Skip to content

Instantly share code, notes, and snippets.

@fujin

fujin/gist:5a40f5acd16a387d95bf7c33119b0ee9

Created December 26, 2024 19:44
Show Gist options
  • Save fujin/5a40f5acd16a387d95bf7c33119b0ee9 to your computer and use it in GitHub Desktop.
Save fujin/5a40f5acd16a387d95bf7c33119b0ee9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile0.txt
---
# Source: cilium/templates/cilium-secrets-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: "cilium-secrets"
---
# Source: cilium/templates/cilium-agent/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "cilium"
namespace: default
---
# Source: cilium/templates/cilium-envoy/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "cilium-envoy"
namespace: default
---
# Source: cilium/templates/cilium-operator/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "cilium-operator"
namespace: default
---
# Source: cilium/templates/hubble-relay/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "hubble-relay"
namespace: default
---
# Source: cilium/templates/hubble-ui/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "hubble-ui"
namespace: default
---
# Source: cilium/templates/cilium-ca-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: cilium-ca
namespace: default
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRUTdvY3JoNmswOWJleWZTZ2YvM2FWVEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpJMk1UazBORFF5V2hjTk1qY3hNakkyTVRrMApORFF5V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQzdENm5vdTY1SW1aOTNNUVlkcnhtZHlBNStFYkhnTkhXamx4L29PVEswcmpLZjhiK1kKaTZCUjN2L0JjdFRtTkVCUWEvS01CVTR2Ui8zcUZoMWxSejQ3dWVwZEtuaUQ3YXU4ZWVjRnZBSENPQ2QvdU5RaQpUY2hxUmk5c3MybWhTVXpxR3ZpRlliY0xZTENTSzB5Q2dFS0pJSWVMb0RMUVNnUEZNckY0WkNIT1RnNHlCdEJwCkViem9SZzBrV1M3MGpBaEpLbEhmSGZ2VXllYThEYkdCN2R0MUNUZ2pBc2x1R1lWV21JdlhvbnNXd1ZGY05XNGsKdUxGN1U3SXlUQ1JCY3VDYTBYSXBpQ25temNRdXcvUmlOcnRYVVB3VHdXenZnWGc1aklybmQ5amRySTJ6WVJ6NApUYW9RaWlNZks1U00wcVZvZVBLRUVXdFk2VEd1Q05CeldUYm5BZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVCeDlIQzIybzFjZUJzdTBYNlNIOFlYMWJKSjR3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFLSjk3NWhjdDJTQlBITHFidnJwdk9ZSkN3SmdML21oRUJuTkgwZ3ppZ0dUY1FGeXJPUXc2S0QvCnhIZlI3VzVYU1RuLzBCZW9RT0VUK29hd3Y2a052dHczV1dOUmNycCtoelgrV0xvdFQ3eVUxc3RrSmJLU0U3eWEKYlFudWpzMjhZVWVzRjBsWlRpdm94b0pMY2U0ZkhWVCtWaG9uUmFSRzllZkZQM1NsLzJqYnV3TG1MbFFPMEp3MgoyOGREVDFFL2ZVK2d4a1RmTHkzMnBJT2xuTUJtMU0rNVhwc25tY3c4QnJQVmRQWUx4eUdmNnpXV3kxNjV0K0lrCjRQTm5Lb3YzZjBkQkhRMTVoWU5zRG90MmNDZmFOOERLU3EyTWQ0Ulc5WXRQM3BTendIMEp3RVQwUXp2R2xpRWwKNGVjb09GTDQrQjFGUUNJd214cWpJK245SGJuZkx5ST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdXcrcDZMdXVTSm1mZHpFR0hhOFpuY2dPZmhHeDREUjFvNWNmNkRreXRLNHluL0cvCm1JdWdVZDcvd1hMVTVqUkFVR3Z5akFWT0wwZjk2aFlkWlVjK083bnFYU3A0ZysycnZIbm5CYndCd2pnbmY3alUKSWszSWFrWXZiTE5wb1VsTTZocjRoV0czQzJDd2tpdE1nb0JDaVNDSGk2QXkwRW9EeFRLeGVHUWh6azRPTWdiUQphUkc4NkVZTkpGa3U5SXdJU1NwUjN4MzcxTW5tdkEyeGdlM2JkUWs0SXdMSmJobUZWcGlMMTZKN0ZzRlJYRFZ1CkpMaXhlMU95TWt3a1FYTGdtdEZ5S1lncDVzM0VMc1AwWWphN1YxRDhFOEZzNzRGNE9ZeUs1M2ZZM2F5TnMyRWMKK0UycUVJb2pIeXVVak5LbGFIanloQkZyV09reHJnalFjMWsyNXdJREFRQUJBb0lCQUg1a3RRK1dVTXFwVW9COAoxWDhWSXgvalh6ZDd5VTZPNDdYbmxSMmFHRkxSS1UrOVR4Skp0Y2ZiLzcrOFVYSkNkL3BmRmdIYVM5dlNyeFNPCllNcGYrd0xzT2hrOWF6VHBVSk1IWXp3U3JyV0dyOW16RDFNbWIzYXZlYmZlK2s2S2NyZjBCVnhLakIzWjlUU3UKb1FIRW5EQi9sRmFacGZ2ckp1VUZ2YmgxSUFwK3Q0Z2xVeGJxRENWek10K0RaTFN4SGZYK1FnU1kyQXd1NEZVVApLTEJJVVozK3U1YjFOZXV6L2NLcGNqcGpnWU9IU1dLcFd3THFicG91RzQ0L2gvVlNxKzRhaUQ3bDVDM3FSVWh5Ck9SaTUyZTlRWk9QSnpyYUlzY0VDVlk5bUhPOHU0V1VjbmFoS1BsZ1VKM0lSVVRVUzhCL3hNbWwrU0ZMVWtkMVIKOERZOFdmRUNnWUVBM0xzVXc4VUQ3UzJybHNMK2lpR1NJZU02QmlGOGsyV2pTV2R6UDhIeldLVzZwd2duSnEzVApSRDczOWJKV3ZwR1doQXdJUG1pcW5aRTVRdDFHUmZZSW53L0lGVCtDMHppSzFNVFY4TEtQM0l3L3huZmlkRXlMCk5QNk9kTlowODBBSjM2NHFmSHEyQ2VWVHVIdXA4R2lUbWdQRDFLQmxkZXN4VVpKTVdiYlB3aU1DZ1lFQTJQTlcKd3RacG53Z1YrdTBKUkhQREVXZEVYWEFIL0E0Z1p4U2swU28zNVVXdDVtbStITHBHTFNxdnZVN2FKanBhMEpYcQpjSDVFL1dCRzZwdGNocnFKU3grdHBpb1RNZzEyWjBtREUrUVV5Zk9JZ2ZRVFQ0bGE0RENZK0kra29MNVNzMFVKCmVNcklVbjNlUjdzZnFySHoxaTNFZmhWVzA2d0NzODFxSWJUa0dtMENnWUFRaWxoWS96ZDNHM2dET1NOMzJHSXAKOWV3UUw0dzFRMldFQjZPRVFKVnFyQ2liZ2FubFpSc3l2d0Uzd1NCczhWMzFFUzNBOTNqcGk4dGRybFVvd3ZJTQpjVk5OL0U5aVlwZE1zRjlUeFIyd3FqWFJPb1NXc0hHeUMrMUM1aHNuYTBJU0ordjVIZnpzS3VvbUplWXJKTHNDCnpJdHRNSVBKM1ZENXl0dTcwVTRxUHdLQmdHV0lKSStVcHVPdGRoUDBBUVZQSS9pdUdwbWNCN0NYcitSdURlQngKNEt6bEdraWVMa0hsajFndUJRY1VzeFYyOCs5d2FjSng1Ym1xNkNWOXhpU3JnZnR0Zk9ncUFzZkc4eVhOaXBHeAppV1VtR3ptdVQ2ZEdnZ2d2MWpkbGlrZE1Ld29KQWpETXZrbVU3SVVuZHQ5ODNyL2F0WDNJWU5VNVNCNTd3UEs3ClpKRlZBb0dBTVppcndGeU12WXU1N1hLSUVGb3ZmSFFxSVBtTVhmd0NRQlNCbXRxVy9OMkNKOWNtRExWL3hlcEQKd3hpdmtscW9WV0RmUVZsNDVRZjRnY2NVeDRTOXdlUDl3UjZFWGlpZmpyZmVCYlRNekNiQmRRK2hnOGN5Z1BNcQovNEZWMWhSVU1RcDFRZG82U2F0MmVLYWpmRzJoYUl3SUk4bjh1cDAzWURoaFVPNnJSd1E9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
---
# Source: cilium/templates/hubble/tls-helm/relay-client-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: hubble-relay-client-certs
namespace: default
type: kubernetes.io/tls
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRUTdvY3JoNmswOWJleWZTZ2YvM2FWVEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpJMk1UazBORFF5V2hjTk1qY3hNakkyTVRrMApORFF5V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQzdENm5vdTY1SW1aOTNNUVlkcnhtZHlBNStFYkhnTkhXamx4L29PVEswcmpLZjhiK1kKaTZCUjN2L0JjdFRtTkVCUWEvS01CVTR2Ui8zcUZoMWxSejQ3dWVwZEtuaUQ3YXU4ZWVjRnZBSENPQ2QvdU5RaQpUY2hxUmk5c3MybWhTVXpxR3ZpRlliY0xZTENTSzB5Q2dFS0pJSWVMb0RMUVNnUEZNckY0WkNIT1RnNHlCdEJwCkViem9SZzBrV1M3MGpBaEpLbEhmSGZ2VXllYThEYkdCN2R0MUNUZ2pBc2x1R1lWV21JdlhvbnNXd1ZGY05XNGsKdUxGN1U3SXlUQ1JCY3VDYTBYSXBpQ25temNRdXcvUmlOcnRYVVB3VHdXenZnWGc1aklybmQ5amRySTJ6WVJ6NApUYW9RaWlNZks1U00wcVZvZVBLRUVXdFk2VEd1Q05CeldUYm5BZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVCeDlIQzIybzFjZUJzdTBYNlNIOFlYMWJKSjR3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFLSjk3NWhjdDJTQlBITHFidnJwdk9ZSkN3SmdML21oRUJuTkgwZ3ppZ0dUY1FGeXJPUXc2S0QvCnhIZlI3VzVYU1RuLzBCZW9RT0VUK29hd3Y2a052dHczV1dOUmNycCtoelgrV0xvdFQ3eVUxc3RrSmJLU0U3eWEKYlFudWpzMjhZVWVzRjBsWlRpdm94b0pMY2U0ZkhWVCtWaG9uUmFSRzllZkZQM1NsLzJqYnV3TG1MbFFPMEp3MgoyOGREVDFFL2ZVK2d4a1RmTHkzMnBJT2xuTUJtMU0rNVhwc25tY3c4QnJQVmRQWUx4eUdmNnpXV3kxNjV0K0lrCjRQTm5Lb3YzZjBkQkhRMTVoWU5zRG90MmNDZmFOOERLU3EyTWQ0Ulc5WXRQM3BTendIMEp3RVQwUXp2R2xpRWwKNGVjb09GTDQrQjFGUUNJd214cWpJK245SGJuZkx5ST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTRENDQWpDZ0F3SUJBZ0lRV2wzRzlPeHpFTlRuV205eDljbGs3ekFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpJMk1UazBORFF5V2hjTk1qY3hNakkyTVRrMApORFF5V2pBak1TRXdId1lEVlFRRERCZ3FMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEVTcvNzJNUmMyNjZ0NjlXSnRXcFUvQ3hBc3NWdFYKNWZ3TFMyckJ2VklCUkVkdjhiTC8vdmFISjhqS0h6T3FoVWpMWmg4aFhXb3cvN3I3aS93SUg1S2RGUEJXa2NHaQp3RXYwKy9KemQ3TU1ySmVtR2wwekgrSW9iYXYzeEhpVjd4ZTdFS01UczBESk1PQmdvSWliKzVuZ3o2QXFCVG91ClFHRU9lRkFHUnBmdStPdklnQ2l0NkhTZERWS1lYNzlNVEtka2g5VlI0RjUzTldWVEZnd3RSTmV5Q1NucjJTeGoKam5pa21YSllESDBaWW42UjVnZGcxMUordkRTTG1sS21pWEFIdkU0aFh0L3MxZ2wxT2hpcTJ0TW9IT0pPdk5GOQp3d09qQ3RFcDFUeHlTcThWTERXVHdEWHowSGgwS3VDL2xyU3VJditDWEJZVE9ZWWIzb1crSS9VUEFnTUJBQUdqCmdZWXdnWU13RGdZRFZSMFBBUUgvQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUYKQlFjREFqQU1CZ05WSFJNQkFmOEVBakFBTUI4R0ExVWRJd1FZTUJhQUZBY2ZSd3R0cU5YSGdiTHRGK2toL0dGOQpXeVNlTUNNR0ExVWRFUVFjTUJxQ0dDb3VhSFZpWW14bExYSmxiR0Y1TG1OcGJHbDFiUzVwYnpBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFKN0dXblcxN1BmNUttbWsveGFKMVZPNXNKKzJvaHhIYWhzVy96eVh5ZkpjNkdGWXAKbk1nVm9IUlZ1SmlhUnhSbnA1WmZobG5RaEFMQU5NRkF4YnlLOUdUVExvMVRGOUM1cTErMjlWQUJlbDZRN210agpscWZLZmlNck5OeWRkcDUrQWp0YWU4dnJVeUw4cGhrMDYxT1l6Z0N0WjFtdGZkdldJV0tYZ0dYV3ZOclEyNjBxCnBCM1pwZkg5TjVERDJKN0hRdDNuTEo4MEg5OHVibnFkSU1laksrS1hDc3d0WFhFVXVUU3U4ZktMUkY5MTlDSEEKVGtZY0o1SHJJMzhmZDB1VGd4R3duYmhkb0N6MGNaZG4rQVZ4aUkxZ3hHZTF0bHlTNy9iNXM4ZUJCNnpmc0ZNVgo1STAyVDNZUmMyS3NwS293QlVnbUJNVkFGR2ZTYkxDbTFUTWRjUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBMU8vKzlqRVhOdXVyZXZWaWJWcVZQd3NRTExGYlZlWDhDMHRxd2IxU0FVUkhiL0d5Ci8vNzJoeWZJeWg4enFvVkl5MllmSVYxcU1QKzYrNHY4Q0IrU25SVHdWcEhCb3NCTDlQdnljM2V6REt5WHBocGQKTXgvaUtHMnI5OFI0bGU4WHV4Q2pFN05BeVREZ1lLQ0ltL3VaNE0rZ0tnVTZMa0JoRG5oUUJrYVg3dmpyeUlBbwpyZWgwblExU21GKy9URXluWklmVlVlQmVkelZsVXhZTUxVVFhzZ2twNjlrc1k0NTRwSmx5V0F4OUdXSitrZVlICllOZFNmcncwaTVwU3BvbHdCN3hPSVY3ZjdOWUpkVG9ZcXRyVEtCemlUcnpSZmNNRG93clJLZFU4Y2txdkZTdzEKazhBMTg5QjRkQ3JndjVhMHJpTC9nbHdXRXptR0c5NkZ2aVAxRHdJREFRQUJBb0lCQUhURitHaENtNXgrdVZlQQo0aTFlRTZLekNuZTMrNEtyMFFEUXB3Y0FMOHlLQ1RNV3RUYzJOelAvV1ZtZXF0TEVyUnIrTWV3Mk1sb1VwQkgyCnZvd2w1RjFJY2xUSE1nMXlyelQyUmd1VWhSaGFQZi9WVFc4UCtSSjZzbWY1MHJkR214ajNFcmRuQWd4VFJYazQKRURLYVU5UzVoL2dEVGRpM2JZSmw4RnpBc2VsV2o5cDd6SlBXMUZoNmpqc244MUVtbVI0WkJ6Zis5K0RaNlZ4aQpvcTMza0JrNHhqRENCL0NtMFNPZTJBVWxKNjIwL3dvK1MvNlFqeHBrTVhXTm1hM3g3aWJoMmF0bXlKYys5SW1QCjhJYUVZaHdkV1JSbUtYUVBabVVjbTJ4NEU1T3BVMzVKVVFGSk9sZ1RQWUJlWmIyekxTSnlUWmZpTkYwTzZ2NG4KRUdYcDRFRUNnWUVBL2Z3ak1pdjc0a1VheHhIU1JwalU4a3BWRDNDQzN6cmlMaDNiRmJiZXdRYTQrdDBVUHMzUgo5VkxmOTJCSkQ2K2duUEFkOC9lSHM4ZlRkTDl4NEtLS25pMlZPcU1tc3dOdHlQdVMyTVArZStpek5DUENZSTVyCithZXVLVUtWajRRQWRmN0NJTG1GaTNpT2VLUDlBYlI1YmVDb2d3TnJaVlNTVUx0TFdpbzZCdWNDZ1lFQTFxQjgKOEFPUkRlTzFTK3RldWlPZ2IwcktUK3FjQ2FhV1U2NzU4MmpaWVhSMXhOUXdNZm1VdWJpeHlrTE5nZmJDVlBrRApxajNVRVN5T3IvR0x6VjB0aTdwTWRDRDJUVmwvYXRiS1FGY1ZmYnljTjIzMzNScGJVdU9iVlpVY0xKcmpPdzVuCkFtWk8zbzR4azZIUzB4TjhCVUo0Wi9kUjduM3ovbS9xMmFnUjQ1a0NnWUVBeHFtMzVnQ2RieWxhZnFlajhIQ08KOEUzUUp0bDhwSnRzVzJJakFlTWViYUdTZ3piMkpRSGMzcVZLWmphOEx6YlN6SzdNM3cyWTZiaTkzNjMzcHh1OApqV2xlTnBWektjYmUwcnhrNm9Tenc3d0tvQmZ3YkpJNlJ2Y3Z0VHBOdmdva1NpZFJOVU9uLzZYMjJzcDZsaURTCmNtMnRvWHpGUG1kZVl5TjlGek84VzdVQ2dZQmJiQWxNQTNqcVBiQ2dJaVk3aTZsdlBxQm00anlOTDlTZzJNdkgKajBYcGFUNHhGV0ZpS0RuZDBucUkrV09vbEgrNnlrZHhZTnpRWS9aem82UTFXaGRvaVhhL2tMclp2K0d5bE1PYQpISDRmRFJSTjJCM1lwTDE1MVZINVpvYVZ5WFE1VjYweExIc3orY1hNYVFYd3V6Lzh6WStVV1prZ3lhNEJGNU1tCkc1MWpJUUtCZ0F5eWdrQk1FRE5zNUg3L3lFT3JqZVQ4SEk2TjZIWUt4MitnbDVoaVFwM1h1WkpFY0NSODVML3AKTFRSd2tmRlR4Nkozc25DRnByNzZUelJTNlU0cmlkR1hkYWpmNlF0NGM5SGpybmhFaGVjVm9LK2dPdVRqeTYwYQpNSDB0MXh2bjkzc2dTZVBKald1ajRVWEJrQ0NrdGdqaDltdjhub1FUOUtSRmRDczErVHhoCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
---
# Source: cilium/templates/hubble/tls-helm/server-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: hubble-server-certs
namespace: default
type: kubernetes.io/tls
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFekNDQWZ1Z0F3SUJBZ0lRUTdvY3JoNmswOWJleWZTZ2YvM2FWVEFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpJMk1UazBORFF5V2hjTk1qY3hNakkyTVRrMApORFF5V2pBVU1SSXdFQVlEVlFRREV3bERhV3hwZFcwZ1EwRXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQzdENm5vdTY1SW1aOTNNUVlkcnhtZHlBNStFYkhnTkhXamx4L29PVEswcmpLZjhiK1kKaTZCUjN2L0JjdFRtTkVCUWEvS01CVTR2Ui8zcUZoMWxSejQ3dWVwZEtuaUQ3YXU4ZWVjRnZBSENPQ2QvdU5RaQpUY2hxUmk5c3MybWhTVXpxR3ZpRlliY0xZTENTSzB5Q2dFS0pJSWVMb0RMUVNnUEZNckY0WkNIT1RnNHlCdEJwCkViem9SZzBrV1M3MGpBaEpLbEhmSGZ2VXllYThEYkdCN2R0MUNUZ2pBc2x1R1lWV21JdlhvbnNXd1ZGY05XNGsKdUxGN1U3SXlUQ1JCY3VDYTBYSXBpQ25temNRdXcvUmlOcnRYVVB3VHdXenZnWGc1aklybmQ5amRySTJ6WVJ6NApUYW9RaWlNZks1U00wcVZvZVBLRUVXdFk2VEd1Q05CeldUYm5BZ01CQUFHallUQmZNQTRHQTFVZER3RUIvd1FFCkF3SUNwREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXcKQXdFQi96QWRCZ05WSFE0RUZnUVVCeDlIQzIybzFjZUJzdTBYNlNIOFlYMWJKSjR3RFFZSktvWklodmNOQVFFTApCUUFEZ2dFQkFLSjk3NWhjdDJTQlBITHFidnJwdk9ZSkN3SmdML21oRUJuTkgwZ3ppZ0dUY1FGeXJPUXc2S0QvCnhIZlI3VzVYU1RuLzBCZW9RT0VUK29hd3Y2a052dHczV1dOUmNycCtoelgrV0xvdFQ3eVUxc3RrSmJLU0U3eWEKYlFudWpzMjhZVWVzRjBsWlRpdm94b0pMY2U0ZkhWVCtWaG9uUmFSRzllZkZQM1NsLzJqYnV3TG1MbFFPMEp3MgoyOGREVDFFL2ZVK2d4a1RmTHkzMnBJT2xuTUJtMU0rNVhwc25tY3c4QnJQVmRQWUx4eUdmNnpXV3kxNjV0K0lrCjRQTm5Lb3YzZjBkQkhRMTVoWU5zRG90MmNDZmFOOERLU3EyTWQ0Ulc5WXRQM3BTendIMEp3RVQwUXp2R2xpRWwKNGVjb09GTDQrQjFGUUNJd214cWpJK245SGJuZkx5ST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYRENDQWtTZ0F3SUJBZ0lRQ1pYMlBJYWo0WUhKbld6ZXMxeHZqekFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalF4TWpJMk1UazBORFF5V2hjTk1qY3hNakkyTVRrMApORFF5V2pBdE1Tc3dLUVlEVlFRRERDSXFMbkJ5YjJReExXMXpjREl1YUhWaVlteGxMV2R5Y0dNdVkybHNhWFZ0CkxtbHZNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXNubHJpT0hpQXQrYWhKcmgKTGc4RHY0VXdDQXRIWkk3cU5GemQ2MWVEdzJTOVNZQW9zR0Z4dmtTNlZhQ0lxT0c4NFIzTU1nclZ6M1JWVi9FVwpYNE5CNVVObzhxSkpFSGxmSXJ2ME9XTnRxNktNZ3duMk9WNXFVVjBmRVZZellSWU9sRUJaVEpPRm9GUEJjVEROCllrL3VhbmZqN3FiVXFhcUJ2YkxLY1BSMFFSNHo1R1FVUWJpaGlTOE85YU82eEVIVElRMjVaM2dwdWFpam1LQjUKU0RTeVhkSmNRVzNRa1pHZHMybE1WUXJ1S01FN013MzFYY0trQ2R0dDVCR1NjTldDb285cElDbXNRNGcxQysrRwpjN21ycmRRTHJiMWVMdk5OeXp0RjBOTU5GZmVZek9nMUZsL2lsdHZyUUFoWnJBWWV3L1p3a25NTXd6NEZmZnN4CkFtcG4xUUlEQVFBQm80R1FNSUdOTUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUYKQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCUUhIMGNMYmFqVgp4NEd5N1JmcElmeGhmVnNrbmpBdEJnTlZIUkVFSmpBa2dpSXFMbkJ5YjJReExXMXpjREl1YUhWaVlteGxMV2R5CmNHTXVZMmxzYVhWdExtbHZNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUMxRnBGQTdLYUdJWDBZWXJwUDY1WWoKOFVzaEF0bGpNRkRQNTVHU3NROUhWazhuYXFKa2hpQUJacWZZODN5ekp4THY0TnRxMGE5WWFHR0pNeG42Q0JQTQp0algxZmU2cFIwNVhuMU4rYnQ3dVRQcEdCeDZJdnc5U1ZMUERTUDB6Wjd0NzRXbm1WcTIxaFpGQlRpZ0FhZzZyCllzSDBIUEx4NE5pM2Z4eFNuRXZkN0xLcURnemJsVlJlaDVMRVEraHhUd1lBdGRaVFVhWU11T0Z4QXIrUmlpdjAKdzdWQmE2V2QyMWRSVjFEL0xuR3FQeXNhU2xVZzFFbTZ0Y01tRXRIMmxkMUF1Z1NzRzdqbnhHRStmdHVuN2tvUgowQTljL2ttMFQ2cUNzVXBMU3QyMHh3Z0szYjRJUmdTM05BdnJ4ajNZZmsyYWdlSVhvN1hkUnR5d3BDZGMxZExxCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBc25scmlPSGlBdCthaEpyaExnOER2NFV3Q0F0SFpJN3FORnpkNjFlRHcyUzlTWUFvCnNHRnh2a1M2VmFDSXFPRzg0UjNNTWdyVnozUlZWL0VXWDROQjVVTm84cUpKRUhsZklydjBPV050cTZLTWd3bjIKT1Y1cVVWMGZFVll6WVJZT2xFQlpUSk9Gb0ZQQmNURE5Zay91YW5majdxYlVxYXFCdmJMS2NQUjBRUjR6NUdRVQpRYmloaVM4TzlhTzZ4RUhUSVEyNVozZ3B1YWlqbUtCNVNEU3lYZEpjUVczUWtaR2RzMmxNVlFydUtNRTdNdzMxClhjS2tDZHR0NUJHU2NOV0NvbzlwSUNtc1E0ZzFDKytHYzdtcnJkUUxyYjFlTHZOTnl6dEYwTk1ORmZlWXpPZzEKRmwvaWx0dnJRQWhackFZZXcvWndrbk1Nd3o0RmZmc3hBbXBuMVFJREFRQUJBb0lCQVFDbFcreHZZZUlYQ1hmUAozdlE5eVhtT2pHZHBQSklFTUluOHhBSjFWNXRrZ1VVRUFiTXhZTWVUSTNpRmQzekhCSWdOQjUrMnllVTZGaTR3CmtkWkozb0pDV2dlMXJ2a0ZRMzhLM3B3MFE5Uk1Ed29qS3lxd0VyTnMrVnVjbzRKdE5KT0RkbStHakxSbFROVFEKL0FkL1RGRzQ0YVlVNnd2a3UyOEVCTkNlZ1UvcE4vZDFhdGJDb2JIWlJWWms4RWs1ZnU3NWlBTTgzU1FjK0h1KwpWU0JXNzR0OXdpcFc5K2VmQzE0aXRtVnd6Nit0UUxwamxicXJJRTNPamE1YzVIcjNIR1VBOWIrR3ZlcU1oNXFOCk9EZzlBd0tZdTdhMkUwemZkWmx5NkZ5ZFN5LzQ1NzZIbnArWldpazJFL25tYndLZ2dHR3RYV2R6N3FJZFl0YUoKNE5SYUdzN3RBb0dCQU5rOGlLZUs4Q2xjbVZjd3puMTdhaElCUy9PQzJuQ1ZLM3ZQYnhkM2xiZ1cvcTAwNTBSOQpOTm1GdXdBQjJ6ZmZRUlRmK0ZjMFY5N05HMVVKK1ByamZQZm1ERmZLZTNod09LaDBlbFl3N1NYWEhqUVp2Z25CCkhsbFJSaGdEUS8wQzV2NmEwM0tUdFd1MHQ1TlROUlZCb1MzN3RKWXBrNkVwb0ppNXBQbml2ZEcvQW9HQkFOSlMKTmtNTzBkeFVaM3BtU1VSeHVZY2ltay9yMjR2NjhBbmNpbXJENXR6cE1mSGVLVURCc2V1Z2s4N3Zsa0tWVmh2MQoxWmpDL2xzdkwzaTc3bVB4Q0NKQ0VVODNFeHRvbnJFUnVpR0RLdmFFU0N0WHN6WEdoWjVjeEZTQXpJT2ZRc1p3CjZWdjliSjRRM3hJRWpybzNqOWlZbW5oYU43RExCSzNwOFNYM0FZTnJBb0dBRjRmNkdZUHdUZHFzOVlmZzVqREgKSlpva1d3VlNtaDFlYjNQaHliMzNadEIrMTg1Q091WUJJb3JjM2J4VnZiQ2VRUitkcS95TWhDTGRraEdaZWJ2SQpucVc1c296SllSdHUxN2grUS9YYXlsMko5UVRRMUFlcVBPeVQxaWdNWmt5NUx0MGdpR205bmlRZU9vUXAzTnFXCkZnQU02TE1xUGF2ZnJJdDNkbVg4UDhzQ2dZQVJDYUhscXNTcllaY0VYbGJmR1l0YS9CMmVEZEE2TmJqT1E3UmUKMDhIVzhYa2ZTOHp4dHY4dnhGRlUrU21sK1MwQmxOZVp5V29MZnZZTWhNVGFDY09MNnVnMkQ1TVhyRkQyclNYego0d2xPOFFaYnBINGJCQnI4Nml6cFg0bXh1K3dQNFVPMk5RQmdpYU5ZZFZBT204T21XeTVnUTRheFpyRFpXZE0wCkxSOU5Rd0tCZ1FDempsRGZVVFhlNXVERXhSQUFqc1RkMFdVdmtBSWlpOTk0MkIwaHJTckpaMVdyb2hFdFowRnkKeGFBd2pIOExzdlg1dFhmaU9kcXFpR1d5cW5NaUg1OTE0RVZTU3hrclVLSU04RC92M3pwTExDcjFzN0plRkFHMQp5OWVZUWpuOVpVdEJZd0JnUldxOURSUjhtK3VmM1lXSUdRUkVod0RKdFpZM0xwc2tDbTE0c3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
---
# Source: cilium/templates/cilium-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cilium-config
namespace: default
data:
# Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
# These can be queried with:
# kubectl get ciliumid
# - "kvstore" stores identities in an etcd kvstore, that is
# configured below. Cilium versions before 1.6 supported only the kvstore
# backend. Upgrades from these older cilium versions should continue using
# the kvstore by commenting out the identity-allocation-mode below, or
# setting it to "kvstore".
identity-allocation-mode: crd
identity-heartbeat-timeout: "30m0s"
identity-gc-interval: "15m0s"
cilium-endpoint-gc-interval: "5m0s"
nodes-gc-interval: "5m0s"
# If you want to run cilium in debug mode change this value to true
debug: "false"
debug-verbose: ""
# The agent can be put into the following three policy enforcement modes
# default, always and never.
# https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes
enable-policy: "default"
policy-cidr-match-mode: ""
# If you want metrics enabled in cilium-operator, set the port for
# which the Cilium Operator will have their metrics exposed.
# NOTE that this will open the port on the nodes where Cilium operator pod
# is scheduled.
operator-prometheus-serve-addr: ":9963"
enable-metrics: "true"
enable-envoy-config: "true"
envoy-config-retry-interval: "15s"
enable-gateway-api: "true"
enable-gateway-api-secrets-sync: "true"
enable-gateway-api-proxy-protocol: "false"
enable-gateway-api-app-protocol: "false"
enable-gateway-api-alpn: "false"
gateway-api-xff-num-trusted-hops: "0"
gateway-api-service-externaltrafficpolicy: "Cluster"
gateway-api-secrets-namespace: "cilium-secrets"
gateway-api-hostnetwork-enabled: "false"
gateway-api-hostnetwork-nodelabelselector: ""
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
# address.
enable-ipv4: "true"
# Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
# address.
enable-ipv6: "false"
# Users who wish to specify their own custom CNI configuration file must set
# custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
custom-cni-conf: "false"
enable-bpf-clock-probe: "false"
# If you want cilium monitor to aggregate tracing for packets, set this level
# to "low", "medium", or "maximum". The higher the level, the less packets
# that will be seen in monitor output.
monitor-aggregation: medium
# The monitor aggregation interval governs the typical time between monitor
# notification events for each allowed connection.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-interval: "5s"
# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-flags: all
# Specifies the ratio (0.0-1.0] of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
bpf-map-dynamic-size-ratio: "0.0025"
# bpf-policy-map-max specifies the maximum number of entries in endpoint
# policy map (per endpoint)
bpf-policy-map-max: "16384"
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "65536"
bpf-lb-external-clusterip: "false"
bpf-events-drop-enabled: "true"
bpf-events-policy-verdict-enabled: "true"
bpf-events-trace-enabled: "true"
# Pre-allocation of map entries allows per-packet latency to be reduced, at
# the expense of up-front memory allocation for the entries in the maps. The
# default value below will minimize memory usage in the default installation;
# users who are sensitive to latency may consider setting this to "true".
#
# This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
# this option and behave as though it is set to "true".
#
# If this value is modified, then during the next Cilium startup the restore
# of existing endpoints and tracking of ongoing connections may be disrupted.
# As a result, reply packets may be dropped and the load-balancing decisions
# for established connections may change.
#
# If this option is set to "false" during an upgrade from 1.3 or earlier to
# 1.4 or later, then it may cause one-time disruptions during the upgrade.
preallocate-bpf-maps: "false"
# Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: prod1-msp2
# Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters.
cluster-id: "0"
# Encapsulation mode for communication between nodes
# Possible values:
# - disabled
# - vxlan (default)
# - geneve
routing-mode: "tunnel"
service-no-backend-response: "reject"
# Enables L7 proxy for L7 policy enforcement and visibility
enable-l7-proxy: "true"
enable-ipv4-masquerade: "true"
enable-ipv4-big-tcp: "false"
enable-ipv6-big-tcp: "false"
enable-ipv6-masquerade: "true"
enable-tcx: "true"
datapath-mode: "veth"
enable-masquerade-to-route-source: "false"
enable-xt-socket-fallback: "true"
install-no-conntrack-iptables-rules: "false"
auto-direct-node-routes: "false"
direct-routing-skip-unreachable: "false"
enable-bandwidth-manager: "true"
enable-bbr: "true"
enable-local-redirect-policy: "false"
enable-runtime-device-detection: "true"
kube-proxy-replacement: "true"
kube-proxy-replacement-healthz-bind-address: ""
bpf-lb-sock: "false"
bpf-lb-sock-terminate-pod-connections: "false"
nodeport-addresses: ""
enable-health-check-nodeport: "true"
enable-health-check-loadbalancer-ip: "false"
node-port-bind-protection: "true"
enable-auto-protect-node-port-range: "true"
bpf-lb-acceleration: "disabled"
enable-svc-source-range-check: "true"
enable-l2-neigh-discovery: "true"
arping-refresh-period: "30s"
k8s-require-ipv4-pod-cidr: "false"
k8s-require-ipv6-pod-cidr: "false"
enable-k8s-networkpolicy: "true"
# Tell the agent to generate and write a CNI configuration file
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
cni-exclusive: "true"
cni-log-file: "/var/run/cilium/cilium-cni.log"
enable-endpoint-health-checking: "true"
enable-health-checking: "true"
enable-well-known-identities: "false"
enable-node-selector-labels: "false"
synchronize-k8s-nodes: "true"
operator-api-serve-addr: "127.0.0.1:9234"
# Enable Hubble gRPC service.
enable-hubble: "true"
# UNIX domain socket for Hubble server to listen to.
hubble-socket-path: "/var/run/cilium/hubble.sock"
hubble-export-file-max-size-mb: "10"
hubble-export-file-max-backups: "5"
# An additional address for Hubble server to listen to (e.g. ":4244").
hubble-listen-address: ":4244"
hubble-disable-tls: "false"
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
ipam: "kubernetes"
ipam-cilium-node-update-rate: "15s"
egress-gateway-reconciliation-trigger-interval: "1s"
enable-vtep: "false"
vtep-endpoint: ""
vtep-cidr: ""
vtep-mask: ""
vtep-mac: ""
enable-bgp-control-plane: "true"
bgp-secrets-namespace: "kube-system"
procfs: "/host/proc"
bpf-root: "/sys/fs/bpf"
cgroup-root: "/sys/fs/cgroup"
enable-k8s-terminating-endpoint: "true"
enable-sctp: "false"
k8s-client-qps: "100"
k8s-client-burst: "200"
remove-cilium-node-taints: "true"
set-cilium-node-taints: "true"
set-cilium-is-up-condition: "true"
unmanaged-pod-watcher-interval: "15"
# default DNS proxy to transparent mode in non-chaining modes
dnsproxy-enable-transparent-mode: "true"
dnsproxy-socket-linger-timeout: "10"
tofqdns-dns-reject-response-code: "refused"
tofqdns-enable-dns-compression: "true"
tofqdns-endpoint-max-ip-per-hostname: "50"
tofqdns-idle-connection-grace-period: "0s"
tofqdns-max-deferred-connection-deletes: "10000"
tofqdns-proxy-response-max-delay: "100ms"
agent-not-ready-taint-key: "node.cilium.io/agent-not-ready"
mesh-auth-enabled: "true"
mesh-auth-queue-size: "1024"
mesh-auth-rotated-identities-queue-size: "1024"
mesh-auth-gc-interval: "5m0s"
proxy-xff-num-trusted-hops-ingress: "0"
proxy-xff-num-trusted-hops-egress: "0"
proxy-connect-timeout: "2"
proxy-max-requests-per-connection: "0"
proxy-max-connection-duration-seconds: "0"
proxy-idle-timeout-seconds: "60"
external-envoy-proxy: "true"
envoy-base-id: "0"
envoy-keep-cap-netbindservice: "false"
max-connected-clusters: "255"
clustermesh-enable-endpoint-sync: "false"
clustermesh-enable-mcs-api: "false"
nat-map-stats-entries: "32"
nat-map-stats-interval: "30s"
