Hi Team, I'm trying to restrict pod egress traffic using DNS-based rules in Cilium network policies on a DOKS cluster.
With the default Cilium installation on DOKS, DNS-based policies do not work because Cilium requires the --enable-l7-proxy flag to be enabled. Since Cilium is managed by DOKS, there is currently no supported way to enable this flag.
Could you enable L7 proxy support by default in a future DOKS Cilium release, or make Cilium settings configurable?
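For reference, this is the kind of policy the question is about, added here as an illustration rather than taken from the original post or from DOKS. It assumes a workload labelled `app: worker` and two hypothetical allowed destinations; the `rules.dns` section is the L7 rule that depends on `--enable-l7-proxy`, because without the DNS proxy Cilium never learns which IPs the `toFQDNs` names resolve to and the rule cannot allow anything.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-egress-to-named-hosts   # example name, not from the page
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: worker                     # assumed label on the workload pods
  egress:
  # 1. Allow DNS lookups to kube-dns and have Cilium's DNS proxy parse them.
  #    This is the L7 part: it requires --enable-l7-proxy. Cilium records
  #    the answers so the toFQDNs rule below can be enforced at L3/L4.
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"           # observe all queries; no extra filtering here
  # 2. Allow HTTPS only to IPs resolved for these names (hypothetical hosts).
  #    Once any egress rule exists, every other destination is denied.
  - toFQDNs:
    - matchName: "api.example.com"
    - matchPattern: "*.example.org"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

With the proxy disabled, the symptom is that the DNS lookups succeed but connections to the resolved IPs are dropped, which is what `cilium monitor --type drop` on the node shows when checking whether the policy is actually in effect.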
Interesting use case.
Since Cilium is managed as part of the DOKS control plane, most of those configuration flags aren’t exposed to users today. I’m not sure if enabling --enable-l7-proxy is something that can currently be customized in managed clusters.
It might be worth reaching out to DigitalOcean support to see if this is something the team is considering for future DOKS Cilium releases or if there’s a recommended workaround:
Heya,
On top of what's already been mentioned, if you need actual DNS-based filtering, you can run an egress proxy (Squid or Envoy) as a pod in the cluster and funnel your workload traffic through it. More overhead to manage, but it's completely independent of Cilium's L7 support.
Regards