Dabbled with enabling #IPv6 on my #cilium based #k3s cluster this morning. Seems that it /is/ possible to enable without a full cluster/node rebuild*.

Mostly went fine, prefix, prefix mask, masq set to off. After poking a couple of the Cilium Pods new Pods got an IPv6 addr. ...but couldn't ping anything. Traffic made it out based on what Hubble was showing, but not the reverse.

Enabled v6 masquerading, and it all started to work, yay. Suspect I need to try setting up a static route on my router for this to work.

I have a couple pods w/ quirky networking so they got unhappy. v6 IP, dns query replying w/ AAAA but no dice as they really only have v4 connectivity.

Back off for now but promising that it could work.

*.spec.PodCIDR(s) are immutable on v1.Node resources, but cilium in it's default configuration doesn't get it's PodCIDR from there in the default config.

Deep dive into enabling Cilium native routing on Azure Kubernetes Service with BYOCNI - a 3-part experiment:

Part 1: https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-1/

Part 2: https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-2/

Part 3: https://www.danielstechblog.io/an-experiment-enable-cilium-native-routing-on-azure-kubernetes-service-byocni-part-3/

#Azure #AKS #Kubernetes #Cilium #Networking

Cilium deprecated external workload? Deploy HAProxy Ingress in DMZ w/ BGP+BIRD. Pod CIDR export, firewalld hardening, AlmaLinux-ready. Secure & tested! 👇

https://devopstales.github.io/kubernetes/k8s-dmz-bgp-external-haproxy/

#Kubernetes #BGP #HAProxy #NetworkSecurity #DevOps #Cilium

One last oddity from my NetworkPolicy project over the last few days.....

I am getting the following in my hubble logs: