About the Project

The Cilium Policy Advisor (CPA) was created to solve a practical problem: generating least-privilege Cilium Network Policies is difficult, time-consuming, and often inaccurate when done manually. Kubernetes environments produce large volumes of network flow logs, and understanding them—especially with eBPF-powered observability from Hubble—requires careful analysis. This project automates that entire process.

Inspiration

I was motivated by how powerful Cilium and eBPF are, but how hard it is for teams to translate raw Hubble logs into correct network policies. Even small applications can produce hundreds of flows, and writing policy YAML by hand can lead to errors or overly permissive rules. I wanted to build a tool that could observe traffic, analyze it, and produce the policy automatically.

What I Learned

This project required understanding several concepts across the full stack.

Technical Skills Learned

How eBPF and Hubble capture Kubernetes network flows

How Cilium Network Policies are structured

Building a frontend dashboard with React and Vite

Creating REST APIs using Node.js and Express

Calling Python scripts from Node using child processes

Parsing real flow logs in Python

Designing SQL tables for flows, policies, and versions

Conceptual Learnings

I applied the principle of least privilege and expressed it as:

LeastPrivilege ( 𝐹

)

min ⁡ { 𝑃    ∣    𝑃 permits all flows in 𝐹 } LeastPrivilege(F)=min{P∣P permits all flows in F}

This helped define the logic for generating the smallest policy that still allows every observed communication.

How I Built It

The system follows a multi-layer architecture:

React Frontend Displays flow data, YAML output, communication maps, and history. Communicates with the backend through REST APIs.

Node.js Backend Receives requests, stores data, and triggers Python scripts. Uses Express for API routing and SQL for persistence.

Python Analyzer Processes raw Hubble logs in JSON format. Extracts namespaces, pod labels, ports, protocols, and HTTP paths. Groups flows by communication patterns. Generates CiliumNetworkPolicy YAML.

SQL Database Stores flow histories, generated policies, and version information.

This pipeline turns raw network data into structured, minimal, and valid security policies.

Challenges Faced

Some of the major challenges included:

Handling the variety of formats in real Hubble flow logs

Ensuring Node.js and Python communicated reliably

Designing a schema that supports history and versioning

Structuring the YAML so it complies fully with Cilium standards

Coordinating multiple languages and components in one project

Presenting complex data cleanly in the React dashboard

These challenges improved my understanding of backend design, observability tools, and secure network policy generation.

Share this project:

Updates