Cilium, eBPF, and Modern Kubernetes Networking with Bill Mulligan

Software Engineering Daily – Data

Mar 26, 2026

Why It Matters

As Kubernetes becomes the backbone of modern infrastructure, scalable and secure networking is critical; eBPF and Cilium offer a way to meet those demands without waiting for slow kernel updates. This episode is timely for engineers looking to adopt cutting‑edge, programmable networking that improves performance, security, and observability in dynamic container environments.

Key Takeaways

  • eBPF lets programs safely modify Linux kernel behavior.
  • Cilium replaces iptables/kube-proxy with eBPF for faster networking.
  • Identity‑based networking in Cilium scales with dynamic containers.
  • CNCF hosts Cilium; Isovalent commercializes its ecosystem.
  • eBPF verification prevents kernel crashes and security risks.

Pulse Analysis

The episode opens by framing the limitations of traditional Linux networking for cloud‑native workloads. Bill Mulligan explains that eBPF—a programmable, sandboxed extension to the Linux kernel—lets developers inject custom logic without altering kernel source code. This capability is the foundation of Cilium, an open‑source CNI that graduated to the CNCF and is now backed commercially by Isovalent. By moving networking control into the kernel, Cilium addresses the scalability challenges of Kubernetes clusters where containers appear and disappear at massive scale.

Technically, Cilium swaps out iptables and the default kube‑proxy with eBPF‑driven datapaths. Instead of linear rule scans, eBPF maps provide O(1) lookups, dramatically reducing latency and boosting throughput—real‑world tests show up to 40% performance gains in large clusters. Moreover, Cilium shifts from static IP‑based policies to identity‑based rules tied to Kubernetes labels, eliminating constant rule churn as pods are recreated. This model simplifies zero‑trust networking, enabling fine‑grained security policies that follow workloads regardless of their IP address.
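The contrast between static IP rules and label-derived identities can be seen in a small model. This is an added example, not code from the episode or from Cilium; the class names, labels, port, and IP addresses are constructed, and the data structures are a deliberate simplification of the idea described above.

```python
# Added illustration: simplified model, not Cilium's code; names and IPs are constructed.
class IpRuleFirewall:
    """Static IP-based policy: allow rules scanned one by one."""
    def __init__(self):
        self.rules = []                      # (src_ip, dst_ip, port)
    def allow(self, src_ip, dst_ip, port):
        self.rules.append((src_ip, dst_ip, port))
    def permits(self, src_ip, dst_ip, port):
        return any(r == (src_ip, dst_ip, port) for r in self.rules)  # O(n) scan

class IdentityFirewall:
    """Label-derived identities; policy is a hash lookup keyed on identity."""
    def __init__(self):
        self.identities = {}                 # label set -> numeric identity
        self.ip_to_identity = {}             # pod IP -> identity, updated on churn
        self.policy = set()                  # (src_id, dst_id, port)
    def identity_for(self, labels):
        key = frozenset(labels.items())
        return self.identities.setdefault(key, len(self.identities) + 1)
    def pod_started(self, ip, labels):
        self.ip_to_identity[ip] = self.identity_for(labels)
    def pod_stopped(self, ip):
        self.ip_to_identity.pop(ip, None)
    def allow(self, src_labels, dst_labels, port):
        self.policy.add((self.identity_for(src_labels),
                         self.identity_for(dst_labels), port))
    def permits(self, src_ip, dst_ip, port):
        src = self.ip_to_identity.get(src_ip)
        dst = self.ip_to_identity.get(dst_ip)
        return None not in (src, dst) and (src, dst, port) in self.policy  # O(1)

def churn_scenario():
    front, db, batch = {"app": "frontend"}, {"app": "db"}, {"app": "batch"}
    ip_fw, id_fw = IpRuleFirewall(), IdentityFirewall()
    ip_fw.allow("10.0.0.5", "10.0.0.9", 5432)        # frontend IP -> db IP
    id_fw.pod_started("10.0.0.5", front)
    id_fw.pod_started("10.0.0.9", db)
    id_fw.allow(front, db, 5432)                     # frontend label -> db label
    # Churn: frontend is recreated at .7 and a batch pod reuses .5.
    id_fw.pod_stopped("10.0.0.5")
    id_fw.pod_started("10.0.0.7", front)
    id_fw.pod_started("10.0.0.5", batch)
    return {
        "ip_new_frontend": ip_fw.permits("10.0.0.7", "10.0.0.9", 5432),
        "ip_reused_addr": ip_fw.permits("10.0.0.5", "10.0.0.9", 5432),
        "id_new_frontend": id_fw.permits("10.0.0.7", "10.0.0.9", 5432),
        "id_reused_addr": id_fw.permits("10.0.0.5", "10.0.0.9", 5432),
    }
```

After the churn, the unchanged IP rule blocks the recreated frontend and admits the unrelated pod that inherited its old address, while the identity policy needs no edit and gets both decisions right.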

Beyond performance, the conversation highlights how eBPF’s built‑in verifier guarantees safety, preventing crashes that could cripple entire fleets—a concern underscored by historic kernel incidents. The programmable nature of eBPF also opens doors for observability, tracing, and load‑balancing extensions, positioning Cilium as a central piece of the modern cloud‑native stack. As more organizations adopt Kubernetes at scale, the shift toward programmable kernels promises faster, more secure, and more adaptable infrastructure, cementing Cilium’s role in the evolving landscape of container networking.

Episode Description

Modern cloud-native systems are built on highly dynamic, distributed infrastructure where containers spin up and down constantly, services communicate across clusters, and traditional networking assumptions break down. Linux networking was designed decades ago around static IPs and linear rule processing, which makes it increasingly difficult to achieve scale in Kubernetes environments. At the same time,

The post Cilium, eBPF, and Modern Kubernetes Networking with Bill Mulligan appeared first on Software Engineering Daily.
