Talos config.
# Talos machine-config patch (JSON-patch style, referenced from the talconfig
# below as "@./inlinemanifests.yaml"): adds two entries to
# /cluster/inlineManifests, the Cilium CNI and the kubelet CSR approver.
# Both payloads carry meta.helm.sh annotations, i.e. they look like
# pre-rendered Helm chart output pasted in verbatim.
- op: add
  path: /cluster/inlineManifests
  value:
    - name: cilium
      # Block scalar: everything indented below is carried as one multi-document
      # Kubernetes manifest string and is not interpreted as Talos config.
      contents: |
        # Identity of the cilium-agent DaemonSet (serviceAccountName: cilium below).
        # Bound to the `cilium` ClusterRole and the namespaced `cilium-config-agent` Role.
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
          name: cilium
          namespace: kube-system
        ---
        # Identity of the cilium-operator Deployment; bound to the `cilium-operator`
        # ClusterRole below. Kept separate from the agent account so the two
        # privilege sets stay distinct.
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
          name: cilium-operator
          namespace: kube-system
        ---
        # Namespaced, read-only access to ConfigMaps in kube-system for the agent.
        # Keeping this out of the ClusterRole limits ConfigMap reads to one namespace.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium-config-agent
          namespace: kube-system
        rules:
        - apiGroups:
          - ""
          resources:
          - configmaps
          verbs:
          - get
          - list
          - watch
        ---
        # Cluster-wide permissions of the cilium-agent. Core/discovery/networking
        # resources are read-only; write verbs are confined to cilium.io objects
        # (create/update/delete on identities, endpoints, nodes and status patches).
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium
        rules:
        - apiGroups:
          - networking.k8s.io
          resources:
          - networkpolicies
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - discovery.k8s.io
          resources:
          - endpointslices
          verbs:
          - get
          - list
          - watch
        # Read-only view of pods/services/nodes across all namespaces; this is the
        # broadest read grant in the role.
        - apiGroups:
          - ""
          resources:
          - namespaces
          - services
          - pods
          - endpoints
          - nodes
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - apiextensions.k8s.io
          resources:
          - customresourcedefinitions
          verbs:
          - list
          - watch
          - get
        - apiGroups:
          - cilium.io
          resources:
          - ciliumloadbalancerippools
          - ciliumbgppeeringpolicies
          - ciliumclusterwideenvoyconfigs
          - ciliumclusterwidenetworkpolicies
          - ciliumegressgatewaypolicies
          - ciliumendpoints
          - ciliumendpointslices
          - ciliumenvoyconfigs
          - ciliumidentities
          - ciliumlocalredirectpolicies
          - ciliumnetworkpolicies
          - ciliumnodes
          - ciliumnodeconfigs
          - ciliumcidrgroups
          - ciliuml2announcementpolicies
          - ciliumpodippools
          verbs:
          - list
          - watch
        # Write access below is per-resource rather than a blanket "*" on cilium.io.
        - apiGroups:
          - cilium.io
          resources:
          - ciliumidentities
          - ciliumendpoints
          - ciliumnodes
          verbs:
          - create
        - apiGroups:
          - cilium.io
          resources:
          - ciliumidentities
          verbs:
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumendpoints
          verbs:
          - delete
          - get
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnodes
          - ciliumnodes/status
          verbs:
          - get
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnetworkpolicies/status
          - ciliumclusterwidenetworkpolicies/status
          - ciliumendpoints/status
          - ciliumendpoints
          - ciliuml2announcementpolicies/status
          verbs:
          - patch
        ---
        # Cluster-wide permissions of cilium-operator. Notable grants: `delete` on
        # pods in every namespace, `patch` on nodes/status, and CRD `update` that is
        # restricted by resourceNames to the Cilium CRDs only.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium-operator
        rules:
        # Pod delete is cluster-wide (no resourceNames); presumably used for the
        # unmanaged-pod watcher configured in cilium-config — confirm it is needed.
        - apiGroups:
          - ""
          resources:
          - pods
          verbs:
          - get
          - list
          - watch
          - delete
        - apiGroups:
          - ""
          resources:
          - nodes
          verbs:
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - nodes
          - nodes/status
          verbs:
          - patch
        - apiGroups:
          - discovery.k8s.io
          resources:
          - endpointslices
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - services/status
          verbs:
          - update
          - patch
        - apiGroups:
          - ""
          resources:
          - namespaces
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - services
          - endpoints
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnetworkpolicies
          - ciliumclusterwidenetworkpolicies
          verbs:
          - create
          - update
          - deletecollection
          - patch
          - get
          - list
          - watch
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnetworkpolicies/status
          - ciliumclusterwidenetworkpolicies/status
          verbs:
          - patch
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumendpoints
          - ciliumidentities
          verbs:
          - delete
          - list
          - watch
        - apiGroups:
          - cilium.io
          resources:
          - ciliumidentities
          verbs:
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnodes
          verbs:
          - create
          - update
          - get
          - list
          - watch
          - delete
        - apiGroups:
          - cilium.io
          resources:
          - ciliumnodes/status
          verbs:
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumendpointslices
          - ciliumenvoyconfigs
          verbs:
