An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI – Part 3 https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-3/ #Azure #AKS #Kubernetes #Cilium
Cilium deprecated external workload? Deploy HAProxy Ingress in DMZ w/ BGP+BIRD. Pod CIDR export, firewalld hardening, AlmaLinux-ready. Secure & tested! 👇
https://devopstales.github.io/kubernetes/k8s-dmz-bgp-external-haproxy/
An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI – Part 2 https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-2/ #Azure #AKS #Kubernetes #Cilium
An experiment – Enable Cilium native routing on Azure Kubernetes Service BYOCNI – Part 1 https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-1/ #Azure #AKS #Kubernetes #Cilium
One last oddity from my NetworkPolicy project over the last few days.....
I am getting the following in my hubble logs:
Feb 22 20:48:28.333: :: (ID:16777244) <> ff02::1:ff99:2a81 (ID:16777244) Unknown L3 target address DROPPED (ICMPv6 NeighborSolicitation)
Feb 22 20:48:29.325: fe80::b85f:80ff:fed7:6193 (ID:2435) <> ff02::16 (ID:16777244) Invalid source ip DROPPED (ICMPv6 143(0))
Feb 22 20:48:29.325: fe80::b85f:80ff:fed7:6193 (ID:2435) <> ff02::2 (ID:16777244) Invalid source ip DROPPED (ICMPv6 RouterSolicitation)
Feb 22 20:49:43.117: :: (ID:9705) <> ff02::16 (ID:16777244) Invalid source ip DROPPED (ICMPv6 143(0))
Feb 22 20:49:43.213: :: (ID:16777244) <> ff02::1:ffaf:3d08 (ID:16777244) Unknown L3 target address DROPPED (ICMPv6 NeighborSolicitation)
@rachel The Hubble-generated dashboards (from cilium/hubble) tend to work better than third-party ones. The official Grafana integration at grafana.com/grafana/dashboards/16611 is solid for flow visibility.
For DNS-specific monitoring, dashboard 16612 covers Hubble DNS metrics well.
Avoid anything built for pre-1.14 Cilium — the metric names changed significantly.
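The five Hubble drop lines quoted in the NetworkPolicy post above, parsed and classified, as an added example that is not part of any post here. The regex is an assumption about the line layout (it is written only against the quoted lines); the classification relies on what the addresses themselves say: a `::` source with a solicited-node multicast target is IPv6 Duplicate Address Detection, ICMPv6 type 143 to ff02::16 is an MLDv2 report, and a Router Solicitation goes to ff02::2. All of these are link-local autoconfiguration traffic, which is worth separating from policy drops before anyone tunes a policy for them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: the five lines quoted in the post above.
SAMPLE = """\
Feb 22 20:48:28.333: :: (ID:16777244) <> ff02::1:ff99:2a81 (ID:16777244) Unknown L3 target address DROPPED (ICMPv6 NeighborSolicitation)
Feb 22 20:48:29.325: fe80::b85f:80ff:fed7:6193 (ID:2435) <> ff02::16 (ID:16777244) Invalid source ip DROPPED (ICMPv6 143(0))
Feb 22 20:48:29.325: fe80::b85f:80ff:fed7:6193 (ID:2435) <> ff02::2 (ID:16777244) Invalid source ip DROPPED (ICMPv6 RouterSolicitation)
Feb 22 20:49:43.117: :: (ID:9705) <> ff02::16 (ID:16777244) Invalid source ip DROPPED (ICMPv6 143(0))
Feb 22 20:49:43.213: :: (ID:16777244) <> ff02::1:ffaf:3d08 (ID:16777244) Unknown L3 target address DROPPED (ICMPv6 NeighborSolicitation)
"""

# Assumed layout of one Hubble text line: "<ts>: <src> (ID:n) <dir> <dst> (ID:n) <reason> <VERDICT> (<summary>)".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:.]+): "
    r"(?P<src>\S+) \(ID:(?P<src_id>\d+)\) (?P<dir>[<>-]+) "
    r"(?P<dst>\S+) \(ID:(?P<dst_id>\d+)\) "
    r"(?P<reason>.+?) (?P<verdict>DROPPED|FORWARDED|AUDIT) \((?P<summary>.+)\)$"
)

UNSPECIFIED = ipaddress.IPv6Address("::")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")  # NS targets for DAD
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")                # Router Solicitation
MLDV2_ROUTERS = ipaddress.IPv6Address("ff02::16")             # MLDv2 report target


def parse_line(line):
    """Return the fields of one Hubble text line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def source_kind(src):
    """Classify the source address: unspecified (::), link-local, or anything else."""
    addr = ipaddress.ip_address(src)
    if addr == UNSPECIFIED:
        return "unspecified"
    if addr.version == 6 and addr in LINK_LOCAL:
        return "link-local"
    return "other"


def classify(flow):
    """Name the IPv6 autoconfiguration message a dropped flow belongs to, or 'other'."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    summary = flow["summary"]
    if dst.version != 6:
        return "other"
    # DAD: Neighbor Solicitation from :: to the solicited-node multicast group.
    if "NeighborSolicitation" in summary and src == UNSPECIFIED and dst in SOLICITED_NODE:
        return "dad-neighbor-solicitation"
    # MLDv2 report (ICMPv6 type 143) to the MLDv2-capable-routers group.
    if summary.startswith("ICMPv6 143") and dst == MLDV2_ROUTERS:
        return "mldv2-report"
    if "RouterSolicitation" in summary and dst == ALL_ROUTERS:
        return "router-solicitation"
    return "other"


def summarize(text):
    """Count dropped flows by (message class, Hubble drop reason)."""
    counts = Counter()
    for line in text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["verdict"] != "DROPPED":
            continue
        counts[(classify(flow), flow["reason"])] += 1
    return counts


if __name__ == "__main__":
    for (kind, reason), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {kind:28s} {reason}")
```

Everything in the sample falls into one of the three autoconfiguration buckets, so a dashboard or alert built on Hubble drop counts should filter these classes out, or count them separately, before treating the drop rate as a policy signal.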
Happy to contribute to #Cilium (#documentation).
Good tools deserve good docs. ✨
https://github.com/cilium/cilium/pull/44204
Let's see where this goes!
RE: https://infosec.exchange/@alexandreborges/115906084679720718
Interesting tool built with the cilium lib.
"Features
Posted part two of my homelab k8s cluster series:
https://unixorn.github.io/post/homelab/k8s/02-k8s-cilium-r53-and-cert-manager/
This one covers using cert-manager to create certificates for domains hosted on Route 53 and setting up a basic https service using Cilium and also automatically redirecting http to https.
I set up a #talos #k8s cluster with #cilium on #proxmox over the holiday break.
I documented how to set one up on my blog at https://unixorn.github.io/post/homelab/k8s/01-talos-with-cilium-cni-on-proxmox/
This is part one of a series.
Cilium native routing means the same L2 and has to know how to route Pod IPs - okay so you make the Pod CIDR _inside_ of the LAN subnet? It's v6 so clashes are unlikely, we can gamble on that.
...but I have the nodes BGP peering with the router. Which means each node advertises (and gets a route table entry in the router) with the `/80` that is their Pod range.
That means anything _else_ on the LAN subnet that falls inside those `/80`s will get routed to the node as a gateway right?
You can't say, reserve a range for pods in the LAN subnet and downsize it from `/64` cause then SLAAC won't work right?
Very confused about how native routing is supposed to work.
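The routing mechanics behind the question above, as an added example (not from the post or from Cilium): a /64 LAN with per-node /80 Pod ranges carved out of it, the route table a BGP-peered router would hold, and the longest-prefix-match lookup it performs. The prefix, node names and MACs are assumed for illustration. The EUI-64 helper builds the address a SLAAC host would derive from its MAC, so you can see which hosts land inside an advertised /80 and get routed to that node instead of being delivered on the LAN.

```python
import ipaddress

# Assumed addressing for the scenario in the post: one LAN /64 (documentation
# prefix) and two node Pod ranges as /80s inside it, each advertised over BGP.
LAN = ipaddress.IPv6Network("2001:db8:1:2::/64")
NODE_POD_RANGES = {
    "node-a": ipaddress.IPv6Network("2001:db8:1:2:a::/80"),
    "node-b": ipaddress.IPv6Network("2001:db8:1:2:b::/80"),
}


def build_routes(lan, pod_ranges):
    """Route table as the router sees it: the connected /64 plus one /80 per BGP peer."""
    routes = [(lan, "connected")]
    for node, net in pod_ranges.items():
        routes.append((net, f"via {node}"))
    return routes


ROUTES = build_routes(LAN, NODE_POD_RANGES)


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    addr = ipaddress.IPv6Address(addr)
    best = None
    for net, nexthop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def pod_ranges_inside_lan(lan, pod_ranges):
    """Which Pod ranges overlap the LAN prefix (i.e. shadow part of its host space)."""
    return {node: net for node, net in pod_ranges.items() if net.subnet_of(lan)}


def eui64_address(prefix, mac):
    """SLAAC address a host derives from its MAC (modified EUI-64, RFC 4291 App. A)."""
    b = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([b[0] ^ 0x02, b[1], b[2], 0xFF, 0xFE, b[3], b[4], b[5]])
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def shadowed_fraction(lan, pod_ranges):
    """Share of the /64 host space that the Pod ranges take away from LAN hosts."""
    total = lan.num_addresses
    return sum(net.num_addresses for net in pod_ranges_inside_lan(lan, pod_ranges).values()) / total


if __name__ == "__main__":
    for mac in ("00:1a:11:22:33:44", "02:0a:11:22:33:44"):
        host = eui64_address(LAN, mac)
        net, nexthop = lookup(ROUTES, host)
        print(f"{mac} -> {host}  matched {net} ({nexthop})")
    print(f"fraction of /64 shadowed by Pod ranges: {shadowed_fraction(LAN, NODE_POD_RANGES):.2e}")
```

The MAC `02:0a:...` is chosen so its interface identifier starts with `000a`, putting the host inside node-a's /80; the router then forwards its traffic to node-a rather than delivering it on the LAN. Each /80 shadows 1/65536 of the /64, so the odds per host are small but not zero, and the same applies to randomly generated (RFC 7217 or privacy) identifiers.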
Just published a deep dive on locking down my self-hosted #Mastodon instance on bare metal #Kubernetes. 🛡️
I used #Cilium Network Policies to implement a Zero Trust model—blocking internal LAN access while allowing federation. The post covers:
✅ Safely deploying with PolicyAuditMode
✅ Troubleshooting MinIO (toServices vs toEndpoints)
✅ Handling Redis via FQDN
Read the full write-up: https://wael.nasreddine.com/kubernetes/mastodon-locking-down-with-net.html
"Kubernetes is overkill for a Home Lab", exhibit 493 (made up number): I'm trying to make Pi-Hole egress to the internet via the loadbalancer IP, rather than the node IP (default). To do that, I need to implement Cilium Egress Gateway, which is horribly complicated, and will be used for a one-off. But if I don't do so, I need to review all my firewall rules, which only allow very few IP addresses in my network to query external DNS servers. Ugh. I'm starting to reconsider my sanity. What am I getting myself into? :picardfacepalm:
Edit: nothing like a good night of sleep. I found a solution using traffic policies in my router, so I no longer need the complexity of the k8s egress gateway. 👍
Use node initialization taints on Azure Kubernetes Service with Cilium https://www.danielstechblog.io/use-node-initialization-taints-on-azure-kubernetes-service-with-cilium/ #Azure #AzureKubernetesService #Kubernetes #Cilium
@maxheadroom nah, because of #cilium 🐝 I guess
'A Cilium Introduction: Back to Bee-Sics - Nico Vibert & Dan Finneran, Isovalent' https://www.youtube.com/watch?v=KZzNm5ntRbo (2024) #cilium #k8s
Cilium’s new Hubble flow policy log field https://www.danielstechblog.io/ciliums-new-hubble-flow-policy-log-field/ #Kubernetes #Cilium #AzureKubernetesService #AzureDataExplorer