Cilium’s Helm chart offers a staggering number of options, but a few key values can drastically alter your cluster’s networking behavior and performance.
Let’s see this in action. Imagine you’re deploying Cilium with basic observability enabled and a few network policies. Your values.yaml might look something like this:
# Enable Hubble UI for network observability
hubble:
ui:
enabled: true
port: 12080
# Enable network policy enforcement
enable-policy: "kubernetes"
# Set the IPAM mode to Kubernetes (default)
ipam:
mode: "kubernetes"
# Configure egress gateway for outbound traffic
egressGateway:
enabled: true
# Use a specific node selector for egress gateway pods
nodeSelector:
"kubernetes.io/os": "linux"
# Enable automatic service load balancing
service:
।bpf: true
# Enable NodePort service type
nodePort:
।bpf: true
# Enable ClusterIP service type
clusterIP:
।bpf: true
# Enable NodeLocal DNS cache
dns:
।bpf: true
।bpf-dns-proxy: true
।bpf-host-routing: true
# Enable IPv6 dual-stack support
ipv6:
enabled: true
# Enable CNI masquerading for outbound traffic
।bpf:
।bpf-conntrack: true
।bpf-nat: true
।bpf-nat-mask: "24"
।bpf-masquerade: true
# Enable kvstore
kvstore:
enabled: true
।bpf-etcd: true
।bpf-etcd-endpoints: "your-etcd-endpoint:2379"
# Enable Prometheus metrics
prometheus:
enabled: true
।bpf-scrape-node-metrics: true
# Enable WireGuard encryption for pod-to-pod traffic
।bpf:
।bpf-tunnel: "wireguard"
।bpf-wireguard-।bpf-interface: "cilium_wg0"
# Set the cluster name
cluster:
name: "my-production-cluster"
# Enable CRD installation
crds:
enabled: true
# Set the replica count for the Cilium agent
।bpf-agent:
।bpf-replicaCount: 3
# Set the replica count for the operator
operator:
।bpf-replicaCount: 2
# Enable Cilium's health check mechanism
।bpf:
।bpf-health-।bpf-check: true
This configuration sets up Cilium for a production environment by enabling essential features like Hubble for observability, network policy enforcement, efficient service load balancing using BPF, and even WireGuard encryption for enhanced security. It also configures essential components like the IPAM mode, egress gateway, and NodeLocal DNS caching.
The core problem Cilium solves is providing advanced, cloud-native networking capabilities that go beyond what traditional CNI plugins offer. It leverages eBPF (extended Berkeley Packet Filter) to move networking and security logic directly into the Linux kernel, enabling high performance and rich feature sets without requiring kernel modules or complex agents. This means faster packet processing, fine-grained visibility, and dynamic security policy enforcement at the network layer.
Internally, Cilium’s BPF Datapath is the heart of its operation. When packets enter or leave a node, they pass through a chain of eBPF programs attached to various network hooks. These programs can inspect, modify, and even drop packets based on rich context, including Kubernetes labels, service information, and network policies. For example, when a pod tries to communicate with another pod, an eBPF program on the sending node might look up the destination pod’s labels and check if a network policy allows the communication. If allowed, it might then encapsulate the packet (e.g., using VXLAN or WireGuard) before sending it across the network. On the receiving node, another eBPF program decapsulates the packet and delivers it to the correct pod.
When it comes to managing IP addresses for your pods, Cilium offers several IP Address Management (IPAM) modes. The default kubernetes mode relies on Kubernetes’ own IPAM, which is simple but can be less efficient at scale. The cluster-pool mode, on the other hand, allows you to pre-allocate large IP address ranges to Cilium, which then manages them internally. This is generally more performant for large clusters as it reduces the overhead of repeated requests to the Kubernetes API for IP assignments. You specify this by setting ipam.mode: cluster-pool and then defining the pools with ipam.clusterPool.।bpf-cidr: "10.0.0.0/8". This allows Cilium to manage a vast pool of IPs efficiently.
The ।bpf.।bpf-masquerade setting is crucial for ensuring that pods can reach external services. When ।bpf-masquerade is enabled, Cilium modifies the source IP address of outbound packets from pods to be the IP address of the node. This is necessary because many external networks do not know how to route traffic originating from the private IP addresses of pods. By masquerading the source IP as the node’s IP, the traffic appears to originate from the node itself, allowing for successful communication. The ।bpf.।bpf-nat-mask value controls the subnet mask used for this masquerading, often set to /24 to ensure that traffic from a subnet on the node is treated as coming from that subnet.
When you enable hubble.ui.enabled: true, Cilium deploys a UI component that visualizes network traffic flows. This isn’t just a passive monitor; it leverages the eBPF programs to collect detailed flow data, including source and destination IPs, ports, protocols, and crucially, the Kubernetes identities (labels) of the communicating endpoints. This allows you to see not just that traffic is flowing, but what is flowing and why, based on your Kubernetes-native security policies. You can then filter these flows by policy, service, or namespace, providing unparalleled visibility into your cluster’s network behavior.
The kvstore configuration, especially when set to ।bpf-etcd: true with ।bpf-etcd-endpoints pointing to your etcd cluster, is how Cilium nodes synchronize their state. This is vital for distributed systems like Kubernetes. Cilium uses etcd to store information about services, endpoints, and network policies. When a change occurs (e.g., a new service is created or a policy is updated), this information is written to etcd, and all Cilium agents watch etcd for these updates. This distributed consensus mechanism ensures that all nodes have a consistent view of the network state, enabling seamless communication and policy enforcement across the cluster.
If you’re enabling ipv6.enabled: true, Cilium will configure itself to support IPv6 networking alongside IPv4, creating a dual-stack environment. This means pods and services can be assigned both IPv4 and IPv6 addresses, allowing them to communicate using either protocol. Cilium’s eBPF programs are designed to handle this dual-stack traffic efficiently, making routing decisions based on the IP version of the packet. This is essential for environments that are transitioning to or fully utilizing IPv6.
One of the most powerful, yet often overlooked, aspects of Cilium is its ability to perform network policy enforcement directly within the eBPF programs. This means that instead of relying on iptables rules that can become complex and slow to update, Cilium’s eBPF programs can make per-packet decisions based on rich Kubernetes metadata like labels. When a network policy is defined, Cilium translates these policies into eBPF bytecode. This bytecode is then loaded into the kernel and attached to network hooks. When a packet arrives, the eBPF program inspects its headers and associated metadata, comparing it against the loaded policy rules. If the packet violates the policy, the eBPF program can drop it directly in the kernel, preventing it from reaching its destination. This approach is significantly faster and more scalable than traditional userspace policy enforcement mechanisms.
After successfully configuring and deploying Cilium with these key options, the next challenge you’ll likely encounter is managing and optimizing ingress traffic into your cluster.