我的书签
添加书签
移除书签Installation using Kops
As of kops 1.9 release, Cilium can be plugged into kops-deployed clusters as the CNI plugin. This guide provides steps to create a Kubernetes cluster on AWS using kops and Cilium as the CNI plugin. Note, the kops deployment will automate several deployment features in AWS by default, including AutoScaling, Volumes, VPCs, etc.
Kops offers several out-of-the-box configurations of Cilium including Kubernetes Without kube-proxy, AWS ENI, and dedicated etcd cluster for Cilium. This guide will just go through a basic setup.
Prerequisites
- aws cli
- kubectl
- aws account with permissions: * AmazonEC2FullAccess * AmazonRoute53FullAccess * AmazonS3FullAccess * IAMFullAccess * AmazonVPCFullAccess
Installing kops
Linux
MacOS
curl -LO https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64chmod +x kops-linux-amd64sudo mv kops-linux-amd64 /usr/local/bin/kops
brew update && brew install kops
Setting up IAM Group and User
Assuming you have all the prerequisites, run the following commands to create the kops user and group:
$ # Create IAM group named kops and grant access$ aws iam create-group --group-name kops$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name kops$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonRoute53FullAccess --group-name kops$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --group-name kops$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/IAMFullAccess --group-name kops$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonVPCFullAccess --group-name kops$ aws iam create-user --user-name kops$ aws iam add-user-to-group --user-name kops --group-name kops$ aws iam create-access-key --user-name kops
kops requires the creation of a dedicated S3 bucket in order to store the state and representation of the cluster. You will need to change the bucket name and provide your unique bucket name (for example a reverse of FQDN added with short description of the cluster). Also make sure to use the region where you will be deploying the cluster.
$ aws s3api create-bucket --bucket prefix-example-com-state-store --region us-west-2 --create-bucket-configuration LocationConstraint=us-west-2$ export KOPS_STATE_STORE=s3://prefix-example-com-state-store
The above steps are sufficient for getting a working cluster installed. Please consult kops aws documentation for more detailed setup instructions.
Cilium Prerequisites
- Ensure the System Requirements are met, particularly the Linux kernel and key-value store versions.
The default AMI satisfies the minimum kernel version required by Cilium, which is what we will use in this guide.
Creating a Cluster
- Note that you will need to specify the
--master-zonesand--zonesfor creating the master and worker nodes. The number of master zones should be * odd (1, 3, …) for HA. For simplicity, you can just use 1 region. - To keep things simple when following this guide, we will use a gossip-based cluster. This means you do not have to create a hosted zone upfront. cluster
NAMEvariable must end withk8s.localto use the gossip protocol. If creating multiple clusters using the same kops user, then make the cluster name unique by adding a prefix such ascom-company-emailid-.
$ export NAME=com-company-emailid-cilium.k8s.local$ kops create cluster --state=${KOPS_STATE_STORE} --node-count 3 --topology private --master-zones us-west-2a,us-west-2b,us-west-2c --zones us-west-2a,us-west-2b,us-west-2c --networking cilium --cloud-labels "Team=Dev,Owner=Admin" ${NAME} --yes
You may be prompted to create a ssh public-private key pair.
$ ssh-keygen
(Please see Deleting a Cluster)
Validate the Installation
Cilium CLI
Manually
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
Linux
macOS
Other
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}sha256sum --check cilium-linux-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/binrm cilium-linux-amd64.tar.gz{,.sha256sum}
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-darwin-amd64.tar.gz{,.sha256sum}shasum -a 256 -c cilium-darwin-amd64.tar.gz.sha256sumsudo tar xzvfC cilium-darwin-amd64.tar.gz /usr/local/binrm cilium-darwin-amd64.tar.gz{,.sha256sum}
See the full page of releases.
