Rules section. This guide assumes your external workload manages domain name resolution service via systemd. Prepare your cluster Enable support for external workloads Note First, make sure you have Helm cilium/cilium:v1.9.18 sudo cp /etc/resolv.conf /etc/resolv.conf.orig sudo systemctl disable systemd-resolved.service sudo service systemd-resolved stop Then, assuming they are in the same directory: NodePort CLUSTER_ADDR= configuration: sudo cp /etc/resolv.conf.orig /etc/resolv.conf sudo systemctl enable systemd-resolved.service sudo service systemd-resolved start Conclusion With the above we have enabled policy-based communication

end at Mon 2020-02-24 18:58:35 CST. -- Feb 24 18:58:24 node systemd[1]: Started BIRD Internet Routing Daemon. Feb 24 18:58:24 node systemd[1]: Starting BIRD Internet Routing Daemon... Feb 24 18:58:24 ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2021-04-04 external workload manages domain name resolution service by a stand-alone /etc/resolv.conf, or via systemd (e.g., Ubuntu). So far this functionality is only tested with the vxlan tunneling datapath mode (default

replacement (Kubernetes Without kube- proxy), cgroup v2 needs to be enabled by setting the kernel systemd.unified_cgroup_hierarchy=1 parameter. Also, cgroup v1 controllers net_cls and net_prio have to be end at Mon 2020-02-24 18:58:35 CST. -- Feb 24 18:58:24 node systemd[1]: Started BIRD Internet Routing Daemon. Feb 24 18:58:24 node systemd[1]: Starting BIRD Internet Routing Daemon... Feb 24 18:58:24 ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2021-04-04

and the kubelet service has to be updated accordingly. Configure Kubernetes for CRI-O Add /etc/systemd/system/kubelet.service.d/0-crio.conf [Service] Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime- endpoint=unix:///var/run/crio/crio.sock" Configure for Kubernetes for containerd Add /etc/systemd/system/kubelet.service.d/0-cri-containerd.conf [Service] Environment="KUBELET_EXTRA_ARGS=--cont /sys/fs/bpf bpf defaults 0 0 If you are using systemd to manage the kubelet, see the section Mounting BPFFS with systemd. kube-dns The Installation with managed etcd relies on the etcd-operator

end at Mon 2020-02-24 18:58:35 CST. -- Feb 24 18:58:24 node systemd[1]: Started BIRD Internet Routing Daemon. Feb 24 18:58:24 node systemd[1]: Starting BIRD Internet Routing Daemon... Feb 24 18:58:24 /sys/fs/bpf bpf defaults 0 0 If you are using systemd to manage the kubelet, see the section Mounting BPFFS with systemd. kube-dns The Installation with managed etcd relies on the etcd-operator a port out of the 0-65535 range. Mounting BPFFS with systemd Due to how systemd mounts [https://unix.stackexchange.com/questions/283442/systemd-mount-fails- where-setting-doesnt-match-unit-name] filesystems

end at Mon 2020-02-24 18:58:35 CST. -- Feb 24 18:58:24 node systemd[1]: Started BIRD Internet Routing Daemon. Feb 24 18:58:24 node systemd[1]: Starting BIRD Internet Routing Daemon... Feb 24 18:58:24 network interfaces will interfere with Cilium’s configuration. Common scenarios are NetworkManager or systemd-networkd automatically performing DHCP on these interfaces or removing Cilium’s IP address when the examples configure all Linux network devices named eth* except eth0 as unmanaged. Network Manager systemd-networkd # cat </etc/NetworkManager/conf.d/99-unmanaged-devices.conf [keyfile] unmanaged-

/sys/fs/bpf bpf defaults 0 0 If you are using systemd to manage the kubelet, see the sec�on Moun�ng BPFFS with systemd. kube-dns The Standard Installa�on relies on the etcd-operator has a port out of the 0-65535 range. Mounting BPFFS with systemd Due to how systemd mounts [h�ps://unix.stackexchange.com/ques�ons/283442/systemd-mount-fails- where-se�ng-doesnt-match-unit-name] filesystems filesystems, the mount point path must be reflected in the unit filename. cat <systemd/system/sys-fs-bpf.mount [Unit] Description=Cilium BPF mounts Documentation=http://docs.cilium.io/

1. pass FD with SCM_RIGHTS cmsg - see unix(7) man page 2. inherit FD from parent process - see systemd socket activation 3. use pidfd_getfd() syscall - Linux 5.6+ pid=1289,fd=3 pidfd_getfd(pidfd_open(1289