Network policy with Cilium and Linkerd Layer7 #11653
-
|
I have a Kubernetes cluster with linkerd and cilium installed on it. I want deploy network policy on the layer 3, 4 and 7. For the layer 3,4, I use Cilium but for l7, both Cilium and Linkerd can be used. What is the better approach to do L7 filtering ? Using only Linkerd (Linkerd better), using only Cilium (Cilium better) or both can be complementary ? Using Cilium filtering based on ebpf (kernel linux) and Linkerd filtering based on proxies should be usable in the same time, isn't it ? Even if it seems to be redundant. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
As I understand it, Cilium CNI supports only L4 policies. L7 policies in Cilium require adding Cilium mesh, which runs set of per-node Envoy proxies to every host, an approach that we consider to have lower security and worse operational characteristics. So our recommendation is L4 policies in Cilium CNI and L7 policies with Linkerd. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, I confirm my mistake. Cilium needs a proxy to do L7 layer so it is not useful compared to Linkerd. Thanks for your response. |
Beta Was this translation helpful? Give feedback.
As I understand it, Cilium CNI supports only L4 policies. L7 policies in Cilium require adding Cilium mesh, which runs set of per-node Envoy proxies to every host, an approach that we consider to have lower security and worse operational characteristics.
So our recommendation is L4 policies in Cilium CNI and L7 policies with Linkerd.