Skip to content

Instantly share code, notes, and snippets.

@smira
Last active December 15, 2020 17:39
Show Gist options
  • Save smira/8eec615453282722d275b62448067db4 to your computer and use it in GitHub Desktop.
Save smira/8eec615453282722d275b62448067db4 to your computer and use it in GitHub Desktop.
---
#######
# Generated with: helm template cilium/cilium --version 1.9.1 --set kubeProxyReplacement=disabled --set ipam.mode=kubernetes --namespace kube-system > cilium.yaml
# Patched with:
# * nodeSelector:
# kubernetes.io/arch: amd64
# * disable-envoy-version-check: "true"
########
#######
# Source: cilium/templates/cilium-agent-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
---
# Source: cilium/templates/cilium-operator-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium-operator
namespace: kube-system
---
# Source: cilium/templates/hubble-server-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: hubble-server-certs
namespace: kube-system
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURQakNDQWlhZ0F3SUJBZ0lSQUsvaDNFUmFqdmtZSHhxcmpiMTdZQTR3RFFZSktvWklodmNOQVFFTEJRQXcKSGpFY01Cb0dBMVVFQXhNVGFIVmlZbXhsTFdOaExtTnBiR2wxYlM1cGJ6QWVGdzB5TURFeU1UVXhOekl3TlRKYQpGdzB5TXpFeU1UVXhOekl3TlRKYU1Db3hLREFtQmdOVkJBTU1IeW91WkdWbVlYVnNkQzVvZFdKaWJHVXRaM0p3Cll5NWphV3hwZFcwdWFXOHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEclZIeUwKQ0Z4SzErL1FpbG5MQU14VEF0bUxTR092WmlWeFI0T1FwcUZmbXhjTzBveUFOTG15MW5idjRIWjVtUmhLSXkvVgpBUldHNW9Kb0daNk52MjVsYnNFWTNaRUVGTUlGRittU3hFY052Rnp6dHA2YWVrZERINTQ1bDZKemxNTU1XNEdTCldkdStqaUIxT3R1VkZjRXhjTk13WGowOUU3ek5BTTh2dFpGRTIzdEQxN1NHSHV0N2FtN0hDakJ3MDJIblpuQ1gKYlZnNVdZUk5QZ1NIaDdNSExZS3Z1UXVBRVQxNkZXclhCdHNBOC85Z01BMkhzbHU0QmNuOHJnbG9TVlA3ZnZZegpHbVVBWFJGaXJYODU3TUlWdk5uVmJuY3J5Q1Q3NkdPSW1JT29UK3RGekZHZ0hYZG8ycnZYUTZ1OUx2QjRvV1FGCnBkUEQyakM4eWJZZTBIUjlBZ01CQUFHamF6QnBNQTRHQTFVZER3RUIvd1FFQXdJRm9EQWRCZ05WSFNVRUZqQVUKQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFxQmdOVkhSRUVJekFoZ2g4cQpMbVJsWm1GMWJIUXVhSFZpWW14bExXZHljR011WTJsc2FYVnRMbWx2TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCCkFRQWJwUjZwZEN4Vmo1LzBTZFpOYzBqVE9sY1dMRmNQeVZod3lkQktWMGF2NWhrOEx0dVg3bFNXTzJtSHZpdEwKczdOU0x3UTBsa2tSN1lCekRrRkFNaFR1bUMybkp5SGRMYU9LdWF0VFB3Y3RsSXg3eWR1SzBRc3pHTy92UWgxTgpIalJPdWhRSDBWR2dFd3NMRW5KNWI5cERWNVlGUXd5TDlUTXRSQWNFSy9kU2JWbzIwTFRrMFpRN1ZGeTZETDNGClhaMU5DZzJpWDdhNi9BUjBLekNQWHp4Q1A1K21OK0syUTlwU0RvdjBOZ3JWNThydDFwQm0wSm56K3BTKzh5N1cKZlp3ekR0bkpMeXdHWmx3S1NPdW83MzF3WUp0