Module: Pangea::Kubernetes::NetworkBackends::Cilium

Includes:
Base
Defined in:
lib/pangea/kubernetes/network_backends/cilium.rb

Overview

Cilium — eBPF-based CNI with service mesh and L7 observability. Supports ENI mode (AWS VPC IPs) and overlay mode (VXLAN/Geneve). Hubble provides per-request latency histograms without app instrumentation.


Methods included from Base

included

Class Method Details

.backend_name ⇒ Object



# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 13

# Identifier under which this network backend is registered.
#
# @return [Symbol] always +:cilium+
def backend_name
  :cilium
end

.compatible_backends ⇒ Object



# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 17

# Compute backends this CNI can be paired with: the three managed clouds,
# Hetzner Cloud, and the NixOS variants of the cloud backends.
#
# @return [Array<Symbol>] a fresh array on every call
def compatible_backends
  clouds = %i[aws gcp azure]
  clouds + %i[hcloud] + clouds.map { |cloud| :"#{cloud}_nixos" }
end

.create_network_iam(ctx, name, config, tags) ⇒ Object

IRSA for Cilium operator on EKS.



# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 30

# IAM policy for the Cilium operator on EKS (the IRSA identity that manages
# pod ENIs). Only the managed policy is created here: the role, its trust
# policy and the service-account annotation are not part of this method,
# so the caller is presumably responsible for binding the policy to an
# IRSA role — verify against the caller.
#
# @param ctx [Object] resource context; extended with Pangea::Resources::AWS
#   when it does not already respond to +aws_iam_role+
# @param name [String] prefix for the policy name (+"<name>-cilium-operator"+)
# @param config [Hash] backend configuration; read for +:compute_backend+
# @param tags [Hash] base tags, merged with +Component: 'cilium'+
# @return [Hash, nil] +{ policy: ... }+ on AWS, +nil+ for every other backend
def create_network_iam(ctx, name, config, tags)
  # Only EKS needs an operator identity; every other backend is a no-op.
  return unless config[:compute_backend] == :aws

  ctx.extend(Pangea::Resources::AWS) unless ctx.respond_to?(:aws_iam_role)

  # ENI lifecycle calls the operator makes. Every action below is granted on
  # Resource '*', including the mutating Create/Attach/Delete/Modify calls
  # and CreateTags. Describe* actions generally cannot be resource-scoped,
  # but the mutating ones could presumably be narrowed with tag or VPC
  # conditions if a smaller blast radius is wanted — confirm against the
  # operator's documented requirements before tightening.
  eni_actions = %w[
    ec2:DescribeNetworkInterfaces
    ec2:DescribeSubnets
    ec2:DescribeVpcs
    ec2:DescribeSecurityGroups
    ec2:CreateNetworkInterface
    ec2:AttachNetworkInterface
    ec2:DeleteNetworkInterface
    ec2:ModifyNetworkInterfaceAttribute
    ec2:AssignPrivateIpAddresses
    ec2:UnassignPrivateIpAddresses
    ec2:CreateTags
  ]
  statement = { Effect: 'Allow', Action: eni_actions, Resource: '*' }
  policy_doc = JSON.generate({ Version: '2012-10-17', Statement: [statement] })

  policy_name = "#{name}-cilium-operator"
  policy = ctx.aws_iam_policy(policy_name.to_sym, {
    name: policy_name,
    policy: policy_doc,
    tags: tags.merge(Component: 'cilium'),
  })

  { policy: policy }
end

.helm_values(config) ⇒ Object



# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 70

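# Helm values for the Cilium chart.
#
# Hubble (relay + metrics, no UI) and Prometheus scraping are always on.
# In ENI mode (the default) pods get VPC IPs via AWS prefix delegation and
# the overlay tunnel is turned off; any other mode only sets +ipam.mode+.
#
# @param config [Hash] backend configuration; +:cilium_mode+ may be a
#   Symbol or a String (+:eni+ when absent)
# @return [Hash{String => Object}] string-keyed values ready for Helm
def helm_values(config)
  # Normalise so that a String 'eni' selects the ENI block as well. Before,
  # only the Symbol form did, while ipam.mode was still rendered as 'eni' —
  # an inconsistent configuration (ENI IPAM with the tunnel left on).
  mode = (config[:cilium_mode] || :eni).to_sym
  values = {
    'ipam' => { 'mode' => mode.to_s },
    'hubble' => {
      'enabled' => true,
      'relay' => { 'enabled' => true },
      'ui' => { 'enabled' => false }, # No GUI, MCP-queryable via Grafana
      'metrics' => {
        'enabled' => [
          'dns', 'drop', 'tcp', 'flow',
          'icmp', 'http', 'port-distribution',
          # Exemplars plus per-flow source/destination labels: high cardinality,
          # and the source_ip/destination_ip labels expose pod IPs to anyone
          # who can read these metrics.
          'httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload',
        ],
      },
    },
    'prometheus' => { 'enabled' => true },
    'operator' => { 'prometheus' => { 'enabled' => true } },
  }

  # ENI mode: use AWS VPC IPs (compatible with existing /20 pod subnets)
  if mode == :eni
    values['eni'] = {
      'enabled' => true,
      'awsEnablePrefixDelegation' => true,
    }
    # NOTE(review): 'tunnel' is the legacy chart key; newer charts express
    # this via routingMode — confirm against the pinned chart version.
    values['tunnel'] = 'disabled'
  end

  values
end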

.l7_observable? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 25

# Whether per-request (L7) telemetry is available without instrumenting
# applications. Always true here because Hubble is switched on in the
# generated Helm values.
#
# @return [Boolean]
def l7_observable?
  true # Hubble
end

.mesh_capable? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 21

# Whether this backend can act as a service mesh. Unconditionally true for
# Cilium; no configuration is consulted.
#
# @return [Boolean]
def mesh_capable?
  true
end

.nixos_profile ⇒ Object



# File 'lib/pangea/kubernetes/network_backends/cilium.rb', line 66

# Name of the NixOS profile used for this backend on the *_nixos compute
# backends listed in #compatible_backends.
#
# @return [String] the literal profile name
def nixos_profile
  'cilium-mesh'
end