Back to Resources

eBPF-Powered Network Policies in Cilium for API-Aware Security

14 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Inadequacy of L3/L4 Policies in a Microservices World

For years, Kubernetes NetworkPolicy has been the standard for network segmentation. It operates primarily at L3 (IP addresses) and L4 (ports), allowing us to define rules like "pods with label app=frontend can connect to pods with label app=api on TCP port 8080." While this was a monumental step up from flat, open-by-default cluster networks, it's a blunt instrument in the context of modern, API-driven microservices.

Consider a typical billing-service exposing a REST API on port 9000. This service might have several endpoints:

  • POST /v1/invoices (Create a new invoice)
  • GET /v1/invoices/{id} (Retrieve an invoice)
  • DELETE /v1/invoices/{id} (Delete an invoice)
  • GET /internal/metrics (Expose Prometheus metrics)

    • A traditional NetworkPolicy can only grant access to the entire billing-service on port 9000. If the reporting-service needs to fetch invoice data, we must grant it access to this port. However, this implicitly grants it the ability to also call the POST and DELETE endpoints, violating the principle of least privilege. Furthermore, the sensitive /internal/metrics endpoint becomes accessible to any pod that can reach the service port.

    This all-or-nothing access model at the port level creates a significant attack surface. A compromised reporting-service could potentially wreak havoc by deleting invoices. The common workaround has been to implement authorization logic within the application code or to deploy a service mesh like Istio or Linkerd, which uses sidecar proxies to intercept, inspect, and enforce policies on L7 traffic. While effective, service meshes introduce significant operational complexity, resource overhead (CPU/memory per sidecar), and increased network latency due to the extra hop through the user-space proxy.

    This is where Cilium's eBPF-powered approach provides a compelling, high-performance alternative. By attaching eBPF (extended Berkeley Packet Filter) programs directly to kernel hooks (e.g., socket operations, traffic control ingress/egress), Cilium can parse application-layer protocols like HTTP, gRPC, and Kafka inside the kernel. This allows for incredibly granular, API-aware policy enforcement without the need for user-space proxies, dramatically reducing overhead and latency.

    Core Mechanism: L7 Policy Enforcement via Kernel-Level Parsing

    Before diving into policy examples, it's crucial to understand how Cilium achieves this. When a CiliumNetworkPolicy with L7 rules is applied, the Cilium agent compiles and loads specific eBPF programs into the kernel on each node where a relevant pod is running.

  • Traffic Interception: The eBPF programs are attached to the socket or tc (Traffic Control) layer. When a pod sends or receives a packet, these programs are executed.
  • Protocol Parsing: Unlike traditional packet filters that only look at IP/TCP headers, Cilium's eBPF programs contain logic to parse L7 protocols. They can reassemble TCP segments into a stream and identify, for example, an HTTP request line (GET /v1/users/123 HTTP/1.1), headers (X-Request-ID: ...), or a gRPC method call.
  • Policy Decision: The eBPF program compares the parsed L7 data against the rules defined in the CiliumNetworkPolicy. This decision (ALLOW/DENY) is made directly in the kernel's context.
  • Enforcement: If the request is denied, the eBPF program can simply drop the packets, preventing them from ever reaching the application's socket buffer. The client receives a connection reset. If allowed, the packets continue up the network stack as normal.

    • This kernel-level enforcement is the key to Cilium's performance. There is no context switching between kernel and user space for policy decisions, and no extra network hop through a sidecar proxy. The entire operation happens within the kernel's data path.

    Deep Dive: Crafting Advanced API-Aware Policies

    Let's move from theory to practice. We will explore several production-grade scenarios using the CiliumNetworkPolicy Custom Resource Definition (CRD), which extends the standard Kubernetes NetworkPolicy.

    Scenario 1: Path and Method-Based Access Control for a REST API

    Problem: We have a user-service and an auth-service. The auth-service needs to create new users, but nothing else. The user-service exposes the following endpoints:

  • POST /v1/users (Create user)
  • GET /v1/users/{id} (Get user)
  • PUT /v1/users/{id} (Update user)

    • Solution: We will create a CiliumNetworkPolicy that selects the user-service pods and only allows ingress traffic from auth-service pods specifically for the POST /v1/users endpoint.

    yaml
    apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: user-service-api-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: user-service
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: auth-service
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/users"

    Dissection of the Policy:

  • endpointSelector: This policy applies to all pods in the production namespace with the label app: user-service.
  • ingress: We are defining rules for incoming traffic.
  • fromEndpoints: This rule block applies only to traffic originating from pods with the label app: auth-service.
  • toPorts: The policy applies to traffic destined for port 8080.
  • rules.http: This is the L7 magic. We specify a list of HTTP rules. In this case, we have a single rule.

    • - method: "POST": The HTTP method must be POST.

    - path: "/v1/users": The request path must be exactly /v1/users.

    With this policy in place, the auth-service can successfully execute POST /v1/users. However, if it attempts to execute GET /v1/users/some-id or any other request, the eBPF program in the kernel on the user-service's node will inspect the HTTP request, find no matching rule, and drop the packets. The auth-service will receive a connection error. This enforcement happens before the user-service application code is even aware a request was made.

    Scenario 2: Header-Based Policy for Differentiated Access

    Problem: A metrics-aggregator service needs to scrape a custom metrics endpoint (/private/metrics) on multiple services. To ensure these sensitive endpoints are only accessed by the legitimate scraper, we require the scraper to send a specific HTTP header: X-Internal-Scraper: true.

    Solution: We can craft a policy that enforces the presence and value of this header.

    yaml
    apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: secure-private-metrics-endpoints
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      # Apply to any service that exposes these metrics
      metrics.internal/scrape: "true"
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: metrics-aggregator
    toPorts:
    - ports:
      - port: "9090"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/private/metrics"
          headers:
          - "X-Internal-Scraper: true"

    Dissection of the Policy:

  • endpointSelector: We use a custom label metrics.internal/scrape: "true" to apply this policy to any pod that should have its metrics endpoint secured.
  • fromEndpoints: Only the metrics-aggregator is allowed.
  • rules.http.headers: This is the key addition. It's a list of strings, where each string represents a required header. The format is Header-Name: Value. Cilium's eBPF parser will now inspect the HTTP headers of incoming requests on port 9090.

    • A request from metrics-aggregator like GET /private/metrics with the header X-Internal-Scraper: true will be allowed. A request without the header, or with a different value, will be dropped at the kernel level.

    This pattern is incredibly powerful for implementing machine-to-machine authentication/authorization without modifying application code.

    Scenario 3: Securing gRPC Traffic Based on Service and Method

    Problem: Securing gRPC is notoriously difficult with L3/L4 policies because all gRPC methods for a given service are typically multiplexed over a single HTTP/2 connection on a single port. We have an order-service and a shipping-service. The shipping-service should only be allowed to call the UpdateOrderStatus method on the order-service, not CreateOrder or CancelOrder.

    Solution: Cilium can parse gRPC, which is layered on top of HTTP/2. The gRPC service and method are encoded in the HTTP/2 :path pseudo-header (e.g., /proto.OrderService/UpdateOrderStatus). We can write a policy to match this path.

    yaml
    apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: grpc-order-service-policy
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: order-service
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: shipping-service
    toPorts:
    - ports:
      - port: "50051"
        protocol: TCP
      rules:
        http:
        # gRPC methods are POST requests over HTTP/2
        - method: "POST"
          path: "/proto.OrderService/UpdateOrderStatus"

    Dissection of the Policy:

    • The policy structure is identical to the REST API example.
  • The critical piece is the path value. We are matching the fully qualified gRPC method name, which is transported as the HTTP/2 path.
  • This policy now precisely allows the shipping-service to call only one specific RPC method on the order-service. Any attempt to call CreateOrder will result in a request with the path /proto.OrderService/CreateOrder, which will not match the policy and will be dropped. This provides function-level authorization enforced at the kernel level.

    • Production Patterns and Performance Considerations

    Implementing these policies in production requires more than just writing YAML. Here are some advanced considerations.

    Policy Granularity vs. Performance Overhead

    While eBPF is highly performant, it is not free. Every L7 rule you add increases the complexity of the eBPF program that must be executed for each packet of a matching flow.

  • Rule Complexity: A simple path match like /v1/users is extremely fast. A rule with a complex regex in the path (which Cilium supports) will consume more CPU cycles per packet in the kernel.
  • Number of Rules: A policy with hundreds of HTTP rules will result in a larger, more complex eBPF program that takes longer to execute.

    • Benchmarking and Monitoring:

    It's crucial to monitor the impact. Cilium exposes Prometheus metrics that can reveal this overhead. Key metrics to watch include:

  • cilium_policy_evaluation_duration_seconds: Histogram of the time taken to evaluate policy for a packet.
  • cilium_drop_bytes_total and cilium_forward_bytes_total: Monitor these with labels for policy decisions to see how much traffic is being dropped or forwarded by specific policies.

    • In a performance-critical environment, you might run benchmarks (e.g., using wrk or ghz) with and without L7 policies applied to quantify the latency impact. Typically, the latency addition is in the microseconds range, far less than a user-space proxy, but it's non-zero and can be exacerbated by overly complex rules.

    Pattern: Start with coarser L7 policies (e.g., path prefixes like /api/v1/.*) and only add highly granular rules for the most critical, sensitive endpoints. Avoid using complex regex in hot data paths if possible.

    Policy-as-Code with GitOps

    These complex CiliumNetworkPolicy manifests should be treated as code. They should be stored in Git and deployed via a GitOps controller like Argo CD or Flux. This provides:

  • Auditability: A full Git history of who changed which policy and when.
  • Automated Rollout: Changes are automatically applied to the cluster when a PR is merged.
  • Consistency: The Git repository is the single source of truth for the cluster's security posture.

