Use Cilium for NetworkPolicy
This page shows how to use Cilium for NetworkPolicy.
For background on Cilium, read the Introduction to Cilium.
- Before you begin
- Deploying Cilium on Minikube for Basic Testing
- Deploying Cilium for Production Use
- Understanding Cilium components
- What's next
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
To check the version, enter
Deploying Cilium on Minikube for Basic Testing
To get familiar with Cilium easily you can follow the Cilium Kubernetes Getting Started Guide to perform a basic DaemonSet installation of Cilium in minikube.
To start minikube, minimal version required is >= v0.33.1, run the with the following arguments:
minikube version: v0.33.1
minikube start --network-plugin=cni --memory=4096
For minikube you can deploy this simple “all-in-one” YAML file that includes DaemonSet configurations for Cilium, and the necessary configurations to connect to the etcd instance deployed in minikube as well as appropriate RBAC settings:
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/kubernetes/1.14/cilium-minikube.yaml
configmap/cilium-config created daemonset.apps/cilium created clusterrolebinding.rbac.authorization.k8s.io/cilium created clusterrole.rbac.authorization.k8s.io/cilium created serviceaccount/cilium created
The remainder of the Getting Started Guide explains how to enforce both L3/L4 (i.e., IP address + port) security policies, as well as L7 (e.g., HTTP) security policies using an example application.
Deploying Cilium for Production Use
For detailed instructions around deploying Cilium for production, see: Cilium Kubernetes Installation Guide This documentation includes detailed requirements, instructions and example production DaemonSet files.
Understanding Cilium components
Deploying a cluster with Cilium adds Pods to the
kube-system namespace. To see
this list of Pods run:
kubectl get pods --namespace=kube-system
You’ll see a list of Pods similar to this:
NAME READY STATUS RESTARTS AGE cilium-6rxbd 1/1 Running 0 1m ...
There are two main components to be aware of:
ciliumPod runs on each node in your cluster and enforces network policy on the traffic to/from Pods on that node using Linux BPF.
- For production deployments, Cilium should leverage a key-value store (e.g., etcd). The Cilium Kubernetes Installation Guide will provide the necessary steps on how to install this required key-value store as well how to configure it in Cilium.
Once your cluster is running, you can follow the Declare Network Policy to try out Kubernetes NetworkPolicy with Cilium. Have fun, and if you have questions, contact us using the Cilium Slack Channel.
Was this page helpful?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.