CPG – Generate Cilium network policies from dropped Hubble flows

1 points by soulkyu 3 hours ago

I run Cilium with default-deny on a few clusters. Every time a new service deploys, something gets blocked, and I end up in the same loop: read Hubble logs, find the dropped flow, write the CiliumNetworkPolicy YAML, apply, wait, repeat.

I wrote CPG to skip that loop. It connects to Hubble Relay, streams denied flows, and generates the policy files. TCP/UDP, ICMP, reserved entities, CIDR — it handles what I've needed so far. If a policy already exists on disk, it merges the new rules in without duplicates.

It's a CLI tool in Go. You can also install it as a kubectl plugin via krew (PR pending). It auto port-forwards to hubble-relay, so there's zero setup beyond having Cilium running.

Built most of this with Claude as copilot, so fair warning on that front.

Would be curious to hear if others have a different approach to the default-deny policy bootstrapping.

Here is the link: https://github.com/SoulKyu/cpg
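The generate-and-merge step the post describes, as an added Go example that is not CPG's own code: constructed dropped-flow records (a simplified stand-in for Hubble's flow type) are folded into one CiliumNetworkPolicy per destination workload, already-present rules are skipped so re-running over the same flows adds nothing, and the result is rendered as YAML. Type and field names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// DroppedFlow is a constructed stand-in for a Hubble DROPPED flow (real Hubble types not used).
type DroppedFlow struct {
	SrcNS, SrcApp, DstNS, DstApp string // pod identity = namespace + app label
	Port                         int
	Proto                        string // "TCP" or "UDP"
}

// Rule is one ingress entry; Policy models a CiliumNetworkPolicy for one workload.
type Rule struct {
	FromNS, FromApp, Proto string
	Port                   int
}
type Policy struct {
	NS, App string
	Ingress []Rule // insertion order kept so the rendered YAML is stable
}

// MergeFlows folds dropped flows into policies keyed "namespace/app". Pass a map
// loaded from existing policy files to merge into it; duplicate rules are skipped.
func MergeFlows(policies map[string]*Policy, flows []DroppedFlow) map[string]*Policy {
	for _, f := range flows {
		k := f.DstNS + "/" + f.DstApp
		if policies[k] == nil {
			policies[k] = &Policy{NS: f.DstNS, App: f.DstApp}
		}
		p, r, dup := policies[k], Rule{f.SrcNS, f.SrcApp, f.Proto, f.Port}, false
		for _, have := range p.Ingress {
			dup = dup || have == r
		}
		if !dup {
			p.Ingress = append(p.Ingress, r)
		}
	}
	return policies
}

// YAML renders CiliumNetworkPolicy YAML: one fromEndpoints block per rule,
// narrowed to the observed port/protocol via toPorts.
func (p *Policy) YAML() string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: cilium.io/v2\nkind: CiliumNetworkPolicy\nmetadata:\n  name: allow-to-%s\n  namespace: %s\nspec:\n  endpointSelector:\n    matchLabels:\n      app: %s\n  ingress:\n", p.App, p.NS, p.App)
	for _, r := range p.Ingress {
		fmt.Fprintf(&b, "  - fromEndpoints:\n    - matchLabels:\n        app: %s\n        k8s:io.kubernetes.pod.namespace: %s\n    toPorts:\n    - ports:\n      - port: \"%d\"\n        protocol: %s\n", r.FromApp, r.FromNS, r.Port, r.Proto)
	}
	return b.String()
}
```

Because the generated rules pin both the peer and the L4 port, a policy bootstrapped this way only ever opens what was actually observed being dropped, which is the property you want when starting from default-deny.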

JumpingVPN2027 2 hours ago

Interesting approach.

Out of curiosity — how do you maintain a stable session identity if the underlying transport path changes (for example NAT rebinding or relay migration)?

Is it tied to a cryptographic token or internal session state?