Starting from Cilium 1.8, the Kubernetes HostPort feature is supported natively through Cilium’s eBPF-based kube-proxy replacement. CNI chaining is therefore not needed anymore. For more information, see section Container hostPort support.
However, for the case where Cilium is deployed as
the HostPort feature can then be enabled via CNI chaining with the portmap plugin which
implements HostPort. This guide documents how to enable the latter for the chaining
For more general information about the Kubernetes HostPort feature, check out the upstream documentation: Kubernetes hostPort-CNI plugin documentation.
Before using HostPort, read the Kubernetes Configuration Best Practices to understand the implications of this feature.
Deploy Cilium with the portmap plugin enabled
First, make sure you have Helm 3 installed.
If you have (or plan to have) Helm 2 charts (and Tiller) in the same cluster, there should be no issue, as both versions are mutually compatible in order to support gradual migration. The Cilium chart targets Helm 3 (v3.0.3 and above).
Download the Cilium release tarball and change to the kubernetes install directory:
    curl -LO https://github.com/cilium/cilium/archive/master.tar.gz
    tar xzf master.tar.gz
    cd cilium-master/install/kubernetes
Deploy Cilium release via Helm:
    helm install cilium ./cilium \
      --namespace=kube-system \
      --set cni.chainingMode=portmap
You can combine the
cni.chainingMode=portmap option with any of
the other installation guides.
As Cilium is deployed as a DaemonSet, it will write a new CNI configuration
05-cilium.conflist and remove the standard
05-cilium.conf. The new
configuration now enables HostPort. Any new pod scheduled is now able to make
use of the HostPort functionality.
Restart existing pods
The new CNI chaining configuration will not apply to any pod that is already running in the cluster. Existing pods will be reachable and Cilium will load-balance to them, but policy enforcement will not apply to them and load-balancing is not performed for traffic originating from existing pods. You must restart these pods in order to invoke the chaining configuration on them.
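To find the pods that still run without the chaining configuration, the following added example (not part of the Cilium documentation) filters `kubectl get pods -A -o json` output for pods started before the configuration was in place. The cutoff time, the sample pod list and the function names are assumptions made for illustration; host-network pods are skipped because they are not set up through the CNI.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `kubectl get pods -A -o json` (fields trimmed).
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "web-old"}, "spec": {"nodeName": "node-1"},
  "status": {"phase": "Running", "startTime": "2020-05-01T09:00:00Z"}},
 {"metadata": {"namespace": "default", "name": "web-new"}, "spec": {"nodeName": "node-1"},
  "status": {"phase": "Running", "startTime": "2020-05-01T13:30:00Z"}},
 {"metadata": {"namespace": "kube-system", "name": "node-agent"},
  "spec": {"nodeName": "node-1", "hostNetwork": true},
  "status": {"phase": "Running", "startTime": "2020-05-01T08:00:00Z"}},
 {"metadata": {"namespace": "batch", "name": "report-done"}, "spec": {"nodeName": "node-2"},
  "status": {"phase": "Succeeded", "startTime": "2020-05-01T07:00:00Z"}},
 {"metadata": {"namespace": "batch", "name": "queued"}, "spec": {}, "status": {"phase": "Pending"}}
]}""")

# Assumed cutoff: the time 05-cilium.conflist was in place on every node.
CHAINING_ENABLED_AT = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)

def parse_ts(value):
    """Parse the UTC timestamp format used in pod status (e.g. 2020-05-01T09:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pods_needing_restart(pod_list, enabled_at):
    """Return sorted (namespace, name, node) for pods started before enabled_at."""
    stale = []
    for pod in pod_list.get("items", []):
        meta, spec, status = pod["metadata"], pod.get("spec", {}), pod.get("status", {})
        if spec.get("hostNetwork"):
            continue  # uses the node's network namespace, not set up through the CNI
        if status.get("phase") in ("Succeeded", "Failed"):
            continue  # finished pods carry no traffic
        started = status.get("startTime")
        if started is None:
            continue  # not yet acknowledged by a kubelet, will start under the new config
        # startTime predates sandbox creation, so this errs toward flagging a pod.
        if parse_ts(started) < enabled_at:
            stale.append((meta["namespace"], meta["name"], spec.get("nodeName")))
    return sorted(stale)

if __name__ == "__main__":
    for ns, name, node in pods_needing_restart(SAMPLE_PODS, CHAINING_ENABLED_AT):
        print(f"restart {ns}/{name} on {node}")
```

On a live cluster, replace `SAMPLE_PODS` with the parsed output of `kubectl get pods -A -o json` and set the cutoff to the time the rollout finished.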