Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Enable Cilium WireGuard Pod Encryption

Introduction

In today’s highly distributed and security-conscious cloud-native environments, securing inter-pod communication within a Kubernetes cluster is paramount. While Kubernetes Network Policies provide crucial firewall-like rules, they don’t inherently encrypt the traffic itself. This leaves a significant gap, especially when data traverses untrusted networks or regulatory compliance demands end-to-end encryption. Traditional approaches often involve complex service mesh configurations or VPN solutions, adding overhead and operational complexity.

Enter Cilium with its integrated WireGuard encryption. Cilium, a powerful CNI (Container Network Interface) powered by eBPF, goes beyond basic networking by offering advanced features like network policy enforcement, load balancing, and observability. Its WireGuard integration provides transparent, performant, and secure pod-to-pod encryption across your cluster with minimal configuration. This means your sensitive data is encrypted in transit between pods, protecting it from eavesdropping, even if an attacker gains access to the underlying network infrastructure. This guide will walk you through enabling and verifying this critical security feature, transforming your Kubernetes network into a fortress.

TL;DR: Transparent Pod-to-Pod Encryption with Cilium WireGuard

Secure your Kubernetes inter-pod communication using Cilium’s built-in WireGuard encryption. This guide covers installation, enabling encryption, and verification.

  • Install Cilium with WireGuard: Use Helm to deploy Cilium, ensuring encryption.enabled=true and encryption.type=wireguard.
  • Verify Encryption: Use cilium status and cilium encrypt status to confirm WireGuard is active.
  • Test Traffic: Deploy test applications and use tcpdump to observe encrypted traffic between pods.
  • Key Commands:
# Add Cilium Helm repository
helm repo add cilium https://helm.cilium.io/

# Install Cilium with WireGuard encryption
helm install cilium cilium/cilium --version 1.15.5 \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set ipam.mode=kubernetes \
  --set k8sServiceHost=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -e 's/^https:\/\///' -e 's/:.*$//') \
  --set k8sServicePort=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -e 's/^https:\/\/[^:]*://')

# Verify Cilium status
cilium status

# Verify WireGuard encryption status
cilium encrypt status

# Observe encrypted traffic (example)
kubectl exec -it <pod-name> -- tcpdump -i eth0 -n -vvv port 51871

Prerequisites

Before diving into enabling WireGuard encryption with Cilium, ensure you have the following:

  • Kubernetes Cluster: A running Kubernetes cluster (v1.25+ recommended). This guide assumes you have kubectl configured to interact with your cluster. You can use any cloud provider (AWS EKS, GCP GKE, Azure AKS) or a local cluster like Kind or Minikube.
  • Helm: Helm v3+ installed on your local machine. Helm is used for deploying Cilium.
  • Cilium CLI: The Cilium CLI tool installed. This is essential for interacting with your Cilium deployment and verifying its status. You can find installation instructions on the Cilium documentation site.
  • Root/Sudo Access: On worker nodes, if you need to perform low-level network debugging (e.g., using tcpdump directly on the host).
  • Basic Kubernetes Knowledge: Familiarity with Kubernetes concepts like Pods, Deployments, Services, and Namespaces.
  • Understanding of CNI: A basic understanding of what a CNI does in Kubernetes.

Step-by-Step Guide: Transparent Pod-to-Pod Encryption with Cilium WireGuard

Step 1: Install Cilium with WireGuard Encryption

The first step is to install Cilium as your CNI plugin, enabling WireGuard encryption during the initial deployment. Cilium leverages eBPF to manage network policies and traffic, and its WireGuard integration provides a highly efficient and secure way to encrypt inter-node traffic. By default, Cilium might not have encryption enabled, so we explicitly set the necessary Helm values.

When installing Cilium, we specify encryption.enabled=true and encryption.type=wireguard. This tells Cilium to configure WireGuard tunnels between all nodes in the cluster. Each node will generate its own WireGuard key pair, and Cilium will automatically manage the key exchange and tunnel establishment. This transparent approach means your applications don’t need to be aware of the underlying encryption, making it a seamless security upgrade. For more advanced network security, consider combining this with Kubernetes Network Policies to define granular traffic rules.

