https://blog.zwindler.fr/en/tags/security/Recent content in Security on Zwindler's ReflectionHugo -- gohugo.ioenLicensed under CC BY-SA 4.0Tue, 19 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/19/nodes/proxy-get-one-kubernetes-permission-too-many/Tue, 19 May 2026 12:00:00 +0200https://blog.zwindler.fr/en/2026/05/19/nodes/proxy-get-one-kubernetes-permission-too-many/<img src="https://blog.zwindler.fr/2026/05/node_proxy_RCE.webp" alt="Featured image of post nodes/proxy GET: One Kubernetes permission too many" /><h2 id="tldr">TL;DR </h2><p>This is a bit old now, but I still wanted to share a quick write-up on the topic.</p> <p>Back in January, a cybersecurity researcher reported a Kubernetes flaw that generated quite a buzz. It had been a while since we had a Kube vulnerability that got people talking this much, at least from Denis&rsquo;s memory (yes, I talk about myself in the third person).</p> <p>Honestly, it&rsquo;s pretty wild: the <code>nodes/proxy GET</code> RBAC permission allows any <strong>ServiceAccount</strong> to execute code inside <strong>any Pod in the cluster</strong>, without leaving a single trace in the audit logs. That&rsquo;s unfortunate, especially when you have ServiceAccounts named <code>rook-ceph-system</code> that also happen to have read access to all Secrets in the cluster.</p> <p>This article details the issue, how to check if you are vulnerable, the fixes to apply, and the preventive measures you can put in place if you can&rsquo;t patch right away.</p> <h2 id="the-problem-websocket--kubelet--un-audited-exec">The problem: WebSocket + Kubelet = un-audited exec </h2><p>The vulnerability was documented by Graham Helton in <a class="link" href="https://grahamhelton.com/blog/nodes-proxy-rce" target="_blank" rel="noopener" >this article</a>. Here is how it works.</p> <p>The Kubernetes API exposes a <code>nodes/proxy</code> subresource that proxies HTTP requests to each node&rsquo;s Kubelet. The Kubelet itself exposes an API on port 10250, specifically the <code>/exec</code> endpoint which allows executing commands inside a container.</p> <p>The issue comes from how the Kubelet handles authorizations for WebSocket connections:</p> <ol> <li><code>kubectl exec</code> uses a WebSocket connection, whose handshake is an HTTP <code>GET</code></li> <li>The Kubelet maps this initial <code>GET</code> to the <code>get</code> RBAC verb</li> <li>It checks <code>nodes/proxy GET</code>, then authorizes the operation</li> <li><strong>No secondary check</strong> is performed for the <code>CREATE</code> verb normally required for <code>/exec</code></li> </ol> <p>Result: any ServiceAccount with <code>nodes/proxy GET</code> can execute commands in any Pod in the cluster, <strong>including system Pods</strong> (<code>etcd</code>, <code>kube-apiserver</code>, etc.).</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Exploitation via websocat</span> </span></span><span class="line"><span class="cl">websocat --insecure <span class="se">\ </span></span></span><span class="line"><span class="cl"> --header <span class="s2">&#34;Authorization: Bearer </span><span class="nv">$TOKEN</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --protocol <span class="s2">&#34;v4.channel.k8s.io&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s2">&#34;wss://</span><span class="nv">$NODE_IP</span><span class="s2">:10250/exec/default/nginx/nginx?output=1&amp;error=1&amp;command=id&#34;</span> </span></span></code></pre></div><p>And that&rsquo;s not all. <strong>Commands executed via this method do not generate any Kubernetes audit logs</strong> (well, assuming you even collect them 🙈). The access goes directly through the Kubelet, which does not report events back to the API server.</p> <p>The official Kubernetes status on this: <strong>Won&rsquo;t Fix</strong>. It is a &ldquo;design behavior&rdquo; (note the quotes), addressed via a feature gate (<a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862</a>, see below).</p> <p>Ouch.</p> <h2 id="the-audit-vulnerable-serviceaccounts-on-our-clusters">The Audit: Vulnerable ServiceAccounts on our clusters </h2><p>In January 2026, following the publication of Graham Helton&rsquo;s article, a lot of people had to urgently audit their clusters. You can either manually audit all your Roles / ClusterRoles, or use a <a class="link" href="https://gist.github.com/grahamhelton/f5c8ce265161990b0847ac05a74e466a" target="_blank" rel="noopener" >detection script</a> provided by the researcher.