Installing the Linkerd CNI plugin with BEL

Linkerd provides an optional CNI plugin which can be used in clusters where the CAP_NET_ADMIN capability is restricted. Note that this is not a CNI implementation itself, but instead a plugin intended to be used with your existing CNI implementation.

When this plugin is active, Linkerd will not use an init container to configure the network, but will instead do this in the CNI plugin. This eliminates the need for granting CAP_NET_ADMIN capabilities to pods.

Due to the fragility of Kubernetes CNI, we generally recommend avoiding this plugin unless it is necessary for compliance or security reasons.

Prerequisites

• A Kubernetes cluster without the BEL control plane installed
• The BUOYANT_LICENSE environment variable set, with functioning BEL CLI

Step 1: Install the Linkerd CNI plugin

The Linkerd CNI plugin requires that the linkerd-cni DaemonSet be successfully installed on your cluster first, before installing the BEL control plane.

linkerd install-cni | kubectl apply -f -

helm repo add linkerd-edge https://helm.linkerd.io/edge
helm repo update
helm search repo linkerd2-cni
helm install linkerd-cni -n linkerd-cni --create-namespace linkerd/linkerd2-cni

Learn more about installing the CNI plugin and using the install-cni command.

Step 2: Install BEL with the CNI plugin enabled

Now that the Linkerd CNI plugin has been deployed, we can move on to installing BEL. In each of these installation paths, enabling the CNI plugin will vary.

linkerd install --linkerd-cni-enabled | kubectl apply -f -

helm install linkerd-control-plane \
  --set linkerd-control-plane.cniEnabled=true
  ...

apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      crdsConfig:
        cniEnabled: true
      controlPlaneConfig:
        cniEnabled: true
  ...