概要
アップグレード前は、Helm 管理の Cilium 1.16.5 なので、uninstall→install は不要。helm upgrade で 1.17 系に上げられるとのこと。
Cilium公式の Upgrade Guide では
- 「まず現行マイナー(1.16)の最新パッチへ上げてから、次マイナー(1.17)へ」を推奨
- 「helm upgrade 時に –reuse-values は使わず、helm get values で退避して -f で渡す」を推奨
- datapath disruption を抑えるため upgradeCompatibility を “最初に入れたCiliumのマイナー” にセットすることを推奨
となっています。
0) 事前退避
clientにて
# いまのHelm valuesを退避(--reuse-valuesの代わりにこれを使う) helm get values cilium -n kube-system -o yaml > cilium-old-values.yaml # 念のため manifest も保存(戻す時に便利) helm get manifest cilium -n kube-system > cilium-old-manifest.yaml ctrl1にて # 現状確認 cilium status kubectl -n kube-system get pods -l k8s-app=cilium -o wide
実行結果
wurly@k8s-ctrl1:~/work$ cilium status
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: OK
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled
DaemonSet cilium Desired: 6, Ready: 6/6, Available: 6/6
Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet cilium-envoy Desired: 6, Ready: 6/6, Available: 6/6
Containers: cilium Running: 6
cilium-operator Running: 2
cilium-envoy Running: 6
Cluster Pods: 36/36 managed by Cilium
Helm chart version:
Image versions cilium quay.io/cilium/cilium:v1.16.5@sha256:758ca0793f5995bb938a2fa219dcce63dc0b3fa7fc4ce5cc851125281fb7361d: 6
cilium-operator quay.io/cilium/operator-generic:v1.16.5@sha256:f7884848483bbcd7b1e0ccfd34ba4546f258b460cb4b7e2f06a1bcc96ef88039: 2
cilium-envoy quay.io/cilium/cilium-envoy:v1.30.8-1733837904-eaae5aca0fb988583e5617170a65ac5aa51c0aa8@sha256:709c08ade3d17d52da4ca2af33f431360ec26268d288d9a6cd1d98acc9a1dced: 6
wurly@k8s-ctrl1:~/work$ kubectl -n kube-system get pods -l k8s-app=cilium -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cilium-8nzzf 1/1 Running 9 (121m ago) 426d 192.168.10.12 k8s-ctrl2 <none> <none>
cilium-bhhph 1/1 Running 9 (121m ago) 426d 192.168.10.22 k8s-worker2 <none> <none>
cilium-cgrpp 1/1 Running 9 (121m ago) 426d 192.168.10.21 k8s-worker1 <none> <none>
cilium-hgrmk 1/1 Running 9 426d 192.168.10.13 k8s-ctrl3 <none> <none>
cilium-nhnrg 1/1 Running 9 (121m ago) 426d 192.168.10.11 k8s-ctrl1 <none> <none>
cilium-rh7dx 1/1 Running 8 (121m ago) 426d 192.168.10.23 k8s-worker3 <none> <none>
1) Chart の更新と「ターゲット版」の決め方
helm repo add cilium https://helm.cilium.io/ helm repo update helm search repo cilium/cilium | head
helm search repo cilium/cilium --versions | head -n 30 helm search repo cilium/cilium --versions | grep '^cilium/cilium' | grep ' 1\.17\.' | head helm search repo cilium/cilium --versions | grep '^cilium/cilium' | grep ' 1\.17\.' | tail
wurly@rockers-ubuntu:~/temp$ helm search repo cilium/cilium --versions | head -n 30 NAME CHART VERSION APP VERSION DESCRIPTION cilium/cilium 1.19.1 1.19.1 eBPF-based Networking, Security, and Observability cilium/cilium 1.19.0 1.19.0 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.7 1.18.7 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.6 1.18.6 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.5 1.18.5 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.4 1.18.4 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.3 1.18.3 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.2 1.18.2 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.1 1.18.1 eBPF-based Networking, Security, and Observability cilium/cilium 1.18.0 1.18.0 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.13 1.17.13 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.12 1.17.12 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.11 1.17.11 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.10 1.17.10 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.9 1.17.9 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.8 1.17.8 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.7 1.17.7 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.6 1.17.6 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.5 1.17.5 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.4 1.17.4 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.3 1.17.3 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.2 1.17.2 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.1 1.17.1 eBPF-based Networking, Security, and Observability cilium/cilium 1.17.0 1.17.0 eBPF-based Networking, Security, and Observability cilium/cilium 1.16.19 1.16.19 eBPF-based Networking, Security, and Observability cilium/cilium 1.16.18 1.16.18 eBPF-based Networking, Security, and Observability cilium/cilium 1.16.17 1.16.17 eBPF-based Networking, Security, and Observability cilium/cilium 1.16.16 1.16.16 eBPF-based Networking, Security, and Observability cilium/cilium 1.16.15 1.16.15 eBPF-based Networking, Security, and Observability