</p> <p>As an example, here are three relatively common components that make great candidates for a juicy privilege escalation:</p> <table> <thead> <tr> <th>Component</th> <th>ClusterRole</th> <th>ServiceAccounts</th> </tr> </thead> <tbody> <tr> <td><strong>OpenTelemetry Collector</strong></td> <td><code>otel-otelcol-k8sobjects</code></td> <td><code>opentelemetry-collector-daemonset-collector</code>, <code>opentelemetry-collector-deployment-collector</code></td> </tr> <tr> <td><strong>OpenTelemetry Operator</strong></td> <td><code>otel-operator-resources</code> / <code>opentelemetry-operator-manager</code></td> <td><code>opentelemetry-operator</code></td> </tr> <tr> <td><strong>Rook-Ceph</strong></td> <td><code>rook-ceph-global</code>, <code>rook-ceph-mgr-cluster</code></td> <td><code>rook-ceph-system</code>, <code>rook-ceph-mgr</code></td> </tr> </tbody> </table> <p>Note: there are many more. Graham Helton added an &ldquo;Appendix: Affected Helm Charts&rdquo; section at the end of his article, referencing AT LEAST 69 affected Helm charts according to him.</p> <h3 id="the-critical-case-rook-ceph-system">The critical case: rook-ceph-system </h3><p>In the official chart, the <code>rook-ceph-system</code> ServiceAccount combined two particularly dangerous permissions:</p> <ol> <li><strong><code>nodes/proxy GET</code></strong> - the RCE</li> <li><strong><code>secrets GET/LIST/WATCH</code></strong> across the <strong>entire cluster</strong></li> </ol> <p>Accessible secrets can include LUKS keys for volume encryption, Ceph admin keyrings, dashboard passwords&hellip; this kind of access makes it a prime target for an attacker.</p> <p>The attack scenario: a compromise of the <code>rook-ceph-operator</code> Pod (via CVE, supply chain, or a malicious image) would allow reading all Ceph secrets, and then executing code in any Pod (including <code>etcd</code>), leading to a full compromise of the cluster and encrypted data.</p> <p>To manually check if a ServiceAccount is vulnerable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl auth can-i get nodes --subresource<span class="o">=</span>proxy <span class="se">\ </span></span></span><span class="line"><span class="cl"> --as<span class="o">=</span>system:serviceaccount:&lt;namespace&gt;:&lt;serviceaccount&gt; </span></span></code></pre></div><h2 id="examples-of-fixes-to-apply">Examples of fixes to apply </h2><h3 id="rook-ceph-upstream-fix">Rook-Ceph: Upstream fix </h3><p>For Rook-Ceph, the fix came from upstream: PR <a class="link" href="https://github.com/rook/rook/pull/16979" target="_blank" rel="noopener" >rook/rook#16979</a> removed <code>nodes/proxy</code> from ClusterRoles. This fix is included in Rook v1.19.1, so updating the affected clusters was enough.</p> <p>After updating, checking across all clusters:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl get clusterroles rook-ceph-global -o yaml <span class="p">|</span> grep -A3 nodes/proxy </span></span><span class="line"><span class="cl"><span class="c1"># -&gt; nothing</span> </span></span></code></pre></div><h3 id="otel--otel-operator">OTel / OTel operator </h3><p>For OpenTelemetry, the situation is potentially more complex. If you are using <code>otel-operator</code> and <strong>OtelCollector</strong> Custom Resources, you likely have to manage your own RBAC manifests <strong>yourself</strong>.</p> <p>Having had to do it myself, it&rsquo;s quite painful. Depending on your collector type and the receivers you enabled, you need to cross-reference multiple documents on the official OTel and otel-operator websites.</p> <p>Upstream merged a conditional approach in <a class="link" href="https://github.com/open-telemetry/opentelemetry-helm-charts/pull/2083" target="_blank" rel="noopener" >open-telemetry/opentelemetry-helm-charts#2083</a> based on the Kubernetes version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Upstream approach (opentelemetry-helm-charts#2083)</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">if semverCompare &#34;&gt;=1.33-0&#34; .Capabilities.KubeVersion.Version }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">else }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl">{{- <span class="l">end }}</span><span class="w"> </span></span></span></code></pre></div><p>Here again, if all your clusters are up to date, you can simply replace <code>nodes/proxy</code> with <code>nodes/pods</code> directly (without the condition).