CNI Plugin

Linkerd installs can be configured to run a CNI plugin that rewrites each pod's iptables rules automatically. Rewriting iptables is required for routing network traffic through the pod's linkerd-proxy container. When the CNI plugin is enabled, individual pods no longer need to include an init container that requires the NET_ADMIN capability to perform rewriting. This can be useful in clusters where that capability is restricted by cluster administrators.

Installation

Usage of the Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the Linkerd control plane.

Using the CLI

To install the linkerd-cni DaemonSet, run:

  linkerd install-cni | kubectl apply -f -

Once the DaemonSet is up and running, all subsequent installs that include a linkerd-proxy container (including the Linkerd control plane) no longer need to include the linkerd-init container. Omission of the init container is controlled by the --linkerd-cni-enabled flag at control plane install time.

Install the Linkerd control plane with:

  linkerd install --linkerd-cni-enabled | kubectl apply -f -

This will set a cniEnabled flag in the global linkerd-config ConfigMap. All subsequent proxy injections will read this field and omit init containers.
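To confirm that injection really is omitting the init container, the following added example (not part of the Linkerd documentation or code base) scans the output of kubectl get pods -A -o json for pods that carry linkerd-proxy but still have an init container adding NET_ADMIN. The sample pods, namespaces and helper names are constructed for illustration.

```python
import json
import sys


def _pod(ns, name, containers, init=None):
    """Build a minimal constructed pod object in the shape kubectl emits."""
    spec = {"containers": [{"name": c} for c in containers]}
    if init:
        spec["initContainers"] = [
            {"name": n, "securityContext": {"capabilities": {"add": caps}}}
            for n, caps in init.items()
        ]
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    # Injected with CNI enabled: proxy present, no init container.
    _pod("emojivoto", "web-1", ["web", "linkerd-proxy"]),
    # Injected before CNI was enabled: linkerd-init still requests NET_ADMIN.
    _pod("emojivoto", "voting-1", ["voting", "linkerd-proxy"], {"linkerd-init": ["NET_ADMIN"]}),
    # Not meshed: out of scope for this check even though it requests NET_ADMIN.
    _pod("kube-system", "net-tool", ["tool"], {"setup": ["NET_ADMIN"]}),
]}


def meshed_pods_needing_net_admin(pod_list):
    """Return (namespace, pod, init container) for meshed pods whose init containers add NET_ADMIN."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec") or {}
        if not any(c.get("name") == "linkerd-proxy" for c in spec.get("containers") or []):
            continue  # only pods that carry the proxy sidecar are in scope
        for init in spec.get("initContainers") or []:
            sec = init.get("securityContext") or {}
            added = (sec.get("capabilities") or {}).get("add") or []
            if "NET_ADMIN" in added:
                meta = pod.get("metadata") or {}
                findings.append((meta.get("namespace"), meta.get("name"), init.get("name")))
    return findings


if __name__ == "__main__":
    # Pipe kubectl output in, or run from a terminal with no stdin to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, init in meshed_pods_needing_net_admin(data):
        print(f"{ns}/{name}: init container {init} adds NET_ADMIN")
```

Pods reported here were injected without the CNI setting in effect and need to be re-injected before NET_ADMIN can be restricted for them.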

Using Helm

First ensure that your Helm local cache is updated:

  helm repo update
  helm search linkerd2-cni
  NAME                         CHART VERSION  APP VERSION   DESCRIPTION
  linkerd-edge/linkerd2-cni    20.1.1         edge-20.1.1   A helm chart containing the resources needed by the Linke...
  linkerd-stable/linkerd2-cni  2.7.0          stable-2.7.0  A helm chart containing the resources needed by the Linke...

Run the following commands to install the CNI DaemonSet:

  # install the CNI plugin first
  helm install --name=linkerd2-cni linkerd2/linkerd2-cni
  # ensure the plugin is installed and ready
  linkerd check --pre --linkerd-cni-enabled

At that point you are ready to install Linkerd with CNI enabled. You can follow Installing Linkerd with Helm to do so.

Additional configuration

The linkerd install-cni command includes additional flags that you can use to customize the installation. See linkerd install-cni --help for more information. Note that many of the flags are similar to the flags that can be used to configure the proxy when running linkerd inject. If you change a default when running linkerd install-cni, you will want to ensure that you make a corresponding change when running linkerd inject.

The most important flags are:

  • --dest-cni-net-dir: This is the directory on the node where the CNI Configuration resides. It defaults to: /etc/cni/net.d.
  • --dest-cni-bin-dir: This is the directory on the node where the CNI Plugin binaries reside. It defaults to: /opt/cni/bin.
  • --cni-log-level: Setting this to debug will allow more verbose logging. In order to view the CNI Plugin logs, you must be able to see the kubelet logs. One way to do this is to log onto the node and use journalctl -t kubelet. The string linkerd-cni: can be used as a search to find the plugin log output.

Upgrading the CNI plugin

Since the CNI plugin is basically stateless, there is no need for a separate upgrade command. If you are using the CLI to upgrade the CNI plugin you can just do:

  linkerd install-cni | kubectl apply --prune -l linkerd.io/cni-resource=true -f -

Keep in mind that if you are upgrading the plugin from an experimental version, you need to uninstall and install it again.