cilium/cilium
Security
Trust boundaries
graph TD
User[Users / Workloads]
Pod[Pod netns]
Agent[cilium-agent on host]
Kernel[Linux kernel]
APIServer[kube-apiserver]
Op[cilium-operator]
Mesh[Other clusters]
User --> Pod
Pod -->|veth| Agent
Agent --> Kernel
Agent --> APIServer
Op --> APIServer
Mesh -.->|mTLS via clustermesh| AgentThe agent is the trust boundary on each node:
- Pod isolation is enforced by Linux network namespaces plus Cilium-loaded BPF programs. A compromised pod cannot bypass policy without escalating out of its netns.
- Agent privilege: the agent runs in the host network namespace with
CAP_SYS_ADMIN,CAP_NET_ADMIN,CAP_BPF, and access to bpffs. A compromised agent has full control of the node's network. The threat model assumes nodes are trusted and the agent is part of the cluster's TCB. - Operator privilege: the operator runs as a regular pod with permissions limited to managing Cilium CRDs. It does not have node privilege.
- API server access: authenticated and authorized via Kubernetes RBAC. The Helm chart ships a minimal
ClusterRolefor the agent.
Reporting vulnerabilities
SECURITY.md is the canonical reporting policy:
- Email security@cilium.io to report a vulnerability privately.
- Public disclosure happens after coordinated patches are released across supported branches.
- The Cilium security team coordinates CVE assignment.
The CLOMonitor and Core Infrastructure Initiative badges (README.rst) summarise the project's security posture.
Supply chain
- Dependencies: vendored under
vendor/so builds are reproducible. - Renovate:
renovate.json5automates dependency updates. - Image signing: every image is signed with Cosign.
- SBOM: every image since v1.13.0 contains an SPDX SBOM (
Documentation/configuration/sbom.rst). - License:
LICENSEfor userspace;bpf/LICENSE.GPL-2.0andbpf/LICENSE.BSD-2-Clausefor BPF templates. FOSSA tracks third-party license compliance.
Defense in depth
- Identity-based policy: policy is expressed against label-derived identities, decoupling policy from IP allocation.
- Default-deny on policy match: once any policy applies to an endpoint, that endpoint becomes default-deny in the matching direction (matches Kubernetes NetworkPolicy semantics).
- Mutual auth: features/service-mesh.md details the auth handshake using SPIFFE-derived identities.
- Encryption: WireGuard or IPSec for node-to-node (features/encryption.md).
- Audit mode: policies can be tested without enforcement (
AuditMode: trueon a CNP) so operators can validate before going live. - Hubble drop visibility: every drop carries a structured reason and pod metadata for incident response.
- Host firewall: Cilium can enforce policy on the host network namespace too (
hostFirewall.enabled), preventing arbitrary processes on the node from sidestepping pod policy. - CIS benchmarks:
Documentation/security/covers compliance considerations.
Operational hardening
- Run multiple operator replicas with leader election; none of them are in the data path.
- Restrict who can write Cilium CRDs via RBAC; CNP/CCNP write access is effectively firewall management.
- Enable the agent's TLS for the Hubble Relay endpoint and the Cluster Mesh apiserver — both default to mTLS.
- Watch the
cilium_agent_health_statusmetric and thecilium-healthprobe results; degradation is often the earliest sign of a misconfiguration.
Auth and Cluster Mesh
- Cluster Mesh uses mTLS between agents and remote cluster etcds. Certificates are generated by
cilium clustermesh enableand rotated by recreating the Secret. - Mutual auth between workloads uses identity-derived SPIFFE IDs. Operators integrate with external CAs through
auth.identityIssuer. - The
clustermesh-apiserverexposes etcd via a LoadBalancer or NodePort service; restrict access via firewall rules in addition to mTLS.
Common misconfigurations
- Forgetting to enable
kubeProxyReplacement: truewhile still relying on Cilium for service load balancing — only some service traffic bypasses kube-proxy. - Mixing tunnel and native routing without configuring the underlay correctly — native routing requires routable pod CIDRs.
- Disabling
policyEnforcementMode: defaultwithout understanding that it changes the default-deny semantics. - Forgetting the host firewall: if
hostFirewall.enabled: false(default), node-network processes are not gated by Cilium policy.
References
SECURITY.mdSECURITY-INSIGHTS.ymlDocumentation/security/- features/identity-and-security.md
- features/encryption.md
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.