Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: refactor AKS installation instructions
BYOCNI was initially introduced as the preferred installation method for Cilium on AKS clusters in d8259c1, at the cost of doubling the number of AKS tabs in Getting Started and Helm guides. Since then: - More tabs have been added, making it even more complex to navigate the options. - BYOCNI is now GA (Azure CLI version 2.39.0). - [Azure CNI Powered by Cilium](https://learn.microsoft.com/en-us/azure/aks/azure-cni-powered-by-cilium) has been announced, further complexifying the Cilium on AKS landscape. In order to reduce bloat and streamline AKS installation instructions, we refactor the AKS instructions in a single tab. We use this opportunity to strongly encourage users to use BYOCNI, and prepare for Azure IPAM legacy retirement. Even though we could very add it into the current structure, Azure CNI Powered by Cilium has not been introduced as another installation option here, because the Cilium distribution used in this case is maintained and controlled by AKS, and not by the Cilium community. We felt this was sensible considering there is already a similar situation with GKE's Dataplane V2 and it is not listed in Cilium documentation either. [ Full details of edits since the diff is a bit hard to parse: - Getting Started Guides: - We had 2 separate AKS tabs for creating AKS clusters (one for BYOCNI and one for Azure IPAM), now we have only one AKS tab and it only explains how to create a cluster for BYOCNI. This is the only set of instructions that was removed, and it was done intentionally so as to just silently encourage users that don't have a cluster yet to use BYOCNI. - We had 2 separate AKS tabs for installing Cilium in an AKS cluster (one for BYOCNI and one for Azure IPAM) but they actually contained the exact same installation instructions. This is because the Cilium CLI is responsible for automatically detecting which mode to use based on the cluster type. Now we have only one AKS tab with the installation instructions up front, and then sub-tabs for both modes with the rest of the previous info we had (requirements + limitations). - So putting the 2 together, if it happens that someone already had an AKS cluster and did not create it with BYOCNI, it'll still work, and if someone actually does want to use Azure IPAM intentionally, they can still figure it out based on the requirements. - Helm: - We had 2 separate AKS tabs for installing Cilium in an AKS cluster (one for BYOCNI and one for Azure IPAM). Now we have only one AKS tab with sub-tabs for both modes with all the previous info we had (installation instructions + requirements + limitations). - Both: - BYOCNI is made even more explicit as the preferred option for installing Cilium on AKS, since it's now GA on AKS. - Azure IPAM has been re-dubbed Legacy Azure IPAM to double down on that, and also in preparation for the fact we might want to stop maintaining it. ] Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
- Loading branch information
1 parent
5008dbc
commit ac49ee7
Showing
6 changed files
with
109 additions
and
175 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 22 additions & 45 deletions
67
Documentation/installation/requirements-aks-azure-ipam.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,65 +1,42 @@ | ||
To install Cilium on `Azure Kubernetes Service (AKS) <https://docs.microsoft.com/en-us/azure/aks/>`_ | ||
with Azure integration via :ref:`Azure IPAM<ipam_azure>`, perform the following | ||
steps: | ||
|
||
**Default Configuration:** | ||
|
||
=============== =================== ============== | ||
Datapath IPAM Datastore | ||
=============== =================== ============== | ||
Direct Routing Azure IPAM Kubernetes CRD | ||
=============== =================== ============== | ||
|
||
.. note:: | ||
|
||
:ref:`Azure IPAM<ipam_azure>` offers integration with the Azure stack but is | ||
not the preferred way to run Cilium on AKS. If you do not require Azure IPAM, | ||
we recommend you to switch to the AKS (BYOCNI) installation. | ||
|
||
.. tip:: | ||
|
||
If you want to chain Cilium on top of the Azure CNI, refer to the guide | ||
:ref:`chaining_azure`. | ||
|
||
**Requirements:** | ||
|
||
* The AKS cluster must be created with ``--network-plugin azure`` for | ||
compatibility with Cilium. The Azure network plugin will be replaced with | ||
Cilium by the installer. | ||
* The AKS cluster must be created with ``--network-plugin azure``. The | ||
Azure network plugin will be replaced with Cilium by the installer. | ||
|
||
**Limitations:** | ||
|
||
* All VMs and VM scale sets used in a cluster must belong to the same resource | ||
group. | ||
* All VMs and VM scale sets used in a cluster must belong to the same | ||
resource group. | ||
|
||
* Adding new nodes to node pools might result in application pods being | ||
scheduled on the new nodes before Cilium is ready to properly manage them. | ||
The only way to fix this is either by making sure application pods are not | ||
scheduled on new nodes before Cilium is ready, or by restarting any unmanaged | ||
pods on the nodes once Cilium is ready. | ||
scheduled on the new nodes before Cilium is ready to properly manage | ||
