From 39667d69f14c315fe6b06e1df405ff513f6be160 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Mon, 1 Apr 2024 20:11:02 +0200 Subject: [PATCH] fix: cilium installation --- .../core/platform/bundles/full-distro.yaml | 3 + packages/system/cilium/Makefile | 2 +- .../system/cilium/charts/cilium/Chart.yaml | 4 +- .../system/cilium/charts/cilium/README.md | 14 +- .../cilium-agent/daemonset.yaml.orig | 981 ------------------ .../system/cilium/charts/cilium/values.yaml | 41 +- .../cilium/charts/cilium/values.yaml.tmpl | 15 +- packages/system/cilium/values.yaml | 4 +- 8 files changed, 56 insertions(+), 1008 deletions(-) delete mode 100644 packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml.orig diff --git a/packages/core/platform/bundles/full-distro.yaml b/packages/core/platform/bundles/full-distro.yaml index 8981ce8f..a203a1df 100644 --- a/packages/core/platform/bundles/full-distro.yaml +++ b/packages/core/platform/bundles/full-distro.yaml @@ -9,11 +9,14 @@ releases: dependsOn: [] values: cilium: + bpf: + masquerade: true cni: chainingMode: ~ customConf: false configMap: "" enableIPv4Masquerade: true + enableIdentityMark: true - name: fluxcd releaseName: fluxcd diff --git a/packages/system/cilium/Makefile b/packages/system/cilium/Makefile index e505f9b1..eb3ba0b4 100644 --- a/packages/system/cilium/Makefile +++ b/packages/system/cilium/Makefile @@ -16,4 +16,4 @@ update: helm repo update cilium helm pull cilium/cilium --untar --untardir charts sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml - patch -p3 < patches/fix-cgroups.patch + patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch diff --git a/packages/system/cilium/charts/cilium/Chart.yaml b/packages/system/cilium/charts/cilium/Chart.yaml index 7ac12ef6..43447f2c 100644 --- a/packages/system/cilium/charts/cilium/Chart.yaml +++ b/packages/system/cilium/charts/cilium/Chart.yaml 
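Review bot: The new `bpf.masquerade: true` under the cilium release values switches on eBPF masquerading, which to my knowledge the 1.15 agent only accepts when BPF NodePort is also enabled (kube-proxy replacement or `nodePort.enabled`); neither appears in this hunk, so unless it is set in `packages/system/cilium/values.yaml` (changed by this commit but not visible here) the DaemonSet would fail at startup rather than fall back to iptables masquerading, and that dependency deserves a comment next to the key, e.g. `# eBPF masquerading needs BPF NodePort / kube-proxy replacement; set in the package values.yaml`. `enableIdentityMark: true` is already the upstream chart default, so the explicit value presumably overrides a `false` set lower in the stack; a one-line comment on why it is forced on (and that the identity mark occupies the packet fwmark, which is known to clash with other tools using the mark on the node) would save the next reader a search. The collapsed layout has lost the indentation, so the nesting should be double-checked on the real file: `enableIdentityMark` is a top-level chart value and must sit beside `cni`, not under it.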
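Review bot: `--no-backup-if-mismatch` removes the `.orig` file this commit also deletes, but that backup was the only signal that `patches/fix-cgroups.patch` applied with fuzz or offset against a chart that had drifted; the recipe's `helm pull cilium/cilium --untar --untardir charts` carries no `--version`, so each `make update` patches whatever the repository index currently serves (1.15.2 → 1.15.3 in this very commit) with the drift now hidden. Pinning the chart makes the patch base reproducible and turns drift into a visible failure instead of a silent fuzzy apply: `helm pull cilium/cilium --version 1.15.3 --untar --untardir charts`, optionally with `patch -p3 --fuzz=0 --no-backup-if-mismatch < patches/fix-cgroups.patch` so that only an exact match is accepted. The `update` target begins before this hunk, so any version variable it may already define is not visible here.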
@@ -79,7 +79,7 @@ annotations: Pod IP Pool\n description: |\n CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).\n" apiVersion: v2 -appVersion: 1.15.2 +appVersion: 1.15.3 description: eBPF-based Networking, Security, and Observability home: https://cilium.io/ icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg @@ -95,4 +95,4 @@ kubeVersion: '>= 1.16.0-0' name: cilium sources: - https://github.com/cilium/cilium -version: 1.15.2 +version: 1.15.3 diff --git a/packages/system/cilium/charts/cilium/README.md b/packages/system/cilium/charts/cilium/README.md index 546d0c93..1e927580 100644 --- a/packages/system/cilium/charts/cilium/README.md +++ b/packages/system/cilium/charts/cilium/README.md @@ -1,6 +1,6 @@ # cilium -![Version: 1.15.2](https://img.shields.io/badge/Version-1.15.2-informational?style=flat-square) ![AppVersion: 1.15.2](https://img.shields.io/badge/AppVersion-1.15.2-informational?style=flat-square) +![Version: 1.15.3](https://img.shields.io/badge/Version-1.15.3-informational?style=flat-square) ![AppVersion: 1.15.3](https://img.shields.io/badge/AppVersion-1.15.3-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -170,7 +170,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:478c77371f34d6fe5251427ff90c3912567c69b2bdc87d72377e42a42054f1c2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.2","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:da4573f8fe4415bdb786c4fdcbc3b518e5a485f930cd4292416eb80800cbd7fc","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.3","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -320,7 +320,7 @@ contributors across the globe, there is almost always someone available to help. | eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API | -| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. | +| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. 
| | envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) | | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out | | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | @@ -458,7 +458,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:48480053930e884adaeb4141259ff1893a22eb59707906c6d38de2fe01916cb0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.2","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.3","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -553,7 +553,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.2","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.3","useDigest":true}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -666,7 +666,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:e2dafa4c04ab05392a28561ab003c2894ec1fcc3214a4dfe2efd6b7d58a66650","awsDigest":"sha256:3f459999b753bfd8626f8effdf66720a996b2c15c70f4e418011d00de33552eb","azureDigest":"sha256:568293cebc27c01a39a9341b1b2578ebf445228df437f8b318adbbb2c4db842a","genericDigest":"sha256:4dd8f67630f45fcaf58145eb81780b677ef62d57632d7e4442905ad3226a9088","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.2","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:59d5c0c5782163d38151dd06bae0118144f6c080598901a632c628b1143ccd10","awsDigest":"sha256:2b05dc6b88037a5ce05e4030ef616b1f7be9e65083e35abd36a1b66953fd0b6a","azureDigest":"sha256:b85a2671a74903c6e9a45e884654bb970b5b8d6a6e20371811a6cc0ad92b2f87","genericDigest":"sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.3","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -716,7 +716,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.2","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.3","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml.orig b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml.orig deleted file mode 100644 index f602af67..00000000 --- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml.orig +++ /dev/null 
@@ -1,981 +0,0 @@ -{{- if and .Values.agent (not .Values.preflight.enabled) }} - -{{- /* Default values with backwards compatibility */ -}} -{{- $defaultKeepDeprecatedProbes := true -}} - -{{- /* Default values when 1.8 was initially deployed */ -}} -{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}} - {{- $defaultKeepDeprecatedProbes = false -}} -{{- end -}} - -{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "false") -}} - ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: cilium - namespace: {{ .Release.Namespace }} - {{- with .Values.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-agent - {{- if .Values.keepDeprecatedLabels }} - kubernetes.io/cluster-service: "true" - {{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }} - {{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }} - {{- end }} - {{- end }} -spec: - selector: - matchLabels: - k8s-app: cilium - {{- if .Values.keepDeprecatedLabels }} - kubernetes.io/cluster-service: "true" - {{- end }} - {{- with .Values.updateStrategy }} - updateStrategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - template: - metadata: - annotations: - {{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }} - prometheus.io/port: "{{ .Values.prometheus.port }}" - prometheus.io/scrape: "true" - {{- end }} - {{- if .Values.rollOutCiliumPods }} - # ensure pods roll when configmap updates - cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . 
| sha256sum | quote }} - {{- end }} - {{- if not .Values.securityContext.privileged }} - # Set app AppArmor's profile to "unconfined". The value of this annotation - # can be modified as long users know which profiles they have available - # in AppArmor. - container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined" - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined" - {{- if .Values.cgroup.autoMount.enabled }} - container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined" - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" - {{- end }} - {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - k8s-app: cilium - app.kubernetes.io/name: cilium-agent - app.kubernetes.io/part-of: cilium - {{- if .Values.keepDeprecatedLabels }} - kubernetes.io/cluster-service: "true" - {{- end }} - {{- with .Values.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: cilium-agent - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.sleepAfterInit }} - command: - - /bin/bash - - -c - - -- - args: - - | - while true; do - sleep 30; - done - livenessProbe: - exec: - command: - - "true" - readinessProbe: - exec: - command: - - "true" - {{- else }} - command: - - cilium-agent - args: - - --config-dir=/tmp/cilium/config-map - {{- with .Values.extraArgs }} - {{- toYaml . 
| trim | nindent 8 }} - {{- end }} - {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} - startupProbe: - httpGet: - host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} - path: /healthz - port: {{ .Values.healthPort }} - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - failureThreshold: {{ .Values.startupProbe.failureThreshold }} - periodSeconds: {{ .Values.startupProbe.periodSeconds }} - successThreshold: 1 - initialDelaySeconds: 5 - {{- end }} - livenessProbe: - {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} - exec: - command: - - cilium - - status - - --brief - {{- else }} - httpGet: - host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} - path: /healthz - port: {{ .Values.healthPort }} - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - {{- end }} - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - # The initial delay for the liveness probe is intentionally large to - # avoid an endless kill & restart cycle if in the event that the initial - # bootstrapping takes longer than expected. - # Starting from Kubernetes 1.20, we are using startupProbe instead - # of this field. 
- initialDelaySeconds: 120 - {{- end }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - successThreshold: 1 - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - timeoutSeconds: 5 - readinessProbe: - {{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }} - exec: - command: - - cilium - - status - - --brief - {{- else }} - httpGet: - host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} - path: /healthz - port: {{ .Values.healthPort }} - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - {{- end }} - {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }} - initialDelaySeconds: 5 - {{- end }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - successThreshold: 1 - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - timeoutSeconds: 5 - {{- end }} - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_CLUSTERMESH_CONFIG - value: /var/lib/cilium/clustermesh/ - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - {{- if .Values.k8sServiceHost }} - - name: KUBERNETES_SERVICE_HOST - value: {{ .Values.k8sServiceHost | quote }} - {{- end }} - {{- if .Values.k8sServicePort }} - - name: KUBERNETES_SERVICE_PORT - value: {{ .Values.k8sServicePort | quote }} - {{- end }} - {{- with .Values.extraEnv }} - {{- toYaml . | trim | nindent 8 }} - {{- end }} - {{- if .Values.cni.install }} - lifecycle: - {{- if ne .Values.cni.chainingMode "aws-cni" }} - postStart: - exec: - command: - - "bash" - - "-c" - - | - {{- tpl (.Files.Get "files/agent/poststart-eni.bash") . | nindent 20 }} - {{- end }} - preStop: - exec: - command: - - /cni-uninstall.sh - {{- end }} - {{- with .Values.resources }} - resources: - {{- toYaml . 
| trim | nindent 10 }} - {{- end }} - {{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }} - ports: - - name: peer-service - containerPort: {{ .Values.hubble.peerService.targetPort }} - hostPort: {{ .Values.hubble.peerService.targetPort }} - protocol: TCP - {{- if .Values.prometheus.enabled }} - - name: prometheus - containerPort: {{ .Values.prometheus.port }} - hostPort: {{ .Values.prometheus.port }} - protocol: TCP - {{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }} - - name: envoy-metrics - containerPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }} - hostPort: {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }} - protocol: TCP - {{- end }} - {{- end }} - {{- if .Values.hubble.metrics.enabled }} - - name: hubble-metrics - containerPort: {{ .Values.hubble.metrics.port }} - hostPort: {{ .Values.hubble.metrics.port }} - protocol: TCP - {{- end }} - {{- end }} - securityContext: - {{- if .Values.securityContext.privileged }} - privileged: true - {{- else }} - seLinuxOptions: - {{- with .Values.securityContext.seLinuxOptions }} - {{- toYaml . | nindent 12 }} - {{- end }} - capabilities: - add: - {{- with .Values.securityContext.capabilities.ciliumAgent }} - {{- toYaml . 
| nindent 14 }} - {{- end }} - drop: - - ALL - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - {{- if .Values.authentication.mutual.spire.enabled }} - - name: spire-agent-socket - mountPath: {{ dir .Values.authentication.mutual.spire.adminSocketPath }} - readOnly: false - {{- end }} - {{- if .Values.envoy.enabled }} - - name: envoy-sockets - mountPath: /var/run/cilium/envoy/sockets - readOnly: false - {{- end }} - {{- if not .Values.securityContext.privileged }} - # Unprivileged containers need to mount /proc/sys/net from the host - # to have write access - - mountPath: /host/proc/sys/net - name: host-proc-sys-net - # Unprivileged containers need to mount /proc/sys/kernel from the host - # to have write access - - mountPath: /host/proc/sys/kernel - name: host-proc-sys-kernel - {{- end}} - {{- /* CRI-O already mounts the BPF filesystem */ -}} - {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }} - - name: bpf-maps - mountPath: /sys/fs/bpf - {{- if .Values.securityContext.privileged }} - mountPropagation: Bidirectional - {{- else }} - # Unprivileged containers can't set mount propagation to bidirectional - # in this case we will mount the bpf fs from an init container that - # is privileged and set the mount propagation from host to container - # in Cilium. 
- mountPropagation: HostToContainer - {{- end}} - {{- end }} - {{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }} - # Check for duplicate mounts before mounting - - name: cilium-cgroup - mountPath: {{ .Values.cgroup.hostRoot }} - {{- end}} - - name: cilium-run - mountPath: /var/run/cilium - - name: etc-cni-netd - mountPath: {{ .Values.cni.hostConfDirMountPath }} - {{- if .Values.etcd.enabled }} - - name: etcd-config-path - mountPath: /var/lib/etcd-config - readOnly: true - {{- if or .Values.etcd.ssl .Values.etcd.managed }} - - name: etcd-secrets - mountPath: /var/lib/etcd-secrets - readOnly: true - {{- end }} - {{- end }} - - name: clustermesh-secrets - mountPath: /var/lib/cilium/clustermesh - readOnly: true - {{- if .Values.ipMasqAgent.enabled }} - - name: ip-masq-agent - mountPath: /etc/config - readOnly: true - {{- end }} - {{- if .Values.cni.configMap }} - - name: cni-configuration - mountPath: {{ .Values.cni.confFileMountPath }} - readOnly: true - {{- end }} - # Needed to be able to load kernel modules - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: xtables-lock - mountPath: /run/xtables.lock - {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }} - - name: cilium-ipsec-secrets - mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }} - {{- end }} - {{- if .Values.kubeConfigPath }} - - name: kube-config - mountPath: {{ .Values.kubeConfigPath }} - readOnly: true - {{- end }} - {{- if .Values.bgp.enabled }} - - name: bgp-config-path - mountPath: /var/lib/cilium/bgp - readOnly: true - {{- end }} - {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }} - - name: hubble-tls - mountPath: /var/lib/cilium/tls/hubble - readOnly: true - {{- end }} - - name: tmp - mountPath: /tmp - {{- range .Values.extraHostPathMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - readOnly: {{ .readOnly }} - {{- if 
.mountPropagation }} - mountPropagation: {{ .mountPropagation }} - {{- end }} - {{- end }} - {{- if .Values.hubble.export.dynamic.enabled }} - - name: hubble-flowlog-config - mountPath: /flowlog-config - readOnly: true - {{- end }} - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.monitor.enabled }} - - name: cilium-monitor - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/bash - - -c - - -- - args: - - |- - for i in {1..5}; do \ - [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ - done; \ - cilium-dbg monitor - {{- range $type := .Values.monitor.eventTypes -}} - {{ " " }}--type={{ $type }} - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: cilium-run - mountPath: /var/run/cilium - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.monitor.resources }} - resources: - {{- toYaml . 
| trim | nindent 10 }} - {{- end }} - {{- end }} - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 6 }} - {{- end }} - initContainers: - - name: config - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - cilium-dbg - - build-config - {{- if (not (kindIs "invalid" .Values.daemon.configSources)) }} - - "--source={{.Values.daemon.configSources}}" - {{- end }} - {{- if (not (kindIs "invalid" .Values.daemon.allowedConfigOverrides)) }} - - "--allow-config-keys={{.Values.daemon.allowedConfigOverrides}}" - {{- end }} - {{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }} - - "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}" - {{- end }} - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- if .Values.k8sServiceHost }} - - name: KUBERNETES_SERVICE_HOST - value: {{ .Values.k8sServiceHost | quote }} - {{- end }} - {{- if .Values.k8sServicePort }} - - name: KUBERNETES_SERVICE_PORT - value: {{ .Values.k8sServicePort | quote }} - {{- end }} - {{- with .Values.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - volumeMounts: - - name: tmp - mountPath: /tmp - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError - {{- if .Values.cgroup.autoMount.enabled }} - # Required to mount cgroup2 filesystem on the underlying Kubernetes node. - # We use nsenter command with host's cgroup and mount namespaces enabled. 
- - name: mount-cgroup - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: CGROUP_ROOT - value: {{ .Values.cgroup.hostRoot }} - - name: BIN_PATH - value: {{ .Values.cni.binPath }} - {{- with .Values.cgroup.autoMount.resources }} - resources: - {{- toYaml . | trim | nindent 10 }} - {{- end }} - command: - - sh - - -ec - # The statically linked Go program binary is invoked to avoid any - # dependency on utilities like sh and mount that can be missing on certain - # distros installed on the underlying host. Copy the binary to the - # same directory where we install cilium cni plugin so that exec permissions - # are available. - - | - cp /usr/bin/cilium-mount /hostbin/cilium-mount; - nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; - rm /hostbin/cilium-mount - volumeMounts: - - name: hostproc - mountPath: /hostproc - - name: cni-path - mountPath: /hostbin - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - {{- if .Values.securityContext.privileged }} - privileged: true - {{- else }} - seLinuxOptions: - {{- with .Values.securityContext.seLinuxOptions }} - {{- toYaml . | nindent 12 }} - {{- end }} - capabilities: - add: - {{- with .Values.securityContext.capabilities.mountCgroup }} - {{- toYaml . | nindent 14 }} - {{- end }} - drop: - - ALL - {{- end}} - - name: apply-sysctl-overwrites - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.initResources }} - resources: - {{- toYaml . | trim | nindent 10 }} - {{- end }} - env: - - name: BIN_PATH - value: {{ .Values.cni.binPath }} - command: - - sh - - -ec - # The statically linked Go program binary is invoked to avoid any - # dependency on utilities like sh that can be missing on certain - # distros installed on the underlying host. 
Copy the binary to the - # same directory where we install cilium cni plugin so that exec permissions - # are available. - - | - cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; - nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; - rm /hostbin/cilium-sysctlfix - volumeMounts: - - name: hostproc - mountPath: /hostproc - - name: cni-path - mountPath: /hostbin - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - {{- if .Values.securityContext.privileged }} - privileged: true - {{- else }} - seLinuxOptions: - {{- with .Values.securityContext.seLinuxOptions }} - {{- toYaml . | nindent 12 }} - {{- end }} - capabilities: - add: - {{- with .Values.securityContext.capabilities.applySysctlOverwrites }} - {{- toYaml . | nindent 14 }} - {{- end }} - drop: - - ALL - {{- end}} - {{- end }} - {{- if and .Values.bpf.autoMount.enabled (not .Values.securityContext.privileged) }} - # Mount the bpf fs if it is not mounted. We will perform this task - # from a privileged container because the mount propagation bidirectional - # only works from privileged containers. - - name: mount-bpf-fs - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.initResources }} - resources: - {{- toYaml . 
| trim | nindent 10 }} - {{- end }} - args: - - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' - command: - - /bin/bash - - -c - - -- - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - privileged: true - {{- /* CRI-O already mounts the BPF filesystem */ -}} - {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }} - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - {{- end }} - {{- end }} - {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} - - name: wait-for-node-init - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.initResources }} - resources: - {{- toYaml . | trim | nindent 10 }} - {{- end }} - command: - - sh - - -c - - | - until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do - echo "Waiting on node-init to run..."; - sleep 1; - done - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: cilium-bootstrap-file-dir - mountPath: "/tmp/cilium-bootstrap.d" - {{- end }} - - name: clean-cilium-state - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /init-container.sh - env: - - name: CILIUM_ALL_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-state - optional: true - - name: CILIUM_BPF_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-bpf-state - optional: true - - name: WRITE_CNI_CONF_WHEN_READY - valueFrom: - configMapKeyRef: - name: cilium-config - key: write-cni-conf-when-ready - optional: true - {{- if .Values.k8sServiceHost }} - - name: KUBERNETES_SERVICE_HOST - value: {{ .Values.k8sServiceHost | quote }} - {{- end }} - {{- if .Values.k8sServicePort }} - - name: KUBERNETES_SERVICE_PORT - value: {{ .Values.k8sServicePort | quote 
}} - {{- end }} - {{- with .Values.extraEnv }} - {{- toYaml . | nindent 8 }} - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - {{- if .Values.securityContext.privileged }} - privileged: true - {{- else }} - seLinuxOptions: - {{- with .Values.securityContext.seLinuxOptions }} - {{- toYaml . | nindent 12 }} - {{- end }} - capabilities: - add: - {{- with .Values.securityContext.capabilities.cleanCiliumState }} - {{- toYaml . | nindent 14 }} - {{- end }} - drop: - - ALL - {{- end}} - volumeMounts: - {{- /* CRI-O already mounts the BPF filesystem */ -}} - {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }} - - name: bpf-maps - mountPath: /sys/fs/bpf - {{- end }} - # Required to mount cgroup filesystem from the host to cilium agent pod - - name: cilium-cgroup - mountPath: {{ .Values.cgroup.hostRoot }} - mountPropagation: HostToContainer - - name: cilium-run - mountPath: /var/run/cilium - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.initResources }} - resources: - {{- toYaml . | trim | nindent 10 }} - {{- end }} - {{- if and .Values.waitForKubeProxy (and (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true")) }} - - name: wait-for-kube-proxy - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.initResources }} - resources: - {{- toYaml . 
| trim | nindent 10 }} - {{- end }} - securityContext: - privileged: true - command: - - bash - - -c - - | - while true - do - if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then - echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'" - exit 0 - fi - if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then - echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'" - exit 0 - fi - if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then - echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save" - exit 0 - fi - if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then - echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'" - exit 0 - fi - echo "Waiting for kube-proxy to create iptables rules..."; - sleep 1; - done - terminationMessagePolicy: FallbackToLogsOnError - {{- end }} # wait-for-kube-proxy - {{- if .Values.cni.install }} - # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - - name: install-cni-binaries - image: {{ include "cilium.image" .Values.image | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - "/install-plugin.sh" - {{- with .Values.cni.resources }} - resources: - {{- toYaml . | trim | nindent 10 }} - {{- end }} - securityContext: - {{- if .Values.securityContext.privileged }} - privileged: true - {{- else }} - seLinuxOptions: - {{- with .Values.securityContext.seLinuxOptions }} - {{- toYaml . 
| nindent 12 }} - {{- end }} - {{- end }} - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: cni-path - mountPath: /host/opt/cni/bin - {{- end }} # .Values.cni.install - restartPolicy: Always - priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }} - serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }} - serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }} - automountServiceAccountToken: {{ .Values.serviceAccounts.cilium.automount }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - hostNetwork: true - {{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }} - # In managed etcd mode, Cilium must be able to resolve the DNS name of - # the etcd service - dnsPolicy: ClusterFirstWithHostNet - {{- else if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . 
| trim | nindent 8 }} - {{- end }} - {{- if and .Values.clustermesh.config.enabled (not (and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled )) }} - hostAliases: - {{- range $cluster := .Values.clustermesh.config.clusters }} - {{- range $ip := $cluster.ips }} - - ip: {{ $ip }} - hostnames: [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ] - {{- end }} - {{- end }} - {{- end }} - volumes: - # For sharing configuration between the "config" initContainer and the agent - - name: tmp - emptyDir: {} - # To keep state between restarts / upgrades - - name: cilium-run - hostPath: - path: {{ .Values.daemon.runPath }} - type: DirectoryOrCreate - {{- /* CRI-O already mounts the BPF filesystem */ -}} - {{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }} - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - {{- end }} - {{- if .Values.cgroup.autoMount.enabled }} - # To mount cgroup2 filesystem on the host - - name: hostproc - hostPath: - path: /proc - type: Directory - {{- end }} - # To keep state between restarts / upgrades for cgroup2 filesystem - - name: cilium-cgroup - hostPath: - path: {{ .Values.cgroup.hostRoot}} - type: DirectoryOrCreate - # To install cilium cni plugin in the host - - name: cni-path - hostPath: - path: {{ .Values.cni.binPath }} - type: DirectoryOrCreate - # To install cilium cni configuration in the host - - name: etc-cni-netd - hostPath: - path: {{ .Values.cni.confPath }} - type: DirectoryOrCreate - # To be able to load kernel modules - - name: lib-modules - hostPath: - path: /lib/modules - # To access iptables concurrently with other processes (e.g. 
kube-proxy) - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - {{- if .Values.authentication.mutual.spire.enabled }} - - name: spire-agent-socket - hostPath: - path: {{ dir .Values.authentication.mutual.spire.adminSocketPath }} - type: DirectoryOrCreate - {{- end }} - {{- if .Values.envoy.enabled }} - # Sharing socket with Cilium Envoy on the same node by using a host path - - name: envoy-sockets - hostPath: - path: "{{ .Values.daemon.runPath }}/envoy/sockets" - type: DirectoryOrCreate - {{- end }} - {{- if .Values.kubeConfigPath }} - - name: kube-config - hostPath: - path: {{ .Values.kubeConfigPath }} - type: FileOrCreate - {{- end }} - {{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }} - - name: cilium-bootstrap-file-dir - hostPath: - path: {{ .Values.nodeinit.bootstrapFile | dir | quote }} - type: DirectoryOrCreate - {{- end }} - {{- if .Values.etcd.enabled }} - # To read the etcd config stored in config maps - - name: etcd-config-path - configMap: - name: cilium-config - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - items: - - key: etcd-config - path: etcd.config - # To read the k8s etcd secrets in case the user might want to use TLS - {{- if or .Values.etcd.ssl .Values.etcd.managed }} - - name: etcd-secrets - secret: - secretName: cilium-etcd-secrets - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - optional: true - {{- end }} - {{- end }} - # To read the clustermesh configuration - - name: clustermesh-secrets - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: cilium-clustermesh - optional: true - # note: items are not explicitly listed here, since the entries of this secret - # depend on the peers configured, and that would cause a restart of all agents - # at every addition/removal. 
Leaving the field empty makes each secret entry - # to be automatically projected into the volume as a file whose name is the key. - - secret: - name: clustermesh-apiserver-remote-cert - optional: true - items: - - key: tls.key - path: common-etcd-client.key - - key: tls.crt - path: common-etcd-client.crt - {{- if not .Values.tls.caBundle.enabled }} - - key: ca.crt - path: common-etcd-client-ca.crt - {{- else }} - - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}: - name: {{ .Values.tls.caBundle.name }} - optional: true - items: - - key: {{ .Values.tls.caBundle.key }} - path: common-etcd-client-ca.crt - {{- end }} - {{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }} - - name: ip-masq-agent - configMap: - name: ip-masq-agent - optional: true - items: - - key: config - path: ip-masq-agent - {{- end }} - {{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }} - - name: cilium-ipsec-secrets - secret: - secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }} - {{- end }} - {{- if .Values.cni.configMap }} - - name: cni-configuration - configMap: - name: {{ .Values.cni.configMap }} - {{- end }} - {{- if .Values.bgp.enabled }} - - name: bgp-config-path - configMap: - name: bgp-config - {{- end }} - {{- if not .Values.securityContext.privileged }} - - name: host-proc-sys-net - hostPath: - path: /proc/sys/net - type: Directory - - name: host-proc-sys-kernel - hostPath: - path: /proc/sys/kernel - type: Directory - {{- end }} - {{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }} - - name: hubble-tls - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: hubble-server-certs - optional: true - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key - {{- if not .Values.tls.caBundle.enabled }} - - key: ca.crt - path: 
client-ca.crt - {{- else }} - - {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}: - name: {{ .Values.tls.caBundle.name }} - optional: true - items: - - key: {{ .Values.tls.caBundle.key }} - path: client-ca.crt - {{- end }} - {{- end }} - {{- if .Values.hubble.export.dynamic.enabled }} - - name: hubble-flowlog-config - configMap: - name: {{ .Values.hubble.export.dynamic.config.configMapName }} - optional: true - {{- end }} - {{- range .Values.extraHostPathMounts }} - - name: {{ .name }} - hostPath: - path: {{ .hostPath }} - {{- if .hostPathType }} - type: {{ .hostPathType }} - {{- end }} - {{- end }} - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 6 }} - {{- end }} -{{- end }} diff --git a/packages/system/cilium/charts/cilium/values.yaml b/packages/system/cilium/charts/cilium/values.yaml index 73c1f8c4..69cda0b5 100644 --- a/packages/system/cilium/charts/cilium/values.yaml +++ b/packages/system/cilium/charts/cilium/values.yaml @@ -146,10 +146,10 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.2" + tag: "v1.15.3" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746" + digest: "sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0" useDigest: true # -- Affinity for cilium-agent. @@ -1220,9 +1220,9 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.15.2" + tag: "v1.15.3" # hubble-relay-digest - digest: "sha256:48480053930e884adaeb4141259ff1893a22eb59707906c6d38de2fe01916cb0" + digest: "sha256:b9c6431aa4f22242a5d0d750c621d9d04bdc25549e4fb1116bfec98dd87958a2" useDigest: true pullPolicy: "IfNotPresent" 
@@ -2178,7 +2178,20 @@ envoy: labelSelector: matchLabels: k8s-app: cilium-envoy - + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - "true" # -- Node selector for cilium-envoy. nodeSelector: kubernetes.io/os: linux @@ -2468,15 +2481,15 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.15.2" + tag: "v1.15.3" # operator-generic-digest - genericDigest: "sha256:4dd8f67630f45fcaf58145eb81780b677ef62d57632d7e4442905ad3226a9088" + genericDigest: "sha256:c97f23161906b82f5c81a2d825b0646a5aa1dfb4adf1d49cbb87815079e69d61" # operator-azure-digest - azureDigest: "sha256:568293cebc27c01a39a9341b1b2578ebf445228df437f8b318adbbb2c4db842a" + azureDigest: "sha256:b85a2671a74903c6e9a45e884654bb970b5b8d6a6e20371811a6cc0ad92b2f87" # operator-aws-digest - awsDigest: "sha256:3f459999b753bfd8626f8effdf66720a996b2c15c70f4e418011d00de33552eb" + awsDigest: "sha256:2b05dc6b88037a5ce05e4030ef616b1f7be9e65083e35abd36a1b66953fd0b6a" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:e2dafa4c04ab05392a28561ab003c2894ec1fcc3214a4dfe2efd6b7d58a66650" + alibabacloudDigest: "sha256:59d5c0c5782163d38151dd06bae0118144f6c080598901a632c628b1143ccd10" useDigest: true pullPolicy: "IfNotPresent" suffix: "" @@ -2761,9 +2774,9 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.2" + tag: "v1.15.3" # cilium-digest - digest: "sha256:bfeb3f1034282444ae8c498dca94044df2b9c9c8e7ac678e0b43c849f0b31746" + digest: "sha256:da74ab61d1bc665c1c088dff41d5be388d252ca5800f30c7d88844e6b5e440b0" useDigest: true pullPolicy: "IfNotPresent" 
@@ -2923,9 +2936,9 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.15.2" + tag: "v1.15.3" # clustermesh-apiserver-digest - digest: "sha256:478c77371f34d6fe5251427ff90c3912567c69b2bdc87d72377e42a42054f1c2" + digest: "sha256:da4573f8fe4415bdb786c4fdcbc3b518e5a485f930cd4292416eb80800cbd7fc" useDigest: true pullPolicy: "IfNotPresent" diff --git a/packages/system/cilium/charts/cilium/values.yaml.tmpl b/packages/system/cilium/charts/cilium/values.yaml.tmpl index b0a2abd2..c6df8efd 100644 --- a/packages/system/cilium/charts/cilium/values.yaml.tmpl +++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl @@ -2179,7 +2179,20 @@ envoy: labelSelector: matchLabels: k8s-app: cilium-envoy - + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - "true" # -- Node selector for cilium-envoy. nodeSelector: kubernetes.io/os: linux diff --git a/packages/system/cilium/values.yaml b/packages/system/cilium/values.yaml index 2c054039..6e3a484f 100644 --- a/packages/system/cilium/values.yaml +++ b/packages/system/cilium/values.yaml @@ -3,11 +3,10 @@ cilium: enabled: false externalIPs: enabled: true - tunnel: disabled autoDirectNodeRoutes: false kubeProxyReplacement: strict bpf: - masquerade: true + masquerade: false loadBalancer: algorithm: maglev cgroup: @@ -25,3 +24,4 @@ cilium: configMap: cni-configuration routingMode: native enableIPv4Masquerade: false + enableIdentityMark: false
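Review bot: `bpf.masquerade` is flipped to `false` in the `@@ -3,11 +3,10 @@` hunk of `packages/system/cilium/values.yaml` with no comment giving the reason, and the `@@ -25,3 +24,4 @@` hunk's new `enableIdentityMark: false` has the same gap; both are non-default, traffic-affecting settings, so the rationale belongs next to them rather than only in the commit title. Combined with the existing `enableIPv4Masquerade: false`, `routingMode: native` and `configMap: cni-configuration`, the effect appears to be that this package leaves SNAT of pod egress to something outside Cilium; if so, a comment such as `# no masquerading here: SNAT is expected to be handled outside Cilium (see cni.configMap); overridden where Cilium runs standalone` would make that dependency explicit. Disabling the identity mark is normally done to keep the packet mark free for another component, and it changes what Cilium can rely on for local policy/proxy traffic, so a one-liner like `# packet mark left free for <placeholder: the component that needs it>` above it would help reviewers of later changes. Dropping `tunnel: disabled` looks correct given that `routingMode: native` is already set in the same file and needs no further note.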