Open-Source Wikis

/

Cilium

/

Security

cilium/cilium

Security

Trust boundaries

graph TD
    User[Users / Workloads]
    Pod[Pod netns]
    Agent[cilium-agent on host]
    Kernel[Linux kernel]
    APIServer[kube-apiserver]
    Op[cilium-operator]
    Mesh[Other clusters]

    User --> Pod
    Pod -->|veth| Agent
    Agent --> Kernel
    Agent --> APIServer
    Op --> APIServer
    Mesh -.->|mTLS via clustermesh| Agent

The agent is the trust boundary on each node:

  • Pod isolation is enforced by Linux network namespaces plus Cilium-loaded BPF programs. A compromised pod cannot bypass policy without escalating out of its netns.
  • Agent privilege: the agent runs in the host network namespace with CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_BPF, and access to bpffs. A compromised agent has full control of the node's network. The threat model assumes nodes are trusted and the agent is part of the cluster's TCB.
  • Operator privilege: the operator runs as a regular pod with permissions limited to managing Cilium CRDs. It does not have node privilege.
  • API server access: authenticated and authorized via Kubernetes RBAC. The Helm chart ships a minimal ClusterRole for the agent.

Reporting vulnerabilities

SECURITY.md is the canonical reporting policy:

  • Email security@cilium.io to report a vulnerability privately.
  • Public disclosure happens after coordinated patches are released across supported branches.
  • The Cilium security team coordinates CVE assignment.

The CLOMonitor and Core Infrastructure Initiative badges (README.rst) summarise the project's security posture.

Supply chain

  • Dependencies: vendored under vendor/ so builds are reproducible.
  • Renovate: renovate.json5 automates dependency updates.
  • Image signing: every image is signed with Cosign.
  • SBOM: every image since v1.13.0 contains an SPDX SBOM (Documentation/configuration/sbom.rst).
  • License: LICENSE for userspace; bpf/LICENSE.GPL-2.0 and bpf/LICENSE.BSD-2-Clause for BPF templates. FOSSA tracks third-party license compliance.

Defense in depth

  • Identity-based policy: policy is expressed against label-derived identities, decoupling policy from IP allocation.
  • Default-deny on policy match: once any policy applies to an endpoint, that endpoint becomes default-deny in the matching direction (matches Kubernetes NetworkPolicy semantics).
  • Mutual auth: features/service-mesh.md details the auth handshake using SPIFFE-derived identities.
  • Encryption: WireGuard or IPSec for node-to-node (features/encryption.md).
  • Audit mode: policies can be tested without enforcement (AuditMode: true on a CNP) so operators can validate before going live.
  • Hubble drop visibility: every drop carries a structured reason and pod metadata for incident response.
  • Host firewall: Cilium can enforce policy on the host network namespace too (hostFirewall.enabled), preventing arbitrary processes on the node from sidestepping pod policy.
  • CIS benchmarks: Documentation/security/ covers compliance considerations.

Operational hardening

  • Run multiple operator replicas with leader election; none of them are in the data path.
  • Restrict who can write Cilium CRDs via RBAC; CNP/CCNP write access is effectively firewall management.
  • Enable the agent's TLS for the Hubble Relay endpoint and the Cluster Mesh apiserver — both default to mTLS.
  • Watch the cilium_agent_health_status metric and the cilium-health probe results; degradation is often the earliest sign of a misconfiguration.

Auth and Cluster Mesh

  • Cluster Mesh uses mTLS between agents and remote cluster etcds. Certificates are generated by cilium clustermesh enable and rotated by recreating the Secret.
  • Mutual auth between workloads uses identity-derived SPIFFE IDs. Operators integrate with external CAs through auth.identityIssuer.
  • The clustermesh-apiserver exposes etcd via a LoadBalancer or NodePort service; restrict access via firewall rules in addition to mTLS.

Common misconfigurations

  • Forgetting to enable kubeProxyReplacement: true while still relying on Cilium for service load balancing — only some service traffic bypasses kube-proxy.
  • Mixing tunnel and native routing without configuring the underlay correctly — native routing requires routable pod CIDRs.
  • Disabling policyEnforcementMode: default without understanding that it changes the default-deny semantics.
  • Forgetting the host firewall: if hostFirewall.enabled: false (default), node-network processes are not gated by Cilium policy.

References

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – Cilium wiki | Factory