Feat/cilium strict mode2.0 (#25)
* bump cilium helm charts * integrate cilium strict mode v2
parent
4adc19b7f5
commit
f649219cbf
@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- CoreOS images are publicly available for Azure.
|
||||
- GCP: Support for higher end N2D standard (128 & 224 vCPUs), *high-mem* and *high-cpu* VMs
|
||||
- Add `constellation upgrade` to update node images in Constellation.
|
||||
- Add cilium v1.12.1 with strict mode v2
|
||||
|
||||
### Changed
|
||||
<!-- For changes in existing functionality. -->
|
||||
@ -41,6 +42,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Change cdbg to use load balancer for deploy.
|
||||
- cdbg now uses the Constellation config directly and does not require any extra config
|
||||
- Azure CVMs are attested using SNP attestation
|
||||
- Replaced kube-proxy with cilium
|
||||
|
||||
### Deprecated
|
||||
<!-- For soon-to-be removed features. -->
|
||||
|
@ -55,7 +55,7 @@ For more elaborate overviews of Constellation, see the [architecture] documentat
|
||||
### Everything always encrypted
|
||||
|
||||
- Memory runtime encryption of all Kubernetes nodes
|
||||
- [Transparent network encryption][network-encryption] for the entire cluster node to node traffic. Provided by [Cilium], application independent, no sidecar required
|
||||
- [Transparent network encryption][network-encryption] provided by [Cilium]. Application independent, no sidecar required
|
||||
- [Persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) encryption for block storage. [Encrypted in the confidential Kubernetes context][storage-encryption], keys and plaintext data never leave the cluster. No trust in the cloud storage backend required
|
||||
- [Key management][key-management] for transparent network and storage encryption
|
||||
|
||||
|
@ -14,6 +14,7 @@ import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -175,7 +176,7 @@ func (k *KubernetesUtil) InitCluster(
|
||||
|
||||
// initialize the cluster
|
||||
log.Infof("Initializing the cluster using kubeadm init")
|
||||
cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs", "--config", initConfigFile.Name())
|
||||
cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs,addon/kube-proxy", "--config", initConfigFile.Name())
|
||||
out, err = cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
var exitErr *exec.ExitError
|
||||
@ -216,20 +217,21 @@ func (k *KubernetesUtil) SetupHelmDeployments(ctx context.Context, kubectl Clien
|
||||
}
|
||||
|
||||
type SetupPodNetworkInput struct {
|
||||
CloudProvider string
|
||||
NodeName string
|
||||
FirstNodePodCIDR string
|
||||
SubnetworkPodCIDR string
|
||||
ProviderID string
|
||||
CloudProvider string
|
||||
NodeName string
|
||||
FirstNodePodCIDR string
|
||||
SubnetworkPodCIDR string
|
||||
ProviderID string
|
||||
LoadBalancerEndpoint string
|
||||
}
|
||||
|
||||
// deployCilium sets up the cilium pod network.
|
||||
func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInput, helmClient *action.Install, ciliumDeployment helm.Deployment, kubectl Client) error {
|
||||
switch in.CloudProvider {
|
||||
case "gcp":
|
||||
return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR)
|
||||
return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR, in.LoadBalancerEndpoint)
|
||||
case "azure":
|
||||
return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment)
|
||||
return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment, in.LoadBalancerEndpoint)
|
||||
case "qemu":
|
||||
return k.deployCiliumQEMU(ctx, helmClient, ciliumDeployment, in.SubnetworkPodCIDR)
|
||||
default:
|
||||
@ -237,7 +239,11 @@ func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInp
|
||||
}
|
||||
}
|
||||
|
||||
func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment) error {
|
||||
func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment, kubeAPIEndpoint string) error {
|
||||
host := kubeAPIEndpoint
|
||||
ciliumDeployment.Values["k8sServiceHost"] = host
|
||||
ciliumDeployment.Values["k8sServicePort"] = strconv.Itoa(constants.KubernetesPort)
|
||||
|
||||
_, err := helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
|
||||
if err != nil {
|
||||
return fmt.Errorf("installing cilium: %w", err)
|
||||
@ -245,7 +251,7 @@ func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *acti
|
||||
return nil
|
||||
}
|
||||
|
||||
func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR string) error {
|
||||
func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
|
||||
out, err := exec.CommandContext(ctx, kubectlPath, "--kubeconfig", kubeConfig, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
|
||||
if err != nil {
|
||||
err = errors.New(string(out))
|
||||
@ -270,9 +276,18 @@ func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action
|
||||
return err
|
||||
}
|
||||
|
||||
host, port, err := net.SplitHostPort(kubeAPIEndpoint)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// configure pod network CIDR
|
||||
ciliumDeployment.Values["ipv4NativeRoutingCIDR"] = subnetworkPodCIDR
|
||||
ciliumDeployment.Values["strictModeCIDR"] = subnetworkPodCIDR
|
||||
ciliumDeployment.Values["k8sServiceHost"] = host
|
||||
if port != "" {
|
||||
ciliumDeployment.Values["k8sServicePort"] = port
|
||||
}
|
||||
|
||||
_, err = helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
|
||||
if err != nil {
|
||||
|
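Review bot: The same `LoadBalancerEndpoint` value is handled two different ways: `deployCiliumAzure` copies it verbatim into `k8sServiceHost` (`host := kubeAPIEndpoint`) and fixes the port to `constants.KubernetesPort`, while `deployCiliumGCP` runs it through `net.SplitHostPort`, which fails when the string carries no port at all. Unless the endpoint's form differs per provider, one of the two paths hands Cilium a wrong API server address, and with `addon/kube-proxy` now skipped in `InitCluster` a wrong `k8sServiceHost` likely leaves the agent unable to reach the API server. I would parse once in `deployCilium` and pass host and port to both helpers; at minimum the GCP error should carry context, `return fmt.Errorf("parsing control plane endpoint %q: %w", kubeAPIEndpoint, err)`, and the `if port != ""` guard only matters for a trailing-colon input since a missing port already errors. A field comment on `LoadBalancerEndpoint` stating whether it is `host` or `host:port` would settle which path is right. `deployCiliumGCP` continues past the end of the hunk.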
@ -164,10 +164,11 @@ func (k *KubeWrapper) InitCluster(
|
||||
// Step 3: configure & start kubernetes controllers
|
||||
log.Infof("Starting Kubernetes controllers and deployments")
|
||||
setupPodNetworkInput := k8sapi.SetupPodNetworkInput{
|
||||
CloudProvider: k.cloudProvider,
|
||||
NodeName: nodeName,
|
||||
FirstNodePodCIDR: nodePodCIDR,
|
||||
SubnetworkPodCIDR: subnetworkPodCIDR,
|
||||
CloudProvider: k.cloudProvider,
|
||||
NodeName: nodeName,
|
||||
FirstNodePodCIDR: nodePodCIDR,
|
||||
SubnetworkPodCIDR: subnetworkPodCIDR,
|
||||
LoadBalancerEndpoint: controlPlaneEndpoint,
|
||||
}
|
||||
if err = k.clusterUtil.SetupHelmDeployments(ctx, k.client, helmDeployments, setupPodNetworkInput, log); err != nil {
|
||||
return nil, fmt.Errorf("setting up pod network: %w", err)
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: cilium
|
||||
displayName: Cilium
|
||||
home: https://cilium.io/
|
||||
version: 1.12.0
|
||||
appVersion: 1.12.0
|
||||
version: 1.12.1
|
||||
appVersion: 1.12.1
|
||||
kubeVersion: ">= 1.16.0-0"
|
||||
icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
|
||||
description: eBPF-based Networking, Security, and Observability
|
||||
|
@ -1,6 +1,6 @@
|
||||
# cilium
|
||||
|
||||
![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square)
|
||||
![Version: 1.12.1](https://img.shields.io/badge/Version-1.12.1-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square)
|
||||
|
||||
Cilium is open source software for providing and transparently securing
|
||||
network connectivity and loadbalancing between application workloads such as
|
||||
@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver |
|
||||
| clustermesh.apiserver.etcd.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3"}` | Clustermesh API server etcd image. |
|
||||
| clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
|
||||
| clustermesh.apiserver.image | object | `{"digest":"sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.0","useDigest":true}` | Clustermesh API server image. |
|
||||
| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.1","useDigest":false}` | Clustermesh API server image. |
|
||||
| clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||
| clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods |
|
||||
| clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
@ -239,7 +239,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). |
|
||||
| hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) |
|
||||
| hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. |
|
||||
| hubble.relay.image | object | `{"digest":"sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.0","useDigest":true}` | Hubble-relay container image. |
|
||||
| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.1","useDigest":false}` | Hubble-relay container image. |
|
||||
| hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
|
||||
| hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
|
||||
| hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||
@ -289,11 +289,11 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated |
|
||||
| hubble.ui.affinity | object | `{}` | Affinity for hubble-ui |
|
||||
| hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
|
||||
| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"}` | Hubble-ui backend image. |
|
||||
| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0"}` | Hubble-ui backend image. |
|
||||
| hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
|
||||
| hubble.ui.enabled | bool | `false` | Whether to enable the Hubble UI. |
|
||||
| hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
|
||||
| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"}` | Hubble-ui frontend image. |
|
||||
| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24"}` | Hubble-ui frontend image. |
|
||||
| hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
|
||||
| hubble.ui.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"tls":[]}` | hubble-ui ingress configuration. |
|
||||
| hubble.ui.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||
@ -316,7 +316,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
|
||||
| hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
|
||||
| identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
|
||||
| image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Agent container image. |
|
||||
| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Agent container image. |
|
||||
| imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
|
||||
| ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
|
||||
| ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
|
||||
@ -336,7 +336,6 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| ipam.operator.clusterPoolIPv6PodCIDRList | list | `[]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. |
|
||||
| ipv4.enabled | bool | `true` | Enable IPv4 support. |
|
||||
| ipv6.enabled | bool | `false` | Enable IPv6 support. |
|
||||
| ipvlan.enabled | bool | `false` | Enable the IPVLAN datapath (deprecated) |
|
||||
| k8s | object | `{}` | Configure Kubernetes specific configuration |
|
||||
| keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. |
|
||||
| keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet |
|
||||
@ -382,7 +381,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
|
||||
| operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
|
||||
| operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
|
||||
| operator.image | object | `{"alibabacloudDigest":"sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5","awsDigest":"sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22","azureDigest":"sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba","genericDigest":"sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.0","useDigest":true}` | cilium-operator image. |
|
||||
| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.1","useDigest":false}` | cilium-operator image. |
|
||||
| operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
|
||||
| operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||
| operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
|
||||
@ -413,7 +412,7 @@ contributors across the globe, there is almost always someone available to help.
|
||||
| preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight |
|
||||
| preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) |
|
||||
| preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
|
||||
| preflight.image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Cilium pre-flight image. |
|
||||
| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Cilium pre-flight image. |
|
||||
| preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||
| preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
|
||||
| preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
|
@ -463,7 +463,6 @@ spec:
|
||||
- SYS_CHROOT
|
||||
- SYS_PTRACE
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
- name: apply-sysctl-overwrites
|
||||
image: {{ include "cilium.image" .Values.image | quote }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
@ -507,6 +506,7 @@ spec:
|
||||
- SYS_CHROOT
|
||||
- SYS_PTRACE
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
{{- if not .Values.securityContext.privileged }}
|
||||
# Mount the bpf fs if it is not mounted. We will perform this task
|
||||
# from a privileged container because the mount propagation bidirectional
|
||||
|
@ -48,6 +48,7 @@
|
||||
{{- if .Values.azure.enabled }}
|
||||
{{- $azureUsePrimaryAddress = "false" -}}
|
||||
{{- end }}
|
||||
{{- $defaultKubeProxyReplacement = "disabled" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $ipam := (coalesce .Values.ipam.mode $defaultIPAM) -}}
|
||||
@ -498,13 +499,6 @@ data:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if hasKey .Values "datapathMode" }}
|
||||
{{- if eq .Values.datapathMode "ipvlan" }}
|
||||
datapath-mode: ipvlan
|
||||
ipvlan-master-device: {{ .Values.ipvlan.masterDevice }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.strictModeCIDR }}
|
||||
strict-mode-cidr: {{ .Values.strictModeCIDR | quote }}
|
||||
{{- end }}
|
||||
|
@ -37,25 +37,19 @@ spec:
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
# To access iptables concurrently with other processes (e.g. kube-proxy)
|
||||
- hostPath:
|
||||
path: /run/xtables.lock
|
||||
type: FileOrCreate
|
||||
name: xtables-lock
|
||||
containers:
|
||||
- name: node-init
|
||||
image: {{ include "cilium.image" .Values.nodeinit.image | quote }}
|
||||
imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }}
|
||||
volumeMounts:
|
||||
# To access iptables concurrently with other processes (e.g. kube-proxy)
|
||||
- mountPath: /run/xtables.lock
|
||||
name: xtables-lock
|
||||
lifecycle:
|
||||
{{- if .Values.eni.enabled }}
|
||||
postStart:
|
||||
exec:
|
||||
command:
|
||||
- nsenter
|
||||
- --target=1
|
||||
- --mount
|
||||
- --
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
- |
|
||||
|
@ -207,7 +207,7 @@ spec:
|
||||
# In managed etcd mode, Cilium must be able to resolve the DNS name of
|
||||
# the etcd service
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
{{- else if .Values.dnsPolicy }}
|
||||
{{- else if .Values.operator.dnsPolicy }}
|
||||
dnsPolicy: {{ .Values.operator.dnsPolicy }}
|
||||
{{- end }}
|
||||
restartPolicy: Always
|
||||
|
@ -127,6 +127,12 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: cilium-config
|
||||
key: identity-allocation-mode
|
||||
- name: ENABLE_K8S_ENDPOINT_SLICE
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: cilium-config
|
||||
key: enable-k8s-endpoint-slice
|
||||
optional: true
|
||||
{{- with .Values.clustermesh.apiserver.extraEnv }}
|
||||
{{- toYaml . | trim | nindent 8 }}
|
||||
{{- end }}
|
||||
|
@ -90,11 +90,11 @@ rollOutCiliumPods: false
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/cilium"
|
||||
tag: "v1.12.0"
|
||||
tag: "v1.12.1"
|
||||
pullPolicy: "IfNotPresent"
|
||||
# cilium-digest
|
||||
digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
|
||||
useDigest: true
|
||||
digest: ""
|
||||
useDigest: false
|
||||
|
||||
# -- Affinity for cilium-agent.
|
||||
affinity:
|
||||
@ -788,10 +788,10 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-relay"
|
||||
tag: "v1.12.0"
|
||||
tag: "v1.12.1"
|
||||
# hubble-relay-digest
|
||||
digest: "sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d"
|
||||
useDigest: true
|
||||
digest: ""
|
||||
useDigest: false
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
# -- Specifies the resources for the hubble-relay pods
|
||||
@ -972,7 +972,7 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-ui-backend"
|
||||
tag: "v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"
|
||||
tag: "v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0"
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
# -- Additional hubble-ui backend environment variables.
|
||||
@ -992,7 +992,7 @@ hubble:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/hubble-ui"
|
||||
tag: "v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"
|
||||
tag: "v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24"
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
# -- Additional hubble-ui frontend environment variables.
|
||||
@ -1139,14 +1139,6 @@ ipv6:
|
||||
# -- Enable IPv6 support.
|
||||
enabled: false
|
||||
|
||||
ipvlan:
|
||||
# -- Enable the IPVLAN datapath (deprecated)
|
||||
enabled: false
|
||||
|
||||
# -- masterDevice is the name of the device to use to attach secondary IPVLAN
|
||||
# devices
|
||||
# masterDevice: eth0
|
||||
|
||||
# -- Configure Kubernetes specific configuration
|
||||
k8s: {}
|
||||
# -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
|
||||
@ -1534,16 +1526,16 @@ operator:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/operator"
|
||||
tag: "v1.12.0"
|
||||
tag: "v1.12.1"
|
||||
# operator-generic-digest
|
||||
genericDigest: "sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410"
|
||||
genericDigest: ""
|
||||
# operator-azure-digest
|
||||
azureDigest: "sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba"
|
||||
azureDigest: ""
|
||||
# operator-aws-digest
|
||||
awsDigest: "sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22"
|
||||
awsDigest: ""
|
||||
# operator-alibabacloud-digest
|
||||
alibabacloudDigest: "sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5"
|
||||
useDigest: true
|
||||
alibabacloudDigest: ""
|
||||
useDigest: false
|
||||
pullPolicy: "IfNotPresent"
|
||||
suffix: ""
|
||||
|
||||
@ -1767,10 +1759,10 @@ preflight:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/cilium"
|
||||
tag: "v1.12.0"
|
||||
tag: "v1.12.1"
|
||||
# cilium-digest
|
||||
digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
|
||||
useDigest: true
|
||||
digest: ""
|
||||
useDigest: false
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
# -- The priority class to use for the preflight pod.
|
||||
@ -1904,10 +1896,10 @@ clustermesh:
|
||||
image:
|
||||
override: ~
|
||||
repository: "quay.io/cilium/clustermesh-apiserver"
|
||||
tag: "v1.12.0"
|
||||
tag: "v1.12.1"
|
||||
# clustermesh-apiserver-digest
|
||||
digest: "sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299"
|
||||
useDigest: true
|
||||
digest: ""
|
||||
useDigest: false
|
||||
pullPolicy: "IfNotPresent"
|
||||
|
||||
etcd:
|
||||
|
@ -1134,14 +1134,6 @@ ipv6:
|
||||
# -- Enable IPv6 support.
|
||||
enabled: false
|
||||
|
||||
ipvlan:
|
||||
# -- Enable the IPVLAN datapath (deprecated)
|
||||
enabled: false
|
||||
|
||||
# -- masterDevice is the name of the device to use to attach secondary IPVLAN
|
||||
# devices
|
||||
# masterDevice: eth0
|
||||
|
||||
# -- Configure Kubernetes specific configuration
|
||||
k8s: {}
|
||||
# -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
|
||||
|
@ -3,7 +3,7 @@
|
||||
CALLDIR=$(pwd)
|
||||
CILIUMTMPDIR=$(mktemp -d)
|
||||
cd $CILIUMTMPDIR
|
||||
git clone --depth 1 -b v1.12 https://github.com/cilium/cilium.git
|
||||
git clone --depth 1 -b 1.12.1 https://github.com/cilium/cilium.git
|
||||
cd cilium
|
||||
git apply $CALLDIR/cilium.patch
|
||||
cp -r install/kubernetes/cilium $CALLDIR/charts
|
||||
|
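Review bot: The clone now targets `-b 1.12.1`, but the repository is still fetched by ref name with no pinned commit, so the vendored chart is whatever that ref points to at run time; upstream Cilium release tags carry a `v` prefix (the previous ref was `v1.12`), so confirm that `1.12.1` resolves to the intended release and consider recording the expected commit and checking it after the clone (`git -C cilium rev-parse HEAD`) so a moved branch or tag is noticed. `$CILIUMTMPDIR` and `$CALLDIR` are used unquoted in `cd` and `git apply`, which breaks on paths containing spaces; `cd "$CILIUMTMPDIR"` and `git apply "$CALLDIR/cilium.patch"`. Whether the script runs under `set -e` is not visible because it begins outside the hunk; without it a failed clone or a rejected patch still falls through to the `cp` and silently vendors a stale or unpatched chart.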
@ -16,27 +16,28 @@ var azureVals = map[string]interface{}{
|
||||
},
|
||||
},
|
||||
},
|
||||
"strictModeCIDRs": []string{
|
||||
"10.244.0.0/16",
|
||||
},
|
||||
"strictModeCIDR": "10.244.0.0/16",
|
||||
"image": map[string]interface{}{
|
||||
"repository": "ghcr.io/3u13r/cilium",
|
||||
"suffix": "v1.12.0-edg2",
|
||||
"tag": "latest",
|
||||
"digest": "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
|
||||
"useDigest": false,
|
||||
"suffix": "",
|
||||
"tag": "v1.12.1-edg",
|
||||
"digest": "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
|
||||
"useDigest": true,
|
||||
},
|
||||
"operator": map[string]interface{}{
|
||||
"image": map[string]interface{}{
|
||||
"repository": "ghcr.io/3u13r/operator",
|
||||
"tag": "v1.12.0-edg2",
|
||||
"tag": "v1.12.1-edg",
|
||||
"suffix": "",
|
||||
"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
|
||||
"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
|
||||
"useDigest": true,
|
||||
},
|
||||
},
|
||||
"egressMasqueradeInterfaces": "eth0",
|
||||
"enableIPv4Masquerade": true,
|
||||
"egressMasqueradeInterfaces": "eth0",
|
||||
"enableIPv4Masquerade": true,
|
||||
"kubeProxyReplacement": "strict",
|
||||
"enableCiliumEndpointSlice": true,
|
||||
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
||||
}
|
||||
|
||||
var gcpVals = map[string]interface{}{
|
||||
@ -51,16 +52,16 @@ var gcpVals = map[string]interface{}{
|
||||
"image": map[string]interface{}{
|
||||
"repository": "ghcr.io/3u13r/cilium",
|
||||
"suffix": "",
|
||||
"tag": "v1.12.0-edg2",
|
||||
"digest": "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
|
||||
"tag": "v1.12.1-edg",
|
||||
"digest": "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
|
||||
"useDigest": true,
|
||||
},
|
||||
"operator": map[string]interface{}{
|
||||
"image": map[string]interface{}{
|
||||
"repository": "ghcr.io/3u13r/operator",
|
||||
"suffix": "",
|
||||
"tag": "v1.12.0-edg2",
|
||||
"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
|
||||
"tag": "v1.12.1-edg",
|
||||
"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
|
||||
"useDigest": true,
|
||||
},
|
||||
},
|
||||
@ -68,6 +69,9 @@ var gcpVals = map[string]interface{}{
|
||||
"ipam": map[string]interface{}{
|
||||
"mode": "kubernetes",
|
||||
},
|
||||
"kubeProxyReplacement": "strict",
|
||||
"enableCiliumEndpointSlice": true,
|
||||
"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
|
||||
}
|
||||
|
||||
var qemuVals = map[string]interface{}{
|
||||
|
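Review bot: `strictModeCIDR` for Azure is the hard-coded literal `"10.244.0.0/16"` in `azureVals`, whereas the GCP path sets `strictModeCIDR` from the cluster's `subnetworkPodCIDR` at deploy time; if the Azure pod CIDR is defined elsewhere this duplicate should come from that same constant (or be set at deploy time like GCP), since a CIDR that does not match the real pod range would have strict mode enforce encryption on the wrong traffic. `kubeProxyReplacementHealthzBindAddr` is `0.0.0.0:10256` on both providers, which on a host-networked agent exposes the healthz endpoint on every node interface; a comment stating why it is needed (presumably the load balancer health check) and that the provider firewall rules cover it would help the next reader. With the vendored chart now shipping `useDigest: false` and empty digests, only the agent and operator images overridden here are digest-pinned; hubble, clustermesh-apiserver and preflight would run from mutable tags if they are ever enabled. The images come from the personal namespace `ghcr.io/3u13r`, which predates this commit; the digest pinning is what makes that acceptable, so keep `useDigest: true` on every override.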