cilium 安装

cilium 命令安装

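#!/usr/bin/env bash
# Install the cilium CLI from the official GitHub release for this host's
# architecture. Run it as a script (not pasted line by line) so that the
# strict-mode options below abort on the first failing step.
set -euo pipefail

# Resolve the current stable release tag. -f makes a non-2xx response fail the
# script instead of silently yielding an empty version and a bogus download URL.
CILIUM_CLI_VERSION=$(curl -sSf https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi

# Fetch the tarball and its checksum file from the same release.
curl -L --fail --remote-name-all "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz"{,.sha256sum}
# Under set -e a checksum mismatch aborts here, before anything is extracted.
# This verifies download integrity only: both files come from the same origin,
# so it does not replace an independent signature check.
sha256sum --check "cilium-linux-${CLI_ARCH}.tar.gz.sha256sum"
sudo tar xzvfC "cilium-linux-${CLI_ARCH}.tar.gz" /usr/local/bin
rm -- "cilium-linux-${CLI_ARCH}.tar.gz"{,.sha256sum}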

cilium 安装 helm 参数说明

  • version：v1.15.0-rc.0 版本，可在 https://helm.cilium.io/ 查看可用版本
  • k8sServiceHost master vip 地址
  • k8sServicePort master vip 端口
  • ipv4NativeRoutingCIDR 可指定集群任意节点ip 或者 pod cidr地址
  • ipam.mode：默认为 cluster-pool；设为 kubernetes 时从 k8s v1.Node 对象的 podCIDR 字段读取可用 IP 池；alibabacloud、azure、eni 为各大公有云自己定制的 ipam 插件
  • ipam.operator.clusterPoolIPv4PodCIDRList：仅当 ipam.mode 配置为 cluster-pool 时该参数生效，用于指定 Pod CIDR 地址
  • l2podAnnouncements.interface 指定使用网卡
  • bandwidthManager.bbr 内核大于5.5才能使用
  • 其它参数 请参考 https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium

helm cilium 安装

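# Add the Cilium Helm repository
helm repo add cilium https://helm.cilium.io/
# Refresh the local chart index
helm repo update
# Install Cilium.
# - ipam.mode is "kubernetes", so the clusterPoolIPv4PodCIDRList entry below is
#   inert per the parameter notes above (it only applies when
#   ipam.mode=cluster-pool); it is kept for parity with the original command.
# - The "[0]" key is single-quoted: unquoted, "[0]" is a shell glob pattern and
#   may be altered or dropped depending on shell options and files in the cwd.
# - image.useDigest=false / operator.image.useDigest=false pull images by tag
#   rather than by digest, so the deployed bytes are not pinned; prefer leaving
#   digest pinning on outside of throwaway test clusters.
# - NOTE(review): tunnel= is the older spelling of what routingMode now
#   controls; confirm the 1.15 chart still accepts it next to routingMode=native.
helm install cilium cilium/cilium --version 1.15.0-rc.0 \
  --namespace=kube-system \
  --set k8sServiceHost=127.0.0.1 \
  --set k8sServicePort=6443 \
  --set nodeinit.enabled=true \
  --set routingMode=native \
  --set tunnel=disabled \
  --set rollOutCiliumPods=true \
  --set bpf.masquerade=true \
  --set bpfClockProbe=true \
  --set bpf.preallocateMaps=true \
  --set bpf.tproxy=true \
  --set bpf.hostLegacyRouting=false \
  --set autoDirectNodeRoutes=true \
  --set localRedirectPolicy=true \
  --set enableCiliumEndpointSlice=true \
  --set enableK8sEventHandover=true \
  --set externalIPs.enabled=true \
  --set hostPort.enabled=true \
  --set socketLB.enabled=true \
  --set nodePort.enabled=true \
  --set sessionAffinity=true \
  --set annotateK8sNode=true \
  --set nat46x64Gateway.enabled=false \
  --set ipv6.enabled=false \
  --set pmtuDiscovery.enabled=true \
  --set enableIPv6BIGTCP=false \
  --set sctp.enabled=true \
  --set wellKnownIdentities.enabled=true \
  --set hubble.enabled=false \
  --set ipv4NativeRoutingCIDR=10.80.0.0/12 \
  --set ipam.mode=kubernetes \
  --set 'ipam.operator.clusterPoolIPv4PodCIDRList[0]=10.80.0.0/12' \
  --set installNoConntrackIptablesRules=true \
  --set enableIPv4BIGTCP=true \
  --set egressGateway.enabled=false \
  --set endpointRoutes.enabled=false \
  --set kubeProxyReplacement=true \
  --set highScaleIPcache.enabled=false \
  --set l2announcements.enabled=true \
  --set k8sClientRateLimit.qps=30 \
  --set k8sClientRateLimit.burst=40 \
  --set l2podAnnouncements.interface=eth0 \
  --set l2announcements.leaseDuration=3s \
  --set l2announcements.leaseRenewDeadline=1s \
  --set l2announcements.leaseRetryPeriod=200ms \
  --set image.useDigest=false \
  --set operator.image.useDigest=false \
  --set operator.rollOutPods=true \
  --set authentication.enabled=false \
  --set bandwidthManager.enabled=true \
  --set bandwidthManager.bbr=true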

查看 安装状态

# Print the health summary of the Cilium agent DaemonSet, the operator and the
# pods it manages (expected output is shown below).
cilium status
root@Qist:/tmp# cilium status
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: disabled (using embedded mode)
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled

DaemonSet cilium Desired: 7, Ready: 7/7, Available: 7/7
Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2
Containers: cilium Running: 7
cilium-operator Running: 2
Cluster Pods: 26/26 managed by Cilium
Helm chart version: 1.15.0-rc.0
Image versions cilium quay.io/cilium/cilium:v1.15.0-rc.0: 7
cilium-operator quay.io/cilium/operator-generic:v1.15.0-rc.0: 2

测试集群是否正常

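# Deploy a one-pod-per-node toolbox DaemonSet used to exercise pod-to-pod and
# egress connectivity after the Cilium install. The YAML is indented as the
# API server expects; the quoted heredoc delimiter keeps it literal.
# NOTE(review): the image is referenced without a tag or digest, so each node
# pulls whatever that reference resolves to at pull time, and the tolerations
# place it on every node, control-plane nodes included. Pin the image and
# delete the DaemonSet once testing is finished.
kubectl create -f - <<'EOF'
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: net-tools
  labels:
    k8s-app: net-tools
spec:
  selector:
    matchLabels:
      k8s-app: net-tools
  template:
    metadata:
      labels:
        k8s-app: net-tools
    spec:
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        operator: Exists
      containers:
      - name: net-tools
        image: juestnow/net-tools
        command:
        - /bin/sh
        - "-c"
        - set -e -x; tail -f /dev/null
        resources:
          limits:
            memory: 30Mi
          requests:
            cpu: 50m
            memory: 20Mi
      dnsConfig:
        options:
        - name: single-request-reopen
EOF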

root@Qist:/tmp# kubectl -n default get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
net-tools-29chz 1/1 Running 2 (5d18h ago) 14d 10.80.3.70 k8s-node-3 <none> <none>
net-tools-2ngh4 1/1 Running 2 (5d16h ago) 14d 10.80.1.74 k8s-master-3 <none> <none>
net-tools-7lsf2 1/1 Running 2 (5d16h ago) 14d 10.80.2.20 k8s-master-2 <none> <none>
net-tools-lpnfk 1/1 Running 2 (5d16h ago) 14d 10.80.6.251 k8s-node-1 <none> <none>
net-tools-p4bbq 1/1 Running 2 (5d16h ago) 14d 10.80.0.63 k8s-master-1 <none> <none>
net-tools-sdkhr 1/1 Running 2 (5d18h ago) 14d 10.80.5.232 k8s-node-4 <none> <none>
net-tools-sgjm2 1/1 Running 2 (5d16h ago) 14d 10.80.4.229 k8s-node-2 <none> <none>
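# Open a shell in any net-tools pod to check connectivity from inside the cluster.
# "--" separates kubectl's own flags from the command run in the container;
# kubectl deprecates the form without it.
kubectl -n default exec -ti net-tools-29chz -- /bin/sh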
/ # ping 10.80.1.74
PING 10.80.1.74 (10.80.1.74): 56 data bytes
64 bytes from 10.80.1.74: seq=0 ttl=62 time=1.399 ms
--- 10.80.1.74 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.399/1.399/1.399 ms

/ # dig www.qq.com

; <<>> DiG 9.14.8 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8279
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e8e82d67cca18f90 (echoed)
;; QUESTION SECTION:
;www.qq.com. IN A

;; ANSWER SECTION:
www.qq.com. 30 IN CNAME ins-r23tsuuf.ias.tencent-cloud.net.
ins-r23tsuuf.ias.tencent-cloud.net. 30 IN A 121.14.77.221
ins-r23tsuuf.ias.tencent-cloud.net. 30 IN A 121.14.77.201

;; Query time: 30 msec
;; SERVER: 10.66.0.2#53(10.66.0.2)
;; WHEN: Wed Jan 17 02:21:42 UTC 2024
;; MSG SIZE rcvd: 209

/ # ping www.baidu.com -c3
PING www.baidu.com (183.2.172.42): 56 data bytes
64 bytes from 183.2.172.42: seq=0 ttl=50 time=7.681 ms
64 bytes from 183.2.172.42: seq=1 ttl=50 time=7.655 ms
64 bytes from 183.2.172.42: seq=2 ttl=50 time=7.747 ms

--- www.baidu.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.655/7.694/7.747 ms
# 测试网络正常