This module enables advanced network security and observability in OpenChoreo using Cilium.
- Project boundary isolation at runtime using CiliumNetworkPolicies
- Egress control based on FQDN, HTTP paths, etc. (Coming Soon)
- Cilium must be installed on the dataplane Kubernetes clusters and configured as the Container Network Interface (CNI) plugin.
- For network observability, OpenChoreo must be installed with the observability plane enabled and with the observability-metrics-prometheus community module installed.
After the prerequisites are met, configure your Cilium installation in the dataplane Kubernetes cluster with the following values to enable HTTP metrics observability.
Example using Helm:

```bash
helm upgrade --install cilium oci://quay.io/cilium/charts/cilium \
  --version 1.19.4 \
  --namespace kube-system \
  --reuse-values \
  -f - <<EOF
hubble:
  enabled: true
  metrics:
    enabled:
      - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction,source_pod,destination_pod"
      - dns
      - drop
      - tcp
    serviceMonitor:
      enabled: true
  relay:
    enabled: true
envoy:
  enabled: true
EOF
```

Example using Cilium CLI:

```bash
cilium upgrade \
  --version 1.19.4 \
  --namespace kube-system \
  --reuse-values \
  --helm-set hubble.enabled=true \
  --helm-set hubble.metrics.enabled="{httpV2:exemplars=true;labelsContext=source_ip\,source_namespace\,source_workload\,destination_ip\,destination_namespace\,destination_workload\,traffic_direction\,source_pod\,destination_pod,dns,drop,tcp}" \
  --helm-set hubble.metrics.serviceMonitor.enabled=true \
  --helm-set hubble.relay.enabled=true \
  --helm-set envoy.enabled=true
```
- Add the annotation `openchoreo.dev/networkpolicyprovider: cilium` to the `DataPlane` or `ClusterDataPlane` resources that point to the Kubernetes cluster where Cilium is configured.

  Example:

  ```bash
  kubectl annotate clusterdataplanes.openchoreo.dev default openchoreo.dev/networkpolicyprovider=cilium --overwrite
  ```

- Add the `HUBBLE_RELAY_ADDR` environment variable to the OpenChoreo Cluster Agent system component so that it can query Hubble Relay.

  Example:

  ```bash
  helm upgrade --install openchoreo-data-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-data-plane \
    --version 1.2.0 \
    --namespace openchoreo-data-plane \
    --create-namespace \
    --reuse-values \
    --set "clusterAgent.extraEnvs[0].name=HUBBLE_RELAY_ADDR" \
    --set "clusterAgent.extraEnvs[0].value=hubble-relay.kube-system:80"
  ```

Verify that the annotation has been set correctly on the DataPlane/ClusterDataPlane resources.

Example:

```bash
kubectl describe clusterdataplanes.openchoreo.dev default | grep "openchoreo.dev/networkpolicyprovider"
```

Verify that CiliumNetworkPolicy resources are generated in the dataplane cluster instead of NetworkPolicy resources.

Example:
```bash
kubectl get ciliumnetworkpolicies.cilium.io -A
```

This module integrates Cilium, OpenChoreo, and observability-metrics-prometheus (an OpenChoreo community module), and is compatible with the following versions.

| Component | Compatible Version | Notes |
|---|---|---|
| Cilium | 1.19.x | |
| OpenChoreo | >=1.1.x | Requires 1.2.x for Wirelogs |
| Observability-Metrics-Prometheus | 0.6.x | OpenChoreo community module |
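The Cilium configuration and the verification steps above each end in a manual `kubectl` or `helm` command. The script below is an added example, not part of the OpenChoreo cilium module or its documentation: it turns those checks into a small post-install gate that fails when the provider annotation is missing, when the rendered Hubble metrics do not enable `httpV2` with every label from the values above, or when no CiliumNetworkPolicy has been generated. Each check is a function over command output, so the same functions run offline against the constructed samples at the bottom or, with `--live`, against the cluster `kubectl` currently points at. It assumes the ClusterDataPlane is named `default` and Cilium runs in `kube-system`, as in the examples on this page, and that the Cilium Helm chart renders `hubble.metrics.enabled` into the `hubble-metrics` key of the `cilium-config` ConfigMap.

```shell
#!/bin/sh
# Added example; not part of the OpenChoreo cilium module or its documentation.
# Post-install gate mirroring the Cilium configuration and verification steps
# on this page. Assumptions: ClusterDataPlane "default", Cilium in kube-system,
# and the Cilium Helm chart writing hubble.metrics.enabled into the
# "hubble-metrics" key of the cilium-config ConfigMap.

# labelsContext entries the httpV2 metric must carry (the list from the Helm values above).
REQUIRED_LABELS="source_ip source_namespace source_workload destination_ip destination_namespace destination_workload traffic_direction source_pod destination_pod"

# Check 1: the openchoreo.dev/networkpolicyprovider annotation value must be exactly "cilium".
provider_is_cilium() {
  [ "$1" = "cilium" ]
}

# Check 2: the space-separated Hubble metrics list must enable httpV2, and that
# entry's labelsContext must contain every required label.
hubble_metrics_ok() {
  http=""
  for item in $1; do
    case "$item" in
      httpV2:*) http="$item" ;;
    esac
  done
  [ -n "$http" ] || return 1
  for label in $REQUIRED_LABELS; do
    case "$http" in
      *labelsContext=*"$label"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Check 3: at least one CiliumNetworkPolicy exists. Takes the stdout of
#   kubectl get ciliumnetworkpolicies.cilium.io -A --no-headers
# which is empty (with "No resources found" on stderr) when there are none.
policies_generated() {
  n=$(printf '%s\n' "$1" | grep -c . || true)
  [ "$n" -gt 0 ]
}

# Live mode: run the three checks against the current cluster.
run_live() {
  provider=$(kubectl get clusterdataplanes.openchoreo.dev default \
    -o jsonpath='{.metadata.annotations.openchoreo\.dev/networkpolicyprovider}')
  provider_is_cilium "$provider" || { echo "FAIL: provider annotation is '$provider', expected cilium"; return 1; }
  metrics=$(kubectl -n kube-system get configmap cilium-config -o jsonpath='{.data.hubble-metrics}')
  hubble_metrics_ok "$metrics" || { echo "FAIL: hubble-metrics is '$metrics'; httpV2 with the required labels is missing"; return 1; }
  cnps=$(kubectl get ciliumnetworkpolicies.cilium.io -A --no-headers 2>/dev/null)
  policies_generated "$cnps" || { echo "FAIL: no CiliumNetworkPolicy resources found"; return 1; }
  echo "OK: Cilium network policy provider and Hubble HTTP metrics are active"
}

# Constructed samples (not captured from a real cluster) so the script runs offline.
SAMPLE_METRICS="httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction,source_pod,destination_pod dns drop tcp"
SAMPLE_CNPS="project-a   project-a-boundary   10m
project-b   project-b-boundary   10m"

if [ "${1:-}" = "--live" ]; then
  run_live
else
  provider_is_cilium cilium && hubble_metrics_ok "$SAMPLE_METRICS" && policies_generated "$SAMPLE_CNPS" \
    && echo "offline self-check passed"
fi
```

Run it with `--live` after the installation steps; any failing check prints which of the three prerequisites is missing, which is more useful in a rollout pipeline than eyeballing `kubectl describe` output. The label check is deliberately strict: dropping a single label from `labelsContext` leaves the metric enabled but without the dimension that names the workload, which is easy to miss when only checking that `hubble.enabled` is true.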