Pod Rate Limiting with Cilium – Deep Dive

I wrote a deep dive on Isovalent.com on how Cilium implements traffic rate-limiting on Kubernetes Pods. It was a pretty lengthy process to write this up but I enjoyed reading up on white papers on Quality of Service and Linux networking to be as accurate as possible.

I had recorded a brief demo on this topic a few weeks ago but if you want to learn more, read this!

A few additional notes, as I couldn’t quite fit it all in the blog post:

  • There’s a lot of innovation happening in the networking space that starts – or at least is implemented first – in the Linux networking kernel stack. That’s something I didn’t appreciate until I started working on Cilium full time.
  • The rate-limit feature is interesting and researching it took me back to the times when I was either learning QoS while studying for my CCIE or actually implementing it.
  • Networking in the Kubernetes world is similar to, but different from, the old traditional Cisco world. What I find especially interesting here is that, as I said in the first part of the post, we already had some Kubernetes-native mechanisms to address compute contention in Kubernetes but doing the same for networking was much harder.
  • Writing a blog post like this can be challenging because the readers can have very different backgrounds. How can I simultaneously address the DevOps engineer, the network architect, the Linux expert? It’s just about impossible to find a common language… Just know that I tried to make it easy to read for everyone who might have a requirement to implement some kind of traffic policing/shaping on Kubernetes.
  • The feature I am describing enforces an egress traffic limit, based on bytes per second. This is different from Service Mesh traffic limits, which might be based on API call limitations, for example.
  • The blog post was inspired by a KubeCon session I saw in Valencia earlier this year and follows a similar storyline.
  • It’s not a feature you can just test on Kind unfortunately – you’re going to need some real HW for this.
  • I had lots of folks reviewing this blog post – thanks to all of them – so hopefully it’s accurate but if you spot any mistakes, just drop me a message.
  • The next deep dive blog post I have coming up on Isovalent.com is on BBR on Cilium. That’s pretty cool and again it gave me the opportunity to learn and do some research on some bleeding-edge tech.

Thanks for reading.
