
kube-vip-cilium-watcher

This operator is meant for environments where Cilium manages both ingress and egress traffic.

Description

Because of a limitation of CiliumEgressGatewayPolicy, it is not possible to build a proper HA setup in which a policy defines two egress IPs or the egress IP moves automatically from one node to another. You can instead use kube-vip to create a virtual IP that is moved from one node to another on failure. When kube-vip places a Service's VIP on a node, it annotates that Service with the kube-vip.io/vipHost annotation. This operator watches for that annotation and updates the matching CiliumEgressGatewayPolicy so that its nodeSelector selects the node currently holding the VIP, which gives you a floating egress IP.

Installation

You can use Helm and the default settings to install the operator:

helm upgrade -i kube-vip-watcher --create-namespace --namespace kube-vip-watcher \
     oci://registry-1.docker.io/angeloxx/kube-vip-cilium-watcher --version 0.0.6-helm

Configure

Configure the Service as a virtual IP managed by kube-vip. The Service must be of type LoadBalancer and must set

spec.loadBalancerClass: "kube-vip.io/kube-vip-class"

in order to let kube-vip manage the service. Additionally the annotation:

kube-vip.io/cilium-egress-watcher: "true"

has to be added to the Service. Every node that runs kube-vip must carry the label:

kube-vip.io/host: "<host-shortname>"

Every CiliumEgressGatewayPolicy whose spec.egressGateway.egressIP equals the Service's load balancer IP is reconfigured with a spec.egressGateway.nodeSelector that matches the "kube-vip.io/host" label of the node currently holding the VIP, so that egress traffic is routed through that node.

Sample

A sample service is:

apiVersion: v1
kind: Service
metadata:
  name: egress-192-168-1-1
  namespace: kube-vip-tier-1
  annotations:
    kube-vip.io/cilium-egress-watcher: "true"
spec:
  type: LoadBalancer
  loadBalancerClass: kube-vip.io/kube-vip-class
  loadBalancerIP: 192.168.1.1
  selector:
    app: pleaseDontMatch
  ports:
  # spec.ports must not be empty; this placeholder port has no backend behind it
  - name: placeholder
    port: 1

This Service, managed by kube-vip, creates the load balancer whose IP is used as the egress address. I suggest dedicating a namespace to the kube-vip instance (or to several instances, if you have to publish these services on different networks) and creating the services in that namespace. The annotation activates the watcher for the Service.

A sample CiliumEgressGatewayPolicy is:

apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
  name: external-dns
spec:
  selectors:
  - podSelector:
      matchLabels:
        io.kubernetes.pod.namespace: external-dns
  destinationCIDRs:
  - "0.0.0.0/0"

  egressGateway:
    nodeSelector:
      matchLabels:
        my/nodes: egress-nodes
    egressIP: 192.168.1.1

When kube-vip assigns the IP to a node, the kube-vip-cilium-watcher operator updates egressGateway.nodeSelector so that it matches that node through the kube-vip.io/host label. You can associate several CiliumEgressGatewayPolicy objects with the same IP; the operator updates all of them.
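The reconciliation described above (annotation on the Service, IP match against the policy, nodeSelector rewrite, and the follow-along on failover) as an added, self-contained Go example. It is not the operator's own code: the Service and EgressPolicy structs are minimal stand-ins for the Kubernetes and Cilium types, the reconcile function and its skip reasons are this example's own, and it assumes the kube-vip.io/vipHost value is used verbatim as the kube-vip.io/host label value and that the selector is replaced rather than merged. The Service and policy data in main are constructed to mirror the README samples.

```go
package main

import (
	"fmt"
	"sort"
)

// Annotation and label keys as documented in the README.
const (
	watcherAnnotation = "kube-vip.io/cilium-egress-watcher" // set by the user on the Service
	vipHostAnnotation = "kube-vip.io/vipHost"               // set by kube-vip when it places the VIP
	hostLabel         = "kube-vip.io/host"                  // set by the user on each kube-vip node
	kubeVipClass      = "kube-vip.io/kube-vip-class"
)

// Service is a minimal stand-in for corev1.Service carrying only the fields
// the watcher needs (constructed for this example, not the operator's types).
type Service struct {
	Name              string
	Annotations       map[string]string
	LoadBalancerClass string
	LoadBalancerIP    string
}

// EgressPolicy is a minimal stand-in for CiliumEgressGatewayPolicy.
type EgressPolicy struct {
	Name         string
	EgressIP     string            // spec.egressGateway.egressIP
	NodeSelector map[string]string // spec.egressGateway.nodeSelector.matchLabels
}

// reconcile applies one Service event to the policy list. It returns the names
// of the policies whose nodeSelector was rewritten, or a reason when the event
// was ignored. Assumption (not confirmed by the README): the vipHost value is
// used verbatim as the label value and the whole selector is replaced.
func reconcile(svc Service, policies []*EgressPolicy) (updated []string, skipped string) {
	if svc.Annotations[watcherAnnotation] != "true" {
		return nil, "service is not annotated for the watcher"
	}
	if svc.LoadBalancerClass != kubeVipClass {
		return nil, "service is not managed by kube-vip"
	}
	host := svc.Annotations[vipHostAnnotation]
	if host == "" {
		return nil, "kube-vip has not placed the VIP on a node yet"
	}
	for _, p := range policies {
		if p.EgressIP != svc.LoadBalancerIP {
			continue // different egress IP: not ours to touch
		}
		if len(p.NodeSelector) == 1 && p.NodeSelector[hostLabel] == host {
			continue // already selects the right node: idempotent
		}
		p.NodeSelector = map[string]string{hostLabel: host}
		updated = append(updated, p.Name)
	}
	sort.Strings(updated)
	return updated, ""
}

func main() {
	// Constructed data mirroring the README samples.
	svc := Service{
		Name:              "egress-192-168-1-1",
		Annotations:       map[string]string{watcherAnnotation: "true"},
		LoadBalancerClass: kubeVipClass,
		LoadBalancerIP:    "192.168.1.1",
	}
	policies := []*EgressPolicy{
		{Name: "external-dns", EgressIP: "192.168.1.1", NodeSelector: map[string]string{"my/nodes": "egress-nodes"}},
		{Name: "unrelated", EgressIP: "192.168.1.2", NodeSelector: map[string]string{"my/nodes": "egress-nodes"}},
	}
	// Simulate kube-vip placing the VIP on node-a, then failing over to node-b.
	for _, node := range []string{"node-a", "node-a", "node-b"} {
		svc.Annotations[vipHostAnnotation] = node
		updated, skipped := reconcile(svc, policies)
		fmt.Printf("vipHost=%s updated=%v skipped=%q selector=%v\n",
			node, updated, skipped, policies[0].NodeSelector)
	}
}
```

Running main shows the selector of external-dns following the VIP from node-a to node-b while the unrelated policy keeps its original selector; the repeated node-a event is a no-op, which is the behaviour you want from a controller that re-reconciles on every Service update.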

License

Copyright 2024 Angelo Conforti.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

kube-vip-cilium-watcher's Issues

spec.ports: Required value

Hello!

Found your project via the Cilium issue, and I just tested it and it seems to be working very nicely, so first of all thanks for doing this!

Minor thing, while deploying this I tried to apply the service you have in your example but it throws an error:

The Service "egress-1" is invalid: spec.ports: Required value

I am not sure if this is a recent change in K8s (I am on 1.29), but it seems the ports are needed. For now I just added a dummy port; anyway there are no services behind, so it might just be a matter of updating the README.
