
Overview

Cilium is the Container Network Interface (CNI) provider for the cluster, offering advanced networking, security, and observability features. It runs as the cluster's kube-proxy replacement and implements the Kubernetes Gateway API natively.

Key Features

  • Kube-proxy replacement: service load balancing in eBPF instead of iptables rules
  • VXLAN tunneling: overlay network for pod-to-pod communication across nodes
  • Gateway API support: native implementation of the Kubernetes Gateway API (no separate ingress controller needed for Gateways of the cilium class)
  • Network policies: standard NetworkPolicy plus Cilium's own policy types for finer traffic control

Configuration

The Cilium configuration is defined in cilium-values.yaml (Helm values). The snippet shows only the cluster-specific overrides; in particular kubeProxyReplacement is not set here, so confirm with cilium status (see Troubleshooting) that the replacement is active before relying on it or on Gateway API, which requires it:
cluster:
  name: kubernetes
operator:
  replicas: 1
routingMode: tunnel
tunnelProtocol: vxlan
gatewayAPI:
  enabled: true

Configuration Parameters

cluster.name (string, default: "kubernetes")
  The cluster name used by Cilium for identification

operator.replicas (integer, default: 1)
  Number of Cilium operator replicas to run

routingMode (string, default: "tunnel")
  Routing mode for pod traffic. Options: tunnel, native

tunnelProtocol (string, default: "vxlan")
  Tunneling protocol when using tunnel routing mode. Options: vxlan, geneve

gatewayAPI.enabled (boolean, default: true)
  Enable Gateway API support for advanced traffic management

Routing Modes

Tunnel mode encapsulates pod traffic in VXLAN (UDP port 8472 by default; Geneve uses 6081), providing an overlay network that works in most environments because the underlay only needs to route between node IPs. Native mode instead routes pod CIDRs directly and requires the underlay to know those routes (for example via autoDirectNodeRoutes on an L2-adjacent network, or BGP):
routingMode: tunnel
tunnelProtocol: vxlan
Advantages:
  • Works with any network infrastructure that passes UDP between nodes
  • No BGP or routing protocol required
  • Simplified network configuration
Use case: Default mode for most deployments. Note that encapsulation is not encryption: VXLAN carries pod traffic in cleartext over the node network.
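Because the overlay is cleartext, a practitioner running nodes on a shared or untrusted network would pair tunnel mode with Cilium's transparent encryption. The values fragment below is an added example, not this cluster's cilium-values.yaml: it keeps the tunnel settings shown above and adds the encryption block, which is an assumed addition that would have to be merged into the real values file.

```yaml
# Added example: cilium-values.yaml with node-to-node encryption.
# The first five keys match the page's configuration; the encryption
# block is an assumed addition, not part of the page's values file.
cluster:
  name: kubernetes
operator:
  replicas: 1
routingMode: tunnel
tunnelProtocol: vxlan          # UDP 8472 must be open between nodes (6081 for geneve)
gatewayAPI:
  enabled: true
encryption:
  enabled: true
  type: wireguard              # alternative: ipsec, which needs a pre-shared key Secret
```

After a Helm upgrade with these values, the Encryption line of cilium status should read Wireguard instead of Disabled, and pod-to-pod traffic between nodes leaves the host on the cilium_wg0 interface rather than as raw VXLAN.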

Network Policies

Cilium enforces standard Kubernetes NetworkPolicy resources. The policy below allows only pods in the frontend namespace to reach the api pods in backend. Two things to keep in mind: pods that no policy selects stay fully open, and because policyTypes lists only Ingress, the api pods' egress is left unrestricted:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-frontend
  namespace: backend
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # set automatically on every namespace; a custom "name" label
              # would only match if someone had added it by hand
              kubernetes.io/metadata.name: frontend
      ports:
        - protocol: TCP
          port: 8080   # without a ports entry the rule opens every port
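The policy above is allow-only; nothing on the page closes the namespace first, and standard NetworkPolicy stops at L4. As an added example (not from the page), the manifests below start from a default-deny for the backend namespace and then use a CiliumNetworkPolicy to re-open exactly what the api pods need: HTTP GETs under /api from the frontend namespace, and DNS to kube-dns so the pods can still resolve names. The namespace names, the app=api label, port 8080 and the /api path are assumptions about this cluster.

```yaml
# Added example, not from the page: default-deny for the backend namespace
# plus a Cilium L7 policy that re-opens only what the api pods need.
# Namespaces, labels, ports and paths are assumptions.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: backend
spec:
  podSelector: {}                 # every pod in backend
  policyTypes:
    - Ingress
    - Egress                      # pods lose all egress, including DNS, until re-allowed
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-l7
  namespace: backend
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
    - fromEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: frontend   # any pod in frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:                 # L7: the request must match, not just the port
              - method: GET
                path: "/api/.*"
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"   # lets Cilium see lookups, needed for FQDN-based egress rules
```

Once an http rule exists for a port, Cilium redirects that port through its Envoy proxy; a frontend pod sending POST /api/orders reaches the api pod's port but gets an HTTP 403 from the proxy, which is visible in hubble observe as an L7 drop rather than a silent packet loss.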

Verifying Cilium Status

1. Check Cilium pods

Verify that Cilium pods are running:
kubectl get pods -n kube-system -l k8s-app=cilium
Expected output:
NAME           READY   STATUS    RESTARTS   AGE
cilium-xxxxx   1/1     Running   0          5d
cilium-yyyyy   1/1     Running   0          5d
2. Check Cilium operator

Verify the Cilium operator is running:
kubectl get pods -n kube-system -l name=cilium-operator
3. Test connectivity

Verify that a freshly scheduled pod can resolve and reach a cluster service through Cilium's datapath. The kubernetes service only exposes 443 over TLS, so a plain http:// request to it is refused; use curl with certificate checking disabled against /version, which the default RBAC lets unauthenticated clients read:
kubectl run test-pod --image=curlimages/curl --rm -i --restart=Never -- curl -sk https://kubernetes.default.svc.cluster.local/version
A JSON document containing gitVersion means DNS, service load balancing and the node-to-API-server path all work. This exercises pod-to-service connectivity; for a pod-to-pod check across nodes, use the connectivity test under Troubleshooting.

Gateway API Integration

With Gateway API enabled, Cilium provides native support for Gateway resources:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-route
spec:
  parentRefs:
    - name: my-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api-service
          port: 8080
Gateway API support is enabled in the Cilium configuration. It requires the Gateway API CRDs to be installed before Cilium starts and kube-proxy replacement to be active. If the kgateway controller is also installed, the two coexist because each controller reconciles only Gateways whose gatewayClassName names its own GatewayClass (Cilium's is called cilium); a given Gateway, and the HTTPRoutes attached to it, belong to exactly one of them.
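The HTTPRoute above references my-gateway, which the page does not show. As an added example (not from the page or the project), the manifests below define that Gateway on Cilium's GatewayClass and attach the route to it, with the cross-namespace and hostname settings a practitioner would want made explicit. The apps namespace, the api.example.com hostname and the api-service:8080 backend are assumptions.

```yaml
# Added example, not from the page: a Gateway on Cilium's GatewayClass
# and the HTTPRoute that attaches to it. Namespace, hostname and the
# backend Service are assumptions about this cluster.
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: apps
spec:
  gatewayClassName: cilium      # Cilium reconciles this; a different class name means a different controller does
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: api.example.com
      allowedRoutes:
        namespaces:
          from: Same            # only HTTPRoutes in the apps namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-route
  namespace: apps
spec:
  parentRefs:
    - name: my-gateway
      namespace: apps           # explicit, so the route cannot silently bind elsewhere
  hostnames:
    - api.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api-service     # must live in apps; another namespace needs a ReferenceGrant
          port: 8080
```

After applying, kubectl get gateway -n apps should show the Gateway as Programmed with an address; Cilium provisions a LoadBalancer Service named cilium-gateway-my-gateway in the same namespace to receive that traffic.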

Troubleshooting

Check Cilium status

The cilium binary inside the agent pod reports datapath state; in its output the KubeProxyReplacement line should read True and, if encryption is configured, the Encryption line names the mode:
kubectl exec -n kube-system ds/cilium -- cilium status

View Cilium logs

kubectl logs -n kube-system -l k8s-app=cilium --tail=100

Connectivity test

connectivity test is a subcommand of the cilium CLI (cilium-cli) run from a workstation with cluster access, not of the agent binary inside the pod used above. It deploys test workloads into a dedicated cilium-test namespace and exercises pod-to-pod, pod-to-service, node and policy paths, then cleans up:
cilium connectivity test

Best Practices

  • Use tunnel mode (VXLAN) for most deployments unless you have specific native routing requirements; on shared or untrusted node networks, enable transparent encryption as well, since VXLAN itself is cleartext
  • Monitor Cilium agent and operator logs for any issues
  • Implement NetworkPolicies for security between namespaces, starting from a default-deny in each namespace so that unselected pods do not stay open
  • Enable Gateway API for advanced traffic management capabilities, and pin each Gateway to a gatewayClassName so it is clear which controller owns it
Changing the routing mode or tunnel protocol replaces the datapath on every node: Cilium agents restart, existing connections drop, and pods may need to be recreated, so expect a temporary network disruption.
