Unlike traditional service meshes and CNIs, Cilium enhances Kubernetes with:
✅ High-performance networking (eBPF-powered)
✅ Deep observability (metrics, tracing, Hubble)
✅ Zero-trust security (identity-aware policies)
✅ Simplified operations (unifying CNI, service mesh, and gateway)
Proven in Production:
This cluster handles real-world traffic, efficiently managing both north-south (ingress/egress) and east-west (service-to-service) communication at scale.
After creating your AWS EKS cluster, follow the steps below to install Cilium while retaining the AWS CNI for IPAM and replacing the default kube-proxy to unlock advanced features.
```bash
# 1. apply the Gateway API manifests
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml

# 2. delete the AWS EKS kube-proxy
kubectl delete -n kube-system daemonset/kube-proxy

# 3. define AWS_CLUSTER_NAME
export AWS_CLUSTER_NAME="production"

# 4. generate values.yaml for the Cilium Helm chart
#    (the heredoc is unquoted so that the $(aws ...) lookup is expanded now)
cat <<EOF > values.yaml
cni:
  chainingMode: "aws-cni" # Use AWS CNI chaining mode to work alongside AWS CNI
  exclusive: false # Allow Cilium to work alongside AWS CNI
enableIPv4Masquerade: false
routingMode: "native"
endpointRoutes:
  enabled: true
encryption:
  enabled: true
  nodeEncryption: true
  type: "wireguard"
  strictMode:
    enabled: false
hostServices:
  enabled: true
nodePort:
  enabled: true
externalIPs:
  enabled: true
gatewayAPI:
  enabled: true
kubeProxyReplacement: true
k8sServiceHost: $(aws eks describe-cluster --name "$AWS_CLUSTER_NAME" --query "cluster.endpoint" --output text | sed 's|^https://||')
k8sServicePort: 443
hubble:
  enabled: true
  ui:
    enabled: true
  relay:
    enabled: true
EOF

# 5. install Cilium (the chart comes from the Cilium Helm repository)
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install -f values.yaml cilium cilium/cilium -n kube-system --version 1.17.2
```
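A post-install check for the steps above, added here as an example and not part of the original post: it reads `cilium-dbg status` output and confirms that kube-proxy replacement and WireGuard node encryption, as set in values.yaml, are actually in effect. The sample status text is constructed and its exact line layout is an assumption; pass `--live` to run it against the cluster with `kubectl`.

```bash
#!/usr/bin/env bash
# Added example: checks `cilium-dbg status` text against the settings in values.yaml.
# SAMPLE_STATUS is constructed; the exact line layout is an assumption.
SAMPLE_STATUS='KubeProxyReplacement:    True   [eth0 10.0.1.23 (Direct Routing)]
Encryption:              Wireguard   [NodeEncryption: Enabled, cilium_wg0 (Pubkey: CONSTRUCTED=, Port: 51871, Peers: 2)]'

# Print the value part of one "Key:   value" status line.
status_field() {  # $1 = status text, $2 = key
  printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Return 0 only if every setting claimed in values.yaml shows up in the status text.
verify_status() {  # $1 = status text
  local enc kpr peers rc=0
  enc=$(status_field "$1" Encryption)
  kpr=$(status_field "$1" KubeProxyReplacement)
  case "$kpr" in
    True*) ;;
    *) echo "FAIL kube-proxy replacement not active: '${kpr}'"; rc=1 ;;
  esac
  case "$enc" in
    Wireguard*) ;;
    *) echo "FAIL transparent encryption is not WireGuard: '${enc}'"; rc=1 ;;
  esac
  case "$enc" in
    *"NodeEncryption: Enabled"*) ;;
    *) echo "FAIL nodeEncryption not reported as enabled"; rc=1 ;;
  esac
  # Peers: 0 means a key exists but no tunnel to another node has been set up.
  peers=$(printf '%s\n' "$enc" | sed -n 's/.*Peers: \([0-9][0-9]*\).*/\1/p')
  if [ "${peers:-0}" -lt 1 ]; then
    echo "FAIL WireGuard has no peers"; rc=1
  fi
  return "$rc"
}

# Live mode: ./verify.sh --live  (needs kubectl access to the cluster)
if [ "${1:-}" = "--live" ]; then
  if kubectl -n kube-system get daemonset kube-proxy >/dev/null 2>&1; then
    echo "FAIL kube-proxy daemonset still exists"
  fi
  verify_status "$(kubectl -n kube-system exec ds/cilium -- cilium-dbg status)" \
    && echo "OK encryption and kube-proxy replacement are active"
else
  verify_status "$SAMPLE_STATUS" && echo "OK (constructed sample)"
fi
```

A peer count of zero is expected on a single-node cluster, so treat that failure as meaningful only when the cluster has at least two nodes.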