https://marktaguiad.dev/tags/cilium/ Recent content in Cilium on marktaguiad.dev Hugo en-us marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad.dev Tue, 28 Apr 2026 00:00:00 +0000 https://marktaguiad.dev/post/k8s-cilium-policy-dos/ Tue, 28 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-policy-dos/ <p><code>CiliumNetworkPolicy</code> (CNP) is the most commonly used policy type in Cilium.</p> <p>It is namespace-scoped, meaning the policy applies only within the namespace where it is created.</p> <p>This is the policy most teams use for real-world application security because it enables zero-trust controls at Layer 3, Layer 4, and Layer 7.</p> <p>If Kubernetes NetworkPolicy is a basic firewall, CiliumNetworkPolicy is the full application-aware policy engine.</p> <p>What discussed and showed here is similar with <code>CiliumClusterwideNetworkPolicy</code>, the only difference it the policy is cluster wide. Read more on that topic and how to combine these policies.</p> https://marktaguiad.dev/post/k8s-cilium-policy-uno/ Sun, 26 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-policy-uno/ <p>When people first start working with Cilium policies, the easiest way to understand them is to group them into two simple ideas:</p> <ol> <li>Who can talk to what?</li> <li>What they’re allowed to do once connected?</li> </ol> <p>That mental model maps directly to how Cilium builds policy enforcement—from basic workload isolation all the way up to application-aware HTTP filtering.</p> <p>If you already think in terms of namespace rules and Layer 7 rules like HTTP GET/POST like we did in <a href="https://marktaguiad.dev/post/k8s-istio-uno/">Istio</a>, you’re already on the right track. Cilium simply expands that model into something much more powerful and much more granular.</p> https://marktaguiad.dev/post/k8s-cilium-gateway/ Sat, 25 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-gateway/ <p>Cilium Gateway API support is a modern replacement for traditional Kubernetes Ingress controllers.</p> <p>Instead of relying on standalone ingress proxies, Cilium integrates Gateway API directly into the networking stack using <strong>eBPF</strong> and <strong>Envoy</strong>, enabling:</p> <ul> <li>HTTP / HTTPS routing</li> <li>TLS passthrough</li> <li>TLS termination</li> <li>Traffic splitting</li> <li>Header manipulation</li> <li>Standards-based ingress with Kubernetes Gateway API</li> </ul> <p>Cilium’s operator acts as the Gateway API controller and manages:</p> <ul> <li><code>GatewayClass</code></li> <li><code>Gateway</code></li> <li><code>HTTPRoute</code></li> <li>LoadBalancer Services</li> <li>eBPF traffic routing</li> </ul> <p>This is similar with Istio Gateway, for our example let&rsquo;s use the same deployments/apps.</p> https://marktaguiad.dev/post/k8s-cilium-clustermesh/ Fri, 24 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-clustermesh/ <p>Cilium is a Kubernetes CNI built on eBPF, replacing the traditional iptables-heavy networking model with kernel-level packet processing. Instead of relying on large iptables chains for routing, filtering, and service load balancing, Cilium injects eBPF programs directly into the Linux kernel datapath for lower latency and better scalability.</p> <p>This would require a whole book in explaining eBPF, so we will not dwell in that. Let&rsquo;s focus first on connecting two Kubernetes Cluster.</p>