# k8s-cilium: Cilium & Hubble Network Observability

Manage eBPF-based networking using kubectl-mcp-server's Cilium tools (8 tools).
## When to Apply

Use this skill when:

- User mentions: "Cilium", "Hubble", "eBPF", "network policy", "flow"
- Operations: network policy management, traffic observation, L7 filtering
- Keywords: "network security", "traffic flow", "dropped packets", "connectivity"
## Priority Rules

| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect Cilium installation first | CRITICAL | `cilium_detect_tool` |
| 2 | Check agent status for health | HIGH | `cilium_status_tool` |
| 3 | Use Hubble for flow debugging | HIGH | `hubble_flows_query_tool` |
| 4 | Start with default deny | MEDIUM | `CiliumNetworkPolicy` |
## Quick Reference

| Task | Tool | Example |
|---|---|---|
| Detect Cilium | `cilium_detect_tool` | `cilium_detect_tool()` |
| Agent status | `cilium_status_tool` | `cilium_status_tool()` |
| List policies | `cilium_policies_list_tool` | `cilium_policies_list_tool(namespace="default")` |
| Query flows | `hubble_flows_query_tool` | `hubble_flows_query_tool(namespace="default", verdict="DROPPED")` |
## Check Installation

```python
cilium_detect_tool()
```

## Cilium Status

```python
cilium_status_tool()
```

## Network Policies
### List Policies

```python
cilium_policies_list_tool(namespace="default")
```

### Get Policy Details

```python
cilium_policy_get_tool(name="allow-web", namespace="default")
```

### Create Cilium Network Policy
```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  endpointSelector:          # the policy applies to pods labelled app=web
    matchLabels:
      app: web
  ingress:                   # only app=frontend may reach web, and only on TCP/80
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
  egress:                    # web may only talk to app=database on TCP/5432
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
""")
```

Because the policy has an `egress` section, `app=web` endpoints enter egress default deny: anything not listed, including DNS lookups to kube-dns, is dropped, so add an egress rule for DNS if the pod resolves names.

## Endpoints
```python
cilium_endpoints_list_tool(namespace="default")
```

## Identities

```python
cilium_identities_list_tool()
```

## Nodes

```python
cilium_nodes_list_tool()
```

## Hubble Flow Observability
```python
# Recent flows involving one pod
hubble_flows_query_tool(
    namespace="default",
    pod="my-pod",
    last="5m"
)

# Only flows Cilium dropped (policy denials show up here)
hubble_flows_query_tool(
    namespace="default",
    verdict="DROPPED"
)

# L7 flows (HTTP, DNS, Kafka); present only for traffic that goes
# through the L7 proxy, i.e. traffic covered by an L7 policy rule
hubble_flows_query_tool(
    namespace="default",
    type="l7"
)
```

## Create L7 Policy
```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:                 # L7: traffic on 8080 is redirected through the proxy
        http:                # and only these requests are allowed (path is a regex)
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/users"
""")
```

## Cluster Mesh
```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy   # not namespaced: applies cluster-wide
metadata:
  name: allow-cross-cluster
spec:
  endpointSelector:
    matchLabels:
      app: shared-service
  ingress:
  - fromEntities:            # entities instead of pod labels
    - cluster                # endpoints in the local cluster, including its nodes
    - remote-node            # nodes of other clusters in the mesh
""")
```

## Troubleshooting Workflows
### Pod Can't Reach Service

```python
cilium_status_tool()                                   # 1. agent and datapath healthy?
cilium_endpoints_list_tool(namespace=namespace)        # 2. does the pod have an endpoint, and is policy enforced on it?
cilium_policies_list_tool(namespace=namespace)         # 3. which policies select it?
hubble_flows_query_tool(namespace=namespace, pod=pod,  # 4. see the drops and their reason
                        verdict="DROPPED")
```
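Step 4 above returns the dropped flows; the added example below (not part of the skill's own code) summarises them so repeated policy denials between one source and destination collapse into a single line with the drop reason. It assumes `hubble_flows_query_tool` returns Hubble flow records in the `hubble observe -o json` shape (the flow under a `"flow"` key) and uses constructed sample records.

```python
from collections import Counter


def _drop(src, dst, port, direction, reason="POLICY_DENIED"):
    """Build one constructed Hubble flow record (shape of `hubble observe -o json`)."""
    return {"flow": {"verdict": "DROPPED", "drop_reason_desc": reason,
                     "traffic_direction": direction,
                     "source": {"namespace": "default", "pod_name": src},
                     "destination": {"namespace": "default", "pod_name": dst},
                     "l4": {"TCP": {"destination_port": port}}}}


# Constructed sample; assumed to be the shape hubble_flows_query_tool returns.
SAMPLE_DROPPED_FLOWS = [
    _drop("frontend-7c9d", "web-5f6a", 80, "INGRESS"),
    _drop("frontend-7c9d", "web-5f6a", 80, "INGRESS"),
    _drop("web-5f6a", "database-0", 5432, "EGRESS"),
]


def _endpoint(ep):
    """ns/pod for a Hubble endpoint; fall back to its labels (e.g. world traffic)."""
    if ep.get("pod_name"):
        return f"{ep.get('namespace', '')}/{ep['pod_name']}"
    return ",".join(ep.get("labels", [])) or "unknown"


def _port(l4):
    """proto/destination_port from the L4 section, '-' for non-L4 flows."""
    for proto in ("TCP", "UDP", "SCTP"):
        if proto in l4:
            return f"{proto}/{l4[proto].get('destination_port', '?')}"
    return "-"


def summarize_drops(records):
    """Count DROPPED flows by (src, dst, port, direction, reason), most frequent
    first, so repeated denials between one pod pair collapse into one line."""
    counts = Counter()
    for rec in records:
        flow = rec.get("flow", rec)          # accept wrapped or bare flow objects
        if flow.get("verdict") != "DROPPED":
            continue
        counts[(_endpoint(flow.get("source", {})),
                _endpoint(flow.get("destination", {})),
                _port(flow.get("l4", {})),
                flow.get("traffic_direction", "?"),
                flow.get("drop_reason_desc", "UNKNOWN"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (src, dst, port, direction, reason), n in summarize_drops(SAMPLE_DROPPED_FLOWS):
        print(f"{n:4d}  {src} -> {dst} {port} [{direction}] {reason}")
```

A `POLICY_DENIED` line whose source and destination match the pods you expect to talk points at a missing or mis-selecting allow rule; compare it against `cilium_policies_list_tool` output for that namespace.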
### Policy Not Working

```python
cilium_policy_get_tool(name=name, namespace=namespace)   # 1. is the policy present and as intended?
cilium_endpoints_list_tool(namespace=namespace)           # 2. do the endpoint labels match its selector?
hubble_flows_query_tool(namespace=namespace)              # 3. verdicts show whether it is being enforced
```

### Network Performance Issues
```python
cilium_status_tool()                                      # 1. agent health and datapath mode
cilium_nodes_list_tool()                                  # 2. are all nodes present in Cilium's node list?
hubble_flows_query_tool(namespace=namespace, type="l7")   # 3. L7 flows show slow or failing requests
```

## Best Practices
- Start with default deny: Create baseline deny-all policy
- Use labels consistently: Policies rely on label selectors
- Monitor with Hubble: Observe flows before/after policy changes
- Test in staging: Verify policies don't break connectivity
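Priority rule 4 and the first best practice both say to start from default deny, but the page shows no deny-all policy. The block below is an added example (not part of the skill's own code) that builds one per namespace, audits whether a given CiliumNetworkPolicy really is deny-all, and hands the manifest to an apply function; `apply_fn` stands in for this skill's `kubectl_apply`, and the empty-rule semantics follow the default-deny example in the Cilium policy docs.

```python
import json


def default_deny_policy(namespace, name="default-deny"):
    """CiliumNetworkPolicy selecting every endpoint in `namespace` and allowing
    no peer. Follows the Cilium docs' default-deny pattern: a rule section that
    is present but empty (`- {}`) puts selected endpoints into default deny for
    that direction without whitelisting anything (verify on your version)."""
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "endpointSelector": {},   # empty selector = all endpoints in the namespace
            "ingress": [{}],          # default deny on ingress
            "egress": [{}],           # default deny on egress (DNS included!)
        },
    }


def is_default_deny(policy):
    """Audit check: True only if the policy selects all endpoints and every
    ingress/egress rule is exactly `{}` (any key, even toPorts alone, grants access)."""
    spec = policy.get("spec", {})
    if spec.get("endpointSelector") not in ({}, {"matchLabels": {}}):
        return False
    rules = spec.get("ingress", []) + spec.get("egress", [])
    return bool(rules) and all(rule == {} for rule in rules)


def apply_default_deny(namespace, apply_fn):
    """Serialise as JSON (valid YAML, accepted by the API server) and hand it to
    an apply function such as this skill's kubectl_apply(manifest=...)."""
    manifest = json.dumps(default_deny_policy(namespace), indent=2)
    return apply_fn(manifest=manifest)
```

After applying this, every workload in the namespace needs explicit allow rules, including egress to kube-dns on UDP/53, before it works again; `hubble_flows_query_tool(namespace=..., verdict="DROPPED")` shows what is still missing.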
## Prerequisites

- Cilium: Required for all Cilium tools

```bash
cilium install
```
## Related Skills

- k8s-networking - Standard K8s networking
- k8s-security - Security policies
- k8s-service-mesh - Istio service mesh