          - create
          - update
          - get
          - list
          - watch
          - delete
          - patch
        # CRD create is unrestricted (create cannot be limited by resourceNames);
        # update below is pinned to the named Cilium CRDs, so the operator cannot
        # modify other projects' CRDs.
        - apiGroups:
          - apiextensions.k8s.io
          resources:
          - customresourcedefinitions
          verbs:
          - create
          - get
          - list
          - watch
        - apiGroups:
          - apiextensions.k8s.io
          resourceNames:
          - ciliumloadbalancerippools.cilium.io
          - ciliumbgppeeringpolicies.cilium.io
          - ciliumclusterwideenvoyconfigs.cilium.io
          - ciliumclusterwidenetworkpolicies.cilium.io
          - ciliumegressgatewaypolicies.cilium.io
          - ciliumendpoints.cilium.io
          - ciliumendpointslices.cilium.io
          - ciliumenvoyconfigs.cilium.io
          - ciliumexternalworkloads.cilium.io
          - ciliumidentities.cilium.io
          - ciliumlocalredirectpolicies.cilium.io
          - ciliumnetworkpolicies.cilium.io
          - ciliumnodes.cilium.io
          - ciliumnodeconfigs.cilium.io
          - ciliumcidrgroups.cilium.io
          - ciliuml2announcementpolicies.cilium.io
          - ciliumpodippools.cilium.io
          resources:
          - customresourcedefinitions
          verbs:
          - update
        - apiGroups:
          - cilium.io
          resources:
          - ciliumloadbalancerippools
          - ciliumpodippools
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - cilium.io
          resources:
          - ciliumpodippools
          verbs:
          - create
        - apiGroups:
          - cilium.io
          resources:
          - ciliumloadbalancerippools/status
          verbs:
          - patch
        # Leases: leader election between the two operator replicas.
        - apiGroups:
          - coordination.k8s.io
          resources:
          - leases
          verbs:
          - create
          - get
          - update
        ---
        # Grants the agent's ServiceAccount the namespaced ConfigMap read Role.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium-config-agent
          namespace: kube-system
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: cilium-config-agent
        subjects:
        - kind: ServiceAccount
          name: cilium
          namespace: kube-system
        ---
        # Binds the agent's ServiceAccount to the `cilium` ClusterRole.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cilium
        subjects:
        - kind: ServiceAccount
          name: cilium
          namespace: kube-system
        ---
        # Binds the operator's ServiceAccount to the `cilium-operator` ClusterRole.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/part-of: cilium
          name: cilium-operator
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: cilium-operator
        subjects:
        - kind: ServiceAccount
          name: cilium-operator
          namespace: kube-system
        ---
        # Agent/operator configuration, mounted read-only at /tmp/cilium/config-map
        # by both workloads. Keys `clean-cilium-state` and `clean-cilium-bpf-state`,
        # which the clean-cilium-state init container reads as optional, are NOT
        # defined here and therefore stay unset.
        apiVersion: v1
        data:
          agent-not-ready-taint-key: node.cilium.io/agent-not-ready
          arping-refresh-period: 30s
          # Native routing: node routes are installed directly and the pod CIDR
          # below must match clusterPodNets in the Talos config (10.244.0.0/16).
          auto-direct-node-routes: "true"
          bpf-lb-algorithm: maglev
          bpf-lb-external-clusterip: "false"
          bpf-lb-map-max: "65536"
          bpf-lb-mode: dsr
          bpf-lb-sock: "false"
          bpf-lb-sock-hostns-only: "true"
          bpf-map-dynamic-size-ratio: "0.0025"
          bpf-policy-map-max: "16384"
          bpf-root: /sys/fs/bpf
          cgroup-root: /sys/fs/cgroup
          cilium-endpoint-gc-interval: 5m0s
          cluster-id: "1"
          cluster-name: k8s
          cni-exclusive: "false"
          cni-log-file: /var/run/cilium/cilium-cni.log
          custom-cni-conf: "false"
