{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /* Default values with backwards compatibility */ -}}
{{- $defaultKeepDeprecatedProbes := true -}}
{{- /* Default values when 1.8 was initially deployed */ -}}
{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
{{- $defaultKeepDeprecatedProbes = false -}}
{{- end -}}
{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "false") -}}
apiVersion : apps/v1
kind : DaemonSet
metadata :
name : cilium
namespace : {{ .Release.Namespace }}
{{- with .Values.annotations }}
annotations :
{{- toYaml . | nindent 4 }}
{{- end }}
labels :
k8s-app : cilium
app.kubernetes.io/part-of : cilium
app.kubernetes.io/name : cilium-agent
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service : "true"
{{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }}
{{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }}
{{- end }}
{{- end }}
spec :
selector :
matchLabels :
k8s-app : cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service : "true"
{{- end }}
{{- with .Values.updateStrategy }}
updateStrategy :
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template :
metadata :
annotations :
{{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }}
prometheus.io/port : "{{ .Values.prometheus.port }}"
prometheus.io/scrape : "true"
{{- end }}
{{- if .Values.rollOutCiliumPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-configmap-checksum : {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-agent : "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state : "unconfined"
{{- if .Values.cgroup.autoMount.enabled }}
container.apparmor.security.beta.kubernetes.io/mount-cgroup : "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites : "unconfined"
{{- end }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels :
k8s-app : cilium
app.kubernetes.io/name : cilium-agent
app.kubernetes.io/part-of : cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service : "true"
{{- end }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec :
{{- with .Values.imagePullSecrets }}
imagePullSecrets :
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext :
{{- toYaml . | nindent 8 }}
{{- end }}
containers :
- name : cilium-agent
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
{{- if .Values.sleepAfterInit }}
command :
- /bin/bash
- -c
- --
args :
- |
while true; do
sleep 30;
livenessProbe :
exec :
command :
- "true"
readinessProbe :
exec :
command :
- "true"
{{- else }}
command :
- cilium-agent
args :
- --config-dir=/tmp/cilium/config-map
{{- with .Values.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
startupProbe :
httpGet :
host : {{ .Values.ipv4.enabled | ternary "" "::1" | quote }}
path : /healthz
port : {{ .Values.healthPort }}
scheme : HTTP
httpHeaders :
- name : "brief"
value : "true"
failureThreshold : {{ .Values.startupProbe.failureThreshold }}
periodSeconds : {{ .Values.startupProbe.periodSeconds }}
successThreshold : 1
{{- end }}
livenessProbe :
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec :
command :
- cilium
- status
- --brief
{{- else }}
httpGet :
host : {{ .Values.ipv4.enabled | ternary "" "::1" | quote }}
path : /healthz
port : {{ .Values.healthPort }}
scheme : HTTP
httpHeaders :
- name : "brief"
