diff --git a/internal/constellation/helm/charts/cilium/Chart.yaml b/internal/constellation/helm/charts/cilium/Chart.yaml
index 3ba2d273f..9f079933b 100644
--- a/internal/constellation/helm/charts/cilium/Chart.yaml
+++ b/internal/constellation/helm/charts/cilium/Chart.yaml
@@ -2,10 +2,10 @@ apiVersion: v2
 name: cilium
 displayName: Cilium
 home: https://cilium.io/
-version: 1.15.0-pre.3-edg.3
-appVersion: 1.15.0-pre.3-edg.3
+version: 1.15.5-edg.1
+appVersion: 1.15.5-edg.1
 kubeVersion: ">= 1.16.0-0"
-icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg
+icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg
 description: eBPF-based Networking, Security, and Observability
 keywords:
 - BPF
diff --git a/internal/constellation/helm/charts/cilium/README.md b/internal/constellation/helm/charts/cilium/README.md
index 21f7633a0..6c41b865c 100644
--- a/internal/constellation/helm/charts/cilium/README.md
+++ b/internal/constellation/helm/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.15.0-pre.3](https://img.shields.io/badge/Version-1.15.0--pre.3-informational?style=flat-square) ![AppVersion: 1.15.0-pre.3](https://img.shields.io/badge/AppVersion-1.15.0--pre.3-informational?style=flat-square)
+![Version: 1.15.5](https://img.shields.io/badge/Version-1.15.5-informational?style=flat-square) ![AppVersion: 1.15.5](https://img.shields.io/badge/AppVersion-1.15.5-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as
@@ -73,15 +73,16 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | | authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | -| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.4","useDigest":true}` | SPIRE agent image | +| authentication.mutual.spire.install.agent.image | object | `{"digest":"sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-agent","tag":"1.8.5","useDigest":true}` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | | authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | | authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. 
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account | | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. | -| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | +| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true | +| authentication.mutual.spire.install.existingNamespace | bool | `false` | SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. 
| | authentication.mutual.spire.install.initImage | object | `{"digest":"sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b","override":null,"pullPolicy":"IfNotPresent","repository":"docker.io/library/busybox","tag":"1.36.1","useDigest":true}` | init container image of SPIRE agent and server | | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into | | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration | 
@@ -92,7 +93,7 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.install.server.dataStorage.enabled | bool | `true` | Enable SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.size | string | `"1Gi"` | Size of the SPIRE server data storage | | authentication.mutual.spire.install.server.dataStorage.storageClass | string | `nil` | StorageClass of the SPIRE server data storage | -| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.4","useDigest":true}` | SPIRE server image | +| authentication.mutual.spire.install.server.image | object | `{"digest":"sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428","override":null,"pullPolicy":"IfNotPresent","repository":"ghcr.io/spiffe/spire-server","tag":"1.8.5","useDigest":true}` | SPIRE server image | | authentication.mutual.spire.install.server.initContainers | list | `[]` | SPIRE server init containers | | authentication.mutual.spire.install.server.labels | object | `{}` | SPIRE server labels | | authentication.mutual.spire.install.server.nodeSelector | object | `{}` | SPIRE server nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -135,13 +136,14 @@ contributors across the globe, there is almost always someone available to help. | bpf.monitorInterval | string | `"5s"` | Configure the typical time between monitor notifications for active connections. | | bpf.natMax | int | `524288` | Configure the maximum number of entries for the NAT table. | | bpf.neighMax | int | `524288` | Configure the maximum number of entries for the neighbor table. | -| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). | +| bpf.nodeMapMax | int | `nil` | Configures the maximum number of entries for the node table. | +| bpf.policyMapMax | int | `16384` | Configure the maximum number of entries in endpoint policy map (per endpoint). @schema type: [null, integer] @schema | | bpf.preallocateMaps | bool | `false` | Enables pre-allocation of eBPF map values. This increases memory usage but can reduce latency. | | bpf.root | string | `"/sys/fs/bpf"` | Configure the mount point for the BPF filesystem | | bpf.tproxy | bool | `false` | Configure the eBPF-based TPROXY to reduce reliance on iptables rules for implementing Layer 7 policy. | | bpf.vlanBypass | list | `[]` | Configure explicitly allowed VLAN id's for bpf logic bypass. [0] will allow all VLAN id's without any filtering. | | bpfClockProbe | bool | `false` | Enable BPF clock source probing for more efficient tick retrieval. | -| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.9","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. 
If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | +| certgen | object | `{"affinity":{},"annotations":{"cronJob":{},"job":{}},"extraVolumeMounts":[],"extraVolumes":[],"image":{"digest":"sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/certgen","tag":"v0.1.12","useDigest":true},"podLabels":{},"tolerations":[],"ttlSecondsAfterFinished":1800}` | Configure certificate generation for Hubble integration. If hubble.tls.auto.method=cronJob, these values are used for the Kubernetes CronJob which will be scheduled regularly to (re)generate any certificates not provided manually. | | certgen.affinity | object | `{}` | Affinity for certgen | | certgen.annotations | object | `{"cronJob":{},"job":{}}` | Annotations to be added to the hubble-certgen initial Job and CronJob | | certgen.extraVolumeMounts | list | `[]` | Additional certgen volumeMounts. | 
@@ -169,7 +171,7 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.0-pre.3","useDigest":false}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.15.5","useDigest":false}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | 
@@ -320,7 +322,7 @@ contributors across the globe, there is almost always someone available to help. | eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. | | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API | -| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. | +| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. 
| | envoy.annotations | object | `{}` | Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy) | | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out | | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | @@ -333,7 +335,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -343,16 +345,18 @@ contributors across the globe, there is almost always someone available to help. | envoy.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for cilium-envoy. | | envoy.podAnnotations | object | `{}` | Annotations to be added to envoy pods | | envoy.podLabels | object | `{}` | Labels to be added to envoy pods | -| envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. | +| envoy.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-envoy pods. | +| envoy.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers | | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. | +| envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. | | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy | | envoy.prometheus.port | string | `"9964"` | Serve prometheus metrics for cilium-envoy on the configured port | | envoy.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-envoy | -| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) | +| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. 
This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy _and_ cilium-agent with Envoy enabled. | | envoy.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. | | envoy.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-envoy | -| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy | -| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy | +| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. | +| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. | | envoy.readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe | | envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe | | envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | 
@@ -365,6 +369,8 @@ contributors across the globe, there is almost always someone available to help. | envoy.terminationGracePeriodSeconds | int | `1` | Configure termination grace period for cilium-envoy DaemonSet. | | envoy.tolerations | list | `[{"operator":"Exists"}]` | Node tolerations for envoy scheduling to nodes with taints ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | envoy.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}` | cilium-envoy update strategy ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset | +| envoy.xffNumTrustedHopsL7PolicyEgress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. | +| envoy.xffNumTrustedHopsL7PolicyIngress | int | `0` | Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. | | envoyConfig.enabled | bool | `false` | Enable CiliumEnvoyConfig CRD CiliumEnvoyConfig CRD can also be implicitly enabled by other options. | | envoyConfig.secretsNamespace | object | `{"create":true,"name":"cilium-secrets"}` | SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from. | | envoyConfig.secretsNamespace.create | bool | `true` | Create secrets namespace for CiliumEnvoyConfig CRDs. | 
@@ -453,9 +459,11 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | +| hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. | +| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.0-pre.3","useDigest":false}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.15.5","useDigest":false}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -513,7 +521,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. | | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. | | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. | -| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. | +| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. | | hubble.ui.backend.livenessProbe.enabled | bool | `false` | Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.readinessProbe.enabled | bool | `false` | Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+) | | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. | 
@@ -523,7 +531,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. | | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. | | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. | -| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. | +| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. | | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. | | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. | | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 | 
@@ -550,7 +558,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}` | Agent container image. | +| image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":false}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -574,6 +582,7 @@ contributors across the globe, there is almost always someone available to help. | ingressController.service.name | string | `"cilium-ingress"` | Service name | | ingressController.service.secureNodePort | string | `nil` | Configure a specific nodePort for secure HTTPS traffic on the shared LB service | | ingressController.service.type | string | `"LoadBalancer"` | Service type for the shared LB service | +| initResources | object | `{}` | resources & limits for the agent init containers | | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. | | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent | | ipam.ciliumNodeUpdateRate | string | `"15s"` | Maximum rate at which the CiliumNode custom resource is updated. | 
@@ -638,10 +647,12 @@ contributors across the globe, there is almost always someone available to help. | nodeinit.extraEnv | list | `[]` | Additional nodeinit environment variables. | | nodeinit.extraVolumeMounts | list | `[]` | Additional nodeinit volumeMounts. | | nodeinit.extraVolumes | list | `[]` | Additional nodeinit volumes. | -| nodeinit.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"62093c5c233ea914bfa26a10ba41f8780d9b737f"}` | node-init image. | +| nodeinit.image | object | `{"digest":"sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/startup-script","tag":"19fb149fb3d5c7a37d3edfaf10a2be3ab7386661","useDigest":true}` | node-init image. | | nodeinit.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for nodeinit pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | nodeinit.podAnnotations | object | `{}` | Annotations to be added to node-init pods. | | nodeinit.podLabels | object | `{}` | Labels to be added to node-init pods. | +| nodeinit.podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-node-init pods. | +| nodeinit.podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-node-init` and init containers | | nodeinit.prestop | object | `{"postScript":"","preScript":""}` | prestop offers way to customize prestop nodeinit script (pre and post position) | | nodeinit.priorityClassName | string | `""` | The priority class to use for the nodeinit pod. | | nodeinit.resources | object | `{"requests":{"cpu":"100m","memory":"100Mi"}}` | nodeinit resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | 
@@ -662,7 +673,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.0-pre.3","useDigest":false}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"","awsDigest":"","azureDigest":"","genericDigest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.15.5","useDigest":false}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -700,7 +711,8 @@ contributors across the globe, there is almost always someone available to help. | pmtuDiscovery.enabled | bool | `false` | Enable path MTU discovery to send ICMP fragmentation-needed replies to the client. | | podAnnotations | object | `{}` | Annotations to be added to agent pods | | podLabels | object | `{}` | Labels to be added to agent pods | -| podSecurityContext | object | `{}` | Security Context for cilium-agent pods. | +| podSecurityContext | object | `{"appArmorProfile":{"type":"Unconfined"}}` | Security Context for cilium-agent pods. | +| podSecurityContext.appArmorProfile | object | `{"type":"Unconfined"}` | AppArmorProfile options for the `cilium-agent` and init containers | | policyCIDRMatchMode | string | `nil` | policyCIDRMatchMode is a list of entities that may be selected by CIDR selector. The possible value is "nodes". | | policyEnforcementMode | string | `"default"` | The agent can be put into one of the three policy enforcement modes: default, always and never. ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes | | pprof.address | string | `"localhost"` | Configure pprof listen address for cilium-agent | 
@@ -712,7 +724,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.0-pre.3","useDigest":false}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.15.5","useDigest":false}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | 
@@ -747,7 +759,7 @@ contributors across the globe, there is almost always someone available to help. | rbac.create | bool | `true` | Enable creation of Resource-Based Access Control configuration. | | readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe | | readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe | -| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity | +| remoteNodeIdentity | bool | `true` | Enable use of the remote node identity. ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity Deprecated without replacement in 1.15. To be removed in 1.16. | | resourceQuotas | object | `{"cilium":{"hard":{"pods":"10k"}},"enabled":false,"operator":{"hard":{"pods":"15"}}}` | Enable resource quotas for priority classes used in the cluster. | | resources | object | `{}` | Agent resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | rollOutCiliumPods | bool | `false` | Roll out cilium agent pods automatically when configmap is updated. | diff --git a/internal/constellation/helm/charts/cilium/files/agent/poststart-eni.bash b/internal/constellation/helm/charts/cilium/files/agent/poststart-eni.bash index 66fccf457..a57d89682 100644 --- a/internal/constellation/helm/charts/cilium/files/agent/poststart-eni.bash +++ b/internal/constellation/helm/charts/cilium/files/agent/poststart-eni.bash 
@@ -11,9 +11,9 @@ set -o nounset
 # dependencies on anything that is part of the startup script
 # itself, and can be safely run multiple times per node (e.g. in
 # case of a restart).
-if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
 then
 echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
- iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+ iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
 fi
 echo 'Done!'
diff --git a/internal/constellation/helm/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json b/internal/constellation/helm/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json
index 992c8524a..94af2eac3 100644
--- a/internal/constellation/helm/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json
+++ b/internal/constellation/helm/charts/cilium/files/cilium-agent/dashboards/cilium-dashboard.json
@@ -5823,7 +5823,7 @@
 "refId": "C"
 },
 {
- "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\"}, outcome=\"fail\") by (pod)",
+ "expr": "sum(cilium_policy_change_total{k8s_app=\"cilium\", pod=~\"$pod\", outcome=\"fail\"}) by (pod)",
 "format": "time_series",
 "intervalFactor": 1,
 "legendFormat": "policy change errors",
diff --git a/internal/constellation/helm/charts/cilium/files/nodeinit/startup.bash b/internal/constellation/helm/charts/cilium/files/nodeinit/startup.bash
index 975b71fa7..aaaba0925 100644
--- a/internal/constellation/helm/charts/cilium/files/nodeinit/startup.bash
+++ b/internal/constellation/helm/charts/cilium/files/nodeinit/startup.bash
@@ -100,7 +100,7 @@ then # Since that version containerd no longer allows missing configuration for the CNI, # not even for pods with hostNetwork set to true. Thus, we add a temporary one. # This will be replaced with the real config by the agent pod. - echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf + echo -e '{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}' > /etc/cni/net.d/05-cilium.conf fi # Start containerd. It won't create it's CNI configuration file anymore. diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml index d63395f8a..ffd5935ba 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -53,6 +53,7 @@ spec: cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }} {{- end }} {{- if not .Values.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. @@ -63,6 +64,7 @@ spec: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" {{- end }} {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} 
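Review bot: The new gate `{{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}` in the cilium-agent daemonset rebuilds a bare Major.Minor.0 string, presumably so that patch and pre-release suffixes of the reported server version cannot skew the 1.30 cut-over, but nothing in the template says so; a one-line template comment such as `{{- /* compare on Major.Minor only so distro pre-release suffixes do not affect the 1.30 AppArmor switch */ -}}` would record the intent. The identical expression recurs in the podSecurityContext gate of this file and again in the cilium-envoy and cilium-nodeinit daemonsets later in this diff, so a named helper (constructed name, e.g. `{{- define "cilium.kubeVersionBefore130" -}}`) would keep the copies from drifting. The enclosing annotations block begins before this hunk.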
@@ -81,6 +83,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.podSecurityContext "appArmorProfile" }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -201,6 +208,7 @@ spec: valueFrom: resourceFieldRef: resource: limits.memory + divisor: '1' {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST value: {{ .Values.k8sServiceHost | quote }} @@ -405,6 +413,9 @@ spec: volumeMounts: - name: cilium-run mountPath: /var/run/cilium + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.monitor.resources }} resources: {{- toYaml . | trim | nindent 10 }} @@ -429,6 +440,9 @@ spec: {{- if (not (kindIs "invalid" .Values.daemon.blockedConfigOverrides)) }} - "--deny-config-keys={{.Values.daemon.blockedConfigOverrides}}" {{- end }} + {{- if .Values.kubeConfigPath }} + - "--k8s-kubeconfig-path={{ .Values.kubeConfigPath }}" + {{- end }} env: - name: K8S_NODE_NAME valueFrom: @@ -454,6 +468,14 @@ spec: volumeMounts: - name: tmp mountPath: /tmp + {{- if .Values.kubeConfigPath }} + - name: kube-config + mountPath: {{ .Values.kubeConfigPath }} + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- if .Values.cgroup.autoMount.enabled }} # Required to mount cgroup2 filesystem on the underlying Kubernetes node. 
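Review bot: `{{- $_ := unset .Values.podSecurityContext "appArmorProfile" }}` mutates the shared `.Values` map rather than a local copy, so any template rendered after this one that reads `.Values.podSecurityContext` sees the key removed; rendering order is not visible here so it may be benign, but `{{- $psc := omit .Values.podSecurityContext "appArmorProfile" }}` feeding the following `with` keeps the change local, and the same pattern appears in the cilium-envoy and cilium-nodeinit daemonsets further down. In the new kube-config mount, `mountPath: {{ .Values.kubeConfigPath }}` is emitted as bare YAML while the args line wraps the same value in double quotes; `mountPath: {{ .Values.kubeConfigPath | quote }}` avoids a malformed manifest if the path contains YAML-significant characters. The `readOnly: true` on that mount is the right default for a credential file. The `kube-config` volume itself is defined outside this hunk and must be present whenever `kubeConfigPath` is set.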
@@ -507,6 +529,10 @@ spec: - name: apply-sysctl-overwrites image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} env: - name: BIN_PATH value: {{ .Values.cni.binPath }} @@ -552,6 +578,10 @@ spec: - name: mount-bpf-fs image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' command: @@ -573,6 +603,10 @@ spec: - name: wait-for-node-init image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} command: - sh - -c @@ -650,14 +684,21 @@ spec: mountPropagation: HostToContainer - name: cilium-run mountPath: /var/run/cilium - {{- with .Values.nodeinit.resources }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initResources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }} - {{- if and .Values.waitForKubeProxy (and (ne $kubeProxyReplacement "strict") (ne $kubeProxyReplacement "true")) }} + {{- if and .Values.waitForKubeProxy (and (ne (toString $kubeProxyReplacement) "strict") (ne (toString $kubeProxyReplacement) "true")) }} - name: wait-for-kube-proxy image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} securityContext: privileged: true command: 
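Review bot: The block `{{- with .Values.initResources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }}` is pasted verbatim into five init containers in this hunk (apply-sysctl-overwrites, mount-bpf-fs, wait-for-node-init, the container ending at the cilium-run mount, and wait-for-kube-proxy); a small named template invoked at each site would keep the indentation and field name consistent as further init containers are added. The last of these replaces `{{- with .Values.nodeinit.resources }}`, and `nodeinit.resources` still exists in values.yaml later in this diff, so a user who set it for that container will silently lose the limits; if the two keys were meant for the same container, `{{- with (.Values.initResources | default .Values.nodeinit.resources) }}` would preserve compatibility, otherwise a deprecation note in values.yaml is warranted. The `toString $kubeProxyReplacement` fix is sound; `$kubeProxyReplacement` is assigned before this hunk.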
diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml index d7c5e5e3c..c2ffa66c2 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-agent/servicemonitor.yaml @@ -39,6 +39,20 @@ spec: metricRelabelings: {{- toYaml . | nindent 4 }} {{- end }} + {{- if .Values.envoy.prometheus.serviceMonitor.enabled }} + - port: envoy-metrics + interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }} + honorLabels: true + path: /metrics + {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} targetLabels: - k8s-app {{- if .Values.prometheus.serviceMonitor.jobLabel }} diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-configmap.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-configmap.yaml index b67e50392..273673053 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-configmap.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-configmap.yaml @@ -14,6 +14,7 @@ {{- $azureUsePrimaryAddress := "true" -}} {{- $defaultK8sClientQPS := 5 -}} {{- $defaultK8sClientBurst := 10 -}} +{{- $defaultDNSProxyEnableTransparentMode := "false" -}} {{- /* Default values when 1.8 was initially deployed */ -}} {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}} @@ -48,6 +49,7 @@ {{- $azureUsePrimaryAddress = "false" -}} {{- end }} {{- $defaultKubeProxyReplacement = "disabled" -}} + {{- $defaultDNSProxyEnableTransparentMode = "true" -}} {{- end -}} {{- /* Default values when 1.14 was initially deployed */ -}} 
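Review bot: The new `envoy-metrics` endpoint in the cilium-agent ServiceMonitor is added whenever `envoy.prometheus.serviceMonitor.enabled` is true, regardless of whether the agent actually exposes that port; that presumably holds only when Envoy runs inside the agent, which the values comment later in this diff ties to `envoy.enabled`, so `{{- if and .Values.envoy.prometheus.serviceMonitor.enabled (not .Values.envoy.enabled) }}` may be the intended gate — worth confirming against the agent Service, which is not in this diff. `honorLabels: true` lets series from the scraped target override Prometheus' own target labels, which is a trust decision; a comment stating that it intentionally matches the agent's existing metrics endpoint would help, if that endpoint (above this hunk) sets the same. The configmap hunk that follows only introduces `$defaultDNSProxyEnableTransparentMode`.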
@@ -364,6 +366,11 @@ data: enable-host-legacy-routing: "true" {{- end }} +{{- if .Values.bpf.nodeMapMax }} + # node-map-max specifies the maximum number of entries for the node map. + bpf-node-map-max: {{ .Values.bpf.nodeMapMax | quote }} +{{- end }} + {{- if .Values.bpf.authMapMax }} # bpf-auth-map-max specifies the maximum number of entries in the auth map bpf-auth-map-max: {{ .Values.bpf.authMapMax | quote }} @@ -448,9 +455,15 @@ data: # - vxlan (default) # - geneve {{- if .Values.gke.enabled }} + {{- if ne (.Values.routingMode | default "native") "native" }} + {{- fail (printf "RoutingMode must be set to native when gke.enabled=true" )}} + {{- end }} routing-mode: "native" enable-endpoint-routes: "true" {{- else if .Values.aksbyocni.enabled }} + {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }} + {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}} + {{- end }} routing-mode: "tunnel" tunnel-protocol: "vxlan" {{- else if .Values.routingMode }} @@ -1153,6 +1166,13 @@ data: {{- end }} {{- if .Values.dnsProxy }} + {{- if hasKey .Values.dnsProxy "enableTransparentMode" }} + # explicit setting gets precedence + dnsproxy-enable-transparent-mode: {{ .Values.dnsProxy.enableTransparentMode | quote }} + {{- else if eq $cniChainingMode "none" }} + # default DNS proxy to transparent mode in non-chaining modes + dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }} + {{- end }} {{- if .Values.dnsProxy.dnsRejectResponseCode }} tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }} {{- end }} 
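Review bot: `{{- fail (printf "RoutingMode must be set to native when gke.enabled=true" )}}` wraps a literal with no format verbs in `printf`; `{{- fail "RoutingMode must be set to native when gke.enabled=true" }}` is equivalent, and the same applies to the aksbyocni branch. Failing the render on an inconsistent routing mode is the right call, since a silently overridden mode would otherwise only show up as datapath breakage after deploy. In the transparent-mode block, the `else if eq $cniChainingMode "none"` branch means a chaining mode other than `"none"` with no explicit `dnsProxy.enableTransparentMode` omits the key entirely and leaves the agent's built-in default in force; a comment such as `# other chaining modes: key omitted, agent default applies` would spare readers a trip to the agent source. `$cniChainingMode` is assigned before this hunk.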
@@ -1206,9 +1226,12 @@ data: mesh-auth-spiffe-trust-domain: {{ .Values.authentication.mutual.spire.trustDomain | quote }} {{- end }} + proxy-xff-num-trusted-hops-ingress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyIngress | quote }} + proxy-xff-num-trusted-hops-egress: {{ .Values.envoy.xffNumTrustedHopsL7PolicyEgress | quote }} proxy-connect-timeout: {{ .Values.envoy.connectTimeoutSeconds | quote }} proxy-max-requests-per-connection: {{ .Values.envoy.maxRequestsPerConnection | quote }} proxy-max-connection-duration-seconds: {{ .Values.envoy.maxConnectionDurationSeconds | quote }} + proxy-idle-timeout-seconds: {{ .Values.envoy.idleTimeoutDurationSeconds | quote }} external-envoy-proxy: {{ .Values.envoy.enabled | quote }} diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml index baec799ec..30b9af0f8 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/daemonset.yaml @@ -35,11 +35,13 @@ spec: cilium.io/cilium-envoy-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-envoy/configmap.yaml") . | sha256sum | quote }} {{- end }} {{- if not .Values.envoy.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. container.apparmor.security.beta.kubernetes.io/cilium-envoy: "unconfined" {{- end }} + {{- end }} {{- with .Values.envoy.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} 
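Review bot: `proxy-xff-num-trusted-hops-ingress` and `-egress` are rendered without any note that a value above 0 makes Envoy trust that many `x-forwarded-for` entries supplied by upstream hops when the L7 policy listeners evaluate the client address; the values.yaml entries later in this diff document the knob, but the configmap is where operators look at runtime, so a comment like `# hops whose x-forwarded-for entries Envoy trusts for L7 policy; 0 trusts none` above the pair is worth adding. The values default of 0 keeps the prior behaviour. Nothing validates that the value is a non-negative integer at render time; if the agent does not reject bad input either, a `fail` guard in the style of the routingMode checks earlier in this file would surface misconfiguration before rollout.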
@@ -56,6 +58,11 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.envoy.podSecurityContext "appArmorProfile" }} + {{- end }} {{- with .Values.envoy.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -86,7 +93,7 @@ spec: {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }} startupProbe: httpGet: - host: "localhost" + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} path: /healthz port: {{ .Values.envoy.healthPort }} scheme: HTTP @@ -97,7 +104,7 @@ spec: {{- end }} livenessProbe: httpGet: - host: "localhost" + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} path: /healthz port: {{ .Values.envoy.healthPort }} scheme: HTTP @@ -115,7 +122,7 @@ spec: timeoutSeconds: 5 readinessProbe: httpGet: - host: "localhost" + host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }} path: /healthz port: {{ .Values.envoy.healthPort }} scheme: HTTP diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/servicemonitor.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/servicemonitor.yaml index 3d6b745e3..10f84d82b 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-envoy/servicemonitor.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-envoy/servicemonitor.yaml 
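Review bot: `host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}` is repeated in the startup, liveness and readiness probes; computing it once at container scope, `{{- $probeHost := .Values.ipv4.enabled | ternary "127.0.0.1" "::1" }}`, and writing `host: {{ $probeHost | quote }}` in the three probes keeps them in lock-step. Replacing `localhost` with a literal loopback address removes the dependency on name resolution inside the pod, which is a sound change, but an unset `ipv4.enabled` falls through to `::1`, so the values default (not in this diff) must guarantee the key is populated. The `unset` of `appArmorProfile` earlier in the hunk has the same shared-`.Values` side effect as the one in the cilium-agent daemonset.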
@@ -7,15 +7,16 @@ metadata: namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }} labels: app.kubernetes.io/part-of: cilium + app.kubernetes.io/name: cilium-envoy {{- with .Values.envoy.prometheus.serviceMonitor.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- if or .Values.envoy.prometheus.serviceMonitor .Values.envoy.annotations }} + {{- if or .Values.envoy.prometheus.serviceMonitor.annotations .Values.envoy.annotations }} annotations: {{- with .Values.envoy.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - {{- with .Values.envoy.prometheus.serviceMonitor }} + {{- with .Values.envoy.prometheus.serviceMonitor.annotations }} {{- toYaml . | nindent 4 }} {{- end }} {{- end }} diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml index 76f1a20d2..3ed09268a 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-nodeinit/daemonset.yaml @@ -28,11 +28,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- if not .Values.securityContext.privileged }} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} # Set app AppArmor's profile to "unconfined". The value of this annotation # can be modified as long users know which profiles they have available # in AppArmor. container.apparmor.security.beta.kubernetes.io/node-init: "unconfined" {{- end }} + {{- end }} labels: app: cilium-node-init app.kubernetes.io/part-of: cilium 
@@ -45,6 +47,15 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + {{- /* K8s version lower than 1.30.0 don't support the "appArmorProfile" field, */}} + {{- /* thus we have to remove it. */}} + {{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }} + {{- $_ := unset .Values.nodeinit.podSecurityContext "appArmorProfile" }} + {{- end }} + {{- with .Values.nodeinit.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: node-init image: {{ include "cilium.image" .Values.nodeinit.image | quote }} diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml index bc13be432..bafd27007 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-preflight/daemonset.yaml @@ -70,8 +70,13 @@ spec: - /tmp/ready initialDelaySeconds: 5 periodSeconds: 5 - {{- with .Values.preflight.extraEnv }} env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- with .Values.preflight.extraEnv }} {{- toYaml . | trim | nindent 12 }} {{- end }} volumeMounts: diff --git a/internal/constellation/helm/charts/cilium/templates/cilium-preflight/deployment.yaml b/internal/constellation/helm/charts/cilium/templates/cilium-preflight/deployment.yaml index efd923b2d..af0a31baa 100644 --- a/internal/constellation/helm/charts/cilium/templates/cilium-preflight/deployment.yaml +++ b/internal/constellation/helm/charts/cilium/templates/cilium-preflight/deployment.yaml 
@@ -60,6 +60,10 @@ spec: - /tmp/ready-validate-cnp initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.preflight.extraVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} env: {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST @@ -77,11 +81,16 @@ spec: {{- toYaml . | trim | nindent 12 }} {{- end }} terminationMessagePolicy: FallbackToLogsOnError + {{- with .Values.preflight.extraVolumes }} + volumes: + {{- toYaml . | trim | nindent 6 }} + {{- end }} hostNetwork: true restartPolicy: Always priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }} serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }} + automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }} terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }} {{- with .Values.preflight.affinity }} affinity: diff --git a/internal/constellation/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/internal/constellation/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml index a1d7a6df5..6c5e6c3ec 100644 --- a/internal/constellation/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/internal/constellation/helm/charts/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -59,7 +59,7 @@ spec: {{- end }} # These need to match the equivalent arguments to etcd in the main container. - --etcd-cluster-name=clustermesh-apiserver - - --etcd-initial-cluster-token=clustermesh-apiserver + - --etcd-initial-cluster-token=$(INITIAL_CLUSTER_TOKEN) - --etcd-data-dir=/var/run/etcd {{- with .Values.clustermesh.apiserver.etcd.init.extraArgs }} {{- toYaml . | trim | nindent 8 }} 
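Review bot: `automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }}` renders an empty value when `serviceAccounts.preflight.automount` is absent from values (the serviceAccounts section is not in this diff), and Kubernetes treats an empty field as unset, i.e. the token is mounted — so the hardening disappears silently on a sparse values file; declaring the key with an explicit default in values.yaml, or rendering it through an explicit `ternary`, makes the intent hold. The new `{{- with .Values.preflight.extraVolumes }} volumes:` block emits a `volumes:` key only when the list is set; if the deployment already declares `volumes:` elsewhere (not visible here), the two would collide into a duplicate key. The clustermesh hunk that follows only switches the etcd cluster token to an env var.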
@@ -76,12 +76,23 @@ spec: configMapKeyRef: name: cilium-config key: cluster-name + - name: INITIAL_CLUSTER_TOKEN + valueFrom: + fieldRef: + fieldPath: metadata.uid {{- with .Values.clustermesh.apiserver.etcd.init.extraEnv }} {{- toYaml . | trim | nindent 8 }} {{- end }} + {{- with .Values.clustermesh.apiserver.etcd.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} volumeMounts: - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.init.resources }} resources: @@ -105,7 +116,7 @@ spec: # uses net.SplitHostPort() internally and it accepts the that format. - --listen-client-urls=https://127.0.0.1:2379,https://[$(HOSTNAME_IP)]:2379 - --advertise-client-urls=https://[$(HOSTNAME_IP)]:2379 - - --initial-cluster-token=clustermesh-apiserver + - --initial-cluster-token=$(INITIAL_CLUSTER_TOKEN) - --auto-compaction-retention=1 {{- if .Values.clustermesh.apiserver.metrics.etcd.enabled }} - --listen-metrics-urls=http://[$(HOSTNAME_IP)]:{{ .Values.clustermesh.apiserver.metrics.etcd.port }} @@ -118,6 +129,10 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + - name: INITIAL_CLUSTER_TOKEN + valueFrom: + fieldRef: + fieldPath: metadata.uid ports: - name: etcd containerPort: 2379 @@ -133,6 +148,9 @@ spec: readOnly: true - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.resources }} resources: diff --git a/internal/constellation/helm/charts/cilium/templates/hubble-relay/deployment.yaml b/internal/constellation/helm/charts/cilium/templates/hubble-relay/deployment.yaml index 14d6c62c6..52b9eba5c 100644 
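Review bot: `INITIAL_CLUSTER_TOKEN` is sourced from `metadata.uid` in both the init and the etcd container, replacing the fixed string `clustermesh-apiserver`; a comment above the env var such as `# Pod UID: unique per pod instance; an etcd cluster identifier, not an authentication secret` would keep a later reader from treating it as a credential — the client URLs in the same hunk are https, so transport security does not hinge on this value. The new `securityContext` under the etcd init container and the two `extraVolumeMounts` insertions are straightforward. The etcd container definition starts before this hunk.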
--- a/internal/constellation/helm/charts/cilium/templates/hubble-relay/deployment.yaml +++ b/internal/constellation/helm/charts/cilium/templates/hubble-relay/deployment.yaml @@ -108,6 +108,9 @@ spec: mountPath: /var/lib/hubble-relay/tls readOnly: true {{- end }} + {{- with .Values.hubble.relay.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError restartPolicy: Always priorityClassName: {{ .Values.hubble.relay.priorityClassName }} @@ -178,6 +181,9 @@ spec: path: server.key {{- end }} {{- end }} + {{- with .Values.hubble.relay.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} {{- define "hubble-relay.probe" }} diff --git a/internal/constellation/helm/charts/cilium/templates/spire/agent/daemonset.yaml b/internal/constellation/helm/charts/cilium/templates/spire/agent/daemonset.yaml index f515a9ac9..6c0bffe78 100644 --- a/internal/constellation/helm/charts/cilium/templates/spire/agent/daemonset.yaml +++ b/internal/constellation/helm/charts/cilium/templates/spire/agent/daemonset.yaml @@ -99,10 +99,12 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.authentication.mutual.spire.install.agent.tolerations }} tolerations: - {{- toYaml . | trim | nindent 8 }} - {{- end }} + {{- with .Values.authentication.mutual.spire.install.agent.tolerations }} + {{- toYaml . | trim | nindent 8 }} + {{- end }} + - key: {{ .Values.agentNotReadyTaintKey | default "node.cilium.io/agent-not-ready" }} + effect: NoSchedule volumes: - name: spire-config configMap: diff --git a/internal/constellation/helm/charts/cilium/templates/spire/namespace.yaml b/internal/constellation/helm/charts/cilium/templates/spire/namespace.yaml index 1c281f4f7..ccd386808 100644 --- a/internal/constellation/helm/charts/cilium/templates/spire/namespace.yaml +++ b/internal/constellation/helm/charts/cilium/templates/spire/namespace.yaml 
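Review bot: The appended SPIRE agent toleration `- key: {{ .Values.agentNotReadyTaintKey | default "node.cilium.io/agent-not-ready" }}` with `effect: NoSchedule` carries no `operator`, so it defaults to `Equal` with an empty value and matches only a taint applied without a value; that is presumably how the agent-not-ready taint is applied, but `operator: Exists` is the more robust form since the key alone identifies the taint. A short comment above the entry explaining why the SPIRE agent must schedule before Cilium is ready (the values.yaml tolerations comment later in this diff gives the reason) would help, because this toleration is added unconditionally and cannot be removed through values. The hubble-relay hunks before it are plain extraVolumes/extraVolumeMounts additions.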
@@ -1,4 +1,4 @@ -{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled -}} +{{- if and .Values.authentication.mutual.spire.enabled .Values.authentication.mutual.spire.install.enabled (not .Values.authentication.mutual.spire.install.existingNamespace) -}} apiVersion: v1 kind: Namespace metadata: diff --git a/internal/constellation/helm/charts/cilium/values.yaml b/internal/constellation/helm/charts/cilium/values.yaml index 712d981a7..9b42fc187 100644 --- a/internal/constellation/helm/charts/cilium/values.yaml +++ b/internal/constellation/helm/charts/cilium/values.yaml @@ -146,7 +146,7 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.0-pre.3" + tag: "v1.15.5" pullPolicy: "IfNotPresent" # cilium-digest digest: "" @@ -218,8 +218,10 @@ extraConfig: {} annotations: {} # -- Security Context for cilium-agent pods. -podSecurityContext: {} - +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -236,6 +238,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -465,7 +470,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. 
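Review bot: Defaulting `podSecurityContext.appArmorProfile.type` to `"Unconfined"` applies at pod level, so on Kubernetes 1.30 and later every container in the cilium-agent pod runs without AppArmor confinement, whereas the annotation it replaces (see the daemonset hunk earlier in this diff) was set per container; the comment `# -- AppArmorProfile options for the cilium-agent and init containers` should state that the setting is pod-wide and that `Unconfined` disables AppArmor for the whole pod, so operators know what they give up by keeping the default. `nodeMapMax` is documented with `@default -- 16384` while the value is `~`, which follows the neighbouring `neighMax` style. The `existingNamespace` gate in the spire namespace template only skips creating the Namespace; the other SPIRE templates still deploy into `install.namespace`, which the values comment added later in this diff implies.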
@@ -966,8 +981,8 @@ certgen: image: override: ~ repository: "quay.io/cilium/certgen" - tag: "v0.1.9" - digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" + tag: "v0.1.12" + digest: "sha256:bbc5e65e9dc65bc6b58967fe536b7f3b54e12332908aeb0a96a36866b4372b4e" useDigest: true pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted @@ -1225,7 +1240,7 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.15.0-pre.3" + tag: "v1.15.5" # hubble-relay-digest digest: "" useDigest: false @@ -1296,6 +1311,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 @@ -1456,8 +1477,8 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-ui-backend" - tag: "v0.12.1" - digest: "sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe" + tag: "v0.13.0" + digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803" useDigest: true pullPolicy: "IfNotPresent" @@ -1495,8 +1516,8 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-ui" - tag: "v0.12.1" - digest: "sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267" + tag: "v0.13.0" + digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666" useDigest: true pullPolicy: "IfNotPresent" 
@@ -2054,14 +2075,18 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.27.2-f19708f3d0188fe39b7e024b4525b75a9eeee61f" + tag: "v1.28.3-31ec52ec5f2e4d28a8e19a0bfb872fa48cf7a515" pullPolicy: "IfNotPresent" - digest: "sha256:80de27c1d16ab92923cc0cd1fff90f2e7047a9abf3906fda712268d9cbc5b950" + digest: "sha256:bc8dcc3bc008e3a5aab98edb73a0985e6ef9469bda49d5bb3004c001c995c380" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. @@ -2107,8 +2132,10 @@ envoy: annotations: {} # -- Security Context for cilium-envoy pods. - podSecurityContext: {} - + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2177,7 +2204,20 @@ envoy: labelSelector: matchLabels: k8s-app: cilium-envoy - + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - "true" # -- Node selector for cilium-envoy. nodeSelector: kubernetes.io/os: linux 
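Review bot: The comment under the envoy `podSecurityContext` reads `# -- AppArmorProfile options for the \`cilium-agent\` and init containers`, but this block configures the cilium-envoy pod; it looks copied from the agent section and should read `# -- AppArmorProfile options for the \`cilium-envoy\` pod`. The new default affinity rules require a `k8s-app: cilium` pod on the same node and exclude nodes labelled `cilium.io/no-schedule=true`; if these sit under a single `affinity` values key (its header is outside the hunk), a user who overrides it to add a rule silently drops both requirements, which deserves a line in the comment. The rest of this hunk is image tag and digest bumps.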
@@ -2198,12 +2238,16 @@ envoy: # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: ~ + # -- Configure Cilium Envoy Prometheus options. + # Note that some of these apply to either cilium-agent or cilium-envoy. prometheus: # -- Enable prometheus metrics for cilium-envoy enabled: true serviceMonitor: # -- Enable service monitors. # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # Note that this setting applies to both cilium-envoy _and_ cilium-agent + # with Envoy enabled. enabled: false # -- Labels to add to ServiceMonitor cilium-envoy labels: {} @@ -2215,18 +2259,21 @@ envoy: # service monitors configured. # namespace: "" # -- Relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. relabelings: - sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: node replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. metricRelabelings: ~ # -- Serve prometheus metrics for cilium-envoy on the configured port port: "9964" # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2460,7 +2507,7 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.15.0-pre.3" + tag: "v1.15.5" # operator-generic-digest genericDigest: "" # operator-azure-digest 
@@ -2663,7 +2710,9 @@ nodeinit: image: override: ~ repository: "quay.io/cilium/startup-script" - tag: "62093c5c233ea914bfa26a10ba41f8780d9b737f" + tag: "19fb149fb3d5c7a37d3edfaf10a2be3ab7386661" + digest: "sha256:820155cb3b7f00c8d61c1cffa68c44440906cb046bdbad8ff544f5deb1103456" + useDigest: true pullPolicy: "IfNotPresent" # -- The priority class to use for the nodeinit pod. @@ -2707,7 +2756,11 @@ nodeinit: # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: @@ -2755,7 +2808,7 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.15.0-pre.3" + tag: "v1.15.5" # cilium-digest digest: "" useDigest: false @@ -2917,7 +2970,7 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.15.0-pre.3" + tag: "v1.15.5" # clustermesh-apiserver-digest digest: "" useDigest: false @@ -3310,6 +3363,8 @@ dnsProxy: proxyPort: 0 # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. proxyResponseMaxDelay: 100ms + # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) + # enableTransparentMode: true # -- SCTP Configuration Values sctp: @@ -3349,6 +3404,8 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false # -- init container image of SPIRE agent and server initImage: override: ~ 
@@ -3363,8 +3420,8 @@ authentication: image: override: ~ repository: "ghcr.io/spiffe/spire-agent" - tag: "1.8.4" - digest: "sha256:d489bc8470d7a0f292e0e3576c3e7025253343dc798241bcfd9061828e2a6bef" + tag: "1.8.5" + digest: "sha256:99405637647968245ff9fe215f8bd2bd0ea9807be9725f8bf19fe1b21471e52b" useDigest: true pullPolicy: "IfNotPresent" # -- SPIRE agent service account @@ -3378,8 +3435,21 @@ authentication: # -- SPIRE Workload Attestor kubelet verification. skipKubeletVerification: true # -- SPIRE agent tolerations configuration + # By default it follows the same tolerations as the agent itself + # to allow the Cilium agent on this node to connect to SPIRE. # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" # -- SPIRE agent affinity configuration affinity: {} # -- SPIRE agent nodeSelector configuration @@ -3398,8 +3468,8 @@ authentication: image: override: ~ repository: "ghcr.io/spiffe/spire-server" - tag: "1.8.4" - digest: "sha256:bf79e0a921f8b8aa92602f7ea335616e72f7e91f939848e7ccc52d5bddfe96a1" + tag: "1.8.5" + digest: "sha256:28269265882048dcf0fed32fe47663cd98613727210b8d1a55618826f9bf5428" useDigest: true pullPolicy: "IfNotPresent" # -- SPIRE server service account diff --git a/internal/constellation/helm/charts/cilium/values.yaml.tmpl b/internal/constellation/helm/charts/cilium/values.yaml.tmpl index 2f55aa49a..71fad1e51 100644 --- a/internal/constellation/helm/charts/cilium/values.yaml.tmpl +++ b/internal/constellation/helm/charts/cilium/values.yaml.tmpl 
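Review bot: The new default `tolerations` list in the `@@ -3378,8 +3435,21 @@ authentication:` hunk is a literal list, not a reference to the agent's tolerations, so the added comment `By default it follows the same tolerations as the agent itself` promises more than the values deliver: an operator who narrows or widens the Cilium agent's tolerations will not see the SPIRE agent follow. Since mutual authentication presumably needs a SPIRE agent on every node where the Cilium agent runs, such drift would leave those nodes without attestation. Suggest making the comment explicit, `# Static copy of the agent's default tolerations; if you customise the agent's tolerations, adjust this list to match.` The identical hunk in values.yaml.tmpl (`@@ -3375,8 +3432,21 @@`) needs the same wording.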
@@ -215,8 +215,10 @@ extraConfig: {} annotations: {} # -- Security Context for cilium-agent pods. -podSecurityContext: {} - +podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to agent pods podAnnotations: {} @@ -233,6 +235,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -462,7 +467,17 @@ bpf: # @default -- `524288` neighMax: ~ + # @schema + # type: [null, integer] + # @schema + # @default -- `16384` + # -- (int) Configures the maximum number of entries for the node table. + nodeMapMax: ~ + # -- Configure the maximum number of entries in endpoint policy map (per endpoint). + # @schema + # type: [null, integer] + # @schema policyMapMax: 16384 # -- (float64) Configure auto-sizing for all BPF maps based on available memory. @@ -1293,6 +1308,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 @@ -2051,6 +2072,10 @@ envoy: # -- Set Envoy upstream HTTP idle connection timeout seconds. # Does not apply to connections with pending requests. Default 60s idleTimeoutDurationSeconds: 60 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyIngress: 0 + # -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners. + xffNumTrustedHopsL7PolicyEgress: 0 # -- Envoy container image. image: 
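Review bot: The two new `xffNumTrustedHopsL7PolicyIngress`/`xffNumTrustedHopsL7PolicyEgress` values in the `@@ -2051,6 +2072,10 @@ envoy:` hunk decide how much of the client-supplied `X-Forwarded-For` chain Envoy trusts when it derives the original client address for the L7 policy listeners, and the comment only restates the key name. The security meaning of the default deserves a sentence: `# 0 (default) trusts no hops, so presumably the immediate peer address is used. Raise it only by the exact number of trusted proxies in front of Envoy; a larger value lets a client choose the address that logs and policy see.` The corresponding values.yaml hunk is not in this chunk but should carry the same note.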
@@ -2104,8 +2129,10 @@ envoy: annotations: {} # -- Security Context for cilium-envoy pods. - podSecurityContext: {} - + podSecurityContext: + # -- AppArmorProfile options for the `cilium-agent` and init containers + appArmorProfile: + type: "Unconfined" # -- Annotations to be added to envoy pods podAnnotations: {} @@ -2174,7 +2201,20 @@ envoy: labelSelector: matchLabels: k8s-app: cilium-envoy - + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + k8s-app: cilium + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cilium.io/no-schedule + operator: NotIn + values: + - "true" # -- Node selector for cilium-envoy. nodeSelector: kubernetes.io/os: linux @@ -2195,12 +2235,16 @@ envoy: # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: ~ + # -- Configure Cilium Envoy Prometheus options. + # Note that some of these apply to either cilium-agent or cilium-envoy. prometheus: # -- Enable prometheus metrics for cilium-envoy enabled: true serviceMonitor: # -- Enable service monitors. # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) + # Note that this setting applies to both cilium-envoy _and_ cilium-agent + # with Envoy enabled. enabled: false # -- Labels to add to ServiceMonitor cilium-envoy labels: {} 
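Review bot: The comment on the new `podSecurityContext` in the `@@ -2104,8 +2129,10 @@ envoy:` hunk reads ``AppArmorProfile options for the `cilium-agent` and init containers``, but the block it documents is the cilium-envoy pod security context (the preceding line says `Security Context for cilium-envoy pods`). It looks copy-pasted from the agent block and is presumably inherited from upstream; it should read ``# -- AppArmorProfile options for the `cilium-envoy` and init containers``. If this template is regenerated from the fork, the fix belongs there too so the next regeneration does not revert it.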
@@ -2212,18 +2256,21 @@ envoy: # service monitors configured. # namespace: "" # -- Relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. relabelings: - sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: node replacement: ${1} # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy + # or for cilium-agent with Envoy configured. metricRelabelings: ~ # -- Serve prometheus metrics for cilium-envoy on the configured port port: "9964" # -- Enable use of the remote node identity. # ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity +# Deprecated without replacement in 1.15. To be removed in 1.16. remoteNodeIdentity: true # -- Enable resource quotas for priority classes used in the cluster. @@ -2661,6 +2708,8 @@ nodeinit: override: ~ repository: "${CILIUM_NODEINIT_REPO}" tag: "${CILIUM_NODEINIT_VERSION}" + digest: "${CILIUM_NODEINIT_DIGEST}" + useDigest: true pullPolicy: "${PULL_POLICY}" # -- The priority class to use for the nodeinit pod. @@ -2704,7 +2753,11 @@ nodeinit: # -- Labels to be added to node-init pods. podLabels: {} - + # -- Security Context for cilium-node-init pods. + podSecurityContext: + # -- AppArmorProfile options for the `cilium-node-init` and init containers + appArmorProfile: + type: "Unconfined" # -- nodeinit resource limits & requests # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: @@ -3307,6 +3360,8 @@ dnsProxy: proxyPort: 0 # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information. proxyResponseMaxDelay: 100ms + # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults) + # enableTransparentMode: true # -- SCTP Configuration Values sctp: 
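Review bot: `digest: "${CILIUM_NODEINIT_DIGEST}"` together with `useDigest: true` in the `@@ -2661,6 +2708,8 @@ nodeinit:` hunk introduces a new substitution variable, but the only generateCilium.sh change in this commit is the branch name and no step that fills `CILIUM_NODEINIT_DIGEST` is visible in this chunk. If nothing populates it, the rendered values carry the literal placeholder as the digest and `useDigest: true` makes the template reference it, so the nodeinit image would fail to pull instead of falling back to the tag. Worth confirming where the digest is set and recording it next to the variable, e.g. `# Filled in by <the step that renders this template>; must be the digest of the image tagged ${CILIUM_NODEINIT_VERSION}.`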
@@ -3346,6 +3401,8 @@ authentication: enabled: true # -- SPIRE namespace to install into namespace: cilium-spire + # -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace. + existingNamespace: false # -- init container image of SPIRE agent and server initImage: override: ~ @@ -3375,8 +3432,21 @@ authentication: # -- SPIRE Workload Attestor kubelet verification. skipKubeletVerification: true # -- SPIRE agent tolerations configuration + # By default it follows the same tolerations as the agent itself + # to allow the Cilium agent on this node to connect to SPIRE. # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ - tolerations: [] + tolerations: + - key: node.kubernetes.io/not-ready + effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + - key: node.cloudprovider.kubernetes.io/uninitialized + effect: NoSchedule + value: "true" + - key: CriticalAddonsOnly + operator: "Exists" # -- SPIRE agent affinity configuration affinity: {} # -- SPIRE agent nodeSelector configuration diff --git a/internal/constellation/helm/cilium.patch b/internal/constellation/helm/cilium.patch index 1ef6a2419..44857e283 100644 --- a/internal/constellation/helm/cilium.patch +++ b/internal/constellation/helm/cilium.patch 
@@ -6,11 +6,11 @@ index 256a79542..3f3fc714b 100644 name: cilium displayName: Cilium home: https://cilium.io/ --version: 1.15.0-pre.3 --appVersion: 1.15.0-pre.3 -+version: 1.15.0-pre.3-edg.3 -+appVersion: 1.15.0-pre.3-edg.3 +-version: 1.15.5 +-appVersion: 1.15.5 ++version: 1.15.5-edg.1 ++appVersion: 1.15.5-edg.1 kubeVersion: ">= 1.16.0-0" - icon: https://cdn.jsdelivr.net/gh/cilium/cilium@main/Documentation/images/logo-solo.svg + icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.15/Documentation/images/logo-solo.svg description: eBPF-based Networking, Security, and Observability \ No newline at end of file diff --git a/internal/constellation/helm/generateCilium.sh b/internal/constellation/helm/generateCilium.sh index 8d8e462f9..5a05fb466 100755 --- a/internal/constellation/helm/generateCilium.sh +++ b/internal/constellation/helm/generateCilium.sh @@ -21,7 +21,7 @@ git clone \ --no-checkout \ --sparse \ --depth 1 \ - -b v1.15.0-pre.3-edg.3 \ + -b v1.15.5-edg.1 \ https://github.com/edgelesssys/cilium.git cd cilium diff --git a/internal/constellation/helm/helm_test.go b/internal/constellation/helm/helm_test.go index cd8aab6a6..e2f8265b3 100644 --- a/internal/constellation/helm/helm_test.go +++ b/internal/constellation/helm/helm_test.go @@ -198,7 +198,7 @@ func TestHelmApply(t *testing.T) { if tc.clusterCertManagerVersion != nil { certManagerVersion = *tc.clusterCertManagerVersion } - helmListVersion(lister, "cilium", "v1.15.0-pre.3-edg.3") + helmListVersion(lister, "cilium", "v1.15.5-edg.1") helmListVersion(lister, "cert-manager", certManagerVersion) helmListVersion(lister, "constellation-services", tc.clusterMicroServiceVersion) helmListVersion(lister, "constellation-operators", tc.clusterMicroServiceVersion) diff --git a/internal/constellation/helm/loader.go b/internal/constellation/helm/loader.go index a3c6a50fa..c9badd4cc 100644 --- a/internal/constellation/helm/loader.go +++ b/internal/constellation/helm/loader.go 
@@ -367,16 +367,18 @@ func (i *chartLoader) loadCiliumValues(cloudprovider.Provider) (map[string]any,
 "image": map[string]any{
 "repository": "ghcr.io/edgelesssys/cilium/cilium",
 "suffix": "",
- "tag": "v1.15.0-pre.3-edg.2",
- "digest": "sha256:c21b7fbbb084a128a479d6170e5f89ad2768dfecb4af10ee6a99ffe5d1a11749",
+ "tag": "v1.15.5-edg.1-experimental",
+ "digest": "sha256:a7e33355e6c632c826bfce37a8789b58a708c2743b7c1023bc01dbda3cccc241",
 "useDigest": true,
 },
 "operator": map[string]any{
 "image": map[string]any{
- "repository": "ghcr.io/edgelesssys/cilium/operator",
- "suffix": "",
- "tag": "v1.15.0-pre.3-edg.2",
- "genericDigest": "sha256:4ea9de5cfeb4554b82b509f0de41120a90e35a15e81a04f76c4cb405ddea3e7c",
+ "repository": "ghcr.io/edgelesssys/cilium/operator",
+ "suffix": "",
+ "tag": "v1.15.5-edg.1-experimental",
+ // Careful: this is the digest of ghcr.io/.../operator-generic!
+ // See magic image manipulation in ./helm/charts/cilium/templates/cilium-operator/_helpers.tpl.
+ "genericDigest": "sha256:f1706b15fa7fc94c3a7d082a93f249f42d4811eb5e2472805a461ba1be3938a7",
 "useDigest": true,
 },
 "podDisruptionBudget": map[string]any{
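Review bot: The image tag `v1.15.5-edg.1-experimental` set for both the cilium and operator images does not match the chart version `1.15.5-edg.1` bumped elsewhere in this commit, and nothing explains the `-experimental` suffix. With `useDigest: true` the digest decides what is pulled, so the tag is informational, but a later cleanup that aligns the tag with the chart version without touching the digest would look like an upgrade while changing nothing — a comment next to `"tag"` such as `// Tag and digest belong together; the -experimental build is intentional, see <tracking issue>.` would prevent that. The path in the new comment, `./helm/charts/cilium/templates/cilium-operator/_helpers.tpl`, resolves from `internal/constellation/`, not from this file's directory `internal/constellation/helm/`; `charts/cilium/templates/cilium-operator/_helpers.tpl` would be correct relative to loader.go. loadCiliumValues starts and ends outside the hunk.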