          # Read into CILIUM_DEBUG by the operator Deployment; keep "false" outside
          # of troubleshooting sessions.
          debug: "false"
          debug-verbose: ""
          disable-cnp-status-updates: "false"
          egress-gateway-reconciliation-trigger-interval: 1s
          enable-auto-protect-node-port-range: "true"
          enable-bgp-control-plane: "true"
          enable-bpf-clock-probe: "false"
          enable-bpf-masquerade: "true"
          enable-bpf-tproxy: "true"
          enable-endpoint-health-checking: "true"
          enable-health-check-nodeport: "true"
          enable-health-checking: "true"
          enable-ipv4: "true"
          enable-ipv4-big-tcp: "false"
          enable-ipv4-masquerade: "true"
          enable-ipv6: "false"
          enable-ipv6-big-tcp: "false"
          # IPv6 is disabled above, so this setting presumably has no effect.
          enable-ipv6-masquerade: "true"
          enable-k8s-networkpolicy: "true"
          enable-k8s-terminating-endpoint: "true"
          enable-l2-neigh-discovery: "true"
          enable-l7-proxy: "true"
          enable-local-redirect-policy: "true"
          enable-pmtu-discovery: "true"
          # "default": endpoints are unrestricted until a policy selects them.
          enable-policy: default
          enable-remote-node-identity: "true"
          enable-sctp: "false"
          enable-svc-source-range-check: "true"
          enable-vtep: "false"
          enable-well-known-identities: "false"
          enable-xt-socket-fallback: "true"
          endpoint-status: policy
          external-envoy-proxy: "false"
          identity-allocation-mode: crd
          identity-gc-interval: 15m0s
          identity-heartbeat-timeout: 30m0s
          install-no-conntrack-iptables-rules: "false"
          ipam: kubernetes
          ipam-cilium-node-update-rate: 15s
          ipv4-native-routing-cidr: 10.244.0.0/16
          k8s-client-burst: "10"
          k8s-client-qps: "5"
          # Full kube-proxy replacement; pairs with `proxy.disabled: true` in the
          # Talos control-plane patch.
          kube-proxy-replacement: strict
          kube-proxy-replacement-healthz-bind-address: ""
          mesh-auth-enabled: "true"
          mesh-auth-gc-interval: 5m0s
          mesh-auth-queue-size: "1024"
          mesh-auth-rotated-identities-queue-size: "1024"
          monitor-aggregation: medium
          monitor-aggregation-flags: all
          monitor-aggregation-interval: 5s
          node-port-bind-protection: "true"
          nodes-gc-interval: 5m0s
          # Loopback only; the operator's probes target 127.0.0.1:9234 accordingly.
          operator-api-serve-addr: 127.0.0.1:9234
          preallocate-bpf-maps: "false"
          procfs: /host/proc
          proxy-connect-timeout: "2"
          proxy-max-connection-duration-seconds: "0"
          proxy-max-requests-per-connection: "0"
          proxy-prometheus-port: "9964"
          remove-cilium-node-taints: "true"
          routing-mode: native
          set-cilium-is-up-condition: "true"
          set-cilium-node-taints: "true"
          # Floating image reference (no tag or digest); inert unless the Istio
          # sidecar integration is actually used — pin it if it is.
          sidecar-istio-proxy-image: cilium/istio_proxy
          skip-cnp-status-startup-clean: "false"
          synchronize-k8s-nodes: "true"
          # DNS-proxy tunables used by FQDN-based policies.
          tofqdns-dns-reject-response-code: refused
          tofqdns-enable-dns-compression: "true"
          tofqdns-endpoint-max-ip-per-hostname: "50"
          tofqdns-idle-connection-grace-period: 0s
          tofqdns-max-deferred-connection-deletes: "10000"
          tofqdns-proxy-response-max-delay: 100ms
          unmanaged-pod-watcher-interval: "15"
          vtep-cidr: ""
          vtep-endpoint: ""
          vtep-mac: ""
          vtep-mask: ""
          write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
        kind: ConfigMap
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
          name: cilium-config
          namespace: kube-system
        ---
        # cilium-operator: runs on the host network with the API token mounted.
        # Two replicas with required host anti-affinity; the Talos config below
        # lists a single node, so if that list is complete the second replica
        # will stay Pending — confirm.
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: cilium-operator
            app.kubernetes.io/part-of: cilium
            io.cilium/app: operator
            name: cilium-operator
          name: cilium-operator
          namespace: kube-system
        spec:
          replicas: 2
          selector:
            matchLabels:
              io.cilium/app: operator
              name: cilium-operator
          strategy:
            rollingUpdate:
              maxSurge: 25%
              maxUnavailable: 50%
            type: RollingUpdate
          template:
            metadata:
              annotations:
                # Forces a rollout whenever cilium-config changes.
                cilium.io/cilium-configmap-checksum: 7720174f8150205181910a6f4031c9f94f6311362c065b46fefd3e0982dc1033
              labels:
                app.kubernetes.io/name: cilium-operator
                app.kubernetes.io/part-of: cilium
                io.cilium/app: operator
                name: cilium-operator
            spec:
              affinity:
                podAntiAffinity:
                  requiredDuringSchedulingIgnoredDuringExecution:
                  - labelSelector:
                      matchLabels:
