Cilium can be integrated with Docker in two ways:

  • via the CNI interface. This method is used by Kubernetes and Mesos.
  • via Docker’s libnetwork plugin interface, if networking is to be managed by the Docker runtime. This method is used, for example, by Docker Compose.

Running Cilium with Docker’s libnetwork requires a single logical Docker network of type cilium with an IPAM-driver of type cilium. The IPAM-driver delegates control over IPv4 and IPv6 address management and network connectivity to Cilium for all containers attached to this network. Each Docker container is allocated an IP address from the node prefix of the node running that container.

When deployed with Docker, each Linux node must also run a cilium-docker agent that receives libnetwork calls from Docker and then communicates with the Cilium Agent to control container networking.

Security policies controlling connectivity between the Docker containers can be written in terms of the Docker container labels passed to Docker when creating the container. These policies can be created and updated via the Cilium agent API or by using the Cilium CLI client.
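
The libnetwork setup and a label-based policy as described above, sketched as a shell script. This is an added example, not taken from the Cilium documentation: the network name, container names, `id` labels and image are assumptions, and the policy uses Cilium's JSON rule format, whose fields can differ between Cilium versions.

```shell
#!/bin/sh
# Added example. NET, IMAGE, container names and id= labels are assumptions.
set -eu
NET=cilium-net
IMAGE=${IMAGE:-example/httpd:placeholder}   # placeholder image name

# Print a policy: endpoints labelled id=$1 accept ingress only from
# endpoints labelled id=$2, and only on TCP port $3.
render_policy() {
    for v in "$1" "$2"; do   # reject values that could break out of the JSON string
        case "$v" in ""|*[!A-Za-z0-9_.-]*) echo "bad label: $v" >&2; return 1 ;; esac
    done
    case "$3" in ""|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    cat <<EOF
[{
  "endpointSelector": {"matchLabels": {"id": "$1"}},
  "ingress": [{
    "fromEndpoints": [{"matchLabels": {"id": "$2"}}],
    "toPorts": [{"ports": [{"port": "$3", "protocol": "TCP"}]}]
  }]
}]
EOF
}

apply() {
    # One logical network; both the network driver and the IPAM driver are cilium.
    docker network inspect "$NET" >/dev/null 2>&1 ||
        docker network create --driver cilium --ipam-driver cilium "$NET"

    # Labels passed at container creation are what the policy selects on.
    docker run -d --name app1 --net "$NET" -l id=app1 "$IMAGE"
    docker run -d --name app2 --net "$NET" -l id=app2 "$IMAGE"

    # Load the policy through the Cilium CLI client.
    policy=$(mktemp)
    render_policy app1 app2 80 >"$policy"
    cilium policy import "$policy"
    rm -f "$policy"
}

# Only touch Docker and Cilium when invoked with the "apply" argument.
if [ "${1:-}" = "apply" ]; then apply; fi
```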

Follow this guide for a step-by-step introduction to using Cilium with Docker Compose: