K8s Cilium eBPF網路策略實戰:零信任Pod安全的5個核心模式

技术架构

2026年的Kubernetes網路已經全面進入eBPF時代。Cilium作為CNCF畢業專案,憑藉核心級可程式設計網路能力,已成為零信任Pod安全的事實標準。從傳統的iptables到eBPF資料面,從L3/L4網路策略到L7應用層過濾,從單集群到Cluster Mesh多集群網路——Cilium正在重新定義雲原生網路的邊界。本文將深入5個核心實戰模式,帶你從安裝到生產級部署,全面掌握Cilium eBPF網路策略。

核心概念

概念 說明 傳統方案對比
eBPF 核心可程式設計沙箱,無需修改核心原始碼即可擴展網路功能 iptables規則鏈,規則數增長時O(n)匹配
Cilium 基於eBPF的K8s CNI外掛,提供網路、安全、可觀測性 Calico/Flannel,僅L3/L4策略
身份標籤(Identity) 基於Label的安全身份,而非IP位址 基於IP的NetworkPolicy
L7策略 HTTP/gRPC應用層過濾,精確到API路徑 僅L4埠級過濾
Cluster Mesh 多集群網路互聯,跨集群Pod直通 VPN/閘道轉發
Hubble Cilium網路可觀測性平台,即時流量視覺化 tcpdump/Wireshark手動抓包

問題分析:傳統K8s網路策略的5大痛點

痛點1:iptables效能瓶頸——大規模集群中iptables規則數可達數萬條,每次規則變更觸發全量替換,網路延遲抖動嚴重。

痛點2:僅L3/L4策略粒度不足——原生NetworkPolicy只能控制埠級存取,無法區分GET /api/usersDELETE /api/users

痛點3:基於IP的安全策略脆弱——Pod重建後IP變化,基於IP的防火牆規則瞬間失效,零信任無從談起。

痛點4:多集群網路割裂——跨集群服務通訊依賴Ingress/閘道轉發,延遲高、策略難統一。

痛點5:網路故障排查黑盒——Pod間通訊失敗只能靠tcpdump逐跳排查,缺乏端到端流量視覺化。

模式一:Cilium基礎安裝與eBPF網路原理

eBPF網路原理

eBPF程式掛載在核心網路鉤子上(xdp、tc、cgroup等),在資料包到達協議棧之前就完成處理,避免了iptables的規則鏈遍歷開銷:

資料包進入 → XDP(eBPF) → tc ingress(eBPF) → 協議棧 → tc egress(eBPF) → 發出
                 ↓              ↓                              ↓
           DDoS防護       策略匹配/路由                  策略匹配/NAT

Helm安裝Cilium(替換kube-proxy)

# cilium-values.yaml
# Cilium Helm安裝配置,替換kube-proxy模式
kubeProxyReplacement: true
operator:
  replicas: 2

# eBPF映射表大小(大規模集群調優)
bpf:
  mapDynamicSizeRatio: 0.0025
  lbMapMax: 65536
  ctMapMax: 524288

# 自動偵測節點網路
autoDirectNodeRoutes: true
tunnel: vxlan

# 身份分配模式
identityAllocationMode: kvstore

# 監控與可觀測
hubble:
  enabled: true
  listenAddress: ":4244"
  metrics:
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - http
  relay:
    enabled: true
    replicas: 2
  ui:
    enabled: true

# 資源限制
resources:
  requests:
    cpu: 200m
    memory: 256Mi
  limits:
    cpu: "1"
    memory: 1Gi

# 安全上下文
securityContext:
  capabilities:
    add:
      - NET_ADMIN
      - SYS_MODULE
#!/bin/bash
# install-cilium.sh
# Cilium安裝腳本

set -euo pipefail

CLUSTER_NAME="prod-cluster"
NAMESPACE="kube-system"

echo "=== Step 1: 新增Cilium Helm倉庫 ==="
helm repo add cilium https://helm.cilium.io/
helm repo update

echo "=== Step 2: 取得API Server位址 ==="
API_SERVER_IP=$(kubectl get endpoints kubernetes -o jsonpath='{.subsets[0].addresses[0].ip}')
API_SERVER_PORT=$(kubectl get endpoints kubernetes -o jsonpath='{.subsets[0].ports[0].port}')

