Partial Cilium 1.16+ Support & Add vars for configuring cilium IP load balancer pools and bgp v1 & v2 apis (#11620)

* Add vars for configuring cilium IP load balancer pools and bgp peer policies

* Cilium 1.16+ Support - Add vars for configuring cilium bgpv2 api & handle cilium_kube_proxy_replacement unsupported values
logicsys authored Nov 19, 2024
1 parent e330ffa commit b854196
Showing 16 changed files with 550 additions and 5 deletions.
136 changes: 135 additions & 1 deletion docs/CNI/cilium.md
Expand Up @@ -45,10 +45,144 @@ cilium_pool_mask_size Specifies the size allocated to node.ipam.podCIDRs from cl
cilium_pool_mask_size_ipv6: "120"
```
### IP Load Balancer Pools
Cilium's IP Load Balancer Pools can be configured with the `cilium_loadbalancer_ip_pools` variable:

```yml
cilium_loadbalancer_ip_pools:
- name: "blue-pool"
cidrs:
- "10.0.10.0/24"
```

For further information, check [LB IPAM documentation](https://docs.cilium.io/en/stable/network/lb-ipam/)

### BGP Control Plane

Cilium's BGP Control Plane can be enabled by setting `cilium_enable_bgp_control_plane` to `true`.:

```yml
cilium_enable_bgp_control_plane: true
```

For further information, check [BGP Peering Policy documentation](https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v1/)

### BGP Control Plane Resources (New bgpv2 API v1.16+)

Cilium BGP control plane is managed by a set of custom resources which provide a flexible way to configure BGP peers, policies, and advertisements.

Cilium's BGP Instances can be configured with the `cilium_bgp_cluster_configs` variable:

```yml
cilium_bgp_cluster_configs:
- name: "cilium-bgp"
spec:
bgpInstances:
- name: "instance-64512"
localASN: 64512
peers:
- name: "peer-64512-tor1"
peerASN: 64512
peerAddress: '10.47.1.1'
peerConfigRef:
name: "cilium-peer"
nodeSelector:
matchExpressions:
- {key: somekey, operator: NotIn, values: ['never-used-value']}
```

Cillium's BGP Peers can be configured with the `cilium_bgp_peer_configs` variable:

```yml
cilium_bgp_peer_configs:
- name: cilium-peer
spec:
# authSecretRef: bgp-auth-secret
gracefulRestart:
enabled: true
restartTimeSeconds: 15
families:
- afi: ipv4
safi: unicast
advertisements:
matchLabels:
advertise: "bgp"
- afi: ipv6
safi: unicast
advertisements:
matchLabels:
advertise: "bgp"
```

Cillium's BGP Advertisements can be configured with the `cilium_bgp_advertisements` variable:

```yml
cilium_bgp_advertisements:
- name: bgp-advertisements
labels:
advertise: bgp
spec:
advertisements:
- advertisementType: "PodCIDR"
attributes:
communities:
standard: [ "64512:99" ]
- advertisementType: "Service"
service:
addresses:
- ClusterIP
- ExternalIP
- LoadBalancerIP
selector:
matchExpressions:
- {key: somekey, operator: NotIn, values: ['never-used-value']}
```

Cillium's BGP Node Config Overrides can be configured with the `cilium_bgp_node_config_overrides` variable:

```yml
cilium_bgp_node_config_overrides:
- name: bgpv2-cplane-dev-multi-homing-worker
spec:
bgpInstances:
- name: "instance-65000"
routerID: "192.168.10.1"
localPort: 1790
peers:
- name: "peer-65000-tor1"
localAddress: fd00:10:0:2::2
- name: "peer-65000-tor2"
localAddress: fd00:11:0:2::2
```

For further information, check [BGP Control Plane Resources documentation](https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/)

### BGP Peering Policies (Legacy < v1.16)

Cilium's BGP Peering Policies can be configured with the `cilium_bgp_peering_policies` variable:

```yml
cilium_bgp_peering_policies:
- name: "01-bgp-peering-policy"
spec:
virtualRouters:
- localASN: 64512
exportPodCIDR: false
neighbors:
- peerAddress: '10.47.1.1/24'
peerASN: 64512
serviceSelector:
matchExpressions:
- {key: somekey, operator: NotIn, values: ['never-used-value']}
```

For further information, check [BGP Peering Policy documentation](https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v1/#bgp-peering-policy-legacy)

## Kube-proxy replacement with Cilium

Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
to `strict`.
to `strict` (< v1.16) or `true` (Cilium v1.16+ no longer accepts `strict`, however this is converted to `true` by kubespray when running v1.16+).

Without kube-proxy, cilium needs to know the address of the kube-apiserver
and this must be set globally for all Cilium components (agents and operators).
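Review bot: "Cillium's" is misspelled in three of the new lead sentences (`Cillium's BGP Peers`, `Cillium's BGP Advertisements`, `Cillium's BGP Node Config Overrides`) and should read `Cilium's`; the sentence under BGP Control Plane also has a stray period before the colon (`to \`true\`.:`). The peer example leaves `# authSecretRef: bgp-auth-secret` commented out without explaining it; a sentence saying it references the Secret holding the BGP session password, and that the session runs unauthenticated when it is omitted, would help readers who copy the block as-is. In the kube-proxy section the replaced line `to \`strict\`.` is followed by a new line claiming kubespray converts `strict` to `true` on v1.16+, but that conversion is not in any hunk rendered on this page, so the doc should point at where it happens or the claim should be checked against the template change.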
95 changes: 95 additions & 0 deletions inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
Expand Up @@ -247,6 +247,101 @@ cilium_l2announcements: false
# -- Enable native IP masquerade support in eBPF
# cilium_enable_bpf_masquerade: false

# -- Enable BGP Control Plane
# cilium_enable_bgp_control_plane: false

# -- Configure Loadbalancer IP Pools
# cilium_loadbalancer_ip_pools:
# - name: "blue-pool"
# cidrs:
# - "10.0.10.0/24"

# -- Configure BGP Instances (New bgpv2 API v1.16+)
# cilium_bgp_cluster_configs:
# - name: "cilium-bgp"
# spec:
# bgpInstances:
# - name: "instance-64512"
# localASN: 64512
# peers:
# - name: "peer-64512-tor1"
# peerASN: 64512
# peerAddress: '10.47.1.1'
# peerConfigRef:
# name: "cilium-peer"
# nodeSelector:
# matchExpressions:
# - {key: somekey, operator: NotIn, values: ['never-used-value']}

# -- Configure BGP Peers (New bgpv2 API v1.16+)
# cilium_bgp_peer_configs:
# - name: cilium-peer
# spec:
# # authSecretRef: bgp-auth-secret
# gracefulRestart:
# enabled: true
# restartTimeSeconds: 15
# families:
# - afi: ipv4
# safi: unicast
# advertisements:
# matchLabels:
# advertise: "bgp"
# - afi: ipv6
# safi: unicast
# advertisements:
# matchLabels:
# advertise: "bgp"

# -- Configure BGP Advertisements (New bgpv2 API v1.16+)
# cilium_bgp_advertisements:
# - name: bgp-advertisements
# labels:
# advertise: bgp
# spec:
# advertisements:
# # - advertisementType: "PodCIDR"
# # attributes:
# # communities:
# # standard: [ "64512:99" ]
# - advertisementType: "Service"
# service:
# addresses:
# - ClusterIP
# - ExternalIP
# - LoadBalancerIP
# selector:
# matchExpressions:
# - {key: somekey, operator: NotIn, values: ['never-used-value']}

# -- Configure BGP Node Config Overrides (New bgpv2 API v1.16+)
# cilium_bgp_node_config_overrides:
# - name: bgp-node-config-override
# spec:
# bgpInstances:
# - name: "instance-65000"
# routerID: "192.168.10.1"
# localPort: 1790
# peers:
# - name: "peer-65000-tor1"
# localAddress: fd00:10:0:2::2
# - name: "peer-65000-tor2"
# localAddress: fd00:11:0:2::2

# -- Configure BGP Peers (Legacy v1.16+)
# cilium_bgp_peering_policies:
# - name: "01-bgp-peering-policy"
# spec:
# virtualRouters:
# - localASN: 64512
# exportPodCIDR: false
# neighbors:
# - peerAddress: '10.47.1.1/24'
# peerASN: 64512
# serviceSelector:
# matchExpressions:
# - {key: somekey, operator: NotIn, values: ['never-used-value']}

# -- Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
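Review bot: the comment on the legacy block reads `# -- Configure BGP Peers (Legacy v1.16+)`, which contradicts the docs heading `BGP Peering Policies (Legacy < v1.16)` and the defaults comment `# -- Configure BGP Peers (Legacy < v1.16)`; it should say `Legacy < v1.16`, and calling it "BGP Peering Policies" would match the variable name `cilium_bgp_peering_policies` and avoid reusing the "BGP Peers" label already given to `cilium_bgp_peer_configs`. The advertisements sample also drifts from the docs: the `PodCIDR` entry is double-commented here (`# # - advertisementType: "PodCIDR"`) but active in docs/CNI/cilium.md, so the two examples should agree.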
2 changes: 1 addition & 1 deletion roles/kubespray-defaults/defaults/main/main.yml
Expand Up @@ -43,7 +43,7 @@ kubeadm_init_phases_skip_default: [ "addon/coredns" ]
kubeadm_init_phases_skip: >-
{%- if kube_network_plugin == 'kube-router' and (kube_router_run_service_proxy is defined and kube_router_run_service_proxy) -%}
{{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
{%- elif kube_network_plugin == 'cilium' and (cilium_kube_proxy_replacement is defined and cilium_kube_proxy_replacement == 'strict') -%}
{%- elif kube_network_plugin == 'cilium' and (cilium_kube_proxy_replacement is defined and (cilium_kube_proxy_replacement == 'strict' or (cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true') )) -%}
{{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
{%- elif kube_network_plugin == 'calico' and (calico_bpf_enabled is defined and calico_bpf_enabled) -%}
{{ kubeadm_init_phases_skip_default + ["addon/kube-proxy"] }}
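Review bot: the new condition `(cilium_kube_proxy_replacement | bool) or (cilium_kube_proxy_replacement | string | lower == 'true')` is redundant and fragile: `| bool` already accepts `true` and `"true"`, and applying `| bool` to a non-boolean string such as `strict` or `partial` emits a deprecation warning on current ansible-core, which has announced that such values will become an error, instead of quietly evaluating to false. A single string comparison covers every accepted spelling and sidesteps the filter, e.g. `cilium_kube_proxy_replacement | string | lower in ['strict', 'true']`. It is also worth a comment that `partial` deliberately keeps the kube-proxy addon, since that is the intended behaviour but not obvious from the expression.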
22 changes: 22 additions & 0 deletions roles/network_plugin/cilium/defaults/main.yml
Expand Up @@ -46,6 +46,9 @@ cilium_tunnel_mode: vxlan
# LoadBalancer Mode (snat/dsr/hybrid) Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/#dsr-mode
cilium_loadbalancer_mode: snat

# -- Configure Loadbalancer IP Pools
cilium_loadbalancer_ip_pools: []

# Optional features
cilium_enable_prometheus: false
# Enable if you want to make use of hostPort mappings
Expand Down Expand Up @@ -277,6 +280,25 @@ cilium_monitor_aggregation_flags: "all"

cilium_enable_bpf_clock_probe: true

# -- Enable BGP Control Plane
cilium_enable_bgp_control_plane: false


# -- Configure BGP Instances (New bgpv2 API v1.16+)
cilium_bgp_cluster_configs: []

# -- Configure BGP Peers (New bgpv2 API v1.16+)
cilium_bgp_peer_configs: []

# -- Configure BGP Advertisements (New bgpv2 API v1.16+)
cilium_bgp_advertisements: []

# -- Configure BGP Node Config Overrides (New bgpv2 API v1.16+)
cilium_bgp_node_config_overrides: []

# -- Configure BGP Peers (Legacy < v1.16)
cilium_bgp_peering_policies: []

# -- Whether to enable CNP status updates.
cilium_disable_cnp_status_updates: true

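Review bot: the comment `# -- Configure BGP Peers (Legacy < v1.16)` labels `cilium_bgp_peering_policies`, but "BGP Peers" is already the label for `cilium_bgp_peer_configs` three entries above and the docs call these resources BGP Peering Policies; renaming the comment to match avoids confusing the two APIs. Also there are two blank lines after `cilium_enable_bgp_control_plane: false` where the rest of the file uses one.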