</p> <p><strong><code>otel-collector-crb.yaml</code></strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Before</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy </span><span class="w"> </span><span class="c"># &lt;- RCE risk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/spec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/stats</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># After</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># nodes/pods replaces nodes/proxy (RCE risk, see [https://grahamhelton.com/blog/nodes-proxy-rce](https://grahamhelton.com/blog/nodes-proxy-rce))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Requires K8s &gt;= 1.33 (KEP-2862 fine-grained kubelet authz)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/spec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/stats</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span></code></pre></div><p><strong><code>otel-operator-rbac.yaml</code></strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Before</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/proxy </span><span class="w"> </span><span class="c"># &lt;- RCE risk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># After</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># nodes/pods replaces nodes/proxy (RCE risk, see [https://grahamhelton.com/blog/nodes-proxy-rce](https://grahamhelton.com/blog/nodes-proxy-rce))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Requires K8s &gt;= 1.33 (KEP-2862 fine-grained kubelet authz)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">nodes/pods</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">get</span><span class="w"> </span></span></span></code></pre></div><h2 id="preventive-measures">Preventive Measures </h2><h3 id="kep-2862-fine-grained-kubelet-api-authorization">KEP-2862: Fine-Grained Kubelet API Authorization </h3><p>As teased earlier, the real long-term solution is <a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862</a> (Fine-Grained Kubelet API Authorization). It introduces granular subresources (<code>nodes/pods</code>, <code>nodes/metrics</code>, <code>nodes/stats</code>, <code>nodes/log</code>, etc.) allowing precise access without using <code>nodes/proxy</code>.</p> <table> <thead> <tr> <th>K8s Version</th> <th>KEP-2862 Status</th> </tr> </thead> <tbody> <tr> <td>1.32</td> <td>Alpha</td> </tr> <tr> <td>1.33</td> <td><strong>Beta, enabled by default</strong> - <code>nodes/proxy GET</code> no longer grants access to <code>/exec</code></td> </tr> <tr> <td>1.36</td> <td>GA (locked to enabled)</td> </tr> </tbody> </table> <p>But this requires going through EVERY chart in use and checking all deployed manifests now <strong>and in the future</strong>.</p> <h3 id="ciliumnetworkpolicy-blocking-the-kubelet-port">CiliumNetworkPolicy: Blocking the Kubelet port </h3><p>While waiting for the K8s upgrade, or as defense-in-depth, you can block access to port 10250 from the affected pods using NetworkPolicies (or CiliumNetworkPolicy if you use Cilium as your CNI plugin).</p> <p><strong>Warning</strong>: This only applies to components that do <em>not</em> need to access the Kubelet. The OTel collector potentially needs it to gather Kubelet metrics. In that case, you have no choice but to fix the RBAC.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">cilium.io/v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">CiliumNetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-kubelet-api-access</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;namespace&gt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpointSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">&lt;app-label&gt;</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;value&gt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egressDeny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">toEntities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">host</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">remote-node</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">toPorts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10250&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span></code></pre></div><h3 id="kyverno-blocking-the-creation-of-new-roles-with-nodesproxy">Kyverno: Blocking the creation of new Roles with nodes/proxy </h3><p>To prevent any regression (remember, we need to protect ourselves <strong>in the future</strong>), we can add a Kyverno <code>ClusterPolicy</code> that rejects the creation or modification of a <code>ClusterRole</code> or <code>Role</code> containing <code>nodes/proxy</code>.</p> <p>Luckily, there are ready-to-use examples on the official Kyverno website:</p> <ul> <li><a class="link" href="https://kyverno.io/policies/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/" target="_blank" rel="noopener" >validating variant</a></li> <li><a class="link" href="https://kyverno.io/policies/other-cel/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy/" target="_blank" rel="noopener" >CEL variant</a></li> </ul> <p>Note : <a class="link" href="https://github.com/kyverno/policies/issues/1492" target="_blank" rel="noopener" >there probably is a hole in the official Kyverno policy, I opened an issue</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">restrict-nodes-proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Audit </span><span class="w"> </span><span class="c"># switch to Enforce after validation</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">background</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-nodes-proxy-in-clusterroles</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ClusterRole</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">names</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;system:kubelet-api-admin&#34;</span><span class="w"> </span><span class="c"># built-in K8s, unmodifiable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> nodes/proxy grants RCE capability via Kubelet WebSocket exec. </span></span></span><span class="line"><span class="cl"><span class="sd"> Use nodes/pods (requires K8s &gt;= 1.33, KEP-2862) instead.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deny</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">conditions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;nodes/proxy&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operator</span><span class="p">:</span><span class="w"> </span><span class="l">AnyIn</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;{{ request.object.rules[].resources[] }}&#34;</span><span class="w"> </span></span></span></code></pre></div><p>Deployment is done in two stages: first in <code>Audit</code> mode to ensure there are no remaining vulnerable manifests (which you should fix <strong>before</strong> blocking), then in <code>Enforce</code> mode to actually block them.</p> <h3 id="monitoring-the-audit-log">Monitoring the Audit Log </h3><p>Even if commands executed <em>via</em> the Kubelet leave no trace, we can monitor <strong>SubjectAccessReviews</strong> to detect attempts at enumerating <code>nodes/proxy</code> permissions.</p> <p>The configuration in the Kubernetes audit policy:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># audit-policy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Request</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;authorization.k8s.io&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;subjectaccessreviews&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></div><p>Then a Prometheus/Alertmanager alert on SARs related to <code>nodes/proxy</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-promql" data-lang="promql"><span class="line"><span class="cl"><span class="c1"># Detect SARs targeting nodes/proxy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="kr">increase</span><span class="o">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">apiserver_audit_event_total</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nl">verb</span><span class="o">=</span><span class="p">&#34;</span><span class="s">create</span><span class="p">&#34;,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nl">resource</span><span class="o">=</span><span class="p">&#34;</span><span class="s">subjectaccessreviews</span><span class="p">&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}[</span><span class="s">5m</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="o">)</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span></span></span></code></pre></div><h2 id="references">References </h2><ul> <li><a class="link" href="https://grahamhelton.com/blog/nodes-proxy-rce" target="_blank" rel="noopener" >Kubernetes RCE via nodes/proxy GET</a> - Graham Helton</li> <li><a class="link" href="https://gist.github.com/grahamhelton/f5c8ce265161990b0847ac05a74e466a" target="_blank" rel="noopener" >Detection Script</a></li> <li><a class="link" href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md" target="_blank" rel="noopener" >KEP-2862 Fine-Grained Kubelet API Authorization</a></li> <li><a class="link" href="https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes" target="_blank" rel="noopener" >Kubernetes RBAC Good Practices - nodes/proxy</a></li> <li><a class="link" href="https://github.com/rook/rook/pull/16979" target="_blank" rel="noopener" >rook/rook#16979</a> - Fix upstream Rook-Ceph</li> <li><a class="link" href="https://github.com/open-telemetry/opentelemetry-helm-charts/pull/2083" target="_blank" rel="noopener" >open-telemetry/opentelemetry-helm-charts#2083</a> - Fix upstream OTel</li> </ul>https://blog.zwindler.fr/en/2026/03/15/flannel-and-networkpolicies-how-to-add-support-with-cilium-in-cni-chaining-mode/Sun, 15 Mar 2026 18:00:00 +0200https://blog.zwindler.fr/en/2026/03/15/flannel-and-networkpolicies-how-to-add-support-with-cilium-in-cni-chaining-mode/<img src="https://blog.zwindler.fr/2026/03/flannel-cilium-chaining.webp" alt="Featured image of post Flannel and NetworkPolicies: how to add support with Cilium in CNI chaining mode" /><h2 id="flannel-flannel-flannel">Flannel, flannel, flannel&hellip; </h2><p>Flannel is a simple and popular CNI 😢.