Install Cilium with a cluster management project

Introduced in GitLab 14.0.

Cilium is a networking plugin for Kubernetes that you can use to implement support for NetworkPolicy resources. For more information, see Network Policies.

For an overview, see the Container Network Security Demo for GitLab 12.8.

Assuming you already have a Cluster management project created from a management project template, to install Cilium you should uncomment this line from your helmfile.yaml:

  - path: applications/cilium/helmfile.yaml

and update the applications/cilium/values.yaml to set the clusterType:

# possible values are gke or eks
clusterType: gke

The clusterType variable enables the recommended Helm variables for a corresponding cluster type. You can check the recommended variables for each cluster type in the official documentation.

Do not use clusterType for sandbox environments like Minikube.

You can customize Cilium's Helm variables by defining the applications/cilium/values.yaml file in your cluster management project. Refer to the Cilium chart for the available configuration options.

You can check Cilium's installation status on the cluster management page.

WARNING: Installation and removal of Cilium requires a manual restart of all affected pods in all namespaces to ensure that they are managed by the correct networking plugin. Whenever Hubble is enabled, its related pod might require a restart depending on whether it started prior to Cilium. For more information, see Failed Deployment in the Kubernetes docs.

NOTE: Major upgrades might require additional setup steps. For more information, see the official upgrade guide.

By default, Cilium's audit mode is enabled. In audit mode, Cilium doesn't drop disallowed packets. You can use the policy-verdict log to observe policy-related decisions. You can disable audit mode by adding the following to applications/cilium/values.yaml:

config:
  policyAuditMode: false

agent:
  monitor:
    eventTypes: ["drop"]

The Cilium monitor log for traffic is written by the cilium-monitor sidecar container. You can check these logs with the following command:

kubectl -n gitlab-managed-apps logs -l k8s-app=cilium -c cilium-monitor
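Before switching policyAuditMode to false, it helps to know which flows are currently only being audited, since those are the ones that become real drops. The following script is an added example, not part of the GitLab documentation or the Cilium project: it reads the output of the kubectl logs command above from stdin, parses the "Policy verdict log:" lines, and groups the audited flows by direction, source IP, destination and protocol. The verdict line layout is assumed from Cilium's monitor output, and the sample lines embedded in the script are constructed.

```python
"""Summarise Cilium policy-verdict lines before turning audit mode off.

With policyAuditMode: true Cilium logs, instead of dropping, every flow
that a NetworkPolicy would reject, with action "audit". Grouping those
entries shows what will actually break once policyAuditMode is false.
Input is the output of the kubectl logs command shown above.
"""
import re
import sys
from collections import Counter

# Shape of a Cilium "Policy verdict log:" monitor line (assumed format;
# the sample lines below are constructed for this example).
VERDICT_RE = re.compile(
    r"Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<ep>\d+), "
    r"remote ID (?P<remote>\S+), proto (?P<proto>\d+), (?P<dir>ingress|egress), "
    r"action (?P<action>allow|deny|audit), match (?P<match>\S+), (?P<conn>.+)$"
)

# Constructed sample: one allowed flow, three audited (would-be-dropped)
# flows and one unrelated trace line that the parser must ignore.
SAMPLE_LOG = """\
Policy verdict log: flow 0x0 local EP ID 1102, remote ID 2531, proto 6, ingress, action allow, match l3-l4, 10.0.1.10:44812 -> 10.0.2.5:80 tcp SYN
Policy verdict log: flow 0x0 local EP ID 1102, remote ID 9421, proto 6, ingress, action audit, match none, 10.0.3.7:51020 -> 10.0.2.5:80 tcp SYN
Policy verdict log: flow 0x0 local EP ID 1102, remote ID 9421, proto 6, ingress, action audit, match none, 10.0.3.7:51021 -> 10.0.2.5:80 tcp SYN
Policy verdict log: flow 0x0 local EP ID 2207, remote ID 2, proto 17, egress, action audit, match none, 10.0.2.5:39001 -> 203.0.113.53:53 udp
-> endpoint 1102 flow 0x0 identity 2531->8221 state new ifindex lxc1a2b: 10.0.1.10:44812 -> 10.0.2.5:80 tcp SYN
"""

def parse_verdicts(lines):
    """Return one dict per policy-verdict line; other lines are skipped."""
    return [m.groupdict() for m in map(VERDICT_RE.search, lines) if m]

def would_be_dropped(lines):
    """Count audited flows by (direction, source IP, destination, protocol).

    Source ports are stripped so repeated connections from one client
    collapse into a single row."""
    counts = Counter()
    for v in parse_verdicts(lines):
        if v["action"] != "audit":
            continue
        src, _arrow, dst, *rest = v["conn"].split()
        proto = rest[0] if rest else v["proto"]
        counts[(v["dir"], src.rsplit(":", 1)[0], dst, proto)] += 1
    return counts

if __name__ == "__main__":
    # Pipe real logs in; with no stdin, fall back to the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for (direction, src, dst, proto), n in sorted(would_be_dropped(source).items()):
        print(f"{n:4d}  {direction:<7} {src} -> {dst} {proto}")
```

Each row the script prints is a flow you should either cover with a NetworkPolicy or accept losing before setting policyAuditMode to false.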

You can disable the monitor log in .gitlab/managed-apps/cilium/values.yaml:

agent:
  monitor:
    enabled: false

The Hubble monitoring daemon is enabled by default and it's set to collect per-namespace flow metrics. These metrics are accessible on the Threat Monitoring dashboard. You can disable Hubble by adding the following to applications/cilium/values.yaml:

global:
  hubble:
    enabled: false

You can also adjust Helm values for Hubble by using applications/cilium/values.yaml:

global:
  hubble:
    enabled: true
    metrics:
      enabled:
      - 'flow:sourceContext=namespace;destinationContext=namespace'