diff --git a/talos/patches/cilium.yaml b/talos/patches/cilium.yaml
deleted file mode 100644
index fc09623..0000000
--- a/talos/patches/cilium.yaml
+++ /dev/null
@@ -1,2045 +0,0 @@ -cluster: - network: - cni: - name: none - proxy: - disabled: true - inlineManifests: - - name: cilium - contents: | - --- - # Source: cilium/templates/cilium-secrets-namespace.yaml - apiVersion: v1 - kind: Namespace - metadata: - name: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - annotations: - --- - # Source: cilium/templates/cilium-agent/serviceaccount.yaml - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "cilium" - namespace: kube-system - --- - # Source: cilium/templates/cilium-envoy/serviceaccount.yaml - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "cilium-envoy" - namespace: kube-system - --- - # Source: cilium/templates/cilium-operator/serviceaccount.yaml - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "cilium-operator" - namespace: kube-system - --- - # Source: cilium/templates/hubble-relay/serviceaccount.yaml - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "hubble-relay" - namespace: kube-system - automountServiceAccountToken: false - --- - # Source: cilium/templates/hubble-ui/serviceaccount.yaml - apiVersion: v1 - kind: ServiceAccount - metadata: - name: "hubble-ui" - namespace: kube-system - --- - # Source: cilium/templates/cilium-ca-secret.yaml - apiVersion: v1 - kind: Secret - metadata: - name: cilium-ca - namespace: kube-system - data: - ca.crt: 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 - ca.key: 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 - --- - # Source: cilium/templates/hubble/tls-helm/relay-client-secret.yaml - apiVersion: v1 - kind: Secret - metadata: - name: hubble-relay-client-certs - namespace: kube-system - type: kubernetes.io/tls - data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 - --- - # Source: cilium/templates/hubble/tls-helm/server-secret.yaml - apiVersion: v1 - kind: Secret - 
metadata: - name: hubble-server-certs - namespace: kube-system - type: kubernetes.io/tls - data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 - --- - # Source: cilium/templates/cilium-configmap.yaml - apiVersion: v1 - kind: ConfigMap - metadata: - name: cilium-config - namespace: kube-system - data: - - # Identity allocation mode selects how identities are shared between cilium - # nodes by setting how they are stored. The options are "crd", "kvstore" or - # "doublewrite-readkvstore" / "doublewrite-readcrd". - # - "crd" stores identities in kubernetes as CRDs (custom resource definition). - # These can be queried with: - # kubectl get ciliumid - # - "kvstore" stores identities in an etcd kvstore, that is - # configured below. Cilium versions before 1.6 supported only the kvstore - # backend. Upgrades from these older cilium versions should continue using - # the kvstore by commenting out the identity-allocation-mode below, or - # setting it to "kvstore". - # - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful - # for seamless migrations from the kvstore mode to the crd mode. Consult the - # documentation for more information on how to perform the migration. - identity-allocation-mode: crd - - identity-heartbeat-timeout: "30m0s" - identity-gc-interval: "15m0s" - cilium-endpoint-gc-interval: "5m0s" - nodes-gc-interval: "5m0s" - - # If you want to run cilium in debug mode change this value to true - debug: "false" - debug-verbose: "" - metrics-sampling-interval: "5m" - # The agent can be put into the following three policy enforcement modes - # default, always and never. 
- # https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes - enable-policy: "default" - policy-cidr-match-mode: "" - # If you want metrics enabled in cilium-operator, set the port for - # which the Cilium Operator will have their metrics exposed. - # NOTE that this will open the port on the nodes where Cilium operator pod - # is scheduled. - operator-prometheus-serve-addr: ":9963" - enable-metrics: "true" - enable-policy-secrets-sync: "true" - policy-secrets-only-from-secrets-namespace: "true" - policy-secrets-namespace: "cilium-secrets" - - # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 - # address. - enable-ipv4: "true" - - # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 - # address. - enable-ipv6: "false" - # Users who wish to specify their own custom CNI configuration file must set - # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. - custom-cni-conf: "false" - enable-bpf-clock-probe: "false" - # If you want cilium monitor to aggregate tracing for packets, set this level - # to "low", "medium", or "maximum". The higher the level, the less packets - # that will be seen in monitor output. - monitor-aggregation: medium - - # The monitor aggregation interval governs the typical time between monitor - # notification events for each allowed connection. - # - # Only effective when monitor aggregation is set to "medium" or higher. - monitor-aggregation-interval: "5s" - - # The monitor aggregation flags determine which TCP flags which, upon the - # first observation, cause monitor notifications to be generated. - # - # Only effective when monitor aggregation is set to "medium" or higher. - monitor-aggregation-flags: all - # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic - # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. 
- bpf-map-dynamic-size-ratio: "0.0025" - # bpf-policy-map-max specifies the maximum number of entries in endpoint - # policy map (per endpoint) - bpf-policy-map-max: "16384" - # bpf-policy-stats-map-max specifies the maximum number of entries in global - # policy stats map - bpf-policy-stats-map-max: "65536" - # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, - # backend and affinity maps. - bpf-lb-map-max: "65536" - bpf-lb-external-clusterip: "false" - bpf-lb-source-range-all-types: "false" - bpf-lb-algorithm-annotation: "false" - bpf-lb-mode-annotation: "false" - - bpf-distributed-lru: "false" - bpf-events-drop-enabled: "true" - bpf-events-policy-verdict-enabled: "true" - bpf-events-trace-enabled: "true" - - # Pre-allocation of map entries allows per-packet latency to be reduced, at - # the expense of up-front memory allocation for the entries in the maps. The - # default value below will minimize memory usage in the default installation; - # users who are sensitive to latency may consider setting this to "true". - # - # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore - # this option and behave as though it is set to "true". - # - # If this value is modified, then during the next Cilium startup the restore - # of existing endpoints and tracking of ongoing connections may be disrupted. - # As a result, reply packets may be dropped and the load-balancing decisions - # for established connections may change. - # - # If this option is set to "false" during an upgrade from 1.3 or earlier to - # 1.4 or later, then it may cause one-time disruptions during the upgrade. - preallocate-bpf-maps: "false" - - # Name of the cluster. Only relevant when building a mesh of clusters. - cluster-name: "default" - # Unique ID of the cluster. Must be unique across all conneted clusters and - # in the range of 1 and 255. Only relevant when building a mesh of clusters. 
- cluster-id: "0" - - # Encapsulation mode for communication between nodes - # Possible values: - # - disabled - # - vxlan (default) - # - geneve - - routing-mode: "tunnel" - tunnel-protocol: "vxlan" - tunnel-source-port-range: "0-0" - service-no-backend-response: "reject" - - - # Enables L7 proxy for L7 policy enforcement and visibility - enable-l7-proxy: "true" - enable-ipv4-masquerade: "true" - enable-ipv4-big-tcp: "false" - enable-ipv6-big-tcp: "false" - enable-ipv6-masquerade: "true" - enable-tcx: "true" - datapath-mode: "veth" - enable-masquerade-to-route-source: "false" - - enable-xt-socket-fallback: "true" - install-no-conntrack-iptables-rules: "false" - iptables-random-fully: "false" - - auto-direct-node-routes: "false" - direct-routing-skip-unreachable: "false" - - - - kube-proxy-replacement: "true" - kube-proxy-replacement-healthz-bind-address: "" - bpf-lb-sock: "false" - nodeport-addresses: "" - enable-health-check-nodeport: "true" - enable-health-check-loadbalancer-ip: "false" - node-port-bind-protection: "true" - enable-auto-protect-node-port-range: "true" - bpf-lb-acceleration: "disabled" - enable-svc-source-range-check: "true" - enable-l2-neigh-discovery: "false" - k8s-require-ipv4-pod-cidr: "false" - k8s-require-ipv6-pod-cidr: "false" - enable-k8s-networkpolicy: "true" - enable-endpoint-lockdown-on-policy-overflow: "false" - # Tell the agent to generate and write a CNI configuration file - write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist - cni-exclusive: "true" - cni-log-file: "/var/run/cilium/cilium-cni.log" - enable-endpoint-health-checking: "true" - enable-health-checking: "true" - health-check-icmp-failure-threshold: "3" - enable-well-known-identities: "false" - enable-node-selector-labels: "false" - synchronize-k8s-nodes: "true" - operator-api-serve-addr: "127.0.0.1:9234" - - enable-hubble: "true" - # UNIX domain socket for Hubble server to listen to. 
- hubble-socket-path: "/var/run/cilium/hubble.sock" - hubble-network-policy-correlation-enabled: "true" - # An additional address for Hubble server to listen to (e.g. ":4244"). - hubble-listen-address: ":4244" - hubble-disable-tls: "false" - hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt - hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key - hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt - ipam: "kubernetes" - ipam-cilium-node-update-rate: "15s" - - default-lb-service-ipam: "lbipam" - egress-gateway-reconciliation-trigger-interval: "1s" - enable-vtep: "false" - vtep-endpoint: "" - vtep-cidr: "" - vtep-mask: "" - vtep-mac: "" - # Enable L2 announcements - enable-l2-announcements: "true" - procfs: "/host/proc" - bpf-root: "/sys/fs/bpf" - cgroup-root: "/sys/fs/cgroup" - - identity-management-mode: "agent" - enable-sctp: "false" - remove-cilium-node-taints: "true" - set-cilium-node-taints: "true" - set-cilium-is-up-condition: "true" - unmanaged-pod-watcher-interval: "15" - # default DNS proxy to transparent mode in non-chaining modes - dnsproxy-enable-transparent-mode: "true" - dnsproxy-socket-linger-timeout: "10" - tofqdns-dns-reject-response-code: "refused" - tofqdns-enable-dns-compression: "true" - tofqdns-endpoint-max-ip-per-hostname: "1000" - tofqdns-idle-connection-grace-period: "0s" - tofqdns-max-deferred-connection-deletes: "10000" - tofqdns-proxy-response-max-delay: "100ms" - tofqdns-preallocate-identities: "true" - agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" - - mesh-auth-enabled: "true" - mesh-auth-queue-size: "1024" - mesh-auth-rotated-identities-queue-size: "1024" - mesh-auth-gc-interval: "5m0s" - - proxy-xff-num-trusted-hops-ingress: "0" - proxy-xff-num-trusted-hops-egress: "0" - proxy-connect-timeout: "2" - proxy-initial-fetch-timeout: "30" - proxy-max-requests-per-connection: "0" - proxy-max-connection-duration-seconds: "0" - proxy-idle-timeout-seconds: "60" - proxy-max-concurrent-retries: "128" 
- http-retry-count: "3" - - external-envoy-proxy: "true" - envoy-base-id: "0" - envoy-access-log-buffer-size: "4096" - envoy-keep-cap-netbindservice: "false" - max-connected-clusters: "255" - clustermesh-enable-endpoint-sync: "false" - clustermesh-enable-mcs-api: "false" - policy-default-local-cluster: "false" - - nat-map-stats-entries: "32" - nat-map-stats-interval: "30s" - enable-internal-traffic-policy: "true" - enable-lb-ipam: "true" - enable-non-default-deny-policies: "true" - enable-source-ip-verification: "true" - - # Extra config allows adding arbitrary properties to the cilium config. - # By putting it at the end of the ConfigMap, it's also possible to override existing properties. - --- - # Source: cilium/templates/cilium-envoy/configmap.yaml - apiVersion: v1 - kind: ConfigMap - metadata: - name: cilium-envoy-config - namespace: kube-system - data: - # Keep the key name as bootstrap-config.json to avoid breaking changes - bootstrap-config.json: | - {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"applicationLogConfig":{"logFormat":{"textFormat":"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] 
%v"}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envo
y.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"circuitBreakers":{"thresholds":[{"maxRetries":128}]},"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run
/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"300s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"300s"}
}]}],"name":"envoy-health-listener"}]}} - --- - # Source: cilium/templates/hubble-relay/configmap.yaml - apiVersion: v1 - kind: ConfigMap - metadata: - name: hubble-relay-config - namespace: kube-system - data: - config.yaml: | - cluster-name: default - peer-service: "hubble-peer.kube-system.svc.cluster.local.:443" - listen-address: :4245 - gops: true - gops-port: "9893" - retry-timeout: - sort-buffer-len-max: - sort-buffer-drain-timeout: - tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt - tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key - tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt - - disable-server-tls: true - --- - # Source: cilium/templates/hubble-ui/configmap.yaml - apiVersion: v1 - kind: ConfigMap - metadata: - name: hubble-ui-nginx - namespace: kube-system - data: - nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n server_name localhost;\n root /app;\n index index.html;\n client_max_body_size 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n\n location /api {\n proxy_http_version 1.1;\n proxy_pass_request_headers on;\n proxy_pass http://127.0.0.1:8090;\n }\n location / {\n if ($http_user_agent ~* \"kube-probe\") { access_log off; }\n # double `/index.html` is required here\n try_files $uri $uri/ /index.html /index.html;\n }\n\n # Liveness probe\n location /healthz {\n access_log off;\n add_header Content-Type text/plain;\n return 200 'ok';\n }\n }\n}" - --- - # Source: cilium/templates/cilium-agent/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: cilium - labels: - app.kubernetes.io/part-of: cilium - rules: - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - services - - pods - - 
endpoints - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - - list - - delete - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch - # This is used when validating policies in preflight. This will need to stay - # until we figure out how to avoid "get" inside the preflight, and then - # should be removed ideally. - - get - - apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - - ciliumbgppeeringpolicies - - ciliumbgpnodeconfigs - - ciliumbgpadvertisements - - ciliumbgppeerconfigs - - ciliumclusterwideenvoyconfigs - - ciliumclusterwidenetworkpolicies - - ciliumegressgatewaypolicies - - ciliumendpoints - - ciliumendpointslices - - ciliumenvoyconfigs - - ciliumidentities - - ciliumlocalredirectpolicies - - ciliumnetworkpolicies - - ciliumnodes - - ciliumnodeconfigs - - ciliumcidrgroups - - ciliuml2announcementpolicies - - ciliumpodippools - verbs: - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumidentities - - ciliumendpoints - - ciliumnodes - verbs: - - create - - apiGroups: - - cilium.io - # To synchronize garbage collection of such resources - resources: - - ciliumidentities - verbs: - - update - - apiGroups: - - cilium.io - resources: - - ciliumendpoints - verbs: - - delete - - get - - apiGroups: - - cilium.io - resources: - - ciliumnodes - - ciliumnodes/status - verbs: - - get - - update - - apiGroups: - - cilium.io - resources: - - ciliumendpoints/status - - ciliumendpoints - - ciliuml2announcementpolicies/status - - ciliumbgpnodeconfigs/status - verbs: - - patch - --- - # Source: cilium/templates/cilium-operator/clusterrole.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: cilium-operator - labels: - app.kubernetes.io/part-of: cilium - rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - # to 
automatically delete [core|kube]dns pods so that are starting to being - # managed by Cilium - - delete - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - - cilium-config - verbs: - # allow patching of the configmap to set annotations - - patch - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - # To remove node taints - - nodes - # To set NetworkUnavailable false on startup - - nodes/status - verbs: - - patch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - # to perform LB IP allocation for BGP - - services/status - verbs: - - update - - patch - - apiGroups: - - "" - resources: - # to check apiserver connectivity - - namespaces - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - # to perform the translation of a CNP that contains `ToGroup` to its endpoints - - services - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumclusterwidenetworkpolicies - verbs: - # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups' - - create - - update - - deletecollection - # To update the status of the CNPs and CCNPs - - patch - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies/status - - ciliumclusterwidenetworkpolicies/status - verbs: - # Update the auto-generated CNPs and CCNPs status. 
- - patch - - update - - apiGroups: - - cilium.io - resources: - - ciliumendpoints - - ciliumidentities - verbs: - # To perform garbage collection of such resources - - delete - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumidentities - verbs: - # To synchronize garbage collection of such resources - - update - - apiGroups: - - cilium.io - resources: - - ciliumnodes - verbs: - - create - - update - - get - - list - - watch - # To perform CiliumNode garbage collector - - delete - - apiGroups: - - cilium.io - resources: - - ciliumnodes/status - verbs: - - update - - apiGroups: - - cilium.io - resources: - - ciliumendpointslices - - ciliumenvoyconfigs - - ciliumbgppeerconfigs - - ciliumbgpadvertisements - - ciliumbgpnodeconfigs - verbs: - - create - - update - - get - - list - - watch - - delete - - patch - - apiGroups: - - cilium.io - resources: - - ciliumbgpclusterconfigs/status - - ciliumbgppeerconfigs/status - verbs: - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - get - - list - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - update - resourceNames: - - ciliumloadbalancerippools.cilium.io - - ciliumbgppeeringpolicies.cilium.io - - ciliumbgpclusterconfigs.cilium.io - - ciliumbgppeerconfigs.cilium.io - - ciliumbgpadvertisements.cilium.io - - ciliumbgpnodeconfigs.cilium.io - - ciliumbgpnodeconfigoverrides.cilium.io - - ciliumclusterwideenvoyconfigs.cilium.io - - ciliumclusterwidenetworkpolicies.cilium.io - - ciliumegressgatewaypolicies.cilium.io - - ciliumendpoints.cilium.io - - ciliumendpointslices.cilium.io - - ciliumenvoyconfigs.cilium.io - - ciliumidentities.cilium.io - - ciliumlocalredirectpolicies.cilium.io - - ciliumnetworkpolicies.cilium.io - - ciliumnodes.cilium.io - - ciliumnodeconfigs.cilium.io - - ciliumcidrgroups.cilium.io - - ciliuml2announcementpolicies.cilium.io - - ciliumpodippools.cilium.io - - 
ciliumgatewayclassconfigs.cilium.io - - apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - - ciliumpodippools - - ciliumbgppeeringpolicies - - ciliumbgpclusterconfigs - - ciliumbgpnodeconfigoverrides - - ciliumbgppeerconfigs - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumpodippools - verbs: - - create - - apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools/status - verbs: - - patch - # For cilium-operator running in HA mode. - # - # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election - # between multiple running instances. - # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less - # common and fewer objects in the cluster watch "all Leases". - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update - --- - # Source: cilium/templates/hubble-ui/clusterrole.yaml - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: hubble-ui - labels: - app.kubernetes.io/part-of: cilium - - rules: - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - componentstatuses - - endpoints - - namespaces - - nodes - - pods - - services - verbs: - - get - - list - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - "*" - verbs: - - get - - list - - watch - --- - # Source: cilium/templates/cilium-agent/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: cilium - labels: - app.kubernetes.io/part-of: cilium - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium - subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system - --- - # Source: 
cilium/templates/cilium-operator/clusterrolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: cilium-operator - labels: - app.kubernetes.io/part-of: cilium - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium-operator - subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system - --- - # Source: cilium/templates/hubble-ui/clusterrolebinding.yaml - kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: hubble-ui - labels: - app.kubernetes.io/part-of: cilium - - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: hubble-ui - subjects: - - kind: ServiceAccount - name: "hubble-ui" - namespace: kube-system - --- - # Source: cilium/templates/cilium-agent/role.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: cilium-config-agent - namespace: kube-system - labels: - app.kubernetes.io/part-of: cilium - rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - --- - # Source: cilium/templates/cilium-agent/role.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: cilium-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - --- - # Source: cilium/templates/cilium-operator/role.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: cilium-operator-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - update - - patch - --- - # Source: cilium/templates/cilium-agent/rolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: cilium-config-agent - namespace: kube-system - labels: - 
app.kubernetes.io/part-of: cilium - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-config-agent - subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system - --- - # Source: cilium/templates/cilium-agent/rolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: cilium-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-tlsinterception-secrets - subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system - --- - # Source: cilium/templates/cilium-operator/rolebinding.yaml - apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: cilium-operator-tlsinterception-secrets - namespace: "cilium-secrets" - labels: - app.kubernetes.io/part-of: cilium - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-operator-tlsinterception-secrets - subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system - --- - # Source: cilium/templates/cilium-envoy/service.yaml - apiVersion: v1 - kind: Service - metadata: - name: cilium-envoy - namespace: kube-system - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9964" - labels: - k8s-app: cilium-envoy - app.kubernetes.io/name: cilium-envoy - app.kubernetes.io/part-of: cilium - io.cilium/app: proxy - spec: - clusterIP: None - type: ClusterIP - selector: - k8s-app: cilium-envoy - ports: - - name: envoy-metrics - port: 9964 - protocol: TCP - targetPort: envoy-metrics - --- - # Source: cilium/templates/hubble-relay/service.yaml - kind: Service - apiVersion: v1 - metadata: - name: hubble-relay - namespace: kube-system - annotations: - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - - spec: - type: "ClusterIP" - selector: - k8s-app: hubble-relay - ports: - - protocol: 
TCP - port: 80 - targetPort: grpc - --- - # Source: cilium/templates/hubble-ui/service.yaml - kind: Service - apiVersion: v1 - metadata: - name: hubble-ui - namespace: kube-system - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium - - spec: - type: "ClusterIP" - selector: - k8s-app: hubble-ui - ports: - - name: http - port: 80 - targetPort: 8081 - --- - # Source: cilium/templates/hubble/peer-service.yaml - apiVersion: v1 - kind: Service - metadata: - name: hubble-peer - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: hubble-peer - - spec: - selector: - k8s-app: cilium - ports: - - name: peer-service - port: 443 - protocol: TCP - targetPort: 4244 - internalTrafficPolicy: Local - --- - # Source: cilium/templates/cilium-agent/daemonset.yaml - apiVersion: apps/v1 - kind: DaemonSet - metadata: - name: cilium - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-agent - spec: - selector: - matchLabels: - k8s-app: cilium - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - type: RollingUpdate - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: cilium-agent - labels: - k8s-app: cilium - app.kubernetes.io/name: cilium-agent - app.kubernetes.io/part-of: cilium - spec: - securityContext: - appArmorProfile: - type: Unconfined - seccompProfile: - type: Unconfined - containers: - - name: cilium-agent - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - command: - - cilium-agent - args: - - --config-dir=/tmp/cilium/config-map - startupProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - failureThreshold: 300 - periodSeconds: 2 - successThreshold: 1 - initialDelaySeconds: 5 - livenessProbe: - 
httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - - name: "require-k8s-connectivity" - value: "false" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9879 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_CLUSTERMESH_CONFIG - value: /var/lib/cilium/clustermesh/ - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - divisor: '1' - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - - name: KUBE_CLIENT_BACKOFF_BASE - value: "1" - - name: KUBE_CLIENT_BACKOFF_DURATION - value: "120" - lifecycle: - postStart: - exec: - command: - - "bash" - - "-c" - - | - set -o errexit - set -o pipefail - set -o nounset - - # When running in AWS ENI mode, it's likely that 'aws-node' has - # had a chance to install SNAT iptables rules. These can result - # in dropped traffic, so we should attempt to remove them. - # We do it using a 'postStart' hook since this may need to run - # for nodes which might have already been init'ed but may still - # have dangling rules. This is safe because there are no - # dependencies on anything that is part of the startup script - # itself, and can be safely run multiple times per node (e.g. in - # case of a restart). - if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; - then - echo 'Deleting iptables rules created by the AWS CNI VPC plugin' - iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore - fi - echo 'Done!' 
- - preStop: - exec: - command: - - /cni-uninstall.sh - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: envoy-sockets - mountPath: /var/run/cilium/envoy/sockets - readOnly: false - # Unprivileged containers need to mount /proc/sys/net from the host - # to have write access - - mountPath: /host/proc/sys/net - name: host-proc-sys-net - # Unprivileged containers need to mount /proc/sys/kernel from the host - # to have write access - - mountPath: /host/proc/sys/kernel - name: host-proc-sys-kernel - - name: bpf-maps - mountPath: /sys/fs/bpf - # Unprivileged containers can't set mount propagation to bidirectional - # in this case we will mount the bpf fs from an init container that - # is privileged and set the mount propagation from host to container - # in Cilium. 
- mountPropagation: HostToContainer - # Check for duplicate mounts before mounting - - name: cilium-cgroup - mountPath: /sys/fs/cgroup - - name: cilium-run - mountPath: /var/run/cilium - - name: cilium-netns - mountPath: /var/run/cilium/netns - mountPropagation: HostToContainer - - name: etc-cni-netd - mountPath: /host/etc/cni/net.d - - name: clustermesh-secrets - mountPath: /var/lib/cilium/clustermesh - readOnly: true - # Needed to be able to load kernel modules - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: xtables-lock - mountPath: /run/xtables.lock - - name: hubble-tls - mountPath: /var/lib/cilium/tls/hubble - readOnly: true - - name: tmp - mountPath: /tmp - - initContainers: - - name: config - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - command: - - cilium-dbg - - build-config - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - volumeMounts: - - name: tmp - mountPath: /tmp - terminationMessagePolicy: FallbackToLogsOnError - - name: apply-sysctl-overwrites - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - env: - - name: BIN_PATH - value: /opt/cni/bin - command: - - sh - - -ec - # The statically linked Go program binary is invoked to avoid any - # dependency on utilities like sh that can be missing on certain - # distros installed on the underlying host. Copy the binary to the - # same directory where we install cilium cni plugin so that exec permissions - # are available. 
- - | - cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; - nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; - rm /hostbin/cilium-sysctlfix - volumeMounts: - - name: hostproc - mountPath: /hostproc - - name: cni-path - mountPath: /hostbin - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - SYS_ADMIN - - SYS_CHROOT - - SYS_PTRACE - drop: - - ALL - # Mount the bpf fs if it is not mounted. We will perform this task - # from a privileged container because the mount propagation bidirectional - # only works from privileged containers. - - name: mount-bpf-fs - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - args: - - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' - command: - - /bin/bash - - -c - - -- - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - privileged: true - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - command: - - /init-container.sh - env: - - name: CILIUM_ALL_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-state - optional: true - - name: CILIUM_BPF_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-bpf-state - optional: true - - name: WRITE_CNI_CONF_WHEN_READY - valueFrom: - configMapKeyRef: - name: cilium-config - key: write-cni-conf-when-ready - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - NET_ADMIN - - SYS_ADMIN - - 
SYS_RESOURCE - drop: - - ALL - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - # Required to mount cgroup filesystem from the host to cilium agent pod - - name: cilium-cgroup - mountPath: /sys/fs/cgroup - mountPropagation: HostToContainer - - name: cilium-run - mountPath: /var/run/cilium # wait-for-kube-proxy - # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - - name: install-cni-binaries - image: "quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15" - imagePullPolicy: IfNotPresent - command: - - "/install-plugin.sh" - resources: - requests: - cpu: 100m - memory: 10Mi - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: cni-path - mountPath: /host/opt/cni/bin # .Values.cni.install - restartPolicy: Always - priorityClassName: system-node-critical - serviceAccountName: "cilium" - automountServiceAccountToken: true - terminationGracePeriodSeconds: 1 - hostNetwork: true - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - tolerations: - - operator: Exists - volumes: - # For sharing configuration between the "config" initContainer and the agent - - name: tmp - emptyDir: {} - # To keep state between restarts / upgrades - - name: cilium-run - hostPath: - path: /var/run/cilium - type: DirectoryOrCreate - # To exec into pod network namespaces - - name: cilium-netns - hostPath: - path: /var/run/netns - type: DirectoryOrCreate - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - # To mount cgroup2 filesystem on the host or apply sysctlfix - - name: hostproc - hostPath: - path: /proc - type: Directory - # 
To keep state between restarts / upgrades for cgroup2 filesystem - - name: cilium-cgroup - hostPath: - path: /sys/fs/cgroup - type: DirectoryOrCreate - # To install cilium cni plugin in the host - - name: cni-path - hostPath: - path: /opt/cni/bin - type: DirectoryOrCreate - # To install cilium cni configuration in the host - - name: etc-cni-netd - hostPath: - path: /etc/cni/net.d - type: DirectoryOrCreate - # To be able to load kernel modules - - name: lib-modules - hostPath: - path: /lib/modules - # To access iptables concurrently with other processes (e.g. kube-proxy) - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - # Sharing socket with Cilium Envoy on the same node by using a host path - - name: envoy-sockets - hostPath: - path: "/var/run/cilium/envoy/sockets" - type: DirectoryOrCreate - # To read the clustermesh configuration - - name: clustermesh-secrets - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: cilium-clustermesh - optional: true - # note: items are not explicitly listed here, since the entries of this secret - # depend on the peers configured, and that would cause a restart of all agents - # at every addition/removal. Leaving the field empty makes each secret entry - # to be automatically projected into the volume as a file whose name is the key. - - secret: - name: clustermesh-apiserver-remote-cert - optional: true - items: - - key: tls.key - path: common-etcd-client.key - - key: tls.crt - path: common-etcd-client.crt - - key: ca.crt - path: common-etcd-client-ca.crt - # note: we configure the volume for the kvstoremesh-specific certificate - # regardless of whether KVStoreMesh is enabled or not, so that it can be - # automatically mounted in case KVStoreMesh gets subsequently enabled, - # without requiring an agent restart. 
- - secret: - name: clustermesh-apiserver-local-cert - optional: true - items: - - key: tls.key - path: local-etcd-client.key - - key: tls.crt - path: local-etcd-client.crt - - key: ca.crt - path: local-etcd-client-ca.crt - - name: host-proc-sys-net - hostPath: - path: /proc/sys/net - type: Directory - - name: host-proc-sys-kernel - hostPath: - path: /proc/sys/kernel - type: Directory - - name: hubble-tls - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: hubble-server-certs - optional: true - items: - - key: tls.crt - path: server.crt - - key: tls.key - path: server.key - - key: ca.crt - path: client-ca.crt - --- - # Source: cilium/templates/cilium-envoy/daemonset.yaml - apiVersion: apps/v1 - kind: DaemonSet - metadata: - name: cilium-envoy - namespace: kube-system - labels: - k8s-app: cilium-envoy - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-envoy - name: cilium-envoy - spec: - selector: - matchLabels: - k8s-app: cilium-envoy - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: cilium-envoy - name: cilium-envoy - app.kubernetes.io/name: cilium-envoy - app.kubernetes.io/part-of: cilium - spec: - securityContext: - appArmorProfile: - type: Unconfined - containers: - - name: cilium-envoy - image: "quay.io/cilium/cilium-envoy:v1.34.10-1761014632-c360e8557eb41011dfb5210f8fb53fed6c0b3222@sha256:ca76eb4e9812d114c7f43215a742c00b8bf41200992af0d21b5561d46156fd15" - imagePullPolicy: IfNotPresent - command: - - /usr/bin/cilium-envoy-starter - args: - - '--' - - '-c /var/run/cilium/envoy/bootstrap-config.json' - - '--base-id 0' - - '--log-level info' - startupProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - failureThreshold: 105 - periodSeconds: 2 - successThreshold: 1 - initialDelaySeconds: 5 - livenessProbe: - httpGet: - host: 
"127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9878 - scheme: HTTP - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - ports: - - name: envoy-metrics - containerPort: 9964 - hostPort: 9964 - protocol: TCP - securityContext: - seLinuxOptions: - level: s0 - type: spc_t - capabilities: - add: - - NET_ADMIN - - SYS_ADMIN - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - name: envoy-sockets - mountPath: /var/run/cilium/envoy/sockets - readOnly: false - - name: envoy-artifacts - mountPath: /var/run/cilium/envoy/artifacts - readOnly: true - - name: envoy-config - mountPath: /var/run/cilium/envoy/ - readOnly: true - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer - restartPolicy: Always - priorityClassName: system-node-critical - serviceAccountName: "cilium-envoy" - automountServiceAccountToken: true - terminationGracePeriodSeconds: 1 - hostNetwork: true - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: cilium.io/no-schedule - operator: NotIn - values: - - "true" - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium-envoy - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - 
tolerations: - - operator: Exists - volumes: - - name: envoy-sockets - hostPath: - path: "/var/run/cilium/envoy/sockets" - type: DirectoryOrCreate - - name: envoy-artifacts - hostPath: - path: "/var/run/cilium/envoy/artifacts" - type: DirectoryOrCreate - - name: envoy-config - configMap: - name: "cilium-envoy-config" - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - items: - - key: bootstrap-config.json - path: bootstrap-config.json - # To keep state between restarts / upgrades - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - --- - # Source: cilium/templates/cilium-operator/deployment.yaml - apiVersion: apps/v1 - kind: Deployment - metadata: - name: cilium-operator - namespace: kube-system - labels: - io.cilium/app: operator - name: cilium-operator - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator - spec: - # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go - # for more details. - replicas: 2 - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case - # of one replica and no user configured Recreate strategy. - # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the - # podAntiAffinity which prevents deployments of multiple operator replicas on the same node. 
- strategy: - rollingUpdate: - maxSurge: 25% - maxUnavailable: 50% - type: RollingUpdate - template: - metadata: - annotations: - prometheus.io/port: "9963" - prometheus.io/scrape: "true" - labels: - io.cilium/app: operator - name: cilium-operator - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: cilium-operator - spec: - securityContext: - seccompProfile: - type: RuntimeDefault - containers: - - name: cilium-operator - image: "quay.io/cilium/operator-generic:v1.18.3@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797" - imagePullPolicy: IfNotPresent - command: - - cilium-operator-generic - args: - - --config-dir=/tmp/cilium/config-map - - --debug=$(CILIUM_DEBUG) - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_DEBUG - valueFrom: - configMapKeyRef: - key: debug - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "localhost" - - name: KUBERNETES_SERVICE_PORT - value: "7445" - ports: - - name: prometheus - containerPort: 9963 - hostPort: 9963 - protocol: TCP - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9234 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 3 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9234 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 3 - failureThreshold: 5 - volumeMounts: - - name: cilium-config-path - mountPath: /tmp/cilium/config-map - readOnly: true - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - terminationMessagePolicy: FallbackToLogsOnError - hostNetwork: true - restartPolicy: Always - priorityClassName: system-cluster-critical - serviceAccountName: "cilium-operator" - automountServiceAccountToken: true - # In HA mode, cilium-operator pods must not be 
scheduled on the same - # node as they will clash with each other. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - io.cilium/app: operator - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - key: node-role.kubernetes.io/master - operator: Exists - - key: node.kubernetes.io/not-ready - operator: Exists - - key: node.cloudprovider.kubernetes.io/uninitialized - operator: Exists - - key: node.cilium.io/agent-not-ready - operator: Exists - - volumes: - # To read the configuration from the config map - - name: cilium-config-path - configMap: - name: cilium-config - --- - # Source: cilium/templates/hubble-relay/deployment.yaml - apiVersion: apps/v1 - kind: Deployment - metadata: - name: hubble-relay - namespace: kube-system - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - - spec: - replicas: 1 - selector: - matchLabels: - k8s-app: hubble-relay - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay - app.kubernetes.io/part-of: cilium - spec: - securityContext: - fsGroup: 65532 - seccompProfile: - type: RuntimeDefault - containers: - - name: hubble-relay - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 - seccompProfile: - type: RuntimeDefault - image: "quay.io/cilium/hubble-relay:v1.18.3@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3" - imagePullPolicy: IfNotPresent - command: - - hubble-relay - args: - - serve - ports: - - name: grpc - containerPort: 4245 - readinessProbe: - grpc: - port: 4222 - timeoutSeconds: 3 - # livenessProbe will kill the pod, we should be very conservative - # here 
on failures since killing the pod should be a last resort, and - # we should provide enough time for relay to retry before killing it. - livenessProbe: - grpc: - port: 4222 - timeoutSeconds: 10 - # Give relay time to establish connections and make a few retries - # before starting livenessProbes. - initialDelaySeconds: 10 - # 10 second * 12 failures = 2 minutes of failure. - # If relay cannot become healthy after 2 minutes, then killing it - # might resolve whatever issue is occurring. - # - # 10 seconds is a reasonable retry period so we can see if it's - # failing regularly or only sporadically. - periodSeconds: 10 - failureThreshold: 12 - startupProbe: - grpc: - port: 4222 - # Give relay time to get it's certs and establish connections and - # make a few retries before starting startupProbes. - initialDelaySeconds: 10 - # 20 * 3 seconds = 1 minute of failure before we consider startup as failed. - failureThreshold: 20 - # Retry more frequently at startup so that it can be considered started more quickly. 
- periodSeconds: 3 - volumeMounts: - - name: config - mountPath: /etc/hubble-relay - readOnly: true - - name: tls - mountPath: /var/lib/hubble-relay/tls - readOnly: true - terminationMessagePolicy: FallbackToLogsOnError - - restartPolicy: Always - priorityClassName: - serviceAccountName: "hubble-relay" - automountServiceAccountToken: false - terminationGracePeriodSeconds: 1 - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname - nodeSelector: - kubernetes.io/os: linux - volumes: - - name: config - configMap: - name: hubble-relay-config - items: - - key: config.yaml - path: config.yaml - - name: tls - projected: - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - sources: - - secret: - name: hubble-relay-client-certs - items: - - key: tls.crt - path: client.crt - - key: tls.key - path: client.key - - key: ca.crt - path: hubble-server-ca.crt - --- - # Source: cilium/templates/hubble-ui/deployment.yaml - kind: Deployment - apiVersion: apps/v1 - metadata: - name: hubble-ui - namespace: kube-system - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium - spec: - replicas: 1 - selector: - matchLabels: - k8s-app: hubble-ui - strategy: - rollingUpdate: - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - labels: - k8s-app: hubble-ui - app.kubernetes.io/name: hubble-ui - app.kubernetes.io/part-of: cilium - spec: - securityContext: - fsGroup: 1001 - runAsGroup: 1001 - runAsUser: 1001 - priorityClassName: - serviceAccountName: "hubble-ui" - automountServiceAccountToken: true - containers: - - name: frontend - image: "quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d" - imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 8081 - livenessProbe: - httpGet: - 
path: /healthz - port: 8081 - readinessProbe: - httpGet: - path: / - port: 8081 - volumeMounts: - - name: hubble-ui-nginx-conf - mountPath: /etc/nginx/conf.d/default.conf - subPath: nginx.conf - - name: tmp-dir - mountPath: /tmp - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - allowPrivilegeEscalation: false - - name: backend - image: "quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953" - imagePullPolicy: IfNotPresent - env: - - name: EVENTS_SERVER_PORT - value: "8090" - - name: FLOWS_API_ADDR - value: "hubble-relay:80" - ports: - - name: grpc - containerPort: 8090 - volumeMounts: - terminationMessagePolicy: FallbackToLogsOnError - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - volumes: - - configMap: - defaultMode: 420 - name: hubble-ui-nginx - name: hubble-ui-nginx-conf - - emptyDir: {} - name: tmp-dir diff --git a/talos/patches/network.yaml b/talos/patches/network.yaml new file mode 100644 index 0000000..2b7b65d --- /dev/null +++ b/talos/patches/network.yaml @@ -0,0 +1,6 @@ +cluster: + network: + cni: + name: none + proxy: + disabled: true diff --git a/talos/patches/cilium.sh b/talos/scripts/cilium.sh similarity index 63% rename from talos/patches/cilium.sh rename to talos/scripts/cilium.sh index 1669357..8c30175 100644 --- a/talos/patches/cilium.sh +++ b/talos/scripts/cilium.sh @@ -1,20 +1,7 @@ #!/usr/bin/env bash -cat > template.yaml << 'EOF' -cluster: - network: - cni: - name: none - proxy: - disabled: true - inlineManifests: - - name: cilium - contents: | - __CILIUM_MANIFEST__ -EOF - helm repo add cilium https://helm.cilium.io/ -helm template \ +helm install \ cilium \ cilium/cilium \ --version 1.18.3 \ 
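Review bot: The new talos/patches/network.yaml gives no hint why both the CNI and kube-proxy are switched off, and a reader applying this patch on its own gets a cluster with no pod networking until something else provides it. A one-line comment above `cluster:` would keep that intent attached to the file, e.g. `# CNI and kube-proxy are intentionally disabled: Cilium is installed afterwards by talos/scripts/cilium.sh`. The coupling is inferred from the rename in this same commit, so adjust the wording if the install step lives elsewhere.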
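Review bot: The `helm install \` that replaces `helm template \` is not re-runnable: a second invocation fails with a release-already-exists error, whereas the rendered-template flow it replaces had no cluster side effect, so `helm upgrade --install \` would keep the script idempotent and also cover later `--version` bumps. The script still has no `set -euo pipefail` between the shebang and `helm repo add`, which mattered little for a render-only script but now means a failed `helm repo add` (no network, stale index) does not stop a command that mutates the cluster. The rest of the install flags are outside this hunk; if they do not pass `--namespace kube-system`, the release lands in `default`, whereas the deleted rendered manifest placed every Cilium component and its RBAC bindings in kube-system.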
@@ -29,9 +16,4 @@ helm template \
 --set cgroup.autoMount.enabled=false \
 --set cgroup.hostRoot=/sys/fs/cgroup \
 --set k8sServiceHost=localhost \
- --set k8sServicePort=7445 | sed 's/^/ /' > manifest.tmp
-
-sed -e '/__CILIUM_MANIFEST__/r manifest.tmp' -e '/__CILIUM_MANIFEST__/d' template.yaml > cilium.yaml
-
-rm manifest.tmp
-rm template.yaml
\ No newline at end of file
+ --set k8sServicePort=7445
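Review bot: The install command now ends at `+ --set k8sServicePort=7445` and returns as soon as the release objects are created, not when the agent DaemonSet is actually running; since this script is what brings networking up on a cluster bootstrapped with `cni: none`, a zero exit no longer means the nodes have a CNI. Appending `--wait --timeout 10m` to the `helm install` line (or following it with `cilium status --wait`, if the cilium CLI is available where this runs) makes a failure surface here instead of as NotReady nodes later. The command itself starts in the previous hunk, outside this one.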