[KubeCon EU 2026, Observability Day] Cilium Updates

Transcript

1. Cilium Cilium Tetragon Scalable, Secure, Efficient Networking L3L7 Security Observability

   & Runtime Enforcement Hubble Network Observability

2. Cilium 1.19 🎂 10 years https://isovalent.com/blog/post/cilium-11 9-ztunnel-transparent-encryption-multi-p ool-ipam-goes-stable-ipv6-progress-and -more/ https://hackmd.io/Zi1PI9dCTPSzqfiKwaCrBA

3. 1. IP Tracing # Inject a trace ID via IP

   Option type 136 into specific packets helm install cilium cilium/cilium \ --version 1.19.1 \ --set hubble.relay.enabled=true \ --set bpf.monitorTraceIPOption=136 # Hubble tracks packets across nodes, NAT and hops with specific trace ID hubble observe --ip-trace-id 13345 Jan 28 00:08:22.005: default/client-85c885449-hpvdx:35401 (ID:836) -> default/server-95f7c6d6-lhdch:80 (ID:17084) to-endpoint FORWARDED (IP Trace ID: 13345; TCP Flags: SYN) Jan 28 00:08:23.005: default/client-85c885449-hpvdx:35401 (ID:836) -> default/server-95f7c6d6-lhdch:80 (ID:17084) to-endpoint FORWARDED (IP Trace ID: 13345; TCP Flags: SYN) https://docs.cilium.io/en/stable/observability/hubble/ip-packet-tracing/

4. 1. IP Tracing

5. 1. IP Tracing

6. 1. IP Tracing

7. 1. IP Tracing

8. 1. IP Tracing

9. • Feature: Hubble writes flows to a file with rotation,

   size limits, and filter support. • Output: ◦ Aggregation groups repeated flows by identity+verdict and more over a time window. ◦ 10–100x reduction in log volume without losing signal. # Example of hubble.export.dynamic array config enabled: true config: content: - aggregationInterval: 25s fieldAggregate: - source.namespace - source.pod_name - destination.namespace fieldMask: - time - source.namespace - source.pod_name - destination.namespace - destination.pod_name - l4 - IP - node_name - is_reply - verdict - drop_reason_desc filePath: /var/run/cilium/evts-agg.log includeFilters: - source_pod: - default/ - destination_pod: - default/ name: agg2 2. FlowLog Aggregation

10. 2. FlowLog Aggregation $ kubectl exec -n kube-system ds/cilium --

    tail -f /var/run/cilium/hubble/events-agg2.log {"flow":{"source":{"namespace":"default","pod_name":"test-server"},"destination ":{"namespace":"default"},"aggregate":{"egress_flow_count":25}}} {"flow":{"source":{"namespace":"default","pod_name":"tmp-client"},"destination" :{"namespace":"default"},"aggregate":{"egress_flow_count":25}}}

11. Feature: Hubble can now filter traffic in the CLI by

    encryption status Use case: Critical for compliance and WireGuard/IPsec strict-mode audits # Show only encrypted flows hubble observe –encrypted # Show only unencrypted flows hubble observe –unencrypted 3. Filter by encryption status

12. 3. Filter by encryption status

13. 3. Filter by encryption status

14. 3. Filter by encryption status

15. 4. Support for VRRP and IGMP Host Firewall + Hubble

    Visibility • No ports = invisible to classic firewall rules ◦ VRRP and IGMP sit below the transport layer • Host firewall enforces security on traffic entering/leaving the node itself (not pod-to-pod, bare-metal NICs, keepalived VIPs, multicast joins) • Before 1.19: host firewall couldn't match them, Hubble showed them as "unknown" • Now: protocol-only rule, no ports needed hubble observe --protocol VRRP hubble observe --protocol IGMP # Example of Network Policy for VRRP apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: name: "allow-extended-egress-worker-node" # … egress: - toPorts: - ports: - port: "443" protocol: TCP - port: "0" protocol: VRRP

16. Cilium 1.19 Updates • IP tracing with ID • FlowLog

    Aggregation • Encrypted/Unencrypted flows • Support and visibility for VRRP and IGMP 🧪 Checkout the demos and go further github.com/doniacld/kc26-obs-day-cilium-1-19

17. Developer Meetings Cilium Weekly Developer Meeting Every Wednesday, 08:00 US-Pacific

    SIG Scalability Meeting Fourth Thursday of the month, 08:00 PT SIG Policy Meeting Second Tuesday of every month, 08:00 PT SIG Community Meeting Monthly on the first and third Thursday at 8am PT Monthly Tetragon community meetings 2nd Mondays, 6:00 pm Europe/Paris time Zoom info & agenda on cilium/cilium or Cilium slack

18. Cilium at KubeCon 👋 Let’s meet at Cilium Kiosk 📍Project

    Pavillion P-23A Cilium Up & Running Book Panel Discussion & Book Signing 📍 Isovalent Booth 730 📆 Tuesday, 17:30 - 18:30 CET Download the book