</p> <p>It&rsquo;s the default CNI in k3s, the one half the kubeadm tutorials use, and you&rsquo;ll find it in quite a few managed offerings too.</p> <p>OK, it&rsquo;s simple, it routes packets between pods, it supports VXLAN and WireGuard, it takes 2 minutes to set up. What more could you ask for?</p> <p>Well, exactly. There&rsquo;s one thing flannel does <strong>not</strong> do: NetworkPolicies. (And that&rsquo;s a big deal).</p> <blockquote> <p>Flannel is focused on networking. For network policy, other projects such as Calico can be used.</p> </blockquote> <p><strong>[Edit]</strong> Contrary to what I wrote here, flannel actually does support NetworkPolicies and has for at least 2 years, via the reference implementation <a class="link" href="https://github.com/kubernetes-sigs/kube-network-policies" target="_blank" rel="noopener" >kube-network-policies</a> from the Kubernetes project. The option isn&rsquo;t prominently featured in the README and is probably not more recommended for production, but it does exist. See the <a class="link" href="https://github.com/flannel-io/flannel/blob/master/Documentation/netpol.md" target="_blank" rel="noopener" >official documentation</a>.</p> <p>And the trap is that if you haven&rsquo;t read that one little line in the <strong>README.md</strong>, nothing tells you explicitly.</p> <p>You can perfectly well create <code>NetworkPolicy</code> objects in your cluster, <code>kubectl apply</code> won&rsquo;t complain, <code>kubectl get netpol</code> will happily list them. Except&hellip; they&rsquo;re not enforced. Traffic still flows. Your deny-all doesn&rsquo;t deny anything at all.</p> <h2 id="lets-verify-to-be-sure">Let&rsquo;s verify to be sure </h2><p>Before solving anything, let&rsquo;s verify the problem exists. Starting from the prerequisite that we have a Kubernetes cluster with flannel as the CNI and everything is working, we&rsquo;ll deploy two pods in two different namespaces: a client (curl) and a server (nginx).</p> <p>Let&rsquo;s check that the client can reach the server:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n netpol-test-a client -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> curl -s --max-time <span class="m">5</span> http://server.netpol-test-b.svc.cluster.local </span></span></code></pre></div><p>We get the nginx welcome page. So far, so normal. Now, let&rsquo;s apply a <em>deny-all</em> NetworkPolicy on the server&rsquo;s namespace:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># 01-deny-all-ingress.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deny-all-ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">netpol-test-b</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f 01-deny-all-ingress.yaml </span></span></code></pre></div><p>And let&rsquo;s test again:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n netpol-test-a client -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> curl -s --max-time <span class="m">5</span> http://server.netpol-test-b.svc.cluster.local </span></span></code></pre></div><p><strong>Result: the nginx page still shows up.</strong> The NetworkPolicy was created (<code>kubectl get netpol -n netpol-test-b</code> shows it), but it&rsquo;s not enforced. Traffic flows as if nothing happened.</p> <p>This is the expected behavior with flannel (by default). Flannel only does L3 routing (VXLAN or WireGuard overlay). It doesn&rsquo;t implement a NetworkPolicy controller. The objects exist in etcd, but nobody translates them into filtering rules.</p> <p>Let&rsquo;s clean up the policy before moving on:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl delete -f 01-deny-all-ingress.yaml </span></span></code></pre></div><h2 id="alternatives-for-adding-support">Alternatives for adding support </h2><p>For a long time I thought this was just the way it was. I still think it&rsquo;s not a good choice for any production.</p> <p>BUT recently, I discovered that it was possible to chain CNIs within the same cluster, and thus have one CNI handling most tasks (here Flannel) and another one taking care of other tasks, such as enforcing NetworkPolicies.</p> <p>This is actually the principle behind Canal, which I knew by name but had never explored. In fact, it&rsquo;s nothing more than a manifest that deploys Flannel as the main CNI with Calico for NetworkPolicy enforcement!</p> <blockquote> <p>Canal was the name of Tigera and CoreOS&rsquo;s project to integrate Calico and flannel.</p> </blockquote> <p>Note: <a class="link" href="https://github.com/projectcalico/canal?tab=readme-ov-file" target="_blank" rel="noopener" >the GitHub project was archived in October 2025</a> but in theory it should still work, if you can find the correct documentation (I couldn&rsquo;t, the links are broken, but I didn&rsquo;t really look that hard either).</p> <p>So you get the idea: we&rsquo;re going to add a component that will <strong>watch</strong> NetworkPolicy objects and translate them into effective filtering rules (iptables, eBPF, nftables&hellip;), <strong>without touching the existing flannel setup</strong>. This is called &ldquo;CNI chaining&rdquo; or &ldquo;policy-only&rdquo; mode.</p> <p>There are several solutions:</p> <p><strong>Calico (Canal)</strong>; Historically, the flannel + Calico combination is called &ldquo;Canal&rdquo;, which I just mentioned. <strong>But</strong> the official Canal manifest bundles its own flannel in the same DaemonSet as calico-node. If your flannel is already installed and managed (by you, by an operator, by a provider&hellip;), you probably don&rsquo;t want to replace it. And the Tigera operator (the &ldquo;official&rdquo; Helm method) doesn&rsquo;t support policy-only deployment on an existing flannel either. In short, it&rsquo;s doable but requires some effort. Can&rsquo;t be bothered.</p> <p><strong>kube-router</strong>; kube-router can run in firewall-only mode (<code>--run-firewall=true</code>) and only needs iptables/ipset. This is actually what k3s uses by default for NetworkPolicies. It&rsquo;s the lightest solution (supposedly ~50 MB of RAM per node). Make sure your kernel has the <code>ip_set</code> module, otherwise it won&rsquo;t work.</p> <p><strong>Cilium in CNI chaining mode</strong>; This is the solution I chose and that we&rsquo;ll detail here. Cilium attaches to the veth interfaces created by flannel and adds its eBPF programs for policy enforcement. No dependency on iptables or ipset, and as a bonus we get Hubble for network observability.</p> <h2 id="installing-cilium-in-cni-chaining-mode">Installing Cilium in CNI chaining mode </h2><h3 id="prerequisites">Prerequisites </h3><ul> <li>A working Kubernetes cluster with flannel</li> <li><code>helm</code> v3+</li> <li>A kernel &gt;= 4.19 (ideally &gt;= 5.10 for all eBPF features)</li> </ul> <h3 id="retrieve-flannels-cni-configuration">Retrieve flannel&rsquo;s CNI configuration </h3><p>Cilium in chaining mode needs to know the existing CNI configuration. Let&rsquo;s retrieve it from a node:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl debug node/<span class="k">$(</span>kubectl get nodes -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.items[0].metadata.name}&#39;</span><span class="k">)</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -it --image<span class="o">=</span>busybox -- cat /host/etc/cni/net.d/10-flannel.conflist </span></span></code></pre></div><p>On my cluster, this gives:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;cbr0&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;cniVersion&#34;</span><span class="p">:</span> <span class="s2">&#34;0.3.1&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;plugins&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;flannel&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;delegate&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;hairpinMode&#34;</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;isDefaultGateway&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;type&#34;</span><span class="p">:</span> <span class="s2">&#34;portmap&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;capabilities&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;portMappings&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p><strong>Note the <code>name</code> field</strong> (here <code>cbr0</code>). We&rsquo;ll need it.