Cilium eBPF Networking
Run Cilium for K8s networking, security, and observability. Generates CiliumNetworkPolicy, ClusterMesh configs, Hubble flow filters, BGP peering, Ingress, and L7 policies via Envoy.
This skill covers Cilium (CNCF graduated): writing L3/L4 and L7-aware CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, kube-proxy-free mode, ClusterMesh for cross-cluster services, Hubble for flow observability and service maps, BGP control plane for on-prem, Gateway API and Ingress controller, transparent encryption with WireGuard/IPsec, and Tetragon for runtime security. Includes migration from Calico/Flannel and tuning for large clusters.
When to use
Use when adopting Cilium as your CNI, writing fine-grained network policies, debugging traffic with Hubble, or enabling kube-proxy replacement.
Examples
L7 HTTP policy
Restrict API methods between pods
Write a CiliumNetworkPolicy that allows the frontend pod to call only GET /api/v1/products and POST /api/v1/orders on the catalog service, blocking everything else at L7.
Hubble flow audit
Investigate denied traffic
Show me the Hubble CLI commands to list all dropped flows in the payments namespace in the last 10 minutes, grouped by source pod, and the JSON output filter to spot policy mismatches.