---
#######
# Generated with: helm template cilium/cilium --version 1.9.1 --set kubeProxyReplacement=disabled --set ipam.mode=kubernetes --namespace kube-system > cilium.yaml
# Patched with:
# * nodeSelector:
#     kubernetes.io/arch: amd64
# * disable-envoy-version-check: "true"
#
# Review notes on this rendered manifest:
# * It is a point-in-time render of chart 1.9.1. Re-render and re-apply the two
#   patches above when upgrading instead of hand-editing the output, and diff
#   against a fresh render to see what the patches changed.
# * Container images below are pinned by tag (v1.9.1), not by digest; a tag can
#   be re-pushed, so pin @sha256 digests if the registry is not fully trusted.
# * The hubble-server-certs Secret further down embeds a TLS private key in the
#   clear (base64 only); rotate it if this file has been shared or committed.
########
#######
# Source: cilium/templates/cilium-agent-serviceaccount.yaml
# Identity the cilium-agent DaemonSet runs as (serviceAccountName: cilium);
# the "cilium" ClusterRoleBinding below grants it the "cilium" ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium
  namespace: kube-system
---
# Source: cilium/templates/cilium-operator-serviceaccount.yaml
# Identity the cilium-operator Deployment runs as; the cilium-operator
# ClusterRoleBinding below attaches the cilium-operator ClusterRole to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: 'kube-system'
  name: 'cilium-operator'
---
# Source: cilium/templates/hubble-server-secret.yaml
# NOTE(review): this Secret carries a TLS key pair in the clear — base64 is an
# encoding, not encryption, and tls.key decodes to an RSA private key. Anyone
# who can read this file holds the Hubble server identity. If the file has been
# shared, committed or published, treat the key as compromised: do not reuse
# it, re-issue the pair (re-rendering the chart, which produced this Secret,
# generates a fresh one) and keep the rendered Secret out of version control.
# Nothing else in this file references hubble-server-certs (no volume in the
# DaemonSet or Deployment mounts it and no hubble-listen-address is configured),
# so it is currently unused material; verify before dropping it.
apiVersion: v1
kind: Secret
metadata:
  name: hubble-server-certs
  namespace: kube-system
type: kubernetes.io/tls
data:
  tls.crt: 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
  # Single base64 line (the value was wrapped across two lines in the copy
  # this was reviewed from; it must stay one scalar).
  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBNjFSOGl3aGNTdGZ2MElwWnl3RE1Vd0xaaTBoanIyWWxjVWVEa0thaFg1c1hEdEtNCmdEUzVzdFoyNytCMmVaa1lTaU12MVFFVmh1YUNhQm1lamI5dVpXN0JHTjJSQkJUQ0JSZnBrc1JIRGJ4Yzg3YWUKbW5wSFF4K2VPWmVpYzVURERGdUJrbG5idm80Z2RUcmJsUlhCTVhEVE1GNDlQUk84elFEUEw3V1JSTnQ3UTllMApoaDdyZTJwdXh3b3djTk5oNTJad2wyMVlPVm1FVFQ0RWg0ZXpCeTJDcjdrTGdCRTllaFZxMXdiYkFQUC9ZREFOCmg3SmJ1QVhKL0s0SmFFbFQrMzcyTXhwbEFGMFJZcTEvT2V6Q0ZieloxVzUzSzhnaysraGppSmlEcUUvclJjeFIKb0IxM2FOcTcxME9ydlM3d2VLRmtCYVhUdzlvd3ZNbTJIdEIwZlFJREFRQUJBb0lCQVFDNXIvQ1Z4QU1QQzFRdgpPUHVoTXdBR2dEa25yZmI2YjU4YncxSU0wVzZFQWR3djFmTUhOcE5RaWVsUFhjNGVKSzhGMEwzdFZPMm5oRHRoCjZOVXpBOW9ZTDB3dVVxWWFra2FGdmxpUGRsQ2FoZ2JTUjBiZW5aMmRXVldBSENZVERVN2FjVm5NSVJ0RFFPSmIKbmhXbGpZVGpmaU1tQnpaSyswZitlcVVCQUVPZ0VBdlFKVzRMeEQrT2YzbWkvdEJpZ250MFNpeG5GMzgrNmttZApTSFZIRTY1aVZsV2N2MEpNQzZISlVuVVlqTUE2VkpEMUlRcTg2eTM3MHVGQ2lBaEZ0Yk90WDdaazh4bnlzVzFHCnhrV1dDcHFSbzY2cHVKb3BRYnVxRzhVSS9DZE4wanNMUllzTEpzckFLa3lwNDNvZXZ2MkFwdGxvTlM3ZlhBZGQKRlJOcHI0QUJBb0dCQVBrTmJ0ZXR0b0JCWURTV2F5MHltR09yM2IwQUN4TGdRN1VXL0pCR3djK1NISHVjN2s5NQp5ME05SEFISVdSL20xeDVnWFREMVpBUWdjRVA1dUpEa1RJeUdKRXNtTWFVWG9WbVpZdGpVYnRrY0RZdDBmaEJOCk9MNFRHcjIveUZad2djK210UnZiOTk2Y1RGYmxrWndoMG1ubVVwa1VsS2FrWnB5ZS9wM1NLaXROQW9HQkFQSGwKRHBNWXl1Vy9iazVMNS9KSk9lVHVoQnFpZENQNFB2U1BnME5pVUJSTWZSdHFJbGZaaC9mcXAvNFNlTEtETXE4MQpjQUxDZzZ5Z2MzcC81eWpzUEMyZkZIaW1yeGQ4QVBJZk52SDZvN0J3Z1YwMEVraWFUYUtTMDI4YmdCaVRGYXNBCkNjcnBTVXBaU0tDNXNlSDQzR0xGZEYzZ2hRVzc2WkNxVTJqSDRmWHhBb0dCQU5ydXB4Q3I0VEd2eHEyVHlSV0wKVTVEU3hYTGV0ZDFiRGNvRU1mTjJiK3RUYXZ4elFMN1d0d3NkamlBM0NiblVpQ2hvMTZNeEpFSElia2dqSHM4bwpFZTY2QU8rYTNLdGZNWFI5TlBxZEMvQ0pDNU1hemJMdzN6K2Z0Yk0yQXh1UmZWdVlGYjh1eUIrRjBFblhOd0JFCmJ4NnUzTTg2MjAzK1dVRzNOdVp2bUtoRkFvR0FUclBUSVNNQTZPMTI2enloTStDRldLb09DMGh0OTBJTzRhMUwKN1FHd3dsbjhubzNTckxpWEY1K2VsdmpWa21kRGQyUXdsSVZMS0VCd01od3BUdFJGNUNZTkdCQkxpWjJNQlRzSQp1b1JzKzd3dkt1OEZQK0FNZ0dlN0tUeE9XakNJN1VFdTdua21vbTBZUjBzRHlGMGEvM3YxRjVJMFZhQkZKdzl6CjRmU2UzVkVDZ1lFQWs1cFBuTXhuOThrSXJQQ29iWVY4dkFyU2VhSkNUelVFSWRCWld0a2lkeTFLdnFZQlc5Rk4KdS9mcit0cDVZQnhPNzgrbVRtNVRWWGJmYnQvVFBScytacnliMjQyVEpZaDRTS2NDOS9ueCtzRTVQQldmQ3kvSApqeEJMaGo2TFM3MEp2S3h1NWtlS1pDcFFGMTlwVEUrVFh4Q05OdnJwY3BpVGZzYndheTRGZjh3PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
---
# Source: cilium/templates/cilium-configmap.yaml
# Agent and operator configuration; both workloads below mount it read-only at
# /tmp/cilium/config-map and read it via --config-dir. Every ConfigMap value is
# a string, which is why the boolean- and number-looking values are quoted: an
# unquoted true or 16384 would be typed by YAML and rejected by the API server.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  # Identity allocation mode selects how identities are shared between cilium
  # nodes by setting how they are stored. The options are "crd" or "kvstore".
  # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
  #   These can be queried with:
  #     kubectl get ciliumid
  # - "kvstore" stores identities in a kvstore, etcd or consul, that is
  #   configured below. Cilium versions before 1.6 supported only the kvstore
  #   backend. Upgrades from these older cilium versions should continue using
  #   the kvstore by commenting out the identity-allocation-mode below, or
  #   setting it to "kvstore".
  identity-allocation-mode: crd
  cilium-endpoint-gc-interval: "5m0s"
  # For arm64 Cilium (one of the two patches listed in the file header).
  # NOTE(review): both the DaemonSet and the Deployment in this file pin
  # kubernetes.io/arch: amd64 through nodeSelector, so this override only
  # matters if that selector is lifted — confirm the intent.
  disable-envoy-version-check: "true"
  # If you want to run cilium in debug mode change this value to true
  # (the operator also reads it through its CILIUM_DEBUG env var).
  debug: "false"
  # The agent can be put into the following three policy enforcement modes
  # default, always and never.
  # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes
  # Per the linked page, "default" enforces nothing on an endpoint until a
  # policy selects it — no deny-by-default without policies.
  enable-policy: "default"
  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "true"
  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
  enable-ipv6: "false"
  # Users who wish to specify their own custom CNI configuration file must set
  # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
  custom-cni-conf: "false"
  enable-bpf-clock-probe: "true"
  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the less packets
  # that will be seen in monitor output.
  monitor-aggregation: medium
  # The monitor aggregation interval governs the typical time between monitor
  # notification events for each allowed connection.
  #
  # Only effective when monitor aggregation is set to "medium" or higher.
  monitor-aggregation-interval: 5s
  # The monitor aggregation flags determine which TCP flags which, upon the
  # first observation, cause monitor notifications to be generated.
  #
  # Only effective when monitor aggregation is set to "medium" or higher.
  monitor-aggregation-flags: all
  # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
  # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
  bpf-map-dynamic-size-ratio: "0.0025"
  # bpf-policy-map-max specifies the maximum number of entries in endpoint
  # policy map (per endpoint)
  bpf-policy-map-max: "16384"
  # bpf-lb-map-max specifies the maximum number of entries in bpf lb service,
  # backend and affinity maps.
  bpf-lb-map-max: "65536"
  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # As a result, reply packets may be dropped and the load-balancing decisions
  # for established connections may change.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "false"
  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecar-istio-proxy-image: "cilium/istio_proxy"
  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: vxlan
  # Name of the cluster. Only relevant when building a mesh of clusters.
  cluster-name: default
  # Unique ID of the cluster. Must be unique across all connected clusters and
  # in the range of 1 and 255. Only relevant when building a mesh of clusters.
  cluster-id: ""
  # Enables L7 proxy for L7 policy enforcement and visibility
  enable-l7-proxy: "true"
  # wait-bpf-mount makes init container wait until bpf filesystem is mounted
  wait-bpf-mount: "false"
  # Host datapath knobs: with install-iptables-rules the agent edits the host's
  # iptables (it mounts /run/xtables.lock for that), and masquerade SNATs
  # traffic leaving the node from endpoints.
  masquerade: "true"
  enable-bpf-masquerade: "true"
  enable-xt-socket-fallback: "true"
  install-iptables-rules: "true"
  auto-direct-node-routes: "false"
  enable-bandwidth-manager: "false"
  enable-local-redirect-policy: "false"
  # Matches --set kubeProxyReplacement=disabled from the render command.
  kube-proxy-replacement: "disabled"
  enable-health-check-nodeport: "true"
  node-port-bind-protection: "true"
  enable-auto-protect-node-port-range: "true"
  enable-session-affinity: "true"
  enable-endpoint-health-checking: "true"
  enable-health-checking: "true"
  enable-well-known-identities: "false"
  enable-remote-node-identity: "true"
  # Operator API bound to loopback only; the operator Deployment's liveness
  # probe reaches it because that pod runs with hostNetwork: true.
  operator-api-serve-addr: "127.0.0.1:9234"
  # Enable Hubble gRPC service.
  enable-hubble: "true"
  # UNIX domain socket for Hubble server to listen to.
  # No hubble-listen-address key is set here, so this file configures no TCP
  # listener for Hubble; the hubble-server-certs Secret above is therefore not
  # wired to anything in this manifest.
  hubble-socket-path: "/var/run/cilium/hubble.sock"
  # Matches --set ipam.mode=kubernetes from the render command.
  ipam: "kubernetes"
  disable-cnp-status-updates: "true"
---
# Source: cilium/templates/hubble-ca-configmap.yaml
# Public CA certificate for Hubble TLS. A ConfigMap is the right home for it:
# the certificate is not secret (only a private key would be, and no CA private
# key appears anywhere in this file).
# NOTE(review): hand-decoding the DER validity and subject fields gives
# notBefore 2020-12-15 17:20:52Z, notAfter 2023-12-15 17:20:52Z and
# CN hubble-ca.cilium.io — confirm with `openssl x509 -noout -dates -subject`
# and schedule rotation before expiry; anything trusting this CA fails after.
apiVersion: v1
kind: ConfigMap
metadata:
  name: hubble-ca-cert
  namespace: kube-system
data:
  # `|-` keeps the PEM line breaks and strips the trailing newline.
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDCDCCAfCgAwIBAgIQJPtSjK9oWdEaKimRPmtBuTANBgkqhkiG9w0BAQsFADAe
    MRwwGgYDVQQDExNodWJibGUtY2EuY2lsaXVtLmlvMB4XDTIwMTIxNTE3MjA1MloX
    DTIzMTIxNTE3MjA1MlowHjEcMBoGA1UEAxMTaHViYmxlLWNhLmNpbGl1bS5pbzCC
    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTEDtpDnRjL5il1ybf+VZWo
    il6uuAwwL3GAQ31PGQk+71rrTINRXLBOjxEEG76orj186tVD7t8WabRMVlnlkvei
    019GEQBaQnJg0O59uFu5caJMxY1N38ezmdPDCkUv2s24GieW7T0NjM2sda2uJAr3
    mjHmgbXDX9Y57ngiqGrxBJ766QJo6tnLPXDSFXVHCpnKaR2JmoVYDxuZ7+Z8iYJC
    mCOXYsiDg2zIIXmV3m1A1XcEuK/1dOUTmEG9V1w2psdpX9bL3eWJHduwc6Nb1GH+
    cdd7Std4M4zNrohlTgeYhRTlejDQ59qVmau8WJcBSquf+kaswuzjad1mUF3c4AcC
    AwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
    BgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBKn3P2
    6EyAx9Fmenb19rnZPqMTIRs2DenY3NJUKHA7K5UZYBLnRoAQarXjjipKrqTPLcQG
    Qoj3BhWQaTgAzgAsO7mczkzPip6l7zgrZlenZjpuWyC9qwzFjR3kunZISJlMHfDz
    59fTDXHVbZdqHbwwsIcKhG9sGxAK9PhTvWNZj+5ZrxgjwEX5FYNwQdaZQwU4edyi
    FvULIJh87M01ejE6qaaFMgJ06SSbw7gENFTzIvL/dWk3GwW7nv98UgoaJqN+BCWD
    Gq5gRJMFMFPT2YaUk+92UpDMuQ+xCwl4rJr5/SEXLfxs53+T6rCYg+DGzvf528b4
    TXY2cEryl9zQ4HCt
    -----END CERTIFICATE-----
---
# Source: cilium/templates/cilium-agent-clusterrole.yaml
# Permissions of the cilium-agent DaemonSet. A ClusterRole bound to one
# ServiceAccount means every node's agent pod carries a token with cluster-wide
# reach, so a compromised node can exercise all of this anywhere in the
# cluster. RBAC is purely additive: rules that name the same resource (nodes
# appears three times below) combine into the union of their verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - nodes
  - endpoints
  verbs:
  - get
  - list
  - watch
# Write access to pods in every namespace, including delete.
- apiGroups:
  - ""
  resources:
  - pods
  - pods/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - delete
# Together with the adjacent rules: get/list/watch/update/patch on every Node
# object, not only the node the agent runs on.
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/status
  verbs:
  - patch
# Cluster-scoped CRD management from the per-node agent.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  # Deprecated for removal in v1.10
  - create
  - list
  - watch
  - update
  # This is used when validating policies in preflight. This will need to stay
  # until we figure out how to avoid "get" inside the preflight, and then
  # should be removed ideally.
  - get
# Unrestricted verbs ('*') on every listed cilium.io resource, cluster-wide.
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumnetworkpolicies/finalizers
  - ciliumclusterwidenetworkpolicies
  - ciliumclusterwidenetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/finalizers
  - ciliumendpoints
  - ciliumendpoints/status
  - ciliumendpoints/finalizers
  - ciliumnodes
  - ciliumnodes/status
  - ciliumnodes/finalizers
  - ciliumidentities
  - ciliumidentities/finalizers
  - ciliumlocalredirectpolicies
  - ciliumlocalredirectpolicies/status
  - ciliumlocalredirectpolicies/finalizers
  verbs:
  - '*'
---
# Source: cilium/templates/cilium-operator-clusterrole.yaml
# Permissions of the cilium-operator Deployment. Highlights: delete on pods in
# every namespace, unrestricted ('*') control of all cilium.io resources, and
# write access to CRDs. RBAC is additive, so the effective grant is the union
# of the rules below; a ClusterRole cannot be narrowed to a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-operator
rules:
- apiGroups:
  - ""
  resources:
  # to automatically delete [core|kube]dns pods so that they start being
  # managed by Cilium (note: the verb applies to all pods, not only DNS ones)
  - pods
  verbs:
  - get
  - list
  - watch
  - delete
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  - services
  - endpoints
  # to check apiserver connectivity
  - namespaces
  verbs:
  - get
  - list
  - watch
# Unrestricted verbs ('*') on every listed cilium.io resource.
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumnetworkpolicies/finalizers
  - ciliumclusterwidenetworkpolicies
  - ciliumclusterwidenetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/finalizers
  - ciliumendpoints
  - ciliumendpoints/status
  - ciliumendpoints/finalizers
  - ciliumnodes
  - ciliumnodes/status
  - ciliumnodes/finalizers
  - ciliumidentities
  - ciliumidentities/status
  - ciliumidentities/finalizers
  - ciliumlocalredirectpolicies
  - ciliumlocalredirectpolicies/status
  - ciliumlocalredirectpolicies/finalizers
  verbs:
  - '*'
# Cluster-scoped CRD management.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - list
  - update
  - watch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between multiple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
# The support for leases was introduced in coordination.k8s.io/v1 during Kubernetes 1.14 release.
# In Cilium we currently don't support HA mode for K8s version < 1.14. This condition makes sure
# that we only authorize access to leases resources in supported K8s versions.
# (Being a ClusterRole, this covers Leases in every namespace, not just kube-system.)
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
---
# Source: cilium/templates/cilium-agent-clusterrolebinding.yaml
# Attaches the "cilium" ClusterRole to the cilium ServiceAccount in
# kube-system, i.e. to every cilium-agent pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: 'cilium'
subjects:
- namespace: 'kube-system'
  kind: 'ServiceAccount'
  name: 'cilium'
roleRef:
  kind: 'ClusterRole'
  name: 'cilium'
  apiGroup: 'rbac.authorization.k8s.io'
---
# Source: cilium/templates/cilium-operator-clusterrolebinding.yaml
# Attaches the "cilium-operator" ClusterRole to the cilium-operator
# ServiceAccount in kube-system, i.e. to the operator Deployment's pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: 'cilium-operator'
subjects:
- namespace: 'kube-system'
  kind: 'ServiceAccount'
  name: 'cilium-operator'
roleRef:
  kind: 'ClusterRole'
  name: 'cilium-operator'
  apiGroup: 'rbac.authorization.k8s.io'
---
# Source: cilium/templates/cilium-agent-daemonset.yaml
# One cilium-agent pod per amd64 node. It runs privileged, on the host network,
# with writable hostPath mounts into the host's CNI directories and BPF
# filesystem, and with the cluster-wide "cilium" ClusterRole; the settings that
# carry that privilege are commented inline. Images are pinned by tag
# (v1.9.1), not by digest.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: cilium
  name: cilium
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: cilium
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 2
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium to be a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        # NOTE(review): this alpha annotation has been removed from newer
        # Kubernetes releases; there the priorityClassName
        # (system-node-critical) set further down is what takes effect.
        # Confirm against the target cluster version.
        scheduler.alpha.kubernetes.io/critical-pod: ""
      labels:
        k8s-app: cilium
    spec:
      # Patched in (see file header): restricts the agent to amd64 nodes.
      nodeSelector:
        kubernetes.io/arch: amd64
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: k8s-app
                operator: In
                values:
                - cilium
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - --config-dir=/tmp/cilium/config-map
        command:
        - cilium-agent
        # Both probes talk to the agent's health endpoint on loopback, which
        # works because the pod shares the host network namespace.
        livenessProbe:
          httpGet:
            host: '127.0.0.1'
            path: /healthz
            port: 9876
            scheme: HTTP
            httpHeaders:
            - name: "brief"
              value: "true"
          failureThreshold: 10
          # The initial delay for the liveness probe is intentionally large to
          # avoid an endless kill & restart cycle if in the event that the initial
          # bootstrapping takes longer than expected.
          initialDelaySeconds: 120
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            host: '127.0.0.1'
            path: /healthz
            port: 9876
            scheme: HTTP
            httpHeaders:
            - name: "brief"
              value: "true"
          failureThreshold: 3
          initialDelaySeconds: 5
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        # The configMapKeyRef entries below are optional. Except for
        # custom-cni-conf, their keys are absent from the cilium-config
        # ConfigMap in this file, so those variables stay unset unless the
        # ConfigMap is extended.
        - name: CILIUM_FLANNEL_MASTER_DEVICE
          valueFrom:
            configMapKeyRef:
              key: flannel-master-device
              name: cilium-config
              optional: true
        - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
          valueFrom:
            configMapKeyRef:
              key: flannel-uninstall-on-exit
              name: cilium-config
              optional: true
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
        - name: CILIUM_CNI_CHAINING_MODE
          valueFrom:
            configMapKeyRef:
              key: cni-chaining-mode
              name: cilium-config
              optional: true
        - name: CILIUM_CUSTOM_CNI_CONF
          valueFrom:
            configMapKeyRef:
              key: custom-cni-conf
              name: cilium-config
              optional: true
        image: quay.io/cilium/cilium:v1.9.1
        imagePullPolicy: IfNotPresent
        lifecycle:
          # Installs the CNI plugin and its config into the host paths mounted
          # under /host below; that is why those two mounts are not readOnly.
          postStart:
            exec:
              command:
              - "/cni-install.sh"
              - "--enable-debug=false"
          preStop:
            exec:
              command:
              - /cni-uninstall.sh
        name: cilium-agent
        # privileged: true already grants every capability, so the explicit
        # NET_ADMIN/SYS_MODULE entries document intent rather than restrict
        # anything. Treat a compromise of this container as a node compromise.
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
          privileged: true
        volumeMounts:
        - mountPath: /sys/fs/bpf
          name: bpf-maps
        - mountPath: /var/run/cilium
          name: cilium-run
        # Host CNI directories, writable (used by /cni-install.sh).
        - mountPath: /host/opt/cni/bin
          name: cni-path
        - mountPath: /host/etc/cni/net.d
          name: etc-cni-netd
        - mountPath: /var/lib/cilium/clustermesh
          name: clustermesh-secrets
          readOnly: true
        - mountPath: /tmp/cilium/config-map
          name: cilium-config-path
          readOnly: true
        # Needed to be able to load kernel modules
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
        # Shared lock so iptables edits do not race other writers on the host.
        - mountPath: /run/xtables.lock
          name: xtables-lock
      # Host network namespace: the agent sees and programs the node's
      # interfaces directly, and loopback probes above resolve to the host.
      hostNetwork: true
      initContainers:
      - command:
        - /init-container.sh
        # clean-cilium-state / clean-cilium-bpf-state are not defined in the
        # cilium-config ConfigMap in this file (wait-bpf-mount is), so the
        # first two variables stay unset here.
        env:
        - name: CILIUM_ALL_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-state
              name: cilium-config
              optional: true
        - name: CILIUM_BPF_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-bpf-state
              name: cilium-config
              optional: true
        - name: CILIUM_WAIT_BPF_MOUNT
          valueFrom:
            configMapKeyRef:
              key: wait-bpf-mount
              name: cilium-config
              optional: true
        image: quay.io/cilium/cilium:v1.9.1
        imagePullPolicy: IfNotPresent
        name: clean-cilium-state
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        volumeMounts:
        - mountPath: /sys/fs/bpf
          name: bpf-maps
          mountPropagation: HostToContainer
        - mountPath: /var/run/cilium
          name: cilium-run
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
      restartPolicy: Always
      priorityClassName: system-node-critical
      serviceAccount: cilium
      serviceAccountName: cilium
      terminationGracePeriodSeconds: 1
      # Tolerates every taint, so the agent is also scheduled onto tainted
      # control-plane nodes (expected for a CNI).
      tolerations:
      - operator: Exists
      volumes:
      # To keep state between restarts / upgrades
      - hostPath:
          path: /var/run/cilium
          type: DirectoryOrCreate
        name: cilium-run
      # To keep state between restarts / upgrades for bpf maps
      - hostPath:
          path: /sys/fs/bpf
          type: DirectoryOrCreate
        name: bpf-maps
      # To install cilium cni plugin in the host
      - hostPath:
          path: /opt/cni/bin
          type: DirectoryOrCreate
        name: cni-path
      # To install cilium cni configuration in the host
      - hostPath:
          path: /etc/cni/net.d
          type: DirectoryOrCreate
        name: etc-cni-netd
      # To be able to load kernel modules
      - hostPath:
          path: /lib/modules
        name: lib-modules
      # To access iptables concurrently with other processes (e.g. kube-proxy)
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: xtables-lock
      # To read the clustermesh configuration
      - name: clustermesh-secrets
        secret:
          # 420 decimal == 0644 octal (Kubernetes takes this field as a decimal
          # int). optional: true means a missing Secret is not a pod failure.
          defaultMode: 420
          optional: true
          secretName: cilium-clustermesh
      # To read the configuration from the config map
      - configMap:
          name: cilium-config
        name: cilium-config-path
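---
# Source: cilium/templates/cilium-operator-deployment.yaml
# cilium-operator: two replicas on the host network, running as the
# cilium-operator ServiceAccount, whose ClusterRole above grants cluster-wide
# pod deletion, CRD management and unrestricted control of cilium.io
# resources. Image is pinned by tag (v1.9.1), not by digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
  name: cilium-operator
  namespace: kube-system
spec:
  # We support HA mode only for Kubernetes version > 1.14
  # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go
  # for more details.
  replicas: 2
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      # The render left `annotations:` with no value, which YAML reads as null.
      # An explicit empty map states the intent and passes strict schema
      # validators and linters that reject null here; the API server treats
      # both as "no annotations".
      annotations: {}
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      # Patched in (see file header): restricts the operator to amd64 nodes.
      nodeSelector:
        kubernetes.io/arch: amd64
      # In HA mode, cilium-operator pods must not be scheduled on the same
      # node as they will clash with each other.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: io.cilium/app
                operator: In
                values:
                - operator
            topologyKey: kubernetes.io/hostname
      containers:
      - args:
        - --config-dir=/tmp/cilium/config-map
        # $(CILIUM_DEBUG) is expanded by the kubelet from the env entry below.
        # That entry is optional; if the "debug" key were ever removed from
        # cilium-config the literal text "$(CILIUM_DEBUG)" would be passed
        # instead. The ConfigMap in this file does define debug: "false".
        - --debug=$(CILIUM_DEBUG)
        command:
        - cilium-operator-generic
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CILIUM_DEBUG
          valueFrom:
            configMapKeyRef:
              key: debug
              name: cilium-config
              optional: true
        image: quay.io/cilium/operator-generic:v1.9.1
        imagePullPolicy: IfNotPresent
        name: cilium-operator
        # No securityContext is set, so the container runs with the image's
        # defaults. NOTE(review): consider runAsNonRoot / readOnlyRootFilesystem
        # once confirmed the image supports them; not changed here because that
        # is not verifiable from this file.
        # The probe targets operator-api-serve-addr (127.0.0.1:9234 in
        # cilium-config); loopback works because of hostNetwork: true below.
        livenessProbe:
          httpGet:
            host: '127.0.0.1'
            path: /healthz
            port: 9234
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 3
        volumeMounts:
        - mountPath: /tmp/cilium/config-map
          name: cilium-config-path
          readOnly: true
      hostNetwork: true
      restartPolicy: Always
      priorityClassName: system-cluster-critical
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      # Tolerates every taint, so replicas may land on tainted control-plane
      # nodes.
      tolerations:
      - operator: Exists
      volumes:
      # To read the configuration from the config map
      - configMap:
          name: cilium-config
        name: cilium-config-path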