CoursesRuntime & eBPF securityEnforcement: Tetragon & Cilium

Cilium network policy & Hubble

Identity-based L3–L7, default-deny, encryption.

Advanced35 min · lesson 11 of 15

Runtime security is not only about processes — it is about what a compromised workload can reach. Cilium, the eBPF-based CNI, provides identity-aware network policy and observability that constrain lateral movement and reveal east-west traffic.

Identity-based, L3–L7 network policy

Cilium enforces network policy on workload identity derived from labels rather than fragile pod IPs, so a policy follows the workload as pods churn and reschedule. It spans L3/L4 (which identities may talk on which ports) up to L7 (which HTTP methods and paths, which Kafka topics, which DNS names), letting you express "the frontend may call the API’s /checkout via POST, and nothing else". A default-deny policy blocks all pod-to-pod traffic until explicitly allowed — zero-trust east-west that sharply limits how far a compromised pod can move.

default-deny plus a scoped L7 allow
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata: { name: api-ingress }
spec:
endpointSelector: { matchLabels: { app: api } }
ingress:
- fromEndpoints: [{ matchLabels: { app: frontend } }]
toPorts:
- ports: [{ port: "8080", protocol: TCP }]
rules:
http:
- method: "POST"
path: "/checkout" # frontend may ONLY POST /checkout to api
# With a cluster default-deny in place, every other flow is blocked.

Visibility and encryption

Cilium’s Hubble gives flow-level observability — a live service map of who talks to what, with L7 detail — without instrumenting applications, which is invaluable both for writing tight policies and for investigating an incident. Cilium can also transparently encrypt pod-to-pod traffic with WireGuard or IPsec, so east-west confidentiality does not depend on every app implementing TLS. Together with Tetragon for process enforcement, Cilium gives you runtime control across both the network and process dimensions from a single eBPF foundation.

Cilium runtime network control
constrain
default-deny + identity policy
limit lateral movement
L7 rules
methods, paths, DNS, Kafka
see + protect
Hubble
flow map without app changes
transparent encryption
WireGuard/IPsec east-west
Identity-based policy contains a compromised pod; Hubble reveals what it tried to reach. Pair with Tetragon for full runtime coverage.
Without default-deny, a foothold roams freely
A cluster with no network policy lets any compromised pod reach every service — the classic path from one vulnerable app to the whole cluster. Establish a default-deny baseline and open only declared flows, so a foothold is boxed in rather than a launchpad for lateral movement.