echo "API Server: ${API_SERVER_IP}:${API_SERVER_PORT}"

echo "=== Step 3: 安裝Cilium ==="
helm install cilium cilium/cilium \
  --namespace ${NAMESPACE} \
  --values cilium-values.yaml \
  --set kubeProxyReplacement=true \
  --set hubble.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --wait

echo "=== Step 4: 等待Cilium就緒 ==="
kubectl -n ${NAMESPACE} rollout status ds/cilium --timeout=300s
kubectl -n ${NAMESPACE} rollout status deploy/cilium-operator --timeout=120s

echo "=== Step 5: 驗證eBPF程式載入 ==="
kubectl -n ${NAMESPACE} exec ds/cilium -- cilium bpf lb list
kubectl -n ${NAMESPACE} exec ds/cilium -- cilium status

echo "=== Step 6: 驗證kube-proxy替換 ==="
kubectl -n ${NAMESPACE} exec ds/cilium -- cilium service list

echo "=== Step 7: 狀態檢查 ==="
cilium status --wait

echo "✅ Cilium安裝完成!"

驗證eBPF資料面

#!/bin/bash
# verify-ebpf.sh
# 驗證eBPF資料面工作正常

echo "=== 檢查Cilium eBPF程式 ==="
kubectl -n kube-system exec ds/cilium -- cilium bpf tunnel list
kubectl -n kube-system exec ds/cilium -- cilium bpf ct list global

echo "=== 檢查身份映射 ==="
kubectl -n kube-system exec ds/cilium -- cilium identity list

echo "=== 網路連通性測試 ==="
kubectl run test-net --image=cilium/cilium:latest --restart=Never -- sleep infinity
kubectl exec test-net -- curl -s https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces

echo "=== 頻寬基準測試 ==="
kubectl run iperf3-server --image=networkstatic/iperf3 --restart=Never -- iperf3 -s
kubectl run iperf3-client --image=networkstatic/iperf3 --restart=Never -- sleep infinity
CLIENT_POD=$(kubectl get pods -l run=iperf3-client -o jsonpath='{.items[0].metadata.name}')
SERVER_IP=$(kubectl get pod iperf3-server -o jsonpath='{.status.podIP}')
kubectl exec ${CLIENT_POD} -- iperf3 -c ${SERVER_IP} -t 10 -P 4

echo "✅ eBPF資料面驗證完成!"

模式二:L3/L4網路策略與身份標籤

Cilium身份標籤機制

Cilium使用Label計算安全身份(Identity),而非依賴IP位址。相同Label的Pod共享同一Identity,策略匹配基於Identity而非IP:

Pod(app=api, env=prod) → Identity: 1001 → 策略允許 Identity:1001 → Identity:2001
Pod(app=web, env=prod) → Identity: 2001

基礎L3/L4網路策略

# cilium-l3-l4-policy.yaml
# L3/L4網路策略:基於身份標籤的零信任存取控制
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-server-policy
  namespace: production
spec:
  description: "API服務僅允許前端和內部服務存取,拒絕其他所有流量"
  endpointSelector:
    matchLabels:
      app: api-server
      env: production
  ingress:
    # 規則1:允許前端Pod存取API的8080埠
    - fromEndpoints:
        - matchLabels:
            app: web-frontend
            env: production
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/v1/.*"
              - method: POST
                path: "/api/v1/.*"

    # 規則2:允許內部微服務存取gRPC埠
    - fromEndpoints:
        - matchLabels:
            app: internal-service
            env: production
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP

    # 規則3:允許Prometheus監控抓取
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: prometheus
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP
              endPort: 9091

  egress:
    # 允許存取資料庫
    - toEndpoints:
        - matchLabels:
            app: postgres
            env: production
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP

    # 允許DNS解析
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP

    # 允許外部API呼叫
    - toFQDNs:
        - matchName: "api.stripe.com"
        - matchPattern: "*.amazonaws.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# 預設拒絕策略(零信任基礎)
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: default-deny-all
spec:
  description: "預設拒絕所有入站流量,零信任基礎策略"
  endpointSelector: {}
  ingressDeny:
    - fromRequires:
        - {}
---
# 命名空間隔離策略
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: namespace-isolation
spec:
  description: "命名空間級別隔離,僅允許同命名空間通訊"
  endpointSelector:
    matchLabels: {}
  ingress:
    - fromEndpoints:
        - matchLabels: {}

基於實體的網路策略

# entity-based-policy.yaml
# 基於實體的網路策略:控制集群內外流量
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: entity-policy
spec:
  description: "控制Pod與集群實體之間的網路存取"
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
    # 允許來自集群內部的流量
    - fromEntities:
        - cluster
        - host
        - remote-node
  egress:
    # 允許存取集群外部
    - toEntities:
        - world
    # 允許存取K8s API Server
    - toEntities:
        - kube-apiserver

模式三:L7應用層策略(HTTP/gRPC過濾)

HTTP層精細存取控制

# cilium-l7-policy.yaml
# L7應用層策略:HTTP/gRPC精細過濾
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-api-policy
  namespace: production
spec:
  description: "L7策略:HTTP方法+路徑精確控制,實現API級零信任"
  endpointSelector:
    matchLabels:
      app: api-server
      env: production
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: web-frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              # 允許唯讀API
              - method: GET
                path: "/api/v1/users(/.*)?"
              - method: GET
                path: "/api/v1/products(/.*)?"
              - method: GET
                path: "/api/v1/orders(/.*)?"
              # 允許建立訂單
              - method: POST
                path: "/api/v1/orders"
              # 拒絕刪除操作(不在此列表中的請求將被拒絕)
---
# gRPC方法級過濾
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: grpc-policy
  namespace: production
spec:
  description: "gRPC方法級存取控制"
  endpointSelector:
    matchLabels:
      app: order-service
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: api-gateway
      toPorts:
        - ports:
            - port: "50051"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: "/order.OrderService/GetOrder"
              - method: POST
                path: "/order.OrderService/ListOrders"
              - method: POST
                path: "/order.OrderService/CreateOrder"
---
# HTTP Header過濾策略
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: header-filter-policy
  namespace: production
spec:
  description: "基於HTTP Header的存取控制"
  endpointSelector:
    matchLabels:
      app: internal-api
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: gateway
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/internal/.*"
                headers:
                  - "X-Internal-Token: ^secret-token-.*$"
---
# Kafka協議感知策略
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: kafka-policy
  namespace: production
spec:
  description: "Kafka主題級存取控制"
  endpointSelector:
    matchLabels:
      app: kafka-broker
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: order-processor
      toPorts:
        - ports:
            - port: "9092"
              protocol: TCP
          rules:
            kafka:
              - role: produce
                topic: orders
              - role: consume
                topic: orders
    - fromEndpoints:
        - matchLabels:
            app: analytics
      toPorts:
        - ports:
            - port: "9092"
              protocol: TCP
          rules:
            kafka:
              - role: consume
                topic: orders

L7策略驗證腳本

#!/bin/bash
# verify-l7-policy.sh
# 驗證L7應用層策略

echo "=== 測試HTTP GET允許 ==="
kubectl exec deploy/web-frontend -- curl -s -o /dev/null -w "%{http_code}" http://api-server:8080/api/v1/users
# 期望: 200

echo ""
echo "=== 測試HTTP DELETE拒絕 ==="
kubectl exec deploy/web-frontend -- curl -s -o /dev/null -w "%{http_code}" -X DELETE http://api-server:8080/api/v1/users/123
# 期望: 403

echo ""
echo "=== 測試無Header存取拒絕 ==="
kubectl exec deploy/gateway -- curl -s -o /dev/null -w "%{http_code}" http://internal-api:8080/internal/config
# 期望: 403

echo ""
echo "=== 測試帶Token Header允許 ==="
kubectl exec deploy/gateway -- curl -s -o /dev/null -w "%{http_code}" -H "X-Internal-Token: secret-token-abc" http://internal-api:8080/internal/config
# 期望: 200

echo ""
echo "=== 檢查Cilium L7策略狀態 ==="
kubectl -n kube-system exec ds/cilium -- cilium policy get
kubectl -n kube-system exec ds/cilium -- cilium policy select

echo "✅ L7策略驗證完成!"

