update to cilium 1.7.2

Seán C McCord 2020-04-21 21:21:16 -04:00
parent 0f92841360
commit 323d68bc80


@ -1,4 +1,18 @@
--- ---
# Source: cilium/charts/agent/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium
namespace: kube-system
---
# Source: cilium/charts/operator/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium-operator
namespace: kube-system
---
# Source: cilium/charts/config/templates/configmap.yaml # Source: cilium/charts/config/templates/configmap.yaml
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -35,6 +49,18 @@ data:
# that will be seen in monitor output. # that will be seen in monitor output.
monitor-aggregation: medium monitor-aggregation: medium
# The monitor aggregation interval governs the typical time between monitor
# notification events for each allowed connection.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-interval: 5s
# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
monitor-aggregation-flags: all
# ct-global-max-entries-* specifies the maximum number of connections # ct-global-max-entries-* specifies the maximum number of connections
# supported across all endpoints, split by protocol: tcp or other. One pair # supported across all endpoints, split by protocol: tcp or other. One pair
# of maps uses these values for IPv4 connections, and another pair of maps # of maps uses these values for IPv4 connections, and another pair of maps
@ -105,46 +131,19 @@ data:
# wait-bpf-mount makes init container wait until bpf filesystem is mounted # wait-bpf-mount makes init container wait until bpf filesystem is mounted
wait-bpf-mount: "false" wait-bpf-mount: "false"
# Enable fetching of container-runtime specific metadata
#
# By default, the Kubernetes pod and namespace labels are retrieved and
# associated with endpoints for identification purposes. By integrating
# with the container runtime, container runtime specific labels can be
# retrieved, such labels will be prefixed with container:
#
# CAUTION: The container runtime labels can include information such as pod
# annotations which may result in each pod being associated a unique set of
# labels which can result in excessive security identities being allocated.
# Please review the labels filter when enabling container runtime labels.
#
# Supported values:
# - containerd
# - crio
# - docker
# - none
# - auto (automatically detect the container runtime)
#
container-runtime: none
masquerade: "true" masquerade: "true"
enable-xt-socket-fallback: "true"
install-iptables-rules: "true" install-iptables-rules: "true"
auto-direct-node-routes: "false" auto-direct-node-routes: "false"
kube-proxy-replacement: "probe"
enable-host-reachable-services: "true"
enable-external-ips: "true"
enable-node-port: "false" enable-node-port: "false"
--- enable-auto-protect-node-port-range: "true"
# Source: cilium/charts/agent/templates/serviceaccount.yaml # Chaining mode is set to portmap, enable health checking
apiVersion: v1 enable-endpoint-health-checking: "true"
kind: ServiceAccount enable-well-known-identities: "false"
metadata: enable-remote-node-identity: "true"
name: cilium
namespace: kube-system
---
# Source: cilium/charts/operator/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cilium-operator
namespace: kube-system
--- ---
# Source: cilium/charts/agent/templates/clusterrole.yaml # Source: cilium/charts/agent/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -160,6 +159,14 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -188,15 +195,6 @@ rules:
- nodes/status - nodes/status
verbs: verbs:
- patch - patch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
- apiGroups: - apiGroups:
- apiextensions.k8s.io - apiextensions.k8s.io
resources: resources:
@ -212,6 +210,8 @@ rules:
resources: resources:
- ciliumnetworkpolicies - ciliumnetworkpolicies
- ciliumnetworkpolicies/status - ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints - ciliumendpoints
- ciliumendpoints/status - ciliumendpoints/status
- ciliumnodes - ciliumnodes
@ -238,6 +238,14 @@ rules:
- list - list
- watch - watch
- delete - delete
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -259,6 +267,8 @@ rules:
resources: resources:
- ciliumnetworkpolicies - ciliumnetworkpolicies
- ciliumnetworkpolicies/status - ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints - ciliumendpoints
- ciliumendpoints/status - ciliumendpoints/status
- ciliumnodes - ciliumnodes
@ -302,14 +312,12 @@ kind: DaemonSet
metadata: metadata:
labels: labels:
k8s-app: cilium k8s-app: cilium
kubernetes.io/cluster-service: "true"
name: cilium name: cilium
namespace: kube-system namespace: kube-system
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: cilium k8s-app: cilium
kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations: annotations:
@ -318,16 +326,39 @@ spec:
# gets priority scheduling. # gets priority scheduling.
# https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
scheduler.alpha.kubernetes.io/critical-pod: "" scheduler.alpha.kubernetes.io/critical-pod: ""
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
labels: labels:
k8s-app: cilium k8s-app: cilium
kubernetes.io/cluster-service: "true"
spec: spec:
containers: containers:
- args: - args:
- --config-dir=/tmp/cilium/config-map - --config-dir=/tmp/cilium/config-map
command: command:
- cilium-agent - cilium-agent
livenessProbe:
exec:
command:
- cilium
- status
- --brief
failureThreshold: 10
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
exec:
command:
- cilium
- status
- --brief
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
valueFrom: valueFrom:
@ -365,43 +396,19 @@ spec:
key: custom-cni-conf key: custom-cni-conf
name: cilium-config name: cilium-config
optional: true optional: true
image: "docker.io/cilium/cilium:v1.6.6" image: "docker.io/cilium/cilium:v1.7.2"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
postStart: postStart:
exec: exec:
command: command:
- /cni-install.sh - "/cni-install.sh"
- "--enable-debug=false"
preStop: preStop:
exec: exec:
command: command:
- /cni-uninstall.sh - /cni-uninstall.sh
livenessProbe:
exec:
command:
- cilium
- status
- --brief
failureThreshold: 10
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
initialDelaySeconds: 120
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
name: cilium-agent name: cilium-agent
readinessProbe:
exec:
command:
- cilium
- status
- --brief
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
securityContext: securityContext:
capabilities: capabilities:
add: add:
@ -452,7 +459,7 @@ spec:
key: wait-bpf-mount key: wait-bpf-mount
name: cilium-config name: cilium-config
optional: true optional: true
image: "docker.io/cilium/cilium:v1.6.6" image: "docker.io/cilium/cilium:v1.7.2"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
@ -463,9 +470,11 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
name: bpf-maps name: bpf-maps
mountPropagation: HostToContainer
- mountPath: /var/run/cilium - mountPath: /var/run/cilium
name: cilium-run name: cilium-run
restartPolicy: Always restartPolicy: Always
priorityClassName: system-node-critical
serviceAccount: cilium serviceAccount: cilium
serviceAccountName: cilium serviceAccountName: cilium
terminationGracePeriodSeconds: 1 terminationGracePeriodSeconds: 1
@ -547,6 +556,7 @@ spec:
- args: - args:
- --debug=$(CILIUM_DEBUG) - --debug=$(CILIUM_DEBUG)
- --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE) - --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE)
- --synchronize-k8s-nodes=true
command: command:
- cilium-operator - cilium-operator
env: env:
@ -626,18 +636,18 @@ spec:
key: identity-allocation-mode key: identity-allocation-mode
name: cilium-config name: cilium-config
optional: true optional: true
image: "docker.io/cilium/operator:v1.6.6" image: "docker.io/cilium/operator:v1.7.2"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: cilium-operator name: cilium-operator
livenessProbe: livenessProbe:
httpGet: httpGet:
host: '127.0.0.1'
path: /healthz path: /healthz
port: 9234 port: 9234
scheme: HTTP scheme: HTTP
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
hostNetwork: true hostNetwork: true
restartPolicy: Always restartPolicy: Always
serviceAccount: cilium-operator serviceAccount: cilium-operator
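Review bot: `enable-remote-node-identity: "true"` on the new side of the ConfigMap hunk is a policy-semantics change, not just a version bump: traffic from other cluster nodes is now classified under the `remote-node` identity rather than `host`, so any existing CiliumNetworkPolicy that admits node traffic only via `fromEntities: [host]` (or the matching `toEntities`) will start dropping it after the rollout unless `remote-node` (or `cluster`) is also allowed. Nothing in this rendered manifest touches policies, so this needs to be checked against the cluster's policy objects before applying, or the key set to `"false"` for a staged cutover. I would record the decision next to the key: `# remote nodes get the remote-node identity; policies that allow fromEntities: host must also allow remote-node`. Separately, with `kube-proxy-replacement: "probe"` the host-reachable-services and external-ips settings beneath it are only activated where the node kernel supports them, so what is actually enforced per node is only visible in `cilium status` after rollout and should be verified rather than assumed from this ConfigMap.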