</p> <h3 id="create-the-chaining-configmap">Create the chaining ConfigMap </h3><p>We&rsquo;ll create a ConfigMap that takes the flannel config and adds the <code>cilium-cni</code> plugin in chaining mode:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ConfigMap</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cni-configuration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">kube-system</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cni-config</span><span class="p">:</span><span class="w"> </span><span class="p">|-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;name&#34;: &#34;cbr0&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;cniVersion&#34;: &#34;0.3.1&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;plugins&#34;: [ </span></span></span><span class="line"><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;type&#34;: &#34;flannel&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;delegate&#34;: { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;hairpinMode&#34;: true, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;isDefaultGateway&#34;: true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> }, </span></span></span><span class="line"><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;type&#34;: &#34;portmap&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;capabilities&#34;: { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;portMappings&#34;: true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> }, </span></span></span><span class="line"><span class="cl"><span class="sd"> { </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;type&#34;: &#34;cilium-cni&#34;, </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;chaining-mode&#34;: &#34;generic-veth&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> ] </span></span></span><span class="line"><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span></code></pre></div><p><strong>Warning</strong>: the <code>name</code> field must match your flannel <em>conflist</em>. If yours is called <code>cni0</code> or something else, adjust accordingly.</p> <p>Before applying, also verify that your CNI uses <strong>veth</strong> interfaces (this is the default with flannel, but better safe than sorry). From a node:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ip -d link <span class="p">|</span> grep veth </span></span></code></pre></div><p>You should see veth-type interfaces corresponding to your pods, for example:</p> <pre tabindex="0"><code>103: lxcb3901b7f9c02@if102: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; ... veth addrgenmode eui64 numtxqueues 1 numrxqueues 1 </code></pre><p>If that&rsquo;s the case, Cilium&rsquo;s <code>generic-veth</code> mode will work. Let&rsquo;s apply:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f cilium-cni-configmap.yaml </span></span></code></pre></div><h3 id="install-cilium-via-helm">Install Cilium via Helm </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add cilium https://helm.cilium.io/ </span></span><span class="line"><span class="cl">helm repo update </span></span></code></pre></div><p>Here are the values for chaining mode:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># cilium-values.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">cni</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">chainingMode</span><span class="p">:</span><span class="w"> </span><span class="l">generic-veth</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">customConf</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">configMap</span><span class="p">:</span><span class="w"> </span><span class="l">cni-configuration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">install</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">routingMode</span><span class="p">:</span><span class="w"> </span><span class="l">native</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">enableIPv4Masquerade</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">enableIPv6Masquerade</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">hubble</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">relay</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ui</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></div><p>The important points:</p> <ul> <li><code>cni.chainingMode: generic-veth</code>, this is chaining mode, Cilium attaches to existing veth interfaces</li> <li><code>cni.customConf: true</code> + <code>cni.configMap</code>, we provide our own CNI config</li> <li><code>routingMode: native</code>, flannel handles routing, not Cilium</li> <li><code>enableIPv4Masquerade: false</code>, flannel handles masquerading</li> <li><code>hubble.enabled: true</code>, network observability, the big bonus of Cilium</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm install cilium cilium/cilium --version 1.19.1 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace kube-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> -f cilium-values.yaml </span></span></code></pre></div><p>Wait for everything to be ready:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl rollout status daemonset/cilium -n kube-system --timeout<span class="o">=</span>120s </span></span></code></pre></div><h3 id="verification">Verification </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n kube-system ds/cilium -- cilium status </span></span></code></pre></div><p>What we&rsquo;re looking for:</p> <pre tabindex="0"><code>Kubernetes: Ok 1.35 (v1.35.0) [linux/amd64] CNI Chaining: generic-veth Cilium: Ok 1.19.1 Hubble: Ok </code></pre><p>The <code>CNI Chaining: generic-veth</code> line confirms that Cilium is running in <em>chaining</em> mode and isn&rsquo;t replacing flannel.