Posted Updated 3 minutes read (About 523 words)

RKE2 Cilium without kube-proxy

集群如果使用 Cilium 作为 cni 的话,可以实现 Kubernetes Without kube-proxy。

Cilium 的 kube-proxy 替代程序依赖于 socket-LB 功能,需要使用 v4.19.57、v5.1.16、v5.2.0 或更高版本的 Linux 内核。Linux 内核 v5.3 和 v5.8 增加了其他功能,Cilium 可利用这些功能进一步优化 kube-proxy 替代实现。

已有的 RKE2 Cilium 集群,可以通过下面的步骤开启此功能。

在 Rancher 通过 Yaml 编辑集群:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
spec:
  kubernetesVersion: v1.27.16+rke2r2
  rkeConfig:
    chartValues:
      rke2-cilium:
        # 如果有外部 LB 指向 kube-apiserver,可以设置为 VIP 地址
        k8sServiceHost: 127.0.0.1
        k8sServicePort: 6443
        # 关键参数,开启 Cilium kube-proxy 替代功能
        kubeProxyReplacement: true
    machineGlobalConfig:
      cni: cilium
      # 关闭 kube-proxy
      disable-kube-proxy: true

待 Provisioning 结束后,需要重启所有节点的 rke2-server or rke2-agent:

1
2
systemctl restart rke2-server
systemctl restart rke2-agent

这个时候 agent 节点就不会有 kube-proxy pod 了,但 server 节点的需要手动移除 kube-proxy Yaml 文件:

1
mv /var/lib/rancher/rke2/agent/pod-manifests/kube-proxy.yaml ~/kube-proxy.yaml

这个时候集群已经没有 kube-proxy pod,然后清除之前生成的 iptables 规则:

1
iptables -F && iptables -X && iptables -Z && iptables -F -t nat && iptables -X -t nat && iptables -Z -t nat

最后,重启 Cilium:

1
kubectl -n kube-system rollout restart ds cilium

检查 KubeProxyReplacement 配置是否生效:

1
2
3
root@test001:~# kubectl -n kube-system exec ds/cilium -c cilium-agent -- cilium-dbg status | grep KubeProxyReplacement
KubeProxyReplacement:    True   [eth0   172.16.0.2 fe80::216:3eff:fe08:5140 (Direct Routing)]
root@test001:~#

获取更多细节配置:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@test001:~# kubectl -n kube-system exec ds/cilium -c cilium-agent -- cilium-dbg status --verbose
...
KubeProxyReplacement Details:
  Status:                 True
  Socket LB:              Enabled
  Socket LB Tracing:      Enabled
  Socket LB Coverage:     Full
  Devices:                eth0   172.16.0.2 fe80::216:3eff:fe08:5140 (Direct Routing)
  Mode:                   SNAT
  Backend Selection:      Random
  Session Affinity:       Enabled
  Graceful Termination:   Enabled
  NAT46/64 Support:       Disabled
  XDP Acceleration:       Disabled
  Services:
  - ClusterIP:      Enabled
  - NodePort:       Enabled (Range: 30000-32767)
  - LoadBalancer:   Enabled
  - externalIPs:    Enabled
  - HostPort:       Enabled
...

查看是否还有 kube-proxy 的 iptables 规则:

1
iptables-save | grep KUBE-SVC

创建一个 Workload 和 Service 进行 ClusterIP/NodePort 测试,能正常通信即可:

1
2
3
4
5
6
7
8
9
10
11
12
13
root@test001:~# kubectl get pod -n kube-system | grep kube-proxy

root@test001:~# kubectl get svc nginx
NAME    TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
nginx   NodePort   10.43.38.171   <none>        80:32048/TCP   26h

root@test001:~# curl 10.43.38.171 -I
HTTP/1.1 200 OK
...

root@test001:~# curl 127.0.0.1:32048 -I
HTTP/1.1 200 OK
...

RKE2 Cilium without kube-proxy

https://warnerchen.github.io/2024/10/31/RKE2-Cilium-without-kube-proxy/

Author

Warner Chen

Posted on

2024-10-31

Updated on

2024-11-02

Licensed under

#
You need to set install_url to use ShareThis. Please set it in _config.yml.

Like this article? Support the author with

You forgot to set the business or currency_code for Paypal. Please set it in _config.yml.

Comments

You forgot to set the shortname for Disqus. Please set it in _config.yml.
Follow

Links

Recents

Archives

Tags

ansible1
calico1
cisco1
container2
containerd1
docker1
elk1
etcd3
istio2
jenkins1
k8s10
kafka1
linux3
mysql1
nexus1
prometheus1
redis1
suse10
web1
zookeeper1
面试1
首页1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×