
Cilium Integration

eBPF-powered network observability for Kubernetes. Monitor policy enforcement, DNS visibility, Hubble flow telemetry, and service mesh latency — no sidecars required.

Setup

How It Works

01

Enable Cilium & Hubble Metrics

Configure Cilium to expose Prometheus metrics and enable Hubble for flow-level telemetry. TigerOps deploys ServiceMonitors for cilium-agent, cilium-operator, and hubble-relay pods across all nodes.

02

Deploy TigerOps via Helm

Install the TigerOps Helm chart with the Cilium integration enabled. The chart configures metric scraping with the correct Hubble port (9965), Cilium agent port (9962), and operator port (9963).

03

Configure L7 Policy & DNS Visibility

Enable L7 protocol visibility in your CiliumNetworkPolicy rules. TigerOps ingests Hubble DNS query metrics, HTTP request rates per identity pair, and policy verdict distributions from the Hubble relay.

04

Set Network Policy & Latency Alerts

Define alert rules for policy drop rates per endpoint, DNS query failure spikes, and east-west service latency regressions. TigerOps correlates Cilium policy drops with Kubernetes network policy changes.
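Step 03 only produces DNS and HTTP data for workloads that are selected by a CiliumNetworkPolicy carrying L7 rules. The policy below is an added example, not taken from the TigerOps chart or documentation; the policy name, the `demo` namespace, the `app: frontend` and `app: backend` labels, and port 8080 are assumptions to replace with your own.

```yaml
# Added example: L7 visibility policy for one workload (names are assumptions).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-l7-visibility   # hypothetical name
  namespace: demo                # hypothetical namespace
spec:
  endpointSelector:
    matchLabels:
      app: frontend              # hypothetical workload label
  egress:
    # DNS to kube-dns: the dns rule sends lookups through Cilium's DNS proxy,
    # which is what produces per-pod DNS query and response-code data.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"   # observe every name, block none
    # HTTP to the backend: an empty http rule matches every request, so the
    # traffic is parsed at L7 without restricting methods or paths.
    - toEndpoints:
        - matchLabels:
            app: backend         # hypothetical workload label
      toPorts:
        - ports:
            - port: "8080"       # hypothetical service port
              protocol: TCP
          rules:
            http:
              - {}
```

Once an egress rule selects an endpoint, Cilium by default denies that endpoint's egress to any destination the policy does not list, so enumerate every destination the workload needs before applying it.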

Capabilities

What You Get Out of the Box

eBPF Network Policy Enforcement Metrics

Track policy verdict counts (forwarded, dropped, redirected) per Cilium endpoint identity pair. Monitor drop rates per CiliumNetworkPolicy rule and correlate policy drops with recent NetworkPolicy or CiliumNetworkPolicy changes.

DNS Visibility & Query Analytics

Monitor DNS query rates, NXDOMAIN rates, and DNS policy enforcement verdicts per pod identity. Identify pods generating anomalous DNS query volumes or attempting to resolve blocked domains via Cilium DNS proxy.

Hubble Flow Telemetry & Service Map

Ingest Hubble L3-L7 flow metrics to build per-service request rate, error rate, and latency (RED metrics) for every service-to-service connection in the mesh. No sidecar required — powered by eBPF.

Cilium Agent & Node Health

Monitor per-node cilium-agent health, BPF map pressure, endpoint regeneration latency, and ipcache update rates. Alert when BPF maps approach capacity limits that can cause packet drops.

Service Mesh Latency & mTLS Status

Track east-west service latency percentiles, mTLS handshake success rates, and certificate rotation events from Cilium service mesh (without Envoy sidecar). Monitor Envoy proxy metrics when L7 load balancing is enabled.

AI-Powered Network Anomaly Detection

TigerOps AI baselines per-identity-pair flow rates and policy verdict distributions. Sudden increases in policy drops, novel DNS resolution patterns, or unusual east-west traffic volumes trigger intelligent network anomaly alerts.

Configuration

TigerOps Helm Values for Cilium & Hubble

Enable Hubble flow telemetry, policy drop alerting, and DNS visibility collection for Cilium.

tigerops-cilium-values.yaml
# TigerOps Helm values for Cilium integration
# helm repo add tigerops https://charts.atatus.net
# helm install tigerops tigerops/tigerops -f tigerops-cilium-values.yaml

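global:
  # Helm does not expand ${...} placeholders in values files; render this file
  # with the key substituted (for example with envsubst) before installing.
  apiKey: "${TIGEROPS_API_KEY}"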
  remoteWriteEndpoint: https://ingest.atatus.net/api/v1/write

cilium:
  enabled: true

  # Cilium agent metrics (per-node DaemonSet)
  agent:
    metricsPort: 9962
    scrapeInterval: 15s
    # Enable additional metric sets
    metrics:
      - +bpf
      - +policy
      - +drop

  # Cilium operator metrics
  operator:
    metricsPort: 9963
    scrapeInterval: 30s

  # Hubble relay for flow telemetry
  hubble:
    enabled: true
    relay:
      metricsPort: 9965
      scrapeInterval: 15s
    # L7 protocol visibility (requires CiliumNetworkPolicy l7 rules)
    l7Visibility:
      enabled: true
      protocols:
        - HTTP
        - DNS
        - Kafka

  # Cluster Mesh monitoring
  clusterMesh:
    enabled: false   # set true if Cluster Mesh is deployed

  alerts:
    policyDropRatePerSecond: 10
    dnsNXDomainRatePct: 20
    bpfMapPressurePct: 80
    agentRestarts: 2
    hubbleDroppedFlowsPct: 5

FAQ

Common Questions

Does TigerOps require Hubble to be enabled for Cilium monitoring?

Hubble is required for flow-level telemetry (L3-L7 RED metrics, DNS visibility, service map). Basic Cilium agent health, BPF map metrics, and policy enforcement counters are available from cilium-agent Prometheus metrics without Hubble. We recommend enabling Hubble for full observability.

How does TigerOps correlate Cilium policy drops with Kubernetes network policies?

TigerOps watches Kubernetes NetworkPolicy and CiliumNetworkPolicy change events via the Kubernetes API. When a policy drop rate spike occurs, TigerOps checks for NetworkPolicy changes in the preceding 10-minute window and surfaces any correlating policy modifications as a probable cause.

What is the performance impact of enabling Hubble for flow metrics collection?

Hubble uses a per-node ring buffer to record flows. TigerOps scrapes aggregated metrics from the Hubble relay rather than individual flows, minimizing overhead. The cilium-agent CPU overhead from Hubble metrics aggregation is typically under 2% on production nodes.

Does TigerOps support Cilium Cluster Mesh for multi-cluster network visibility?

Yes. TigerOps collects Cilium Cluster Mesh metrics including remote cluster connectivity health, cross-cluster identity sync latency, and inter-cluster flow rates from Hubble. Cross-cluster service dependencies are visualized in the TigerOps service map.

Can TigerOps monitor Cilium Gateway API (Envoy-based ingress/egress) metrics?

Yes. When Cilium Gateway API is enabled, TigerOps scrapes the embedded Envoy listener metrics including downstream request rates, upstream connection health, and listener error rates. These are correlated with the corresponding HTTPRoute and Gateway objects.

Get Started

See Every Packet Decision Your Cilium Cluster Makes

Policy enforcement, DNS anomalies, east-west service latency, and BPF map health — eBPF-powered observability with AI root cause analysis.