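Deploying a Cilium environment and the Hubble visualization UI
Official documentation: https://docs.cilium.io/en/v1.10/
Cilium + Hubble
Cilium is an open-source, high-performance container networking project based on eBPF and XDP. Its goal is to provide networking, load balancing, and security features for microservice environments, and it is aimed primarily at container platforms.
Deploying Cilium
!!!!!!!!!!! Version requirements !!!!!!!!!!!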
Kubernetes >= 1.9
Linux kernel >= 4.9
ETCD >= 3.1.0
Helm 3 installed in the Kubernetes environment
Kubernetes in CNI mode
BPF filesystem mounted on all worker nodes
// Recommended: enable PodCIDR allocation (--allocate-node-cidrs) on kube-controller-manager
Install Helm 3
wget https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz
tar -zxvf helm-v3.1.2-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/
helm version   # show the version
Mount the BPF filesystem
mount bpffs /sys/fs/bpf -t bpf
mount |grep bpf
bpffs on /sys/fs/bpf type bpf (rw,relatime)
echo "bpffs /sys/fs/bpf bpf defaults 0 0" >> /etc/fstab
Kubernetes configuration
# On every Kubernetes node, configure the kubelet to use CNI mode; add to kubelet.config:
--network-plugin=cni
# Enable PodCIDR allocation in kube-controller-manager; add to kube-controller-manager.config:
--allocate-node-cidrs=true
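A preflight check for the node prerequisites above, as an added example that is not part of the original page or of the Cilium project; the function names and the MIN_KERNEL variable are assumptions of this example. It compares the kernel version numerically (so 4.19 counts as newer than 4.9), confirms that bpffs is mounted, and adds the fstab line only when it is missing.

```shell
#!/bin/sh
# Added example: preflight checks for the node prerequisites listed above.
# Function names and MIN_KERNEL are assumptions of this example.

MIN_KERNEL="4.9"   # minimum kernel from the version requirements

# version_ge A B: succeed when dotted version A >= B (uses sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_ok [RELEASE]: check a `uname -r` style string such as 5.4.0-42-generic.
kernel_ok() {
    release="${1:-$(uname -r)}"
    # Keep only the leading numeric part (drops "-42-generic" and similar).
    numeric=$(printf '%s' "$release" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    case "$numeric" in
        [0-9]*) version_ge "$numeric" "$MIN_KERNEL" ;;
        *) return 1 ;;   # unparseable release string: treat as failing
    esac
}

# bpffs_mounted [MOUNTS_FILE]: is a bpf filesystem mounted on /sys/fs/bpf?
bpffs_mounted() {
    awk '$2 == "/sys/fs/bpf" && $3 == "bpf" { ok = 1 } END { exit !ok }' \
        "${1:-/proc/mounts}"
}

# ensure_fstab_entry [FSTAB]: add the bpffs line only if it is missing, so
# repeated runs do not append duplicates the way a bare `echo >>` would.
ensure_fstab_entry() {
    fstab="${1:-/etc/fstab}"
    if ! awk '$1 !~ /^#/ && $2 == "/sys/fs/bpf" && $3 == "bpf" { ok = 1 }
              END { exit !ok }' "$fstab"; then
        echo "bpffs /sys/fs/bpf bpf defaults 0 0" >> "$fstab"
    fi
}

# preflight: run on each worker node before `helm install`.
preflight() {
    rc=0
    kernel_ok || { echo "FAIL: kernel $(uname -r) is older than $MIN_KERNEL"; rc=1; }
    bpffs_mounted || { echo "FAIL: bpffs is not mounted on /sys/fs/bpf"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: kernel and bpffs prerequisites met"; fi
    return "$rc"
}
```

Source the file on each worker node and call preflight; ensure_fstab_entry needs root to write /etc/fstab.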
Deploy Cilium
Add the repository and install
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.10.0 --namespace kube-system
Verify the installation
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium status --wait
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         disabled
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/

DaemonSet         cilium             Desired: 2, Ready: 2/2, Available: 2/2
Deployment        cilium-operator    Desired: 2, Ready: 2/2, Available: 2/2
Containers:       cilium-operator    Running: 2
                  cilium             Running: 2
Image versions    cilium             quay.io/cilium/cilium:v1.9.5: 2
                  cilium-operator    quay.io/cilium/operator-generic:v1.9.5: 2
Run the following command to verify that your cluster has proper network connectivity:
cilium connectivity test
ℹ️ Monitor aggregation detected, will skip some flow validation steps
✨ [k8s-cluster] Creating namespace for connectivity check...
---------------------------------------------------------------------------------------------------------------------
📋 Test Report
---------------------------------------------------------------------------------------------------------------------
✅ 69/69 tests successful (0 warnings)
Deploying Hubble
Generate the YAML
helm template cilium cilium/cilium --version 1.8.1 \
--namespace kube-system \
--set global.etcd.enabled=true \
--set global.etcd.managed=true \
--set global.hubble.enabled=true \
--set global.hubble.listenAddress=":4244" \
--set global.hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" \
--set global.hubble.relay.enabled=true \
--set global.hubble.ui.enabled=true > hubble.yaml
kubectl apply -f hubble.yaml
# Contains two components
# - daemonset hubble
# - deployment hubble UI
kubectl get pod -n kube-system |grep hubble
hubble-67ldp 1/1 Running 0 21h
hubble-f287p 1/1 Running 0 21h
hubble-fxzms 1/1 Running 0 21h
hubble-tlq64 1/1 Running 1 21h
hubble-ui-5f9fc85849-hkzkr 1/1 Running 0 15h
hubble-vpxcb 1/1 Running 0 21h
kubectl apply -f hubble-ui-nodeport-svc.yaml
Contents of hubble-ui-nodeport-svc.yaml (a NodePort Service that exposes the Hubble UI on port 32321 of every node):
kind: Service
apiVersion: v1
metadata:
  namespace: kube-system
  name: hubble-ui-np
spec:
  selector:
    k8s-app: hubble-ui
  ports:
    - name: http
      port: 12000
      nodePort: 32321
  type: NodePort