# Cilium — eBPF-Powered Cloud Native Networking & Security > Cilium provides high-performance networking, observability, and security for Kubernetes using eBPF. CNI plugin, service mesh, and network policy — all kernel-level. ## Install Save the content below to `.claude/skills/` or append to your `CLAUDE.md`: ## Quick Use ```bash # Install Cilium CLI brew install cilium-cli # Install Cilium in your Kubernetes cluster cilium install # Verify installation cilium status --wait cilium connectivity test ``` ## Intro **Cilium** is an open-source cloud-native networking, observability, and security platform powered by eBPF (extended Berkeley Packet Filter). By operating at the Linux kernel level, Cilium provides unprecedented performance and visibility for Kubernetes clusters — implementing CNI, service mesh, and network policies without the overhead of traditional iptables-based solutions. With 24.1K+ GitHub stars and Apache-2.0 license, Cilium is a CNCF graduated project used by Google, Datadog, Capital One, and thousands of organizations for production Kubernetes networking at scale. ## What Cilium Does - **CNI Plugin**: Container Network Interface for Kubernetes pod networking - **Network Policies**: L3-L7 policies (HTTP, gRPC, Kafka) beyond Kubernetes NetworkPolicy - **Service Mesh**: Sidecar-free service mesh using eBPF (alternative to Istio) - **Load Balancing**: High-performance L4/L7 load balancing for Services - **Observability**: Deep network visibility via Hubble (connections, policies, DNS) - **Encryption**: Transparent IPsec or WireGuard encryption between nodes - **Cluster Mesh**: Multi-cluster networking across regions/clouds - **Egress Gateway**: Route egress traffic through specific gateway nodes - **eBPF-based**: Kernel-level packet processing, no sidecars, no iptables ## Architecture ``` ┌─────────────────────────────────────────┐ │ Kubernetes Pod │ │ ┌─────────┐ │ │ │ App │ │ │ └────┬────┘ │ └───────┼─────────────────────────────────┘ │ ┌────▼────────────────┐ │ Linux Kernel │ │ ┌─────────────┐ │ │ │ eBPF Programs│ │ │ │ - Routing │ │ │ │ - Policy │ │ │ │ - Load balance│ │ │ │ - Encryption │ │ │ └─────────────┘ │ └─────────────────────┘ │ ┌────▼──────┐ ┌──────────┐ │ Cilium │────▶│ Hubble │ │ Agent │ │(Observe) │ └───────────┘ └──────────┘ ``` ## Installation ### Quick Install ```bash # Install Cilium CLI curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin # Install Cilium cilium install --version 1.14.0 # Install Hubble observability cilium hubble enable --ui cilium hubble port-forward & ``` ### Helm Install ```bash helm repo add cilium https://helm.cilium.io/ helm install cilium cilium/cilium --namespace kube-system --set kubeProxyReplacement=strict --set k8sServiceHost=$API_SERVER_IP --set k8sServicePort=$API_SERVER_PORT --set hubble.relay.enabled=true --set hubble.ui.enabled=true ``` ## Key Features ### L7 Network Policies ```yaml # Allow only specific HTTP methods/paths apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: allow-specific-api spec: endpointSelector: matchLabels: app: backend-api ingress: - fromEndpoints: - matchLabels: app: frontend toPorts: - ports: - port: "8080" protocol: TCP rules: http: - method: GET path: /api/v1/public/.* - method: POST path: /api/v1/users headers: - "X-API-Key: required" ``` ### Hubble Observability ```bash # Real-time flow monitoring hubble observe --since 1m # Filter by namespace and verdict hubble observe --namespace production --verdict DROPPED # Track DNS queries hubble observe --type dns # HTTP traffic with details hubble observe --type http --output json # Which pods talk to each other? hubble observe --from-label app=frontend --to-label app=backend ``` Hubble UI provides a visual service map showing all traffic flows: ``` [frontend] ──HTTP──▶ [backend] ──MySQL──▶ [database] │ │ │ │ └────────────DNS────▶ [coredns] ◀───┘ ``` ### Encryption Between Nodes ```yaml # WireGuard encryption for all inter-node traffic apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: cilium spec: values: encryption: enabled: true type: wireguard nodeEncryption: true ``` ### Cluster Mesh Connect multiple Kubernetes clusters: ```bash # Enable cluster mesh cilium clustermesh enable --context cluster1 cilium clustermesh enable --context cluster2 # Connect clusters cilium clustermesh connect --context cluster1 --destination-context cluster2 # Services in cluster2 are now accessible from cluster1 # via standard Kubernetes DNS ``` ### Load Balancer Replacement Cilium can replace kube-proxy entirely with eBPF-based service load balancing: ```bash cilium install --set kubeProxyReplacement=strict # Benefits: # - Higher performance (no iptables) # - Lower latency # - Socket-level load balancing # - Direct Server Return (DSR) ``` ## Why eBPF? Traditional Kubernetes networking uses iptables, which has limitations: ``` iptables rules grow linearly with services → 1000 services = 10,000+ iptables rules → Each packet traverses all rules → Significant CPU overhead eBPF (Cilium): → In-kernel, hash-based lookup → Constant time regardless of service count → 10-100x performance improvement → No iptables at all (optional) ``` ## Cilium vs Alternatives | Feature | Cilium | Calico | Flannel | Istio | |---------|--------|--------|---------|-------| | CNI | Yes | Yes | Yes | Uses CNI | | eBPF | Native | Optional | No | No | | Network Policy | L3-L7 | L3-L4 | No | L7 (mesh) | | Service Mesh | Yes (sidecar-free) | No | No | Yes (sidecar) | | Observability | Hubble | Flow logs | No | Kiali | | Encryption | WireGuard/IPsec | WireGuard | No | mTLS | | Multi-cluster | ClusterMesh | Federation | No | Multi-cluster | | Performance | Very high | High | Medium | Medium (sidecars) | ## Hubble Metrics & Prometheus ```bash # Enable Prometheus metrics cilium install --set prometheus.enabled=true --set operator.prometheus.enabled=true --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}" # Scrape in Prometheus - job_name: cilium kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_label_k8s_app] action: keep regex: cilium ``` ## FAQ **Q: Cilium or Istio — which should I choose?** A: Istio is a mature, full-featured service mesh, but its sidecar-based model has performance and resource overhead. Cilium Service Mesh uses eBPF to provide a sidecar-free architecture with higher performance but slightly fewer features. If you want maximum performance and low resource usage, pick Cilium. If you need comprehensive traffic management and security policies, Istio is more mature. **Q: What kernel version is required?** A: Cilium requires Linux kernel 4.19+ (5.10+ for full features). Most modern distributions (Ubuntu 22.04+, RHEL 9+) meet this requirement. Managed K8s services (EKS, GKE, AKS) all ship with supported kernels by default. **Q: Is the learning curve steep?** A: Basic usage (CNI + Network Policy) isn't hard and is similar to other CNIs. Advanced features (eBPF debugging, Hubble analysis, Cluster Mesh) require some investment to learn. The official docs and tutorials are very thorough. ## Sources & Credits - GitHub: [cilium/cilium](https://github.com/cilium/cilium) — 24.1K+ ⭐ | Apache-2.0 - Official site: [cilium.io](https://cilium.io) --- Source: https://tokrepo.com/en/workflows/cilium-ebpf-powered-cloud-native-networking-security-30500e42 Author: AI Open Source