Cilium

The Cilium CNI uses a Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within the Linux kernel.

Installing Cilium on a new Cluster

To use the Cilium, specify the following in the cluster spec.

  1. networking:
  2. cilium: {}

The following command sets up a cluster using Cilium.

  1. export ZONES=mylistofzones
  2. kops create cluster \
  3. --zones $ZONES \
  4. --networking cilium\
  5. --yes \
  6. --name cilium.example.com

Configuring Cilium

Using etcd for agent state sync

BetaDefault
kOps 1.18kOps 1.26

By default, Cilium will use CRDs for synchronizing agent state. This can cause performance problems on larger clusters. As of kOps 1.18, kOps can manage an etcd cluster using etcd-manager dedicated for cilium agent state sync. The Cilium docs contains recommendations for when this must be enabled.

For new clusters you can use the cilium-etcd networking provider:

  1. export ZONES=mylistofzones
  2. kops create cluster \
  3. --zones $ZONES \
  4. --networking cilium-etcd \
  5. --yes \
  6. --name cilium.example.com

For existing clusters, add the following to spec.etcdClusters: Make sure instanceGroup match the other etcd clusters. You should also enable auto compaction.

  1. - etcdMembers:
  2. - instanceGroup: master-az-1a
  3. name: a
  4. - instanceGroup: master-az-1b
  5. name: b
  6. - instanceGroup: master-az-1c
  7. name: c
  8. manager:
  9. env:
  10. - name: ETCD_AUTO_COMPACTION_MODE
  11. value: revision
  12. - name: ETCD_AUTO_COMPACTION_RETENTION
  13. value: "2500"
  14. name: cilium

It is important that you perform a rolling update on the entire cluster so that all the nodes can connect to the new etcd cluster.

  1. kops update cluster
  2. kops update cluster --yes
  3. kops rolling-update cluster --force --yes

Then enable etcd as kvstore:

  1. networking:
  2. cilium:
  3. etcdManaged: true

Enabling BPF NodePort

As of kOps 1.19, BPF NodePort is enabled by default for new clusters if the kubernetes version is 1.12 or newer. It can be safely enabled as of kOps 1.18.

In this mode, the cluster is fully functional without kube-proxy, with Cilium replacing kube-proxy’s NodePort implementation using BPF. Read more about this in the Cilium docs - kubeproxy free and Cilium docs - NodePort

Be aware that you need to use an AMI with at least Linux 4.19.57 for this feature to work.

Also be aware that while enabling this on an existing cluster is safe, disabling this is disruptive and requires you to run kops rolling-upgrade cluster --cloudonly.

  1. kubeProxy:
  2. enabled: false
  3. networking:
  4. cilium:
  5. enableNodePort: true

If you are migrating an existing cluster, you need to manually rolling-update the cilium DaemonSet before rolling-updating the cluster:

  1. kops update cluster
  2. kops update cluster --yes
  3. kubectl rollout restart ds/cilium -n kube-system
  4. kops rolling-update cluster --yes

Enabling Cilium ENI IPAM (IPv4 only)

BetaDefault
kOps 1.18kOps 1.26

You can have Cilium provision AWS managed addresses and attach them directly to Pods much like AWS VPC. See the Cilium docs for more information

Enable this by setting --networking=cilium-eni (as of kOps 1.26) or by specifying the following in the cluster spec:

  1. networking:
  2. cilium:
  3. ipam: eni

In kOps versions before 1.22, when using ENI IPAM you need to explicitly disable masquerading in Cilium as well.

  1. networking:
  2. cilium:
  3. disableMasquerade: true
  4. ipam: eni

Note that since Cilium Operator is the entity that interacts with the EC2 API to provision and attaching ENIs, we force it to run on the master nodes when this IPAM is used.

Also note that this feature has only been tested on the default kOps AMIs.

Enabling Encryption in Cilium (IPv4 only)

IPsec
IntroducedMinimum K8s Version
kOps 1.19k8s 1.17

As of kOps 1.19, it is possible to enable encryption for Cilium agent in IPv4 clusters. In order to enable encryption, you must first generate the pre-shared key using this command:

  1. cat <<EOF | kops create secret ciliumpassword -f -
  2. keys: $(echo "3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null| xxd -p -c 64)) 128")
  3. EOF

The above command will create a dedicated secret for cilium and store it in the kOps secret store. Once the secret has been created, encryption can be enabled by setting enableEncryption option in spec.networking.cilium to true:

  1. networking:
  2. cilium:
  3. enableEncryption: true
WireGuard
IntroducedMinimum K8s Version
kOps 1.22k8s 1.17

Cilium can make use of the wireguard protocol for transparent encryption. Take care to familiarise yourself with the limitations.

  1. networking:
  2. cilium:
  3. enableEncryption: true
  4. enableL7Proxy: false
  5. encryptionType: wireguard

Resources in Cilium

IntroducedMinimum K8s Version
kOps 1.21k8s 1.20

As of kOps 1.20, it is possible to choose your own values for Cilium Agents + Operator. Example:

  1. networking:
  2. cilium:
  3. cpuRequest: "25m"
  4. memoryRequest: "128Mi"

Hubble

IntroducedMinimum K8s Version
kOps 1.20.1k8s 1.20

Hubble is the observability layer of Cilium and can be used to obtain cluster-wide visibility into the network and security layer of your Kubernetes cluster. See the Hubble documentation for more information.

Hubble can be enabled by adding the following to the spec:

  1. networking:
  2. cilium:
  3. hubble:
  4. enabled: true

This will enable Hubble in the Cilium agent as well as install hubble-relay. kOps will also configure mTLS between the Cilium agent and relay. Note that since the Hubble UI does not support TLS, the relay is not configured to listen on a secure port.

The Hubble UI has to be installed separatly.

Hubble UI

Hubble UI brings a dashboard on top of Hubble observability layer. It allows viewing service map and TCP flows directly inside a browser.

When Cilium is intalled and managed by kOps, Cilium cli should not be used as the configuration it produces conflicts with the configuration managed by kOps (certificates are not managed the same way). For this reason, deploying Hubble UI can be tricky.

Fortunately, recent versions of the Cilium Helm chart allow standalone install of Hubble UI. See Helm (Standalone install) tab in Hubble UI documentation.

Basically, it requires to disable all components in the chart (they are already managed by kOps) except Hubble UI, and setting hubble.ui.standalone.enabled to true.

A minimal command line install should look like this:

  1. helm upgrade --install --namespace kube-system --repo https://helm.cilium.io cilium cilium --version 1.11.1 --values - <<EOF
  2. agent: false
  3. operator:
  4. enabled: false
  5. cni:
  6. install: false
  7. hubble:
  8. enabled: false
  9. relay:
  10. enabled: false
  11. ui:
  12. # enable Hubble UI
  13. enabled: true
  14. standalone:
  15. # enable Hubble UI standalone deployment
  16. enabled: true
  17. # ...
  18. EOF

Note that you can create an ingress resource for Hubble UI by configuring the hubble.ui.ingress stanza. See Cilium Helm chart documentation for more information.

Getting help

For problems with deploying Cilium please post an issue to Github:

For support with Cilium Network Policies you can reach out on Slack or Github: