CNI Plugin
By default, this rewiring is done with an Init Container that uses iptables to install routing rules for the pod, at pod startup time. However, this requires the CAP_NET_ADMIN capability; and in some clusters, this capability is not granted to pods.
To handle this, Linkerd can optionally run these iptables rules in a CNI plugin rather than in an Init Container. This avoids the need for a CAP_NET_ADMIN capability.
Note
Linkerd’s CNI plugin is designed to run in conjunction with your existing CNI plugin, using CNI chaining. It handles only the Linkerd-specific configuration and does not replace the need for a CNI plugin.
To install the linkerd-cni DaemonSet, run:
Once the DaemonSet is up and running, meshed pods should no longer use the linkerd-init Init Container. To accomplish this, use the --linkerd-cni-enabled flag when installing the control plane:
Using this option will set a cniEnabled flag in the linkerd-config ConfigMap. Proxy injections will read this field and omit the Init Container.
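A check for the end state described above, as an added example that is not from the Linkerd project: it scans pod specs shaped like the output of kubectl get pods -A -o json and reports meshed pods that still carry the linkerd-init Init Container or add NET_ADMIN. Identifying meshed pods by a container named linkerd-proxy is an assumption, and the sample pods are constructed.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "emojivoto", "name": "web-1"},
     "spec": {"initContainers": [{"name": "linkerd-init", "securityContext": {
                  "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
              "containers": [{"name": "linkerd-proxy"}, {"name": "web"}]}},
    {"metadata": {"namespace": "emojivoto", "name": "voting-1"},
     "spec": {"containers": [{"name": "linkerd-proxy"}, {"name": "voting"}]}},
    {"metadata": {"namespace": "default", "name": "batch-1"},
     "spec": {"initContainers": [{"name": "setup"}],
              "containers": [{"name": "job"}]}},
]}

PROXY = "linkerd-proxy"  # assumption: sidecar container name that marks a meshed pod
INIT = "linkerd-init"    # Init Container name given on this page


def audit(pod_list):
    """Return (pod, issue) findings for meshed pods still relying on the Init Container."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        containers = spec.get("containers") or []
        inits = spec.get("initContainers") or []
        if not any(c.get("name") == PROXY for c in containers):
            continue  # not meshed, out of scope for this check
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        if any(c.get("name") == INIT for c in inits):
            findings.append((ref, "linkerd-init present"))
        for c in inits + containers:
            sec = c.get("securityContext") or {}
            caps = (sec.get("capabilities") or {}).get("add") or []
            # Kubernetes lists capabilities without the CAP_ prefix.
            if "NET_ADMIN" in caps:
                findings.append((ref, f'{c.get("name")} adds NET_ADMIN'))
    return findings


if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`; with no argument the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ref, issue in audit(data):
        print(f"{ref}: {issue}")
```

Pods injected before the CNI plugin was enabled keep their old spec until they are recreated, so findings here usually point at workloads that still need a restart.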
Using Helm
First ensure that your Helm local cache is updated:
Note
For Helm versions < v3, the --name flag has to be passed explicitly. In Helm v3, it has been deprecated, and the name is the first argument as specified above.
At that point you are ready to install Linkerd with CNI enabled. Follow the instructions.
The linkerd install-cni command includes additional flags that you can use to customize the installation. See linkerd install-cni --help for more information. Note that many of the flags are similar to the flags that can be used to configure the proxy when running linkerd inject. If you change a default when running linkerd install-cni, you will want to ensure that you make a corresponding change when running linkerd inject.
--dest-cni-bin-dir: This is the directory on the node where the CNI Plugin binaries reside. It defaults to /opt/cni/bin.
--cni-log-level: Setting this to debug will allow more verbose logging. In order to view the CNI Plugin logs, you must be able to see the kubelet logs. One way to do this is to log onto the node and use journalctl -t kubelet. The string linkerd-cni: can be used as a search term to find the plugin log output.
Since the CNI plugin is basically stateless, there is no need for a separate command. If you are using the CLI to upgrade the CNI plugin you can just do: