We are pleased to announce that Isovalent Enterprise for Cilium is now available in the AWS marketplace. This blog will guide you how to deploy Isovalent Enterprise for Cilium on EKS and EKS-A clusters from the AWS marketplace. This new availability in AWS Marketplace allows customers to:
- Consume Kubernetes networking, security, and observability as services.
- Easily find, test, and deploy Cilium.
- Get started in minutes instead of lengthy deployment cycles.
- Only pay for services consumed upfront investment commitments.
Cilium is the default CNI for EKS-Anywhere and has been widely adopted by EKS users and customers.
What is Isovalent Enterprise for Cilium?
Isovalent Cilium Enterprise is an enterprise-grade, hardened distribution of open-source projects Cilium, Hubble, and Tetragon, built and supported by the Cilium creators. Cilium enhances networking and security at the network layer, while Hubble enables thorough network observability and tracing. Tetragon ties it all together with runtime enforcement and security observability, offering a well-rounded solution for connectivity, compliance, multi-cloud, and security concerns.
Why Isovalent Enterprise for Cilium?
For enterprise customers requiring support and/or usage of Advanced Networking, Security, and Observability features, “Isovalent Enterprise for Cilium” is recommended. This offering brings complete flexibility regarding access to Cilium features while retaining the advantageous ease of use and integration with AWS seamlessly.
What are the benefits of Cilium in AWS?
When running in the context of AWS, Cilium can natively integrate with the cloud provider’s SDN (Software Defined Networking). Cilium can speak BGP, route traffic on the network, and represent existing network endpoints with cloud-native identities in an on-premises environment. To the application team using Kubernetes daily, the user experience will be the same regardless of whether the workload runs in Kubernetes clusters backed by public or private cloud infrastructure. Entire application stacks or even entire clusters become portable across clouds.
Cilium has several differentiators that set it apart from other networking and security solutions in the cloud native ecosystem, including:
- eBPF-based technology: Cilium leverages eBPF technology to provide deep visibility into network traffic and granular control over network connections.
- Micro-segmentation: Cilium enables micro-segmentation at the network level, allowing organizations to enforce policies that limit communication between different services or workloads.
- Encryption and authentication: Cilium provides encryption and authentication of all network traffic, ensuring that only authorized parties can access data and resources.
- Application-aware network security: Cilium provides network firewalling on L3-L7, supporting HTTP, gRPC, Kafka, and other protocols. This enables application-aware network security and protects against attacks that target specific applications or services.
- Observability: Cilium provides rich observability of Kubernetes and cloud-native infrastructure, allowing security teams to gain security-relevant observability and feed network activity into an SIEM (Security Information and Event Management) solution such as Splunk or Elastic.
Why AWS marketplace?
AWS Marketplace is an online store that contains thousands of IT software applications and services built by industry-leading technology companies. In AWS Marketplace, you can find, try, buy, and deploy the software and services needed to build new solutions and manage your cloud infrastructure. The catalog includes solutions for different industries and technical areas, free trials, and consulting services from Microsoft partners. Included among these solutions are Kubernetes application-based container offers. These offers contain applications that are meant to run on Kubernetes clusters such as Elastic Kubernetes Service (EKS).
Prerequisites
The following prerequisites need to be taken into account before you proceed with this tutorial:
- Access to AWS marketplace. Create a new account for free.
- The Cilium operator requires the following EC2 privileges to perform ENI creation and IP allocation.
- Install kubectl
- Install Helm
- Install eksctl
- Install awscli
- Cilium CLI: Cilium Enterprise provides a Cilium CLI tool that automatically collects all the logs and debug information needed to troubleshoot your Cilium Enterprise installation. You can install Cilium CLI for Linux, macOS, or other distributions on their local machine(s) or server(s).
- Hubble CLI: To access the observability data collected by Hubble, you can install the Hubble CLI. You can install Hubble CLI for Linux, macOS, or other distributions on their local machine (s) or server (s).
Where can I deploy Isovalent Enterprise for Cilium?
Isovalent Enterprise from the AWS marketplace can be deployed on:
- An existing EKS cluster
- A new EKS cluster using QuickLaunch
- A new EKS-A cluster
1. Installing Isovalent Enterprise for Cilium on an EKS cluster
You can install Isovalent Enterprise for Cilium on an existing EKS cluster or create a new EKS cluster for this tutorial.
- Login to AWS marketplace.
- Type “Isovalent” in the search window and select the application.
- Click> Isovalent Enterprise for Cilium
- Click> Continue to Subscribe
- Click> Continue to Configuration
- Click> Fulfillment Option and select “Helm Chart”
- Click> Choose a fulfillment option and select “Isovalent Enterprise for Cilium on EKS”
- Click> Software version> Select v1.12.8-awsmp.* (*-pick the latest version)
- The Launch method should be selected as “Launch on existing cluster” by default.
- You must ensure the IAM OIDC provider is associated with the cluster.
- To use AWS Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster’s OIDC issuer URL.
- Create an AWS IAM role and Kubernetes service account.
Output Truncated:
- Launch Isovalent Enterprise for Cilium by installing a Helm chart on your Amazon EKS cluster.
- The Helm CLI version in your launch environment must be 3.7.1.
- Note- username, password, and path for pulling the image have been hidden here but are available when the user is logged in.
Output Truncated:
2. Optional-Installing Isovalent Enterprise for Cilium on an EKS cluster using QuickLaunch
QuickLaunch helps you easily launch and explore container-based applications. QuickLaunch uses AWS CloudFormation to create an Amazon EKS cluster and Helm charts to launch the application.
Note- Isovalent recommends using QuickLaunch only for early-release testing. For Production Environments, you should follow option 1.
- Login to AWS marketplace.
- Type “Isovalent” in the search window and select the application.
- Click> Isovalent Enterprise for Cilium
- Click> Continue to Subscribe
- Click> Continue to Configuration
- Click> Fulfillment Option and select “Helm Chart”
- Click> Choose a fulfillment option and select “Isovalent Enterprise for Cilium on EKS”
- Click> Software version> Select v1.12.8-awsmp.* (*-pick the latest version)
- Click> Continue to Launch
- Click> “Launch on a new EKS cluster with QuickLaunch”
- Click> QuickLaunch with Cloudformation
- This will redirect you to fill out details for creating a Cloudformation stack that will be used to create an EKS cluster running Isovalent Enterprise for Cilium.
- Enter a Stack Name
- Enter a name for your EKS cluster.
Note- The EKS cluster name should be less than 16 characters. This is a mandatory requirement.
- The Helm Chart parameters should be left to be set to the defaults populated from the pre-populated CloudFormation template.
- Select> I acknowledge that AWS CloudFormation might create IAM resources with customized names, and Select> l acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND
- Click> Create Stack
- This will redirect you to the stacks page, where you can create a new CloudFormation Stack.
Accessing the Cluster
To access your EKS cluster created by Quicklaunch, you will need to update your kubectl config:
3. Installing Isovalent Enterprise for Cilium in an EKS-A cluster
EKS Anywhere creates a Kubernetes cluster on-premises for a chosen provider. Supported providers include Bare Metal (via Tinkerbell), CloudStack, and vSphere. To manage that cluster, you can run cluster create and delete commands from an Ubuntu or Mac Administrative machine.
Note-
- Refer to the Pre-requisites section to ensure all dependencies are installed and the administrative machine configured.
- For EKS-Anywhere
- Refer to the “Preparing the Administrative Machine” section to create an administrative machine to run cluster operations
- EKS-A cluster infrastructure preparation (hardware and inventory management) is not part of the scope of this document. This document assumes you have already handled it before creating a cluster for any provider types.
- The provider type chosen for this tutorial is docker, a development-only version, not for production. You can choose from a list of providers and modify the commands accordingly.
- To install an EKS-A cluster on docker, follow these steps outlined.
- All EKS-A clusters are deployed with the base edition of Cilium, which must be uninstalled before upgrading to Isovalent Enterprise for Cilium. An upcoming release will support an automatic upgrade from the default Cilium image to Isovalent Enterprise for Cilium. This can be achieved in two ways (you can use either):
spec.clusterNetwork.cniConfig.cilium.skipUpgrade
is set totrue
at either cluster creation or you can also upgrade your EKS cluster.
- Deleting the serviceaccount, clusterrole(s), clusterrolebinding(s)
Steps:
- Login to AWS marketplace.
- Type “Isovalent” in the search window and select the application.
- Click> Isovalent Enterprise for Cilium
- Click> Continue to Subscribe
- Click> Continue to Configuration
- Click> Fulfillment Option and select “Helm Chart”
- Click> Choose a fulfillment option and select “Isovalent Enterprise for Cilium on EKS Anywhere”
- Click> Software version> Select v1.12.8-awsmp.* (*-pick the latest version)
- Click> Continue to Launch
- The launch target is set to “Self-Managed Kubernetes”
- Create a license token and IAM role. Choose Create token to generate a license token and AWS IAM role. These will be used to access the AWS License Manager APIs for billing and metering. You can use an existing token if you have one, and make sure that the following permissions are granted to the token:
- To create the IAM role you will need to Grant Permission
- Save the token and IAM role as a Kubernetes secret
- Note- username, password, and path for pulling the image have been hidden here but are available when the user is logged in.
- Install Isovalent Enterprise for Cilium by installing a Helm chart from Amazon Elastic Container Registry (ECR).
- The Helm CLI version in your launch environment must be 3.7.1.
- Note- username, password, and path for pulling the image have been hidden here but are available when the user is logged in.
Output Truncated:
Validation- Isovalent Enterprise for Cilium
The validation part remains the same for an EKS or EKS-A cluster running Isovalent Enterprise for Cilium
Validate the Installation
To validate that Cilium has been properly installed with the correct version, run the following command cilium-status
, and you will see that Cilium is managing all the pods. They are in “Ready” state and are “Available”.
Cluster and Cilium Health Check
Check the nodes’ status and ensure they are in a “Ready” state
cilium-health
which is a tool available in Cilium that provides visibility into the overall health of the cluster’s networking connectivity. Use cilium-health
to get visibility into the overall health of the cluster’s networking connectivity.
Cilium Connectivity Test
The cilium connectivity test
command deploys a series of services and deployments, and CiliumNetworkPolicy will use various connectivity paths to connect. Connectivity paths include with and without service load-balancing and various network policy combinations.
Output Truncated:
Validate Hubble API access
To get temporary access to the Hubble API, create a port forward to the Hubble service from your local machine or server. This will allow you to connect the Hubble client to the local port 4245 and access the Hubble Relay service in your Kubernetes cluster. For more information on this method, see Use Port Forwarding to Access Application in a Cluster.
Validate that you have access to the Hubble API via the installed CLI and notice that both the nodes are connected and flows are being accounted for.
Run hubble observe
command in a different terminal against the local port to observe cluster-wide network events through Hubble Relay:
Accessing the Hubble UI
To get temporary access to the Hubble UI, create a port forward to the Hubble service from your local machine or server. This will allow you to connect to the local port 12000 and access the Hubble UI service in your Kubernetes cluster. For more information on this method, see Use Port Forwarding to Access Application in a Cluster.
- This will redirect you to http://localhost:12000 in your browser.
- You should see a screen with an invitation to select a namespace; use the namespace selector dropdown on the left top corner to select a namespace:
Troubleshooting
The default EKS-A cluster has Cilium installed/running by default, and you must uninstall the default version of Cilium, else you will be prompted with the error message below:
It would be best if you made sure that your ~/.aws/config is pointing to the correct region, else the described operation will fail as below: