Install: Inconsistent Platform Prerequisites for Cilium CNI #15194

Open

danehans opened this issue May 29, 2024 · 5 comments

Comments

@danehans (Contributor)

The Cilium prerequisites differ between Istio and Cilium docs.

The Istio doc should be updated to include the requirement to disable socket load balancing for non-root namespaces.

$ kubectl get configmaps -n kube-system cilium-config -o yaml | grep bpf-lb-sock-hostns
bpf-lb-sock-hostns-only: "true"
@danehans (Contributor, Author)

@bleggett thoughts on codifying these requirements in the cni node install? For example, if the cni node install detects cilium in the cni conf list, it uses kube client to read the values of bpf-lb-sock-hostns and cni-exclusive from the Cilium configmap and logs/fails to install if the values are not as expected.

@bleggett (Contributor)

bleggett commented May 29, 2024

bpf-lb-sock-hostns-only: "true"

I am not 100% sure that this is still required, it's an inherited leftover from the pre-Ambient attempts to get Cilium and Istio working together.

From the description it seems like it might still be required, but I recall trying locally without it at one point and things seemed to work (I might be mistaken tho). If you can confirm it is strictly required still, we can update the docs with the requirement.

Thoughts on codifying these requirements in the cni node install? For example, if the cni node install detects cilium in the cni conf list, it uses kube client to read the values of bpf-lb-sock-hostns and cni-exclusive from the Cilium configmap and logs/fails to install if the values are not as expected.

I don't wanna read cilium's configmaps in istio-cni, but there's no real reason we can't do an istioctl precheck or something that does this.
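The precheck sketched in the two comments above (detect cilium-cni in the CNI conflist, then compare cilium-config values against what Istio expects), written here as an added stand-alone example; it is not istio-cni or istioctl code. The conflist and ConfigMap data are constructed inputs, and the expectation cni-exclusive=false is an assumption for this example, since the thread only quotes bpf-lb-sock-hostns-only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample inputs (not from the thread): a conflist chaining cilium-cni and istio-cni, and cilium-config data.
const sampleConfList = `{"name":"cilium","cniVersion":"0.3.1","plugins":[{"type":"cilium-cni"},{"type":"istio-cni"}]}`
var sampleConfigMapData = map[string]string{"bpf-lb-sock-hostns-only": "false", "cni-exclusive": "true"}

// bpf-lb-sock-hostns-only=true is the value quoted in the thread; cni-exclusive=false is an assumption for this example.
var expectedCiliumConfig = map[string]string{"bpf-lb-sock-hostns-only": "true", "cni-exclusive": "false"}

// ciliumInConfList parses a CNI conflist and reports whether cilium-cni is chained in it.
func ciliumInConfList(conflist []byte) (bool, error) {
	var c struct {
		Plugins []struct{ Type string `json:"type"` } `json:"plugins"`
	}
	if err := json.Unmarshal(conflist, &c); err != nil {
		return false, err
	}
	for _, p := range c.Plugins {
		if p.Type == "cilium-cni" {
			return true, nil
		}
	}
	return false, nil
}

// checkCiliumConfig returns one sorted warning per key whose value differs from the expected one (unset keys read as "").
func checkCiliumConfig(data, expected map[string]string) []string {
	var problems []string
	for key, want := range expected {
		if got := data[key]; got != want {
			problems = append(problems, fmt.Sprintf("cilium-config: %s=%q, expected %q", key, got, want))
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	if found, _ := ciliumInConfList([]byte(sampleConfList)); found {
		for _, p := range checkCiliumConfig(sampleConfigMapData, expectedCiliumConfig) {
			fmt.Println("WARNING:", p)
		}
	}
}
```

In a real precheck the conflist bytes would come from the node's CNI conf directory and the data map from the cilium-config ConfigMap in kube-system, which is what the kubectl command at the top of this issue reads.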

@danehans (Contributor, Author)

I am not 100% sure that this is still required, it's an inherited leftover from the pre-Ambient attempts to get Cilium and Istio working together.

@bleggett I confirmed that bpf-lb-sock-hostns-only is not required for ambient mode.

@bleggett (Contributor)

Nice!

@howardjohn (Member)

Things appear to work since Ambient has better support for direct-to-pod traffic. But it does not work; we still get the packets after LB which breaks a lot of features.