value : "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
# Starting from Kubernetes 1.20, we are using startupProbe instead
# of this field.
initialDelaySeconds : 120
{{- end }}
periodSeconds : {{ .Values.livenessProbe.periodSeconds }}
successThreshold : 1
failureThreshold : {{ .Values.livenessProbe.failureThreshold }}
timeoutSeconds : 5
readinessProbe :
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec :
command :
- cilium
- status
- --brief
{{- else }}
httpGet :
host : {{ .Values.ipv4.enabled | ternary "" "::1" | quote }}
path : /healthz
port : {{ .Values.healthPort }}
scheme : HTTP
httpHeaders :
- name : "brief"
value : "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
initialDelaySeconds : 5
{{- end }}
periodSeconds : {{ .Values.readinessProbe.periodSeconds }}
successThreshold : 1
failureThreshold : {{ .Values.readinessProbe.failureThreshold }}
timeoutSeconds : 5
{{- end }}
env :
- name : K8S_NODE_NAME
valueFrom :
fieldRef :
apiVersion : v1
fieldPath : spec.nodeName
valueFrom :
fieldRef :
apiVersion : v1
fieldPath : metadata.namespace
value : /var/lib/cilium/clustermesh/
valueFrom :
2023-10-16 19:14:53 +02:00
resourceFieldRef :
resource : limits.memory
2022-08-12 10:20:19 +02:00
{{- if .Values.k8sServiceHost }}
value : {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
value : {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if .Values.cni.install }}
lifecycle :
{{- if ne .Values.cni.chainingMode "aws-cni" }}
postStart :
exec :
command :
2023-10-16 19:14:53 +02:00
- "bash"
- "-c"
- |
{{- tpl (.Files.Get "files/agent/poststart-eni.bash") . | nindent 20 }}
{{- end }}
preStop :
exec :
command :
- /cni-uninstall.sh
{{- end }}
{{- with .Values.resources }}
resources :
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
ports :
- name : peer-service
containerPort : {{ .Values.hubble.peerService.targetPort }}
hostPort : {{ .Values.hubble.peerService.targetPort }}
protocol : TCP
{{- if .Values.prometheus.enabled }}
- name : prometheus
containerPort : {{ .Values.prometheus.port }}
hostPort : {{ .Values.prometheus.port }}
protocol : TCP
{{- if and .Values.proxy.prometheus.enabled .Values.envoy.prometheus.enabled (not .Values.envoy.enabled) }}
- name : envoy-metrics
2023-10-16 19:14:53 +02:00
containerPort : {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
hostPort : {{ .Values.proxy.prometheus.port | default .Values.envoy.prometheus.port }}
protocol : TCP
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
- name : hubble-metrics
containerPort : {{ .Values.hubble.metrics.port }}
hostPort : {{ .Values.hubble.metrics.port }}
protocol : TCP
{{- end }}
{{- end }}
securityContext :
{{- if .Values.securityContext.privileged }}
privileged : true
{{- else }}
seLinuxOptions :
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities :
add :
{{- with .Values.securityContext.capabilities.ciliumAgent }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop :
{{- end }}
terminationMessagePolicy : FallbackToLogsOnError
volumeMounts :
{{- if .Values.authentication.mutual.spire.enabled }}
- name : spire-agent-socket
mountPath : {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
readOnly : false
{{- end }}
{{- if .Values.envoy.enabled }}
- name : envoy-sockets
mountPath : /var/run/cilium/envoy/sockets
readOnly : false
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath : /host/proc/sys/net
name : host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath : /host/proc/sys/kernel
name : host-proc-sys-kernel
{{- end}}
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name : bpf-maps
mountPath : /sys/fs/bpf
{{- if .Values.securityContext.privileged }}
mountPropagation : Bidirectional
{{- else }}
# Unprivileged containers can't set mount propagation to bidirectional
# in this case we will mount the bpf fs from an init container that
# is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation : HostToContainer
{{- end}}
{{- end }}
{{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }}
# Check for duplicate mounts before mounting
- name : cilium-cgroup
mountPath : {{ .Values.cgroup.hostRoot }}
{{- end}}
- name : cilium-run
mountPath : /var/run/cilium
- name : etc-cni-netd
mountPath : {{ .Values.cni.hostConfDirMountPath }}
{{- if .Values.etcd.enabled }}
- name : etcd-config-path
mountPath : /var/lib/etcd-config
readOnly : true
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name : etcd-secrets
mountPath : /var/lib/etcd-secrets
readOnly : true
{{- end }}
{{- end }}
- name : clustermesh-secrets
mountPath : /var/lib/cilium/clustermesh
readOnly : true
{{- if .Values.ipMasqAgent.enabled }}
- name : ip-masq-agent
mountPath : /etc/config
readOnly : true
{{- end }}
{{- if .Values.cni.configMap }}
