website/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md

---
reviewers:
- danwent
- aanm
title: Use Cilium for NetworkPolicy
content_type: task
weight: 20
---

<!-- overview -->
This page shows how to use Cilium for NetworkPolicy.

For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/intro).


## {{% heading "prerequisites" %}}


{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}


<!-- steps -->
## Deploying Cilium on Minikube for Basic Testing

To get familiar with Cilium easily you can follow the
[Cilium Kubernetes Getting Started Guide](https://docs.cilium.io/en/stable/gettingstarted/minikube/)
to perform a basic DaemonSet installation of Cilium in minikube.

To start minikube, minimal version required is >= v1.3.1, run the with the
following arguments:

```shell
minikube version
```
```
minikube version: v1.3.1
```

```shell
minikube start --network-plugin=cni --memory=4096
```

Mount the BPF filesystem:

```shell
minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf
```

For minikube you can deploy this simple ''all-in-one'' YAML file that includes
DaemonSet configurations for Cilium as well as appropriate RBAC settings:

```shell
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.8/install/kubernetes/quick-install.yaml
```
```
configmap/cilium-config created
serviceaccount/cilium created
serviceaccount/cilium-operator created
clusterrole.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium-operator created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium-operator created
daemonset.apps/cilium create
deployment.apps/cilium-operator created
```

The remainder of the Getting Started Guide explains how to enforce both L3/L4
(i.e., IP address + port) security policies, as well as L7 (e.g., HTTP) security
policies using an example application.

## Deploying Cilium for Production Use

For detailed instructions around deploying Cilium for production, see:
[Cilium Kubernetes Installation Guide](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/)
This documentation includes detailed requirements, instructions and example
production DaemonSet files.


<!-- discussion -->
##  Understanding Cilium components

Deploying a cluster with Cilium adds Pods to the `kube-system` namespace. To see
this list of Pods run:

```shell
kubectl get pods --namespace=kube-system
```

You'll see a list of Pods similar to this:

```console
NAME            READY   STATUS    RESTARTS   AGE
cilium-6rxbd    1/1     Running   0          1m
...
```

A `cilium` Pod runs on each node in your cluster and enforces network policy
on the traffic to/from Pods on that node using Linux BPF.


## {{% heading "whatsnext" %}}

Once your cluster is running, you can follow the
[Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/)
to try out Kubernetes NetworkPolicy with Cilium.
Have fun, and if you have questions, contact us using the
[Cilium Slack Channel](https://cilium.herokuapp.com/).
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`---`
In front matter, change approvers to reviewers. (#7433) 2018-02-18 19:29:37 +00:00			`reviewers:`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`- danwent`
admin-cluster/network-policy-provider: update Cilium documentation (#11214) Signed-off-by: André Martins <aanm90@gmail.com> 2018-11-24 16:17:45 +00:00			`- aanm`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`title: Use Cilium for NetworkPolicy`
add en pages 2020-05-30 19:10:23 +00:00			`content_type: task`
Add weights, move files: Tasks>AdminClust>NetPol. (#8634) * Add weights, move files: Tasks>AdminClust>NetPol. * Update _index.md 2018-05-20 03:54:51 +00:00			`weight: 20`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`---`

add en pages 2020-05-30 19:10:23 +00:00			`<!-- overview -->`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`This page shows how to use Cilium for NetworkPolicy.`

Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/intro).`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00
add en pages 2020-05-30 19:10:23 +00:00
			`## {{% heading "prerequisites" %}}`

Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00			`{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00

add en pages 2020-05-30 19:10:23 +00:00
			`<!-- steps -->`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`## Deploying Cilium on Minikube for Basic Testing`

			`To get familiar with Cilium easily you can follow the`
Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`[Cilium Kubernetes Getting Started Guide](https://docs.cilium.io/en/stable/gettingstarted/minikube/)`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`to perform a basic DaemonSet installation of Cilium in minikube.`

Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`To start minikube, minimal version required is >= v1.3.1, run the with the`
network-policy-provider: updating cilium documentation for v1.4.0 (#12627) Signed-off-by: André Martins <aanm90@gmail.com> 2019-02-15 05:50:21 +00:00			`following arguments:`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00
			```shell
Code snippents shouldn't include the command prompt (#12779) 2019-03-07 09:31:05 +00:00			`minikube version`
			```
			```
Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`minikube version: v1.3.1`
Code snippents shouldn't include the command prompt (#12779) 2019-03-07 09:31:05 +00:00			```

			```shell
			`minikube start --network-plugin=cni --memory=4096`
admin-cluster/network-policy-provider: update Cilium documentation (#11214) Signed-off-by: André Martins <aanm90@gmail.com> 2018-11-24 16:17:45 +00:00			```

Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`Mount the BPF filesystem:`

			```shell
			`minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf`
			```

network-policy-provider: updating cilium documentation for v1.4.0 (#12627) Signed-off-by: André Martins <aanm90@gmail.com> 2019-02-15 05:50:21 +00:00			`For minikube you can deploy this simple ''all-in-one'' YAML file that includes`
Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`DaemonSet configurations for Cilium as well as appropriate RBAC settings:`
admin-cluster/network-policy-provider: update Cilium documentation (#11214) Signed-off-by: André Martins <aanm90@gmail.com> 2018-11-24 16:17:45 +00:00
			```shell
update kubeadm Cilium related docs Signed-off-by: André Martins <aanm90@gmail.com> 2020-06-16 14:16:39 +00:00			`kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.8/install/kubernetes/quick-install.yaml`
Code snippents shouldn't include the command prompt (#12779) 2019-03-07 09:31:05 +00:00			```
			```
admin-cluster/network-policy-provider: update Cilium documentation (#11214) Signed-off-by: André Martins <aanm90@gmail.com> 2018-11-24 16:17:45 +00:00			`configmap/cilium-config created`
			`serviceaccount/cilium created`
Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			`serviceaccount/cilium-operator created`
			`clusterrole.rbac.authorization.k8s.io/cilium created`
			`clusterrole.rbac.authorization.k8s.io/cilium-operator created`
			`clusterrolebinding.rbac.authorization.k8s.io/cilium created`
			`clusterrolebinding.rbac.authorization.k8s.io/cilium-operator created`
			`daemonset.apps/cilium create`
			`deployment.apps/cilium-operator created`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			```

updating cilium links Signed-off-by: André Martins <andre@cilium.io> 2017-12-03 17:25:59 +00:00			`The remainder of the Getting Started Guide explains how to enforce both L3/L4`
			`(i.e., IP address + port) security policies, as well as L7 (e.g., HTTP) security`
			`policies using an example application.`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00
			`## Deploying Cilium for Production Use`

			`For detailed instructions around deploying Cilium for production, see:`
Fix outbound link to Cilium K8s Installation Guide Updated the outbound link to Intro to Cilium K8s and Installation Guide to reflect the new link on the Cilium site. 2020-09-15 02:57:40 +00:00			`[Cilium Kubernetes Installation Guide](https://docs.cilium.io/en/stable/concepts/kubernetes/intro/)`
updating cilium links Signed-off-by: André Martins <andre@cilium.io> 2017-12-03 17:25:59 +00:00			`This documentation includes detailed requirements, instructions and example`
			`production DaemonSet files.`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00

add en pages 2020-05-30 19:10:23 +00:00
			`<!-- discussion -->`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`## Understanding Cilium components`

updating cilium links Signed-off-by: André Martins <andre@cilium.io> 2017-12-03 17:25:59 +00:00			Deploying a cluster with Cilium adds Pods to the `kube-system` namespace. To see
			`this list of Pods run:`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00
			```shell
			`kubectl get pods --namespace=kube-system`
			```

			`You'll see a list of Pods similar to this:`

			```console
admin-cluster/network-policy-provider: update Cilium documentation (#11214) Signed-off-by: André Martins <aanm90@gmail.com> 2018-11-24 16:17:45 +00:00			`NAME READY STATUS RESTARTS AGE`
			`cilium-6rxbd 1/1 Running 0 1m`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00			`...`
			```

Update Cilium related docs (#18563) * Extend Cilium CNI plugin description Mention that it works on top of other CNI plugins due to the CNI chaining [1]. [1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/ Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - Use the latest v1.6 Cilium. - By default, Cilium no longer needs/deploys ETCD store. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium NetworkPolicy guide - Update minikube min version requirement. - Use Cilium v1.6. - Remove the etcd store bits, as Cilium v1.6 no longer depend on it by default. Signed-off-by: Martynas Pumputis <m@lambda.lt> * Update Cilium installation steps for kubeadm - How to run without kube-proxy. Signed-off-by: Martynas Pumputis <m@lambda.lt> Co-authored-by: Martynas Pumputis <m@lambda.lt> 2020-01-13 12:35:36 +00:00			A `cilium` Pod runs on each node in your cluster and enforces network policy
updating cilium links Signed-off-by: André Martins <andre@cilium.io> 2017-12-03 17:25:59 +00:00			`on the traffic to/from Pods on that node using Linux BPF.`
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00

add en pages 2020-05-30 19:10:23 +00:00
			`## {{% heading "whatsnext" %}}`

updating cilium links Signed-off-by: André Martins <andre@cilium.io> 2017-12-03 17:25:59 +00:00			`Once your cluster is running, you can follow the`
			`[Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/)`
			`to try out Kubernetes NetworkPolicy with Cilium.`
			`Have fun, and if you have questions, contact us using the`
			`[Cilium Slack Channel](https://cilium.herokuapp.com/).`
add en pages 2020-05-30 19:10:23 +00:00
Convert site to Hugo (#8316) This commit converts content and layout to use Hugo. 2018-05-05 16:00:51 +00:00
Add Cilium to list of network policy plugins in docs (#4725) Signed-off-by: Dan Wendlandt <dan@covalent.io> 2017-08-21 23:47:06 +00:00