Created
December 6, 2019 16:52
---
# Source: cilium/charts/config/templates/configmap.yaml
#
# Shared configuration for the cilium agent DaemonSet and the cilium-operator
# Deployment rendered below (chart output for image tag v1.6.4).
# The agent mounts this ConfigMap read-only at /tmp/cilium/config-map and is
# started with --config-dir pointing at it; the operator reads single keys via
# configMapKeyRef env entries. Every value is a plain string, which is why
# boolean-looking values are quoted here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  # Identity allocation mode selects how identities are shared between cilium
  # nodes by setting how they are stored. The options are "crd" or "kvstore".
  # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
  #   These can be queried with:
  #     kubectl get ciliumid
  # - "kvstore" stores identities in a kvstore, etcd or consul, that is
  #   configured below. Cilium versions before 1.6 supported only the kvstore
  #   backend. Upgrades from these older cilium versions should continue using
  #   the kvstore by commenting out the identity-allocation-mode below, or
  #   setting it to "kvstore".
  #
  # No kvstore / kvstore-opt keys are set in this ConfigMap, so "crd" is the
  # only mode this rendering supports as-is. Identities then live in
  # ciliumidentities objects, which both ClusterRoles below grant '*' on.
  identity-allocation-mode: crd
  # If you want to run cilium in debug mode change this value to true
  # NOTE(review): debug output is verbose and may expose policy/identity
  # detail in agent and operator logs; keep "false" outside troubleshooting.
  debug: "false"
  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "true"
  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
  enable-ipv6: "false"
  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the less packets
  # that will be seen in monitor output.
  monitor-aggregation: medium
  # ct-global-max-entries-* specifies the maximum number of connections
  # supported across all endpoints, split by protocol: tcp or other. One pair
  # of maps uses these values for IPv4 connections, and another pair of maps
  # use these values for IPv6 connections.
  #
  # If these values are modified, then during the next Cilium startup the
  # tracking of ongoing connections may be disrupted. This may lead to brief
  # policy drops or a change in loadbalancing decisions for a connection.
  #
  # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
  # during the upgrade process, comment out these options.
  bpf-ct-global-tcp-max: "524288"
  bpf-ct-global-any-max: "262144"
  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # This may lead to policy drops or a change in loadbalancing decisions for a
  # connection for some time. Endpoints may need to be recreated to restore
  # connectivity.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "false"
  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  # NOTE(review): the pattern is not anchored; unless the agent anchors it,
  # any image name containing this substring is treated as the sidecar.
  # Confirm against the agent before relying on it in mixed-registry clusters.
  sidecar-istio-proxy-image: "cilium/istio_proxy"
  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  # Note: the overlay is encapsulation only; it provides no encryption.
  tunnel: vxlan
  # Name of the cluster. Only relevant when building a mesh of clusters.
  # Read by the operator via CILIUM_CLUSTER_NAME; the matching cluster-id key
  # is not set here.
  cluster-name: default
  # DNS Polling periodically issues a DNS lookup for each `matchName` from
  # cilium-agent. The result is used to regenerate endpoint policy.
  # DNS lookups are repeated with an interval of 5 seconds, and are made for
  # A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP
  # data is used instead. An IP change will trigger a regeneration of the Cilium
  # policy for each endpoint and increment the per cilium-agent policy
  # repository revision.
  #
  # This option is disabled by default starting from version 1.4.x in favor
  # of a more powerful DNS proxy-based implementation, see [0] for details.
  # Enable this option if you want to use FQDN policies but do not want to use
  # the DNS proxy.
  #
  # To ease upgrade, users may opt to set this option to "true".
  # Otherwise please refer to the Upgrade Guide [1] which explains how to
  # prepare policy rules for upgrade.
  #
  # [0] https://docs.cilium.io/en/stable/policy/language/#dns-based
  # [1] https://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
  tofqdns-enable-poller: "false"
  # wait-bpf-mount makes init container wait until bpf filesystem is mounted
  # (consumed by the clean-cilium-state init container as CILIUM_WAIT_BPF_MOUNT)
  wait-bpf-mount: "false"
