github.com/cilium/cilium@v1.16.2/Documentation/installation/alibabacloud-eni.rst

To install Cilium on `ACK (Alibaba Cloud Container Service for Kubernetes) <https://www.alibabacloud.com/help/doc-detail/86745.htm>`_, perform the following steps:

**Disable ACK CNI (ACK Only):**

If you are running an ACK cluster, you should delete the ACK CNI.

.. only:: not (epub or latex or html)

   WARNING: You are looking at unreleased Cilium documentation.
   Please use the official rendered version released here:
   https://docs.cilium.io

Cilium will manage ENIs instead of the ACK CNI, so any running DaemonSet from
the list below has to be deleted to prevent conflicts.

- ``kube-flannel-ds``
- ``terway``
- ``terway-eni``
- ``terway-eniip``

.. note::

   If you are using ACK with Flannel (DaemonSet ``kube-flannel-ds``),
   the Cloud Controller Manager (CCM) will create a route (Pod CIDR) in the VPC.
   If your cluster is a Managed Kubernetes cluster, you cannot disable this
   behavior; consider creating a new cluster instead.

.. code-block:: shell-session

   kubectl -n kube-system delete daemonset <terway>

The next step is to remove the CRDs listed below, which were created by the
``terway*`` CNI:

.. code-block:: shell-session

   kubectl delete crd \
       ciliumclusterwidenetworkpolicies.cilium.io \
       ciliumendpoints.cilium.io \
       ciliumidentities.cilium.io \
       ciliumnetworkpolicies.cilium.io \
       ciliumnodes.cilium.io \
       bgpconfigurations.crd.projectcalico.org \
       clusterinformations.crd.projectcalico.org \
       felixconfigurations.crd.projectcalico.org \
       globalnetworkpolicies.crd.projectcalico.org \
       globalnetworksets.crd.projectcalico.org \
       hostendpoints.crd.projectcalico.org \
       ippools.crd.projectcalico.org \
       networkpolicies.crd.projectcalico.org


**Create AlibabaCloud Secrets:**

Before installing Cilium, a new Kubernetes Secret with the AlibabaCloud Tokens needs to
be added to your Kubernetes cluster. This Secret will allow Cilium to gather
information from the AlibabaCloud API which is needed to implement ToGroups policies.

**AlibabaCloud Access Keys:**

To create a new access token, the `following guide can be used
<https://www.alibabacloud.com/help/doc-detail/93691.htm>`_.
These keys need to have the following `RAM Permissions
<https://ram.console.aliyun.com/overview>`_:

.. code-block:: json

   {
     "Version": "1",
     "Statement": [{
         "Action": [
           "ecs:CreateNetworkInterface",
           "ecs:DescribeNetworkInterfaces",
           "ecs:AttachNetworkInterface",
           "ecs:DetachNetworkInterface",
           "ecs:DeleteNetworkInterface",
           "ecs:DescribeInstanceAttribute",
           "ecs:DescribeInstanceTypes",
           "ecs:AssignPrivateIpAddresses",
           "ecs:UnassignPrivateIpAddresses",
           "ecs:DescribeInstances",
           "ecs:DescribeSecurityGroups"
         ],
         "Resource": [
           "*"
         ],
         "Effect": "Allow"
       },
       {
         "Action": [
           "vpc:DescribeVSwitches",
           "vpc:ListTagResources",
           "vpc:DescribeVpcs"
         ],
         "Resource": [
           "*"
         ],
         "Effect": "Allow"
       }
     ]
   }


As soon as you have the access tokens, the following secret needs to be added,
with each empty string replaced by the associated value as a base64-encoded string:

.. code-block:: yaml

   apiVersion: v1
   kind: Secret
   metadata:
     name: cilium-alibabacloud
     namespace: kube-system
   type: Opaque
   data:
     ALIBABA_CLOUD_ACCESS_KEY_ID: ""
     ALIBABA_CLOUD_ACCESS_KEY_SECRET: ""


The base64 command line utility can be used to generate each value, for example:

.. code-block:: shell-session

   $ echo -n "access_key" | base64
   YWNjZXNzX2tleQ==

This secret stores the AlibabaCloud credentials, which will be used to
connect to the AlibabaCloud API.

.. code-block:: shell-session

   $ kubectl create -f cilium-secret.yaml


**Install Cilium:**

Install the Cilium release via Helm:

.. parsed-literal::

   helm install cilium |CHART_RELEASE| \\
     --namespace kube-system \\
     --set alibabacloud.enabled=true \\
     --set ipam.mode=alibabacloud \\
     --set enableIPv4Masquerade=false \\
     --set routingMode=native

.. note::

   You must ensure that the security groups associated with the ENIs (``eth1``,
   ``eth2``, ...) allow for egress traffic to go outside of the VPC. By default,
   the security groups for pod ENIs are derived from the primary ENI
   (``eth0``).
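The CNI-cleanup and Secret steps above, as an added shell example that is not part of the Cilium documentation: it renders the ``cilium-alibabacloud`` manifest with values encoded the way ``echo -n | base64`` does (no trailing newline, which would otherwise corrupt the key), verifies the encoding round-trips before anything is applied, and filters a ``kubectl get daemonsets -o name`` listing for the conflicting CNI DaemonSets. The ``daemonset.apps/...`` sample lines and the credential values are constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the Cilium docs: prepare the AlibabaCloud Secret
# and check for conflicting CNI DaemonSets before installing Cilium.
set -e

# Encode one value exactly like `echo -n "$1" | base64`, with GNU line
# wrapping removed so long secrets stay on one line in the manifest.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret manifest for the given access key id and secret.
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cilium-alibabacloud
  namespace: kube-system
type: Opaque
data:
  ALIBABA_CLOUD_ACCESS_KEY_ID: "$(b64 "$1")"
  ALIBABA_CLOUD_ACCESS_KEY_SECRET: "$(b64 "$2")"
EOF
}

# Decode one data field back out of a rendered manifest (read on stdin), so
# the encoding can be verified before the Secret is applied with kubectl.
decode_field() {
    sed -n "s/^  $1: \"\(.*\)\"\$/\1/p" | base64 -d
}

# Read `kubectl -n kube-system get daemonsets -o name` output on stdin and
# print only the DaemonSets that conflict with Cilium ENI mode.
conflicting_daemonsets() {
    grep -E '^daemonset\.apps/(kube-flannel-ds|terway|terway-eni|terway-eniip)$' || true
}

# Usage:
#   ALIBABA_CLOUD_ACCESS_KEY_ID=... ALIBABA_CLOUD_ACCESS_KEY_SECRET=... \
#       sh secret.sh > cilium-secret.yaml
if [ -n "${ALIBABA_CLOUD_ACCESS_KEY_ID:-}" ] && [ -n "${ALIBABA_CLOUD_ACCESS_KEY_SECRET:-}" ]; then
    render_secret "$ALIBABA_CLOUD_ACCESS_KEY_ID" "$ALIBABA_CLOUD_ACCESS_KEY_SECRET"
fi
```

Pipe the rendered manifest through ``decode_field ALIBABA_CLOUD_ACCESS_KEY_ID`` to confirm it decodes to the original key before running ``kubectl create -f``.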