cilium 1.14.3 for talos
---
# Source: cilium/templates/cilium-agent/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "cilium"
  namespace: kube-system
---
# Source: cilium/templates/cilium-operator/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "cilium-operator"
  namespace: kube-system
---
# Source: cilium/templates/cilium-ca-secret.yaml
# Helm generated this CA at render time; ca.key is the private key that signed the
# Hubble server certificate in hubble-server-certs below, so a rendered manifest
# that still contains it is secret material and must not be committed or shared as-is.
apiVersion: v1
kind: Secret
metadata:
  name: cilium-ca
  namespace: kube-system
data:
  ca.crt: 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
  ca.key: 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
---
# Source: cilium/templates/hubble/tls-helm/server-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: hubble-server-certs
  namespace: kube-system
type: kubernetes.io/tls
data:
  ca.crt: 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
  tls.crt: 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
  tls.key: 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
---
# Source: cilium/templates/cilium-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  # Identity allocation mode selects how identities are shared between cilium
  # nodes by setting how they are stored. The options are "crd" or "kvstore".
  # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
  #   These can be queried with:
  #     kubectl get ciliumid
  # - "kvstore" stores identities in an etcd kvstore, that is
  #   configured below. Cilium versions before 1.6 supported only the kvstore
  #   backend. Upgrades from these older cilium versions should continue using
  #   the kvstore by commenting out the identity-allocation-mode below, or
  #   setting it to "kvstore".
  identity-allocation-mode: crd
  identity-heartbeat-timeout: "30m0s"
  identity-gc-interval: "15m0s"
  cilium-endpoint-gc-interval: "5m0s"
  nodes-gc-interval: "5m0s"
  skip-cnp-status-startup-clean: "false"
  # If you want to run cilium in debug mode change this value to true
  debug: "false"
  debug-verbose: ""
  # The agent can be put into the following three policy enforcement modes:
  # default, always and never.
  # https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes
  enable-policy: "default"
  # Port to expose Envoy metrics (e.g. "9964"). Envoy metrics listener will be disabled if this
  # field is not set.
  proxy-prometheus-port: "9964"
  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "true"
  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
  enable-ipv6: "false"
  # Users who wish to specify their own custom CNI configuration file must set
  # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
  custom-cni-conf: "false"
  enable-bpf-clock-probe: "false"
  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the fewer packets
  # will be seen in monitor output.
  monitor-aggregation: medium
  # The monitor aggregation interval governs the typical time between monitor
  # notification events for each allowed connection.
  #
  # Only effective when monitor aggregation is set to "medium" or higher.
  monitor-aggregation-interval: "5s"
  # The monitor aggregation flags determine which TCP flags, upon their
  # first observation, cause monitor notifications to be generated.
  #
  # Only effective when monitor aggregation is set to "medium" or higher.
  monitor-aggregation-flags: all
  # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic
  # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
  bpf-map-dynamic-size-ratio: "0.0025"
  # bpf-policy-map-max specifies the maximum number of entries in endpoint
  # policy map (per endpoint)
  bpf-policy-map-max: "16384"
  # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
  # backend and affinity maps.
  bpf-lb-map-max: "65536"
  bpf-lb-external-clusterip: "false"
  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # As a result, reply packets may be dropped and the load-balancing decisions
  # for established connections may change.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "false"
  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecar-istio-proxy-image: "cilium/istio_proxy"
  # Name of the cluster. Only relevant when building a mesh of clusters.
  cluster-name: default
  # Unique ID of the cluster. Must be unique across all connected clusters and
  # in the range of 1 and 255. Only relevant when building a mesh of clusters.
  cluster-id: "0"
  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  # Default case
  routing-mode: "tunnel"
  tunnel-protocol: "vxlan"
  # Enables L7 proxy for L7 policy enforcement and visibility
  enable-l7-proxy: "true"
  enable-ipv4-masquerade: "true"
  enable-ipv4-big-tcp: "false"
  enable-ipv6-big-tcp: "false"
  enable-ipv6-masquerade: "true"
  enable-xt-socket-fallback: "true"
  install-no-conntrack-iptables-rules: "false"
  auto-direct-node-routes: "false"
  enable-local-redirect-policy: "false"
  # Cilium implements Services itself; kube-proxy must not be running on the
  # nodes (on Talos: cluster.proxy.disabled: true in the machine config).
  kube-proxy-replacement: "true"
  kube-proxy-replacement-healthz-bind-address: ""
  bpf-lb-sock: "false"
  enable-health-check-nodeport: "true"
  node-port-bind-protection: "true"
  enable-auto-protect-node-port-range: "true"
  enable-svc-source-range-check: "true"
  enable-l2-neigh-discovery: "true"
  arping-refresh-period: "30s"
  enable-k8s-networkpolicy: "true"
  # Tell the agent to generate and write a CNI configuration file
  write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
  cni-exclusive: "true"
  cni-log-file: "/var/run/cilium/cilium-cni.log"
  enable-endpoint-health-checking: "true"
  enable-health-checking: "true"
  enable-well-known-identities: "false"
  enable-remote-node-identity: "true"
  synchronize-k8s-nodes: "true"
  operator-api-serve-addr: "127.0.0.1:9234"
  # Enable Hubble gRPC service.
  enable-hubble: "true"
  # UNIX domain socket for Hubble server to listen to.
  hubble-socket-path: "/var/run/cilium/hubble.sock"
  # An additional address for Hubble server to listen to (e.g. ":4244").
  hubble-listen-address: ":4244"
  # Hubble on :4244 is reachable over the node network; keep TLS on and require
  # client certificates signed by the CA below.
  hubble-disable-tls: "false"
  hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
  hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
  hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
  ipam: "kubernetes"
  ipam-cilium-node-update-rate: "15s"
  disable-cnp-status-updates: "true"
  cnp-node-status-gc-interval: "0s"
  egress-gateway-reconciliation-trigger-interval: "1s"
  enable-vtep: "false"
  vtep-endpoint: ""
  vtep-cidr: ""
  vtep-mask: ""
  vtep-mac: ""
  enable-bgp-control-plane: "true"
  procfs: "/host/proc"
  bpf-root: "/sys/fs/bpf"
  cgroup-root: "/sys/fs/cgroup"
  enable-k8s-terminating-endpoint: "true"
  enable-sctp: "false"
  k8s-client-qps: "5"
  k8s-client-burst: "10"
  remove-cilium-node-taints: "true"
  set-cilium-node-taints: "true"
  set-cilium-is-up-condition: "true"
  unmanaged-pod-watcher-interval: "15"
  tofqdns-dns-reject-response-code: "refused"
  tofqdns-enable-dns-compression: "true"
  tofqdns-endpoint-max-ip-per-hostname: "50"
  tofqdns-idle-connection-grace-period: "0s"
  tofqdns-max-deferred-connection-deletes: "10000"
  tofqdns-proxy-response-max-delay: "100ms"
  agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
  mesh-auth-enabled: "true"
  mesh-auth-queue-size: "1024"
  mesh-auth-rotated-identities-queue-size: "1024"
  mesh-auth-gc-interval: "5m0s"
  proxy-connect-timeout: "2"
  proxy-max-requests-per-connection: "0"
  proxy-max-connection-duration-seconds: "0"
  external-envoy-proxy: "false"
---
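The `enable-policy: "default"` line in the ConfigMap above is the setting most often misread: in "default" mode an endpoint is wide open until some policy selects it, and then it becomes default-deny only in the direction(s) that policy has rules for; "always" makes every endpoint default-deny in both directions; "never" turns enforcement off. The following added example, written for this page and not taken from the gist or from Cilium, models those documented semantics for label-based L3/L4 rules so the three modes can be run side by side. The policy dict, the `app` labels and the port numbers are constructed; CIDR/world peers, L7 rules, deny policies and namespace scoping are deliberately left out of the model.

```python
"""Cilium policy enforcement modes, modelled for label-based L3/L4 rules.

Added example for this page; not code from the gist or from the Cilium
project. Only the subset of CiliumNetworkPolicy that the model understands
is used: endpointSelector.matchLabels, ingress/egress, fromEndpoints /
toEndpoints with matchLabels, and toPorts.
"""


def policy_mode(configmap_data):
    """Read enable-policy from the cilium-config data section (default: "default")."""
    return configmap_data.get("enable-policy", "default")


def selector_matches(match_labels, labels):
    """matchLabels semantics: every key must match; an empty selector selects everything."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def rule_allows(peer_selectors, ports, peer_labels, port, proto):
    """One ingress/egress rule. No peer selector means any peer; no toPorts means any port."""
    if peer_selectors and not any(selector_matches(s, peer_labels) for s in peer_selectors):
        return False
    if ports and not any(p["port"] == str(port) and p.get("protocol", "ANY") in (proto, "ANY")
                         for p in ports):
        return False
    return True


def direction_allowed(mode, policies, endpoint_labels, direction, peer_labels, port, proto):
    """Verdict for one endpoint in one direction ("ingress" or "egress")."""
    if mode == "never":
        return True
    # Rules of every policy that selects this endpoint, for this direction only.
    rules = [r for p in policies
             if selector_matches(p["endpointSelector"]["matchLabels"], endpoint_labels)
             for r in p.get(direction, [])]
    if mode == "default" and not rules:
        return True          # nothing selects this direction: no default-deny yet
    peer_key = "fromEndpoints" if direction == "ingress" else "toEndpoints"
    for r in rules:          # "always" with no rules falls through to deny
        selectors = [s["matchLabels"] for s in r.get(peer_key, [])]
        ports = [p for tp in r.get("toPorts", []) for p in tp.get("ports", [])]
        if rule_allows(selectors, ports, peer_labels, port, proto):
            return True
    return False


def flow_allowed(mode, policies, src_labels, dst_labels, port, proto="TCP"):
    """A flow passes only if the source's egress AND the destination's ingress allow it."""
    return (direction_allowed(mode, policies, src_labels, "egress", dst_labels, port, proto)
            and direction_allowed(mode, policies, dst_labels, "ingress", src_labels, port, proto))


# Constructed sample policy: allow frontend -> api on TCP/8080 and nothing else
# into api. It says nothing about api's egress or about any other endpoint.
API_POLICY = {
    "endpointSelector": {"matchLabels": {"app": "api"}},
    "ingress": [{
        "fromEndpoints": [{"matchLabels": {"app": "frontend"}}],
        "toPorts": [{"ports": [{"port": "8080", "protocol": "TCP"}]}],
    }],
}
POLICIES = [API_POLICY]
FRONTEND, API, DB, BATCH = {"app": "frontend"}, {"app": "api"}, {"app": "db"}, {"app": "batch"}

if __name__ == "__main__":
    mode = policy_mode({"enable-policy": "default"})   # the value set in cilium-config above
    for src, dst, port in ((FRONTEND, API, 8080), (BATCH, API, 8080),
                           (FRONTEND, DB, 5432), (API, FRONTEND, 80)):
        verdict = "allowed" if flow_allowed(mode, POLICIES, src, dst, port) else "DROPPED"
        print(f"{mode}: {src['app']} -> {dst['app']}:{port} {verdict}")
```

With the ConfigMap's "default" mode only `app=api` ingress is enforced: batch -> api is dropped, but frontend -> db and api -> frontend still pass because nothing selects those endpoints or directions. Switch the mode to "always" and frontend -> api:8080 is dropped as well, because frontend now needs an egress rule of its own. On a live cluster the per-direction state is visible in the POLICY (ingress/egress) ENFORCEMENT columns of `kubectl -n kube-system exec ds/cilium -- cilium endpoint list`, and dropped flows in `hubble observe --verdict DROPPED`.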
# Source: cilium/templates/cilium-agent/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - pods
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
  # This is used when validating policies in preflight. This will need to stay
  # until we figure out how to avoid "get" inside the preflight, and then
  # should be removed ideally.
  - get
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools
  - ciliumbgppeeringpolicies
  - ciliumclusterwideenvoyconfigs
  - ciliumclusterwidenetworkpolicies
  - ciliumegressgatewaypolicies
  - ciliumendpoints
  - ciliumendpointslices
  - ciliumenvoyconfigs
  - ciliumidentities
  - ciliumlocalredirectpolicies
  - ciliumnetworkpolicies
  - ciliumnodes
  - ciliumnodeconfigs
  - ciliumcidrgroups
  - ciliuml2announcementpolicies
  - ciliumpodippools
  verbs:
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumidentities
  - ciliumendpoints
  - ciliumnodes
  verbs:
  - create
- apiGroups:
  - cilium.io
  # To synchronize garbage collection of such resources
  resources:
  - ciliumidentities
  verbs:
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpoints
  verbs:
  - delete
  - get
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  - ciliumnodes/status
  verbs:
  - get
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/status
  - ciliumendpoints/status
  - ciliumendpoints
  - ciliuml2announcementpolicies/status
  verbs:
  - patch
---
# Source: cilium/templates/cilium-operator/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-operator
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  # to automatically delete [core|kube]dns pods so that they start being
  # managed by Cilium
  - delete
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # To remove node taints
  - nodes
  # To set NetworkUnavailable false on startup
  - nodes/status
  verbs:
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # to perform LB IP allocation for BGP
  - services/status
  verbs:
  - update
  - patch
- apiGroups:
  - ""
  resources:
  # to check apiserver connectivity
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumclusterwidenetworkpolicies
  verbs:
  # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
  - create
  - update
  - deletecollection
  # To update the status of the CNPs and CCNPs
  - patch
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/status
  verbs:
  # Update the auto-generated CNPs and CCNPs status.
  - patch
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpoints
  - ciliumidentities
  verbs:
  # To perform garbage collection of such resources
  - delete
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumidentities
  verbs:
  # To synchronize garbage collection of such resources
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  verbs:
  - create
  - update
  - get
  - list
  - watch
  # To perform CiliumNode garbage collection
  - delete
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes/status
  verbs:
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpointslices
  - ciliumenvoyconfigs
  verbs:
  - create
  - update
  - get
  - list
  - watch
  - delete
  - patch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - update
  resourceNames:
  - ciliumloadbalancerippools.cilium.io
  - ciliumbgppeeringpolicies.cilium.io
  - ciliumclusterwideenvoyconfigs.cilium.io
  - ciliumclusterwidenetworkpolicies.cilium.io
  - ciliumegressgatewaypolicies.cilium.io
  - ciliumendpoints.cilium.io
  - ciliumendpointslices.cilium.io
  - ciliumenvoyconfigs.cilium.io
  - ciliumexternalworkloads.cilium.io
  - ciliumidentities.cilium.io
  - ciliumlocalredirectpolicies.cilium.io
  - ciliumnetworkpolicies.cilium.io
  - ciliumnodes.cilium.io
  - ciliumnodeconfigs.cilium.io
  - ciliumcidrgroups.cilium.io
  - ciliuml2announcementpolicies.cilium.io
  - ciliumpodippools.cilium.io
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools
  - ciliumpodippools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumpodippools
  verbs:
  - create
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools/status
  verbs:
  - patch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between multiple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
---
# Source: cilium/templates/cilium-agent/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium
subjects:
- kind: ServiceAccount
  name: "cilium"
  namespace: kube-system
---
# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium-operator
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium-operator
subjects:
- kind: ServiceAccount
  name: "cilium-operator"
  namespace: kube-system
---
# Source: cilium/templates/cilium-agent/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cilium-config-agent
  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
---
# Source: cilium/templates/cilium-agent/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cilium-config-agent
  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cilium-config-agent
subjects:
- kind: ServiceAccount
  name: "cilium"
  namespace: kube-system
---
# Source: cilium/templates/hubble/peer-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: hubble-peer
  namespace: kube-system
  labels:
    k8s-app: cilium
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: hubble-peer
spec:
  selector:
    k8s-app: cilium
  ports:
  - name: peer-service
    port: 443
    protocol: TCP
    targetPort: 4244
  internalTrafficPolicy: Local
---
# Source: cilium/templates/cilium-agent/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cilium
  namespace: kube-system
  labels:
    k8s-app: cilium
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: cilium-agent
spec:
  selector:
    matchLabels:
      k8s-app: cilium
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 2
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Set the AppArmor profile to "unconfined". The value of this annotation
        # can be modified as long as users know which profiles they have available
        # in AppArmor.
        container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
        container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
      labels:
        k8s-app: cilium
        app.kubernetes.io/name: cilium-agent
        app.kubernetes.io/part-of: cilium
    spec:
      containers:
      - name: cilium-agent
        image: "quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace"
        imagePullPolicy: IfNotPresent
        command:
        - cilium-agent
        args:
        - --config-dir=/tmp/cilium/config-map
        startupProbe:
          httpGet:
            host: "127.0.0.1"
            path: /healthz
            port: 9879
            scheme: HTTP
            httpHeaders:
            - name: "brief"
              value: "true"
          failureThreshold: 105
          periodSeconds: 2
          successThreshold: 1
        livenessProbe:
          httpGet:
            host: "127.0.0.1"
            path: /healthz
            port: 9879
            scheme: HTTP
            httpHeaders:
            - name: "brief"
              value: "true"
          periodSeconds: 30
          successThreshold: 1
          failureThreshold: 10
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            host: "127.0.0.1"
            path: /healthz
            port: 9879
            scheme: HTTP
            httpHeaders:
            - name: "brief"
              value: "true"
          periodSeconds: 30
          successThreshold: 1
          failureThreshold: 3
          timeoutSeconds: 5
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
        # Talos: point the agent at KubePrism, the node-local API server load
        # balancer on 127.0.0.1:7445, so it never depends on the kubernetes
        # Service that Cilium itself implements once kube-proxy is replaced.
        - name: KUBERNETES_SERVICE_HOST
          value: "localhost"
        - name: KUBERNETES_SERVICE_PORT
          value: "7445"
        lifecycle:
          preStop:
            exec:
              command:
              - /cni-uninstall.sh
        securityContext:
          seLinuxOptions:
            level: s0
            type: spc_t
          capabilities:
            add:
            - CHOWN
            - KILL
            - NET_ADMIN
            - NET_RAW
            - IPC_LOCK
            - SYS_ADMIN
            - SYS_RESOURCE
            - DAC_OVERRIDE
            - FOWNER
            - SETGID
            - SETUID
            drop:
            - ALL
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Unprivileged containers need to mount /proc/sys/net from the host
        # to have write access
        - mountPath: /host/proc/sys/net
          name: host-proc-sys-net
        # Unprivileged containers need to mount /proc/sys/kernel from the host
        # to have write access
        - mountPath: /host/proc/sys/kernel
          name: host-proc-sys-kernel
        - name: bpf-maps
          mountPath: /sys/fs/bpf
          # Unprivileged containers can't set mount propagation to bidirectional
          # in this case we will mount the bpf fs from an init container that
          # is privileged and set the mount propagation from host to container
          # in Cilium.
          mountPropagation: HostToContainer
        # Check for duplicate mounts before mounting
        - name: cilium-cgroup
          mountPath: /sys/fs/cgroup
        - name: cilium-run
          mountPath: /var/run/cilium
        - name: etc-cni-netd
          mountPath: /host/etc/cni/net.d
        - name: clustermesh-secrets
          mountPath: /var/lib/cilium/clustermesh
          readOnly: true
        # Needed to be able to load kernel modules
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        - name: xtables-lock
          mountPath: /run/xtables.lock
        - name: hubble-tls
          mountPath: /var/lib/cilium/tls/hubble
          readOnly: true
        - name: tmp
          mountPath: /tmp
      initContainers:
      - name: config
        image: "quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace"
        imagePullPolicy: IfNotPresent
        command:
        - cilium
        - build-config
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: KUBERNETES_SERVICE_HOST
          value: "localhost"
        - name: KUBERNETES_SERVICE_PORT
          value: "7445"
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        terminationMessagePolicy: FallbackToLogsOnError
      # Mount the bpf fs if it is not mounted. We will perform this task
      # from a privileged container because the mount propagation bidirectional
      # only works from privileged containers.
      - name: mount-bpf-fs
        image: "quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace"
        imagePullPolicy: IfNotPresent
        args:
        - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
        command:
        - /bin/bash
        - -c
        - --
        terminationMessagePolicy: FallbackToLogsOnError
        securityContext:
          privileged: true
        volumeMounts:
        - name: bpf-maps
          mountPath: /sys/fs/bpf
          mountPropagation: Bidirectional
      - name: clean-cilium-state
        image: "quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace"
        imagePullPolicy: IfNotPresent
        command:
        - /init-container.sh
        env:
        - name: CILIUM_ALL_STATE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: clean-cilium-state
              optional: true
        - name: CILIUM_BPF_STATE
          valueFrom:
            configMapKeyRef:
              name: cilium-config
              key: clean-cilium-bpf-state
              optional: true
        - name: KUBERNETES_SERVICE_HOST
          value: "localhost"
        - name: KUBERNETES_SERVICE_PORT
          value: "7445"
        terminationMessagePolicy: FallbackToLogsOnError
        securityContext:
          seLinuxOptions:
            level: s0
            type: spc_t
          capabilities:
            add:
            - NET_ADMIN
            - SYS_ADMIN
            - SYS_RESOURCE
            drop:
            - ALL
        volumeMounts:
        - name: bpf-maps
          mountPath: /sys/fs/bpf
        # Required to mount cgroup filesystem from the host to cilium agent pod
        - name: cilium-cgroup
          mountPath: /sys/fs/cgroup
          mountPropagation: HostToContainer
        - name: cilium-run
          mountPath: /var/run/cilium
        resources:
          requests:
            cpu: 100m
            memory: 100Mi # wait-for-kube-proxy
      # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
      - name: install-cni-binaries
        image: "quay.io/cilium/cilium:v1.14.3@sha256:e5ca22526e01469f8d10c14e2339a82a13ad70d9a359b879024715540eef4ace"
        imagePullPolicy: IfNotPresent
        command:
        - "/install-plugin.sh"
        resources:
          requests:
            cpu: 100m
            memory: 10Mi
        securityContext:
          seLinuxOptions:
            level: s0
            type: spc_t
          capabilities:
            drop:
            - ALL
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - name: cni-path
          mountPath: /host/opt/cni/bin # .Values.cni.install
      restartPolicy: Always
      priorityClassName: system-node-critical
      serviceAccount: "cilium"
      serviceAccountName: "cilium"
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: 1
      hostNetwork: true
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                k8s-app: cilium
            topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
      - operator: Exists
      volumes:
      # For sharing configuration between the "config" initContainer and the agent
      - name: tmp
        emptyDir: {}
      # To keep state between restarts / upgrades
      - name: cilium-run
        hostPath:
          path: /var/run/cilium
          type: DirectoryOrCreate
      # To keep state between restarts / upgrades for bpf maps
      - name: bpf-maps
        hostPath:
          path: /sys/fs/bpf
          type: DirectoryOrCreate
      # To keep state between restarts / upgrades for cgroup2 filesystem
      - name: cilium-cgroup
        hostPath:
          path: /sys/fs/cgroup
          type: DirectoryOrCreate
      # To install cilium cni plugin in the host
      - name: cni-path
        hostPath:
          path: /opt/cni/bin
          type: DirectoryOrCreate
      # To install cilium cni configuration in the host
      - name: etc-cni-netd
        hostPath:
          path: /etc/cni/net.d
          type: DirectoryOrCreate
      # To be able to load kernel modules
      - name: lib-modules
        hostPath:
          path: /lib/modules
      # To access iptables concurrently with other processes (e.g. kube-proxy)
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
      # To read the clustermesh configuration
      - name: clustermesh-secrets
        projected:
          # note: the leading zero means this number is in octal representation: do not remove it
          defaultMode: 0400
          sources:
          - secret:
              name: cilium-clustermesh
              optional: true
              # note: items are not explicitly listed here, since the entries of this secret
              # depend on the peers configured, and that would cause a restart of all agents
              # at every addition/removal. Leaving the field empty makes each secret entry
              # be automatically projected into the volume as a file whose name is the key.
          - secret:
              name: clustermesh-apiserver-remote-cert
              optional: true
              items:
              - key: tls.key
                path: common-etcd-client.key
              - key: tls.crt
                path: common-etcd-client.crt
              - key: ca.crt
                path: common-etcd-client-ca.crt
      - name: host-proc-sys-net
        hostPath:
          path: /proc/sys/net
          type: Directory
      - name: host-proc-sys-kernel
        hostPath:
          path: /proc/sys/kernel
          type: Directory
      - name: hubble-tls
        projected:
          # note: the leading zero means this number is in octal representation: do not remove it
          defaultMode: 0400
          sources:
          - secret:
              name: hubble-server-certs
              optional: true
              items:
              - key: tls.crt
                path: server.crt
              - key: tls.key
                path: server.key
              - key: ca.crt
                path: client-ca.crt
---
# Source: cilium/templates/cilium-operator/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cilium-operator
  namespace: kube-system
  labels:
    io.cilium/app: operator
    name: cilium-operator
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: cilium-operator
spec:
  # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
  # for more details.
  replicas: 2
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case
  # of one replica and no user configured Recreate strategy.
  # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the
  # podAntiAffinity which prevents deployments of multiple operator replicas on the same node.
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 50%
    type: RollingUpdate
  template:
    metadata:
      annotations:
      labels:
        io.cilium/app: operator
        name: cilium-operator
        app.kubernetes.io/part-of: cilium
        app.kubernetes.io/name: cilium-operator
    spec:
      containers:
      - name: cilium-operator
        image: "quay.io/cilium/operator-generic:v1.14.3@sha256:c9613277b72103ed36e9c0d16b9a17cafd507461d59340e432e3e9c23468b5e2"
        imagePullPolicy: IfNotPresent
        command:
        - cilium-operator-generic
        args:
        - --config-dir=/tmp/cilium/config-map
        - --debug=$(CILIUM_DEBUG)
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CILIUM_DEBUG
          valueFrom:
            configMapKeyRef:
              key: debug
              name: cilium-config
              optional: true
        - name: KUBERNETES_SERVICE_HOST
          value: "localhost"
        - name: KUBERNETES_SERVICE_PORT
          value: "7445"
        livenessProbe:
          httpGet:
            host: "127.0.0.1"
            path: /healthz
            port: 9234
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 3
        readinessProbe:
          httpGet:
            host: "127.0.0.1"
            path: /healthz
            port: 9234
            scheme: HTTP
          initialDelaySeconds: 0
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 5
        volumeMounts:
        - name: cilium-config-path
          mountPath: /tmp/cilium/config-map
          readOnly: true
        terminationMessagePolicy: FallbackToLogsOnError
      hostNetwork: true
      restartPolicy: Always
      priorityClassName: system-cluster-critical
      serviceAccount: "cilium-operator"
      serviceAccountName: "cilium-operator"
      automountServiceAccountToken: true
      # In HA mode, cilium-operator pods must not be scheduled on the same
      # node as they will clash with each other.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                io.cilium/app: operator
            topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
      - operator: Exists
      volumes:
      # To read the configuration from the config map
      - name: cilium-config-path
        configMap:
          name: cilium-config
---
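The DaemonSet and Deployment above avoid `privileged: true` for the long-running agent by dropping ALL capabilities and adding an explicit list, but that list still contains SYS_ADMIN and DAC_OVERRIDE, the `mount-bpf-fs` init container is privileged, several hostPath volumes are mounted writable on a hostNetwork pod, and the cilium-operator ClusterRole can delete pods and patch nodes. Every one of those is a deliberate design decision in Cilium; the point is to review them rather than inherit them. The script below is an added example for this page (not code from the gist or from Cilium) that walks a rendered manifest and lists exactly those privilege decisions. `SAMPLE_DOCS` is a constructed excerpt of the resources above, and the sets of capabilities and core resources it treats as sensitive are this example's own choice, not a Kubernetes standard.

```python
"""Least-privilege audit of a rendered Kubernetes manifest (added example).

Not code from the gist or from the Cilium project. Run as
`python3 audit.py rendered.yaml` (needs PyYAML) or with no arguments to
audit SAMPLE_DOCS, a constructed excerpt of the cilium DaemonSet and the
cilium-operator ClusterRole on this page.
"""
import sys

# With hostNetwork and hostPath access these amount to root on the node (capabilities(7)).
ROOT_EQUIVALENT_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_OVERRIDE"}
# Core-group resources where a write verb lets a subject reach other workloads or the node.
SENSITIVE_CORE = {"pods", "pods/exec", "nodes", "nodes/status", "secrets",
                  "serviceaccounts", "serviceaccounts/token"}
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}


def audit_container(c, kind="container"):
    findings = []
    sc = c.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    if sc.get("privileged"):
        findings.append(f"{kind} {c['name']}: privileged=true")
    elif caps.get("drop") != ["ALL"]:
        findings.append(f"{kind} {c['name']}: does not drop ALL capabilities")
    for cap in sorted(set(caps.get("add") or []) & ROOT_EQUIVALENT_CAPS):
        findings.append(f"{kind} {c['name']}: adds root-equivalent capability {cap}")
    return findings


def audit_pod_spec(spec):
    findings = []
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork=true")
    if spec.get("automountServiceAccountToken", True):   # Kubernetes default is true
        findings.append("pod: service account token automounted")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for kind, containers in (("container", spec.get("containers", [])),
                             ("initContainer", spec.get("initContainers", []))):
        for c in containers:
            findings += audit_container(c, kind)
            for m in c.get("volumeMounts", []):
                if m["name"] in host_paths and not m.get("readOnly"):
                    findings.append(f"{kind} {c['name']}: writable hostPath {host_paths[m['name']]}")
    return findings


def audit_rbac_rules(role, rules):
    findings = []
    for rule in rules:
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{role}: wildcard in apiGroups/resources/verbs")
        elif "" in groups:                                # core API group only
            for res in sorted(set(resources) & SENSITIVE_CORE):
                for verb in sorted(verbs & WRITE_VERBS):
                    findings.append(f"{role}: {verb} on core {res}")
    return findings


def audit_manifest(docs):
    """Dispatch every document of a multi-document manifest to the right auditor."""
    findings = []
    for doc in docs:
        kind, name = doc.get("kind"), doc.get("metadata", {}).get("name", "?")
        if kind in ("DaemonSet", "Deployment"):
            pod = doc["spec"]["template"]["spec"]
            findings += [f"{kind}/{name} {f}" for f in audit_pod_spec(pod)]
        elif kind in ("ClusterRole", "Role"):
            findings += audit_rbac_rules(f"{kind}/{name}", doc.get("rules") or [])
    return findings


# Constructed excerpt of the manifest above (probes, labels, images omitted).
SAMPLE_DOCS = [
    {"kind": "DaemonSet", "metadata": {"name": "cilium"}, "spec": {"template": {"spec": {
        "hostNetwork": True, "automountServiceAccountToken": True,
        "containers": [{"name": "cilium-agent",
            "securityContext": {"capabilities": {"drop": ["ALL"], "add": [
                "CHOWN", "KILL", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "SYS_ADMIN",
                "SYS_RESOURCE", "DAC_OVERRIDE", "FOWNER", "SETGID", "SETUID"]}},
            "volumeMounts": [{"name": "etc-cni-netd", "mountPath": "/host/etc/cni/net.d"},
                             {"name": "lib-modules", "mountPath": "/lib/modules", "readOnly": True}]}],
        "initContainers": [{"name": "mount-bpf-fs", "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "bpf-maps", "mountPath": "/sys/fs/bpf",
                              "mountPropagation": "Bidirectional"}]}],
        "volumes": [{"name": "etc-cni-netd", "hostPath": {"path": "/etc/cni/net.d"}},
                    {"name": "lib-modules", "hostPath": {"path": "/lib/modules"}},
                    {"name": "bpf-maps", "hostPath": {"path": "/sys/fs/bpf"}}]}}}},
    {"kind": "ClusterRole", "metadata": {"name": "cilium-operator"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "delete"]},
        {"apiGroups": [""], "resources": ["nodes", "nodes/status"], "verbs": ["patch"]},
        {"apiGroups": ["cilium.io"], "resources": ["ciliumnodes"], "verbs": ["create", "delete"]},
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["create", "get", "update"]}]},
]


def main(argv):
    if len(argv) > 1:
        import yaml  # PyYAML; only needed to audit a real rendered manifest file
        with open(argv[1]) as f:
            docs = [d for d in yaml.safe_load_all(f) if d]
    else:
        docs = SAMPLE_DOCS
    for line in audit_manifest(docs):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Against the excerpt the script reports ten findings: hostNetwork and the automounted token on the pod, SYS_ADMIN and DAC_OVERRIDE on the agent, the writable /etc/cni/net.d mount, the privileged init container with its writable /sys/fs/bpf mount, and the operator's `delete` on pods plus `patch` on nodes and nodes/status. Run against the full rendered file it will also list /var/run/cilium, /sys/fs/cgroup, /run/xtables.lock and the /proc/sys mounts; none of these is a bug, but each is a reason to pin the image digest (as the gist does), keep the chart's `drop: ALL`, and keep anything that can create pods in kube-system out of reach of ordinary tenants.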
# Source: cilium/templates/cilium-secrets-namespace.yaml
# Only create the namespace if it's different from Ingress secret namespace or Ingress is not enabled.
# Only create the namespace if it's different from Ingress and Gateway API secret namespaces (if enabled).