github.com/datadog/cilium@v1.6.12/Documentation/concepts/ipam/crd.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 http://docs.cilium.io 6 7 .. _concepts_ipam_crd: 8 9 ####################### 10 CRD-Backed (Kubernetes) 11 ####################### 12 13 The CRD-backed IPAM mode provides an extendable interface to control the IP 14 address management via a Kubernetes Custom Resource Definition (CRD). This 15 allows to delegate IPAM to external operators or make it user configurable per 16 node. 17 18 ************ 19 Architecture 20 ************ 21 22 .. image:: crd_arch.png 23 :align: center 24 25 When this mode is enabled, each Cilium agent will start watching for a 26 Kubernetes custom resource ``ciliumnodes.cilium.io`` with a name matching the 27 Kubernetes node on which the agent is running. 28 29 Whenever the custom resource is updated, the per node allocation pool is 30 updated with all addresses listed in the ``spec.ipam.available`` field. When an 31 IP is removed that is currently allocated, the IP will continue to be used but 32 will not be available for re-allocation after release. 33 34 Upon allocation of an IP in the allocation pool, the IP is added to the 35 ``status.ipam.inuse`` field. 36 37 .. note:: 38 39 The node status update is limited to run at most once every 15 seconds. 40 Therefore, if several pods are scheduled at the same time, the update of the 41 status section can bag behind. 42 43 ************* 44 Configuration 45 ************* 46 47 The CRD-backed IPAM mode is enabled by setting ``ipam: crd`` in the 48 ``cilium-config`` ConfigMap or by specifying the option ``--ipam=crd``. When 49 enabled, the agent will wait for a ``CiliumNode`` custom resource matching the 50 Kubernetes node name to become available with at least one IP address listed as 51 available. When connectivity health-checking is enabled, at least two IP 52 addresses must be available. 53 54 While waiting, the agent will print the following log message: 55 56 :: 57 58 Waiting for initial IP to become available in '<node-name>' custom resource 59 60 61 For a practical tutorial on how to enable CRD IPAM mode with Cilium, see the 62 section :ref:`gsg_ipam_crd`. 63 64 Privileges 65 ========== 66 67 In order for the custom resource to be functional, the following additional 68 privileges are required. These privileges are automatically granted when using 69 the standard Cilium deployment artifacts: 70 71 .. code-block:: yaml 72 73 apiVersion: rbac.authorization.k8s.io/v1 74 kind: ClusterRole 75 metadata: 76 name: cilium 77 rules: 78 - apiGroups: 79 - cilium.io 80 resources: 81 - ciliumnodes 82 - ciliumnodes/status 83 verbs: 84 - '*' 85 86 ************** 87 CRD Definition 88 ************** 89 90 The CilumNode custom resource is modeled after a standard Kubernetes resource 91 and is split into a ``spec`` and ``status`` section: 92 93 .. code-block:: go 94 95 type CiliumNode struct { 96 [...] 97 98 // Spec is the specification of the node 99 Spec NodeSpec `json:"spec"` 100 101 // Status it the status of the node 102 Status NodeStatus `json:"status"` 103 } 104 105 IPAM Specification 106 ================== 107 108 The ``spec`` section embeds an IPAM specific field which allows to define the 109 list of all IPs which are available to the node for allocation: 110 111 .. code-block:: go 112 113 114 // NodeSpec is the configuration specific to a node 115 type NodeSpec struct { 116 // [...] 117 118 // IPAM is the address management specification. This section can be 119 // populated by a user or it can be automatically populated by an IPAM 120 // operator 121 // 122 // +optional 123 IPAM IPAMSpec `json:"ipam,omitempty"` 124 } 125 126 // IPAMSpec is the IPAM specification of the node 127 type IPAMSpec struct { 128 // Pool is the list of IPs available to the node for allocation. When 129 // an IP is used, the IP will remain on this list but will be added to 130 // Status.IPAM.InUse 131 // 132 // +optional 133 Pool map[string]AllocationIP `json:"pool,omitempty"` 134 } 135 136 // AllocationIP is an IP available for allocation or already allocated 137 type AllocationIP struct { 138 // Owner is the owner of the IP, this field is set if the IP has been 139 // allocated. It will be set to the pod name or another identifier 140 // representing the usage of the IP 141 // 142 // The owner field is left blank for an entry in Spec.IPAM.Pool 143 // and filled out as the IP is used and also added to 144 // Status.IPAM.InUse. 145 // 146 // +optional 147 Owner string `json:"owner,omitempty"` 148 149 // Resource is set for both available and allocated IPs, it represents 150 // what resource the IP is associated with, e.g. in combination with 151 // AWS ENI, this will refer to the ID of the ENI 152 // 153 // +optional 154 Resource string `json:"resource,omitempty"` 155 } 156 157 IPAM Status 158 =========== 159 160 The ``status`` section contains an IPAM specific field. The IPAM status reports 161 all used addresses on that node: 162 163 .. code-block:: go 164 165 // NodeStatus is the status of a node 166 type NodeStatus struct { 167 // [...] 168 169 // IPAM is the IPAM status of the node 170 // 171 // +optional 172 IPAM IPAMStatus `json:"ipam,omitempty"` 173 } 174 175 // IPAMStatus is the IPAM status of a node 176 type IPAMStatus struct { 177 // InUse lists all IPs out of Spec.IPAM.Pool which have been 178 // allocated and are in use. 179 // 180 // +optional 181 InUse map[string]AllocationIP `json:"used,omitempty"` 182 }