Skip to content

K3's Cluster

Overview

This user journey guides you to install and verify the compatibility of Cilium on K3's by applying policies on Kubernetes workloads.

Step 1: Install K3's on Linux

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='--flannel-backend=none --disable traefik' sh -s - --write-kubeconfig-mode 644

Alt

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
systemctl status k3s

Alt

which kubectl ; kubectl get nodes

Alt

Step 2: Install Cilium

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin ; rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium install 

Alt

Cilium Verify

kubectl get pods -n kube-system | grep cilium

Alt

Cilium Hubble Enable

cilium hubble enable

Alt

Cilium Hubble Verify

kubectl get pods -n kube-system | grep hubble

Alt

Step 3: Cilium Policy

3.1: Create a tightfighter & deathstart deployment

vim tightfighter-deathstart-app.yaml
apiVersion: v1
kind: Service
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  type: ClusterIP
  ports:
  - port: 80
  selector:
    org: empire
    class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deathstar
  labels:
    app.kubernetes.io/name: deathstar
spec:
  replicas: 2
  selector:
    matchLabels:
      org: empire
      class: deathstar
  template:
    metadata:
      labels:
        org: empire
        class: deathstar
        app.kubernetes.io/name: deathstar
    spec:
      containers:
      - name: deathstar
        image: docker.io/cilium/starwars
---
apiVersion: v1
kind: Pod
metadata:
  name: tiefighter
  labels:
    org: empire
    class: tiefighter
    app.kubernetes.io/name: tiefighter
spec:
  containers:
  - name: spaceship
    image: docker.io/tgraf/netperf
---
apiVersion: v1
kind: Pod
metadata:
  name: xwing
  labels:
    app.kubernetes.io/name: xwing
    org: alliance
    class: xwing
spec:
  containers:
  - name: spaceship
    image: docker.io/tgraf/netperf
kubectl apply -f tightfighter-deathstart-app.yaml 
kubectl get pods --show-labels

Alt

Apply the policy

vim sample-cilium-ingress-policy.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "rule1-ingress"
spec:
  description: "L7 policy to restrict access to specific HTTP call"
  endpointSelector:
    matchLabels:
      class: deathstar
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      rules:
        http:
        - method: "POST"
          path: "/v1/request-landing"
kubectl apply -f sample-cilium-ingress-policy.yaml   
kubectl get cnp 

Alt

Violating the policy

kubectl exec -it tiefighter -- curl -XPOST deathstar.default.svc.cluster.local/v1/request-landing
kubectl exec -it tiefighter -- curl -XPOST deathstar.default.svc.cluster.local/v1/request

Alt

SVC port forward to Monitor the logs

kubectl -n kube-system port-forward svc/hubble-relay 4245:80

Alt

Step 4: Install the Hubble CLI Client

export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin

Alt

rm hubble-linux-amd64.tar.gz{,.sha256sum}

Step 5: Monitoring the Cilium violation logs

hubble observe -f --protocol http --label class=deathstar

Alt

Back to top