k8s-cilium

Cilium and Hubble network observability for Kubernetes. Use when managing network policies, observing traffic flows, or troubleshooting connectivity with eBPF-based networking.

859 stars

Best use case

k8s-cilium is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using k8s-cilium should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/k8s-cilium/SKILL.md --create-dirs "https://raw.githubusercontent.com/rohitg00/kubectl-mcp-server/main/kubernetes-skills/claude/k8s-cilium/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/k8s-cilium/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How k8s-cilium Compares

| Feature / Agent | k8s-cilium | Standard Approach |
|-----------------|------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

Cilium and Hubble network observability for Kubernetes. Use when managing network policies, observing traffic flows, or troubleshooting connectivity with eBPF-based networking.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Cilium & Hubble Network Observability

Manage eBPF-based networking using kubectl-mcp-server's Cilium tools (8 tools).

## When to Apply

Use this skill when:
- User mentions: "Cilium", "Hubble", "eBPF", "network policy", "flow"
- Operations: network policy management, traffic observation, L7 filtering
- Keywords: "network security", "traffic flow", "dropped packets", "connectivity"

## Priority Rules

| Priority | Rule | Impact | Tools |
|----------|------|--------|-------|
| 1 | Detect Cilium installation first | CRITICAL | `cilium_detect_tool` |
| 2 | Check agent status for health | HIGH | `cilium_status_tool` |
| 3 | Use Hubble for flow debugging | HIGH | `hubble_flows_query_tool` |
| 4 | Start with default deny | MEDIUM | CiliumNetworkPolicy |

## Quick Reference

| Task | Tool | Example |
|------|------|---------|
| Detect Cilium | `cilium_detect_tool` | `cilium_detect_tool()` |
| Agent status | `cilium_status_tool` | `cilium_status_tool()` |
| List policies | `cilium_policies_list_tool` | `cilium_policies_list_tool(namespace)` |
| Query flows | `hubble_flows_query_tool` | `hubble_flows_query_tool(namespace)` |

## Check Installation

```python
cilium_detect_tool()
```

## Cilium Status

```python
cilium_status_tool()
```

## Network Policies

### List Policies

```python
cilium_policies_list_tool(namespace="default")
```

### Get Policy Details

```python
cilium_policy_get_tool(name="allow-web", namespace="default")
```

### Create Cilium Network Policy

```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: web
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
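  # An egress section puts the selected app=web pods in egress default deny:
  # this policy allows only the database rule below (DNS is not included).
  egress: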
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
""")
```

## Endpoints

```python
cilium_endpoints_list_tool(namespace="default")
```

## Identities

```python
cilium_identities_list_tool()
```

## Nodes

```python
cilium_nodes_list_tool()
```

## Hubble Flow Observability

```python
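# All flows for one pod over the last five minutes
hubble_flows_query_tool(
    namespace="default",
    pod="my-pod",
    last="5m"
)

# Only flows that were dropped in the namespace
hubble_flows_query_tool(
    namespace="default",
    verdict="DROPPED"
)

# Only L7 (application-layer) flows in the namespace
hubble_flows_query_tool(
    namespace="default",
    type="l7"
)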
```

## Create L7 Policy

```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/users"
""")
```

## Cluster Mesh

```python
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-cross-cluster
spec:
  endpointSelector:
    matchLabels:
      app: shared-service
  ingress:
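  - fromEntities:
    - cluster      # all endpoints inside the local cluster
    - remote-node  # nodes other than the local host, in any connected cluster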
""")
```

## Troubleshooting Workflows

### Pod Can't Reach Service

```python
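# namespace and pod are placeholders for the affected workload
cilium_status_tool()                                        # is the agent healthy?
cilium_endpoints_list_tool(namespace)                       # is the pod a managed endpoint?
cilium_policies_list_tool(namespace)                        # which policies could select it?
hubble_flows_query_tool(namespace, pod, verdict="DROPPED")  # what is being dropped?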
```
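The dropped-flow query in this workflow is easier to act on when the drops are grouped by direction, peer and port, since each group points at one missing policy rule. The following is an added example, not part of the original SKILL.md or of kubectl-mcp-server: it assumes the flows are available as JSON lines with the field names Hubble uses in its JSON flow output (for example `hubble observe -o json`); whether `hubble_flows_query_tool` returns that exact shape is an assumption, and the sample flows are constructed.

```python
import json
from collections import Counter

# Constructed sample flows (made-up values) in Hubble's JSON-lines shape;
# only the fields read below are included.
SAMPLE_FLOWS = """
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","traffic_direction":"INGRESS","source":{"pod_name":"batch-7d9f","labels":["k8s:app=batch"]},"destination":{"pod_name":"web-5c6b","labels":["k8s:app=web"]},"l4":{"TCP":{"destination_port":80}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","traffic_direction":"INGRESS","source":{"pod_name":"batch-7d9f","labels":["k8s:app=batch"]},"destination":{"pod_name":"web-5c6b","labels":["k8s:app=web"]},"l4":{"TCP":{"destination_port":80}}}}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","traffic_direction":"EGRESS","source":{"pod_name":"web-5c6b","labels":["k8s:app=web"]},"destination":{"pod_name":"coredns-64fd","labels":["k8s:k8s-app=kube-dns"]},"l4":{"UDP":{"destination_port":53}}}}
{"flow":{"verdict":"FORWARDED","traffic_direction":"INGRESS","source":{"pod_name":"frontend-9a1c","labels":["k8s:app=frontend"]},"destination":{"pod_name":"web-5c6b","labels":["k8s:app=web"]},"l4":{"TCP":{"destination_port":80}}}}
not-json: truncated line
"""

def workload(endpoint):
    """Name an endpoint by its app label, else by pod name."""
    for label in endpoint.get("labels", []):
        if label.startswith(("k8s:app=", "k8s:k8s-app=")):
            return label.split("=", 1)[1]
    return endpoint.get("pod_name") or "unknown"

def dest_port(l4):
    """Render the destination port as '80/TCP'; 'n/a' when no port is present."""
    for proto, fields in (l4 or {}).items():
        if "destination_port" in fields:
            return f"{fields['destination_port']}/{proto}"
    return "n/a"

def summarize_drops(text):
    """Count DROPPED flows per (direction, source, destination, port, reason)."""
    drops = Counter()
    for line in text.splitlines():
        try:
            flow = json.loads(line)["flow"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # skip blank, truncated or non-flow lines
        if flow.get("verdict") != "DROPPED":
            continue
        drops[(flow.get("traffic_direction", "?"),
               workload(flow.get("source", {})),
               workload(flow.get("destination", {})),
               dest_port(flow.get("l4")),
               flow.get("drop_reason_desc", "?"))] += 1
    return drops.most_common()

if __name__ == "__main__":
    for key, count in summarize_drops(SAMPLE_FLOWS):
        print(count, *key)
```

In the constructed sample, the egress drop from `web` to `kube-dns` on 53/UDP is what a policy like `allow-web` produces when no other policy allows DNS for those pods.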

### Policy Not Working

```python
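cilium_policy_get_tool(name, namespace)   # check the selectors and rules as applied
cilium_endpoints_list_tool(namespace)     # confirm the target pods carry the selected labels
hubble_flows_query_tool(namespace)        # compare observed verdicts with the intended rules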
```

### Network Performance Issues

```python
cilium_status_tool()                           # agent health
cilium_nodes_list_tool()                       # node-level view
hubble_flows_query_tool(namespace, type="l7")  # application-layer flows
```

## Best Practices

1. **Start with default deny**: Create baseline deny-all policy
2. **Use labels consistently**: Policies rely on label selectors
3. **Monitor with Hubble**: Observe flows before/after policy changes
4. **Test in staging**: Verify policies don't break connectivity

## Prerequisites

- **Cilium**: Required for all Cilium tools
  ```bash
  cilium install
  ```

## Related Skills

- [k8s-networking](../k8s-networking/SKILL.md) - Standard K8s networking
- [k8s-security](../k8s-security/SKILL.md) - Security policies
- [k8s-service-mesh](../k8s-service-mesh/SKILL.md) - Istio service mesh
