Found 36 bookmarks
Kubernetes API health endpoints healthz, livez, readyz
The Kubernetes API server provides API endpoints to indicate the current status of the API server. This page describes these API endpoints and explains how you can use them.
API endpoints for health
The Kubernetes API server provides 3 API endpoints (healthz, livez and readyz) to indicate the current status of the API server. The healthz endpoint is deprecated (since Kubernetes v1.16), and you should use the more specific livez and readyz endpoints instead.
·kubernetes.io·
Kubernetes API Concepts
The Kubernetes API is a resource-based (RESTful) programmatic interface provided via HTTP. It supports retrieving, creating, updating, and deleting primary resources via the standard HTTP verbs (POST, PUT, PATCH, DELETE, GET). For some resources, the API includes additional subresources that allow fine-grained authorization (such as separate views for Pod details and log retrievals), and can accept and serve those resources in different representations for convenience or efficiency. Kubernetes supports efficient change notifications on resources via watches: in the Kubernetes API, watch is a verb that is used to track changes to an object in Kubernetes as a stream.
·kubernetes.io·
Egress Gateway cilium important!!!
Enhancing network security and traffic control exiting Kubernetes environments
Egress gateways provide a way to route all outbound traffic from certain pods through a specific node with a predictable IP address. This predictable IP can be useful for scenarios where the traffic destination requires a known source IP, for instance, when working with legacy systems or firewall rules.
·cilium.io·
Key-Value Store — Cilium 1.19.0-dev documentation
All endpoint IPs and corresponding identities are mirrored to the kvstore by the agent on the node where the endpoint is launched, to allow peer nodes to configure egress policies to endpoints backed by these IPs.
·docs.cilium.io·
Introduction to Cilium & Hubble — Cilium 1.19.0-dev documentation
Because eBPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration.
This shift toward highly dynamic microservices presents both a challenge and an opportunity in terms of securing connectivity between microservices. Traditional Linux network security approaches (e.g., iptables) filter on IP address and TCP/UDP ports, but IP addresses frequently churn in dynamic microservices environments.
An additional challenge is the ability to provide accurate visibility as traditional systems are using IP addresses as primary identification vehicle which may have a drastically reduced lifetime of just a few seconds in microservices architectures.
Cilium retains the ability to transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems).
Overlay networking: encapsulation-based virtual network spanning all hosts with support for VXLAN and Geneve. It works on almost any network infrastructure as the only requirement is IP connectivity between hosts which is typically already given.
Native routing mode: Use of the regular routing table of the Linux host. The network is required to be capable of routing the IP addresses of the application containers. It integrates with cloud routers, routing daemons, and IPv6-native infrastructure.
Flexible routing options: Cilium can automate route learning and advertisement in common topologies such as using L2 neighbor discovery when nodes share a layer 2 domain, or BGP when routing across layer 3 boundaries.
Cilium Cluster Mesh enables secure, seamless connectivity across multiple Kubernetes clusters.
·docs.cilium.io·
DOGE Developed Error-Prone AI Tool to “Munch” Veterans Affairs Contracts
We obtained records showing how a Department of Government Efficiency staffer with no medical experience used artificial intelligence to identify which VA contracts to kill. “AI is absolutely the wrong tool for this,” one expert said.
The code, using outdated and inexpensive AI models, produced results with glaring mistakes. For instance, it hallucinated the size of contracts, frequently misreading them and inflating their value. It concluded more than a thousand were each worth $34 million, when in fact some were for as little as $35,000.
·propublica.org·
Feb 10, 2025 DOGE Staffer Is Trying to Reroute FEMA Funds look at fema data
Kyle Schutt also at CISA. Sources inside FEMA say DOGE representative Kyle Schutt gained access to FEMA’s proprietary software controlling payments.
The Disaster Relief Fund portion of FEMA has migrated their financial management to FEMA GO as well, meaning DOGE has the names, addresses, and social security numbers for anyone who has applied for disaster relief, according to sources within FEMA.
·dropsitenews.com·
SSA whistleblower 08 26 2025 borges disclosure sanitized
the Enterprise Data Warehouse, Numident, Master Beneficiary Record, and Supplemental Security Record.
First, around March 14, 2025, DOGE members requested access to PSNAP and SNAP MI
Indeed, former SSA Acting Commissioner Michelle King resigned in February after refusing to hand over unprecedented amounts of sensitive, protected information—
Beginning around March 14, 2025, DOGE officials were given improper and excessive access to multiple schemas and databases inside the Enterprise Data Warehouse (EDW),
Additionally, these profiles concerningly included equipment pin access and write access. Equipment pin access means that instead of a user accessing data through a personal pin identifier, which would make the accessor’s actions traceable to a user, an equipment pin i
March 17, 2025, the EDW team discovered that users had been given access to data that was reportedly not authorized through normal approval channels.
March 20, 2025, the Social Security Administration received the TRO prohibiting DOGE and its affiliates from access to SSA’s data and revoked VPN access accordingly. The following day, on Friday, March 21, 2025, the EDW team initially complied with proper procedures by revoking data access through the established SAM request process. However, within 24 hours of the court-ordered revocation, DOGE officials appeared to have circumvented the judicial mandate. On the evening of Friday, March 21, 2025, according to information later received by Mr. Borges, senior career EDW officials who have system administrative privileges received instructions to undo the court-ordered access restrictions for two DOGE employees.
the requested access was for new and expanded privileges beyond the privileges that were in place at the time of the TRO, totaling forty-two different profiles, including specifically identified privileges that should not have been granted.
This emergency restoration of access raises concerns that the TRO may have been violated and may have also violated federal statutes, potentially including: 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) by facilitating unauthorized access to protected computer systems; 5 U.S.C. § 552a (Privacy Act of 1974) by providing unauthorized access to systems of records containing personally identifiable information without proper justification or approval; 44 U.S.C. § 3551 et seq. (Federal Information Security Modernization Act) by circumventing established security controls and procedures designed to protect federal information systems; 5 U.S.C. Appendix (Inspector General Act) as proper oversight procedures were systematically bypassed, potentially impeding the Inspector General's ability to conduct effective audits and investigations of the agency's operations; and potentially constituted 18 U.S.C. § 371 (Conspiracy) to circumvent a federal court order.
On June 10, 2025, John Solley asked SSA CIO professionals to create a cloud environment to which SSA’s Numerical Identification System or “NUMIDENT” data could be transferred. T
On June 11, 2025, the request appeared to have changed to a request to transfer NUMIDENT to a test environment.
Later that morning, it became clear that DOGE’s request again changed, at this point, they wanted full administrative access to the cloud environment.
June 10-11 request to have administrative access to “their own Virtual Private Cloud (VPC, “cloud”) within the SSA Amazon Web Services – Agency Cloud Infrastructure (AWS-ACI).”
The requested VPC project does not have an “Authority to Operate (ATO)” to ensure proper security controls are in place;
Developers (presumably DOGE) planned to import NUMIDENT into the cloud, and because AWS-ACI is an extension of the SSA network, any other SSA production data and PII could also be imported; “unauthorized access to the NUMIDENT would be considered catastrophic impact to SSA beneficiaries and SSA programs” (emphasis added);
Because (DOGE) developers, and not DIS, would have administrative access to this cloud, developers would be able to create publicly accessible services, meaning that they would have the ability to allow public access to the system and therefore the data in the system;
Granting (DOGE) developers administrative access would allow them to initiate any AWS service though agency policy required that only DIS could manage such services, meaning that the developers could install services in the cloud not approved for government use.
The risk assessment recommended that the cloud project 1) not use production data, 2
First, whether DOGE could have administrative access to the requested cloud environment, and second, whether NUMIDENT production data should be moved to this cloud environment.
On June 24, 2025, CIO professionals confirmed that DOGE was given administrative access to the cloud.
On June 25, 2025, CIO officials elevated a further developed request to Michael Russo. At this point, it appeared that John Solly was requesting that NUMIDENT production data be copied from an environment managed by DIS, per policy, to the DOGE specific cloud environment that lacked independent security controls, and that this requested access bypassed proper SAM protocol.
In late June 2025, it was reported to Mr. Borges that no verified audit or oversight mechanisms existed over the DOGE cloud environment set up outside of DIS control, and no one outside the former DOGE group had insight into code being executed against SSA’s live production data
On July 15, 2025, Aram Moghaddassi authorized a “Provisional Authorization to Operate” apparently for the NUMIDENT cloud project stating, “I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation.”
Moghaddassi circumvented independent security monitoring and authorized himself to “assume the risk” of holding a copy of the American public’s social security data in a potentially unsecured cloud environment. In reality, it is the American people who assume the risk.
Placing production NUMIDENT data in cloud environments without independent security controls violates these maintenance requirements. This action also potentially violated 18 U.S.C. § 1030, the Computer Fraud and Abuse Act, by facilitating unauthorized access to protected computer systems.
On August 6, 2025, Mr. Borges made internal disclosures to his superiors regarding the concerns outlined above. In that discussion, Mr. Borges commented that re-issuance of Social Security Numbers to all who possess one was a potential worst case outcome, and one of his superiors noted that possibility, underscoring the risk to the public.
On August 11, 2025, Mr. Borges contacted Edward Coristine, John Solly, and Mickie Tyquiengco, the Executive Officer in the OICO Front Office, to request information about data security concerns including: • The safety of SSA datasets in the cloud, particularly the AWS based VPCs between June and July 2025, which would encompass the NUMIDENT cloud project initiated by John Solly on June 10, 2025;
That same day, in response to Mr. Borges’ August 8, 2025 request for information about concerns raised, a CIO employee confirmed that while two cloud access accounts owned by Aram Moghaddassi were created per SSA policy, they are not managed by the Division of Infrastructure Services (DIS), are self-administered, and include access to both test and live data environments.
serves to support Mr. Borges’ reasonable belief that the creation of the DOGE specific, self-administered cloud environment lacking independent security controls and hosting a copy of NUMIDENT constitutes an abuse of authority, gross mismanagement, substantial and specific threat to public health and safety,
Moreover, to date, Mr. Borges has not received a response to his August 7, 2025 request for information from Coristine
Furthermore, Mr. Borges is aware that the Office of General Counsel has advised employees not to respond to his inquiries.
·whistleblower.org·
April 16, 2025 one day after disclosure - DOGE assigns staffers to work at agency where it allegedly removed sensitive data
The National Labor Relations Board told employees Wednesday that DOGE staffers would be assigned to the agency, one day after a whistleblower alleged DOGE may have removed sensitive NLRB data.
"There is panic among the employees," said one of the employees. "My office has been in turmoil since this afternoon's email … people are concerned about the data."
Tim Bearese, the NLRB's acting press secretary, did not respond to NPR's questions about DOGE visiting the agency. Earlier this week, Bearese denied that NLRB granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but "determined that no breach of agency systems occurred."
DogeSA_2d5c3e0446f9@nlrb.microsoft.com
·npr.org·
DOGE-ifying Government with Data & Tech: What States Can Learn from the Federal DOGE Fallout - Center for Democracy and Technology
On January 20, 2025 the White House issued an executive order (EO) creating the Department of Government Efficiency (DOGE) by reconfiguring the U.S. Digital Service. The mandate of this new initiative was to “implement the President’s DOGE Agenda, by modernizing Federal technology and software to maximize governmental efficiency and productivity.” In service of this goal, […]
DOGE’s unprecedented access to the most sensitive information about tens of millions of people across the country has resulted in at least 16 lawsuits that allege violations of six privacy protections — the most common being the Privacy Act of 1974 — across eight federal agencies.
·cdt.org·
March 26, 2025 DOGE says it needs to know the government's most sensitive data, but can't say why
DOGE staffers have skirted privacy laws, training and security protocols to gain virtually unfettered access to financial and personal information stored in siloed government databases.
DOGE has given conflicting information about what data it has accessed, who has that access, and most importantly — why.
In one order last week blocking DOGE's access to Social Security data, U.S. District Judge Ellen Lipton Hollander of Maryland said the government "never identified or articulated even a single reason for which the DOGE Team needs unlimited access to SSA's entire record systems, thereby exposing personal, confidential, sensitive, and private information that millions of Americans entrusted to their government."
On Monday, a federal judge in Maryland temporarily halted DOGE from accessing data of millions of union members in a lawsuit against the Office of Personnel Management, the Treasury Department and Education Department after finding the agencies shared private information with DOGE affiliates "who had no need to know the vast amount of sensitive personal information to which they were granted access."
In the Social Security Administration lawsuit, Hollander found several DOGE staffers "were granted access to SSA systems before their background checks were completed or their inter-agency detail agreements were finalized." One of those is Bobba, who was given access to the master data warehouse at SSA that includes the Master Beneficiary Record, Supplemental Security Record and Numident files containing "extensive information about anyone with a social security number," according to filings in the case.
Not even lawyers for the government can account for when and how DOGE staffers received access to sensitive databases. In a Labor Department lawsuit, Judge John D. Bates notes that "defendants themselves acknowledge inconsistencies across their evidence" regarding DOGE
sent an email with a spreadsheet containing PII to two United States General Services Administration officials," according to an audit of his email account submitted in one court filing.
"a real possibility exists that sensitive information has already been shared outside of the Treasury Department, in potential violation of federal law."
·npr.org·
April 16, 2025 DOGE Staffers Pay Visit To NLRB Offices Following Whistleblower Report
so NLRB high level is in on it
Members of Elon Musk’s Department of Government Efficiency (DOGE) paid a visit to Washington D.C. headquarters of the National Labor Relations Board this morning to meet with agency leadership, following a whistleblower report alleging that DOGE misappropriated sensitive case information regarding labor disputes from the agency, according to two people familiar with the meeting
acting NLRB general counsel William Cowen told agency staffers in an email Tuesday afternoon that DOGE has not been in contact with the agency, and that the agency does not have evidence to support the whistleblower’s claims. “The NLRB has had no official contact with any DOGE personnel. We have not granted DOGE access to any agency systems, nor has DOGE requested access to agency system… At this point in time, we have no evidence of any unauthorized or unusual activity on agency systems,”
“All I know is that two to three people from DOGE are meeting with agency heads right now,”
confirming that the meeting had taken place and announcing that DOGE will continue to be involved at the agency for the foreseeable future. “Two DOGE representatives will be detailed to the agency from GSA part-time for several months,”
·forbes.com·
February 14. Trump firings cause chaos at agency responsible for America's nuclear weapons
The National Nuclear Security Administration is a semi-autonomous agency within the Department of Energy that oversees the U.S. stockpile of thousands of nuclear weapons. Officials were given hours to fire hundreds of employees.
Officials were given hours to fire hundreds of employees, and workers were shut out of email as termination notices arrived. The terminations were part of a broader group of dismissals at the Department of Energy, where reportedly more than a thousand federal workers were terminated.
civilian agency that conducts a wide variety of nuclear security missions, including servicing the nation's nuclear weapons when they're not on missiles and bombers, and making extensive safety and security upgrades of the warheads.
Some workers were responsible for making sure emergency response plans were in place at sites like a giant facility in Texas, where thousands of dismantled warheads are stored. Others worked to prevent terrorists and rogue nations from acquiring weapons-grade plutonium or uranium. Many had "Q" clearances, the highest level security clearance at the Department of Energy.
In the final days leading up to the firings, managers drew up lists of essential workers and pleaded to keep them.
Multiple current and former employees at the agency told NPR that scores of people were notified verbally they were fired. Many had to clear out their desks on the spot. "It broke my heart," says one employee who was among those who left the agency's Washington, D.C., headquarters.
The NNSA termination letter did not appear to make any specific reference to the highly-classified nuclear mission conducted by the agency.
But others at the agency who were told they were terminated never received written notification.
Nuclear security is highly specialized, high-pressure work, but it's not particularly well paid, one employee told NPR. Given what's unfolded over the past 24 hours, "why would anybody want to take these jobs?" they asked.
Despite having the words "National" and "Security" in its title, it was not getting an exemption for national security, managers at the agency were told last Friday, according to an employee at NNSA
Just days before, officials in leadership had scrambled to write descriptions for the roughly 300 probationary employees at the agency who had joined the federal workforce less than two years ago.
Managers were given just 200 characters to explain why the jobs these workers did mattered.
"Per OPM [Office of Personnel Management] instructions, DOE finds that your further employment would not be in the public interest,"
·npr.org·
Monday April 28. DOGE employees gain accounts on classified networks holding nuclear secrets
Two DOGE employees have access to a network used to transmit classified nuclear weapons data and a separate network used by the Department of Defense, sources tell NPR.
two independent sources tell NPR
Luke Farritor, a 23-year-old former SpaceX intern, and Adam Ramada, a Miami-based venture capitalist, have had accounts on the computer systems for at least two weeks
these NNSA systems.
departed DOE in February
They were able to directly see Ramada and Farritor's names in the directories of the networks. The network directories are visible to thousands of employees involved in nuclear weapons work at facilities and laboratories throughout the U.S., but the networks themselves can only be accessed on specific terminals in secure rooms designated for the handling of classified information.
In February, CNN reported that DOGE employees, including Farritor, were seeking access to the secretive computer systems. At the time, Energy Secretary Chris Wright denied that they would be allowed on the networks.
first network, known as the NNSA Enterprise Secure Network, is used to transmit detailed "restricted data" about America's nuclear weapons designs and the special nuclear materials used in the weapons, among other things. The network is used to transfer this extremely sensitive technical information between the NNSA, the nation's nuclear weapons laboratories and the production facilities that store, maintain and upgrade the nation's nuclear arsenal.
Secret Internet Protocol Router Network (SIPRNet), is used by the Department of Defense to communicate with the Department of Energy about nuclear weapons. SIPRNet is also used more broadly for sharing information classified at the secret level, information that "could potentially damage or harm national security if it were to get out," explained a former career civil servant at the Department of Defense
remains unclear just how much access to classified data the two DOGE staffers actually have.
DOGE officials on DOE's classified systems would represent an escalation in DOGE's recent privileges inside the agency, but those accounts would not give them carte blanche access to all files hosted on those systems.
Hans Kristensen, director of the Nuclear Information Project at the Federation of American Scientists, which tracks America's nuclear program.
In a second statement later Monday evening, the spokesperson clarified that the accounts had been created but said they were never used by the DOGE staffers. "DOE is able to confirm that these accounts in question were never activated and have never been accessed," the email statement read.
Although large portions of the nuclear weapons budget are ultimately unclassified, a lot of classified details likely go into setting those numbers. "I don't think any of that would be open," he says.
·npr.org·