Member-only story
The Complete Guide to Setting Up Cilium on K3s with Kubernetes Gateway API
Introduction
In this guide, we will walk through setting up Cilium as the CNI for a K3s cluster while integrating the Kubernetes Gateway API. Kubernetes Gateway API is the evolution of Kubernetes Ingress, providing advanced routing, better traffic control, and support for multiple protocols.
On a free medium plan? Read here for free.
Step 1: Install K3s with Required Options
First, install K3s without the default network components, allowing Cilium to function as the primary CNI. We are using a single node K3S cluster. Please refer to the documentation for more info.
$ curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server" sh -s - --flannel-backend=none --disable-kube-proxy --disable servicelb --disable-network-policy --disable traefik --tls-san rancher.rajesh-kumar.inExplanation of Options:
--flannel-backend=none: Disables Flannel as the default CNI (we will use Cilium instead).--disable-kube-proxy: Cilium has its own eBPF-based networking and does not require kube-proxy.--disable servicelb: K3s includesServiceLB, but we disable it to use Cilium’s L4/L7 load balancing.--disable-network-policy: Network policies will be managed by Cilium.--disable traefik: K3s comes with Traefik by default, but we want to use Cilium Gateway API for ingress traffic.--tls-san rancher.rajesh-kumar.in: Ensures API server TLS is valid for the given hostname.
Step 2: Install Kubernetes Gateway API CRDs
The Gateway API CRDs must be installed before deploying Cilium. Otherwise, the Cilium Operator may need to be restarted after deploying the CRDs. For the safer side, apply CRDs beforehand.
$ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml\
👉 The latest release (v1.2.1) does not include TLSRoutes in the standard release channel. Since Cilium depends on it, we must install it manually from the experiment channel.💡 Tip: Always check the latest updates on Kubernetes Gateway API releases here.
