Cilium · Rate Limits
Cilium Rate Limits
Cilium APIs (cilium-agent REST API on the local Unix socket, Hubble gRPC Observer / Peer, Hubble Relay, Tetragon gRPC, and the Cilium Operator REST API) are local cluster APIs rather than multi-tenant SaaS endpoints. The project does not publish per-second rate limits — practical throughput is bounded by the agent / operator process, the underlying eBPF data path, the gRPC server settings on Hubble / Tetragon, and operator-defined ingress / authorization rules. Cilium itself can enforce L7 rate-limiting on application traffic via Envoy-based network policy — that is a workload-policy feature, not a self-imposed API limit.
3 Limits
eBPFKubernetesNetworkingObservabilitySecurityRate Limiting
Limits
cilium-agent local API node
no built-in rate limit; bounded by node CPU / memory and Unix-socket throughput
Served locally on each node; access is restricted by file-system permissions on the Unix-domain socket.
Hubble Observer gRPC cluster
gRPC server defaults; operator-tunable
Per-stream concurrency is controlled by Hubble Relay configuration and the underlying gRPC server settings.
Tetragon gRPC node
gRPC server defaults; operator-tunable
Tetragon does not impose an upstream rate limit; operators bound consumers via Kubernetes RBAC and gRPC server settings.
Policies
Backoff Strategy
gRPC clients should retry transient unavailability with exponential backoff and jitter; honor any deadline / cancellation propagated by the server.
Local Access Model
cilium-agent and the Cilium Operator API are local APIs intended for in-cluster / node-local use, secured by Unix-socket permissions and Kubernetes RBAC rather than per-second throttling.
Workload Rate Limiting
Cilium Network Policy can enforce L7 rate limits on application traffic via Envoy-based filters — a workload-policy feature distinct from API rate limits.