Dive into Kubernetes BGP Network, Part Two

Kubernetes with Cilium BGP

0x00 Introduction

In my previous blog of this series, I wrote about how to prepare the environment for deploying Kubernetes with BGP Network. Today, I am going to write about the process of how I deployed.

0x0000 The Environment

Before We start, here are the tools and versions I used to deploy Kubernetes.

  • kubeadm: v1.25.4
  • cilium: v1.12.2
  • helm: v3.10.2
  • kube-router: v1.5.3

Here is my configuration for kubeadm, and I will explain the usage of the configurations I used.

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd        # Specify cgroup driver of kubelet,recommend systemd
apiVersion: kubeadm.k8s.io/v1beta3
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  - signing
  - authentication
kind: InitConfiguration
  advertiseAddress:   # the address for apiserver listening
  bindPort: 6443
    #  criSocket: unix:///var/run/containerd/containerd.sock
    #  imagePullPolicy: IfNotPresent
    #  name: k8smaster0
    #  taints: null
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
    dataDir: /var/lib/etcd
imageRepository: registry.k8s.io
kind: ClusterConfiguration
kubernetesVersion: 1.25.4
# Recommand to set up controlPlane if you want to add apiserver for HA,
# and the cluster-endpoint is to use for the DNS parsed to the apiservers.
controlPlaneEndpoint: "cluster-endpoint:6443"  
  dnsDomain: cluster.local
# Specify the service CIDR range
# Specify the pod CIDR range
scheduler: {}

Usually, We can start to deploy Kubernetes using kubeadm, but unfortunately, as a Chinese developer behind the GFW, there are some obstacle to pulling the images. So I wrote the scripts to pull images from the domestic image mirror sources, and the scripts will rename images to the name that kubeadm used.

After we install kubeadm, we can use kubeadm config images list to show the images require for kubeadm. Here is my command execution result:

root@k8smaster0:~# kubeadm config images list
I1221 07:38:49.772660    1024 version.go:256] remote version is much newer: v1.26.0; falling back to: stable-1.25

As you know, we have already installed containerd as Kubernetes runtime in the previous article. However, the usage of containerd is somewhat different from docker because containerd uses ctr as a command line tool, and also, containerd has a namespace concept. If we use ctr command without specifying namespaces, it will use the default namespace. However, the Kubernetes CRI use k8s.io namespace. So if we want to pre-pull images, we need to put them into the correct namespace; otherwise, Kubernetes can not find the resources. Here are my commands to pre-pull images:

#Download the scripts for pulling images from China.
wget https://raw.githubusercontent.com/N0mansky/docker_wrapper/master/crt_wrapper.py
chmod +x crt_wrapper.py

# Pullings images to k8s.io namespace by using scripts
./crt_wrapper.py pull registry.k8s.io/xxxxxx

# After we have pulled the images, we can check by using the command
ctr -n k8s.io image ls -q

# Or we can use the crictl
root@k8sslave0:~# crictl image ls
IMAGE                                                         TAG                 IMAGE ID            SIZE
docker.io/cloudnativelabs/kube-router                         latest              a5e6dc4b76a3f       45MB
docker.io/library/busybox                                     1.28                8c811b4aec35f       728kB
docker.io/library/nginx                                       1.14.2              295c7be079025       44.7MB
quay.io/cilium/cilium                                         v1.12.2             743cf6b60787d       167MB
quay.io/cilium/cilium                                         v1.12.4             b7257a8403c50       167MB
quay.io/cilium/operator-generic                               v1.12.2             1f3c9d6876457       18.9MB
quay.io/cilium/operator-generic                               v1.12.4             ca5b3c9580cb3       18.9MB
registry.cn-hangzhou.aliyuncs.com/google_containers/coredns   v1.9.3              5185b96f0becf       14.8MB
registry.k8s.io/coredns/coredns                               v1.9.3              5185b96f0becf       14.8MB
registry.cn-hangzhou.aliyuncs.com/google_containers/pause     3.8                 4873874c08efc       311kB
registry.k8s.io/pause                                         3.8                 4873874c08efc       311kB
registry.k8s.io/kube-proxy                                    v1.25.4             2c2bc18642790       20.3MB

0x01 Deployment

0x0100 Create Cluster

After all the pre-work has been done, it is time to create a cluster. First, I initiated the master with the command:

# I specified to skip kube-proxy, because I will use cilium to replace it.
kubeadm init --config kubeadm-config.yml --skip-phases=addon/kube-proxy

# After the above command had finished, the following results were printed.
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

  kubeadm join cluster-endpoint:6443 --token abcdef.0123456789abcdef \
	--discovery-token-ca-cert-hash sha256:7337839717eb93c80bad2157ecbed814c389f8fa843c2d6b41e305e763751107 \

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join cluster-endpoint:6443 --token abcdef.0123456789abcdef \
	--discovery-token-ca-cert-hash sha256:7337839717eb93c80bad2157ecbed814c389f8fa843c2d6b41e305e763751107

After the master node had initialized successfully, I used the following command to add a worker node:

# Executing the join command on worker node
kubeadm join cluster-endpoint:6443 --token abcdef.0123456789abcdef \
	--discovery-token-ca-cert-hash sha256:7337839717eb93c80bad2157ecbed814c389f8fa843c2d6b41e305e763751107

# After the above command had finished, the following result were printed.
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

# And the nodes all were in the ready status
root@k8smaster0:~# kubectl get nodes -A
NAME         STATUS   ROLES           AGE     VERSION
k8smaster0   Ready    control-plane   5m42s   v1.25.4
k8sslave0    Ready    <none>          66s     v1.25.4

Now we can use kubectl get pods -A to check the state of pods. We can see the result didn’t show the pods of kube-proxy, and the Coredns are in ContainerCreating status. That is because we didn’t install kube-proxy and a network add-on, and the Coredns containers need a pod network add-on for creation.

root@k8smaster0:~# kubectl get pods -A
NAMESPACE     NAME                                 READY   STATUS              RESTARTS           AGE
kube-system   coredns-565d847f94-l7pz9             0/1     ContainerCreating   0                  18d
kube-system   coredns-565d847f94-pfxbj             0/1     ContainerCreating   0                  18d
kube-system   etcd-k8smaster0                      1/1     Running             1154 (5m50s ago)   18d
kube-system   kube-apiserver-k8smaster0            1/1     Running             1327 (5m50s ago)   18d
kube-system   kube-controller-manager-k8smaster0   1/1     Running             1125 (5m50s ago)   18d
kube-system   kube-scheduler-k8smaster0            1/1     Running             1186 (5m50s ago)   18d

0x0101 Install Cilium

After we create the cluster, it is time to install the Network add-on. At this time, I am using cilium. There are many methods to install Cilium. I used helm to install it. Here is the command I used to install Cilium.

root@k8smaster0:~# cat install_cilium.sh
# Kubeadm default is 6443
helm install cilium cilium/cilium --version 1.12.4 \
    --namespace kube-system \
    --set kubeProxyReplacement=strict \
    --set k8sServiceHost=${API_SERVER_IP} \
    --set k8sServicePort=${API_SERVER_PORT} \
    --set ipv4NativeRoutingCIDR= \
    --set tunnel="disabled" \
    --set ipam.mode=kubernetes

Let me explain those options. The kubeProxyReplacement means we are using Cilium to replace the kube-proxy component. The tunnel and ipv4NativeRoutingCIDR indicate we are using Native Route mode instead of the overlay network and the ipam.mode means we delegate each node in the cluster to allocate IP addresses for the Pods.

