I like when people ask if you can change the #CNI in a #kubernetes cluster on the fly, without destroying and recreating the cluster. Well, you *can* but is it simple, non-expensive, and not time-consuming? No. It's also very dependent on your specific application deployments.

https://cilium.io/blog/2023/09/07/db-schenker-migration-to-cilium/

#epbf #cilium

I have no idea if my cluster is very faster, but it is now kube-proxy free and passing the Cilium multi-node connectivity tests!

#k3s #cilium

DID IT!!!!!!!!!!!!!!

Karpenter couldn't recognize the k3s nodes because their node provider-id was k3s://... instead of aws:////$az/$instance_id

The screen shot is Karpenter recognizing Machines that have joined the cluster as Nodes, with Cilium attached to each node.

#k3s #cilium

Okay, looks like it. Cilium happily hands out 10.0.0.0/8 addresses.

And it seems that you can't "just remove" cilium either. "cilium uninstall" removes the cilium pods, but it doesn't change anything for newly created pods or existing pods.

So days since I nuked my Kubernetes cluster: 0. 😅

#HomeLab #Cilium #Kubernetes

Is it possible that Cilium completely ignores the "podSubnet" config I set with kubeadm when I set up my cluster?

It is definitely handing out Pod IPs outside that CIDR range. I guess I now get to find out how well the cluster reacts to me removing Cilium and reinstalling it.

#HomeLab #Cilium #Kubernetes

Wow, just solved a long standing problem with cilium's incompatibility with the k3d docker image.

By building nix in a multi-stage Earthly build, I was able to simply copy /nix to k3d's image, and symlink util-linux and bash-interactive packages to /bin.

#nix #cilium

Linkerd 2.14 has multi-cluster support for shared flat networks.

I've been using shared VPC subnets and Tailscale to create a shared flat network.

Let's see if Linkerd can work on top of a Cilium CNI connected via Tailscale as external/internal IP.

Even Buoyant thinks this is an awesome idea.
- https://buoyant.io/blog/kubernetes-network-policies-with-cilium-and-linkerd
- https://buoyant.io/blog/announcing-linkerd-2-14-flat-network-multicluster-gateway-api-conformance

#linkerd #cilium #tailscale

SecurityOnline: cilium v1.14.1 releases: eBPF-based Networking, Security, and Observability https://securityonline.info/cilium-ebpf-based-networking-security-and-observability/ #Defense #Cilium

I have completed the Security Summer School 2023 program by successfully finishing the following labs.
✅Isovalent Enterprise for Cilium: Network Policies
✅Cilium Transparent Encryption with IPSec and WireGuard
✅Cilium Enterprise: Zero Trust Visibility
#isovalent #cilium

Completed Cilium Enterprise: Zero Trust Visibility lab and got a new badge from Isovalent!
#cilium #isovalent #zerotrust #kubernetes
https://www.credly.com/badges/c417fdb5-09dd-4b4c-9de5-3fb4e501dd55/public_url

Completed Cilium Transparent Encryption with IPSec and WireGuard lab and got a new badge from Isovalent!
https://www.credly.com/badges/d8cdaae7-b307-48c5-bad6-021f8980b603/public_url

✅ Installing Cilium and setting up IPsec for transparent encryption
✅ Managing Day 2 operations with IPsec on Cilium
✅ Setting up pod to pod transparent encryption using Cilium WireGuard
✅ Setting up node to node transparent encryption using Cilium WireGuard
#cilium #ipsec #wireguard #isovalent

SecurityOnline: cilium v1.14 releases: eBPF-based Networking, Security, and Observability https://securityonline.info/cilium-ebpf-based-networking-security-and-observability/ #Defense #Cilium

@SerhiyMakarenko #cilium. It's actually awesome. I’ve tried all the major ones over the years and I’m pretty happy with what cilium provides (it's like a good chunk of #istio service mesh but purely within your CNI)

I wanted to try migrating one of my #K8S clusters from #Calico to #Cilium today, but I'm also worried about how many things are going to break in the process 😅

Mon été avec #Cilium et #EKS https://medium.com/@littel.jo/mon-%C3%A9t%C3%A9-avec-cilium-et-eks-partie-1-99a66ed6671f #kubernetes #networking

Here's how you do it: pull in the #cilium hubble flows from prometheus (actually victoriametrics), transform labels to fields, transform add computed fields for all that grafana expects: https://grafana.com/docs/grafana/latest/panels-visualizations/visualizations/node-graph/#data-api

Painfully slow. OOMs.

#cilium's hubble actually tells you which side of the policy is rejecting the traffic! In here it's lemmy not accepting the traffic from lemmy-ui.

Level-up your security skills with team Isovalent virtual Security Summer School composed of 3 sessions with hands-on workshops and learn how Cilium, Tetragon, and Hubble help improve Kubernetes security.

Earn a swag box by completing all 3 sessions!

Sign up here: https://isovalent.com/events/2023-07-security-summer-school/
#isovalent #cilium #tetragon #hubble #kubernetes #security

I'm giving up on the #cilium multicluster peering. It's an amazing ide on paper—you can have traffic flow freely between clusters and write network policies that span all the endpoints.

In practice, it's wonky and fragile, e.g. my web cluster failed to get the endpoints from the ingress cluster for DAYS now, meaning the web's network policies will just reject traffic.

Yes, restarting cilium-agent by hand helps. But seriously? Why is that thing so fragile!

REX : #Kubernetes, #kubeadm, #Ubuntu 22.04 et #cilium - mes petites galères récentes

https://blog.zwindler.fr/2023/06/06/kubeadm-ubuntu-cilium-mes-petites-galeres/