DevOps · Flashcard

Why does Cilium enforce policy by identity rather than by IP address?

  • APod IPs churn as pods reschedule — a label-based identity stays stable and scales far better
  • BIP addresses are not visible in eBPF — the datapath can only read labels, never packet headers
  • CIdentities are required by Kubernetes — the NetworkPolicy API forbids matching on IP ranges
  • DIP-based rules cannot be encrypted — only identity-based rules can travel over WireGuard tunnels

Why this is the answer

Pod IPs are ephemeral and recycle rapidly, so IP-based rules churn and explode in number; a label-derived identity is stable and scales with workloads, not pods. eBPF can absolutely read IP headers, the K8s API does allow ipBlock, and encryption is independent of whether a rule is identity- or IP-based.

Official docs
Study in Gnoseed →