Merge pull request #14676 from johngmyers/cilium-doc

Update documentation and validation for Cilium
2022-12-05 20:42:38 -08:00 · 2022-12-05 20:42:38 -08:00 · c5c02c2ee3
parent a9f765f477 0edfac7fdd
commit c5c02c2ee3
3 changed files with 17 additions and 8 deletions
--- a/docs/networking.md
+++ b/docs/networking.md
@ -20,6 +20,7 @@ As of kOps 1.26 the default network provider is Cilium. Prior to that the defaul
 | Calico           |          1.6 |   1.11 |          - |               - |
 | Canal            |         1.12 |      - |          - |               - |
 | Cilium           |          1.9 |   1.15 |          - |               - |
+| Cilium ENI       |         1.18 |   1.26 |          - |               - |
 | Flannel udp      |        1.5.2 |      - |          - |               - |
 | Flannel vxlan    |        1.8.0 |      - |          - |               - |
 | Kopeio           |          1.5 |      - |          - |               - |
--- a/docs/networking/cilium.md
+++ b/docs/networking/cilium.md
@ -27,7 +27,7 @@ kops create cluster \

 ### Using etcd for agent state sync

-This feature is in beta state as of kOps 1.18.
+{{ kops_feature_table(kops_added_beta='1.18', kops_added_default='1.26') }}

 By default, Cilium will use CRDs for synchronizing agent state. This can cause performance problems on larger clusters. As of kOps 1.18, kOps can manage an etcd cluster using etcd-manager dedicated for cilium agent state sync. The [Cilium docs](https://docs.cilium.io/en/stable/gettingstarted/k8s-install-external-etcd/) contains recommendations for when this must be enabled.

@ -99,7 +99,7 @@ Also be aware that while enabling this on an existing cluster is safe, disabling
      enableNodePort: true
 ```

-If you are migrating an existing cluster, you need to manually roll the cilium DaemonSet before rolling the cluster:
+If you are migrating an existing cluster, you need to manually rolling-update the cilium DaemonSet before rolling-updating the cluster:

 ```
 kops update cluster
@ -108,9 +108,9 @@ kubectl rollout restart ds/cilium -n kube-system
 kops rolling-update cluster --yes
 ```

-### Enabling Cilium ENI IPAM
+### Enabling Cilium ENI IPAM (IPv4 only)

-{{ kops_feature_table(kops_added_default='1.18') }}
+{{ kops_feature_table(kops_added_beta='1.18', kops_added_default='1.26') }}

 You can have Cilium provision AWS managed addresses and attach them directly to Pods much like AWS VPC. See [the Cilium docs for more information](https://docs.cilium.io/en/v1.6/concepts/ipam/eni/)

@ -135,12 +135,12 @@ Note that since Cilium Operator is the entity that interacts with the EC2 API to

 Also note that this feature has only been tested on the default kOps AMIs.

-#### Enabling Encryption in Cilium
+#### Enabling Encryption in Cilium (IPv4 only)

-##### ipsec
+##### IPsec
 {{ kops_feature_table(kops_added_default='1.19', k8s_min='1.17') }}

-As of kOps 1.19, it is possible to enable encryption for Cilium agent.
+As of kOps 1.19, it is possible to enable encryption for Cilium agent in IPv4 clusters.
 In order to enable encryption, you must first generate the pre-shared key using this command:
 ```bash
 cat <<EOF | kops create secret ciliumpassword -f -
@ -155,7 +155,7 @@ Once the secret has been created, encryption can be enabled by setting `enableEn
      enableEncryption: true
 ```

-##### wireguard
+##### WireGuard
 {{ kops_feature_table(kops_added_default='1.22', k8s_min='1.17') }}

 Cilium can make use of the [wireguard protocol for transparent encryption](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/). Take care to familiarise yourself with the [limitations](https://docs.cilium.io/en/v1.10/gettingstarted/encryption-wireguard/#limitations).
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -1015,7 +1015,15 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 		allErrs = append(allErrs, IsValidValue(fldPath.Child("bpfLBAlgorithm"), &v.BPFLBAlgorithm, []string{"random", "maglev"})...)
 	}

+	if v.EnableEncryption && c.IsIPv6Only() {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableEncryption"), "encryption is not supported on IPv6 clusters"))
+	}
+
 	if v.EncryptionType != "" {
+		if !v.EnableEncryption {
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("encryptionType"), "encryptionType requires enableEncryption"))
+		}
+
 		encryptionType := string(v.EncryptionType)
 		allErrs = append(allErrs, IsValidValue(fldPath.Child("encryptionType"), &encryptionType, []string{"ipsec", "wireguard"})...)