Cilium Reference: eBPF CNI, L7 HTTP Policy, DNS Egress & Hubble Network Observability
Cilium patterns for eBPF-based K8s networking.
The feature that makes Cilium different: L7 NetworkPolicy
Standard K8s NetworkPolicy can only filter by IP/port. Cilium goes further:
```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: my-api-allow-get   # name added here; the original snippet omitted metadata
spec:
  endpointSelector:
    matchLabels: {app: my-api}
  ingress:
  - fromEndpoints:
    - matchLabels: {role: frontend}
    toPorts:
    - ports: [{port: "8080", protocol: TCP}]   # L7 HTTP rules require TCP, not ANY
      rules:
        http:
        - method: GET
          path: /api/.*   # allow only GET /api/*; every other request on 8080 is denied
```
That's application-layer authorization enforced by the CNI itself (L3/L4 in eBPF, with matching HTTP flows redirected to Cilium's per-node Envoy proxy), with zero sidecars to inject.
DNS egress policy — control what your pods can call externally
```yaml
  egress:
  - toFQDNs:
    - matchName: api.stripe.com
    - matchPattern: "*.internal.example.com"
    toPorts:
    - ports: [{port: "443", protocol: TCP}]
```
Once any egress rule selects a pod, every other outbound connection from it is blocked. This is how you enforce zero-trust egress without a service mesh. One caveat: toFQDNs only works if the same policy also allows the pods to reach kube-dns on port 53 with a DNS L7 rule (`rules: dns: - matchPattern: "*"`), because Cilium learns the FQDN-to-IP mapping from the DNS answers it proxies; without that rule, name resolution itself is denied.
Hubble: see EVERY packet drop in real time
```sh
cilium hubble port-forward &
hubble observe --verdict DROPPED   # shows all policy violations
# Output: source pod -> destination pod, reason: POLICY_DENIED
```
When traffic mysteriously stops working after a NetworkPolicy change, this is how you find out exactly which pods are being dropped and why — in seconds.
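The same triage, scripted: an added example (not from the original page or the Cilium project) that aggregates `hubble observe --verdict DROPPED -o json` output into "which source hits which destination port, how often, and why". The sample stream below is constructed; field names follow Hubble's flow JSON (`verdict`, `drop_reason_desc`, `source`/`destination` with `namespace` and `pod_name`, `l4`), while the pod names, ports and status line are made up.

```python
import json
from collections import Counter

def _flow(verdict, src, dst, port, reason=None):
    """Build one constructed line of `hubble observe -o json` output (pod names are made up)."""
    f = {"verdict": verdict, "source": {"namespace": src[0], "pod_name": src[1]},
         "destination": {"namespace": dst[0], "pod_name": dst[1]},
         "l4": {"TCP": {"destination_port": port}}}
    if reason:
        f["drop_reason_desc"] = reason
    return json.dumps({"flow": f, "node_name": "node-a"})

# Constructed sample stream: one JSON object per line plus a non-JSON status line.
SAMPLE_OUTPUT = "\n".join([
    _flow("DROPPED", ("web", "frontend-7d9f"), ("web", "my-api-5c2a"), 9090, "POLICY_DENIED"),
    _flow("DROPPED", ("web", "frontend-7d9f"), ("web", "my-api-5c2a"), 9090, "POLICY_DENIED"),
    _flow("DROPPED", ("batch", "cron-1a2b"), ("web", "my-api-5c2a"), 8080, "POLICY_DENIED"),
    _flow("FORWARDED", ("web", "frontend-7d9f"), ("web", "my-api-5c2a"), 8080),
    "hubble: connection reset, reconnecting",
])

def parse_flows(text):
    """Parse line-delimited Hubble JSON, skipping blank or non-JSON lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            flows.append(json.loads(line)["flow"])
        except (ValueError, KeyError):
            continue
    return flows

def endpoint(ep):
    """Render a flow endpoint as namespace/pod; non-pod peers (world, host) carry no pod_name."""
    return f"{ep.get('namespace', '-')}/{ep.get('pod_name', 'world')}"

def summarize_drops(flows):
    """Count DROPPED flows by (source, destination, dst port, reason): which pods are dropped and why."""
    counts = Counter()
    for f in flows:
        if f.get("verdict") != "DROPPED":
            continue
        l4 = next(iter(f.get("l4", {}).values()), {})   # first L4 entry, e.g. the TCP dict
        key = (endpoint(f["source"]), endpoint(f["destination"]),
               l4.get("destination_port", "?"), f.get("drop_reason_desc", "UNKNOWN"))
        counts[key] += 1
    return counts
```

Pipe real output in with `hubble observe --verdict DROPPED -o json | python3 this_script.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; `summarize_drops(...).most_common()` then lists the noisiest denied pairs first.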
Install with kube-proxy replacement
```sh
# kube-proxy replacement needs the API server address: without kube-proxy there is no ClusterIP route to it
helm install cilium cilium/cilium -n kube-system --set kubeProxyReplacement=true \
  --set k8sServiceHost=<API_SERVER_HOST> --set k8sServicePort=<API_SERVER_PORT> \
  --set hubble.relay.enabled=true --set hubble.ui.enabled=true
```
Full reference (Cilium vs Calico vs Flannel table, Kafka topic-level policy, connectivity test, BPF map inspection, upgrade rolling restart): releaserun.com/cilium-reference