a team of 5 people to manage their hybrid cloud Kubernetes platform spanning both bare metal servers and multiple cloud providers. Their infrastructure includes two bare metal data centers and extends to two cloud providers, encompassing about 25 clusters using Cilium for networking.
Observability Tailored to Developers with Hubble
During their comparison of Calico and Cilium, another factor that led G DATA to choose Cilium was Hubble. They appreciated Hubble’s ability to offer observability to their developers without the necessity of granting them cluster access.
“With Hubble, you can give developers access to the network visibility in a much better way. We don’t have to give them full cluster access to see the networking issues.”
Jan Jansen, Platform Engineer, G DATA
Improving Developer Self Service Security with Cilium
Cilium has now become a crucial component of G DATA’s Kubernetes platform, addressing its security, networking, and observability needs. Furthermore, Cilium has reduced the security “mental overhead” and significantly enhanced the ability of their developers to deliver new features to customers. Finally, using Cilium for network policy provided G DATA with a self-service platform which significantly improved their developers’ productivity.
“In our platform, we have a diverse application set. Every team can choose to work in the programming language of their choice – we have Java, C#, Python, and Go. With Kubernetes and Cilium, we can streamline the process so that not everyone has to manage security stuff. Previously, we had to contact our IT department and submit a ticket for them to manually make changes to the network policy. Now developers can self-service which speeds up the development process for the application teams and also increases our security on the backend.
In the beginning, it was hard for our developers to write network policies because we were in our early Kubernetes adoption phase. Everyone had to learn a lot of stuff in Kubernetes and then also had to learn how to write network policies. Cilium helped reduce the mental overhead and helped speed up our development process so that we can bring new features to customers faster.”
Jan Jansen, Platform Engineer, G DATA
Expanding Cilium’s Networking Beyond Kubernetes
Since Cilium is now a key part of their platform, G DATA is exploring additional use ways to take advantage of it. They plan to replace their MetalLB layer two load balancer with Cilium’s load balancer and are also evaluating Cilium’s Gateway API.
“We are looking into replacing our MetalLB layer two load balancer with Cilium. We also started to use Gateway API with CIlium to understand how Gateway API works and how to get started with it.”
Jan Jansen, Platform Engineer, G DATA