Forem: Mikhail [azalio] Petrov The latest articles on Forem by Mikhail [azalio] Petrov (@azalio). https://forem.com/azalio https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F28117%2Fafa7e52f-04c8-4fff-8169-1a9b4082698f.jpeg Forem: Mikhail [azalio] Petrov https://forem.com/azalio en Kubernetes Agent Blind to New Mounts? Demystifying Mount Propagation Mikhail [azalio] Petrov Wed, 23 Apr 2025 20:43:54 +0000 https://forem.com/azalio/kubernetes-agent-blind-to-new-mounts-demystifying-mount-propagation-38ic https://forem.com/azalio/kubernetes-agent-blind-to-new-mounts-demystifying-mount-propagation-38ic <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frokcbj6j4rv4yorwa8wc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frokcbj6j4rv4yorwa8wc.png" alt="mountpropagation" width="800" height="533"></a></p> <h2> How <code>mountPropagation: HostToContainer</code> leverages Linux namespaces to solve a common agent problem </h2> <p>Ever run into this frustrating scenario? You deploy a Kubernetes agent (like an I/O limiter, monitoring tool, or operator) that needs to interact with PersistentVolumes mounted by Kubelet for other pods. It works fine initially, seeing all existing mounts. But then, a <em>new</em> pod gets scheduled, its PV gets mounted by Kubelet... and your agent is completely blind to it! 😠 Restarting the agent fixes it, but that's just a workaround, not a solution.</p> <p>I recently wrestled with this exact issue while building an I/O limiter that needed device <code>MAJOR:MINOR</code> numbers from pod mounts. Let's dive into why this happens and how to fix it properly using Kubernetes <code>mountPropagation</code>.</p> <h3> The Root Cause: Linux Mount Namespaces </h3> <p>The core of the issue lies in <strong>Linux mount namespaces</strong>. By default, each container in Kubernetes gets its own isolated mount namespace. Think of it as a private view of the system's mount points. When a container starts, it gets a <em>copy</em> of the host's mount table at that moment.</p> <p>Crucially, subsequent mount events happening on the host (like Kubelet mounting a new PV under <code>/var/lib/kubelet/pods/</code>) are <em>not</em> automatically reflected inside the container's isolated namespace. This default behavior corresponds to <code>private</code> propagation in Linux terminology.</p> <p>In Kubernetes, this default isolation is represented by:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mountPropagation</span><span class="pi">:</span> <span class="s">None</span> <span class="c1"># (Default if not specified)</span> </code></pre> </div> <p>This isolation is great for security and preventing containers from interfering with each other or the host, but it causes the "blind agent" problem.</p> <h3> The Solution: Kubernetes <code>mountPropagation</code> </h3> <p>Kubernetes provides the <code>mountPropagation</code> field within a <code>volumeMount</code> definition to control how mount events are shared between the host and the container's namespace. It bridges the isolation gap when needed. There are three modes:</p> <ol> <li> <strong><code>None</code> (Default):</strong> Complete isolation. No mount events propagate in either direction. (Linux: <code>private</code>)</li> <li> <strong><code>HostToContainer</code>:</strong> One-way street! Mount events from the host <strong>propagate into</strong> the container. Mounts created <em>inside</em> the container do <strong>not</strong> propagate back to the host. (Linux: <code>rslave</code> - recursive slave). <strong>This is exactly what we need for our agent!</strong> 👍</li> <li> <strong><code>Bidirectional</code>:</strong> Two-way street. Mounts propagate from host to container AND from container back to the host (and other containers in the pod using <code>Bidirectional</code>). (Linux: <code>rshared</code> - recursive shared). <strong>Use with extreme caution!</strong> This can affect the host system and requires the container to be privileged or have <code>CAP_SYS_ADMIN</code>.</li> </ol> <h3> The Recipe: Fixing the Blind Agent </h3> <p>To allow our agent container to see new PVs mounted by Kubelet under <code>/var/lib/kubelet/pods</code> <em>after</em> the agent has started, we need to mount that host directory into the agent and set <code>mountPropagation: HostToContainer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Example Pod spec for the agent</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-observing-agent</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-agent-image:latest</span> <span class="c1"># Optional: If your agent needs to *do* something with mounts,</span> <span class="c1"># it might need privileges beyond just seeing them.</span> <span class="c1"># Bidirectional *requires* privileged or CAP_SYS_ADMIN.</span> <span class="c1"># HostToContainer itself doesn't require extra privileges just to see mounts.</span> <span class="c1"># securityContext:</span> <span class="c1"># privileged: false</span> <span class="c1"># capabilities:</span> <span class="c1"># add: ["SYS_ADMIN"] # Example if needed for other operations</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubelet-pods-dir</span> <span class="c1"># The path inside the container where the host dir will be mounted</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/mnt/kubelet-pods</span> <span class="c1"># The magic setting!