fix(cilium): disable L7 proxy aka Envoy

2026-01-27 10:18:27 +00:00 · 2024-08-21 19:05:13 +08:00
parent 29d503d1b4
commit 89c28410f7
2 changed files with 11 additions and 27 deletions
--- a/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
+++ b/kube/deploy/core/_networking/cilium/app/config/biohazard/helm-values.yaml
@@ -72,7 +72,7 @@ operator:
 externalIPs:
  enabled: true
 l2announcements:
-  enabled: true
+  enabled: false
 #  leaseDuration: "120s"
 #  leaseRenewDeadline: "60s"
 #  leaseRetryPeriod: "1s"
@@ -86,7 +86,7 @@ bpf:
  tproxy: true # L7 netpols stuff
  #mapDynamicSizeRatio: "0.005" # Increase Cilium map sizes due to amount of netpols and identities, when BPF map pressure hits 100 endpoint creation starts failing
  policyMapMax: "40960" # 2.5x default, dynamic size ratio doesn't increase this
-l7Proxy: true # enables L7 netpols
+l7Proxy: false # enables L7 non-DNS netpols via proxy, e.g. Envoy
 dnsProxy:
  enableTransparentMode: true
 socketLB:
@@ -101,7 +101,7 @@ localRedirectPolicy: false
 nodePort:
  enabled: false
 bandwidthManager:
-  enabled: true
+  enabled: false
  bbr: false # enable after Talos kernel updated to >= 5.18
 enableIPv6BIGTCP: false # cannot enable if routingMode=tunnel
 ### `kubectl get` and `kubectl describe` will reflect CiliumNetworkPolicy (policy enforcement etc) with the below enabled
--- a/kube/deploy/core/_networking/cilium/app/hr.yaml
+++ b/kube/deploy/core/_networking/cilium/app/hr.yaml
@@ -110,7 +110,7 @@ spec:
          #enabled: true
          #annotations:
          #  grafana_folder: "Cilium"
-      eventQueueSize: "25000" # default is 6144 which fills up
+      eventQueueSize: "50000" # default is 6144 which fills up
    operator:
      prometheus:
        enabled: true
@@ -129,26 +129,10 @@ spec:
      enabled: true
      annotations:
        grafana_folder: "Cilium"
-    #resources: # for agent
-    #  limits:
-    #    memory: "3Gi"
-    debug: # for endpoint creation issue
-      enabled: true
-      verbose: "flow kvstore envoy datapath policy"
-  postRenderers:
-    - kustomize: # more reliable probe for endpoint creation issues
-        patches:
-          - target:
-              version: apps/v1
-              kind: DaemonSet
-              labelSelector: app.kubernetes.io/name=cilium-agent
-            patch: |
-              - op: replace
-                path: /spec/template/spec/containers/0/livenessProbe
-                value:
-                  failureThreshold: 10
-                  periodSeconds: 30
-                  successThreshold: 1
-                  timeoutSeconds: 5
-                  exec:
-                    command: ["cilium-health", "ping"]
+    resources: # for agent
+      requests:
+        cpu: "100m"
+        memory: "2Gi"
+      limits:
+        cpu: "1"
+        memory: "6Gi"