Implement Cilium #852
Comments
One of our major blockers right now is that we can't get node-local-dns to work without running cilium. We have written a null_resource that deletes kube-proxy but Azure is "kind enough" to install it for us again. There is a feature that currently is in preview, https://learn.microsoft.com/en-us/azure/aks/configure-kube-proxy, where we can disable kube-proxy altogether. We are also waiting for the terraform provider to support configuring kube-proxy. On the other hand, we have verified that linkerd is working as intended on top of cilium.
If we would like to enable a preview feature we could probably do it by using: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_provider_registration

This feature is very low risk since we only disable the usage of kube-proxy in our cluster.
Moving to blocked due to: cilium/cilium#22838
Information regarding node-local-dns: Initially we had missed that in order for node-local-dns to work, we need to set up a Local Redirect Policy for cilium to be able to route DNS traffic to it. There is a description here on how to do it: https://cloud.yandex.com/en/docs/managed-kubernetes/operations/cilium-node-local-dns

In order to enable local redirect in cilium we have to run cilium with
We found one problem in AWS related to running without kube-proxy. The ingress-nginx deployment is using We have experimented with not using hostNetwork but then get the problem that the K8S API Server cannot reach the webhooks, e.g., we get problems like this:
With We have made some experiments without host network to check the behaviour:
Both ways made it possible for the API server to reach the Webhook endpoints, but we ran into cert problems due to URL mismatch in both cases, as expected. Possible ways forward:
Implement Cilium in Azure and AWS
Tasks
Work is ongoing in #798