Cilium v1.5 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source: ENFORCEMENT ENFORCEMENT 108 Disabled kubernete k8s:org=empire Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported
0 points | 740 pages | 12.52 MB | 1 year ago 3
Cilium v1.10 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy (beta) BGP (beta) Egress Gateway (beta) Cluster Mesh Setting up Cluster Mesh Load-balancing & Service Discovery Network kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
0 points | 1307 pages | 19.26 MB | 1 year ago 3
Cilium v1.6 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=empire Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported
0 points | 734 pages | 11.45 MB | 1 year ago 3
Cilium v1.11 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges (beta) Kata Containers with Cilium Configuring IPAM modes Local Redirect Policy (beta) BGP (beta) Egress Gateway (beta) CiliumEndpointSlice (beta) Cluster Mesh Setting up Cluster Mesh Load-balancing & kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS
0 points | 1373 pages | 19.37 MB | 1 year ago 3
Cilium v1.7 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=empire Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported
0 points | 885 pages | 12.41 MB | 1 year ago 3
Cilium v1.8 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=alliance Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported
0 points | 1124 pages | 21.33 MB | 1 year ago 3
Cilium v1.9 Documentation
access to and from external services, traditional CIDR based security policies for both ingress and egress are supported. This allows to limit access to and from application containers to particular IP ranges kubectl -n kube-system exec cilium-1c2cz -- cilium endpoint list ENDPOINT POLICY (ingress) POLICY (egress) IDENTITY LABELS (source:key[=value]) IPv6 IPv4 STATUS namespace=default k8s:org=alliance Both ingress and egress policy enforcement is still disabled on all of these pods because no network policy has been imported
0 points | 1263 pages | 18.62 MB | 1 year ago 3
Cilium's Network Acceleration Secrets
nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUTING nat POSTROUTING tc egress veth pod 2 veth process kernel < 5.10 tailCall-> to-container: kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network stack netfilter pod2 kernel network stack tc ingress kernel network stack netfilter tc egress veth veth eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network stack netfilter Accelerating east-west nodePort
0 points | 14 pages | 11.97 MB | 1 year ago 3
1.5 Years of Cilium Usage at DigitalOcean
between apps (allow for same customer, deny otherwise) ○ restrict connectivity for ingress (Envoy) and egress (public Internet with exceptions, e.g., SMTP) ○ allow connectivity to needed infrastructure (DNS)
0 points | 7 pages | 234.36 KB | 1 year ago 3
Containers and BPF: twagent story
important ● Has to be integrated with service discovery, etc Solution: ● Use BPF_CGROUP_INET_{EGRESS,INGRESS} ● If use-case allows, filter on socket level by BPF_CGROUP_INET6_{CONNECT,SENDMSG} ●
0 points | 9 pages | 427.42 KB | 1 year ago 3













