@Shinzu
Created June 19, 2018 13:12
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  # This etcd-config contains the etcd endpoints of your cluster. If you use
  # TLS please make sure you uncomment the ca-file line and add the respective
  # certificate as a k8s secret, see explanation below in the comment labeled
  # "ETCD-CERT"
  etcd-config: |-
    ---
    endpoints:
    - https://10.0.2.50:2379
    #
    # In case you want to use TLS in etcd, uncomment the following line
    # and add the certificate as explained in the comment labeled "ETCD-CERT"
    ca-file: '/var/lib/etcd-secrets/etcd-ca'
    #
    # In case you want client to server authentication, uncomment the following
    # lines and add the certificate and key in cilium-etcd-secrets below
    key-file: '/var/lib/etcd-secrets/etcd-client-key'
    cert-file: '/var/lib/etcd-secrets/etcd-client-crt'
    insecure-skip-tls-verify: False
  # If you want to run cilium in debug mode change this value to true
  debug: "false"
  disable-ipv4: "false"
  sidecar-http-proxy: "false"
  tunnel: "disabled"
  clean-cilium-state: "false"
  legacy-host-allows-world: "false"
---
# The etcd secrets can be populated in kubernetes.
# For more information see: https://kubernetes.io/docs/concepts/configuration/secret
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: cilium-etcd-secrets
  namespace: kube-system
data:
  # ETCD-CERT: Each value should contain the whole certificate in base64, on a
  # single line. You can generate the base64 with: $ base64 -w 0 ./ca.pem
  # (the "-w 0" generates the output on a single line)
  etcd-ca: <base64-encoded CA certificate, value removed>
  etcd-client-key: <base64-encoded client private key, value removed>
  etcd-client-crt: <base64-encoded client certificate, value removed>
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: cilium
  namespace: kube-system
spec:
  updateStrategy:
    type: "RollingUpdate"
    rollingUpdate:
      # Specifies the maximum number of Pods that can be unavailable during the update process.
      # The current default value is 1 or 100% for daemonsets; adding an explicit value here
      # to avoid confusion, as the default value is specific to the type (daemonset/deployment).
      maxUnavailable: "100%"
  selector:
    matchLabels:
      k8s-app: cilium
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
      annotations:
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        scheduler.alpha.kubernetes.io/critical-pod: ''
        scheduler.alpha.kubernetes.io/tolerations: >-
          [{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
    spec:
      serviceAccountName: cilium
      initContainers:
      - name: clean-cilium-state
        image: docker.io/library/busybox:1.28.4
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'if [ "${CLEAN_CILIUM_STATE}" = "true" ]; then rm -rf /var/run/cilium/state; rm -rf /sys/fs/bpf/tc/globals/cilium_*; fi']
        volumeMounts:
        - name: bpf-maps
          mountPath: /sys/fs/bpf
        - name: cilium-run
          mountPath: /var/run/cilium
        env:
        - name: "CLEAN_CILIUM_STATE"
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              optional: true
              key: clean-cilium-state
      containers:
      - image: cilium/cilium:no-routes
        imagePullPolicy: Always
        name: cilium-agent
        command: [ "cilium-agent" ]
        args:
        - "--debug=$(CILIUM_DEBUG)"
        - "--kvstore=etcd"
        - "--kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config"
        - "--disable-ipv4=$(DISABLE_IPV4)"
        #- "--lb=eth0"
        #- "--device=eth0"
        #- "--tunnel=disabled"
        #- "-t=vxlan"
        #- "--k8s-kubeconfig-path=/etc/kubernetes/cilium.conf"
        ports:
        - name: prometheus
          containerPort: 9090
        lifecycle:
          postStart:
            exec:
              command:
              - "/cni-install.sh"
          preStop:
            exec:
              command:
              - "/cni-uninstall.sh"
        env:
        - name: "K8S_NODE_NAME"
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: "CILIUM_DEBUG"
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: debug
        - name: "DISABLE_IPV4"
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: disable-ipv4
        - name: "CILIUM_SIDECAR_HTTP_PROXY"
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: sidecar-http-proxy
              optional: true
        # Note: this variable is a no-op if not defined, and is used in the
        # prometheus examples.
        - name: "CILIUM_PROMETHEUS_SERVE_ADDR"
          valueFrom:
            configMapKeyRef:
              name: cilium-metrics-config
              optional: true
              key: prometheus-serve-addr
        - name: "CILIUM_LEGACY_HOST_ALLOWS_WORLD"
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              optional: true
              key: legacy-host-allows-world
        - name: CILIUM_TUNNEL
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              optional: true
              key: tunnel
        livenessProbe:
          exec:
            command:
            - cilium
            - status
          # The initial delay for the liveness probe is intentionally large to
          # avoid an endless kill & restart cycle in the event that the initial
          # bootstrapping takes longer than expected.
          initialDelaySeconds: 120
          failureThreshold: 10
          periodSeconds: 10
        readinessProbe:
          exec:
            command:
            - cilium
            - status
          initialDelaySeconds: 5
          periodSeconds: 5
        volumeMounts:
        - name: bpf-maps
          mountPath: /sys/fs/bpf
        - name: cilium-run
          mountPath: /var/run/cilium
        - name: cilium-kubeconf
          mountPath: /etc/kubernetes/cilium.conf
        - name: cni-path
          mountPath: /host/opt/cni/bin
        - name: etc-cni-netd
          mountPath: /host/etc/cni/net.d
        - name: docker-socket
          mountPath: /var/run/docker.sock
          readOnly: true
        - name: etcd-config-path
          mountPath: /var/lib/etcd-config
          readOnly: true
        - name: etcd-secrets
          mountPath: /var/lib/etcd-secrets
          readOnly: true
        securityContext:
          capabilities:
            add:
            - "NET_ADMIN"
          privileged: true
      hostNetwork: true
      volumes:
      # To keep state between restarts / upgrades
      - name: cilium-run
        hostPath:
          path: /var/run/cilium
      - name: cilium-kubeconf
        hostPath:
          path: /etc/kubernetes/cilium.conf
      # To keep state between restarts / upgrades
      - name: bpf-maps
        hostPath:
          path: /sys/fs/bpf
      # To read docker events from the node
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock
      # To install cilium cni plugin in the host
      - name: cni-path
        hostPath:
          path: /opt/cni/bin
      # To install cilium cni configuration in the host
      - name: etc-cni-netd
        hostPath:
          path: /etc/cni/net.d
      # To read the etcd config stored in config maps
      - name: etcd-config-path
        configMap:
          name: cilium-config
          items:
          - key: etcd-config
            path: etcd.config
      # To read the k8s etcd secrets in case the user might want to use TLS
      - name: etcd-secrets
        secret:
          secretName: cilium-etcd-secrets
      restartPolicy: Always
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      - effect: NoSchedule
        key: node.cloudprovider.kubernetes.io/uninitialized
        value: "true"
      # Mark cilium's pod as critical for rescheduling
      - key: CriticalAddonsOnly
        operator: "Exists"
---
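As an added example (not part of this gist or of Cilium's own tooling), the Python script below produces the single-line base64 values the ETCD-CERT comment describes and then scans a rendered manifest for any data value that decodes to a PEM private key, so that material like the etcd-client-key field above is caught before the file is committed or shared. The PEM blobs are constructed placeholders, and build_etcd_secret is an assumed minimal manifest writer, not a Cilium or kubectl API.

```python
import base64
import binascii
import re

# Header of any PEM-encoded private key (RSA, EC, PKCS#8, ...).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# A `key: value` line whose value looks like single-line base64 (what `base64 -w 0` emits).
DATA_LINE = re.compile(r"^\s*([A-Za-z0-9._-]+):\s*([A-Za-z0-9+/]+=*)\s*$")


def encode_secret_value(pem_bytes: bytes) -> str:
    """Equivalent of `base64 -w 0 ./ca.pem`: standard base64 on a single line."""
    return base64.b64encode(pem_bytes).decode("ascii")


def build_etcd_secret(files: dict, name="cilium-etcd-secrets", namespace="kube-system") -> str:
    """Render a cilium-etcd-secrets Secret from PEM bytes keyed by data field name (assumed helper)."""
    lines = ["---", "kind: Secret", "apiVersion: v1", "type: Opaque", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "data:"]
    for key, pem in files.items():
        lines.append(f"  {key}: {encode_secret_value(pem)}")
    return "\n".join(lines) + "\n"


def find_private_keys(manifest: str) -> list:
    """Return the data field names whose base64 value decodes to a PEM private key."""
    hits = []
    for line in manifest.splitlines():
        m = DATA_LINE.match(line)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 (e.g. a plain config value), skip it
        if PEM_PRIVATE_KEY.search(raw):
            hits.append(m.group(1))
    return hits


# Constructed sample PEM material (not real keys) standing in for ca.pem and the client pair.
FAKE_CA = b"-----BEGIN CERTIFICATE-----\nMIIBsampleCA==\n-----END CERTIFICATE-----\n"
FAKE_CRT = b"-----BEGIN CERTIFICATE-----\nMIIBsampleClient==\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleKey==\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    manifest = build_etcd_secret({"etcd-ca": FAKE_CA, "etcd-client-key": FAKE_KEY, "etcd-client-crt": FAKE_CRT})
    print(manifest)
    print("private keys in manifest:", find_private_keys(manifest))
```

Running find_private_keys over the manifest above flags only etcd-client-key, while the two certificate fields and the plain ConfigMap values pass.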