架构支持
AMD64
AArch64内核版本
Linux kernel >= 4.19.57Linux 发行版兼容性和注意事项
|
发行版 |
最低版本 |
|---|---|
|
all |
|
|
all |
|
|
>= 8.0 |
|
|
all |
|
|
all |
|
|
>= 10 Buster |
|
|
all |
|
|
all |
|
|
Tumbleweed, >=Leap 15.4 |
|
|
>= 8.0 |
|
|
>= 18.04.3 |
ubuntu 22.04 系统要求
# Ubuntu 22.04 上运行 Cilium 之前,请确保安装以下软件包:
sudo apt install linux-modules-extra-raspi高级功能所需的内核版本
|
Cilium 特性 |
最低内核版本 |
|---|---|
|
>= 5.1 |
|
|
>= 5.2 |
|
|
VXLAN Tunnel Endpoint (VTEP) Integration |
>= 5.2 |
|
>= 5.6 |
|
|
Full support for Session Affinity |
>= 5.7 |
|
BPF-based proxy redirection |
>= 5.7 |
|
Socket-level LB bypass in pod netns |
>= 5.7 |
|
L3 devices |
>= 5.8 |
|
BPF-based host routing |
>= 5.10 |
|
IPv6 BIG TCP support |
>= 5.19 |
|
IPv4 BIG TCP support |
>= 6.3 |
防火墙规则
主节点
|
Port Range / Protocol |
Ingress/Egress |
Source/Destination |
Description |
|---|---|---|---|
|
2379-2380/tcp |
ingress |
|
etcd access |
|
8472/udp |
ingress |
|
VXLAN overlay |
|
8472/udp |
ingress |
|
VXLAN overlay |
|
4240/tcp |
ingress |
|
health checks |
|
4240/tcp |
ingress |
|
health checks |
|
ICMP 8/0 |
ingress |
|
health checks |
|
ICMP 8/0 |
ingress |
|
health checks |
|
8472/udp |
egress |
|
VXLAN overlay |
|
8472/udp |
egress |
|
VXLAN overlay |
|
4240/tcp |
egress |
|
health checks |
|
4240/tcp |
egress |
|
health checks |
|
ICMP 8/0 |
egress |
|
health checks |
|
ICMP 8/0 |
egress |
|
health checks |
工作节点
|
Port Range / Protocol |
Ingress/Egress |
Source/Destination |
Description |
|---|---|---|---|
|
8472/udp |
ingress |
|
VXLAN overlay |
|
8472/udp |
ingress |
|
VXLAN overlay |
|
4240/tcp |
ingress |
|
health checks |
|
4240/tcp |
ingress |
|
health checks |
|
ICMP 8/0 |
ingress |
|
health checks |
|
ICMP 8/0 |
ingress |
|
health checks |
|
8472/udp |
egress |
|
VXLAN overlay |
|
8472/udp |
egress |
|
VXLAN overlay |
|
4240/tcp |
egress |
|
health checks |
|
4240/tcp |
egress |
|
health checks |
|
ICMP 8/0 |
egress |
|
health checks |
|
ICMP 8/0 |
egress |
|
health checks |
|
2379-2380/tcp |
egress |
|
etcd access |
所有节点的其它端口
|
Port Range / Protocol |
Description |
|---|---|
|
4240/tcp |
cluster health checks ( |
|
4244/tcp |
Hubble server |
|
4245/tcp |
Hubble Relay |
|
4250/tcp |
Mutual Authentication port |
|
4251/tcp |
Spire Agent health check port (listening on 127.0.0.1 or ::1) |
|
6060/tcp |
cilium-agent pprof server (listening on 127.0.0.1) |
|
6061/tcp |
cilium-operator pprof server (listening on 127.0.0.1) |
|
6062/tcp |
Hubble Relay pprof server (listening on 127.0.0.1) |
|
9878/tcp |
cilium-envoy health listener (listening on 127.0.0.1) |
|
9879/tcp |
cilium-agent health status API (listening on 127.0.0.1 and/or ::1) |
|
9890/tcp |
cilium-agent gops server (listening on 127.0.0.1) |
|
9891/tcp |
operator gops server (listening on 127.0.0.1) |
|
9893/tcp |
Hubble Relay gops server (listening on 127.0.0.1) |
|
9962/tcp |
cilium-agent Prometheus metrics |
|
9963/tcp |
cilium-operator Prometheus metrics |
|
9964/tcp |
cilium-envoy Prometheus metrics |
|
51871/udp |
WireGuard encryption tunnel endpoint |
放行 ESP 流量
sudo firewall-cmd --permanent --add-protocol=esp
sudo firewall-cmd --reloadcilium CLI 部署
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}验证 cilium
# cilium version --clientcilium-cli: v0.16.8 compiled with go1.22.3 on linux/amd64
cilium image (default): v1.15.5参考文档
https://docs.cilium.io/en/stable/operations/system_requirements/
标签:ingress,CLI,部署,tcp,checks,health,sg,cilium From: https://www.cnblogs.com/wangguishe/p/18180229