The operation of the Kuma data plane proxy,
precludes that all the relevant inbound and outbound traffic on the host (or container)
that runs the service is diverted to pass through the proxy itself.
This is done through transparent proxying,
which is set up automatically on Kubernetes.
Installing it requires certain privileges,
which are delegated to pre-sidecar initialisation steps.
There are two options to do this with Kuma:
use the standard kuma-init, which is the default
use the Kuma CNI
Kuma CNI can be leveraged in the two installation methods for Kubernetes: using kumactl and with Helm.
The default settings are tuned for OpenShift with Multus,
therefore to use it in other environments we need to set the relevant configuration parameters.
Kuma CNI applies NetworkAttachmentDefinition(NAD) to applications in a namespace with kuma.io/sidecar-injection label.
To apply NAD to the applications not in a Mesh, add the label kuma.io/sidecar-injection with the value disabled to the namespace.
Installation
Below are the details of how to set up Kuma CNI in different environments using both kumactl and helm.
Follow the instructions in OpenShift 3.11 installation
to get the MutatingAdmissionWebhook and ValidatingAdmissionWebhook enabled (this is required for regular kuma installation).
You need to grant privileged permission to kuma-cni service account:
Currently, the v2 CNI is behind an experimental flag, but it’s intended to be the default CNI in future releases.
Kuma v2 CNI Taint controller
To prevent a race condition described in this issue a new controller was implemented.
The controller will taint a node with NoSchedule taint to prevent scheduling before the CNI DaemonSet is running and ready.
Once the CNI DaemonSet is running and ready it will remove the taint and allow other pods to be scheduled into the node.
To disable the taint controller use the following env variable: