Cilium in Kubernetes

2024-09-09

Advanced Kubernetes Networking with Cilium on Kind

Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

At the foundation of Cilium is a Linux kernel technology called eBPF, which allows security visibility and control logic to be inserted dynamically into the kernel itself. Because eBPF runs inside the Linux kernel, Cilium can apply and update network security policies without any changes to application code or container configuration.

Prerequisites

Ensure the following are installed (the guide uses every one of these command-line tools):

  • Docker Desktop
  • kind
  • kubectl
  • cilium (the Cilium CLI, used for install, status and connectivity tests)
  • hubble (the Hubble CLI, used to observe flows)

Cluster Setup

Option 1: Create cluster manually

kind-config.yaml below has disableDefaultCNI set to true. This stops kind from installing its default CNI (kindnet), so the nodes stay NotReady until Cilium is installed and takes over as the CNI provider.

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
  disableDefaultCNI: true

Create the cluster from that config:

kind create cluster --config=kind-config.yaml

Install Cilium

cilium version --client           # Verify the Cilium CLI is installed
cilium install --version 1.16.1   # Install Cilium into the cluster
cilium status --wait              # Block until the Cilium DaemonSet and operator are ready
kubectl get nodes                 # Nodes are cluster-scoped (no -A); they should now be Ready with Cilium as CNI

Run Cilium Connectivity Tests

cilium connectivity test

Example output snippet:

✨ [kind-kind] Creating namespace cilium-test for connectivity check...
✨ [kind-kind] Deploying echo-same-node service...
...
✅ [cilium-test] All 59 tests (608 actions) successful, 41 tests skipped, 1 scenarios skipped.

Enable and Use Hubble (Observability)

Enable Hubble:

cilium hubble enable

Check status:

cilium status

Expected output:

/\_/\      Cilium:             OK
\_/ \_/    Operator:           OK
/\_/\      Envoy DaemonSet:    OK
\_/ \_/    Hubble Relay:       OK
...

Port-forward for local Hubble Relay access. The two commands below are alternatives: the Cilium CLI helper, or the equivalent kubectl port-forward it performs for you. In both cases Hubble Relay (service port 80, gRPC on 4245 inside the pod) is bound to loopback only, so the relay is not exposed beyond your machine.

cilium hubble port-forward &
kubectl port-forward -n kube-system svc/hubble-relay --address 127.0.0.1 4245:80

Use Hubble:

hubble status      # Relay reachable; reports current flows/s and nodes
hubble observe     # Print the most recently observed flows

Simulate Network Traffic with Star Wars App

kubectl apply -f apps/apps.yaml   # Deploys the deathstar service plus the tiefighter and xwing pods

kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

With no network policy applied, both requests succeed: every pod in the cluster can reach the deathstar.

Observe traffic. Note that --protocol http only matches flows Cilium has parsed at L7, which happens once an HTTP (L7) policy selects the deathstar pods, and --verdict DROPPED only matches once a policy denies something. With no policy applied, both filters return nothing; a plain hubble observe --pod deathstar shows the L3/L4 TCP flows as FORWARDED.

hubble observe --pod deathstar --protocol http
hubble observe --pod deathstar --verdict DROPPED
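To actually see HTTP flows and DROPPED verdicts, the deathstar needs a policy. The following CiliumNetworkPolicy is an added example (not part of the original post) following the pattern of Cilium's Star Wars demo; it assumes apps.yaml labels the pods the way that demo does (deathstar pods org=empire,class=deathstar, tiefighter org=empire, xwing org=alliance), and the policy name is a hypothetical choice. It combines an L3/L4 rule (only empire ships, only TCP/80) with an L7 rule (only POST /v1/request-landing).

```yaml
# Added example, not from the original post. Assumes the demo labels:
#   deathstar: org=empire, class=deathstar
#   tiefighter: org=empire
#   xwing: org=alliance
# The policy name below is a hypothetical choice.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: deathstar-landing-policy
  namespace: default
spec:
  description: "Only empire ships may reach the Death Star, and only to request landing"
  # Selecting the deathstar endpoints switches them to default-deny on ingress:
  # anything not explicitly allowed below is dropped.
  endpointSelector:
    matchLabels:
      org: empire
      class: deathstar
  ingress:
  # L3: only endpoints labelled org=empire may connect. xwing (org=alliance)
  # is dropped at its first SYN, so its curl gets no response at all.
  - fromEndpoints:
    - matchLabels:
        org: empire
    # L4: and only on TCP port 80.
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7: traffic on that port is redirected through Cilium's Envoy proxy and
      # parsed as HTTP. Only POST /v1/request-landing is allowed; any other
      # request from an empire ship (e.g. PUT /v1/exhaust-port) gets HTTP 403.
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"
```

Apply it with kubectl apply -f deathstar-landing-policy.yaml and rerun the two curl commands (add -m 5 to the xwing one, otherwise it hangs waiting for a SYN that is silently dropped). The tiefighter POST still succeeds, while kubectl exec tiefighter -- curl -s -XPUT deathstar.default.svc.cluster.local/v1/exhaust-port is refused by the proxy. Now hubble observe --pod deathstar --verdict DROPPED shows the xwing SYN dropped at L4 with "Policy denied" and the tiefighter PUT dropped at L7, and hubble observe --pod deathstar --protocol http shows method and path for each request. The policy is ingress-only; it does not restrict what the deathstar pods may talk to.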

Clean Up

kind delete clusters -A   # Deletes every kind cluster on this host, not just kind-kind

This guide walked you through running Cilium + Hubble on a local kind cluster, testing end-to-end connectivity and observing network traffic with eBPF-powered visibility. This setup can form the foundation of more advanced policy testing, multi-cluster setups, or observability pipelines.
