|
| 1 | +# Cilium Feature Proposal: Configuration Profiles |
| 2 | + |
| 3 | +## Author(s) |
| 4 | + |
| 5 | +Dorde Lapcevic ( [email protected]) |
| 6 | + |
| 7 | +## Date |
| 8 | + |
| 9 | +2025-02-07 |
| 10 | + |
| 11 | +## Status |
| 12 | + |
| 13 | +Implementable |
| 14 | + |
| 15 | +## Abstract |
| 16 | + |
| 17 | +This proposal introduces the concept of "Configuration Profiles" to Cilium. Profiles are pre-defined, documented, and tested sets of Cilium configuration options designed to address specific operational needs and use cases. This aims to simplify deployment, improve predictability, and enhance the user experience by providing well-defined operational modes. |
| 18 | + |
| 19 | +## Motivation |
| 20 | + |
| 21 | +Currently, Cilium offers numerous feature flags that operators configure individually. This granular control, while powerful, presents several challenges: |
| 22 | + |
| 23 | +* **Combinatorial Complexity:** The interaction between numerous flags can lead to unexpected behavior and makes exhaustive testing difficult. Certain combinations may be subtly broken or have performance implications that are not immediately apparent. |
| 24 | +* **Operational Expertise Required:** Operators need a deep understanding of individual flags and their interplay to configure Cilium optimally for their environment. |
| 25 | +* **Lack of Clear Guidance:** New users may struggle to understand the best configuration for their needs, leading to suboptimal deployments. |
| 26 | +* **Implicit Knowledge:** Experienced operators often develop a set of preferred flags based on their specific environment (scale, performance requirements, network topology, etc.). This knowledge is often implicit and not easily shared. |
| 27 | + |
| 28 | +Configuration Profiles address these issues by: |
| 29 | + |
| 30 | +* **Simplifying Deployment:** Profiles provide a "one-click" (or "one-command") deployment option for common use cases. |
| 31 | +* **Improving Predictability:** Each profile will be thoroughly tested and documented, ensuring consistent behavior and performance. |
| 32 | +* **Providing Clear Guidance:** Documentation will clearly explain the purpose, benefits, limitations, and enabled/disabled features of each profile. |
| 33 | +* **Best Practices:** Profiles encapsulate expert knowledge and best practices for specific operational scenarios. |
| 34 | +* **Targeted Testing:** By testing at the profile level (a set of features) instead of only individual flags, we increase coverage and reduce the risk of unexpected interactions. |
| 35 | + |
| 36 | +## Goals |
| 37 | + |
| 38 | +The main goals of this proposal are: |
| 39 | +* Define a process for creating a new Configuration Profile |
| 40 | +* Establish a testing framework to ensure the stability and correctness of each profile. |
| 41 | +* Enable the community to propose and contribute new profiles. |
| 42 | + |
| 43 | +## Non-Goals |
| 44 | + |
| 45 | +* Completely eliminate individual feature flags. Advanced users will still be able to customize their deployments beyond the pre-defined profiles. Profiles are intended to be a starting point, not a restriction. |
| 46 | +* Create a profile for every possible combination of flags. The focus is on common, well-understood use cases. |
| 47 | +* Guarantee that profiles will cover 100% of user needs. It's recognized there will always be edge cases, but this helps a majority of users. |
| 48 | + |
| 49 | +## Example Profile |
| 50 | + |
| 51 | +* **High-Scale:** Optimized for large-scale clusters, with high number (thousands) of nodes and high pod churn rate (hundreds per second). Limited to a set of basic networking and K8s features: pod connectivity, K8s Service and basic observability. |
| 52 | + * `--enable-policy=never` |
| 53 | + * `--enable-k8s-networkpolicy=false` |
| 54 | + * `--enable-cilium-network-policy=false` |
| 55 | + * `--enable-cilium-clusterwide-network-policy=false` |
| 56 | + * `--identity-allocation-mode=crd` |
