Cilium

Cilium can be installed using Helm. The first step is to add the chart repository:

helm repo add cilium https://helm.cilium.io/
"cilium" has been added to your repositories

Then preload the Cilium image into the Kubernetes worker nodes:

docker pull quay.io/cilium/cilium:v1.16.5
kind load docker-image quay.io/cilium/cilium:v1.16.5 --name home-lab
v1.16.5: Pulling from cilium/cilium
Digest: sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d
Status: Image is up to date for quay.io/cilium/cilium:v1.16.5
quay.io/cilium/cilium:v1.16.5

What's next:
    View a summary of image vulnerabilities and recommendations → docker scout quickview quay.io/cilium/cilium:v1.16.5

Image: "quay.io/cilium/cilium:v1.16.5" with ID "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d" not yet present on node "home-lab-worker", loading...
Image: "quay.io/cilium/cilium:v1.16.5" with ID "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d" not yet present on node "home-lab-control-plane", loading...
Image: "quay.io/cilium/cilium:v1.16.5" with ID "sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d" not yet present on node "home-lab-worker2", loading...

The images preloaded onto a node can be verified with crictl:

docker exec -it home-lab-control-plane crictl images
IMAGE                                           TAG                  IMAGE ID            SIZE
quay.io/cilium/cilium                           <none>               01d6cc4aa7274       212MB
docker.io/kindest/kindnetd                      v20241023-a345ebe4   55b97e1cbb2a3       35.3MB
registry.k8s.io/coredns/coredns                 v1.11.3              2f6c962e7b831       16.9MB
registry.k8s.io/etcd                            3.5.15-0             27e3830e14027       66.5MB
registry.k8s.io/kube-apiserver-arm64            v1.31.2              7db5e8fdce19a       92.6MB
registry.k8s.io/kube-apiserver                  v1.31.2              7db5e8fdce19a       92.6MB
registry.k8s.io/kube-controller-manager-arm64   v1.31.2              d034a1438c8ae       87MB
registry.k8s.io/kube-controller-manager         v1.31.2              d034a1438c8ae       87MB
registry.k8s.io/kube-proxy-arm64                v1.31.2              7e641dea6ec8f       96MB
registry.k8s.io/kube-proxy                      v1.31.2              7e641dea6ec8f       96MB
registry.k8s.io/kube-scheduler-arm64            v1.31.2              4ff74b8997ace       67MB
registry.k8s.io/kube-scheduler                  v1.31.2              4ff74b8997ace       67MB
quay.io/cilium/cilium-envoy                     <none>               a226bca93af4a       59.6MB
docker.io/kindest/local-path-helper             v20230510-486859a6   d022557af8b63       2.92MB
docker.io/kindest/local-path-provisioner        v20240813-c6f155d6   282f619d10d4d       17.4MB
registry.k8s.io/pause                           3.10                 afb61768ce381       268kB

Finally, the CNI plugin can be installed with Helm:

helm install cilium cilium/cilium --version 1.16.5 \
   --namespace kube-system \
   --set image.pullPolicy=IfNotPresent \
   --set ipam.mode=kubernetes
NAME: cilium
LAST DEPLOYED: Fri Dec 27 16:59:19 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.

Your release version is 1.16.5.

For any further help, visit https://docs.cilium.io/en/v1.16/gettinghelp

The installation can be verified with the following command:

kubectl -n kube-system get pods --watch
NAME                                             READY   STATUS    RESTARTS   AGE
cilium-drvt5                                     1/1     Running   0          5m35s
cilium-envoy-65vqs                               1/1     Running   0          5m35s
cilium-envoy-7ls58                               1/1     Running   0          5m35s
cilium-envoy-z48jk                               1/1     Running   0          5m35s
cilium-hltmk                                     1/1     Running   0          5m35s
cilium-llgf7                                     1/1     Running   0          5m35s
cilium-operator-6c4fb78954-fqxvf                 1/1     Running   0          5m35s
cilium-operator-6c4fb78954-tkp77                 1/1     Running   0          5m35s
coredns-7c65d6cfc9-4bhh4                         1/1     Running   0          18m
coredns-7c65d6cfc9-5l6kz                         1/1     Running   0          18m
etcd-home-lab-control-plane                      1/1     Running   0          18m
kube-apiserver-home-lab-control-plane            1/1     Running   0          18m
kube-controller-manager-home-lab-control-plane   1/1     Running   0          18m
kube-proxy-62vsh                                 1/1     Running   0          18m
kube-proxy-85v6f                                 1/1     Running   0          18m
kube-proxy-db228                                 1/1     Running   0          18m
kube-scheduler-home-lab-control-plane            1/1     Running   0          18m

Additionally, tests can be executed to check network connectivity:

kubectl create ns cilium-test
namespace/cilium-test created
kubectl apply -n cilium-test -f https://raw.githubusercontent.com/cilium/cilium/1.16.5/examples/kubernetes/connectivity-check/connectivity-check.yaml
deployment.apps/echo-a created
deployment.apps/echo-b created
deployment.apps/echo-b-host created
deployment.apps/pod-to-a created
deployment.apps/pod-to-external-1111 created
deployment.apps/pod-to-a-denied-cnp created
deployment.apps/pod-to-a-allowed-cnp created
deployment.apps/pod-to-external-fqdn-allow-google-cnp created
deployment.apps/pod-to-b-multi-node-clusterip created
deployment.apps/pod-to-b-multi-node-headless created
deployment.apps/host-to-b-multi-node-clusterip created
deployment.apps/host-to-b-multi-node-headless created
deployment.apps/pod-to-b-multi-node-nodeport created
deployment.apps/pod-to-b-intra-node-nodeport created
service/echo-a created
service/echo-b created
service/echo-b-headless created
service/echo-b-host-headless created
ciliumnetworkpolicy.cilium.io/pod-to-a-denied-cnp created
ciliumnetworkpolicy.cilium.io/pod-to-a-allowed-cnp created
ciliumnetworkpolicy.cilium.io/pod-to-external-fqdn-allow-google-cnp created
kubectl get pods -n cilium-test
NAME                                                    READY   STATUS    RESTARTS   AGE
echo-a-d9f4f8f57-gnwgf                                  1/1     Running   0          62s
echo-b-7cb49646f5-955nk                                 1/1     Running   0          62s
echo-b-host-f4cbc8d47-wmczv                             1/1     Running   0          62s
host-to-b-multi-node-clusterip-5c555886df-n528c         1/1     Running   0          61s
host-to-b-multi-node-headless-859b49fd85-tc5kj          1/1     Running   0          61s
pod-to-a-5568669fc6-bllcp                               1/1     Running   0          62s
pod-to-a-allowed-cnp-66676b4c86-n2wpv                   1/1     Running   0          62s
pod-to-a-denied-cnp-6b65879df6-sbnwx                    1/1     Running   0          62s
pod-to-b-intra-node-nodeport-67c6bb4845-wl69s           1/1     Running   0          60s
pod-to-b-multi-node-clusterip-756ff8996c-nnwxk          1/1     Running   0          61s
pod-to-b-multi-node-headless-5cb4bcf569-bg9dw           1/1     Running   0          61s
pod-to-b-multi-node-nodeport-65b9d6fd7c-znl9l           1/1     Running   0          61s
pod-to-external-1111-8c8ddfcb6-6lvx9                    1/1     Running   0          62s
pod-to-external-fqdn-allow-google-cnp-7f9f7c4b4-9gmpq   1/1     Running   0          62s
kubectl delete ns cilium-test
namespace "cilium-test" deleted

Another way to install Cilium is to use the dedicated CLI tool, cilium:

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
# Default to amd64 (Intel Macs); switch to arm64 on Apple Silicon
CLI_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
echo "Download https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz ..."
curl -L "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz" -O
curl -L "https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum" -O
shasum -a 256 -c "cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum"
sudo tar xzvfC "cilium-darwin-${CLI_ARCH}.tar.gz" /usr/local/bin
rm "cilium-darwin-${CLI_ARCH}.tar.gz"
rm "cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum"
cilium install
🔮 Auto-detected Kubernetes kind: kind
ℹ️  Using Cilium version 1.16.4
🔮 Auto-detected cluster name: kind-home-lab
🔮 Auto-detected kube-proxy has been installed
cilium status --wait
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       disabled
    \__/       ClusterMesh:        disabled

DaemonSet              cilium             Desired: 3, Ready: 3/3, Available: 3/3
DaemonSet              cilium-envoy       Desired: 3, Ready: 3/3, Available: 3/3
Deployment             cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium             Running: 3
                       cilium-envoy       Running: 3
                       cilium-operator    Running: 1
Cluster Pods:          3/3 managed by Cilium
Helm chart version:    1.16.4
Image versions         cilium             quay.io/cilium/cilium:v1.16.4@sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf: 3
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16@sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed: 3
                       cilium-operator    quay.io/cilium/operator-generic:v1.16.4@sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5: 1
cilium connectivity test
ℹ️  Monitor aggregation detected, will skip some flow validation steps
✨ [kind-home-lab] Creating namespace cilium-test-1 for connectivity check...
....
[cilium-test-1] Running 103 tests ...
[=] [cilium-test-1] Test [no-unexpected-packet-drops] [1/103]
...
[=] [cilium-test-1] Test [no-policies] [2/103]
..............................................
[=] [cilium-test-1] Skipping test [no-policies-from-outside] [3/103] (skipped by condition)
[=] [cilium-test-1] Test [no-policies-extra] [4/103]
..................
[=] [cilium-test-1] Test [allow-all-except-world] [5/103]
...........................
[=] [cilium-test-1] Test [client-ingress] [6/103]
......
[=] [cilium-test-1] Test [client-ingress-knp] [7/103]
......
[=] [cilium-test-1] Test [check-log-errors] [103/103]
.........................
✅ [cilium-test-1] All 58 tests (555 actions) successful, 45 tests skipped, 1 scenarios skipped.
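
The shasum -a 256 -c step in the CLI download only protects the install if a failed check stops the sequence; pasted line by line, the sudo tar extraction into /usr/local/bin runs either way. The following is an added example, not part of the original page or the Cilium project, that makes the check fail closed; sha256_of and verify_and_extract are hypothetical helper names, and the sample call in the comment reuses the page's file names.

```bash
#!/usr/bin/env bash
# Added example: extract a downloaded release archive only after its
# SHA-256 digest matches the published .sha256sum file.

# sha256_of FILE: print the hex digest with whichever tool is installed
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_extract ARCHIVE SUMFILE DESTDIR
# Return codes: 0 extracted, 1 digest mismatch, 2 missing file,
#               3 checksum file is not a SHA-256 digest.
verify_and_extract() {
  local archive=$1 sumfile=$2 dest=$3 expected actual
  [ -f "$archive" ] && [ -f "$sumfile" ] || return 2

  # .sha256sum format: "<64 hex chars>  <file name>"
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

  # Reject anything that is not exactly 64 hex characters, for example
  # an HTML error page that curl saved in place of the checksum file.
  case "$expected" in
    ""|*[!0-9a-f]*) return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 3

  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive; not extracting" >&2
    return 1
  fi

  # Only reached when the digest matched.
  mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Usage with the page's file names (extract to a scratch directory first,
# then move the binary into place with sudo):
#   verify_and_extract "cilium-darwin-${CLI_ARCH}.tar.gz" \
#       "cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum" ./cilium-cli \
#     && sudo install -m 0755 ./cilium-cli/cilium /usr/local/bin/cilium
```

Adding -f to the curl calls makes a failed download exit non-zero instead of saving an error page as the archive or checksum file.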