Prerequisites: cni, ebpf, kube-proxy, daemonset
Cilium is the networking layer devata runs. It does two jobs at once: it is the CNI that gives every pod its address and connects pods across nodes, and it is the replacement for kube-proxy that makes Service routing work. It runs as a DaemonSet, one copy per node, and does its routing in the kernel with eBPF instead of writing iptables rules.
Confirm it has taken over kube-proxy’s role on devata:
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
It reports True. That single setting, kubeProxyReplacement, is the entire reason kube-proxy could be deleted from this cluster without anything breaking: Cilium was already handling Service routing, so kube-proxy had been doing nothing but consuming resources before it was removed. The same is true of Flannel, which Cilium’s CNI side made redundant.
See the eBPF routing table Cilium keeps:
kubectl -n kube-system exec ds/cilium -- cilium-dbg service list | head
Each line maps a Service address to its backends, the job kube-proxy did with iptables chains, held in eBPF maps instead. Cilium also ships Hubble, its observability layer, which lets you watch this traffic flow at the identity level rather than by raw IP; it is the source of the “Hubble answers” you rely on when devata is healthy.
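The grep in the KubeProxyReplacement check exits 0 whenever the line is present, whatever value it carries, so a script or health probe has to test the value itself. The following is an added example, not part of the original page, that does this over constructed sample output; the function names are hypothetical, and accepting `Strict` as the spelling used by older Cilium releases is an assumption.

```shell
#!/bin/sh
# Added example: make the manual KubeProxyReplacement check fail on a wrong value.

# kpr_value: read `cilium-dbg status` output on stdin and print the value
# that follows the "KubeProxyReplacement:" label (prints nothing if absent).
kpr_value() {
    awk '$1 == "KubeProxyReplacement:" { print $2; exit }'
}

# kpr_enabled: succeed only if Cilium reports that it handles Service routing.
# "True" is the value the page shows; "Strict" is assumed for older releases.
kpr_enabled() {
    case "$(kpr_value)" in
        True|Strict) return 0 ;;
        *)           return 1 ;;   # False, Disabled, Partial, or line missing
    esac
}

# Constructed, abridged status output (not captured from devata).
SAMPLE_ON='KVStore:                 Disabled
KubeProxyReplacement:    True   [eth0 (Direct Routing)]
Cilium:                  Ok'

SAMPLE_OFF='KVStore:                 Disabled
KubeProxyReplacement:    False
Cilium:                  Ok'

# A plain grep finds the line in both samples; only kpr_enabled tells them apart.
for sample in "$SAMPLE_ON" "$SAMPLE_OFF"; do
    if printf '%s\n' "$sample" | kpr_enabled; then
        echo "kube-proxy replacement active: safe to run without kube-proxy"
    else
        echo "kube-proxy replacement NOT active: Service routing needs kube-proxy"
    fi
done

# Against the live cluster, pipe the page's own command into the check:
#   kubectl -n kube-system exec ds/cilium -- cilium-dbg status | kpr_enabled
```

Because `ds/cilium` execs into a single agent pod, a passing result describes that one node; repeat it per pod to cover the whole DaemonSet.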
Reference: Cilium docs, kube-proxy replacement.