Requirements

Kubernetes Version

The following Kubernetes versions have been tested in the continuous integration system for this version of Cilium:

  • 1.10
  • 1.11
  • 1.12
  • 1.13
  • 1.14
  • 1.15
  • 1.16

System Requirements

Cilium requires a Linux kernel >= 4.9. See System Requirements for the full details on all systems requirements.

Enable CNI in Kubernetes

CNI - Container Network Interface is the plugin layer used by Kubernetes to delegate networking configuration. CNI must be enabled in your Kubernetes cluster in order to install Cilium. This is done by passing --network-plugin=cni to kubelet on all nodes. For more information, see the Kubernets CNI network-plugins documentation.

Mounted BPF filesystem

This step is required for production environments but optional for testing and development. It allows the cilium-agent to pin BPF resources to a persistent filesystem and make them persistent across restarts of the agent. If the BPF filesystem is not mounted in the host filesystem, Cilium will automatically mount the filesystem but it will be unmounted and re-mounted when the Cilium pod is restarted. This in turn will cause BPF resources to be re-created which will cause network connectivity to be disrupted. Mounting the BPF filesystem in the host mount namespace will ensure that the agent can be restarted without affecting connectivity of any pods.

In order to mount the BPF filesystem, the following command must be run in the host mount namespace. The command must only be run once during the boot process of the machine.

mount bpffs /sys/fs/bpf -t bpf

A portable way to achieve this with persistence is to add the following line to /etc/fstab and then run mount /sys/fs/bpf. This will cause the filesystem to be automatically mounted when the node boots.

bpffs                      /sys/fs/bpf             bpf     defaults 0 0

If you are using systemd to manage the kubelet, see the section Mounting BPFFS with systemd.

kube-dns

The Installation with managed etcd relies on the etcd-operator to manage an etcd cluster. In order for the etcd cluster to be available, the Cilium pod is being run with dnsPolicy: ClusterFirstWithHostNet in order for Cilium to be able to look up Kubernetes service names via DNS. This creates a dependency on kube-dns. If you would like to avoid running kube-dns, choose a different installation method and remove the dnsPolicy field from the DaemonSet.