cilium-haegress-operator
This operator is used in an environment where you want to use Cilium as Ingress and Egress traffic manager.
Description
Due the limitation of CiliumEgressGatewayPolicy, it is not possible to implement freely an HA solution where the policy
defines two egress IP or the IP is moved automatically from a node to another.
You can use this project to create a virtual IP that is moved from a node to another in case of failure. When kube-vip
associate a service to a node, it annotates associated service with kube-vip.io/vipHost: . This operator
watches for this annotation and updates the CiliumEgressPolicy to select the node where the service is running and
implement a floating egress ip.
Installation
You can use Helm and the default settings to install the operator:
helm upgrade -i kube-vip-watcher --create-namespace --namespace kube-vip-watcher
oci://registry-1.docker.io/angeloxx/cilium-haegress-operator --version 0.0.6-next-51228cb-20240609-dirty-helm
Configure the service as a virtual ip managed by kuve-vip. The Service must be of type LoadBalancer and set
spec.loadBalancerClass: "kube-vip.io/kube-vip-class"
in order to let kube-vip manage the service. Additionally the annotation:
kube-vip.io/cilium-egress-watcher: "true"
has to be added to the Service. You have to add to all nodes that runs kube-vip the label:
kube-vip.io/host: "<host-shortname>"
The CiliumEgressGatewayPolicy(es) that matches the service loadBalancerIps with spec.egressGateway.egressIP will
be reconfigured with a spec.egressGateway.nodeSelector that matches the "kube-vip.io/host" label in order to
route the traffic to that node.
Sample
A sample service is:
apiVersion: v1
kind: Service
metadata:
name: egress-192-168-1-1
namespace: kube-vip-tier-1
annotations:
kube-vip.io/cilium-egress-watcher: "true"
spec:
type: LoadBalancer
loadBalancerClass: kube-vip.io/kube-vip-class
loadBalancerIP: 192.168.1.1
selector:
app: pleaseDontMatch
ports: []
and create the load balancer, managed by kube-vip, with the selected IP as egress. I suggest to create dedicate a namespace
to kube-vip instance (or more instances, if you have to publish these services in different networks) and create the
services in that namespace. The annotation activate the watcher for the service.
A sample CiliumEgressGatewayPolicy is:
apiVersion: cilium.io/v2
kind: CiliumEgressGatewayPolicy
metadata:
name: external-dns
spec:
selectors:
- podSelector:
matchLabels:
io.kubernetes.pod.namespace: external-dns
destinationCIDRs:
- "0.0.0.0/0"
egressGateway:
nodeSelector:
matchLabels:
my/nodes: egress-nodes
egressIP: 192.168.1.1
When kube-vip assigns the IP to a node, the cilium-haegress-operator operator will update the egressGateway.nodeSelector in
order to match the node, using kube-vip.io/host label. You can associate multiple CiliumEgressGatewayPolicy to the same
IP, the operator will support all of them.
License
Copyright 2024 Angelo Conforti.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.