docs: 添加 Cilium eBPF L4 负载均衡方案文档

[changluyi]

Summary

• 添加 Cilium eBPF L4 负载均衡方案文档（中英文双语）
• 介绍如何在 ACP 4.2+ 集群中部署 Cilium CNI
• 利用 eBPF 实现高性能四层负载均衡，支持源 IP 透传

内容概要

• 环境要求（内核版本、端口、内核配置）
• ACP 4.2+ Cilium 部署步骤
• 创建透传的 L4 负载均衡
• 验证方法

Test plan

• 文档格式检查通过
• 链接可访问

Summary by CodeRabbit

• Documentation
  • Added end-to-end deployment guide (EN/ZH) for deploying Cilium eBPF L4 LoadBalancer with source IP preservation in ACP 4.2+ Custom network mode.
  • Covers prerequisites (OS/kernel, network/port requirements), cluster creation and Cilium installation workflow, and temporary permission steps needed during install.
  • Describes disabling kube-proxy, configuring VIP allocation and L2 failover, and verification procedures for LoadBalancer IPs and source-IP preservation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5f6bd9fd-39cb-45fd-b028-ff1332ae6852

📥 Commits

Reviewing files that changed from the base of the PR and between 5e1790c and 53f012d.

📒 Files selected for processing (2)

• docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md
• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

✅ Files skipped from review due to trivial changes (2)

• docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md
• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

---

Walkthrough

Added English and Chinese solution pages documenting how to deploy Cilium (ACP 4.2+ in Custom network mode) and configure an eBPF L4 LoadBalancer with source IP preservation, including prerequisites, temporary RBAC, kube-proxy removal/cleanup, VIP allocation, L2 ARP failover resources, and verification steps.

Changes

Cohort / File(s)

Summary

Solution Documentation docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md, docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

New bilingual deployment guides. Cover prerequisites (OS/kernel, ports, kernel settings), ACP marketplace installation flow (including temporary ClusterPluginInstance RBAC), kube-proxy backup/delete and BroadcastJob cleanup, CiliumLoadBalancerIPPool and CiliumL2AnnouncementPolicy definitions, VIP/L2 placement requirements, and verification procedures. Pay attention to temporary RBAC, kube-proxy cleanup image discovery, and VIP L2 constraints.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• fanzy618
• tyzhou111

Poem

🐰 I hopped through docs in English and 汉语,

VIPs snug on the same L2, hooray!
Kube‑proxy waved goodbye with a cleanup sigh,
Cilium hums, eBPF keeps the source IP nigh,
A rabbit cheers the network sky 🌿

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding documentation about deploying Cilium eBPF L4 load balancing solution, which directly matches the changeset of two new documentation files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md (2)

80-91: Reduce RBAC permissions from wildcard to specific verbs.

The temporary RBAC configuration grants wildcard permissions (verbs: ["*"]) which is overly permissive, even temporarily. Consider restricting to only the necessary verbs.

🔒 Proposed fix to use specific permissions

 rules:
 - apiGroups: ["cluster.alauda.io"]
   resources: ["clusterplugininstances"]
-  verbs: ["*"]
+  verbs: ["get", "list", "create", "update", "patch"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
around lines 80 - 91, The ClusterRole cilium-clusterplugininstance-admin grants
wildcard verbs ["*"] for apiGroups "cluster.alauda.io" and resources
"clusterplugininstances"; replace the wildcard with an explicit minimal verbs
list required by the component (e.g., get, list, watch, create, update, patch,
delete) or an even smaller subset if some actions are unnecessary—edit the
ClusterRole resource in the tmp.yaml to remove verbs: ["*"] and add the specific
verbs needed.

---

10-10: Consider clarifying "S2 方案" terminology.

The title references "S2 方案" (S2 solution) which may not be immediately clear to all readers. Consider adding a brief explanation of what "S2" refers to in this context, or removing it if it's internal terminology.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
at line 10, 标题中出现的“S2 方案”术语可能不够清晰；在文档顶部标题行（"# 基于 eBPF 的高性能容器网络 Cilium CNI 和 eBPF
实现的高性能四层负载均衡（支持源 IP 可见的 S2
方案）"）处，添加一段简短说明以解释“S2”代表的具体含义或替换为更通用的描述，例如在标题后紧接一行括号内或在引言段落中用一句话说明“S2”为何种架构/方案，确保读者能立刻理解该术语；如果“S2”为内部简称且无必要，则直接移除以避免歧义。

docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md (1)

81-91: Reduce RBAC permissions from wildcard to specific verbs.

The temporary RBAC grants wildcard permissions (verbs: ["*"]), which is overly permissive even temporarily. Consider using only the required verbs.

🔒 Proposed fix for more restrictive permissions

 rules:
 - apiGroups: ["cluster.alauda.io"]
   resources: ["clusterplugininstances"]
-  verbs: ["*"]
+  verbs: ["get", "list", "create", "update", "patch"]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
around lines 81 - 91, The ClusterRole cilium-clusterplugininstance-admin
currently uses verbs: ["*"] for apiGroup "cluster.alauda.io" and resource
"clusterplugininstances"; replace the wildcard with explicit, minimal verbs
required by the controller (e.g.
["get","list","watch","create","update","patch"] as a starting point and omit
"delete" unless the component actually needs it), update the manifest block that
creates the ClusterRole to use those specific verbs, and verify functionality
and apply the least-privilege set after testing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Line 174: The kube-proxy image reference "image:
registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5" is outdated; update that
image tag to a current kube-proxy release (e.g., v1.35.x or v1.34.x) consistent
with the version chosen in Step 1, and verify the container image registry/name
remains "registry.alauda.cn:60070/tkestack/kube-proxy" while only changing the
tag to the selected newer version.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Line 173: Replace the hardcoded example image tag
"registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5" with a current version or
an explicit placeholder; e.g., update to
"registry.alauda.cn:60070/tkestack/kube-proxy:v1.35.x" or use a template
placeholder like "{{KUBE_PROXY_IMAGE}}" and keep the existing comment about
replacing it for the target environment so readers aren’t confused by an
outdated example.

---

Nitpick comments:
In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Around line 81-91: The ClusterRole cilium-clusterplugininstance-admin
currently uses verbs: ["*"] for apiGroup "cluster.alauda.io" and resource
"clusterplugininstances"; replace the wildcard with explicit, minimal verbs
required by the controller (e.g.
["get","list","watch","create","update","patch"] as a starting point and omit
"delete" unless the component actually needs it), update the manifest block that
creates the ClusterRole to use those specific verbs, and verify functionality
and apply the least-privilege set after testing.

In
`@docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`:
- Around line 80-91: The ClusterRole cilium-clusterplugininstance-admin grants
wildcard verbs ["*"] for apiGroups "cluster.alauda.io" and resources
"clusterplugininstances"; replace the wildcard with an explicit minimal verbs
list required by the component (e.g., get, list, watch, create, update, patch,
delete) or an even smaller subset if some actions are unnecessary—edit the
ClusterRole resource in the tmp.yaml to remove verbs: ["*"] and add the specific
verbs needed.
- Line 10: 标题中出现的“S2 方案”术语可能不够清晰；在文档顶部标题行（"# 基于 eBPF 的高性能容器网络 Cilium CNI 和 eBPF
实现的高性能四层负载均衡（支持源 IP 可见的 S2
方案）"）处，添加一段简短说明以解释“S2”代表的具体含义或替换为更通用的描述，例如在标题后紧接一行括号内或在引言段落中用一句话说明“S2”为何种架构/方案，确保读者能立刻理解该术语；如果“S2”为内部简称且无必要，则直接移除以避免歧义。

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 940dc40f-96fe-49f5-b6ba-b9a2013c2aa4

📥 Commits

Reviewing files that changed from the base of the PR and between a867802 and 5e1790c.

📒 Files selected for processing (2)

• docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md
• docs/zh/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the latest stable Kubernetes version as of March 2025?

💡 Result:

The latest stable Kubernetes version as of March 2025 was v1.32.x (with v1.32.13 released February 26, 2026, still supported until end of February 2026 per policy). However, by late March 2025, v1.33 would have been released (April 23, 2025 per blog), becoming the latest stable. v1.34 and v1.35 followed later in 2025. The official Kubernetes releases page lists v1.35.3 (March 19, 2026) as the current latest stable release today.

Citations:

• 1: https://kubernetes.io/releases/
• 2: https://www.k8s.io/releases/
• 3: https://github.com/kubernetes/kubernetes/tags
• 4: https://kubernetes.io/blog/2025/11/26/kubernetes-v1-35-sneak-peek/
• 5: https://kubernetes.io/blog/2025/04/23/kubernetes-v1-33-release
• 6: https://github.com/kubernetes/kubernetes/releases

---

Replace the outdated kube-proxy version with a current one.

The kube-proxy version v1.33.5 is outdated for the current time period. While v1.33 is a valid Kubernetes release (released April 2025), it's no longer current in March 2026. Use a more recent version like v1.35 or v1.34 to avoid potential compatibility or security issues.

Suggested fix

-        image: registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5      ## Replace with the kube-proxy image from Step 1
+        image: registry.alauda.cn:60070/tkestack/kube-proxy:v1.35.3      ## Replace with the kube-proxy image from Step 1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	image: registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5 ## Replace with the kube-proxy image from Step 1
	image: registry.alauda.cn:60070/tkestack/kube-proxy:v1.35.3 ## Replace with the kube-proxy image from Step 1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/How_to_Deploy_Cilium_eBPF_L4_LoadBalancer_with_Source_IP_Preservation.md`
at line 174, The kube-proxy image reference "image:
registry.alauda.cn:60070/tkestack/kube-proxy:v1.33.5" is outdated; update that
image tag to a current kube-proxy release (e.g., v1.35.x or v1.34.x) consistent
with the version chosen in Step 1, and verify the container image registry/name
remains "registry.alauda.cn:60070/tkestack/kube-proxy" while only changing the
tag to the selected newer version.