EKS Ubuntu Server 20.04

Overview

This guide walks through installing Cilium on an EKS cluster whose nodes run Ubuntu Server 20.04, then verifies that it works by applying a network policy to Kubernetes workloads and observing the resulting allow and deny verdicts.

Step 1: Create an EKS Cluster

Install the eksctl, AWS CLI and Helm tools, then write the cluster configuration:

cat eks-config.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: eks-ubuntu-cluster
  region: us-east-2
nodeGroups:
  - name: ng-1
    instanceType: c5a.xlarge
    amiFamily: "Ubuntu2004"
    desiredCapacity: 1
    volumeSize: 80
    # ssh.allow opens port 22 on the nodes; Cilium does not need it, so drop or
    # restrict it once you no longer need shell access to the workers
    ssh:
      allow: true
    # Cilium's eBPF datapath needs the headers of the running kernel on every
    # node; this runs non-interactively before the node joins, hence -y
    preBootstrapCommands:
      - "sudo apt install -y linux-headers-$(uname -r)"

Official Link: Sample eks-config.yaml

Note: EKS supported image types:

  • Amazon Linux 2
  • Ubuntu 20.04
  • Ubuntu 18.04
  • Bottlerocket
  • Windows Server 2019 Core Container
  • Windows Server 2019 Full Container
  • Windows Server 2004 Core Container
  • Windows Server 20H2 Core Container

eksctl create cluster -f eks-config.yaml

aws eks --region us-east-2 update-kubeconfig --name eks-ubuntu-cluster

Step 2: Install Cilium

# Download the CLI archive and its checksum file, verify, then install to /usr/local/bin.
# The checksum comes from the same release page as the archive, so it catches a
# corrupt or truncated download, not a tampered release.
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium install

Verify that the Cilium pods are running:

kubectl get pods -n kube-system | grep cilium

Enable Hubble, Cilium's flow observability layer:

cilium hubble enable

Verify that the Hubble pods are running:

kubectl get pods -n kube-system | grep hubble

Step 3: Cilium Policy

1. Create the deathstar service and deployment together with the tiefighter and xwing pods

cat tightfighter-deathstart-app.yaml
apiVersion: v1
kind: Service
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    org: empire
    class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  replicas: 2
  selector:
    matchLabels:
      org: empire
      class: deathstar
  template:
    metadata:
      labels:
        org: empire
        class: deathstar
        app.kubernetes.io/name: deathstar
    spec:
      containers:
      - name: deathstar
        image: docker.io/cilium/starwars
---
apiVersion: v1
kind: Pod
metadata:
  name: tiefighter
  labels:
    org: empire
    class: tiefighter
    app.kubernetes.io/name: tiefighter
spec:
  containers:
  - name: spaceship
    image: docker.io/tgraf/netperf
---
apiVersion: v1
kind: Pod
metadata:
  name: xwing
  labels:
    app.kubernetes.io/name: xwing
    org: alliance
    class: xwing
spec:
  containers:
  - name: spaceship
    image: docker.io/tgraf/netperf

kubectl apply -f tightfighter-deathstart-app.yaml
kubectl get pods --show-labels

2. Explore the policy: it selects the deathstar endpoints and allows ingress on TCP/80 only for POST requests to /v1/request-landing; every other HTTP request to those endpoints is denied

cat sample-cilium-ingress-policy.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1-ingress"
spec:
  description: "L7 policy to restrict access to specific HTTP call"
  endpointSelector:
    matchLabels:
      class: deathstar
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"

3. Apply the policy

kubectl apply -f sample-cilium-ingress-policy.yaml

4. Trigger an allowed request and a policy violation

kubectl get svc
# Both requests come from the tiefighter pod (org=empire) and target the deathstar
# service by its cluster DNS name; the ClusterIP printed by kubectl get svc works too.
# The first matches the allowed method and path, so deathstar answers "Ship landed".
# The second hits a path the L7 rule does not list, so Cilium's proxy answers "Access denied".
kubectl exec -n default tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec -n default tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/bye

5. Port-forward the Hubble relay service so the local hubble CLI can read the flow logs

cilium hubble port-forward

6. Monitor the HTTP flows from tiefighter and watch for the DROPPED verdict on the denied request

hubble observe -f --protocol http --pod tiefighter
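To turn the live `hubble observe` stream into something you can audit, here is an added Python helper (not part of the original guide) that reads `hubble observe -o json` output from stdin and counts L7 HTTP requests per source pod, destination pod, verdict, method and path, so the DROPPED rows from step 4 stand out. The field names follow Hubble's flow JSON (`verdict`, `source`/`destination` with `pod_name`, `l7.type`, `l7.http.method`/`url`); the sample records embedded below are constructed, not captured from a cluster.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlsplit


def parse_request(line):
    """Return (src_pod, dst_pod, verdict, method, path) for one Hubble JSON flow line.

    Yields None for non-JSON lines, L3/L4 flows and HTTP responses, so only the
    requests the L7 policy actually judged are counted.
    """
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    # `hubble observe -o json` wraps each flow as {"flow": {...}, "node_name": ..., "time": ...}
    flow = obj.get("flow", obj) if isinstance(obj, dict) else {}
    l7 = flow.get("l7") or {}
    http = l7.get("http")
    if not http or l7.get("type") != "REQUEST":
        return None
    src, dst = flow.get("source") or {}, flow.get("destination") or {}
    path = urlsplit(http.get("url", "")).path or "/"
    return (src.get("pod_name", "?"), dst.get("pod_name", "?"),
            flow.get("verdict", "UNKNOWN"), http.get("method", "?"), path)


def summarise(lines):
    """Count requests per (src, dst, verdict, method, path); DROPPED rows are policy violations."""
    return Counter(p for p in map(parse_request, lines) if p)


def _sample(verdict, src, dst, kind, method, path):
    """Constructed sample record; real records carry many more fields (IP, l4, labels, ...)."""
    url = "http://deathstar.default.svc.cluster.local" + path
    return json.dumps({"flow": {"verdict": verdict, "Type": "L7",
                                "source": {"namespace": "default", "pod_name": src},
                                "destination": {"namespace": "default", "pod_name": dst},
                                "l7": {"type": kind, "http": {"method": method, "url": url}}}})


SAMPLE_FLOWS = [  # constructed: the two curl calls from step 4, one response, one junk line
    _sample("FORWARDED", "tiefighter", "deathstar-1", "REQUEST", "POST", "/v1/request-landing"),
    _sample("FORWARDED", "deathstar-1", "tiefighter", "RESPONSE", "POST", "/v1/request-landing"),
    _sample("DROPPED", "tiefighter", "deathstar-1", "REQUEST", "POST", "/v1/bye"),
    "hubble: not a flow line",
]

if __name__ == "__main__":  # real use: hubble observe -o json --protocol http | python3 hubble_verdicts.py
    source = SAMPLE_FLOWS if sys.stdin.isatty() else sys.stdin
    for (s, d, verdict, method, path), n in sorted(summarise(source).items()):
        print(f"{n:4d} {verdict:9s} {s} -> {d} {method} {path}")
```

Run with no stdin to see the constructed sample summarised; pipe the real `hubble observe -o json` output in to summarise your own cluster.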
