github.com/cilium/cilium@v1.16.2/Documentation/installation/k8s-install-talos-linux.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _talos_linux_install:

**Prerequisites / Limitations**

- Cilium's Talos Linux support is only tested with Talos versions ``>=1.5.0``.
- As Talos `does not allow loading Kernel modules`_ by Kubernetes workloads, ``SYS_MODULE`` needs to be dropped from the Cilium default capability list.

.. _`does not allow loading Kernel modules`: https://www.talos.dev/latest/learn-more/process-capabilities/

.. note::

   The official Talos Linux documentation already covers many different Cilium deployment
   options inside their `Deploying Cilium CNI guide`_. Thus, this guide will only focus on
   the most recommended deployment option, from a Cilium perspective:

   - Deployment via the official `Cilium Helm chart`_
   - Cilium :ref:`Kube-Proxy replacement<kubeproxy-free>` enabled
   - Reuse the ``cgroupv2`` mount that Talos already provides
   - :ref:`Kubernetes Host Scope<k8s_hostscope>` IPAM mode, as Talos, by default, assigns ``PodCIDRs`` to ``v1.Node`` resources

.. _`Cilium Helm chart`: https://github.com/cilium/charts
.. _`Deploying Cilium CNI guide`: https://www.talos.dev/v1.6/kubernetes-guides/network/deploying-cilium/

**Configure Talos Linux**

Before installing Cilium, there are two `Talos Linux Kubernetes configurations`_ that
need to be adjusted:

#. Ensuring no other CNI is deployed via ``cluster.network.cni.name: none``
#. Disabling Kube-Proxy deployment via ``cluster.proxy.disabled: true``

Prepare a ``patch.yaml`` file:

.. code-block:: yaml

    cluster:
      network:
        cni:
          name: none
      proxy:
        disabled: true

Next, generate the configuration files for the Talos cluster by using the
``talosctl gen config`` command:

.. code-block:: shell-session

    talosctl gen config \
        my-cluster https://mycluster.local:6443 \
        --config-patch @patch.yaml

.. _`Talos Linux Kubernetes configurations`: https://www.talos.dev/latest/reference/configuration/v1alpha1/config/#Config.cluster

**Install Cilium**

To run Cilium with :ref:`Kube-Proxy replacement<kubeproxy-free>` enabled, it's required
to configure ``k8sServiceHost`` and ``k8sServicePort``, and point them to the
Kubernetes API. Luckily, Talos Linux provides KubePrism_, which exposes the Kubernetes
API to every node over host networking alone, without an external load balancer. This
KubePrism_ endpoint is reachable from every Talos Linux node on ``localhost:7445``.

.. parsed-literal::

    helm install cilium |CHART_RELEASE| \\
        --namespace $CILIUM_NAMESPACE \\
        --set ipam.mode=kubernetes \\
        --set=kubeProxyReplacement=true \\
        --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \\
        --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \\
        --set=cgroup.autoMount.enabled=false \\
        --set=cgroup.hostRoot=/sys/fs/cgroup \\
        --set=k8sServiceHost=localhost \\
        --set=k8sServicePort=7445

.. _KubePrism: https://www.talos.dev/v1.6/kubernetes-guides/configuration/kubeprism/
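A post-install check for the constraints this guide imposes (no ``SYS_MODULE`` in any Cilium container, no chart-managed cgroup mount, the Talos cgroup root mounted from the host, and the agent pointed at the KubePrism endpoint), written as an added example that is not part of Cilium or Talos. It audits the rendered ``cilium`` DaemonSet as ``kubectl -n kube-system get ds cilium -o json`` prints it. The container name ``cilium-agent``, the init container name ``mount-cgroup``, the ``KUBERNETES_SERVICE_HOST``/``KUBERNETES_SERVICE_PORT`` environment variables and the sample DaemonSet embedded below are assumptions about how the Helm chart renders the values above, and the sample is constructed, not captured from a cluster.

```python
"""Audit a rendered Cilium DaemonSet against the Talos Linux install constraints.

Example code added to this guide; not part of Cilium or Talos.
Usage: kubectl -n kube-system get ds cilium -o json > ds.json
       python3 audit_cilium_talos.py ds.json
"""
import copy
import json
import sys

# Talos does not let workloads load kernel modules, so no Cilium container may
# request SYS_MODULE (it is in the chart's default list and must be dropped).
FORBIDDEN_CAPS = {"SYS_MODULE"}
# Values the helm install in this guide sets. The container/env names below are
# assumptions about the chart's rendering; adjust them for your chart version.
EXPECTED_API_HOST = "localhost"
EXPECTED_API_PORT = "7445"
EXPECTED_CGROUP_ROOT = "/sys/fs/cgroup"
AGENT_CONTAINER = "cilium-agent"
CGROUP_INIT_CONTAINER = "mount-cgroup"  # rendered only when cgroup.autoMount.enabled=true


def audit_daemonset(ds: dict) -> list:
    """Return a list of findings; an empty list means the DaemonSet matches the guide."""
    findings = []
    pod = ds["spec"]["template"]["spec"]
    containers = pod.get("containers", [])
    init_containers = pod.get("initContainers", [])

    # 1. Capability list: every container (agent, init, clean-state) must avoid SYS_MODULE
    #    and must use an explicit capability list rather than privileged mode.
    for c in containers + init_containers:
        sc = c.get("securityContext", {})
        caps = set(sc.get("capabilities", {}).get("add", []))
        bad = sorted(caps & FORBIDDEN_CAPS)
        if bad:
            findings.append(f"container {c['name']}: requests {bad}, which Talos will not grant")
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: runs privileged instead of with an explicit capability list")

    # 2. cgroup handling: reuse the Talos mount, do not let the chart mount its own.
    if any(c["name"] == CGROUP_INIT_CONTAINER for c in init_containers):
        findings.append(f"init container {CGROUP_INIT_CONTAINER} present: set cgroup.autoMount.enabled=false")
    host_paths = {v.get("hostPath", {}).get("path") for v in pod.get("volumes", [])}
    if EXPECTED_CGROUP_ROOT not in host_paths:
        findings.append(f"no hostPath volume for {EXPECTED_CGROUP_ROOT}: set cgroup.hostRoot")

    # 3. API endpoint: the agent must reach the API server through KubePrism.
    agent = next((c for c in containers if c["name"] == AGENT_CONTAINER), None)
    if agent is None:
        findings.append(f"no {AGENT_CONTAINER} container found")
        return findings
    env = {e["name"]: e.get("value") for e in agent.get("env", [])}
    if (env.get("KUBERNETES_SERVICE_HOST") != EXPECTED_API_HOST
            or env.get("KUBERNETES_SERVICE_PORT") != EXPECTED_API_PORT):
        findings.append(f"{AGENT_CONTAINER}: not pointed at KubePrism "
                        f"({EXPECTED_API_HOST}:{EXPECTED_API_PORT}); set k8sServiceHost/k8sServicePort")
    return findings


# Constructed sample: the shape of a DaemonSet rendered with the values from this guide.
SAMPLE_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "cilium", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "initContainers": [],
        "containers": [{
            "name": AGENT_CONTAINER,
            "env": [
                {"name": "KUBERNETES_SERVICE_HOST", "value": "localhost"},
                {"name": "KUBERNETES_SERVICE_PORT", "value": "7445"},
            ],
            "securityContext": {"capabilities": {"add": [
                "CHOWN", "KILL", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "SYS_ADMIN",
                "SYS_RESOURCE", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID"]}},
        }],
        "volumes": [{"name": "cilium-cgroup", "hostPath": {"path": "/sys/fs/cgroup"}}],
    }}},
}


def sample_with_default_caps() -> dict:
    """Constructed variant: the capability list was left at the chart default, so SYS_MODULE is present."""
    ds = copy.deepcopy(SAMPLE_DAEMONSET)
    ds["spec"]["template"]["spec"]["containers"][0]["securityContext"]["capabilities"]["add"].append("SYS_MODULE")
    return ds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            target = json.load(fh)
    else:
        target = SAMPLE_DAEMONSET
    results = audit_daemonset(target)
    for finding in results:
        print("FINDING:", finding)
    print("OK: DaemonSet matches the Talos install guide" if not results else f"{len(results)} finding(s)")
    sys.exit(1 if results else 0)
```

Run it against the live DaemonSet after ``helm install``; a non-zero exit means one of the Talos-specific settings was lost, for example a later ``helm upgrade`` that reset ``securityContext.capabilities.ciliumAgent`` to the chart default. The check is intentionally conservative: it flags any container that asks for ``SYS_MODULE`` or runs privileged, not just the agent.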