# Add the Cilium Helm repository
helm repo add cilium https://helm.cilium.io/
helm repo update

# Determine your Kubernetes API server host and port
K8S_API_SERVER_HOST=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -e 's/^https:\/\///' -e 's/:.*$//')
K8S_API_SERVER_PORT=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -e 's/^https:\/\/[^:]*://' -e 's/\/.*$//')

# Install Cilium with WireGuard encryption enabled
# Use a specific version for stability, e.g., 1.15.5
helm install cilium cilium/cilium --version 1.15.5 \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set ipam.mode=kubernetes \
  --set k8sServiceHost=$K8S_API_SERVER_HOST \
  --set k8sServicePort=$K8S_API_SERVER_PORT \
  --set tunnel=vxlan \
  --set hubble.enabled=true \
  --set hubble.ui.enabled=true \
  --set hubble.relay.enabled=true \
  --set prometheus.enabled=true \
  --set operator.prometheus.enabled=true \
  --set serviceMonitor.enabled=true \
  --wait

Verify Step 1

After the Helm installation completes, verify that the Cilium pods are running and healthy. You should see Cilium agent pods (one per node) and a Cilium operator pod in the kube-system namespace. This indicates that Cilium has successfully deployed and is ready to take over networking for your cluster.

kubectl get pods -n kube-system -l k8s-app=cilium

Expected Output:

NAME                                   READY   STATUS    RESTARTS   AGE
cilium-xxxx                            1/1     Running   0          2m
cilium-yyyy                            1/1     Running   0          2m
cilium-operator-zzzz-wwww              1/1     Running   0          2m

Step 2: Verify Cilium and WireGuard Status

Once Cilium is installed, it’s crucial to confirm that both Cilium itself and its WireGuard encryption component are operational. The Cilium CLI provides powerful commands to inspect the health and configuration of your CNI. This step ensures that the encryption tunnels are correctly established between your nodes.

The cilium status command gives a high-level overview of the Cilium agent’s health, including its connectivity to the Kubernetes API and the status of its eBPF programs. More importantly, cilium encrypt status specifically checks the WireGuard encryption setup. It will display the WireGuard public keys for each node and confirm that the tunnels are active. This is your primary confirmation that pod-to-pod traffic encryption is enabled and working as expected. This also provides insights that can be further explored using eBPF Observability with Hubble.

# Port-forward the Cilium agent to access its CLI
# Get the name of a Cilium pod
CILIUM_POD=$(kubectl get pod -n kube-system -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}')

# Exec into the Cilium pod and run status commands
kubectl exec -it -n kube-system $CILIUM_POD -- cilium status

# Verify encryption status
kubectl exec -it -n kube-system $CILIUM_POD -- cilium encrypt status

Verify Step 2

The output of cilium status should show all components as OK or Enabled. The cilium encrypt status output should list all nodes and indicate that encryption is Enabled and show the WireGuard public keys for each node, along with the number of encrypted connections.

Expected Output for cilium status:

Defaulted container "cilium-agent" out of: cilium-agent, install-cni-binaries (init)
KVStore:                Ok   etcd: 1/1 connected
Kubernetes:             Ok   [v1.27.3]
CNI Chaining:           none
Cilium:                 Ok   [v1.15.5]
NodeMonitor:            Ok
Cilium health:          Ok
ClusterMesh:            Disabled
All controller:         Ok
Proxy:                  Ok   (Direct routing)
Host firewall:          Disabled
Cluster ID:             1
Cluster Name:           default
Egress gateway:         Disabled
Encryption:             Wireguard (encryption is enabled)
    Current:            Wireguard
    Key:                0x1
    State:              Enabled
    Node:               node-1 (10.0.0.1)
    ...