  # Enable fetching of container-runtime specific metadata
  #
  # By default, the Kubernetes pod and namespace labels are retrieved and
  # associated with endpoints for identification purposes. By integrating
  # with the container runtime, container runtime specific labels can be
  # retrieved, such labels will be prefixed with container:
  #
  # CAUTION: The container runtime labels can include information such as pod
  # annotations which may result in each pod being associated a unique set of
  # labels which can result in excessive security identities being allocated.
  # Please review the labels filter when enabling container runtime labels.
  #
  # Supported values:
  #   - containerd
  #   - crio
  #   - docker
  #   - none
  #   - auto (automatically detect the container runtime)
  #
  # "none" also means the agent never needs to talk to the runtime socket.
  container-runtime: none
  # The remaining keys are emitted by the chart without commentary; their
  # semantics are not documented in this file (see cilium-agent --help).
  masquerade: "true"
  # The agent manages iptables rules itself; the DaemonSet mounts the host's
  # /run/xtables.lock so it can do so concurrently with kube-proxy.
  install-iptables-rules: "true"
  auto-direct-node-routes: "false"
  enable-node-port: "false"
---
# Source: cilium/charts/agent/templates/serviceaccount.yaml
#
# Identity for the cilium agent DaemonSet. It is bound cluster-wide to the
# "cilium" ClusterRole by the ClusterRoleBinding below, so its token on every
# node carries those permissions. automountServiceAccountToken is left at its
# default (true); the agent needs the token to reach the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium
  namespace: kube-system
---
# Source: cilium/charts/operator/templates/serviceaccount.yaml
#
# Identity for the cilium-operator Deployment. Bound cluster-wide to the
# "cilium-operator" ClusterRole below (which includes pod deletion in every
# namespace), so treat this account's token accordingly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-operator
  namespace: kube-system
<!-- placeholder removed -->
--- | |
# Source: cilium/charts/operator/templates/clusterrole.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
name: cilium-operator | |
rules: | |
- apiGroups: | |
- "" | |
resources: | |
# to automatically delete [core|kube]dns pods so that are starting to being | |
# managed by Cilium | |
- pods | |
verbs: | |
- get | |
- list | |
- watch | |
- delete | |
- apiGroups: | |
- "" | |
resources: | |
# to automatically read from k8s and import the node's pod CIDR to cilium's | |
# etcd so all nodes know how to reach another pod running in in a different | |
# node. | |
- nodes | |
# to perform the translation of a CNP that contains `ToGroup` to its endpoints | |
- services | |
- endpoints | |
# to check apiserver connectivity | |
- namespaces | |
verbs: | |
- get | |
- list | |
- watch | |
- apiGroups: | |
- cilium.io | |
resources: | |
- ciliumnetworkpolicies | |
- ciliumnetworkpolicies/status | |
- ciliumendpoints | |
- ciliumendpoints/status | |
- ciliumnodes | |
- ciliumnodes/status | |
- ciliumidentities | |
- ciliumidentities/status | |
verbs: | |
- '*' | |
--- | |
# Source: cilium/charts/agent/templates/clusterrolebinding.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: cilium | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: cilium | |
subjects: | |
- kind: ServiceAccount | |
name: cilium | |
namespace: kube-system | |
--- | |
# Source: cilium/charts/operator/templates/clusterrolebinding.yaml | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
name: cilium-operator | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: cilium-operator | |
subjects: | |
- kind: ServiceAccount | |
name: cilium-operator | |
namespace: kube-system | |
--- | |
# Source: cilium/charts/agent/templates/daemonset.yaml | |
apiVersion: apps/v1 | |
kind: DaemonSet | |
metadata: | |
labels: | |
k8s-app: cilium | |
kubernetes.io/cluster-service: "true" | |
name: cilium | |
