What AI and cloud consulting services does Luca Berton offer?

Luca Berton provides expert consulting in AI/ML platform strategy, multi-tenant GPU orchestration on OpenShift AI, MLOps enablement, cloud infrastructure design, Kubernetes workshops, and Ansible & Python training.

What is Ansible Pilot?

Ansible Pilot is the leading resource for Ansible automation learning, featuring a YouTube channel with 6.1K subscribers and 1M+ views, plus AnsiblePilot.com with 648K total users.

How can I book a consultation with Luca Berton?

Schedule a free consultation through Calendly at calendly.com/lucaberton or visit lucaberton.com/contact.

Cilium and eBPF: Next-Generation Kubernetes Networking and Security

What Is Cilium?

Cilium provides networking, observability, and security for Kubernetes using eBPF — programs that run inside the Linux kernel. It replaces kube-proxy, iptables, and sidecars with kernel-level efficiency. CNCF Graduated, 21K+ GitHub stars.

Why eBPF Changes Everything

Traditional Kubernetes networking:

Packet → iptables rules (thousands!) → kube-proxy → service routing → pod

With Cilium eBPF:

Packet → eBPF program (kernel) → pod

Result: 40% lower latency, 60% less CPU at scale.

Key Capabilities

1. Replace kube-proxy

# Cilium Helm values
kubeProxyReplacement: true
k8sServiceHost: "api-server.example.com"
k8sServicePort: 6443

No more iptables chains — eBPF handles service routing in-kernel.

2. Network Policies (L3-L7)

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payment-ingress
spec:
  endpointSelector:
    matchLabels:
      app: payment-service
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: api-gateway
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: "/api/v1/payments"  # L7 HTTP filtering!

Cilium can filter at HTTP level — not just IP/port.

3. Transparent Encryption (WireGuard)

# Enable WireGuard encryption between all pods
encryption:
  enabled: true
  type: wireguard

All pod-to-pod traffic encrypted without application changes or sidecars.

4. Service Mesh (No Sidecars)

# Cilium replaces Istio sidecars with eBPF
meshConfig:
  enabled: true
  # L7 features without sidecar injection
  # mTLS, retries, timeouts, traffic splitting

No sidecar overhead — 0 extra memory per pod, 0 extra latency.

5. Hubble (Observability)

# See all network flows in real-time
hubble observe --namespace payments

# Service dependency map
hubble observe --verdict FORWARDED -o json | jq '.destination_service'

Installation

helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium \
  --namespace kube-system \
  --set kubeProxyReplacement=true \
  --set hubble.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set encryption.enabled=true \
  --set encryption.type=wireguard

Performance Comparison

Metric	iptables/kube-proxy	Cilium eBPF
Service routing latency	150μs	90μs
Network policy evaluation	50μs per rule	5μs (compiled)
Memory (10K services)	500MB (iptables rules)	50MB
CPU at 100K connections	15%	5%
Throughput	30 Gbps	45 Gbps

Who Uses Cilium?

Google GKE Dataplane V2 — default networking
AWS EKS Anywhere — supported CNI
Azure AKS — powered by Cilium
Every major cloud Kubernetes offering supports Cilium