From f649219cbf9693112fdc95c58bd17cedda5c5679 Mon Sep 17 00:00:00 2001 From: 3u13r Date: Wed, 31 Aug 2022 15:37:07 +0200 Subject: [PATCH] Feat/cilium strict mode2.0 (#25) * bump cilium helm charts * integrate cilium strict mode v2 --- CHANGELOG.md | 2 + README.md | 2 +- .../internal/kubernetes/k8sapi/util.go | 35 ++++++++++---- .../internal/kubernetes/kubernetes.go | 9 ++-- cli/internal/helm/charts/cilium/Chart.yaml | 4 +- cli/internal/helm/charts/cilium/README.md | 17 ++++--- .../templates/cilium-agent/daemonset.yaml | 2 +- .../cilium/templates/cilium-configmap.yaml | 8 +--- .../templates/cilium-nodeinit/daemonset.yaml | 14 ++---- .../templates/cilium-operator/deployment.yaml | 2 +- .../clustermesh-apiserver/deployment.yaml | 6 +++ cli/internal/helm/charts/cilium/values.yaml | 48 ++++++++----------- .../helm/charts/cilium/values.yaml.tmpl | 8 ---- cli/internal/helm/generateCilium.sh | 2 +- cli/internal/helm/values.go | 34 +++++++------ 15 files changed, 96 insertions(+), 97 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d1e36b04..08c3df7db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - CoreOS images are publicly available for Azure. - GCP: Support for higher end N2D standard (128 & 224 vCPUs), *high-mem* and *high-cpu* VMs - Add `constellation upgrade` to update node images in Constellation. +- Add cilium v1.12.1 with strict mode v2 ### Changed @@ -41,6 +42,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Change cdbg to use load balancer for deploy. - cdbg now uses the Constellation config directly and does not require any extra config - Azure CVMs are attested using SNP attestation +- Replaced kube-proxy with cilium ### Deprecated diff --git a/README.md b/README.md index 8700b55e8..e5719016c 100644 --- a/README.md +++ b/README.md 
@@ -55,7 +55,7 @@ For more elaborate overviews of Constellation, see the [architecture] documentat ### Everything always encrypted - Memory runtime encryption of all Kubernetes nodes -- [Transparent network encryption][network-encryption] for the entire cluster node to node traffic. Provided by [Cilium], application independent, no sidecar required +- [Transparent network encryption][network-encryption] provided by [Cilium]. Application independent, no sidecar required - [Persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) encryption for block storage. [Encrypted in the confidential Kubernetes context][storage-encryption], keys and plaintext data never leave the cluster. No trust in the cloud storage backend required - [Key management][key-management] for transparent network and storage encryption diff --git a/bootstrapper/internal/kubernetes/k8sapi/util.go b/bootstrapper/internal/kubernetes/k8sapi/util.go index 44231cb76..e0a552ff4 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/util.go +++ b/bootstrapper/internal/kubernetes/k8sapi/util.go @@ -14,6 +14,7 @@ import ( "os" "os/exec" "path/filepath" + "strconv" "strings" "time" @@ -175,7 +176,7 @@ func (k *KubernetesUtil) InitCluster( // initialize the cluster log.Infof("Initializing the cluster using kubeadm init") - cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs", "--config", initConfigFile.Name()) + cmd = exec.CommandContext(ctx, kubeadmPath, "init", "-v=5", "--skip-phases=preflight,certs,addon/kube-proxy", "--config", initConfigFile.Name()) out, err = cmd.CombinedOutput() if err != nil { var exitErr *exec.ExitError 
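Review bot: The new `addon/kube-proxy` entry in `--skip-phases` has no comment explaining why kube-proxy is left out, and the reason lives in another file (values.go sets `kubeProxyReplacement` to `strict` in the Azure and GCP values). A one-line comment above the `cmd = exec.CommandContext(...)` line would carry the intent: `// kube-proxy is not installed; Cilium is deployed with kubeProxyReplacement=strict and provides service load balancing instead.` The skip applies to every cloud provider, while the visible values.go hunks only set the replacement for Azure and GCP, so it is worth confirming that the QEMU values do the same, otherwise services on that provider presumably have no proxy at all. InitCluster continues outside the hunk.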
@@ -216,20 +217,21 @@ func (k *KubernetesUtil) SetupHelmDeployments(ctx context.Context, kubectl Clien
 }
 
 type SetupPodNetworkInput struct {
-	CloudProvider     string
-	NodeName          string
-	FirstNodePodCIDR  string
-	SubnetworkPodCIDR string
-	ProviderID        string
+	CloudProvider        string
+	NodeName             string
+	FirstNodePodCIDR     string
+	SubnetworkPodCIDR    string
+	ProviderID           string
+	LoadBalancerEndpoint string
 }
 
 // deployCilium sets up the cilium pod network.
 func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInput, helmClient *action.Install, ciliumDeployment helm.Deployment, kubectl Client) error {
 	switch in.CloudProvider {
 	case "gcp":
-		return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR)
+		return k.deployCiliumGCP(ctx, helmClient, kubectl, ciliumDeployment, in.NodeName, in.FirstNodePodCIDR, in.SubnetworkPodCIDR, in.LoadBalancerEndpoint)
 	case "azure":
-		return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment)
+		return k.deployCiliumAzure(ctx, helmClient, ciliumDeployment, in.LoadBalancerEndpoint)
 	case "qemu":
 		return k.deployCiliumQEMU(ctx, helmClient, ciliumDeployment, in.SubnetworkPodCIDR)
 	default:
@@ -237,7 +239,11 @@ func (k *KubernetesUtil) deployCilium(ctx context.Context, in SetupPodNetworkInp
 	}
 }
 
-func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment) error {
+func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *action.Install, ciliumDeployment helm.Deployment, kubeAPIEndpoint string) error {
+	host := kubeAPIEndpoint
+	ciliumDeployment.Values["k8sServiceHost"] = host
+	ciliumDeployment.Values["k8sServicePort"] = strconv.Itoa(constants.KubernetesPort)
+
 	_, err := helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
 	if err != nil {
 		return fmt.Errorf("installing cilium: %w", err)
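Review bot: The `qemu` case still calls `deployCiliumQEMU(ctx, helmClient, ciliumDeployment, in.SubnetworkPodCIDR)` without `in.LoadBalancerEndpoint`, while the gcp and azure cases now forward it so the agent can be pointed at the API server through `k8sServiceHost`/`k8sServicePort`. With the kube-proxy addon skipped in InitCluster (same patch, util.go), the agent on QEMU presumably has no way to reach the `kubernetes` ClusterIP before Cilium itself is running, so the QEMU path likely needs the same two values; confirm against deployCiliumQEMU, which is outside the hunk. The new `LoadBalancerEndpoint` field also has no doc comment; a line such as `// LoadBalancerEndpoint is the address Cilium uses to reach the Kubernetes API server.` would make its purpose explicit.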
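Review bot: `k8sServiceHost` is set to `kubeAPIEndpoint` verbatim here, while deployCiliumGCP (next hunk, @@ -270) splits the same input with `net.SplitHostPort` and returns its error when no port is present. Both receive `in.LoadBalancerEndpoint`, which kubernetes.go fills from `controlPlaneEndpoint` for every provider, so unless the endpoint format differs by provider one of the two paths is wrong: either the Azure host value still carries a `:port` suffix, or the GCP call fails with `missing port in address`. Parsing once in deployCilium and handing host and port to both helpers would remove the divergence, and the `host := kubeAPIEndpoint` alias can be dropped in the process. deployCiliumAzure's body continues outside the hunk.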
@@ -245,7 +251,7 @@ func (k *KubernetesUtil) deployCiliumAzure(ctx context.Context, helmClient *acti
 	return nil
 }
 
-func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR string) error {
+func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action.Install, kubectl Client, ciliumDeployment helm.Deployment, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
 	out, err := exec.CommandContext(ctx, kubectlPath, "--kubeconfig", kubeConfig, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
 	if err != nil {
 		err = errors.New(string(out))
@@ -270,9 +276,18 @@ func (k *KubernetesUtil) deployCiliumGCP(ctx context.Context, helmClient *action
 		return err
 	}
 
+	host, port, err := net.SplitHostPort(kubeAPIEndpoint)
+	if err != nil {
+		return err
+	}
+
 	// configure pod network CIDR
 	ciliumDeployment.Values["ipv4NativeRoutingCIDR"] = subnetworkPodCIDR
 	ciliumDeployment.Values["strictModeCIDR"] = subnetworkPodCIDR
+	ciliumDeployment.Values["k8sServiceHost"] = host
+	if port != "" {
+		ciliumDeployment.Values["k8sServicePort"] = port
+	}
 
 	_, err = helmClient.RunWithContext(ctx, ciliumDeployment.Chart, ciliumDeployment.Values)
 	if err != nil {
diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go
index cabcd13a0..2357bcb04 100644
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
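Review bot: The `if port != "" {` guard around `k8sServicePort` is nearly dead: `net.SplitHostPort` already returns an error when no port is present, so the only input that reaches the guard with an empty port is an address ending in a bare `:`, and in that case the chart's default port is applied silently while the Azure path always sets `strconv.Itoa(constants.KubernetesPort)`. Either fall back to the same constant explicitly or treat an empty port as an error so both providers behave alike. The `return err` after SplitHostPort is also the only unwrapped error in this function; `return fmt.Errorf("parsing kube API endpoint %q: %w", kubeAPIEndpoint, err)` would match the `installing cilium: %w` style below. The import hunk only adds `strconv`, so `net` is presumably already imported above the visible range — worth a check.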
@@ -164,10 +164,11 @@ func (k *KubeWrapper) InitCluster(
 	// Step 3: configure & start kubernetes controllers
 	log.Infof("Starting Kubernetes controllers and deployments")
 	setupPodNetworkInput := k8sapi.SetupPodNetworkInput{
-		CloudProvider:     k.cloudProvider,
-		NodeName:          nodeName,
-		FirstNodePodCIDR:  nodePodCIDR,
-		SubnetworkPodCIDR: subnetworkPodCIDR,
+		CloudProvider:        k.cloudProvider,
+		NodeName:             nodeName,
+		FirstNodePodCIDR:     nodePodCIDR,
+		SubnetworkPodCIDR:    subnetworkPodCIDR,
+		LoadBalancerEndpoint: controlPlaneEndpoint,
 	}
 	if err = k.clusterUtil.SetupHelmDeployments(ctx, k.client, helmDeployments, setupPodNetworkInput, log); err != nil {
 		return nil, fmt.Errorf("setting up pod network: %w", err)
diff --git a/cli/internal/helm/charts/cilium/Chart.yaml b/cli/internal/helm/charts/cilium/Chart.yaml
index edbcd63d2..6ffee03cd 100644
--- a/cli/internal/helm/charts/cilium/Chart.yaml
+++ b/cli/internal/helm/charts/cilium/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.12.0
-appVersion: 1.12.0
+version: 1.12.1
+appVersion: 1.12.1
 kubeVersion: ">= 1.16.0-0"
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.12/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
diff --git a/cli/internal/helm/charts/cilium/README.md b/cli/internal/helm/charts/cilium/README.md
index c5c4c2acd..49cfe3056 100644
--- a/cli/internal/helm/charts/cilium/README.md
+++ b/cli/internal/helm/charts/cilium/README.md
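Review bot: The new field is named `LoadBalancerEndpoint` but is filled from `controlPlaneEndpoint` here and consumed in util.go under the parameter name `kubeAPIEndpoint`, so three names describe one value; renaming the field `KubeAPIEndpoint`, or at least documenting it as the API server address Cilium should use, would avoid the mismatch. Whether `controlPlaneEndpoint` carries `host:port` or a bare host is decided outside this hunk; it matters because the Azure and GCP consumers in util.go parse it differently (verbatim host versus `net.SplitHostPort`). InitCluster continues outside the hunk.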
@@ -1,6 +1,6 @@ # cilium -![Version: 1.12.0](https://img.shields.io/badge/Version-1.12.0-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) +![Version: 1.12.1](https://img.shields.io/badge/Version-1.12.1-informational?style=flat-square) ![AppVersion: 1.12.1](https://img.shields.io/badge/AppVersion-1.12.1-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -93,7 +93,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"clustermesh-apiserver"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for clustermesh.apiserver | | clustermesh.apiserver.etcd.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/coreos/etcd","tag":"v3.5.4@sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3"}` | Clustermesh API server etcd image. | | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.0","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.12.1","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | | clustermesh.apiserver.podAnnotations | object | `{}` | Annotations to be added to clustermesh-apiserver pods | | clustermesh.apiserver.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -239,7 +239,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | -| hubble.relay.image | object | `{"digest":"sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.0","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.12.1","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | 
@@ -289,11 +289,11 @@ contributors across the globe, there is almost always someone available to help. | hubble.tls.server.extraIpAddresses | list | `[]` | Extra IP addresses added to certificate when it's auto generated | | hubble.ui.affinity | object | `{}` | Affinity for hubble-ui | | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | -| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b"}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0"}` | Hubble-ui backend image. | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | | hubble.ui.enabled | bool | `false` | Whether to enable the Hubble UI. | | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | -| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0"}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24"}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.ingress | object | `{"annotations":{},"className":"","enabled":false,"hosts":["chart-example.local"],"tls":[]}` | hubble-ui ingress configuration. 
| | hubble.ui.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | @@ -316,7 +316,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.tolerations | list | `[]` | Node tolerations for pod assignment on nodes with taints ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | -| image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. | | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. | 
@@ -336,7 +336,6 @@ contributors across the globe, there is almost always someone available to help. | ipam.operator.clusterPoolIPv6PodCIDRList | list | `[]` | IPv6 CIDR list range to delegate to individual nodes for IPAM. | | ipv4.enabled | bool | `true` | Enable IPv4 support. | | ipv6.enabled | bool | `false` | Enable IPv6 support. | -| ipvlan.enabled | bool | `false` | Enable the IPVLAN datapath (deprecated) | | k8s | object | `{}` | Configure Kubernetes specific configuration | | keepDeprecatedLabels | bool | `false` | Keep the deprecated selector labels when deploying Cilium DaemonSet. | | keepDeprecatedProbes | bool | `false` | Keep the deprecated probes when deploying Cilium DaemonSet | 
@@ -382,7 +381,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5","awsDigest":"sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22","azureDigest":"sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba","genericDigest":"sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.0","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.12.1","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -413,7 +412,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.affinity | object | `{"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-preflight | | preflight.enabled | bool | `false` | Enable Cilium pre-flight resources (required for upgrade) | | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | -| preflight.image | object | `{"digest":"sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.0","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.12.1","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml index af6fe5ff5..7a58f6b33 100644 --- a/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -463,7 +463,6 @@ spec: - SYS_CHROOT - SYS_PTRACE {{- end}} - {{- end }} - name: apply-sysctl-overwrites image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} 
@@ -507,6 +506,7 @@ spec: - SYS_CHROOT - SYS_PTRACE {{- end}} + {{- end }} {{- if not .Values.securityContext.privileged }} # Mount the bpf fs if it is not mounted. We will perform this task # from a privileged container because the mount propagation bidirectional diff --git a/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml b/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml index 9e3db9f63..3b72516f4 100644 --- a/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml +++ b/cli/internal/helm/charts/cilium/templates/cilium-configmap.yaml @@ -48,6 +48,7 @@ {{- if .Values.azure.enabled }} {{- $azureUsePrimaryAddress = "false" -}} {{- end }} + {{- $defaultKubeProxyReplacement = "disabled" -}} {{- end -}} {{- $ipam := (coalesce .Values.ipam.mode $defaultIPAM) -}} @@ -498,13 +499,6 @@ data: {{- end }} {{- end }} -{{- if hasKey .Values "datapathMode" }} -{{- if eq .Values.datapathMode "ipvlan" }} - datapath-mode: ipvlan - ipvlan-master-device: {{ .Values.ipvlan.masterDevice }} -{{- end }} -{{- end }} - {{- if .Values.strictModeCIDR }} strict-mode-cidr: {{ .Values.strictModeCIDR | quote }} {{- end }} diff --git a/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml b/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml index a458a9f80..687c739e5 100644 --- a/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml +++ b/cli/internal/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml 
@@ -37,25 +37,19 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - volumes: - # To access iptables concurrently with other processes (e.g. kube-proxy) - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: xtables-lock containers: - name: node-init image: {{ include "cilium.image" .Values.nodeinit.image | quote }} imagePullPolicy: {{ .Values.nodeinit.image.pullPolicy }} - volumeMounts: - # To access iptables concurrently with other processes (e.g. kube-proxy) - - mountPath: /run/xtables.lock - name: xtables-lock lifecycle: {{- if .Values.eni.enabled }} postStart: exec: command: + - nsenter + - --target=1 + - --mount + - -- - "/bin/sh" - "-c" - | diff --git a/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml b/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml index e78d7f2d5..7ae4ce83d 100644 --- a/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml +++ b/cli/internal/helm/charts/cilium/templates/cilium-operator/deployment.yaml @@ -207,7 +207,7 @@ spec: # In managed etcd mode, Cilium must be able to resolve the DNS name of # the etcd service dnsPolicy: ClusterFirstWithHostNet - {{- else if .Values.dnsPolicy }} + {{- else if .Values.operator.dnsPolicy }} dnsPolicy: {{ .Values.operator.dnsPolicy }} {{- end }} restartPolicy: Always diff --git a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml index 1df9ce243..eca1ae777 100644 --- a/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/cli/internal/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml 
@@ -127,6 +127,12 @@ spec: configMapKeyRef: name: cilium-config key: identity-allocation-mode + - name: ENABLE_K8S_ENDPOINT_SLICE + valueFrom: + configMapKeyRef: + name: cilium-config + key: enable-k8s-endpoint-slice + optional: true {{- with .Values.clustermesh.apiserver.extraEnv }} {{- toYaml . | trim | nindent 8 }} {{- end }} diff --git a/cli/internal/helm/charts/cilium/values.yaml b/cli/internal/helm/charts/cilium/values.yaml index ec3898a58..7e9c47674 100644 --- a/cli/internal/helm/charts/cilium/values.yaml +++ b/cli/internal/helm/charts/cilium/values.yaml @@ -90,11 +90,11 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.12.0" + tag: "v1.12.1" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" - useDigest: true + digest: "" + useDigest: false # -- Affinity for cilium-agent. affinity: @@ -788,10 +788,10 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.12.0" + tag: "v1.12.1" # hubble-relay-digest - digest: "sha256:ca8033ea8a3112d838f958862fa76c8d895e3c8d0f5590de849b91745af5ac4d" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods @@ -972,7 +972,7 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-ui-backend" - tag: "v0.9.0@sha256:000df6b76719f607a9edefb9af94dfd1811a6f1b6a8a9c537cba90bf12df474b" + tag: "v0.9.1@sha256:c4b86e0d7a38d52c6ea3d9d7b17809e5212efd97494e8bd37c8466ddd68d42d0" pullPolicy: "IfNotPresent" # -- Additional hubble-ui backend environment variables. @@ -992,7 +992,7 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-ui" - tag: "v0.9.0@sha256:0ef04e9a29212925da6bdfd0ba5b581765e41a01f1cc30563cef9b30b457fea0" + tag: "v0.9.1@sha256:baff611b975cb12307a163c0e547e648da211384eabdafd327707ff2ec31cc24" pullPolicy: "IfNotPresent" # -- Additional hubble-ui frontend environment variables. 
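Review bot: The chart defaults now set `useDigest: false` with an empty `digest: ""` for the agent image, and the same pattern repeats for hubble-relay, operator, preflight and clustermesh-apiserver in the following hunks of values.yaml, so any deployment that relies on the vendored defaults pulls by the mutable tag `v1.12.1`. The Azure and GCP maps in values.go override this with `useDigest: true` and concrete digests, but a provider that does not (the QEMU values are not part of the patch) loses the digest pinning the previous chart shipped. If the empty digests come from cloning the git tag rather than the released chart, filling them from the upstream release, or asserting `useDigest: true` in every provider's values, would restore pin-by-digest across the board.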
@@ -1139,14 +1139,6 @@ ipv6: # -- Enable IPv6 support. enabled: false -ipvlan: - # -- Enable the IPVLAN datapath (deprecated) - enabled: false - - # -- masterDevice is the name of the device to use to attach secondary IPVLAN - # devices - # masterDevice: eth0 - # -- Configure Kubernetes specific configuration k8s: {} # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR @@ -1534,16 +1526,16 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.12.0" + tag: "v1.12.1" # operator-generic-digest - genericDigest: "sha256:bb2a42eda766e5d4a87ee8a5433f089db81b72dd04acf6b59fcbb445a95f9410" + genericDigest: "" # operator-azure-digest - azureDigest: "sha256:98ffa2c8ebff33d4e91762fb57d4c36f152bb044c4e2141e15362cf95ecc24ba" + azureDigest: "" # operator-aws-digest - awsDigest: "sha256:cb73df18b03b4fc914c80045d0ddb6c9256972449382e3c4b294fd9c371ace22" + awsDigest: "" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:93dddf88e92119a141a913b44ab9cb909f19b9a7bf01e30b98c1e8afeec51cd5" - useDigest: true + alibabacloudDigest: "" + useDigest: false pullPolicy: "IfNotPresent" suffix: "" @@ -1767,10 +1759,10 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.12.0" + tag: "v1.12.1" # cilium-digest - digest: "sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. @@ -1904,10 +1896,10 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.12.0" + tag: "v1.12.1" # clustermesh-apiserver-digest - digest: "sha256:3f5a6298bd70a2b555c88e291eec1583a6478c3e2272e3fc721aa03b3300d299" - useDigest: true + digest: "" + useDigest: false pullPolicy: "IfNotPresent" etcd: diff --git a/cli/internal/helm/charts/cilium/values.yaml.tmpl b/cli/internal/helm/charts/cilium/values.yaml.tmpl index bdb2217a1..48bcb48cf 100644 
--- a/cli/internal/helm/charts/cilium/values.yaml.tmpl +++ b/cli/internal/helm/charts/cilium/values.yaml.tmpl @@ -1134,14 +1134,6 @@ ipv6: # -- Enable IPv6 support. enabled: false -ipvlan: - # -- Enable the IPVLAN datapath (deprecated) - enabled: false - - # -- masterDevice is the name of the device to use to attach secondary IPVLAN - # devices - # masterDevice: eth0 - # -- Configure Kubernetes specific configuration k8s: {} # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR diff --git a/cli/internal/helm/generateCilium.sh b/cli/internal/helm/generateCilium.sh index 3407fa52e..ee1077c3f 100755 --- a/cli/internal/helm/generateCilium.sh +++ b/cli/internal/helm/generateCilium.sh @@ -3,7 +3,7 @@ CALLDIR=$(pwd) CILIUMTMPDIR=$(mktemp -d) cd $CILIUMTMPDIR -git clone --depth 1 -b v1.12 https://github.com/cilium/cilium.git +git clone --depth 1 -b 1.12.1 https://github.com/cilium/cilium.git cd cilium git apply $CALLDIR/cilium.patch cp -r install/kubernetes/cilium $CALLDIR/charts diff --git a/cli/internal/helm/values.go b/cli/internal/helm/values.go index 46ce780b9..2bb599a29 100644 --- a/cli/internal/helm/values.go +++ b/cli/internal/helm/values.go 
@@ -16,27 +16,28 @@ var azureVals = map[string]interface{}{
 			},
 		},
 	},
-	"strictModeCIDRs": []string{
-		"10.244.0.0/16",
-	},
+	"strictModeCIDR": "10.244.0.0/16",
 	"image": map[string]interface{}{
 		"repository": "ghcr.io/3u13r/cilium",
-		"suffix":     "v1.12.0-edg2",
-		"tag":        "latest",
-		"digest":     "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
-		"useDigest":  false,
+		"suffix":     "",
+		"tag":        "v1.12.1-edg",
+		"digest":     "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
+		"useDigest":  true,
 	},
 	"operator": map[string]interface{}{
 		"image": map[string]interface{}{
 			"repository":    "ghcr.io/3u13r/operator",
-			"tag":           "v1.12.0-edg2",
+			"tag":           "v1.12.1-edg",
 			"suffix":        "",
-			"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
+			"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
 			"useDigest":     true,
 		},
 	},
-	"egressMasqueradeInterfaces": "eth0",
-	"enableIPv4Masquerade":       true,
+	"egressMasqueradeInterfaces":          "eth0",
+	"enableIPv4Masquerade":                true,
+	"kubeProxyReplacement":                "strict",
+	"enableCiliumEndpointSlice":           true,
+	"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
 }
 
 var gcpVals = map[string]interface{}{
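Review bot: `"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256"` binds the replacement's healthz endpoint on every host interface, and the same value is added to gcpVals in the next hunk. It is presumably there so the cloud load balancer health checks can reach the node, so a comment stating that and the matching firewall expectation would document the intent, e.g. `// healthz on 10256 is for load balancer health checks; the cloud firewall should admit it only from the LB health-check ranges.` The `strictModeCIDRs` list is replaced with the scalar `strictModeCIDR` that the configmap template reads (`{{- if .Values.strictModeCIDR }}`); the GCP path sets the same key programmatically in deployCiliumGCP, so this hard-coded `10.244.0.0/16` is the only static one and deserves a comment that it must match the Azure pod CIDR. The azureVals map starts outside the hunk.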
@@ -51,16 +52,16 @@ var gcpVals = map[string]interface{}{
 	"image": map[string]interface{}{
 		"repository": "ghcr.io/3u13r/cilium",
 		"suffix":     "",
-		"tag":        "v1.12.0-edg2",
-		"digest":     "sha256:8dee8839bdf4cfdc28a61c4586f23f2dbfabe03f94dee787c4d749cfcc02c6bf",
+		"tag":        "v1.12.1-edg",
+		"digest":     "sha256:fdac430143fe719331698b76fbe66410631a21afd3405407d56db260d2d6999b",
 		"useDigest":  true,
 	},
 	"operator": map[string]interface{}{
 		"image": map[string]interface{}{
 			"repository":    "ghcr.io/3u13r/operator",
 			"suffix":        "",
-			"tag":           "v1.12.0-edg2",
-			"genericDigest": "sha256:adbdeb0199aa1d870940c3363bfa5b69a5c8b4f533fc9f67463f8d447077464a",
+			"tag":           "v1.12.1-edg",
+			"genericDigest": "sha256:a225d8d3976fd2a05cfa0c929cd32e60283abedf6bae51db4709df19b2fb70cb",
 			"useDigest":     true,
 		},
 	},
@@ -68,6 +69,9 @@ var gcpVals = map[string]interface{}{
 	"ipam": map[string]interface{}{
 		"mode": "kubernetes",
 	},
+	"kubeProxyReplacement":                "strict",
+	"enableCiliumEndpointSlice":           true,
+	"kubeProxyReplacementHealthzBindAddr": "0.0.0.0:10256",
 }
 
 var qemuVals = map[string]interface{}{