Cilium Network Policies
Cilium Network Policies extend the standard Kubernetes Network Policies by leveraging eBPF technology to provide enhanced security and fine-grained control over network traffic within your Kubernetes clusters. In Natron Managed Kubernetes Service, Cilium is used as the default Container Network Interface (CNI) plugin, enabling advanced network policy capabilities.
Key Features of Cilium Network Policies
- Layer 7 Policies: Cilium allows you to define network policies based on application-layer (Layer 7) protocols, such as HTTP, gRPC, and Kafka, enabling more granular control over traffic.
- Identity-Based Security: Cilium uses identity-based security policies, allowing you to define policies based on service identities rather than IP addresses, enhancing security in dynamic environments.
- Egress Policies: Cilium supports egress policies, enabling you to control outbound traffic from pods to external services.
- Global Policies: Cilium allows you to create global network policies that apply across multiple namespaces, simplifying policy management in large clusters.
- Policy Enforcement: Cilium provides robust policy enforcement with support for both allow and deny rules, ensuring that only authorized traffic is permitted.
Creating Cilium Network Policies
To create Cilium Network Policies, you can use standard Kubernetes manifests with Cilium-specific extensions. Here is an example of a Cilium Network Policy that allows HTTP traffic to a specific service:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-http
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: my-app
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: allowed-client
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: GET

You can use the Cilium Network Policy Editor to help generate and validate your policies. This tool provides a user-friendly interface for creating Cilium Network Policies.
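As an added review aid (not from the Natron documentation or the Cilium project), the Python helper below walks a parsed CiliumNetworkPolicy such as the allow-http manifest above and reports the constructs that widen what a rule permits: an empty endpointSelector, an empty fromEndpoints/toEndpoints selector, the world or all entities, a peer rule with no toPorts, and an empty http rule. Both manifests are embedded as plain dicts (what yaml.safe_load returns); the second is a constructed wide-open counterpart of the page's policy.

```python
# Peer keys Cilium accepts per direction; index 0 is the endpoint selector, index 3 the entities list.
PEERS = {"ingress": ("fromEndpoints", "fromCIDR", "fromCIDRSet", "fromEntities", "fromRequires"),
         "egress": ("toEndpoints", "toCIDR", "toCIDRSet", "toEntities", "toFQDNs", "toServices", "toRequires")}
HTTP_MATCH_KEYS = ("method", "path", "host", "headers", "headerMatches")

def selects_all(selector):
    # An empty label selector ({} or absent) matches every endpoint in scope.
    return not selector or not (selector.get("matchLabels") or selector.get("matchExpressions"))

def lint_cnp(manifest):
    # Return one finding per construct that widens what the policy allows ([] for a tight policy).
    findings = []
    spec = manifest.get("spec") or {}
    if selects_all(spec.get("endpointSelector")):
        findings.append("spec.endpointSelector is empty: applies to every pod in the policy's namespace")
    for direction, peers in PEERS.items():
        ep_key, ent_key = peers[0], peers[3]
        for i, rule in enumerate(spec.get(direction) or []):
            where = f"spec.{direction}[{i}]"
            if any(selects_all(s) for s in rule.get(ep_key) or []):
                findings.append(f"{where}.{ep_key} contains {{}}: matches any endpoint in scope")
            wide = {"all", "world"} & set(rule.get(ent_key) or [])
            if wide:
                findings.append(f"{where}.{ent_key} includes {sorted(wide)}: peers outside the cluster are allowed")
            ports = rule.get("toPorts") or []
            if not ports and any(rule.get(k) for k in peers):
                findings.append(f"{where} names peers but no toPorts: every port and protocol is allowed")
            for pr in ports:
                for http in (pr.get("rules") or {}).get("http") or []:
                    if not any(k in http for k in HTTP_MATCH_KEYS):
                        findings.append(f"{where} has an empty http rule: every HTTP request is allowed")
    return findings

# The allow-http policy from this page, as a parsed manifest.
ALLOW_HTTP = {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
              "metadata": {"name": "allow-http", "namespace": "default"},
              "spec": {"endpointSelector": {"matchLabels": {"app": "my-app"}},
                       "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "allowed-client"}}],
                                    "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
                                                 "rules": {"http": [{"method": "GET"}]}}]}]}}

# Constructed counter-example: the same shape with each restriction loosened.
WIDE_OPEN = {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
             "metadata": {"name": "wide-open", "namespace": "default"},
             "spec": {"endpointSelector": {},
                      "ingress": [{"fromEndpoints": [{}]}],
                      "egress": [{"toEntities": ["world"],
                                  "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
                                               "rules": {"http": [{}]}}]}]}}
```

lint_cnp(ALLOW_HTTP) returns an empty list, while lint_cnp(WIDE_OPEN) returns five findings, one for each loosened field.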
Applying Cilium Network Policies
To apply a Cilium Network Policy, save the policy manifest to a YAML file (e.g., cilium-network-policy.yaml) and use the following kubectl command:
kubectl apply -f cilium-network-policy.yaml

Monitoring and Troubleshooting using Hubble
Cilium includes Hubble, a powerful observability tool that provides visibility into network flows and policy enforcement. You can use Hubble to monitor network traffic, inspect detailed metrics and flow logs, and troubleshoot issues related to Cilium Network Policies.
Accessing Hubble
Hubble can be accessed through the Teleport Connect application, the Teleport Web UI, or the Hubble CLI.
Use Hubble to determine if and where traffic is being blocked by Cilium Network Policies, helping you to fine-tune your policies for optimal security and performance.