c12s-kubespray/docs/cilium.md

# Cilium

## Kube-proxy replacement with Cilium

Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
to `strict`.

Without kube-proxy, cilium needs to know the address of the kube-apiserver
and this must be set globally for all cilium components (agents and operators).
Hence, in this configuration in Kubespray, Cilium will always contact
the external loadbalancer (even from a node in the control plane)
and if there is no external load balancer It will ignore any local load
balancer deployed by Kubespray and **only contacts the first master**.

## Choose Cilium version

```yml
cilium_version: v1.11.0
```

## Add variable to config

Use following variables:

Example:

```yml
cilium_config_extra_vars:
  enable-endpoint-routes: true
```

## Change Identity Allocation Mode

Cilium assigns an identity for each endpoint. This identity is used to enforce basic connectivity between endpoints.

Cilium currently supports two different identity allocation modes:

- "crd" stores identities in kubernetes as CRDs (custom resource definition).
  - These can be queried with `kubectl get ciliumid`
- "kvstore" stores identities in an etcd kvstore.

## Install Cilium Hubble

k8s-net-cilium.yml:

```yml
cilium_enable_hubble: true ## enable support hubble in cilium
cilium_hubble_install: true ## install hubble-relay, hubble-ui
cilium_hubble_tls_generate: true ## install hubble-certgen and generate certificates
```

To validate that Hubble UI is properly configured, set up a port forwarding for hubble-ui service:

```shell script
kubectl port-forward -n kube-system svc/hubble-ui 12000:80
```

and then open [http://localhost:12000/](http://localhost:12000/).

## Hubble metrics

```yml
cilium_enable_hubble_metrics: true
cilium_hubble_metrics:
  - dns
  - drop
  - tcp
  - flow
  - icmp
  - http
```  

[More](https://docs.cilium.io/en/v1.9/operations/metrics/#hubble-exported-metrics)
Fix cilium strict kube proxy replacement in HA (#6473) * Update the cilium svc proxy test to HA mode Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> * Fix cilium strict kube-proxy in HA Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> * Add a single global endpoint variable Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> * Add cilium docs about kube-proxy replacement Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> * Fix issues in docs Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr> 2020-08-06 07:14:55 +00:00			`# Cilium`

			`## Kube-proxy replacement with Cilium`

			Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
			to `strict`.

			`Without kube-proxy, cilium needs to know the address of the kube-apiserver`
			`and this must be set globally for all cilium components (agents and operators).`
			`Hence, in this configuration in Kubespray, Cilium will always contact`
			`the external loadbalancer (even from a node in the control plane)`
			`and if there is no external load balancer It will ignore any local load`
			`balancer deployed by Kubespray and only contacts the first master.`
Upgrade cilium role (#7521) * Upgrade cilium roles * Del old test result * Add hubble ui examples * Refactor hubble metrics * Markdown fix pipeline errors * yamllint check and fix * refactor install from https://github.com/kubernetes-sigs/kubespray/pull/7520 * Docs syntax change (fix) * Cilium set default 1.8.9 * Update cilium version in Readme 2021-04-30 15:09:59 +00:00
			`## Choose Cilium version`

			```yml
Add identity_allocation_mode support for Cilium (#8430) Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> Signed-off-by: necatican <necaticanyildirim@gmail.com> Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> 2022-01-16 17:29:28 +00:00			`cilium_version: v1.11.0`
Upgrade cilium role (#7521) * Upgrade cilium roles * Del old test result * Add hubble ui examples * Refactor hubble metrics * Markdown fix pipeline errors * yamllint check and fix * refactor install from https://github.com/kubernetes-sigs/kubespray/pull/7520 * Docs syntax change (fix) * Cilium set default 1.8.9 * Update cilium version in Readme 2021-04-30 15:09:59 +00:00			```

			`## Add variable to config`

			`Use following variables:`

			`Example:`

			```yml
			`cilium_config_extra_vars:`
			`enable-endpoint-routes: true`
			```

Add identity_allocation_mode support for Cilium (#8430) Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> Signed-off-by: necatican <necaticanyildirim@gmail.com> Co-authored-by: Emin Aktaş <eminaktas34@gmail.com> Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com> 2022-01-16 17:29:28 +00:00			`## Change Identity Allocation Mode`

			`Cilium assigns an identity for each endpoint. This identity is used to enforce basic connectivity between endpoints.`

			`Cilium currently supports two different identity allocation modes:`

			`- "crd" stores identities in kubernetes as CRDs (custom resource definition).`
			- These can be queried with `kubectl get ciliumid`
			`- "kvstore" stores identities in an etcd kvstore.`

Upgrade cilium role (#7521) * Upgrade cilium roles * Del old test result * Add hubble ui examples * Refactor hubble metrics * Markdown fix pipeline errors * yamllint check and fix * refactor install from https://github.com/kubernetes-sigs/kubespray/pull/7520 * Docs syntax change (fix) * Cilium set default 1.8.9 * Update cilium version in Readme 2021-04-30 15:09:59 +00:00			`## Install Cilium Hubble`

			`k8s-net-cilium.yml:`

			```yml
			`cilium_enable_hubble: true ## enable support hubble in cilium`
			`cilium_hubble_install: true ## install hubble-relay, hubble-ui`
			`cilium_hubble_tls_generate: true ## install hubble-certgen and generate certificates`
			```

			`To validate that Hubble UI is properly configured, set up a port forwarding for hubble-ui service:`

			```shell script
			`kubectl port-forward -n kube-system svc/hubble-ui 12000:80`
			```

			`and then open [http://localhost:12000/](http://localhost:12000/).`

			`## Hubble metrics`

			```yml
			`cilium_enable_hubble_metrics: true`
			`cilium_hubble_metrics:`
			`- dns`
			`- drop`
			`- tcp`
			`- flow`
			`- icmp`
			`- http`
			```

			`[More](https://docs.cilium.io/en/v1.9/operations/metrics/#hubble-exported-metrics)`