Cilium is the CNCF networking project that uses eBPF to provide networking, security, and observability for Kubernetes. It powers networking at companies like Google, AWS, and Datadog.
Cilium exposes a free API for managing network policies, endpoints, and service maps — all without iptables.
Why Use the Cilium API?
- eBPF networking — kernel-level packet processing, no iptables overhead
- Network policies — L3/L4/L7 policies with DNS and HTTP awareness
- Service mesh — built-in service mesh without sidecars
- Hubble observability — real-time flow visibility (see companion article)
Quick Setup
1. Install Cilium
```bash
cilium install
cilium status --wait
```
2. Check Cluster Status
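```bash
cilium status
# Shows: agent health, operator health, cluster connectivity

# Via API (the socket is local to each node, so run this where the agent's
# socket is reachable, e.g. inside the Cilium agent pod)
curl -s --unix-socket /var/run/cilium/cilium.sock http://localhost/v1/healthz | jq '.cilium.state'
```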
3. List Endpoints
```bash
# All endpoints (pods) managed by Cilium
# Keys containing hyphens must be quoted in jq, hence the ["..."] form
curl -s --unix-socket /var/run/cilium/cilium.sock \
  http://localhost/v1/endpoints | jq '.[] | {id: .id, pod: .status["external-identifiers"]["pod-name"], state: .status.state, identity: .status.identity.id}' | head -20
```
4. Network Policies
```bash
# Current policy repository revision
# (the rules themselves are returned as a JSON string in .policy)
curl -s --unix-socket /var/run/cilium/cilium.sock \
  http://localhost/v1/policy | jq '.revision'

# Apply L7 HTTP policy via kubectl
kubectl apply -f - <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-get-only
spec:
  endpointSelector:
    matchLabels:
      app: myapi
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/.*"
EOF
```
5. Service Map
```bash
# Get service dependencies
# Keys containing hyphens must be quoted in jq, hence the ["..."] form
curl -s --unix-socket /var/run/cilium/cilium.sock \
  http://localhost/v1/service | jq '.[] | {id: .spec.id, frontend: .spec["frontend-address"], backends: [.spec["backend-addresses"][]?.ip]}'
```
Python Example
```python
import requests_unixsocket

session = requests_unixsocket.Session()
# The socket path is URL-encoded into the host part of the URL
SOCK = "http+unix://%2Fvar%2Frun%2Fcilium%2Fcilium.sock"

# Get endpoints
endpoints = session.get(f"{SOCK}/v1/endpoints").json()
for ep in endpoints[:5]:
    pod = ep.get('status', {}).get('external-identifiers', {}).get('pod-name', 'N/A')
    state = ep.get('status', {}).get('state', 'N/A')
    print(f"Pod: {pod} | State: {state}")

# Get policy status (the revision is a top-level field of the response)
policy = session.get(f"{SOCK}/v1/policy").json()
print(f"Policy revision: {policy['revision']}")
```
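A defender-oriented use of the same `/v1/endpoints` data, as an added example that is not part of the original article: it flags endpoints that are not in the `ready` state or whose realized policy does not enforce ingress. The `status.policy.realized["policy-enabled"]` field is an assumption not shown on this page, and the sample records are constructed.

```python
import json
import sys

# Assumption: status.policy.realized["policy-enabled"] carries the enforcement
# mode. "none" and the audit-* modes (verdicts logged, nothing dropped) are
# treated as not enforced.
ENFORCING_INGRESS = {"ingress", "both"}

def audit_endpoints(endpoints):
    """Return (pod, state, mode, problems) for every endpoint that needs attention."""
    findings = []
    for ep in endpoints:
        status = ep.get("status") or {}
        pod = (status.get("external-identifiers") or {}).get("pod-name", "N/A")
        state = status.get("state", "unknown")
        realized = (status.get("policy") or {}).get("realized") or {}
        mode = realized.get("policy-enabled", "none")
        problems = []
        if state != "ready":
            problems.append("not-ready")
        if mode not in ENFORCING_INGRESS:
            problems.append("no-ingress-enforcement")
        if problems:
            findings.append((pod, state, mode, problems))
    return findings

def _ep(pod, state, mode):
    """Build one constructed endpoint record with only the fields audited here."""
    return {"status": {"external-identifiers": {"pod-name": pod}, "state": state,
                       "policy": {"realized": {"policy-enabled": mode}}}}

# Constructed sample shaped like a /v1/endpoints response (not real cluster data).
SAMPLE = [
    _ep("default/frontend-1", "ready", "both"),
    _ep("default/myapi-1", "ready", "none"),
    _ep("default/batch-1", "waiting-for-identity", "ingress"),
    _ep("kube-system/dns-1", "ready", "audit-ingress"),
]

if __name__ == "__main__":
    # Pass a file holding the saved /v1/endpoints output, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for pod, state, mode, problems in audit_endpoints(data):
        print(f"{pod}: state={state} policy-enabled={mode} -> {', '.join(problems)}")
```

To run it against a live node, save the output of the `/v1/endpoints` curl command from step 3 (without the `jq` filter) to a file and pass that file as the first argument.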
Key Endpoints
| Use Case | Endpoint | Method |
|---|---|---|
| Health check | /v1/healthz | GET |
| List endpoints | /v1/endpoints | GET |
| Get endpoint | /v1/endpoints/{id} | GET |
| Network policy | /v1/policy | GET/PUT |
| Service map | /v1/service | GET |
| IP cache | /v1/ip | GET |
| Metrics | /metrics (Prometheus) | GET |