Merge pull request #8551 from olemarkus/docs-networking-cilium-bpf-eni

Update cilium docs with note about eni and bpf nodeport
kubernetes · Mar 13, 2020 · 1ab724e · 1ab724e
2 parents e902c45 + cd29da7
commit 1ab724e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 6 deletions.
diff --git a/docs/networking.md b/docs/networking.md
@@ -445,7 +445,7 @@ In case of any issues the directory `/var/log/aws-routed-eni` contains the log f
 
 ### Cilium Example for CNI and Network Policy
 
-Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
+The Cilium CNI uses a Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within the Linux kernel.
 
 #### Installing Cilium on a new Cluster
 
@@ -485,20 +485,46 @@ $ kops create cluster \
 
 You can adjust Cilium agent configuration with most options that are available in [cilium-agent command reference](http://cilium.readthedocs.io/en/stable/cmdref/cilium-agent/).
 
-E.g enabling logstash integration would require you to change above block to
+The following command will launch your cluster with desired Cilium configuration
 
+```console
+$ kops update cluster myclustername.mydns.io --yes
 ```
+
+##### Enabling BPF NodePort
+
+As of Kops 1.18 you can safely enable Cilium NodePort.
+
+In this mode, the cluster is fully functional without kube-proxy, with Cilium replacing kube-proxy's NodePort implementation using BPF.
+Read more about this in the [Cilium docs](https://docs.cilium.io/en/stable/gettingstarted/nodeport/)
+
+Be aware that you need to use an AMI with at least Linux 4.19.57 for this feature to work.
+
+```
+  kubeProxy:
+    enabled: false
   networking:
     cilium:
-      logstash: true
+      enableNodePort: true
 ```
 
-The following command will create your cluster with desired Cilium configuration
+##### Enabling Cilium ENI IPAM
 
-```console
-$ kops update cluster myclustername.mydns.io --yes
+As of Kops 1.18, you can have Cilium provision AWS managed adresses and attach them directly to Pods much like Lyft VPC and AWS VPC. See [the Cilium docs for more information](https://docs.cilium.io/en/v1.6/concepts/ipam/eni/)
+
+When using ENI IPAM you need to disable masquerading in Cilium as well.
+
+```
+  networking:
+    cilium:
+      disableMasquerade: true
+      ipam: eni
 ```
 
+Note that since Cilium Operator is the entity that interacts with the EC2 API to provision and attaching ENIs, we force it to run on the master nodes when this IPAM is used.
+
+Also note that this feature has only been tested on the default kops AMIs.
+
 #### Getting help with Cilium
 
 For problems with deploying Cilium please post an issue to Github:

diff --git a/docs/releases/1.18-NOTES.md b/docs/releases/1.18-NOTES.md
@@ -8,6 +8,8 @@
 
 * [containerd](https://github.com/containerd/containerd/blob/master/README.md) can now be selected as an alternate container runtime for Kubernetes. Use the `--container-runtime containerd` flag to create such a cluster.
 
+* Cilium CNI can now use AWS networking natively through the AWS ENI IPAM mode. Kops can also run a Kubernetes cluster entirely without kube-proxy using Cilium's BPF NodePort implementation
+
 # Breaking changes
 
 * Terraform users on AWS may need to rename some resources in their state file in order to prepare for Terraform 0.12 support. See Required Actions below.