.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _k8s_install_helm:

***********************
Installation using Helm
***********************

This guide will show you how to install Cilium using `Helm
<https://helm.sh/>`_. This involves a couple of additional steps compared to
the :ref:`k8s_quick_install` and requires you to manually select the best
datapath and IPAM mode for your particular environment.

Install Cilium
==============

.. include:: k8s-install-download-release.rst

.. tabs::

    .. group-tab:: Generic

       These are the generic instructions on how to install Cilium into any
       Kubernetes cluster using the default configuration options below. Please
       see the other tabs for distribution/platform specific instructions which
       also list the ideal default configuration for particular platforms.

       **Default Configuration:**

       =============== =============== ==============
       Datapath        IPAM            Datastore
       =============== =============== ==============
       Encapsulation   Cluster Pool    Kubernetes CRD
       =============== =============== ==============

       .. include:: requirements-generic.rst

       **Install Cilium:**

       Deploy Cilium release via Helm:

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace kube-system

    .. group-tab:: GKE

       .. include:: requirements-gke.rst

       **Install Cilium:**

       Extract the Cluster CIDR to enable native-routing:

       .. code-block:: shell-session

          NATIVE_CIDR="$(gcloud container clusters describe "${NAME}" --zone "${ZONE}" --format 'value(clusterIpv4Cidr)')"
          echo $NATIVE_CIDR

       Deploy Cilium release via Helm:

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace kube-system \\
            --set nodeinit.enabled=true \\
            --set nodeinit.reconfigureKubelet=true \\
            --set nodeinit.removeCbrBridge=true \\
            --set cni.binPath=/home/kubernetes/bin \\
            --set gke.enabled=true \\
            --set ipam.mode=kubernetes \\
            --set ipv4NativeRoutingCIDR=$NATIVE_CIDR

       The NodeInit DaemonSet is required to prepare the GKE nodes as nodes are added
       to the cluster. The NodeInit DaemonSet will perform the following actions:

       * Reconfigure kubelet to run in CNI mode
       * Mount the eBPF filesystem

    .. group-tab:: AKS

       .. include:: ../installation/requirements-aks.rst

       **Install Cilium:**

       Deploy Cilium release via Helm:

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace kube-system \\
            --set aksbyocni.enabled=true \\
            --set nodeinit.enabled=true

       .. note::

          Installing Cilium via Helm is supported only for AKS BYOCNI clusters and
          not for Azure CNI Powered by Cilium clusters.

    .. group-tab:: EKS

       .. include:: requirements-eks.rst

       **Patch VPC CNI (aws-node DaemonSet)**

       Cilium will manage ENIs instead of VPC CNI, so the ``aws-node``
       DaemonSet has to be patched to prevent conflicting behavior.

       .. code-block:: shell-session

          kubectl -n kube-system patch daemonset aws-node --type='strategic' -p='{"spec":{"template":{"spec":{"nodeSelector":{"io.cilium/aws-node-enabled":"true"}}}}}'

       **Install Cilium:**

       Deploy Cilium release via Helm:

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace kube-system \\
            --set eni.enabled=true \\
            --set ipam.mode=eni \\
            --set egressMasqueradeInterfaces=eth0 \\
            --set routingMode=native

       .. note::

          This Helm command sets ``eni.enabled=true`` and ``routingMode=native``,
          meaning that Cilium will allocate a fully-routable AWS ENI IP address
          for each pod, similar to the behavior of the `Amazon VPC CNI plugin
          <https://docs.aws.amazon.com/eks/latest/userguide/pod-networking.html>`_.

          This mode depends on a set of :ref:`ec2privileges` from the EC2 API.

          Cilium can alternatively run in EKS using an overlay mode that gives
          pods non-VPC-routable IPs. This allows running more pods per
          Kubernetes worker node than the ENI limit but includes the following caveats:

          1. Pod connectivity to resources outside the cluster (e.g., VMs in the VPC
             or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the
             VPC IP address of the Kubernetes worker node.
          2. The EKS API Server is unable to route packets to the overlay network. This
             implies that any `webhook <https://kubernetes.io/docs/reference/access-authn-authz/webhook/>`_
             which needs to be accessed must be host networked or exposed through a service
             or ingress.

          To set up Cilium overlay mode, follow the steps below:

          1. Excluding the lines for ``eni.enabled=true``, ``ipam.mode=eni`` and
             ``routingMode=native`` from the Helm command will configure Cilium to use
             overlay routing mode (which is the Helm default).
          2. Flush the iptables rules added by VPC CNI:

             .. code-block:: shell-session

                iptables -t nat -F AWS-SNAT-CHAIN-0 \
                   && iptables -t nat -F AWS-SNAT-CHAIN-1 \
                   && iptables -t nat -F AWS-CONNMARK-CHAIN-0 \
                   && iptables -t nat -F AWS-CONNMARK-CHAIN-1

          Some Linux distributions use a different interface naming convention.
          If you use masquerading with the option ``egressMasqueradeInterfaces=eth0``,
          remember to replace ``eth0`` with the proper interface name.

    .. group-tab:: OpenShift

       .. include:: requirements-openshift.rst

       **Install Cilium:**

       Cilium is a `Certified OpenShift CNI Plugin <https://access.redhat.com/articles/5436171>`_
       and is best installed when an OpenShift cluster is created using the OpenShift
       installer. Please refer to :ref:`k8s_install_openshift_okd` for more information.

    .. group-tab:: RKE

       .. include:: requirements-rke.rst

    .. group-tab:: k3s

       .. include:: requirements-k3s.rst

       **Install Cilium:**

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace $CILIUM_NAMESPACE \\
            --set operator.replicas=1

    .. group-tab:: Rancher Desktop

       **Configure Rancher Desktop:**

       To install Cilium on `Rancher Desktop <https://rancherdesktop.io>`_,
       perform the following steps:

       .. include:: rancher-desktop-configure.rst

       **Install Cilium:**

       .. parsed-literal::

          helm install cilium |CHART_RELEASE| \\
            --namespace $CILIUM_NAMESPACE \\
            --set operator.replicas=1 \\
            --set cni.binPath=/usr/libexec/cni

    .. group-tab:: Talos Linux

       To install Cilium on `Talos Linux <https://www.talos.dev/>`_,
       perform the following steps.

       .. include:: k8s-install-talos-linux.rst

    .. group-tab:: Alibaba ACK

       .. include:: ../installation/alibabacloud-eni.rst

.. admonition:: Video
   :class: attention

   If you'd like to learn more about Cilium Helm values, check out `eCHO episode 117: A Tour of the Cilium Helm Values <https://www.youtube.com/watch?v=ni0Uw4WLHYo>`__.

.. include:: k8s-install-restart-pods.rst

.. include:: k8s-install-validate.rst

.. include:: next-steps.rst
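
A check for step 2 of the EKS overlay-mode procedure above (flushing the VPC CNI iptables chains), added here as an example and not part of the Cilium documentation or code base: it reads ``iptables-save -t nat`` output and reports any rule still attached to the four chains named on this page. The function names and the sample rule bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the VPC CNI nat chains flushed in step 2 are empty.
# Chain names come from the page; the sample rules below are constructed.

CHAINS="AWS-SNAT-CHAIN-0 AWS-SNAT-CHAIN-1 AWS-CONNMARK-CHAIN-0 AWS-CONNMARK-CHAIN-1"

# leftover_rules: read `iptables-save -t nat` text on stdin and print every
# rule ("-A <chain> ...") still attached to one of the VPC CNI chains.
# Jump rules in other chains that merely point at them are not reported.
leftover_rules() {
  awk -v chains="$CHAINS" '
    BEGIN { n = split(chains, c, " "); for (i = 1; i <= n; i++) want[c[i]] = 1 }
    $1 == "-A" && ($2 in want) { print }
  '
}

# check_flushed: return 0 when no rule is left, 1 otherwise.
# Leftover rules are written to stderr so they can be reviewed.
check_flushed() {
  left="$(leftover_rules)"
  if [ -n "$left" ]; then
    printf 'rules still present in VPC CNI chains:\n%s\n' "$left" >&2
    return 1
  fi
  return 0
}

# Constructed sample: nat table as it might look before the flush.
sample_before() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:AWS-SNAT-CHAIN-0 - [0:0]
:AWS-SNAT-CHAIN-1 - [0:0]
-A POSTROUTING -j AWS-SNAT-CHAIN-0
-A AWS-SNAT-CHAIN-0 ! -d 192.0.2.0/24 -j AWS-SNAT-CHAIN-1
-A AWS-SNAT-CHAIN-1 -j SNAT --to-source 192.0.2.10
COMMIT
EOF
}

# Constructed sample: after the flush the chains are declared but hold no rules.
sample_after() {
  sample_before | grep -v -e '^-A AWS-SNAT-CHAIN-' -e '^-A AWS-CONNMARK-CHAIN-'
}
```

On a worker node, source the functions and run ``iptables-save -t nat | check_flushed``; a non-zero exit status means at least one of the four chains still holds a rule.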