Installing the Linkerd CNI plugin with BEL

Linkerd provides an optional CNI plugin which can be used in clusters where the CAP_NET_ADMIN capability is restricted. Note that this is not a CNI implementation itself, but instead a plugin intended to be used with your existing CNI implementation.

When this plugin is active, Linkerd will not use an init container to configure the network, but will instead do this in the CNI plugin. This eliminates the need for granting CAP_NET_ADMIN capabilities to pods.

Due to the fragility of Kubernetes CNI, we generally recommend avoiding this plugin unless it is necessary for compliance or security reasons.

Note: The current version of BEL supplies the open source Linkerd CNI plugin. In the future, BEL will supply its hardened version of this plugin.

Prerequisites:
  • A Kubernetes cluster without the BEL control plane installed
  • The BUOYANT_LICENSE environment variable set, and a functioning BEL CLI

The linkerd-cni DaemonSet must be successfully installed on your cluster before you install the BEL control plane.

To install the plugin with the BEL CLI:

linkerd install-cni | kubectl apply -f -

Note: The BEL CLI will install the latest Linkerd edge version of the CNI plugin at the time the BEL CLI was released.

To install the plugin with Helm:

helm repo add linkerd-edge https://helm.linkerd.io/edge
helm repo update
helm search repo linkerd2-cni
helm install linkerd-cni -n linkerd-cni --create-namespace linkerd-edge/linkerd2-cni

Learn more about installing the CNI plugin and using the install-cni command.

Now that the Linkerd CNI plugin has been deployed, we can move on to installing BEL. How you enable the CNI plugin depends on the installation path you use.

When installing BEL using the CLI, use the --linkerd-cni-enabled flag when installing the control plane:

linkerd install --linkerd-cni-enabled | kubectl apply -f -

When installing BEL with Helm, you must also add cniEnabled=true to your helm install linkerd-control-plane command:

helm install linkerd-control-plane \
  --set linkerd-control-plane.cniEnabled=true \
  ...

When configuring BEL’s lifecycle operator, you must enable the CNI plugin by setting cniEnabled: true in the Control Plane manifest:

apiVersion: linkerd.buoyant.io/v1alpha1
kind: ControlPlane
metadata:
  name: linkerd-control-plane
spec:
  components:
    linkerd:
      crdsConfig:
        cniEnabled: true
      controlPlaneConfig:
        cniEnabled: true
  ...
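
Once workloads are meshed with the CNI plugin enabled, you can confirm that no pod still requests the network capabilities the init container needed. The following is an added example, not part of BEL or Linkerd; the function name, the sample pods and the choice to also flag NET_RAW, ALL and privileged containers are assumptions made for illustration.

```python
import json
import sys

# Capabilities an iptables-configuring init container asks for; with the CNI
# plugin doing that work, meshed pods should not need to add them.
NET_CAPS = {"NET_ADMIN", "NET_RAW"}

def net_cap_findings(pod_list):
    """Return sorted (namespace, pod, container, reason) tuples for every
    container or init container that is privileged or adds a network capability."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
        for c in containers:
            sc = c.get("securityContext") or {}
            added = {a.upper().replace("CAP_", "", 1)
                     for a in (sc.get("capabilities") or {}).get("add") or []}
            reasons = sorted(added & NET_CAPS)
            if "ALL" in added:          # "ALL" implies NET_ADMIN
                reasons.append("ALL")
            if sc.get("privileged"):    # privileged containers hold every capability
                reasons.append("privileged")
            if reasons:
                findings.append((meta.get("namespace", "default"), meta.get("name"),
                                 c.get("name"), ",".join(reasons)))
    return sorted(findings)

# Constructed sample: "web" was injected in init-container mode, "api" in CNI mode.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"initContainers": [{"name": "linkerd-init", "securityContext": {
                  "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
              "containers": [{"name": "linkerd-proxy"}, {"name": "app"}]}},
    {"metadata": {"namespace": "shop", "name": "api"},
     "spec": {"containers": [{"name": "linkerd-proxy", "securityContext": {
                  "capabilities": {"drop": ["ALL"]}}}, {"name": "app"}]}},
]}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for ns, pod, ctr, why in net_cap_findings(data):
        print(f"{ns}/{pod} container={ctr}: {why}")
```

Any pod it lists was injected before the CNI plugin was enabled (or requests the capability for its own reasons) and needs to be restarted or reviewed.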