Deploying Cilium in VMs¶
Cilium is a network policy enforcement engine that can be used both in k8s and VMs. Using Cilium with Kubernetes, one can protect both k8s workloads (pods, services) and virtual machines from network vulnerabilities.
Deployment Steps for Cilium VM¶
Dependencies¶
1) A k8s cluster - A k8s cluster (it can be a single node cluster) to act as a control plane and distribute information about identities, labels and IPs of the VMs. Users can manage network polices of the VMs using kubectl
just like how pods or services are managed in k8s usually.
2) Docker >= 20.10 should be installed in all the VMs.
1. Download and Install Cilium CLI¶
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/download/v0.10.2/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
2. Setup Cilium in K8s Cluster¶
cilium install --config tunnel=vxlan --agent-image docker.io/accuknox/cilium:latest --operator-image docker.io/accuknox/cilium-operator-generic:latest
Note: If you are using AWS or Azure managed kubernetes cluster, then change the value of --operator-image
option in the above command to docker.io/accuknox/cilium-operator-aws:latest
or docker.io/accuknox/cilium-operator-azure:latest
respectively.
3. Check the Cilium status¶
cilium status
4. Enable Cilium clustermesh¶
a) If you are using self-managed k8s, use the following command to enable clustermesh
.
cilium clustermesh enable --apiserver-image=docker.io/accuknox/cilium-clustermesh-apiserver:latest --service-type NodePort
cilium clustermesh enable --apiserver-image=docker.io/accuknox/cilium-clustermesh-apiserver:latest --service-type LoadBalancer
5. Onboard VMs in the cluster¶
a) Create an entry for each VM and assign labels to them.
cilium clustermesh vm create <vm-hostname> --labels key1=value1,key2=value2..keyN=valueN
hostname
- VM's hostnamekey1=value1,key2=value2...keyN=valueN
- Labels of the VM (similar to pod labels).
b) Repeat the above command for each VM you wish to add to the cluster.
c) Once all the VMs are added, verify it.
cilium clustermesh vm status
6. Generate VM installation script¶
a) Generate the shell script to install Cilium in VMs.
cilium clustermesh vm install <file-name> --config devices=<interfaces>,enable-host-firewall,enable-hubble=true,hubble-listen-address=:4244,hubble-disable-tls=true,external-workload
file-name
- script name (example,cilium-vm-XYZ-install.sh
)interfaces
- one or more, comma separated list of VM's physical interfaces (example -eth0,eth1
).
b) Open the generated script and edit the value of CILIUM_IMAGE
to ${1:-docker.io/accuknox/cilium:latest}
c) Note:
- If the host interface names of the VMs differs from one VM to another VM, then generate a script of each VM by configuring the interface
parameter appropriately.
- If the interface name is same for all the VMs, then you could generate the script once and use it across all the VMs.
7. Install Cilium in the VMs¶
a) Copy the installation script to the VMs that are added to the cluster and run the scripts in the VM's shell.
b) Once the installation is successful in the VM, check the status by executing the following command in VM's shell.
cilium status
8. Enforcing network policies in VM¶
Once the Cilium installation in VMs are completed, users can start to configure network policies using kubectl
.
A sample Cilium network policy will look similar to the following YAML.
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
name: "rule1"
spec:
description: "L4 policy to allow traffic only at port 80/TCP"
nodeSelector:
matchLabels:
name: vm1
ingress:
- fromEndpoints:
- matchLabels:
name: vm2
toPorts:
- ports:
- port: "80"
protocol: TCP
name: vm1
from VM with label name: vm2
at only port 80/TCP. All other ingress traffic to VM with name: vm1
will be blocked because of this policy.
Users can apply polices in the cluster using kubectl
just like how resources are managed in k8s usually.
kubectl apply -f <yaml-file/url>
More examples of the network policies and their syntax are available in the official Cilium docs page.
Note: For policies that involves VMs, the kind
should always be CiliumClusterwideNetworkPolicy
9. Network Observability in VMs¶
Users can use hubble
CLI tool that comes along with the Cilium installation to monitor network traffic and policy enforcement in VMs.
docker exec -it cilium hubble observe -f