Cilium · Rate Limits

Cilium Rate Limits

Cilium APIs (cilium-agent REST API on the local Unix socket, Hubble gRPC Observer / Peer, Hubble Relay, Tetragon gRPC, and the Cilium Operator REST API) are local cluster APIs rather than multi-tenant SaaS endpoints. The project does not publish per-second rate limits — practical throughput is bounded by the agent / operator process, the underlying eBPF data path, the gRPC server settings on Hubble / Tetragon, and operator-defined ingress / authorization rules. Cilium itself can enforce L7 rate-limiting on application traffic via Envoy-based network policy — that is a workload-policy feature, not a self-imposed API limit.

Cilium Rate Limits is the machine-readable rate-limit profile for Cilium on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 3 rate-limit definitions, measuring varies.

The profile also includes 3 backoff/retry policies defined and response codes documented for unauthorized, forbidden, serverError, and gRPCUnavailable.

Tagged areas include eBPF, Kubernetes, Networking, Observability, and Security.

3 Limits
eBPFKubernetesNetworkingObservabilitySecurityRate Limiting

Limits

cilium-agent local API node
varies
no built-in rate limit; bounded by node CPU / memory and Unix-socket throughput
Served locally on each node; access is restricted by file-system permissions on the Unix-domain socket.
Hubble Observer gRPC cluster
varies
gRPC server defaults; operator-tunable
Per-stream concurrency is controlled by Hubble Relay configuration and the underlying gRPC server settings.
Tetragon gRPC node
varies
gRPC server defaults; operator-tunable
Tetragon does not impose an upstream rate limit; operators bound consumers via Kubernetes RBAC and gRPC server settings.

Policies

Backoff Strategy
gRPC clients should retry transient unavailability with exponential backoff and jitter; honor any deadline / cancellation propagated by the server.
Local Access Model
cilium-agent and the Cilium Operator API are local APIs intended for in-cluster / node-local use, secured by Unix-socket permissions and Kubernetes RBAC rather than per-second throttling.
Workload Rate Limiting
Cilium Network Policy can enforce L7 rate limits on application traffic via Envoy-based filters — a workload-policy feature distinct from API rate limits.

Sources