</span> <span class="na">mountPropagation</span><span class="pi">:</span> <span class="s">HostToContainer</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubelet-pods-dir</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="c1"># The directory on the host we want to observe</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/var/lib/kubelet/pods</span> <span class="c1"># Ensures the path exists on the host</span> <span class="na">type</span><span class="pi">:</span> <span class="s">DirectoryOrCreate</span> </code></pre> </div> <p>With this configuration, any new directory or mount point created by Kubelet under <code>/var/lib/kubelet/pods</code> on the host will automatically appear under <code>/mnt/kubelet-pods</code> inside the <code>my-observing-agent</code> container, without requiring a restart. Problem solved! ✅</p> <h3> Under the Hood: How It Works </h3> <p>What happens when you set <code>HostToContainer</code>?</p> <ol> <li> <strong>Kubelet:</strong> Sees <code>mountPropagation: HostToContainer</code> in the Pod spec.</li> <li> <strong>CRI Request:</strong> Kubelet translates this to the corresponding enum (<code>PROPAGATION_HOST_TO_CONTAINER</code>) in its request to the Container Runtime Interface (CRI).</li> <li> <strong>Container Runtime (containerd, CRI-O):</strong> Receives the request and uses Linux system calls (specifically the <code>mount</code> syscall with flags like <code>MS_SLAVE | MS_REC</code>) to configure the container's mount point (<code>/mnt/kubelet-pods</code> in our example) as a <strong>recursive slave</strong> (<code>rslave</code>) of the corresponding host mount point (<code>/var/lib/kubelet/pods</code>).</li> <li> <strong>Propagation:</strong> Because the container's mount is now a slave of the host's mount, any mount events occurring under the host path are automatically propagated by the Linux kernel into the container's mount namespace at the slave mount point.</li> </ol> <h3> Important Considerations </h3> <ul> <li> <strong>Security (<code>Bidirectional</code>):</strong> Seriously, be careful with <code>Bidirectional</code>. A container mount propagating back to the host can have significant security implications, especially in multi-tenant clusters. It generally requires the container to run as privileged or have <code>CAP_SYS_ADMIN</code>.</li> <li> <strong>Privileges (<code>HostToContainer</code>):</strong> Simply <em>observing</em> mounts with <code>HostToContainer</code> doesn't inherently require extra privileges. However, if your agent needs to <em>perform actions</em> within those propagated mounts (like modifying files owned by root, mounting things itself), it might need appropriate capabilities (<code>CAP_SYS_ADMIN</code>) or run as privileged, independent of the <code>mountPropagation</code> setting itself.</li> <li> <strong>Debugging:</strong> If things aren't working, check the mount table inside the container (<code>findmnt</code> or <code>cat /proc/self/mountinfo</code>) and compare it to the host's. Look for the <code>master:</code> entries or propagation flags (<code>shared</code>, <code>slave</code>) associated with your mount point.</li> <li> <strong>Historical Note:</strong> For a brief period around Kubernetes 1.10, the default was accidentally changed to <code>HostToContainer</code> before being reverted. If you're managing a very old cluster, be aware of this possibility (<a href="https://github.com/kubernetes/kubernetes/pull/62462" rel="noopener noreferrer">#62462</a>).</li> </ul> <h3> Conclusion </h3> <p>Kubernetes <code>mountPropagation</code> is a powerful mechanism rooted in Linux mount namespaces that allows you to selectively break container isolation for specific use cases. Understanding the <code>HostToContainer</code> mode (<code>rslave</code>) is key to solving the common problem of agents needing visibility into dynamically created host mounts, like those managed by Kubelet. By applying it correctly, you can build more robust and reliable agents and operators without resorting to restarting them.</p> <p>Connect with me on <a href="https://www.linkedin.com/in/azalio/" rel="noopener noreferrer">LinkedIn</a>!</p> kubernetes linux storage namespaces Securing Kubernetes API Server Health Checks Without Anonymous Access Mikhail [azalio] Petrov Sun, 13 Apr 2025 19:11:00 +0000 https://forem.com/azalio/securing-kubernetes-api-server-health-checks-without-anonymous-access-31f9 https://forem.com/azalio/securing-kubernetes-api-server-health-checks-without-anonymous-access-31f9 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs23cgocckdh557tp8rj6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs23cgocckdh557tp8rj6.png" alt="Image description" width="800" height="800"></a></p> <h2> How to disable anonymous auth globally but keep /livez, /readyz, and /healthz accessible </h2> <p>Recently, a security-savvy colleague posed an interesting question: "Is it possible to disable anonymous access to the Kubernetes API server entirely, but still allow the <code>/livez</code>, <code>/readyz</code>, and <code>/healthz</code> endpoints to work?" 🤔</p> <p>Honestly, I didn't know the answer offhand, so I dove into the Kubernetes source code and relevant KEPs (Kubernetes Enhancement Proposals). Here's what I found and how you can implement it.</p> <h3> The Default Scenario: Anonymous Access Enabled </h3> <p>As you probably know, by default, <code>kube-apiserver</code> allows anonymous authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--anonymous-auth Default: true </code></pre> </div> <blockquote> <p>Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of <code>system:anonymous</code>, and a group name of <code>system:unauthenticated</code>.