Documentation on enabling CNI For using Pod Network Policies

[emirot]

It looks like minikube supports network policies using --network-plugin=cni:

minikube start --vm-driver virtualbox --network-plugin=cni --cpus 4 --memory 8192s

However I don't find any documentation concerning that feature, and how to enable a network plugin for instance calico.

[dsebastien]

In my case, I'm using Cilium (because I want to mimic what my cloud provider does); here's how it's deployed:

  minikube start \
    --wait=all \
    --wait-timeout=${MINIKUBE_START_TIMEOUT} \
    --cpus=${MINIKUBE_CPUS} \
    --memory=${MINIKUBE_MEMORY} \
    --disk-size=${MINIKUBE_STORAGE} \
    --kubernetes-version "${KUBERNETES_VERSION}" \
    --extra-config="apiserver.authorization-mode=Node,RBAC" \
    --network-plugin=cni \
    --enable-default-cni \
    --bootstrapper=kubeadm \
     --v=7 \
     --alsologtostderr \
     ${MINIKUBE_OPTIONS}
...
echo "Enabling BPF filesystem (used by Cilium)"
minikube ssh -- sudo mount bpffs -t bpf /sys/fs/bpf

echo "Deploying Cilium"
kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.6.4/install/kubernetes/quick-install.yaml

Reference docs for Cilium: https://docs.cilium.io/en/stable/gettingstarted/#gs-install

[zinizhu]

@dsebastien in my case I am also trying to use Calico but didn't work. Here's my command to start minikube:
minikube start \ --driver=virtualbox \ --network-plugin=cni \ --enable-default-cni \ --extra-config=kubelet.network-plugin=cni

The instruction I was following:
https://docs.projectcalico.org/getting-started/kubernetes/quickstart

Could you please further explain which flags are necessary to enable the network plugins? Also is it necessary to use kubeadm to bootstrap the cluster?

[emirot]

I was able to make calico work using minikube 1.8.1 , latest version on virtualbox

From https://github.com/inovex/illuminatio/blob/master/local_dev/start_docker.sh

#!/usr/bin/env bash
# Abort if any of the following commands fails or variables are undefined
set -eu

KUBERNETES_VERSION="${KUBERNETES_VERSION:-v1.15.0}"
CALICO_VERSION="${CALICO_VERSION:-v3.8}"

# Setup minikube
./minikube-darwin-amd64 delete
./minikube-darwin-amd64 config set embed-certs true
./minikube-darwin-amd64 start \
    --memory 4096 \
    --cpus 4 \
    --vm-driver=virtualbox \
    --network-plugin=cni \
    --extra-config=kubelet.network-plugin=cni \
    --kubernetes-version="${KUBERNETES_VERSION}"

kubectl apply -f "https://docs.projectcalico.org/${CALICO_VERSION}/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml"

Then using

kubectl -n kube-system set env daemonset/calico-node FELIX_IGNORELOOSERPF=true  

As describe here https://www.devopsfu.com/2020/02/17/enabling-cni-with-calico-with-minikube-on-hyper-v/

Thanks @dsebastien for the help, I wish that the documentation were more verbose

[zinizhu]

Mine worked with @emirot 's solution, thanks both of you!

[medyagh]

we need to update teh documentation on using Pod Network Policies,
I would accept any PR that adds this to our docs or tutorials

@tstromberg is also working Simplicifying CNI in minikube