Cluster and service networking options
MKE supports the following cluster and service networking options:
Kube-proxy with iptables proxier, and either the managed CNI or an unmanaged alternative
Kube-proxy with ipvs proxier, and either the managed CNI or an unmanaged alternative
eBPF mode with either the managed CNI or an unmanaged alternative
You can configure cluster and service networking options at install time or in existing clusters. For details on reconfiguring existing clusters, refer to Configure cluster and service networking in an existing cluster in the MKE Operations Guide.
Caution
Swarm workloads that require the use of encrypted overlay networks must use iptables proxier with either the managed CNI or an unmanaged alternative. Be aware that the other networking options detailed here automatically disable Docker Swarm encrypted overlay networks.
Solution component | Develop and maintain | Test and integrate with MKE | First line support | Product support
---|---|---|---|---
Calico Open Source | Community | Mirantis | Mirantis | Tigera for Linux, Mirantis for Windows
Calico Enterprise | Tigera | Tigera, for every major MKE release | Mirantis | Tigera, with customers paying for additional features
Cilium Open Source | Community | Planned | Mirantis | Community or Isovalent
Cilium Enterprise | Isovalent | Isovalent | Mirantis | Isovalent
To enable kube-proxy with iptables proxier while using the managed CNI:
Using the default option, kube-proxy with iptables proxier, is equivalent to specifying --kube-proxy-mode=iptables at install time. To verify that the option is operational, confirm the presence of the following line in the ucp-kube-proxy container logs:
I1027 05:35:27.798469 1 server_others.go:212] Using iptables Proxier.
To enable kube-proxy with ipvs proxier while using the managed CNI:
Prior to MKE installation, verify that the following kernel modules are available on all Linux manager and worker nodes:
ipvs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
Specify --kube-proxy-mode=ipvs at install time.
Optional. Once installation is complete, configure the following ipvs-related parameters in the MKE configuration file (otherwise, MKE will use the Kubernetes default parameter settings):
ipvs_exclude_cidrs = ""
ipvs_min_sync_period = ""
ipvs_scheduler = ""
ipvs_strict_arp = false
ipvs_sync_period = ""
ipvs_tcp_timeout = ""
ipvs_tcpfin_timeout = ""
ipvs_udp_timeout = ""
For more information on using these parameters, refer to kube-proxy in the Kubernetes documentation.
Note
The ipvs-related parameters have no install time counterparts and therefore must only be configured once MKE installation is complete.
Verify that kube-proxy with ipvs proxier is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:
I1027 05:14:50.868486 1 server_others.go:274] Using ipvs Proxier.
W1027 05:14:50.868822 1 proxier.go:445] IPVS scheduler not specified, use rr by default
To enable eBPF mode while using the managed CNI:
Verify that the prerequisites for eBPF use have been met, including kernel compatibility, for all Linux manager and worker nodes. Refer to the Calico documentation Enable the eBPF dataplane for more information.
Specify --calico-ebpf-enabled at install time.
Verify that eBPF mode is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:
KUBE_PROXY_MODE (disabled) CLEANUP_ON_START_DISABLED true "Sleeping forever...."
To enable kube-proxy with iptables proxier while using an unmanaged CNI:
Specify --unmanaged-cni at install time.
Verify that kube-proxy with iptables proxier is operational by confirming the presence of the following line in the ucp-kube-proxy container logs:
I1027 05:35:27.798469 1 server_others.go:212] Using iptables Proxier.
To enable kube-proxy with ipvs proxier while using an unmanaged CNI:
Specify the following parameters at install time:
--unmanaged-cni
--kube-proxy-mode=ipvs
Verify that kube-proxy with ipvs proxier is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:
I1027 05:14:50.868486 1 server_others.go:274] Using ipvs Proxier.
W1027 05:14:50.868822 1 proxier.go:445] IPVS scheduler not specified, use rr by default
To enable eBPF mode while using an unmanaged CNI:
Verify that the prerequisites for eBPF use have been met, including kernel compatibility, for all Linux manager and worker nodes. Refer to the Calico documentation Enable the eBPF dataplane for more information.
Specify the following parameters at install time:
--unmanaged-cni
--kube-proxy-mode=disabled
--kube-default-drop-masq-bits
Verify that eBPF mode is operational by confirming the presence of the following lines in the ucp-kube-proxy container logs:
KUBE_PROXY_MODE (disabled) CLEANUP_ON_START_DISABLED true "Sleeping forever...."
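The log checks in the procedures above can be combined with the Caution about Swarm encrypted overlay networks in one helper. The following is an added example, not part of the MKE documentation: a POSIX shell helper that reads ucp-kube-proxy log text, reports the active mode from the marker strings quoted on this page, and states whether that mode leaves encrypted overlay networks available. The function names, the `ebpf` label and the `docker logs ucp-kube-proxy` invocation shown in the comment are assumptions.

```shell
#!/bin/sh
# Added example: classify the MKE service-networking mode from ucp-kube-proxy
# log text, using only the marker strings quoted on this page.
# Assumed usage on a node: docker logs ucp-kube-proxy 2>&1 | check_mke_proxy_mode ipvs

# Reads log text on stdin; prints iptables, ipvs, ebpf or unknown.
# The last marker seen wins, so a log spanning several startups reports
# the most recent mode.
mke_proxy_mode() {
    awk '
        index($0, "Using iptables Proxier")     { mode = "iptables" }
        index($0, "Using ipvs Proxier")         { mode = "ipvs" }
        index($0, "KUBE_PROXY_MODE (disabled)") { mode = "ebpf" }
        END { print (mode == "" ? "unknown" : mode) }
    '
}

# Per the Caution on this page, only the iptables proxier leaves Docker Swarm
# encrypted overlay networks enabled. Succeeds only for mode "iptables".
swarm_encrypted_overlay_available() {
    [ "$1" = "iptables" ]
}

# Compares the mode found on stdin with the expected one ($1) and prints a
# one-line verdict. Returns 1 on mismatch.
check_mke_proxy_mode() {
    _expected=$1
    _actual=$(mke_proxy_mode)
    if [ "$_actual" != "$_expected" ]; then
        echo "MISMATCH expected=$_expected actual=$_actual"
        return 1
    fi
    if swarm_encrypted_overlay_available "$_actual"; then
        echo "OK mode=$_actual swarm_encrypted_overlay=available"
    else
        echo "OK mode=$_actual swarm_encrypted_overlay=disabled"
    fi
}

# Sample input, constructed from the log lines quoted on this page.
SAMPLE_IPVS_LOG='I1027 05:14:50.868486 1 server_others.go:274] Using ipvs Proxier.
W1027 05:14:50.868822 1 proxier.go:445] IPVS scheduler not specified, use rr by default'
```

A mismatch verdict on a node that hosts Swarm workloads on encrypted overlay networks means the cluster was installed or reconfigured with an option that disables them.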