
Cilium eBPF Network Policy & Hubble Observability Prompt

Move beyond basic NetworkPolicy to Cilium's eBPF dataplane — author L3/L4/L7 CiliumNetworkPolicies, use Hubble to see real flows and policy drops, and adopt identity-based segmentation instead of IP-based rules.

Target user: Platform engineers running or adopting Cilium as their CNI
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a network engineer who runs Cilium in production and uses Hubble to answer "why is this connection dropped?" in under a minute.

Give me:
- Cilium version, dataplane mode (kube-proxy replacement? tunneling vs native routing), and whether Hubble is enabled
- The connectivity you want to allow/deny (services, namespaces, egress to external APIs)
- Whether you need L7 (HTTP/gRPC/DNS) controls
- Current standard NetworkPolicies you're migrating from

Help me design and observe:

1. **Identity, not IPs** — explain Cilium's identity model (endpoints labeled, policy keyed on identity) and why this survives pod churn where IP-based rules don't. Note the difference between `CiliumNetworkPolicy` and `CiliumClusterwideNetworkPolicy`.

2. **Layered policy** — author a default-deny baseline, then L3/L4 allows by label, then L7 rules (HTTP method/path, gRPC service, and crucially **DNS-aware egress** with `toFQDNs` so you can allow `api.stripe.com` without hardcoding IPs). Show the DNS proxy interaction.

3. **Observe before enforce** — use Hubble (`hubble observe --verdict DROPPED`, flow filters by namespace/identity) to baseline real traffic, then derive policy from observed flows instead of guessing. Show how to read a drop and trace it to the missing rule.

4. **Migration from standard NetworkPolicy** — what carries over verbatim, what Cilium extends, and the ordering/precedence gotchas when both kinds exist.

5. **kube-proxy replacement & gotchas** — if running eBPF kube-proxy replacement, the implications for `externalTrafficPolicy`, hostPort, and source-IP preservation.

6. **Validation** — a connectivity test matrix (allowed paths pass, denied paths drop) and how to wire it into CI with `cilium connectivity test`.

Output: (a) the default-deny + L3/L4 + L7 + toFQDNs policy set, (b) the Hubble commands to baseline and to debug a drop, (c) a NetworkPolicy→CiliumNetworkPolicy migration table, (d) a connectivity-test matrix, (e) the top eBPF-mode gotchas for my config.
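
To make steps 2 and 3 concrete, here is an added example (not part of the original prompt or of Cilium's own tooling) that reads `hubble observe -o json` flow lines, keeps the `POLICY_DENIED` drops, and derives the missing `CiliumNetworkPolicy` egress rules from them: `toEndpoints` by label for in-cluster destinations and `toFQDNs` for `reserved:world` destinations with a resolved name, prepending the kube-dns L7 DNS rule the DNS proxy needs. The sample flows are constructed, and the JSON field names are assumed to match Hubble's flow format.

```python
"""Turn Hubble policy drops into candidate CiliumNetworkPolicy egress rules."""
import json
# Constructed sample of `hubble observe -o json` output (one flow per line under a
# top-level "flow" key); field names follow Hubble's flow JSON, values are made up.
SRC = '{"namespace":"payments","labels":["k8s:app=checkout","k8s:io.kubernetes.pod.namespace=payments"]}'
SAMPLE_FLOWS = "\n".join([
    '{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":' + SRC + ',"destination":'
    '{"labels":["k8s:app=ledger","k8s:io.kubernetes.pod.namespace=payments"]},"l4":{"TCP":{"destination_port":8080}}}}',
    '{"flow":{"verdict":"FORWARDED","source":' + SRC + ',"destination":{"labels":["k8s:k8s-app=kube-dns",'
    '"k8s:io.kubernetes.pod.namespace=kube-system"]},"l4":{"UDP":{"destination_port":53}}}}',
    '{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","source":' + SRC + ',"destination":'
    '{"labels":["reserved:world"]},"destination_names":["api.stripe.com"],"l4":{"TCP":{"destination_port":443}}}}',
])
# toFQDNs only works when DNS passes through Cilium's DNS proxy, so an FQDN policy
# must also allow kube-dns with an L7 DNS rule (matchPattern "*" records every query).
DNS_RULE = {"toEndpoints": [{"matchLabels": {"k8s:io.kubernetes.pod.namespace": "kube-system", "k8s:k8s-app": "kube-dns"}}],
            "toPorts": [{"ports": [{"port": "53", "protocol": "ANY"}], "rules": {"dns": [{"matchPattern": "*"}]}}]}

def policy_drops(text):
    """Parse Hubble JSON lines and keep flows dropped because no rule allowed them."""
    flows = [json.loads(l).get("flow", {}) for l in text.splitlines() if l.strip()]  # blanks skipped
    return [f for f in flows if f.get("verdict") == "DROPPED" and f.get("drop_reason_desc") == "POLICY_DENIED"]

def k8s_labels(labels):
    """'k8s:app=ledger' -> {'k8s:app': 'ledger'}; labels from other sources are ignored."""
    return dict(l.partition("=")[::2] for l in labels if l.startswith("k8s:"))

def derive_egress_rules(drops):
    """One egress rule per (destination, port): toFQDNs for world, toEndpoints for pods."""
    rules = {}
    for f in drops:
        proto, l4 = next(iter(f["l4"].items()))
        if "destination_port" not in l4: continue  # e.g. ICMP: nothing at L4 to allow by port
        port = {"port": str(l4["destination_port"]), "protocol": proto}
        dst, names = f.get("destination", {}), f.get("destination_names", [])
        if "reserved:world" in dst.get("labels", []) and names:
            sel = {"toFQDNs": [{"matchName": n} for n in names]}
        else:
            sel = {"toEndpoints": [{"matchLabels": k8s_labels(dst.get("labels", []))}]}
        key = (json.dumps(sel, sort_keys=True), proto, port["port"])  # dedupe repeated drops
        rules.setdefault(key, {**sel, "toPorts": [{"ports": [port]}]})
    return list(rules.values())

def build_policy(name, namespace, selector, drops):
    """Assemble a CiliumNetworkPolicy dict for the endpoints matched by selector."""
    egress = derive_egress_rules(drops)
    if any("toFQDNs" in r for r in egress): egress.insert(0, DNS_RULE)
    return {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy", "metadata": {"name": name, "namespace": namespace},
            "spec": {"endpointSelector": {"matchLabels": selector}, "egress": egress}}
```

Dump the result with `json.dumps(build_policy(...), indent=2)` and review it before applying; a derived allow list is a starting point for the observe-before-enforce loop, not a substitute for deciding which of the observed flows should exist.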