github.com/imran-kn/cilium-fork@v1.6.9/Documentation/gettingstarted/host-services.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _host-services:

******************************
Host-Reachable Services (beta)
******************************

This guide explains how to configure Cilium to enable services to be
reached from the host namespace.

.. note::

    This is a beta feature. Please provide feedback and file a GitHub issue if
    you experience any problems.

.. note::

   Host-reachable services for TCP and UDP require a v4.19.57, v5.1.16, v5.2.0
   or more recent Linux kernel. Note that v5.0.y kernels do not have the fix
   required to run host-reachable services with UDP, because the v5.0.y stable
   series is end-of-life (EOL) and no longer maintained. For TCP-only
   host-reachable services, a v4.17.0 or newer kernel is required.

.. include:: k8s-install-download-release.rst

Generate the required YAML file and deploy it:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.hostServices.enabled=true \
     > cilium.yaml

If you cannot run a 4.19.57 kernel but have 4.17.0 or newer available, you
can restrict protocol support to TCP only:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.hostServices.enabled=true \
     --set global.hostServices.protocols=tcp \
     > cilium.yaml
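
To decide which of the two ``helm template`` invocations above applies to a given node, the kernel requirements from the note can be turned into a small preflight check. The following Python script is an added example, not part of the Cilium documentation or code base. It encodes the rule exactly as the note states it (TCP and UDP on v4.19.57+, v5.1.16+ or v5.2.0+; TCP only from v4.17.0 upwards) and treats any stable series the note does not list, including v5.0.y, conservatively as TCP-only; it then emits the matching ``--set`` flags. The function names are hypothetical.

```python
"""Preflight check: map a kernel release string to the host-services helm flags.

Added example; encodes the kernel requirements from the note above. Any
stable series not listed there (e.g. v5.0.y) is treated conservatively as
TCP-only, provided it is v4.17.0 or newer.
"""
import re
import subprocess

# Per-series minimum for TCP and UDP support (assumption: taken from the note).
TCP_UDP_SERIES_MINIMUM = {
    (4, 19): (4, 19, 57),
    (5, 1): (5, 1, 16),
}
TCP_UDP_FROM = (5, 2, 0)    # every kernel at or above this supports TCP and UDP
TCP_ONLY_FROM = (4, 17, 0)  # minimum for TCP-only host-reachable services


def parse_kernel_release(release):
    """Turn a `uname -r` string such as '5.4.0-42-generic' into (major, minor, patch).

    Distribution suffixes after the patch level are ignored.
    """
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def supported_protocols(release):
    """Return the set of protocols host-reachable services can use on this kernel.

    An empty set means the kernel is too old for the feature altogether.
    """
    version = parse_kernel_release(release)
    series = version[:2]
    if version >= TCP_UDP_FROM:
        return frozenset({"tcp", "udp"})
    if series in TCP_UDP_SERIES_MINIMUM and version >= TCP_UDP_SERIES_MINIMUM[series]:
        return frozenset({"tcp", "udp"})
    if version >= TCP_ONLY_FROM:
        return frozenset({"tcp"})
    return frozenset()


def helm_host_services_flags(release):
    """Build the `--set` arguments matching the kernel, or [] if unsupported."""
    protocols = supported_protocols(release)
    if not protocols:
        return []
    flags = ["--set", "global.hostServices.enabled=true"]
    if protocols == {"tcp"}:
        # Same restriction as the second helm invocation above.
        flags += ["--set", "global.hostServices.protocols=tcp"]
    return flags


if __name__ == "__main__":
    # Run on the node itself: reads the running kernel and prints the flags.
    running = subprocess.run(["uname", "-r"], capture_output=True,
                             text=True, check=True).stdout
    print(" ".join(helm_host_services_flags(running))
          or "kernel too old for host-reachable services")
```

Run it on each node before rendering the chart; if nodes in the cluster return different flag sets, the TCP-only variant is the one that works everywhere.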

Host-reachable services are transparent to Cilium's lower-layer datapath.
At the connect(2) system call (TCP, connected UDP) and at sendmsg(2) and
recvmsg(2) (UDP), the destination IP is checked against the known service
IPs and one of the service backends is selected as the target. While the
application assumes it is connected to the service address, the corresponding
kernel socket is actually connected to the backend address, so no additional
lower-layer NAT is required.

Deploy Cilium:

.. code:: bash

    kubectl create -f cilium.yaml
    kubectl -n kube-system get pods -l k8s-app=cilium
    NAME                READY     STATUS    RESTARTS   AGE
    cilium-crf7f        1/1       Running   0          10m

Limitations
###########

    * The kernel BPF cgroup hooks operate at the connect(2), sendmsg(2) and
      recvmsg(2) system call layers to connect the application to one of the
      service backends. getpeername(2) does not yet have a BPF hook for
      rewriting socket addresses before they are copied into user space, so
      an application calling it will see the backend address instead of the
      service address. This limitation will be resolved in future kernels.
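
The connect-time translation described earlier and the getpeername(2) limitation above can both be observed from user space. The following Python script is an added example, not Cilium's BPF code: a plain dictionary stands in for the BPF service map, ``select_backend`` models the check performed at connect(2), and an application socket that asks for a constructed service address (10.96.0.10:8080) is connected to a local throwaway backend instead, so that getpeername(2) on that socket reports the backend address. All function names are hypothetical; ``probe_service`` is the one piece you could run unchanged from a node's host namespace against a real ClusterIP to see whether the translation is active there.

```python
"""User-space model of socket-level service translation (added example).

A dict stands in for Cilium's BPF service map; select_backend() models the
check performed at connect(2). Nothing here touches BPF or the kernel maps.
"""
import random
import socket
import threading


def select_backend(service_map, dst, rng=random):
    """Model of the connect-time lookup.

    If dst is a known service address, one backend is chosen and returned with
    translated=True; any other destination passes through unchanged.
    """
    backends = service_map.get(dst)
    if not backends:
        return dst, False
    return rng.choice(backends), True


def start_backend(host="127.0.0.1"):
    """Start a throwaway TCP backend on an ephemeral port; returns its address.

    It serves exactly one connection, sending a single greeting line.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)

    def serve_once():
        conn, _ = server.accept()
        with conn:
            conn.sendall(b"hello from backend\n")
        server.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return server.getsockname()


def connect_through_host_services(service_map, service_addr):
    """Connect the way an application would, with the translation applied.

    The application asks for service_addr; the modelled hook swaps in a
    backend before the real connect(), and the socket's peer address
    afterwards is the backend, not the service (the getpeername(2) limitation).
    """
    real_dst, translated = select_backend(service_map, service_addr)
    with socket.create_connection(real_dst, timeout=5) as sock:
        peer = sock.getpeername()
        payload = sock.recv(64)
    return {
        "requested": service_addr,  # what the application believes it connected to
        "peer": peer,               # what getpeername(2) actually reports
        "translated": translated,
        "payload": payload,
    }


def probe_service(service_addr, timeout=5):
    """Connect to a real service address and report whether getpeername(2)
    returns something other than it, i.e. whether socket-level translation
    is in effect on this host. Needs a reachable service; not exercised here."""
    with socket.create_connection(service_addr, timeout=timeout) as sock:
        return sock.getpeername() != service_addr


if __name__ == "__main__":
    backend = start_backend()
    service = ("10.96.0.10", 8080)  # constructed ClusterIP:port for the demo
    result = connect_through_host_services({service: [backend]}, service)
    print(f"application asked for {result['requested']}, "
          f"getpeername(2) reports {result['peer']}")
```

Any application logic that compares the peer address against the service address it dialled (allow-lists, connection pools keyed by peer, audit logs) will see the backend on kernels without the getpeername(2) hook; the model above makes that visible without a cluster.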