To install Cilium as a CNI (Container Network Interface) plugin in a Kubernetes cluster, you can follow the steps below. The process typically uses Helm, which is a package manager for Kubernetes, to install Cilium and configure it for the cluster. This process also configures networking, security policies, and observability features like Hubble.
Prerequisites
- Kubernetes Cluster: A running Kubernetes cluster (either local with minikube, cloud-based with managed Kubernetes, or custom).
- kubectl: The Kubernetes command-line tool configured to interact with your cluster.
- Helm: The package manager for Kubernetes. If Helm is not installed, you can follow the official Helm installation guide.
Step-by-Step Installation Guide
Step 1: Add the Cilium Helm Repository
Start by adding the official Cilium Helm repository to your Helm setup:
helm repo add cilium https://helm.cilium.io/
helm repo update
This adds the Cilium Helm chart to Helm's list of repositories, ensuring you have access to the latest versions of Cilium.
Step 2: Install Cilium via Helm
You can now install Cilium using Helm. Use the following command to install Cilium in your Kubernetes cluster, replacing the <CILIUM_VERSION> placeholder with the chart version you intend to deploy:
helm install cilium cilium/cilium --version <CILIUM_VERSION> \
  --namespace kube-system \
  --set kubeProxyReplacement=strict \
  --set cni.enabled=true \
  --set operator.enabled=true
Explanation of options:
- --namespace kube-system: Cilium is installed in the kube-system namespace, which is typically used for system components.
- --set kubeProxyReplacement=strict: This option enables Cilium to replace the standard Kubernetes kube-proxy with eBPF-based proxying for better performance.
- --set cni.enabled=true: This enables the CNI functionality, making Cilium handle the pod networking.
- --set operator.enabled=true: This deploys the Cilium operator, which manages the lifecycle of Cilium resources.
Step 3: Verify Cilium Installation
To check if Cilium has been successfully installed, you can verify that the pods are running in the kube-system namespace:
kubectl get pods -n kube-system -l k8s-app=cilium
You should see pods like cilium-agent and cilium-operator running. It may take a minute or two for the pods to fully start.
Example output:
NAME                  READY   STATUS    RESTARTS   AGE
cilium-abc123         1/1     Running   0          2m
cilium-operator-xyz   1/1     Running   0          2m
Step 4: Verify Cilium is Running as the CNI
To confirm that Cilium is functioning as the CNI, check the nodes in your cluster and verify that the CNI configuration is set up:
kubectl get nodes -o wide
In the "INTERNAL-IP" column, check if the Cilium CNI is listed. If Cilium is properly installed, the CNI pod will handle the network interfaces.
Step 5: Enable Hubble for Observability (Optional)
Cilium also provides Hubble, a monitoring and observability platform, which allows you to observe network traffic and security events. To install Hubble, you can use Helm as well:
kubectl create namespace hubble
helm install hubble cilium/hubble --namespace=hubble
After Hubble is installed, you can access the Hubble UI by port-forwarding or exposing it through a LoadBalancer service. For quick access, use port forwarding:
kubectl port-forward service/hubble-ui -n hubble 12000:80
Now, you can access the Hubble UI by navigating to http://localhost:12000 in your browser.
Step 6: Test Networking
Once Cilium is installed, you can create some test workloads (pods or services) and test pod-to-pod networking, service discovery, and any security policies you might want to enforce. For example, you can deploy a sample app:
kubectl run nginx --image=nginx --restart=Always
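Then, test connectivity between pods by executing into one pod and pinging another pod (replace the placeholders with the source pod's name and the target pod's IP address):
kubectl exec -it <source-pod-name> -- ping <target-pod-ip>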
Step 7: Configure Network Policies (Optional)
Cilium supports Kubernetes Network Policies out of the box. You can define and enforce policies based on IP addresses, ports, or even application-layer metadata (e.g., HTTP routes, gRPC calls).
Here's a simple example of a Network Policy that applies to pods labeled app=frontend and allows ingress traffic to them from pods labeled app=backend:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: frontend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: backend
Apply this policy with:
kubectl apply -f network-policy.yaml
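Before relying on this policy, it helps to work out exactly which flows it admits: selecting app=frontend pods isolates them for ingress, so every source other than app=backend pods in the same namespace is dropped, while backend pods stay unrestricted. The Python sketch below is an added example, not part of the original guide or of Cilium; it models only the label-selector ingress rules of a NetworkPolicy, and the pod names and namespaces are constructed.

```python
# Added example: simplified ingress evaluation for networking.k8s.io/v1
# NetworkPolicy (matchLabels pod selectors only; no ports, ipBlock or egress).
POLICY = {  # the allow-frontend-to-backend policy from this guide, as a dict
    "metadata": {"name": "allow-frontend-to-backend", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "frontend"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}]}],
    },
}

# Constructed sample pods (names, namespaces and labels are hypothetical).
PODS = {
    "frontend": {"namespace": "default", "labels": {"app": "frontend"}},
    "backend": {"namespace": "default", "labels": {"app": "backend"}},
    "nginx": {"namespace": "default", "labels": {"run": "nginx"}},
    "backend-other-ns": {"namespace": "staging", "labels": {"app": "backend"}},
}

def matches(selector, pod):
    """True if every matchLabels pair is on the pod; {} selects all pods."""
    wanted = selector.get("matchLabels", {})
    return all(pod["labels"].get(k) == v for k, v in wanted.items())

def ingress_allowed(policies, src, dst):
    """Decide whether traffic src -> dst is admitted by ingress policy."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst["namespace"]
        and matches(p["spec"]["podSelector"], dst)
    ]
    if not selecting:
        return True  # no policy selects dst, so its ingress stays open
    for p in selecting:
        ns = p["metadata"]["namespace"]
        for rule in p["spec"].get("ingress", []):
            if "from" not in rule:
                return True  # a rule without "from" admits every source
            for peer in rule["from"]:
                # A bare podSelector peer matches only pods in the policy's namespace.
                if src["namespace"] == ns and matches(peer["podSelector"], src):
                    return True
    return False  # dst is isolated and no rule admitted src

def verdicts(policies=(POLICY,)):
    """Map (source, destination) pod names to the allow/deny decision."""
    names = ("frontend", "backend", "nginx", "backend-other-ns")
    return {(s, d): ingress_allowed(policies, PODS[s], PODS[d])
            for s in names for d in ("frontend", "backend") if s != d}
```

Comparing verdicts() with what a connectivity test in the cluster actually shows is a quick way to confirm the policy is being enforced as written.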
Conclusion
You've successfully installed Cilium as a CNI plugin in your Kubernetes cluster. Now you can benefit from high-performance networking, identity-based security policies, and deep observability for your containerized applications. The installation process is simple with Helm, and you can extend its capabilities further with Hubble for monitoring and troubleshooting your network traffic.
By leveraging eBPF technology, Cilium provides an efficient and scalable networking solution, making it a great fit for modern Kubernetes workloads.