Deploying Cilium in a production environment involves careful planning and execution to ensure reliability, security, and performance. This guide will walk you through the process of deploying Cilium in production, offering code snippets and detailed instructions for expert developers.

1. Preparation

System Requirements

Ensure the following prerequisites are met before proceeding:

  • A Kubernetes cluster must be already set up and running.
  • Administrative access to the Kubernetes cluster.
  • Kubernetes version must be compatible with Cilium.

Install necessary tools:

# Install Kubernetes CLI
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl

# Install Cilium CLI
curl -L https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz | tar -xz
sudo mv cilium /usr/local/bin

2. Deploying Cilium

Installing Cilium Using Helm

Cilium provides a Helm chart for easy deployment in Kubernetes. First, add the Cilium Helm repository.

helm repo add cilium https://helm.cilium.io/
helm repo update

Then, install Cilium:

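# Chart 1.9 and later: Hubble values have no "global." prefix, and hubble.metrics.enabled takes a list of metrics
helm install cilium cilium/cilium --version <CILIUM_VERSION> \
  --namespace kube-system \
  --set hubble.enabled=true \
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,http}"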

Replace <CILIUM_VERSION> with the desired release version of Cilium.

Verifying Installation

Once installed, verify that all Cilium pods are running correctly:

kubectl -n kube-system get pods -l k8s-app=cilium

You should see output indicating that the Cilium pods are in the Running state.

3. Configuring Cilium

Network Configuration

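Cilium supports several routing modes. Overlay (tunnel) networking is selected through Helm values, not through annotations. To set it explicitly on an existing release (Cilium 1.14 and later; earlier charts use --set tunnel=vxlan instead):

helm upgrade cilium cilium/cilium --version <CILIUM_VERSION> --namespace kube-system \
  --reuse-values --set routingMode=tunnel --set tunnelProtocol=vxlan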

Applying Network Policies

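Define network policies to restrict traffic within your deployment. Below is a basic policy that admits ingress to pods labelled app: target-app in target-namespace from pods in any namespace carrying the label name: source-namespace. Once this policy selects those pods, all other ingress to them is dropped, and the source namespace must actually carry that label for the rule to match: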

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ns-communication
  namespace: target-namespace
spec:
  podSelector:
    matchLabels:
      app: target-app
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: source-namespace

Apply the network policy:

kubectl apply -f network-policy.yaml
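
To see which traffic the policy above admits before relying on it, the following added example (not part of the original guide or of the Cilium project) models how a single NetworkPolicy's ingress rules are evaluated. The function names and the sample namespace label sets are hypothetical, and only matchLabels selectors and namespaceSelector peers are modelled.

```python
# Added example: a minimal model of Kubernetes NetworkPolicy ingress evaluation.
# Assumption: one policy, matchLabels selectors and namespaceSelector peers only.
POLICY = {  # the policy from this section, transcribed to a dict
    "namespace": "target-namespace",
    "podSelector": {"app": "target-app"},
    "ingress": [{"from": [{"namespaceSelector": {"name": "source-namespace"}}]}],
}

def matches(selector, labels):
    """matchLabels semantics: every selector key/value must be present in labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_allowed(policy, src_ns_labels, dst_ns, dst_pod_labels):
    """True if a pod whose namespace has src_ns_labels may reach the destination pod."""
    selected = dst_ns == policy["namespace"] and matches(policy["podSelector"], dst_pod_labels)
    if not selected:
        return True  # no policy selects this pod, so ingress stays default-allow
    for rule in policy["ingress"]:
        peers = rule.get("from")
        if not peers:
            return True  # a rule without "from" admits every source
        if any("namespaceSelector" in p and matches(p["namespaceSelector"], src_ns_labels)
               for p in peers):
            return True
    return False  # pod is selected and no rule matches: traffic is dropped

# Constructed namespace label sets (sample data, not from a real cluster).
LABELLED = {"name": "source-namespace", "kubernetes.io/metadata.name": "source-namespace"}
AUTO_ONLY = {"kubernetes.io/metadata.name": "source-namespace"}  # custom label never added
SAME_NS = {"kubernetes.io/metadata.name": "target-namespace"}

CASES = [
    ("labelled source namespace", LABELLED, {"app": "target-app"}),
    ("source namespace without the 'name' label", AUTO_ONLY, {"app": "target-app"}),
    ("pod inside target-namespace itself", SAME_NS, {"app": "target-app"}),
    ("unselected pod in target-namespace", AUTO_ONLY, {"app": "other-app"}),
]

def run_cases():
    """Evaluate every constructed case against POLICY; returns {case name: allowed}."""
    return {name: ingress_allowed(POLICY, ns, "target-namespace", pod) for name, ns, pod in CASES}

if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{'ALLOW' if allowed else 'DROP':5}  {name}")
```

The second and third cases are the ones that surprise operators: a namespace that only has the automatic kubernetes.io/metadata.name label does not match, and neither does traffic from inside target-namespace.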

4. Monitoring and Observability

Enabling Hubble

Hubble provides observability features within Cilium-managed environments. Ensure Hubble is enabled and accessible:

cilium hubble enable

Configuring Metrics and Tracing

To leverage metrics for troubleshooting, add Prometheus metrics exporters:

kubectl apply -f prometheus-config.yaml

This will set up your Prometheus instance to scrape metrics from the Cilium pods.

Fetching Metrics

To monitor Cilium metrics via Prometheus:

kubectl port-forward svc/prometheus-k8s 9090:80

You can now access the Prometheus interface at http://localhost:9090.

5. Testing the Setup

Sample Application Deployment

To validate that Cilium is functioning as expected, deploy a simple application:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
      - name: test-app
        image: nginx

Apply the deployment:

kubectl apply -f test-app.yaml

Checking Connectivity

Verify that your application pods can communicate correctly, based on the network policies implemented:

kubectl exec -it <pod-name> -- curl http://<other-pod-ip>

6. Day 2 Operations

Once Cilium is operational, focus on maintaining and scaling your deployment. Monitor Cilium’s performance and ensure your network policies are yielding the desired results.

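The Cilium agent runs as a DaemonSet, one pod per node, so it scales with the cluster and cannot be scaled by replica count. The component that can be scaled is the cilium-operator Deployment:

kubectl scale deployment cilium-operator --replicas=<desired-replicas> -n kube-system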

Regularly review your configuration and adapt based on the unique demands of your workloads.

Conclusion

This guide provides a comprehensive process for deploying Cilium in a production environment. Proper implementation of monitoring and security practices is critical for a successful deployment, ensuring reliable and efficient networking for your Kubernetes applications.

For more extensive use cases and advanced techniques, refer to detailed experiences shared by deployment teams and case studies.