- name : cni-configuration
mountPath : {{ .Values.cni.confFileMountPath }}
readOnly : true
{{- end }}
# Needed to be able to load kernel modules
- name : lib-modules
mountPath : /lib/modules
readOnly : true
- name : xtables-lock
mountPath : /run/xtables.lock
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name : cilium-ipsec-secrets
mountPath : {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }}
{{- end }}
{{- if .Values.kubeConfigPath }}
- name : kube-config
mountPath : {{ .Values.kubeConfigPath }}
readOnly : true
{{- end }}
{{- if .Values.bgp.enabled }}
- name : bgp-config-path
mountPath : /var/lib/cilium/bgp
readOnly : true
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name : hubble-tls
mountPath : /var/lib/cilium/tls/hubble
readOnly : true
{{- end }}
- name : tmp
mountPath : /tmp
{{- range .Values.extraHostPathMounts }}
- name : {{ .name }}
mountPath : {{ .mountPath }}
readOnly : {{ .readOnly }}
{{- if .mountPropagation }}
mountPropagation : {{ .mountPropagation }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.monitor.enabled }}
- name : cilium-monitor
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
command :
- /bin/bash
- -c
- --
args :
- |-
for i in {1..5}; do \
[ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
done; \
cilium-dbg monitor
{{- range $type := .Values.monitor.eventTypes -}}
{{ " " }}--type={{ $type }}
{{- end }}
terminationMessagePolicy : FallbackToLogsOnError
volumeMounts :
- name : cilium-run
mountPath : /var/run/cilium
{{- with .Values.monitor.resources }}
resources :
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end }}
initContainers :
- name : config
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
command :
- cilium-dbg
- build-config
{{- if (not (kindIs "invalid" .Values.daemon.configSources)) }}
- "--source={{.Values.daemon.configSources}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.allowedConfigOverrides)) }}
- "--allow-config-keys={{.Values.daemon.allowedConfigOverrides}}"
{{- end }}
{{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }}
- "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}"
{{- end }}
env :
- name : K8S_NODE_NAME
valueFrom :
fieldRef :
apiVersion : v1
fieldPath : spec.nodeName
valueFrom :
fieldRef :
apiVersion : v1
fieldPath : metadata.namespace
{{- if .Values.k8sServiceHost }}
value : {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
value : {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts :
- name : tmp
mountPath : /tmp
terminationMessagePolicy : FallbackToLogsOnError
{{- if .Values.cgroup.autoMount.enabled }}
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name : mount-cgroup
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
env :
- name : CGROUP_ROOT
value : {{ .Values.cgroup.hostRoot }}
- name : BIN_PATH
value : {{ .Values.cni.binPath }}
{{- with .Values.cgroup.autoMount.resources }}
resources :
{{- toYaml . | trim | nindent 10 }}
{{- end }}
command :
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount
volumeMounts :
- name : hostproc
mountPath : /hostproc
- name : cni-path
mountPath : /hostbin
terminationMessagePolicy : FallbackToLogsOnError
securityContext :
{{- if .Values.securityContext.privileged }}
privileged : true
{{- else }}
seLinuxOptions :
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities :
2023-10-16 19:14:53 +02:00
add :
{{- with .Values.securityContext.capabilities.mountCgroup }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop :
{{- end}}
- name : apply-sysctl-overwrites
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
env :
- name : BIN_PATH
value : {{ .Values.cni.binPath }}
command :
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix
volumeMounts :
- name : hostproc
mountPath : /hostproc
- name : cni-path
mountPath : /hostbin
terminationMessagePolicy : FallbackToLogsOnError
securityContext :
{{- if .Values.securityContext.privileged }}
privileged : true
{{- else }}
seLinuxOptions :
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities :
2023-10-16 19:14:53 +02:00
add :
{{- with .Values.securityContext.capabilities.applySysctlOverwrites }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop :
{{- end}}
{{- end }}
{{- if and .Values.bpf.autoMount.enabled (not .Values.securityContext.privileged) }}
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name : mount-bpf-fs
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
args :
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command :
- /bin/bash
- -c
- --
terminationMessagePolicy : FallbackToLogsOnError
securityContext :
privileged : true
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
volumeMounts :
- name : bpf-maps
mountPath : /sys/fs/bpf
mountPropagation : Bidirectional
{{- end }}
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name : wait-for-node-init
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
command :
- sh
- -c
- |
until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do
echo "Waiting on node-init to run...";
sleep 1;
terminationMessagePolicy : FallbackToLogsOnError
volumeMounts :
- name : cilium-bootstrap-file-dir
mountPath : "/tmp/cilium-bootstrap.d"
{{- end }}
- name : clean-cilium-state
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
command :
- /init-container.sh
env :
valueFrom :
configMapKeyRef :
name : cilium-config
key : clean-cilium-state
optional : true
valueFrom :
configMapKeyRef :
name : cilium-config
key : clean-cilium-bpf-state
optional : true
valueFrom :
configMapKeyRef :
name : cilium-config
key : write-cni-conf-when-ready
optional : true
{{- if .Values.k8sServiceHost }}
value : {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
value : {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
terminationMessagePolicy : FallbackToLogsOnError
securityContext :
{{- if .Values.securityContext.privileged }}
privileged : true
{{- else }}
seLinuxOptions :
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
capabilities :
add :
{{- with .Values.securityContext.capabilities.cleanCiliumState }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop :
{{- end}}
volumeMounts :
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
- name : bpf-maps
mountPath : /sys/fs/bpf
{{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod
- name : cilium-cgroup
mountPath : {{ .Values.cgroup.hostRoot }}
mountPropagation : HostToContainer
- name : cilium-run
mountPath : /var/run/cilium
{{- with .Values.nodeinit.resources }}
resources :
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if and .Values.waitForKubeProxy (and (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true")) }}
- name : wait-for-kube-proxy
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
securityContext :
privileged : true
command :
- bash
- -c
- |
while true
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'"
exit 0
if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'"
exit 0
if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save"
exit 0
if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'"
exit 0
echo "Waiting for kube-proxy to create iptables rules...";
sleep 1;
terminationMessagePolicy : FallbackToLogsOnError
{{- end }} # wait-for-kube-proxy
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name : install-cni-binaries
image : {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy : {{ .Values.image.pullPolicy }}
command :
- "/install-plugin.sh"
resources :
requests :
cpu : 100m
memory : 10Mi
securityContext :
{{- if .Values.securityContext.privileged }}
privileged : true
{{- else }}
seLinuxOptions :
{{- with .Values.securityContext.seLinuxOptions }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
capabilities :
drop :
terminationMessagePolicy : FallbackToLogsOnError
volumeMounts :
- name : cni-path
mountPath : /host/opt/cni/bin
{{- end }} # .Values.cni.install
restartPolicy : Always
priorityClassName : {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount : {{ .Values.serviceAccounts.cilium.name | quote }}
serviceAccountName : {{ .Values.serviceAccounts.cilium.name | quote }}
automountServiceAccountToken : {{ .Values.serviceAccounts.cilium.automount }}
terminationGracePeriodSeconds : {{ .Values.terminationGracePeriodSeconds }}
hostNetwork : true
{{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }}
# In managed etcd mode, Cilium must be able to resolve the DNS name of
# the etcd service
dnsPolicy : ClusterFirstWithHostNet
{{- else if .Values.dnsPolicy }}
dnsPolicy : {{ .Values.dnsPolicy }}
{{- end }}
{{- with .Values.affinity }}
affinity :
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector :
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations :
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if and .Values.clustermesh.config.enabled (not (and .Values.clustermesh.useAPIServer .Values.clustermesh.apiserver.kvstoremesh.enabled )) }}
hostAliases :
{{- range $cluster := .Values.clustermesh.config.clusters }}
{{- range $ip := $cluster.ips }}
- ip : {{ $ip }}
hostnames : [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ]
{{- end }}
{{- end }}
{{- end }}
volumes :
# For sharing configuration between the "config" initContainer and the agent
- name : tmp
emptyDir : {}
# To keep state between restarts / upgrades
- name : cilium-run
hostPath :
path : {{ .Values.daemon.runPath }}
type : DirectoryOrCreate
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if and .Values.bpf.autoMount.enabled (not (eq .Values.containerRuntime.integration "crio")) }}
