fix(cilium): socketLB hostns for gvisor

This commit is contained in:
JJGadgets
2025-02-10 19:48:05 +08:00
parent 5f0bef321d
commit 537c2e8090


@@ -6,6 +6,14 @@ securityContext:
capabilities:
ciliumAgent: [CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,NET_BIND_SERVICE,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID]
cleanCiliumState: [NET_ADMIN,SYS_ADMIN,SYS_RESOURCE]
# podSecurityContext:
# appArmorProfile:
# type: "Unconfined"
# # podAnnotations:
# # "container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites": "runtime/default"
# # "container.apparmor.security.beta.kubernetes.io/cilium-agent": "runtime/default"
# # "container.apparmor.security.beta.kubernetes.io/clean-cilium-state": "runtime/default"
# # "container.apparmor.security.beta.kubernetes.io/mount-cgroup": "runtime/default"
cgroup:
autoMount:
enabled: false
@@ -21,7 +29,7 @@ routingMode: native
devices: 'br0'
autoDirectNodeRoutes: true
ipv4NativeRoutingCIDR: "${IP_POD_CIDR_V4}"
endpointRoutes: # supposedly helps with LB routing...? 1.16 introduced a bug where BGP LBs (L2 untested) would randomly timeout requests at unknown intervals, most noticeably is loading SearXNG front page would usually load practically instantly but would be stuck until timeout, FortiGate pcaps show connection does establish but TCP Previous Segment Not Captured
endpointRoutes: # supposedly helps with LB routing...?
enabled: true
loadBalancer:
algorithm: maglev
@@ -43,11 +51,10 @@ bpf:
tproxy: true # L7 netpols stuff
preallocateMaps: true # reduce latency, increased memory usage
policyMapMax: 40960 # 2.5x default, Increase Cilium map sizes due to amount of netpols and identities, when BPF map pressure hits 100 endpoint creation starts failing, max dynamic size ratio doesn't increase this
enableTCX: true # testing if it causes Cilium 1.16 BGP LB timeouts
l7Proxy: true # enables L7 netpols (including DNS) via proxy, e.g. Envoy
socketLB:
enabled: true # faster and more direct same-node pod routing than tc/tcx # supposed to be default off, but it's enabled anyway if unspecified, and looks fun lol
#hostNamespaceOnly: true # KubeVirt compatibility with k8s services # disabled because KubeVirt VMs now use Multus bridging rather than CNI
hostNamespaceOnly: true # KubeVirt, gvisor and Kata compatibility with k8s services
enableIPv4BIGTCP: true
enableIPv6BIGTCP: true
bandwidthManager:
@@ -90,5 +97,3 @@ hubble:
ui:
enabled: true
rollOutPods: true
### endpointStatus + enableCnpStatusUpdates no longer enabled since it can cause large apiserver resource usage and latency spikes, removed from Cilium 1.16, since netpols now have validation status
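Review bot: The commented-out `podSecurityContext.appArmorProfile.type: "Unconfined"` stanza in the first hunk (the lines under `cleanCiliumState`, which the hunk counts imply are all additions) carries no note on why it was tried or under what condition it should be enabled, so the next person debugging the agent is likely to just uncomment it and drop AppArmor confinement for every Cilium container; either delete the dead config or prefix it with something like `# not needed once socketLB.hostNamespaceOnly is set; only re-enable if the agent fails under AppArmor on a specific node`. In the third hunk, `hostNamespaceOnly: true # KubeVirt, gvisor and Kata compatibility with k8s services` names the consumers but not the mechanism, and a why-comment would make the setting self-explaining, e.g. `hostNamespaceOnly: true # socket-level LB hooks connect() in the host cgroup, which sandboxed runtimes and VM guests bypass; keep pod-side service translation in the tc/tcx datapath` (my reading of how Cilium's socket LB works — confirm against the docs for the deployed version). Since the lines look like the old `#hostNamespaceOnly` entry was replaced, it is also worth stating in the description that pod-to-ClusterIP traffic now takes the veth datapath rather than the socket hook, as that changes where netpol and Hubble see the translated flow. The `+`/`-` markers are lost in this rendering, so which of the twelve lines in that hunk are the two removals is inferred, not certain.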