Cilium as Container Network Interface k8s
December 4, 2025·187 views


Salute,

Today I want to share a description of CNI controls in Kubernetes. We will take a look at the Cilium CNI plugin, mostly from the technical side.

Cilium provides network connectivity, security and observability between workloads such as Kubernetes pods. It works at the OS level: the pod network is programmed through eBPF programs loaded into the host kernel, which lets Cilium manage traffic and enforce security policies flexibly and efficiently. License: open source, Apache 2.0.

Features:

- Networking capabilities: CNI, eBPF-based Service load balancing (kube-proxy replacement), and multi-cluster connectivity with Cilium Cluster Mesh

- Security: identity-aware network policies, transparent traffic encryption, DDoS protection, DNS-aware filtering, FIPS compliance

- Can be tried in minikube or kind to test network policies and behaviour

- Policies are written as CiliumNetworkPolicy manifests (a Cilium CRD)

- Policies work at the L7 application level (HTTP, gRPC, Kafka, etc.), not only at the L3/L4 network level

- CiliumNetworkPolicy rules are declarative, and a default-deny mode can be configured

Installation

# Installing Cilium in a Kubernetes cluster
helm repo add cilium https://helm.cilium.io/

helm install cilium cilium/cilium --version 1.14.4 \
  --namespace kube-system \
  --set cluster.name=my-cluster \
  --set cluster.id=1

Policy & Deploy (GitLab CI jobs)

deploy_cilium:
  stage: deploy
  image:
    name: alpine/helm:latest      # pin an exact tag in production
    entrypoint: ['']
  script:
    - helm repo add cilium https://helm.cilium.io/
    # folded scalar (>) so the multi-line command is passed as one line
    - >
      helm upgrade --install cilium cilium/cilium
      --version 1.14.4
      --namespace kube-system
      --set cluster.name=${CLUSTER_NAME}
      --set cluster.id=1
      --set hubble.relay.enabled=true
      --set hubble.ui.enabled=true

security_policies:
  stage: deploy
  image:
    name: bitnami/kubectl:latest  # pin an exact tag in production
    entrypoint: ['']
  # the CiliumNetworkPolicy CRD is created by the Cilium install, so this job
  # must run after deploy_cilium even though both jobs share the deploy stage
  needs: ["deploy_cilium"]
  # assumes the job already has cluster credentials (KUBECONFIG from a CI
  # variable or a GitLab agent); that setup is not shown here
  script:
    - kubectl apply -f manifests/cilium-network-policies/
  dependencies: []

CiliumNetworkPolicy example: L7 HTTP rules

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l7-rule"
spec:
  endpointSelector:
    matchLabels:
      app: myService
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: '80'
        protocol: TCP
      rules:
        http:
        - method: "GET"            # allow only GET requests ...
          path: "/api/v1/data.*"   # ... to paths starting with /api/v1/data
        - method: "POST"
          path: "/api/v1/upload"   # and POST only to this exact path
        - method: "GET"
          path: "/public/.*"       # public resources
        # any other request from frontend on port 80 is answered with HTTP 403
        # by Cilium's L7 proxy; traffic from other endpoints is dropped at L3

"default-deny" policy for a namespace

Cilium policies are deny-by-default per direction: as soon as any policy selects an endpoint for egress, everything that endpoint sends is dropped unless a rule allows it. The policy below selects every pod in the production namespace and allows only DNS to kube-dns, which makes the namespace's egress default-deny. Ingress is untouched, because no policy covers that direction.

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-dns
  namespace: production
spec:
  endpointSelector: {} # all pods in the namespace
  egress:
  - toEndpoints:
    - matchLabels:
        # a namespaced policy only matches peers in its own namespace unless
        # the namespace label is given; a bare k8s-app: kube-dns selector
        # would never reach CoreDNS in kube-system
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      - port: "53"
        protocol: TCP
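To make the allow/deny semantics of the two policies above concrete (the L7 HTTP rules for myService, and the allow-dns egress policy that turns into a namespace default-deny), here is a small evaluator that mimics how Cilium decides a flow: endpoint selection by labels, per-direction default-deny once an endpoint is selected, L4 port/protocol match, then L7 method/path match. This is an added example written for this post, not Cilium's code; the policies are transcribed into dicts so no YAML library is needed, the sample flows and labels are constructed, and namespace scoping is deliberately ignored.

```python
import re

# The post's "l7-rule" policy, transcribed from YAML into a dict (no YAML lib needed)
L7_RULE = {
    "endpointSelector": {"matchLabels": {"app": "myService"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
        "toPorts": [{
            "ports": [{"port": "80", "protocol": "TCP"}],
            "rules": {"http": [
                {"method": "GET", "path": "/api/v1/data.*"},
                {"method": "POST", "path": "/api/v1/upload"},
                {"method": "GET", "path": "/public/.*"},
            ]},
        }],
    }],
}

# The post's "allow-dns" egress policy; {} selects every pod in its namespace
ALLOW_DNS = {
    "endpointSelector": {},
    "egress": [{
        "toEndpoints": [{"matchLabels": {"k8s-app": "kube-dns"}}],
        "toPorts": [{"ports": [{"port": "53", "protocol": "UDP"},
                               {"port": "53", "protocol": "TCP"}]}],
    }],
}
POLICIES = [L7_RULE, ALLOW_DNS]


def selector_matches(selector, labels):
    """{} matches everything; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def l7_allows(http_rules, method, path):
    """No http rules means any request on the port; a path regex is a full match."""
    if not http_rules:
        return True
    for rule in http_rules:
        if "method" in rule and rule["method"] != method:
            continue
        if "path" in rule and (path is None or not re.fullmatch(rule["path"], path)):
            continue
        return True
    return False


def rule_allows(rule, peer_key, peer_labels, port, proto, method, path):
    """One ingress/egress rule: peer selector (L3), then port (L4), then L7."""
    peers = rule.get(peer_key, [])
    if peers and not any(selector_matches(s, peer_labels) for s in peers):
        return False
    if not rule.get("toPorts"):
        return True  # no L4 section: every port is allowed to this peer
    for tp in rule["toPorts"]:
        if any(p["port"] == str(port) and p["protocol"] in (proto, "ANY") for p in tp["ports"]):
            return l7_allows(tp.get("rules", {}).get("http"), method, path)
    return False


def evaluate(policies, direction, endpoint_labels, peer_labels, port,
             proto="TCP", method=None, path=None):
    """'ALLOW' or 'DENY' for one flow, seen from the endpoint with endpoint_labels.

    direction is 'ingress' (peer -> endpoint) or 'egress' (endpoint -> peer).
    Default-deny applies per direction, and only once some policy selects the endpoint.
    """
    peer_key = "fromEndpoints" if direction == "ingress" else "toEndpoints"
    selected = False
    for pol in policies:
        if direction not in pol or not selector_matches(pol["endpointSelector"], endpoint_labels):
            continue
        selected = True
        if any(rule_allows(r, peer_key, peer_labels, port, proto, method, path)
               for r in pol[direction]):
            return "ALLOW"
    return "DENY" if selected else "ALLOW"


# Constructed sample flows (labels are illustrative; namespaces are ignored here)
FRONTEND, SERVICE = {"app": "frontend"}, {"app": "myService"}
KUBE_DNS, BATCH = {"k8s-app": "kube-dns"}, {"app": "batch"}


def demo():
    """Verdicts for the sample flows; each key says what the flow probes."""
    return {
        "frontend GET /api/v1/data/42":    evaluate(POLICIES, "ingress", SERVICE, FRONTEND, 80, "TCP", "GET", "/api/v1/data/42"),
        "frontend DELETE /api/v1/data/42": evaluate(POLICIES, "ingress", SERVICE, FRONTEND, 80, "TCP", "DELETE", "/api/v1/data/42"),
        "frontend GET /admin":             evaluate(POLICIES, "ingress", SERVICE, FRONTEND, 80, "TCP", "GET", "/admin"),
        "frontend GET :8080 /public/x":    evaluate(POLICIES, "ingress", SERVICE, FRONTEND, 8080, "TCP", "GET", "/public/x"),
        "batch POST /api/v1/upload":       evaluate(POLICIES, "ingress", SERVICE, BATCH, 80, "TCP", "POST", "/api/v1/upload"),
        "batch -> kube-dns :53/udp":       evaluate(POLICIES, "egress", BATCH, KUBE_DNS, 53, "UDP"),
        "batch -> web :443/tcp":           evaluate(POLICIES, "egress", BATCH, {"app": "web"}, 443, "TCP"),
        "web -> batch :9000 (ingress)":    evaluate(POLICIES, "ingress", BATCH, {"app": "web"}, 9000, "TCP"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{verdict:5s} {flow}")
```

The last two flows are the ones worth staring at: batch has no policy of its own, yet its HTTPS egress is denied because the allow-dns policy selected it for egress, while its ingress on port 9000 is still wide open because nothing selects it in that direction. In a real cluster, check the same thing with `hubble observe --verdict DROPPED` after applying the policies.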

Summary:

- Cilium can fully replace kube-proxy (kube-proxy replacement mode, which the Helm command above does not enable), implementing Service load balancing in eBPF

- For applications exposing a REST or gRPC API, Cilium lets you implement a "least privilege" policy down to individual API calls

- Cluster Mesh securely connects multiple Kubernetes clusters

- Instead of filtering by IP address, Cilium assigns a security identity to each group of pods with the same labels; the identity travels with the packet (in the tunnel header in overlay mode) or is resolved from the source IP on the receiving node, so communication rights are checked there regardless of where the pod is running

- Extends the standard Kubernetes NetworkPolicy with rules based on HTTP, gRPC and Kafka, so specific API calls, HTTP methods (GET, POST) or URL paths can be allowed or denied

- Can transparently encrypt all traffic between pods in a cluster, or even between clusters, using IPsec or WireGuard

- Egress can be restricted with policies tied to DNS names (toFQDNs) instead of IP addresses
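The summary lists kube-proxy replacement, encryption and DNS-name-based egress, none of which the Helm command or the CI job earlier in the post turns on. The values file and policy below are an added example for this post, not the post's own configuration and not copied from the Cilium project; the policy shape follows the documented toFQDNs pattern. The API server address and the api.example.com hostname are placeholders to replace.

```yaml
# values.yaml, used as:
#   helm upgrade --install cilium cilium/cilium --version 1.14.4 -n kube-system -f values.yaml
cluster:
  name: my-cluster
  id: 1

# kube-proxy replacement: Service load balancing is done in eBPF, so Cilium
# must reach the API server itself (placeholders: set your own endpoint)
kubeProxyReplacement: true      # charts older than 1.14 used "strict"
k8sServiceHost: 10.0.0.10       # assumption: your API server address
k8sServicePort: 6443

# transparent pod-to-pod encryption (type: ipsec for IPsec instead)
encryption:
  enabled: true
  type: wireguard

# Hubble observability, as in the post's CI job
hubble:
  relay:
    enabled: true
  ui:
    enabled: true

# --- egress-fqdn-policy.yaml: DNS-name-based egress for myService ---
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-by-fqdn
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: myService
  egress:
  # DNS must go through Cilium's DNS proxy so it can learn which IPs the
  # allowed names resolve to; without this rule toFQDNs never matches
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # only this name (assumption: api.example.com) on 443; all other egress denied
  - toFQDNs:
    - matchName: "api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Two checks before relying on this: `cilium status` should report the kube-proxy replacement and encryption as enabled after the upgrade, and the release notes for the exact Cilium version you pin should be read for WireGuard's known limitations (older releases restricted its use together with the L7 proxy that the HTTP rules above depend on).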

#appsec #toolchain #containersecurity #reco #techsolution #paper
