L7-Aware Traffic Management
Cilium provides a way to control L7 traffic via CRDs (e.g. CiliumEnvoyConfig and CiliumClusterwideEnvoyConfig).
Prerequisites
Cilium must be configured with
kubeProxyReplacementas partial or strict. Please refer to kube-proxy replacement for more details.The minimum supported Kubernetes version for Ingress is 1.19.
Installation
Cilium Ingress Controller can be enabled with helm flag ingressController.enabled
set as true. Please refer to Installation using Helm for a fresh installation.
$ helm upgrade cilium cilium/cilium --version 1.13.1 \
--namespace kube-system \
--reuse-values \
--set ingressController.enabled=true \
--set ingressController.loadbalancerMode=dedicated
$ kubectl -n kube-system rollout restart deployment/cilium-operator
$ kubectl -n kube-system rollout restart ds/cilium
If you only want to use envoy traffic management feature without Ingress support, you should only
enable --enable-envoy-config flag.
$ helm upgrade cilium cilium/cilium --version 1.13.1 \
--namespace kube-system \
--reuse-values \
--set-string extraConfig.enable-envoy-config=true
$ kubectl -n kube-system rollout restart deployment/cilium-operator
$ kubectl -n kube-system rollout restart ds/cilium
Additionally, the proxy load-balancing feature can be configured with the loadBalancer.l7.backend=envoy flag.
$ helm upgrade cilium cilium/cilium --version 1.13.1 \
--namespace kube-system \
--reuse-values \
--set loadBalancer.l7.backend=envoy
$ kubectl -n kube-system rollout restart deployment/cilium-operator
$ kubectl -n kube-system rollout restart ds/cilium
Next you can check the status of the Cilium agent and operator:
$ cilium status
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-darwin-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
See the full page of releases.
Install the latest version of the Cilium CLI. The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable/disable various features (e.g. clustermesh, Hubble).
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
shasum -a 256 -c cilium-darwin-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-darwin-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-darwin-${CLI_ARCH}.tar.gz{,.sha256sum}
See the full page of releases.
Cilium Ingress Controller can be enabled with the below command
$ cilium install \\
--kube-proxy-replacement=strict \\
--helm-set ingressController.enabled=true \\
--helm-set ingressController.loadbalancerMode=dedicated
If you only want to use envoy traffic management feature without Ingress support, you should only
enable --enable-envoy-config flag.
$ cilium install \\
--kube-proxy-replacement=strict \\
--helm-set-string extraConfig.enable-envoy-config=true
Additionally, the proxy load-balancing feature can be configured with the loadBalancer.l7.backend=envoy flag.
$ cilium install \\
--kube-proxy-replacement=strict \\
--helm-set-string extraConfig.enable-envoy-config=true \\
--helm-set loadBalancer.l7.backend=envoy
Next you can check the status of the Cilium agent and operator:
$ cilium status
Hubble CLI is also used to observe the traffic in later steps.
Download the latest hubble release:
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
HUBBLE_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
Download the latest hubble release:
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
HUBBLE_ARCH=amd64
if [ "$(uname -m)" = "arm64" ]; then HUBBLE_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-darwin-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
shasum -a 256 -c hubble-darwin-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-darwin-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-darwin-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
Download the latest hubble release:
curl -LO "https://raw.githubusercontent.com/cilium/hubble/master/stable.txt"
set /p HUBBLE_VERSION=<stable.txt
curl -L --fail -O "https://github.com/cilium/hubble/releases/download/%HUBBLE_VERSION%/hubble-windows-amd64.tar.gz"
curl -L --fail -O "https://github.com/cilium/hubble/releases/download/%HUBBLE_VERSION%/hubble-windows-amd64.tar.gz.sha256sum"
certutil -hashfile hubble-windows-amd64.tar.gz SHA256
type hubble-windows-amd64.tar.gz.sha256sum
:: verify that the checksum from the two commands above match
tar zxf hubble-windows-amd64.tar.gz
and move the hubble.exe CLI to a directory listed in the %PATH% environment variable after
extracting it from the tarball.
Supported Envoy API Versions
As of now only the Envoy API v3 is supported.
Supported Envoy Extension Resource Types
Envoy extensions are resource types that may or may not be built in to
an Envoy build. The standard types referred to in Envoy documentation,
such as type.googleapis.com/envoy.config.listener.v3.Listener, and
type.googleapis.com/envoy.config.route.v3.RouteConfiguration, are
always available.
Cilium nodes deploy an Envoy image to support Cilium HTTP policy enforcement and observability. This build of Envoy has been optimized for the needs of the Cilium Agent and does not contain many of the Envoy extensions available in the Envoy code base.
To see which Envoy extensions are available, please have a look at
the Envoy extensions configuration
file.
Only the extensions that have not been commented out with # are
built in to the Cilium Envoy image. Currently this contains the
following extensions:
envoy.clusters.dynamic_forward_proxyenvoy.filters.http.dynamic_forward_proxyenvoy.filters.http.ext_authzenvoy.filters.http.jwt_authnenvoy.filters.http.local_ratelimitenvoy.filters.http.oauth2envoy.filters.http.ratelimitenvoy.filters.http.routerenvoy.filters.http.set_metadataenvoy.filters.listener.tls_inspectorenvoy.filters.network.connection_limitenvoy.filters.network.ext_authzenvoy.filters.network.http_connection_managerenvoy.filters.network.local_ratelimitenvoy.filters.network.mongo_proxyenvoy.filters.network.mysql_proxyenvoy.filters.network.ratelimitenvoy.filters.network.tcp_proxyenvoy.filters.network.sni_clusterenvoy.filters.network.sni_dynamic_forward_proxyenvoy.stat_sinks.metrics_serviceenvoy.transport_sockets.raw_bufferenvoy.upstreams.http.httpenvoy.upstreams.http.tcp
We will evolve the list of built-in extensions based on user feedback.
Examples
Please refer to one of the below examples on how to use and leverage Cilium’s Ingress features: