Cluster and service networking options

MKE supports the following cluster and service networking options:

  • Kube-proxy with iptables proxier, and either the managed CNI or an unmanaged alternative

  • Kube-proxy with ipvs proxier, and either the managed CNI or an unmanaged alternative

  • eBPF mode with either the managed CNI or an unmanaged alternative

You can configure cluster and service networking options at install time or in existing clusters. For details on reconfiguring existing clusters, refer to Configure cluster and service networking in an existing cluster in the MKE Operations Guide.

Caution

Swarm workloads that require the use of encrypted overlay networks must use iptables proxier with either the managed CNI or an unmanaged alternative. Be aware that the other networking options detailed here automatically disable Docker Swarm encrypted overlay networks.

Supported unmanaged CNI plugins

Partner name    CNI plugin

Tigera          Calico Enterprise

Isovalent       Cilium


To enable kube-proxy with iptables proxier while using the managed CNI:

Using the default option, kube-proxy with iptables proxier, is equivalent to specifying --kube-proxy-mode=iptables at install time. To verify that the option is operational, confirm the presence of the following line in the ucp-kube-proxy container logs:

I1027 05:35:27.798469        1 server_others.go:212] Using iptables Proxier.

To enable kube-proxy with ipvs proxier while using the managed CNI:

  1. Prior to MKE installation, verify that the following kernel modules are available on all Linux manager and worker nodes:

    • ipvs

    • ip_vs_rr

    • ip_vs_wrr

    • ip_vs_sh

    • nf_conntrack_ipv4

  2. Specify --kube-proxy-mode=ipvs at install time.

  3. Optional. Once installation is complete, configure the following ipvs-related parameters in the MKE configuration file (otherwise, MKE will use the Kubernetes default parameter settings):

    • ipvs_exclude_cidrs = ""

    • ipvs_min_sync_period = ""

    • ipvs_scheduler = ""

    • ipvs_strict_arp = false

    • ipvs_sync_period = ""

    • ipvs_tcp_timeout = ""

    • ipvs_tcpfin_timeout = ""

    • ipvs_udp_timeout = ""

    For more information on using these parameters, refer to kube-proxy in the Kubernetes documentation.

    Note

    The ipvs-related parameters have no install time counterparts and therefore can be configured only after MKE installation is complete.

  4. Verify that kube-proxy with ipvs proxier is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:

    I1027 05:14:50.868486     1 server_others.go:274] Using ipvs Proxier.
    W1027 05:14:50.868822     1 proxier.go:445] IPVS scheduler not specified, use rr by default
    

To enable eBPF mode while using the managed CNI:

  1. Verify that the prerequisites for eBPF use have been met, including kernel compatibility, for all Linux manager and worker nodes. Refer to the Calico documentation Enable the eBPF dataplane for more information.

  2. Specify --calico-ebpf-enabled at install time.

  3. Verify that eBPF mode is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:

    KUBE_PROXY_MODE (disabled) CLEANUP_ON_START_DISABLED true
    "Sleeping forever...."
    

To enable kube-proxy with iptables proxier while using an unmanaged CNI:

  1. Specify --unmanaged-cni at install time.

  2. Verify that kube-proxy with iptables proxier is operational by confirming the presence of the following line in the ucp-kube-proxy container logs:

    I1027 05:35:27.798469     1 server_others.go:212] Using iptables Proxier.
    

To enable kube-proxy with ipvs proxier while using an unmanaged CNI:

  1. Specify the following parameters at install time:

    • --unmanaged-cni

    • --kube-proxy-mode=ipvs

  2. Verify that kube-proxy with ipvs proxier is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:

    I1027 05:14:50.868486     1 server_others.go:274] Using ipvs Proxier.
    W1027 05:14:50.868822     1 proxier.go:445] IPVS scheduler not specified, use rr by default
    

To enable eBPF mode while using an unmanaged CNI:

  1. Verify that the prerequisites for eBPF use have been met, including kernel compatibility, for all Linux manager and worker nodes. Refer to the Calico documentation Enable the eBPF dataplane for more information.

  2. Specify the following parameters at install time:

    • --unmanaged-cni

    • --kube-proxy-mode=disabled

    • --kube-default-drop-masq-bits

  3. Verify that eBPF mode is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:

    KUBE_PROXY_MODE (disabled) CLEANUP_ON_START_DISABLED true
    "Sleeping forever...."
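
The verification steps in the procedures above all rely on the same few log marker lines, so they can be checked with one script. The following is an added example, not part of the MKE documentation or tooling: it classifies the mode from ucp-kube-proxy log text and flags modes that, per the Caution above, disable Swarm encrypted overlay networks. The function names and the mode labels iptables, ipvs and ebpf are this example's own.

```shell
#!/bin/sh
# Added example: classify the service-networking mode from ucp-kube-proxy log
# text on stdin, using only the marker lines listed on this page.
detect_proxy_mode() {
    awk '
        /Using iptables Proxier\./     { mode = "iptables" }
        /Using ipvs Proxier\./         { mode = "ipvs" }
        /KUBE_PROXY_MODE \(disabled\)/ { disabled = 1 }
        /Sleeping forever/             { sleeping = 1 }
        END {
            # eBPF mode needs both marker lines: kube-proxy is disabled and idle.
            if (disabled && sleeping) mode = "ebpf"
            print (mode == "" ? "unknown" : mode)
        }'
}

# Per the Caution on this page, only the iptables proxier keeps Docker Swarm
# encrypted overlay networks available.
encrypted_overlay_available() {
    [ "$1" = "iptables" ]
}

# Compare the mode seen in the logs with the mode requested at install time.
# Returns 0 on match, 1 on mismatch, 2 when no marker line is present.
verify_proxy_mode() {
    expected=$1
    actual=$(detect_proxy_mode)
    if [ "$actual" = "unknown" ]; then
        echo "no proxier marker line found" >&2; return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "expected $expected, logs show $actual" >&2; return 1
    fi
    if ! encrypted_overlay_available "$actual"; then
        echo "note: $actual disables Swarm encrypted overlay networks" >&2
    fi
    return 0
}

# Constructed sample input, copied from the log lines shown on this page.
SAMPLE_IPTABLES='I1027 05:35:27.798469     1 server_others.go:212] Using iptables Proxier.'
SAMPLE_IPVS='I1027 05:14:50.868486     1 server_others.go:274] Using ipvs Proxier.
W1027 05:14:50.868822     1 proxier.go:445] IPVS scheduler not specified, use rr by default'
SAMPLE_EBPF='KUBE_PROXY_MODE (disabled) CLEANUP_ON_START_DISABLED true
"Sleeping forever...."'

printf '%s\n' "$SAMPLE_EBPF" | verify_proxy_mode ebpf && echo "mode verified: ebpf"
```

On a node, pipe the real container logs into `verify_proxy_mode` in place of the sample text, for instance from `docker logs` with stderr redirected to stdout; the exact container name on the node is an assumption to confirm locally.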