diff --git a/cilium-linux-amd64.tar.gz b/cilium-linux-amd64.tar.gz
new file mode 100644
index 00000000..e7feb9cc
Binary files /dev/null and b/cilium-linux-amd64.tar.gz differ
diff --git a/cilium-linux-amd64.tar.gz.sha256sum b/cilium-linux-amd64.tar.gz.sha256sum
new file mode 100644
index 00000000..1b9f820f
--- /dev/null
+++ b/cilium-linux-amd64.tar.gz.sha256sum
@@ -0,0 +1 @@
+67e59489b7ad17dea8eb8cc930435105dff3a4575643ad62567fb2c5ae80d246 cilium-linux-amd64.tar.gz
diff --git a/generate-cilium-prompt.txt b/generate-cilium-prompt.txt
new file mode 100644
index 00000000..8c56456d
--- /dev/null
+++ b/generate-cilium-prompt.txt
@@ -0,0 +1,19 @@
+Implement a complete production-ready eBPF network monitoring stack using Cilium and Hubble.
+
+Create:
+
+- infrastructure/k8s/cilium/install.yaml
+- infrastructure/k8s/cilium/network-policies.yaml
+- infrastructure/monitoring/hubble-config.yaml
+
+Requirements:
+- Deploy Cilium as the eBPF CNI.
+- Enable Hubble, Hubble Relay, and Hubble UI.
+- Enable Prometheus metrics.
+- Configure RBAC, Services, ConfigMaps, Deployments, DaemonSets, and ServiceAccounts.
+- Create production-ready CiliumNetworkPolicies including default deny, DNS, kube-apiserver, monitoring, ingress controller, frontend→backend, backend→database, and intra-namespace communication.
+- Configure service map generation.
+- Configure anomaly detection metrics (packet drops, policy denials, DNS failures, TCP retransmissions, HTTP errors).
+- Configure Prometheus scraping and alert rules.
+- Use Kubernetes stable APIs compatible with Kubernetes v1.30+.
+- Generate complete, production-ready YAML with comments and no placeholders.
diff --git a/infrastructure/k8s/cilium/hubble-config.yaml b/infrastructure/k8s/cilium/hubble-config.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/infrastructure/k8s/cilium/install.yaml b/infrastructure/k8s/cilium/install.yaml
new file mode 100644
index 00000000..f2afb34d
--- /dev/null
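Review bot: The checksum file is committed in the same change as the tarball it describes, so it cannot detect substitution of that tarball — both values come from the same author and the same commit, and nothing in the diff records which Cilium CLI release the archive was taken from or that the hash was compared against the checksum published with that release. A reader who wants to trust the binary has no way to do so from the repository alone. Consider not committing the release archive at all and instead fetching it in CI from the upstream release with the published checksum verified there, or at minimum add a one-line README note naming the release and the source of the checksum so the artifact's provenance is reviewable.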
+++ b/infrastructure/k8s/cilium/install.yaml 
@@ -0,0 +1,250 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kube-system + labels: + app.kubernetes.io/name: cilium + app.kubernetes.io/component: networking +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: kube-system + labels: + app.kubernetes.io/name: cilium +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-operator + namespace: kube-system + labels: + app.kubernetes.io/name: cilium-operator +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hubble-relay + namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hubble-ui + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium +rules: +- apiGroups: [""] + resources: + - pods + - nodes + - namespaces + - services + - endpoints + - configmaps + - secrets + verbs: + - get + - list + - watch +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: ["cilium.io"] + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + - ciliumendpoints + - ciliumidentities + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cilium-config + namespace: kube-system +data: + kube-proxy-replacement: "strict" + enable-ipv4: "true" + enable-ipv6: "false" + + enable-bpf-masquerade: "true" + bpf-lb-acceleration: native + + routing-mode: native + tunnel: disabled + + enable-hubble: "true" + + hubble-metrics: > + dns, + drop, + tcp, + flow, + port-distribution, + icmp, + http, + policy, + policy-verdict + + hubble-listen-address: ":4244" + + enable-hubble-open-metrics: "true" + + hubble-disable-tls: "false" + + 
monitor-aggregation: medium + + enable-l7-proxy: "true" + + enable-endpoint-health-checking: "true" + + enable-health-check-nodeport: "true" + + enable-policy: "default" + + policy-audit-mode: "false" + + debug: "false" + + auto-direct-node-routes: "true" + + enable-bandwidth-manager: "true" + + enable-local-redirect-policy: "true" + + enable-service-topology: "true" + + enable-ipsec: "false" + + enable-wireguard: "false" + + prometheus-serve-addr: ":9962" + + operator-prometheus-serve-addr: ":9963" +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: cilium + namespace: kube-system + labels: + app.kubernetes.io/name: cilium +spec: + selector: + matchLabels: + k8s-app: cilium + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + k8s-app: cilium + spec: + serviceAccountName: cilium + + hostNetwork: true + + priorityClassName: system-node-critical + + tolerations: + - operator: Exists + + containers: + - name: cilium-agent + image: quay.io/cilium/cilium:v1.19.5 + imagePullPolicy: IfNotPresent + + securityContext: + privileged: true + + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + + command: + - cilium-agent + + args: + - --config-dir=/tmp/cilium/config-map + + ports: + - containerPort: 9962 + name: prometheus + + - containerPort: 4244 + name: hubble + + volumeMounts: + - name: cilium-config + mountPath: /tmp/cilium/config-map + + - name: bpf + mountPath: /sys/fs/bpf + + - name: cgroup + mountPath: /run/cilium/cgroupv2 + + - name: lib-modules + mountPath: /lib/modules + readOnly: true + + livenessProbe: + httpGet: + path: /healthz + port: 9879 + + readinessProbe: + httpGet: + path: /healthz + port: 9879 + + volumes: + - name: cilium-config + configMap: + name: cilium-config + + - name: bpf + hostPath: + path: /sys/fs/bpf + + - name: cgroup + hostPath: + path: 
/run/cilium/cgroupv2 + + - name: lib-modules + hostPath: + path: /lib/modules \ No newline at end of file diff --git a/infrastructure/k8s/cilium/network-policies.yml b/infrastructure/k8s/cilium/network-policies.yml new file mode 100644 index 00000000..e69de29b
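Review bot: The cilium ClusterRole grants cluster-wide get/list/watch on `secrets` to a privileged, hostNetwork DaemonSet and `verbs: ["*"]` on every listed cilium.io resource; if Hubble TLS or encryption keys are the only reason the agent needs Secrets, a namespaced Role in the namespace that holds those secrets keeps a compromised node agent from reading every Secret in the cluster, and the wildcard should be spelled out as the verbs actually used. The same ConfigMap sets `hubble-disable-tls: "false"` while the DaemonSet mounts no Hubble server certificate, so the `:4244` listener bound on the node network presumably cannot come up with TLS as written — mount the certificate secret or have the operator generate one. `hubble-metrics` is a folded scalar with commas and a trailing newline, and as far as I know Cilium reads that option as a space-separated list, so `hubble-metrics: "dns drop tcp flow port-distribution icmp http policy policy-verdict"` is the safer form; likewise `tunnel: disabled` duplicates `routing-mode: native` and, if memory serves, both that key and the `strict` value of `kube-proxy-replacement` were deprecated around Cilium 1.14, so check them against the config reference for the pinned image, and native routing normally also wants `ipv4-native-routing-cidr` set. Beyond that, the agent has no `/etc/cni/net.d` or `/opt/cni/bin` host mounts, cilium-operator, hubble-relay and hubble-ui get ServiceAccounts but no workloads or bindings, and hubble-config.yaml and network-policies.yml are added as empty files, so this does not yet look like a deployable CNI install.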