Running Kubernetes Without kube-proxy Using Cilium: Step‑by‑Step Guide
This article walks through installing Cilium as a CNI on a Kubernetes v1.21.3 cluster, disabling kube-proxy, and verifying network connectivity with an Nginx deployment, providing commands, configuration details, and validation steps for a kube‑proxy‑free setup.
Introduction
Many have heard that Cilium, powered by eBPF, offers high performance and network policy support, and can replace the traditional kube-proxy component. This guide documents a hands‑on installation of Cilium as a CNI on a Kubernetes cluster without installing kube‑proxy.
Environment
Kubernetes version: v1.21.3
Cilium version: v1.10.3
Installation method: kubeadm
Cilium networking mode: vxlan
OS: Ubuntu 18.04
Cluster size: 1 master, 2 nodes
Procedure
Initialize the master node while skipping the kube‑proxy addon:
kubeadm init \
--apiserver-advertise-address=10.211.55.50 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.21.3 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=all \
--skip-phases=addon/kube-proxyJoin the two worker nodes to the cluster:
kubeadm join 10.211.55.50:6443 \
--token ouez6j.02ms269v8i4psl7p \
--discovery-token-ca-cert-hash sha256:5fdafe0fe1adb3b60cd7bc33f033f028279a94a3944816424cc7f5bb498f6868Add the Cilium Helm repository: helm repo add cilium https://helm.cilium.io/ Install Cilium with the kubeProxyReplacement=strict option:
helm install cilium cilium/cilium \
--version 1.10.3 \
--namespace kube-system \
--set kubeProxyReplacement=strict \
--set k8sServiceHost=10.211.55.50 \
--set k8sServicePort=6443Verify Cilium pods are running:
# kubectl -n kube-system get pods -l k8s-app=cilium
cilium-8gwg2 1/1 Running 0 8m4s
cilium-t9ffc 1/1 Running 0 8m39s
cilium-x42r6 1/1 Running 0 8m16sConfirm that the kube‑proxy component is absent:
# kubectl get po -n kube-system
... (output shows no kube-proxy pods) ...Check Cilium status to ensure a correct installation:
# kubectl -n kube-system exec cilium-t9ffc -- cilium status
... (status output confirming OK, KubeProxyReplacement: Strict, etc.) ...Deploy an Nginx application to test network connectivity:
# cat deployment-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
selector:
matchLabels:
run: nginx
replicas: 4
template:
metadata:
labels:
run: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
kubectl create -f deployment-nginx.yamlCreate a NodePort service for the Nginx deployment:
kubectl expose deployment nginx --type=NodePort --port=80Validate access via NodePort and ClusterIP:
# curl 127.0.0.1:31126 # returns Nginx welcome page
# curl 10.97.209.103 # returns Nginx welcome pageConclusion
The cluster operates normally without the kube‑proxy component, demonstrating that Cilium can fully replace kube‑proxy in a Kubernetes environment. Further topics such as Cilium system requirements, networking modes, and policy features will be covered in future articles.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Ops Development Stories
Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.