まずは1.16.19へ。その後、1.17.13へ。
2) (推奨)Pre-flight check(Cilium公式が “Required” としている)
まず preflight を入れて READY を確認 → 消す、の流れです。
# preflight install(まずはそのまま) helm install cilium-preflight cilium/cilium --version 1.17.13 \ --namespace kube-system \ --set preflight.enabled=true \ --set agent=false \ --set operator.enabled=false
READY 確認:
kubectl -n kube-system get ds | sed -n '1p;/cilium/p'
kubectl -n kube-system get deploy cilium-pre-flight-check -w
まだ
wurly@rockers-ubuntu:~/temp$ kubectl -n kube-system get deploy cilium-pre-flight-check -w NAME READY UP-TO-DATE AVAILABLE AGE cilium-pre-flight-check 0/1 1 0 75s
OK
$ kubectl -n kube-system get deploy cilium-pre-flight-check -w NAME READY UP-TO-DATE AVAILABLE AGE cilium-pre-flight-check 1/1 1 1 3m5s
終わったら削除:
helm delete cilium-preflight -n kube-system
3) Step1: まず 1.16 系の最新パッチへ(推奨)
helm upgrade cilium cilium/cilium --version 1.16.19 \ -n kube-system \ -f cilium-old-values.yaml \ --set upgradeCompatibility=1.16
upgradeCompatibility=1.16 は「このクラスタに最初に入れたCiliumのマイナー(=1.16)」に合わせる、という意図です。
wurly@rockers-ubuntu:~/temp$ helm upgrade cilium cilium/cilium --version 1.16.19 \ -n kube-system \ -f cilium-old-values.yaml \ --set upgradeCompatibility=1.16 Release "cilium" has been upgraded. Happy Helming! NAME: cilium LAST DEPLOYED: Sat Feb 28 11:24:29 2026 NAMESPACE: kube-system STATUS: deployed REVISION: 2 TEST SUITE: None NOTES: You have successfully installed Cilium with Hubble. Your release version is 1.16.19. For any further help, visit https://docs.cilium.io/en/v1.16/gettinghelp
ロールアウト確認:
kubectl -n kube-system rollout status ds/cilium kubectl -n kube-system rollout status deploy/cilium-operator cilium status
wurly@rockers-ubuntu:~/temp$ kubectl -n kube-system rollout status ds/cilium daemon set "cilium" successfully rolled out wurly@rockers-ubuntu:~/temp$ kubectl -n kube-system rollout status deploy/cilium-operator deployment "cilium-operator" successfully rolled out
wurly@k8s-ctrl1:~/work$ cilium status
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: OK
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled
DaemonSet cilium-envoy Desired: 6, Ready: 6/6, Available: 6/6
Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet cilium Desired: 6, Ready: 6/6, Available: 6/6
Containers: cilium Running: 6
cilium-envoy Running: 6
cilium-operator Running: 2
Cluster Pods: 36/36 managed by Cilium
Helm chart version:
Image versions cilium quay.io/cilium/cilium:v1.16.19@sha256:f0c260e30ef97ce3e45e833e702ab47efbbb1dadd0a394969c0a65553e98fefb: 6
cilium-envoy quay.io/cilium/cilium-envoy:v1.34.12-1767177245-7935d4d711cb6f8020385a50c996b90896e16a71@sha256:377175048c79d12c129d29e7a56268e1edaad37c96e649e892465c01bf2b4f8f: 6
cilium-operator quay.io/cilium/operator-generic:v1.16.19@sha256:8879e792c5566f6349b5f2865e07c0dd690eb32638afc4417b51b0ec574fa5f0: 2
4) Step2: 1.17 系の最新パッチへ
helm upgrade cilium cilium/cilium --version 1.17.13 \ -n kube-system \ -f cilium-old-values.yaml \ --set upgradeCompatibility=1.16
確認:
kubectl -n kube-system rollout status ds/cilium kubectl -n kube-system rollout status ds/cilium-envoy || true kubectl -n kube-system rollout status deploy/cilium-operator cilium status kubectl get nodes kubectl get pod -A -o wide | head
成功
wurly@k8s-ctrl1:~/work$ cilium status
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: OK
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled
Deployment cilium-operator Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet cilium-envoy Desired: 6, Ready: 6/6, Available: 6/6
DaemonSet cilium Desired: 6, Ready: 6/6, Available: 6/6
Containers: cilium Running: 6
cilium-operator Running: 2
cilium-envoy Running: 6
Cluster Pods: 36/36 managed by Cilium
Helm chart version:
Image versions cilium quay.io/cilium/cilium:v1.17.13@sha256:1e3907ba8815e2e474ea8da25876911af2da0ae07c04eaa87a326ba4343aa539: 6
cilium-operator quay.io/cilium/operator-generic:v1.17.13@sha256:c2582d9eaeec598de9cd8815a3ed20caade17c26858eea672cff3240b0970983: 2
cilium-envoy quay.io/cilium/cilium-envoy:v1.35.9-1770554954-8ce3bb4eca04188f4a0a1bfbd0a06a40f90883de@sha256:da85124deeb42c8e56e55e9e6e155740f5df00e1064759a244bc246c3addb45d: 6