Expected Output for cilium encrypt status:

Defaulted container "cilium-agent" out of: cilium-agent, install-cni-binaries (init)
Encryption:
  Wireguard:
    Enabled:            true
    Key:                0x1
    Interface:          cilium_wg0
    Port:               51871
    Nodes:
      node-1 (10.0.0.1):
        Public Key:     <node-1-public-key>
        Endpoint:       10.0.0.1:51871
        Allowed IPs:    [10.0.0.1/32, 10.42.0.0/16] # Example pod CIDR
        Handshake:      1 minute ago
        Transfer:       100 MiB received, 50 MiB sent
      node-2 (10.0.0.2):
        Public Key:     <node-2-public-key>
        Endpoint:       10.0.0.2:51871
        Allowed IPs:    [10.0.0.2/32, 10.42.0.0/16]
        Handshake:      2 minutes ago
        Transfer:       80 MiB received, 60 MiB sent

Step 3: Deploy Test Applications

To confirm the encryption is working, we need to deploy some applications that communicate with each other. We’ll create two simple Nginx deployments, ensuring they land on different nodes to guarantee inter-node traffic, which is where WireGuard encryption primarily applies. This setup allows us to observe traffic crossing the encrypted tunnels.

We’ll create two deployments, app-a and app-b, each with a single Nginx pod. By using node selectors or affinity rules, we can try to force them onto different nodes. If you have a single-node cluster, the encryption will still be active, but inter-pod traffic on the same node typically uses eBPF-based socket acceleration and might not traverse the WireGuard tunnel in the same way. For real-world scenarios, multiple nodes are essential to fully test WireGuard’s capabilities.

# app-a.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-a
  labels:
    app: app-a
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-a
  template:
    metadata:
      labels:
        app: app-a
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: app-a-service
spec:
  selector:
    app: app-a
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
# app-b.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-b
  labels:
    app: app-b
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-b
  template:
    metadata:
      labels:
        app: app-b
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

kubectl apply -f app-a.yaml
kubectl apply -f app-b.yaml

# Wait for pods to be ready
kubectl wait --for=condition=ready pod -l app=app-a --timeout=300s
kubectl wait --for=condition=ready pod -l app=app-b --timeout=300s

Verify Step 3

Confirm that both app-a and app-b pods are running. Note down their IP addresses and the nodes they are running on. Ideally, they should be on different nodes to demonstrate inter-node encryption.

kubectl get pods -o wide -l app=app-a
kubectl get pods -o wide -l app=app-b

Expected Output:

NAME                      READY   STATUS    RESTARTS   AGE   IP             NODE       NOMINATED NODE   READINESS GATES
app-a-xxxxxxxxx-yyyyy     1/1     Running   0          2m    10.42.0.10     node-1     <none>           <none>

NAME                      READY   STATUS    RESTARTS   AGE   IP             NODE       NOMINATED NODE   READINESS GATES
app-b-zzzzzzzzz-wwwwww    1/1     Running   0          2m    10.42.1.15     node-2     <none>           <none>

From this output, we can see app-a is on node-1 with IP 10.42.0.10 and app-b is on node-2 with IP 10.42.1.15. This setup is perfect for testing inter-node WireGuard encryption.

Step 4: Generate Traffic and Observe Encryption

Now that our applications are deployed, we’ll generate traffic between them and use tcpdump to observe the network packets. The key is to look for traffic on the WireGuard port (default 51871 UDP) and confirm that the payload is encrypted, appearing as random data rather than plain HTTP.

We will exec into app-a and attempt to curl app-b-service. Simultaneously, we’ll run tcpdump on the node where app-a is located (or on the WireGuard interface if you have direct node access). The WireGuard protocol wraps the original IP packets in UDP datagrams, encrypts them, and sends them over the configured port. You won’t see the original HTTP request; instead, you’ll see UDP packets on port 51871 containing the encrypted data.

