Tasks
Install Tools
Configure Pods and Containers
Assign Memory Resources to Containers and Pods
Assign CPU Resources to Containers and Pods
Configure Quality of Service for Pods
Assign Extended Resources to a Container
Configure a Pod to Use a Volume for Storage
Configure a Pod to Use a PersistentVolume for Storage
Configure a Pod to Use a Projected Volume for Storage
Configure a Security Context for a Pod or Container
Configure Service Accounts for Pods
Pull an Image from a Private Registry
Configure Liveness and Readiness Probes
Assign Pods to Nodes
Configure Pod Initialization
Attach Handlers to Container Lifecycle Events
Configure Containers Using a ConfigMap
Use ConfigMap Data in Pods
Translate a Docker Compose File to Kubernetes Resources
Inject Data Into Applications
Define a Command and Arguments for a Container
Define Environment Variables for a Container
Expose Pod Information to Containers Through Environment Variables
Expose Pod Information to Containers Through Files
Distribute Credentials Securely Using Secrets
Inject Information into Pods Using a PodPreset
Run Applications
Run a Stateless Application Using a Deployment
Run a Single-Instance Stateful Application
Run a Replicated Stateful Application
Update API Objects in Place Using kubectl patch
Upgrade from PetSets to StatefulSets
Scale a StatefulSet
Delete a Stateful Set
Force Delete StatefulSet Pods
Perform Rolling Update Using a Replication Controller
Horizontal Pod Autoscaler
Horizontal Pod Autoscaler Walkthrough
Specifying a Disruption Budget for your Application
Run Jobs
Access Applications in a Cluster
Web UI (Dashboard)
Accessing Clusters
Configure Access to Multiple Clusters
Use Port Forwarding to Access Applications in a Cluster
Provide Load-Balanced Access to an Application in a Cluster
Use a Service to Access an Application in a Cluster
Connect a Front End to a Back End Using a Service
Create an External Load Balancer
Configure Your Cloud Provider's Firewalls
List All Container Images Running in a Cluster
Communicate Between Containers in the Same Pod Using a Shared Volume
Configuring DNS for a Cluster
Monitor, Log, and Debug
Core metrics pipeline
Tools for Monitoring Compute, Storage, and Network Resources
Get a Shell to a Running Container
Monitor Node Health
Logging Using Stackdriver
Events in Stackdriver
Logging Using Elasticsearch and Kibana
Determine the Reason for Pod Failure
Debug Init Containers
Debug Pods and Replication Controllers
Debug Services
Troubleshoot Clusters
Troubleshoot Applications
Debug a StatefulSet
Application Introspection and Debugging
Auditing
Developing and debugging services locally
Use Explorer to Examine the Runtime Environment
Extend Kubernetes
Use an HTTP Proxy to Access the Kubernetes API
Extend the Kubernetes API with CustomResourceDefinitions
Extend the Kubernetes API with ThirdPartyResources
Migrate a ThirdPartyResource to CustomResourceDefinition
Configure the aggregation layer
Setup an extension API server
Install Service Catalog using Helm
Install Service Catalog using SC
Administer a Cluster
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace
Configure Default CPU Requests and Limits for a Namespace
Configure Minimum and Maximum Memory Constraints for a Namespace
Configure Minimum and Maximum CPU Constraints for a Namespace
Configure Memory and CPU Quotas for a Namespace
Configure a Pod Quota for a Namespace
Configure Quotas for API Objects
Advertise Extended Resources for a Node
Control CPU Management Policies on the Node
Access Clusters Using the Kubernetes API
Access Services Running on Clusters
Securing a Cluster
Encrypting data at rest
Operating etcd clusters for Kubernetes
Static Pods
Cluster Management
Cluster Management Guide for Version 1.6
Upgrading kubeadm clusters from 1.6 to 1.7
Upgrading kubeadm clusters from 1.7 to 1.8
Share a Cluster with Namespaces
Namespaces Walkthrough
Autoscale the DNS Service in a Cluster
Safely Drain a Node while Respecting Application SLOs
Configure Out Of Resource Handling
Reserve Compute Resources for System Daemons
Guaranteed Scheduling For Critical Add-On Pods
Declare Network Policy
Reconfigure a Node's Kubelet in a Live Cluster
Set Kubelet parameters via a config file
Install Network Policy Provider
Change the Reclaim Policy of a PersistentVolume
Limit Storage Consumption
Change the default StorageClass
Kubernetes Cloud Controller Manager
Developing Cloud Controller Manager
Set up High-Availability Kubernetes Masters
Configure Multiple Schedulers
IP Masquerade Agent User Guide
Configure private DNS zones and upstream nameservers in Kubernetes
Federation - Run an App on Multiple Clusters
Cross-cluster Service Discovery using Federated Services
Set up Cluster Federation with Kubefed
Set up CoreDNS as DNS provider for Cluster Federation
Set up placement policies in Federation
Federated Cluster
Federated ConfigMap
Federated DaemonSet
Federated Deployment
Federated Events
Federated Horizontal Pod Autoscalers (HPA)
Federated Ingress
Federated Jobs
Federated Namespaces
Federated ReplicaSets
Federated Secrets
Manage Cluster Daemons
Manage GPUs
Manage HugePages
Extend kubectl with plugins
Use Cilium for NetworkPolicy
This page shows how to use Cilium for NetworkPolicy.
For background on Cilium, read the Introduction to Cilium.
- Before you begin
- Deploying Cilium on Minikube for Basic Testing
- Deploying Cilium for Production Use
- Understanding Cilium components
- What’s next
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:
To check the version, enter kubectl version.
Deploying Cilium on Minikube for Basic Testing
To get familiar with Cilium easily you can follow the Cilium Kubernetes Getting Started Guide to perform a basic DaemonSet installation of Cilium in minikube.
Installation in a minikube setup uses a simple ‘‘all-in-one’’ YAML file that includes DaemonSet configurations for Cilium and a key-value store (consul) as well as appropriate RBAC settings:
$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/master/examples/minikube/cilium-ds.yaml
clusterrole "cilium" created
serviceaccount "cilium" created
clusterrolebinding "cilium" created
daemonset "cilium-consul" created
daemonset "cilium" created
The remainder of the Getting Started Guide explains how to enforce both L3/L4 (i.e., IP address + port) security policies, as well as L7 (e.g., HTTP) security policies using an example application.
Deploying Cilium for Production Use
For detailed instructions around deploying Cilium for production, see: Cilium Administrator Guide This documentation includes detailed requirements, instructions and example production DaemonSet files.
Understanding Cilium components
Deploying a cluster with Cilium adds Pods to the kube-system namespace. To see this list of Pods run:
kubectl get pods --namespace=kube-system
You’ll see a list of Pods similar to this:
NAME DESIRED CURRENT READY NODE-SELECTOR AGE
cilium 1 1 1 <none> 2m
...
There are two main components to be aware of:
- One
ciliumPod runs on each node in your cluster and enforces network policy on the traffic to/from Pods on that node using Linux BPF. - For production deployments, Cilium should leverage the key-value store cluster (e.g., etcd) used by Kubernetes, which typically runs on the Kubernetes master nodes. The Cilium Administrator Guide includes an example DaemonSet which can be customized to point to this key-value store cluster. The simple ‘‘all-in-one’’ DaemonSet for minikube requires no such configuration because it automatically deploys a
cilium-consulPod to provide a key-value store.
What’s next
Once your cluster is running, you can follow the Declare Network Policy to try out Kubernetes NetworkPolicy with Cilium. Have fun, and if you have questions, contact us using the Cilium Slack Channel.