website/content/en/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy.md

---
reviewers:
- danwent
- aanm
title: Use Cilium for NetworkPolicy
content_template: templates/task
weight: 20
---

{{% capture overview %}}
This page shows how to use Cilium for NetworkPolicy.

For background on Cilium, read the Introduction to Cilium.
{{% /capture %}}

{{% capture prerequisites %}}

{{< include "task-tutorial-prereqs.md" >}}
{{< version-check >}}

{{% /capture %}}

{{% capture steps %}}

## Deploying Cilium on Minikube for Basic Testing

To get familiar with Cilium easily you can follow the Cilium Kubernetes Getting Started Guide to perform a basic DaemonSet installation of Cilium in minikube.

Cilium requires a standalone etcd instance. On minikube you can deploy one by running:

```shell
kubectl create -n kube-system -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/addons/etcd/standalone-etcd.yaml
```

After etcd is up and running you can deploy the Cilium Kubernetes descriptor, a single "all-in-one" YAML file that contains the DaemonSet configuration for Cilium (pointed at the etcd instance deployed above) together with the appropriate RBAC settings:

```shell
$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.3/examples/kubernetes/1.12/cilium.yaml
configmap/cilium-config created
daemonset.apps/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium created
serviceaccount/cilium created
```

The remainder of the Getting Started Guide explains how to enforce both L3/L4 (i.e., IP address + port) security policies and L7 (e.g., HTTP) security policies using an example application.
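As an added example (not taken from this page or from the Cilium guide), the following CiliumNetworkPolicy combines the two policy layers just mentioned in one object: an L3/L4 rule that admits only `app=frontend` Pods on TCP/80, narrowed by an L7 rule to `GET` requests under one path prefix. The labels, name, and path are constructed for illustration.

```yaml
# Added example, not from the page or the Cilium project: a CiliumNetworkPolicy
# that layers an L7 HTTP rule on top of an L3/L4 rule. Labels are constructed.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: backend-l7-policy
  namespace: default
spec:
  # Pods this policy applies to. Once a Pod is selected by any policy,
  # ingress that matches no rule is dropped by the cilium agent on its node.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  - fromEndpoints:
    # L3: only Pods labelled app=frontend may connect ...
    - matchLabels:
        app: frontend
    toPorts:
    # L4: ... and only to TCP port 80 ...
    - ports:
      - port: "80"
        protocol: TCP
      # L7: ... and only GET requests whose path matches this regex;
      # other methods and paths on the same connection get HTTP 403.
      rules:
        http:
        - method: "GET"
          path: "/api/public(/.*)?"
```

Apply it with `kubectl apply -f`; the enforcing agent's view of the selected Pods can be inspected with `cilium endpoint list` run inside the cilium Pod on the same node.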

## Deploying Cilium for Production Use

For detailed instructions on deploying Cilium for production, see the Cilium Kubernetes Installation Guide. This documentation includes detailed requirements, instructions, and example production DaemonSet files.

{{% /capture %}}

{{% capture discussion %}}

## Understanding Cilium components

Deploying a cluster with Cilium adds Pods to the `kube-system` namespace. To see this list of Pods run:

```shell
kubectl get pods --namespace=kube-system
```

You'll see a list of Pods similar to this:

```
NAME            READY   STATUS    RESTARTS   AGE
cilium-6rxbd    1/1     Running   0          1m
...
```

There are two main components to be aware of:

* One `cilium` Pod runs on each node in your cluster and enforces network policy on the traffic to/from Pods on that node using Linux BPF.
* For production deployments, Cilium should leverage a key-value store (e.g., etcd). The Cilium Kubernetes Installation Guide provides the necessary steps for installing this required key-value store and configuring Cilium to use it.

{{% /capture %}}

{{% capture whatsnext %}}
Once your cluster is running, you can follow the Declare Network Policy task to try out Kubernetes NetworkPolicy with Cilium. Have fun, and if you have questions, contact us using the Cilium Slack Channel.
{{% /capture %}}