From b2516649919ea382c3879a58e6e381175e95792f Mon Sep 17 00:00:00 2001 From: Serge Logvinov Date: Thu, 18 Aug 2022 17:18:59 +0300 Subject: [PATCH] Update cilium 1.12.1 --- scaleway/Makefile | 2 +- scaleway/deployments/cilium-result.yaml | 124 +++--------------------- scaleway/deployments/cilium.yaml | 6 +- 3 files changed, 16 insertions(+), 116 deletions(-) diff --git a/scaleway/Makefile b/scaleway/Makefile index 802319d..d9cb355 100644 --- a/scaleway/Makefile +++ b/scaleway/Makefile @@ -53,7 +53,7 @@ create-kubeconfig: ## Prepare kubeconfig kubectl --kubeconfig=kubeconfig config set-context --current --namespace=kube-system create-deployments: - helm template --namespace=kube-system --version=1.11.6 -f deployments/cilium.yaml cilium \ + helm template --namespace=kube-system --version=1.12.1 -f deployments/cilium.yaml cilium \ cilium/cilium > deployments/cilium-result.yaml helm template --namespace=ingress-nginx --version=4.2.1 -f deployments/ingress.yaml ingress-nginx \ ingress-nginx/ingress-nginx > deployments/ingress-result.yaml diff --git a/scaleway/deployments/cilium-result.yaml b/scaleway/deployments/cilium-result.yaml index b14bf99..05782b6 100644 --- a/scaleway/deployments/cilium-result.yaml +++ b/scaleway/deployments/cilium-result.yaml @@ -148,7 +148,6 @@ data: kube-proxy-replacement: "strict" kube-proxy-replacement-healthz-bind-address: "" bpf-lb-sock: "false" - host-reachable-services-protos: enable-health-check-nodeport: "true" node-port-bind-protection: "true" enable-auto-protect-node-port-range: "true" @@ -172,10 +171,10 @@ data: vtep-mac: "" enable-k8s-endpoint-slice: "true" enable-bgp-control-plane: "false" - procfs: "/host/proc" bpf-root: "/sys/fs/bpf" cgroup-root: "/sys/fs/cgroup" enable-k8s-terminating-endpoint: "true" + annotate-k8s-node: "true" remove-cilium-node-taints: "true" set-cilium-is-up-condition: "true" unmanaged-pod-watcher-interval: "15" 
@@ -222,6 +221,13 @@ rules: - get - list - watch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + # To annotate the k8s node with Cilium's metadata + - patch - apiGroups: - apiextensions.k8s.io resources: @@ -546,12 +552,6 @@ spec: annotations: prometheus.io/port: "9962" prometheus.io/scrape: "true" - # Set app AppArmor's profile to "unconfined". The value of this annotation - # can be modified as long users know which profiles they have available - # in AppArmor. - container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined" - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined" - container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined" labels: k8s-app: cilium spec: 
@@ -663,59 +663,11 @@ spec: hostPort: 9964 protocol: TCP securityContext: - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. - type: 'spc_t' - capabilities: - add: - # Use to set socket permission - - CHOWN - # Used to terminate envoy child process - - KILL - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used since cilium creates raw sockets, etc... - - NET_RAW - # Used since cilium monitor uses mmap - - IPC_LOCK - # Used in iptables. Consider removing once we are iptables-free - - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - drop: - - ALL + privileged: true volumeMounts: - # Unprivileged containers need to mount /proc/sys/net from the host - # to have write access - - mountPath: /host/proc/sys/net - name: host-proc-sys-net - # Unprivileged containers need to mount /proc/sys/kernel from the host - # to have write access - - mountPath: /host/proc/sys/kernel - name: host-proc-sys-kernel - name: bpf-maps mountPath: /sys/fs/bpf - # Unprivileged containers can't set mount propagation to bidirectional - # in this case we will mount the bpf fs from an init container that - # is privileged and set the mount propagation from host to container - # in Cilium. - mountPropagation: HostToContainer + mountPropagation: Bidirectional # Check for duplicate mounts before mounting - name: cilium-cgroup mountPath: /sys/fs/cgroup 
@@ -738,24 +690,6 @@ spec: - name: xtables-lock mountPath: /run/xtables.lock initContainers: - # Mount the bpf fs if it is not mounted. We will perform this task - # from a privileged container because the mount propagation bidirectional - # only works from privileged containers. - - name: mount-bpf-fs - image: "quay.io/cilium/cilium:v1.12.1@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b" - imagePullPolicy: IfNotPresent - args: - - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' - command: - - /bin/bash - - -c - - -- - securityContext: - privileged: true - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - name: clean-cilium-state image: "quay.io/cilium/cilium:v1.12.1@sha256:ea2db1ee21b88127b5c18a96ad155c25485d0815a667ef77c2b7c7f31cab601b" imagePullPolicy: IfNotPresent 
@@ -779,35 +713,7 @@ spec: - name: KUBERNETES_SERVICE_PORT value: "6443" securityContext: - seLinuxOptions: - level: 's0' - # Running with spc_t since we have removed the privileged mode. - # Users can change it to a different type as long as they have the - # type available on the system. - type: 'spc_t' - capabilities: - # Most of the capabilities here are the same ones used in the - # cilium-agent's container because this container can be used to - # uninstall all Cilium resources, and therefore it is likely that - # will need the same capabilities. - add: - # Used since cilium modifies routing tables, etc... - - NET_ADMIN - # Used in iptables. Consider removing once we are iptables-free - - SYS_MODULE - # We need it for now but might not need it for >= 5.11 specially - # for the 'SYS_RESOURCE'. - # In >= 5.8 there's already BPF and PERMON capabilities - - SYS_ADMIN - # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC - - SYS_RESOURCE - # Both PERFMON and BPF requires kernel 5.8, container runtime - # cri-o >= v1.22.0 or containerd >= v1.5.0. - # If available, SYS_ADMIN can be removed. - #- PERFMON - #- BPF - drop: - - ALL + privileged: true volumeMounts: - name: bpf-maps mountPath: /sys/fs/bpf @@ -884,14 +790,6 @@ spec: - name: cilium-config-path configMap: name: cilium-config - - name: host-proc-sys-net - hostPath: - path: /proc/sys/net - type: Directory - - name: host-proc-sys-kernel - hostPath: - path: /proc/sys/kernel - type: Directory --- # Source: cilium/templates/cilium-operator/deployment.yaml apiVersion: apps/v1 diff --git a/scaleway/deployments/cilium.yaml b/scaleway/deployments/cilium.yaml index 8185154..4b0dea3 100644 --- a/scaleway/deployments/cilium.yaml +++ b/scaleway/deployments/cilium.yaml @@ -19,6 +19,7 @@ autoDirectNodeRoutes: false devices: [eth+] healthChecking: true +annotateK8sNode: true # l7Proxy: false # encryption: 
@@ -40,8 +41,6 @@ ipv4: enabled: true ipv6: enabled: true -hostServices: - enabled: true hostPort: enabled: true nodePort: @@ -51,6 +50,9 @@ externalIPs: hostFirewall: enabled: true +securityContext: + privileged: true + hubble: enabled: false
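Review bot: The new `securityContext: privileged: true` stanza in the values file widens the agent's privilege well beyond what the chart rendered before, and neither the commit message ("Update cilium 1.12.1") nor a comment in cilium.yaml says why: the rendered cilium-result.yaml hunks show the `seLinuxOptions` + `capabilities.add` / `drop: [ALL]` block, the `host-proc-sys-net` / `host-proc-sys-kernel` mounts and the privileged `mount-bpf-fs` init container being replaced by fully privileged `cilium-agent` and `clean-cilium-state` containers with `mountPropagation: Bidirectional`. If this is genuinely needed on the Scaleway nodes (a kernel or runtime without the PERFMON/BPF capabilities the removed comments mention, for example), record it above the key, e.g. `# privileged instead of the chart's capability list: <reason - TODO fill in>`; otherwise the stanza can presumably be dropped so the 1.12 chart default applies, and the result file re-rendered. The removed `hostServices` block looks like the 1.12 rename of that option, but `bpf-lb-sock: "false"` is unchanged context in the rendered ConfigMap, so it is worth confirming socket-level load balancing is still on under `kube-proxy-replacement: "strict"` before this rollout.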