.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    http://docs.cilium.io

.. _ipvlan:

******************************
IPVLAN based Networking (beta)
******************************

This guide explains how to configure Cilium to set up an ipvlan-based
datapath instead of the default veth-based one.

.. note::

    This is a beta feature. Please provide feedback and file a GitHub issue if
    you experience any problems.

    The feature lacks support for the following, which will be resolved in
    upcoming Cilium releases:

    - IPVLAN L2 mode
    - L7 policy enforcement
    - NAT64
    - IPVLAN with tunneling

.. note::

    The ipvlan-based datapath in L3 mode requires a Linux kernel v4.12 or
    more recent, while L3S mode, in addition, requires a stable kernel with
    the fix mentioned in this document (see below).

.. include:: k8s-install-download-release.rst

Generate the required YAML file and deploy it:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.datapathMode=ipvlan \
     --set global.ipvlan.masterDevice=eth0 \
     --set global.tunnel=disabled \
     > cilium.yaml

The master ipvlan device must be specified. It typically points to a
networking device that faces the external network. This is done by
setting ``global.ipvlan.masterDevice`` to the name of the networking device,
such as ``"eth0"`` or ``"bond0"``. Be aware that this option is used by all
nodes, so the device name must be consistent on all nodes where you are going
to deploy Cilium.

The ipvlan datapath only supports direct routing mode right now, therefore
tunneling must be disabled by setting ``global.tunnel`` to ``"disabled"``.

To make ipvlan work between hosts, routes on each host have to be installed
either manually or automatically by Cilium. The latter can be enabled
by setting ``global.autoDirectNodeRoutes`` to ``"true"``.

The ``global.installIptablesRules`` parameter is optional. If it is set to
``"false"``, Cilium will not install any iptables rules, which are
mainly for interaction with kube-proxy, and it will additionally set up
ipvlan in L3 mode. In the default case, where
``global.installIptablesRules`` is ``"true"``, ipvlan is operated in L3S mode
such that netfilter in the host namespace is not bypassed. Optionally, the
agent can also be set up for masquerading all traffic leaving the ipvlan
master device if ``global.masquerade`` is set to ``"true"``. Note that in
order for L3S mode to work correctly, a kernel with the following fix is
required: `d5256083f62e <https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=d5256083f62e2720f75bb3c5a928a0afe47d6bc3>`_.
This fix is included in stable kernels ``v4.9.155``, ``4.14.98``, ``4.19.20``,
``4.20.6`` or higher. Without this kernel fix, ipvlan in L3S mode cannot
connect to kube-apiserver.

Masquerading with iptables in L3-only mode is not possible since netfilter
hooks are bypassed in the kernel in this mode, hence L3S (symmetric) had
to be introduced in the kernel at the cost of performance. However, Cilium
supports its own BPF-based masquerading which does not rely in any way on
iptables masquerading. If the ``global.installIptablesRules`` parameter is set
to ``"false"`` and ``global.masquerade`` is set to ``"true"``, then Cilium will
use the more efficient BPF-based masquerading, where ipvlan can remain in
L3 mode (instead of L3S). A Linux kernel v4.16 or higher is required for
BPF-based masquerading.

Example Helm invocation for ipvlan in pure L3 mode:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.datapathMode=ipvlan \
     --set global.ipvlan.masterDevice=bond0 \
     --set global.tunnel=disabled \
     --set global.installIptablesRules=false \
     --set global.l7Proxy.enabled=false \
     --set global.autoDirectNodeRoutes=true \
     > cilium.yaml

Example Helm invocation for ipvlan in L3S mode with iptables
masquerading all traffic leaving the node:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.datapathMode=ipvlan \
     --set global.ipvlan.masterDevice=bond0 \
     --set global.tunnel=disabled \
     --set global.masquerade=true \
     --set global.autoDirectNodeRoutes=true \
     > cilium.yaml

Example Helm invocation for ipvlan in L3 mode with more efficient
BPF-based masquerading instead of iptables-based:

.. code:: bash

   helm template cilium \
     --namespace kube-system \
     --set global.datapathMode=ipvlan \
     --set global.ipvlan.masterDevice=bond0 \
     --set global.tunnel=disabled \
     --set global.masquerade=true \
     --set global.installIptablesRules=false \
     --set global.autoDirectNodeRoutes=true \
     > cilium.yaml

Apply the DaemonSet file to deploy Cilium and verify that it has
come up correctly:

.. parsed-literal::

    kubectl create -f ./cilium.yaml
    kubectl -n kube-system get pods -l k8s-app=cilium
    NAME                READY     STATUS    RESTARTS   AGE
    cilium-crf7f        1/1       Running   0          10m

For further information on Cilium's ipvlan datapath mode, see :ref:`arch_guide`.
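
The kernel requirements in this guide depend on which combination of ``global.installIptablesRules`` and ``global.masquerade`` is chosen. The following preflight check is an added example, not part of the Cilium documentation or code base; the function names ``ver_ge``, ``ipvlan_mode``, ``has_l3s_fix`` and ``check_node`` are hypothetical, the kernel strings are constructed samples, and treating kernel series not listed in this guide (below ``4.20.6``) as lacking the fix is an assumption.

```shell
#!/bin/sh
# Added example: preflight check of the kernel requirements stated in this guide.

# ver_ge A B: succeed when version A >= B (first three numeric fields compared).
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, /[^0-9]+/); split(b, y, /[^0-9]+/)
    for (i = 1; i <= 3; i++)
      if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
    exit 0
  }'
}

# ipvlan_mode INSTALL_IPTABLES_RULES: installIptablesRules=false selects L3,
# the default (true) selects L3S.
ipvlan_mode() {
  if [ "$1" = false ]; then echo L3; else echo L3S; fi
}

# has_l3s_fix KERNEL: fix d5256083f62e is in 4.9.155, 4.14.98, 4.19.20,
# 4.20.6 or higher. Assumption: other series below 4.20.6 lack it.
has_l3s_fix() {
  case "$1" in
    4.9.*)  ver_ge "$1" 4.9.155 ;;
    4.14.*) ver_ge "$1" 4.14.98 ;;
    4.19.*) ver_ge "$1" 4.19.20 ;;
    *)      ver_ge "$1" 4.20.6 ;;
  esac
}

# check_node KERNEL INSTALL_IPTABLES_RULES MASQUERADE: print a verdict.
check_node() {
  mode=$(ipvlan_mode "$2")
  if ! ver_ge "$1" 4.12; then
    echo "FAIL $mode: ipvlan datapath needs kernel >= 4.12"; return 1
  fi
  if [ "$mode" = L3S ] && ! has_l3s_fix "$1"; then
    echo "FAIL L3S: kernel lacks fix d5256083f62e"; return 1
  fi
  if [ "$mode" = L3 ] && [ "$3" = true ] && ! ver_ge "$1" 4.16; then
    echo "FAIL L3: BPF masquerading needs kernel >= 4.16"; return 1
  fi
  echo "OK $mode"
}

# Constructed sample nodes: kernel, installIptablesRules, masquerade.
for node in "4.19.20 true true" "4.14.90 true false" "4.15.0 false true" \
            "5.4.0-42-generic false true"; do
  set -- $node
  printf '%-18s %s\n' "$1" "$(check_node "$1" "$2" "$3")"
done
```

On a node, ``check_node "$(uname -r)" true false`` evaluates the running kernel against the default L3S setup.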