模式四:Cluster Mesh多集群網路

Cluster Mesh架構

Cluster A (us-west)          Cluster B (eu-central)
┌─────────────────┐          ┌─────────────────┐
│  Pod: api-server │◄────────►│  Pod: api-server │
│  Identity: 1001  │          │  Identity: 1001  │
│  Service: global  │          │  Service: global  │
└─────────────────┘          └─────────────────┘
        │                            │
        └──────── etcd同步 ──────────┘

Cluster Mesh配置

# cluster-mesh-config.yaml
# Cluster Mesh多集群網路配置
# 集群A: us-west
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-clustermesh
  namespace: kube-system
data:
  cluster-id: "1"
  cluster-name: "us-west"
---
# 集群B: eu-central
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-clustermesh
  namespace: kube-system
data:
  cluster-id: "2"
  cluster-name: "eu-central"
---
# 全域Service(跨集群負載均衡)
apiVersion: v1
kind: Service
metadata:
  name: global-api-server
  namespace: production
  annotations:
    service.cilium.io/global: "true"
    service.cilium.io/affinity: "local"
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
  selector:
    app: api-server
---
# 跨集群網路策略
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cross-cluster-policy
  namespace: production
spec:
  description: "跨集群網路策略:允許us-west和eu-central互訪"
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: api-server
            io.cilium.k8s.policy.cluster: us-west
        - matchLabels:
            app: api-server
            io.cilium.k8s.policy.cluster: eu-central
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
#!/bin/bash
# setup-cluster-mesh.sh
# Cluster Mesh設定腳本

set -euo pipefail

CLUSTER_A="us-west"
CLUSTER_B="eu-central"
CONTEXT_A="kind-${CLUSTER_A}"
CONTEXT_B="kind-${CLUSTER_B}"

echo "=== Step 1: 在兩個集群啟用Cluster Mesh ==="
kubectl --context ${CONTEXT_A} -n kube-system exec ds/cilium -- \
  cilium clustermesh enable --cluster-id 1 --cluster-name ${CLUSTER_A}

kubectl --context ${CONTEXT_B} -n kube-system exec ds/cilium -- \
  cilium clustermesh enable --cluster-id 2 --cluster-name ${CLUSTER_B}

echo "=== Step 2: 等待Cluster Mesh API就緒 ==="
kubectl --context ${CONTEXT_A} -n kube-system rollout status deploy/clustermesh-apiserver --timeout=120s
kubectl --context ${CONTEXT_B} -n kube-system rollout status deploy/clustermesh-apiserver --timeout=120s

echo "=== Step 3: 連接兩個集群 ==="
kubectl --context ${CONTEXT_A} -n kube-system exec ds/cilium -- \
  cilium clustermesh connect --destination-context ${CONTEXT_B}

echo "=== Step 4: 驗證集群連接狀態 ==="
kubectl --context ${CONTEXT_A} -n kube-system exec ds/cilium -- \
  cilium clustermesh status

kubectl --context ${CONTEXT_B} -n kube-system exec ds/cilium -- \
  cilium clustermesh status

echo "=== Step 5: 測試跨集群服務發現 ==="
kubectl --context ${CONTEXT_A} run test-cross-cluster \
  --image=cilium/cilium:latest --restart=Never -- \
  curl -s http://global-api-server.production.svc.cluster.local:8080/health

echo "=== Step 6: 驗證全域Service ==="
kubectl --context ${CONTEXT_A} get svc global-api-server -n production -o yaml
kubectl --context ${CONTEXT_B} get svc global-api-server -n production -o yaml

echo "✅ Cluster Mesh設定完成!"

跨集群容錯移轉測試

#!/bin/bash
# test-cross-cluster-failover.sh
# 跨集群容錯移轉測試

CLUSTER_A="us-west"
CLUSTER_B="eu-central"
CONTEXT_A="kind-${CLUSTER_A}"
CONTEXT_B="kind-${CLUSTER_B}"

echo "=== 基線測試:正常跨集群存取 ==="
for i in $(seq 1 10); do
  RESULT=$(kubectl --context ${CONTEXT_A} exec deploy/test-client -- \
    curl -s http://global-api-server.production.svc.cluster.local:8080/cluster-name)
  echo "Request ${i}: ${RESULT}"
done

echo ""
echo "=== 模擬集群B故障 ==="
kubectl --context ${CONTEXT_B} scale deploy api-server -n production --replicas=0

echo "=== 驗證流量自動切換到集群A ==="
for i in $(seq 1 10); do
  RESULT=$(kubectl --context ${CONTEXT_A} exec deploy/test-client -- \
    curl -s http://global-api-server.production.svc.cluster.local:8080/cluster-name)
  echo "Failover Request ${i}: ${RESULT}"
done

echo "=== 恢復集群B ==="
kubectl --context ${CONTEXT_B} scale deploy api-server -n production --replicas=3

echo "✅ 容錯移轉測試完成!"

模式五:Hubble可觀測性與網路追蹤

Hubble部署與配置

# hubble-values.yaml
# Hubble可觀測性配置
hubble:
  enabled: true
  listenAddress: ":4244"
  metrics:
    enabled:
      - dns:query
      - drop
      - tcp
      - flow
      - port-distribution
      - http:method;path;status
      - icmp
    serviceMonitor:
      enabled: true
    dashboards:
      enabled: true
      namespace: monitoring
  relay:
    enabled: true
    replicas: 2
    rollOutPods: true
  ui:
    enabled: true
    replicas: 1
    rollOutPods: true
    ingress:
      enabled: true
      className: nginx
      hosts:
        - hubble.example.com
      tls:
        secretName: hubble-tls

Hubble CLI網路追蹤

#!/bin/bash
# hubble-observability.sh
# Hubble可觀測性與網路追蹤

echo "=== 即時流量監控 ==="
hubble observe --since 1m --output json | jq -r '
  select(.source.namespace == "production") |
  "\(.timestamp) \(.source.pod_name) → \(.destination.pod_name) \(.event.type) \(.l7.protocol // "L4") \(.l7.method // "") \(.l7.path // "") \(.response_status // "")"
'

echo ""
echo "=== 追蹤特定Pod的流量 ==="
hubble observe --pod api-server-7d9f8b6c4-x2k1p --since 5m

echo ""
echo "=== 偵測被拒絕的流量 ==="
hubble observe --since 10m --type trace --verdict DROPPED | head -50

echo ""
echo "=== HTTP流量分析 ==="
hubble observe --since 5m --protocol http --output json | jq -r '
  "\(.source.pod_name) → \(.destination.pod_name) [\(.l7.method)] \(.l7.path) → \(.l7.response_code)"
' | sort | uniq -c | sort -rn | head -20

echo ""
echo "=== DNS查詢監控 ==="
hubble observe --since 5m --protocol dns --output json | jq -r '
  "\(.source.pod_name) → \(.l7.dns.query) \(.l7.dns.rcode // "OK")"
' | sort | uniq -c | sort -rn | head -20

echo ""
echo "=== 網路延遲分析 ==="
hubble observe --since 5m --type trace --output json | jq -r '
  select(.latency_ns != null) |
  "\(.source.pod_name) → \(.destination.pod_name) latency: \(.latency_ns / 1000000)ms"
' | sort -t: -k2 -n | tail -20

echo "✅ Hubble可觀測性分析完成!"

Hubble Prometheus指標

# hubble-prometheus-rules.yaml
# Hubble告警規則
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: hubble-alerts
  namespace: monitoring
spec:
  groups:
    - name: hubble-network
      rules:
        # 高丟包率告警
        - alert: CiliumHighDropRate
          expr: |
            rate(hubble_drop_total{verdict="DROPPED"}[5m]) > 10
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "Cilium偵測到高丟包率"
            description: "命名空間 {{ $labels.namespace }} 中的Pod {{ $labels.source_pod }} 丟包率超過10/s"

        # DNS解析失敗告警
        - alert: CiliumDNSFailures
          expr: |
            rate(hubble_dns_responses_total{rcode="NXDOMAIN"}[5m]) > 5
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "DNS解析失敗率異常"
            description: "命名空間 {{ $labels.namespace }} DNS NXDOMAIN回應超過5/s"