them. The only way to fix this is either by making sure application pods | ||
are not scheduled on new nodes before Cilium is ready, or by restarting | ||
any unmanaged pods on the nodes once Cilium is ready. | ||
|
||
Ideally we would recommend node pools should be tainted with | ||
``node.cilium.io/agent-not-ready=true:NoExecute`` to ensure application pods | ||
will only be scheduled/executed once Cilium is ready to manage them (see | ||
:ref:`Considerations on node pool taints and unmanaged pods <taint_effects>` | ||
``node.cilium.io/agent-not-ready=true:NoExecute`` to ensure application | ||
pods will only be scheduled/executed once Cilium is ready to manage them | ||
(see :ref:`Considerations on node pool taints and unmanaged pods <taint_effects>` | ||
for more details), however this is not an option on AKS clusters: | ||
|
||
* It is not possible to assign custom node taints such as | ||
``node.cilium.io/agent-not-ready=true:NoExecute`` to system node pools, | ||
cf. `Azure/AKS#2578 <https://github.com/Azure/AKS/issues/2578>`_: only | ||
``CriticalAddonsOnly=true:NoSchedule`` is available for our use case. To | ||
make matters worse, it is not possible to assign taints to the initial node | ||
pool created for new AKS clusters, cf. | ||
``node.cilium.io/agent-not-ready=true:NoExecute`` to system node | ||
pools, cf. `Azure/AKS#2578 <https://github.com/Azure/AKS/issues/2578>`_: | ||
only ``CriticalAddonsOnly=true:NoSchedule`` is available for our use | ||
case. To make matters worse, it is not possible to assign taints to | ||
the initial node pool created for new AKS clusters, cf. | ||
`Azure/AKS#1402 <https://github.com/Azure/AKS/issues/1402>`_. | ||
|
||
* Custom node taints on user node pools cannot be properly managed at will | ||
anymore, cf. `Azure/AKS#2934 <https://github.com/Azure/AKS/issues/2934>`_. | ||
* Custom node taints on user node pools cannot be properly managed at | ||
will anymore, cf. `Azure/AKS#2934 <https://github.com/Azure/AKS/issues/2934>`_. | ||
|
||
* These issues prevent usage of our previously recommended scenario via | ||
replacement of initial system node pool with | ||
``CriticalAddonsOnly=true:NoSchedule`` and usage of additional user | ||
node pools with ``node.cilium.io/agent-not-ready=true:NoExecute``. | ||
|
||
We do not have a standard and foolproof alternative to recommend, hence the | ||
only solution is to craft a custom mechanism that will work in your | ||
environment to handle this scenario when adding new nodes to AKS clusters. | ||
We do not have a standard and foolproof alternative to recommend, hence | ||
the only solution is to craft a custom mechanism that will work in your | ||
environment to handle this scenario when adding new nodes to AKS | ||
clusters. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,23 +1,5 @@ | ||
To install Cilium on `Azure Kubernetes Service (AKS) <https://docs.microsoft.com/en-us/azure/aks/>`_ | ||
in `Bring your own CNI <https://docs.microsoft.com/en-us/azure/aks/use-byo-cni?tabs=azure-cli>`_ | ||
mode, perform the following steps: | ||
|
||
**Default Configuration:** | ||
|
||
=============== =================== ============== | ||
Datapath IPAM Datastore | ||
=============== =================== ============== | ||
Encapsulation Cluster Pool Kubernetes CRD | ||
=============== =================== ============== | ||
|
||
.. note:: | ||
|
||
BYOCNI is the preferred way to run Cilium on AKS, however integration with | ||
the Azure stack via the :ref:`Azure IPAM<ipam_azure>` is not available. If | ||
you require Azure IPAM, refer to the AKS (Azure IPAM) installation. | ||
|
||
**Requirements:** | ||
|
||
* The AKS cluster must be created with ``--network-plugin none`` (BYOCNI). See | ||
the `Bring your own CNI documentation <https://docs.microsoft.com/en-us/azure/aks/use-byo-cni?tabs=azure-cli>`_ | ||
for more details about BYOCNI prerequisites / implications. | ||
* The AKS cluster must be created with ``--network-plugin none``. See the | ||
`Bring your own CNI <https://docs.microsoft.com/en-us/azure/aks/use-byo-cni?tabs=azure-cli>`_ | ||
documentation for more details about BYOCNI prerequisites / implications. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
**Default Configuration:** | ||
|
||
============================= =============== =================== ============== | ||
Mode (``--network-plugin``) Datapath IPAM Datastore | ||
============================= =============== =================== ============== | ||
BYOCNI (``none``) Encapsulation Cluster Pool Kubernetes CRD | ||
Legacy Azure IPAM (``azure``) Direct Routing Azure IPAM Kubernetes CRD | ||
============================= =============== =================== ============== | ||
|
||
Using `Bring your own CNI <https://docs.microsoft.com/en-us/azure/aks/use-byo-cni?tabs=azure-cli>`_ | ||
is the preferred way to run Cilium on `Azure Kubernetes Service (AKS) <https://docs.microsoft.com/en-us/azure/aks/>`_, | ||
however integration with the Azure stack via the :ref:`Azure IPAM<ipam_azure>` | ||
is not available and will only work with clusters not using BYOCNI. While still | ||
maintained for now, this mode is considered legacy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters