Cilium: Difference between revisions
Latest revision as of 00:23, 9 August 2020
Cilium documentation and downloads can be found at the Cilium project website (https://cilium.io).
Requirements and Flags
- Host nodes need to have a mounted BPF filesystem (https://docs.cilium.io/en/stable/kubernetes/requirements/#mounted-bpf-filesystem)
- kube-controller-manager needs to have automatic node CIDR allocation enabled (https://docs.cilium.io/en/stable/kubernetes/requirements/#enable-automatic-node-cidr-allocation-recommended)
Flag Options
As the IP addresses used for the cluster prefix are typically allocated from RFC1918 private address blocks and are not publicly routable, Cilium will automatically masquerade the source IP address of all traffic that is leaving the cluster. This behavior can be disabled by running cilium-agent with the option --masquerade=false, which is only appropriate when the cluster addresses are routable outside the cluster.
BPF Map Limitations[1]
All BPF maps are created with upper capacity limits. Insertion beyond the limit will fail and thus limits the scalability of the datapath. The following table shows the default values of the maps. Each limit can be bumped in the source code. Configuration options will be added on request if demand arises.
| Map Name | Scope | Default Limit | Scale Implications | 
|---|---|---|---|
| Connection Tracking | node or endpoint | 1M TCP/256K UDP | Max 1M concurrent TCP connections, max 256K expected UDP answers | 
| Endpoints | node | 64k | Max 64k local endpoints + host IPs per node | 
| IP cache | node | 512K | Max 256K endpoints (IPv4+IPv6), max 512k endpoints (IPv4 or IPv6) across all clusters | 
| Load Balancer | node | 64k | Max 64k cumulative backends across all services across all clusters | 
| Policy | endpoint | 16k | Max 16k allowed identity + port + protocol pairs for specific endpoint | 
| Proxy Map | node | 512k | Max 512k concurrent redirected TCP connections to proxy | 
| Tunnel | node | 64k | Max 32k nodes (IPv4+IPv6) or 64k nodes (IPv4 or IPv6) across all clusters | 
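Because an insertion beyond a map's limit simply fails, a full connection-tracking or policy map shows up as dropped connections or policy misses on the node, so the limits above are worth monitoring rather than discovering at an outage. The following is an added example, not code from the page or from the Cilium project: it converts the table's default limits into entry counts, reads the actual `max_entries` of the running maps from `bpftool map show` text, and reports which maps are near capacity. The `bpftool` output, the map names and the entry counts used below are constructed sample data, and the interpretation of the k/M suffixes as 1024-multiples is an assumption.

```python
"""Capacity check for Cilium BPF maps (added example, not Cilium project code).

Inputs are the documented default limits (from the page's table), `bpftool map show`
output (constructed sample here) and current entry counts (constructed sample here).
"""
import re

# Default limits exactly as written in the page's table.
DOC_DEFAULT_LIMITS = {
    "Connection Tracking (TCP)": "1M",
    "Connection Tracking (UDP)": "256K",
    "Endpoints": "64k",
    "IP cache": "512K",
    "Load Balancer": "64k",
    "Policy": "16k",
    "Proxy Map": "512k",
    "Tunnel": "64k",
}

# Assumption: the k/M suffixes in the table are binary multiples (1024), as is
# usual for BPF map sizes. The authoritative value is what bpftool reports.
_SUFFIX = {"k": 1024, "m": 1024 ** 2}


def parse_size(text):
    """Turn a table-style size such as '256K' or '1M' into an entry count."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmM]?)\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _SUFFIX.get(m.group(2).lower(), 1)


def doc_default_limits():
    """Documented defaults as integers, keyed by the table's map names."""
    return {name: parse_size(size) for name, size in DOC_DEFAULT_LIMITS.items()}


# `bpftool map show` prints one id line per map ("3: hash  name X  flags 0x1")
# followed by an indented detail line that carries max_entries.
_MAP_RE = re.compile(r"name\s+(\S+).*?max_entries\s+(\d+)", re.S)


def parse_bpftool_map_show(output):
    """Extract {map_name: max_entries} from `bpftool map show` text.

    Maps without a name (anonymous maps) are skipped.
    """
    limits = {}
    for block in re.split(r"\n(?=\d+:)", output.strip()):
        m = _MAP_RE.search(block)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def headroom_report(counts, limits, warn_at=0.8):
    """Per-map utilisation; 'warn' is set when usage reaches warn_at of the limit.

    counts: {map_name: current entries}; limits: {map_name: max entries}.
    """
    report = {}
    for name, used in counts.items():
        if name not in limits:
            raise KeyError(f"no limit known for map {name!r}")
        limit = limits[name]
        ratio = used / limit
        report[name] = {
            "used": used,
            "limit": limit,
            "ratio": round(ratio, 3),
            "warn": ratio >= warn_at,
        }
    return report


# Constructed sample of `bpftool map show` output (not captured from a real node).
SAMPLE_BPFTOOL = """\
3: hash  name cilium_ct4_global  flags 0x1
\tkey 14B  value 56B  max_entries 1048576  memlock 0B
4: hash  name cilium_ct_any4_global  flags 0x1
\tkey 14B  value 56B  max_entries 262144  memlock 0B
5: lpm_trie  name cilium_ipcache  flags 0x1
\tkey 24B  value 12B  max_entries 524288  memlock 0B
"""

# Constructed sample entry counts (e.g. from counting `cilium bpf ct list` rows).
SAMPLE_COUNTS = {"cilium_ct4_global": 900_000, "cilium_ipcache": 1_000}


if __name__ == "__main__":
    limits = parse_bpftool_map_show(SAMPLE_BPFTOOL)
    for name, row in headroom_report(SAMPLE_COUNTS, limits).items():
        flag = "WARN" if row["warn"] else "ok"
        print(f"{name:24s} {row['used']:>8d}/{row['limit']:<8d} {row['ratio']:.1%} {flag}")
```

Keying the check on `bpftool`'s `max_entries` rather than on the documented defaults matters because, as the page notes, the limits can be changed in the source code; a build with bumped limits would otherwise be reported against the wrong ceiling.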
- [1] Cilium Documentation, "BPF Map Limitations" (https://cilium.readthedocs.io/en/stable/architecture/#bpf-map-limitations): documentation on Cilium BPF maps and their limitations.