Available with limitations inCE, BE, SE

Available without limitations in:  SE+, EE

The module has 8 alerts.

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/cni-cilium resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cni-cilium
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable cni-cilium

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cni-cilium
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable cni-cilium

The module is configured using the ModuleConfig custom resource named cni-cilium (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cni-cilium resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cni-cilium
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.activeL2NeighborDiscoveryEnabled
      boolean

      Enables the Cilium L2 neighbor discovery mechanism, which helps ensure that ARP table entries are kept up-to-date on all cluster nodes.

      Default: true

    • settings.bpfLBMode
      string

      eBPF LoadBalancer mode:

      • SNAT — traffic from the client to the pod (and back) passes through NAT, and accordingly the sender’s address is lost.
      • DSR — traffic from the client to the pod passes with the sender’s address preserved, and back - according to the routing rules (bypassing the balancer). This mode saves network traffic and reduces delays, but only works for TCP traffic.
      • Hybrid — TCP traffic is processed in DSR mode, and UDP traffic is processed in SNAT mode.

      Default: "Hybrid"

      Allowed values: SNAT, Hybrid, DSR

    • settings.createNodeRoutes
      boolean

      Create routes to Pods on other Nodes.

      All Nodes must be located in the same L2 domain.

    • settings.debugLogging
      boolean

      Enabled debug logging for Cilium components.

      Default: false

    • settings.labelsRegex
      array of strings

      Cilium creates security identifiers based on the k8s entity labels. The more labels are involved in this process, the higher the access granularity that can be achieved. However, in large clusters, excessive granularity can create a heavy load. You can use the labelsRegex option to explicitly specify which labels are to be used for security policies, and which labels are to be neglected. Refer to the documentation to learn more about reducing the identity cardinality

      Each label must be specified by a RegExp expression in YAML quoted string format. Note that special characters must be escaped.

      Example:

      labelsRegex:
- k8s:!app\.kubernetes\.io
- k8s:io\.cilium\.k8s\.policy
    • settings.masqueradeMode
      string

      Cilium masquerade work mode for pods traffic leaving the cluster.

      • BPF - use cilium BPF. Basic operation mode.

        In this mode, masquerade will not be used if the destination IP address is within the podSubnetCIDR or InternalIP/ExternalIP of any of the cluster nodes.

      • Netfilter - use kernel Netfilter(iptables/nf_tables).

        In this mode, masquerade will not be used if the destination IP address is within the podSubnetCIDR or InternalIP/ExternalIP of any of the cluster nodes.

      In BPF mode, if ExternalIP other than InternalIP is specified for a cluster node, and that IP address is not currently assigned to any interface on the node, it will not be reachable from neighboring nodes from pods network. The Netfilter mode allows you to bypass this limitation, but some other features stop working, such as EgressGateway`.

      Default: "BPF"

      Allowed values: Netfilter, BPF

    • settings.policyAuditMode
      boolean

      Do not enforce any Network Policy. Just log allowed/disallowed connections.

      Default: false

    • settings.resourcesManagement

      Settings for CPU and memory requests and limits by cilium agent pods.

      Examples:

      resourcesManagement:
  mode: VPA
  vpa:
    mode: Auto
    cpu:
      min: 50m
      max: 2
      limitRatio: 1.5
    memory:
      min: 256Mi
      max: 2Gi
      limitRatio: 1.5

      resourcesManagement:
  mode: Static
  static:
    requests:
      cpu: 55m
      memory: 256Mi
    limits:
      cpu: 2
      memory: 2Gi
      • settings.resourcesManagement.mode
        string

        Resource management mode:

        • Static is a classic one. In it, you specify requests/limits. The parameters of this mode are defined in the static parameter section;
        • VPA mode uses VPA. You can configure this mode by modifying parameters in the vpa parameter section.

        Default: "VPA"

        Allowed values: VPA, Static

      • settings.resourcesManagement.static
        object

        Resource management options for the Static mode.

        • settings.resourcesManagement.static.limits
          object

          Configuring CPU and memory limits.

          • settings.resourcesManagement.static.limits.cpu

            Configuring CPU limits.

          • settings.resourcesManagement.static.limits.memory

            Configuring memory limits.

        • settings.resourcesManagement.static.requests
          object

          Resource requests settings for pods.

          • settings.resourcesManagement.static.requests.cpu

            Configuring CPU requests.

          • settings.resourcesManagement.static.requests.memory

            Configuring memory requests.

      • settings.resourcesManagement.vpa
        object

        Resource management options for the VPA mode.

        • settings.resourcesManagement.vpa.cpu
          object

          CPU-related VPA settings.

          • settings.resourcesManagement.vpa.cpu.limitRatio
            number

            The CPU limits/requests ratio.

            This ratio is used for calculating the initial CPU limits for a pod.

            If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.

          • settings.resourcesManagement.vpa.cpu.max

            The maximum value that the VPA can set for the CPU requests.

            Default: 4

          • settings.resourcesManagement.vpa.cpu.min

            The minimum value that the VPA can set for the CPU requests.

            Default: 100m

        • settings.resourcesManagement.vpa.memory
          object

          Memory-related VPA settings.

          • settings.resourcesManagement.vpa.memory.limitRatio
            number

            The memory limits/requests ratio.

            This ratio is used for calculating the initial memory limits for a pod.

            If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.

          • settings.resourcesManagement.vpa.memory.max

            The maximum memory requests the VPA can set.

            Default: 4Gi

          • settings.resourcesManagement.vpa.memory.min

            The minimum memory requests the VPA can set.

            Default: 128Mi

        • settings.resourcesManagement.vpa.mode
          string

          VPA operating mode.

          Default: "Initial"

          Allowed values: Initial, Auto

    • settings.svcSourceRangeCheck
      boolean

      For services of the loadBalancer type, enables checking the source IP for compliance with loadBalancer.sourceRanges. The check is not performed if access is made from within the cluster or the sourceRanges parameter is empty/not specified. Some cloud providers support filtering of incoming traffic based on the sourceRanges parameter in their loadBalancer implementations. In such cases, the cilium documentation recommends disabling the svcSourceRangeCheck option.

      Do not enable if another balancer or any type of SNAT is running in front of the services.

      Default: false

    • settings.tunnelMode
      string

      Tunnel mode.

      Note! After changing the parameter, it is necessary to restart all nodes, otherwise, there may be problems with the availability of Pods!

      Note! VXLAN mode is not compatible with following bpfLBMode modes: Hybrid, DSR. bpfLBMode will be overriden to SNAT if the tunnelMode is VXLAN.

      Default: "Disabled"

      Allowed values: Disabled, VXLAN