---
reviewers:
- danwent
title: Use Cilium for NetworkPolicy
content_template: templates/task
weight: 20
---

{{% capture overview %}}
This page shows how to use Cilium for NetworkPolicy.

For background on Cilium, read the [Introduction to Cilium](https://cilium.readthedocs.io/en/latest/intro).
{{% /capture %}}

{{% capture prerequisites %}}

{{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}

{{% /capture %}}

{{% capture steps %}}

## Deploying Cilium on Minikube for Basic Testing

To get familiar with Cilium easily you can follow the
[Cilium Kubernetes Getting Started Guide](https://docs.cilium.io/en/latest/gettingstarted/minikube/)
to perform a basic DaemonSet installation of Cilium in minikube.

Installation in a minikube setup uses a simple "all-in-one" YAML file that
includes DaemonSet configurations for Cilium, the connection to the minikube's
etcd instance, and the appropriate RBAC settings:

```shell
$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/master/examples/kubernetes/cilium.yaml
configmap "cilium-config" created
secret "cilium-etcd-secrets" created
serviceaccount "cilium" created
clusterrolebinding "cilium" created
daemonset "cilium" created
clusterrole "cilium" created
```

The remainder of the Getting Started Guide explains how to enforce both
L3/L4 (i.e., IP address + port) security policies and L7 (e.g., HTTP)
security policies using an example application.

## Deploying Cilium for Production Use

For detailed instructions around deploying Cilium for production, see:
[Cilium Kubernetes Installation Guide](https://cilium.readthedocs.io/en/latest/kubernetes/install/)
This documentation includes detailed requirements, instructions and example
production DaemonSet files.

{{% /capture %}}

{{% capture discussion %}}

## Understanding Cilium components

Deploying a cluster with Cilium adds Pods to the `kube-system` namespace.
To see this list of Pods run:

```shell
kubectl get pods --namespace=kube-system
```

These Pods are created by a DaemonSet named `cilium`, which schedules one Pod
per node (a single node in minikube). Listing the DaemonSets shows that:

```shell
kubectl get daemonsets --namespace=kube-system
```

You'll see output similar to this:

```console
NAME      DESIRED   CURRENT   READY     NODE-SELECTOR   AGE
cilium    1         1         1                         2m
...
```

There are two main components to be aware of:

- One `cilium` Pod runs on each node in your cluster and enforces network
  policy on the traffic to/from Pods on that node using Linux BPF.
- For production deployments, Cilium should leverage the key-value store
  cluster (e.g., etcd) used by Kubernetes, which typically runs on the
  Kubernetes master nodes. The
  [Cilium Kubernetes Installation Guide](https://cilium.readthedocs.io/en/latest/kubernetes/install/)
  includes an example DaemonSet which can be customized to point to this
  key-value store cluster. The simple "all-in-one" DaemonSet for minikube
  requires no such configuration because it automatically connects to the
  minikube's etcd instance.

{{% /capture %}}

{{% capture whatsnext %}}

Once your cluster is running, you can follow the
[Declare Network Policy](/docs/tasks/administer-cluster/declare-network-policy/)
task to try out Kubernetes NetworkPolicy with Cilium.
Have fun, and if you have questions, contact us using the
[Cilium Slack Channel](https://cilium.herokuapp.com/).

{{% /capture %}}
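As a worked example of the L3/L4 and L7 policies that the Getting Started
section above refers to, the following `CiliumNetworkPolicy` is added here as
an illustration; it is not taken from this page or from the Cilium
documentation. The namespace `default`, the policy name, and the Pod labels
`app=backend` and `app=frontend` are assumptions for the example, as are the
HTTP paths it allows.

```yaml
# Added example (not from the page or the Cilium project): one
# CiliumNetworkPolicy that layers L3, L4 and L7 rules on a backend service.
# Assumed for illustration: namespace "default", backend Pods labeled
# app=backend, client Pods labeled app=frontend, an HTTP API under /api/.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-http-from-frontend
  namespace: default
spec:
  # The policy attaches to every endpoint (Pod) carrying app=backend.
  # As soon as an endpoint is selected by a policy with ingress rules,
  # all ingress traffic that no rule allows is dropped (default deny).
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # L3: only endpoints labeled app=frontend may reach the backend ...
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # L4: ... and only on TCP port 80 ...
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # L7: ... and only with HTTP GET requests to /api/... or /healthz.
      # The presence of an "http" rule makes Cilium redirect the port
      # through its proxy; requests that match no rule are rejected
      # at HTTP level rather than at the packet level.
      rules:
        http:
        - method: "GET"
          path: "/api/.*"
        - method: "GET"
          path: "/healthz"
```

Apply it with `kubectl apply -f` and confirm it was accepted with
`kubectl get cnp --namespace=default`. The L3/L4 portion (source labels plus
TCP/80) is what a plain Kubernetes `NetworkPolicy` can express; the `http`
rules are the L7 capability that Cilium adds on top, which is why a `POST` to
`/api/items` from a `frontend` Pod is refused even though the TCP connection
itself is allowed.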