Explore Cilium's vocabulary — eBPF-based networking, L7 network policies, Hubble observability, and sidecar-free service mesh.
1 / 5
At standup, a new platform engineer asks what eBPF programs are in Cilium's context. Which answer is correct?
eBPF programs run directly inside the Linux kernel in a sandboxed, verified environment. Cilium uses them to attach to kernel hook points (TC, XDP, socket) and implement packet forwarding, load balancing, network policy enforcement, and observability — all without user-space proxies like kube-proxy or per-pod sidecar processes.
2 / 5
In a PR review, a colleague asks how CiliumNetworkPolicy differs from standard Kubernetes NetworkPolicy. What is correct?
CiliumNetworkPolicy goes beyond standard NetworkPolicy in two key ways: (1) L7 awareness — rules can match HTTP methods/paths, Kafka topics, DNS FQDNs, and more; (2) identity-based enforcement using Cilium's security identity derived from pod labels, rather than ephemeral IP addresses, making policies stable across pod restarts.
3 / 5
An incident reveals that Hubble is not showing network flows. What is Hubble and why might flows be missing?
Hubble is Cilium's integrated observability platform. It captures every network flow seen by the Cilium agent and makes these flows available via gRPC (hubble observe) and a web UI. Flows will be missing if the --enable-hubble agent flag is absent, the Hubble relay deployment is not running, or the Hubble listener socket is not accessible.
4 / 5
During a design review, the team asks how kube-proxy replacement works with Cilium. What is correct?
With kubeProxyReplacement: true, Cilium implements all Service types (ClusterIP, NodePort, LoadBalancer, ExternalIPs) using eBPF maps and XDP (for early packet processing). This eliminates all kube-proxy iptables chains, reducing network latency and CPU overhead — especially beneficial at scale with thousands of Services.
5 / 5
In a code review of a Cilium service mesh deployment, a teammate mentions sidecar-free service mesh mode. What does this mean?
Cilium's sidecar-free service mesh replaces the traditional per-pod Envoy sidecar with a per-node Envoy proxy managed by Cilium. Using CiliumEnvoyConfig CRDs, you get L7 load balancing, mTLS, HTTP retries, and observability without injecting sidecars into every pod — dramatically reducing the per-pod memory and CPU overhead of a full service mesh.