Skip to content

Add cilium support in Kubespray #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rarescosma wants to merge 5 commits into from
Closed

Add cilium support in Kubespray #28

rarescosma wants to merge 5 commits into from

Conversation

@rarescosma
Copy link

@rarescosma rarescosma commented Jul 1, 2025
edited
Loading

PoC that Cilium is a viable CNI plugin for Kubespray, but boy there were a lot of hoops to jump through:

  • On the base of our current release (2.27) cilium is still being installed using "homegrown" Kubespray templates. Upstream has changed this to use cilium-cli for installation, which internally uses helm which means we finally get access to a values.yaml template which we can modify. This is included in the v2.28.0 upstream release.
  • A couple of fixes were cherry-picked to avoid connectivity issues in clusters that have installed cilium using the old method vs. the cli+helm-powered method.
    - Added extra values sections to enable the "policy audit mode" (because our built-in network policies were blocking traffic to the Kube API server and all hell broke loose - need further investigation on why this happens on apps apply).
    - Added extra values section to enable ServiceMonitors for the cilium agent pods and operator pods so the pretty Grafana dashboards added by Haorui are now showing pretty graphs.
  • The values overrides are now handled in the parent repo

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes https://github.com/elastisys/ck8s-issue-tracker/issues/535

Special notes for your reviewer:

Worth knowing that the first few commits in the PR are cherry-picks, so not really in scope for change requests.

The only deviation from upstream (with high chances of getting upstreamed) is in this commit: 1d70e40

Also, might be worth reviewing in tandem with: elastisys/compliantkubernetes-kubespray#445

Does this PR introduce a user-facing change?:

@rarescosma rarescosma self-assigned this Jul 1, 2025
@rarescosma rarescosma added the help wanted Extra attention is needed label Jul 1, 2025
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from 8c569c2 to 8a61324 Compare July 1, 2025 16:30
@rarescosma rarescosma changed the base branch from release-2.27.0-ck8s to master July 1, 2025 16:30
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from 8a61324 to d331994 Compare July 2, 2025 07:08
@rarescosma rarescosma marked this pull request as ready for review July 2, 2025 08:46
@rarescosma rarescosma requested review from Ajarmar and Xartos July 2, 2025 08:47
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from d331994 to e264e4a Compare July 2, 2025 10:42
@Xartos
Copy link

Xartos commented Jul 3, 2025

Question: Did you use master as the base or did you use the release-2.27.0-ck8s as base? Because that's the one that we are using for the 2.27 release

@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from e264e4a to a294ea2 Compare July 3, 2025 07:03
@rarescosma
Copy link
Author

rarescosma commented Jul 3, 2025

Question: Did you use master as the base or did you use the release-2.27.0-ck8s as base? Because that's the one that we are using for the 2.27 release

I used release-2.27.0-ck8s initially, then switched to master.

@Xartos
Copy link

Xartos commented Jul 9, 2025

Question: Did you use master as the base or did you use the release-2.27.0-ck8s as base? Because that's the one that we are using for the 2.27 release

I used release-2.27.0-ck8s initially, then switched to master.

You should probably switch to the release branch in that case since that's where this will be used

@rarescosma rarescosma changed the base branch from master to release-2.27.0-ck8s July 9, 2025 06:48
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from a294ea2 to 2e2a6fc Compare July 9, 2025 06:55
@rarescosma
Copy link
Author

rarescosma commented Jul 14, 2025

You should probably switch to the release branch in that case since that's where this will be used

Switched back to the release-2.27.0-ck8s branch as base.

@rarescosma rarescosma changed the title Experimental cilium support Add cilium support in Kubespray Jul 16, 2025
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from 2e2a6fc to 1d70e40 Compare July 16, 2025 03:08
@rarescosma rarescosma added enhancement New feature or request and removed help wanted Extra attention is needed labels Jul 16, 2025
@rarescosma
Copy link
Author

rarescosma commented Jul 16, 2025

Opened kubernetes-sigs#12408 for upstreaming the generic hooks required for this task.

k8s-ci-robot and others added 5 commits July 16, 2025 07:08
@k8s-ci-robot @rarescosma
cilium: Refactor Cilium CNI installation
276c47f 
Refactor Cilium CNI installation
@tico88612 @rarescosma
cilium: add option to remove old resources
ca9cff7 
Give users two options: besides skip Cilium, add
`cilium_remove_old_resources`, default is `false`, when set to `true`,
it will remove the content of the old version, but it will cause the
downtime, need to be careful to use.

Signed-off-by: ChengHao Yang <[email protected]>
@tico88612 @rarescosma
cilium: if release exists, the action will set upgrade
e78bf26 
`cilium install` is equivalent to `helm install`, it will failed if
cilium relase exist. `cilium version` can know the release exist without
helm binary

Signed-off-by: ChengHao Yang <[email protected]>
@rarescosma
cilium: add missing cilium-cli checksums
1f86f88
@rarescosma
cilium: add pre apply hooks
f6503cd
@rarescosma rarescosma force-pushed the rares/experimental-cilium branch from 1d70e40 to f6503cd Compare July 16, 2025 04:08
@rarescosma
Copy link
Author

rarescosma commented Jul 17, 2025

Opened kubernetes-sigs#12408 for upstreaming the generic hooks required for this task.

Apparently there is another PR in the upstream pipes that will allow for generic helm values for cilium: kubernetes-sigs#12375 so we can take advantage of that instead of using hooks.

@rarescosma
Copy link
Author

rarescosma commented Jul 17, 2025

Closing in favor of #30 which consists entirely of cherry-picks and backports.

@rarescosma rarescosma closed this Jul 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xartos Xartos Awaiting requested review from Xartos

@Ajarmar Ajarmar Awaiting requested review from Ajarmar

Assignees

@rarescosma rarescosma

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rarescosma @Xartos @k8s-ci-robot @tico88612