PostHole
Compose Login
You are browsing eu.zone1 in read-only mode. Log in to participate.
rss-bridge 2026-02-25T23:00:00+00:00

Cilium at Ten Years: Stronger Encryption, Safer Policies, and Clearer Visibility for Large Clusters

Cilium 1.19 has been released, marking ten years of development for the eBPF-based networking and security project. There isn’t a flagship feature in this release; instead, it focuses on security hardening, tightening encryption, refining network policy behaviour, and improving scalability for large Kubernetes clusters. By Matt Saunders

InfoQ Homepage

News

Cilium at Ten Years: Stronger Encryption, Safer Policies, and Clearer Visibility for Large Clusters

DevOps

Cilium at Ten Years: Stronger Encryption, Safer Policies, and Clearer Visibility for Large Clusters

Feb 25, 2026

min read

Matt Saunders

Write for InfoQ

Feed your curiosity.
Help 550k+ global
senior developers
each month stay ahead.Get in touch

Listen to this article - 0:00

0:00

0:00

  • Reading list

Cilium 1.19 has been released, marking ten years of development for the eBPF-based networking and security project. There isn’t a flagship feature in this release; instead, it focuses on security hardening, tightening encryption, refining network policy behaviour, and improving scalability for large Kubernetes clusters.

The Cilium post on LinkedIn describes 1.19 as a special release celebrating 10 years since the first commit, with over 2,900 commits from 1,000+ developers. The 2025 annual Cilium report explains how Cilium has quietly become the dominant CNI in production Kubernetes environments, with over 60 per cent of surveyed deployments using Cilium and more than 75 per cent relying on Cilium-based data planes once managed services such as Azure CNI powered by Cilium and GKE Datapath V2 are included. The report suggests that this is thanks to organisations deliberately selecting it based on technical merits, rather than platform defaults, with advocates citing performance, eBPF-based observability via Hubble, and advanced policy semantics as the main reasons for adoption. This aligns with the emphasis in 1.19 on stricter encryption modes, safer cross cluster defaults and deeper traffic tracing. The report also show that contribution levels have stabilised at around 10,000 pull requests per year, and that Cilium is now the second-largest CNCF project by contributions behind only Kubernetes.

A second theme in the report is the extension of Cilium and its related projects into new domains, particularly AI workloads and unified networking across Kubernetes and virtual machines. Large organisations such as Microsoft, Google, and TikTok are reported to use Cilium to power some of the largest AI training clusters and IPv6-only data centre deployments, while case studies from firms like ESnet and Nutanix highlight the value of consistent observability and policy controls across heterogeneous environments. The same document positions Tetragon as an emerging runtime security layer, complementing the 1.19 focus on stricter encryption.

The 1.19 release introduces strict modes for both IPsec and WireGuard. This change shifts encryption from a best-effort option to a hard requirement between nodes. In strict mode, unencrypted inter-node traffic is dropped. This satisfies internal policies that financial and public sector environments may have, aiming to remove reliance on implicit trust within a cluster network. The project’s summary notes that this change is primarily for "regulated or zero trust environments." LinkedIn discussions frame it as bringing Cilium's data plane behaviour closer to what security teams expect from modern service meshes. This comes after a longer history of community debate, includinga Reddit thread where one user described earlier Cilium architectures as forcing operators to "undermine cluster security" when trying to fit them into strict mTLS models. This indicates that the project is now responding directly to earlier criticism.

The release has a new beta integration of Ztunnel. Ztunnel enables transparent encryption and authentication of TCP connections between workloads without needing sidecar proxies. In the 1.19 release materials, the maintainers describe how namespaces can be enrolled into Ztunnel so that workloads can gain mutual authentication without application changes, again bringing Cilium closer to service-mesh ideals. There is an implied rethink of earlier design choices in the decision to disable the existing mutual authentication feature by default and to point users needing mTLS towards the Ztunnel path. Other similar projects, like Istio, still rely on sidecar-based deployment. Comments from practitioners on Reddit emphasise the appeal of lighter-weight approaches that reduce per-pod overhead and configuration complexity, even if they are still in beta.

There's a change in default semantics for multi-clustered setups when network policies do not specify a cluster. In Cilium 1.19.0, such selectors now default to allowing traffic only from the local cluster. This reduces the risk that a misconfigured policy will unintentionally expose services across a Cluster Mesh deployment. The release also introduces multi-level DNS wildcard matches and the option for Cilium to return ICMPv4 "Destination unreachable" responses when policies deny connections. Together, these aim to make policies both more expressive and easier to debug. Kafka protocol match fields and the ToRequires and FromRequires policy fields have been deprecated to remove underused complexity. This helps operators focus on patterns actually deployed at scale.

From an operational perspective, the promotion of Multi Pool IPAM to stable status has received positive feedback, especially from users working in large or segmented address spaces. In this release, Multi Pool IPAM is documented as working with both IPsec and direct routing, and is ready for broader production use. Users on Reddit who previously reported that Cilium's advanced features were "a lot of work to get in place and running well" now have a clearer path to allocate addresses across multiple pools. This is critical in hybrid or multi-tenant clusters. The addition of IPv6 as a tunnel-underlay option in dual-stack clusters and more granular control over IP masquerading are often mentioned in the same discussions. These changes increase the range of topologies that Cilium can support without resorting to fragile workarounds.

Observability improvements in Hubble, Cilium's observability component, comprise the final cluster of changes that appear repeatedly in community commentary. Hubble now allows tracing packets using IP options for specific flows and filtering traffic in the command line by encryption status. It can also tag drop events with the exact network policy that caused them. These changes address long-standing complaints that eBPF-based data planes can be difficult to reason about during incidents.

Cilium 1.19.1 is available now, and more details are on the Cilium website.

About the Author

****Matt Saunders****

Show moreShow less

This content is in the DevOps topic

Related Topics:

DevOps

Clusters

Network Security

Networking

Kubernetes

Encryption

Related Editorial

Popular across InfoQ

Anthropic Study: AI Coding Assistance Reduces Developer Skill Mastery by 17%

Google Brings its Developer Documentation into the Age of AI Agents

Uforwarder: Uber’s Scalable Kafka Consumer Proxy for Efficient Event-Driven Microservices

[...]

Original source

📄 cilium-annual-report-2025-final.pdf

Reply