Cilium
Required knowledge for the CKS certification.
Cilium is an advanced networking, security, and observability platform for Kubernetes that leverages eBPF (Extended Berkeley Packet Filter) to provide high-performance networking, transparent encryption, network policies, and deep visibility into traffic flows.
It can replace kube-proxy, traditional CNI plugins, and sidecar-based service meshes with a programmable eBPF data plane that integrates tightly with Kubernetes.
Usage
1. Install Cilium
Use the Cilium CLI to install it into your cluster:
cilium install
Check Cilium status:
cilium status
2. Define Network Policies with Cilium
Example: Allow only frontend pods to access the backend.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-frontend
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
Apply the policy:
kubectl apply -f allow-frontend.yaml
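A fuller policy for the same frontend/backend pair, added here as an example for this note (it is not taken from the Cilium docs), that combines identity-aware L3/L4 selection with an L7 HTTP rule and a DNS egress rule. The labels app=frontend and app=backend, the default namespace, port 8080 and the /api path prefix are assumed.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-l7-policy
  namespace: default            # assumed namespace of the frontend and backend pods
spec:
  # Identity-aware selection: applies to every pod carrying app=backend,
  # independent of pod IP or the node it is scheduled on.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Only frontend identities may connect, and only to TCP/8080 ...
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # ... and once connected only HTTP GET requests under /api/ are allowed;
      # other methods or paths are rejected by Cilium's L7 proxy with 403.
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
  egress:
  # Declaring any egress rule switches backend egress to default-deny, so
  # list what it still needs; here: DNS resolution via kube-dns in kube-system.
  # Anything else the backend must reach needs its own toEndpoints/toFQDNs rule.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      # L7 DNS rule: every lookup is recorded as a flow in Hubble
      # (matchPattern "*" permits all names; narrow it to restrict lookups).
      rules:
        dns:
        - matchPattern: "*"
```

Denied requests show up in Hubble as dropped or L7-denied flows between the frontend and backend identities, which is how you verify the rule does what you intended.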
3. Enable Transparent Encryption
Enable encryption of pod-to-pod traffic between nodes using IPsec (WireGuard is the alternative). IPsec additionally needs a pre-shared key stored in a Kubernetes Secret (cilium-ipsec-keys in kube-system) before traffic is encrypted:
cilium config set enable-ipsec true
Or using Helm:
helm upgrade cilium cilium/cilium --set encryption.enabled=true
4. Observe Network Flows
Use Hubble, Cilium's observability engine:
cilium hubble enable
cilium hubble ui
You can visualize:
- Service-to-service communication
- DNS queries
- Allowed/denied flows
- Identity and label-based flows
Best Practices
- Replace kube-proxy with Cilium to simplify architecture and reduce latency.
- Use identity-aware network policies for more granular control than standard Kubernetes NetworkPolicy.
- Enable Hubble to monitor and audit all traffic and security events.
- Use transparent encryption to secure node-to-node traffic with zero changes to workloads.
- Regularly test your policies using Cilium's connectivity test suite (cilium connectivity test).
Resources
- Official Documentation: https://docs.cilium.io
- Cilium GitHub Repository: https://github.com/cilium/cilium
- Policy Examples: https://docs.cilium.io/en/stable/policy/language/