</p> </blockquote> <p>When you set up a cluster using <code>kubeadm</code> with default settings, anonymous requests to health endpoints (and potentially others like <code>/version</code>, depending on default bindings) succeed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># curl -k https://&lt;YOUR_API_SERVER_IP&gt;:6443/livez ; echo</span> ok </code></pre> </div> <p>Looking at the audit logs, we can confirm the request is handled by <code>system:anonymous</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"kind"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Event"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"audit.k8s.io/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Metadata"</span><span class="p">,</span><span class="w"> </span><span class="nl">"auditID"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2caca66d-ccec-4b1f-8116-86741193cdce"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Example</span><span class="w"> </span><span class="err">ID</span><span class="w"> </span><span class="nl">"stage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ResponseComplete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestURI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/livez"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verb"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:anonymous"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">Anonymous</span><span class="w"> </span><span class="err">user</span><span class="w"> </span><span class="nl">"groups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"system:unauthenticated"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"sourceIPs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"&lt;SOURCE_IP&gt;"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.88.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"responseStatus"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestReceivedTimestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-13T14:41:33.630618Z"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Example</span><span class="w"> </span><span class="err">timestamp</span><span class="w"> </span><span class="nl">"stageTimestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-13T14:41:33.630908Z"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Example</span><span class="w"> </span><span class="err">timestamp</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"authorization.k8s.io/decision"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorization.k8s.io/reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RBAC: allowed by ClusterRoleBinding </span><span class="se">\"</span><span class="s2">system:public-info-viewer</span><span class="se">\"</span><span class="s2">..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>However, anonymous users can't access other API paths like <code>/apis</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">audit</span><span class="w"> </span><span class="err">metadata</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"requestURI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/apis"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verb"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:anonymous"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"system:unauthenticated"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"responseStatus"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Failure"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"forbidden: User </span><span class="se">\"</span><span class="s2">system:anonymous</span><span class="se">\"</span><span class="s2"> cannot get path </span><span class="se">\"</span><span class="s2">/apis</span><span class="se">\"</span><span class="s2">"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Forbidden"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">403</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">Forbidden</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">timestamps</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">annotations</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"annotations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"authorization.k8s.io/decision"</span><span class="p">:</span><span class="w"> </span><span class="s2">"forbid"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorization.k8s.io/reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>While this default setup restricts access, leaving anonymous authentication enabled at all, even for specific paths, can be a security concern. Misconfigured RBAC or potential vulnerabilities could expose more than intended. 😟</p> <h3> The Solution: KEP-4633 and AuthenticationConfiguration </h3> <p>Digging into the Kubernetes source code led me to <a href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md" rel="noopener noreferrer">KEP-4633: Make anonymous authentication configuration endpoints configurable</a>. This KEP addresses the exact concern of wanting to disable anonymous access globally while still allowing essential health checks (which don't necessarily need full TCP checks to be useful).</p> <p>The solution, documented <a href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-authenticator-configuration" rel="noopener noreferrer">here</a>, involves using an <code>AuthenticationConfiguration</code> object.</p> <p><strong>How to Implement It:</strong></p> <ol> <li> <p><strong>Disable Global Anonymous Auth:</strong><br> Modify your <code>kube-apiserver</code> manifest (usually a static pod in <code>/etc/kubernetes/manifests/</code>) to include these flags:<br> </p> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kube-apiserver</span> <span class="c1"># ... other flags ...</span> <span class="pi">-</span> <span class="s">--anonymous-auth=false</span> <span class="c1"># &lt;--- Disable global anonymous auth</span> <span class="pi">-</span> <span class="s">--authentication-config=/etc/kubernetes/auth-config.yaml</span> <span class="c1"># &lt;--- Point to the config file</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="c1"># ... other volume mounts ...</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/kubernetes/auth-config.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">auth-config-volume</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="c1"># ... other volumes ...</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">auth-config-volume</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/etc/kubernetes/auth-config.yaml</span> <span class="na">type</span><span class="pi">:</span> <span class="s">File</span> </code></pre> </li> <li> <p><strong>Create the Authentication Configuration File:</strong><br> Create the following file on your control plane node(s) at <code>/etc/kubernetes/auth-config.yaml</code>:<br> </p> <pre class="highlight yaml"><code><span class="c1"># /etc/kubernetes/auth-config.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apiserver.config.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AuthenticationConfiguration</span> <span class="na">anonymous</span><span class="pi">:</span> <span class="c1"># Enable anonymous access ONLY for the paths listed below</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">conditions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/livez</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/readyz</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/healthz</span> </code></pre> <p><em>Ensure the <code>kube-apiserver</code> pod restarts to pick up the changes.</em></p> </li> </ol> <h3> The Result: Granular Anonymous Access </h3> <p>With this configuration:</p> <p>✅ Requests to <code>/livez</code>, <code>/readyz</code>, and <code>/healthz</code> are still allowed for <code>system:anonymous</code>. The audit log looks similar to the default case for these paths.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">audit</span><span class="w"> </span><span class="err">metadata</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"requestURI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/livez"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verb"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"system:anonymous"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">Still</span><span class="w"> </span><span class="err">anonymous</span><span class="w"> </span><span class="nl">"groups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"system:unauthenticated"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"responseStatus"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">Still</span><span class="w"> </span><span class="err">OK</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">timestamps</span><span class="w"> </span><span class="err">and</span><span class="w"> </span><span class="err">annotations</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>❌ Requests to any <em>other</em> path (like <code>/apis</code>) without valid credentials will now receive a <code>401 Unauthorized</code> instead of a <code>403 Forbidden</code>, because the request isn't even treated as anonymous anymore.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># curl -k https://&lt;YOUR_API_SERVER_IP&gt;:6443/apis ; echo</span> Unauthorized </code></pre> </div> <p>The audit log confirms this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">audit</span><span class="w"> </span><span class="err">metadata</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"requestURI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/apis"</span><span class="p">,</span><span class="w"> </span><span class="nl">"verb"</span><span class="p">:</span><span class="w"> </span><span class="s2">"get"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">No</span><span class="w"> </span><span class="err">user</span><span class="w"> </span><span class="err">identified</span><span class="w"> </span><span class="err">(not</span><span class="w"> </span><span class="err">even</span><span class="w"> </span><span class="err">anonymous)</span><span class="w"> </span><span class="nl">"responseStatus"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Failure"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Unauthorized"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Unauthorized"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">401</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">&lt;---</span><span class="w"> </span><span class="err">Unauthorized</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">timestamps</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Feature Availability </h3> <p>According to the <a href="https://github.com/kubernetes/enhancements/issues/4633" rel="noopener noreferrer">KEP issue tracker</a>, this feature graduated to Alpha in Kubernetes v1.31 and Beta in v1.32.</p> <p>This approach provides a more secure posture by default, explicitly allowing anonymous access only where strictly necessary for health checks, without relying solely on RBAC for protection against anonymous requests to other endpoints. Now you can tighten security without breaking essential cluster monitoring! 👍</p> <p>Connect with me on <a href="https://www.linkedin.com/in/azalio/" rel="noopener noreferrer">LinkedIn</a>!</p> kubernetes security devops infosec Complete Guide: Cilium L2 Announcements for LoadBalancer Services in Bare-Metal Kubernetes Mikhail [azalio] Petrov Wed, 22 Jan 2025 13:06:36 +0000 https://forem.com/azalio/complete-guide-cilium-l2-announcements-for-loadbalancer-services-in-bare-metal-kubernetes-3jl2 https://forem.com/azalio/complete-guide-cilium-l2-announcements-for-loadbalancer-services-in-bare-metal-kubernetes-3jl2 <h2> Table of Contents </h2> <ol> <li>Introduction</li> <li>Environment Setup</li> <li>Nginx Deployment</li> <li>Ingress Configuration</li> <li>LoadBalancer IP Pool Configuration</li> <li>ARP Issue</li> <li>Enabling L2 Announcements</li> <li> How It Works <ul> <li>L2 Policy Configuration</li> <li>Lease Acquisition</li> <li>BPF Map for ARP</li> </ul> </li> <li>Packet Path</li> <li> Additional Resources <ul> <li> Cilium L2 Announcements vs Proxy ARP </li> <li>Cached vs Non-Cached Maps in Cilium</li> </ul> </li> </ol> <h2> Introduction: Why L2 Announcements in Kubernetes? <a></a> </h2> <h3> Target Audience </h3> <p>This material is intended for:</p> <ul> <li>Kubernetes cluster administrators</li> <li>Network engineers working with Cilium technologies (eBPF, CNI)</li> <li>Infrastructure specialists familiar with L2/L3 networking basics</li> <li>Professionals interested in Kubernetes networking</li> </ul> <p>📚 Terminology (recommended)</p> <p><strong>Gratuitous ARP</strong> - Special ARP packet broadcast by a node when changing its MAC or IP address to update neighbor ARP caches.