Configure KubeProxy Replacement with Cilium

Prerequisites

  • cluster-admin privileges

  • Cluster is running Cilium. See the migrating to Cilium how-to for a guide to migrate a cluster to Cilium.

  • kubectl

  • jq

  • Working commodore command

Prepare for configuration

Make sure that your $KUBECONFIG points to the cluster you want to migrate before starting.

  1. Select cluster

    export CLUSTER_ID=c-cluster-id-1234 (1)
export COMMODORE_API_URL=https://api.syn.vshn.net (2)
export TENANT_ID=$(curl -sH "Authorization: Bearer $(commodore fetch-token)" \
  "${COMMODORE_API_URL}/clusters/${CLUSTER_ID}" | jq -r '.tenant')
    1 Replace with the Project Syn cluster ID of the cluster to migrate
    2 Replace with the Lieutenant API on which the cluster is registered

  2. Check KUBERNETES_SERVICE_HOST is configured

    kubectl -n cilium get cm cilium-ee-olm-overrides -ocustom-columns='HOST:.data.KUBERNETES_SERVICE_HOST,PORT:.data.KUBERNETES_SERVICE_PORT'

    Yields the following output:

    HOST                                    PORT
api-int.<CLUSTER_DOMAIN>                6443 (1)
    1 If either of these fields returns <none>, make sure cilium is deployed and has no special customisation requirements.

  3. Check k8sServiceHost is configured

    kubectl -n cilium get ciliumconfig cilium-enterprise -ocustom-columns='HOST:.spec.cilium.k8sServiceHost,PORT:.spec.cilium.k8sServicePort'

    Yields the following output:

    HOST                                    PORT
api-int.<CLUSTER_DOMAIN>                6443 (1)
    1 If either of these fields returns <none>, make sure cilium is deployed and has no special customisation requirements.

Configure KubeProxy Replacement

  1. Get local cluster working directory

    commodore catalog compile "$CLUSTER_ID" (1)
    1 We recommend switching to an empty directory to run this command. Alternatively, switch to your existing directory for the cluster.

  2. Update kubeProxyReplacement for cilium

    pushd inventory/classes/"${TENANT_ID}"
yq -i '.parameters.cilium.cilium_helm_values.kubeProxyReplacement = "true"' "${CLUSTER_ID}.yml"
yq -i '.parameters.cilium.cilium_helm_values.nodePort.enableHealthCheck = true' "${CLUSTER_ID}.yml"

  3. Commit changes

    git commit -am "Replace KubeProxy on ${CLUSTER_ID} with cilium"
git push origin master
popd

  4. Compile catalog

    commodore catalog compile "${CLUSTER_ID}" --push -i

  5. Update deployKubeProxy for network operator

    kubectl --as=cluster-admin patch networks.operator.openshift.io cluster \
 --type=merge -p '{"spec":{"deployKubeProxy":false}}'