github.com/cilium/cilium@v1.16.2/Documentation/installation/kind.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 .. _gs_kind: 8 9 *********************** 10 Installation Using Kind 11 *********************** 12 13 This guide uses `kind <https://kind.sigs.k8s.io/>`_ to demonstrate deployment 14 and operation of Cilium in a multi-node Kubernetes cluster running locally on 15 Docker. 16 17 Install Dependencies 18 ==================== 19 20 .. include:: kind-install-deps.rst 21 22 Configure kind 23 ============== 24 25 .. include:: kind-configure.rst 26 27 Create a cluster 28 ================ 29 30 .. include:: kind-create-cluster.rst 31 32 .. _kind_install_cilium: 33 34 Install Cilium 35 ============== 36 37 .. include:: k8s-install-download-release.rst 38 .. include:: kind-preload.rst 39 40 Then, install Cilium release via Helm: 41 42 .. parsed-literal:: 43 44 helm install cilium |CHART_RELEASE| \\ 45 --namespace kube-system \\ 46 --set image.pullPolicy=IfNotPresent \\ 47 --set ipam.mode=kubernetes 48 49 .. note:: 50 51 To enable Cilium's Socket LB (:ref:`kubeproxy-free`), cgroup v2 needs to be 52 enabled, and Kind nodes need to run in separate `cgroup namespaces 53 <https://man7.org/linux/man-pages/man7/cgroup_namespaces.7.html>`__, 54 and these namespaces need to be different from the cgroup namespace 55 of the underlying host so that Cilium can attach BPF programs at the right 56 cgroup hierarchy. To verify this, run the following commands, and ensure 57 that the cgroup values are different: 58 59 .. code-block:: shell-session 60 61 $ docker exec kind-control-plane ls -al /proc/self/ns/cgroup 62 lrwxrwxrwx 1 root root 0 Jul 20 19:20 /proc/self/ns/cgroup -> 'cgroup:[4026532461]' 63 64 $ docker exec kind-worker ls -al /proc/self/ns/cgroup 65 lrwxrwxrwx 1 root root 0 Jul 20 19:20 /proc/self/ns/cgroup -> 'cgroup:[4026532543]' 66 67 $ ls -al /proc/self/ns/cgroup 68 lrwxrwxrwx 1 root root 0 Jul 19 09:38 /proc/self/ns/cgroup -> 'cgroup:[4026531835]' 69 70 71 One way to enable cgroup v2 is to set the kernel parameter 72 ``systemd.unified_cgroup_hierarchy=1``. To enable cgroup namespaces, a container 73 runtime needs to configured accordingly. For example in Docker, 74 dockerd's ``--default-cgroupns-mode`` has to be set to ``private``. 75 76 Another requirement for the Socket LB on Kind to properly function is that either cgroup v1 77 controllers ``net_cls`` and ``net_prio`` are disabled (or cgroup v1 altogether is disabled 78 e.g., by setting the kernel parameter ``cgroup_no_v1="all"``), or the host kernel 79 should be 5.14 or more recent to include this `fix 80 <https://github.com/torvalds/linux/commit/8520e224f547cd070c7c8f97b1fc6d58cff7ccaa>`__. 81 82 See the `Pull Request <https://github.com/cilium/cilium/pull/16259>`__ for more details. 83 84 .. include:: k8s-install-validate.rst 85 86 .. include:: next-steps.rst 87 88 Attaching a Debugger 89 ==================== 90 91 Cilium's Kind configuration enables access to Delve debug server instances running 92 in the agent and operator Pods by default. See :ref:`gs_debugging` to learn how 93 to use it. 94 95 Troubleshooting 96 =============== 97 98 Unable to contact k8s api-server 99 -------------------------------- 100 101 In the :ref:`Cilium agent logs <ts_agent_logs>` you will see:: 102 103 level=info msg="Establishing connection to apiserver" host="https://10.96.0.1:443" subsys=k8s 104 level=error msg="Unable to contact k8s api-server" error="Get https://10.96.0.1:443/api/v1/namespaces/kube-system: dial tcp 10.96.0.1:443: connect: no route to host" ipAddr="https://10.96.0.1:443" subsys=k8s 105 level=fatal msg="Unable to initialize Kubernetes subsystem" error="unable to create k8s client: unable to create k8s client: Get https://10.96.0.1:443/api/v1/namespaces/kube-system: dial tcp 10.96.0.1:443: connect: no route to host" subsys=daemon 106 107 As Kind is running nodes as containers in Docker, they're sharing your host machines' kernel. 108 If the socket LB wasn't disabled, the eBPF programs attached by Cilium may be out of date 109 and no longer routing api-server requests to the current ``kind-control-plane`` container. 110 111 Recreating the kind cluster and using the helm command :ref:`kind_install_cilium` will detach the 112 inaccurate eBPF programs. 113 114 Crashing Cilium agent pods 115 -------------------------- 116 117 Check if Cilium agent pods are crashing with following logs. This may indicate 118 that you are deploying a kind cluster in an environment where Cilium is already 119 running (for example, in the Cilium development VM). This can also happen if you 120 have other overlapping BPF ``cgroup`` type programs attached to the parent ``cgroup`` 121 hierarchy of the kind container nodes. In such cases, either tear down Cilium, or manually 122 detach the overlapping BPF ``cgroup`` programs running in the parent ``cgroup`` hierarchy 123 by following the `bpftool documentation <https://manpages.ubuntu.com/manpages/focal/man8/bpftool-cgroup.8.html>`_. 124 For more information, see the `Pull Request <https://github.com/cilium/cilium/pull/16259>`__. 125 126 :: 127 128 level=warning msg="+ bpftool cgroup attach /var/run/cilium/cgroupv2 connect6 pinned /sys/fs/bpf/tc/globals/cilium_cgroups_connect6" subsys=datapath-loader 129 level=warning msg="Error: failed to attach program" subsys=datapath-loader 130 level=warning msg="+ RETCODE=255" subsys=datapath-loader 131 132 .. _gs_kind_cluster_mesh: 133 134 Cluster Mesh 135 ============ 136 137 With Kind we can simulate Cluster Mesh in a sandbox too. 138 139 Kind Configuration 140 ------------------ 141 142 This time we need to create (2) ``config.yaml``, one for each kubernetes cluster. 143 We will explicitly configure their ``pod-network-cidr`` and ``service-cidr`` to not overlap. 144 145 Example ``kind-cluster1.yaml``: 146 147 .. code-block:: yaml 148 149 kind: Cluster 150 apiVersion: kind.x-k8s.io/v1alpha4 151 nodes: 152 - role: control-plane 153 - role: worker 154 - role: worker 155 - role: worker 156 networking: 157 disableDefaultCNI: true 158 podSubnet: "10.0.0.0/16" 159 serviceSubnet: "10.1.0.0/16" 160 161 Example ``kind-cluster2.yaml``: 162 163 .. code-block:: yaml 164 165 kind: Cluster 166 apiVersion: kind.x-k8s.io/v1alpha4 167 nodes: 168 - role: control-plane 169 - role: worker 170 - role: worker 171 - role: worker 172 networking: 173 disableDefaultCNI: true 174 podSubnet: "10.2.0.0/16" 175 serviceSubnet: "10.3.0.0/16" 176 177 Create Kind Clusters 178 -------------------- 179 180 We can now create the respective clusters: 181 182 .. code-block:: shell-session 183 184 kind create cluster --name=cluster1 --config=kind-cluster1.yaml 185 kind create cluster --name=cluster2 --config=kind-cluster2.yaml 186 187 Setting up Cluster Mesh 188 ------------------------ 189 190 We can deploy Cilium, and complete setup by following the Cluster Mesh guide 191 with :ref:`gs_clustermesh`. For Kind, we'll want to deploy the ``NodePort`` service into the ``kube-system`` namespace.