namespace: kube-system | |
spec: | |
selector: | |
matchLabels: | |
k8s-app: cilium | |
kubernetes.io/cluster-service: "true" | |
template: | |
metadata: | |
annotations: | |
# This annotation plus the CriticalAddonsOnly toleration makes | |
# cilium to be a critical pod in the cluster, which ensures cilium | |
# gets priority scheduling. | |
# https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ | |
scheduler.alpha.kubernetes.io/critical-pod: "" | |
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]' | |
labels: | |
k8s-app: cilium | |
kubernetes.io/cluster-service: "true" | |
spec: | |
containers: | |
- args: | |
- --config-dir=/tmp/cilium/config-map | |
command: | |
- cilium-agent | |
env: | |
- name: K8S_NODE_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: spec.nodeName | |
- name: CILIUM_K8S_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: CILIUM_FLANNEL_MASTER_DEVICE | |
valueFrom: | |
configMapKeyRef: | |
key: flannel-master-device | |
name: cilium-config | |
optional: true | |
- name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT | |
valueFrom: | |
configMapKeyRef: | |
key: flannel-uninstall-on-exit | |
name: cilium-config | |
optional: true | |
- name: CILIUM_CLUSTERMESH_CONFIG | |
value: /var/lib/cilium/clustermesh/ | |
- name: CILIUM_CNI_CHAINING_MODE | |
valueFrom: | |
configMapKeyRef: | |
key: cni-chaining-mode | |
name: cilium-config | |
optional: true | |
- name: CILIUM_CUSTOM_CNI_CONF | |
valueFrom: | |
configMapKeyRef: | |
key: custom-cni-conf | |
name: cilium-config | |
optional: true | |
image: "docker.io/cilium/cilium:v1.6.4" | |
imagePullPolicy: IfNotPresent | |
lifecycle: | |
postStart: | |
exec: | |
command: | |
- /cni-install.sh | |
preStop: | |
exec: | |
command: | |
- /cni-uninstall.sh | |
livenessProbe: | |
exec: | |
command: | |
- cilium | |
- status | |
- --brief | |
failureThreshold: 10 | |
# The initial delay for the liveness probe is intentionally large to | |
# avoid an endless kill & restart cycle if in the event that the initial | |
# bootstrapping takes longer than expected. | |
initialDelaySeconds: 120 | |
periodSeconds: 30 | |
successThreshold: 1 | |
timeoutSeconds: 5 | |
name: cilium-agent | |
readinessProbe: | |
exec: | |
command: | |
- cilium | |
- status | |
- --brief | |
failureThreshold: 3 | |
initialDelaySeconds: 5 | |
periodSeconds: 30 | |
successThreshold: 1 | |
timeoutSeconds: 5 | |
securityContext: | |
capabilities: | |
add: | |
- NET_ADMIN | |
- SYS_MODULE | |
privileged: true | |
volumeMounts: | |
- mountPath: /sys/fs/bpf | |
name: bpf-maps | |
- mountPath: /var/run/cilium | |
name: cilium-run | |
- mountPath: /host/opt/cni/bin | |
name: cni-path | |
- mountPath: /host/etc/cni/net.d | |
name: etc-cni-netd | |
- mountPath: /var/lib/cilium/clustermesh | |
name: clustermesh-secrets | |
readOnly: true | |
- mountPath: /tmp/cilium/config-map | |
name: cilium-config-path | |
readOnly: true | |
# Needed to be able to load kernel modules | |
- mountPath: /lib/modules | |
name: lib-modules | |
readOnly: true | |
- mountPath: /run/xtables.lock | |
name: xtables-lock | |
hostNetwork: true | |
initContainers: | |
- command: | |
- /init-container.sh | |
env: | |
- name: CILIUM_ALL_STATE | |
valueFrom: | |
configMapKeyRef: | |
key: clean-cilium-state | |
name: cilium-config | |
optional: true | |
- name: CILIUM_BPF_STATE | |
valueFrom: | |
configMapKeyRef: | |
key: clean-cilium-bpf-state | |
name: cilium-config | |
optional: true | |
- name: CILIUM_WAIT_BPF_MOUNT | |
valueFrom: | |
configMapKeyRef: | |
key: wait-bpf-mount | |
name: cilium-config | |
optional: true | |
image: "docker.io/cilium/cilium:v1.6.4" | |
imagePullPolicy: IfNotPresent | |
name: clean-cilium-state | |
securityContext: | |
capabilities: | |
add: | |
- NET_ADMIN | |
privileged: true | |
volumeMounts: | |
- mountPath: /sys/fs/bpf | |
name: bpf-maps | |
- mountPath: /var/run/cilium | |
name: cilium-run | |
restartPolicy: Always | |
serviceAccount: cilium | |
serviceAccountName: cilium | |
terminationGracePeriodSeconds: 1 | |
