Commit
add interface verification step for BPF dataplane configuration
In some corner cases cluster nodes may have custom interface names which may not get matched by the `bpfDataIfacePattern` regex. Need to clarify what users need to change to have their nodes BPF dataplane ready.
ivansharamok authored and ctauchen committed Dec 17, 2024
1 parent 4ae19ff commit 944496f
Showing 1 changed file with 11 additions and 0 deletions.
Expand Up @@ -185,6 +185,17 @@ kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptable

If both `kube-proxy` and `BPFKubeProxyIptablesCleanupEnabled` is enabled then `kube-proxy` will write its iptables rules and Felix will try to clean them up resulting in iptables flapping between the two.

### Verify node interface naming pattern

When Calico dataplane is configured in BPF mode, Calico configures `ebpf` programs for the host interfaces that match the regex pattern defined by the `bpfDataIfacePattern` setting in [FelixConfiguration](../../reference/resources/felixconfig.mdx). If your nodes use custom interface naming or have multiple interfaces on the hosts, adjust the regex pattern command to only include interfaces that Kubernetes nodes use for pod communications.

:::note

A common example is when a cluster is configured in an on-prem environment and control-plane nodes are virtualized whith only one network interface, but the worker nodes are bare-metal nodes with multiple interfaces that can be bonded or VLAN devices with sub-interfaces and custom naming patterns. In such cases, the `bpfDataIfacePattern` setting may need to be adjusted to include the interface from the control-plane node and only necessary interface from the worker node.
For example, it's common that sub-interface from a VLAN main device is used for Kubernetes networking. In such a case, only that sub-interface from the worker node should be matched by the regex command but not other interfaces on the node including its parent interface.

:::

### Enable eBPF mode

To enable eBPF mode, change the `spec.calicoNetwork.linuxDataplane` parameter in the operator's `Installation`
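
Review bot: The new "Verify node interface naming pattern" section has no actual verification step. It tells the reader to adjust `bpfDataIfacePattern` but does not show how to list the interface names on a node, what a pattern value looks like, or how to apply one. The context line above the hunk gives a complete `kubectl patch felixconfiguration default --patch=...` command for its setting, so a matching command for `bpfDataIfacePattern` plus a one-line check of the node's interface names (for example with `ip link`) would make this section usable. It would also help to say outright that, since the programs are configured only for interfaces that match the pattern, an interface that carries pod traffic but does not match is left out. Wording in the added lines: "whith" should be "with"; "adjust the regex pattern command" and "matched by the regex command" should say "regex pattern", since `bpfDataIfacePattern` is a setting rather than a command; "only necessary interface" needs an article; and "`ebpf` programs" in code formatting is inconsistent with "eBPF mode" in the heading that follows.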