About the Project
The Cilium Policy Advisor (CPA) was created to solve a practical problem: generating least-privilege Cilium Network Policies is difficult, time-consuming, and often inaccurate when done manually. Kubernetes environments produce large volumes of network flow logs, and understanding them—especially with eBPF-powered observability from Hubble—requires careful analysis. This project automates that entire process.
Inspiration
I was motivated by how powerful Cilium and eBPF are, but how hard it is for teams to translate raw Hubble logs into correct network policies. Even small applications can produce hundreds of flows, and writing policy YAML by hand can lead to errors or overly permissive rules. I wanted to build a tool that could observe traffic, analyze it, and produce the policy automatically.
What I Learned
This project required understanding several concepts across the full stack.
Technical Skills Learned
How eBPF and Hubble capture Kubernetes network flows
How Cilium Network Policies are structured
Building a frontend dashboard with React and Vite
Creating REST APIs using Node.js and Express
Calling Python scripts from Node using child processes
Parsing real flow logs in Python
Designing SQL tables for flows, policies, and versions
Conceptual Learnings
I applied the principle of least privilege and expressed it as:
LeastPrivilege ( 𝐹
)
min { 𝑃 ∣ 𝑃 permits all flows in 𝐹 } LeastPrivilege(F)=min{P∣P permits all flows in F}
This helped define the logic for generating the smallest policy that still allows every observed communication.
How I Built It
The system follows a multi-layer architecture:
React Frontend Displays flow data, YAML output, communication maps, and history. Communicates with the backend through REST APIs.
Node.js Backend Receives requests, stores data, and triggers Python scripts. Uses Express for API routing and SQL for persistence.
Python Analyzer Processes raw Hubble logs in JSON format. Extracts namespaces, pod labels, ports, protocols, and HTTP paths. Groups flows by communication patterns. Generates CiliumNetworkPolicy YAML.
SQL Database Stores flow histories, generated policies, and version information.
This pipeline turns raw network data into structured, minimal, and valid security policies.
Challenges Faced
Some of the major challenges included:
Handling the variety of formats in real Hubble flow logs
Ensuring Node.js and Python communicated reliably
Designing a schema that supports history and versioning
Structuring the YAML so it complies fully with Cilium standards
Coordinating multiple languages and components in one project
Presenting complex data cleanly in the React dashboard
These challenges improved my understanding of backend design, observability tools, and secure network policy generation.
Log in or sign up for Devpost to join the conversation.