Cilium
eBPF-based CNI providing networking, security, and observability for Kubernetes.
About
Cilium is an eBPF-powered CNI plugin that replaces kube-proxy and provides advanced networking, network policy enforcement, and cluster observability via Hubble. It is used in this cluster as the sole CNI and kube-proxy replacement, with native routing (routingMode: native), WireGuard node-to-node encryption, L2 announcements for LoadBalancer IPs, and Hubble UI for network flow visibility.
AlternativeTo
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Calico | Yes | Yes | Mature CNI; eBPF dataplane available but less integrated |
| Flannel | Yes | Partial | Simple overlay; no network policy without additional tooling |
| Canal | Yes | Partial | Flannel + Calico network policy |
Installation
Architecture
HelmRelease cilium in namespace kube-system, chart version 1.19.2 from https://helm.cilium.io. Deployed in native routing mode with pod CIDR 10.100.0.0/16, kube-proxy replacement enabled (kubeProxyReplacement: true), WireGuard encryption, BBR bandwidth manager, and L2 announcements. Hubble relay and UI enabled (1 replica). Operator runs 2 replicas. Envoy sidecar disabled.
Security
The cilium-agent DaemonSet requires elevated capabilities: NET_ADMIN, NET_RAW, SYS_ADMIN, SYS_RESOURCE, IPC_LOCK, CHOWN, KILL, DAC_OVERRIDE, FOWNER, SETGID, SETUID. The cleanCiliumState init container requires NET_ADMIN, SYS_ADMIN, SYS_RESOURCE. This is required for eBPF program loading and network stack manipulation. Talos-specific cgroupv2 configuration: auto-mount disabled, hostRoot set to /sys/fs/cgroup.
Updates
Managed by Renovate. Chart version is semver-pinned (1.19.2).
Administration
Usage
Cilium handles all pod-to-pod and pod-to-service networking in the cluster. CiliumNetworkPolicy and standard NetworkPolicy resources can be created to restrict traffic between namespaces and pods. L2 announcements allow LoadBalancer services to get IPs announced via ARP on the local network. Hubble UI is available for real-time network flow inspection and troubleshooting.
Metadata
- HelmRelease:
cilium@1.19.2