我的书签
添加书签
移除书签Using kube-router to run BGP
This guide explains how to configure Cilium and kube-router to co-operate to use kube-router for BGP peering and route propagation and Cilium for policy enforcement and load-balancing.
Note
This is a beta feature. Please provide feedback and file a GitHub issue if you experience any problems.
Deploy kube-router
Download the kube-router DaemonSet template:
curl -LO https://raw.githubusercontent.com/cloudnativelabs/kube-router/v1.2/daemonset/generic-kuberouter-only-advertise-routes.yaml
Open the file generic-kuberouter-only-advertise-routes.yaml and edit the args: section. The following arguments are required to be set to exactly these values:
- "--run-router=true"- "--run-firewall=false"- "--run-service-proxy=false"- "--enable-cni=false"- "--enable-pod-egress=false"
The following arguments are optional and may be set according to your needs. For the purpose of keeping this guide simple, the following values are being used which require the least preparations in your cluster. Please see the kube-router user guide for more information.
- "--enable-ibgp=true"- "--enable-overlay=true"- "--advertise-cluster-ip=true"- "--advertise-external-ip=true"- "--advertise-loadbalancer-ip=true"
The following arguments are optional and should be set if you want BGP peering with an external router. This is useful if you want externally routable Kubernetes Pod and Service IPs. Note the values used here should be changed to whatever IPs and ASNs are configured on your external router.
- "--cluster-asn=65001"- "--peer-router-ips=10.0.0.1,10.0.2"- "--peer-router-asns=65000,65000"
Apply the DaemonSet file to deploy kube-router and verify it has come up correctly:
$ kubectl apply -f generic-kuberouter-only-advertise-routes.yaml$ kubectl -n kube-system get pods -l k8s-app=kube-routerNAME READY STATUS RESTARTS AGEkube-router-n6fv8 1/1 Running 0 10mkube-router-nj4vs 1/1 Running 0 10mkube-router-xqqwc 1/1 Running 0 10mkube-router-xsmd4 1/1 Running 0 10m
Deploy Cilium
In order for routing to be delegated to kube-router, tunneling/encapsulation must be disabled. This is done by setting the tunnel=disabled in the ConfigMap cilium-config or by adjusting the DaemonSet to run the cilium-agent with the argument --tunnel=disabled. Moreover, in the same ConfigMap, we must explicitly set ipam: kubernetes since kube-router pulls the pod CIDRs directly from K8s:
# Encapsulation mode for communication between nodes# Possible values:# - disabled# - vxlan (default)# - genevetunnel: "disabled"ipam: "kubernetes"
You can then install Cilium according to the instructions in section Requirements.
Ensure that Cilium is up and running:
$ kubectl -n kube-system get pods -l k8s-app=ciliumNAME READY STATUS RESTARTS AGEcilium-fhpk2 1/1 Running 0 45mcilium-jh6kc 1/1 Running 0 44mcilium-rlx6n 1/1 Running 0 44mcilium-x5x9z 1/1 Running 0 45m
Verify Installation
Verify that kube-router has installed routes:
$ kubectl -n kube-system exec -ti cilium-fhpk2 -- ip route list scope globaldefault via 172.0.32.1 dev eth0 proto dhcp src 172.0.50.227 metric 102410.2.0.0/24 via 10.2.0.172 dev cilium_host src 10.2.0.17210.2.1.0/24 via 172.0.51.175 dev eth0 proto 1710.2.2.0/24 dev tun-172011760 proto 17 src 172.0.50.22710.2.3.0/24 dev tun-1720186231 proto 17 src 172.0.50.227
In the above example, we see three categories of routes that have been installed:
- Local PodCIDR: This route points to all pods running on the host and makes these pods available to *
10.2.0.0/24 via 10.2.0.172 dev cilium_host src 10.2.0.172 - BGP route: This type of route is installed if kube-router determines that the remote PodCIDR can be reached via a router known to the local host. It will instruct pod to pod traffic to be forwarded directly to that router without requiring any encapsulation. *
10.2.1.0/24 via 172.0.51.175 dev eth0 proto 17 - IPIP tunnel route: If no direct routing path exists, kube-router will fall back to using an overlay and establish an IPIP tunnel between the nodes. *
10.2.2.0/24 dev tun-172011760 proto 17 src 172.0.50.227*10.2.3.0/24 dev tun-1720186231 proto 17 src 172.0.50.227
Validate the Installation
Cilium CLI
Manually
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
Linux
macOS
Other
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}sha256sum --check cilium-linux-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/binrm cilium-linux-amd64.tar.gz{,.sha256sum}
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-darwin-amd64.tar.gz{,.sha256sum}shasum -a 256 -c cilium-darwin-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-darwin-amd64.tar.gz /usr/local/binrm cilium-darwin-amd64.tar.gz{,.sha256sum}
See the full page of releases.