# To keep state between restarts / upgrades for bpf maps
- name : bpf-maps
hostPath :
path : /sys/fs/bpf
type : DirectoryOrCreate
{{- end }}
{{- if .Values.cgroup.autoMount.enabled }}
# To mount cgroup2 filesystem on the host
- name : hostproc
hostPath :
path : /proc
type : Directory
{{- end }}
# To keep state between restarts / upgrades for cgroup2 filesystem
- name : cilium-cgroup
hostPath :
path : {{ .Values.cgroup.hostRoot}}
type : DirectoryOrCreate
# To install cilium cni plugin in the host
- name : cni-path
hostPath :
path : {{ .Values.cni.binPath }}
type : DirectoryOrCreate
# To install cilium cni configuration in the host
- name : etc-cni-netd
hostPath :
path : {{ .Values.cni.confPath }}
type : DirectoryOrCreate
# To be able to load kernel modules
- name : lib-modules
hostPath :
path : /lib/modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name : xtables-lock
hostPath :
path : /run/xtables.lock
type : FileOrCreate
{{- if .Values.authentication.mutual.spire.enabled }}
- name : spire-agent-socket
hostPath :
path : {{ dir .Values.authentication.mutual.spire.adminSocketPath }}
type : DirectoryOrCreate
{{- end }}
{{- if .Values.envoy.enabled }}
# Sharing socket with Cilium Envoy on the same node by using a host path
- name : envoy-sockets
hostPath :
path : "{{ .Values.daemon.runPath }}/envoy/sockets"
type : DirectoryOrCreate
{{- end }}
{{- if .Values.kubeConfigPath }}
- name : kube-config
hostPath :
path : {{ .Values.kubeConfigPath }}
type : FileOrCreate
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name : cilium-bootstrap-file-dir
hostPath :
path : {{ .Values.nodeinit.bootstrapFile | dir | quote }}
type : DirectoryOrCreate
{{- end }}
{{- if .Values.etcd.enabled }}
# To read the etcd config stored in config maps
- name : etcd-config-path
configMap :
name : cilium-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode : 0400
items :
- key : etcd-config
path : etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name : etcd-secrets
secret :
secretName : cilium-etcd-secrets
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode : 0400
optional : true
{{- end }}
{{- end }}
# To read the clustermesh configuration
- name : clustermesh-secrets
projected :
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode : 0400
sources :
- secret :
name : cilium-clustermesh
optional : true
# note: items are not explicitly listed here, since the entries of this secret
# depend on the peers configured, and that would cause a restart of all agents
# at every addition/removal. Leaving the field empty makes each secret entry
# to be automatically projected into the volume as a file whose name is the key.
- secret :
name : clustermesh-apiserver-remote-cert
optional : true
items :
- key : tls.key
path : common-etcd-client.key
- key : tls.crt
path : common-etcd-client.crt
{{- if not .Values.tls.caBundle.enabled }}
- key : ca.crt
path : common-etcd-client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name : {{ .Values.tls.caBundle.name }}
optional : true
items :
- key : {{ .Values.tls.caBundle.key }}
path : common-etcd-client-ca.crt
{{- end }}
{{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }}
- name : ip-masq-agent
configMap :
name : ip-masq-agent
optional : true
items :
- key : config
path : ip-masq-agent
{{- end }}
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name : cilium-ipsec-secrets
secret :
secretName : {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }}
{{- end }}
{{- if .Values.cni.configMap }}
- name : cni-configuration
configMap :
name : {{ .Values.cni.configMap }}
{{- end }}
{{- if .Values.bgp.enabled }}
- name : bgp-config-path
configMap :
name : bgp-config
{{- end }}
{{- if not .Values.securityContext.privileged }}
- name : host-proc-sys-net
hostPath :
path : /proc/sys/net
type : Directory
- name : host-proc-sys-kernel
hostPath :
path : /proc/sys/kernel
type : Directory
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name : hubble-tls
projected :
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode : 0400
sources :
- secret :
name : hubble-server-certs
optional : true
items :
- key : tls.crt
path : server.crt
- key : tls.key
path : server.key
{{- if not .Values.tls.caBundle.enabled }}
- key : ca.crt
path : client-ca.crt
{{- else }}
- {{ .Values.tls.caBundle.useSecret | ternary "secret" "configMap" }}:
name : {{ .Values.tls.caBundle.name }}
optional : true
items :
- key : {{ .Values.tls.caBundle.key }}
path : client-ca.crt
{{- end }}
{{- end }}
{{- range .Values.extraHostPathMounts }}
- name : {{ .name }}
hostPath :
path : {{ .hostPath }}
{{- if .hostPathType }}
type : {{ .hostPathType }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}