This module is responsible for providing a network between multiple nodes in a cluster using the cilium module.
Limitations
- This module currently supports only direct-routing mode.
- Service types
NodePortandLoadBalancerdo not work with hostNetwork endpoints in theDSRLB mode. Switch toSNATif it is required. HostPortPods will bind only to one interface IP. If there are multiple interfaces/IPs present, Cilium will select only one of them, preferring private IP space.- Kernel requirements.
- The
cni-ciliummodule requires a Linux kernel version >=4.9.17. - For the
cni-ciliummodule to work together with the istio, openvpn or node-local-dns module, a Linux kernel version >=5.7is required.
- The
- OS versions support.
A note about CiliumClusterwideNetworkPolicies
- Make sure that you deploy initial set of CiliumClusterwideNetworkPolicies with
policyAuditModeconfiguration options set totrue. Otherwise you are degrading cluster operation or even completely losing SSH connectivity to all Kubernetes Nodes. You can remove the option once allCiliumClusterwideNetworkPolicyobjects are applied and you’ve verified their effect in the Hubble UI. -
Make sure to deploy the following rule, otherwise control-plane will fail for up to 1 minute on
cilium-agentrestart. This happens due to conntrack table reset. Referencingkube-apiserverentity helps us to “circumvent” the bug.apiVersion: "cilium.io/v2" kind: CiliumClusterwideNetworkPolicy metadata: name: "allow-control-plane-connectivity" spec: ingress: - fromEntities: - kube-apiserver nodeSelector: matchLabels: node-role.kubernetes.io/control-plane: ""
A note about Cilium work mode change
If you change the Cilium operating mode (the tunnelMode parameter) from Disabled to VXLAN or vice versa, you must restart all nodes, otherwise there may be problems with the availability of Pods.