</p> <p><strong>Kubernetes Lease</strong> - Resource leasing mechanism through API, ensuring exclusive access to resources (IP addresses in this case) for cluster nodes.</p> <p><strong>Bare-Metal Kubernetes</strong> - Cluster infrastructure deployed on physical servers without cloud providers.</p> <h3> Problem Statement </h3> <p>When working with Kubernetes in bare-metal environments, accessing LoadBalancer services from external networks often becomes challenging. Traditional solutions like <strong>MetalLB</strong> require additional components and can be overkill for simple scenarios.</p> <p>Cilium provides native <a href="https://docs.cilium.io/en/latest/network/l2-announcements/" rel="noopener noreferrer">L2 announcement capabilities</a> with:</p> <ul> <li>ARP response handling for LoadBalancer IPs</li> <li>High availability through lease mechanism</li> <li>Integration with existing network infrastructure</li> </ul> <p>This guide covers:</p> <ol> <li>Configuring L2 announcements in Cilium</li> <li>ARP response mechanics through BPF</li> <li>Practical tips for working with Cilium</li> </ol> <p>The primary goal is to demonstrate Kubernetes service accessibility in bare-metal environments using Cilium's native capabilities.</p> <h2> Environment Setup <a></a> </h2> <p>Environment setup is described in the <a href="https://github.com/azalio/cilium-l2-announcements-workshop/blob/main/README.md" rel="noopener noreferrer">README.md</a></p> <p>Network diagram:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcki1vj0e3ilkwzab4m8k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcki1vj0e3ilkwzab4m8k.png" alt="Network scheme" width="800" height="206"></a></p> <ul> <li> <strong>Pod Subnets</strong>: <ul> <li> <code>10.200.0.0/24</code> for server</li> <li> <code>10.200.1.0/24</code> for node-0</li> <li> <code>10.200.2.0/24</code> for node-1</li> </ul> </li> </ul> <p>Kubernetes and Cilium Configuration</p> <p>VMs created on ARM Mac using Vagrant.</p> <p><strong>jumpbox - 192.168.56.10</strong> - client outside Kubernetes cluster.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9g78b6r7knu2ggvjpnm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq9g78b6r7knu2ggvjpnm.png" alt="jumpbox network" width="800" height="403"></a></p> <p><strong>server - 192.168.56.20</strong> - control plane </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtgmrx68gpq15ilr76td.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwtgmrx68gpq15ilr76td.png" alt="Server networking" width="800" height="250"></a></p> <p><strong>node-0 - 192.168.56.50</strong> - k8s node </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoz8tjuz5rsrlsjx7ocb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjoz8tjuz5rsrlsjx7ocb.png" alt="node-0 networking" width="800" height="248"></a></p> <p><strong>node-1 - 192.168.56.60</strong> - k8s node </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxejwxyp1fnxhoa5jual3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxejwxyp1fnxhoa5jual3.png" alt="node-1 networking" width="800" height="248"></a></p> <p>Cilium with native routing (no tunnels). Version v1.16.5.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> cilium cilium/cilium <span class="nt">--version</span> 1.16.5 <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--set</span> l2announcements.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> externalIPs.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">kubeProxyReplacement</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> ipam.mode<span class="o">=</span>kubernetes <span class="se">\</span> <span class="nt">--set</span> <span class="nv">k8sServiceHost</span><span class="o">=</span>192.168.56.20 <span class="se">\</span> <span class="nt">--set</span> <span class="nv">k8sServicePort</span><span class="o">=</span>6443 <span class="se">\</span> <span class="nt">--set</span> operator.replicas<span class="o">=</span>1 <span class="se">\</span> <span class="nt">--set</span> <span class="nv">routingMode</span><span class="o">=</span>native <span class="se">\</span> <span class="nt">--set</span> <span class="nv">ipv4NativeRoutingCIDR</span><span class="o">=</span>10.200.0.0/22 <span class="se">\</span> <span class="nt">--set</span> endpointRoutes.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> ingressController.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> ingressController.loadbalancerMode<span class="o">=</span>dedicated </code></pre> </div> <p>Kernel info:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># uname -a</span> Linux node-1 6.1.0-20-arm64 <span class="c">#1 SMP Debian 6.1.85-1 (2024-04-11) aarch64 aarch64 aarch64 GNU/Linux</span> </code></pre> </div> <h2> Deploy Nginx <a></a> </h2> <p>In this section we'll deploy a simple Nginx web server.