Install Cilium with a cluster management project
Introduced in GitLab 14.0.
Cilium is a networking plugin for Kubernetes that you can use to implement support for NetworkPolicy resources. For more information, see Network Policies.
For an overview, see the Container Network Security Demo for GitLab 12.8.
Assuming you already have a cluster management project created from a management project template, to install Cilium you should uncomment this line from your helmfile.yaml:

```yaml
- path: applications/cilium/helmfile.yaml
```

and update the applications/cilium/values.yaml to set the clusterType:

```yaml
# possible values are gke or eks
clusterType: gke
```
The clusterType variable enables the recommended Helm variables for the corresponding cluster type. You can check the recommended variables for each cluster type in the official documentation. Do not use clusterType for sandbox environments like Minikube.
You can customize Cilium's Helm variables by defining the applications/cilium/values.yaml file in your cluster management project. Refer to the Cilium chart for the available configuration options.
You can check Cilium's installation status on the cluster management page:
- Project-level cluster: Navigate to your project's Infrastructure > Kubernetes clusters page.
- Group-level cluster: Navigate to your group's Kubernetes page.
WARNING: Installation and removal of Cilium require a manual restart of all affected pods in all namespaces to ensure that they are managed by the correct networking plugin. When Hubble is enabled, its pod might also require a restart, depending on whether it started before Cilium. For more information, see Failed Deployment in the Kubernetes docs.
NOTE: Major upgrades might require additional setup steps. For more information, see the official upgrade guide.
By default, Cilium's audit mode is enabled. In audit mode, Cilium doesn't drop disallowed packets. You can use the policy-verdict log to observe policy-related decisions. You can disable audit mode by adding the following to applications/cilium/values.yaml:

```yaml
config:
  policyAuditMode: false

agent:
  monitor:
    eventTypes: ["drop"]
```
Cilium's monitor log for traffic is written by the cilium-monitor sidecar container. You can check these logs with the following command:

```shell
kubectl -n gitlab-managed-apps logs -l k8s-app=cilium -c cilium-monitor
```
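Before switching policyAuditMode to false, it helps to know which flows the audit verdicts would have dropped, so that the NetworkPolicy set covers every legitimate path. The script below is an added example, not part of this page or of the Cilium or GitLab projects: it parses "Policy verdict log" lines from the cilium-monitor output above and counts the audit verdicts per local endpoint, direction, remote identity and destination port. The sample log embedded in it is constructed for the example and only approximates Cilium's real line layout; the regular expression may need adjusting for the Cilium version in use.

```python
import re
from collections import Counter

# Constructed sample of `kubectl ... logs -c cilium-monitor` output while
# policyAuditMode is enabled. The layout mimics Cilium's "Policy verdict log"
# lines but is an approximation written for this example, not captured output;
# adjust LINE_RE if your Cilium version formats the line differently.
SAMPLE_LOG = """\
Policy verdict log: flow 0x1a2b3c4d local EP ID 1234, remote ID 5678, proto 6, ingress, action audit, match none, 10.244.1.17:51234 -> 10.244.2.9:8080 tcp SYN
Policy verdict log: flow 0x1a2b3c4e local EP ID 1234, remote ID 5678, proto 6, ingress, action audit, match none, 10.244.1.17:51236 -> 10.244.2.9:8080 tcp SYN
Policy verdict log: flow 0x1a2b3c4f local EP ID 1234, remote ID 9012, proto 6, ingress, action allow, match L3-L4, 10.244.3.5:40012 -> 10.244.2.9:8080 tcp SYN
Policy verdict log: flow 0x1a2b3c50 local EP ID 2222, remote ID 5678, proto 17, egress, action audit, match none, 10.244.2.9:39000 -> 10.96.0.10:53 udp
level=info msg="unrelated agent line that the parser must skip"
"""

LINE_RE = re.compile(
    r"Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<ep>\d+), "
    r"remote ID (?P<remote>\d+), proto (?P<proto>\d+), (?P<direction>ingress|egress), "
    r"action (?P<action>\w+), match (?P<match>[\w-]+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_verdicts(text):
    """Return one dict per policy-verdict line; non-matching lines are ignored."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        v = m.groupdict()
        for key in ("ep", "remote", "proto", "sport", "dport"):
            v[key] = int(v[key])
        verdicts.append(v)
    return verdicts


def audit_summary(verdicts):
    """Count flows that audit mode let through but enforcement would drop.

    Key: (local endpoint ID, direction, remote identity, destination port,
    protocol). Each entry is either a gap a NetworkPolicy must cover or a
    flow you intend to block once policyAuditMode is set to false.
    """
    counts = Counter()
    for v in verdicts:
        if v["action"] != "audit":
            continue
        proto = PROTO_NAMES.get(v["proto"], str(v["proto"]))
        counts[(v["ep"], v["direction"], v["remote"], v["dport"], proto)] += 1
    return counts


def format_report(counts):
    """Render the summary as one line per (endpoint, direction, peer, port)."""
    lines = ["Flows that enforcement would drop (audit verdicts):"]
    for (ep, direction, remote, dport, proto), n in sorted(counts.items()):
        lines.append(
            f"  EP {ep} {direction:<7} remote identity {remote} "
            f"-> port {dport}/{proto}: {n} flow(s)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the kubectl command's output into this script; with no piped
    # input it falls back to the constructed sample above.
    import sys

    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(format_report(audit_summary(parse_verdicts(text))))
```

Run it as the receiving end of the kubectl pipeline while audit mode is still on; once the report shows only flows you intend to block, the values.yaml change above can be applied with less risk of cutting off legitimate traffic.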
You can disable the monitor log in .gitlab/managed-apps/cilium/values.yaml:

```yaml
agent:
  monitor:
    enabled: false
```
The Hubble monitoring daemon is enabled by default and is set to collect per-namespace flow metrics. These metrics are accessible on the Threat Monitoring dashboard. You can disable Hubble by adding the following to applications/cilium/values.yaml:

```yaml
global:
  hubble:
    enabled: false
```
You can also adjust Helm values for Hubble by using applications/cilium/values.yaml:

```yaml
global:
  hubble:
    enabled: true
    metrics:
      enabled:
        - 'flow:sourceContext=namespace;destinationContext=namespace'
```