diff --git a/cli/Dockerfile b/cli/Dockerfile
index 4add00a0e518396ca1d7cc6f65be0b644e3854e1..d7777c80a86efc28b658b97ed801c4803675ce0e 100644
--- a/cli/Dockerfile
+++ b/cli/Dockerfile
@@ -53,6 +53,15 @@ ENV SOPS_RELEASE=${SOPS_RELEASE}
 RUN curl -L https://github.com/mozilla/sops/releases/download/${SOPS_RELEASE}/sops-${SOPS_RELEASE}.linux > ./sops \
     && install -o root -g root -m 0755 sops /usr/local/bin/sops
 
+# Cilium CLI cache
+FROM docker.io/library/fedora:34 as cilium
+ARG CILIUM_RELEASE=latest
+ENV CILIUM_RELEASE=${CILIUM_RELEASE}
+
+RUN curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/${CILIUM_RELEASE}/download/cilium-linux-amd64.tar.gz{,.sha256sum} && \
+  sha256sum --check cilium-linux-amd64.tar.gz.sha256sum && \
+  tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
+
 # Actual start of container build
 FROM docker.io/library/fedora:34
 
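Review bot: The `ARG CILIUM_RELEASE=latest` default together with the URL shape `releases/${CILIUM_RELEASE}/download/…` makes the new stage non-reproducible and, as far as I know, only works for the literal value `latest` — GitHub's asset URL for a tagged release is `releases/download/<tag>/<asset>`, so a pinned tag cannot be passed through this ARG without also changing the URL. Because the `.sha256sum` file is fetched from the same origin in the same `curl` call, `sha256sum --check` only catches a truncated or corrupted transfer, not a substituted asset; pinning a tag and recording the expected digest in the Dockerfile, e.g. `ARG CILIUM_SHA256=<expected-sha256-placeholder>` checked with `echo "${CILIUM_SHA256}  cilium-linux-amd64.tar.gz" | sha256sum --check`, would give a real supply-chain check. The `curl -L` call also lacks `-f`, so an HTTP error body is written to disk and the build only fails later at the checksum step; `curl -fL …` fails at the download itself.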
@@ -89,12 +98,14 @@ COPY --from=hcloud /usr/local/bin/hcloud /usr/local/bin/hcloud
 COPY --from=helm /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=flux /usr/local/bin/flux /usr/local/bin/flux
 COPY --from=sops /usr/local/bin/sops /usr/local/bin/sops
+COPY --from=cilium /usr/local/bin/cilium /usr/local/bin/cilium
 
 RUN true \
     && echo "command -v flux >/dev/null && . <(flux completion bash)" >> /root/.bashrc \
     && echo "command -v kubectl >/dev/null && . <(kubectl completion bash)" >> /root/.bashrc \
     && echo "command -v helm >/dev/null && . <(helm completion bash)" >> /root/.bashrc \
     && echo "command -v hcloud >/dev/null && . <(hcloud completion bash)" >> /root/.bashrc \
+    && echo "command -v cilium >/dev/null && . <(cilium completion bash)" >> /root/.bashrc \
     && true
 
 # Create workspace
diff --git a/infrastructure/cilium/kustomization.yaml b/infrastructure/cilium/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7da405581f5d2452017bc318b2b1b1e5fd4e055d
--- /dev/null
+++ b/infrastructure/cilium/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - repository.yaml
+  - release.yaml
diff --git a/infrastructure/cilium/release.yaml b/infrastructure/cilium/release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0725c9acded2cea2ee863e0c64af00eaf6eb7870
--- /dev/null
+++ b/infrastructure/cilium/release.yaml
@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cilium
+  namespace: kube-system
+spec:
+  releaseName: cilium
+  chart:
+    spec:
+      chart: cilium
+      sourceRef:
+        kind: HelmRepository
+        name: cilium
+      version: 1.10.4
+  interval: 5m
+  values:
+    l7Proxy: false
+    encryption:
+      enabled: true
+      type: wireguard
+    hubble:
+      relay:
+        enabled: false
+      ui:
+        enabled: false
+    prometheus:
+      enabled: true
+    operator:
+      prometheus:
+        enabled: true
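Review bot: The values block gives no reason for `l7Proxy: false` sitting next to `encryption.type: wireguard`; a one-line comment would help the next maintainer, e.g. `# L7 proxy disabled: not supported together with WireGuard encryption in this Cilium release (verify against the 1.10 docs)`. As far as I recall, WireGuard encryption in Cilium 1.10 was a beta feature that requires WireGuard support in the node kernel, so documenting that prerequisite here or in the node image definition would help; the matching UDP 51871 rule in terraform/firewall.tf is present in this commit.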
diff --git a/infrastructure/cilium/repository.yaml b/infrastructure/cilium/repository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..16b7b954066068ea5bd70d9fd0fa349ecfa93824
--- /dev/null
+++ b/infrastructure/cilium/repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: cilium
+spec:
+  interval: 30m
+  url: https://helm.cilium.io/
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 8d3320ce61a30f8fd6d5a46290dace185f23a941..6c97dbb921ac26fa918d74239c606d0a68f0de1c 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - cilium
   # kyverno
   - hcloud-csi
   - rook
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index 39e8b028ebaaccd37281e4a13382634ad9529c1b..2bec9c95f03210815cd00d7ab6b00276202e0da7 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -54,6 +54,34 @@ resource "hcloud_firewall" "k8s-node" {
       port            = "9000-9999"
       source_ips      = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
   }
+  rule {
+    description     = "Prometheus operator metrics"
+    direction       = "in"
+    protocol        = "tcp"
+    port            = "8472"
+    source_ips      = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+  }
+  rule {
+    description     = "Cilium VXLAN"
+    direction       = "in"
+    protocol        = "udp"
+    port            = "8472"
+    source_ips      = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+  }
+  rule {
+    description     = "Cilium health checks"
+    direction       = "in"
+    protocol        = "tcp"
+    port            = "4240"
+    source_ips      = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+  }
+  rule {
+    description     = "Cilium Wireguard"
+    direction       = "in"
+    protocol        = "udp"
+    port            = "51871"
+    source_ips      = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+  }
 }
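Review bot: The first added rule's description `Prometheus operator metrics` does not match its port: TCP 8472 is the VXLAN port number (the next rule opens the same number over UDP), and I know of no Cilium metrics endpoint on 8472, so this looks like a copy of the VXLAN rule with the protocol changed rather than a metrics rule. Either point it at the actual cilium-agent/operator metrics ports (the values set by the chart's `prometheus.port` and `operator.prometheus.port` — confirm against the 1.10.4 chart) or drop it, since the existing `9000-9999` range in the rule above may already cover them. Cilium's node health checks also use ICMP between nodes, not only TCP 4240, so if this firewall drops ICMP by default the `Cilium health checks` rule may be incomplete; I cannot confirm that from the hunk, as the rest of the `hcloud_firewall.k8s-node` resource starts before it.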