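---
# Cilium Helm values for one kube-proxy-less cluster using native (non-tunnelled)
# routing. Indentation is restored to the chart's schema (cluster, loadBalancer,
# endpointRoutes, ipam, operator, containerRuntime, securityContext.capabilities,
# hubble, bgp, cgroup are mappings; the capability entries are sequences), and
# the one host:port scalar is quoted so no loader re-types it.
cluster:
  name: "cluster01"
  id: "1"
rollOutCiliumPods: true
localRedirectPolicy: true
# NOTE(review): "strict" is a legacy value for this setting in newer Cilium
# releases (the newer charts take a plain true/false) — confirm against the
# chart version that consumes this file.
kubeProxyReplacement: "strict"
# Quoted: a plain host:port pair is a string, not a number, and quoting makes
# that explicit for every loader. Binding on 0.0.0.0 exposes the unauthenticated
# healthz probe on every node interface; restrict it with the host firewall or a
# host network policy if only node-local checks need it.
kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"
ipv4NativeRoutingCIDR: 172.22.0.0/16
# Presumably the API-server endpoint the agent dials directly (no kube-proxy
# service VIP exists in this mode) — confirm against the cluster's control plane.
k8sServiceHost: 10.75.40.10
k8sServicePort: 6443
loadBalancer:
  algorithm: random
  mode: snat
# NOTE(review): `tunnel` is the older spelling; newer charts express this as
# `routingMode: native` — confirm against the chart version in use.
tunnel: "disabled"
autoDirectNodeRoutes: true
endpointRoutes:
  enabled: true
ipam:
  mode: "kubernetes"
operator:
  rollOutPods: true
containerRuntime:
  integration: containerd
securityContext:
  # The agent runs unprivileged with an explicit capability list instead of
  # `privileged: true`; the lists below are the actual privilege boundary.
  privileged: false

  capabilities:
    # -- Capabilities for the `cilium-agent` container
    ciliumAgent:
      # Use to set socket permission
      - CHOWN
      # Used to terminate envoy child process
      - KILL
      # Used since cilium modifies routing tables, etc...
      - NET_ADMIN
      # Used since cilium creates raw sockets, etc...
      - NET_RAW
      # Used since cilium monitor uses mmap
      - IPC_LOCK
      # Used in iptables. Consider removing once we are iptables-free
      # - SYS_MODULE
      # We need it for now but might not need it for >= 5.11, especially
      # for the 'SYS_RESOURCE'.
      # In >= 5.8 there are already BPF and PERFMON capabilities.
      # NOTE(review): SYS_ADMIN is close to root-equivalent on the host; the
      # PERFMON + BPF pair below is the smaller boundary where the node kernel
      # and runtime permit it — confirm node versions before switching.
      - SYS_ADMIN
      # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
      - SYS_RESOURCE
      # Both PERFMON and BPF require kernel 5.8, container runtime
      # cri-o >= v1.22.0 or containerd >= v1.5.0.
      # If available, SYS_ADMIN can be removed.
      # - PERFMON
      # - BPF
      # NOTE(review): the next four are justified here only by "package
      # installation"; if nothing is installed inside the agent container at
      # runtime they are candidates for removal — confirm against the chart's
      # documented requirements before dropping any of them.
      # Allow discretionary access control (e.g. required for package installation)
      - DAC_OVERRIDE
      # Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)
      - FOWNER
      # Allow to execute program that changes GID (e.g. required for package installation)
      - SETGID
      # Allow to execute program that changes UID (e.g. required for package installation)
      - SETUID
    # -- Capabilities for the `mount-cgroup` init container
    mountCgroup:
      # Only used for 'mount' cgroup
      - SYS_ADMIN
      # Used for nsenter
      - SYS_CHROOT
      - SYS_PTRACE
    # -- Capabilities for the `apply-sysctl-overwrites` init container
    applySysctlOverwrites:
      # Required in order to access host's /etc/sysctl.d dir
      - SYS_ADMIN
      # Used for nsenter
      - SYS_CHROOT
      - SYS_PTRACE
    # -- Capabilities for the `clean-cilium-state` init container
    cleanCiliumState:
      # Most of the capabilities here are the same ones used in the
      # cilium-agent's container because this container can be used to
      # uninstall all Cilium resources, and therefore it is likely that
      # it will need the same capabilities.
      # Used since cilium modifies routing tables, etc...
      - NET_ADMIN
      # Used in iptables. Consider removing once we are iptables-free
      # - SYS_MODULE
      # We need it for now but might not need it for >= 5.11, especially
      # for the 'SYS_RESOURCE'.
      # In >= 5.8 there are already BPF and PERFMON capabilities.
      - SYS_ADMIN
      # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
      - SYS_RESOURCE
      # Both PERFMON and BPF require kernel 5.8, container runtime
      # cri-o >= v1.22.0 or containerd >= v1.5.0.
      # If available, SYS_ADMIN can be removed.
      # - PERFMON
      # - BPF
# Hubble (Cilium's flow-observability layer) is switched off, so no flow logs or
# Hubble metrics exist for network detection in this cluster; enable it if
# L3/L4/L7 visibility is wanted for monitoring or incident response.
hubble:
  enabled: false
bgp:
  enabled: false
  announce:
    loadbalancerIP: true
    podCIDR: false
cgroup:
  # Cilium is told not to mount the cgroup2 filesystem itself and to use the
  # host's mount at hostRoot instead.
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup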