Skip to content

Instantly share code, notes, and snippets.

@clemenko

clemenko/rke2-multus.md

Last active November 25, 2024 23:06
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save clemenko/18061e6b040cd2baffac11140c0c0680 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save clemenko/18061e6b040cd2baffac11140c0c0680 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rke2-multus.md

Multus

update rke2 config

aka install
add the following to the config.yaml from https://docs.rke2.io/install/network_options#using-multus

# /etc/rancher/rke2/config.yaml
cni:
- multus
- canal

to air gap pull rancher/hardened-multus-cni:v4.0.2-build20230811

valdiate install

validate with kubectl get pods -A | grep -i multus-ds

create macvlan config

From https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md#storing-a-configuration-as-a-custom-resource

create NetworkAttachmentDefinition for local network.

cat <<EOF | kubectl create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-conf
spec:
  config: '{
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth0",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.1.0/24",
        "rangeStart": "192.168.1.200",
        "rangeEnd": "192.168.1.216"
      }
    }'
EOF

run test pod

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: samplepod
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-conf
spec:
  containers:
  - name: samplepod
    command: ["/bin/ash", "-c", "trap : TERM INT; sleep infinity & wait"]
    image: alpine
EOF

get network config from test pod

kubectl exec -it samplepod -- ip a

Moar Fun

Good article : https://devopstales.github.io/kubernetes/multus/

for fun

DHCP anyone? Keep in mind that nohup /opt/cni/bin/dhcp daemon & needs to be running on the control node for DHCP to be passing into the pod.

cat <<EOF | kubectl create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-dhcp
spec:
  config: '{
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth0",
      "mode": "bridge",
      "ipam": { "type": "dhcp" }
    }'
EOF

and

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: dhcp
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-dhcp
spec:
  containers:
  - name: dhcp
    command: ["/bin/ash", "-c", "trap : TERM INT; sleep infinity & wait"]
    image: alpine
EOF

get ip kubectl exec -it dhcp -- ip a and now ping it from an external device.

Or nginx

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-dhcp
spec:
  containers:
  - name: nginx
    image: nginx
EOF

And we can check for the 192.168.1.0/24 address with kubectl describe pod nginx

Raw
z_ipvlan_example.md

ipvlan on ubuntu with single nic

cat <<EOF | kubectl create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: ipvlan-def
spec:
  config: '{
      "cniVersion": "0.3.1",
      "type": "ipvlan",
      "master": "enp1s0",
      "mode": "l2",
      "ipam": { "type": "static" }
    }'
EOF


cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  annotations:
    k8s.v1.cni.cncf.io/networks: '[{ "name": "ipvlan-def", "ips": [ "192.168.1.202/24" ] }]'
spec:
  containers:
  - name: nginx
    image: nginx
EOF

for @technotim

@b3rs3rk
Copy link

b3rs3rk commented May 11, 2024

I'm doing the same thing, multus with cilium on RKE2 1.28. Can't get the pod that spins up to recognize the annotation and plumb the extra interface. Also using cis profile (just "cis" now), but not all of the hardening settings you've applied. Which usually only makes things worse. Were there any gotchas you found along the way? Do you feel like any of the extra sysctls and settings you added in your script had any relevant effects?

@clemenko
Copy link
Author

clemenko commented May 11, 2024

What does your config.yaml look like? The kernel tuning has be collected over the years. There are a few that are important. net.ipv4.ip_forward=1 and

# SWAP settings
vm.swappiness=0
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
vm.max_map_count = 262144

Start there. Check that all the pods are happy.

@b3rs3rk
Copy link

b3rs3rk commented May 11, 2024

@clemenko Thanks for the response. It was nothing that basic. When Cilium gets installed during RKE2 deployment, the default behavior is to act as an exclusive CNI in the Helm chart values. So when the cilium pod was starting up on the nodes, it mounted /etc/cni/net.d/ and renamed all other CNI configs to make them ineligible so that there is no chance pod startups use another CNI. Long story short, it was renaming my 00-multus.conf to a .bak file and continued to do so if I tried to rename it back while the cilium pod was still running.

I had to deploy a cilium HelmChartConfig manifest into the static folder on one of my nodes with...

cni:
  exclusive: false

...before it would stop. As soon as it stopped changing out the multus conf file, I was able to deploy ipvlan interfaces.

@clemenko
Copy link
Author

clemenko commented May 11, 2024

Ah.. makes sense. Just curious why you are using Cilium? What features do you need over Canal?

@b3rs3rk
Copy link

b3rs3rk commented May 13, 2024

Just testing the next big thing in my lab, really. Originally, I picked cilium because it might have coexisted with FirewallD on RHEL. Found out pretty quickly it still didn't work. Cilium was still creating chains via iptables, and FirewallD likes to step all over them. I thought Cilium used eBPF for everything if you disable kube proxy. But that didn't appear to be the case for me. Might have a config wrong somewhere.

@clemenko
Copy link
Author

clemenko commented May 13, 2024

my 2 cents. Start with Rocky, remove firewalld, and stick with the default canal. Change only when it truly makes sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment