Cilium — Operations

Scope

Production deployment, eBPF datapath management, network policy operations, Hubble observability, and troubleshooting.

Deployment Patterns

Installation Methods

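| Method | Use Case | Notes |
|---|---|---|
| Helm | Production | Most flexible, recommended for prod |
| cilium CLI | Dev/quick setup | cilium install |
| Managed (GKE, EKS) | Cloud-native | Uses cloud CNI integration |
| Standalone | Non-K8s eBPF | Runtime enforcement without K8s |

# Add the Cilium chart repository
helm repo add cilium https://helm.cilium.io/
helm repo update

# Production Helm install
# With kubeProxyReplacement=true the agent cannot rely on kube-proxy to reach
# the API server, so k8sServiceHost/k8sServicePort must point at it directly.
helm install cilium cilium/cilium --version 1.17.x \
  --namespace kube-system \
  --set kubeProxyReplacement=true \
  --set k8sServiceHost="${API_SERVER_IP}" \
  --set k8sServicePort=6443 \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set bpf.masquerade=true \
  --set ipam.mode=kubernetes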

kube-proxy Replacement

Cilium can fully replace kube-proxy using eBPF for service load balancing:

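# Verify kube-proxy replacement (query the agent; the cilium-cli status summary does not print this field)
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
# Should show: KubeProxyReplacement: True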

Network Policy

CiliumNetworkPolicy (L3/L4/L7)

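apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-http-frontend
spec:
  # L3: the policy applies to pods labelled app=backend. Once an ingress rule
  # selects them, ingress that no rule allows is denied.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # L4: only TCP/8080 is opened to the frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7: only GET requests whose path matches the regex are allowed;
      # other HTTP requests on this port are rejected by the proxy (403)
      rules:
        http:
        - method: GET
          path: "/api/.*"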

Hubble Observability

# Enable Hubble
cilium hubble enable --ui

# Observe live flows
hubble observe --namespace default --follow
hubble observe --verdict DROPPED --follow

# Service map (rendered by the Hubble UI; this port-forwards to it and opens a browser)
cilium hubble ui
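
A triage pass over the JSON form of the dropped-flow stream (hubble observe --verdict DROPPED --output json), added here as an example that is not part of the original page or the Cilium project's code. It groups drops by source app, destination app, port and reason, so traffic blocked by a policy such as allow-http-frontend stands out; the sample records are constructed and the helper names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample, one JSON object per line. Record 3 is a flat (unwrapped)
# flow and the last line is cut off, as when --follow is interrupted.
SAMPLE = """\
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"batch-7d9f","labels":["k8s:app=batch"]},"destination":{"pod_name":"backend-5c6b","labels":["k8s:app=backend"]},"l4":{"TCP":{"source_port":41822,"destination_port":8080}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"batch-7d9f","labels":["k8s:app=batch"]},"destination":{"pod_name":"backend-5c6b","labels":["k8s:app=backend"]},"l4":{"TCP":{"source_port":41830,"destination_port":8080}}}}
{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"frontend-9a1c","labels":["k8s:app=frontend"]},"destination":{"pod_name":"backend-5c6b","labels":["k8s:app=backend"]},"l4":{"TCP":{"source_port":50112,"destination_port":9090}}}
{"flow":{"verdict":"FORWARDED","source":{"labels":["k8s:app=frontend"]},"destination":{"labels":["k8s:app=backend"]},"l4":{"TCP":{"source_port":50200,"destination_port":8080}}}}
{"flow":{"verdict":"DROPPED","sou
"""

def app_label(endpoint):
    """Prefer the k8s app label, fall back to the pod name, then 'unknown'."""
    for label in endpoint.get("labels", []):
        if label.startswith("k8s:app="):
            return label.split("=", 1)[1]
    return endpoint.get("pod_name") or "unknown"

def dest_port(flow):
    """Return 'port/PROTO' for TCP/UDP/SCTP flows, 'n/a' otherwise (e.g. ICMP)."""
    l4 = flow.get("l4") or {}
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return f"{l4[proto].get('destination_port')}/{proto}"
    return "n/a"

def summarize_drops(lines):
    """Count dropped flows per (source app, destination app, port, drop reason)."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not isinstance(rec, dict):
            continue
        flow = rec.get("flow", rec)  # accept wrapped and flat records
        if flow.get("verdict") != "DROPPED":
            continue
        counts[(app_label(flow.get("source", {})), app_label(flow.get("destination", {})),
                dest_port(flow), flow.get("drop_reason_desc", "UNKNOWN"))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, port, reason), n in summarize_drops(SAMPLE.splitlines()).most_common():
        print(f"{n:3d}  {src} -> {dst} {port}  {reason}")
```

On a live cluster, feed it the observe output line by line instead of SAMPLE, for example via sys.stdin.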

Troubleshooting

| Symptom | Diagnosis | Fix |
|---|---|---|
| Pod connectivity fails | cilium status, cilium connectivity test | Check BPF maps, restart agent |
| Policy not enforced | cilium endpoint list, check labels | Verify label selectors match |
| High CPU on agent | cilium metrics | Tune BPF map sizes, check conntrack |
| Hubble flows missing | hubble status | Enable Hubble relay, check port 4245 |
| DNS resolution issues | cilium monitor --type l7 | Check DNS proxy, CoreDNS connectivity |

Upgrade Procedure

# Pre-flight check
cilium connectivity test

# Upgrade via Helm
helm upgrade cilium cilium/cilium --version 1.17.x --namespace kube-system --reuse-values

# Post-upgrade validation
cilium status --wait
cilium connectivity test