Ym02TFFFampCM0RHZ3RVTU83cHZZOXdnUTg0TDJCMVBXRG1heQptM0Z6QXkrSm5raW9CdEFsWmxkOHhnNHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBNjFSOGl3aGNTdGZ2MElwWnl3RE1Vd0xaaTBoanIyWWxjVWVEa0thaFg1c1hEdEtNCmdEUzVzdFoyNytCMmVaa1lTaU12MVFFVmh1YUNhQm1lamI5dVpXN0JHTjJSQkJUQ0JSZnBrc1JIRGJ4Yzg3YWUKbW5wSFF4K2VPWmVpYzVURERGdUJrbG5idm80Z2RUcmJsUlhCTVhEVE1GNDlQUk84elFEUEw3V1JSTnQ3UTllMApoaDdyZTJwdXh3b3djTk5oNTJad2wyMVlPVm1FVFQ0RWg0ZXpCeTJDcjdrTGdCRTllaFZxMXdiYkFQUC9ZREFOCmg3SmJ1QVhKL0s0SmFFbFQrMzcyTXhwbEFGMFJZcTEvT2V6Q0ZieloxVzUzSzhnaysraGppSmlEcUUvclJjeFIKb0IxM2FOcTcxME9ydlM3d2VLRmtCYVhUdzlvd3ZNbTJIdEIwZlFJREFRQUJBb0lCQVFDNXIvQ1Z4QU1QQzFRdgpPUHVoTXdBR2dEa25yZmI2YjU4YncxSU0wVzZFQWR3djFmTUhOcE5RaWVsUFhjNGVKSzhGMEwzdFZPMm5oRHRoCjZOVXpBOW9ZTDB3dVVxWWFra2FGdmxpUGRsQ2FoZ2JTUjBiZW5aMmRXVldBSENZVERVN2FjVm5NSVJ0RFFPSmIKbmhXbGpZVGpmaU1tQnpaSyswZitlcVVCQUVPZ0VBdlFKVzRMeEQrT2YzbWkvdEJpZ250MFNpeG5GMzgrNmttZApTSFZIRTY1aVZsV2N2MEpNQzZISlVuVVlqTUE2VkpEMUlRcTg2eTM3MHVGQ2lBaEZ0Yk90WDdaazh4bnlzVzFHCnhrV1dDcHFSbzY2cHVKb3BRYnVxRzhVSS9DZE4wanNMUllzTEpzckFLa3lwNDNvZXZ2MkFwdGxvTlM3ZlhBZGQKRlJOcHI0QUJBb0dCQVBrTmJ0ZXR0b0JCWURTV2F5MHltR09yM2IwQUN4TGdRN1VXL0pCR3djK1NISHVjN2s5NQp5ME05SEFISVdSL20xeDVnWFREMVpBUWdjRVA1dUpEa1RJeUdKRXNtTWFVWG9WbVpZdGpVYnRrY0RZdDBmaEJOCk9MNFRHcjIveUZad2djK210UnZiOTk2Y1RGYmxrWndoMG1ubVVwa1VsS2FrWnB5ZS9wM1NLaXROQW9HQkFQSGwKRHBNWXl1Vy9iazVMNS9KSk9lVHVoQnFpZENQNFB2U1BnME5pVUJSTWZSdHFJbGZaaC9mcXAvNFNlTEtETXE4MQpjQUxDZzZ5Z2MzcC81eWpzUEMyZkZIaW1yeGQ4QVBJZk52SDZvN0J3Z1YwMEVraWFUYUtTMDI4YmdCaVRGYXNBCkNjcnBTVXBaU0tDNXNlSDQzR0xGZEYzZ2hRVzc2WkNxVTJqSDRmWHhBb0dCQU5ydXB4Q3I0VEd2eHEyVHlSV0wKVTVEU3hYTGV0ZDFiRGNvRU1mTjJiK3RUYXZ4elFMN1d0d3NkamlBM0NiblVpQ2hvMTZNeEpFSElia2dqSHM4bwpFZTY2QU8rYTNLdGZNWFI5TlBxZEMvQ0pDNU1hemJMdzN6K2Z0Yk0yQXh1UmZWdVlGYjh1eUIrRjBFblhOd0JFCmJ4NnUzTTg2MjAzK1dVRzNOdVp2bUtoRkFvR0FUclBUSVNNQTZPMTI2enloTStDRldLb09DMGh0OTBJTzRhMUwKN1FHd3dsbjhubzNTckxpWEY1K2VsdmpWa21kRGQyUXdsSVZMS0VCd01od3BUdFJGNUNZTkdCQkxpWjJNQlRzSQp1b1JzKzd3dkt1OEZQK0FNZ0dlN0tUeE9XakNJN1VFdTdua21vbTBZUjBzRHlGMGEvM3YxRjVJMFZhQkZKdzl6CjRmU2UzVkVDZ1lFQWs1cFBuTXhuOThrSXJQQ29iWVY4dkFyU2VhSkNUelVFSWRCWld0a2lkeTFLdnFZQlc5Rk4KdS9mcit0cDVZQnhPNzgrbVRtNVRWWGJmYnQvVFBScytacnliMjQyVEpZaDRTS2NDOS9ueCtzRTVQQldmQ3kvSApqeEJMaGo2TFM3MEp2S3h1NWtlS1pDcFFGMTlwVEUrVFh4Q05OdnJwY3BpVGZzYndheTRGZjh3PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
---
# Source: cilium/templates/cilium-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: cilium-config
namespace: kube-system
data:
# Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
# These can be queried with:
# kubectl get ciliumid
# - "kvstore" stores identities in a kvstore, etcd or consul, that is
# configured below. Cilium versions before 1.6 supported only the kvstore
# backend. Upgrades from these older cilium versions should continue using
# the kvstore by commenting out the identity-allocation-mode below, or
# setting it to "kvstore".
identity-allocation-mode: crd
cilium-endpoint-gc-interval: "5m0s"
# For arm64 Cilium
disable-envoy-version-check: "true"
# If you want to run cilium in debug mode change this value to true
debug: "false"
# The agent can be put into the following three policy enforcement modes
# default, always and never.
# https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
enable-policy: "default"
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
# address.
enable-ipv4: "true"
# Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
# address.
enable-ipv6: "false"
# Users who wish to specify their own custom CNI configuration file must set
# custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
custom-cni-conf: "false"
enable-bpf-clock-probe: "true"
# If you want cilium monitor to aggregate tracing for packets, set this level
# to "low", "medium", or "maximum". The higher the level, the less packets
# that will be seen in monitor output.
monitor-aggregation: medium
# The monitor aggregation interval governs the typical time between monitor
# notification events for each allowed connection.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-interval: 5s
# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-flags: all
# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
bpf-map-dynamic-size-ratio: "0.0025"
# bpf-policy-map-max specifies the maximum number of entries in endpoint
# policy map (per endpoint)
bpf-policy-map-max: "16384"
# bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
# backend and affinity maps.
bpf-lb-map-max: "65536"
# Pre-allocation of map entries allows per-packet latency to be reduced, at
# the expense of up-front memory allocation for the entries in the maps. The
# default value below will minimize memory usage in the default installation;
# users who are sensitive to latency may consider setting this to "true".
#
# This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
# this option and behave as though it is set to "true".
#
# If this value is modified, then during the next Cilium startup the restore
# of existing endpoints and tracking of ongoing connections may be disrupted.
# As a result, reply packets may be dropped and the load-balancing decisions
# for established connections may change.
#
# If this option is set to "false" during an upgrade from 1.3 or earlier to
# 1.4 or later, then it may cause one-time disruptions during the upgrade.
preallocate-bpf-maps: "false"
# Regular expression matching compatible Istio sidecar istio-proxy
# container image names
sidecar-istio-proxy-image: "cilium/istio_proxy"
# Encapsulation mode for communication between nodes
# Possible values:
# - disabled
# - vxlan (default)
# - geneve
tunnel: vxlan
# Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: default
# Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters.
cluster-id: ""
# Enables L7 proxy for L7 policy enforcement and visibility
enable-l7-proxy: "true"
# wait-bpf-mount makes init container wait until bpf filesystem is mounted
wait-bpf-mount: "false"
masquerade: "true"
enable-bpf-masquerade: "true"
enable-xt-socket-fallback: "true"
install-iptables-rules: "true"
auto-direct-node-routes: "false"
enable-bandwidth-manager: "false"
enable-local-redirect-policy: "false"
kube-proxy-replacement: "disabled"
enable-health-check-nodeport: "true"
node-port-bind-protection: "true"
enable-auto-protect-node-port-range: "true"
enable-session-affinity: "true"
enable-endpoint-health-checking: "true"
enable-health-checking: "true"
enable-well-known-identities: "false"
enable-remote-node-identity: "true"
operator-api-serve-addr: "127.0.0.1:9234"
# Enable Hubble gRPC service.
enable-hubble: "true"