# Extra config allows adding arbitrary properties to the cilium config.
# By putting it at the end of the ConfigMap, it's also possible to override existing properties.
---
# Source: cilium/templates/cilium-envoy/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cilium-envoy-config
namespace: default
data:
bootstrap-config.json: |
{
"node": {
"id": "host~127.0.0.1~no-id~localdomain",
"cluster": "ingress-cluster"
},
"staticResources": {
"listeners": [
{
"name": "envoy-prometheus-metrics-listener",
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 9964
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-prometheus-metrics-listener",
"route_config": {
"virtual_hosts": [
{
"name": "prometheus_metrics_route",
"domains": [
"*"
],
"routes": [
{
"name": "prometheus_metrics_route",
"match": {
"prefix": "/metrics"
},
"route": {
"cluster": "/envoy-admin",
"prefix_rewrite": "/stats/prometheus"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
},
{
"name": "envoy-health-listener",
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 9878
}
},
"filter_chains": [
{
"filters": [
{
"name": "envoy.filters.network.http_connection_manager",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
"stat_prefix": "envoy-health-listener",
"route_config": {
"virtual_hosts": [
{
"name": "health",
"domains": [
"*"
],
"routes": [
{
"name": "health",
"match": {
"prefix": "/healthz"
},
"route": {
"cluster": "/envoy-admin",
"prefix_rewrite": "/ready"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.filters.http.router",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
}
}
],
"stream_idle_timeout": "0s"
}
}
]
}
]
}
],
"clusters": [
{
"name": "ingress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s"
},
{
"name": "egress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "egress-cluster",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s"
},
{
"name": "ingress-cluster-tls",
"type": "ORIGINAL_DST",
"connectTimeout": "2s",
"lbPolicy": "CLUSTER_PROVIDED",
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"commonHttpProtocolOptions": {
"idleTimeout": "60s",
"maxConnectionDuration": "0s",
"maxRequestsPerConnection": 0
},
"upstreamHttpProtocolOptions": {},
"useDownstreamProtocolConfig": {}
}
},
"cleanupInterval": "2.500s",
"transportSocket": {
"name": "cilium.tls_wrapper",
"typedConfig": {
"@type": "type.googleapis.com/cilium.UpstreamTlsWrapperContext"
}
}
},
{
"name": "xds-grpc-cilium",
"type": "STATIC",
"connectTimeout": "2s",
"loadAssignment": {
"clusterName": "xds-grpc-cilium",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/xds.sock"
}
}
}
}
]
}
]
},
"typedExtensionProtocolOptions": {
"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": {
"@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions",
"explicitHttpConfig": {
"http2ProtocolOptions": {}
}
}
}
},
{
"name": "/envoy-admin",
"type": "STATIC",
"connectTimeout": "2s",
"loadAssignment": {
"clusterName": "/envoy-admin",
"endpoints": [
{
"lbEndpoints": [
{
"endpoint": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/admin.sock"
}
}
}
}
]
}
]
}
}
]
},
"dynamicResources": {
"ldsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
},
"cdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"transportApiVersion": "V3",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "xds-grpc-cilium"
}
}
],
"setNodeOnFirstMessageOnly": true
},
"resourceApiVersion": "V3"
}
},
"bootstrapExtensions": [
{
"name": "envoy.bootstrap.internal_listener",
"typed_config": {
"@type": "type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"
}
}
],
"layeredRuntime": {
"layers": [
{
"name": "static_layer_0",
"staticLayer": {
"overload": {
"global_downstream_max_connections": 50000
}
}
}
]
},
"admin": {
"address": {
"pipe": {
"path": "/var/run/cilium/envoy/sockets/admin.sock"
}
}
}
}
---
# Source: cilium/templates/hubble-relay/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-relay-config
namespace: default
data:
config.yaml: |
cluster-name: prod1-msp2
peer-service: "hubble-peer.default.svc.cluster.local:443"
listen-address: :4245
gops: true
gops-port: "9893"
dial-timeout:
retry-timeout:
sort-buffer-len-max:
sort-buffer-drain-timeout:
tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
disable-server-tls: true
---
# Source: cilium/templates/hubble-ui/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ui-nginx
namespace: default
data:
nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n server_name localhost;\n root /app;\n index index.html;\n client_max_body_size 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n\n # CORS\n add_header Access-Control-Allow-Methods \"GET, POST, PUT, HEAD, DELETE, OPTIONS\";\n add_header Access-Control-Allow-Origin *;\n add_header Access-Control-Max-Age 1728000;\n add_header Access-Control-Expose-Headers content-length,grpc-status,grpc-message;\n add_header Access-Control-Allow-Headers range,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout;\n if ($request_method = OPTIONS) {\n return 204;\n }\n # /CORS\n\n location /api {\n proxy_http_version 1.1;\n proxy_pass_request_headers on;\n proxy_hide_header Access-Control-Allow-Origin;\n proxy_pass http://127.0.0.1:8090;\n }\n location / {\n # double `/index.html` is required here \n try_files $uri $uri/ /index.html /index.html;\n }\n\n # Liveness probe\n location /healthz {\n access_log off;\n add_header Content-Type text/plain;\n return 200 'ok';\n }\n }\n}"
---
# Source: cilium/templates/cilium-agent/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- pods
- endpoints
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
# This is used when validating policies in preflight. This will need to stay
# until we figure out how to avoid "get" inside the preflight, and then
# should be removed ideally.
- get
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
- ciliumendpoints
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumidentities
- ciliumlocalredirectpolicies
- ciliumnetworkpolicies
- ciliumnodes
- ciliumnodeconfigs
- ciliumcidrgroups
- ciliuml2announcementpolicies
- ciliumpodippools
verbs:
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
- ciliumendpoints
- ciliumnodes
verbs:
- create
- apiGroups:
- cilium.io
# To synchronize garbage collection of such resources
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
verbs:
- delete
- get
- apiGroups:
- cilium.io
resources:
- ciliumnodes
- ciliumnodes/status
verbs:
- get
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints/status
- ciliumendpoints
- ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs:
- patch
---
# Source: cilium/templates/cilium-operator/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium-operator
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
# to automatically delete [core|kube]dns pods so that are starting to being
# managed by Cilium
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
# To remove node taints
- nodes
# To set NetworkUnavailable false on startup
- nodes/status
verbs:
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
# to perform LB IP allocation for BGP
- services/status
verbs:
- update
- patch
- apiGroups:
- ""
resources:
# to check apiserver connectivity
- namespaces
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
# to perform the translation of a CNP that contains `ToGroup` to its endpoints
- services
- endpoints
verbs:
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
# Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
- create
- update
- deletecollection
# To update the status of the CNPs and CCNPs
- patch
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
verbs:
# Update the auto-generated CNPs and CCNPs status.
- patch
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
- ciliumidentities
verbs:
# To perform garbage collection of such resources
- delete
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
verbs:
# To synchronize garbage collection of such resources
- update
- apiGroups:
- cilium.io
resources:
- ciliumnodes
verbs:
- create
- update
- get
- list
- watch
# To perform CiliumNode garbage collector
- delete
- apiGroups:
- cilium.io
resources:
- ciliumnodes/status
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs:
- create
- update
- get
- list
- watch
- delete
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- update
resourceNames:
- ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
- ciliumendpoints.cilium.io
- ciliumendpointslices.cilium.io
- ciliumenvoyconfigs.cilium.io
- ciliumexternalworkloads.cilium.io
- ciliumidentities.cilium.io
- ciliumlocalredirectpolicies.cilium.io
- ciliumnetworkpolicies.cilium.io
- ciliumnodes.cilium.io
- ciliumnodeconfigs.cilium.io
- ciliumcidrgroups.cilium.io
- ciliuml2announcementpolicies.cilium.io
- ciliumpodippools.cilium.io
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumpodippools
verbs:
- create
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools/status
verbs:
- patch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between multiple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- tlsroutes
- httproutes
- grpcroutes
- referencegrants
- referencepolicies
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
- grpcroutes/status
- tlsroutes/status
verbs:
- update
- patch
- apiGroups:
- multicluster.x-k8s.io
resources:
- serviceimports
verbs:
- get
- list
- watch
---
# Source: cilium/templates/hubble-ui/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- componentstatuses
- endpoints
- namespaces
- nodes
- pods
- services
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- "*"
verbs:
- get
- list
- watch
---
# Source: cilium/templates/cilium-agent/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium
subjects:
- kind: ServiceAccount
name: "cilium"
namespace: default
---
# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium-operator
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium-operator
subjects:
- kind: ServiceAccount
name: "cilium-operator"
namespace: default
---
# Source: cilium/templates/hubble-ui/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hubble-ui
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hubble-ui
subjects:
- kind: ServiceAccount
name: "hubble-ui"
namespace: default
---
# Source: cilium/templates/cilium-agent/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-config-agent
namespace: default
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
---
# Source: cilium/templates/cilium-agent/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-gateway-secrets
namespace: "cilium-secrets"
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
# Source: cilium/templates/cilium-agent/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-bgp-control-plane-secrets
namespace: "kube-system"
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
---
# Source: cilium/templates/cilium-operator/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cilium-operator-gateway-secrets
namespace: "cilium-secrets"
labels:
app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- update
- patch
---
# Source: cilium/templates/cilium-agent/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-config-agent
namespace: default
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-config-agent
subjects:
- kind: ServiceAccount
name: "cilium"
namespace: default
---
# Source: cilium/templates/cilium-agent/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-gateway-secrets
namespace: "cilium-secrets"
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-gateway-secrets
subjects:
- kind: ServiceAccount
name: "cilium"
namespace: default
---
# Source: cilium/templates/cilium-agent/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-bgp-control-plane-secrets
namespace: "kube-system"
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-bgp-control-plane-secrets
subjects:
- kind: ServiceAccount
name: "cilium"
namespace: default
---
# Source: cilium/templates/cilium-operator/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cilium-operator-gateway-secrets
namespace: "cilium-secrets"
labels:
app.kubernetes.io/part-of: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-operator-gateway-secrets
subjects:
- kind: ServiceAccount
name: "cilium-operator"
namespace: default
---
# Source: cilium/templates/hubble-relay/service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-relay
namespace: default
annotations:
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec:
type: "ClusterIP"
selector:
k8s-app: hubble-relay
ports:
- protocol: TCP
port: 80
targetPort: grpc
---
# Source: cilium/templates/hubble-ui/service.yaml
kind: Service
apiVersion: v1
metadata:
name: hubble-ui
namespace: default
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
app.kubernetes.io/part-of: cilium
spec:
type: "LoadBalancer"
selector:
k8s-app: hubble-ui
ports:
- name: http
port: 80
targetPort: 8081
---
# Source: cilium/templates/hubble/peer-service.yaml
apiVersion: v1
kind: Service
metadata:
name: hubble-peer
namespace: default
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: hubble-peer
spec:
selector:
k8s-app: cilium
ports:
- name: peer-service
port: 443
protocol: TCP
targetPort: 4244
internalTrafficPolicy: Local
---
# Source: cilium/templates/cilium-agent/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium
namespace: default
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-agent
spec:
selector:
matchLabels:
k8s-app: cilium
updateStrategy:
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-agent
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: 105
periodSeconds: 2
successThreshold: 1
initialDelaySeconds: 5
livenessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
periodSeconds: 30
successThreshold: 1
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
periodSeconds: 30
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 5
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
resource: limits.memory
divisor: '1'
- name: KUBERNETES_SERVICE_HOST
value: "localhost"
- name: KUBERNETES_SERVICE_PORT
value: "7445"
lifecycle:
postStart:
exec:
command:
- "bash"
- "-c"
- |
set -o errexit
set -o pipefail
set -o nounset
# When running in AWS ENI mode, it's likely that 'aws-node' has
# had a chance to install SNAT iptables rules. These can result
# in dropped traffic, so we should attempt to remove them.
# We do it using a 'postStart' hook since this may need to run
# for nodes which might have already been init'ed but may still
# have dangling rules. This is safe because there are no
# dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in
# case of a restart).
if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi
echo 'Done!'
preStop:
exec:
command:
- /cni-uninstall.sh
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: envoy-sockets
mountPath: /var/run/cilium/envoy/sockets
readOnly: false
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- name: bpf-maps
mountPath: /sys/fs/bpf
# Unprivileged containers can't set mount propagation to bidirectional
# in this case we will mount the bpf fs from an init container that
# is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation: HostToContainer
# Check for duplicate mounts before mounting
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
- name: cilium-run
mountPath: /var/run/cilium
- name: etc-cni-netd
mountPath: /host/etc/cni/net.d
- name: clustermesh-secrets
mountPath: /var/lib/cilium/clustermesh
readOnly: true
# Needed to be able to load kernel modules
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
- name: hubble-tls
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: KUBERNETES_SERVICE_HOST
value: "localhost"
- name: KUBERNETES_SERVICE_PORT
value: "7445"
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: apply-sysctl-overwrites
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-state
optional: true
- name: CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-bpf-state
optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
name: cilium-config
key: write-cni-conf-when-ready
optional: true
- name: KUBERNETES_SERVICE_HOST
value: "localhost"
- name: KUBERNETES_SERVICE_PORT
value: "7445"
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
# Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium # wait-for-kube-proxy
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
command:
- "/install-plugin.sh"
resources:
requests:
cpu: 100m
memory: 10Mi
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: cni-path
mountPath: /host/opt/cni/bin # .Values.cni.install
restartPolicy: Always
priorityClassName: system-node-critical
serviceAccountName: "cilium"
automountServiceAccountToken: true
terminationGracePeriodSeconds: 1
hostNetwork: true
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
volumes:
# For sharing configuration between the "config" initContainer and the agent
- name: tmp
emptyDir: {}
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: /var/run/cilium
type: DirectoryOrCreate
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
# To mount cgroup2 filesystem on the host or apply sysctlfix
- name: hostproc
hostPath:
path: /proc
type: Directory
# To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup
hostPath:
path: /sys/fs/cgroup
type: DirectoryOrCreate
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: /opt/cni/bin
type: DirectoryOrCreate
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d
type: DirectoryOrCreate
# To be able to load kernel modules
- name: lib-modules
hostPath:
path: /lib/modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
# Sharing socket with Cilium Envoy on the same node by using a host path
- name: envoy-sockets
hostPath:
path: "/var/run/cilium/envoy/sockets"
type: DirectoryOrCreate
# To read the clustermesh configuration
- name: clustermesh-secrets
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: cilium-clustermesh
optional: true
# note: items are not explicitly listed here, since the entries of this secret
# depend on the peers configured, and that would cause a restart of all agents
# at every addition/removal. Leaving the field empty makes each secret entry
# to be automatically projected into the volume as a file whose name is the key.
- secret:
name: clustermesh-apiserver-remote-cert
optional: true
items:
- key: tls.key
path: common-etcd-client.key
- key: tls.crt
path: common-etcd-client.crt
- key: ca.crt
path: common-etcd-client-ca.crt
# note: we configure the volume for the kvstoremesh-specific certificate
# regardless of whether KVStoreMesh is enabled or not, so that it can be
# automatically mounted in case KVStoreMesh gets subsequently enabled,
# without requiring an agent restart.
- secret:
name: clustermesh-apiserver-local-cert
optional: true
items:
- key: tls.key
path: local-etcd-client.key
- key: tls.crt
path: local-etcd-client.crt
- key: ca.crt
path: local-etcd-client-ca.crt
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
- name: hubble-tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-server-certs
optional: true
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
- key: ca.crt
path: client-ca.crt
---
# Source: cilium/templates/cilium-envoy/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium-envoy
namespace: default
labels:
k8s-app: cilium-envoy
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-envoy
name: cilium-envoy
spec:
selector:
matchLabels:
k8s-app: cilium-envoy
updateStrategy:
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "9964"
prometheus.io/scrape: "true"
labels:
k8s-app: cilium-envoy
name: cilium-envoy
app.kubernetes.io/name: cilium-envoy
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-envoy
image: "quay.io/cilium/cilium-envoy:v1.29.7-39a2a56bbd5b3a591f69dbca51d3e30ef97e0e51@sha256:bd5ff8c66716080028f414ec1cb4f7dc66f40d2fb5a009fff187f4a9b90b566b"
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter
args:
- '--'
- '-c /var/run/cilium/envoy/bootstrap-config.json'
- '--base-id 0'
- '--log-level info'
- '--log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v'
startupProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9878
scheme: HTTP
failureThreshold: 105
periodSeconds: 2
successThreshold: 1
initialDelaySeconds: 5
livenessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9878
scheme: HTTP
periodSeconds: 30
successThreshold: 1
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9878
scheme: HTTP
periodSeconds: 30
successThreshold: 1
failureThreshold: 3
timeoutSeconds: 5
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: KUBERNETES_SERVICE_HOST
value: "localhost"
- name: KUBERNETES_SERVICE_PORT
value: "7445"
ports:
- name: envoy-metrics
containerPort: 9964
hostPort: 9964
protocol: TCP
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
add:
- NET_ADMIN
- SYS_ADMIN
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- name: envoy-sockets
mountPath: /var/run/cilium/envoy/sockets
readOnly: false
- name: envoy-artifacts
mountPath: /var/run/cilium/envoy/artifacts
readOnly: true
- name: envoy-config
mountPath: /var/run/cilium/envoy/
readOnly: true
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: HostToContainer
restartPolicy: Always
priorityClassName: system-node-critical
serviceAccountName: "cilium-envoy"
automountServiceAccountToken: true
terminationGracePeriodSeconds: 1
hostNetwork: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cilium.io/no-schedule
operator: NotIn
values:
- "true"
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium
topologyKey: kubernetes.io/hostname
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium-envoy
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
volumes:
- name: envoy-sockets
hostPath:
path: "/var/run/cilium/envoy/sockets"
type: DirectoryOrCreate
- name: envoy-artifacts
hostPath:
path: "/var/run/cilium/envoy/artifacts"
type: DirectoryOrCreate
- name: envoy-config
configMap:
name: cilium-envoy-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
- key: bootstrap-config.json
path: bootstrap-config.json
# To keep state between restarts / upgrades
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
---
# Source: cilium/templates/cilium-operator/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: cilium-operator
namespace: default
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
# See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
# for more details.
replicas: 2
selector:
matchLabels:
io.cilium/app: operator
name: cilium-operator
# ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case
# of one replica and no user configured Recreate strategy.
# otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the
# podAntiAffinity which prevents deployments of multiple operator replicas on the same node.
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "9963"
prometheus.io/scrape: "true"
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
containers:
- name: cilium-operator
image: "quay.io/cilium/operator-generic:v1.16.1@sha256:3bc7e7a43bc4a4d8989cb7936c5d96675dd2d02c306adf925ce0a7c35aa27dc4"
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_DEBUG
valueFrom:
configMapKeyRef:
key: debug
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST
value: "localhost"
- name: KUBERNETES_SERVICE_PORT
value: "7445"
ports:
- name: prometheus
containerPort: 9963
hostPort: 9963
protocol: TCP
livenessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
host: "127.0.0.1"
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 5
volumeMounts:
- name: cilium-config-path
mountPath: /tmp/cilium/config-map
readOnly: true
terminationMessagePolicy: FallbackToLogsOnError
hostNetwork: true
restartPolicy: Always
priorityClassName: system-cluster-critical
serviceAccountName: "cilium-operator"
automountServiceAccountToken: true
# In HA mode, cilium-operator pods must not be scheduled on the same
# node as they will clash with each other.
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
io.cilium/app: operator
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
volumes:
# To read the configuration from the config map
- name: cilium-config-path
configMap:
name: cilium-config
---
# Source: cilium/templates/hubble-relay/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hubble-relay
namespace: default
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-relay
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec:
securityContext:
fsGroup: 65532
containers:
- name: hubble-relay
securityContext:
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
image: "quay.io/cilium/hubble-relay:v1.16.1@sha256:2e1b4c739a676ae187d4c2bfc45c3e865bda2567cc0320a90cb666657fcfcc35"
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
- name: grpc
containerPort: 4245
readinessProbe:
grpc:
port: 4222
timeoutSeconds: 3
# livenessProbe will kill the pod, we should be very conservative
# here on failures since killing the pod should be a last resort, and
# we should provide enough time for relay to retry before killing it.
livenessProbe:
grpc:
port: 4222
timeoutSeconds: 10
# Give relay time to establish connections and make a few retries
# before starting livenessProbes.
initialDelaySeconds: 10
# 10 second * 12 failures = 2 minutes of failure.
# If relay cannot become healthy after 2 minutes, then killing it
# might resolve whatever issue is occurring.
#
# 10 seconds is a reasonable retry period so we can see if it's
# failing regularly or only sporadically.
periodSeconds: 10
failureThreshold: 12
startupProbe:
grpc:
port: 4222
# Give relay time to get it's certs and establish connections and
# make a few retries before starting startupProbes.
initialDelaySeconds: 10
# 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
failureThreshold: 20
# Retry more frequently at startup so that it can be considered started more quickly.
periodSeconds: 3
volumeMounts:
- name: config
mountPath: /etc/hubble-relay
readOnly: true
- name: tls
mountPath: /var/lib/hubble-relay/tls
readOnly: true
terminationMessagePolicy: FallbackToLogsOnError
restartPolicy: Always
priorityClassName:
serviceAccountName: "hubble-relay"
automountServiceAccountToken: false
terminationGracePeriodSeconds: 1
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
volumes:
- name: config
configMap:
name: hubble-relay-config
items:
- key: config.yaml
path: config.yaml
- name: tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-relay-client-certs
items:
- key: tls.crt
path: client.crt
- key: tls.key
path: client.key
- key: ca.crt
path: hubble-server-ca.crt
---
# Source: cilium/templates/hubble-ui/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: hubble-ui
namespace: default
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
app.kubernetes.io/part-of: cilium
spec:
replicas: 1
selector:
matchLabels:
k8s-app: hubble-ui
strategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
app.kubernetes.io/part-of: cilium
spec:
securityContext:
fsGroup: 1001
runAsGroup: 1001
runAsUser: 1001
priorityClassName:
serviceAccountName: "hubble-ui"
automountServiceAccountToken: true
containers:
- name: frontend
image: "quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8081
livenessProbe:
httpGet:
path: /healthz
port: 8081
readinessProbe:
httpGet:
path: /
port: 8081
volumeMounts:
- name: hubble-ui-nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: tmp-dir
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: backend
image: "quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
imagePullPolicy: IfNotPresent
env:
- name: EVENTS_SERVER_PORT
value: "8090"
- name: FLOWS_API_ADDR
value: "hubble-relay:80"
ports:
- name: grpc
containerPort: 8090
volumeMounts:
terminationMessagePolicy: FallbackToLogsOnError
nodeSelector:
kubernetes.io/os: linux
volumes:
- configMap:
defaultMode: 420
name: hubble-ui-nginx
name: hubble-ui-nginx-conf
- emptyDir: {}
name: tmp-dir
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment