Cilium at Ten: Community Scale, Survey Signals, and the 1.19 Technical Thread
What This Episode Is Worth Keeping
This is not a feature launch; it is a founder roundtable, community survey reveal, and AMA in one. If you care why Cilium went from a single .gitignore in 2015 to a top-tier CNCF project today, or want to cross-check the spoken roadmap against the published 1.19 docs, the episode still has archival value. The on-screen milestone numbers, the top LinkedIn survey answers, Daniel Borkmann on Big TCP / BBR, and Thomas Graf on ztunnel, L7, and 2.0 together make a useful entry point for reading “community narrative” alongside official documentation. Side stories such as an NGINX strategy typo or benchmarking NodePort with Quake 3 cannot be verified on their own, but they help explain how maintainers think about data-plane evolution. There was no live terminal demo in this session; commands below come from official docs and can be reproduced on your own cluster.
A Ten-Year Scale: From First Commit to CNCF Scale
On December 16, 2015, Thomas Graf pushed Cilium’s initial commit on GitHub (7fa3c60, including .gitignore and LICENSE). The CNCF project page records Cilium joining as an Incubating project on 2021-10-13 and graduating on 2023-10-11.
On-screen milestones in the show (point-in-time snapshots, not live APIs) included: 1,000+ contributors (slides once showed 1,012), second in CNCF by total contributions, 45k+ GitHub stars, 546,000+ total contributions since joining CNCF (up 142% since 2021), 50,000+ PRs across the repo, and contributors in 82 countries. Host Liz Rice also noted some figures may already be stale—consistent with GitHub stars and contributor counts drifting over time; cite a statistics date when writing. “Second in CNCF contributions,” “546k / 82 countries / 50k PRs,” and similar figures were not independently re-exported from DevStats in this write-up; for rigorous citations see Cilium DevStats.

Figure: slide Milestones — first commit December 2015, 1,000+ contributors, second in CNCF contributions, 45k+ GitHub stars (on-screen text).

Figure: slide Milestones (cont’d) — Total Contributions 546,000+, Total PRs 50,000+, Global Reach 82 countries (on-screen text).
What the Community Survey Said (Guessing Results, Not Official Adoption Rates)
The show used a “Survey says…” format to reveal answers collected beforehand on LinkedIn and social media. Rankings below are from that community survey readout; do not present them as official product statistics or adoption rates.
| Question | Top directions revealed on screen |
|---|---|
| What Cilium replaced | Other CNI → kube-proxy → Service mesh / Ingress |
| Most-used features in production | Networking (generalized CNI) → Network policy → Hubble UI → kube-proxy replacement |
| “Biggest problem” solved | Network policies that work → Observability → Performance → Service mesh complexity |
| How people first heard of it | Blog/article → Conference → … → YouTube and eCHO |
The enterprise name-guessing segment showed Adobe, Microsoft, OpenAI on screen; USERS.md can be checked for self-reported users (including Adobe, Microsoft, etc.). OpenAI does not appear on that list (as of the public USERS.md). Anecdotally, founders mentioned replacing Calico, kube-proxy, Ingress, standalone service meshes, and more—aligned with survey directions but still presenter/community narrative.

Figure: Survey says — Network policies that work, Observability/visibility, Performance issues, Service mesh complexity (on-screen text).
Big TCP, the eBPF Path, and What Landed in 1.19
In the AMA, @eBPFCilium asked about eBPF’s role in Big TCP. Daniel Borkmann explained that Big TCP relies on the kernel aggregating larger packets. If traffic still goes through the traditional host stack, the socket association can be “orphaned” and TCP backpressure breaks, so you need a path such as eBPF Host-Routing to get the performance gains described in the docs. He said Cilium’s side is on the order of 256K packets; current stable docs list GSO/GRO limits as 192k. Treat the documentation as authoritative and record 256K as a spoken figure that does not match the docs.
Cilium 1.19 (spoken as “around early February”) aligns with v1.19.0 release (2026-02-04), including Ztunnel Beta, Gateway API improvements, and Helm charts published via OCI. Spoken “enhanced mutual TLS” maps in release notes to new ztunnel paths; legacy Mutual Authentication is off by default—read release notes for migration; do not read it simply as “the old SPIRE flow, strengthened.”

Figure: audience question — what role eBPF plays in Big TCP and which eBPF programs are used (chat text).
When enabling Big TCP with Host-Routing, the Cilium 1.19.x stable docs require kernel ≥ 5.19 for IPv6 BIG TCP and kernel ≥ 6.3 for IPv4 BIG TCP.
```bash
# Helm example (from performance tuning doc pattern; adjust values for your environment)
helm upgrade cilium oci://quay.io/cilium/charts/cilium \
  --namespace kube-system \
  --reuse-values \
  --set kubeProxyReplacement=true \
  --set bpf.masquerade=true \
  --set routingMode=native \
  --set enableIPv4BIGTCP=true \
  --set enableIPv6BIGTCP=true

kubectl -n kube-system exec ds/cilium -- cilium-dbg status
# Look for Host Routing: BPF, IPv4/IPv6 BIG TCP: enabled, etc.
```
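The kernel minimums and status fields above can be checked mechanically. The script below is an added example, not taken from the Cilium docs or the episode; the function names are hypothetical and the status text is a constructed sample that uses only the field names mentioned above.

```bash
#!/usr/bin/env bash
# Added example (not from Cilium docs): BIG TCP preflight using the kernel
# minimums and status fields quoted above. Function names are hypothetical.

# kernel_at_least RELEASE MAJOR.MINOR: exit 0 if RELEASE >= MAJOR.MINOR.
# Handles distro suffixes such as "6.1.0-18-amd64".
kernel_at_least() (
  rel="${1%%[!0-9.]*}"                       # drop "-18-amd64" style suffix
  maj="${rel%%.*}"; rest="${rel#*.}"; min="${rest%%.*}"
  [ -n "$maj" ] && [ -n "$min" ] || exit 2    # unparseable release string
  [ "$maj" -gt "${2%%.*}" ] ||
    { [ "$maj" -eq "${2%%.*}" ] && [ "$min" -ge "${2#*.}" ]; }
)

# status_field TEXT "Field": first word of that field's value, lower-cased.
status_field() {
  printf '%s\n' "$1" |
    awk -F': *' -v k="$2" '$1 == k { split($2, w, " "); print w[1]; exit }' |
    tr 'A-Z' 'a-z'
}

# bigtcp_preflight RELEASE STATUS_TEXT: print each failed check, exit 1 if any.
bigtcp_preflight() (
  rc=0
  kernel_at_least "$1" 5.19 || { echo "FAIL kernel $1 < 5.19 (IPv6 BIG TCP)"; rc=1; }
  kernel_at_least "$1" 6.3  || { echo "FAIL kernel $1 < 6.3 (IPv4 BIG TCP)"; rc=1; }
  [ "$(status_field "$2" 'Host Routing')" = bpf ] ||
    { echo "FAIL Host Routing is not BPF"; rc=1; }
  for f in 'IPv4 BIG TCP' 'IPv6 BIG TCP'; do
    [ "$(status_field "$2" "$f")" = enabled ] || { echo "FAIL $f not enabled"; rc=1; }
  done
  exit "$rc"
)

# Constructed sample, not captured output; only fields named above are used.
SAMPLE_STATUS='Host Routing:   Legacy
IPv4 BIG TCP:   Disabled
IPv6 BIG TCP:   Enabled'

bigtcp_preflight "6.1.0-18-amd64" "$SAMPLE_STATUS" || true
# Live use, run where kubectl reaches the cluster (assumes uname in the image):
#   bigtcp_preflight "$(kubectl -n kube-system exec ds/cilium -- uname -r)" \
#     "$(kubectl -n kube-system exec ds/cilium -- cilium-dbg status)"
```

On the sample, a 6.1 kernel passes the IPv6 minimum but fails the IPv4 one, and the Legacy host-routing line is reported as a separate failure.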
Resources
- Performance tuning — BIG TCP / eBPF Host-Routing
- System requirements — kernel versions
- v1.19.0 Release Notes
- Helm OCI installation
ztunnel, Encryption, and IPv6 Design History
Thomas Graf described ztunnel (encryption.type=ztunnel) as transparent L4 mTLS on the node, with the control plane coordinated by the agent and the local ztunnel. Avoid mixing Cilium ztunnel nodes with Istio Ambient ztunnel nodes in one cluster. That is engineering judgment: public docs do not literally say “do not mix,” but Istio integration stresses avoiding conflicting configs. Important conflict: he mentioned propagating ztunnel identity via Cluster Mesh, while the ztunnel documentation states Cluster Mesh is incompatible with ztunnel (do not enable Cluster Mesh before install). For operations, treat them as mutually exclusive per docs.
```bash
helm install cilium oci://quay.io/cilium/charts/cilium \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=ztunnel

kubectl label namespace <your-ns> io.cilium/mtls-enabled=true
```
On IPv6: presenter view — early versions leaned IPv6-only (container scale and address-planning motivation), then IPv4 was strengthened under user pressure; “using IPv6 to address memory” reads more like a vision; Daniel Borkmann said DMA and similar paths are more common today—no known production-grade “IPv6 for memory addressing” scheme could be verified.
BBR, BGP, and Implementation Choices
BBR: Daniel mentioned fixing lost TCP timestamps on the pod→host path; Bandwidth Manager documents similar issues on older kernels at netns transitions and requires eBPF Host-Routing with bandwidthManager.bbr=true. KubeCon Cubic vs BBR streaming comparisons are demo anecdotes.
```bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep -i bandwidth
```
BGP: In chat, Tony Norlin described Cilium BGP letting components outside the CNI VXLAN fabric (e.g. external k8s control plane) communicate; BGP Control Plane advertises Pod/Service routes to routers—specific topology is the user’s scenario; no demo in this episode.
```yaml
# Helm values snippet
bgpControlPlane:
  enabled: true
```
Go: Thomas and André explained that Kubernetes ecosystem clients were mostly Go back then and kernel developers picked it up quickly; fine-grained agent memory control was hard, early CI used bash—all presenter views.
L7 Capability Boundaries and When “2.0” Might Appear
Thomas Graf drew two lines: open source L7 network policy goes through node-side Envoy proxy (see Layer 7 Policies); Isovalent Enterprise eBPF L7 parsers (passive HTTP/DNS observability, low overhead) cannot replace a full proxy (no retry; L7 LB and similar need termination/flow control)—Enterprise product lines on docs.cilium.io have no open-source page that literally matches “L7 eBPF parser”; capability boundaries marked presenter view. Data-plane maturity notes (e.g. races only at very large scale) are maintainer experience with no standalone CVE.
On Cilium 2.0: no timeline; motivations include technical debt from long “seamless upgrades” and new Kubernetes needs for virtualization; no 2.0/10.0 branding for marketing alone—presenter view. Liz previewed future eCHO episodes may cover 1.19 features and cloud-native outlook—that is show scheduling, not a release commitment.
Unverified Boundaries (Read With Care)
- Full community survey rankings, on-screen enterprise list vs real adoption rates
- Exact definitions behind P02 figures: 546k contributions, 82 countries, 50k PRs, CNCF “second”
- Big TCP 256K vs docs 192k; ztunnel + Cluster Mesh spoken vs docs mutual exclusion
- Enterprise L7 eBPF parser, Cilium 2.0 timing and motivations, Quake3/Datadog/Android anecdotes
- Complete timeline of IPv6-only early releases
If you only care about paths you can verify hands-on: install 1.19 via OCI → cilium-dbg status for Host Routing / BIG TCP / BandwidthManager → enable ztunnel or BGP as needed, and use the table above to separate “documentation” from “what was said on this show.”



