Add Cilium as CNI plugin #4224
e6ade79 to 0bfa5bc
You can spin up a cluster with Cilium networking as follows:
image uses CoreOS to make sure the kernel is new enough for Cilium to work properly
/retest
So how can we ensure that the user is running the correct kernel, which btw is not tested with e2e testing.
@chrislovecnm you mean at the point of creating the cluster? I am trying to figure out if filtering output of Seems like images with I thought that Would stating in the docs explicitly that you have to run proper kernel in order for Cilium to work correctly be enough?
@chrislovecnm ping. Do you have any other feedback about this PR?
@nebril overall the PR looks good, I just completed a review, not sure how to handle the kernel stuff. I apologize for how long the review process has been. @justinsb thoughts about how to handle the kernel dependency? I am wondering if we should output a message or just update the docs? For Cilium to run you need an image with kernel >=4.8, and I do not think we have any way to check for that. Also, I know that kernel version is significantly ahead of the e2e testing. What advice do you have?
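A node-side preflight for the kernel requirement discussed above (>= 4.8), as an added example that is not part of this PR or of kops. The function names and the sample release strings are hypothetical and constructed for illustration; the check runs on a node and does not cover validation at cluster-creation time.

```shell
#!/bin/sh
# Added example: node-side preflight for the ">= 4.8 kernel" requirement
# stated in this thread. Names and sample strings are constructed.

# kernel_at_least RELEASE MAJOR MINOR
# RELEASE is a string in the format printed by `uname -r`.
# Returns 0 if RELEASE >= MAJOR.MINOR, 1 if it is older,
# 2 if the string cannot be parsed (treat as "do not deploy").
kernel_at_least() {
    release=$1; want_major=$2; want_minor=$3
    # Drop distro suffixes such as "-coreos" or "-1049-aws".
    base=${release%%-*}
    base=${base%%+*}
    major=${base%%.*}
    rest=${base#*.}
    # No dot at all means there is no minor version to compare.
    [ "$rest" != "$base" ] || return 2
    minor=${rest%%.*}
    # Reject anything that is not purely numeric instead of guessing.
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# check_node: apply the check to the kernel this script is running on.
check_node() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 4 8; then
        echo "kernel $rel: meets the 4.8 minimum"
    else
        echo "kernel $rel: older than 4.8 or unparseable" >&2
        return 1
    fi
}

# Constructed sample release strings, not taken from the PR.
for r in 4.14.11-coreos 4.8.0 4.4.0-1049-aws 3.10.0-693.el7.x86_64 garbage; do
    kernel_at_least "$r" 4 8 && s="ok" || s="rejected (rc=$?)"
    echo "$r: $s"
done
```

Unparseable strings fail closed with a distinct return code, so a wrapper can tell "too old" from "could not determine".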
A bunch of the dates in files will drop out if you rebase, I think. Otherwise, if there are no code changes, please back out the date changes.
Thanks for the new plugin, I think we have 9 now! As I mention on all new CNI plugins, please strive to keep the plugin updated, as we rely on the community for those updates.
Thanks again!
@@ -1,7 +1,7 @@ | |||
// +build !ignore_autogenerated | |||
|
|||
/* | |||
Copyright 2017 The Kubernetes Authors. | |||
Copyright 2018 The Kubernetes Authors. |
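Review bot: The only change visible in this hunk is the copyright year (2017 to 2018) in the header of a file marked `// +build !ignore_autogenerated`. A year bump in generated output with no accompanying code change is noise in the diff and makes the real changes harder to audit; regenerate after rebasing and drop the file from the PR if nothing else in it changes.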
Can you rebase, and then probably want to re-run make apimachinery. I think these changes will be removed.
Done
name: cilium-config | ||
namespace: kube-system | ||
data: | ||
# This etcd-config contains the etcd endpoints of your cluster. If you use |
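Review bot: In the `cilium-config` ConfigMap, the `etcd-config` comment says this block carries the cluster's etcd endpoints, so the agent is configured to talk to etcd directly from `kube-system`. The visible lines do not say whether those endpoints are reached over TLS or how the client authenticates; state that in the comment, and if the connection is plaintext, say so somewhere the user will see it when selecting this networking option.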
This seems to be using http etcd. There is an update for Calico to use TLS that is going in. You can either change the PR to output a message that you are using unencrypted etcd communication, and the etcd port is open, or figure out TLS.
@@ -0,0 +1,285 @@ | |||
kind: ConfigMap |
Should we warn the user when they try to use cilium with k8s 1.7 for instance? It will not work.
prometheus.io/port: "9090" | ||
spec: | ||
serviceAccountName: cilium | ||
containers: |
I would encourage adding the resource limits that say the weave manifest has. Or other applicable resource limits.
spec: | ||
serviceAccountName: cilium | ||
containers: | ||
- image: cilium/cilium:stable |
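Review bot: `image: cilium/cilium:stable` under `containers:` uses a floating tag, so the image that actually runs can change without any change to this manifest, and nodes that pull at different times can end up on different builds. Pin a numbered release tag (ideally together with its digest) so that an upgrade only happens through a reviewed manifest change.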
Is there a version we can use? Like a numbered version? We have had problems with the latest or other non-number versioned tags, where the manifest needs to be updated to the latest version of the CNI provider.
We need to validate that as well ...
0bfa5bc to ea5a8e8
@chrislovecnm Thanks for the great review, I will try to address your comments and will let you know when it's done.
ea5a8e8 to 59b698d
@nebril PR needs rebase
@chrislovecnm can you re-review this?
The issue I have with this comment is that Cilium is a CNI plugin which is basically the Kubernetes component, so limiting its resources seems like limiting for example kubelet or other k8s components. Are you sure this is required?
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
/lgtm Thanks @nebril
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: justinsb, nebril
I think this is fine to merge as an option. Just FYI @nebril I think using etcd directly is basically frowned upon - it's better to talk to the kubernetes API. Flannel and calico both started by talking directly to etcd and have moved / are moving to using the API instead.
This change adds Cilium as an option to provide networking for a kops-deployed cluster.
For Cilium to run you need an image with kernel >=4.8, I am testing on CoreOS image:
595879546273/CoreOS-stable-1576.4.0-hvm