Cilium eBPF Networking on AlmaLinux 9: Complete Guide

Published Sep 6, 2025

Master cloud-native networking with Cilium on AlmaLinux 9! Learn eBPF-powered CNI, Hubble observability, network policies, and service mesh with practical examples.

Welcome to the future of Kubernetes networking! Today we'll set up Cilium on AlmaLinux 9, unleashing the power of eBPF for blazing-fast, secure networking! Let's revolutionize your cluster!

Why is Cilium Important?

Imagine networking that's 10x faster and smarter! That's Cilium's magic! Here's why it's revolutionary:

  • Lightning Performance - eBPF bypasses iptables for incredible speed!
  • Deep Observability - See every packet with Hubble's X-ray vision
  • Identity-Based Security - Protect based on service identity, not IPs
  • Multi-Cluster - Connect clusters across clouds seamlessly
  • Service Mesh - Built-in L7 load balancing without sidecars
  • Transparent Encryption - Automatic WireGuard encryption
  • Network Policies - Advanced L3-L7 policies with DNS awareness
  • No Overhead - Kernel-native performance with eBPF

What You Need

Before we supercharge your networking, gather these:

  • AlmaLinux 9 server (8GB RAM minimum, 16GB recommended)
  • Kubernetes cluster 1.16+ (K3s, K8s, or any flavor)
  • Kernel 4.19+ (5.4+ recommended for all features)
  • Helm 3.0+ installed
  • kubectl configured
  • Multi-node cluster (3+ nodes for production)
  • Root or sudo access
  • Ready for networking magic!

Step 1: Prepare AlmaLinux for Cilium

Let's prepare your system for eBPF awesomeness!

Verify System Requirements

# Check kernel version (needs 4.19+, ideally 5.4+)
uname -r  # AlmaLinux 9 has 5.14+, perfect!

# Check for eBPF support
ls /sys/fs/bpf  # Should exist
mount | grep bpf  # Should show bpf filesystem

# Install required packages
sudo dnf install -y \
  kernel-devel-$(uname -r) \
  kernel-headers-$(uname -r) \
  bpftool \
  iproute-tc

# Enable IP forwarding (required)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Disable swap (Kubernetes requirement)
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab

Prepare Kubernetes Cluster

# Remove existing CNI if present (like Flannel)
kubectl delete -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml 2>/dev/null || true

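# Clean up CNI configuration (run on every node)
sudo rm -rf /etc/cni/net.d/*

# No node labels are required for Cilium. Leave kubernetes.io/hostname in place:
# a trailing "-" on "kubectl label" removes a label, and affinity and
# topology rules rely on this one.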

# Verify cluster is ready
kubectl get nodes  # Should show NotReady (no CNI yet)
kubectl get pods -A  # CoreDNS should be pending

Step 2: Install Cilium CLI

Let's get the Cilium command-line tool!

Install Cilium CLI

# Download latest Cilium CLI
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi

curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

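# Verify checksum and extract only if it matches.
# The .sha256sum file comes from the same release page as the tarball, so this
# catches a corrupted or truncated download, not a tampered release.
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum && \
  sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}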

# Verify installation
cilium version  # Shows CLI version

Install Hubble CLI

# Download Hubble CLI for observability
HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
HUBBLE_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi

curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

# Verify and install (extract only if the checksum matches)
sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum && \
  sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

# Verify Hubble
hubble version  # Shows Hubble version

Step 3: Deploy Cilium

Time to unleash the eBPF power!

# Install Cilium with default configuration
cilium install

# Wait for Cilium to be ready
cilium status --wait

# You should see:
#     /¯¯\
#  /¯¯\__/¯¯\    Cilium:         OK
#  \__/¯¯\__/    Operator:       OK
#  /¯¯\__/¯¯\    Hubble:         disabled
#  \__/¯¯\__/    ClusterMesh:    disabled
#     \__/

# Enable Hubble for observability
cilium hubble enable --ui

# Wait for Hubble to be ready
cilium status --wait

Alternative: Install with Helm

# Add Cilium Helm repository
helm repo add cilium https://helm.cilium.io/
helm repo update

# Create values file for customization
cat <<EOF > cilium-values.yaml
# eBPF configuration
bpf:
  masquerade: true
  clockProbe: true
  preallocateMaps: true

# Hubble configuration
hubble:
  enabled: true
  relay:
    enabled: true
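  ui:
    enabled: true
    # The Hubble UI has no login of its own. Keep this ingress on an internal
    # network or put it behind an authenticating proxy.
    ingress:
      enabled: true
      hosts:
        - hubble.yourdomain.com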

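# Network configuration
tunnel: disabled  # Use native routing (newer charts use "routingMode: native")
# Native routing also needs the CIDR that is reachable without masquerading
# and routes between nodes. Both values below are assumptions: set the CIDR
# to your cluster's pod CIDR, and use autoDirectNodeRoutes only when all
# nodes share one L2 segment.
ipv4NativeRoutingCIDR: 10.0.0.0/8  # placeholder
autoDirectNodeRoutes: true
ipam:
  mode: kubernetes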
  
# Enable advanced features
l7Proxy: true
encryption:
  enabled: true
  type: wireguard

# Performance tuning
operator:
  replicas: 2
  
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 100m
    memory: 128Mi
EOF

# Install Cilium
helm install cilium cilium/cilium \
  --version 1.14.5 \
  --namespace kube-system \
  --values cilium-values.yaml

# Verify installation
kubectl -n kube-system get pods -l k8s-app=cilium

Step 4: Configure Network Policies

Let's secure your network with powerful policies!

Create L3/L4 Network Policy

# Create a namespace for testing
kubectl create namespace production

# Deploy sample application
kubectl apply -n production -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: webapp
spec:
  selector:
    app: webapp
  ports:
  - port: 80
EOF

# Create Cilium Network Policy
kubectl apply -n production -f - <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: webapp-policy
spec:
  endpointSelector:
    matchLabels:
      app: webapp
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
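  egress:
  # Allow DNS through Cilium's DNS proxy. Without this rule the egress policy
  # blocks lookups and the toFQDNs rule below never learns any IP addresses.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
  - toFQDNs:
    - matchPattern: "*.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
EOF

# Verify policy is applied
kubectl -n production get cnp
# "endpoint list" is a command of the agent binary, so run it inside a Cilium pod
kubectl -n kube-system exec ds/cilium -- cilium endpoint list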

Create L7 Application Policy

# Create L7 policy with HTTP rules
kubectl apply -n production -f - <<EOF
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-l7-policy
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        role: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/v1/users"
        - method: "POST"
          path: "/api/v1/users"
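          # Header values are matched literally, not as patterns, so require the
          # header to be present; the API itself must still validate the token.
          headers:
          - 'Authorization'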
EOF

Quick Examples

Let's explore Cilium's amazing features!

Example 1: Access Hubble UI

# Port-forward Hubble UI
cilium hubble ui

# Access at http://localhost:12000
# You'll see beautiful service map!

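# Or expose via NodePort
# Note: this publishes the Hubble UI, which has no login, on port 30080 of
# every node. Restrict access with a firewall rule or keep to the port-forward.
kubectl patch svc hubble-ui -n kube-system \
  -p '{"spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}}'

# Access at http://NODE_IP:30080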

Example 2: Observe Network Flows

# Watch all flows in real-time
hubble observe

# Filter by namespace
hubble observe --namespace production

# See HTTP traffic
hubble observe --protocol http

# Watch specific pod
hubble observe --pod production/webapp-xxx

# See dropped packets (policy violations)
hubble observe --verdict DROPPED

# Export flows as JSON
hubble observe -o json | jq
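
The dropped-flow check and JSON export above can be combined into a quick triage script. This is an added example, not part of the original guide: it groups DROPPED flows by source and destination workload so a missing policy rule stands out. The sample flows are constructed, and the field names (verdict, drop_reason_desc, source/destination labels, l4) are assumed to follow Hubble's JSON flow output, reduced to what the script reads.

```python
import json
from collections import Counter

# Constructed sample of `hubble observe -o json` output: one JSON object
# per line, reduced to the fields this script reads.
SAMPLE = """\
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.12","destination":"10.0.2.30"},"l4":{"TCP":{"destination_port":6379}},"source":{"namespace":"production","labels":["k8s:app=webapp"],"pod_name":"webapp-5c9f-x2k4p"},"destination":{"namespace":"production","labels":["k8s:app=cache"],"pod_name":"cache-0"}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.13","destination":"10.0.2.30"},"l4":{"TCP":{"destination_port":6379}},"source":{"namespace":"production","labels":["k8s:app=webapp"],"pod_name":"webapp-5c9f-q8w7z"},"destination":{"namespace":"production","labels":["k8s:app=cache"],"pod_name":"cache-0"}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.12","destination":"203.0.113.9"},"l4":{"TCP":{"destination_port":443}},"source":{"namespace":"production","labels":["k8s:app=webapp"],"pod_name":"webapp-5c9f-x2k4p"},"destination":{"labels":["reserved:world"]}}}
{"flow":{"verdict":"FORWARDED","IP":{"source":"10.0.1.12","destination":"10.0.3.5"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"production","labels":["k8s:app=webapp"]},"destination":{"namespace":"production","labels":["k8s:app=database"]}}}
level=info msg="not a flow line"
"""

def workload(endpoint, ip):
    """Name an endpoint by namespace/app label (its identity), else by IP."""
    app = next((lab.split("=", 1)[1] for lab in endpoint.get("labels", [])
                if lab.startswith("k8s:app=")), None)
    if app and endpoint.get("namespace"):
        return f"{endpoint['namespace']}/{app}"
    return ip or "unknown"

def dest_port(l4):
    """Return 'port/PROTO' for TCP/UDP, or the bare protocol (e.g. ICMPv4)."""
    proto, fields = next(iter(l4.items()), ("unknown", {}))
    port = fields.get("destination_port")
    return f"{port}/{proto}" if port else proto

def summarize_drops(lines):
    """Count DROPPED flows per (source, destination, port, reason)."""
    drops = Counter()
    for line in lines:
        try:
            flow = json.loads(line).get("flow") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip log noise mixed into the stream
        if flow.get("verdict") != "DROPPED":
            continue
        ip = flow.get("IP", {})
        key = (workload(flow.get("source", {}), ip.get("source")),
               workload(flow.get("destination", {}), ip.get("destination")),
               dest_port(flow.get("l4", {})), flow.get("drop_reason_desc", "UNKNOWN"))
        drops[key] += 1
    return drops

if __name__ == "__main__":
    import sys
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for (src, dst, port, reason), n in summarize_drops(lines).most_common():
        print(f"{n:4d}  {src} -> {dst} {port}  {reason}")
```

Saved under a name of your choice (drops.py here is hypothetical), it reads live data with `hubble observe --verdict DROPPED -o json | python3 drops.py`.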

Example 3: Enable Transparent Encryption

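# Enable WireGuard encryption. It is switched on through Helm values
# (the same keys as in cilium-values.yaml above), then the agents restart.
# Keep --version equal to the chart version you installed.
helm upgrade cilium cilium/cilium \
  --version 1.14.5 \
  --namespace kube-system \
  --reuse-values \
  --set encryption.enabled=true \
  --set encryption.type=wireguard
kubectl -n kube-system rollout restart ds/cilium

# Verify encryption status from inside an agent pod
kubectl exec -n kube-system ds/cilium -- cilium encrypt status

# The output should report WireGuard as the encryption mode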

Fix Common Problems

Hit a snag? Here are solutions!

Problem 1: Nodes Not Ready

# Check Cilium status
cilium status

# If Cilium not running, check logs
kubectl -n kube-system logs ds/cilium

# Common fix: restart Cilium
kubectl -n kube-system rollout restart ds/cilium

# Verify eBPF programs loaded
sudo bpftool prog list | grep cilium

# Check for CNI configuration
ls -la /etc/cni/net.d/

Problem 2: Pods Cannot Communicate

# Run connectivity test
cilium connectivity test

# Check endpoint status (agent command, run inside a Cilium pod)
kubectl -n kube-system exec ds/cilium -- cilium endpoint list

# Verify network policies
kubectl get cnp -A

# Test pod-to-pod connectivity
kubectl run test --image=busybox --rm -it -- sh
# Inside pod:
#   nslookup kubernetes
#   ping another-pod-ip

# Check for policy drops
hubble observe --verdict DROPPED

Problem 3: Hubble Not Working

# Check Hubble relay status
kubectl -n kube-system get pods -l k8s-app=hubble-relay

# Restart Hubble (keep --ui so the UI is redeployed as well)
cilium hubble disable
cilium hubble enable --ui

# Check Hubble API
hubble status

# Port-forward manually if needed
kubectl port-forward -n kube-system svc/hubble-relay 4245:80 &
hubble --server localhost:4245 status

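Simple Commands Summary

Your Cilium command toolkit!

| Command | What It Does | When to Use |
|---|---|---|
| cilium install | Install Cilium CNI | Initial setup |
| cilium status | Check Cilium health | Verify installation |
| cilium hubble enable | Enable observability | Add monitoring |
| hubble observe | Watch network flows | Debug traffic |
| cilium connectivity test | Test connectivity | Validate setup |
| kubectl -n kube-system exec ds/cilium -- cilium endpoint list | List all endpoints | Check pods |
| kubectl -n kube-system exec ds/cilium -- cilium policy get | Show policies | Debug security |
| helm upgrade cilium cilium/cilium -n kube-system --reuse-values --set encryption.enabled=true --set encryption.type=wireguard | Enable encryption | Secure traffic |
| cilium clustermesh enable | Multi-cluster | Connect clusters |
| cilium upgrade | Upgrade Cilium | Update version |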
Tips for Success

Master Cilium with these pro tips!

Performance Optimization

  • Use native routing mode for best performance
  • Enable BPF host routing for node traffic
  • Preallocate BPF maps for consistency
  • Tune MTU size for your network
  • Monitor BPF map usage

Security Best Practices

  • Always enable encryption in production
  • Start with deny-all network policies
  • Use L7 policies for API protection
  • Monitor dropped packets regularly
  • Use identity-based policies over IP-based

Observability Tips

  • Set up Grafana dashboards for metrics
  • Use Hubble CLI for troubleshooting
  • Export flows to external systems
  • Set alerts for policy violations
  • Enable flow logs for audit

๐Ÿ† What You Learned

Incredible work! Youโ€™re now a Cilium expert! ๐ŸŽ‰ You can:

  • โœ… Install Cilium CNI on AlmaLinux 9
  • โœ… Configure eBPF-based networking
  • โœ… Enable Hubble observability platform
  • โœ… Create advanced network policies
  • โœ… Monitor network flows in real-time
  • โœ… Enable transparent encryption
  • โœ… Troubleshoot connectivity issues
  • โœ… Optimize network performance

๐ŸŽฏ Why This Matters

Youโ€™ve revolutionized your Kubernetes networking! ๐Ÿš€ With Cilium:

  • 10x Performance - eBPF bypasses iptables overhead
  • Complete Visibility - See every packet in your cluster
  • Identity Security - Protect services, not IP addresses
  • Zero Trust - Automatic encryption everywhere
  • Service Mesh - L7 load balancing without sidecars
  • Multi-Cloud - Connect clusters across providers
  • Future Proof - eBPF is the future of networking

Your cluster now has the most advanced networking stack available! No more iptables complexity, no more networking black boxes. Everything is fast, secure, and observable.

Keep exploring features like ClusterMesh for multi-cluster, BGP for advanced routing, and bandwidth management. You're running the same technology as the world's largest clouds!

Remember: With great power comes great networking - Cilium delivers both! Happy networking!

P.S. - Join the Cilium community, attend eBPF Summit, and share your networking wins! The future is eBPF-powered!