Running Kubernetes Without kube-proxy Using Cilium: Step‑by‑Step Guide
This article walks through installing Cilium as a CNI on a Kubernetes v1.21.3 cluster, disabling kube-proxy, and verifying network connectivity with an Nginx deployment, providing commands, configuration details, and validation steps for a kube‑proxy‑free setup.
Introduction
Many have heard that Cilium, powered by eBPF, offers high performance and network policy support, and can replace the traditional kube-proxy component. This guide documents a hands‑on installation of Cilium as a CNI on a Kubernetes cluster without installing kube‑proxy.
Environment
Kubernetes version: v1.21.3
Cilium version: v1.10.3
Installation method: kubeadm
Cilium networking mode: vxlan
OS: Ubuntu 18.04
Cluster size: 1 master, 2 nodes
Procedure
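Initialize the master node while skipping the kube‑proxy addon. Note that --ignore-preflight-errors=all suppresses every kubeadm preflight check; outside a lab, pass only the specific checks you need to bypass:
<code>kubeadm init \
--apiserver-advertise-address=10.211.55.50 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.21.3 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=all \
--skip-phases=addon/kube-proxy</code>
Join the two worker nodes to the cluster with the join command printed by kubeadm init (the bootstrap token is a credential and expires after 24 hours by default):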
<code>kubeadm join 10.211.55.50:6443 \
--token ouez6j.02ms269v8i4psl7p \
--discovery-token-ca-cert-hash sha256:5fdafe0fe1adb3b60cd7bc33f033f028279a94a3944816424cc7f5bb498f6868</code>
Add the Cilium Helm repository:
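<code>helm repo add cilium https://helm.cilium.io/</code>
Install Cilium with the kubeProxyReplacement=strict option. k8sServiceHost and k8sServicePort point the Cilium agent directly at the API server, because without kube-proxy nothing serves the kubernetes ClusterIP until Cilium itself is running: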
<code>helm install cilium cilium/cilium \
--version 1.10.3 \
--namespace kube-system \
--set kubeProxyReplacement=strict \
--set k8sServiceHost=10.211.55.50 \
--set k8sServicePort=6443</code>
Verify Cilium pods are running:
<code># kubectl -n kube-system get pods -l k8s-app=cilium
cilium-8gwg2 1/1 Running 0 8m4s
cilium-t9ffc 1/1 Running 0 8m39s
cilium-x42r6 1/1 Running 0 8m16s</code>
Confirm that the kube‑proxy component is absent:
<code># kubectl get po -n kube-system
... (output shows no kube-proxy pods) ...</code>
Check Cilium status to ensure a correct installation:
<code># kubectl -n kube-system exec cilium-t9ffc -- cilium status
... (status output confirming OK, KubeProxyReplacement: Strict, etc.) ...</code>
Deploy an Nginx application to test network connectivity:
<code># cat deployment-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      run: nginx
  replicas: 4
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

# kubectl create -f deployment-nginx.yaml</code>
Create a NodePort service for the Nginx deployment:
<code>kubectl expose deployment nginx --type=NodePort --port=80</code>
Validate access via NodePort and ClusterIP:
<code># curl 127.0.0.1:31126 # returns Nginx welcome page
# curl 10.97.209.103 # returns Nginx welcome page</code>
Conclusion
The cluster operates normally without the kube‑proxy component, demonstrating that Cilium can fully replace kube‑proxy in a Kubernetes environment. Further topics such as Cilium system requirements, networking modes, and policy features will be covered in future articles.
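The three verification steps in the procedure (Cilium pods running, no kube-proxy pods, KubeProxyReplacement: Strict in cilium status) can be scripted so a silent fallback or a leftover kube-proxy pod is caught on every check. This is an added example, not part of the original article; the function names and sample output are constructed, and the layout of the status line is an assumption based on Cilium 1.10 output.

```shell
#!/usr/bin/env bash
# Added example: verification helpers for a kube-proxy-free Cilium cluster.
# Every function reads captured command output on stdin, so it runs offline.

# Count pods in `kubectl get pods` output that are not fully Ready and Running.
not_ready_count() {
  awk '$1 != "NAME" && NF >= 3 {
         split($2, r, "/")
         if (r[1] != r[2] || $3 != "Running") bad++
       }
       END { print bad + 0 }'
}

# Count kube-proxy pods in `kubectl get po -n kube-system` output (expected: 0).
kube_proxy_count() {
  awk '$1 ~ /^kube-proxy/ { n++ } END { print n + 0 }'
}

# Print the mode on the KubeProxyReplacement line of `cilium status` output.
kpr_mode() {
  awk '$1 == "KubeProxyReplacement:" { print $2; exit }'
}

# Run all three checks. Arguments are files holding captured output, e.g.
#   kubectl -n kube-system get pods -l k8s-app=cilium > cilium-pods.txt
#   kubectl -n kube-system get po > system-pods.txt
#   kubectl -n kube-system exec <cilium-pod> -- cilium status > status.txt
verify_capture() {
  local cilium_pods="$1" system_pods="$2" status="$3" rc=0
  [ "$(not_ready_count < "$cilium_pods")" -eq 0 ] ||
    { echo "FAIL: a cilium pod is not Ready/Running"; rc=1; }
  [ "$(kube_proxy_count < "$system_pods")" -eq 0 ] ||
    { echo "FAIL: kube-proxy pod present"; rc=1; }
  [ "$(kpr_mode < "$status")" = "Strict" ] ||
    { echo "FAIL: KubeProxyReplacement is not Strict"; rc=1; }
  return "$rc"
}

# Constructed sample output: pod rows as shown in the article, header and
# status lines made up for illustration.
SAMPLE_PODS='NAME           READY   STATUS    RESTARTS   AGE
cilium-8gwg2   1/1     Running   0          8m4s
cilium-t9ffc   1/1     Running   0          8m39s
cilium-x42r6   1/1     Running   0          8m16s'
SAMPLE_STATUS='KVStore:                Ok   Disabled
KubeProxyReplacement:   Strict   [eth0 10.211.55.50 (Direct Routing)]
Cilium:                 Ok   1.10.3'
```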
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.