github.com/datadog/cilium@v1.6.12/Documentation/concepts/datapath.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _concepts_datapath:

********
Datapath
********

.. _aws_eni_datapath:

AWS ENI
=======

The AWS ENI datapath is enabled when Cilium is run with the option
``--ipam=eni``. It is a special-purpose datapath that is useful when running
Cilium in an AWS environment.

Advantages of the model
-----------------------

* Pods are assigned ENI IPs which are directly routable in the AWS VPC. This
  simplifies communication of pod traffic within VPCs and avoids the need for
  SNAT.

* Pod IPs are assigned a security group. The security groups for pods are
  configured per node, which allows node pools to be created and different
  security group assignments to be given to different pods. See section
  :ref:`ipam_eni` for more details.

Disadvantages of this model
---------------------------

* The number of ENI IPs is limited per instance. The limit depends on the EC2
  instance type. This can become a problem when attempting to run a larger
  number of pods on very small instance types.

* Allocation of ENIs and ENI IPs requires interaction with the EC2 API, which is
  subject to rate limiting. This is primarily mitigated via the operator
  design; see section :ref:`ipam_eni` for more details.

Architecture
------------

Ingress
~~~~~~~

1. Traffic is received on one of the ENIs attached to the instance, which is
   represented on the node as interface ``ethN``.

2. An IP routing rule ensures that traffic to all local pod IPs is looked up
   in the main routing table:

   .. code-block:: bash

       20:	from all to 192.168.105.44 lookup main

3. The main routing table contains an exact match route that steers traffic
   into a veth pair which is hooked into the pod:

   .. code-block:: bash

       192.168.105.44 dev lxc5a4def8d96c5

4. All traffic passing ``lxc5a4def8d96c5`` on the way into the pod is subject
   to Cilium's BPF program, which enforces network policies, provides service
   reverse load-balancing, and provides visibility.

Egress
~~~~~~

1. The pod's network namespace contains a default route which points to the
   node's router IP via the veth pair, which is named ``eth0`` inside the pod
   and ``lxcXXXXXX`` in the host namespace. The router IP is allocated from the
   ENI address space, which allows ICMP errors to be sent from the router IP
   for Path MTU discovery purposes.

2. After passing through the veth pair and before reaching the Linux routing
   layer, all traffic is subject to Cilium's BPF program to enforce network
   policies, implement load-balancing and provide networking features.

3. An IP routing rule ensures that traffic from each individual endpoint uses
   a routing table specific to the ENI from which the endpoint IP was
   allocated:

   .. code-block:: bash

       30:	from 192.168.105.44 to 192.168.0.0/16 lookup 92

4. The ENI-specific routing table contains a default route which redirects
   to the router of the VPC via the ENI interface:

   .. code-block:: bash

       default via 192.168.0.1 dev eth2
       192.168.0.1 dev eth2


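Verifying that a node's routing state really matches the ingress and egress steps above is a useful audit, since a missing or misordered rule silently bypasses the ENI table. The following is an added example (not Cilium code) that parses captured ``ip rule show`` and ``ip route show table <id>`` output and reports findings for one pod IP; the sample output is constructed from the pod IP, device name and table id quoted on this page, and the VPC CIDR 192.168.0.0/16 is assumed from the egress rule shown.

```python
import re
# Constructed `ip rule show` output mirroring the rules quoted above.
IP_RULE_OUTPUT = """\
0:\tfrom all lookup local
20:\tfrom all to 192.168.105.44 lookup main
30:\tfrom 192.168.105.44 to 192.168.0.0/16 lookup 92
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# Constructed `ip route show table main` / `... table 92` output.
ROUTE_TABLES = {
    "main": "default via 192.168.0.1 dev eth0\n192.168.105.44 dev lxc5a4def8d96c5\n",
    "92": "default via 192.168.0.1 dev eth2\n192.168.0.1 dev eth2\n",
}
RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: to (\S+))? lookup (\S+)$")

def parse_rules(text):
    """Yield (priority, src, dst_or_None, table) for each `ip rule` line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def parse_routes(text):
    """Yield (prefix, gateway_or_None, dev_or_None) for each `ip route` line."""
    for p in (l.split() for l in text.splitlines() if l.strip()):
        via = p[p.index("via") + 1] if "via" in p else None
        dev = p[p.index("dev") + 1] if "dev" in p else None
        yield p[0], via, dev

def audit_pod_ip(pod_ip, rule_text, tables, vpc_cidr):
    """Return findings for one pod IP; an empty list means both paths are wired as described."""
    findings, rules = [], list(parse_rules(rule_text))
    # Ingress: a 'to <pod> lookup main' rule plus an exact-match main route into the lxc veth.
    if not any(dst == pod_ip and tbl == "main" for _, _, dst, tbl in rules):
        findings.append("ingress: no 'to %s lookup main' rule" % pod_ip)
    if not any(pfx == pod_ip and (dev or "").startswith("lxc") for pfx, _, dev in parse_routes(tables.get("main", ""))):
        findings.append("ingress: main table has no %s route to an lxc device" % pod_ip)
    # Egress: a 'from <pod> to <vpc>' rule that must sort before the catch-all main lookup.
    egress = [(pr, tbl) for pr, src, dst, tbl in rules if src == pod_ip and dst == vpc_cidr]
    if not egress:
        return findings + ["egress: no 'from %s to %s' rule" % (pod_ip, vpc_cidr)]
    prio, table = egress[0]
    catchall = min((pr for pr, src, dst, tbl in rules if src == "all" and dst is None and tbl == "main"), default=32766)
    if prio >= catchall:
        findings.append("egress: rule priority %d sorts after the main lookup (%d)" % (prio, catchall))
    # The ENI table must default-route via the VPC router out of an ENI (ethN) interface.
    if not any(pfx == "default" and gw and (dev or "").startswith("eth") for pfx, gw, dev in parse_routes(tables.get(table, ""))):
        findings.append("egress: table %s has no default route via an ethN ENI" % table)
    return findings
```

On a live node the same checks run over the real ``ip rule show`` and ``ip route show table <id>`` output captured for each ``CiliumNode`` ENI table.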
Configuration
-------------

The AWS ENI datapath is enabled by setting the following options:

.. code-block:: yaml

        ipam: eni
        blacklist-conflicting-routes: "false"
        enable-endpoint-routes: "true"
        auto-create-cilium-node-resource: "true"
        egress-masquerade-interfaces: eth+

* ``ipam: eni`` enables the ENI-specific IPAM backend and indicates to the
  datapath that ENI IPs will be used.

* ``blacklist-conflicting-routes: "false"`` disables blacklisting of local
  routes. This is required because routes covering ENI IPs will exist that
  point to interfaces not owned by Cilium. If blacklisting is not disabled, all
  ENI IPs would be considered used by another networking component.

* ``enable-endpoint-routes: "true"`` enables direct routing to the ENI
  veth pairs without requiring routing via the ``cilium_host`` interface.

* ``auto-create-cilium-node-resource: "true"`` enables the automatic creation of
  the ``CiliumNode`` custom resource with all required ENI parameters. It is
  possible to disable this and provide the custom resource manually.

* ``egress-masquerade-interfaces: eth+`` is the interface selector for all
  interfaces which are subject to masquerading. Masquerading can be disabled
  entirely with ``masquerade: "false"``.

See the section :ref:`ipam_eni` for details on how to configure ENI IPAM
specific parameters.
   135  specific parameters.
   136