Cilium#

Cilium Logo

Cillium is used as the Container Network Interface for the Platform. It was chosen over more basic CNIs for ease of observing traffic along with a strong set of accompanying tools.

EKS-A#

On EKS-A, Cilium is the default CNI, it's version is coordinated as part of the EKSA opinionated code, getting upgraded with the EKSA version. With this being a new change, we are planning to use EKS-A to determine the installed version there and use it as a recommendation to deploy that version on the EKS cluster.

EKS#

On EKS, we remove the default Amazon provided CNI and install Cilium via their supported helm chart.

Links#

Code: https://github.com/cilium/cilium
Releases: https://github.com/cilium/cilium/releases
Documentation:
- General Documentation: https://docs.cilium.io/en/stable/
- Upgrade Documentation: https://docs.cilium.io/en/stable/operations/upgrade/

Cilium Documentation Versioning

Make sure to select the version of the documentation you need in the bottom left.

Helm:
- Releases: https://helm.cilium.io/
- Helm Documentation: https://docs.cilium.io/en/stable/helm-reference/
Implementation:
- EKS: Remove Amazon VPC CNI
https://code.vt.edu/it-common-platform/infrastructure/eks-cluster/-/blob/main/cluster-bootstrap/environments/aws/cilium-pretask.tf
- EKS: Install Cilium
https://code.vt.edu/it-common-platform/infrastructure/eks-cluster/-/blob/main/cluster-bootstrap/environments/aws/cilium.tf
- EKS-A: Default CNI
https://anywhere.eks.amazonaws.com/docs/clustermgmt/networking/networking-and-security/

Update Concerns#

Critical Concerns#

Any Interruption of the CNI will cause an outage

General Concerns#

EKS-A Cilium version is governed by the EKS-A version. On EKS, the version of Cilium should target the EKS-A installed version.
Cilium has a upgrade instructions https://docs.cilium.io/en/stable/operations/upgrade/. You must run preflight checks. On EKS, the namespace is not standard, you will need to pay attention and add it in the arguments.