Cilium: Next-Generation Kubernetes Networking
Cilium uses eBPF (extended Berkeley Packet Filter) to provide networking, observability, and security for Kubernetes. Packet processing runs as eBPF programs inside the Linux kernel rather than through iptables chains, which is where both its performance and its ability to enforce identity-aware policy come from.
Why Cilium Over Traditional CNI
- eBPF-based: packet processing runs in the kernel, and with kube-proxy replacement enabled service load balancing bypasses iptables chains entirely
- Identity-based security: every endpoint gets a security identity derived from its labels, so policies name workloads rather than IP addresses that change on every reschedule
- Transparent encryption: WireGuard or IPsec between nodes, enabled cluster-wide without touching workloads
- Service mesh: L7 load balancing through a per-node Envoy proxy, with no sidecar injected into each pod
- Hubble: flow-level network observability, including L7 detail (HTTP, DNS) whenever the proxy is in the path
The Free API (CRDs + CLI)
```yaml
# Network policy: L3 (identity), L4 (port) and L7 (HTTP) in one object.
# CiliumNetworkPolicy is namespaced: endpointSelector and fromEndpoints
# match pods in the policy's own namespace unless a selector names another.
# Once any ingress rule selects a pod, all other ingress to it is denied;
# the pod's egress stays open until an egress rule selects it.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-access
spec:
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # Any L7 rule sends the matching traffic through the node's Envoy
      # proxy; only GET requests whose path matches the regex are allowed.
      rules:
        http:
        - method: GET
          path: /api/v1/.*
```
```bash
# Cilium CLI
cilium status
cilium connectivity test
cilium hubble port-forward

# Hubble observability
hubble observe --namespace default
hubble observe --verdict DROPPED
hubble observe --protocol http --http-status 500
```
Hubble: Network Observability
Hubble provides real-time visibility into network flows:
```bash
# See all HTTP requests
hubble observe --protocol http -o json | jq .flow.l7.http

# DNS queries
hubble observe --protocol dns

# Dropped packets (policy denials and other security-relevant drops)
hubble observe --verdict DROPPED --namespace production
```
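The usual loop when rolling out identity-based policy like the `api-access` object above is: apply a policy, watch `hubble observe --verdict DROPPED -o json`, and translate each `POLICY_DENIED` flow into the narrowest `fromEndpoints` + `toPorts` rule that would allow it. The script below is an added example that does that translation; it is not Cilium's or Hubble's own code. The flow records are constructed inline to mirror the field names of Hubble's JSON output (`flow.verdict`, `flow.drop_reason_desc`, `flow.traffic_direction`, `flow.l4`, `flow.source.labels`), not real captures, and the function names (`parse_flows`, `selector_for`, `count_policy_drops`, `suggest_policies`) are this example's own. It also handles two traps: a cross-namespace peer must be named with `k8s:io.kubernetes.pod.namespace` because `fromEndpoints` is scoped to the policy's namespace by default, and a `reserved:*` source (world, host) has no pod labels, so generating an empty `matchLabels` for it would allow everything.

```python
import json
from collections import Counter

NS_LABEL = "k8s:io.kubernetes.pod.namespace"


def _endpoint(ns, app):
    """Constructed Hubble endpoint with the labels Cilium attaches to a pod."""
    return {"namespace": ns, "pod_name": f"{app}-0",
            "labels": [f"k8s:app={app}", f"{NS_LABEL}={ns}"]}


WORLD = {"labels": ["reserved:world"]}  # identity Hubble reports for off-cluster peers


def _flow(verdict, src, dst, proto, port, reason=None):
    """One record in the shape `hubble observe -o json` emits (constructed test data)."""
    flow = {"verdict": verdict, "traffic_direction": "INGRESS",
            "l4": {proto: {"source_port": 40000, "destination_port": port}},
            "source": src, "destination": dst}
    if reason:
        flow["drop_reason_desc"] = reason
    return json.dumps({"flow": flow, "node_name": "node-a"})


API = _endpoint("default", "api-server")
SAMPLE_OUTPUT = "\n".join([
    _flow("DROPPED", _endpoint("default", "frontend"), API, "TCP", 8080, "POLICY_DENIED"),
    _flow("DROPPED", _endpoint("default", "frontend"), API, "TCP", 8080, "POLICY_DENIED"),
    _flow("DROPPED", _endpoint("monitoring", "prometheus"), API, "TCP", 9090, "POLICY_DENIED"),
    _flow("DROPPED", WORLD, API, "TCP", 80, "POLICY_DENIED"),
    _flow("FORWARDED", _endpoint("default", "frontend"), API, "TCP", 8080),
    _flow("DROPPED", _endpoint("default", "frontend"), API, "TCP", 8080, "STALE_OR_UNROUTABLE_IP"),
])


def parse_flows(text):
    """Parse Hubble's line-delimited JSON and return the inner "flow" objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if "flow" in record:  # hubble also emits node_status / lost_events records
            flows.append(record["flow"])
    return flows


def selector_for(endpoint, policy_ns):
    """matchLabels for a Hubble endpoint as a policy living in policy_ns would write it.

    Only k8s: labels are pod labels, so reserved:* identities yield {} (meaning
    "not selectable by fromEndpoints"). The namespace label is kept only for
    peers outside policy_ns, because fromEndpoints is namespace-scoped by default.
    """
    sel = {}
    for label in endpoint.get("labels", []):
        key, _, value = label.partition("=")
        if not key.startswith("k8s:"):
            continue
        if key == NS_LABEL:
            if value != policy_ns:
                sel[NS_LABEL] = value  # cross-namespace peer: name it explicitly
            continue
        sel[key[len("k8s:"):]] = value
    return sel


def count_policy_drops(flows):
    """Count POLICY_DENIED ingress drops by (dst_ns, dst_selector, src_selector, proto, port)."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED" or f.get("drop_reason_desc") != "POLICY_DENIED":
            continue
        if f.get("traffic_direction") != "INGRESS":
            continue  # an egress drop needs a rule on the source pod; out of scope here
        l4 = f.get("l4", {})
        proto = next(iter(l4), None)
        if proto not in ("TCP", "UDP", "SCTP"):
            continue
        dst_ns = f["destination"]["namespace"]
        dst = tuple(sorted(selector_for(f["destination"], dst_ns).items()))
        src = tuple(sorted(selector_for(f["source"], dst_ns).items()))
        counts[(dst_ns, dst, src, proto, l4[proto]["destination_port"])] += 1
    return counts


def suggest_policies(counts):
    """Render one CiliumNetworkPolicy dict per destination; returns (policies, unresolved).

    Sources with no pod labels go to `unresolved` instead of a rule: an empty
    matchLabels would select every endpoint, which is the opposite of least privilege.
    """
    policies, unresolved = {}, []
    for key, n in sorted(counts.items()):
        dst_ns, dst, src, proto, port = key
        if not src:
            unresolved.append((key, n))
            continue
        pol = policies.setdefault((dst_ns, dst), {
            "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
            "metadata": {"name": "allow-" + "-".join(v for _, v in dst), "namespace": dst_ns},
            "spec": {"endpointSelector": {"matchLabels": dict(dst)}, "ingress": []}})
        pol["spec"]["ingress"].append({
            "fromEndpoints": [{"matchLabels": dict(src)}],
            "toPorts": [{"ports": [{"port": str(port), "protocol": proto}]}]})
    return list(policies.values()), unresolved


if __name__ == "__main__":
    policies, unresolved = suggest_policies(count_policy_drops(parse_flows(SAMPLE_OUTPUT)))
    print(json.dumps(policies, indent=2))
    for key, n in unresolved:
        print("needs fromEntities or fromCIDR, not fromEndpoints:", key, n)
```

On the sample data this yields a single `allow-api-server` policy with two ingress rules (frontend on 8080, prometheus from `monitoring` on 9090) and leaves the `reserved:world` drop on port 80 for a human to decide whether it belongs in `fromEntities`/`fromCIDR` at all. Treat the output as a review queue rather than something to apply automatically: the script only sees L3/L4 drops, so it never proposes L7 `rules`, and a drop that is the policy working as intended should stay a drop.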
Real-World Use Case
A platform serving 100K RPS replaced Calico with Cilium. Results: 40% lower latency on service-to-service calls, built-in WireGuard encryption (no VPN needed), and Hubble dashboards replaced 3 separate monitoring tools.
Quick Start
```bash
cilium install
cilium status --wait
cilium hubble enable --ui
cilium connectivity test
```
Resources
Need automated infrastructure data? Check out my tools on Apify or email spinov001@gmail.com for custom DevOps solutions.