Skip to content

Integration with Cilium

Cilium is an eBPF-based networking and security component. Kube-OVN uses the CNI Chaining mode to enhance existing features. Users can use both the rich network abstraction capabilities of Kube-OVN and the monitoring and security capabilities that come with eBPF.

By integrating Cilium, Kube-OVN users can have the following gains:

  • Richer and more efficient security policies.
  • Hubble-based monitoring and UI.

Prerequisites

  1. Linux kernel version above 4.19 or other compatible kernel for full eBPF capability support.
  2. Install Helm in advance to prepare for the installation of Cilium, please refer to Installing Helm to deploy Helm.

Configure Kube-OVN

In order to fully utilize the security capabilities of Cilium, you need to disable the networkpolicy feature within Kube-OVN and adjust the CNI configuration priority.

Change the following variables in the install.sh script:

ENABLE_NP=false
CNI_CONFIG_PRIORITY=10

If the deployment is complete, you can adjust the args of kube-ovn-controller:

args:
- --enable-np=false

Modify the kube-ovn-cni args to adjust the CNI configuration priority:

args:
- --cni-conf-name=10-kube-ovn.conflist

Adjust the Kube-OVN cni configuration name on each node:

mv /etc/cni/net.d/01-kube-ovn.conflist /etc/cni/net.d/10-kube-ovn.conflist

Deploy Cilium

Create the chaining.yaml configuration file to use Cilium's generic-veth mode:

apiVersion: v1
kind: ConfigMap
metadata:
  name: cni-configuration
  namespace: kube-system
data:
  cni-config: |-
    {
      "name": "generic-veth",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "kube-ovn",
          "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
          "ipam": {
              "type": "kube-ovn",
              "server_socket": "/run/openvswitch/kube-ovn-daemon.sock"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        },
        {
          "type": "cilium-cni"
        }
      ]
    }

Installation the chaining config:

kubectl apply -f chaining.yaml

Deploying Cilium with Helm:

helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.11.6 \
    --namespace kube-system \
    --set cni.chainingMode=generic-veth \
    --set cni.customConf=true \
    --set cni.configMap=cni-configuration \
    --set tunnel=disabled \
    --set enableIPv4Masquerade=false \
    --set enableIdentityMark=false

Confirm that the Cilium installation was successful:

# cilium  status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         disabled
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/

DaemonSet         cilium             Desired: 2, Ready: 2/2, Available: 2/2
Deployment        cilium-operator    Desired: 2, Ready: 2/2, Available: 2/2
Containers:       cilium             Running: 2
                  cilium-operator    Running: 2
Cluster Pods:     8/11 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium:v1.10.5@sha256:0612218e28288db360c63677c09fafa2d17edda4f13867bcabf87056046b33bb: 2
                  cilium-operator    quay.io/cilium/operator-generic:v1.10.5@sha256:2d2f730f219d489ff0702923bf24c0002cd93eb4b47ba344375566202f56d972: 2

微信群 Slack Twitter Support

Last update: May 8, 2023
Created: June 30, 2022

Comments

Back to top