install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/rohitg00/kubectl-mcp-server/k8s-cilium" ~/.claude/skills/comeonoliver-skillshub-k8s-cilium && rm -rf "$T"
manifest:
skills/rohitg00/kubectl-mcp-server/k8s-cilium/SKILL.md
Cilium & Hubble Network Observability
Manage eBPF-based networking using kubectl-mcp-server's Cilium tools (8 tools).
When to Apply
Use this skill when:
- User mentions: "Cilium", "Hubble", "eBPF", "network policy", "flow"
- Operations: network policy management, traffic observation, L7 filtering
- Keywords: "network security", "traffic flow", "dropped packets", "connectivity"
Priority Rules
| Priority | Rule | Impact | Tools |
|---|---|---|---|
| 1 | Detect Cilium installation first | CRITICAL | |
| 2 | Check agent status for health | HIGH | |
| 3 | Use Hubble for flow debugging | HIGH | |
| 4 | Start with default deny | MEDIUM | CiliumNetworkPolicy |
Quick Reference
| Task | Tool | Example |
|---|---|---|
| Detect Cilium | | |
| Agent status | | |
| List policies | | |
| Query flows | | |
Check Installation
cilium_detect_tool()
Cilium Status
cilium_status_tool()
Network Policies
List Policies
cilium_policies_list_tool(namespace="default")
Get Policy Details
cilium_policy_get_tool(name="allow-web", namespace="default")
Create Cilium Network Policy
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-web
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: web
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
  egress:
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
""")
Endpoints
cilium_endpoints_list_tool(namespace="default")
Identities
cilium_identities_list_tool()
Nodes
cilium_nodes_list_tool()
Hubble Flow Observability
hubble_flows_query_tool(
    namespace="default",
    pod="my-pod",
    last="5m"
)
hubble_flows_query_tool(
    namespace="default",
    verdict="DROPPED"
)
hubble_flows_query_tool(
    namespace="default",
    type="l7"
)
Create L7 Policy
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-policy
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/api/v1/.*"
        - method: POST
          path: "/api/v1/users"
""")
Cluster Mesh
kubectl_apply(manifest="""
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-cross-cluster
spec:
  endpointSelector:
    matchLabels:
      app: shared-service
  ingress:
  - fromEntities:
    - cluster
    - remote-node
""")
Troubleshooting Workflows
Pod Can't Reach Service
cilium_status_tool()
cilium_endpoints_list_tool(namespace)
cilium_policies_list_tool(namespace)
hubble_flows_query_tool(namespace, pod, verdict="DROPPED")
Policy Not Working
cilium_policy_get_tool(name, namespace)
cilium_endpoints_list_tool(namespace)
hubble_flows_query_tool(namespace)
Network Performance Issues
cilium_status_tool()
cilium_nodes_list_tool()
hubble_flows_query_tool(namespace, type="l7")
Best Practices
- Start with default deny: Create baseline deny-all policy
- Use labels consistently: Policies rely on label selectors
- Monitor with Hubble: Observe flows before/after policy changes
- Test in staging: Verify policies don't break connectivity
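To make "start with default deny" checkable, the following added example (not part of the skill or of kubectl-mcp-server) audits which workloads a set of namespaced CiliumNetworkPolicy specs actually puts into default deny per direction. It assumes Cilium's default enforcement mode, handles only `matchLabels` selectors, and uses constructed workloads labelled after the apps named in the two policies above; the helper names are hypothetical.

```python
# Added example: find workloads left outside default deny by a policy set.
# Assumptions: default enforcement mode, matchLabels selectors only,
# namespaced CiliumNetworkPolicy only (cluster-wide policies not modelled).

def selects(policy, workload):
    """True if the policy's endpointSelector matches the workload."""
    if policy["metadata"].get("namespace", "default") != workload["namespace"]:
        return False
    want = policy["spec"].get("endpointSelector", {}).get("matchLabels", {})
    # An empty selector ({}) matches every endpoint in the namespace.
    return all(workload["labels"].get(k) == v for k, v in want.items())

def enforced_directions(policies, workload):
    """A direction is in default deny once any selecting policy carries
    a non-empty rule section for that direction."""
    dirs = set()
    for p in policies:
        if not selects(p, workload):
            continue
        spec = p["spec"]
        if spec.get("ingress") or spec.get("ingressDeny"):
            dirs.add("ingress")
        if spec.get("egress") or spec.get("egressDeny"):
            dirs.add("egress")
    return dirs

def audit(policies, workloads):
    """Map workload name -> sorted list of directions still unrestricted."""
    return {w["name"]: sorted({"ingress", "egress"} - enforced_directions(policies, w))
            for w in workloads}

def _cnp(name, app, **sections):
    """Hypothetical helper: build the subset of a CNP the audit reads."""
    return {"kind": "CiliumNetworkPolicy",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"endpointSelector": {"matchLabels": {"app": app}}, **sections}}

# The page's allow-web and api-policy, reduced to selectors and rule sections.
POLICIES = [
    _cnp("allow-web", "web",
         ingress=[{"fromEndpoints": [{"matchLabels": {"app": "frontend"}}]}],
         egress=[{"toEndpoints": [{"matchLabels": {"app": "database"}}]}]),
    _cnp("api-policy", "api",
         ingress=[{"fromEndpoints": [{"matchLabels": {"app": "frontend"}}]}]),
]
# Constructed workloads, one per app label mentioned in those policies.
WORKLOADS = [{"name": n, "namespace": "default", "labels": {"app": n}}
             for n in ("web", "api", "frontend", "database")]

if __name__ == "__main__":
    for name, gaps in audit(POLICIES, WORKLOADS).items():
        print(f"{name:9} unrestricted: {', '.join(gaps) or 'none'}")
```

With only the two policies above, `api` still has unrestricted egress and `frontend` and `database` are not covered at all; a baseline policy with an empty `endpointSelector` and empty `ingress`/`egress` rules closes those gaps before the allow rules are layered on.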
Prerequisites
- Cilium: Required for all Cilium tools
cilium install
Related Skills
- k8s-networking - Standard K8s networking
- k8s-security - Security policies
- k8s-service-mesh - Istio service mesh