Networking Toolkit
Toolkit Track | 8 Modules | ~6-7 hours total
Overview
The Networking Toolkit covers advanced Kubernetes networking beyond basic Services and Ingress. Cilium brings eBPF-based networking with identity-based (label-based) policy and flow-level observability through Hubble. Service mesh adds traffic management and mTLS for complex microservice architectures.
This toolkit builds on Security Principles and complements the Security Tools Toolkit.
Prerequisites
Before starting this toolkit:
- Kubernetes Services, Pods, and basic networking
- Security Principles Foundations
- Linux networking basics (TCP/IP, DNS)
- Container fundamentals
Modules
| # | Module | Complexity | Time |
|---|---|---|---|
| 5.1 | Cilium | [COMPLEX] | 50-60 min |
| 5.2 | Service Mesh | [COMPLEX] | 50-60 min |
| 5.3 | DNS Deep Dive | [MEDIUM] | 40 min |
| 5.4 | MetalLB | [MEDIUM] | 35 min |
| 5.5 | Flannel | [MEDIUM] | 45-50 min |
| 5.6 | Calico | [COMPLEX] | 55-65 min |
| 5.7 | kube-router | [MEDIUM] | 40-45 min |
| 5.8 | Multus | [MEDIUM] | 40-45 min |
Learning Outcomes
After completing this toolkit, you will be able to:
- Deploy Cilium as CNI — Replace kube-proxy, enable eBPF networking
- Write network policies — Identity-based L3-L7 policies
- Observe network traffic — Hubble for flow visibility
- Understand service mesh — When to use Istio/Linkerd and when not to
- Configure mTLS — Zero-trust service-to-service communication
- Deploy Calico — BGP networking, policy tiers, WireGuard encryption, IPAM
Tool Selection Guide
WHICH NETWORKING APPROACH?

"I need basic network policies and a modern CNI"
→ Cilium (without service mesh)
  - Identity-based policies
  - eBPF performance
  - Hubble observability
  - Replaces kube-proxy

"I need mTLS and traffic management (canary, retries)"
→ Decide based on complexity:
  - Simple needs → Cilium Service Mesh (sidecar-free, per-node Envoy)
  - Medium needs → Linkerd (lightweight Rust proxy)
  - Complex needs → Istio (most features, most overhead)

COMPARISON:

| | Cilium | Linkerd | Istio |
|---|---|---|---|
| Proxy | eBPF (kernel) for L3/L4; per-node Envoy for L7 | Rust sidecar | Envoy sidecar |
| Memory/pod | ~0 MB (no sidecar) | ~10 MB | ~50-100 MB |
| Latency overhead | Minimal | ~1 ms | ~2 ms |
| Complexity | Low | Medium | High |
| mTLS | ✓ | ✓ | ✓ |
| L7 policies | ✓ | Limited | Advanced |
| Traffic mgmt | Basic | Basic | Advanced |
| Learning curve | Medium | Low | High |

Memory and latency figures are rough order-of-magnitude values for sidecar-mode deployments; measure them for your own workloads before deciding.

The Networking Stack
KUBERNETES NETWORKING STACK

LAYER 7 - APPLICATION
- Ingress Controller (nginx, traefik)
- API Gateway
- Service Mesh L7 policies (HTTP routing, auth)

LAYER 4 - TRANSPORT
- Services (ClusterIP, NodePort, LoadBalancer)
- Service Mesh mTLS
- Network Policies (TCP/UDP rules)

LAYER 3 - NETWORK
- CNI Plugin (Cilium, Calico, Flannel)
- Pod-to-Pod networking
- IP address management

Study Path
Module 5.1: Cilium
- CNI + eBPF fundamentals
- Network policies
- Hubble observability
▼
Module 5.2: Service Mesh
- When to use service mesh
- Istio core concepts
- mTLS and traffic management
▼
[Toolkit Complete] → Scaling & Reliability Toolkit

Key Concepts
eBPF vs Traditional Networking
| Aspect | Traditional (iptables) | eBPF (Cilium) |
|---|---|---|
| Performance | O(n) rule matching | O(1) hash lookup |
| Visibility | Packet capture | Rich flow metadata |
| Updates | Slow, disruptive | Atomic, live |
| Identity | IP-based | Label-based |
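The "label-based identity" row is easiest to see in a real policy. The following is an added example written for this page, not code from the original page or from the Cilium project. It assumes a namespace `shop`, pods labelled `app=frontend` and `app=api`, the api container listening on TCP/8080, and an external payments API at `payments.example.com`; all of those names are assumptions. It shows an L3/L4 rule (who may talk to whom, on which port), an L7 HTTP rule, and an egress rule keyed on a DNS name rather than an IP.

```yaml
# Added example (not from the original page or the Cilium project).
# Assumed: namespace "shop", pods labelled app=frontend and app=api,
# the api container listening on TCP/8080, and an external payments API
# at payments.example.com. The "k8s:" labels are Cilium's reserved
# labels for the kube-dns pods in kube-system.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-ingress-from-frontend
  namespace: shop
spec:
  # Identity, not IP: the policy follows the pods' labels, so it survives
  # rescheduling and pod IP churn without any rule rewrite.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  # Once any ingress rule selects an endpoint, every other ingress flow
  # to it is dropped (default deny for the selected direction).
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7 rule: only GET on the products path. Cilium enforces this in a
      # per-node Envoy proxy; a non-matching HTTP request is answered with
      # 403 rather than dropped at L3/L4.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/products.*"
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-egress-dns-and-payments
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: api
  egress:
  # Selecting egress makes egress default-deny too, so DNS must be allowed
  # explicitly. The dns rule also makes Cilium inspect the answers, which
  # is what lets the toFQDNs rule below learn the resolved IPs.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # FQDN-based egress: allowed destination IPs are learned from the DNS
  # answers above, so the policy does not break when the provider's
  # addresses change.
  - toFQDNs:
    - matchName: "payments.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Two checks worth making after applying something like this: confirm with Hubble that flows from `frontend` to `api` show a forwarded verdict while flows from other pods are dropped, and confirm that a `POST` to the products path from `frontend` is rejected with a 403, which proves the L7 rule is actually going through the proxy rather than being silently ignored.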
Service Mesh Trade-offs
THE SERVICE MESH SPECTRUM

| | No Mesh | Cilium Mesh | Linkerd | Istio |
|---|---|---|---|---|
| Profile | Simple | Low overhead | Balanced | Full featured |
| Data plane | NetworkPolicies | eBPF-based | Rust proxy | Envoy proxy |
| Observability | Basic | Good | Great | Best |
| mTLS | No mTLS | mTLS | mTLS | mTLS + AuthZ |
| Traffic mgmt | No traffic mgmt | Basic | Basic | Advanced |

← Less complexity, less overhead ... More features, more overhead →

Common Decisions
Do I Need Cilium?
| Scenario | Recommendation |
|---|---|
| Modern K8s, want best CNI | Yes, replaces default CNI |
| Need L7 policies | Yes, CiliumNetworkPolicy |
| Want to replace kube-proxy | Yes, eBPF handles Services |
| Using managed K8s with good CNI | Maybe, depends on requirements |
Do I Need Service Mesh?
| Scenario | Recommendation |
|---|---|
| < 10 services | Probably not |
| Need mTLS for compliance | Yes, or use Cilium mesh |
| Complex traffic management | Yes, Istio |
| Cost-sensitive, many pods | Avoid heavy meshes, consider Linkerd/Cilium |
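"Yes, mTLS for compliance" is only half the story: mTLS gives each workload a verifiable identity, and the compliance win comes from then restricting who may call what. The following is an added example written for this page, not code from the original page or from the Istio project. It assumes Istio in sidecar mode installed in `istio-system`, a namespace `shop` with sidecar injection enabled, the api workload labelled `app=api`, and the frontend running under the ServiceAccount `frontend`; all of those names are assumptions. It shows the mesh-wide STRICT setting, the weaker PERMISSIVE override that quietly undoes it for one namespace, and an AuthorizationPolicy that turns the mTLS identity into least-privilege access.

```yaml
# Added example (not from the original page or the Istio project).
# Assumed: Istio in sidecar mode installed in istio-system, a namespace
# "shop" with sidecar injection enabled, the api workload labelled app=api,
# and the frontend running under the ServiceAccount "frontend".
#
# Mesh-wide default: a PeerAuthentication in the root namespace with no
# selector applies to every sidecar. STRICT rejects any plaintext
# connection to a meshed workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Weak setting, shown for contrast (do not apply as-is): a namespace-scoped
# PeerAuthentication overrides the mesh-wide default. PERMISSIVE accepts
# both mTLS and plaintext, so this reopens every workload in "shop" to
# unauthenticated callers. Use it only while migrating workloads into the
# mesh, then delete it or change the mode to STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: migration-only
  namespace: shop
spec:
  mtls:
    mode: PERMISSIVE
---
# mTLS gives every workload a SPIFFE identity of the form
# cluster.local/ns/<namespace>/sa/<serviceaccount>. An AuthorizationPolicy
# with action ALLOW that selects a workload denies every request that
# matches none of its rules, so only GET on the products path from the
# frontend's identity gets through.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products*"]
```

Two caveats a practitioner should keep in mind. First, the `principals` rule only matches when the connection is mTLS: a plaintext caller admitted by a PERMISSIVE PeerAuthentication has no principal and is denied by this AuthorizationPolicy, but only on workloads that such a policy selects, so the PERMISSIVE override still weakens every other workload in the namespace. Second, because namespace- and workload-level PeerAuthentications override the mesh-wide one, auditing the single `istio-system` object is not enough; list PeerAuthentications across all namespaces (for example `kubectl get peerauthentication -A`) and check the effective mode per pod before claiming STRICT mTLS for compliance.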
Hands-On Focus
| Module | Key Exercise |
|---|---|
| Cilium | Deploy CNI, implement network policies, use Hubble |
| Service Mesh | Deploy Istio, enable mTLS, traffic routing |
| Calico | Deploy Calico on kind, tiered policies, BGP peering |
Related Tracks
- Before: Security Tools Toolkit — Security context
- Before: Security Principles — Theory
- Related: IaC Tools Toolkit — Terraform modules for Cilium, Istio
- Related: DevSecOps Discipline — Security practices
- After: Scaling & Reliability — Autoscaling
“Network security isn’t about blocking traffic—it’s about understanding traffic. Cilium and service mesh give you that understanding.”