cilium-expert_skill

This skill helps you design and implement secure, high-performance Cilium-based networking and security for Kubernetes clusters, with observability and
  • Shell

25

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill martinholovsky/claude-skills-generator --skill cilium-expert

  • SKILL.md39.4 KB

Overview

This skill is an expert advisor for Cilium eBPF-based networking and security in Kubernetes clusters. It helps design, deploy, and troubleshoot Cilium as a CNI, create identity-aware network policies (L3/L4/L7), and configure service mesh and observability with Hubble. Use it to build high-performance, zero-trust cluster networking with production-grade reliability and monitoring.

How this skill works

I inspect cluster CNI configuration, Cilium agent/operator status, eBPF datapath health, Hubble telemetry, and policy definitions to identify misconfigurations and optimization opportunities. I validate kernel and feature prerequisites, review IPAM and datapath modes (tunnel vs native routing), and analyze policy audit logs and flow traces to recommend concrete fixes. I provide stepwise changes for safe rollout: test and audit policy changes, tune resource limits, and plan rolling upgrades with rollback points.

When to use it

  • Installing or replacing the cluster CNI with Cilium or enabling kube-proxy replacement
  • Implementing zero-trust default-deny namespaces and least-privilege policies
  • Designing L7 HTTP/gRPC/Kafka policies and DNS/FQDN-based egress controls
  • Troubleshooting connectivity, policy denies, dropped flows, or eBPF errors
  • Deploying Cilium Service Mesh, mTLS, or multi-cluster ClusterMesh setups

Best practices

  • Enable Hubble and use audit mode before enforcing new policies to avoid accidental outages
  • Prefer identity (labels, SPIFFE) over IPs; write connectivity tests before policy rollout (TDD first)
  • Start with default-deny and explicitly allow DNS and API server access
  • Optimize eBPF programs and policy selectors to reduce map lookups and cardinality
  • Use WireGuard or mTLS for sensitive traffic and tune Hubble sampling to control observability overhead

Example use cases

  • Lock down a production namespace with default-deny CiliumNetworkPolicy and allow only required service paths
  • Create L7 path- and header-based policies for an API gateway enforcing API keys and content types
  • Enable WireGuard to transparently encrypt pod-to-pod traffic across nodes
  • Connect multi-cluster services via ClusterMesh and expose a global Service with cross-cluster policies
  • Investigate high CPU on nodes by analyzing eBPF map sizes, connection tracking, and Hubble flow rates

FAQ

If misconfigured, CNI changes can impact the cluster. Follow staged rollout: validate kernel/features, enable kube-proxy replacement in a subset, run connectivity tests, and use audit mode for policies.

When should I use L7 policies versus L3/L4?

Use L7 selectively for API enforcement, headers, or path filtering. L7 has higher overhead; prefer L3/L4 identity rules for broad segmentation and reserve L7 for sensitive endpoints.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational