Security¶

Overview¶

Cilium provides a security model built on identity-based policies rather than IP addresses. Pods with identical label selectors share a numeric security identity that is embedded in packet metadata via eBPF, enabling policy enforcement at the receiving node without IP lookups. Cilium enforces policies at L3, L4, and L7 using eBPF programs, supports transparent encryption (WireGuard, IPsec, ztunnel), integrates with Tetragon for runtime security, and provides deep flow visibility through Hubble.

Identity-Based Security Model¶

Unlike traditional firewalls that filter on source/destination IP addresses, Cilium assigns a security identity to groups of pods sharing identical security-relevant labels:

Identity allocation -- the Cilium agent computes a numeric identity from a pod's label set. Pods with identical labels get the same identity.
Identity in packets -- the identity is carried in packet metadata (eBPF context, VXLAN/Geneve options, or IPv6 flow label) so every packet is tagged with its source identity.
Policy enforcement -- eBPF programs at TC hooks compare the source identity against the policy map for the destination. No IP lookup required.
Identity CRD -- identities are stored as CiliumIdentity CRDs in the Kubernetes API, synchronized across nodes.

Advantage over IP-based policies

Identity-based policy is inherently resilient to IP changes from pod restarts, scaling events, and node rescheduling. Policy rules remain valid as long as labels are unchanged.

Network Policy CRDs¶

Kubernetes NetworkPolicy¶

Cilium fully implements the Kubernetes NetworkPolicy resource. These are automatically translated into eBPF policy rules.

CiliumNetworkPolicy (cilium.io/v2)¶

CiliumNetworkPolicy extends the Kubernetes model with advanced matching:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l7-visibility-tls"
spec:
  description: "L7 policy with TLS visibility"
  endpointSelector:
    matchLabels:
      org: empire
      class: mediabot
  egress:
  - toFQDNs:
    - matchName: "httpbin.org"
    toPorts:
    - ports:
      - port: "443"
        protocol: "TCP"
      terminatingTLS:
        secret:
          namespace: "kube-system"
          name: "httpbin-tls-data"
      originatingTLS:
        secret:
          namespace: "kube-system"
          name: "tls-orig-data"
      rules:
        http:
        - {}
  - toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"

Key capabilities of CiliumNetworkPolicy:

FQDN-based rules -- toFQDNs / fromFQDNs allow policies based on domain names. Cilium monitors DNS responses and dynamically maps FQDNs to IPs.
L7 (HTTP/gRPC/Kafka) rules -- deep packet inspection for HTTP method/path, gRPC method, Kafka topic, and other application-layer attributes.
DNS-aware rules -- toPorts with rules.dns for fine-grained DNS query filtering.
TLS visibility -- originatingTLS and terminatingTLS enable L7 inspection of TLS-encrypted traffic by injecting Cilium as a man-in-the-middle with stored certificates.
CIDR rules -- toCIDRSet / fromCIDRSet for IP-block-based ingress/egress rules.
Entity rules -- toEntities / fromEntities for matching against special Cilium entities (host, remote-node, cluster, world).

CiliumClusterwideNetworkPolicy¶

Non-namespaced variant that applies across all namespaces. Equivalent to Calico's GlobalNetworkPolicy. Useful for cluster-wide default-deny and baseline security policies.

Default Deny¶

A cluster-wide default-deny policy can be enforced with:

apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: "default-deny-all"
spec:
  endpointSelector: {}
  ingressDeny:
  - fromEntities: ["all"]
  egressDeny:
  - toEntities: ["all"]

Transparent Encryption¶

Cilium supports three modes of transparent encryption for pod-to-pod and node-to-node traffic:

Mode	How it works	Requirements
WireGuard	In-kernel WireGuard tunnel. Each node gets a WireGuard key pair. Public keys are distributed via Kubernetes Secrets.	Kernel 5.6+ or `wireguard.ko` module
IPsec	Uses Linux XFRM framework with per-node keys. Keys are stored as Kubernetes Secrets and rotated automatically.	Linux kernel XFRM support
ztunnel (Beta)	Per-node proxy (from Istio ambient mesh) that handles mTLS for all traffic. No sidecars required.	Cilium mesh mode enabled

Enable WireGuard encryption via Helm:

helm install cilium cilium/cilium \
  --set encryption.enabled=true \
  --set encryption.type=wireguard

WireGuard vs IPsec

WireGuard is recommended for new deployments. It has a smaller codebase, simpler key management, and better performance (ChaCha20-Poly1305) than IPsec. IPsec is retained for environments with existing IPsec infrastructure or compliance requirements.

Tetragon Runtime Security¶

Tetragon is an eBPF-based runtime security component that complements Cilium's network security:

Process execution -- traces process creation (execve, fork) and termination events in real time.
File access -- monitors file open, read, write, and permission change operations.
Network sockets -- tracks TCP connect, accept, bind, and close events at the kernel level.
TracingPolicy CRDs -- define what to monitor and enforce via declarative Kubernetes resources:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "monitor-sensitive-files"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 1
      type: "file"
    selectors:
    - matchNames:
      - namespace: "default"
    matchActions:
    - action: Sigkill

Real-time enforcement -- can terminate processes that match suspicious patterns (e.g., reading /etc/shadow from a container).
Low overhead -- uses kernel tracepoints and kprobes rather than userspace agents, minimizing performance impact.

Tetragon operates independently of Cilium's CNI datapath and can be deployed in clusters running other CNI plugins.

Hubble Flow Visibility¶

Hubble provides deep network observability that is critical for security auditing and incident response:

Flow logging -- every packet is logged with source/destination identity, verdict (forwarded/denied/dropped), L4 protocol, and L7 metadata (HTTP method/path, DNS query, gRPC method).
Policy drop visibility -- when a packet is denied by policy, Hubble records which policy rule triggered the drop, making debugging straightforward.
DNS monitoring -- logs all DNS queries and responses, useful for detecting data exfiltration and unauthorized domain access.
Service map -- Hubble UI provides a visual graph of service-to-service communication, highlighting denied flows in red.
hubble observe CLI -- filter flows by pod, namespace, identity, verdict, label, or L7 protocol:

hubble observe --from-pod default/frontend --to-pod default/backend --verdict DROPPED

Hubble metrics -- Prometheus-compatible metrics for flow rates, policy drops per namespace, DNS latency, and HTTP response codes.
Hubble exporter -- exports flows to external SIEM/logging systems for long-term retention and compliance.

Security Policy Layers¶

Layer	Enforcement Point	Capabilities
L3/L4	TC eBPF (ingress/egress)	Identity-based allow/deny by label, CIDR, FQDN, port, protocol
L4+ NAT	Socket BPF / TC eBPF	Service load balancing, kube-proxy replacement
L7 HTTP	Envoy proxy (embedded in Cilium agent)	HTTP method/path/header filtering, URL regex
L7 gRPC	Envoy proxy	gRPC method filtering
L7 Kafka	Envoy proxy	Kafka topic, API key filtering
L7 DNS	TC eBPF	DNS query pattern filtering
TLS	Envoy proxy with stored certs	TLS termination for L7 inspection
Runtime	Tetragon (tracepoints/kprobes)	Process, file, and socket event monitoring and enforcement
Encryption	WireGuard / IPsec / ztunnel	Transparent pod-to-pod and node-to-node encryption

Threat Model¶

Threat	Mitigation
Lateral pod movement	Default-deny CiliumClusterwideNetworkPolicy, identity-based rules
Unauthorized egress	FQDN-based egress policies, DNS filtering, CIDR rules
Unencrypted inter-node traffic	WireGuard or IPsec transparent encryption
Pod identity spoofing	Identity embedded in eBPF packet metadata; cannot be forged by pods
Compromised container	Tetragon runtime enforcement (process kill, file access alerts)
Data exfiltration	DNS monitoring, L7 policy, Hubble flow logging
Supply chain / compromised image	Network isolation + Tetragon process monitoring
Blind spots after incidents	Hubble full flow logging with policy verdicts