Cilium

Cilium is an open source, cloud native solution for providing, securing, and observing network connectivity between workloads, fueled by the revolutionary Kernel technology eBPF.

For this cluster, Cilium is used as the CNI and as the LoadBalancer implementation (ToDo: Gateway API). Additionally, the LoadBalancer's IP address is equal to the host IP.

Deploying Cilium CNI

There are multiple ways to deploy Cilium on Talos Linux. Here, Helm is used for the deployment with the following values. Note that the values are designed for a single-node cluster (hence operator.replicas: 1).

kubeProxyReplacement: true
securityContext:
  capabilities:
    ciliumAgent: ['CHOWN', 'KILL', 'NET_ADMIN', 'NET_RAW', 'IPC_LOCK', 'SYS_ADMIN', 'SYS_RESOURCE', 'DAC_OVERRIDE', 'FOWNER', 'SETGID', 'SETUID']
    cleanCiliumState: ['NET_ADMIN', 'SYS_ADMIN', 'SYS_RESOURCE']
cgroup:
  autoMount:
    enabled: false
  hostRoot: "/sys/fs/cgroup"
ingressController:
  enabled: true
  default: true
  loadbalancerMode: shared
  service:
    type: LoadBalancer
operator:
  replicas: 1
gatewayAPI:
  enabled: true
  # enableAlpn: true
  # enableAppProtocol: true
k8sServiceHost: localhost
k8sServicePort: 7445
nodeIPAM:
  enabled: true
ipam:
  mode: kubernetes
defaultLBServiceIPAM: nodeipam
hubble:
  relay:
    enabled: true
  ui:
    enabled: true
    ingress:
      enabled: true
      hosts:
        - hubble.westfall.thorados.de

To get k3s-like behaviour, where the LoadBalancer gets the host's IP address, Cilium has an equivalent feature called Node IPAM (nodeIPAM.enabled together with defaultLBServiceIPAM: nodeipam in the values above).

Installing Cilium via Helm can be done as follows:

helm repo add cilium https://helm.cilium.io/
helm upgrade --install \
    cilium \
    cilium/cilium \
    --version 1.18.0 \
    --namespace kube-system \
    -f cilium-values.yaml \
    --create-namespace
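Before running the helm command it is worth checking that the values file actually contains the Talos-specific prerequisites the setup above relies on (kube-proxy replacement needs an explicit API server endpoint such as the KubePrism one on localhost:7445, a disabled cgroup auto-mount needs cgroup.hostRoot, and nodeipam as the default LB IPAM only works when Node IPAM is enabled), and which of the granted capabilities are the powerful ones. The script below is an added example and not part of these notes or of Cilium or Talos; it implements a small YAML-subset parser (nested maps, scalars and flow-style lists, no block lists) so it runs without extra dependencies, and the embedded values are a constructed excerpt of the file above.

```python
"""Pre-install lint for a Cilium Helm values file on Talos Linux.

Added example, not a Cilium or Talos tool. Parses a YAML subset (nested
mappings, scalars, flow-style lists like ['A', 'B']; block lists starting
with "- " are not supported) and checks a few Talos-specific prerequisites.
"""
import re
import sys

# Constructed excerpt of the values file from the notes (block lists omitted).
SAMPLE_VALUES = """\
kubeProxyReplacement: true
securityContext:
  capabilities:
    ciliumAgent: ['CHOWN', 'KILL', 'NET_ADMIN', 'NET_RAW', 'IPC_LOCK', 'SYS_ADMIN', 'SYS_RESOURCE', 'DAC_OVERRIDE', 'FOWNER', 'SETGID', 'SETUID']
    cleanCiliumState: ['NET_ADMIN', 'SYS_ADMIN', 'SYS_RESOURCE']
cgroup:
  autoMount:
    enabled: false
  hostRoot: "/sys/fs/cgroup"
k8sServiceHost: localhost
k8sServicePort: 7445
nodeIPAM:
  enabled: true
defaultLBServiceIPAM: nodeipam
"""

# Capabilities that amount to near-root power on the node; flagged for review.
HIGH_PRIVILEGE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_OVERRIDE"}


def parse_scalar(raw):
    """Turn a YAML scalar or flow-style list into a Python value."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [parse_scalar(item) for item in raw[1:-1].split(",") if item.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_yaml_subset(text):
    """Indentation-driven parser for nested mappings; returns a dict tree."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments such as "# enableAlpn: true"
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()  # dedent: leave the child mappings we are no longer inside
        parent = stack[-1][1]
        if value.strip() == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = parse_scalar(value)
    return root


def get(values, path, default=None):
    """Dotted-path lookup, e.g. get(v, 'cgroup.autoMount.enabled')."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_values(values):
    """Return (severity, message) findings; an empty list means nothing to flag."""
    findings = []
    if get(values, "kubeProxyReplacement") is True and not (
        get(values, "k8sServiceHost") and get(values, "k8sServicePort")
    ):
        findings.append(("error", "kubeProxyReplacement=true needs k8sServiceHost and "
                         "k8sServicePort; without kube-proxy the agent cannot reach the API "
                         "server via its ClusterIP (Talos: KubePrism on localhost:7445)"))
    if get(values, "cgroup.autoMount.enabled") is False and not get(values, "cgroup.hostRoot"):
        findings.append(("error", "cgroup.autoMount.enabled=false requires cgroup.hostRoot "
                         "(Talos mounts cgroup2 at /sys/fs/cgroup)"))
    if get(values, "defaultLBServiceIPAM") == "nodeipam" and get(values, "nodeIPAM.enabled") is not True:
        findings.append(("error", "defaultLBServiceIPAM=nodeipam has no effect unless "
                         "nodeIPAM.enabled is true"))
    for name in ("ciliumAgent", "cleanCiliumState"):
        caps = get(values, f"securityContext.capabilities.{name}", [])
        risky = sorted(HIGH_PRIVILEGE_CAPS & set(caps))
        if risky:
            findings.append(("info", f"{name} runs with {', '.join(risky)}; confirm this "
                             "matches the Talos-recommended capability list"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_cilium_values.py [cilium-values.yaml]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VALUES
    for severity, message in lint_values(parse_yaml_subset(text)):
        print(f"[{severity}] {message}")
```

The "info" findings are expected for the values above: the Talos documentation grants SYS_ADMIN and DAC_OVERRIDE to the agent on purpose, and the point of listing them is that the decision is visible at review time rather than hidden in a long flow-style list.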

Cilium LoadBalancer IP on the control node

If the Cilium ingress-controller service should also get an IP address on control-plane nodes, the following label has to be removed from the control node, because Kubernetes excludes nodes carrying it from external load balancers. This can be done by editing the controlplane.yaml file:

machine:
  nodeLabels:
    node.kubernetes.io/exclude-from-external-load-balancers:
      $patch: delete

Cilium LoadBalancer pathType

One thing I found that I understand at the moment is the pathType in combination with Cilium as the ingress controller. If it is set to ImplementationSpecific for some deployments, I only get a white blank page in the browser. If pathType is set to Prefix, everything works.

Sources