docs: 添加 Cilium eBPF L4 负载均衡方案文档

[changluyi]

Summary

• 添加 Cilium eBPF L4 负载均衡方案文档（中英文双语）
• 介绍如何在 ACP 4.2+ 集群中部署 Cilium CNI
• 利用 eBPF 实现高性能四层负载均衡，支持源 IP 透传

内容概要

• 环境要求（内核版本、端口、内核配置）
• ACP 4.2+ Cilium 部署步骤
• 创建透传的 L4 负载均衡
• 验证方法

Test plan

• 文档格式检查通过
• 链接可访问

Summary by CodeRabbit

• Documentation
  • Added end-to-end EN/ZH guide for deploying Cilium eBPF L4 LoadBalancer with source-IP preservation in ACP 4.2+ Custom network mode.
  • Details prerequisites (OS/kernel, network and port requirements), cluster creation and Cilium installation workflow, and temporary permission steps during install.
  • Describes disabling kube-proxy, VIP allocation and L2 ARP failover configuration, and verification steps for LoadBalancer IP assignment and source-IP preservation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad0c8bc4-3d29-4fa9-b015-bccf2ae740f4

📥 Commits

Reviewing files that changed from the base of the PR and between 53f012d and 016cd99.

📒 Files selected for processing (1)

• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

✅ Files skipped from review due to trivial changes (1)

• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

---

Walkthrough

Added English and Chinese solution guides documenting end-to-end steps to deploy Cilium (ACP 4.2+ in Custom network mode) and configure an eBPF L4 LoadBalancer with source IP preservation, including prerequisites, temporary RBAC, kube-proxy cleanup, VIP allocation, L2 ARP failover resources, and verification.

Changes

Cohort / File(s)

Summary

Solution Documentation docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md, docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

New bilingual deployment guides. Add prerequisites (ACP version, network mode, OS/kernel constraints, required ports and kernel settings), ACP marketplace installation steps including temporary ClusterPluginInstance RBAC, kube-proxy backup/delete and BroadcastJob cleanup, CiliumLoadBalancerIPPool and CiliumL2AnnouncementPolicy manifests, VIP L2 placement requirement, and verification steps. Pay attention to temporary RBAC, kube-proxy image discovery for cleanup, and VIP being on the same L2 as nodes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• fanzy618
• tyzhou111

Poem

🐰 I hopped through docs in English and 汉语,

VIPs settle where the same L2 lies,
Kube‑proxy swept away with a tidy sigh,
Cilium whispers eBPF, source IPs stay nigh,
A little rabbit cheers beneath network skies 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'docs: 添加 Cilium eBPF L4 负载均衡方案文档' accurately describes the primary change—adding bilingual documentation for a Cilium eBPF L4 load-balancing solution with source IP preservation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md (2)

80-91: Reduce RBAC permissions from wildcard to specific verbs.

The temporary RBAC configuration grants wildcard permissions (verbs: ["*"]) which is overly permissive, even temporarily. Consider restricting to only the necessary verbs.

🔒 Proposed fix to use specific permissions

 rules:
 - apiGroups: ["cluster.alauda.io"]
   resources: ["clusterplugininstances"]
-  verbs: ["*"]
+  verbs: ["get", "list", "create", "update", "patch"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
around lines 80 - 91, The ClusterRole cilium-clusterplugininstance-admin grants
wildcard verbs ["*"] for apiGroups "cluster.alauda.io" and resources
"clusterplugininstances"; replace the wildcard with an explicit minimal verbs
list required by the component (e.g., get, list, watch, create, update, patch,
delete) or an even smaller subset if some actions are unnecessary—edit the
ClusterRole resource in the tmp.yaml to remove verbs: ["*"] and add the specific
verbs needed.

---

10-10: Consider clarifying "S2 方案" terminology.

The title references "S2 方案" (S2 solution) which may not be immediately clear to all readers. Consider adding a brief explanation of what "S2" refers to in this context, or removing it if it's internal terminology.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
at line 10, 标题中出现的“S2 方案”术语可能不够清晰；在文档顶部标题行（"# 基于 eBPF 的高性能容器网络 Cilium CNI 和 eBPF
实现的高性能四层负载均衡（支持源 IP 可见的 S2
方案）"）处，添加一段简短说明以解释“S2”代表的具体含义或替换为更通用的描述，例如在标题后紧接一行括号内或在引言段落中用一句话说明“S2”为何种架构/方案，确保读者能立刻理解该术语；如果“S2”为内部简称且无必要，则直接移除以避免歧义。

docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md (1)

81-91: Reduce RBAC permissions from wildcard to specific verbs.

The temporary RBAC grants wildcard permissions (verbs: ["*"]), which is overly permissive even temporarily. Consider using only the required verbs.

🔒 Proposed fix for more restrictive permissions

 rules:
 - apiGroups: ["cluster.alauda.io"]
   resources: ["clusterplugininstances"]
-  verbs: ["*"]
+  verbs: ["get", "list", "create", "update", "patch"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
around lines 81 - 91, The ClusterRole cilium-clusterplugininstance-admin
currently uses verbs: ["*"] for apiGroup "cluster.alauda.io" and resource
"clusterplugininstances"; replace the wildcard with explicit, minimal verbs
required by the controller (e.g.
["get","list","watch","create","update","patch"] as a starting point and omit
"delete" unless the component actually needs it), update the manifest block that
creates the ClusterRole to use those specific verbs, and verify functionality
and apply the least-privilege set after testing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Line 174: The kube-proxy image reference "image:
registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5" is outdated; update that
image tag to a current kube-proxy release (e.g., v1.35.x or v1.34.x) consistent
with the version chosen in Step 1, and verify the container image registry/name
remains "registry.alauda.cn:60070/tkestack/kube-proxy" while only changing the
tag to the selected newer version.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Line 173: Replace the hardcoded example image tag
"registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5" with a current version or
an explicit placeholder; e.g., update to
"registry.alauda.cn:60070/tkestack/kube-proxy:v1.35.x" or use a template
placeholder like "{{KUBE_PROXY_IMAGE}}" and keep the existing comment about
replacing it for the target environment so readers aren’t confused by an
outdated example.

---

Nitpick comments:
In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Around line 81-91: The ClusterRole cilium-clusterplugininstance-admin
currently uses verbs: ["*"] for apiGroup "cluster.alauda.io" and resource
"clusterplugininstances"; replace the wildcard with explicit, minimal verbs
required by the controller (e.g.
["get","list","watch","create","update","patch"] as a starting point and omit
"delete" unless the component actually needs it), update the manifest block that
creates the ClusterRole to use those specific verbs, and verify functionality
and apply the least-privilege set after testing.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Around line 80-91: The ClusterRole cilium-clusterplugininstance-admin grants
wildcard verbs ["*"] for apiGroups "cluster.alauda.io" and resources
"clusterplugininstances"; replace the wildcard with an explicit minimal verbs
list required by the component (e.g., get, list, watch, create, update, patch,
delete) or an even smaller subset if some actions are unnecessary—edit the
ClusterRole resource in the tmp.yaml to remove verbs: ["*"] and add the specific
verbs needed.
- Line 10: 标题中出现的“S2 方案”术语可能不够清晰；在文档顶部标题行（"# 基于 eBPF 的高性能容器网络 Cilium CNI 和 eBPF
实现的高性能四层负载均衡（支持源 IP 可见的 S2
方案）"）处，添加一段简短说明以解释“S2”代表的具体含义或替换为更通用的描述，例如在标题后紧接一行括号内或在引言段落中用一句话说明“S2”为何种架构/方案，确保读者能立刻理解该术语；如果“S2”为内部简称且无必要，则直接移除以避免歧义。

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 940dc40f-96fe-49f5-b6ba-b9a2013c2aa4

📥 Commits

Reviewing files that changed from the base of the PR and between a867802 and 5e1790c.

📒 Files selected for processing (2)

• docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md
• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md