Installation k0s Using k0sctl

This guide walks you through installation of Cilium on k0s, an open source, all-inclusive Kubernetes distribution, which is configured with all of the features needed to build a Kubernetes cluster.

Cilium is presently supported on amd64 and arm64 architectures.

Install a Master Node

Ensure you have the k0sctl binary installed locally.

Setup your VMs:

How to do this is out of the scope of this guide, please refer to your favorite virtualization tool. After deploying the VMs, export their IP addresses to environment variables (see example below). These will be used in a later step.

export node1-IP=192.168.2.1 node2-IP=192.168.2.2 node3-IP=192.168.2.3

Prepare the yaml configuration file k0sctl will use:

# The following command assumes the user has deployed 3 VMs
# with the default user "k0s" using the default ssh-key (without passphrase)
k0sctl init --k0s -n "myk0scluster" -u "k0s" -i "~/.ssh/id_rsa" -C "1" "${node1-IP}" "${node2-IP}" "${node3-IP}" > k0s-myk0scluster-config.yaml

Next step is editing k0s-myk0scluster-config.yaml:

# replace
 ...
   provider: kube-router
 ...
# with
 ...
   provider: custom
 ...

Finally apply the config file:

k0sctl apply --config k0s-myk0scluster-config.yaml --no-wait

Note

If running Cilium in Kubernetes Without kube-proxy mode disable kube-proxy in the k0s config file

# edit k0s-myk0scluster-config.yaml

# replace
...
   network:
      kubeProxy:
         disabled: false
...
# with
...
   network:
      kubeProxy:
         disabled: true
...

Configure Cluster Access

For the Cilium CLI to access the cluster in successive steps you will need to generate the kubeconfig file, store it in ~/.kube/k0s-mycluster.config and setting the KUBECONFIG environment variable:

k0sctl kubeconfig --config k0s-myk0scluster-config.yaml > ~/.kube/k0s-mycluster.config
export KUBECONFIG=~/.kube/k0s-mycluster.config

Install Cilium

Warning

Make sure you install cilium-cli v0.15.0 or later. The rest of instructions do not work with older versions of cilium-cli. To confirm the cilium-cli version that’s installed in your system, run:

cilium version --client

See Cilium CLI upgrade notes for more details.

Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-darwin-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}

Clone the Cilium GitHub repository so that the Cilium CLI can access the latest unreleased Helm chart from the main branch:

git clone git@github.com:cilium/cilium.git
cd cilium

Install Cilium by running:

cilium install --chart-directory ./install/kubernetes/cilium

Validate the Installation

To validate that Cilium has been properly installed, you can run

$ cilium status --wait
   /¯¯\
/¯¯\__/¯¯\    Cilium:         OK
\__/¯¯\__/    Operator:       OK
/¯¯\__/¯¯\    Hubble:         disabled
\__/¯¯\__/    ClusterMesh:    disabled
   \__/

DaemonSet         cilium             Desired: 2, Ready: 2/2, Available: 2/2
Deployment        cilium-operator    Desired: 2, Ready: 2/2, Available: 2/2
Containers:       cilium-operator    Running: 2
                  cilium             Running: 2
Image versions    cilium             quay.io/cilium/cilium:v1.9.5: 2
                  cilium-operator    quay.io/cilium/operator-generic:v1.9.5: 2

Run the following command to validate that your cluster has proper network connectivity:

$ cilium connectivity test
ℹ️  Monitor aggregation detected, will skip some flow validation steps
✨ [k8s-cluster] Creating namespace for connectivity check...
(...)
---------------------------------------------------------------------------------------------------------------------
📋 Test Report
---------------------------------------------------------------------------------------------------------------------
✅ 69/69 tests successful (0 warnings)

Note

The connectivity test may fail to deploy due to too many open files in one or more of the pods. If you notice this error, you can increase the inotify resource limits on your host machine (see Pod errors due to “too many open files”).

Congratulations! You have a fully functional Kubernetes cluster with Cilium. 🎉

Next Steps

Setting up Hubble Observability

Inspecting Network Flows with the CLI

Service Map & Hubble UI

Identity-Aware and HTTP-Aware Policy Enforcement

Setting up Cluster Mesh