                        io.cilium/app: operator
                    topologyKey: kubernetes.io/hostname
              # Needed: the operator talks to the API server with this token.
              automountServiceAccountToken: true
              containers:
              - args:
                - --config-dir=/tmp/cilium/config-map
                - --debug=$(CILIUM_DEBUG)
                command:
                - cilium-operator-generic
                env:
                - name: K8S_NODE_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: CILIUM_K8S_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: CILIUM_DEBUG
                  valueFrom:
                    configMapKeyRef:
                      key: debug
                      name: cilium-config
                      optional: true
                # API server address is hard-coded to the Talos VIP (vip.ip /
                # endpoint in the talconfig). With kube-proxy disabled there is no
                # kubernetes.default ClusterIP before Cilium is up, so the operator
                # must be pointed at a reachable address explicitly.
                - name: KUBERNETES_SERVICE_HOST
                  value: 10.211.55.28
                - name: KUBERNETES_SERVICE_PORT
                  value: "6443"
                # Pinned by digest, so the tag cannot be silently re-pointed.
                image: quay.io/cilium/operator-generic:v1.14.0@sha256:3014d4bcb8352f0ddef90fa3b5eb1bbf179b91024813a90a0066eb4517ba93c9
                imagePullPolicy: IfNotPresent
                livenessProbe:
                  httpGet:
                    host: 127.0.0.1
                    path: /healthz
                    port: 9234
                    scheme: HTTP
                  initialDelaySeconds: 60
                  periodSeconds: 10
                  timeoutSeconds: 3
                name: cilium-operator
                readinessProbe:
                  failureThreshold: 5
                  httpGet:
                    host: 127.0.0.1
                    path: /healthz
                    port: 9234
                    scheme: HTTP
                  initialDelaySeconds: 0
                  periodSeconds: 5
                  timeoutSeconds: 3
                # NOTE(review): no container securityContext (no capability drop,
                # no runAsNonRoot); the container runs with the image defaults.
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /tmp/cilium/config-map
                  name: cilium-config-path
                  readOnly: true
              hostNetwork: true
              nodeSelector:
                kubernetes.io/os: linux
              priorityClassName: system-cluster-critical
              restartPolicy: Always
              serviceAccount: cilium-operator
              serviceAccountName: cilium-operator
              # Tolerates every taint, including the agent-not-ready taint.
              tolerations:
              - operator: Exists
              volumes:
              - configMap:
                  name: cilium-config
                name: cilium-config-path
        ---
        # cilium-agent DaemonSet. This is the most privileged workload on the page:
        # host network, AppArmor unconfined, SYS_ADMIN/NET_ADMIN and friends on the
        # agent, a fully privileged init container, and writable hostPath mounts
        # of /etc/cni/net.d, /opt/cni/bin, /var/run/cilium and /sys/fs/bpf.
        # That is the usual footprint of an eBPF CNI; anything beyond it should be
        # treated as a regression.
        apiVersion: apps/v1
        kind: DaemonSet
        metadata:
          annotations:
            meta.helm.sh/release-name: cilium
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: cilium-agent
            app.kubernetes.io/part-of: cilium
            k8s-app: cilium
          name: cilium
          namespace: kube-system
        spec:
          selector:
            matchLabels:
              k8s-app: cilium
          template:
            metadata:
              annotations:
                cilium.io/cilium-configmap-checksum: 7720174f8150205181910a6f4031c9f94f6311362c065b46fefd3e0982dc1033
                # AppArmor is switched off for the agent and the state-cleanup init
                # container; both also load/unload eBPF and mount filesystems.
                container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
                container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
              labels:
                app.kubernetes.io/name: cilium-agent
                app.kubernetes.io/part-of: cilium
                k8s-app: cilium
            spec:
              affinity:
                podAntiAffinity:
                  requiredDuringSchedulingIgnoredDuringExecution:
                  - labelSelector:
                      matchLabels:
                        k8s-app: cilium
                    topologyKey: kubernetes.io/hostname
              automountServiceAccountToken: true
              containers:
              - args:
                - --config-dir=/tmp/cilium/config-map
                command:
                - cilium-agent
                env:
                - name: K8S_NODE_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: CILIUM_K8S_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: CILIUM_CLUSTERMESH_CONFIG
                  value: /var/lib/cilium/clustermesh/
                # Same hard-coded API VIP as the operator (see talconfig vip.ip).
                - name: KUBERNETES_SERVICE_HOST
                  value: 10.211.55.28
                - name: KUBERNETES_SERVICE_PORT
                  value: "6443"
                image: quay.io/cilium/cilium:v1.14.0@sha256:5a94b561f4651fcfd85970a50bc78b201cfbd6e2ab1a03848eab25a82832653a
                imagePullPolicy: IfNotPresent
                lifecycle:
                  preStop:
                    exec:
                      command:
                      - /cni-uninstall.sh
                livenessProbe:
                  failureThreshold: 10
                  httpGet:
                    host: 127.0.0.1
                    httpHeaders:
                    - name: brief
                      value: "true"
                    path: /healthz
                    port: 9879
                    scheme: HTTP
                  periodSeconds: 30
                  successThreshold: 1
                  timeoutSeconds: 5
                name: cilium-agent
                readinessProbe:
                  failureThreshold: 3
                  httpGet:
                    host: 127.0.0.1
                    httpHeaders:
                    - name: brief
                      value: "true"
                    path: /healthz
                    port: 9879
                    scheme: HTTP
                  periodSeconds: 30
                  successThreshold: 1
                  timeoutSeconds: 5
                # Drop ALL, then add back an explicit list. SYS_ADMIN plus
                # DAC_OVERRIDE/SETUID/SETGID on the host network is effectively
                # host-level access; the list is the chart's, not a local addition.
                securityContext:
                  capabilities:
                    add:
                    - CHOWN
                    - KILL
                    - NET_ADMIN
                    - NET_RAW
                    - IPC_LOCK
                    - SYS_ADMIN
                    - SYS_RESOURCE
                    - DAC_OVERRIDE
                    - FOWNER
                    - SETGID
                    - SETUID
                    drop:
                    - ALL
                  seLinuxOptions:
                    level: s0
                    type: spc_t
                # 105 x 2s = 3.5 min startup budget before the liveness probe kicks in.
                startupProbe:
                  failureThreshold: 105
                  httpGet:
                    host: 127.0.0.1
                    httpHeaders:
                    - name: brief
                      value: "true"
                    path: /healthz
                    port: 9879
                    scheme: HTTP
                  periodSeconds: 2
                  successThreshold: 1
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /host/proc/sys/net
                  name: host-proc-sys-net
                - mountPath: /host/proc/sys/kernel
                  name: host-proc-sys-kernel
                - mountPath: /sys/fs/bpf
                  mountPropagation: HostToContainer
                  name: bpf-maps
                - mountPath: /sys/fs/cgroup
                  name: cilium-cgroup
                - mountPath: /var/run/cilium
                  name: cilium-run
                # Writable: the agent writes the CNI conflist here
                # (write-cni-conf-when-ready in cilium-config).
                - mountPath: /host/etc/cni/net.d
                  name: etc-cni-netd
                - mountPath: /var/lib/cilium/clustermesh
                  name: clustermesh-secrets
                  readOnly: true
                - mountPath: /lib/modules
                  name: lib-modules
                  readOnly: true
                - mountPath: /run/xtables.lock
                  name: xtables-lock
                - mountPath: /tmp
                  name: tmp
              hostNetwork: true
              initContainers:
              - command:
                - cilium
                - build-config
                env:
                - name: K8S_NODE_NAME
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: spec.nodeName
                - name: CILIUM_K8S_NAMESPACE
                  valueFrom:
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
                - name: KUBERNETES_SERVICE_HOST
                  value: 10.211.55.28
                - name: KUBERNETES_SERVICE_PORT
                  value: "6443"
                image: quay.io/cilium/cilium:v1.14.0@sha256:5a94b561f4651fcfd85970a50bc78b201cfbd6e2ab1a03848eab25a82832653a
                imagePullPolicy: IfNotPresent
                name: config
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /tmp
                  name: tmp
              # Mounts bpffs on the host if it is not already mounted. Fully
              # privileged with Bidirectional propagation, which is what a mount
              # visible to the host requires; it runs a fixed shell one-liner and
              # takes no external input.
              - args:
                - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
                command:
                - /bin/bash
                - -c
                - --
                image: quay.io/cilium/cilium:v1.14.0@sha256:5a94b561f4651fcfd85970a50bc78b201cfbd6e2ab1a03848eab25a82832653a
                imagePullPolicy: IfNotPresent
                name: mount-bpf-fs
                securityContext:
                  privileged: true
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /sys/fs/bpf
                  mountPropagation: Bidirectional
                  name: bpf-maps
              # Optional state wipe on restart, driven by ConfigMap keys that are
              # not defined in cilium-config above — so by default nothing is wiped.
              - command:
                - /init-container.sh
                env:
                - name: CILIUM_ALL_STATE
                  valueFrom:
                    configMapKeyRef:
                      key: clean-cilium-state
                      name: cilium-config
                      optional: true
                - name: CILIUM_BPF_STATE
                  valueFrom:
                    configMapKeyRef:
                      key: clean-cilium-bpf-state
                      name: cilium-config
                      optional: true
                - name: KUBERNETES_SERVICE_HOST
                  value: 10.211.55.28
                - name: KUBERNETES_SERVICE_PORT
                  value: "6443"
                image: quay.io/cilium/cilium:v1.14.0@sha256:5a94b561f4651fcfd85970a50bc78b201cfbd6e2ab1a03848eab25a82832653a
                imagePullPolicy: IfNotPresent
                name: clean-cilium-state
                resources:
                  requests:
                    cpu: 100m
                    memory: 100Mi
                securityContext:
                  capabilities:
                    add:
                    - NET_ADMIN
                    - SYS_ADMIN
                    - SYS_RESOURCE
                    drop:
                    - ALL
                  seLinuxOptions:
                    level: s0
                    type: spc_t
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /sys/fs/bpf
                  name: bpf-maps
                - mountPath: /sys/fs/cgroup
                  mountPropagation: HostToContainer
                  name: cilium-cgroup
                - mountPath: /var/run/cilium
                  name: cilium-run
              # Copies the CNI binary into the host's /opt/cni/bin; all caps dropped.
              - command:
                - /install-plugin.sh
                image: quay.io/cilium/cilium:v1.14.0@sha256:5a94b561f4651fcfd85970a50bc78b201cfbd6e2ab1a03848eab25a82832653a
                imagePullPolicy: IfNotPresent
                name: install-cni-binaries
                resources:
                  requests:
                    cpu: 100m
                    memory: 10Mi
                securityContext:
                  capabilities:
                    drop:
                    - ALL
                  seLinuxOptions:
                    level: s0
                    type: spc_t
                terminationMessagePolicy: FallbackToLogsOnError
                volumeMounts:
                - mountPath: /host/opt/cni/bin
                  name: cni-path
              nodeSelector:
                kubernetes.io/os: linux
              priorityClassName: system-node-critical
              restartPolicy: Always
              serviceAccount: cilium
              serviceAccountName: cilium
              # Very short grace period: the agent is expected to exit promptly on
              # SIGTERM so that a rolling update does not leave the node without CNI.
              terminationGracePeriodSeconds: 1
              tolerations:
              - operator: Exists
              volumes:
              - emptyDir: {}
                name: tmp
              - hostPath:
                  path: /var/run/cilium
                  type: DirectoryOrCreate
                name: cilium-run
              - hostPath:
                  path: /sys/fs/bpf
                  type: DirectoryOrCreate
                name: bpf-maps
              - hostPath:
                  path: /sys/fs/cgroup
                  type: DirectoryOrCreate
                name: cilium-cgroup
              - hostPath:
                  path: /opt/cni/bin
                  type: DirectoryOrCreate
                name: cni-path
              - hostPath:
                  path: /etc/cni/net.d
                  type: DirectoryOrCreate
                name: etc-cni-netd
              - hostPath:
                  path: /lib/modules
                name: lib-modules
              - hostPath:
                  path: /run/xtables.lock
                  type: FileOrCreate
                name: xtables-lock
              # Cluster-mesh credentials; both secrets are optional so a single
              # cluster works without them. defaultMode 256 is octal 0400.
              - name: clustermesh-secrets
                projected:
                  defaultMode: 256
                  sources:
                  - secret:
                      name: cilium-clustermesh
                      optional: true
                  - secret:
                      items:
                      - key: tls.key
                        path: common-etcd-client.key
                      - key: tls.crt
                        path: common-etcd-client.crt
                      - key: ca.crt
                        path: common-etcd-client-ca.crt
                      name: clustermesh-apiserver-remote-cert
                      optional: true
              - hostPath:
                  path: /proc/sys/net
                  type: Directory
                name: host-proc-sys-net
              - hostPath:
                  path: /proc/sys/kernel
                  type: Directory
                name: host-proc-sys-kernel
          updateStrategy:
            rollingUpdate:
              maxUnavailable: 2
            type: RollingUpdate
    # Second inline manifest: approves kubelet serving-certificate CSRs. Needed
    # because the Talos patch below sets kubelet `rotate-server-certificates: "true"`,
    # which makes every kubelet request a serving cert that something must approve.
    - name: kubelet-csr-approver
      contents: |
        # Identity of the approver Deployment; bound to the ClusterRole below.
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          annotations:
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/instance: kubelet-csr-approver
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: kubelet-csr-approver
            app.kubernetes.io/version: v1.0.1
            helm.sh/chart: kubelet-csr-approver-1.0.1
          name: kubelet-csr-approver
          namespace: kube-system
        ---
        # Minimal CSR-approval role: read CSRs, update their approval subresource,
        # and `approve` only for the kubernetes.io/kubelet-serving signer
        # (resourceNames), so this identity cannot approve client-auth CSRs.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          annotations:
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
          name: kubelet-csr-approver
        rules:
        # Leader election between the two replicas (-leader-election arg).
        - apiGroups:
          - coordination.k8s.io
          resources:
          - leases
          verbs:
          - create
          - get
          - update
        - apiGroups:
          - certificates.k8s.io
          resources:
          - certificatesigningrequests
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - certificates.k8s.io
          resources:
          - certificatesigningrequests/approval
          verbs:
          - update
        - apiGroups:
          - certificates.k8s.io
          resourceNames:
          - kubernetes.io/kubelet-serving
          resources:
          - signers
          verbs:
          - approve
        ---
        # Binds the approver ServiceAccount to its ClusterRole.
        # NOTE(review): ClusterRoleBinding is cluster-scoped, so `namespace:` under
        # metadata carries no meaning here — confirm the API server accepts it as-is.
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          annotations:
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/managed-by: Helm
          name: kubelet-csr-approver
          namespace: kube-system
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: kubelet-csr-approver
        subjects:
        - kind: ServiceAccount
          name: kubelet-csr-approver
          namespace: kube-system
        ---
        # ClusterIP service exposing only the metrics port (8080, plain HTTP).
        # The health port 8081 is intentionally not exposed.
        apiVersion: v1
        kind: Service
        metadata:
          annotations:
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
            prometheus.io/port: "8080"
            prometheus.io/scrape: "true"
          labels:
            app.kubernetes.io/instance: kubelet-csr-approver
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: kubelet-csr-approver
            app.kubernetes.io/version: v1.0.1
            helm.sh/chart: kubelet-csr-approver-1.0.1
          name: kubelet-csr-approver
          namespace: kube-system
        spec:
          ports:
          - name: metrics
            port: 8080
            protocol: TCP
            targetPort: metrics
          selector:
            app.kubernetes.io/instance: kubelet-csr-approver
            app.kubernetes.io/name: kubelet-csr-approver
          type: ClusterIP
        ---
        # Approver Deployment. The container hardening is good (non-root, read-only
        # root FS, all caps dropped, no privilege escalation). The approval policy
        # lives in the env vars and deserves a second look — see the notes inline.
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          annotations:
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/instance: kubelet-csr-approver
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: kubelet-csr-approver
            app.kubernetes.io/version: v1.0.1
            helm.sh/chart: kubelet-csr-approver-1.0.1
          name: kubelet-csr-approver
          namespace: kube-system
        spec:
          replicas: 2
          selector:
            matchLabels:
              app.kubernetes.io/instance: kubelet-csr-approver
              app.kubernetes.io/name: kubelet-csr-approver
          template:
            metadata:
              labels:
                app.kubernetes.io/instance: kubelet-csr-approver
                app.kubernetes.io/name: kubelet-csr-approver
            spec:
              containers:
              - args:
                - -metrics-bind-address
                - :8080
                - -health-probe-bind-address
                - :8081
                - -leader-election
                env:
                # NOTE(review): this regex admits node names node1..node3 only, but
                # the Talos config on this page names its node `talos`; as written
                # that node's serving-cert CSRs would presumably not be approved —
                # confirm the intended node names.
                - name: PROVIDER_REGEX
                  value: ^(node1|node2|node3)$
                # NOTE(review): presumably skips the DNS-based check that the CSR's
                # IP SANs belong to the requesting node's hostname, which removes
                # one of the approver's sanity checks — verify against the approver
                # docs and keep it only if the cluster has no resolvable node names.
                - name: BYPASS_DNS_RESOLUTION
                  value: "true"
                - name: ALLOWED_DNS_NAMES
                  value: "1"
                # Pinned by tag only (no digest), unlike the Cilium images above.
                image: ghcr.io/postfinance/kubelet-csr-approver:v1.0.1
                imagePullPolicy: IfNotPresent
                livenessProbe:
                  httpGet:
                    path: /healthz
                    port: 8081
                name: kubelet-csr-approver
                ports:
                - containerPort: 8080
                  name: metrics
                  protocol: TCP
                resources:
                  limits:
                    cpu: 500m
                    memory: 128Mi
                  requests:
                    cpu: 100m
                    memory: 64Mi
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                    - all
                  privileged: false
                  readOnlyRootFilesystem: true
                  runAsNonRoot: true
                  runAsUser: 65532
              securityContext: {}
              serviceAccountName: kubelet-csr-approver
              # `operator: Equal` with no value matches only taints whose value is
              # empty, which is how the control-plane NoSchedule taint is usually set.
              tolerations:
              - effect: NoSchedule
                key: node-role.kubernetes.io/master
                operator: Equal
              - effect: NoSchedule
                key: node-role.kubernetes.io/control-plane
                operator: Equal
        ---
        # Helm `test` hook pod. NOTE(review): inlineManifests are applied without
        # Helm, so the hook annotation presumably has no effect and this Pod is
        # created as an ordinary, unpinned `busybox` workload in kube-system —
        # consider dropping it from the inline bundle.
        apiVersion: v1
        kind: Pod
        metadata:
          annotations:
            helm.sh/hook: test
            meta.helm.sh/release-name: kubelet-csr-approver
            meta.helm.sh/release-namespace: kube-system
          labels:
            app.kubernetes.io/instance: kubelet-csr-approver
            app.kubernetes.io/managed-by: Helm
            app.kubernetes.io/name: kubelet-csr-approver
            app.kubernetes.io/version: v1.0.1
            helm.sh/chart: kubelet-csr-approver-1.0.1
          name: kubelet-csr-approver-test-connection
          namespace: kube-system
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - |
              sleep 10 ; wget -O- -S kubelet-csr-approver:8080/metrics
            # No tag or digest: resolves to whatever `busybox:latest` is at pull time.
            image: busybox
            name: wget
          restartPolicy: Never
# Cluster definition (the layout — clusterName/talosVersion/nodes/controlPlane.patches
# with an "@file" patch reference — looks like a talhelper talconfig; confirm).
# Single control-plane node; the VIP 10.211.55.28 is the API endpoint, is added to
# both cert SAN lists, and is the hard-coded KUBERNETES_SERVICE_HOST in the Cilium
# manifests above.
clusterName: k8s
talosVersion: v1.4.7
kubernetesVersion: 1.27.3
endpoint: https://10.211.55.28:6443
# CNI is left to the inline Cilium manifests; Talos installs none itself.
cniConfig:
  name: none
additionalMachineCertSans:
  - 10.211.55.28
additionalApiServerCertSans:
  - 10.211.55.28
# Must agree with ipv4-native-routing-cidr in cilium-config (10.244.0.0/16).
clusterPodNets:
  - 10.244.0.0/16
clusterSvcNets:
  - 10.96.0.0/12
nodes:
  - hostname: talos
    disableSearchDomain: true
    ipAddress: 10.211.55.26
    controlPlane: true
    installDisk: /dev/sda
    networkInterfaces:
      # Named like a bridge (br0) but configured as a balance-rr bond over two
      # NICs selected by MAC — confirm the intended device type.
      - interface: br0
        dhcp: true
        mtu: 9000
        bond:
          mode: balance-rr
          deviceSelectors:
            - hardwareAddr: '00:1c:42:29:fc:11'
            - hardwareAddr: '00:1c:42:2f:11:61'
        vip:
          ip: 10.211.55.28
controlPlane:
  patches:
    # Inline manifests (Cilium + kubelet-csr-approver) from the sibling file.
    - "@./inlinemanifests.yaml"
    - |-
      cluster:
        # Workloads may land on the control-plane node (there is only one node).
        allowSchedulingOnMasters: true
        etcd:
          advertisedSubnets:
            - 10.211.55.0/24
        # kube-proxy is disabled; Cilium runs with kube-proxy-replacement: strict.
        proxy:
          disabled: true
    - |-
      machine:
        kubelet:
          extraArgs:
            feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,NewVolumeManagerReconstruction=false
            # Kubelet requests serving certs via CSR; the inline
            # kubelet-csr-approver is what approves them.
            rotate-server-certificates: "true"
        network:
          # NOTE(review): this entry lists an IP but no aliases, so it maps the
          # VIP to no hostname — confirm whether an `aliases:` list was intended.
          extraHostEntries:
            - ip: 10.211.55.28
        time:
          disabled: false
          servers:
            - pool.ntp.org
        # Full-disk encryption of the EPHEMERAL and STATE partitions with LUKS2.
        # The key is derived from the node identity (nodeID), so the disks are
        # presumably unreadable when moved to another machine, but there is no
        # passphrase or TPM binding here — verify that matches the threat model.
        systemDiskEncryption:
          ephemeral:
            provider: luks2
            keys:
              - nodeID: {}
                slot: 0
          state:
            provider: luks2
            keys:
              - nodeID: {}
                slot: 0
        install:
          # System extensions are pinned by tag only, not by digest.
          extensions:
            - image: ghcr.io/siderolabs/bnx2-bnx2x:20230310
            - image: ghcr.io/siderolabs/iscsi-tools:v0.1.4
            - image: ghcr.io/siderolabs/i915-ucode:20230310
            - image: ghcr.io/siderolabs/intel-ucode:20230214
          # kernel:
          #   modules:
          #     - name: nvidia
          #     - name: nvidia_uvm
          #     - name: nvidia_drm
          #     - name: nvidia_modeset
        sysctls:
          fs.inotify.max_user_watches: "1048576"
          fs.inotify.max_user_instances: "8192"
          # Effectively unlimited (int64 max); consider a bounded value.
          fs.file-max: "9223372036854775807"
          net.core.rmem_max: "33554432"
          net.core.wmem_max: "33554432"
          # BPF JIT hardening is currently left at the kernel default (commented out).
          # net.core.bpf_jit_harden: 1