# UNIX domain socket for Hubble server to listen to.
hubble-socket-path: "/var/run/cilium/hubble.sock"
ipam: "kubernetes"
disable-cnp-status-updates: "true"
---
# Source: cilium/templates/hubble-ca-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ca-cert
namespace: kube-system
data:
ca.crt: |-
-----BEGIN CERTIFICATE-----
MIIDCDCCAfCgAwIBAgIQJPtSjK9oWdEaKimRPmtBuTANBgkqhkiG9w0BAQsFADAe
MRwwGgYDVQQDExNodWJibGUtY2EuY2lsaXVtLmlvMB4XDTIwMTIxNTE3MjA1MloX
DTIzMTIxNTE3MjA1MlowHjEcMBoGA1UEAxMTaHViYmxlLWNhLmNpbGl1bS5pbzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTEDtpDnRjL5il1ybf+VZWo
il6uuAwwL3GAQ31PGQk+71rrTINRXLBOjxEEG76orj186tVD7t8WabRMVlnlkvei
019GEQBaQnJg0O59uFu5caJMxY1N38ezmdPDCkUv2s24GieW7T0NjM2sda2uJAr3
mjHmgbXDX9Y57ngiqGrxBJ766QJo6tnLPXDSFXVHCpnKaR2JmoVYDxuZ7+Z8iYJC
mCOXYsiDg2zIIXmV3m1A1XcEuK/1dOUTmEG9V1w2psdpX9bL3eWJHduwc6Nb1GH+
cdd7Std4M4zNrohlTgeYhRTlejDQ59qVmau8WJcBSquf+kaswuzjad1mUF3c4AcC
AwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBKn3P2
6EyAx9Fmenb19rnZPqMTIRs2DenY3NJUKHA7K5UZYBLnRoAQarXjjipKrqTPLcQG
Qoj3BhWQaTgAzgAsO7mczkzPip6l7zgrZlenZjpuWyC9qwzFjR3kunZISJlMHfDz
59fTDXHVbZdqHbwwsIcKhG9sGxAK9PhTvWNZj+5ZrxgjwEX5FYNwQdaZQwU4edyi
FvULIJh87M01ejE6qaaFMgJ06SSbw7gENFTzIvL/dWk3GwW7nv98UgoaJqN+BCWD
Gq5gRJMFMFPT2YaUk+92UpDMuQ+xCwl4rJr5/SEXLfxs53+T6rCYg+DGzvf528b4
TXY2cEryl9zQ4HCt
-----END CERTIFICATE-----
---
# Source: cilium/templates/cilium-agent-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- nodes
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/finalizers
verbs:
- get
- list
- watch
- update
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
# Deprecated for removal in v1.10
- create
- list
- watch
- update
# This is used when validating policies in preflight. This will need to stay
# until we figure out how to avoid "get" inside the preflight, and then
# should be removed ideally.
- get
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints
- ciliumendpoints/status
- ciliumendpoints/finalizers
- ciliumnodes
- ciliumnodes/status
- ciliumnodes/finalizers
- ciliumidentities
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
verbs:
- '*'
---
# Source: cilium/templates/cilium-operator-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium-operator
rules:
- apiGroups:
- ""
resources:
# to automatically delete [core|kube]dns pods so that are starting to being
# managed by Cilium
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
# to perform the translation of a CNP that contains `ToGroup` to its endpoints
- services
- endpoints
# to check apiserver connectivity
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints
- ciliumendpoints/status
- ciliumendpoints/finalizers
- ciliumnodes
- ciliumnodes/status
- ciliumnodes/finalizers
- ciliumidentities
- ciliumidentities/status
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumlocalredirectpolicies/finalizers
verbs:
- '*'
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- update
- watch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between mulitple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
# The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
# In Cilium we currently don't support HA mode for K8s version < 1.14. This condition make sure
# that we only authorize access to leases resources in supported K8s versions.
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
---
# Source: cilium/templates/cilium-agent-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium
subjects:
- kind: ServiceAccount
name: cilium
namespace: kube-system
---
# Source: cilium/templates/cilium-operator-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cilium-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium-operator
subjects:
- kind: ServiceAccount
name: cilium-operator
namespace: kube-system
---
# Source: cilium/templates/cilium-agent-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: cilium
name: cilium
namespace: kube-system
spec:
selector:
matchLabels:
k8s-app: cilium
updateStrategy:
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
# This annotation plus the CriticalAddonsOnly toleration makes
# cilium to be a critical pod in the cluster, which ensures cilium
# gets priority scheduling.
# https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
k8s-app: cilium
spec:
nodeSelector:
kubernetes.io/arch: amd64
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: k8s-app
operator: In
values:
- cilium
topologyKey: kubernetes.io/hostname
containers:
- args:
- --config-dir=/tmp/cilium/config-map
command:
- cilium-agent
livenessProbe:
httpGet:
host: '127.0.0.1'
path: /healthz
port: 9876
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: 10
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
httpGet:
host: '127.0.0.1'
path: /healthz
port: 9876
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_FLANNEL_MASTER_DEVICE
valueFrom:
configMapKeyRef:
key: flannel-master-device
name: cilium-config
optional: true
- name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
valueFrom:
configMapKeyRef:
key: flannel-uninstall-on-exit
name: cilium-config
optional: true
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
- name: CILIUM_CNI_CHAINING_MODE
valueFrom:
configMapKeyRef:
key: cni-chaining-mode
name: cilium-config
optional: true
- name: CILIUM_CUSTOM_CNI_CONF
valueFrom:
configMapKeyRef:
key: custom-cni-conf
name: cilium-config
optional: true
image: quay.io/cilium/cilium:v1.9.1
imagePullPolicy: IfNotPresent
lifecycle:
postStart:
exec:
command:
- "/cni-install.sh"
- "--enable-debug=false"
preStop:
exec:
command:
- /cni-uninstall.sh
name: cilium-agent
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
privileged: true
volumeMounts:
- mountPath: /sys/fs/bpf
name: bpf-maps
- mountPath: /var/run/cilium
name: cilium-run
- mountPath: /host/opt/cni/bin
name: cni-path
- mountPath: /host/etc/cni/net.d
name: etc-cni-netd
- mountPath: /var/lib/cilium/clustermesh
name: clustermesh-secrets
readOnly: true
- mountPath: /tmp/cilium/config-map
name: cilium-config-path
readOnly: true
# Needed to be able to load kernel modules
- mountPath: /lib/modules
name: lib-modules
readOnly: true
- mountPath: /run/xtables.lock
name: xtables-lock
hostNetwork: true
initContainers:
- command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
configMapKeyRef:
key: clean-cilium-state
name: cilium-config
optional: true
- name: CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
key: clean-cilium-bpf-state
name: cilium-config
optional: true
- name: CILIUM_WAIT_BPF_MOUNT
valueFrom:
configMapKeyRef:
key: wait-bpf-mount
name: cilium-config
optional: true
image: quay.io/cilium/cilium:v1.9.1
imagePullPolicy: IfNotPresent
name: clean-cilium-state
securityContext:
capabilities:
add:
- NET_ADMIN
privileged: true
volumeMounts:
- mountPath: /sys/fs/bpf
name: bpf-maps
mountPropagation: HostToContainer
- mountPath: /var/run/cilium
name: cilium-run
resources:
requests:
cpu: 100m
memory: 100Mi
restartPolicy: Always
priorityClassName: system-node-critical
serviceAccount: cilium
serviceAccountName: cilium
terminationGracePeriodSeconds: 1
tolerations:
- operator: Exists
volumes:
# To keep state between restarts / upgrades
- hostPath:
path: /var/run/cilium
type: DirectoryOrCreate
name: cilium-run
# To keep state between restarts / upgrades for bpf maps
- hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
name: bpf-maps
# To install cilium cni plugin in the host
- hostPath:
path: /opt/cni/bin
type: DirectoryOrCreate
name: cni-path
# To install cilium cni configuration in the host
- hostPath:
path: /etc/cni/net.d
type: DirectoryOrCreate
name: etc-cni-netd
# To be able to load kernel modules
- hostPath:
path: /lib/modules
name: lib-modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- hostPath:
path: /run/xtables.lock
type: FileOrCreate
name: xtables-lock
# To read the clustermesh configuration
- name: clustermesh-secrets
secret:
defaultMode: 420
optional: true
secretName: cilium-clustermesh
# To read the configuration from the config map
- configMap:
name: cilium-config
name: cilium-config-path
---
# Source: cilium/templates/cilium-operator-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.cilium/app: operator
name: cilium-operator
name: cilium-operator
namespace: kube-system
spec:
# We support HA mode only for Kubernetes version > 1.14
# See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
# for more details.
replicas: 2
selector:
matchLabels:
io.cilium/app: operator
name: cilium-operator
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
io.cilium/app: operator
name: cilium-operator
spec:
nodeSelector:
kubernetes.io/arch: amd64
# In HA mode, cilium-operator pods must not be scheduled on the same
# node as they will clash with each other.
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: io.cilium/app
operator: In
values:
- operator
topologyKey: kubernetes.io/hostname
containers:
- args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
command:
- cilium-operator-generic
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_DEBUG
valueFrom:
configMapKeyRef:
key: debug
name: cilium-config
optional: true
image: quay.io/cilium/operator-generic:v1.9.1
imagePullPolicy: IfNotPresent
name: cilium-operator
livenessProbe:
httpGet:
host: '127.0.0.1'
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 3
volumeMounts:
- mountPath: /tmp/cilium/config-map
name: cilium-config-path
readOnly: true
hostNetwork: true
restartPolicy: Always
priorityClassName: system-cluster-critical
serviceAccount: cilium-operator
serviceAccountName: cilium-operator
tolerations:
- operator: Exists
volumes:
# To read the configuration from the config map
- configMap:
name: cilium-config
name: cilium-config-path
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment