From 19bf4a6e9c2017a781ad162145022e23c020d70a Mon Sep 17 00:00:00 2001 From: Alejandro Pedraza Date: Tue, 25 Jun 2024 10:21:29 -0500 Subject: [PATCH 1/3] Add notes about Cilium's exclusive mode Closes linkerd/linkerd2#11597 --- linkerd.io/content/2.15/features/cni.md | 7 +++++++ .../content/2.15/reference/cluster-configuration.md | 11 +++++++++++ 2 files changed, 18 insertions(+) diff --git a/linkerd.io/content/2.15/features/cni.md b/linkerd.io/content/2.15/features/cni.md index 999e5443fb..b9f5478bb8 100644 --- a/linkerd.io/content/2.15/features/cni.md +++ b/linkerd.io/content/2.15/features/cni.md @@ -25,6 +25,13 @@ plugin, using _CNI chaining_. It handles only the Linkerd-specific configuration and does not replace the need for a CNI plugin. {{< /note >}} +{{< note >}} +If you're installing Linkerd's CNI on top of Cilium, make sure to install the +latter with the option `cni.exclusive=false`, so Cilium doesn't take ownership +over the CNI configurations directory, and allows other plugins to deploy their +configurations there. +{{< /note >}} + ## Installation Usage of the Linkerd CNI plugin requires that the `linkerd-cni` DaemonSet be diff --git a/linkerd.io/content/2.15/reference/cluster-configuration.md b/linkerd.io/content/2.15/reference/cluster-configuration.md index b7d7ac6364..99172cd797 100644 --- a/linkerd.io/content/2.15/reference/cluster-configuration.md +++ b/linkerd.io/content/2.15/reference/cluster-configuration.md @@ -78,6 +78,8 @@ gcloud compute firewall-rules describe gke-to-linkerd-control-plane ## Cilium +### Turn Off Socket-Level Load Balancing + Cilium can be configured to replace kube-proxy functionality through eBPF. When running in kube-proxy replacement mode, connections to a `ClusterIP` service will be established directly to the service's backend at the socket level (i.e. 
@@ -97,6 +99,15 @@ pods](https://docs.cilium.io/en/v1.13/network/istio/#setup-cilium) through the CLI option `--config bpf-lb-sock-hostns-only=true`, or through the Helm value `socketLB.hostNamespaceOnly=true`. +### Disable Exclusive Mode + +If you're using Cilium as your CNI and then want to install +[linkerd-cni](../../features/cni/) on top of it, make sure you install Cilium +with the option `cni.exclusive=false`. This avoids Cilium taking ownership over +the CNI configurations directory. Other CNI plugins like linkerd-cni install +themselves and operate in chain mode with the other deployed plugins by +deploying their configuration into this directory. + ## Lifecycle Hook Timeout Linkerd uses a `postStart` lifecycle hook for all control plane components, and From eab4284b0e752b3ff707f8cc0c5a38dae7661d9f Mon Sep 17 00:00:00 2001 From: Flynn Date: Tue, 2 Jul 2024 13:42:40 -0400 Subject: [PATCH 2/3] Update linkerd.io/content/2.15/features/cni.md Co-authored-by: William Morgan --- linkerd.io/content/2.15/features/cni.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linkerd.io/content/2.15/features/cni.md b/linkerd.io/content/2.15/features/cni.md index b9f5478bb8..eb8bb38df2 100644 --- a/linkerd.io/content/2.15/features/cni.md +++ b/linkerd.io/content/2.15/features/cni.md @@ -26,7 +26,7 @@ configuration and does not replace the need for a CNI plugin. {{< /note >}} {{< note >}} -If you're installing Linkerd's CNI on top of Cilium, make sure to install the +If you're installing Linkerd's CNI plugin on top of Cilium, make sure to install the latter with the option `cni.exclusive=false`, so Cilium doesn't take ownership over the CNI configurations directory, and allows other plugins to deploy their configurations there. From dfbf2cbb036397fcad6334c330ccd67476876bdb Mon Sep 17 00:00:00 2001 
From: Alejandro Pedraza Date: Mon, 8 Jul 2024 09:10:42 -0500 Subject: [PATCH 3/3] lint --- linkerd.io/content/2.15/features/cni.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/linkerd.io/content/2.15/features/cni.md b/linkerd.io/content/2.15/features/cni.md index eb8bb38df2..0d314e1de9 100644 --- a/linkerd.io/content/2.15/features/cni.md +++ b/linkerd.io/content/2.15/features/cni.md @@ -26,10 +26,10 @@ configuration and does not replace the need for a CNI plugin. {{< /note >}} {{< note >}} -If you're installing Linkerd's CNI plugin on top of Cilium, make sure to install the -latter with the option `cni.exclusive=false`, so Cilium doesn't take ownership -over the CNI configurations directory, and allows other plugins to deploy their -configurations there. +If you're installing Linkerd's CNI plugin on top of Cilium, make sure to install +the latter with the option `cni.exclusive=false`, so Cilium doesn't take +ownership over the CNI configurations directory, and allows other plugins to +deploy their configurations there. {{< /note >}} ## Installation
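Review bot: In the note added to features/cni.md (PATCH 1/3, hunk at -25,6), `cni.exclusive=false` is called only "the option", so a reader cannot tell where to set it. The Cilium section of cluster-configuration.md touched by the same patch distinguishes a CLI option from a Helm value for the socket load balancing setting; say which kind of setting `cni.exclusive` is in the same way, and link this note to the new "Disable Exclusive Mode" section so the two explanations stay in sync.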
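Review bot: The "Disable Exclusive Mode" section added to cluster-configuration.md (PATCH 1/3, hunk at -97,6) only covers the case "make sure you install Cilium with the option `cni.exclusive=false`", and says nothing for a cluster where Cilium is already installed or about what the reader will observe when exclusive mode is left on. Add one sentence on changing the setting for an existing Cilium install and one on the resulting symptom for linkerd-cni, so someone debugging a linkerd-cni install on Cilium can recognise the cause. The last sentence would also read better with the directory named first, for example "Other CNI plugins like linkerd-cni deploy their configuration into this directory in order to operate in chain mode."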
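Review bot: The replacement line in PATCH 2/3, "If you're installing Linkerd's CNI plugin on top of Cilium, make sure to install the", is longer than the other lines of the note, and PATCH 3/3 ("lint") exists only to rewrap it. Rewrap the paragraph in PATCH 2/3 and squash PATCH 3/3 into it, so the series does not carry a commit that fails lint and a follow-up whose message says nothing about the change.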