Cilium BGP Control Plane
BGP Control Plane provides a way for Cilium to advertise routes to connected routers by using the Border Gateway Protocol (BGP). BGP Control Plane makes Pod networks and/or Services reachable from outside the cluster for environments that support BGP. Because BGP Control Plane does not program the datapath, do not use it to establish reachability within the cluster.
Video
For more insights on Cilium’s BGP, check out eCHO episode 101: More BGP fun with Cilium.
Prerequisites
If you are using the older MetalLB-based MetalLB BGP ControlPlane (deprecated) feature, it must be disabled.
Installation
Cilium BGP Control Plane can be enabled with Helm flag bgpControlPlane.enabled
set as true.
$ helm upgrade cilium cilium/cilium --version 1.16.3 \ --namespace kube-system \ --reuse-values \ --set bgpControlPlane.enabled=true $ kubectl -n kube-system rollout restart ds/cilium
Warning
Make sure you install cilium-cli v0.15.0 or later. The rest of instructions do not work with older versions of cilium-cli. To confirm the cilium-cli version that’s installed in your system, run:
cilium version --client
See Cilium CLI upgrade notes for more details.
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-darwin-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
See the full page of releases.
Cilium BGP Control Plane can be enabled with the following command
$ cilium install --version 1.16.3 --set bgpControlPlane.enabled=true
IPv4/IPv6 single-stack and dual-stack setup are supported. Note that the BGP Control Plane can only advertise the route of the address family that the Cilium is configured to use. You cannot advertise IPv4 routes when the Cilium Agent is configured to use only IPv6 address family. Conversely, you cannot advertise IPv6 routes when Cilium Agent is configured to use only IPv4 address family.
Configuring BGP Control Plane
There are two ways to configure the BGP Control Plane. Using legacy CiliumBGPPeeringPolicy
resource,
or using newer BGP resources like CiliumBGPClusterConfig
. Currently, both configuration options are
supported, however CiliumBGPPeeringPolicy
will be deprecated in the future.