@nyrahul
Last active August 18, 2021 04:11
cilium quick notes for dev VM
# -------[ Cilium installation on GKE ]---------
NATIVE_CIDR="$(gcloud container clusters describe "cluster-core-backend" --zone "us-central1-c" --format 'value(clusterIpv4Cidr)')"
# with hubble-relay
helm install cilium cilium/cilium --version 1.9.6 \
--namespace kube-system \
--set nodeinit.enabled=true \
--set nodeinit.reconfigureKubelet=true \
--set nodeinit.removeCbrBridge=true \
--set cni.binPath=/home/kubernetes/bin \
--set gke.enabled=true \
--set ipam.mode=kubernetes \
--set hubble.relay.enabled=true \
--set hubble.ui.enabled=true \
--set nativeRoutingCIDR=$NATIVE_CIDR
#-----------------------------------------
# Enable debug output for envoy, datapath and flow ... add these to CILIUM_OPTS in /etc/sysconfig/cilium
--debug-verbose=envoy --debug-verbose=datapath --debug-verbose=flow
# Edit cilium configuration at runtime
kubectl edit configmap cilium-config -n kube-system
# Mounting bpffs
minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf
# Port-forward hubble-relay (bound on all interfaces of the dev VM, so reachable from outside it)
kubectl -n cilium port-forward service/hubble-relay --address 0.0.0.0 --address :: 4245:80
# Curl from xwing -> Deathstar
kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
# For loading Cilium from local images
make dev-docker-image
docker images # should list all the newly built images
cp quick-install.yaml loc-install.yaml # then change the image names to the local images and set imagePullPolicy: Never
# Debugging
cilium config debug=true debug-verbose=true
cilium monitor -v
cilium monitor -v -v
cilium endpoint config 1156 debug=true
cilium monitor -t drop # Dropped packets
cilium policy get # Gets all the rules
# Get the list of all packets handled through all bpf policies
sudo cilium bpf policy get --all
# Using direct-routing-mode: /etc/sysconfig/cilium
CILIUM_OPTS=" --debug --pprof --enable-hubble --hubble-listen-address :4244 --enable-k8s-event-handover --k8s-require-ipv4-pod-cidr --auto-direct-node-routes --enable-ipv6-ndp --ipv6-mcast-device enp0s8 --k8s-kubeconfig-path /var/lib/cilium/cilium.kubeconfig --kvstore etcd --kvstore-opt etcd.config=/var/lib/cilium/etcd-config.yml --native-routing-cidr=10.10.20.0/24 --masquerade --tunnel=disabled --enable-ipv4=true"
# Enable delve based debugging for cilium
make clean; make NOSTRIP=1 NOOPT=1; sudo make install
#------------------------------------------[Cilium Visibility Handling]-----------------------
# Agent flag to report policy status in `kubectl get cep`
--endpoint-status=policy
# Check proxy-statistics ... observe .status.policy.proxy-statistics
# 2950 is the endpoint ID of the annotated pod under consideration; get it with `cilium endpoint list`
cilium endpoint get 2950 -o json
# Installing Cilium 1.10.3
https://kloudone.atlassian.net/browse/AK-4548
# Delete unmanaged pods (grep '<none>' skips hostNetwork pods; the rest are restarted so Cilium picks them up)
kubectl get pods --all-namespaces -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HOSTNETWORK:.spec.hostNetwork --no-headers=true | grep '<none>' | awk '{print "-n "$1" "$2}' | xargs -L 1 -r kubectl delete pod
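# Added example, not from the gist: instead of restarting every non-hostNetwork pod, list only the pods Cilium is actually not managing by comparing the pod list against CiliumEndpoint (cep) objects. Unmanaged pods sit outside Cilium network policy until restarted, so this is the set worth checking. Assumes the default behaviour that a managed pod has a CiliumEndpoint of the same name in the same namespace; the sample data below is constructed.

```shell
#!/bin/sh
# Live inputs for the two files would be:
#   kubectl get pods -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,HN:.spec.hostNetwork --no-headers
#   kubectl get cep  -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name --no-headers

# unmanaged_pods PODS_FILE CEP_FILE -> prints "-n <ns> <name>" for each pod that
# does not use the host network and has no CiliumEndpoint (i.e. Cilium is not managing it).
# hostNetwork pods never get a CiliumEndpoint, so they are skipped rather than flagged.
unmanaged_pods() {
  awk 'NR==FNR { managed[$1 "/" $2] = 1; next }
       $3 == "<none>" { key = $1 "/" $2; if (!(key in managed)) print "-n " $1 " " $2 }' "$2" "$1"
}

# Constructed sample data, not real cluster output.
PODS_SAMPLE='default       web-6f7d8          <none>
default       api-9c1e2          <none>
kube-system   cilium-abc12       true
kube-system   coredns-5d4        <none>
monitoring    node-exporter-xyz  true'
CEP_SAMPLE='default       web-6f7d8
kube-system   coredns-5d4'

# Runs the check on the constructed sample: only api-9c1e2 lacks a CiliumEndpoint.
unmanaged_pods_demo() {
  pods=$(mktemp) && ceps=$(mktemp)
  printf '%s\n' "$PODS_SAMPLE" > "$pods"
  printf '%s\n' "$CEP_SAMPLE" > "$ceps"
  unmanaged_pods "$pods" "$ceps"
  rm -f "$pods" "$ceps"
}
```

Once reviewed, the output can be fed to `xargs -L 1 -r kubectl delete pod` exactly as in the one-liner above, restarting only the pods that need it.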