我的书签
添加书签
移除书签Installation using kubeadm
This guide describes deploying Cilium on a Kubernetes cluster created with kubeadm.
For installing kubeadm on your system, please refer to the official kubeadm documentation The official documentation also describes additional options of kubeadm which are not mentioned here.
If you are interested in using Cilium’s kube-proxy replacement, please follow the Kubernetes Without kube-proxy guide and skip this one.
Create the cluster
Initialize the control plane via executing on it:
kubeadm init
Note
If you want to use Cilium’s kube-proxy replacement, kubeadm needs to skip the kube-proxy deployment phase, so it has to be executed with the --skip-phases=addon/kube-proxy option:
kubeadm init --skip-phases=addon/kube-proxy
For more information please refer to the Kubernetes Without kube-proxy guide.
Afterwards, join worker nodes by specifying the control-plane node IP address and the token returned by kubeadm init:
kubeadm join <..>
Deploy Cilium
Note
Make sure you have Helm 3 installed. Helm 2 is no longer supported.
Setup Helm repository:
helm repo add cilium https://helm.cilium.io/
Deploy Cilium release via Helm:
helm install cilium cilium/cilium --version 1.10.2 --namespace kube-system
Validate the Installation
Cilium CLI
Manually
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
Linux
macOS
Other
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}sha256sum --check cilium-linux-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/binrm cilium-linux-amd64.tar.gz{,.sha256sum}
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-darwin-amd64.tar.gz{,.sha256sum}shasum -a 256 -c cilium-darwin-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-darwin-amd64.tar.gz /usr/local/binrm cilium-darwin-amd64.tar.gz{,.sha256sum}
See the full page of releases.
To validate that Cilium has been properly installed, you can run
$ cilium status --wait/¯¯\/¯¯\__/¯¯\ Cilium: OK\__/¯¯\__/ Operator: OK/¯¯\__/¯¯\ Hubble: disabled\__/¯¯\__/ ClusterMesh: disabled\__/DaemonSet cilium Desired: 2, Ready: 2/2, Available: 2/2Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2Containers: cilium-operator Running: 2cilium Running: 2Image versions cilium quay.io/cilium/cilium:v1.9.5: 2cilium-operator quay.io/cilium/operator-generic:v1.9.5: 2
Run the following command to validate that your cluster has proper network connectivity:
$ cilium connectivity testℹ️ Monitor aggregation detected, will skip some flow validation steps✨ [k8s-cluster] Creating namespace for connectivity check...(...)---------------------------------------------------------------------------------------------------------------------📋 Test Report---------------------------------------------------------------------------------------------------------------------✅ 69/69 tests successful (0 warnings)
Congratulations! You have a fully functional Kubernetes cluster with Cilium. 🎉
You can monitor as Cilium and all required components are being installed:
$ kubectl -n kube-system get pods --watchNAME READY STATUS RESTARTS AGEcilium-operator-cb4578bc5-q52qk 0/1 Pending 0 8scilium-s8w5m 0/1 PodInitializing 0 7scoredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57scoredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s
It may take a couple of minutes for all components to come up:
cilium-operator-cb4578bc5-q52qk 1/1 Running 0 4m13scilium-s8w5m 1/1 Running 0 4m12scoredns-86c58d9df4-4g7dd 1/1 Running 0 13mcoredns-86c58d9df4-4l6b2 1/1 Running 0 13m
You can deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this.
kubectl create ns cilium-test
Deploy the check with:
kubectl apply -n cilium-test -f https://raw.githubusercontent.com/cilium/cilium/v1.10/examples/kubernetes/connectivity-check/connectivity-check.yaml
It will deploy a series of deployments which will use various connectivity paths to connect to each other. Connectivity paths include with and without service load-balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure of the test:
$ kubectl get pods -n cilium-testNAME READY STATUS RESTARTS AGEecho-a-76c5d9bd76-q8d99 1/1 Running 0 66secho-b-795c4b4f76-9wrrx 1/1 Running 0 66secho-b-host-6b7fc94b7c-xtsff 1/1 Running 0 66shost-to-b-multi-node-clusterip-85476cd779-bpg4b 1/1 Running 0 66shost-to-b-multi-node-headless-dc6c44cb5-8jdz8 1/1 Running 0 65spod-to-a-79546bc469-rl2qq 1/1 Running 0 66spod-to-a-allowed-cnp-58b7f7fb8f-lkq7p 1/1 Running 0 66spod-to-a-denied-cnp-6967cb6f7f-7h9fn 1/1 Running 0 66spod-to-b-intra-node-nodeport-9b487cf89-6ptrt 1/1 Running 0 65spod-to-b-multi-node-clusterip-7db5dfdcf7-jkjpw 1/1 Running 0 66spod-to-b-multi-node-headless-7d44b85d69-mtscc 1/1 Running 0 66spod-to-b-multi-node-nodeport-7ffc76db7c-rrw82 1/1 Running 0 65spod-to-external-1111-d56f47579-d79dz 1/1 Running 0 66spod-to-external-fqdn-allow-google-cnp-78986f4bcf-btjn7 1/1 Running 0 66s
Note
If you deploy the connectivity check to a single node cluster, pods that check multi-node functionalities will remain in the Pending state. This is expected since these pods need at least 2 nodes to be scheduled successfully.
Once done with the test, remove the cilium-test namespace:
kubectl delete ns cilium-test
