Cilium is a powerful networking plugin for Kubernetes that provides security, observability, and high performance. It is built using the eBPF technology and can be configured to meet specific use cases and requirements. This explanation will cover the possible configuration options for Cilium and provide examples for each option.
- RBAC Kubernetes API Extension: Cilium extends the Kubernetes API with the CiliumNetworkPolicy resource, served at /apis/cilium.io/v2/namespaces/{namespace}/ciliumnetworkpolicies. This API is used to configure network policies for Cilium. Here is an example CiliumNetworkPolicy object that allows pods labelled app=other-example to reach pods labelled app=example on TCP port 80:
{
  "apiVersion": "cilium.io/v2",
  "kind": "CiliumNetworkPolicy",
  "metadata": {
    "name": "example-policy",
    "namespace": "default"
  },
  "spec": {
    "endpointSelector": {
      "matchLabels": {
        "app": "example"
      }
    },
    "ingress": [
      {
        "fromEndpoints": [
          {
            "matchLabels": {
              "app": "other-example"
            }
          }
        ],
        "toPorts": [
          {
            "ports": [
              {
                "port": "80",
                "protocol": "TCP"
              }
            ]
          }
        ]
      }
    ]
  }
}
Source: https://learnk8s.io/rbac-kubernetes
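The policy above is only as protective as its selectors and port lists. As an added example (not code from the page or the Cilium project), the following linter flags the places where a CiliumNetworkPolicy is broader than least privilege needs: an empty endpoint selector, which Cilium treats as matching every endpoint, and a rule without toPorts, which allows every port and protocol. The wide-open policy and the lint function are constructed for illustration.

```python
# Added example, not Cilium project code: flag CiliumNetworkPolicy selectors and port lists
# that widen the allowed traffic. Cilium semantics relied on: an empty endpoint selector
# matches every endpoint, and a rule without toPorts allows every port and protocol.

# The page's example policy, re-entered as a Python dict.
STRICT_POLICY = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "example-policy", "namespace": "default"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "example"}},
        "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "other-example"}}],
                     "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}]}],
    },
}

# Constructed counter-example with the selectors and port list left empty.
PERMISSIVE_POLICY = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "wide-open", "namespace": "default"},
    "spec": {"endpointSelector": {}, "ingress": [{"fromEndpoints": [{}]}]},
}

# Direction -> key naming the peer selector list inside that direction's rules.
PEER_KEYS = {"ingress": "fromEndpoints", "egress": "toEndpoints"}

def _is_empty_selector(selector):
    """True when neither matchLabels nor matchExpressions narrows the selector."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def lint_cnp(policy):
    """Return a list of findings; an empty list means nothing looked over-broad."""
    findings = []
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec", {})
    if _is_empty_selector(spec.get("endpointSelector", {})):
        findings.append(f"{name}: endpointSelector is empty, policy applies to every endpoint")
    for direction, peer_key in PEER_KEYS.items():
        for i, rule in enumerate(spec.get(direction, [])):
            where = f"{name}: {direction}[{i}]"
            if not rule:  # a bare {} rule allows all traffic in this direction
                findings.append(f"{where} is an empty rule, allows all {direction} traffic")
                continue
            for j, peer in enumerate(rule.get(peer_key, [])):
                if _is_empty_selector(peer):
                    findings.append(f"{where}.{peer_key}[{j}] is empty, matches every endpoint")
            if "toPorts" not in rule:
                findings.append(f"{where} has no toPorts, allows every port and protocol")
    return findings
```

Run lint_cnp over each policy document before applying it; the page's policy yields no findings, while the constructed wide-open policy yields three.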
- Bandwidth Manager: Cilium provides a bandwidth manager that can be used to limit the bandwidth usage of pods. This feature can be enabled during installation with the Helm value --set bandwidthManager=true. Here is an example of how to enable the bandwidth manager:
# Look up the cluster's native pod CIDR (no spaces around '=' in a shell assignment)
NATIVE_CIDR=$(gcloud container clusters describe "${NAME}" --zone "us-west2-a" --format 'value(clusterIpv4Cidr)')
echo "$NATIVE_CIDR"
helm search repo cilium
helm install cilium cilium/cilium --set bandwidthManager=true
Source: https://isovalent.com/blog/post/addressing-bandwidth-exhaustion-with-cilium-bandwidth-manager
- Cilium Network Policy: Cilium provides a network policy provider for Kubernetes that can be used to enforce network policies. Here is an example of how to install Cilium using its CLI tool:
curl -LO https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin   # extract into /usr/local/bin
rm cilium-linux-amd64.tar.gz
cilium install
Source: https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy
- Cilium L7 Policy: Cilium provides an L7 policy extension for its Envoy proxy that can be used to enforce L7 policies. Here is an example of the Envoy http_filters chain with the Cilium L7 policy filter placed before the router:
"http_filters": [
  {
    "name": "cilium.l7policy",
    "typed_config": {
      "@type": "type.googleapis.com/cilium.L7Policy",
      "access_log_path": "/var/run/cilium/access_log.sock"
    }
  },
  {
    "name": "envoy.filters.http.router"
  }
]
Source: https://www.solo.io/blog/exploring-cilium-layer-7-capabilities-compared-to-istio
These are some of the possible configuration options for Cilium. For more information, please refer to the official documentation.
Sources:
- https://learnk8s.io/rbac-kubernetes
- https://isovalent.com/blog/post/addressing-bandwidth-exhaustion-with-cilium-bandwidth-manager
- https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy
- https://www.solo.io/blog/exploring-cilium-layer-7-capabilities-compared-to-istio