Initial support for Envoy CRD config and examples

Open jrajahalme opened this issue 4 years ago • 0 comments

Draft support for Cilium Envoy Config CRD.

To test:

  1. Build this branch:
     BINDIR=~/.local/bin make install

     (You may need to modify BINDIR to something in your PATH)

  2. Start Kind cluster (from your cilium-cli repo):
     kind create cluster --config .github/kind-config.yaml

  3. Install the beta version of Cilium with feature and kube proxy replacement flags on:
     cilium install --version -beta:v1.11.0-k8s-ingress-beta.1 --config enable-envoy-config=true --kube-proxy-replacement=probe
     cilium hubble enable --relay-version -beta:v1.11.0-k8s-ingress-beta.1
     cilium hubble port-forward&

  4. Apply envoy-test.yaml:
     kubectl apply -f connectivity/manifests/envoy-test.yaml

  5. Run connectivity test to deploy the test services:
     cilium connectivity test --test egress-l7

  6. Apply L7 policy:
     kubectl apply -f connectivity/manifests/client-egress-l7-http.yaml
     kubectl apply -f connectivity/manifests/client-egress-only-dns.yaml

  7. Observe traffic from Hubble:
     hubble observe --from-pod cilium-test/client2-6dd75b74c6-68h7d -f

     Note: You need to adjust the exact name of client2-xxxxx-xxxx.

  8. Try out traffic from client2 (allowed by the policy) a couple of times:
     kubectl exec -it -n cilium-test client2-6dd75b74c6-68h7d -- curl -v echo-other-node:8080/foo

Note: You need to adjust (auto-complete) the exact name of client2-xxxxx-xxxx.

Observe:

  • Without the envoy-test.yaml CRD the path /foo is not found. This L7 LB rewrites paths starting with /foo to /, which is found in the echo services.
  • ClusterIP (echo-other-node) is observed in Hubble output, showing that the cluster IP gets out of the source pod.
  • The service is 50/50 load balanced to backend(s) of both echo-same-node and echo-other-node.

Example:

Oct 13 16:30:59.023: cilium-test/client2-6dd75b74c6-68h7d:45004 <> cilium-test/echo-other-node:8080 from-endpoint FORWARDED (TCP Flags: SYN)
Oct 13 16:30:59.032: cilium-test/client2-6dd75b74c6-68h7d:45004 <> cilium-test/echo-other-node-697d5d69b7-x6qnp:8080 from-proxy FORWARDED (TCP Flags: SYN)
Oct 13 16:31:10.717: cilium-test/client2-6dd75b74c6-68h7d:45164 <> cilium-test/echo-other-node:8080 from-endpoint FORWARDED (TCP Flags: SYN)
Oct 13 16:31:10.721: cilium-test/client2-6dd75b74c6-68h7d:45164 <> cilium-test/echo-same-node-7967996674-t24mq:8080 from-proxy FORWARDED (TCP Flags: SYN)

jrajahalme • Sep 17 '21 15:09
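
The observations above can be checked mechanically by pairing each from-endpoint flow with the from-proxy flow that shares its source pod and port. The script below is an added example, not part of the PR description or of cilium-cli; the function names and the NO-PROXY-LEG marker are hypothetical, and it assumes the one-line flow format shown in the sample output.

```shell
#!/bin/sh
# Added example (not cilium-cli code). Assumes hubble's one-line flow format
# exactly as in the sample above: $4=source, $6=destination,
# $7=observation point, $8=verdict.

# The four sample flows quoted in the PR description.
sample_flows() {
  cat <<'EOF'
Oct 13 16:30:59.023: cilium-test/client2-6dd75b74c6-68h7d:45004 <> cilium-test/echo-other-node:8080 from-endpoint FORWARDED (TCP Flags: SYN)
Oct 13 16:30:59.032: cilium-test/client2-6dd75b74c6-68h7d:45004 <> cilium-test/echo-other-node-697d5d69b7-x6qnp:8080 from-proxy FORWARDED (TCP Flags: SYN)
Oct 13 16:31:10.717: cilium-test/client2-6dd75b74c6-68h7d:45164 <> cilium-test/echo-other-node:8080 from-endpoint FORWARDED (TCP Flags: SYN)
Oct 13 16:31:10.721: cilium-test/client2-6dd75b74c6-68h7d:45164 <> cilium-test/echo-same-node-7967996674-t24mq:8080 from-proxy FORWARDED (TCP Flags: SYN)
EOF
}

# Pair each from-endpoint flow with the from-proxy flow that has the same
# source pod:port. Prints: <source> <service> => <backend pod>
lb_pairs() {
  awk '
    $8 != "FORWARDED"     { next }
    $7 == "from-endpoint" { svc[$4] = $6; next }
    $7 == "from-proxy" && ($4 in svc) {
      print $4, svc[$4], "=>", $6
      delete svc[$4]
    }
    # Connections with no proxy leg were not seen leaving Envoy.
    END { for (k in svc) print k, svc[k], "=>", "NO-PROXY-LEG" }
  '
}

# Count chosen backends per workload (pod name minus its two hash suffixes).
lb_summary() {
  lb_pairs | awk '
    {
      b = $4
      sub(/:[0-9]+$/, "", b)               # drop the port
      k = split(b, part, "/"); b = part[k] # drop the namespace
      sub(/-[a-z0-9]+-[a-z0-9]+$/, "", b)  # drop ReplicaSet and pod suffixes
      cnt[b]++
    }
    END { for (b in cnt) print b, cnt[b] }
  ' | sort
}

sample_flows | lb_summary
```

A NO-PROXY-LEG line in the summary means a connection left the client pod toward the ClusterIP but no matching from-proxy flow was recorded for it.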