#Cilium

Putting aside the question of *which* node should be advertising a given service via BGP - *what* would it advertise? Services /can/ have multiple IPs but that's not usually the case. It's primarily a single ClusterIP to indirect backends right?

Okay so *somehow* the IP gets advertised but what range do you put on it?

The entire service CIDR sure is convenient but then what? All services hit the same node and get converted to in-cluster IP forwarding? Can you even advertise a range with multiple gateways? Probably. But this is also playing roulette with nodes not having a backend on them. Even if you made the route advertisement only the nodes with backends for the service, it'd be quite a weighty way to do the indirection, and you're now moving that indirection *outside* the cluster - which is cool but seems to violate the idea that services should be internal-only.

@hugo Halp

#Networking #Kubernetes #k8s #Cilium #CiliumCNI

So the default kubernetes service has no `selector` in spec, which, according to the v1 `Service` spec:

> If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify.

But fetching endpoints (or endpointslices rather) yields none for the default service. This would explain the CNI not doing anything about the Service. Does not explain the lack of service routing for ones that *do* have endpointSlices

Am I missing some Cilium option to make it manage the endpoint?

#Cilium #CiliumCNI #Kubernetes #k8s

My service CIDR is set to something under my prefix but outside the layer 3 subnet. Kubernetes is assigning IPs nominally but Cilium doesn't seem to be implementing them?

Nothing in the route table, but it shouuuuld be BPF implementation anyway right? Idk how to verify its absence though - bpftool and tc output is cryptic and there's a lot in here

#Cilium #CiliumCNI

Felt like I was thrashing semi-blindly with my CNI config so I read the Kubernetes/Cilium for network engineers book. Couple new tidbits but looks like I am stuck waiting till 2026 for the proper O'Reilly one.

Meantime - labs I guess

#Cilium #CiliumCNI #Kubernetes #k8s

Jam-packed talk full of crazy stuff with IPv6 SRV.
I think I understood like maybe a half of it.

youtube.com/watch?v=vJaOKGWiyv

#IPv6 #Networking #Kubernetes #k8s #Cilium

ByteSectorX (@bytesectorx)
2025-05-18

Level up your Kubernetes security! 🚀 Our practical guide to Advanced Network Segmentation with Cilium is here. Learn how to build robust security policies and supercharge your microservices. A must-read for cloud-native devs! 🔐

bytesectorx.blogspot.com/2025/

Caleb Woodbine 🎺🐛 (@calebwoodbine@mastodon.nz)
2025-05-18

Migrated to Cilium from Flannel on my home lab which runs Talos Linux 🎉

#kubernetes #cilium #taloslinux

2025-05-16

mstdn.dk/ was down for about half an hour this morning, as I stupidly and/or naively had enabled automatic updates for #Cilium, the software handling the #Kubernetes network layer. I'm unsure what exactly is broken in release 1.17.4, but deployments were failing with InvalidImageName and from the looks of it, the container layer was unable to resolve the tag to a specific image. Rolling back AND PINNING THE VERSION to 1.17.3 fixed the issue. Sorry about that.

Now back to breakfast.

#downtime #MastoAdmin

2025-05-07

Somehow I can't get #knative to work properly with contour on top of #cilium as CNI.
Always routes itself into some kind of loop holes.

2025-05-02

🛰️ Control network traffic down to the API level with #Cilium? In the third part of his series, Dominik Guhr shows how you can use eBPF, deny policies and service maps to make security rules visible and effective, and avoid pitfalls.

🔗 innoq.com/de/articles/2025/04/

Cilium question:

How are `ClusterIP` type services supposed to be routed when Kube-Proxy is replaced?

Like Service Cluster IP Range must be set in the K8s API server configuration, so the IPAM for that is well outside of Cilium's so... is it supposed to be natively routable? Everything says CIDR overlaps are a no-no.

The pod routing table contains nothing about the ClusterIP, though default routing should be okay. `traceroute` shows it hitting the node's cluster IP and then just... nothing.

Is eBPF supposed to be doing DNAT?

I don't get it and I'm so close!

#Cilium #Kubernetes #k8s

Took a while but I've discovered what I want/need for IPv6 dynamic iBGP peering with Cilium just isn't possible without hacking around OPNsense a bit.

Well, at least I *know* now it's not doable. Tweaking settings semi-blindly and poking logs wasn't exactly fulfilling.

As is par for the course I've found the GitHub issue for it closed by a stalebot.

#IPv6 #BGP #Networking #OPNsense #Cilium #HomeLab

> Many customers choose to combine the L3/L4 features of Cilium with the L4/L7 and encryption features of Istio for a defense-in-depth strategy.

Those poor bastards / Like hell they do!

istio.io/latest/blog/2024/ambi

#Kubernetes #k8s #Cilium #Istio

2025-04-24

🚀 Network monitoring, security and observability, directly in the Kubernetes kernel thanks to eBPF.

In his new article series, Dominik Guhr shows you how to set up a local Kubernetes cluster with #Cilium and make it ready for observability and security. Besides the fundamentals, you will learn, among other things, how Cilium network rules are created and monitored in real time.

👉 Read now: innoq.com/de/articles/2025/12/

2025-04-23

Drawbacks of Istio compared to Cilium: a detailed explanation

In this article we go through the main drawbacks of Istio compared to Cilium Service Mesh, so that even a beginner developer can understand what the difference is and why some teams choose Cilium over Istio.

habr.com/ru/articles/903736/

#cilium #istio #kubernetes

2025-04-19

Provide additional metadata information to Cilium for IP addresses outside of the Kubernetes cluster scope danielstechblog.io/provide-add #Azure #AKS #Cilium #Kubernetes

Carlos Mendible (@cmendibl3@hachyderm.io)
2025-04-05

YES! Generally Available: Azure CNI Overlay Dual-stack with Cilium Dataplane SUPPORT #aks #kubernetes #Azure #cilium azure.microsoft.com/updates?id

Carlos Mendible (@cmendibl3@hachyderm.io)
2025-04-05

Public Preview: Cilium WireGuard Encryption Support in AKS #kubernetes #cilium #Azure #aks #wireguard 👇 azure.microsoft.com/en-us/upda