To validate that Cilium has been properly installed, you can run
$ cilium status --wait/¯¯\/¯¯\__/¯¯\ Cilium: OK\__/¯¯\__/ Operator: OK/¯¯\__/¯¯\ Hubble: disabled\__/¯¯\__/ ClusterMesh: disabled\__/DaemonSet cilium Desired: 2, Ready: 2/2, Available: 2/2Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2Containers: cilium-operator Running: 2cilium Running: 2Image versions cilium quay.io/cilium/cilium:v1.9.5: 2cilium-operator quay.io/cilium/operator-generic:v1.9.5: 2
Run the following command to validate that your cluster has proper network connectivity:
$ cilium connectivity testℹ️ Monitor aggregation detected, will skip some flow validation steps✨ [k8s-cluster] Creating namespace for connectivity check...(...)---------------------------------------------------------------------------------------------------------------------📋 Test Report---------------------------------------------------------------------------------------------------------------------✅ 69/69 tests successful (0 warnings)
Congratulations! You have a fully functional Kubernetes cluster with Cilium. 🎉
You can monitor as Cilium and all required components are being installed:
$ kubectl -n kube-system get pods --watchNAME READY STATUS RESTARTS AGEcilium-operator-cb4578bc5-q52qk 0/1 Pending 0 8scilium-s8w5m 0/1 PodInitializing 0 7scoredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57scoredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s
It may take a couple of minutes for all components to come up:
cilium-operator-cb4578bc5-q52qk 1/1 Running 0 4m13scilium-s8w5m 1/1 Running 0 4m12scoredns-86c58d9df4-4g7dd 1/1 Running 0 13mcoredns-86c58d9df4-4l6b2 1/1 Running 0 13m
You can deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this.
kubectl create ns cilium-test
Deploy the check with:
kubectl apply -n cilium-test -f https://raw.githubusercontent.com/cilium/cilium/v1.10/examples/kubernetes/connectivity-check/connectivity-check.yaml
It will deploy a series of deployments which will use various connectivity paths to connect to each other. Connectivity paths include with and without service load-balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure of the test:
$ kubectl get pods -n cilium-testNAME READY STATUS RESTARTS AGEecho-a-76c5d9bd76-q8d99 1/1 Running 0 66secho-b-795c4b4f76-9wrrx 1/1 Running 0 66secho-b-host-6b7fc94b7c-xtsff 1/1 Running 0 66shost-to-b-multi-node-clusterip-85476cd779-bpg4b 1/1 Running 0 66shost-to-b-multi-node-headless-dc6c44cb5-8jdz8 1/1 Running 0 65spod-to-a-79546bc469-rl2qq 1/1 Running 0 66spod-to-a-allowed-cnp-58b7f7fb8f-lkq7p 1/1 Running 0 66spod-to-a-denied-cnp-6967cb6f7f-7h9fn 1/1 Running 0 66spod-to-b-intra-node-nodeport-9b487cf89-6ptrt 1/1 Running 0 65spod-to-b-multi-node-clusterip-7db5dfdcf7-jkjpw 1/1 Running 0 66spod-to-b-multi-node-headless-7d44b85d69-mtscc 1/1 Running 0 66spod-to-b-multi-node-nodeport-7ffc76db7c-rrw82 1/1 Running 0 65spod-to-external-1111-d56f47579-d79dz 1/1 Running 0 66spod-to-external-fqdn-allow-google-cnp-78986f4bcf-btjn7 1/1 Running 0 66s
Note
If you deploy the connectivity check to a single node cluster, pods that check multi-node functionalities will remain in the Pending state. This is expected since these pods need at least 2 nodes to be scheduled successfully.
Once done with the test, remove the cilium-test namespace:
kubectl delete ns cilium-test