| 57 | + * `--disable-endpoint-crd=true` |
| 58 | + * `--enable-cilium-endpoint-slice=false` |
| 59 | + |
| 60 | + Note: This is only an example profile. It's not ready for use. |
| 61 | + |
| 62 | +## Creating a Profile |
| 63 | + |
| 64 | +* Provide clear documentation for each profile, including: |
| 65 | + * Purpose and use case |
| 66 | + * Benefits and limitations (trade-offs) |
| 67 | + * Specific configuration options (flags) enabled/disabled |
| 68 | + * Installation instructions |
| 69 | + * Supported Cilium versions |
| 70 | + * Known issues |
| 71 | +* Implement profile selection via Helm charts. |
| 72 | + |
| 73 | +## Implementation |
| 74 | + |
| 75 | +The implementation will leverage Cilium's Helm chart capabilities: |
| 76 | + |
| 77 | +1. **Helm Chart Values:** Each profile will be defined as a set of Helm values overrides. These overrides will configure the necessary Cilium feature flags. For example, the `values.yaml` for the "High-Scale" profile might include: |
| 78 | + |
| 79 | + ```yaml |
| 80 | + # profiles/high-scale.yaml |
| 81 | + disableEndpointCRD: false |
| 82 | + policyEnforcementMode: "never" |
| 83 | + # ... other relevant settings ... |
| 84 | + ``` |
| 85 | + |
| 86 | +2. **Profile Selection:** Users will select a profile during installation by referencing the appropriate values file: |
| 87 | + |
| 88 | + ```bash |
| 89 | + helm install cilium cilium/cilium --version 1.17.x \ |
| 90 | + --namespace kube-system \ |
| 91 | + --values profiles/high-scale.yaml |
| 92 | + # Or: |
| 93 | + # --set profile=high-scale (if we add a 'profile' value to the main chart) |
| 94 | + ``` |
| 95 | + The main `values.yaml` might include a top-level `profile` key, allowing users to select a profile with `--set profile=high-scale`. This would then conditionally include the settings from the corresponding profile file. |
| 96 | + |
| 97 | +3. **Documentation:** Each profile will have a dedicated page in the Cilium documentation, detailing its characteristics, installation instructions, incompatible features and functionality, and relevant configuration options. This documentation will be part of the Cilium documentation repository. |
| 98 | + |
| 99 | +4. **Testing:** |
| 100 | + * **Unit Tests:** The Helm chart rendering will be unit-tested to ensure that the correct flags are set for each profile. |
| 101 | + * **Integration/E2E Tests:** A new test suite will be created to validate the functionality and stability of each profile. These tests will run against a Kubernetes cluster with Cilium installed using the profile's Helm values. A subset of existing tests will run together with new per-profile tests that cover key features and use cases relevant to the profile. |
| 102 | + * **Continuous Integration:** Profile tests will be integrated into the Cilium CI pipeline to ensure that changes to Cilium do not break existing profiles. |
| 103 | + |
| 104 | +## Alternatives Considered |
| 105 | + |
| 106 | +* **Individual Flags:** As discussed in the "Motivation" section, this approach is complex and error-prone. |
| 107 | +* **Separate Helm Charts:** Creating separate Helm charts for each profile would lead to significant code duplication and maintenance overhead. |
| 108 | + |
| 109 | +## Open Issues |
| 110 | + |
| 111 | +* Onboard initial profiles. This requires community input. |
| 112 | +* Determine the best way to handle profile updates and versioning. How do we ensure that users can safely upgrade Cilium while using a specific profile? |
| 113 | +* Develop detailed test plans for each profile. |
| 114 | +* Consider how to allow users to extend profiles (create custom profiles based on existing ones) without modifying the core Helm charts. |
| 115 | + |
| 116 | +## Next Steps |
| 117 | + |
| 118 | +Proceed with implementing one of the initial candidate profiles. |
| 119 | +* Initial Documentation. |
| 120 | +* Create the necessary Helm chart values file. |
| 121 | +* Create a test suite. |
0 commit comments