Cilium installation, deployment and upgrade
- cilium
- 2025-07-23
Reference (official documentation): https://docs.cilium.io/en/v1.17/gettingstarted/k8s-install-default/
1. Prepare the Kubernetes environment
[root@km1 ~]# k get node
NAME STATUS ROLES AGE VERSION
km1 NotReady control-plane,master 11m v1.23.17
kw1 NotReady <none> 7m9s v1.23.17
kw2 NotReady <none> 4m19s v1.23.17
2. Install the cilium-cli command-line tool
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
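This installs the latest version of the Cilium command-line interface (CLI). The Cilium CLI can be used to install Cilium, inspect the state of a Cilium installation, and enable or disable various features (for example clustermesh and Hubble).
Check the cilium version: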
[root@km1 ~]# cilium version --client
cilium-cli: v0.18.5 compiled with go1.24.4 on linux/amd64
cilium image (default): v1.17.5
cilium image (stable): v1.17.6
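The download commands in step 2 run `sha256sum --check` and `tar` as independent lines, so when they are pasted as a block a failed check does not stop the extraction into /usr/local/bin. The following is an added example, not from the original post or the Cilium project, that installs only after the check passes; the helper name install_verified and the assumption that the archive holds a top-level `cilium` binary are this example's own.

```shell
# Added example: fail-closed install of a downloaded cilium-cli tarball.
# install_verified is a hypothetical helper, not part of cilium-cli.
#
# Usage: install_verified TARBALL SUMFILE DESTDIR
#   TARBALL and SUMFILE must sit in the same directory, as in step 2.
# Returns 0 on success, 1 on checksum mismatch, 2 on any other error.
install_verified() {
    local tarball="$1" sumfile="$2" dest="$3" dir stage rc
    [ -f "$tarball" ] && [ -f "$sumfile" ] || { echo "missing input file" >&2; return 2; }
    dir=$(cd "$(dirname "$tarball")" && pwd) || return 2

    # The .sha256sum file names the tarball by relative path, so run the
    # check from the download directory. Only the exit status is used.
    ( cd "$dir" && sha256sum -c "$(basename "$sumfile")" >/dev/null 2>&1 ) || {
        echo "checksum mismatch for $tarball, refusing to extract" >&2
        return 1
    }

    # Extract only the expected member into a private staging directory,
    # then copy it into place, so nothing else in the archive can land
    # in DESTDIR (assumption: the binary is a top-level member "cilium").
    stage=$(mktemp -d) || return 2
    rc=0
    tar -xzf "$tarball" -C "$stage" cilium \
        && install -m 0755 "$stage/cilium" "$dest/cilium" || rc=2
    rm -rf "$stage"
    return "$rc"
}

# Example call with the file names used in step 2:
#   sudo sh -c '. ./install_verified.sh; install_verified \
#     cilium-linux-amd64.tar.gz cilium-linux-amd64.tar.gz.sha256sum /usr/local/bin'
```

The checksum file is fetched from the same release as the tarball, so this check catches corrupted or truncated downloads; setting CILIUM_CLI_VERSION to a fixed release instead of reading stable.txt keeps repeated installs on one known version.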
3. Install Cilium
Default installation:
cilium install --version 1.17.5
Other installation methods: see the article "Replacing kube-proxy with Cilium".
Check the installation status:
[root@km1 ~]# cilium status
/¯¯\
/¯¯\__/¯¯\ Cilium: OK
\__/¯¯\__/ Operator: OK
/¯¯\__/¯¯\ Envoy DaemonSet: OK
\__/¯¯\__/ Hubble Relay: disabled
\__/ ClusterMesh: disabled
DaemonSet cilium Desired: 3, Ready: 3/3, Available: 3/3
DaemonSet cilium-envoy Desired: 3, Ready: 3/3, Available: 3/3
Deployment cilium-operator Desired: 1, Ready: 1/1, Available: 1/1
Containers: cilium Running: 3
cilium-envoy Running: 3
cilium-operator Running: 1
clustermesh-apiserver
hubble-relay
Cluster Pods: 2/2 managed by Cilium
Helm chart version: 1.17.5
Check node status:
[root@km1 ~]# k get nodes
NAME STATUS ROLES AGE VERSION
km1 Ready control-plane,master 31m v1.23.17
kw1 Ready <none> 26m v1.23.17
kw2 Ready <none> 23m v1.23.17
[root@km1 ~]# k get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system cilium-d5zhp 1/1 Running 0 3m3s
kube-system cilium-envoy-g8cwb 1/1 Running 0 3m3s
kube-system cilium-envoy-h4bjm 1/1 Running 0 3m3s
kube-system cilium-envoy-hkrg8 1/1 Running 0 3m3s
kube-system cilium-mtvdp 1/1 Running 0 3m3s
kube-system cilium-operator-5c4d5bdb6d-mt6d8 1/1 Running 0 3m3s
kube-system cilium-tftmb 1/1 Running 0 3m3s
kube-system coredns-65c54cc984-7gzkc 1/1 Running 0 31m
kube-system coredns-65c54cc984-r4vpp 1/1 Running 0 31m
kube-system etcd-km1 1/1 Running 0 31m
kube-system kube-apiserver-km1 1/1 Running 0 31m
kube-system kube-controller-manager-km1 1/1 Running 0 31m
kube-system kube-proxy-98wk5 1/1 Running 0 24m
kube-system kube-proxy-jtzqf 1/1 Running 0 31m
kube-system kube-proxy-kxndw 1/1 Running 0 27m
kube-system kube-scheduler-km1 1/1 Running 0 31m
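4. Choosing a network mode
1. VXLAN mode (default)
Use cases:
- Pod communication across network segments
- Cloud provider VPC network restrictions
- No administrative control over the underlying network
Performance characteristics:
- Throughput: 5-8 Gbps
- Latency: ≈50μs
2. Native Routing mode
Use cases:
- Bare-metal server environments
- BGP network infrastructure
- High-performance computing scenarios
Performance characteristics:
- Throughput: 20-40 Gbps
- Latency: ≈10μs
5. Production environment optimization
1. Increase resource allocation: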
resources:
  requests:
    memory: 512Mi
    cpu: 500m
  limits:
    memory: 2Gi
    cpu: 2
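2. Security hardening
# Enable policy audit mode (policy verdicts are logged, but traffic a policy would deny is still forwarded)
cilium config set policy-audit-mode true
# Enable mutual TLS authentication (SPIFFE-based; install.enabled also deploys the SPIRE server from the chart)
cilium upgrade --version 1.17.5 --reuse-values --set authentication.mutual.spiffe.enabled=true --set authentication.mutual.spiffe.install.enabled=true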
3. Performance tuning
# Increase the eBPF map size
bpf:
  mapDynamicSizeRatio: 0.0025
# Enable BBR congestion control (set through the Bandwidth Manager)
bandwidthManager:
  enabled: true
  bbr: true
6. Upgrade strategy
Use a rolling upgrade.
Back up the Cilium configuration:
cilium config view > cilium-backup.yaml
Upgrade node by node:
cilium upgrade --version 1.17.5 --wait --force
Verify functionality:
cilium status --all-components
cilium connectivity test
7. Rollback plan
# Quickly roll back to the previous version by running the upgrade command with the older version
cilium upgrade --version 1.16.5 --force