35 lines
1.8 KiB
Markdown
35 lines
1.8 KiB
Markdown
# Cilium — noble (Talos)
|
|
|
|
Talos uses **`cluster.network.cni.name: none`**; you must install Cilium (or another CNI) before nodes become **Ready** and before **MetalLB** / most workloads. See `talos/CLUSTER-BUILD.md` ordering.
|
|
|
|
## 1. Install (phase 1 — required)
|
|
|
|
Uses **`values.yaml`**: IPAM **kubernetes**, **`k8sServiceHost` / `k8sServicePort`** pointing at **KubePrism** (`127.0.0.1:7445`, Talos default), Talos cgroup paths, **drop `SYS_MODULE`** from agent caps, **`bpf.masquerade: false`** ([Talos Cilium](https://www.talos.dev/latest/kubernetes-guides/network/deploying-cilium/), [KubePrism](https://www.talos.dev/latest/kubernetes-guides/configuration/kubeprism/)). Without this, host-network CNI clients may **`dial tcp <VIP>:6443`** and fail if the VIP path is unhealthy.
|
|
|
|
From **repository root**:
|
|
|
|
```bash
|
|
helm repo add cilium https://helm.cilium.io/
|
|
helm repo update
|
|
helm upgrade --install cilium cilium/cilium \
|
|
--namespace kube-system \
|
|
--version 1.16.6 \
|
|
-f clusters/noble/apps/cilium/values.yaml \
|
|
--wait
|
|
```
|
|
|
|
Verify:
|
|
|
|
```bash
|
|
kubectl -n kube-system rollout status ds/cilium
|
|
kubectl get nodes
|
|
```
|
|
|
|
When nodes are **Ready**, continue with **MetalLB** (`clusters/noble/apps/metallb/README.md`) and other Phase B items. **kube-vip** for the Kubernetes API VIP is separate (L2 ARP); it can run after the API is reachable.
|
|
|
|
## 2. Optional: kube-proxy replacement (phase 2)
|
|
|
|
To replace **`kube-proxy`** with Cilium entirely, use **`values-kpr.yaml`** and **`cluster.proxy.disabled: true`** in Talos on every node (see comments inside `values-kpr.yaml`). Follow the upstream [Deploy Cilium CNI](https://www.talos.dev/latest/kubernetes-guides/network/deploying-cilium/) section *without kube-proxy*.
|
|
|
|
Do **not** skip phase 1 unless you already know your cluster matches the “bootstrap window” flow from the Talos docs.
|