Use Cilium for NetworkPolicy

This page shows how to use Cilium for NetworkPolicy.

For background on Cilium, read the Introduction to Cilium.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube, or you can use one of the hosted Kubernetes playgrounds.

To check the version, enter kubectl version.

Deploying Cilium on Minikube for Basic Testing

To get familiar with Cilium easily you can follow the Cilium Kubernetes Getting Started Guide to perform a basic DaemonSet installation of Cilium in minikube.

To start minikube (version v1.5.2 or later is required), run it with the following arguments:

  minikube version
  minikube version: v1.5.2
  minikube start --network-plugin=cni

For minikube you can install Cilium with the Cilium CLI. The CLI auto-detects the cluster configuration and installs the components appropriate for it. Note that the commands below fetch whatever the latest release currently is and unpack it straight into /usr/local/bin as root, without checking the download against a published checksum:

  curl -LO https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
  sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
  rm cilium-linux-amd64.tar.gz
  cilium install

  🔮 Auto-detected Kubernetes kind: minikube
  Running "minikube" validation checks
  Detected minikube version "1.20.0"
  ℹ️ Cilium version not set, using default version "v1.10.0"
  🔮 Auto-detected cluster name: minikube
  🔮 Auto-detected IPAM mode: cluster-pool
  🔮 Auto-detected datapath mode: tunnel
  🔑 Generating CA...
  2021/05/27 02:54:44 [INFO] generate received request
  2021/05/27 02:54:44 [INFO] received CSR
  2021/05/27 02:54:44 [INFO] generating key: ecdsa-256
  2021/05/27 02:54:44 [INFO] encoded CSR
  2021/05/27 02:54:44 [INFO] signed certificate with serial number 48713764918856674401136471229482703021230538642
  🔑 Generating certificates for Hubble...
  2021/05/27 02:54:44 [INFO] generate received request
  2021/05/27 02:54:44 [INFO] received CSR
  2021/05/27 02:54:44 [INFO] generating key: ecdsa-256
  2021/05/27 02:54:44 [INFO] encoded CSR
  2021/05/27 02:54:44 [INFO] signed certificate with serial number 3514109734025784310086389188421560613333279574
  🚀 Creating Service accounts...
  🚀 Creating Cluster roles...
  🚀 Creating ConfigMap...
  🚀 Creating Agent DaemonSet...
  🚀 Creating Operator Deployment...
  Waiting for Cilium to be installed...
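The install steps above extract an unverified download into /usr/local/bin as root. The script below is an added example, not code from the Kubernetes docs or the Cilium project: it only extracts the tarball once its SHA-256 matches the digest file published next to it. It assumes the cilium-cli release publishes a sum file named `<tarball>.sha256sum` in `sha256sum` format (the name Cilium's own install instructions use), and that `sha256sum` or `shasum` is on the PATH. The tarball and sum file used in the demo are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the Kubernetes docs or the Cilium project):
# install the cilium CLI only after the downloaded tarball has been
# checked against its published .sha256sum file (assumed asset name).
set -eu

# Print the hex SHA-256 digest of a file (GNU coreutils or perl shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball TARBALL SUMFILE
# SUMFILE holds one line in sha256sum format: "<hex digest>  <filename>".
# Returns 0 on a match, 1 on a mismatch or an empty expected digest.
verify_tarball() {
  tarball="$1"; sumfile="$2"
  expected=$(awk 'NR==1 {print $1}' "$sumfile")
  actual=$(file_sha256 "$tarball")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $tarball (expected '$expected', got '$actual')" >&2
    return 1
  fi
}

# install_cli TARBALL SUMFILE DESTDIR
# Extracts into DESTDIR only when verify_tarball succeeds.
install_cli() {
  verify_tarball "$1" "$2" || return 1
  tar xzf "$1" -C "$3"
}

# ---- constructed offline demo: a fake tarball stands in for the release asset ----
work=$(mktemp -d)
printf '#!/bin/sh\necho "fake cilium cli"\n' > "$work/cilium"
chmod +x "$work/cilium"
tar czf "$work/cilium-linux-amd64.tar.gz" -C "$work" cilium
# publisher side: a sum file in the same format as the release asset
printf '%s  cilium-linux-amd64.tar.gz\n' "$(file_sha256 "$work/cilium-linux-amd64.tar.gz")" \
  > "$work/cilium-linux-amd64.tar.gz.sha256sum"

mkdir -p "$work/bin"
install_cli "$work/cilium-linux-amd64.tar.gz" "$work/cilium-linux-amd64.tar.gz.sha256sum" "$work/bin"
echo "verified tarball extracted: $("$work/bin/cilium")"

# A tampered or mismatched sum file must make the install refuse to extract.
printf '%s  cilium-linux-amd64.tar.gz\n' \
  0000000000000000000000000000000000000000000000000000000000000000 > "$work/bad.sha256sum"
if install_cli "$work/cilium-linux-amd64.tar.gz" "$work/bad.sha256sum" "$work/bin" 2>/dev/null; then
  echo "BUG: tampered checksum accepted" >&2
  exit 1
fi
echo "tampered checksum rejected"
rm -rf "$work"
```

Against the real release, download both `cilium-linux-amd64.tar.gz` and `cilium-linux-amd64.tar.gz.sha256sum` with `curl -LO`, then run `install_cli cilium-linux-amd64.tar.gz cilium-linux-amd64.tar.gz.sha256sum /usr/local/bin` as root. Pinning a release tag in the URL instead of `latest` makes the digest you checked reproducible. After `cilium install`, `cilium status --wait` blocks until the agent DaemonSet and operator report ready.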

The remainder of the Getting Started Guide explains how to enforce both L3/L4 (i.e., IP address + port) security policies, as well as L7 (e.g., HTTP) security policies using an example application.
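To make the L3/L4 versus L7 distinction concrete, the following is an added example, not part of the Kubernetes docs or the Cilium Getting Started Guide. It renders a CiliumNetworkPolicy for hypothetical Pods labelled `app=web` and `app=client` (names assumed for illustration): at `l4` the policy admits only `app=client` Pods on TCP/80, which is what a plain Kubernetes NetworkPolicy can express; at `l7` the same rule additionally restricts that traffic to HTTP `GET` requests on paths matching `/api/.*`, which only the Cilium-specific resource can express.

```shell
#!/bin/sh
# Added example (not from the Kubernetes docs or the Cilium project).
# render_policy NAMESPACE l4|l7  -> CiliumNetworkPolicy manifest on stdout
#   l4: allow ingress to app=web on TCP/80 from app=client only (L3/L4)
#   l7: the same, but only HTTP GET /api/.* is allowed through (L7)
# Apply with:  render_policy default l7 | kubectl apply -f -
set -eu

render_policy() {
  ns="$1"; level="$2"
  l7=""
  case "$level" in
    l4) ;;
    l7) l7='
      rules:
        http:
        - method: "GET"
          path: "/api/.*"' ;;
    *) echo "usage: render_policy NAMESPACE l4|l7" >&2; return 2 ;;
  esac
  # With L7 rules present on a port, Cilium redirects that port's traffic
  # through its proxy so the HTTP method and path can be inspected.
  cat <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: web-allow-client-${level}
  namespace: ${ns}
spec:
  endpointSelector:
    matchLabels:
      app: web
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: client
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP${l7}
EOF
}

# Demo: print both variants so the added L7 block is visible side by side.
render_policy default l4
echo "---"
render_policy default l7
```

Once an endpoint is selected by any ingress rule, Cilium denies ingress that no rule allows, so the `l4` variant already blocks every other Pod from reaching `app=web`; the `l7` variant narrows the remaining allowed flow further. Cilium policies are additive, so apply only the rules you intend: a second, broader rule for the same flow widens what is allowed.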

Deploying Cilium for Production Use

For detailed instructions around deploying Cilium for production, see the Cilium Kubernetes Installation Guide. That documentation includes detailed requirements, instructions and example production DaemonSet files.

Understanding Cilium components

Deploying a cluster with Cilium adds Pods to the kube-system namespace. To see this list of Pods run:

  kubectl get pods --namespace=kube-system -l k8s-app=cilium

You’ll see a list of Pods similar to this:

  NAME           READY   STATUS    RESTARTS   AGE
  cilium-kkdhz   1/1     Running   0          3m23s
  ...

A cilium Pod runs on each node in your cluster and enforces network policy on the traffic to/from Pods on that node using Linux BPF.
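Because enforcement happens in the agent on each node, a node whose cilium Pod is missing or not ready is a node whose Pods are not being policed (whether such Pods get any networking at all depends on whether Cilium is the cluster's only CNI). The check below is an added example, not code from the Kubernetes docs or the Cilium project: it reports nodes with no cilium Pod whose agent container is ready. It reads two plain-text inputs in the shape of the kubectl outputs named in the usage note; the node and Pod lists used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the Kubernetes docs or the Cilium project):
# list nodes with no Ready cilium agent, i.e. nodes without policy enforcement.
set -eu

# unenforced_nodes NODES_FILE AGENTS_FILE
#   NODES_FILE : one node name per line
#   AGENTS_FILE: "<node> <ready>" per cilium Pod, where ready is true/false
#                (container readiness, not Pod phase: a CrashLoopBackOff agent
#                still reports phase Running but is not ready)
# Prints each node for which no line in AGENTS_FILE has ready == true.
unenforced_nodes() {
  while read -r node; do
    [ -n "$node" ] || continue
    if ! awk -v n="$node" '$1 == n && $2 == "true" { ok = 1 } END { exit ok ? 0 : 1 }' "$2"; then
      echo "$node"
    fi
  done < "$1"
}

# ---- constructed demo ----
# four nodes; the agent on minikube-m03 is restarting (not ready) and
# minikube-m04 has no agent Pod scheduled at all
work=$(mktemp -d)
printf 'minikube\nminikube-m02\nminikube-m03\nminikube-m04\n' > "$work/nodes"
printf 'minikube true\nminikube-m02 true\nminikube-m03 false\n' > "$work/agents"
echo "nodes without a ready cilium agent:"
unenforced_nodes "$work/nodes" "$work/agents"
rm -rf "$work"
```

Against a live cluster, produce the two inputs with `kubectl get nodes -o custom-columns=NAME:.metadata.name --no-headers` and `kubectl get pods -n kube-system -l k8s-app=cilium -o custom-columns=NODE:.spec.nodeName,READY:.status.containerStatuses[0].ready --no-headers`; an empty result means every node has a ready agent. `cilium status` reports the same DaemonSet readiness in summary form.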

What’s next

Once your cluster is running, you can follow the Declare Network Policy tutorial to try out Kubernetes NetworkPolicy with Cilium. Have fun, and if you have questions, contact us using the Cilium Slack Channel.