</p> <h3> Step 1. Create Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># vagrant ssh server</span> <span class="c"># sudo bash</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: apps/v1 kind: Deployment metadata: name: nginx namespace: default spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:latest ports: - containerPort: 80 </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: v1 kind: Service metadata: name: nginx namespace: default spec: selector: app: nginx ports: - protocol: TCP port: 80 targetPort: 80 </span><span class="no">EOF </span></code></pre> </div> <h3> Step 2. Verify Deployment </h3> <p>Check service status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># kubectl get pod -o wide</span> NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-96b9d695-25swg 1/1 Running 0 55s 10.200.2.189 node-1 &lt;none&gt; &lt;none&gt; <span class="c"># kubectl get svc nginx</span> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE nginx ClusterIP 10.96.79.80 &lt;none&gt; 80/TCP 89s <span class="c"># curl 10.96.79.80</span> &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;title&gt;Welcome to nginx!&lt;/title&gt; ... <span class="c"># curl 10.200.2.189</span> &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;title&gt;Welcome to nginx!&lt;/title&gt; ... </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> Configure Ingress <a></a> </h2> <p><a href="https://docs.cilium.io/en/stable/network/servicemesh/ingress/#kubernetes-ingress-support" rel="noopener noreferrer">Cilium documentation</a></p> <p>Apply ingress manifest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: basic-ingress namespace: default spec: ingressClassName: cilium rules: - http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix </span><span class="no">EOF </span><span class="c"># kubectl get ingress</span> NAME CLASS HOSTS ADDRESS PORTS AGE basic-ingress cilium <span class="k">*</span> 80 40s </code></pre> </div> <p>This creates a corresponding service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># kubectl get svc cilium-ingress-basic-ingress</span> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE cilium-ingress-basic-ingress LoadBalancer 10.96.156.194 &lt;pending&gt; 80:31017/TCP,443:32600/TCP 115s </code></pre> </div> <p>The <code>EXTERNAL-IP</code> remains in <code>pending</code> state due to missing IP pool configuration.</p> <p>↑ Table of Contents | ← Back</p> <h2> Configure LoadBalancer IP Pool <a></a> </h2> <p>Cilium supports IP assignment for LoadBalancer services.</p> <h3> CiliumLoadBalancerIPPool </h3> <p><a href="https://docs.cilium.io/en/stable/network/lb-ipam/" rel="noopener noreferrer">Official documentation</a></p> <p>Create CiliumLoadBalancerIPPool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: "cilium.io/v2alpha1" kind: CiliumLoadBalancerIPPool metadata: name: "blue-pool" spec: blocks: - cidr: "10.0.10.0/24" </span><span class="no">EOF </span></code></pre> </div> <p>Now the service gets an IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># kubectl get svc cilium-ingress-basic-ingress</span> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE cilium-ingress-basic-ingress LoadBalancer 10.96.156.194 10.0.10.0 80:31017/TCP,443:32600/TCP 4m9s </code></pre> </div> <p>Service is now accessible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># curl 10.0.10.0</span> &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;title&gt;Welcome to nginx!&lt;/title&gt; ... </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> ARP Issue <a></a> </h2> <p>Testing from jumpbox client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># vagrant ssh jumpbox</span> root@jumpbox:/home/vagrant# curl 10.0.10.0 curl: <span class="o">(</span>7<span class="o">)</span> Failed to connect to 10.0.10.0 port 80 after 3074 ms: Couldn<span class="s1">'t connect to server </span></code></pre> </div> <p>Why? No ARP responses received.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@server:/home/vagrant# tcpdump <span class="nt">-n</span> <span class="nt">-i</span> any arp host 10.0.10.0 tcpdump: data <span class="nb">link type </span>LINUX_SLL2 tcpdump: verbose output suppressed, use <span class="nt">-v</span><span class="o">[</span>v]... <span class="k">for </span>full protocol decode listening on any, link-type LINUX_SLL2 <span class="o">(</span>Linux cooked v2<span class="o">)</span>, snapshot length 262144 bytes 21:15:05.927064 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 21:15:06.948513 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 21:15:07.973210 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 21:15:08.998950 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 21:15:10.024080 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 21:15:11.050053 eth1 B ARP, Request who-has 10.0.10.0 tell 192.168.56.10, length 46 root@jumpbox:/home/vagrant# arp <span class="nt">-n</span> 10.0.10.0 Address HWtype HWaddress Flags Mask Iface 10.0.10.0 <span class="o">(</span>incomplete<span class="o">)</span> eth1 </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> Enable L2 Announcements <a></a> </h2> <p>Enable <a href="https://docs.cilium.io/en/stable/network/l2-announcements/" rel="noopener noreferrer">ARP announcements</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmg8xweo3yumagadg25vw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmg8xweo3yumagadg25vw.png" alt="L2 Announcements" width="800" height="1250"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@server:/home/vagrant# tcpdump <span class="nt">-n</span> <span class="nt">-i</span> any arp host 10.0.10.0 &amp; <span class="c"># background tcpdump</span> <span class="o">[</span>1] 17207 root@server:/home/vagrant# <span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: "cilium.io/v2alpha1" kind: CiliumL2AnnouncementPolicy metadata: name: policy1 spec: nodeSelector: matchExpressions: - key: node-role.kubernetes.io/control-plane operator: DoesNotExist interfaces: - ^eth[0-9]+ externalIPs: true loadBalancerIPs: true </span><span class="no">EOF </span>ciliuml2announcementpolicy.cilium.io/policy1 created 21:18:52.093372 eth1 B ARP, Reply 10.0.10.0 is-at 00:0c:29:0d:b7:76, length 46 21:18:52.102795 eth0 B ARP, Reply 10.0.10.0 is-at 00:0c:29:0d:b7:6c, length 46 root@jumpbox:/home/vagrant# tcpdump <span class="nt">-n</span> <span class="nt">-i</span> any arp tcpdump: data <span class="nb">link type </span>LINUX_SLL2 tcpdump: verbose output suppressed, use <span class="nt">-v</span><span class="o">[</span>v]... <span class="k">for </span>full protocol decode listening on any, link-type LINUX_SLL2 <span class="o">(</span>Linux cooked v2<span class="o">)</span>, snapshot length 262144 bytes 21:18:52.113122 eth1 B ARP, Reply 10.0.10.0 is-at 00:0c:29:0d:b7:76, length 46 21:18:52.113211 eth1 B ARP, Reply 10.0.10.1 is-at 00:0c:29:e3:b1:b2, length 46 21:18:52.122245 eth0 B ARP, Reply 10.0.10.1 is-at 00:0c:29:e3:b1:a8, length 46 21:18:52.122495 eth0 B ARP, Reply 10.0.10.0 is-at 00:0c:29:0d:b7:6c, length 46 root@jumpbox:/home/vagrant# arp <span class="nt">-n</span> 10.0.10.0 Address HWtype HWaddress Flags Mask Iface 10.0.10.0 ether 00:0c:29:0d:b7:76 C eth1 </code></pre> </div> <p>The MAC <code>00:0c:29:0d:b7:76</code> belongs to node-1's eth1 interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@node-1:/home/vagrant# ip addr sh | <span class="nb">grep</span> <span class="nt">-1</span> 00:0c:29:0d:b7:76 3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000 <span class="nb">link</span>/ether 00:0c:29:0d:b7:76 brd ff:ff:ff:ff:ff:ff altname enp18s0 </code></pre> </div> <p>Verify lease acquisition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># kubectl get lease -n kube-system cilium-l2announce-default-cilium-ingress-basic-ingress</span> NAME HOLDER AGE cilium-l2announce-default-cilium-ingress-basic-ingress node-1 8m49s </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> How It Works <a></a> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvifkl9o80qhuk4k1k3bn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvifkl9o80qhuk4k1k3bn.png" alt="arp-path" width="800" height="428"></a></p> <ol> <li>L2 Policy Configuration</li> <li>Lease Acquisition</li> <li>BPF Map for ARP</li> </ol> <p>For detailed documentation see <a href="https://docs.cilium.io/en/latest/network/l2-announcements/" rel="noopener noreferrer">Cilium L2 Announcements</a>.</p> <h3> L2 Policy Configuration <a></a> </h3> <ol> <li>Configure L2 announcement policy</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cilium.io/v2alpha1"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CiliumL2AnnouncementPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">policy1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">node-role.kubernetes.io/control-plane</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">DoesNotExist</span> <span class="na">interfaces</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">^eth[0-9]+</span> <span class="na">externalIPs</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">loadBalancerIPs</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Lease Acquisition <a></a> </h3> <ol> <li>Cilium acquires lease </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@server:/home/vagrant# kubectl get lease <span class="nt">-n</span> kube-system | <span class="nb">grep </span>l2announce cilium-l2announce-default-cilium-ingress-basic-ingress node-1 16m cilium-l2announce-kube-system-cilium-ingress node-0 16m </code></pre> </div> <h3> BPF Map for ARP <a></a> </h3> <ol> <li>BPF map created for ARP responses </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># kubectl get svc cilium-ingress-basic-ingress</span> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE cilium-ingress-basic-ingress LoadBalancer 10.96.156.194 10.0.10.0 80:31017/TCP,443:32600/TCP 24h </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@node-1:/home/cilium# bpftool map show pinned /sys/fs/bpf/tc/globals/cilium_l2_responder_v4 72: <span class="nb">hash </span>name cilium_l2_respo flags 0x1 key 8B value 8B max_entries 4096 memlock 65536B btf_id 125 root@node-1:/home/cilium# bpftool map dump pinned /sys/fs/bpf/tc/globals/cilium_l2_responder_v4 <span class="o">[{</span> <span class="s2">"key"</span>: <span class="o">{</span> <span class="s2">"ip4"</span>: 655370, <span class="c"># IP</span> <span class="s2">"ifindex"</span>: 2 <span class="c"># Interface index</span> <span class="o">}</span>, <span class="s2">"value"</span>: <span class="o">{</span> <span class="s2">"responses_sent"</span>: 0 <span class="o">}</span> <span class="o">}</span>,<span class="o">{</span> <span class="s2">"key"</span>: <span class="o">{</span> <span class="s2">"ip4"</span>: 655370, <span class="s2">"ifindex"</span>: 3 <span class="o">}</span>, <span class="s2">"value"</span>: <span class="o">{</span> <span class="s2">"responses_sent"</span>: 3 <span class="c"># ARP responses count</span> <span class="o">}</span> <span class="o">}</span> <span class="o">]</span> </code></pre> </div> <p>The number <code>655370</code> represents IP 10.0.10.0 in little-endian format.</p> <p>Packet flow through ARP response system:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphlwd6uxll2oqsm8m82q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphlwd6uxll2oqsm8m82q.png" alt="arp request reply" width="800" height="149"></a></p> <p>↑ Table of Contents | ← Back</p> <h2> Packet Path <a></a> </h2> <p>ARP request processing on node-1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight scheme"><code> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">External</span> <span class="nv">Host</span> <span class="nv">|</span> <span class="nv">|</span> <span class="p">(</span><span class="nf">jumpbox</span><span class="p">)</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">ARP</span> <span class="nv">Request</span> <span class="s">"Who has 10.0.10.0?"