Introduction
Kubernetes networking has evolved significantly over time. Traditional Container Network Interfaces (CNIs) rely heavily on iptables, which can introduce performance and scalability challenges.
With VMware Kubernetes Service (VKS), you can now leverage Cilium CNI, an eBPF-powered networking solution that delivers high performance, advanced security, and deep observability.
In this blog, we will walk through how to deploy a VKS cluster using Cilium CNI in a simple and practical way.
What You’ll Learn
- What Cilium CNI is and how it works
- Why Cilium is a better alternative to traditional CNIs
- How to deploy a VKS cluster with Cilium
- How to verify and validate the deployment
- Key benefits and real-world use cases
What is Cilium CNI?
Cilium is the network plugin (CNI) for your Kubernetes cluster. It implements pod networking and firewall-style rules with eBPF programs in the Linux kernel instead of long chains of traditional iptables rules.
Unlike traditional CNIs:
- No heavy reliance on iptables
- Faster packet processing
- More intelligent traffic handling
Why Use Cilium in VKS?
Using Cilium in VKS provides:
- High performance with eBPF
- Advanced L3–L7 security policies
- Deep observability with Hubble
- Better scalability for large clusters
Installation Prerequisites
To provision VKS clusters with Cilium, your environment must meet the following requirements:
- VKS version 3.6 or later
- VKr version 1.35 or later
- VKS Standard Package repository (v3.6.0+20260320 or later) containing the Cilium add-on
Deploying and Validating Cilium on VKS Cluster
In this example, the VKS cluster is named vks-cluster-01 and the VKS cluster namespace is cilium-cni-demo.
Step 1: Create a file named cilium-addoninstall.yaml with the following content.
Apply it on the Supervisor.
Step 2: Create a file named cilium-addonconfig.yaml with the following content.
The AddonConfig resource allows you to override the default settings of packages.
In the following example, we enable Hubble Relay and UI.
Step 3: Create a file named vks-cluster-with-cilium.yaml with the following content.
Step 4: Validate the Cilium add-on and related objects
Generate the kubeconfig file for the VKS cluster (vks-cluster-01-kubeconfig) and run the following command to check the status of the Cilium pods.
Step 5: Validate Cilium cluster status using the Cilium CLI
Cilium provides a powerful CLI tool called cilium that helps you check cluster health, connectivity, and overall status.
Install Cilium CLI
Switch to VKS Cluster Context
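The Step 4 pod check can also be scripted. The following is an added example, not code from the original post or from VKS: it reads a `kubectl get pods --no-headers` listing and reports Cilium components that are missing or not Ready, including the Hubble Relay and UI enabled in Step 2. It assumes the VKS package keeps the upstream workload names and runs in kube-system; the function name and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumptions: the VKS Cilium package keeps the upstream workload names
# (cilium, cilium-operator, hubble-relay, hubble-ui) and runs in kube-system.
# Live use:
#   kubectl --kubeconfig vks-cluster-01-kubeconfig -n kube-system \
#     get pods --no-headers | check_cilium_pods

# Reads `kubectl get pods --no-headers` output on stdin. Prints one finding
# per line and nothing at all when every expected component is healthy.
check_cilium_pods() {
  awk '
    BEGIN { n = split("cilium cilium-operator hubble-relay hubble-ui", want, " ") }
    {
      # Columns: NAME READY STATUS RESTARTS AGE
      if      ($1 ~ /^cilium-operator-/) comp = "cilium-operator"
      else if ($1 ~ /^hubble-relay-/)    comp = "hubble-relay"
      else if ($1 ~ /^hubble-ui-/)       comp = "hubble-ui"
      else if ($1 ~ /^cilium-envoy-/)    comp = "cilium-envoy"  # optional
      else if ($1 ~ /^cilium-/)          comp = "cilium"        # agent
      else next                                                 # unrelated pod
      seen[comp]++
      split($2, ready, "/")
      if ($3 != "Running" || ready[1] != ready[2])
        printf "NOT_READY %s (%s, %s)\n", $1, $2, $3
    }
    END {
      # Hubble Relay and UI are expected because Step 2 enables them.
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) printf "MISSING %s\n", want[i]
    }'
}

# Constructed sample listing: one agent still initializing, no hubble-ui pod.
SAMPLE_PODS='cilium-7xk2p                      1/1  Running   0  12m
cilium-q9d4z                      0/1  Init:0/6  0  12m
cilium-operator-5c9f7d8b6c-lm2rt  1/1  Running   0  12m
hubble-relay-6d5f8c7b9d-x8vwn     1/1  Running   0  11m
coredns-76f75df574-abcde          1/1  Running   0  20m'

printf '%s\n' "$SAMPLE_PODS" | check_cilium_pods
```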
Key Takeaways
- Cilium CNI brings modern Kubernetes networking to VKS using eBPF, eliminating the limitations of traditional iptables-based CNIs
- It delivers high performance and low latency, making it ideal for production-grade and large-scale environments
- Built-in observability with Hubble provides deep visibility into service-to-service communication
- Supports advanced security policies (L3–L7), enabling fine-grained control over application traffic
- Seamless integration with VKS through standard packages simplifies deployment and lifecycle management
- The Cilium CLI makes it easy to validate cluster health, connectivity, and troubleshoot issues
- Cilium is a strong choice for organizations looking to build secure, scalable, and future-ready Kubernetes platforms
Disclaimer
This blog is for informational and educational purposes only. The configurations, examples, and architectural guidance provided are based on general best practices and publicly available references.
Always validate configurations in a non-production environment before applying them to live systems. Features and integrations may vary depending on the versions of VKS, VKr, Supervisor and vCenter Server being used. The author is not responsible for any unintended impact caused by the use of this information in production environments.
