github.com/cilium/cilium@v1.16.2/Documentation/network/node-ipam.rst

github.com/cilium/cilium@v1.16.2/Documentation/network/node-ipam.rst (about)

     1  .. only:: not (epub or latex or html)
     2  
     3      WARNING: You are looking at unreleased Cilium documentation.
     4      Please use the official rendered version released here:
     5      https://docs.cilium.io
     6  
     7  .. _node_ipam:
     8  
     9  ************
    10  Node IPAM LB
    11  ************
    12  
    13  Node IPAM LoadBalancer is a feature inspired by k3s "ServiceLB" that allows you
    14  to "advertise" the node's IPs directly inside a Service LoadBalancer. This feature
    15  is especially useful if you don't control the network you are running on and can't
    16  use either the L2 or BGP capabilities of Cilium.
    17  
    18  It works by getting the Node addresses of the selected Nodes and advertising them.
    19  It will respect the ``.spec.ipFamilies`` to decide if IPv4 or IPv6 addresses
    20  shall be used and will use the ``ExternalIP`` addresses if any or the
    21  ``InternalIP`` addresses otherwise.
    22  
    23  If the Service has ``.spec.externalTrafficPolicy`` set to ``Cluster``, Node IPAM
    24  considers all nodes as candidates for selection. Otherwise, if
    25  ``.spec.externalTrafficPolicy`` is set to ``Local``, then Node IPAM considers
    26  all the Pods selected by the Service (via their EndpointSlices) as candidates.
    27  
    28  .. warning::
    29      Node IPAM does not work properly if ``.spec.externalTrafficPolicy`` is set
    30      to ``Local`` but no EndpointSlice (or dummy EndpointSlice) is linked to
    31      the corresponding Service.
    32  
    33      As a result, you **cannot** set ``.spec.externalTrafficPolicy`` to ``Local``
    34      with the Cilium implementations for GatewayAPI or Ingress, because Cilium
    35      currently uses a dummy Endpoints for the Service LoadBalancer (`see here
    36      <https://github.com/cilium/cilium/blob/495f228ad8791c89f0851e0abbad90f09b136f80/install/kubernetes/cilium/templates/cilium-ingress-service.yaml#L58>`__).
    37      Only the Cilium implementation is known to be affected by this limitation.
    38      Most other implementations are expected to work with this configuration.
    39      If they don't, check if the matching EndpointSlices look correct and/or
    40      try setting ``.spec.externalTrafficPolicy`` to ``Cluster``.
    41  
    42  To restrict the Nodes that should listen for incoming traffic, add annotation
    43  ``io.cilium.nodeipam/match-node-labels`` to the Service. The value of the
    44  annotation is a
    45  `Label Selector <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors>`__.
    46  
    47  Enable and use Node IPAM
    48  ------------------------
    49  
    50  To use this feature your service must be of type ``LoadBalancer`` and have the
    51  `loadBalancerClass <https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class>`__
    52  set to ``io.cilium/node``.
    53  
    54  Cilium's node IPAM is disabled by default.
    55  To install Cilium with the node IPAM, run:
    56  
    57  .. parsed-literal::
    58  
    59     helm install cilium |CHART_RELEASE| \\
    60       --namespace kube-system \\
    61       --set nodeIPAM.enabled=true
    62  
    63  To enable node IPAM on an existing installation, run:
    64  
    65  .. parsed-literal::
    66  
    67     helm upgrade cilium |CHART_RELEASE| \\
    68       --namespace kube-system \\
    69       --reuse-values \\
    70       --set nodeIPAM.enabled=true
    71     kubectl -n kube-system rollout restart deployment/cilium-operator