Недостатки Istio по сравнению с Cilium: подробное объяснение

В этой статье мы разберём основные недостатки Istio в сравнении с Cilium Service Mesh, чтобы даже начинающий разработчик мог понять, в чём разница и почему некоторые команды выбирают Cilium вместо Istio.

https://habr.com/ru/articles/903736/

Provide additional metadata information to Cilium for IP addresses outside of the Kubernetes cluster scope https://www.danielstechblog.io/provide-additional-metadata-information-to-cilium-for-ip-addresses-outside-of-the-kubernetes-cluster-scope/ #Azure #AKS #Cilium #Kubernetes

YES! Generally Available: Azure CNI Overlay Dual-stack with Cilium Dataplane SUPPORT #aks #kubernetes #Azure #cilium https://azure.microsoft.com/updates?id=486814

Public Preview: Cilium WireGuard Encryption Support in AKS #kubernetes #cilium #Azure #aks #wireguard https://azure.microsoft.com/en-us/updates

Cilium doesn't add IPv6 pod IPs to the host network interface, which means that returning packets get discarded before hitting the OS unless promiscuous mode is on.

I've enabled masquerading but the docs say it won't SNAT anything in the `ipv6NativeRoutingCIDR`.

So I'm confused, how is the Native routing mode supposed to work then in IPv6? The pods are all getting globally unique addresses all valid for the subnet...

This morning's *absolute* WTF moment:

Pod network traffic 100% packet loss outbound UNTIL I `tcpdump` it on the node, then it starts working fine.

I'm tempted to break everything by switching my cluster to #cilium CNI today. Surely it couldn't be as disastrous as when I deployed #multus, right?

#Question

What #CNI do you recommend for #HomeLab?

I have experience with:
- #Istio
- #Calico
- #Cilium *
- #Flannel *

*: I didn't configured them manually, they came with #k3s and I left them on defaults

I finally managed to create a new cluster with #Talos, and want to configure CNI for it.

Hubble is up and running ! Great way to visualize traffic in your cluster.
#DevOps #k8s #learnk8s #cncf #100DaysOfCode #100DaysOfDevOps #kubernetes #cilium

ok so cilium's hubble tool is really helpful, even the non-enterprise version

it has been really helpful for troubleshooting network policies

but can we maybe talk about how it renders the connections?

like, what in the heck? #Kubernetes #Cilium

Nico Vibert, my beloved,,,,

is Cilium native routing mode supposed to publish pod IPs on the interfaces in the host network namespace?

That would make sense to me as using the native network layer 2/3 routing.

Or am I required to turn on SNAT using the IP masquerading feature?

Pods are getting valid IPv6 GUAs in the LAN/host subnet, but of course nothing can return to them...

Kubernetes DNS question:

Couldn't the CNI actually manage DNS instead of CoreDNS?

I mean it'd be potentially a lot of data to throw at eBPF for in-cluster records. It's already distributing information for routing.

It could also enforce all-pods upstreams by using DNAT - assuming DNSSEC remains a niche concern.

...in my defence, I never said my ideas were good...

Using Hubble CLI’s automatic port forwarding https://www.danielstechblog.io/using-hubble-clis-automatic-port-forwarding/ #Kubernetes #Cilium

Ok, serious question, what do I replace tailscale with? Can I run ipsec in a k8s pod?

I know #cilium can do multicluster but it wasn't fun. Managing another CA and making sure policies are multicluster-aware sucks. And I've hit a few issues where I had to restart the cilium node agent until it'd finally catch up (was a while ago, so maybe a non-issue nowadays).

What I want to have is to have a k8s service in cluster A that resolves to a k8s pod in cluster B. It's almost http only but not quite.

I guess I could get away with setting up an LB pool in both clusters and doing a host-to-host wireguard or ipsec to bridge those lb pools over. Still not ideal as it'd be harder to firewall everything off.

Securing #Microservices with #Cilium and #Istio #Azure #AKS #Kubernetes https://techcommunity.microsoft.com/blog/azurenetworkingblog/securing-microservices-with-cilium-and-istio/4381646

#kubernetes on #AREDN

also, i hate #cilium

A race condition in the #Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.
#ebpf
https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw

wawaweewa #cilium #ingress adventure time!

https://docs.cilium.io/en/stable/network/servicemesh/ingress/
https://docs.cilium.io/en/stable/network/lb-ipam/

look ma! no #MetalLB !

Cilium Netkit: Revolutionizing Container Networking Performance for AI Workloads

Cilium's latest feature, Netkit, is set to redefine container networking performance by eliminating traditional bottlenecks and achieving parity with host networking. This innovation is crucial for ba...

https://news.lavx.hu/article/cilium-netkit-revolutionizing-container-networking-performance-for-ai-workloads