Add experimental Cilium CNI provider #760

Merged: dghubble merged 1 commit into master from experimental-cilium-cni on Jun 22, 2020

Conversation

dghubble (Member) commented Jun 16, 2020

  • Accept experimental CNI networking mode "cilium"
  • Run Cilium v1.8.0-rc4 with overlay vxlan tunnels and a minimal set of features. We're interested in:
    • IPAM: Divide pod_cidr into /24 subnets per node
    • CNI networking pod-to-pod, pod-to-external
    • BPF masquerade
    • NetworkPolicy as defined by Kubernetes (no L7 Policy)
  • Continue using kube-proxy with Cilium probe mode
  • Firewall changes:
    • Require UDP 8472 for vxlan (Linux kernel default) between nodes
    • Optional ICMP echo(8) between nodes for host reachability (health)
    • Optional TCP 4240 between nodes for endpoint reachability (health)

Known Issues:

  • Containers with `hostPort` don't listen on all host addresses, these workloads must use `hostNetwork` for now cilium/cilium#12116
  • Erroneous warning on Fedora CoreOS cilium/cilium#10256

Enable by setting networking = "cilium"

Warning: This is experimental. It is not listed in docs and may be changed or removed without a deprecation notice

Related:

  • poseidon/terraform-render-bootstrap#192
  • cilium/cilium#12217
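The firewall changes listed above are the security-relevant part of this mode: plain vxlan carries pod traffic with no authentication or encryption, so any host that can reach UDP 8472 on a node can inject frames into the pod overlay. UDP 8472 therefore has to be reachable between nodes and from nowhere else, and the two optional health ports should be scoped the same way. The script below is an added example written for this page, not code from Typhoon or Cilium. It audits an `iptables-save` dump for the three node-to-node rules the PR describes and flags any that accept traffic from outside the node subnet. The sample ruleset, the node CIDR `10.0.0.0/24` and the `audit`/`problems` helper names are constructed for the example.

```python
"""Audit an iptables-save dump for the node-to-node ports opened for Cilium.

Added example for this page, not part of Typhoon or Cilium. The ruleset and
node CIDR below are constructed; the ports come from the PR description.
"""
import ipaddress
import re

# (proto, port) -> (description, required). ICMP echo-request is type 8.
PORTS = {
    ("udp", "8472"): ("vxlan overlay between nodes", True),
    ("tcp", "4240"): ("Cilium endpoint health", False),
    ("icmp", "8"): ("ICMP echo, host reachability", False),
}

# Constructed sample: one correctly scoped vxlan rule, one wide-open vxlan
# rule, a scoped health rule, and an ICMP rule with no source restriction.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 10.0.0.0/24 -p udp -m udp --dport 8472 -j ACCEPT
-A INPUT -p udp -m udp --dport 8472 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 4240 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

# Matches INPUT ACCEPT rules in iptables-save syntax, capturing the optional
# source, the protocol, and the destination port or ICMP type.
RULE_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))? -p (?P<proto>\w+)"
    r"(?: -m \w+)?(?: --(?:dport|icmp-type) (?P<port>\d+))?.* -j ACCEPT$"
)


def parse_accepts(ruleset):
    """Yield (proto, port, source) for every INPUT ACCEPT rule in the dump."""
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield m.group("proto"), m.group("port"), m.group("src")


def audit(ruleset, node_cidr):
    """Return {(proto, port): state} with state 'ok', 'open' or 'missing'.

    'open' means at least one ACCEPT rule for that port has no source, or a
    source that is not inside node_cidr; 'open' wins over 'ok' so a single
    wide rule is not masked by a correctly scoped one next to it.
    """
    nodes = ipaddress.ip_network(node_cidr, strict=False)
    findings = {key: "missing" for key in PORTS}
    for proto, port, src in parse_accepts(ruleset):
        key = (proto, port)
        if key not in PORTS:
            continue  # not one of the ports this mode needs; out of scope here
        scoped = (
            src is not None
            and ipaddress.ip_network(src, strict=False).subnet_of(nodes)
        )
        if not scoped:
            findings[key] = "open"
        elif findings[key] != "open":
            findings[key] = "ok"
    return findings


def problems(findings):
    """Human-readable lines for ports that are open to the world, or missing
    when the PR marks them as required (vxlan); missing optional ports are fine."""
    out = []
    for key, state in findings.items():
        desc, required = PORTS[key]
        if state == "open" or (state == "missing" and required):
            out.append(f"{key[0]}/{key[1]} {desc}: {state}")
    return out


if __name__ == "__main__":
    for line in problems(audit(SAMPLE_RULESET, "10.0.0.0/24")):
        print(line)
```

Run it against a real dump with `iptables-save | python3 audit.py`-style plumbing by replacing `SAMPLE_RULESET` with `sys.stdin.read()`; on the constructed sample it reports the unscoped UDP 8472 and ICMP rules and accepts the TCP 4240 rule. Cloud security groups need the same check, since the PR's firewall changes are applied there rather than in the host ruleset on most Typhoon platforms.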

dghubble force-pushed the experimental-cilium-cni branch 4 times, most recently from c01721b to e6c7463 on June 18, 2020 03:00

dghubble (Member, Author) commented

Fedora CoreOS 32 updates to systemd 245 which changes rp_filter default cilium/cilium#12217

dghubble force-pushed the experimental-cilium-cni branch 2 times, most recently from a4cf528 to 29f914f on June 22, 2020 03:40

* Accept experimental CNI `networking` mode "cilium"
* Run Cilium v1.8.0-rc4 with overlay vxlan tunnels and a minimal set of features. We're interested in:
  * IPAM: Divide pod_cidr into /24 subnets per node
  * CNI networking pod-to-pod, pod-to-external
  * BPF masquerade
  * NetworkPolicy as defined by Kubernetes (no L7 Policy)
* Continue using kube-proxy with Cilium probe mode
* Firewall changes:
  * Require UDP 8472 for vxlan (Linux kernel default) between nodes
  * Optional ICMP echo(8) between nodes for host reachability (health)
  * Optional TCP 4240 between nodes for endpoint reachability (health)

Known Issues:

* Containers with `hostPort` don't listen on all host addresses, these workloads must use `hostNetwork` for now cilium/cilium#12116
* Erroneous warning on Fedora CoreOS cilium/cilium#10256

Note: This is experimental. It is not listed in docs and may be changed or removed without a deprecation notice

Related:

* poseidon/terraform-render-bootstrap#192
* cilium/cilium#12217
dghubble force-pushed the experimental-cilium-cni branch from 29f914f to e9c8520 on June 22, 2020 03:42

dghubble merged commit e9c8520 into master on Jun 22, 2020

dghubble deleted the experimental-cilium-cni branch on June 22, 2020 04:19