Congratulations to the Kubespray team on the release of 2.17! This release brings support for two of the newer features in Calico: support for the eBPF data plane, and also for WireGuard encryption.
Let’s dive into configuring Kubespray to enable these new features.
If you’re interested in getting started with Kubespray and Calico, you can refer to Using Calico with Kubespray, which covers some of the settings you might want to use, as well as how to enable Calico in several of the quick start guides.
To configure Calico options when using Kubespray to deploy a cluster, you’ll need to configure some variables. If you’re using the examples in the Kubespray repository, those files are under
inventory/…/group_vars/k8s_cluster/, with the Calico options residing in
Calico offers several different data planes, ensuring that end users can choose the technology that’s right for their particular use case. eBPF is a relatively new set of facilities in the Linux kernel that lets developers write code to modify its functionality at runtime in a way that is safe and efficient.
Calico’s eBPF data plane offers increased efficiency, as well as functionality like providing source IP preservation for increased visibility of traffic. Reza Ramezanpour has a great post that goes into more detail about the eBPF data plane with some examples using AKS, and there’s more information about eBPF and how it’s used in the Calico documentation.
The eBPF data plane has a number of significant differences in the way that it operates compared to the standard iptables data plane, and a few limitations as well. For complete details, refer to Enable the eBPF data plane in the Calico documentation. If you want to enable the data plane, you can set:
One difference is that Kubernetes’s built-in proxy, kube-proxy, relies on iptables to function. Because Calico’s eBPF data plane bypasses iptables, we need to remove kube-proxy, which we can do as follows:
Without kube-proxy, we need some way for Calico to communicate with the Kubernetes API. This is how the Kubespray docs describe how they’ve dealt with this issue:
“Kubespray sets up the kubernetes-services-endpoint configmap based on the contents of the loadbalancer_apiserver inventory variable documented in HA Mode.”
If no external load balancer is used, Calico eBPF can also use the localhost load balancer option. In this case, Calico automatic host endpoints need to be enabled to allow services like coredns and metrics-server to communicate with the Kubernetes host endpoint.
The following variables are used:
loadbalancer_apiserver_localhost: true use_localhost_as_kubeapi_loadbalancer: true
You can also have a look at the Configure Calico to talk directly to the API server section of the Calico docs.
This feature skips a network hop for traffic to services from outside the cluster, reducing latency and CPU usage, but requires that the underlying network allows one node to respond on behalf of another. There are some details about specific environments in the Calico documentation. You can enable this feature with:
To enable better debugging, you might want to turn on the Calico eBPF logs, which need to be examined using the tc program. The Calico documentation goes into more detail in the Troubleshooting eBPF mode section. You can turn on the logs by setting the following variable:
Calico released a tech preview for WireGuard support in v3.14, with the feature becoming generally available in v3.15. When enabled, Calico will automatically set up WireGuard tunnels between each of your nodes, encrypting all pod traffic that goes “over the wire” between those nodes, securing your workload traffic at the cost of a small performance penalty. You can read more about this feature in Introducing WireGuard Encryption with Calico, and find more details about enabling encryption in the Calico documentation.
To configure Kubespray to turn on WireGuard support when installing Calico, edit the following setting in
The Kubespray docs also mention that for certain operating systems, like CentOS 7 & 8, AlmaLinux, and Amazon Linux 2, you will also need the EPEL repo, which you can install using the following variable:
If you enjoyed this blog, you might also like:
Get updates on blog posts, new releases and more!