K8sCalc

Cilium Resource Requirements Calculator

Calculate Cilium CNI agent RAM and CPU requirements per node. Includes Hubble observability overhead, WireGuard encryption, and BPF map memory for network policies.

Cilium eBPF Architecture and Resource Planning

Cilium implements Kubernetes networking (CNI), network policies, and optionally service mesh functionality using eBPF — programs that run in the Linux kernel without requiring sidecar proxies.

DaemonSet Architecture

Cilium runs one agent per node as a DaemonSet. Each agent:

  • Loads and manages eBPF programs for pod networking
  • Maintains BPF maps for endpoint state and policy
  • Communicates with the Cilium Operator (control plane)

```
node: cilium-agent (DaemonSet)
  ├── eBPF programs (kernel space)
  ├── BPF maps: endpoints, policies, NAT, LB
  └── Hubble ring buffer (optional)
```

BPF Map Memory

BPF maps live in kernel memory (not counted against pod limits). Scale with:

  • Number of endpoints (pods) on the node
  • Number of network policies
  • Number of services (ClusterIP, LoadBalancer)

Hubble Flow Observability

Hubble captures all network flows via a per-node ring buffer:

```bash
# View live flows in the default namespace
hubble observe --namespace default

# Show HTTP (L7) flows that were forwarded, i.e. allowed by policy
hubble observe --protocol http --verdict FORWARDED
```

Encryption Options

```yaml
# values.yaml (Helm)
encryption:
  enabled: true
  type: wireguard  # or ipsec
```

WireGuard is preferred — it's built into the Linux kernel (5.6+) and requires no additional IKE daemon.

Frequently Asked Questions

How does Cilium use BPF maps?

Cilium compiles each network policy into eBPF programs and stores endpoint state in BPF maps. Each network policy adds ~2 MB of BPF map memory per node. 100 policies across 10 nodes = ~2 GB of BPF map memory cluster-wide. BPF maps are in kernel memory, separate from pod memory limits.

What is Hubble and should I enable it?

Hubble is Cilium's built-in observability layer — it captures network flows (L3/L4/L7) from eBPF and makes them available via CLI, UI, and Prometheus metrics. It adds ~80 MB RAM per node agent and a central relay (~200 MB). For production clusters, enabling Hubble is recommended — it provides Kubernetes-native network visibility without extra agents.

Does WireGuard affect pod-to-pod throughput?

WireGuard adds ~0.05 vCPU overhead per node for encryption/decryption. On modern CPUs with AES-NI, throughput impact is minimal (<5% for typical workloads). WireGuard is significantly more efficient than IPsec for Cilium's node-to-node encryption use case.

How much RAM should I reserve for Cilium per node?

Base: 100 MB. Add: Hubble (+80 MB), WireGuard (+30 MB), encryption (+20 MB), network policies (+2 MB per policy). For a production node with Hubble and 20 policies: ~320 MB reserved for Cilium. Set this as a resource request on the DaemonSet.
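The per-component figures from the FAQ answers above, turned into a small calculator (added example, not the K8sCalc tool's own code). It reports the itemized agent-pod reserve with no headroom added, keeps the kernel-side BPF map figure separate because it is not counted against pod limits, and assumes the page's MB values can be written as MiB in the Kubernetes request string.

```python
from dataclasses import dataclass

# Per-component figures quoted in the FAQ; treated here as constants, not measurements.
BASE_AGENT_MB = 100      # cilium-agent baseline
HUBBLE_AGENT_MB = 80     # Hubble per-node agent overhead
HUBBLE_RELAY_MB = 200    # central hubble-relay (cluster-wide, not per node)
WIREGUARD_MB = 30
ENCRYPTION_MB = 20
POLICY_BPF_MB = 2        # BPF map memory per network policy per node
WIREGUARD_VCPU = 0.05    # per-node encryption/decryption CPU overhead


@dataclass
class NodeProfile:
    """Inputs for one node (constructed sample values, not Cilium defaults)."""
    policies: int = 0
    hubble: bool = False
    wireguard: bool = False


def agent_memory_mb(p: NodeProfile) -> int:
    """Itemized memory reserve for the cilium-agent pod on one node.

    FAQ formula: base + Hubble + WireGuard + encryption + 2 MB per policy.
    The encryption line item is applied whenever WireGuard is enabled.
    """
    total = BASE_AGENT_MB + p.policies * POLICY_BPF_MB
    if p.hubble:
        total += HUBBLE_AGENT_MB
    if p.wireguard:
        total += WIREGUARD_MB + ENCRYPTION_MB
    return total


def agent_cpu_vcpu(p: NodeProfile) -> float:
    """Extra vCPU to request when WireGuard encrypts node-to-node traffic."""
    return WIREGUARD_VCPU if p.wireguard else 0.0


def cluster_bpf_map_mb(policies: int, nodes: int) -> int:
    """Kernel BPF map memory for policies across all nodes (FAQ: 100 x 10 = ~2 GB).

    Kernel memory sits outside pod limits, so it is reported separately from the
    DaemonSet request and must be left free on the node rather than requested.
    """
    return policies * POLICY_BPF_MB * nodes


def daemonset_resources(p: NodeProfile) -> dict:
    """Render the per-node figures as the container's `resources.requests`."""
    requests = {"memory": f"{agent_memory_mb(p)}Mi"}
    if p.wireguard:
        requests["cpu"] = f"{round(agent_cpu_vcpu(p) * 1000)}m"  # 0.05 vCPU -> 50m
    return {"requests": requests}
```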
