Cilium with Kube-Proxy Replacement Option

2025-05-09 01:20:40 +02:00 · 2024-01-10 15:49:59 -07:00 · 2024-01-10 15:49:59 -07:00 · 21fe613563
commit 21fe613563
parent e09e979d27
3 changed files with 46 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -129,7 +129,7 @@ kubernetes_pod_network:
  # cidr: '192.168.0.0/16'
 ```

-This role currently supports `flannel` (default), `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.
+This role currently supports `flannel` (default), `cilium`, `calico` or `weave` for cluster pod networking. Choose only one for your cluster; converting between them is not done automatically and could result in broken networking; if you need to switch from one to another, it should be done outside of this role.

 ```yaml
 kubernetes_apiserver_advertise_address: ''`
@ -169,6 +169,13 @@ Flannel manifest file to apply to the Kubernetes cluster to enable networking. Y
 kubernetes_calico_manifest_file: https://projectcalico.docs.tigera.io/manifests/calico.yaml
 ```

+Cilium Helm chart values can be specified under `kubernetes_cilium_values`. [Kube Proxy Replacement](https://docs.cilium.io/en/latest/network/kubernetes/kubeproxy-free/) is supported through this method.
+
+```yaml
+kubernetes_cilium_values:
+  kubeProxyReplacement: true
+```
+
 Calico manifest file to apply to the Kubernetes cluster (if using Calico instead of Flannel).

 ## Dependencies
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,6 +13,7 @@ kubernetes_version: '1.25'
 kubernetes_version_rhel_package: '1.25.1'
 kubernetes_cilium_version: '1.14.5'
 kubernetes_cilium_datapath: 'native'
+kubernetes_cilium_values: ""

 kubernetes_role: control_plane

--- a/tasks/control-plane-setup.yml
+++ b/tasks/control-plane-setup.yml
@ -15,7 +15,7 @@
    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
    {{ kubernetes_kubeadm_init_extra_opts }}
  register: kubeadmin_init
-  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined)
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined) and (not kubernetes_cilium_values.kubeProxyReplacement)

 - name: Initialize Kubernetes control plane with kubeadm init and ignore_preflight_errors
  command: >
@ -24,7 +24,26 @@
    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
    {{ kubernetes_kubeadm_init_extra_opts }}
  register: kubeadmin_init
-  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined)
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined) and (not kubernetes_cilium_values.kubeProxyReplacement)
+
+- name: Initialize Kubernetes control plane with kubeadm init without kube-proxy
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    --skip-phases=addon/kube-proxy
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is not defined) and (kubernetes_cilium_values.kubeProxyReplacement)
+
+- name: Initialize Kubernetes control plane with kubeadm init without kube-proxy and ignore_preflight_errors
+  command: >
+    kubeadm init
+    --config {{ kubernetes_kubeadm_kubelet_config_file_path }}
+    --ignore-preflight-errors={{ kubernetes_ignore_preflight_errors }}
+    --skip-phases=addon/kube-proxy
+    {{ kubernetes_kubeadm_init_extra_opts }}
+  register: kubeadmin_init
+  when: (not kubernetes_init_stat.stat.exists) and (kubernetes_ignore_preflight_errors is defined) and (kubernetes_cilium_values.kubeProxyReplacement)

 - name: Print the init output to screen.
  debug:
@ -94,6 +113,15 @@
      loop:
        - ''
        - '.sha256sum'
+
+- name: Write Cilium Helm values to file
+  copy:
+    dest: "/tmp/cilium_helm.yaml"
+    content: "{{ kubernetes_cilium_values | to_yaml }}"
+  when:
+    - kubernetes_pod_network.cni == 'cilium'
+    - not kubernetes_init_stat.stat.exists
+
 - name: Taint nodes with cilium agent-not-ready
  command: kubectl taint nodes --all node.cilium.io/agent-not-ready=true:NoExecute
  when:
@ -106,7 +134,13 @@
  delay: 5

 - name: Configure Cilium networking
-  command: /usr/local/bin/cilium install --version {{ kubernetes_cilium_version }} --datapath-mode {{ kubernetes_cilium_datapath }} 
+  command: >
+    /usr/local/bin/cilium install 
+    --version {{ kubernetes_cilium_version }} 
+    --datapath-mode {{ kubernetes_cilium_datapath }} 
+    --values /tmp/cilium_helm.yaml
+    --set k8sServiceHost="{{ kubernetes_apiserver_advertise_address | default(ansible_default_ipv4.address, true) }}"
+    --set k8sServicePort=6443
  when:
    - kubernetes_pod_network.cni == 'cilium'
    - not kubernetes_init_stat.stat.exists