1.8 KiB
Cilium — noble (Talos)
Talos uses cluster.network.cni.name: none; you must install Cilium (or another CNI) before nodes become Ready and before MetalLB / most workloads. See talos/CLUSTER-BUILD.md ordering.
1. Install (phase 1 — required)
Uses values.yaml: IPAM kubernetes, k8sServiceHost / k8sServicePort pointing at KubePrism (127.0.0.1:7445, Talos default), Talos cgroup paths, drop SYS_MODULE from agent caps, bpf.masquerade: false (Talos Cilium, KubePrism). Without this, host-network CNI clients may dial tcp <VIP>:6443 and fail if the VIP path is unhealthy.
From repository root:
helm repo add cilium https://helm.cilium.io/
helm repo update
helm upgrade --install cilium cilium/cilium \
--namespace kube-system \
--version 1.16.6 \
-f clusters/noble/apps/cilium/values.yaml \
--wait
Verify:
kubectl -n kube-system rollout status ds/cilium
kubectl get nodes
When nodes are Ready, continue with MetalLB (clusters/noble/apps/metallb/README.md) and other Phase B items. kube-vip for the Kubernetes API VIP is separate (L2 ARP); it can run after the API is reachable.
2. Optional: kube-proxy replacement (phase 2)
To replace kube-proxy with Cilium entirely, use values-kpr.yaml and cluster.proxy.disabled: true in Talos on every node (see comments inside values-kpr.yaml). Follow the upstream Deploy Cilium CNI section without kube-proxy.
Do not skip phase 1 unless you already know your cluster matches the “bootstrap window” flow from the Talos docs.