github.com/imran-kn/cilium-fork@v1.6.9/Documentation/gettingstarted/cni-chaining-aws-cni.rst (about)

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

*******
AWS-CNI
*******

This guide explains how to set up Cilium in combination with aws-cni. In this
hybrid mode, the aws-cni plugin is responsible for setting up the virtual
network devices as well as address allocation (IPAM) via ENI. After the initial
networking is set up, the Cilium CNI plugin is called to attach BPF programs to
the network devices set up by aws-cni. These programs enforce network policies
and perform load-balancing and encryption.

.. image:: aws-cni-architecture.png

Setup Cluster on AWS
====================

Follow the instructions in the :ref:`k8s_install_eks` guide to set up an EKS
cluster or use any other method of your preference to set up a Kubernetes
cluster.

Ensure that the `aws-vpc-cni-k8s <https://github.com/aws/amazon-vpc-cni-k8s>`__
plugin is installed. If you have set up an EKS cluster, this is automatically
done.

.. include:: k8s-install-download-release.rst

Generate the required YAML files and deploy them:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.cni.chainingMode=aws-cni \
     --set global.masquerade=false \
     --set global.tunnel=disabled \
     --set global.nodeinit.enabled=true \
     > cilium.yaml
   kubectl apply -f cilium.yaml

This enables chaining with the aws-cni plugin and disables tunneling.
Tunneling is not required because ENI IP addresses can be routed directly in
your VPC. Masquerading can be disabled for the same reason.

Restart existing pods
=====================

The new CNI chaining configuration will *not* apply to any pod that is already
running in the cluster. Existing pods remain reachable and Cilium load-balances
traffic to them, but policy enforcement does not apply to them and
load-balancing is not performed for traffic that originates from them.
You must restart these pods in order to invoke the chaining configuration on
them.

If you are unsure whether a pod is managed by Cilium, run ``kubectl get cep``
in the respective namespace and see if the pod is listed.
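
The check described above, extended to every namespace, as an added example
that is not part of the Cilium documentation: it lists running pods that have
no CiliumEndpoint (CEP) and therefore still need a restart before policy is
enforced on them. It assumes that a CEP has the same namespace and name as its
pod and that host-network pods never receive one; the function names and the
sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report running pods that have no CiliumEndpoint (CEP).
# Assumption: a CEP has the same namespace/name as the pod it represents.

# $1: pod list, one "namespace/name hostNetwork" per line
# $2: CEP list, one "namespace/name" per line
# Host-network pods are skipped (assumed never to receive a CEP).
unmanaged_pods() {
  awk 'FILENAME == ARGV[1] { cep[$1] = 1; next }
       $2 != "true" && !($1 in cep) { print $1 }' "$2" "$1"
}

# Collect both lists from a live cluster and compare them.
audit_cluster() {
  tmp=$(mktemp -d) || return 1
  kubectl get pods --all-namespaces --field-selector=status.phase=Running \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" "}{.spec.hostNetwork}{"\n"}{end}' \
    > "$tmp/pods" &&
  kubectl get cep --all-namespaces \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{end}' \
    > "$tmp/ceps" &&
  unmanaged_pods "$tmp/pods" "$tmp/ceps"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Offline run on constructed sample data (not output from a real cluster).
demo() {
  tmp=$(mktemp -d) || return 1
  printf '%s\n' 'kube-system/aws-node-x7k2p true' 'kube-system/cilium-4hz9q true' \
    'kube-system/coredns-6f647f5754-abcde' 'default/web-7d4b9c-old1' \
    'default/web-7d4b9c-new2' > "$tmp/pods"
  printf '%s\n' 'default/web-7d4b9c-new2' > "$tmp/ceps"
  unmanaged_pods "$tmp/pods" "$tmp/ceps"
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Default to the offline demo; pass --live to query the current cluster.
if [ "${1:-}" = "--live" ]; then audit_cluster; else demo; fi
```

Run it with ``--live`` against the current kubectl context; an empty result
means every running pod outside the host network has a CEP.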

.. include:: k8s-install-validate.rst