implementation successfully

cilium-linux-amd64.tar.gz.sha256sum

@@ -0,0 +1 @@
+67e59489b7ad17dea8eb8cc930435105dff3a4575643ad62567fb2c5ae80d246  cilium-linux-amd64.tar.gz

generate-cilium-prompt.txt

@@ -0,0 +1,19 @@
+Implement a complete production-ready eBPF network monitoring stack using Cilium and Hubble.
+
+Create:
+
+- infrastructure/k8s/cilium/install.yaml
+- infrastructure/k8s/cilium/network-policies.yaml
+- infrastructure/monitoring/hubble-config.yaml
+
+Requirements:
+- Deploy Cilium as the eBPF CNI.
+- Enable Hubble, Hubble Relay, and Hubble UI.
+- Enable Prometheus metrics.
+- Configure RBAC, Services, ConfigMaps, Deployments, DaemonSets, and ServiceAccounts.
+- Create production-ready CiliumNetworkPolicies including default deny, DNS, kube-apiserver, monitoring, ingress controller, frontend→backend, backend→database, and intra-namespace communication.
+- Configure service map generation.
+- Configure anomaly detection metrics (packet drops, policy denials, DNS failures, TCP retransmissions, HTTP errors).
+- Configure Prometheus scraping and alert rules.
+- Use Kubernetes stable APIs compatible with Kubernetes v1.30+.
+- Generate complete, production-ready YAML with comments and no placeholders.

infrastructure/k8s/cilium/install.yaml

@@ -0,0 +1,250 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  labels:
+    app.kubernetes.io/name: cilium
+    app.kubernetes.io/component: networking
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: cilium
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium-operator
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: cilium-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hubble-relay
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hubble-ui
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cilium
+rules:
+- apiGroups: [""]
+  resources:
+    - pods
+    - nodes
+    - namespaces
+    - services
+    - endpoints
+    - configmaps
+    - secrets
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups: ["networking.k8s.io"]
+  resources:
+    - networkpolicies
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups: ["cilium.io"]
+  resources:
+    - ciliumnetworkpolicies
+    - ciliumclusterwidenetworkpolicies
+    - ciliumendpoints
+    - ciliumidentities
+  verbs:
+    - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cilium
+subjects:
+- kind: ServiceAccount
+  name: cilium
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cilium
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cilium-config
+  namespace: kube-system
+data:
+  kube-proxy-replacement: "strict"
+  enable-ipv4: "true"
+  enable-ipv6: "false"
+
+  enable-bpf-masquerade: "true"
+  bpf-lb-acceleration: native
+
+  routing-mode: native
+  tunnel: disabled
+
+  enable-hubble: "true"
+
+  hubble-metrics: >
+    dns,
+    drop,
+    tcp,
+    flow,
+    port-distribution,
+    icmp,
+    http,
+    policy,
+    policy-verdict
+
+  hubble-listen-address: ":4244"
+
+  enable-hubble-open-metrics: "true"
+
+  hubble-disable-tls: "false"
+
+  monitor-aggregation: medium
+
+  enable-l7-proxy: "true"
+
+  enable-endpoint-health-checking: "true"
+
+  enable-health-check-nodeport: "true"
+
+  enable-policy: "default"
+
+  policy-audit-mode: "false"
+
+  debug: "false"
+
+  auto-direct-node-routes: "true"
+
+  enable-bandwidth-manager: "true"
+
+  enable-local-redirect-policy: "true"
+
+  enable-service-topology: "true"
+
+  enable-ipsec: "false"
+
+  enable-wireguard: "false"
+
+  prometheus-serve-addr: ":9962"
+
+  operator-prometheus-serve-addr: ":9963"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cilium
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/name: cilium
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cilium
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: cilium
+    spec:
+      serviceAccountName: cilium
+
+      hostNetwork: true
+
+      priorityClassName: system-node-critical
+
+      tolerations:
+      - operator: Exists
+
+      containers:
+      - name: cilium-agent
+        image: quay.io/cilium/cilium:v1.19.5
+        imagePullPolicy: IfNotPresent
+
+        securityContext:
+          privileged: true
+
+        env:
+        - name: K8S_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+
+        - name: CILIUM_K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+
+        command:
+        - cilium-agent
+
+        args:
+        - --config-dir=/tmp/cilium/config-map
+
+        ports:
+        - containerPort: 9962
+          name: prometheus
+
+        - containerPort: 4244
+          name: hubble
+
+        volumeMounts:
+        - name: cilium-config
+          mountPath: /tmp/cilium/config-map
+
+        - name: bpf
+          mountPath: /sys/fs/bpf
+
+        - name: cgroup
+          mountPath: /run/cilium/cgroupv2
+
+        - name: lib-modules
+          mountPath: /lib/modules
+          readOnly: true
+
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9879
+
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 9879
+
+      volumes:
+      - name: cilium-config
+        configMap:
+          name: cilium-config
+
+      - name: bpf
+        hostPath:
+          path: /sys/fs/bpf
+
+      - name: cgroup
+        hostPath:
+          path: /run/cilium/cgroupv2
+
+      - name: lib-modules
+        hostPath:
+          path: /lib/modules