The CoreDNS has been running since we installed Cilium.

root@k8smaster0:~# kubectl get pods -A
NAMESPACE     NAME                                 READY   STATUS    RESTARTS           AGE
kube-system   cilium-2xlxh                         1/1     Running   0                  6m53s
kube-system   cilium-hcr6r                         1/1     Running   0                  6m53s
kube-system   cilium-operator-675567f547-8jz7l     1/1     Running   0                  6m53s
kube-system   cilium-operator-675567f547-l68zt     1/1     Running   0                  6m53s
kube-system   coredns-565d847f94-l7pz9             1/1     Running   0                  18d
kube-system   coredns-565d847f94-pfxbj             1/1     Running   0                  18d
kube-system   etcd-k8smaster0                      1/1     Running   1154 (4h19m ago)   18d
kube-system   kube-apiserver-k8smaster0            1/1     Running   1327 (4h19m ago)   18d
kube-system   kube-controller-manager-k8smaster0   1/1     Running   1125 (4h19m ago)   18d
kube-system   kube-scheduler-k8smaster0            1/1     Running   1186 (4h19m ago)   18d

0x0102 Install kube-router

At the moment, the setting up of the network still has some work to do. If we want to use BGP mode, we must install BGP Daemonset on each node for BPG peering and route propagation. There have many options, such as kube-router, BIRD and Cilium Native BGP. I chose kube-router instead of others because the kube-router is easy to use.

You can download the YAML file which I used to install kube-router from here https://github.com/cloudnativelabs/kube-router/blob/v1.5.3/daemonset/generic-kuberouter-only-advertise-routes.yaml ,and I used following options:

      - name: kube-router
        image: docker.io/cloudnativelabs/kube-router
        imagePullPolicy: Always
        - "--run-router=true"
        - "--run-firewall=false"
        - "--run-service-proxy=false"
        - "--bgp-graceful-restart=true"
        - "--enable-cni=false"
        - "--enable-ibgp=true"
        - "--enable-overlay=false"
        - "--cluster-asn=65001"
        - "--advertise-cluster-ip=true"
        - "--advertise-external-ip=true"
        - "--advertise-loadbalancer-ip=true"

Now, the internal cluster is already using BGP. We can create a Deployment and a service to test it.

apiVersion: apps/v1
kind: Deployment
  name: nginx-deployment
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
        app: nginx
      - name: nginx
        image: nginx:1.14.2
        - containerPort: 80
apiVersion: v1
kind: Service
    app: nginx
  name: nginx
  - port: 80
    protocol: TCP
    targetPort: 80
    app: nginx

Check the Nginx pods and services IP addresses by the following command. It indicated Cilium works fine.

root@k8smaster0:~/app# kubectl get service nginx
nginx   ClusterIP   <none>        80/TCP    12m
root@k8smaster0:~/app# kubectl get pods -o wide -l app=nginx
NAME                                READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
nginx-deployment-7fb96c846b-7jhtt   1/1     Running   0          12m   k8sslave0   <none>           <none>
nginx-deployment-7fb96c846b-lqpgf   1/1     Running   0          12m   k8sslave0   <none>           <none>
root@k8smaster0:~/app# curl
<!DOCTYPE html>
<title>Welcome to nginx!</title>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>

And we can use the Cilium command to get the services managed by Cilium.

root@k8smaster0:~/app# kubectl get pods -A -l k8s-app=cilium
kube-system   cilium-2xlxh   1/1     Running   0          60m
kube-system   cilium-hcr6r   1/1     Running   0          60m
root@k8smaster0:~/app# kubectl -n kube-system exec cilium-2xlxh -- cilium service list
Defaulted container "cilium-agent" out of: cilium-agent, mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init)
ID   Frontend           Service Type   Backend
1      ClusterIP      1 => (active)
2      ClusterIP      1 => (active)
                                       2 => (active)
3    ClusterIP      1 => (active)
                                       2 => (active)
4   ClusterIP      1 => (active)
                                       2 => (active)
5    ClusterIP      1 => (active)
                                       2 => (active)

We can see the Nginx Cluster IP is active.

By now, we have finished all the work, the internal cluster is using BPG to communicate with each other, but we still have some work to do to let the external can route to the cluster. I’ll write it in my next blog.