Cilium v1.9 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing cilium cilium/cilium --version $CILIUM_VERSION \ --namespace $CILIUM_NAMESPACE \ --set hubble.tls.auto.method="cronJob" \ --set hubble.listenAddress=":4244" \ --set hubble.relay.enabled=true
0 credits | 1263 pages | 18.62 MB | 1 year ago
Cilium v1.11 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing standalone.enabled to true and optionally provide a volume to mount Hubble UI client certificates if TLS is enabled on Hubble Relay server side. Below is an example deploying Hubble UI as standalone, with this to false as Hubble relay is already installed enabled: false tls: server: # set this to true if tls is enabled on Hubble relay server side enabled: true ui: # enable
0 credits | 1373 pages | 19.37 MB | 1 year ago
Cilium v1.10 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing Inspecting TLS Encrypted Connections with Cilium This document serves as an introduction for how network security teams can use Cilium to transparently inspect TLS-encrypted connections. This TLS-aware inspection visibility and policy to function even for connections where client to server communication is protected by TLS, such as when a client accesses the API service via HTTPS. This capability is similar to what is possible
0 credits | 1307 pages | 19.26 MB | 1 year ago
Cilium v1.7 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd
0 credits | 885 pages | 12.41 MB | 1 year ago
Cilium v1.8 Documentation
and HTTP-Aware Policy Enforcement Locking down external access with DNS-based policies Inspecting TLS Encrypted Connections with Cilium Securing a Kafka cluster How to secure gRPC Getting Started Securing restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd
0 credits | 1124 pages | 21.33 MB | 1 year ago
Cilium v1.5 Documentation
how to prepare your Kubernetes environment. For CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to automatic management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd In case you are not using a TLS-enabled etcd, comment out the configuration options in the ConfigMap referring to the key locations like this: # In case you want to use TLS in etcd, uncomment the 'ca-file'
0 credits | 740 pages | 12.52 MB | 1 year ago
Cilium v1.6 Documentation
restarting the pods to reset the CrashLoopBackoff time. CoreDNS: Enable reverse lookups In order for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to management of the etcd cluster including compaction, restart on quorum loss, and automatic use of TLS. There are several disadvantages which can become of relevance as you scale up your clusters: etcd kvstore. Consul is not supported by cluster mesh at this point. It is highly recommended to use a TLS protected etcd cluster with Cilium. The server certificate of etcd must whitelist the host name *.mesh
0 credits | 734 pages | 11.45 MB | 1 year ago