5 July 2022
Oleg Zinovyev, technical writer

Deckhouse v1.33 brings Cilium CNI and Kubernetes 1.23 support

Since the previous stable release of Deckhouse, our Kubernetes platform has managed to get CNCF certification for Kubernetes v1.22 and v1.23. It has also joined the Prometheus Operator’s adopters list and added Cilium as one of the supported CNIs. The latter, Cilium, became the most significant improvement in the latest stable release — v1.33.

Cilium is open source software that provides transparent, secure networking and load balancing between containerized applications in a Kubernetes cluster. The cni-cilium module is now available in Deckhouse alongside cni-flannel, which we relied on before.

Let’s explore Cilium’s features and cover other important enhancements in Deckhouse v1.33.

Cilium-based network

Cilium is based on eBPF, a technology that extends the networking capabilities of Linux and makes networking more secure and observable for Linux applications. With eBPF, the network management logic runs inside the operating system kernel. The technology is used for high-performance networking, multi-cluster and multi-cloud installations, traffic balancing, encryption, network protection, and monitoring.

In addition to Kubernetes, Cilium supports managed services from AWS, Google, and Azure.

Cilium architecture (cilium.io)

Advanced Network Policies

Cilium supports the Network Policy feature out of the box for managing access between applications within a cluster. Network policies are enforced at OSI layers 3, 4, and 7, so users get more flexibility in managing ingress and egress traffic in the cluster.

Cilium also provides Node-level network policy management — a feature that Deckhouse didn’t offer earlier.

Before cni-cilium, we used the flannel and kube-router modules to implement networking in the cluster. Those have two critical disadvantages:

  • The modules rely on iptables for their operation. Compared to eBPF, it is much slower, and a large number of policies (500+) may lead to network performance problems.
  • The modules do not support Node-level policies in a cluster. Policies can only be configured for Pods and Services.

eBPF is much faster than iptables; therefore, you can define more network policies with Cilium, including Node-level ones.
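As an added illustration of the two policy levels described above (layer 3/4/7 rules for Pods, and the Node-level policies that Deckhouse did not offer before cni-cilium), here are two Cilium policy objects. This example is not taken from the Deckhouse documentation or the Cilium project; the namespace, labels, ports and CIDR range are constructed, and the host policy assumes that the host firewall feature is enabled in the Cilium configuration.

```yaml
# Added example, not from the Deckhouse post or the Cilium project docs.
# All names, labels, ports and address ranges below are constructed.
---
# 1. Pod-level policy (L3 + L4 + L7): only pods labelled app=frontend in the
#    same namespace may reach the "api" pods, only on TCP/8080, and only with
#    GET requests whose path starts with /api/. Everything else to "api" is dropped.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: shop                 # constructed namespace
spec:
  endpointSelector:
    matchLabels:
      app: api                    # L3: which pods this policy protects
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend         # L3: allowed peer pods
      toPorts:
        - ports:
            - port: "8080"        # L4: allowed port/protocol
              protocol: TCP
          rules:
            http:                 # L7: parsed by the Cilium proxy
              - method: GET
                path: "/api/.*"
---
# 2. Node-level (host) policy: a cluster-wide object that selects nodes, not
#    pods. It admits SSH only from a constructed 10.0.0.0/24 admin range and
#    the kubelet API only from peers inside the cluster. Assumes the host
#    firewall is enabled; the node label is an assumption, adjust it to yours.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: worker-host-ingress
spec:
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/worker: ""   # assumed node label
  ingress:
    - fromCIDR:
        - 10.0.0.0/24             # constructed admin network
      toPorts:
        - ports:
            - port: "22"
              protocol: TCP
    - fromEntities:
        - cluster                 # any endpoint that Cilium knows as part of the cluster
      toPorts:
        - ports:
            - port: "10250"       # kubelet
              protocol: TCP
```

Two points worth checking before applying something like this in a real cluster. First, `fromEndpoints` without an explicit namespace label matches only pods in the policy's own namespace, so cross-namespace callers must be named deliberately. Second, once a node is selected by a host policy with ingress rules, ingress to that node becomes default-deny for everything the policy does not list; a rule that forgets a control-plane or health-check port locks the node out. Cilium's policy audit mode for the host endpoint exists for exactly this reason and is the safe way to see what a host policy would drop before it is enforced.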

Service Map & Hubble UI

Cilium also provides Hubble UI, an open source observability tool that automatically discovers all the services in the cluster and builds a map of their connections (a service map). Hubble UI is browser-based, so any modern browser can be used.

Example of a service map in Hubble UI (cilium.io)

Hubble UI's visualization makes it easier to see the interdependencies and behavior of services in a cluster, which helps identify and resolve network problems faster.

Note that the cilium-hubble module gets automatically enabled together with the cni-cilium module.

Migrating to cni-cilium

Currently, you can enable the cni-cilium module manually. Instructions on how to migrate from cni-flannel will soon be added to the Deckhouse documentation (we’ll let you know in the Deckhouse Telegram channel when they’re available).

In future releases, the module will be enabled by default for new installations. Existing installations will not be affected, but you can perform the migration yourself if necessary.

New modules in Deckhouse Community Edition

In addition to Cilium, the new Deckhouse release brings many other features to expand the platform’s functionality. For example, the free Deckhouse Community Edition now includes modules previously only available in the paid Enterprise Edition:

  • The extended-monitoring module provides Prometheus exporters that monitor free space and inodes on nodes, report image access problems in the Container Registry, collect events in the Kubernetes cluster, and more;
  • The namespace-configurator module automatically assigns labels and annotations to new K8s namespaces; for example, it can add the extended-monitoring.flant.com/enabled=true annotation to a namespace to enable its monitoring;
  • The openvpn module allows peers to authenticate each other using OpenVPN and certificates. It also provides a simple web interface to issue and revoke certificates, cancel revocation, and generate the ready-to-use user configuration file;
  • The secret-copier module distributes secrets to all namespaces. The module saves you from repeatedly copying secrets into the CI, e.g., to pull images or provision RBDs in Ceph;
  • The okmeter module installs the Okmeter monitoring service agent (an Okmeter license is required).

Other changes and improvements

Deckhouse 1.33 also features support for:

  • Kubernetes 1.23;
  • Ubuntu 22.04 LTS as a node OS;
  • The UDP protocol in the openvpn module; in some cases, it improves the VPN performance.

Another notable update is a new base Alpine image, since the previous one was found to contain an OpenSSL vulnerability (CVE-2022-0778) in which a certificate with invalid explicit elliptic-curve parameters could trigger an infinite loop during certificate parsing.

P.S.

Deckhouse v1.33 became stable with the v1.33.12 release.

For those who prefer a hands-on approach, the Getting started guide will help you start your journey with the Deckhouse Kubernetes platform.

Follow @deckhouseio for updates and join our Telegram chat to ask any questions! Deckhouse’s main GitHub repo might also be useful to ask for feature requests and discuss any issues (your GitHub stars are also much appreciated!).
