github.com/cilium/cilium@v1.16.2/Documentation/network/bgp.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _bgp:

*************************************
MetalLB BGP ControlPlane (deprecated)
*************************************

.. warning::
  This feature will only receive security updates and bug fixes. It is recommended
  to use the :ref:`BGP Control Plane <bgp_control_plane>` feature instead whenever
  possible. More details are available at :gh-issue:`22246`.

BGP provides a way to advertise routes using a traditional routing protocol so
that Cilium-managed services are reachable from outside the cluster.

This document explains how to configure Cilium's native support for announcing
``LoadBalancer`` IPs of ``Services`` and a Kubernetes node's Pod CIDR range via BGP.
It leverages `MetalLB's <https://metallb.universe.tf/>`_ simple and effective
implementation of IP allocation and its minimal BGP protocol support to do this.
The configuration format for Cilium is the same as MetalLB's.

Specifically, when a ``Service`` of type ``LoadBalancer`` is created, Cilium
allocates an IP for it from a configured pool. Once the IP is allocated, the
agents announce it via BGP; how it is announced depends on the ``Service``'s
``ExternalTrafficPolicy``. See MetalLB's `documentation
<https://metallb.universe.tf/usage/#bgp>`_ on this specific topic.

.. include:: ../beta.rst

Deploy Cilium
=============

.. include:: ../installation/k8s-install-download-release.rst

BGP support is enabled by providing the BGP configuration via a ConfigMap and
by setting a few Helm values; BGP is disabled by default.

Here's an example ConfigMap:

.. code-block:: yaml

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: bgp-config
     namespace: kube-system
   data:
     config.yaml: |
       peers:
         - peer-address: 10.0.0.1
           peer-asn: 64512
           my-asn: 64512
       address-pools:
         - name: default
           protocol: bgp
           addresses:
             - 192.0.2.0/24

Here are the required Helm values:

.. parsed-literal::

   helm install cilium |CHART_RELEASE| \\
     --namespace kube-system \\
     --set bgp.enabled=true \\
     --set bgp.announce.loadbalancerIP=true \\
     --set bgp.announce.podCIDR=true

The example above enables both announcements; at least one ``bgp.announce.*``
value is required whenever ``bgp.enabled=true`` is set.

Verify that the Cilium agent pod is running:

.. code-block:: shell-session

   $ kubectl -n kube-system get pods -l k8s-app=cilium
   NAME           READY   STATUS    RESTARTS   AGE
   cilium-5ngzd   1/1     Running   0          3m19s

Create LoadBalancer and backend pods
====================================

Apply the following ``LoadBalancer`` ``Service`` and its corresponding
backends:

.. code-block:: yaml

   apiVersion: v1
   kind: Service
   metadata:
     name: test-lb
   spec:
     type: LoadBalancer
     ports:
     - port: 80
       targetPort: 80
       protocol: TCP
       name: http
     selector:
       svc: test-lb
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: nginx
   spec:
     selector:
       matchLabels:
         svc: test-lb
     template:
       metadata:
         labels:
           svc: test-lb
       spec:
         containers:
         - name: web
           image: nginx
           imagePullPolicy: IfNotPresent
           ports:
           - containerPort: 80
           readinessProbe:
             httpGet:
               path: /
               port: 80

Observe that the Operator allocates an external IP for ``test-lb`` from the
configured pool:

.. code-block:: shell-session

   $ kubectl get svc
   NAME        TYPE          CLUSTER-IP  EXTERNAL-IP  PORT(S)       AGE
   kubernetes  ClusterIP     172.20.0.1  <none>       443/TCP       4d23h
   test-lb     LoadBalancer  172.20.0.5  192.0.2.154  80:30724/TCP  10s

Verify that the backend is running:

.. code-block:: shell-session

   $ kubectl get pods | grep nginx
   nginx                      1/1     Running   0          16s

Validate BGP announcements
==========================

To see whether Cilium is announcing the external IP of the ``Service`` or the Pod
CIDR range of your Kubernetes nodes, check the routing table on the node that is
running your BGP router.

Alternatively, you can run ``tcpdump`` inside the Cilium pod (it is not part of
the image, so it first needs to be ``apt install``'d) and watch for BGP messages
on TCP port 179, like so:

.. code-block:: shell-session

   root@kind-worker:/home/cilium# tcpdump -n -i any tcp port 179
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
   17:03:19.380682 IP 172.20.0.2.43261 > 10.0.0.1.179: Flags [P.], seq 2930402899:2930402918, ack 2731344744, win 502, options [nop,nop,TS val 4080796863 ecr 4108836857], length 19: BGP
   17:03:19.385065 IP 10.0.0.1.179 > 172.20.0.2.43261: Flags [P.], seq 1:20, ack 19, win 509, options [nop,nop,TS val 4108866857 ecr 4080796863], length 19: BGP

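The checks below tie the ConfigMap and the capture above together; they are an added example, not code from Cilium or MetalLB. ``check_config`` validates the MetalLB-style ``config.yaml`` (peer addresses and pool CIDRs), ``ip_in_bgp_pools`` confirms that the EXTERNAL-IP the Operator allocated came from a ``bgp`` pool, and ``unexpected_bgp_peers`` scans ``tcpdump`` lines for TCP/179 talkers that are not configured peers. The config dict, the capture lines and the local node address ``172.20.0.2`` are constructed from the values on this page, except the third capture line, which is an invented unknown peer.

```python
import ipaddress
import re

# Constructed sample: the decoded config.yaml of the bgp-config ConfigMap above (dict literal, no YAML dependency).
BGP_CONFIG = {
    "peers": [{"peer-address": "10.0.0.1", "peer-asn": 64512, "my-asn": 64512}],
    "address-pools": [{"name": "default", "protocol": "bgp", "addresses": ["192.0.2.0/24"]}],
}
# Constructed tcpdump lines in the format shown above; the third one is from an address that is not a configured peer.
TCPDUMP_LINES = """\
17:03:19.380682 IP 172.20.0.2.43261 > 10.0.0.1.179: Flags [P.], seq 2930402899:2930402918, ack 2731344744, win 502, length 19: BGP
17:03:19.385065 IP 10.0.0.1.179 > 172.20.0.2.43261: Flags [P.], seq 1:20, ack 19, win 509, length 19: BGP
17:03:20.000000 IP 10.0.0.9.38000 > 172.20.0.2.179: Flags [S], seq 0, win 65535, length 0
""".splitlines()
FLOW_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def check_config(cfg):
    """Return the problems found in a MetalLB-style BGP config (empty list if clean)."""
    problems = []
    for p in cfg.get("peers", []):
        try:
            ipaddress.ip_address(p["peer-address"])
        except ValueError:
            problems.append(f"bad peer-address {p['peer-address']!r}")
    for pool in cfg.get("address-pools", []):
        if pool.get("protocol") != "bgp":
            problems.append(f"pool {pool['name']} is not protocol bgp")
        for cidr in pool["addresses"]:
            try:
                ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 192.0.2.1/24
            except ValueError:
                problems.append(f"bad CIDR {cidr!r} in pool {pool['name']}")
    return problems

def ip_in_bgp_pools(cfg, ip):
    """True if an allocated EXTERNAL-IP lies inside a pool with protocol bgp."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for pool in cfg["address-pools"]
               if pool.get("protocol") == "bgp" for c in pool["addresses"])

def unexpected_bgp_peers(cfg, lines, local_ip):
    """Addresses exchanging TCP/179 traffic with local_ip that are not configured peers."""
    configured = {p["peer-address"] for p in cfg.get("peers", [])}
    remotes = set()
    for m in filter(None, map(FLOW_RE.search, lines)):
        src, sport, dst, dport = m.groups()
        if "179" in (sport, dport):
            remotes.add(dst if src == local_ip else src)
    return sorted(remotes - configured)
```

Any address returned by ``unexpected_bgp_peers`` is a BGP session attempt that the ConfigMap does not account for and is worth correlating with the router's neighbor table.
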
Verify that traffic to the external IP is directed to the backends:

.. code-block:: shell-session

   $ # Exec / SSH into BGP router
   $ curl 192.0.2.154