Coming Soon

Cilium deployment mode is not yet available. This page describes the planned architecture and will be updated when Cilium support ships. For the current supported setup, see Istio Deployment Mode.

Cilium Deployment Mode

In Cilium mode, CASA uses Cilium's node-level daemonset for both sidecar traffic interception and eBPF enforcement — no per-pod injection webhook is needed.

This is the planned production architecture, architecturally equivalent to Istio + eBPF but with tighter Cilium integration. Observability is provided by the Explorer UI in both modes.

How It Works

  1. The Cilium node-level daemonset intercepts pod traffic cluster-wide — no per-pod sidecar injection required
  2. Cilium enforces L4/L7 policies (deny-by-default; only declared endpoints may communicate)
  3. The CASA sidecar handles L7 enforcement: token injection, token introspection, protocol enforcement
  4. Custom eBPF programs extract JWTs from HTTP headers for observability

Prerequisites

  • Cilium 1.14+ installed in your cluster
  • CASA runtime installed via the casa-runtime Helm chart (includes all CASA components and subcharts)

Step 1: Label the Namespace

Enable CASA sidecar injection for your MAS namespace:

kubectl label namespace your-mas-namespace casa.io/injection=enabled

Step 2: Declare Network Policies via CASAPolicy

In Development

CASAPolicy is currently in development. When available, it will automatically manage network enforcement policies for your MAS workloads. See Concepts — CRDs for the full field reference.

Network policies for your MAS are declared using CASAPolicy CRDs. Example:

apiVersion: casa.io/v1alpha1
kind: CASAPolicy
metadata:
  name: agent-policy
  namespace: your-mas-namespace
spec:
  targetRef:
    kind: Deployment
    name: my-agent
  allowedProtocols:
    - mcp
    - a2a
  allowedEndpoints:
    - name: my-mcp-server
      namespace: your-mas-namespace
      port: 8080
    - name: casa-auth-service
      namespace: casa-runtime
      port: 8443
  llmEndpoint:
    fqdn: api.openai.com
    port: 443

Step 3: Verify CASAPolicy Status

Once CASAPolicy support ships, check that policies have been applied:

# List CASA policies in the namespace
kubectl get casap -n your-mas-namespace

# Describe a specific policy
kubectl describe casap agent-policy -n your-mas-namespace

Step 4: Verify Enforcement

# Verify an agent cannot reach an unlisted endpoint
kubectl exec -n your-mas-namespace deploy/my-agent -- curl -s https://api.anthropic.com/
# Expected: connection refused / timeout (blocked by eBPF enforcement)
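To make the deny-by-default rule from Step 2 concrete, here is an added Python evaluator that replays the Step 4 check against the page's example CASAPolicy. It is not CASA's own code; it assumes the decision semantics described on this page (allowedProtocols, allowedEndpoints and llmEndpoint are the only allow sources) and embeds the example policy as a constructed dict.

```python
# Added example: evaluate a CASAPolicy against candidate outbound flows.
# Assumes deny-by-default semantics as the page describes; not CASA's own code.
from dataclasses import dataclass
from typing import Optional
# Constructed from the page's example CASAPolicy (no YAML parser needed).
AGENT_POLICY = {
    "apiVersion": "casa.io/v1alpha1",
    "kind": "CASAPolicy",
    "metadata": {"name": "agent-policy", "namespace": "your-mas-namespace"},
    "spec": {
        "targetRef": {"kind": "Deployment", "name": "my-agent"},
        "allowedProtocols": ["mcp", "a2a"],
        "allowedEndpoints": [
            {"name": "my-mcp-server", "namespace": "your-mas-namespace", "port": 8080},
            {"name": "casa-auth-service", "namespace": "casa-runtime", "port": 8443},
        ],
        "llmEndpoint": {"fqdn": "api.openai.com", "port": 443},
    },
}

@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt from the policy's target workload."""
    dst: str                         # in-cluster service name or external FQDN
    port: int
    namespace: Optional[str] = None  # None for external (FQDN) destinations
    protocol: Optional[str] = None   # L7 protocol, if the sidecar identified one

def evaluate(policy: dict, flow: Flow) -> tuple:
    """Return (verdict, reason); anything not explicitly allowed is denied."""
    spec = policy["spec"]
    if flow.protocol is not None and flow.protocol not in spec.get("allowedProtocols", []):
        return "deny", f"protocol {flow.protocol!r} not in allowedProtocols"
    for ep in spec.get("allowedEndpoints", []):
        if (flow.namespace, flow.dst, flow.port) == (ep["namespace"], ep["name"], ep["port"]):
            return "allow", f"matches allowedEndpoints entry {ep['name']}"
    llm = spec.get("llmEndpoint")
    if llm and flow.namespace is None and (flow.dst, flow.port) == (llm["fqdn"], llm["port"]):
        return "allow", "matches llmEndpoint"
    return "deny", "no matching endpoint (deny-by-default)"

def verify_step4(policy: dict = AGENT_POLICY) -> dict:
    """Replay the Step 4 check plus the declared LLM and MCP destinations."""
    flows = {
        "api.anthropic.com:443": Flow("api.anthropic.com", 443),
        "api.openai.com:443": Flow("api.openai.com", 443),
        "my-mcp-server:8080 mcp": Flow("my-mcp-server", 8080, "your-mas-namespace", "mcp"),
        "my-mcp-server:8080 http": Flow("my-mcp-server", 8080, "your-mas-namespace", "http"),
    }
    return {label: evaluate(policy, f)[0] for label, f in flows.items()}
```

The unlisted api.anthropic.com flow is denied while the declared llmEndpoint is allowed, and the same MCP server is allowed or denied depending only on whether the observed L7 protocol is in allowedProtocols.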

Observability

Token events, tool check decisions, and flow verdicts are visible in the Explorer UI:

kubectl -n casa-runtime port-forward svc/casa-ui-explorer 8080:80
# Open http://localhost:8080

eBPF JWT Observability

JWT extraction and flow logging with custom eBPF programs are experimental and will be bundled in a future chart version.

Next Steps