bpf: add nodeport XDP acceleration to helm and kube-proxy-free guide

Add an initial paragraph on configuring nodeport XDP acceleration to the kube-proxy-free guide as well as Helm support. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
cilium · Apr 8, 2020 · 4b3f591 · 4b3f591
1 parent 1f89c94
commit 4b3f591
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 2 deletions.
diff --git a/Documentation/gettingstarted/kubeproxy-free.rst b/Documentation/gettingstarted/kubeproxy-free.rst
@@ -305,6 +305,40 @@ mode would look as follows:
         --set global.k8sServiceHost=API_SERVER_IP \\
         --set global.k8sServicePort=API_SERVER_PORT
 
+NodePort XDP Acceleration
+*************************
+
+Cilium has built-in support for accelerating NodePort, ExternalIPs and LoadBalancer
+services for the case where the arriving request needs to be pushed back out of the
+node when the backend is located on a remote node. This ability to act as a hairpin
+load balancer can be handled by Cilium at the XDP (eXpress Data Path) layer where BPF
+is operating directly in the networking driver instead of a higher layer.
+
+The mode setting ``global.nodePort.acceleration`` allows to enable this acceleration
+through the options ``native`` or ``generic``. The option ``none`` is the default
+and disables the acceleration. The setting of ``global.nodePort.acceleration=native``
+should **always** be preferred over ``generic`` since the latter is a fallback only
+suitable for testing drivers which do not have XDP support. Therefore ``generic``
+mode should only be used for testing, but not in production environments. The majority
+of drivers supporting 10G or higher rates also support ``native`` XDP on a recent
+kernel. For cloud based deployments most of these drivers have SR-IOV variants that
+support native XDP as well.
+
+The ``global.nodePort.acceleration`` setting is supported for DSR, SNAT and hybrid
+modes and can be enabled as follows for ``nodePort.mode=dsr`` in this example:
+
+.. parsed-literal::
+
+    helm install cilium |CHART_RELEASE| \\
+        --namespace kube-system \\
+        --set global.tunnel=disabled \\
+        --set global.autoDirectNodeRoutes=true \\
+        --set global.kubeProxyReplacement=strict \\
+        --set global.nodePort.acceleration=native \\
+        --set global.nodePort.mode=dsr \\
+        --set global.k8sServiceHost=API_SERVER_IP \\
+        --set global.k8sServicePort=API_SERVER_PORT
+
 NodePort Device and Range
 *************************
 
@@ -329,8 +363,6 @@ prevent a NodePort service from hijacking traffic of a host local application
 which source port matches the service port. To disable the modification of
 the reserved ports, set ``global.nodePort.autoProtectPortRanges`` to ``false``.
 
-
-
 Container hostPort support
 **************************
 

diff --git a/Documentation/spelling_wordlist.txt b/Documentation/spelling_wordlist.txt
@@ -498,6 +498,7 @@ sig
 skb
 sockmap
 src
+SR-IOV
 ssl
 stacktrace
 stap

diff --git a/install/kubernetes/cilium/charts/config/templates/configmap.yaml b/install/kubernetes/cilium/charts/config/templates/configmap.yaml
@@ -313,6 +313,9 @@ data:
 {{- end }}
 {{- if .Values.global.nodePort.mode }}
   node-port-mode: {{ .Values.global.nodePort.mode | quote }}
+{{- end }}
+{{- if .Values.global.nodePort.acceleration }}
+  node-port-acceleration: {{ .Values.global.nodePort.acceleration | quote }}
 {{- end }}
   enable-auto-protect-node-port-range: {{ .Values.global.nodePort.autoProtectPortRange | quote }}
 {{- end }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
@@ -277,6 +277,9 @@ global:
     # mode is the mode of NodePort feature
     mode: "hybrid"
 
+    # acceleration is the option to accelerate NodePort via XDP
+    acceleration: "none"
+
     # Append NodePort range to ip_local_reserved_ports if clash with ephemeral
     # ports is detected
     autoProtectPortRange: true