tolerations: | |
- operator: Exists | |
volumes: | |
# To keep state between restarts / upgrades | |
- hostPath: | |
path: /var/run/cilium | |
type: DirectoryOrCreate | |
name: cilium-run | |
# To keep state between restarts / upgrades for bpf maps | |
- hostPath: | |
path: /sys/fs/bpf | |
type: DirectoryOrCreate | |
name: bpf-maps | |
# To install cilium cni plugin in the host | |
- hostPath: | |
path: /opt/cni/bin | |
type: DirectoryOrCreate | |
name: cni-path | |
# To install cilium cni configuration in the host | |
- hostPath: | |
path: /etc/cni/net.d | |
type: DirectoryOrCreate | |
name: etc-cni-netd | |
# To be able to load kernel modules | |
- hostPath: | |
path: /lib/modules | |
name: lib-modules | |
# To access iptables concurrently with other processes (e.g. kube-proxy) | |
- hostPath: | |
path: /run/xtables.lock | |
type: FileOrCreate | |
name: xtables-lock | |
# To read the clustermesh configuration | |
- name: clustermesh-secrets | |
secret: | |
defaultMode: 420 | |
optional: true | |
secretName: cilium-clustermesh | |
# To read the configuration from the config map | |
- configMap: | |
name: cilium-config | |
name: cilium-config-path | |
updateStrategy: | |
rollingUpdate: | |
maxUnavailable: 2 | |
type: RollingUpdate | |
--- | |
# Source: cilium/charts/operator/templates/deployment.yaml | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
labels: | |
io.cilium/app: operator | |
name: cilium-operator | |
name: cilium-operator | |
namespace: kube-system | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
io.cilium/app: operator | |
name: cilium-operator | |
strategy: | |
rollingUpdate: | |
maxSurge: 1 | |
maxUnavailable: 1 | |
type: RollingUpdate | |
template: | |
metadata: | |
annotations: | |
labels: | |
io.cilium/app: operator | |
name: cilium-operator | |
spec: | |
containers: | |
- args: | |
- --debug=$(CILIUM_DEBUG) | |
- --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE) | |
command: | |
- cilium-operator | |
env: | |
- name: CILIUM_K8S_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: K8S_NODE_NAME | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: spec.nodeName | |
- name: CILIUM_DEBUG | |
valueFrom: | |
configMapKeyRef: | |
key: debug | |
name: cilium-config | |
optional: true | |
- name: CILIUM_CLUSTER_NAME | |
valueFrom: | |
configMapKeyRef: | |
key: cluster-name | |
name: cilium-config | |
optional: true | |
- name: CILIUM_CLUSTER_ID | |
valueFrom: | |
configMapKeyRef: | |
key: cluster-id | |
name: cilium-config | |
optional: true | |
- name: CILIUM_IPAM | |
valueFrom: | |
configMapKeyRef: | |
key: ipam | |
name: cilium-config | |
optional: true | |
- name: CILIUM_DISABLE_ENDPOINT_CRD | |
valueFrom: | |
configMapKeyRef: | |
key: disable-endpoint-crd | |
name: cilium-config | |
optional: true | |
- name: CILIUM_KVSTORE | |
valueFrom: | |
configMapKeyRef: | |
key: kvstore | |
name: cilium-config | |
optional: true | |
- name: CILIUM_KVSTORE_OPT | |
valueFrom: | |
configMapKeyRef: | |
key: kvstore-opt | |
name: cilium-config | |
optional: true | |
- name: AWS_ACCESS_KEY_ID | |
valueFrom: | |
secretKeyRef: | |
key: AWS_ACCESS_KEY_ID | |
name: cilium-aws | |
optional: true | |
- name: AWS_SECRET_ACCESS_KEY | |
valueFrom: | |
secretKeyRef: | |
key: AWS_SECRET_ACCESS_KEY | |
name: cilium-aws | |
optional: true | |
- name: AWS_DEFAULT_REGION | |
valueFrom: | |
secretKeyRef: | |
key: AWS_DEFAULT_REGION | |
name: cilium-aws | |
optional: true | |
- name: CILIUM_IDENTITY_ALLOCATION_MODE | |
valueFrom: | |
configMapKeyRef: | |
key: identity-allocation-mode | |
name: cilium-config | |
optional: true | |
image: "docker.io/cilium/operator:v1.6.4" | |
imagePullPolicy: IfNotPresent | |
name: cilium-operator | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 9234 | |
scheme: HTTP | |
initialDelaySeconds: 60 | |
periodSeconds: 10 | |
timeoutSeconds: 3 | |
hostNetwork: true | |
restartPolicy: Always | |
serviceAccount: cilium-operator | |
serviceAccountName: cilium-operator |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment