Cilium Kubernetes Ingress

Cilium使用标准的Kubernetes Ingress 资源定义，采用 ingressClassName ，可用于基于路径的路由( path-based routing ) 和 TLS 终结(termination)。

备注

ingress controller创建一种负载均衡类型的服务，所以环境必须支持

准备工作

• Cilium 必须以 kubeProxyReplacement 配置成 partial 或 strict ，这个配置我已经在 Cilium完全取代kube-proxy运行Kubernetes 完成

• 支持Ingress的Kubernetes版本至少是 1.19

备注

我在部署Ingress之前，先完成了 升级Cilium 升级到最新版本 1.12.1

安装

• 使用 helm 的参数 ingressController.enabled 激活 Cilium Ingress Controller:

helm upgrade cilium激活ingress controller

helm upgrade cilium cilium/cilium --version 1.12.1 \
    --namespace kube-system \
    --reuse-values \
    --set ingressController.enabled=true

输出显示:

helm upgrade cilium激活ingress controller 输出显示

Release "cilium" has been upgraded. Happy Helming!
NAME: cilium
LAST DEPLOYED: Thu Aug 18 21:30:25 2022
NAMESPACE: kube-system
STATUS: deployed
REVISION: 7
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble Relay and Hubble UI.

Your release version is 1.12.1.

For any further help, visit https://docs.cilium.io/en/v1.12/gettinghelp

• 然后滚动重启 cilium-operator 和每个节点上的 cilium DaemonSet :

cilium激活ingress controller后重启cilium-operator和cilium ds

kubectl -n kube-system rollout restart deployment/cilium-operator
kubectl -n kube-system rollout restart ds/cilium

• 如果只想使用 Envoy负载均衡/反向代理 流量管理功能但不需要Ingress支持，则只需要激活 --enable-envoy-config ( 我没有执行这个命令 ):

helm upgrade cilium激活envoy流量管理但不使用ingress

helm upgrade cilium cilium/cilium --version 1.12.1 \
    --namespace kube-system \
    --reuse-values \
    --set-string extraConfig.enable-envoy-config=true
kubectl -n kube-system rollout restart deployment/cilium-operator
kubectl -n kube-system rollout restart ds/cilium

• 然后检查Cilium agent和operato状态:

  cilium status
  

• 安装最新版本的 Cilium CLI:

安装cilium cli

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

• 安装最新hubble客户端:

安装hubble客户端

export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
HUBBLE_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

参考

• Cilium docs: Kubernetes Ingress Support