Skip to content

Installing Cilium on Kubernetes

This guide explains how to deploy Cilium as a Kubernetes CNI and enable Hubble observability.

In this guide, you’ll learn how to deploy Cilium as your Kubernetes CNI and enable Hubble observability. We cover both the Cilium CLI and Helm methods, validate network connectivity, and demonstrate how to watch live network flows.

kindCilium.yaml
1
2
3
4
5
6
7
8
9
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker
networking:
  disableDefaultCNI: true

kind create cluster --config=kindCilium.yaml

helm repo add cilium https://helm.cilium.io/
helm repo update

helm install cilium cilium/cilium --namespace kube-system
NAME: cilium
LAST DEPLOYED: Fri Mar 13 03:27:50 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
DESCRIPTION: Install complete
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.

Your release version is 1.19.1.

For any further help, visit https://docs.cilium.io/en/v1.19/gettinghelp

Prerequisites

  • A running Kubernetes cluster (v1.18+).
  • kubectl configured to your target context.
  • Cilium CLI (cilium) installed.
  • Hubble CLI (hubble) installed.

1. Installation Methods Compared

Method Command Example Best For
Cilium CLI cilium install --version 1.15.4 --wait Rapid installs and upgrades
Helm helm upgrade cilium cilium/cilium --version 1.15.4 --namespace kube-system --reuse-values … Advanced customizations and overrides

Mixing CLI and Helm installations without --reuse-values can lead to configuration drift. Always double-check your values before upgrading.

2. Install Cilium with the CLI

At the time of writing, v1.15.4 is the latest stable release. Run:

cilium install --version 1.15.4 --wait

The --wait flag blocks until all Cilium pods and operators are ready.

Verify status:

cilium status

Expected output:

Cilium:
    OK
Operator:
    OK
Envoy Daemon Set:
    disabled (using embedded mode)
Hubble Relay:
    disabled
ClusterMesh:
    disabled

Deployment
    cilium-operator      Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet
    cilium              Desired: 2, Ready: 2/2, Available: 2/2
...

3. Validate Network Connectivity

Before enabling Hubble, confirm that Cilium networking works end-to-end:

cilium connectivity test

This can take a few minutes. A timeout like:

Connectivity test failed: timeout reached waiting for deployment cilium-test/client3 to become ready

indicates a readiness issue in one of the test pods.

4. Enable Hubble Observability via Helm

To add Hubble Relay and UI, upgrade your Cilium release in the kube-system namespace:

helm repo add cilium https://helm.cilium.io/
helm repo update
helm upgrade cilium cilium/cilium --version 1.15.4 \
  --namespace kube-system \
  --reuse-values \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true

Re-check Cilium’s status:

cilium status

You should now see:

Hubble Relay:      OK
Hubble UI:         OK
...
Cluster Pods:      X/Y managed by Cilium

5. Port-Forward Hubble Relay & Check Status

Port-forward the Relay service locally:

cilium hubble port-forward

This sets up:

kubectl port-forward -n kube-system svc/hubble-relay --address 127.0.0.1 4245:80

In a new terminal, query Hubble’s health:

hubble status

Sample output:

Healthcheck (via localhost:4245):
Current/Max Flows: 5,818/8,190 (71.04%)
Flows/s: 22.83
Connected Nodes: 2/2

6. Observe Live Network Flows

Stream live traffic and events:

hubble observe

Example event:

Jul 29 20:37:53.947: 10.0.0.77:46164 (host) <-- kube-system/coredns-... to-stack FORWARDED (TCP Flags: ACK, FIN)
...

You have successfully installed Cilium CNI and enabled Hubble observability on your Kubernetes cluster. Next, explore Cilium network policies and advanced Hubble filtering to secure and monitor traffic in production.