github.com/cilium/cilium@v1.16.2/Documentation/network/concepts/ipam/crd.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 .. _concepts_ipam_crd: 8 9 ########## 10 CRD-Backed 11 ########## 12 13 The CRD-backed IPAM mode provides an extendable interface to control the IP 14 address management via a Kubernetes Custom Resource Definition (CRD). This 15 allows to delegate IPAM to external operators or make it user configurable per 16 node. 17 18 ************ 19 Architecture 20 ************ 21 22 .. image:: crd_arch.png 23 :align: center 24 25 When this mode is enabled, each Cilium agent will start watching for a 26 Kubernetes custom resource ``ciliumnodes.cilium.io`` with a name matching the 27 Kubernetes node on which the agent is running. 28 29 Whenever the custom resource is updated, the per node allocation pool is 30 updated with all addresses listed in the ``spec.ipam.available`` field. When an 31 IP is removed that is currently allocated, the IP will continue to be used but 32 will not be available for re-allocation after release. 33 34 Upon allocation of an IP in the allocation pool, the IP is added to the 35 ``status.ipam.inuse`` field. 36 37 .. note:: 38 39 The node status update is limited to run at most once every 15 seconds. 40 Therefore, if several pods are scheduled at the same time, the update of the 41 status section can lag behind. 42 43 ************* 44 Configuration 45 ************* 46 47 The CRD-backed IPAM mode is enabled by setting ``ipam: crd`` in the 48 ``cilium-config`` ConfigMap or by specifying the option ``--ipam=crd``. When 49 enabled, the agent will wait for a ``CiliumNode`` custom resource matching the 50 Kubernetes node name to become available with at least one IP address listed as 51 available. When connectivity health-checking is enabled, at least two IP 52 addresses must be available. 53 54 While waiting, the agent will print the following log message: 55 56 :: 57 58 Waiting for initial IP to become available in '<node-name>' custom resource 59 60 61 For a practical tutorial on how to enable CRD IPAM mode with Cilium, see the 62 section :ref:`gsg_ipam_crd`. 63 64 Privileges 65 ========== 66 67 In order for the custom resource to be functional, the following additional 68 privileges are required. These privileges are automatically granted when using 69 the standard Cilium deployment artifacts: 70 71 .. code-block:: yaml 72 73 apiVersion: rbac.authorization.k8s.io/v1 74 kind: ClusterRole 75 metadata: 76 name: cilium 77 rules: 78 - apiGroups: 79 - cilium.io 80 resources: 81 - ciliumnodes 82 - ciliumnodes/status 83 verbs: 84 - '*' 85 86 ************** 87 CRD Definition 88 ************** 89 90 The CiliumNode custom resource is modeled after a standard Kubernetes resource 91 and is split into a ``spec`` and ``status`` section: 92 93 .. code-block:: go 94 95 type CiliumNode struct { 96 [...] 97 98 // Spec is the specification of the node 99 Spec NodeSpec `json:"spec"` 100 101 // Status it the status of the node 102 Status NodeStatus `json:"status"` 103 } 104 105 IPAM Specification 106 ================== 107 108 The ``spec`` section embeds an IPAM specific field which allows to define the 109 list of all IPs which are available to the node for allocation: 110 111 .. code-block:: go 112 113 // AllocationMap is a map of allocated IPs indexed by IP 114 type AllocationMap map[string]AllocationIP 115 116 // NodeSpec is the configuration specific to a node 117 type NodeSpec struct { 118 // [...] 119 120 // IPAM is the address management specification. This section can be 121 // populated by a user or it can be automatically populated by an IPAM 122 // operator 123 // 124 // +optional 125 IPAM IPAMSpec `json:"ipam,omitempty"` 126 } 127 128 // IPAMSpec is the IPAM specification of the node 129 type IPAMSpec struct { 130 // Pool is the list of IPs available to the node for allocation. When 131 // an IP is used, the IP will remain on this list but will be added to 132 // Status.IPAM.InUse 133 // 134 // +optional 135 Pool AllocationMap `json:"pool,omitempty"` 136 } 137 138 // AllocationIP is an IP available for allocation or already allocated 139 type AllocationIP struct { 140 // Owner is the owner of the IP, this field is set if the IP has been 141 // allocated. It will be set to the pod name or another identifier 142 // representing the usage of the IP 143 // 144 // The owner field is left blank for an entry in Spec.IPAM.Pool 145 // and filled out as the IP is used and also added to 146 // Status.IPAM.InUse. 147 // 148 // +optional 149 Owner string `json:"owner,omitempty"` 150 151 // Resource is set for both available and allocated IPs, it represents 152 // what resource the IP is associated with, e.g. in combination with 153 // AWS ENI, this will refer to the ID of the ENI 154 // 155 // +optional 156 Resource string `json:"resource,omitempty"` 157 } 158 159 IPAM Status 160 =========== 161 162 The ``status`` section contains an IPAM specific field. The IPAM status reports 163 all used addresses on that node: 164 165 .. code-block:: go 166 167 // NodeStatus is the status of a node 168 type NodeStatus struct { 169 // [...] 170 171 // IPAM is the IPAM status of the node 172 // 173 // +optional 174 IPAM IPAMStatus `json:"ipam,omitempty"` 175 } 176 177 // IPAMStatus is the IPAM status of a node 178 type IPAMStatus struct { 179 // InUse lists all IPs out of Spec.IPAM.Pool which have been 180 // allocated and are in use. 181 // 182 // +optional 183 InUse AllocationMap `json:"used,omitempty"` 184 }