Kubernetes Ingress Support

Cilium uses the standard Kubernetes Ingress resource definition, with an ingressClassName of cilium. This can be used for path-based routing and for TLS termination.


The ingress controller creates a service of LoadBalancer type, so your environment will need to support this.

This is a step-by-step guide on how to enable the Ingress Controller in an existing K8s cluster with Cilium installed.


  • Cilium must be configured with kubeProxyReplacement as partial or strict. Please refer to kube-proxy replacement for more details.

  • The minimum supported Kubernetes version for Ingress is 1.19.


Cilium Ingress Controller can be enabled with helm flag ingressController.enabled set as true. Please refer to Installation using Helm for a fresh installation.

$ helm upgrade cilium cilium/cilium --version 1.12.4 \
    --namespace kube-system \
    --reuse-values \
    --set ingressController.enabled=true
$ kubectl -n kube-system rollout restart deployment/cilium-operator
$ kubectl -n kube-system rollout restart ds/cilium

If you only want to use envoy traffic management feature without Ingress support, you should only enable --enable-envoy-config flag.

$ helm upgrade cilium cilium/cilium --version 1.12.4 \
    --namespace kube-system \
    --reuse-values \
    --set-string extraConfig.enable-envoy-config=true
$ kubectl -n kube-system rollout restart deployment/cilium-operator
$ kubectl -n kube-system rollout restart ds/cilium

Next you can check the status of the Cilium agent and operator:

$ cilium status

Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

Hubble CLI is also used to observe the traffic in later steps.

Download the latest hubble release:

export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

Supported Ingress Annotations



Default Value


Enable TCP keep-alive

1 (enabled)


TCP keep-alive idle time (in seconds)



TCP keep-alive probe intervals (in seconds)



TCP keep-alive probe max failures



Enable websocket

0 (disabled)

Additionally, cloud-provider specific annotations for the LoadBalancer service are supported. Please refer to the Kubernetes documentation for more details.


Please refer to one of the below examples on how to use and leverage Cilium’s Ingress features: