Learn what Cilium host firewall is, how to set it up and some best practices around working with host policies...

Cilium is an innovative open-source project that redefines networking and security for containerized applications. By leveraging the power of eBPF (extended Berkeley Packet Filter), Cilium provides efficient networking and transparent security capabilities for modern cloud-native environments. Readers exploring Cilium can gain insights into advanced networking concepts, such as service mesh architectures, network policy enforcement, and distributed application security.

cilium

Cilium's host firewall extends Kubernetes network policies to secure the underlying nodes themselves using eBPF technology. It addresses the security gap where traditional Kubernetes network policies don't apply to host-level traffic like SSH, kubelet, or monitoring agents. The solution treats nodes as special endpoints with the 'reserved:host' label, allowing administrators to apply familiar declarative policies to control traffic to and from the nodes. Key features include audit mode for safe policy testing, integration with Hubble for traffic observation, and the ability to scope policies to specific nodes using nodeSelector. The implementation requires enabling the host firewall feature during Cilium installation and supports both L3/L4 rules while maintaining visibility through policy verdict logs.

Securing the Node: A Primer on Cilium’s Host Firewall