# Get the pod name for app-a
APP_A_POD=$(kubectl get pod -l app=app-a -o jsonpath='{.items[0].metadata.name}')

# Get the pod name for app-b
APP_B_POD=$(kubectl get pod -l app=app-b -o jsonpath='{.items[0].metadata.name}')

# Get the IP address of app-b
APP_B_IP=$(kubectl get pod -l app=app-b -o jsonpath='{.items[0].status.podIP}')

# Get the node where app-a is running
APP_A_NODE=$(kubectl get pod $APP_A_POD -o jsonpath='{.spec.nodeName}')

# Install tcpdump in app-a pod (if not already present or if you don't have host access)
# This might fail if the base image doesn't have package manager or permissions.
# Alternative: Run tcpdump directly on the node.
kubectl exec -it $APP_A_POD -- bash -c "apt-get update && apt-get install -y tcpdump"

echo "Running curl from app-a to app-b-service..."
# In a separate terminal, run tcpdump on the node where app-a is
echo "In a NEW TERMINAL, SSH to node: $APP_A_NODE and run: sudo tcpdump -i any -n -vvv port 51871"
echo "Or, if you can run tcpdump inside the pod, use: "
echo "kubectl exec -it $APP_A_POD -- tcpdump -i eth0 -n -vvv host $APP_B_IP"
echo "Then press Enter to continue with curl..."
read -p "Press Enter to continue..."

# Now, trigger traffic from app-a to app-b-service
kubectl exec -it $APP_A_POD -- curl -s http://app-b-service

echo "Traffic generated. Now observe the tcpdump output."

Verify Step 4

When you run tcpdump (either inside the pod or on the node), you should observe UDP packets on port 51871. These packets will contain seemingly random data, which is the encrypted traffic. You should not see any cleartext HTTP requests if the traffic is flowing between nodes and being encrypted by WireGuard.

Expected tcpdump Output (example on host node, looking at WireGuard interface cilium_wg0 or any interface):

# Example of running tcpdump on the node where app-a is
# sudo tcpdump -i cilium_wg0 -n -vvv
# OR to see UDP encapsulation on the physical interface
# sudo tcpdump -i eth0 -n -vvv port 51871

# Output might look like this (showing UDP packets on WireGuard port):
15:30:00.123456 IP 10.0.0.1.51871 > 10.0.0.2.51871: UDP, length 116
15:30:00.123500 IP 10.0.0.2.51871 > 10.0.0.1.51871: UDP, length 92
15:30:00.123600 IP 10.0.0.1.51871 > 10.0.0.2.51871: UDP, length 116
...

If you were to inspect the payload of these UDP packets, you would find encrypted data, confirming that WireGuard is actively securing your pod-to-pod communication. The curl command should return the default Nginx welcome page, indicating successful communication over the encrypted tunnel.

Production Considerations

Deploying Cilium WireGuard encryption in a production environment requires careful planning and consideration to ensure robustness, performance, and maintainability.

  • Performance Impact: While WireGuard is known for its high performance and low overhead, encryption/decryption does consume CPU resources. For high-throughput applications, monitor CPU usage on your nodes. eBPF offloading (if supported by your NIC and kernel) can further reduce CPU overhead.
  • Kernel Module: WireGuard typically requires the wireguard kernel module. Ensure your node images include it or that it can be loaded dynamically. Most modern Linux distributions have it available. Check the Cilium system requirements for specifics.
  • Firewall Rules: If you have external firewalls or security groups configured for your Kubernetes nodes (e.g., AWS Security Groups, GCP Firewall Rules), ensure that UDP port 51871 (the default WireGuard port) is open between all Kubernetes nodes. Failure to do so will break inter-node communication.
  • Monitoring and Observability: Integrate Cilium metrics into your existing monitoring stack (Prometheus, Grafana). Cilium exposes detailed metrics about its operation, including encryption status and traffic flow. eBPF Observability with Hubble can provide deep insights into encrypted traffic flows, even though the payload is encrypted.
  • Key Rotation: Cilium automatically manages WireGuard keys. However, understand how Cilium handles key rotation and potential impacts during upgrades or node replacements. Refer to the Cilium WireGuard documentation for details.
  • IPAM Mode: We used ipam.mode=kubernetes which relies on Kubernetes for IP address management. For larger clusters or more advanced networking, consider other IPAM modes like Cilium ENI (AWS) or Azure IPAM for native cloud integration.
  • Tunneling vs. Direct Routing: We set tunnel=vxlan for simplicity. In some cloud environments, you might prefer tunnel=disabled (direct routing) for better performance, assuming your underlying network can route pod IPs directly. However, direct routing can complicate network policies if not handled carefully.
  • Upgrade Strategy: Plan your Cilium upgrade strategy carefully. Always test upgrades in a staging environment. Ensure that WireGuard encryption remains active and stable throughout the upgrade process.
  • Integration with Service Mesh: If you are also running a service mesh like Istio Ambient Mesh, understand how its mTLS (mutual TLS) encryption interacts with Cilium’s WireGuard encryption. Typically, WireGuard encrypts the entire IP packet at the network layer, while mTLS encrypts application-layer traffic. They can complement each other, providing defense-in-depth.
  • Cost Optimization: While not directly related to WireGuard encryption, optimizing your cluster’s resource utilization with tools like Karpenter for cost optimization can help manage the operational costs of your secure cluster.