To validate that Cilium has been properly installed, you can run
$ cilium status --wait/¯¯\/¯¯\__/¯¯\ Cilium: OK\__/¯¯\__/ Operator: OK/¯¯\__/¯¯\ Hubble: disabled\__/¯¯\__/ ClusterMesh: disabled\__/DaemonSet cilium Desired: 2, Ready: 2/2, Available: 2/2Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2Containers: cilium-operator Running: 2cilium Running: 2Image versions cilium quay.io/cilium/cilium:v1.9.5: 2cilium-operator quay.io/cilium/operator-generic:v1.9.5: 2
Run the following command to validate that your cluster has proper network connectivity:
$ cilium connectivity testℹ️ Monitor aggregation detected, will skip some flow validation steps✨ [k8s-cluster] Creating namespace for connectivity check...(...)---------------------------------------------------------------------------------------------------------------------📋 Test Report---------------------------------------------------------------------------------------------------------------------✅ 69/69 tests successful (0 warnings)
Congratulations! You have a fully functional Kubernetes cluster with Cilium. 🎉
You can monitor as Cilium and all required components are being installed:
$ kubectl -n kube-system get pods --watchNAME READY STATUS RESTARTS AGEcilium-operator-cb4578bc5-q52qk 0/1 Pending 0 8scilium-s8w5m 0/1 PodInitializing 0 7scoredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 8m57scoredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 8m57s
It may take a couple of minutes for all components to come up:
cilium-operator-cb4578bc5-q52qk 1/1 Running 0 4m13scilium-s8w5m 1/1 Running 0 4m12scoredns-86c58d9df4-4g7dd 1/1 Running 0 13mcoredns-86c58d9df4-4l6b2 1/1 Running 0 13m
You can deploy the “connectivity-check” to test connectivity between pods. It is recommended to create a separate namespace for this.
kubectl create ns cilium-test
Deploy the check with:
kubectl apply -n cilium-test -f https://raw.githubusercontent.com/cilium/cilium/v1.10/examples/kubernetes/connectivity-check/connectivity-check.yaml
It will deploy a series of deployments which will use various connectivity paths to connect to each other. Connectivity paths include with and without service load-balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure of the test:
$ kubectl get pods -n cilium-testNAME READY STATUS RESTARTS AGEecho-a-76c5d9bd76-q8d99 1/1 Running 0 66secho-b-795c4b4f76-9wrrx 1/1 Running 0 66secho-b-host-6b7fc94b7c-xtsff 1/1 Running 0 66shost-to-b-multi-node-clusterip-85476cd779-bpg4b 1/1 Running 0 66shost-to-b-multi-node-headless-dc6c44cb5-8jdz8 1/1 Running 0 65spod-to-a-79546bc469-rl2qq 1/1 Running 0 66spod-to-a-allowed-cnp-58b7f7fb8f-lkq7p 1/1 Running 0 66spod-to-a-denied-cnp-6967cb6f7f-7h9fn 1/1 Running 0 66spod-to-b-intra-node-nodeport-9b487cf89-6ptrt 1/1 Running 0 65spod-to-b-multi-node-clusterip-7db5dfdcf7-jkjpw 1/1 Running 0 66spod-to-b-multi-node-headless-7d44b85d69-mtscc 1/1 Running 0 66spod-to-b-multi-node-nodeport-7ffc76db7c-rrw82 1/1 Running 0 65spod-to-external-1111-d56f47579-d79dz 1/1 Running 0 66spod-to-external-fqdn-allow-google-cnp-78986f4bcf-btjn7 1/1 Running 0 66s
Note
If you deploy the connectivity check to a single node cluster, pods that check multi-node functionalities will remain in the Pending state. This is expected since these pods need at least 2 nodes to be scheduled successfully.
Once done with the test, remove the cilium-test namespace:
kubectl delete ns cilium-test
Deleting a Cluster
To undo the dependencies and other deployment features in AWS from the kops cluster creation, use kops to destroy a cluster immediately with the parameter --yes:
$ kops delete cluster ${NAME} --yes
Further reading on using Cilium with Kops
- See the kops networking documentation for more information on the configuration options kops offers.
- See the kops cluster spec documentation for a comprehensive list of all the options
Appendix: Details of kops flags used in cluster creation
The following section explains all the flags used in create cluster command.
--state=${KOPS_STATE_STORE}: KOPS uses an S3 bucket to store the state of your cluster and representation of your cluster--node-count 3: No. of worker nodes in the kubernetes cluster.--topology private: Cluster will be created with private topology, what that means is all masters/nodes will be launched in a private subnet in the VPC--master-zones eu-west-1a,eu-west-1b,eu-west-1c: The 3 zones ensure the HA of master nodes, each belonging in a different Availability zones.--zones eu-west-1a,eu-west-1b,eu-west-1c: Zones where the worker nodes will be deployed--networking cilium: Networking CNI plugin to be used - cilium. You can also usecilium-etcd, which will use a dedicated etcd cluster as key/value store instead of CRDs.--cloud-labels "Team=Dev,Owner=Admin": Labels for your cluster that will be applied to your instances${NAME}: Name of the cluster. Make sure the name ends with k8s.local for a gossip based cluster
