How do I install Cilium — eBPF-Powered Cloud Native Networking & Security?

Visit the asset page on TokRepo and click "Copy for agent" to get the installation instructions. Most assets can be installed with a single command.

Cilium — eBPF-Powered Cloud Native Networking & Security

What Cilium Does

CNI Plugin: Container Network Interface for Kubernetes pod networking
Network Policies: L3-L7 policies (HTTP, gRPC, Kafka) beyond Kubernetes NetworkPolicy
Service Mesh: Sidecar-free service mesh using eBPF (alternative to Istio)
Load Balancing: High-performance L4/L7 load balancing for Services
Observability: Deep network visibility via Hubble (connections, policies, DNS)
Encryption: Transparent IPsec or WireGuard encryption between nodes
Cluster Mesh: Multi-cluster networking across regions/clouds
Egress Gateway: Route egress traffic through specific gateway nodes
eBPF-based: Kernel-level packet processing, no sidecars, no iptables

Architecture

┌─────────────────────────────────────────┐
│  Kubernetes Pod                          │
│  ┌─────────┐                             │
│  │  App    │                             │
│  └────┬────┘                             │
└───────┼─────────────────────────────────┘
        │
   ┌────▼────────────────┐
   │  Linux Kernel       │
   │  ┌─────────────┐    │
   │  │ eBPF Programs│   │
   │  │ - Routing    │   │
   │  │ - Policy     │   │
   │  │ - Load balance│  │
   │  │ - Encryption │   │
   │  └─────────────┘    │
   └─────────────────────┘
        │
   ┌────▼──────┐     ┌──────────┐
   │ Cilium    │────▶│  Hubble  │
   │ Agent     │     │(Observe) │
   └───────────┘     └──────────┘

Installation

Quick Install

# Install Cilium CLI
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin

# Install Cilium
cilium install --version 1.14.0

# Install Hubble observability
cilium hubble enable --ui
cilium hubble port-forward &

Helm Install

helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --namespace kube-system 
  --set kubeProxyReplacement=strict 
  --set k8sServiceHost=$API_SERVER_IP 
  --set k8sServicePort=$API_SERVER_PORT 
  --set hubble.relay.enabled=true 
  --set hubble.ui.enabled=true

Key Features

L7 Network Policies

# Allow only specific HTTP methods/paths
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-specific-api
spec:
  endpointSelector:
    matchLabels:
      app: backend-api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: /api/v1/public/.*
              - method: POST
                path: /api/v1/users
                headers:
                  - "X-API-Key: required"

Hubble Observability

# Real-time flow monitoring
hubble observe --since 1m

# Filter by namespace and verdict
hubble observe --namespace production --verdict DROPPED

# Track DNS queries
hubble observe --type dns

# HTTP traffic with details
hubble observe --type http --output json

# Which pods talk to each other?
hubble observe --from-label app=frontend --to-label app=backend

Hubble UI provides a visual service map showing all traffic flows:

[frontend] ──HTTP──▶ [backend] ──MySQL──▶ [database]
    │                                    │
    │                                    │
    └────────────DNS────▶ [coredns] ◀───┘

Encryption Between Nodes

# WireGuard encryption for all inter-node traffic
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cilium
spec:
  values:
    encryption:
      enabled: true
      type: wireguard
      nodeEncryption: true

Cluster Mesh

Connect multiple Kubernetes clusters:

# Enable cluster mesh
cilium clustermesh enable --context cluster1
cilium clustermesh enable --context cluster2

# Connect clusters
cilium clustermesh connect --context cluster1 --destination-context cluster2

# Services in cluster2 are now accessible from cluster1
# via standard Kubernetes DNS

Load Balancer Replacement

Cilium can replace kube-proxy entirely with eBPF-based service load balancing:

cilium install --set kubeProxyReplacement=strict

# Benefits:
# - Higher performance (no iptables)
# - Lower latency
# - Socket-level load balancing
# - Direct Server Return (DSR)

Why eBPF?

Traditional Kubernetes networking uses iptables, which has limitations:

iptables rules grow linearly with services
  → 1000 services = 10,000+ iptables rules
  → Each packet traverses all rules
  → Significant CPU overhead

eBPF (Cilium):
  → In-kernel, hash-based lookup
  → Constant time regardless of service count
  → 10-100x performance improvement
  → No iptables at all (optional)

Cilium vs Alternatives

Feature	Cilium	Calico	Flannel	Istio
CNI	Yes	Yes	Yes	Uses CNI
eBPF	Native	Optional	No	No
Network Policy	L3-L7	L3-L4	No	L7 (mesh)
Service Mesh	Yes (sidecar-free)	No	No	Yes (sidecar)
Observability	Hubble	Flow logs	No	Kiali
Encryption	WireGuard/IPsec	WireGuard	No	mTLS
Multi-cluster	ClusterMesh	Federation	No	Multi-cluster
Performance	Very high	High	Medium	Medium (sidecars)

Hubble Metrics & Prometheus

# Enable Prometheus metrics
cilium install --set prometheus.enabled=true 
  --set operator.prometheus.enabled=true 
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}"

# Scrape in Prometheus
- job_name: cilium
  kubernetes_sd_configs:
    - role: pod
  relabel_configs:
    - source_labels: [__meta_kubernetes_pod_label_k8s_app]
      action: keep
      regex: cilium

FAQ

Q: Cilium or Istio — which should I choose? A: Istio is a mature, full-featured service mesh, but its sidecar-based model has performance and resource overhead. Cilium Service Mesh uses eBPF to provide a sidecar-free architecture with higher performance but slightly fewer features. If you want maximum performance and low resource usage, pick Cilium. If you need comprehensive traffic management and security policies, Istio is more mature.

Q: What kernel version is required? A: Cilium requires Linux kernel 4.19+ (5.10+ for full features). Most modern distributions (Ubuntu 22.04+, RHEL 9+) meet this requirement. Managed K8s services (EKS, GKE, AKS) all ship with supported kernels by default.

Q: Is the learning curve steep? A: Basic usage (CNI + Network Policy) isn't hard and is similar to other CNIs. Advanced features (eBPF debugging, Hubble analysis, Cluster Mesh) require some investment to learn. The official docs and tutorials are very thorough.

Sources & Credits

GitHub: cilium/cilium — 24.1K+ ⭐ | Apache-2.0
Official site: cilium.io