github.com/cilium/cilium@v1.16.2/Documentation/configuration/per-node-config.rst

github.com/cilium/cilium@v1.16.2/Documentation/configuration/per-node-config.rst (about)

     1  .. only:: not (epub or latex or html)
     2  
     3      WARNING: You are looking at unreleased Cilium documentation.
     4      Please use the official rendered version released here:
     5      https://docs.cilium.io
     6  
     7  .. _per-node-configuration:
     8  
     9  **********************
    10  Per-node configuration
    11  **********************
    12  
    13  The Cilium agent process (a.k.a. DaemonSet) supports setting configuration
    14  on a per-node basis. This allows overriding :ref:`cilium-config-configmap`
    15  for a node or set of nodes. It is managed by CiliumNodeConfig objects.
    16  
    17  This feature is useful for:
    18  
    19  - Gradually rolling out changes.
    20  - Selectively enabling features that require specific hardware:
    21  
    22      * :ref:`XDP acceleration`
    23      * :ref:`ipv6_big_tcp`
    24  
    25  CiliumNodeConfig objects
    26  ------------------------
    27  
    28  A CiliumNodeConfig object allows for overriding ConfigMap / Agent arguments.
    29  It consists of a set of fields and a label selector. The label selector
    30  defines to which nodes the configuration applies. As is the standard with
    31  Kubernetes, an empty LabelSelector (e.g. ``{}``) selects all nodes.
    32  
    33  .. note::
    34      Creating or modifying a CiliumNodeConfig will not cause changes to take effect
    35      until pods are deleted and re-created (or their node is restarted).
    36  
    37  
    38  Example: selective XDP enablement
    39  ---------------------------------
    40  
    41  To enable :ref:`XDP acceleration` only on nodes with necessary
    42  hardware, one would label the relevant nodes and override their configuration.
    43  
    44  .. code-block:: yaml
    45  
    46      apiVersion: cilium.io/v2
    47      kind: CiliumNodeConfig
    48      metadata:
    49        namespace: kube-system
    50        name: enable-xdp
    51      spec:
    52        nodeSelector:
    53          matchLabels:
    54            io.cilium.xdp-offload: "true"
    55        defaults:
    56          bpf-lb-acceleration: native
    57  
    58  Example: KubeProxyReplacement Rollout
    59  -------------------------------------
    60  
    61  To roll out :ref:`kube-proxy replacement <kubeproxy-free>` in a gradual manner,
    62  you may also wish to use the CiliumNodeConfig feature. This will label all migrated
    63  nodes with ``io.cilium.migration/kube-proxy-replacement: true``
    64  
    65  .. warning::
    66  
    67      You must have installed Cilium with the Helm values ``k8sServiceHost`` and
    68      ``k8sServicePort``. Otherwise Cilium will not be able to reach the Kubernetes
    69      APIServer after kube-proxy is uninstalled.
    70  
    71      You can apply these two values to a running cluster via ``helm upgrade``.
    72  
    73  #. Patch kube-proxy to only run on unmigrated nodes.
    74  
    75      .. code-block:: shell-session
    76  
    77          kubectl -n kube-system patch daemonset kube-proxy --patch '{"spec": {"template": {"spec": {"affinity": {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [{"matchExpressions": [{"key": "io.cilium.migration/kube-proxy-replacement", "operator": "NotIn", "values": ["true"]}]}]}}}}}}}'
    78  
    79  #. Configure Cilium to use kube-proxy replacement on migrated nodes
    80  
    81      .. code-block:: shell-session
    82  
    83          cat <<EOF | kubectl apply --server-side -f -
    84          apiVersion: cilium.io/v2
    85          kind: CiliumNodeConfig
    86          metadata:
    87            namespace: kube-system
    88            name: kube-proxy-replacement
    89          spec:
    90            nodeSelector:
    91              matchLabels:
    92                io.cilium.migration/kube-proxy-replacement: true
    93            defaults:
    94              kube-proxy-replacement: true
    95              kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256"
    96  
    97          EOF
    98  
    99  #. Select a node to migrate. Optionally, cordon and drain that node:
   100  
   101      .. code-block:: shell-session
   102  
   103          export NODE=kind-worker
   104          kubectl label node $NODE --overwrite 'io.cilium.migration/kube-proxy-replacement=true'
   105          kubectl cordon $NODE
   106  
   107  #. Delete Cilium DaemonSet to reload configuration:
   108  
   109      .. code-block:: shell-session
   110  
   111          kubectl -n kube-system delete pod -l k8s-app=cilium --field-selector spec.nodeName=$NODE
   112  
   113  #. Ensure Cilium has the correct configuration:
   114  
   115      .. code-block:: shell-session
   116  
   117          kubectl -n kube-system exec $(kubectl -n kube-system get pod -l k8s-app=cilium --field-selector spec.nodeName=$NODE -o name) -c cilium-agent -- \
   118              cilium config get kube-proxy-replacement
   119          true
   120  
   121  #. Uncordon node
   122  
   123      .. code-block:: shell-session
   124  
   125          kubectl uncordon $NODE
   126  
   127  #. Cleanup: set default to kube-proxy-replacement:
   128  
   129      .. code-block:: shell-session
   130  
   131          cilium config set --restart=false kube-proxy-replacement true
   132          cilium config set --restart=false kube-proxy-replacement-healthz-bind-address "0.0.0.0:10256"
   133          kubectl -n kube-system delete ciliumnodeconfig kube-proxy-replacement
   134  
   135  #. Cleanup: delete kube-proxy daemonset, unlabel nodes
   136  
   137      .. code-block:: shell-session
   138  
   139          kubectl -n kube-system delete daemonset kube-proxy
   140          kubectl label node --all --overwrite 'io.cilium.migration/kube-proxy-replacement-'