istio.io
Install: Inconsistent Platform Prerequisites for Cilium CNI
The Cilium prerequisites differ between Istio and Cilium docs.
The Istio doc should be updated to include the requirement to disable socket load balancing for non-root namespaces.
$ kubectl get configmaps -n kube-system cilium-config -o yaml | grep bpf-lb-sock-hostns
bpf-lb-sock-hostns-only: "true"
@bleggett thoughts on codifying these requirements in the cni node install? For example, if the cni node install detects cilium in the cni conf list, it uses kube client to read the values of bpf-lb-sock-hostns and cni-exclusive from the Cilium configmap and logs/fails to install if the values are not as expected.
> bpf-lb-sock-hostns-only: "true"
I am not 100% sure that this is still required, it's an inherited leftover from the pre-Ambient attempts to get Cilium and Istio working together.
From the description it seems like it might still be required, but I recall trying locally without it at one point and things seemed to work (I might be mistaken tho). If you can confirm it is strictly required still, we can update the docs with the requirement.
> Thoughts on codifying these requirements in the cni node install? For example, if the cni node install detects cilium in the cni conf list, it uses kube client to read the values of bpf-lb-sock-hostns and cni-exclusive from the Cilium configmap and logs/fails to install if the values are not as expected.
I don't wanna read cilium's configmaps in istio-cni, but there's no real reason we can't do an istioctl precheck or something that does this.
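The precheck discussed above, sketched as an added example (this is not code from the istio.io issue, istioctl, or the Istio project): a POSIX shell function that reads the `cilium-config` ConfigMap YAML and compares the two keys named in the thread against expected values. The expected values (`bpf-lb-sock-hostns-only: "true"`, `cni-exclusive: "false"`) and the `cni-exclusive` check itself are assumptions taken from the discussion, not from Istio or Cilium documentation; the sample ConfigMap is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the istio.io issue or the Istio project.
# Precheck in the spirit of the suggested istioctl precheck: read the Cilium
# ConfigMap and report whether the keys discussed in the thread carry the
# expected values. Expected values are assumptions drawn from the thread.

# check_cilium_config KEY EXPECTED CONFIG_TEXT
# CONFIG_TEXT is the YAML of the cilium-config ConfigMap, e.g. the output of
#   kubectl get configmap -n kube-system cilium-config -o yaml
# Prints a one-line verdict; returns 0 if KEY is present with value EXPECTED,
# 1 if the key is missing or has a different value.
check_cilium_config() {
  key=$1
  expected=$2
  config=$3
  # Extract the value of "  key: value", tolerating optional double quotes
  # around the value and trailing whitespace; first match wins.
  actual=$(printf '%s\n' "$config" \
    | sed -n "s/^[[:space:]]*${key}:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" \
    | head -n 1)
  if [ -z "$actual" ]; then
    echo "MISSING  $key (expected $expected)"
    return 1
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK       $key=$actual"
    return 0
  fi
  echo "MISMATCH $key=$actual (expected $expected)"
  return 1
}

# precheck_cilium CONFIG_TEXT: run every check, return 0 only if all pass.
# Both expected values are assumptions based on the thread, not documented facts.
precheck_cilium() {
  rc=0
  check_cilium_config bpf-lb-sock-hostns-only true "$1" || rc=1
  check_cilium_config cni-exclusive false "$1" || rc=1
  return $rc
}

# Constructed sample of a cilium-config ConfigMap (only the relevant keys).
# cni-exclusive is deliberately left at "true" so the sample fails the precheck.
SAMPLE_CONFIG='apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  bpf-lb-sock-hostns-only: "true"
  cni-exclusive: "true"'

# With --live the real ConfigMap is read from the cluster; otherwise the
# constructed sample is used so the script runs without a cluster.
if [ "${1:-}" = "--live" ]; then
  CONFIG=$(kubectl get configmap -n kube-system cilium-config -o yaml)
else
  CONFIG=$SAMPLE_CONFIG
fi
precheck_cilium "$CONFIG" || echo "precheck: Cilium config does not match expected values"
```

Run it as `sh precheck.sh --live` against a cluster, or without arguments to see the verdict on the constructed sample. Reading the ConfigMap from a precheck rather than from istio-cni keeps the node agent from needing RBAC on another project's configuration, which is the point raised in the reply above.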
> I am not 100% sure that this is still required, it's an inherited leftover from the pre-Ambient attempts to get Cilium and Istio working together.
@bleggett I confirmed that bpf-lb-sock-hostns-only is not required for ambient mode.
Nice!
Things appear to work since Ambient has better support for direct-to-pod traffic. But it does not work; we still get the packets after LB which breaks a lot of features.