Cilium

Cilium network policy extends the capabilities of Kubernetes Network Policy. You can learn more about Cilium through an interactive course. Highly recommended labs include:

In addition to Cilium, there are two important projects:

These tools collectively enhance the security and observability of your system.

For working with network policies in Kubernetes, I recommend using the Network Policy Editor, which helps visualize configurations.

Below are examples demonstrating the usage of Cilium network policies.

How to allow or deny traffic from another namespace?

Check traffic flow from podinfo to podtato:

kubectl exec -it deployments/podinfo -c netshoot -- /bin/zsh
curl podtato-head-entry.podtato:9000

Output:

<html>
  <head>
    <title>Hello Podtato!</title>
    <link rel="stylesheet" href="./assets/css/styles.css"/>
    <link rel="stylesheet" href="./assets/css/custom.css"/>
  </head>
  <body style="background-color: #849abd;color: #faebd7;">
    <main class="container">
      <div class="text-center">
        <h1>Hello from <i>pod</i>tato head!</h1>
        <div style="width:700px; height:800px; margin:auto; position:relative;">
          <img src="./assets/images/body/body.svg" style="position:absolute;margin-top:80px;margin-left:200px;">
          <img src="./parts/hat/hat.svg" style="position:absolute;margin-left:200px;margin-top:0px;">
          <img src="./parts/left-arm/left-arm.svg" style="position:absolute;top:100px;left:-50px;">
          <img src="./parts/right-arm/right-arm.svg" style="position:absolute;top:100px;left:450px;">
          <img src="./parts/left-leg/left-leg.svg" style="position:absolute;top:480px;left: -0px;" >
          <img src="./parts/right-leg/right-leg.svg" style="position:absolute;top:480px;left: 400px;">
        </div>
        <h2> Version v0.1.0 </h2>
      </div>
    </main>
  </body>
</html>

Check traffic flow from podtato to podinfo:

kubectl -n podtato exec -it deployments/podtato-head-entry -c netshoot -- /bin/zsh
curl podinfo.default:9898

Output:

{
  "hostname": "podinfo-7f9d98d56d-src4s",
  "version": "6.7.1",
  "revision": "6b7aab8a10d6ee8b895b0a5048f4ab0966ed29ff",
  "color": "#34577c",
  "logo": "https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif",
  "message": "greetings from podinfo v6.7.1",
  "goos": "linux",
  "goarch": "arm64",
  "runtime": "go1.23.2",
  "num_goroutine": "8",
  "num_cpu": "8"
}

Define a network policy for every pod in the podtato namespace (endpointSelector: {}) that allows ingress only from pods labelled app=podinfo on port 9000, from any namespace (the Exists expression on io.kubernetes.pod.namespace lifts Cilium's default same-namespace scoping), and allows egress only to kube-dns on UDP port 53, so any other egress, including the reply path to podinfo on port 9898, is blocked:

cat <<EOF | kubectl apply -f -
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-access-podtato-by-podinfo
  namespace: podtato
spec:
  endpointSelector: {}
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: podinfo
          matchExpressions:
            - key: io.kubernetes.pod.namespace
              operator: Exists
      toPorts:
        - ports:
            - port: "9000"
  egress:
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
EOF

Check policy:

kubectl -n podtato get ciliumnetworkpolicies.cilium.io
NAME                              AGE
allow-access-podtato-by-podinfo   9s

Check traffic flow from podinfo to podtato:

kubectl exec -it deployments/podinfo -c netshoot -- /bin/zsh
curl podtato-head-entry.podtato:9000

Output:

<html>
  <head>
    <title>Hello Podtato!</title>
    <link rel="stylesheet" href="./assets/css/styles.css"/>
    <link rel="stylesheet" href="./assets/css/custom.css"/>
  </head>
  <body style="background-color: #849abd;color: #faebd7;">
    <main class="container">
      <div class="text-center">
        <h1>Hello from <i>pod</i>tato head!</h1>
        <div style="width:700px; height:800px; margin:auto; position:relative;">
          <img src="./assets/images/body/body.svg" style="position:absolute;margin-top:80px;margin-left:200px;">
          <img src="./parts/hat/hat.svg" style="position:absolute;margin-left:200px;margin-top:0px;">
          <img src="./parts/left-arm/left-arm.svg" style="position:absolute;top:100px;left:-50px;">
          <img src="./parts/right-arm/right-arm.svg" style="position:absolute;top:100px;left:450px;">
          <img src="./parts/left-leg/left-leg.svg" style="position:absolute;top:480px;left: -0px;" >
          <img src="./parts/right-leg/right-leg.svg" style="position:absolute;top:480px;left: 400px;">
        </div>
        <h2> Version v0.1.0 </h2>
      </div>
    </main>
  </body>
</html>

Check traffic flow from podtato to podinfo:

kubectl -n podtato exec -it deployments/podtato-head-entry -c netshoot -- /bin/zsh
curl podinfo.default:9898 --connect-timeout 10

Output:

curl: (28) Failed to connect to podinfo.default port 9898 after 10002 ms: Timeout was reached
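To make the policy's matching explicit, here is an added Python model of the CiliumNetworkPolicy above, evaluated against the flows tested on this page. It is not Cilium's code and not from the original post; it models only the subset of semantics the policy uses (matchLabels, matchExpressions Exists, toPorts port/protocol, and the implicit same-namespace scoping of selectors that do not mention the namespace label), and the pod label sets are constructed assumptions.

```python
NS_KEY = "io.kubernetes.pod.namespace"

# The policy from the page, transcribed to a dict. The L7 DNS rule is omitted
# because it does not change L3/L4 reachability.
POLICY = {
    "namespace": "podtato",
    "ingress": [{"fromEndpoints": [{"matchLabels": {"app": "podinfo"},
                                    "matchExpressions": [{"key": NS_KEY, "operator": "Exists"}]}],
                 "toPorts": [{"ports": [{"port": "9000"}]}]}],
    "egress": [{"toEndpoints": [{"matchLabels": {NS_KEY: "kube-system", "k8s-app": "kube-dns"}}],
                "toPorts": [{"ports": [{"port": "53", "protocol": "UDP"}]}]}],
}

def selector_matches(selector, labels, policy_ns):
    """True if an endpoint carrying `labels` is selected. A selector that does not
    mention the namespace key is implicitly scoped to the policy's own namespace."""
    match_labels = dict(selector.get("matchLabels", {}))
    exprs = selector.get("matchExpressions", [])
    if NS_KEY not in match_labels and all(e["key"] != NS_KEY for e in exprs):
        match_labels[NS_KEY] = policy_ns
    if any(labels.get(k) != v for k, v in match_labels.items()):
        return False
    for e in exprs:  # only the operators this policy needs
        if e["operator"] == "Exists" and e["key"] not in labels:
            return False
        if e["operator"] == "DoesNotExist" and e["key"] in labels:
            return False
    return True

def ports_match(to_ports, port, proto):
    """toPorts absent means any port; protocol absent means ANY (TCP or UDP)."""
    if not to_ports:
        return True
    return any(str(port) == p["port"] and p.get("protocol", "ANY") in ("ANY", proto)
               for tp in to_ports for p in tp["ports"])

def allowed(direction, peer_labels, port, proto="TCP", policy=POLICY):
    """Is a flow between a pod selected by the policy and the peer allowed?
    direction is "ingress" (peer is the source) or "egress" (peer is the dest)."""
    key = "fromEndpoints" if direction == "ingress" else "toEndpoints"
    return any(
        any(selector_matches(s, peer_labels, policy["namespace"]) for s in rule.get(key, []))
        and ports_match(rule.get("toPorts"), port, proto)
        for rule in policy.get(direction, [])
    )

# Constructed label sets for the pods used on the page.
PODINFO = {"app": "podinfo", NS_KEY: "default"}
KUBE_DNS = {"k8s-app": "kube-dns", NS_KEY: "kube-system"}
```

Running allowed("ingress", PODINFO, 9000) and allowed("egress", PODINFO, 9898) reproduces the two curl results above: the first succeeds, the second is denied.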