This is a needed configuration option for users that want to combine
Cilium alongside with a ServiceMesh. Cilium by default will LB requests
at CNI layer meaning that the Sidecars of ServiceMesh Proxy are not able
to apply LB by themselves thus loosing the capability of applying their
features for traffic management.
Ref issue: https://github.com/istio/istio/issues/35531
Signed-off-by: dntosas <ntosas@gmail.com>
Annotations is pretty useful when you need third-party tool to add additional behavior
for a k8s resource.
Lots of auto-discovery tools are based on this annotations.
CNI chaining allows to use Cilium in combination with other CNI plugins.
With Cilium CNI chaining, the base network connectivity and IP address management is managed by the non-Cilium CNI plugin, but Cilium attaches eBPF programs to the network devices created by the non-Cilium plugin to provide L3/L4 network visibility, policy enforcement and other advanced features.
https://docs.cilium.io/en/v1.9/gettingstarted/cni-chaining/#cni-chaining
In our case, to be able to use the `HostPort` feature in our cluster, we need to enable the `portmap` plugin.
- Cilium versions 1.10.4 and 1.9.10 now auto-mount the bpf file-system automatically
- Also remove redundant capabilities (these are already automatically granted by virtue of this being a privileged container)
In this commit, we enable users to choose WireGuard as their prefered
encryption type, leveraging this new feature from Cilium.
Ref: https://cilium.io/blog/2021/05/20/cilium-110#wireguard
Signed-off-by: dntosas <ntosas@gmail.com>
When EnablePromethesMetrics is enabled the
required metrics endpoints are exposed but
no annotations is included in the agents.
This commit includes the prometheus.io/scrape
and prometheus.io/port annotations that
prometheus scrappers can use for auto-discovery
Co-authored-by: tchatzig <t.chatzigeorgiou@thebeat.co>
After upgrading Cilium to 1.8 via kops one of our clusters had a total
outage due to cilium reporting errors as below:
```
level=error msg="endpoint regeneration failed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=592 error="Failed to load tc filter: exit status 1" identity=40147 ipv4= ipv6= k8sPodName=/ subsys=endpoint
```
upon searching Cilium slack we found the below thread:
https://cilium.slack.com/archives/C1MATJ5U5/p1616400216167600
which recommended setting `enable-host-reachable-services` to true will
address the problems. We set the field and it fixed our issues too,
however we observed that kops does not have a means to configure this
hence this PR.
We will like to have this backported after it has been merged.
Cilium as a CNI is a critical component for the cluster so it would be safe
to have some guaranteed resources as well as allowing the users to
define them based on their needs.
In this commit, we init default requested resources and add the
capability of user-defined values.
Signed-off-by: dntosas <ntosas@gmail.com>
Adding support for 'secret-name' flag
Adding instructions to enable encryption
Updating docs for cli
Addressing comments
Adding ciliumpassword subcommand to 'kops create secret'
Updating command to generate ciliumpassword secret
Ole Markus With