K8s 集群基于阿里云弹性网卡 ENI 部署 Cilium 遇到问题

悬赏园豆：50 [已解决问题] 解决于 2022-05-14 21:19

使用 helm 部署，部署命令如下

helm upgrade cilium cilium/cilium --version 1.11.4 \
  --install \
  --namespace kube-system \
  --set alibabacloud.enabled=true \
  --set ipam.mode=alibabacloud \
  --set enableIPv4Masquerade=false \
  --set tunnel=disabled

部署后，cilium pod 一直进入不了 ready 状态

# kubectl get pods -l k8s-app=cilium -n kube-system        
NAME           READY   STATUS    RESTARTS         AGE
cilium-5b2mz   0/1     Running   18 (68s ago)     103m
cilium-5fx9s   0/1     Running   18 (84s ago)     103m

查看日志

kubectl logs --since 5m ds/cilium -n kube-system

发现很多 Waiting for IPs to become available in CRD-backed allocation pool

level=info msg="Using autogenerated IPv4 allocation range" subsys=node v4Prefix=10.171.0.0/16
...
level=info msg="Initializing CRD-based IPAM" subsys=ipam
level=info msg="Subscribed to CiliumNode custom resource" name=kube-master0 subsys=ipam
level=info msg="Successfully synchronized CiliumNode custom resource" name=kube-master0 subsys=ipam
level=info msg="Waiting for IPs to become available in CRD-backed allocation pool" available=0 helpMessage="Check if cilium-operator pod is running and does not have any warnings or error messages." name=kube-master0 required=2 subsys=ipam
level=info msg="Waiting for IPs to become available in CRD-backed allocation pool" available=0 helpMessage="Check if cilium-operator pod is running and does not have any warnings or error messages." name=kube-master0 required=2 subsys=ipam
level=info msg="Waiting for IPs to become available in CRD-backed allocation pool" available=0 helpMessage="Check if cilium-operator pod is running and does not have any warnings or error messages." name=kube-master0 required=2 subsys=ipam
...
level=info msg="Exiting due to signal" signal=terminated subsys=daemon
level=info msg="Waiting for all endpoints' go routines to be stopped." subsys=daemon
level=info msg="All endpoints' goroutines stopped." subsys=daemon

请问如何解决？

k8s cilium 阿里云

问题补充：

通过 cilium-operator 日志找到了更有用的信息

# kubectl logs --since 5m deployment/cilium-operator -n kube-system
level=info msg="Starting AlibabaCloud ENI allocator..." subsys=ipam-allocator-alibaba-cloud
level=warning msg="Unable to synchronize VPC list" error="SDK.ServerError\nErrorCode: Forbidden.RAM\nRecommend: https://troubleshoot.api.aliyun.com?q=Forbidden.RAM&product=Vpc\nRequestId: C87FA6DB-0308-5935-85C9-B2AB69EEC12F\nMessage: User not authorized to operate on the specified resource, or this API doesn't support RAM." subsys=eni
level=fatal msg="Unable to start alibabacloud allocator" error="Initial synchronization with instances API failed" subsys=cilium-operator-alibabacloud

dudu | 高人七级 | 园豆：30994
提问于：2022-05-14 19:56

< >

最佳答案

终于解决了！是因为 cilium 所用的阿里云 RAM 子账号权限不够，添加 AliyunVPCReadOnlyAccess （只读访问专有网络(VPC)的权限）权限就解决了。

虽然是完成按照官网帮助文档 Setting Up Cilium in AlibabaCloud ENI Mode (beta) 进行授权，但依然踩坑。

dudu | 高人七级 |园豆：30994 | 2022-05-14 21:17

清除回答草稿

您需要登录以后才能回答，未注册用户请先注册。

欢迎，请先 登录 或者 注册 。

K8s 集群基于阿里云弹性网卡 ENI 部署 Cilium 遇到问题

欢迎，请先登录或者注册。