Supercharging OpenShift and KubeVirt with Cilium and eBPF
Introduction
Cloud-native platforms are no longer just about running containers—they’re about running everything at scale: containers, virtual machines, and the networking fabric that connects them. Enterprises need platforms that deliver performance, security, and simplicity without adding operational burden. Red Hat OpenShift provides that foundation, and with OpenShift Virtualization powered by KubeVirt, organizations can run containers and VMs side by side.
But today’s workloads demand more. Networking must be programmable, secure, and observable in real time. That’s where Cilium, built to leverage the power of eBPF, comes in. By shifting networking and security deep into the Linux kernel, Cilium delivers high-performance networking, micro-segmentation, and deep visibility at scale. And when paired with identity frameworks like SPIFFE/SPIRE, OpenShift platforms move closer to true zero-trust networking across containers, VMs, and clusters.
What is Cilium and Why eBPF Matters
At its core, Cilium is a CNI plugin that provides networking, service load balancing, security policy, and observability for cloud-native environments. It is built on eBPF, a Linux kernel technology that lets verified, sandboxed programs run inside the kernel at well-defined hooks (socket operations, traffic control on network interfaces, XDP at the driver) without changing kernel source or loading out-of-tree modules.
Key capabilities of eBPF include:
Programmable Networking – Real-time packet processing for faster, more efficient data flows.
Dynamic Security Policies – Enforcement of granular, identity-based rules at the kernel level.
Enhanced Observability – Deep visibility into application and network behaviors with minimal overhead.
Together, these make Cilium a powerful complement to Kubernetes and OpenShift.
Where OpenShift Networking Struggles
OpenShift offers robust container orchestration, but networking at scale introduces pain points:
Scalability – Ensuring high-performance networking as clusters grow.
Security – Implementing granular, multi-tenant isolation without adding friction.
Virtualization – Combining VMs and containers seamlessly under OpenShift Virtualization.
Traditional networking stacks, often reliant on iptables, become brittle and inefficient at scale: kube-proxy's rule set grows with every Service and endpoint and is evaluated sequentially, so both rule updates and per-packet lookups slow down as the cluster grows. Cilium, powered by eBPF, replaces those chains with eBPF programs backed by hash maps, where a lookup costs the same whether the cluster has ten Services or ten thousand. Forwarding and policy enforcement still happen in the kernel, but on data structures that scale, which improves both performance and manageability.
High-Performance Networking
Cilium enhances OpenShift's networking stack by handling packet processing in the Linux kernel through eBPF programs attached to each pod's interface. It can replace kube-proxy's iptables-based service load balancing entirely, which removes the rule churn that otherwise grows with cluster size, cutting latency and improving throughput. In practice, this means smoother communication between pods and services, even in complex OpenShift environments.
Beyond internal performance, Cilium also includes a BGP control plane. It is worth being precise about where it runs: BGP sessions are handled by a GoBGP-based speaker inside the cilium-agent, in user space, while forwarding for the advertised prefixes stays in the eBPF datapath. With eBGP (external BGP, a session between two different autonomous systems, here the cluster and its top-of-rack or edge router), nodes advertise their pod CIDRs and selected LoadBalancer Service IPs to the physical network, so pods and services become routable without an overlay or NAT. This simplifies hybrid and multi-cloud routing and removes the fragile workarounds (static routes, NodePort hairpins) that were previously needed.
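As an added example, not taken from the original post or from the Cilium project, here is a CiliumBGPPeeringPolicy (the cilium.io/v2alpha1 API; newer releases also offer CiliumBGPClusterConfig) that has the nodes labelled rack=rack0 peer with a top-of-rack router over eBGP and advertise only the pod CIDR plus explicitly labelled LoadBalancer Services. The ASNs, the router address 10.0.0.1, the rack label, and the Secret name are assumed values.

```yaml
# Added example: Cilium BGP control plane peering policy (not from the Cilium docs).
# Assumed: local ASN 65010, ToR router 10.0.0.1 in ASN 65000, node label rack=rack0.
# Requires the BGP control plane enabled at install (Helm: bgpControlPlane.enabled=true).
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: rack0-tor
spec:
  # Only nodes carrying this label open a BGP session; other racks get their own policy.
  nodeSelector:
    matchLabels:
      rack: rack0
  virtualRouters:
  - localASN: 65010
    # Advertise each node's PodCIDR so the ToR routes to pods directly, no overlay needed.
    exportPodCIDR: true
    # Do not leak every Service: only LoadBalancer Services carrying bgp=advertise.
    serviceSelector:
      matchLabels:
        bgp: advertise
    neighbors:
    - peerAddress: "10.0.0.1/32"
      peerASN: 65000               # different ASN on each end: this is eBGP
      eBGPMultihopTTL: 1           # router is directly attached; do not accept distant peers
      connectRetryTimeSeconds: 30
      holdTimeSeconds: 90
      keepAliveTimeSeconds: 30
      gracefulRestart:
        enabled: true              # keep routes during an agent restart
        restartTimeSeconds: 120
      # TCP MD5 session authentication (Cilium 1.15+). The Secret lives in the BGP
      # secrets namespace (kube-system by default) and carries a key named "password".
      authSecretRef: tor-bgp-md5   # assumed Secret name
```

The policy only advertises; Cilium does not import routes from the peer. Apply prefix filters on the router side as well, so a mis-labelled Service or a wrong PodCIDR cannot attract traffic it should not, and confirm the session with `cilium bgp peers` on a node in the rack.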
Security at Scale
One of the biggest challenges in Kubernetes and OpenShift is enforcing security consistently as clusters scale. Cilium, powered by eBPF, takes a modern approach: it derives a numeric security identity from each workload's set of Kubernetes labels, carries that identity with the packet, and enforces policy against it rather than against addresses. Because IP addresses are ephemeral in containerized environments, this matters: a policy written once for app=api applies to every replica on every node, and policies follow workloads wherever they go. The same engine also enforces layer 7 rules (HTTP methods and paths, DNS names, Kafka topics) that iptables cannot express.
Cilium also supports transparent encryption of pod-to-pod traffic between nodes, using either IPsec or WireGuard, with no application changes and modest performance cost; `cilium status` reports whether it is active. One caveat a practitioner should know before rolling out policy: once any policy selects an endpoint, that endpoint becomes default-deny in the direction the policy covers (ingress, egress or both), so the first policy applied to a namespace will drop flows you forgot to list, DNS egress being the usual casualty. Cilium's policy audit mode logs would-be drops without enforcing them, which is the safe way to introduce policy into a live namespace. Combined with dynamic policy enforcement that adapts as workloads are created or moved, Cilium enables OpenShift operators to implement fine-grained, zero-trust security in multi-tenant environments without being overwhelmed by complexity.
Observability and Debugging
Networking issues are among the most complex problems to debug in Kubernetes. Cilium addresses this challenge directly by leveraging eBPF's visibility into kernel-level events. Operators gain access to real-time flow records and tracing without needing intrusive instrumentation or sidecars.
With Hubble, Cilium's native observability layer, teams can visualize traffic paths, perform root cause analysis, and monitor policy enforcement across the entire OpenShift environment; `hubble observe --verdict DROPPED --namespace <ns>` lists every flow the datapath dropped and the reason, which is the first thing to run when a new policy breaks an application. This visibility extends to both pod-to-pod and pod-to-VM traffic, because a KubeVirt VM's network traffic passes through its virt-launcher pod's interface and is seen by the same eBPF programs. For platform teams, this means less guesswork and faster resolution of performance or security incidents.
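As an added example that is not from the original post or from the Cilium project, the following Helm values enable the features discussed in this section and the previous one: kube-proxy replacement, WireGuard transparent encryption, Hubble with its relay, UI and flow metrics, and policy audit mode for a safe rollout. On OpenShift, where Cilium is installed through the certified OLM operator, the same map goes under `spec` of the CiliumConfig resource. Key names are valid for Cilium 1.14 and later; the metric list is an assumed selection.

```yaml
# Added example: Cilium Helm values (not the project's defaults).
# Cilium 1.14+; on OpenShift place this map under spec: of the CiliumConfig CR.
kubeProxyReplacement: true        # service load balancing in eBPF instead of iptables

# Transparent encryption between nodes. WireGuard needs no key distribution beyond the
# per-node keys Cilium generates; type: ipsec would instead need the cilium-ipsec-keys Secret.
encryption:
  enabled: true
  type: wireguard
  nodeEncryption: true            # also encrypt host-network (node-to-node) traffic

# Hubble: per-node flow capture, a cluster-wide relay for `hubble observe`, and the UI.
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
  metrics:
    enabled:                      # exported as Prometheus metrics; alert on "drop"
    - dns
    - drop
    - tcp
    - flow
    - port-distribution
    - icmp

# Audit mode: policy verdicts are logged (visible in Hubble) but not enforced.
# Set back to false once the dropped-flow list is empty for the namespaces you policed.
policyAuditMode: true
```

Leaving `policyAuditMode: true` in production defeats the policies entirely, so treat it as a migration setting and verify with `cilium status` that encryption reports WireGuard before relying on it for tenant isolation.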
While these capabilities enhance networking across the cluster, their value becomes even clearer when OpenShift Virtualization is introduced.
Accelerating OpenShift Virtualization with Cilium
Integrating KubeVirt
OpenShift Virtualization, powered by KubeVirt, allows organizations to manage virtual machines alongside containers. But running mixed workloads introduces new networking and security challenges. OpenShift Virtualization with Cilium bridges this gap by providing unified networking across pods and VMs: each VM runs inside a virt-launcher pod, receives a pod IP and a Cilium endpoint identity, and so operates under the same policies and observability framework as any container.
Because the VM's traffic leaves through the pod's interface, it traverses the same eBPF datapath as container traffic: the same identity lookups, policy maps, encryption, and Hubble visibility, with no second overlay or separate firewall to maintain. This does not change the hypervisor's own virtio I/O path, but it does mean VMs and containers share one forwarding plane on the node rather than two. For platform teams, this means simpler management and more predictable performance, regardless of the type of workload running.
Optimizing KVM
KubeVirt runs each VM as a KVM guest inside a virt-launcher pod*. With Cilium in the mix, these workloads gain the same modern networking and security capabilities available to containers: labels set on the VirtualMachine template are propagated to the virt-launcher pod, so a CiliumNetworkPolicy selects a VM exactly as it selects a pod. By applying consistent, enforceable policies across all pods, including the ones that host VMs, Cilium reduces the risk of security blind spots that often appear in hybrid environments.
On the performance side, the eBPF datapath handles VM traffic at the node without an additional overlay or hand-configured bridges, and VM-backed pods are reachable through the same routes (including BGP-advertised pod CIDRs) as every other pod. Cilium effectively levels the playing field, as both VMs and containers benefit from the same high-performance network fabric.
* In KubeVirt every VM is hosted in a pod; the VM is therefore a Cilium endpoint like any other.
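As an added example, not from the original post or from the KubeVirt or Cilium projects, here is a VirtualMachine whose template labels make it selectable by a CiliumNetworkPolicy, and a policy that allows only app=api pods to reach it on TCP 5432. The namespace shop, the labels, the port, and the container disk image are assumed; the same policy would apply unchanged to a container pod carrying app=db.

```yaml
# Added example: one label-based policy covering a KubeVirt VM (not from the projects' docs).
# Assumed: namespace "shop", VM labelled app=db serving TCP 5432, clients labelled app=api.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: db
  namespace: shop
spec:
  running: true
  template:
    metadata:
      labels:
        app: db             # copied to the virt-launcher pod, so Cilium sees this label
        tier: data
    spec:
      domain:
        devices:
          interfaces:
          - name: default
            masquerade: {}  # guest shares the pod's network namespace; traffic exits the pod veth
          disks:
          - name: root
            disk:
              bus: virtio
        resources:
          requests:
            memory: 2Gi
      networks:
      - name: default
        pod: {}
      volumes:
      - name: root
        containerDisk:
          image: quay.io/example/db-vm:latest   # assumed image
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: db-ingress
  namespace: shop
spec:
  # Selects the VM's virt-launcher pod and any container pod with the same label.
  endpointSelector:
    matchLabels:
      app: db
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: api          # identity, not IP: every api replica on every node matches
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
  # Selected endpoints are now default-deny for ingress: anything not listed above is
  # dropped and appears in `hubble observe --verdict DROPPED -n shop`.
```

The policy has no egress section, so the VM's outbound traffic is still unrestricted; adding one makes the VM default-deny for egress too, at which point DNS and any update or backup destinations need explicit rules.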
Advanced eBGP Support
Modern platforms rarely live in a single cluster. Enterprises run hybrid and multi-cloud deployments that need reliable routing between environments. Cilium's BGP control plane lets OpenShift nodes peer directly with the routers of the surrounding network, exchanging routes over eBGP from the cilium-agent while forwarding continues in the eBPF datapath.
This simplifies complex hybrid setups, replacing fragile workarounds with a straightforward, scalable approach to multi-cloud networking. A practitioner should treat the BGP session as a trust boundary like any other: authenticate peers (Cilium supports TCP MD5 through a referenced Secret from release 1.15), advertise only the prefixes you intend (pod CIDRs and selected LoadBalancer Services), and apply prefix filters on the router side, because a mis-advertised route can blackhole traffic for an entire rack. eBGP provides reachability between clusters, clouds, and on-premise environments; the confidentiality and authentication of the traffic itself come from the encryption and identity layers described in the following sections.
Real-World Proof Points
Google Kubernetes Engine (GKE) + Cilium
Google built GKE Dataplane V2 on Cilium, which underscores its value at the hyperscaler level. In multi-tenant environments where thousands of workloads compete for resources, Cilium's eBPF-powered data path improves scalability and reduces network overhead, and its identity-based policy engine is what enforces Kubernetes network policy in that mode. The lesson for OpenShift users: what works at Google scale can deliver similar advantages in enterprise-scale clusters.
Amazon EKS Anywhere + Cilium
Amazon uses Cilium as the default CNI in EKS Anywhere, demonstrating how it enhances both security and performance in hybrid deployments. By shifting security enforcement into the kernel, Cilium enables dynamic, identity-based policies that adapt as workloads move, reducing reliance on brittle, static firewall rules and giving operators finer-grained control. At the same time, enterprises see lower latency and more efficient resource utilization. For OpenShift and KubeVirt users, this shows that Cilium is not just theory; it is production-proven in real-world, large-scale deployments.
Strengthening Identity and Trust with SPIFFE and SPIRE
While Cilium and eBPF optimize performance, security enforcement, and observability, enterprises also need a consistent way to establish workload identity across containers, VMs, and clusters. This is where SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (SPIFFE Runtime Environment) come into play.
Workload Identity Beyond IPs
Traditionally, trust in distributed systems is tied to IP addresses or service accounts. In cloud-native platforms where pods, VMs, and workloads are ephemeral, these identifiers are brittle.
SPIFFE defines a standard for workload identity using cryptographically verifiable SPIFFE IDs.
SPIRE issues and rotates these identities automatically as SVIDs (SPIFFE Verifiable Identity Documents), in X.509 certificate or JWT form, after attesting the workload; on Kubernetes the agent checks which pod the caller runs in against the kubelet and matches it to a registration entry.
This shifts trust from network location to workload identity, ensuring that every pod or VM is authenticated, regardless of where it runs.
Integrating with OpenShift and KubeVirt
Pods and VMs: Both containers and KubeVirt-managed virtual machines can receive SPIFFE IDs. In Cilium's integration, identities are issued per Cilium security identity (that is, per label set), so a VM's virt-launcher pod is covered exactly like a container pod. For software inside the guest OS to hold its own SVID, a SPIRE agent has to run inside the VM and attest it; the pod-level identity does not reach into the guest.
Multi-Tenant Security: Cilium's mutual authentication feature (release 1.14 and later) uses SPIRE-issued identities: when a policy requires authentication, the Cilium agents on the two nodes perform an mTLS handshake on the workloads' behalf, and only after it succeeds does the eBPF datapath allow the flow. This gives identity-aware micro-segmentation without touching the application.
Zero-Trust Foundations: Every workload must prove its identity (via SPIFFE) before network policy enforcement (via Cilium) allows communication. Note that this handshake authenticates the peer identities; it does not by itself encrypt the data path, so pair it with Cilium's transparent encryption if confidentiality on the wire is also a requirement.
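As an added example, not from the original post or from the Cilium project, the policy below requires a SPIRE-backed mutual authentication handshake before api pods may talk to db endpoints (the assumed shop namespace and labels are the same as elsewhere on this page). It assumes Cilium 1.14 or later installed with the Helm values `authentication.mutual.spire.enabled: true` and, if Cilium should deploy SPIRE itself, `authentication.mutual.spire.install.enabled: true`.

```yaml
# Added example: CiliumNetworkPolicy requiring mutual authentication (not from the Cilium docs).
# Assumed: namespace "shop", server labelled app=db on TCP 5432, clients labelled app=api,
# Cilium 1.14+ with authentication.mutual.spire.enabled=true.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: db-ingress-mtls
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: db
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: api
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
    # "required": the first packet is dropped with an auth-required verdict, the agents
    # on both nodes complete an mTLS handshake with SVIDs issued by SPIRE for the two
    # Cilium identities (spiffe://spiffe.cilium/identity/<numeric-id>), and only then
    # is the flow admitted and cached for the SVID lifetime.
    authentication:
      mode: "required"
```

If the handshake never completes, the flow stays dropped; `hubble observe --verdict DROPPED -n shop` shows the authentication reason, and `cilium status` should list mutual authentication as enabled on every node. Because the handshake runs between agents, the payload is still plaintext unless transparent encryption is also enabled.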
Multi-Cluster and Hybrid Cloud
For enterprises operating across multiple OpenShift clusters or hybrid/multi-cloud deployments:
SPIRE Federation supports identity sharing across trust domains.
Coupled with Cilium's eBGP support, which provides the routes between environments, and encryption of the traffic that crosses those links, this enables secure, authenticated communication across environments.
Conclusion
By layering SPIFFE/SPIRE into an OpenShift, Cilium, and KubeVirt stack, platform teams gain identity, trust, and zero-trust enforcement across containers, VMs, and clusters. The bottom line: if you’re serious about platform engineering at scale, this isn’t just a nice-to-have; it’s the blueprint for resilient, cloud-native infrastructure. In upcoming posts, I’ll share practical architectures and lessons learned from the field to help you put this into practice.