.. github.com/cilium/cilium@v1.16.2/Documentation/network/servicemesh/gateway-api/host-network-mode.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

Host network mode
*****************

.. note::
    Supported since Cilium 1.16+

Host network mode allows you to expose the Cilium Gateway API Gateway directly
on the host network.
This is useful in cases where a LoadBalancer Service is unavailable, such
as in development environments or environments with cluster-external
loadbalancers.

.. note::
    * Enabling the Cilium Gateway API host network mode automatically disables the LoadBalancer type Service mode. They are mutually exclusive.
    * The listener is exposed on all interfaces (``0.0.0.0`` for IPv4 and/or ``::`` for IPv6), so it is reachable on every address of the node, not only the one you intend to publish.

Host network mode can be enabled via Helm:

.. code-block:: yaml

    gatewayAPI:
      enabled: true
      hostNetwork:
        enabled: true

Once enabled, the host network port for a ``Gateway`` can be specified via
``spec.listeners.port``. Because all Gateways share the host's port space on a
node, the port must be unique across ``Gateway`` resources, and you should
choose a port number higher than ``1023`` (see `Bind to privileged port`_).

.. warning::
    Be aware that misconfiguration might result in port clashes. Configure unique ports that are still available (not already bound by another host service) on all Cilium Nodes where Gateway API listeners are exposed.

Bind to privileged port
=======================

By default, the Cilium L7 Envoy process does not have any Linux capabilities
out-of-the-box and is therefore not allowed to listen on privileged ports.

If you choose a port equal to or lower than ``1023``, ensure that the Helm value
``envoy.securityContext.capabilities.keepCapNetBindService=true`` is configured
and add the capability ``NET_BIND_SERVICE`` to the respective
:ref:`Cilium Envoy container via Helm values<envoy>`:

* Standalone DaemonSet mode: ``envoy.securityContext.capabilities.envoy``
* Embedded mode: ``securityContext.capabilities.ciliumAgent``

Configure the following Helm values to allow privileged port bindings in host
network mode:

.. tabs::

    .. group-tab:: Standalone DaemonSet mode

        .. code-block:: yaml

            gatewayAPI:
              enabled: true
              hostNetwork:
                enabled: true
            envoy:
              enabled: true
              securityContext:
                capabilities:
                  keepCapNetBindService: true
                  envoy:
                  # Add NET_BIND_SERVICE to the list (keep the others!)
                  - NET_BIND_SERVICE

    .. group-tab:: Embedded mode

        .. code-block:: yaml

            gatewayAPI:
              enabled: true
              hostNetwork:
                enabled: true
            envoy:
              securityContext:
                capabilities:
                  keepCapNetBindService: true
            securityContext:
              capabilities:
                ciliumAgent:
                # Add NET_BIND_SERVICE to the list (keep the others!)
                - NET_BIND_SERVICE

Deploy Gateway API listeners on subset of nodes
===============================================

The Cilium Gateway API Envoy listener can be exposed on a specific subset of
nodes. This only works in combination with the host network mode and can be
configured via a node label selector in the Helm values:

.. code-block:: yaml

    gatewayAPI:
      enabled: true
      hostNetwork:
        enabled: true
        nodes:
          matchLabels:
            role: infra
            component: gateway-api

This will deploy the Gateway API Envoy listener only on the Cilium Nodes
matching the configured labels. An empty selector selects all nodes and
continues to expose the functionality on all Cilium nodes.
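The rules spread over this page (listener ports must be unique across Gateways because they share the host port space, ports at or below ``1023`` need ``keepCapNetBindService`` plus ``NET_BIND_SERVICE`` on the container that matches the deployment mode, and the optional ``nodes.matchLabels`` selector decides which nodes expose the listener) are easy to get wrong once several Helm value files and Gateway manifests are involved. The following Python script is an added example, not code from the Cilium project: it models those rules over Helm values and ``Gateway`` objects represented as plain dictionaries, so it can be run offline against rendered values and manifests. The sample values, Gateway and node names, labels and capability lists are constructed for illustration, and ``gatewayClassName: cilium`` is assumed.

```python
"""Offline sanity checks for Cilium Gateway API host network mode.

Added example, not code from the Cilium project. It models the rules stated in
the host-network-mode documentation: every Gateway shares the host port space
on the nodes where the listener is exposed, ports <= 1023 require the
NET_BIND_SERVICE capability, and gatewayAPI.hostNetwork.nodes.matchLabels
restricts which nodes expose the listener (an empty selector means all nodes).
"""
from collections import defaultdict

PRIVILEGED_PORT_MAX = 1023


def _get(d, *path, default=None):
    """Walk nested dicts safely, e.g. _get(v, "gatewayAPI", "hostNetwork", "enabled")."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def host_network_enabled(values):
    return bool(_get(values, "gatewayAPI", "hostNetwork", "enabled", default=False))


def privileged_bind_allowed(values):
    """True if the Helm values grant NET_BIND_SERVICE to the Envoy process.

    Standalone DaemonSet mode (envoy.enabled=true) reads the capability list from
    envoy.securityContext.capabilities.envoy; embedded mode reads it from
    securityContext.capabilities.ciliumAgent. Both modes additionally require
    envoy.securityContext.capabilities.keepCapNetBindService=true.
    """
    if not _get(values, "envoy", "securityContext", "capabilities",
                "keepCapNetBindService", default=False):
        return False
    if _get(values, "envoy", "enabled", default=False):
        caps = _get(values, "envoy", "securityContext", "capabilities", "envoy", default=[])
    else:
        caps = _get(values, "securityContext", "capabilities", "ciliumAgent", default=[])
    return "NET_BIND_SERVICE" in (caps or [])


def check_gateways(values, gateways):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    if not host_network_enabled(values):
        findings.append("gatewayAPI.hostNetwork.enabled is not true; "
                        "listeners are not bound on the host network")
        return findings
    owners = defaultdict(set)  # host port -> Gateways that claim it
    for gw in gateways:
        name = f"{gw['metadata']['namespace']}/{gw['metadata']['name']}"
        for listener in _get(gw, "spec", "listeners", default=[]):
            port = listener["port"]
            owners[port].add(name)  # one Gateway may reuse a port across its own listeners
            if port <= PRIVILEGED_PORT_MAX and not privileged_bind_allowed(values):
                findings.append(f"{name}: listener {listener['name']} uses privileged port "
                                f"{port} but NET_BIND_SERVICE is not configured in Helm values")
    for port in sorted(owners):
        if len(owners[port]) > 1:
            findings.append(f"host port {port} is claimed by more than one Gateway: "
                            + ", ".join(sorted(owners[port])))
    return findings


def nodes_exposing_listener(values, nodes):
    """Names of nodes whose labels match gatewayAPI.hostNetwork.nodes.matchLabels."""
    selector = _get(values, "gatewayAPI", "hostNetwork", "nodes", "matchLabels", default={}) or {}
    return [n["name"] for n in nodes
            if all(n["labels"].get(k) == v for k, v in selector.items())]


# Constructed sample input (not taken from a real cluster); gatewayClassName "cilium" is assumed.
SAMPLE_VALUES = {
    "gatewayAPI": {"enabled": True,
                   "hostNetwork": {"enabled": True, "nodes": {"matchLabels": {"role": "infra"}}}},
    "envoy": {"enabled": True,  # standalone DaemonSet mode
              "securityContext": {"capabilities": {"keepCapNetBindService": True,
                                                   "envoy": ["NET_ADMIN", "NET_BIND_SERVICE"]}}},
}
SAMPLE_GATEWAYS = [
    {"metadata": {"name": "edge", "namespace": "ingress"},
     "spec": {"gatewayClassName": "cilium",
              "listeners": [{"name": "https", "protocol": "HTTPS", "port": 443}]}},
    {"metadata": {"name": "dev-a", "namespace": "dev"},
     "spec": {"gatewayClassName": "cilium",
              "listeners": [{"name": "http", "protocol": "HTTP", "port": 8080}]}},
    {"metadata": {"name": "dev-b", "namespace": "dev"},  # clashes with dev-a on port 8080
     "spec": {"gatewayClassName": "cilium",
              "listeners": [{"name": "http", "protocol": "HTTP", "port": 8080}]}},
]
SAMPLE_NODES = [
    {"name": "infra-1", "labels": {"role": "infra"}},
    {"name": "worker-1", "labels": {"role": "worker"}},
]

if __name__ == "__main__":
    for finding in check_gateways(SAMPLE_VALUES, SAMPLE_GATEWAYS):
        print("FINDING:", finding)
    print("listener exposed on:", nodes_exposing_listener(SAMPLE_VALUES, SAMPLE_NODES))
```

With the sample data the script reports only the ``8080`` clash between ``dev/dev-a`` and ``dev/dev-b``; the ``443`` listener passes because the standalone-mode values carry ``NET_BIND_SERVICE``. Dropping that capability (or switching to embedded mode without adding it to ``securityContext.capabilities.ciliumAgent``) turns the ``443`` listener into a finding, which is the failure you would otherwise only see as an Envoy bind error on the node.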