</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">Interface</span> <span class="nv">eth1</span> <span class="nv">|</span> <span class="nv">|</span> <span class="nv">node-1</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">TC</span> <span class="nv">ingress</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">BPF</span> <span class="nv">Program</span> <span class="nv">|</span> <span class="nv">|</span> <span class="nv">cil_from_netdev</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">handle_netdev</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">do_netdev</span><span class="p">()</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">ARP</span> <span class="nv">check</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">handle_l2_announcement</span><span class="p">()</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">Checks:</span> <span class="nv">|</span> <span class="mi">1</span><span class="o">.</span> <span class="nv">Agent</span> <span class="nv">liveness</span> <span class="nv">|</span> <span class="mi">2</span><span class="o">.</span> <span class="nv">Valid</span> <span class="nv">ARP</span> <span class="nv">|</span> <span class="mi">3</span><span class="o">.</span> <span class="nv">L2_RESPONDER_MAP4</span> <span class="nv">entry</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">arp_respond</span><span class="p">()</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">Prepare</span> <span class="nv">ARP</span> <span class="nv">reply</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">ctx_redirect</span><span class="p">()</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">Egress</span> <span class="nv">redirect</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">Interface</span> <span class="nv">eth1</span> <span class="nv">|</span> <span class="nv">|</span> <span class="nv">node-1</span> <span class="nv">|</span> <span class="nv">+--------+----------+</span> <span class="nv">|</span> <span class="nv">ARP</span> <span class="nv">Reply</span> <span class="nv">v</span> <span class="nv">+-------------------+</span> <span class="nv">|</span> <span class="nv">External</span> <span class="nv">Host</span> <span class="nv">|</span> <span class="nv">|</span> <span class="p">(</span><span class="nf">jumpbox</span><span class="p">)</span> <span class="nv">|</span> <span class="nv">+-------------------+</span> </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> Additional Resources <a></a> </h2> <h3> Cilium L2 Announcements vs Proxy ARP <a></a> </h3> <p><em>Q</em>: How do Cilium L2 announcements differ from enabling <a href="http://linux-ip.net/html/ether-arp-proxy.html" rel="noopener noreferrer">proxy_arp</a>?<br><br> <em>A</em>: Proxy ARP handles ARP at kernel level while Cilium uses Kubernetes API for distributed control and BPF for performance.</p> <p>Disable L2 announcements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@server:/home/vagrant# kubectl delete <span class="nt">-f</span> workshop/l2.yaml ciliuml2announcementpolicy.cilium.io <span class="s2">"policy1"</span> deleted </code></pre> </div> <p>Enable proxy_arp on node-1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@node-1:/home/vagrant# sysctl <span class="nt">-w</span> net.ipv4.conf.eth1.proxy_arp<span class="o">=</span>1 net.ipv4.conf.eth1.proxy_arp <span class="o">=</span> 1 </code></pre> </div> <p>Proxy ARP responses come from kernel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@jumpbox:/home/vagrant# arping <span class="nt">-I</span> eth1 10.0.10.0 ARPING 10.0.10.0 Timeout Timeout Timeout Timeout 60 bytes from 00:0c:29:0d:b7:76 <span class="o">(</span>10.0.10.0<span class="o">)</span>: <span class="nv">index</span><span class="o">=</span>0 <span class="nb">time</span><span class="o">=</span>449.655 msec </code></pre> </div> <h3> Cached vs Non-Cached BPF Maps <a></a> </h3> <p>Diagnostic tools behavior differs for cached maps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@node-1:/home/cilium# cilium-dbg map list Name Num entries Num errors Cache enabled cilium_policy_00215 3 0 <span class="nb">true</span> <span class="c"># ...</span> cilium_l2_responder_v4 0 0 <span class="nb">false</span> </code></pre> </div> <p>Actual map contents via bpftool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>root@node-1:/home/cilium# bpftool map dump pinned /sys/fs/bpf/tc/globals/cilium_l2_responder_v4 <span class="o">[{</span> <span class="s2">"key"</span>: <span class="o">{</span> <span class="s2">"ip4"</span>: 655370, <span class="s2">"ifindex"</span>: 2 <span class="o">}</span>, <span class="s2">"value"</span>: <span class="o">{</span> <span class="s2">"responses_sent"</span>: 0 <span class="o">}</span> <span class="o">}</span>,<span class="o">{</span> <span class="s2">"key"</span>: <span class="o">{</span> <span class="s2">"ip4"</span>: 655370, <span class="s2">"ifindex"</span>: 3 <span class="o">}</span>, <span class="s2">"value"</span>: <span class="o">{</span> <span class="s2">"responses_sent"</span>: 40 <span class="o">}</span> <span class="o">}</span> <span class="o">]</span> </code></pre> </div> <p>↑ Table of Contents | ← Back</p> <h2> Conclusion: Benefits of Cilium L2 Announcements </h2> <p>This guide demonstrated Cilium's L2 announcement implementation for bare-metal Kubernetes LoadBalancer services. Key aspects covered:</p> <ul> <li>ARP request handling via BPF programs</li> <li>High availability through lease system</li> <li>Diagnostic techniques</li> </ul> <p>Key advantages:</p> <ol> <li>Native Kubernetes integration</li> <li>eBPF-based packet processing performance</li> <li>Automatic load distribution</li> <li>No external dependencies</li> <li>Standard L2 protocol support</li> </ol> <p>Particularly valuable for hybrid and on-premise environments requiring cloud-like service accessibility while maintaining bare-metal flexibility.</p> <p>↑ Table of Contents</p> cilium kubernetes bpf networking