From 323d68bc80a61ee45e2ecda4da11e1d6e8615a64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Se=C3=A1n=20C=20McCord?= Date: Tue, 21 Apr 2020 21:21:16 -0400 Subject: [PATCH] update to cilium 1.7.2 --- cluster1/cilium/quick-install.yaml | 168 +++++++++++++++-------------- 1 file changed, 89 insertions(+), 79 deletions(-) diff --git a/cluster1/cilium/quick-install.yaml b/cluster1/cilium/quick-install.yaml index b6edb16..306ff24 100644 --- a/cluster1/cilium/quick-install.yaml +++ b/cluster1/cilium/quick-install.yaml @@ -1,4 +1,18 @@ --- +# Source: cilium/charts/agent/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium + namespace: kube-system +--- +# Source: cilium/charts/operator/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cilium-operator + namespace: kube-system +--- # Source: cilium/charts/config/templates/configmap.yaml apiVersion: v1 kind: ConfigMap @@ -35,6 +49,18 @@ data: # that will be seen in monitor output. monitor-aggregation: medium + # The monitor aggregation interval governs the typical time between monitor + # notification events for each allowed connection. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-interval: 5s + + # The monitor aggregation flags determine which TCP flags which, upon the + # first observation, cause monitor notifications to be generated. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-flags: all + # ct-global-max-entries-* specifies the maximum number of connections # supported across all endpoints, split by protocol: tcp or other. One pair # of maps uses these values for IPv4 connections, and another pair of maps 
@@ -105,46 +131,19 @@ data: # wait-bpf-mount makes init container wait until bpf filesystem is mounted wait-bpf-mount: "false" - # Enable fetching of container-runtime specific metadata - # - # By default, the Kubernetes pod and namespace labels are retrieved and - # associated with endpoints for identification purposes. By integrating - # with the container runtime, container runtime specific labels can be - # retrieved, such labels will be prefixed with container: - # - # CAUTION: The container runtime labels can include information such as pod - # annotations which may result in each pod being associated a unique set of - # labels which can result in excessive security identities being allocated. - # Please review the labels filter when enabling container runtime labels. - # - # Supported values: - # - containerd - # - crio - # - docker - # - none - # - auto (automatically detect the container runtime) - # - container-runtime: none - masquerade: "true" - + enable-xt-socket-fallback: "true" install-iptables-rules: "true" auto-direct-node-routes: "false" + kube-proxy-replacement: "probe" + enable-host-reachable-services: "true" + enable-external-ips: "true" enable-node-port: "false" ---- -# Source: cilium/charts/agent/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cilium - namespace: kube-system ---- -# Source: cilium/charts/operator/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cilium-operator - namespace: kube-system + enable-auto-protect-node-port-range: "true" + # Chaining mode is set to portmap, enable health checking + enable-endpoint-health-checking: "true" + enable-well-known-identities: "false" + enable-remote-node-identity: "true" --- # Source: cilium/charts/agent/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 
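Review bot: `enable-remote-node-identity: "true"` at the end of the new ConfigMap changes how traffic from other cluster nodes is classified — it is no longer folded into the `host` identity — so any existing CiliumNetworkPolicy that uses `fromEntities: [host]` to admit node-to-pod traffic (kubelet probes, host-networked peers) may start dropping that traffic after the upgrade; the cluster's policies are not visible from this file, so this needs verifying before rollout. A comment above the key would spare the next operator the surprise: `# Peer nodes now carry the remote-node identity; policies admitting node traffic via fromEntities: host must also list remote-node.` Separately, the comment `# Chaining mode is set to portmap, enable health checking` asserts a portmap chaining setup, but no `cni-chaining-mode` key is visible anywhere in this ConfigMap, so the comment reads like a chart-template artifact rather than a description of this deployment and should be reworded or dropped. The ConfigMap's `data:` block starts before this hunk, so keys set earlier were not reviewed here.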
@@ -160,6 +159,14 @@ rules: - get - list - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -188,15 +195,6 @@ rules: - nodes/status verbs: - patch -- apiGroups: - - extensions - resources: - - ingresses - verbs: - - create - - get - - list - - watch - apiGroups: - apiextensions.k8s.io resources: @@ -212,6 +210,8 @@ rules: resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status - ciliumendpoints - ciliumendpoints/status - ciliumnodes @@ -238,6 +238,14 @@ rules: - list - watch - delete +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch - apiGroups: - "" resources: @@ -259,6 +267,8 @@ rules: resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status - ciliumendpoints - ciliumendpoints/status - ciliumnodes @@ -302,14 +312,12 @@ kind: DaemonSet metadata: labels: k8s-app: cilium - kubernetes.io/cluster-service: "true" name: cilium namespace: kube-system spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: annotations: 
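Review bot: The agent ClusterRole now lists `ciliumclusterwidenetworkpolicies` and `ciliumclusterwidenetworkpolicies/status` next to the namespaced policy resources, but the `verbs` for that rule fall outside the hunk; if they are a wildcard, as Cilium charts commonly ship for `cilium.io` resources, the `cilium` ServiceAccount token present on every node can create and rewrite cluster-wide policy, so a single compromised node could open or close traffic for the whole cluster. If the agent only reads these policies and updates their status, the least-privilege shape is a separate rule with `get`/`list`/`watch` on `ciliumclusterwidenetworkpolicies` and `patch`/`update` on `ciliumclusterwidenetworkpolicies/status`, leaving write verbs to the operator role. The same addition to the operator ClusterRole later on this line carries the same unseen-verbs caveat. The removal of `create`/`get`/`list`/`watch` on `extensions/ingresses` in the second hunk is a welcome privilege reduction and needs no change.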
@@ -318,16 +326,39 @@ spec: # gets priority scheduling. # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ scheduler.alpha.kubernetes.io/critical-pod: "" - scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]' labels: k8s-app: cilium - kubernetes.io/cluster-service: "true" spec: containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent + livenessProbe: + exec: + command: + - cilium + - status + - --brief + failureThreshold: 10 + # The initial delay for the liveness probe is intentionally large to + # avoid an endless kill & restart cycle if in the event that the initial + # bootstrapping takes longer than expected. + initialDelaySeconds: 120 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - cilium + - status + - --brief + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 env: - name: K8S_NODE_NAME valueFrom: 
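Review bot: Dropping the `scheduler.alpha.kubernetes.io/tolerations` annotation removes the only master toleration visible in this hunk; unless `spec.template.spec.tolerations` (outside the hunk) still carries `key: dedicated, operator: Equal, value: master, effect: NoSchedule` or an `operator: Exists` catch-all, the agent stops scheduling on tainted control-plane nodes and any pod placed there runs with no CNI and no policy enforcement. Worth confirming after apply with `kubectl -n kube-system get ds cilium -o jsonpath='{.spec.template.spec.tolerations}'`. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is kept while the `priorityClassName: system-node-critical` added later in this patch is what now carries scheduling priority; a comment such as `# critical-pod annotation kept for older kubelets; priorityClassName is authoritative` would explain the duplication. The DaemonSet pod spec begins before and continues after this hunk, so the moved liveness/readiness probes were checked only for their thresholds, which are unchanged.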
@@ -365,43 +396,19 @@ spec: key: custom-cni-conf name: cilium-config optional: true - image: "docker.io/cilium/cilium:v1.6.6" + image: "docker.io/cilium/cilium:v1.7.2" imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - - /cni-install.sh + - "/cni-install.sh" + - "--enable-debug=false" preStop: exec: command: - /cni-uninstall.sh - livenessProbe: - exec: - command: - - cilium - - status - - --brief - failureThreshold: 10 - # The initial delay for the liveness probe is intentionally large to - # avoid an endless kill & restart cycle if in the event that the initial - # bootstrapping takes longer than expected. - initialDelaySeconds: 120 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 name: cilium-agent - readinessProbe: - exec: - command: - - cilium - - status - - --brief - failureThreshold: 3 - initialDelaySeconds: 5 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 securityContext: capabilities: add: @@ -452,7 +459,7 @@ spec: key: wait-bpf-mount name: cilium-config optional: true - image: "docker.io/cilium/cilium:v1.6.6" + image: "docker.io/cilium/cilium:v1.7.2" imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -463,9 +470,11 @@ spec: volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps + mountPropagation: HostToContainer - mountPath: /var/run/cilium name: cilium-run restartPolicy: Always + priorityClassName: system-node-critical serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 @@ -547,6 +556,7 @@ spec: - args: - --debug=$(CILIUM_DEBUG) - --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE) + - --synchronize-k8s-nodes=true command: - cilium-operator env: 
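Review bot: Both new `image:` lines (`docker.io/cilium/cilium:v1.7.2` for the agent and for the `clean-cilium-state` init container) reference a mutable tag and keep `imagePullPolicy: IfNotPresent`, so a re-pushed tag or a stale node-local cache lets different nodes run different binaries under the same name, and the init container that wipes BPF state is exactly where that matters. Pinning by digest, `image: "docker.io/cilium/cilium:v1.7.2@sha256:<digest resolved from the registry>"`, makes the rollout reproducible and verifiable; the operator image in the last hunk should get the same treatment. The added `mountPropagation: HostToContainer` on `/sys/fs/bpf` is the one-directional form, which is the right choice, though a comment `# HostToContainer only: the init container must see the host bpffs mount but must not propagate mounts back to the host` would record why `Bidirectional` was not used. The container `securityContext` this hunk ends on is outside the hunk, so its capability set was not reviewed here.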
@@ -626,18 +636,18 @@ spec: key: identity-allocation-mode name: cilium-config optional: true - image: "docker.io/cilium/operator:v1.6.6" + image: "docker.io/cilium/operator:v1.7.2" imagePullPolicy: IfNotPresent name: cilium-operator livenessProbe: httpGet: + host: '127.0.0.1' path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 3 - hostNetwork: true restartPolicy: Always serviceAccount: cilium-operator