Cilium Kubernetes CNI Provider, Part 1: Overview of eBPF and Cilium and the Installation Process

@Ognyan Lazarov,
Hi Ognyan, Thank you very much for your very kind words! I truly appreciate your post. Thank you again!

Welcome!
Be well and keep up the stunning work! 👍

Thanks very much!

Thank you!

Many thanks for your kind feedback and glad it was helpful! Thanks again!

Glad it was helpful!

czcams.com/video/5EcVrm01rAU/video.html

Glad you enjoyed it!

You are welcome!

Glad you liked it!

Cilium can be configured to use wiregurad to encrypt POD to POD encryption, it is not enabled by default.

Hi Maciej,
Unfortunately, I couldn't find anything useful in the logs. My guess is that it has something to do with the IP allocation of coredns PODs, if coredens PODs are not healthy, cilium agents PODs will remain in an error/crash state. This was my experience installing (not using kube-proxy). I'd be interested if others run into this. Thanks,

@@TheLearningChannel-Tech Even I have tried to install Cilium as steps mentioned by you. CoreDNS pods was in Container Creating status. Have you modified any steps when you build your LAB? If so, please share what was the step to fix this issue.

Hi Veera,
Tyr explicitly setting the CIDR range and also explicitly enabling ipv4, helm give better control. Also, in addition to master, you must have at least a worker node as Cilium operator expects at least two nodes:
helm install cilium cilium/cilium --version 1.11.3 --namespace kube-system \
--set ipv4.enabled=true \
--set nativeRoutingCIDR="" \
--set kubeProxyReplacement=strict \
--set k8sServiceHost= \
--set k8sServicePort=6443 \

@@TheLearningChannel-Tech Thank You!!!
Could you please advice how to fix the below issue?
cloud_user@k8s-clus1-control:~$ cilium hubble enable
🔑 Found CA in secret cilium-ca
Error: Unable to enable Hubble: unable to retrieve helm values secret kube-system/cilium-cli-helm-values: secrets "cilium-cli-helm-values" not found
cloud_user@k8s-clus1-control:~$

@@veerakumar2831 Try disabling Hubble and install it through hlem:
helm upgrade cilium cilium/cilium --version 1.11.2 \
--namespace kube-system \
--reuse-values \
--set hubble.relay.enabled=true \
--set hubble.enabled=true

Hi,
1- I am not sure which IPs you are referring to, to be sure this is the URL at minute 20:30 czcams.com/video/aLq3O3l2LF4/video.html. There are two IPs, one is the node (192.168.0.35) and the other one is the pod's IP(10.0.0.247). Packets arrive at the node's interface and will be forwarded to the pod if they meet the criteria (destination port is 80).
2- No, the setting is the CNI level.
3- I might cover that in a future video.
Thanks.

Apologies my mistake, it was meant to be 22.20 ! czcams.com/video/aLq3O3l2LF4/video.html
@@TheLearningChannel-Tech

@@skunkworksinc. No, they are end-point IP addresses (Cluster IPs). Think of cluster IPs as load balancers. You really wouldn't want to call a node directly because there is no fault tolerance, if that node goes down, then your service is dead in the water. So, clients call the Cluster IP address of a service which then forwards the call to one of the nodes. The mapping between the Cluster IP and the nodes is either in IPTables or in the case of Cilium (if Kube proxy is disabled) is done in eBPF.

understand your last point, but my understanding on K8S prior to this was the endpoint IP address in etcd are the POD IPs that are currently active for the service... i.e. you have cluster IP which is associated with a set of active endpoints (pods) which you see with kubectl get service/ kubectl describe services (the latter showing the endpoints).....but the addresses you have shown in etcd don't match the PODs, or Cluster IPs.... hence was wondering if you were talking about something different..... ?@@TheLearningChannel-Tech

@@skunkworksinc. Sorry, I meant to say POD IPs in that context, not Cluster IPs. Cluster IPs load balance on POD IPs. Just noticed that the IPs on that screen should be POD IPs, must have copied and pasted them wrong. So that is a typo. In conclusion, the IPs in the service endpoints should have been POD IPs. Thanks for noticing.

Hi, I usually don't but I made an exception as you mentioned it helps with your learning. I uploaded it to the video script files in GitHub, the link is under the video's description, and the file name is "Kube-Cilium-Part1-Intro.pptx". Please remember that this is my intellectual property, so please don't modify or distribute it. Also note that it was you'll need Microsoft Power Point software to view it. Hope this helps.

Thanks for your help, and as always, great contents for beginners!

@@nguyennam870 Welcome.

By firewall I think you mean switching to eBPF. The answer is yes, this is at the kernel level, not hardware layer.

@@TheLearningChannel-Tech maybe you know some utility which prepared for it? Or I should use tc and C language to make that?

@@moshonkin If you already have a cluster that is not using Cilium and you want to switch it to Cilium, I'm afraid there is no easy way that I know of other than creating a brand new cluster using Cilium and then restoring your old cluster to it.

@@TheLearningChannel-Tech noo, I don't have any clusters. I look for replace iptables to some firewall based on ebpf xdp

@@moshonkin I might have misunderstood your question, if you just want to learn eBPF, and looking for tools and getting started, this is a good channel to go to: czcams.com/video/eZp_3EjJdnA/video.html

Hi, I don't have any videos on the subject but you can find info on Kubernetes docs: kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/

Hi,
When you say you block an IP, do you mean blocking like as in a firewall policy and somehow it would create a rule in Cilium's network policy? Nothing that I know. Remember that the goal of CNI policies is to operate independent of the environment they are installed on.

@@TheLearningChannel-Tech In my case is IDS/IPS system like Snort and I want to automate update network policy instead of edit raw .json or .yaml network policy file when update network policy :((. Thank you for answering

Got it. I don't think such automation exists, the issue is that CNI providers such as Celium and Calico have their own syntax and rules when it comes to defining network policies. But it doesn't mean you can't create your own system if you have a development background. I haven't used Snort but I would imagine it generates some sort of alert. A service could be written to constantly monitor the alerts log file and when an update occurs, parses it and looks for keywords you define, and then calls another custom app whose job is to add the rule to the policy file. Since the policy files are written in yaml/json, it wouldn't be too difficult to praise and update them.

@@TheLearningChannel-Tech Thanks for your idea