Skills · Apr 10, 2026 · 3 min read

Cilium — eBPF-Powered Cloud Native Networking & Security

Cilium provides high-performance networking, observability, and security for Kubernetes using eBPF. CNI plugin, service mesh, and network policy — all kernel-level.

Agent ready

Review-first install path

This asset needs a review step. The copied prompt tells the agent to dry-run, show the writes, then proceed only after confirmation.

Needs Confirmation · 64/100 · Policy: confirm
Agent surface: Any MCP/CLI agent
Kind: Skill
Install: Single
Trust: Established
Entrypoint: step-1.md
Review-first command:
    npx -y tokrepo@latest install 30500e42-3535-11f1-9bc6-00163e2b0d79 --target codex

Dry-run first, confirm the writes, then run this command.

TL;DR
Cilium uses eBPF to deliver high-performance Kubernetes networking, observability, and security at the kernel level.
§01

What it is

Cilium is an open-source cloud-native networking, observability, and security platform powered by eBPF (extended Berkeley Packet Filter). As a CNCF graduated project, it operates at the Linux kernel level to implement CNI, service mesh, and network policies without the overhead of traditional iptables-based solutions.

Cilium is designed for platform engineers and Kubernetes operators who need high-performance pod networking with deep L3-L7 visibility and policy enforcement.

§02

How it saves time or tokens

Cilium replaces multiple separate tools. Instead of running a CNI plugin plus Istio for service mesh plus a separate network policy engine, Cilium handles all three in one eBPF-powered stack. The sidecar-free service mesh approach eliminates per-pod proxy overhead, reducing both resource consumption and operational complexity.

§03

How to use

  1. Install the Cilium CLI:
       brew install cilium-cli
  2. Install Cilium in your Kubernetes cluster:
       cilium install
       cilium status --wait
  3. Verify connectivity:
       cilium connectivity test
§04

Example

# L7 network policy: pods labeled app=backend accept, from pods labeled
# app=frontend on TCP port 8080, only GET requests to /api/v1/public
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-public-api
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: '8080'
              protocol: TCP
          rules:
            http:
              - method: GET
                path: '/api/v1/public'
§06

Common pitfalls

  • Running Cilium on kernels older than 4.19 where eBPF features are incomplete
  • Forgetting to remove the existing CNI plugin before installing Cilium, causing conflicts
  • Enabling Hubble observability without allocating sufficient resources for the Hubble Relay component
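
A pre-install check for the first two pitfalls above, written as an added example (it is not part of Cilium or of the original page). It assumes CNI configuration lives in /etc/cni/net.d and that Cilium's own file has "cilium" in its name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install checks for the first two pitfalls above.
MIN_MAJOR=4    # minimum kernel named on this page: 4.19
MIN_MINOR=19

# kernel_ok RELEASE: 0 if RELEASE (uname -r format) >= 4.19, 1 if older,
# 2 if the string cannot be parsed.
kernel_ok() {
    rel=${1%%[-+]*}                    # "5.15.0-91-generic" -> "5.15.0"
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && rest=0     # no minor component present
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -gt "$MIN_MAJOR" ] && return 0
    [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]
}

# other_cni_configs [DIR]: print CNI config files that are not Cilium's.
# Returns 0 if there are none, 1 if at least one was found.
other_cni_configs() {
    dir=${1:-/etc/cni/net.d}           # assumption: standard CNI config dir
    found=0
    for f in "$dir"/*.conf "$dir"/*.conflist "$dir"/*.json; do
        [ -e "$f" ] || continue        # unmatched glob stays literal
        case "${f##*/}" in
            *cilium*) ;;               # assumption: Cilium's own file
            *) echo "$f"; found=1 ;;
        esac
    done
    return "$found"
}

# preflight [DIR]: run both checks on this node; 0 means safe to proceed.
preflight() {
    rc=0
    if ! kernel_ok "$(uname -r)"; then
        echo "kernel $(uname -r) is older than $MIN_MAJOR.$MIN_MINOR or unparseable" >&2
        rc=1
    fi
    if ! leftovers=$(other_cni_configs "${1:-/etc/cni/net.d}"); then
        printf 'existing CNI configuration found:\n%s\n' "$leftovers" >&2
        rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run on each node before `cilium install`; a non-zero exit means one of the two conditions needs attention first.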

Frequently Asked Questions

What is eBPF and why does Cilium use it?

eBPF (extended Berkeley Packet Filter) lets programs run inside the Linux kernel without modifying kernel source code. Cilium uses eBPF to intercept and filter network packets at the kernel level, achieving higher performance than user-space proxies or iptables rules.

How does Cilium compare to Istio?

Cilium provides a sidecar-free service mesh using eBPF, while Istio injects an Envoy sidecar proxy into each pod. Cilium has lower resource overhead and simpler operations. Istio offers more mature traffic management features like circuit breaking and fault injection.

Can Cilium replace kube-proxy?

Yes. Cilium can fully replace kube-proxy for Kubernetes service load balancing using eBPF. This removes the iptables dependency and improves performance at scale with large numbers of services.

What is Hubble in the Cilium ecosystem?

Hubble is the observability layer built on top of Cilium. It provides real-time network flow visibility, DNS monitoring, HTTP request tracing, and service dependency maps. Hubble UI offers a graphical interface for exploring network flows.

Does Cilium support multi-cluster networking?

Yes. Cilium Cluster Mesh connects multiple Kubernetes clusters with pod-to-pod connectivity, shared services, and unified network policies across clusters without requiring a VPN or overlay between clusters.