    • Example Argo CD Application:

    yaml
    apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cilium-policies
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'https://github.com/my-org/k8s-security-policies.git'
    path: 'policies/production'
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: production # Note: Cilium policies can be namespaced or cluster-wide
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

    This setup ensures that the security policies for the production namespace are continuously synchronized with the state defined in your Git repository.

    Observability with Hubble

    Debugging network policies, especially L7 policies, can be challenging. A request might fail, and it's not immediately obvious if the cause is the application, a standard network issue, or a network policy drop.

    Cilium's observability component, Hubble, is indispensable here. It leverages the same eBPF data source to provide deep visibility into network flows and policy decisions.

    To debug a failing request from auth-service to user-service, you can use the Hubble CLI:

    bash
    # See all traffic from auth-service, including policy verdicts
hubble observe --from-pod production/auth-service-67f7d7d9d-abcde -f

# Example output for a denied request
# Feb 10 15:30:01.123 [eth0] K8S production/auth-service-67f7d7d9d-abcde -> production/user-service-5c6b8b8f8f-xyzde (world) Policy denied
# L4: TCP 34567 -> 8080
# L7: HTTP/1.1 GET /v1/users/42

    The output explicitly states Policy denied and shows the exact L7 request that was blocked. This reduces debugging time from hours to seconds. The Hubble UI provides a graphical representation of these flows and policy decisions, which is excellent for visualizing the security posture of your application.

    Handling Advanced Edge Cases

    Edge Case 1: L7 Policies with mTLS Encrypted Traffic

    A common question is: How can Cilium enforce L7 policies if traffic is encrypted with mTLS? This is where the eBPF approach differs fundamentally from a sidecar proxy.

  • Sidecar Approach (e.g., Istio): The sidecar terminates the client's TLS connection, inspects the decrypted traffic, applies the policy, and then (optionally) re-encrypts it with a new TLS connection to the application container. This works but introduces latency and complexity.
  • Cilium's eBPF Approach: Cilium's eBPF programs operate at the socket layer, before the data is passed to the user-space TLS library for encryption (on the sending pod) and after it has been decrypted by the TLS library (on the receiving pod). The data is in plaintext when it crosses the socket read/write system call boundary, and this is where eBPF hooks in.

    • This means Cilium can enforce L7 policies on mTLS traffic transparently without terminating the TLS connection itself. The mTLS session is established end-to-end between the application containers, preserving its security integrity, while Cilium enforces policy on the plaintext data as it enters or leaves the socket buffer. This is a significant performance and security advantage.

    Edge Case 2: Policy Application on Existing Connections

    What happens if you apply a new, more restrictive policy while a long-lived TCP connection (e.g., a database connection or a WebSocket) is already established?

    Cilium's behavior here is well-defined. Policies are applied to new connections. By default, existing connections are not immediately terminated when a new policy would have blocked their establishment. This prevents disruptive session terminations. However, any new L7 requests sent over that existing connection will be evaluated against the new policy. For example, if an existing HTTP keep-alive connection is in place, and you apply a policy that denies a new path, the next GET request for that path over the existing connection will be dropped.

    For scenarios requiring immediate termination, you would need to orchestrate this at a higher level, for instance by gracefully restarting the pods to force new connections that will be subject to the new policy.

    Edge Case 3: DNS-based Egress Policies (`toFQDNs`)

    For egress traffic, you often want to allow connections to external services based on their DNS name, not their ever-changing IP addresses (e.g., api.stripe.com). Cilium handles this with toFQDNs rules.

    yaml
    apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: egress-to-stripe
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      app: payment-processor
  egress:
  - toFQDNs:
    - matchName: "api.stripe.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP

    How it works:

    • The Cilium agent intercepts DNS requests from the pod.
  • When it sees a request for api.stripe.com, it caches the resulting IP addresses (e.g., 54.186.12.34).
  • It then dynamically updates the eBPF IP maps in the kernel, effectively programming the kernel to allow egress traffic from the payment-processor pod to the IP 54.186.12.34.
    • It manages the TTL of the DNS entry, automatically updating the allowed IPs when they change.

    This provides a robust way to control egress traffic without hardcoding IP addresses, a common requirement in secure environments.

    Conclusion

    By moving L7 traffic parsing and policy enforcement from user-space proxies into the Linux kernel with eBPF, Cilium offers a paradigm shift in how we secure cloud-native applications. It allows senior engineers to define and enforce true zero-trust, API-aware security policies with minimal performance overhead and operational complexity compared to traditional service mesh architectures. While standard Kubernetes NetworkPolicy provides a baseline, CiliumNetworkPolicy delivers the granularity required by modern microservices. Mastering these advanced policy patterns, understanding the performance trade-offs, and integrating them into a robust GitOps and observability workflow is a critical skill for building secure, scalable, and efficient systems on Kubernetes.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles