Cilium & Hubble Network Observability
Manage eBPF-based networking using kubectl-mcp-server's Cilium tools (8 tools).
When to Apply
Use this skill when:
- User mentions: "Cilium", "Hubble", "eBPF", "network policy", "flow"
- Operations: network policy management, traffic observation, L7 filtering
- Keywords: "network security", "traffic flow", "dropped packets", "connectivity"
Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect Cilium installation first | CRITICAL | cilium_detect_tool |
| 2 | Check agent status for health | HIGH | cilium_status_tool |
| 3 | Use Hubble for flow debugging | HIGH | hubble_flows_query_tool |
| 4 | Start with default deny | MEDIUM | CiliumNetworkPolicy |
Quick Reference
| Task | Tool | Example |
|---|---|---|
| Detect Cilium | cilium_detect_tool | cilium_detect_tool() |
| Agent status | cilium_status_tool | cilium_status_tool() |
| List policies | cilium_policies_list_tool | cilium_policies_list_tool(namespace) |
| Query flows | hubble_flows_query_tool | hubble_flows_query_tool(namespace) |
Check Installation
cilium_detect_tool()
Cilium Status
cilium_status_tool()
Network Policies
List Policies
cilium_policies_list_tool(namespace="default")
Get Policy Details
cilium_policy_get_tool(name="allow-web", namespace="default")
Create Cilium Network Policy
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: web
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
  egress:
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
""")
Endpoints
cilium_endpoints_list_tool(namespace="default")
Identities
cilium_identities_list_tool()
Nodes
cilium_nodes_list_tool()
Hubble Flow Observability
hubble_flows_query_tool(namespace="default", pod="my-pod", last="5m")
hubble_flows_query_tool(namespace="default", verdict="DROPPED")
hubble_flows_query_tool(namespace="default", type="l7")
Create L7 Policy
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/users"
""")
Cluster Mesh
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-cross-cluster
spec:
  endpointSelector:
    matchLabels:
      app: shared-service
  ingress:
  - fromEntities:
    - cluster
    - remote-node
""")
Troubleshooting Workflows
Pod Can't Reach Service
cilium_status_tool()
cilium_endpoints_list_tool(namespace)
cilium_policies_list_tool(namespace)
hubble_flows_query_tool(namespace, pod, verdict="DROPPED")
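An added example, not part of kubectl-mcp-server: one way to summarise the DROPPED flows that the last step of this workflow returns, grouped by source app, destination app and port. It assumes the records are available as JSON lines in the shape printed by `hubble observe -o json`; the sample flows are constructed and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample records (pod names are made up), one JSON object per line,
# in the shape printed by `hubble observe -o json`.
SAMPLE_FLOWS = """
{"flow":{"verdict":"FORWARDED","source":{"pod_name":"frontend-1","labels":["k8s:app=frontend"]},"destination":{"pod_name":"web-1","labels":["k8s:app=web"]},"l4":{"TCP":{"destination_port":80}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"web-1","labels":["k8s:app=web"]},"destination":{"pod_name":"coredns-1","labels":["k8s:k8s-app=kube-dns"]},"l4":{"UDP":{"destination_port":53}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"web-1","labels":["k8s:app=web"]},"destination":{"pod_name":"coredns-1","labels":["k8s:k8s-app=kube-dns"]},"l4":{"UDP":{"destination_port":53}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":{"pod_name":"batch-1","labels":["k8s:app=batch"]},"destination":{"pod_name":"web-1","labels":["k8s:app=web"]},"l4":{"TCP":{"destination_port":80}}}}
{"flow":{"verdict":"FORWARDED","source":{"pod_name":"web-1","labels":["k8s:app=web"]},"destination":{"pod_name":"db-1","labels":["k8s:app=database"]},"l4":{"TCP":{"destination_port":5432}}}}
"""

def app_label(endpoint):
    """Return the app name from Hubble's 'k8s:key=value' labels, else the pod name."""
    for label in endpoint.get("labels", []):
        key, _, value = label.partition("=")
        if key in ("k8s:app", "k8s:k8s-app"):
            return value
    return endpoint.get("pod_name") or "unknown"

def dest_port(l4):
    """Return (protocol, destination port); port is 0 for protocols without one."""
    for proto, fields in l4.items():
        return proto, fields.get("destination_port", 0)
    return "?", 0

def summarize_drops(lines):
    """Count DROPPED flows per (source app, destination app, proto, port, reason)."""
    drops = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = json.loads(line).get("flow", {})
        if flow.get("verdict") != "DROPPED":
            continue
        proto, port = dest_port(flow.get("l4", {}))
        key = (app_label(flow.get("source", {})), app_label(flow.get("destination", {})),
               proto, port, flow.get("drop_reason_desc", "UNKNOWN"))
        drops[key] += 1
    return drops.most_common()

if __name__ == "__main__":
    for (src, dst, proto, port, reason), count in summarize_drops(SAMPLE_FLOWS.splitlines()):
        print(f"{count:3d}  {src} -> {dst} {proto}/{port}  {reason}")
```

Each row is a flow to review against the policies selecting that endpoint, not automatically a rule to add. In the constructed sample, the DNS lookups from app=web show up as drops because the allow-web policy's egress section only permits the database on port 5432.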
Policy Not Working
cilium_policy_get_tool(name, namespace)
cilium_endpoints_list_tool(namespace)
hubble_flows_query_tool(namespace)
Network Performance Issues
cilium_status_tool()
cilium_nodes_list_tool()
hubble_flows_query_tool(namespace, type="l7")
Best Practices
- Start with default deny: Create baseline deny-all policy
- Use labels consistently: Policies rely on label selectors
- Monitor with Hubble: Observe flows before/after policy changes
- Test in staging: Verify policies don't break connectivity
Prerequisites
- Cilium: Required for all Cilium tools
  cilium install
Related Skills
- k8s-networking - Standard K8s networking
- k8s-security - Security policies
- k8s-service-mesh - Istio service mesh