勇往邁進

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

$ cilium install
ℹ️  Using Cilium version 1.12.2
🔮 Auto-detected cluster name: nuc-kubernetes
🔮 Auto-detected datapath mode: tunnel
🔮 Auto-detected kube-proxy has been installed
ℹ️  helm template --namespace kube-system cilium cilium/cilium --version 1.12.2 --set cluster.id=0,cluster.name=nuc-kubernetes,encryption.nodeEncryption=false,kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
ℹ️  Storing helm values file in kube-system/cilium-cli-helm-values Secret
🔑 Created CA in secret cilium-ca
🔑 Generating certificates for Hubble...
🚀 Creating Service accounts...
🚀 Creating Cluster roles...
🚀 Creating ConfigMap for Cilium version 1.12.2...
🚀 Creating Agent DaemonSet...
🚀 Creating Operator Deployment...
⌛ Waiting for Cilium to be installed and ready...
♻️  Restarting unmanaged pods...
♻️  Restarted unmanaged pod argocd/argocd-application-controller-0
♻️  Restarted unmanaged pod argocd/argocd-applicationset-controller-6ddcfb56c5-2twtr
♻️  Restarted unmanaged pod argocd/argocd-dex-server-6569f7db86-qlvht
♻️  Restarted unmanaged pod argocd/argocd-notifications-controller-7c777f9bbb-rbrgd
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-haproxy-699bd9dc9c-2lsbz
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-haproxy-699bd9dc9c-b6sb5
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-haproxy-699bd9dc9c-khwsz
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-server-0
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-server-1
♻️  Restarted unmanaged pod argocd/argocd-redis-ha-server-2
♻️  Restarted unmanaged pod argocd/argocd-repo-server-686555df69-l7qqv
♻️  Restarted unmanaged pod argocd/argocd-repo-server-686555df69-xjl2x
♻️  Restarted unmanaged pod argocd/argocd-server-6f5565ff-6jhgx
♻️  Restarted unmanaged pod argocd/argocd-server-6f5565ff-bq55m
♻️  Restarted unmanaged pod calico-apiserver/calico-apiserver-5b68b6b54-6h5dv
♻️  Restarted unmanaged pod calico-apiserver/calico-apiserver-5b68b6b54-t782c
♻️  Restarted unmanaged pod calico-system/calico-kube-controllers-59c45ff85c-jf92d
♻️  Restarted unmanaged pod cert-manager/cert-manager-798f8bb594-p2tx4
♻️  Restarted unmanaged pod cert-manager/cert-manager-cainjector-5bb9bfbb5c-qnncp
♻️  Restarted unmanaged pod cert-manager/cert-manager-webhook-69579b9ccd-s7b6v
♻️  Restarted unmanaged pod ingress-nginx/ingress-nginx-controller-568764d844-vpmgw
♻️  Restarted unmanaged pod kube-system/coredns-64897985d-zh9b9
♻️  Restarted unmanaged pod kube-system/external-dns-645cdcdb57-84tkh
♻️  Restarted unmanaged pod kube-system/external-dns-645cdcdb57-hntlc
♻️  Restarted unmanaged pod kube-system/external-dns-645cdcdb57-wwnw8
♻️  Restarted unmanaged pod kube-system/metrics-server-7b857dcf59-hchdt
♻️  Restarted unmanaged pod metallb-system/controller-7476b58756-gxrxt
♻️  Restarted unmanaged pod monitoring/alertmanager-main-0
♻️  Restarted unmanaged pod monitoring/blackbox-exporter-559db48fd-9wn6w
♻️  Restarted unmanaged pod monitoring/curl
♻️  Restarted unmanaged pod monitoring/grafana-7b947f9c4f-6hklv
♻️  Restarted unmanaged pod monitoring/kube-state-metrics-576b75c6f7-xc5z2
♻️  Restarted unmanaged pod monitoring/prometheus-adapter-5f68766c85-8lrst
♻️  Restarted unmanaged pod monitoring/prometheus-adapter-5f68766c85-qndsg
♻️  Restarted unmanaged pod monitoring/prometheus-k8s-0
♻️  Restarted unmanaged pod monitoring/prometheus-operator-79c5847fd8-lx2qt
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-2fcrp
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-8bpjt
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-holder-rook-ceph-89866
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-holder-rook-ceph-dvnsj
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-holder-rook-ceph-f6lmb
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-provisioner-756887cbc-qrb4n
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-provisioner-756887cbc-zk2sc
♻️  Restarted unmanaged pod rook-ceph/csi-cephfsplugin-xnv7f
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-bbx7w
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-dhmlm
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-holder-rook-ceph-wlvwg
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-holder-rook-ceph-ws6dv
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-holder-rook-ceph-zbkqg
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-provisioner-59956fc65f-2t9l8
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-provisioner-59956fc65f-qdk95
♻️  Restarted unmanaged pod rook-ceph/csi-rbdplugin-w69qv
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-crashcollector-kube-work1.nnstt1.home-7b7dfbd4cchgldk
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-crashcollector-kube-work2.nnstt1.home-6cc79dc594lk4tr
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-crashcollector-kube-work4.nnstt1.home-5b867bcdb84zdbq
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-mgr-a-7df44488cc-sz892
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-mgr-b-7dd594ddbf-8j7mt
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-mon-c-dfb56986f-85ld5
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-mon-d-6b9896d578-dts4s
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-mon-e-66f88b5c74-9r2x2
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-operator-5cf8876b44-qccj5
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-0-69d5d87bdb-8wrqm
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-1-59bb64f7c4-ljp5v
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-2-6fd4d8787-78qt5
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-3-7949c6bdbd-gg9vh
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-4-b5455c9b5-khgc2
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-osd-5-7569f547cd-fqgn9
♻️  Restarted unmanaged pod rook-ceph/rook-ceph-tools-79bc54b8d8-8gcbv
♻️  Restarted unmanaged pod wordpress/wordpress-85558758cf-8x97v
♻️  Restarted unmanaged pod wordpress/wordpress-mysql-5f98ff5559-jnxj6
✅ Cilium was successfully installed! Run 'cilium status' to view installation health

$ cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         disabled
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/

DaemonSet         cilium             Desired: 6, Ready: 6/6, Available: 6/6
Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Containers:       cilium             Running: 6
                  cilium-operator    Running: 1
Cluster Pods:     69/74 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium:v1.12.2@sha256:986f8b04cfdb35cf714701e58e35da0ee63da2b8a048ab596ccb49de58d5ba36: 6
                  cilium-operator    quay.io/cilium/operator-generic:v1.12.2@sha256:00508f78dae5412161fa40ee30069c2802aef20f7bdd20e91423103ba8c0df6e: 1

Hubble enable

$ cilium hubble enable
🔑 Found CA in secret cilium-ca
ℹ️  helm template --namespace kube-system cilium cilium/cilium --version 1.12.2 --set cluster.id=0,cluster.name=nuc-kubernetes,encryption.nodeEncryption=false,hubble.enabled=true,hubble.relay.enabled=true,hubble.tls.ca.cert=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNFekNDQWJxZ0F3SUJBZ0lVSXJQYmVLZjF4RzExdGVHTHEyWk1tMkFzQWdNd0NnWUlLb1pJemowRUF3SXcKYURFTE1Ba0dBMVVFQmhNQ1ZWTXhGakFVQmdOVkJBZ1REVk5oYmlCR2NtRnVZMmx6WTI4eEN6QUpCZ05WQkFjVApBa05CTVE4d0RRWURWUVFLRXdaRGFXeHBkVzB4RHpBTkJnTlZCQXNUQmtOcGJHbDFiVEVTTUJBR0ExVUVBeE1KClEybHNhWFZ0SUVOQk1CNFhEVEl5TVRBeU56SXdOVGt3TUZvWERUSTNNVEF5TmpJd05Ua3dNRm93YURFTE1Ba0cKQTFVRUJoTUNWVk14RmpBVUJnTlZCQWdURFZOaGJpQkdjbUZ1WTJselkyOHhDekFKQmdOVkJBY1RBa05CTVE4dwpEUVlEVlFRS0V3WkRhV3hwZFcweER6QU5CZ05WQkFzVEJrTnBiR2wxYlRFU01CQUdBMVVFQXhNSlEybHNhWFZ0CklFTkJNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVvSndKaWtqaDhGM2tRS2t0TGgwaXozdFIKemRQeGdkb2dkQzR5VGZsNTJ2QjdLYXM4NVdxWExtb3JDL1ArYmpoQUZhMDUydkQ1TjBNRmpwOWlieFNxNGFOQwpNRUF3RGdZRFZSMFBBUUgvQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRFpSCjhWTkVnMFdPelNXWjdvVDc2NXNxUE1VRU1Bb0dDQ3FHU000OUJBTUNBMGNBTUVRQ0lEYyt5UDg1UjdKRklud1EKMFdBaEtWMDdWQ0k3ek9kSGl2YUFiR1VzNWYzU0FpQmZhbTRBOE9vM1JVQm1YY3Yyc0w5YmE5eUtuL1Q0dWdnVwpYS2lEemczMjR3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=,hubble.tls.ca.key=[--- REDACTED WHEN PRINTING TO TERMINAL (USE --redact-helm-certificate-keys=false TO PRINT) ---],kubeProxyReplacement=disabled,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
✨ Patching ConfigMap cilium-config to enable Hubble...
🚀 Creating ConfigMap for Cilium version 1.12.2...
♻️  Restarted Cilium pods
⌛ Waiting for Cilium to become ready before deploying other Hubble component(s)...
🚀 Creating Peer Service...
✨ Generating certificates...
🔑 Generating certificates for Relay...
✨ Deploying Relay...
⌛ Waiting for Hubble to be installed...
ℹ️  Storing helm values file in kube-system/cilium-cli-helm-values Secret
✅ Hubble was successfully enabled!

$ cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:         OK
 \__/¯¯\__/    Operator:       OK
 /¯¯\__/¯¯\    Hubble:         OK
 \__/¯¯\__/    ClusterMesh:    disabled
    \__/

Deployment        cilium-operator    Desired: 1, Ready: 1/1, Available: 1/1
Deployment        hubble-relay       Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet         cilium             Desired: 6, Ready: 6/6, Available: 6/6
Containers:       cilium             Running: 6
                  cilium-operator    Running: 1
                  hubble-relay       Running: 1
Cluster Pods:     70/75 managed by Cilium
Image versions    cilium             quay.io/cilium/cilium:v1.12.2@sha256:986f8b04cfdb35cf714701e58e35da0ee63da2b8a048ab596ccb49de58d5ba36: 6
                  cilium-operator    quay.io/cilium/operator-generic:v1.12.2@sha256:00508f78dae5412161fa40ee30069c2802aef20f7bdd20e91423103ba8c0df6e: 1
                  hubble-relay       quay.io/cilium/hubble-relay:v1.12.2@sha256:6f3496c28f23542f2645d614c0a9e79e3b0ae2732080da794db41c33e4379e5c: 1

Hubble Client install

$ export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
HUBBLE_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then HUBBLE_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-${HUBBLE_ARCH}.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-${HUBBLE_ARCH}.tar.gz /usr/local/bin
rm hubble-linux-${HUBBLE_ARCH}.tar.gz{,.sha256sum}

$ cilium hubble port-forward&

$ hubble status
Healthcheck (via localhost:4245): Ok
Current/Max Flows: 15,096/24,570 (61.44%)
Flows/s: 244.67
Connected Nodes: 6/6

$ hubble observe
Oct 27 21:32:15.613: 10.0.5.98:179 (remote-node) <> 10.0.0.77:55655 (remote-node) to-overlay FORWARDED (TCP Flags: SYN, ACK)
Oct 27 21:32:15.614: 10.0.5.98:179 (remote-node) <> 10.0.0.77:55655 (remote-node) to-overlay FORWARDED (TCP Flags: ACK)
Oct 27 21:32:15.615: 10.0.5.98:179 (remote-node) <> 10.0.0.77:55655 (remote-node) to-overlay FORWARDED (TCP Flags: ACK, RST)
Oct 27 21:32:17.616: 10.0.5.98:55113 (remote-node) <> 10.0.1.238:179 (remote-node) to-overlay FORWARDED (TCP Flags: ACK)
Oct 27 21:32:17.619: 10.0.5.98:179 (remote-node) <> 10.0.0.77:60569 (remote-node) to-overlay FORWARDED (TCP Flags: SYN, ACK)
Oct 27 21:32:17.620: 10.0.5.98:179 (remote-node) <> 10.0.0.77:60569 (remote-node) to-overlay FORWARDED (TCP Flags: ACK)
Oct 27 21:32:17.620: 10.0.5.98:179 (remote-node) <> 10.0.0.77:60569 (remote-node) to-overlay FORWARDED (TCP Flags: ACK, RST)
Oct 27 21:32:18.620: 10.0.5.98:56763 (remote-node) <> 10.0.3.181:179 (remote-node) to-overlay FORWARDED (TCP Flags: ACK, PSH)
Oct 27 21:32:19.315: 10.0.2.190 (remote-node) <- 10.0.1.55 (health) to-overlay FORWARDED (ICMPv4 EchoReply)
Oct 27 21:32:19.316: 10.0.2.190 (remote-node) -> 10.0.5.105 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
Oct 27 21:32:19.316: 10.0.2.190 (remote-node) <- 10.0.5.105 (health) to-overlay FORWARDED (ICMPv4 EchoReply)
Oct 27 21:32:19.317: 10.0.2.190 (remote-node) <> 10.0.5.105 (health) to-overlay FORWARDED (ICMPv4 EchoRequest)
Oct 27 21:32:19.317: 10.0.2.190 (remote-node) <> 10.0.1.55 (health) to-overlay FORWARDED (ICMPv4 EchoRequest)
Oct 27 21:32:19.317: 10.0.2.190 (host) -> 10.0.2.199 (health) to-endpoint FORWARDED (ICMPv4 EchoRequest)
Oct 27 21:32:19.317: 10.0.2.190 (remote-node) <> 10.0.0.14 (health) to-overlay FORWARDED (ICMPv4 EchoRequest)
Oct 27 21:32:19.317: 10.0.2.190 (host) <- 10.0.2.199 (health) to-stack FORWARDED (ICMPv4 EchoReply)
Oct 27 21:32:19.317: 10.0.2.190:41728 (remote-node) <> 10.0.4.174:4240 (health) to-overlay FORWARDED (TCP Flags: ACK)