|
| 1 | +# Swiftv2 Cilium Setup Guide |
| 2 | + |
| 3 | +## Steps |
| 4 | +### Clone repo + checkout branch for *.yamls |
| 5 | +``` |
| 6 | +git clone https://github.com/Azure/azure-container-networking.git |
| 7 | +git checkout jpayne3506/conflist-generation < TODO Change before merge > |
| 8 | +``` |
| 9 | + |
| 10 | +### Apply cilium config |
| 11 | +``` |
| 12 | +export DIR=1.17 |
| 13 | +export CILIUM_VERSION_TAG=v1.17.7-250927 |
| 14 | +export CILIUM_IMAGE_REGISTRY=mcr.microsoft.com/containernetworking |
| 15 | +kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-chained-config.yaml |
| 16 | +``` |
| 17 | + |
| 18 | +- Remove `kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"` from configmap if kube-proxy is current on nodes |
| 19 | + |
| 20 | +### Apply cilium Agent + Operator |
| 21 | +``` |
| 22 | +kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-operator/files |
| 23 | +kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-agent/files |
| 24 | +``` |
| 25 | + |
| 26 | +### Apply/Edit CNS configmap |
| 27 | +``` |
| 28 | +kubectl apply -f test/integration/manifests/cnsconfig/azcnichainedciliumconfigmap.yaml |
| 29 | +``` |
| 30 | + |
| 31 | +!!!! TODO !!!! |
| 32 | +ProgramSNATIPTables |
| 33 | + - What does this do? |
| 34 | + - Do we need it? |
| 35 | + - Managed cilium comes up without this set |
| 36 | +Remove `#### Must have configmap values` |
| 37 | + - Leveraging conflist installer for generic approach |
| 38 | +#### Must have configmap values |
| 39 | +``` |
| 40 | +"ProgramSNATIPTables": false |
| 41 | +"CNIConflistScenario": "azurecni-chained-cilium" |
| 42 | +"CNIConflistFilepath": "/etc/cni/net.d/05-azure-chained-cilium.conflist" |
| 43 | +``` |
| 44 | + |
| 45 | +### Update CNS image |
| 46 | +Leverage a cns build from branch or use `acnpublic.azurecr.io/azure-cns:v1.7.5-2-g94c36c070` < TODO Change before merge > |
| 47 | +- This will install our chained conflist through the use of `"CNIConflistScenario": "azurecni-chained-cilium"` and it will be installed on the node here `"CNIConflistFilepath": "/etc/cni/net.d/05-azure-chained-cilium.conflist"` |
| 48 | + |
| 49 | +> NOTE: if your current conflist file name starts with `05` then change our previous filename to one with higher priority to ensure that it is consumed on restart. I.e. `03-azure-chained-cilium.conflist` |
| 50 | +
|
| 51 | +### If kube-proxy was present |
| 52 | +#### Remove kube-proxy |
| 53 | +> NOTE: Reapply `kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"` to cilium configmap if previously removed |
| 54 | +
|
| 55 | +This can be done either by editing the node-selectors or deleting the ds. Both work... |
| 56 | + |
| 57 | +#### Restart Cilium |
| 58 | +kubectl rollout restart ds -n kube-system cilium |
| 59 | + |
| 60 | + |
| 61 | +### Quick Summary |
| 62 | +- Apply/Edit Cilium Config with |
| 63 | + - `cni-chaining-mode: generic-veth` |
| 64 | + - remove `kube-proxy-replacement-healthz-bind-address` |
| 65 | + - You do not need to remove if node does not have kube-proxy enabled |
| 66 | + - If applied before agent is in ready state then no need to restart agent |
| 67 | +- Apply Agent + Operator |
| 68 | +- Apply/Edit CNS config with |
| 69 | + - "ProgramSNATIPTables": false |
| 70 | + - "CNIConflistScenario": "azurecni-chained-cilium" |
| 71 | + - "CNIConflistFilepath": "/etc/cni/net.d/05-azure-chained-cilium.conflist" |
| 72 | +- Update CNS image with build from branch or < TODO IMAGE NAME > |
| 73 | + - This will install chained conflist |
| 74 | + |
| 75 | +#### If kube-proxy was present |
| 76 | +- Reapply `kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"` to cilium configmap |
| 77 | +- Remove Kube-proxy |
| 78 | +- Restart Cilium |
| 79 | + |
| 80 | + |
| 81 | +## Quick Vaildation testing |
| 82 | +- Create pods from deploy |
| 83 | + - test/integration/manifests/swiftv2/mt-deploy.yaml |
| 84 | + - Creates `container-*` pods on default namespace |
| 85 | +- Create Cilium Network Policies |
| 86 | + - test/integration/manifests/cilium/netpol/default-allow.yaml |
| 87 | + - Will only allow cilium managed endpoints to transmit traffic through default namespace |
| 88 | +- Check Cilium Management with |
| 89 | + - `kubectl get cep -A` |
| 90 | + - `kubectl get cnp -A` |
| 91 | +- Check connectivity |
| 92 | + - exec -it <container-*> -- sh |
| 93 | + - ip a |
| 94 | + - look for delegatedNIC IP |
| 95 | + - ping <IP> |
| 96 | + - confirm CNP working by attempting to ping coredns pods |
| 97 | + - should fail if both are being maintained by cilium |
| 98 | + - confirm with `kubectl get cep -A` |
| 99 | + |
| 100 | + |
| 101 | + |
| 102 | + |
| 103 | +Managed Cil setup |
| 104 | +- Watcher deployment |
| 105 | + - CIL DS |
| 106 | + - RBAC |
| 107 | + - CM |
| 108 | + - Overwritten by DS |
| 109 | +- Conflist installer |
| 110 | + - CONFLIST |
| 111 | + |
| 112 | + |
| 113 | + |
| 114 | + |
| 115 | +AZCNI Cil setup |
| 116 | +- Deploy from test/integration/manifests/cilium/v1.17 |
| 117 | + - CIL DS |
| 118 | + - RBAC |
| 119 | + - CM |
| 120 | + - custom for sv2 test/integration/manifests/cilium/v1.17/cilium-config/cilium-chained-config.yaml |
| 121 | +- Conflist installer |
| 122 | + - CONFLIST |
0 commit comments