Overview
Calico and Cilium can both be used as CNI plugins for Kubernetes.
I think Calico is by far the more widely used of the two, but when it is used on bare metal it does not work well with MetalLB.
Cilium
- [Kubernetes] Building a high-availability cluster on Ubuntu OS 22.04
- Cluster Scope (Default) — Cilium 1.15.6 documentation
- System Requirements — Cilium 1.15.6 documentation
- Cilium Quick Installation — Cilium 1.15.6 documentation
- Welcome to Cilium’s documentation! — Cilium 1.15.6 documentation
- cilium/cilium: eBPF-based Networking, Security, and Observability
- Kubernetes Compatibility — Cilium 1.15.6 documentation
- Kubernetes Compatibility — Cilium 1.17.0-dev documentation
Calico vs Cilium
Calico
Cilium usage example
cilium connectivity test
$ cilium connectivity test
ℹ️ Monitor aggregation detected, will skip some flow validation steps
✨ [kubernetes] Creating namespace cilium-test for connectivity check...
✨ [kubernetes] Deploying echo-same-node service...
✨ [kubernetes] Deploying DNS test server configmap...
✨ [kubernetes] Deploying same-node deployment...
✨ [kubernetes] Deploying client deployment...
✨ [kubernetes] Deploying client2 deployment...
✨ [kubernetes] Deploying client3 deployment...
✨ [kubernetes] Deploying echo-other-node service...
✨ [kubernetes] Deploying other-node deployment...
✨ [host-netns] Deploying kubernetes daemonset...
✨ [host-netns-non-cilium] Deploying kubernetes daemonset...
ℹ️ Skipping tests that require a node Without Cilium
⌛ [kubernetes] Waiting for deployment cilium-test/client to become ready...
⌛ [kubernetes] Waiting for deployment cilium-test/client2 to become ready...
⌛ [kubernetes] Waiting for deployment cilium-test/echo-same-node to become ready...
⌛ [kubernetes] Waiting for deployment cilium-test/client3 to become ready...
⌛ [kubernetes] Waiting for deployment cilium-test/echo-other-node to become ready...
⌛ [kubernetes] Waiting for pod cilium-test/client-69748f45d8-c9q5l to reach DNS server on cilium-test/echo-same-node-6698bd45b-m9c6j pd...
⌛ [kubernetes] Waiting for pod cilium-test/client2-ccd7b8bdf-22cr2 to reach DNS server on cilium-test/echo-same-node-6698bd45b-m9c6j pd...
⌛ [kubernetes] Waiting for pod cilium-test/client3-868f7b8f6b-56s9v to reach DNS server on cilium-test/echo-same-node-6698bd45b-m9c6j od...
⌛ [kubernetes] Waiting for pod cilium-test/client2-ccd7b8bdf-22cr2 to reach DNS server on cilium-test/echo-other-node-5d67f9786b-xtss9pod...
⌛ [kubernetes] Waiting for pod cilium-test/client3-868f7b8f6b-56s9v to reach DNS server on cilium-test/echo-other-node-5d67f9786b-xtss pod...
⌛ [kubernetes] Waiting for pod cilium-test/client-69748f45d8-c9q5l to reach DNS server on cilium-test/echo-other-node-5d67f9786b-xtss9pod...
⌛ [kubernetes] Waiting for pod cilium-test/client-69748f45d8-c9q5l to reach default/kubernetes service...
⌛ [kubernetes] Waiting for pod cilium-test/client2-ccd7b8bdf-22cr2 to reach default/kubernetes service...
⌛ [kubernetes] Waiting for pod cilium-test/client3-868f7b8f6b-56s9v to reach default/kubernetes service...
⌛ [kubernetes] Waiting for Service cilium-test/echo-other-node to become ready...
⌛ [kubernetes] Waiting for Service cilium-test/echo-other-node to be synchronized by Cilium pod kube-system/cilium-2zpfl
⌛ [kubernetes] Waiting for Service cilium-test/echo-other-node to be synchronized by Cilium pod kube-system/cilium-nmk75
⌛ [kubernetes] Waiting for Service cilium-test/echo-same-node to become ready...
⌛ [kubernetes] Waiting for Service cilium-test/echo-same-node to be synchronized by Cilium pod kube-system/cilium-2zpfl
⌛ [kubernetes] Waiting for Service cilium-test/echo-same-node to be synchronized by Cilium pod kube-system/cilium-nmk75
⌛ [kubernetes] Waiting for NodePort 192.168.10.12:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.12:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.22:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.22:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.13:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.13:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.11:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.11:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.23:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.23:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.21:30768 (cilium-test/echo-other-node) to become ready...
⌛ [kubernetes] Waiting for NodePort 192.168.10.21:31991 (cilium-test/echo-same-node) to become ready...
⌛ [kubernetes] Waiting for DaemonSet cilium-test/host-netns-non-cilium to become ready...
⌛ [kubernetes] Waiting for DaemonSet cilium-test/host-netns to become ready...
ℹ️ Skipping IPCache check
🔭 Enabling Hubble telescope...
⚠️ Unable to contact Hubble Relay, disabling Hubble telescope and flow validation: rpc error: code = Unavailable desc = connection erro
ℹ️ Expose Relay locally with:
   cilium hubble enable
   cilium hubble port-forward&
ℹ️ Cilium version: 1.15.6
🏃[cilium-test] Running 80 tests ...
[=] [cilium-test] Test [no-unexpected-packet-drops] [1/80]
......
[=] [cilium-test] Test [no-policies] [2/80]
.........................................................
[=] [cilium-test] Skipping test [no-policies-from-outside] [3/80] (skipped by condition)
[=] [cilium-test] Test [no-policies-extra] [4/80]
....................................
[=] [cilium-test] Test [allow-all-except-world] [5/80]
W0702 08:13:47.544790 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
....................................
[=] [cilium-test] Test [client-ingress] [6/80]
W0702 08:13:58.629883 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-ingress-knp] [7/80]
......
[=] [cilium-test] Test [allow-all-with-metrics-check] [8/80]
......
[=] [cilium-test] Test [all-ingress-deny] [9/80]
W0702 08:14:28.456137 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
............
[=] [cilium-test] Test [all-ingress-deny-knp] [11/80]
............
[=] [cilium-test] Skipping test [all-ingress-deny-from-outside] [10/80] (skipped by condition)
[=] [cilium-test] Test [all-egress-deny] [12/80]
W0702 08:15:08.133591 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
........................
[=] [cilium-test] Test [all-egress-deny-knp] [13/80]
........................
[=] [cilium-test] Test [all-entities-deny] [14/80]
W0702 08:17:02.229392 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
............
[=] [cilium-test] Test [cluster-entity] [15/80]
W0702 08:17:33.652937 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
...
[=] [cilium-test] Skipping test [cluster-entity-multi-cluster] [16/80] (skipped by condition)
[=] [cilium-test] Test [host-entity-egress] [17/80]
W0702 08:17:39.847239 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..................
[=] [cilium-test] Test [host-entity-ingress] [18/80]
W0702 08:17:48.056995 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [echo-ingress] [19/80]
W0702 08:17:54.462343 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Skipping test [echo-ingress-from-outside] [20/80] (skipped by condition)
[=] [cilium-test] Test [echo-ingress-knp] [21/80]
......
[=] [cilium-test] Test [client-ingress-icmp] [22/80]
W0702 08:18:23.380151 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-egress] [23/80]
W0702 08:18:37.814376 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-egress-knp] [24/80]
......
[=] [cilium-test] Test [client-egress-expression] [25/80]
W0702 08:18:50.817041 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-egress-expression-knp] [26/80]
......
[=] [cilium-test] Test [client-with-service-account-egress-to-echo] [27/80]
W0702 08:19:03.857917 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-egress-to-echo-service-account] [28/80]
W0702 08:19:10.504306 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [to-entities-world] [29/80]
W0702 08:19:23.098675 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
.........
[=] [cilium-test] Test [to-cidr-external] [30/80]
W0702 08:19:41.976782 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [to-cidr-external-knp] [31/80]
......
[=] [cilium-test] Skipping test [from-cidr-host-netns] [32/80] (skipped by condition)
[=] [cilium-test] Test [echo-ingress-from-other-client-deny] [33/80]
W0702 08:20:08.481567 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:08.496877 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:08.520582 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..........
[=] [cilium-test] Test [client-ingress-from-other-client-icmp-deny] [34/80]
W0702 08:20:20.814592 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:20.831343 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:20.848678 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
............
[=] [cilium-test] Test [client-egress-to-echo-deny] [35/80]
W0702 08:20:32.327322 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:32.349113 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:32.367902 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
............
[=] [cilium-test] Test [client-ingress-to-echo-named-port-deny] [36/80]
W0702 08:20:51.720210 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:51.745413 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:20:51.761996 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
....
[=] [cilium-test] Test [client-egress-to-echo-expression-deny] [37/80]
W0702 08:21:02.108237 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:02.135721 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:02.150526 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
....
[=] [cilium-test] Test [client-with-service-account-egress-to-echo-deny] [38/80]
W0702 08:21:12.280545 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:12.302931 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:12.321168 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
....
[=] [cilium-test] Test [client-egress-to-echo-service-account-deny] [39/80]
W0702 08:21:23.505728 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:23.521782 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:23.552993 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..
[=] [cilium-test] Test [client-egress-to-cidr-deny] [40/80]
W0702 08:21:31.530895 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:21:31.553137 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Test [client-egress-to-cidr-deny-default] [41/80]
W0702 08:21:44.235498 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
......
[=] [cilium-test] Skipping test [clustermesh-endpointslice-sync] [42/80] (skipped by condition)
[=] [cilium-test] Test [health] [43/80]
......
[=] [cilium-test] Skipping test [north-south-loadbalancing] [44/80] (Feature node-without-cilium is disabled)
[=] [cilium-test] Test [pod-to-pod-encryption] [45/80]
.
[=] [cilium-test] Test [node-to-node-encryption] [46/80]
...
[=] [cilium-test] Skipping test [egress-gateway] [47/80] (skipped by condition)
[=] [cilium-test] Skipping test [egress-gateway-excluded-cidrs] [48/80] (Feature enable-ipv4-egress-gateway is disabled)
[=] [cilium-test] Skipping test [egress-gateway-with-l7-policy] [49/80] (skipped by condition)
[=] [cilium-test] Skipping test [pod-to-node-cidrpolicy] [50/80] (Feature cidr-match-nodes is disabled)
[=] [cilium-test] Skipping test [north-south-loadbalancing-with-l7-policy] [51/80] (Feature node-without-cilium is disabled)
[=] [cilium-test] Test [echo-ingress-l7] [52/80]
W0702 08:22:15.968047 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..................
[=] [cilium-test] Test [echo-ingress-l7-named-port] [53/80]
W0702 08:22:48.450121 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..................
[=] [cilium-test] Test [client-egress-l7-method] [54/80]
W0702 08:23:20.887814 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:23:20.912058 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
..................
[=] [cilium-test] Test [client-egress-l7] [55/80]
W0702 08:23:53.106687 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:23:53.129657 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
...............
[=] [cilium-test] Test [client-egress-l7-named-port] [56/80]
W0702 08:24:25.174737 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
W0702 08:24:25.228263 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
...............
[=] [cilium-test] Skipping test [client-egress-l7-tls-deny-without-headers] [57/80] (Feature secret-backend-k8s is disabled)
[=] [cilium-test] Skipping test [client-egress-l7-tls-headers] [58/80] (Feature secret-backend-k8s is disabled)
[=] [cilium-test] Skipping test [client-egress-l7-set-header] [59/80] (Feature secret-backend-k8s is disabled)
[=] [cilium-test] Skipping test [echo-ingress-auth-always-fail] [60/80] (Feature mutual-auth-spiffe is disabled)
[=] [cilium-test] Skipping test [echo-ingress-mutual-auth-spiffe] [61/80] (Feature mutual-auth-spiffe is disabled)
[=] [cilium-test] Skipping test [pod-to-ingress-service] [62/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [pod-to-ingress-service-deny-all] [63/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [pod-to-ingress-service-deny-ingress-identity] [64/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [outside-to-ingress-service] [67/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [pod-to-ingress-service-deny-backend-service] [65/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [pod-to-ingress-service-allow-ingress-identity] [66/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [outside-to-ingress-service-deny-world-identity] [68/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [outside-to-ingress-service-deny-cidr] [69/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Skipping test [outside-to-ingress-service-deny-all-ingress] [70/80] (Feature ingress-controller is disabled)
[=] [cilium-test] Test [dns-only] [71/80]
W0702 08:24:57.046257 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
...............
[=] [cilium-test] Test [to-fqdns] [72/80]
W0702 08:25:34.817103 3464 warnings.go:70] unknown field "spec.enableDefaultDeny"
............
[=] [cilium-test] Skipping test [pod-to-controlplane-host] [73/80] (skipped by condition)
[=] [cilium-test] Skipping test [pod-to-k8s-on-controlplane] [74/80] (skipped by condition)
[=] [cilium-test] Skipping test [pod-to-controlplane-host-cidr] [75/80] (skipped by condition)
[=] [cilium-test] Skipping test [pod-to-k8s-on-controlplane-cidr] [76/80] (skipped by condition)
[=] [cilium-test] Skipping test [local-redirect-policy] [77/80] (Feature enable-local-redirect-policy is disabled)
[=] [cilium-test] Skipping test [host-firewall-ingress] [78/80] (skipped by condition)
[=] [cilium-test] Skipping test [host-firewall-egress] [79/80] (skipped by condition)
[=] [cilium-test] Test [check-log-errors] [80/80]
...........................................
✅ [cilium-test] All 47 tests (563 actions) successful, 33 tests skipped, 1 scenarios skipped.
k delete ns cilium-test