Last updated on: 2023-12-04 07:13:44.

Configuring Cilium CNI

Prerequisites

Before you being configuring Cilium CNI, make sure the following prerequisites are met:

• BIG-IP is licensed and set up as a cluster.
• The networking setup is already complete.
• Supported Cilium Version v1.12.0 or newer.
• Linux version v5.2.0 or newer on all nodes of a Kubernetes cluster.
• Supported CIS version of v2.10.0 or newer.
• Validated Kubernetes Version: v1.24.3
• Cilium CNI is successfully installed and able to allocate a Pod IPaddress from Cilium CNI.

Configure CIS to enable Cilium CNI

The following are deployment parameters required to enable Cilium CNI for VxLAN Tunnelling.

• –cilium-name
• /test/cilium-Vxlan-tunnel-mp
• –pool-member-type
• cluster

Creating VXLAN Tunnels on Kubernetes Cluster for Cilium CNI

Note

CIS supports Cilium CNI >= v1.12.0

CIS supports Cilium CNI only in a ClusterIP Deployment. See Deployment Options for more information.

1. Create a VXLAN profile. In the example below, the profile name is cilium-vxlan-profile.

   tmsh create net tunnels vxlan cilium-vxlan-profile port 8472 flooding-type multipoint
   

   
   
   
   
   
   

2. Create a VXLAN tunnel.

   tmsh create net tunnels tunnel cilium-vxlan-tunnel-mp key 2 profile cilium-vxlan-profile local-address 10.4.1.59 remote-address any
   

   
   
   
   
   
   

3. Create the VXLAN tunnel self IP.

   tmsh create net self cilium-selfip address 10.1.5.15/255.255.0.0 allow-service none vlan cilium-vxlan-tunnel-mp
   

   
   
   
   
   
   

4. Create a default route to route traffic through vxlan-tunnel (i.e. vxlan-tunnel-mp) interface to podCIDR Network of kubernetes cluster.

   tmsh create net route ciliumRoute network 10.0.0.0/16 interface cilium-vxlan-tunnel-mp
   

   
   
   
   

Enabling Static Routes Provisioning by CIS for Cilium CNI

Note

Static-Routes feature is not applicable for CIS NodePort Mode and cannot be provisioned if CIS is deployed in NodePort Mode.

Add the below parameters to ensure VxLAN-related deployment parameters are not provided as part of the CIS deployment.

• –orchestration-cni
• cilium-k8s
• –pool-member-type
• cluster
• –static-routing-mode=true

Note

VxLAN-related deployment parameters: –flannel-name, –cilium-name, –openshift-sdn-name as static-routes don’t require VxLAN Tunnelling or overlay network.

Important

While installing Cilium versions < v1.13.0 make sure to have ipam: cluster-pool, so the k8s nodes have the below annotations in their manifest.

Annotations:

• io.cilium.network.ipv4-cilium-host: 10.42.0.235
• io.cilium.network.ipv4-health-ip: 10.42.0.64
• io.cilium.network.ipv4-pod-cidr: 10.42.0.0/24

Note

CIS creates only FDB entries. ARP entries of the cluster pods are learned dynamically by BIG-IP.

References:

BIG-IP Tunnel Setup for Cilium VTEP Integration

https://github.com/f5devcentral/f5-ci-docs/blob/master/docs/cilium/cilium-bigip-info.rst

https://clouddocs.f5.com/containers/latest/userguide/cilium-config.html?highlight=cilium

Provisioning Static Routes by CIS for OVN-Kubernetes CNI

https://github.com/f5devcentral/f5-cis-docs/tree/main/user_guides/ovn-kubernetes-ha#readme

https://github.com/f5devcentral/f5-cis-docs/tree/main/user_guides/ovn-kubernetes-standalone#readm