Created
March 21, 2022 21:23
samueljon created this gist
Mar 21, 2022
@@ -0,0 +1,798 @@ --- # Source: cilium/templates/cilium-agent/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: "cilium" namespace: kube-system --- # Source: cilium/templates/cilium-operator/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: "cilium-operator" namespace: kube-system --- # Source: cilium/templates/hubble/tls-helm/ca-secret.yaml apiVersion: v1 kind: Secret metadata: name: hubble-ca-secret namespace: kube-system data: ca.crt: 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 ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBM1d3MG1abFhyN1U3Q1A1WnYyek14NlhsU255bGJDTllNejlHL1hPYk13V0xCK0d4CkJtUGRJWVkrWWtTOWp6eG8xVDhJbGtuOXVYSDRvazhPWjEySURoUndsSGNNWFdERmVidUh4b0ZnZjU0YVZmWUEKVGYvVlN0Y0xzOEM1TllMR2Z1VENiYmZaa0xaMlJlSFhXSGxrRk83bHdLQkdwYnJWY25GSGIzWkd0bXBCYkdvUwpLTThBMWo4Wm9HK2U1SGF0Vy9BM1B2S2JjeWxzMGx6dEtsWW1GWG1QSjdTUG5hdWtnUXpUUGVHWlVSQm54NlQ4CnNaVGNNcjRZdWQ0ckF4dFNveXg0ckhwRkJERS84WDRRRXJWODROMjRzZHhPUHRuZWNaOC8vd29EaHRKa0MrQ1EKS3g3LzlWMnM5VjZlbjJQaTB6eWRmd2xtZ2tHUnhHSGFyZ1U0c1FJREFRQUJBb0lCQVFDU2JMc0FGRHE3ZEdLYwoyTzdxdXYxVXphMHFxL0VNNlBhcnRSMngvK0JUUmtnaHB5dFU2WGRUY3g0UUNCcysvSmpxNUNzK2o2R2RIL1JuCkNWYWlIbVVad29TTWVZbVF1cXo4aW5vSVdJaEMvSCszOXQxT3QyOEtkZGxFUHA5NzlvWmpaYzM1bG9ubXUvTE0KMWNOOXU1RG1rdkVXaUNjUDg5U3hRSjRYNUtSd2ZlcHhVbG1FY0JxUjErQ3JmSU9SbVQzUEZNQWNaNXFvbHJCOAo5dm5NQ1M4VlkxdFpZcC96YndHWTdmWmo0RzE5ZnRYbEE3ZFZzVWxWamxEaHpLUVBFbkZYYVJRWWZUeG1Nd1ZyClBoVXBQWlBpaWExbnE0TkUyTkk4SnBId29GeVVWcEZEakl3amJNdE9NZUpqSld1dTVZZkh4aTlFZEV0cGphR3oKUUpBTm9LSlJBb0dCQVB2TWQ4a1BOUTN4K2QyakdFZEtPdjFoK0xzeDNld1RIRG9VQkp1TjVRd2kzNkpmWVBGSwp6Rk96S2JhZXJZRTMwN2hLcjZicHF0cDBrUTZoQkhXUXpzREt0NEs3eTBLTkpqUm5WR0kvVFpmVHBFNmFiQ1pGCmwwVStJNVJvc0JhVjNCQ3AxaGNsekMyUG9YVlJFQWFpcjI0dW14Nmp5eU5oZnNPbnd6VXFLTlZGQW9HQkFPRWQKL1ZDUlRxMUhhTmdZZFhHTGhTZS94Ny9uS1BtV3JyOEJZVUJmNkdXVkY1V2FrK1BBMlAwNHdmdmhldThFTTFtcQoySGpJYktCWnV4ZWxtUEN6VTA2Ym9YN3lwSXlUK29tWkJBZ2xpQUtKejBqK04wN3RmTFJPNFdxYXA5ZXZIR3AzCmJsVEFvZUcxVE9GYWRiZGJY
akZoRXRmYUtqSjdzUnREUkdNU3F4NTlBb0dBZmM0aTZ5blY4Q20rRmFhdk1xODcKMmUxaFFPWWhZeG9KT0Z0WUVnQkxPRTBVUHlRNFkxWmowRTNyd1hwMlplRm12dVZSN2F0QjJmUHpwY045WHVBQwo3UUJidjgza09GUWRpb0UyQUFCdzNESzZIU3U2YlVUSDE2aThUaUlnR0tpM1V2d0lJM2lYRXd4NE53MVJYSDliCjkwa0I1OFVlY1liOHR2VFM2M1V0QWFFQ2dZRUF5NkRGNzJmUTVCcXc4cStGSkhVUXVEallwWFNpY3NualBYRXgKRi9ycEMySUdXRlBmckdkWG9BNEVJaVArZ0UrcloxT0x4ZzE5ZkxwTjZ3RG15K3RaMHNRaUcrTytCazhnay9CdQpYalFjeURjQjRrUFpvYkplVi9iMkhlalJJOThJOUNFZUV0bkFWSnNiZE1qUHJGQ2dia2dodEZCcVZRbmYxUXBPCnhOTXhLRDBDZ1lFQWd0WUlpdThqRDlUK3JxMUcwUVhDN053RjBiY0dCa1NWM1N5RDIra3lFTktkdDVHQ2VvNEcKQ2YvVjFjS3hCK2txSDRkVmxhSW41L01ha3BiTnJ1Y0tNWEJyRVk5R05CV2tXYzF5QWVob1NhcHZBbE5uWVlEdAo4MkQyMTVEOWg2VTk4eXZyeWhEM2hvWm5RR2NOQ2J3TzNlcFBSNWVSMDlnT3QyVVdEcFNlUFA0PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= --- # Source: cilium/templates/hubble/tls-helm/server-secret.yaml apiVersion: v1 kind: Secret metadata: name: hubble-server-certs namespace: kube-system type: kubernetes.io/tls data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURLRENDQWhDZ0F3SUJBZ0lSQVA1elVMUnhDT3g2b250ajFFSENBZTB3RFFZSktvWklodmNOQVFFTEJRQXcKSGpFY01Cb0dBMVVFQXhNVGFIVmlZbXhsTFdOaExtTnBiR2wxYlM1cGJ6QWVGdzB5TWpBek1qRXlNVEl3TWpWYQpGdzB5TlRBek1qQXlNVEl3TWpWYU1CNHhIREFhQmdOVkJBTVRFMmgxWW1Kc1pTMWpZUzVqYVd4cGRXMHVhVzh3CmdnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURkYkRTWm1WZXZ0VHNJL2xtL2JNekgKcGVWS2ZLVnNJMWd6UDBiOWM1c3pCWXNINGJFR1k5MGhoajVpUkwyUFBHalZQd2lXU2YyNWNmaWlUdzVuWFlnTwpGSENVZHd4ZFlNVjV1NGZHZ1dCL25ocFY5Z0JOLzlWSzF3dXp3TGsxZ3NaKzVNSnR0OW1RdG5aRjRkZFllV1FVCjd1WEFvRWFsdXRWeWNVZHZka2EyYWtGc2FoSW96d0RXUHhtZ2I1N2tkcTFiOERjKzhwdHpLV3pTWE8wcVZpWVYKZVk4bnRJK2RxNlNCRE5NOTRabFJFR2ZIcFB5eGxOd3l2aGk1M2lzREcxS2pMSGlzZWtVRU1UL3hmaEFTdFh6ZwozYml4M0U0KzJkNXhuei8vQ2dPRzBtUUw0SkFySHYvMVhhejFYcDZmWStMVFBKMS9DV2FDUVpIRVlkcXVCVGl4CkFnTUJBQUdqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDcERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FValdDTStZSFUvbWYrZ1A2MgpobndML3RBWnFEOHdEUVlKS29aSWh2
Y05BUUVMQlFBRGdnRUJBTUpnK2c1NkN3Zm0yZm1yQld2YTAyZjFCWWdFCis0TmVZS1IvTzFRQ1FDRzNLb21lRXBNcitCTS9oSFdHUWhzeForYlY3cm9yR2ZEVUFSRmNCUU80KzdBQUJzNm0KMnBDV2poUSszM2xBSUNhZEY3dVFSdlN1aHRFQWo0YmZBQ3hXVnR4WUZHWjBCc0FqaXpZcmdBRlJ1M05hdVR0WQozNWpuTWpyNlBQNit0WDdrNUdXQ09PMkFsRFREWnk5RlVWU2JtczNBRkpXWVZFQWthaytSY3gxdkFxS1lrdVk3CktoaGJoVzJYMWVGYkVraENZcFN4MGVLV3ZJcEh0eEFvUURJYzRMNHovUjJ5ZGl2MVRpd2gzTWxyLy8rRmhVWWsKSy9idTgzRzBPMFpQUmRJQTcyY0piQTN5cStVNE1VQVZxSnhTb2pnQnNkRDFwZnhOT0FyR2ZERnphb1U9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K tls.crt: 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 tls.key: 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 --- # Source: cilium/templates/cilium-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: cilium-config namespace: kube-system data: # Identity allocation mode selects how identities are shared between cilium # nodes by setting how they are stored. The options are "crd" or "kvstore". # - "crd" stores identities in kubernetes as CRDs (custom resource definition). # These can be queried with: # kubectl get ciliumid # - "kvstore" stores identities in an etcd kvstore, that is # configured below. Cilium versions before 1.6 supported only the kvstore # backend. Upgrades from these older cilium versions should continue using # the kvstore by commenting out the identity-allocation-mode below, or # setting it to "kvstore". identity-allocation-mode: crd cilium-endpoint-gc-interval: "5m0s" # Disable the usage of CiliumEndpoint CRD disable-endpoint-crd: "false" # If you want to run cilium in debug mode change this value to true debug: "false" # The agent can be put into the following three policy enforcement modes # default, always and never. # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes enable-policy: "default" # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 # address. enable-ipv4: "true" # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 # address. 
enable-ipv6: "false" # Users who wish to specify their own custom CNI configuration file must set # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. custom-cni-conf: "false" enable-bpf-clock-probe: "true" # If you want cilium monitor to aggregate tracing for packets, set this level # to "low", "medium", or "maximum". The higher the level, the less packets # that will be seen in monitor output. monitor-aggregation: medium # The monitor aggregation interval governs the typical time between monitor # notification events for each allowed connection. # # Only effective when monitor aggregation is set to "medium" or higher. monitor-aggregation-interval: 5s # The monitor aggregation flags determine which TCP flags which, upon the # first observation, cause monitor notifications to be generated. # # Only effective when monitor aggregation is set to "medium" or higher. monitor-aggregation-flags: all # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. bpf-map-dynamic-size-ratio: "0.0025" # bpf-policy-map-max specifies the maximum number of entries in endpoint # policy map (per endpoint) bpf-policy-map-max: "16384" # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, # backend and affinity maps. bpf-lb-map-max: "65536" # bpf-lb-bypass-fib-lookup instructs Cilium to enable the FIB lookup bypass # optimization for nodeport reverse NAT handling. bpf-lb-external-clusterip: "false" # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The # default value below will minimize memory usage in the default installation; # users who are sensitive to latency may consider setting this to "true". # # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore # this option and behave as though it is set to "true". 
# # If this value is modified, then during the next Cilium startup the restore # of existing endpoints and tracking of ongoing connections may be disrupted. # As a result, reply packets may be dropped and the load-balancing decisions # for established connections may change. # # If this option is set to "false" during an upgrade from 1.3 or earlier to # 1.4 or later, then it may cause one-time disruptions during the upgrade. preallocate-bpf-maps: "false" # Regular expression matching compatible Istio sidecar istio-proxy # container image names sidecar-istio-proxy-image: "cilium/istio_proxy" # Name of the cluster. Only relevant when building a mesh of clusters. cluster-name: default # Unique ID of the cluster. Must be unique across all conneted clusters and # in the range of 1 and 255. Only relevant when building a mesh of clusters. cluster-id: "" # Encapsulation mode for communication between nodes # Possible values: # - disabled # - vxlan (default) # - geneve tunnel: vxlan # Enables L7 proxy for L7 policy enforcement and visibility enable-l7-proxy: "true" enable-ipv4-masquerade: "true" enable-ipv6-masquerade: "true" enable-xt-socket-fallback: "true" install-iptables-rules: "true" install-no-conntrack-iptables-rules: "false" auto-direct-node-routes: "false" enable-bandwidth-manager: "false" enable-local-redirect-policy: "false" kube-proxy-replacement: "disabled" enable-health-check-nodeport: "true" node-port-bind-protection: "true" enable-auto-protect-node-port-range: "true" enable-session-affinity: "true" enable-l2-neigh-discovery: "true" enable-endpoint-health-checking: "true" enable-health-checking: "true" enable-well-known-identities: "false" enable-remote-node-identity: "true" operator-api-serve-addr: "127.0.0.1:9234" # Enable Hubble gRPC service. enable-hubble: "true" # UNIX domain socket for Hubble server to listen to. hubble-socket-path: "/var/run/cilium/hubble.sock" # An additional address for Hubble server to listen to (e.g. ":4244"). 
hubble-listen-address: ":4244" hubble-disable-tls: "false" hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt ipam: "kubernetes" disable-cnp-status-updates: "true" cgroup-root: "/run/cilium/cgroupv2" enable-k8s-terminating-endpoint: "true" --- # Source: cilium/templates/cilium-agent/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium rules: - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - list - watch - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - list - watch - apiGroups: - "" resources: - namespaces - services - nodes - endpoints verbs: - get - list - watch - apiGroups: - "" resources: - pods - pods/finalizers verbs: - get - list - watch - update - delete - apiGroups: - "" resources: - nodes verbs: - get - list - watch - update - apiGroups: - "" resources: - nodes - nodes/status verbs: - patch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: # Deprecated for removal in v1.10 - create - list - watch - update # This is used when validating policies in preflight. This will need to stay # until we figure out how to avoid "get" inside the preflight, and then # should be removed ideally. 
- get - apiGroups: - cilium.io resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status - ciliumnetworkpolicies/finalizers - ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies/status - ciliumclusterwidenetworkpolicies/finalizers - ciliumendpoints - ciliumendpoints/status - ciliumendpoints/finalizers - ciliumnodes - ciliumnodes/status - ciliumnodes/finalizers - ciliumidentities - ciliumidentities/finalizers - ciliumlocalredirectpolicies - ciliumlocalredirectpolicies/status - ciliumlocalredirectpolicies/finalizers - ciliumegressnatpolicies - ciliumendpointslices verbs: - '*' --- # Source: cilium/templates/cilium-operator/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-operator rules: - apiGroups: - "" resources: # to automatically delete [core|kube]dns pods so that are starting to being # managed by Cilium - pods verbs: - get - list - watch - delete - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - get - list - watch - apiGroups: - "" resources: # to perform LB IP allocation for BGP - services/status verbs: - update - apiGroups: - "" resources: # to perform the translation of a CNP that contains `ToGroup` to its endpoints - services - endpoints # to check apiserver connectivity - namespaces verbs: - get - list - watch - apiGroups: - cilium.io resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status - ciliumnetworkpolicies/finalizers - ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies/status - ciliumclusterwidenetworkpolicies/finalizers - ciliumendpoints - ciliumendpoints/status - ciliumendpoints/finalizers - ciliumnodes - ciliumnodes/status - ciliumnodes/finalizers - ciliumidentities - ciliumendpointslices - ciliumidentities/status - ciliumidentities/finalizers - ciliumlocalredirectpolicies - ciliumlocalredirectpolicies/status - ciliumlocalredirectpolicies/finalizers verbs: - '*' 
- apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create - get - list - update - watch # For cilium-operator running in HA mode. # # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election # between multiple running instances. # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less # common and fewer objects in the cluster watch "all Leases". - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update --- # Source: cilium/templates/cilium-agent/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cilium subjects: - kind: ServiceAccount name: "cilium" namespace: kube-system --- # Source: cilium/templates/cilium-operator/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cilium-operator subjects: - kind: ServiceAccount name: "cilium-operator" namespace: kube-system --- # Source: cilium/templates/cilium-agent/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: cilium namespace: kube-system labels: k8s-app: cilium spec: selector: matchLabels: k8s-app: cilium updateStrategy: rollingUpdate: maxUnavailable: 2 type: RollingUpdate template: metadata: annotations: # This annotation plus the CriticalAddonsOnly toleration makes # cilium to be a critical pod in the cluster, which ensures cilium # gets priority scheduling. 
# https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ scheduler.alpha.kubernetes.io/critical-pod: "" labels: k8s-app: cilium spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - matchExpressions: - key: beta.kubernetes.io/os operator: In values: - linux podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: k8s-app operator: In values: - cilium topologyKey: kubernetes.io/hostname containers: - name: cilium-agent image: "quay.io/cilium/cilium:v1.11.2@sha256:4332428fbb528bda32fffe124454458c9b716c86211266d1a03c4ddf695d7f60" imagePullPolicy: IfNotPresent command: - cilium-agent args: - --config-dir=/tmp/cilium/config-map startupProbe: httpGet: host: "127.0.0.1" path: /healthz port: 9876 scheme: HTTP httpHeaders: - name: "brief" value: "true" failureThreshold: 105 periodSeconds: 2 successThreshold: 1 livenessProbe: httpGet: host: "127.0.0.1" path: /healthz port: 9876 scheme: HTTP httpHeaders: - name: "brief" value: "true" periodSeconds: 30 successThreshold: 1 failureThreshold: 10 timeoutSeconds: 5 readinessProbe: httpGet: host: "127.0.0.1" path: /healthz port: 9876 scheme: HTTP httpHeaders: - name: "brief" value: "true" periodSeconds: 30 successThreshold: 1 failureThreshold: 3 timeoutSeconds: 5 env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: CILIUM_CNI_CHAINING_MODE valueFrom: configMapKeyRef: name: cilium-config key: cni-chaining-mode optional: true - name: CILIUM_CUSTOM_CNI_CONF valueFrom: configMapKeyRef: name: cilium-config key: custom-cni-conf optional: true lifecycle: postStart: exec: command: - "/cni-install.sh" - "--enable-debug=false" - 
"--cni-exclusive=true" preStop: exec: command: - /cni-uninstall.sh securityContext: privileged: true volumeMounts: - name: bpf-maps mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: cilium-run mountPath: /var/run/cilium - name: cni-path mountPath: /host/opt/cni/bin - name: etc-cni-netd mountPath: /host/etc/cni/net.d - name: clustermesh-secrets mountPath: /var/lib/cilium/clustermesh readOnly: true - name: cilium-config-path mountPath: /tmp/cilium/config-map readOnly: true # Needed to be able to load kernel modules - name: lib-modules mountPath: /lib/modules readOnly: true - name: xtables-lock mountPath: /run/xtables.lock - name: hubble-tls mountPath: /var/lib/cilium/tls/hubble readOnly: true hostNetwork: true initContainers: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup image: "quay.io/cilium/cilium:v1.11.2@sha256:4332428fbb528bda32fffe124454458c9b716c86211266d1a03c4ddf695d7f60" imagePullPolicy: IfNotPresent env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin command: - sh - -ec # The statically linked Go program binary is invoked to avoid any # dependency on utilities like sh and mount that can be missing on certain # distros installed on the underlying host. Copy the binary to the # same directory where we install cilium cni plugin so that exec permissions # are available. 
- | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount volumeMounts: - name: hostproc mountPath: /hostproc - name: cni-path mountPath: /hostbin securityContext: privileged: true - name: clean-cilium-state image: "quay.io/cilium/cilium:v1.11.2@sha256:4332428fbb528bda32fffe124454458c9b716c86211266d1a03c4ddf695d7f60" imagePullPolicy: IfNotPresent command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: name: cilium-config key: clean-cilium-state optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: name: cilium-config key: clean-cilium-bpf-state optional: true securityContext: privileged: true volumeMounts: - name: bpf-maps mountPath: /sys/fs/bpf # Required to mount cgroup filesystem from the host to cilium agent pod - name: cilium-cgroup mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer - name: cilium-run mountPath: /var/run/cilium resources: requests: cpu: 100m memory: 100Mi restartPolicy: Always priorityClassName: system-node-critical serviceAccount: "cilium" serviceAccountName: "cilium" terminationGracePeriodSeconds: 1 tolerations: - operator: Exists volumes: # To keep state between restarts / upgrades - name: cilium-run hostPath: path: /var/run/cilium type: DirectoryOrCreate # To keep state between restarts / upgrades for bpf maps - name: bpf-maps hostPath: path: /sys/fs/bpf type: DirectoryOrCreate # To mount cgroup2 filesystem on the host - name: hostproc hostPath: path: /proc type: Directory # To keep state between restarts / upgrades for cgroup2 filesystem - name: cilium-cgroup hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate # To install cilium cni plugin in the host - name: cni-path hostPath: path: /opt/cni/bin type: DirectoryOrCreate # To install cilium cni configuration in the host - name: etc-cni-netd hostPath: path: /etc/cni/net.d type: DirectoryOrCreate # 
To be able to load kernel modules - name: lib-modules hostPath: path: /lib/modules # To access iptables concurrently with other processes (e.g. kube-proxy) - name: xtables-lock hostPath: path: /run/xtables.lock type: FileOrCreate # To read the clustermesh configuration - name: clustermesh-secrets secret: secretName: cilium-clustermesh # note: the leading zero means this number is in octal representation: do not remove it defaultMode: 0400 optional: true # To read the configuration from the config map - name: cilium-config-path configMap: name: cilium-config - name: hubble-tls projected: # note: the leading zero means this number is in octal representation: do not remove it defaultMode: 0400 sources: - secret: name: hubble-server-certs optional: true items: - key: ca.crt path: client-ca.crt - key: tls.crt path: server.crt - key: tls.key path: server.key --- # Source: cilium/templates/cilium-operator/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: cilium-operator namespace: kube-system labels: io.cilium/app: operator name: cilium-operator spec: # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go # for more details. replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: annotations: labels: io.cilium/app: operator name: cilium-operator spec: # In HA mode, cilium-operator pods must not be scheduled on the same # node as they will clash with each other. 
affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: io.cilium/app operator: In values: - operator topologyKey: kubernetes.io/hostname containers: - name: cilium-operator image: quay.io/cilium/operator-generic:v1.11.2@sha256:4c8bea6818ee3e4932f99e9c1d7efa88b8c0f3cd516160caec878406531e45e7 imagePullPolicy: IfNotPresent command: - cilium-operator-generic args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: key: debug name: cilium-config optional: true livenessProbe: httpGet: host: "127.0.0.1" path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 3 volumeMounts: - name: cilium-config-path mountPath: /tmp/cilium/config-map readOnly: true hostNetwork: true restartPolicy: Always priorityClassName: system-cluster-critical serviceAccount: "cilium-operator" serviceAccountName: "cilium-operator" tolerations: - operator: Exists volumes: # To read the configuration from the config map - name: cilium-config-path configMap: name: cilium-config
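Review bot: The hubble-ca-secret and hubble-server-certs Secret documents near the top of the hunk embed the Hubble CA private key (`ca.key`, present in full on this page while the other TLS fields are redacted) and the server key as base64 values, which is an encoding and not a protection, so once this rendered output is published that CA and every certificate issued under it should be treated as compromised and re-issued. The `# Source: cilium/templates/hubble/tls-helm/...` headers show these are chart-generated secrets, so the durable fix is to keep them out of committed render output (render with the secret templates excluded, or let the chart or cert-manager manage them in-cluster) rather than editing the values in place. As a smaller point, `scheduler.alpha.kubernetes.io/critical-pod: ""` on the DaemonSet pod template is the deprecated predecessor of `priorityClassName: system-node-critical`, which the same pod spec already sets, so the annotation is redundant on current clusters. The hunk header declares 798 added lines and the operator Deployment's last volume closes the final document here, so the whole file appears to be in view.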