How-To

AllCommunityHow-ToReleaseTechnology
Dec 11, 2020

Cilium Zero Trust Networking Protections Against CVE-2020-8554

You've probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you're unfamiliar, a MITM vulnerability works by redirecting a victim's legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim's data before sending it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the default overly-permissive CAP_NET_RAW permissions in Kubernetes. However this vulnerability is unique in two ways:1. MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself. 2. Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there's no patch or hotfix you can deploy to protect your environment. This vulnerability is also unique in another way:if you're running Cilium without kube-proxy, you aren't vulnerable to it at all. Let's talk about how.

How-To
Multitenancy and Network Security in Kubernetes with Cilium
Jul 27, 2020

Multitenancy and Network Security in Kubernetes with Cilium

Multitenancy is a common pattern in Kubernetes. Many organizations deploy Kubernetes-as-a-Service, where one cluster houses many tenants and workloads. This pattern might sound familiar, as cloud computing services like AWS, Azure, and GCP have enabled multiple customers (tenants) to run their business-critical workloads in a single cluster for years.

How-To
How Cilium Protects Against Common Network Attacks
Jun 29, 2020

How Cilium Protects Against Common Network Attacks

Recently a vulnerability was discovered by Etienne Champetier that impacted several Kubernetes CNIs. The vulnerability worked by having an attacker pod send rogue IPv6 “Router Advertisement” packets to the host worker node, causing the node to route its IPv6 traffic through the attackers pod (commonly known as “Man-In-The-Middle”). Fortunately for users of Cilium, this vulnerability didn’t impact their environments because of several built-in and on-by-default security features provided by Cilium.In this blog post, we’ll discuss how on-by-default Cilium features automatically protect against these common types of network attacks.

How-To
Apr 29, 2020

Building a Multi-node Environment with Cilium and K3s in Twenty Minutes or Less

In this guide, we will walk through the steps required to build a multi-node Kubernetes cluster on your local workstation or laptop using K3s and Cilium. Then we'll show how you can use Hubble to inspect traffic in the cluster and visualize data exposed by the superpowers of eBPF and Cilium. We will also show you how to restrict the flow of traffic between applications. Finally, we will see how Cilium and Hubble can provide detailed information to help you solve problems related to compliance and regulations.

How-To
Debugging and Monitoring DNS issues in Kubernetes
Dec 18, 2019

Debugging and Monitoring DNS issues in Kubernetes

DNS is a common cause for outages and incidents in Kubernetes clusters. For real-world stories, swing by Kubernetes Failure Stories. How do you debug and troubleshoot DNS issues? How do you know a problem is related to DNS? This guide provides a step by step tutorial on how to systematically troubleshoot DNS issues in Kubernetes clusters. We will be using [Hubble] to identify and inspect DNS issues as well as set up monitoring so we can locate DNS issues early on to react even before incidents occur.

How-To
Deep Dive into Cilium Multi-cluster
Mar 18, 2019

Deep Dive into Cilium Multi-cluster

This is a deep dive into ClusterMesh, Cilium's multi-cluster implementation.

How-To
Analyzing the CNI performance benchmark
Dec 03, 2018

Analyzing the CNI performance benchmark

This blog post documents the investigation we have done so far of what looked like a performance regression of HTTP/FTP traffic over pure TCP.

How-To
Cilium How-To: Install with Kubernetes on Ubuntu 18.04
Sep 26, 2018

Cilium How-To: Install with Kubernetes on Ubuntu 18.04

Cilium provides API-aware network security for cloud-native applications. Here's a How-To guide to get you going easily with Kubernetes and Cilium on Ubuntu 18.04 LTS.

How-To
Jul 17, 2018

Prometheus Metrics for Kubernetes Networking Using Cilium

In Kubernetes deployments, Prometheus is a popular monitoring system and time-series database for storing health and performance metrics of all the components. Equally popular is Grafana for plotting the metrics. In this post, we will provide steps to setup Prometheus and Grafana for understanding important Cilium metrics related to the security and health of service interactions in a Kubernetes cluster.

How-To

Community

  • Slack

    For live conversation and quick questions, join the Cilium Slack workspace. Don’t forget to say hi!

    Join slack workspace

  • X

    Follow Cilium on X for the latest news and announcements.

    Follow Cilium on X

  • Github

    Cilium uses GitHub tags to maintain a list of asked questions.

    Join Github