</p> <p><strong>Important</strong>: pods that existed before Cilium was installed are not automatically managed by Cilium. You need to restart them so that Cilium can attach its eBPF programs. Remember to <code>kubectl rollout restart</code> your test workloads (or recreate them).</p> <h2 id="testing-networkpolicies">Testing NetworkPolicies </h2><p>This is the moment of truth. Let&rsquo;s re-apply our deny-all:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl apply -f 01-deny-all-ingress.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n netpol-test-a client -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> curl -s --max-time <span class="m">5</span> http://server.netpol-test-b.svc.cluster.local </span></span></code></pre></div><p><strong>Result: timeout</strong>! This time, the NetworkPolicy is properly enforced. Traffic is blocked.</p> <p>I followed up with the other classic NetworkPolicy scenarios, and everything works:</p> <ul> <li><strong>Selective ingress allow by namespace</strong>; by adding a policy that allows traffic from <code>netpol-test-a</code> only, curl works from that namespace but remains blocked from <code>default</code>. Namespace isolation works.</li> <li><strong>Deny-all egress</strong>; by blocking all outgoing traffic from the client, even DNS resolution is blocked (immediate timeout).</li> <li><strong>Selective egress allow</strong>; by allowing only DNS (port 53) and the server (port 80 in the <code>netpol-test-b</code> namespace), curl to the server works but <code>curl http://example.com</code> remains blocked.</li> </ul> <p>In short, ingress, egress, selective by namespace, everything works as expected.</p> <h2 id="bonus-hubble-network-observability">Bonus: Hubble, network observability </h2><p>This is for me the real advantage of Cilium over the alternatives. Hubble lets you see network flows and policy verdicts in real time:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">kubectl <span class="nb">exec</span> -n kube-system ds/cilium -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> hubble observe --namespace netpol-test-b --last <span class="m">5</span> </span></span></code></pre></div><pre tabindex="0"><code>Mar 15 13:20:42.287: netpol-test-a/client:40066 (ID:9745) -&gt; netpol-test-b/server:80 (ID:22271) policy-verdict:none ALLOWED (TCP Flags: SYN) </code></pre><p>You can see the source pod, destination pod, port, Cilium identity, and policy verdict. When you&rsquo;re debugging a NetworkPolicy that isn&rsquo;t behaving as expected, this is incredibly useful.</p> <h2 id="how-much-does-it-cost-in-resources">How much does it cost in resources? </h2><p>On my cluster (3 nodes), here&rsquo;s what Cilium consumes right after installation:</p> <table> <thead> <tr> <th>Component</th> <th>Per node</th> <th>RAM</th> </tr> </thead> <tbody> <tr> <td>cilium agent</td> <td>yes (DaemonSet)</td> <td>~160 MB</td> </tr> <tr> <td>cilium-envoy</td> <td>yes (DaemonSet)</td> <td>~22 MB</td> </tr> <tr> <td>cilium-operator</td> <td>no (2 replicas)</td> <td>~42 MB</td> </tr> <tr> <td>hubble-relay</td> <td>no (1 replica)</td> <td>~16 MB</td> </tr> <tr> <td>hubble-ui</td> <td>no (1 replica)</td> <td>~21 MB</td> </tr> </tbody> </table> <p>That&rsquo;s roughly <strong>180 MB per node</strong> for the agent + envoy. I don&rsquo;t have a point of comparison with Calico or kube-router, but it seems acceptable to me, and being able to have full visibility into all network flows with Hubble more than justifies the overhead (in my opinion).</p> <h2 id="conclusion">Conclusion </h2><p>If you have no choice and have to work with flannel, and you want to plug the gaping security hole that is the lack of NetworkPolicy enforcement, know that it is possible to chain another CNI to handle it.</p> <p>Short of having it as CNI for everything, Cilium in CNI chaining mode (generic-veth) is a pretty nice solution to fill this gap. It doesn&rsquo;t touch the existing flannel setup, it grafts onto it. And as a bonus, you get Hubble for network observability, which is genuinely valuable.</p>