Update Cilium related docs (#18563)

* Extend Cilium CNI plugin description

Mention that it works on top of other CNI plugins due to the CNI
chaining [1].

[1]: http://docs.cilium.io/en/v1.6/gettingstarted/cni-chaining/

Signed-off-by: Martynas Pumputis <m@lambda.lt>

* Update Cilium installation steps for kubeadm

- Use the latest v1.6 Cilium.
- By default, Cilium no longer needs/deploys ETCD store.

Signed-off-by: Martynas Pumputis <m@lambda.lt>

* Update Cilium NetworkPolicy guide

- Update minikube min version requirement.
- Use Cilium v1.6.
- Remove the etcd store bits, as Cilium v1.6 no longer depends on
  it by default.

Signed-off-by: Martynas Pumputis <m@lambda.lt>

* Update Cilium installation steps for kubeadm

- How to run without kube-proxy.

Signed-off-by: Martynas Pumputis <m@lambda.lt>

Co-authored-by: Martynas Pumputis <m@lambda.lt>
2 people authored and k8s-ci-robot committed Jan 13, 2020
1 parent 7969a84 commit 5cb0e3d7b4708cf190ce27764bd7c0ed867b400b
@@ -23,7 +23,7 @@ Add-ons in each section are sorted alphabetically - the ordering does not imply
* [ACI](https://www.github.com/noironetworks/aci-containers) provides integrated container networking and network security with Cisco ACI.
* [Calico](https://docs.projectcalico.org/latest/getting-started/kubernetes/) is a secure L3 networking and network policy provider.
* [Canal](https://github.com/tigera/canal/tree/master/k8s-install) unites Flannel and Calico, providing networking and network policy.
* [Cilium](https://github.com/cilium/cilium) is a L3 network and network policy plugin that can enforce HTTP/API/L7 policies transparently. Both routing and overlay/encapsulation mode are supported.
* [Cilium](https://github.com/cilium/cilium) is a L3 network and network policy plugin that can enforce HTTP/API/L7 policies transparently. Both routing and overlay/encapsulation mode are supported, and it can work on top of other CNI plugins.
* [CNI-Genie](https://github.com/Huawei-PaaS/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, Romana, or Weave.
* [Contiv](http://contiv.github.io) provides configurable networking (native L3 using BGP, overlay using vxlan, classic L2, and Cisco-SDN/ACI) for various use cases and a rich policy framework. Contiv project is fully [open sourced](http://github.com/contiv). The [installer](http://github.com/contiv/install) provides both kubeadm and non-kubeadm based installation options.
* [Contrail](http://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), based on [Tungsten Fabric](https://tungsten.io), is an open source, multi-cloud network virtualization and policy management platform. Contrail and Tungsten Fabric are integrated with orchestration systems such as Kubernetes, OpenShift, OpenStack and Mesos, and provide isolation modes for virtual machines, containers/pods and bare metal workloads.
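Review bot: The added clause in the Cilium entry, "and it can work on top of other CNI plugins", does not name the mechanism or link to it, although the commit message attributes it to CNI chaining and cites a guide for it. Suggest wording such as "and it can run on top of other CNI plugins through CNI chaining", with the link placed on that term, so a reader comparing network policy providers can find the details.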
@@ -125,7 +125,7 @@ BCF was recognized by Gartner as a visionary in the latest [Magic Quadrant](http
providing and transparently securing network connectivity between application
containers. Cilium is L7/HTTP aware and can enforce network policies on L3-L7
using an identity based security model that is decoupled from network
addressing.
addressing, and it can be used in combination with other CNI plugins.

### CNI-Genie from Huawei

@@ -319,23 +319,12 @@ kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/canal.yaml
{{% /tab %}}

{{% tab name="Cilium" %}}
For more information about using Cilium with Kubernetes, see [Kubernetes Install guide for Cilium](https://docs.cilium.io/en/stable/kubernetes/).

For Cilium to work correctly, you must pass `--pod-network-cidr=10.217.0.0/16` to `kubeadm init`.

These commands will deploy Cilium with its own etcd managed by etcd operator.

_Note_: If you are running kubeadm in a single node please untaint it so that
etcd-operator pods can be scheduled in the control-plane node.

```shell
kubectl taint nodes <node-name> node-role.kubernetes.io/master:NoSchedule-
```

To deploy Cilium you just need to run:

```shell
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/kubernetes/1.14/cilium.yaml
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.6/install/kubernetes/quick-install.yaml
```

Once all Cilium pods are marked as `READY`, you start using your cluster.
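Review bot: The new install line `kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.6/install/kubernetes/quick-install.yaml` applies a manifest fetched at run time from the `v1.6` ref, which the commit message describes as "the latest v1.6", so the content applied to the cluster can differ between two runs of the same documented command. The manifest creates cluster-wide RBAC objects (the sample output in the NetworkPolicy guide lists `clusterrole` and `clusterrolebinding` entries), so consider pinning the URL to an exact release tag, or telling the reader to download and review the file before applying it. Separately, the context sentence "Once all Cilium pods are marked as `READY`, you start using your cluster." is missing a word ("you can start").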
@@ -349,6 +338,10 @@ NAME READY STATUS RESTARTS AGE
cilium-drxkl 1/1 Running 0 18m
```

Cilium can be used as a replacement for kube-proxy, see [Kubernetes without kube-proxy](https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free).

For more information about using Cilium with Kubernetes, see [Kubernetes Install guide for Cilium](https://docs.cilium.io/en/stable/kubernetes/).

{{% /tab %}}

{{% tab name="Contiv-VPP" %}}
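Review bot: The added sentence "Cilium can be used as a replacement for kube-proxy, see ..." is a comma splice, and it sits after the `READY` check, so it reads as an optional follow-up even though the commit message frames this change as "How to run without kube-proxy". Suggest splitting it into two sentences and stating whether the choice has to be made before the install commands above are run, since the reader has already completed them by this point.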
@@ -10,7 +10,7 @@ weight: 20
{{% capture overview %}}
This page shows how to use Cilium for NetworkPolicy.

For background on Cilium, read the [Introduction to Cilium](https://cilium.readthedocs.io/en/stable/intro).
For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/intro).
{{% /capture %}}

{{% capture prerequisites %}}
@@ -23,36 +23,45 @@ For background on Cilium, read the [Introduction to Cilium](https://cilium.readt
## Deploying Cilium on Minikube for Basic Testing

To get familiar with Cilium easily you can follow the
[Cilium Kubernetes Getting Started Guide](https://cilium.readthedocs.io/en/stable/gettingstarted/minikube/)
[Cilium Kubernetes Getting Started Guide](https://docs.cilium.io/en/stable/gettingstarted/minikube/)
to perform a basic DaemonSet installation of Cilium in minikube.

To start minikube, minimal version required is >= v0.33.1, run the with the
To start minikube, minimal version required is >= v1.3.1, run the with the
following arguments:

```shell
minikube version
```
```
minikube version: v0.33.1
minikube version: v1.3.1
```

```shell
minikube start --network-plugin=cni --memory=4096
```

Mount the BPF filesystem:

```shell
minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf
```

For minikube you can deploy this simple ''all-in-one'' YAML file that includes
DaemonSet configurations for Cilium, and the necessary configurations to connect
to the etcd instance deployed in minikube as well as appropriate RBAC settings:
DaemonSet configurations for Cilium as well as appropriate RBAC settings:

```shell
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.5/examples/kubernetes/1.14/cilium-minikube.yaml
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.6/install/kubernetes/quick-install.yaml
```
```
configmap/cilium-config created
daemonset.apps/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium created
serviceaccount/cilium created
serviceaccount/cilium-operator created
clusterrole.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium-operator created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium-operator created
daemonset.apps/cilium create
deployment.apps/cilium-operator created
```

The remainder of the Getting Started Guide explains how to enforce both L3/L4
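Review bot: The changed sentence "To start minikube, minimal version required is >= v1.3.1, run the with the following arguments:" still carries the garbled "run the with the"; since the line is being touched anyway, reword it, for example "Minikube v1.3.1 or later is required. Start it with the following arguments:". In the new sample output, `daemonset.apps/cilium create` is missing its final "d". The `mount bpffs` step runs once through `minikube ssh`, so it would also help to say whether it has to be repeated after the minikube VM restarts.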
@@ -62,7 +71,7 @@ policies using an example application.
## Deploying Cilium for Production Use

For detailed instructions around deploying Cilium for production, see:
[Cilium Kubernetes Installation Guide](https://cilium.readthedocs.io/en/stable/kubernetes/intro/)
[Cilium Kubernetes Installation Guide](https://docs.cilium.io/en/stable/kubernetes/intro/)
This documentation includes detailed requirements, instructions and example
production DaemonSet files.

@@ -86,14 +95,8 @@ cilium-6rxbd 1/1 Running 0 1m
...
```

There are two main components to be aware of:

- One `cilium` Pod runs on each node in your cluster and enforces network policy
A `cilium` Pod runs on each node in your cluster and enforces network policy
on the traffic to/from Pods on that node using Linux BPF.
- For production deployments, Cilium should leverage a key-value store
(e.g., etcd). The [Cilium Kubernetes Installation Guide](https://cilium.readthedocs.io/en/stable/kubernetes/intro/)
will provide the necessary steps on how to install this required key-value
store as well how to configure it in Cilium.

{{% /capture %}}

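Review bot: Removing the key-value store bullet outright drops every mention of etcd from this page, while the commit message says only that Cilium v1.6 no longer depends on it "by default". If an external key-value store remains a supported option, keep a one-sentence pointer to the installation guide after the "A `cilium` Pod runs on each node" paragraph so operators who need it know where to look.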