Troubleshooting

Here are some common issues you might encounter when setting up Cilium WireGuard encryption and their solutions.

Issue 1: Cilium Pods Not Starting/Healthy

Problem: Cilium agent pods are stuck in Pending, CrashLoopBackOff, or NotReady state.

Solution:

  1. Check logs: Get logs from the Cilium agent pod. 
    kubectl logs -n kube-system <cilium-pod-name> -c cilium-agent
  2. Node Requirements: Ensure your nodes meet Cilium’s system requirements, especially kernel version and necessary kernel modules.
  3. Resource Limits: Check if the pods are being OOM-killed (Out Of Memory) or CPU throttled. Adjust resource requests/limits if necessary.
  4. CNI Conflict: Ensure no other CNI is installed or conflicting. Cilium must be the sole CNI.

Issue 2: cilium encrypt status Shows “Disabled” or “Error”

Problem: The encryption status command indicates WireGuard is not enabled or has an error.

Solution:

  1. Helm Values: Double-check your Helm installation command to ensure --set encryption.enabled=true and --set encryption.type=wireguard were correctly applied. 
    helm get values cilium -n kube-system -o yaml | grep encryption
  2. Cilium Agent Logs: Look for WireGuard-specific errors in the Cilium agent logs. 
    kubectl logs -n kube-system <cilium-pod-name> -c cilium-agent | grep -i wireguard
  3. Kernel Module: Verify the WireGuard kernel module is loaded on your nodes. SSH to a node and run: 
    lsmod | grep wireguard

    If not loaded, try sudo modprobe wireguard. You might need to install the wireguard-dkms package on some distributions.

Issue 3: Pods on Different Nodes Cannot Communicate

Problem: Applications deployed on different nodes cannot ping or connect to each other, but same-node communication works.

Solution:

  1. Firewall Rules: This is the most common cause. Ensure UDP port 51871 (Cilium’s default WireGuard port) is open between all Kubernetes nodes in your cloud provider’s firewall settings (e.g., Security Groups, Network Security Groups, Firewall Rules).
  2. cilium encrypt status: Verify the encryption status again. If WireGuard is not active or reporting issues for specific nodes, it indicates a problem with the tunnel establishment.
  3. Node Connectivity: Ensure basic IP connectivity between nodes is working (e.g., ping node IPs).
  4. Cilium Tunneling: Check the Cilium agent logs for errors related to VXLAN or WireGuard tunnel establishment.

Issue 4: High CPU Usage on Nodes

Problem: Nodes running Cilium with WireGuard show unexpectedly high CPU utilization.

Solution:

  1. Workload Analysis: Identify if specific high-traffic applications are causing the load. Encryption/decryption consumes CPU, and very high network throughput can push CPU usage up.
  2. Kernel Version: Ensure you are running a recent Linux kernel (5.6+) for optimal WireGuard performance and potential eBPF offloading.
  3. eBPF Offloading: If your network cards support it, explore eBPF offloading for further performance gains. This requires specific hardware and drivers.
  4. Monitor Cilium Metrics: Use Cilium’s Prometheus metrics to get detailed insights into CPU usage related to eBPF programs and network activity.

Issue 5: tcpdump Shows Cleartext Traffic on WireGuard Port

Problem: You run tcpdump on port 51871 and see intelligible data, or traffic is not on port 51871 at all.

Solution:

  1. Correct Interface: Ensure you are capturing on the correct interface. If capturing on the node’s main interface (e.g., eth0), you should see UDP packets on port 51871. If capturing on the cilium_wg0 interface, you should see the decrypted IP traffic.
  2. Inter-Node Traffic: Confirm the traffic is actually flowing between two pods on different nodes. Same-node traffic might not traverse the WireGuard tunnel in the same way, as Cilium can optimize it with eBPF directly.
  3. cilium encrypt status: Re-verify that WireGuard encryption is unequivocally enabled and healthy on both source and destination nodes.
  4. Cilium Restart: In some rare cases, restarting the Cilium agent pods might resolve transient issues. 
    kubectl rollout restart -n kube-system ds/cilium

FAQ Section

Q1: What is the performance overhead of Cilium WireGuard encryption?

A1: WireGuard is designed for high performance and low overhead, making it an excellent choice for Kubernetes. It typically uses modern cryptographic primitives that are highly optimized. While there’s always some CPU cost associated with encryption/decryption, it’s generally much lower than other VPN solutions like OpenVPN or IPsec. The actual overhead depends on your traffic volume, CPU capabilities, and kernel version. Benchmarking your specific workloads is recommended for precise figures.

Q2: Does WireGuard encrypt all traffic in the cluster?

A2: Cilium’s WireGuard integration primarily encrypts inter-node pod-to-pod traffic. Traffic between pods on the same node is often handled directly by eBPF, bypassing the WireGuard tunnel for efficiency. Traffic to external services (outside the cluster) is not encrypted by WireGuard unless specifically routed through an egress gateway configured for encryption. Additionally, traffic to the Kubernetes API server is typically secured by mTLS, not WireGuard.

Q3: Can I use Cilium WireGuard with a Service Mesh like Istio?

A3: Yes, you can. Cilium WireGuard and a service mesh like Istio (or Istio Ambient Mesh) operate at different layers. WireGuard encrypts traffic at Layer 3/4 (network layer) between nodes, providing secure tunnels for all network packets. Service meshes provide mTLS (mutual TLS) encryption at Layer 7 (application layer) between service proxies. They complement each other, offering defense-in-depth: WireGuard secures the underlying network transport, while mTLS secures the application communication itself.

Q4: How does Cilium manage WireGuard keys? Is it secure?

A4: Cilium automatically generates WireGuard key pairs for each node and securely exchanges them using the Kubernetes API server as a trusted source. Node public keys are stored as Kubernetes secrets or annotations (depending on the configuration) and are only accessible by authorized Cilium agents. This automated key management simplifies operations significantly compared to manual WireGuard setups and is considered secure within the Kubernetes trust model.

Q5: What happens if a node loses its WireGuard configuration or key?

A5: If a node loses its WireGuard configuration or key, Cilium will detect the inconsistency. The Cilium agent on that node will attempt to re-establish the WireGuard tunnel by regenerating keys if necessary and re-exchanging them with other nodes via the Kubernetes API. During this recovery period, inter-node traffic to/from that specific node might be temporarily interrupted or unencrypted until the tunnel is re-established. Consistent monitoring with cilium encrypt status and Cilium logs can help detect such issues quickly.

Cleanup Commands

To remove Cilium and the test applications, follow these steps:

# Delete test applications

kubectl delete -f app-a.yaml

kubectl delete -f app-b.yaml


# Uninstall Cilium using Helm

helm uninstall cilium --namespace kube-system


# Clean up Cilium-related resources that Helm might not remove (optional, but good for a clean slate)

# This might vary based on your Kubernetes version and cloud provider.

# Use with caution!

kubectl get crd -o name | grep cilium | xargs -r kubectl delete

kubectl delete ValidatingWebhookConfiguration cilium-validating-webhook

kubectl delete MutatingWebhookConfiguration cilium-mutating-webhook

kubectl delete ClusterRole cilium ClusterRoleBinding cilium

kubectl delete ClusterRole cilium-operator ClusterRoleBinding cilium-operator

kubectl delete ServiceAccount

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *