The module has 8 alerts.
The module is not enabled by default in any bundles.
The module is configured using the ModuleConfig custom resource named cni-cilium (learn more about setting up Deckhouse…).
Example of the ModuleConfig/cni-cilium resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cni-cilium
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- settings
- settings.bpfLBMode
eBPF LoadBalancer mode:
- SNAT - traffic from the client to the pod (and back) passes through NAT, so the sender's address is lost; anything in the pod that logs or filters on the client IP sees the node address instead.
- DSR - traffic from the client to the pod passes with the sender's address preserved, and the return path follows the routing rules (bypassing the balancer). This mode saves network traffic and reduces latency, but only works for TCP traffic.
- Hybrid - TCP traffic is processed in DSR mode, UDP traffic in SNAT mode.
Default: "Hybrid"
Allowed values: SNAT, Hybrid, DSR
- settings.createNodeRoutes
Create routes to Pods on other Nodes.
All Nodes must be located in the same L2 domain.
- settings.debugLogging
Enables debug logging for Cilium components.
Default: false
- settings.labelsRegex
Cilium derives security identities from the labels of Kubernetes objects. The more labels take part in this process, the finer the access granularity that can be achieved; in large clusters, however, excessive granularity creates a heavy load. Use the labelsRegex option to specify explicitly which labels are used for security policies and which are ignored. Refer to the Cilium documentation on reducing identity cardinality for details.
Each label must be specified as a RegExp expression in YAML quoted string format. Note that special characters must be escaped.
Example:
labelsRegex:
  - k8s:!app\.kubernetes\.io
  - k8s:io\.cilium\.k8s\.policy
- settings.masqueradeMode
Cilium masquerade mode for pod traffic leaving the cluster.
- BPF - use Cilium BPF masquerading. Basic operation mode. In this mode, masquerade is not applied if the destination IP address is within podSubnetCIDR or is the InternalIP/ExternalIP of any cluster node.
- Netfilter - use kernel Netfilter (iptables/nf_tables). In this mode, masquerade is not applied if the destination IP address is within podSubnetCIDR or is the InternalIP/ExternalIP of any cluster node.
In BPF mode, if an ExternalIP different from the InternalIP is specified for a cluster node, and that IP address is not currently assigned to any interface on the node, it will not be reachable from the pod network of neighboring nodes. The Netfilter mode lifts this limitation, but some other features stop working, such as EgressGateway.
Default: "BPF"
Allowed values: Netfilter, BPF
- settings.policyAuditMode
Do not enforce any Network Policy; only log allowed/disallowed connections. Useful for validating new policies before enforcing them, but while it is enabled no policy blocks traffic, so it must not be left on in a cluster that relies on network policies for isolation.
Default: false
- settings.resourcesManagement
Settings for CPU and memory requests and limits of the cilium agent pods.
Examples:
resourcesManagement:
  mode: VPA
  vpa:
    mode: Auto
    cpu:
      min: 50m
      max: 2
      limitRatio: 1.5
    memory:
      min: 256Mi
      max: 2Gi
      limitRatio: 1.5

resourcesManagement:
  mode: Static
  static:
    requests:
      cpu: 55m
      memory: 256Mi
    limits:
      cpu: 2
      memory: 2Gi
- settings.resourcesManagement.mode
Resource management mode.
Default: "VPA"
Allowed values: VPA, Static
- settings.resourcesManagement.static
Resource management options for the Static mode.
- settings.resourcesManagement.static.limits
Configuring CPU and memory limits.
- settings.resourcesManagement.static.limits.cpu
Configuring CPU limits.
- settings.resourcesManagement.static.limits.memory
Configuring memory limits.
- settings.resourcesManagement.static.requests
Resource requests settings for pods.
- settings.resourcesManagement.static.requests.cpu
Configuring CPU requests.
- settings.resourcesManagement.static.requests.memory
Configuring memory requests.
- settings.resourcesManagement.vpa
Resource management options for the VPA mode.
- settings.resourcesManagement.vpa.cpu
CPU-related VPA settings.
- settings.resourcesManagement.vpa.cpu.limitRatio
The CPU limits/requests ratio.
This ratio is used for calculating the initial CPU limits for a pod.
If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.
- settings.resourcesManagement.vpa.cpu.max
The maximum value that the VPA can set for the CPU requests.
Default: 4
- settings.resourcesManagement.vpa.cpu.min
The minimum value that the VPA can set for the CPU requests.
Default: 100m
- settings.resourcesManagement.vpa.memory
Memory-related VPA settings.
- settings.resourcesManagement.vpa.memory.limitRatio
The memory limits/requests ratio.
This ratio is used for calculating the initial memory limits for a pod.
If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.
- settings.resourcesManagement.vpa.memory.max
The maximum memory requests the VPA can set.
Default: 4Gi
- settings.resourcesManagement.vpa.memory.min
The minimum memory requests the VPA can set.
Default: 128Mi
- settings.resourcesManagement.vpa.mode
VPA operating mode.
Default: "Initial"
Allowed values: Initial, Auto
- settings.svcSourceRangeCheck
For services of the LoadBalancer type, enables checking the source IP against loadBalancer.sourceRanges (the Service's spec.loadBalancerSourceRanges). The check is not performed if access comes from within the cluster or the sourceRanges parameter is empty/not specified. Some cloud providers already filter incoming traffic based on sourceRanges in their load balancer implementations; in such cases the Cilium documentation recommends disabling the svcSourceRangeCheck option. Do not enable it if another balancer or any type of SNAT is running in front of the services: the check would then see the intermediary's address rather than the client's, and legitimate clients would be dropped or the allow-list would be bypassed.
Default: false
- settings.tunnelMode
Tunnel mode.
Note! After changing this parameter, all nodes must be restarted; otherwise Pods may become unreachable.
Note! VXLAN mode is not compatible with the Hybrid and DSR bpfLBMode modes. bpfLBMode is overridden to SNAT if tunnelMode is VXLAN.
Default: "Disabled"
Allowed values: Disabled, VXLAN
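The constraints above (allowed values, the VXLAN-forces-SNAT override, regex-valued labelsRegex entries, and the audit-mode, Netfilter and svcSourceRangeCheck caveats) are easy to get wrong in a hand-written ModuleConfig. The following pre-apply linter is an added example and not part of Deckhouse or Cilium; it encodes only what this page states. It takes the ModuleConfig as a Python dict mirroring the YAML (loading YAML from a file is left to the caller), and it assumes that a labelsRegex entry is `[source:][!]regex`, as in the page's own example `k8s:!app\.kubernetes\.io`. The sample config at the bottom is constructed for illustration.

```python
import re

# Enumerated parameters and their allowed values, taken from the schema above.
ALLOWED = {
    ("bpfLBMode",): {"SNAT", "Hybrid", "DSR"},
    ("masqueradeMode",): {"BPF", "Netfilter"},
    ("tunnelMode",): {"Disabled", "VXLAN"},
    ("resourcesManagement", "mode"): {"VPA", "Static"},
    ("resourcesManagement", "vpa", "mode"): {"Initial", "Auto"},
}


def _lookup(d, path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def parse_label_filter(entry):
    """Split a labelsRegex entry into (source, negated, compiled regex).

    Assumed syntax (matches the page's example `k8s:!app\\.kubernetes\\.io`):
    optional `source:` prefix, optional `!` meaning "ignore this label",
    then the regular expression. Raises re.error for an invalid regex.
    """
    source, pattern = "", entry
    if ":" in entry:
        source, pattern = entry.split(":", 1)
    negated = pattern.startswith("!")
    if negated:
        pattern = pattern[1:]
    return source, negated, re.compile(pattern)


def effective_bpf_lb_mode(settings):
    """bpfLBMode the module will actually run with: VXLAN forces SNAT."""
    if settings.get("tunnelMode", "Disabled") == "VXLAN":
        return "SNAT"
    return settings.get("bpfLBMode", "Hybrid")


def check_cni_cilium(moduleconfig):
    """Return (errors, warnings) for a ModuleConfig dict.

    Errors mean the object will not apply as intended; warnings flag
    settings a security reviewer should explicitly sign off on.
    """
    errors, warnings = [], []
    if (moduleconfig.get("kind") != "ModuleConfig"
            or _lookup(moduleconfig, ("metadata", "name")) != "cni-cilium"):
        errors.append("expected kind: ModuleConfig with metadata.name: cni-cilium")
    spec = moduleconfig.get("spec") or {}
    if spec.get("version") != 1:
        errors.append("spec.version must be 1 (schema version 1)")
    settings = spec.get("settings") or {}

    for path, allowed in ALLOWED.items():
        value = _lookup(settings, path)
        if value is not None and value not in allowed:
            errors.append(f"settings.{'.'.join(path)}={value!r}: allowed {sorted(allowed)}")

    for entry in settings.get("labelsRegex") or []:
        try:
            parse_label_filter(entry)
        except re.error as exc:
            errors.append(f"labelsRegex entry {entry!r} is not a valid regex: {exc}")

    # Caveats stated in the parameter descriptions.
    if settings.get("policyAuditMode"):
        warnings.append("policyAuditMode=true: network policies are logged, not enforced")
    configured_lb = settings.get("bpfLBMode", "Hybrid")
    if settings.get("tunnelMode") == "VXLAN" and configured_lb != "SNAT":
        warnings.append(f"tunnelMode=VXLAN overrides bpfLBMode={configured_lb} to SNAT")
    if settings.get("masqueradeMode") == "Netfilter":
        warnings.append("masqueradeMode=Netfilter: features such as EgressGateway stop working")
    if settings.get("svcSourceRangeCheck"):
        warnings.append("svcSourceRangeCheck=true: must not sit behind another balancer or "
                        "SNAT, or sourceRanges is matched against the intermediary's address")
    return errors, warnings


# Constructed sample (not a real cluster's config): applies cleanly but
# carries two settings a reviewer should push back on.
SAMPLE = {
    "apiVersion": "deckhouse.io/v1alpha1",
    "kind": "ModuleConfig",
    "metadata": {"name": "cni-cilium"},
    "spec": {
        "version": 1,
        "enabled": True,
        "settings": {
            "tunnelMode": "VXLAN",
            "bpfLBMode": "DSR",        # silently becomes SNAT under VXLAN
            "policyAuditMode": True,   # policies are not enforced
            "labelsRegex": [r"k8s:!app\.kubernetes\.io", r"k8s:io\.cilium\.k8s\.policy"],
        },
    },
}

if __name__ == "__main__":
    errs, warns = check_cni_cilium(SAMPLE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN:", line)
    print("effective bpfLBMode:", effective_bpf_lb_mode(SAMPLE["spec"]["settings"]))
```

Run it over the rendered ModuleConfig before `kubectl apply`; a non-empty error list should fail the pipeline, and each warning should be acknowledged in the change review, since policyAuditMode and svcSourceRangeCheck both change what traffic is actually allowed through.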