        # TCP連線重置告警
        - alert: CiliumTCPResets
          expr: |
            rate(hubble_tcp_flags_total{flag="RST"}[5m]) > 50
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: "TCP RST封包異常"
            description: "命名空間 {{ $labels.namespace }} TCP RST封包超過50/s"

        # 跨集群延遲告警
        - alert: CiliumCrossClusterLatency
          expr: |
            histogram_quantile(0.99, rate(hubble_flows_processed_duration_seconds_bucket{source_cluster!=""}[5m])) > 0.5
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: "跨集群網路延遲過高"
            description: "P99延遲超過500ms"

踩坑指南

坑1:Cilium安裝後Pod無法通訊

# ❌ 錯誤:未正確配置tunnel模式,節點網路不相容
tunnel: disabled
autoDirectNodeRoutes: false

# ✅ 正確:根據網路環境選擇tunnel模式
# 雲環境(VPC支援路由)
tunnel: disabled
autoDirectNodeRoutes: true
directRoutingSkipUnreachable: true

# 通用環境(VXLAN覆蓋網路)
tunnel: vxlan
tunnelPort: 8473

坑2:L7策略不生效

# ❌ 錯誤:L7策略缺少toPorts定義,Cilium無法注入代理
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: bad-l7-policy
spec:
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      rules:
        http:
          - method: GET
            path: "/api/.*"

# ✅ 正確:L7規則必須在toPorts下定義
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: good-l7-policy
spec:
  endpointSelector:
    matchLabels:
      app: api-server
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/.*"

坑3:Cluster Mesh連線失敗

# ❌ 錯誤:etcd憑證未正確同步
cilium clustermesh connect --destination-context other-cluster

# ✅ 正確:先確保etcd憑證正確,再連線
# 檢查Cluster Mesh API Server狀態
kubectl -n kube-system get deploy/clustermesh-apiserver
kubectl -n kube-system logs deploy/clustermesh-apiserver

# 確保憑證Secret存在
kubectl -n kube-system get secret clustermesh-apiserver-server-certs
kubectl -n kube-system get secret clustermesh-apiserver-remote-certs

# 使用正確的連線方式
cilium clustermesh connect \
  --destination-context other-cluster \
  --destination-name other-cluster

坑4:Hubble UI無法顯示流量

# ❌ 錯誤:Hubble Relay無法連線到Cilium Agent
hubble:
  relay:
    enabled: true
    # 缺少dialTimeout配置導致超時

# ✅ 正確:配置Hubble Relay超時和重試
hubble:
  relay:
    enabled: true
    dialTimeout: "5s"
    retryTimeout: "30s"
    maxFlows: 10000
    sortBufferLenMax: 1000
    sortBufferFlushInterval: "1s"
    port: 4245
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 500m
        memory: 512Mi

坑5:eBPF程式載入失敗

# ❌ 錯誤:核心版本不相容,直接安裝
helm install cilium cilium/cilium

# ✅ 正確:先檢查核心相容性
# 檢查核心版本(需要 >= 5.4,推薦 >= 5.10)
uname -r

# 檢查eBPF特性支援
kubectl -n kube-system exec ds/cilium -- cilium-dbg features

# 如果核心版本較低,啟用相容模式
helm install cilium cilium/cilium \
  --set bpf.preallocateMaps=false \
  --set bpf.tproxy=false \
  --set hostFirewall.enabled=false

# 檢查eBPF程式載入狀態
kubectl -n kube-system exec ds/cilium -- cilium-dbg bpf lb list
kubectl -n kube-system exec ds/cilium -- cilium-dbg status

錯誤排查表

錯誤現象 可能原因 排查命令 解決方案
Pod無法跨節點通訊 tunnel配置錯誤 cilium bpf tunnel list 檢查tunnel模式,確保VXLAN埠8473開放
Cilium Pod CrashLoopBackOff 核心版本不相容 dmesg | grep -i bpf 升級核心至5.10+或啟用相容模式
L7策略不生效 缺少toPorts定義 cilium policy get L7規則必須巢狀在toPorts.ports.rules下
Cluster Mesh連線超時 etcd憑證過期 kubectl logs -n kube-system deploy/clustermesh-apiserver 重新產生憑證:cilium clustermesh enable
Hubble無流量資料 Relay連線Agent失敗 kubectl logs -n kube-system deploy/hubble-relay 檢查dialTimeout和Agent埠4244
DNS解析失敗 eBPF DNS代理異常 cilium bpf ct list global | grep 53 檢查DNS策略,確保kube-dns標籤正確
網路延遲突增 eBPF map滿 cilium bpf ct list global | wc -l 增大ctMapMax,啟用GC
Service無法存取 kube-proxy殘留衝突 iptables -L -n | grep KUBE 徹底清理iptables規則,確認kube-proxy已移除
身份分配衝突 KVStore後端異常 cilium identity list 檢查etcd連線,重啟cilium-operator
跨集群Pod不可達 全域Service未配置 kubectl get svc -o yaml | grep global 新增service.cilium.io/global: "true"註解

進階優化

1. eBPF Map調優

# 大規模集群eBPF Map配置
bpf:
  mapDynamicSizeRatio: 0.0025
  ctMapMax: 524288        # 連線追蹤表
  ctTcpMax: 262144        # TCP連線追蹤
  ctAnyMax: 262144        # 非TCP連線追蹤
  lbMapMax: 65536         # 負載均衡映射
  lbServiceMapMax: 65536
  lbBackendMapMax: 65536
  natMapMax: 524288        # NAT映射
  neighMapMax: 524288      # 鄰居表
  policyMapMax: 16384      # 策略映射
  fragmentsMapMax: 8192    # 分片映射

2. 頻寬管理(EDT)

# 基於eBPF的頻寬管理
bandwidthManager:
  enabled: true
  bbr: true               # 啟用BBR擁塞控制
# 為Pod設定頻寬限制
kubectl annotate pod api-server-xxx \
  kubernetes.io/egress-bandwidth=100M \
  kubernetes.io/ingress-bandwidth=100M

3. Big TCP優化

# 大規模TCP優化(核心5.19+)
bpf:
  tcpRto: 100ms           # TCP重傳超時
  tproxy: true
kubeProxyReplacement:
  true
hostPort:
  enabled: true
externalIPs:
  enabled: true
nodePort:
  enabled: true
hostLegacyRouting:
  enabled: false

4. eBPF Host Routing

# 宿主機路由優化
bpf:
  hostLegacyRouting: false  # 使用eBPF替代宿主機路由
  lbExternalClusterIP: true
autoDirectNodeRoutes: true

5. 安全加固

# Cilium安全加固配置
securityContext:
  capabilities:
    add:
      - NET_ADMIN
      - SYS_MODULE
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
  readOnlyRootFilesystem: true

# 啟用加密
encryption:
  enabled: true
  type: wireguard
  nodeEncryption: true

對比表

特性 Cilium eBPF Calico Flannel Weave
資料面 eBPF iptables/eBPF VXLAN VXLAN
L3/L4策略
L7策略 ✅ HTTP/gRPC/Kafka
可觀測性 ✅ Hubble
Cluster Mesh
kube-proxy替換
頻寬管理 ✅ EDT/BBR
WireGuard加密
FQDN策略
大規模效能 O(1) O(n) O(n) O(n)
核心要求 ≥5.4 ≥4.9 ≥3.10 ≥3.10

💡 總結:Cilium eBPF網路策略代表了K8s網路安全的未來方向。從L3/L4身份標籤到L7應用層過濾,從單集群零信任到Cluster Mesh多集群互聯,從Hubble即時可觀測到eBPF效能最佳化——5個核心模式建構了完整的雲原生網路安全體系。記住:零信任不是一種產品,而是一種架構理念,Cilium是實現這一理念的最佳工具

線上工具推薦

  • JSON格式化 — 格式化Cilium策略JSON輸出,排查策略配置
  • cURL轉程式碼 — 將Hubble API查詢轉為程式碼,整合可觀測性
  • 雜湊計算 — 計算策略簽名雜湊,驗證配置完整性

本站提供瀏覽器本地工具,免註冊即可試用 →

#Cilium#eBPF#K8s网络#网络策略#2026#技术架构