Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
d43242a55f
constellation/cli/internal/helm/charts/cilium/templates/cilium-agent/daemonset.yaml
3u13r f649219cbf
Feat/cilium strict mode2.0 (#25) 
* bump cilium helm charts

* integrate cilium strict mode v2
2022-08-31 15:37:07 +02:00

845 lines
31 KiB
YAML
Raw Blame History

{{- if and .Values.agent (not .Values.preflight.enabled) }}
{{- /* Default values with backwards compatibility */ -}}
{{- $defaultKeepDeprecatedProbes := true -}}
{{- /* Default values when 1.8 was initially deployed */ -}}
{{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
{{- $defaultKeepDeprecatedProbes = false -}}
{{- end -}}
{{- $kubeProxyReplacement := (coalesce .Values.kubeProxyReplacement "disabled") -}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
labels:
k8s-app: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- if and .Values.gke.enabled (eq .Release.Namespace "kube-system" ) }}
{{- fail "Invalid configuration: Installing Cilium on GKE with 'kubernetes.io/cluster-service' labels on 'kube-system' namespace causes Cilium DaemonSet to be removed by GKE. Either install Cilium on a different Namespace or install with '--set keepDeprecatedLabels=false'" }}
{{- end }}
{{- end }}
spec:
selector:
matchLabels:
k8s-app: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.updateStrategy }}
updateStrategy:
{{- toYaml . | trim | nindent 4 }}
{{- end }}
template:
metadata:
annotations:
{{- if and .Values.prometheus.enabled (not .Values.prometheus.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.prometheus.port }}"
prometheus.io/scrape: "true"
{{- end }}
{{- if .Values.rollOutCiliumPods }}
# ensure pods roll when configmap updates
cilium.io/cilium-configmap-checksum: {{ include (print $.Template.BasePath "/cilium-configmap.yaml") . | sha256sum | quote }}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined"
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
k8s-app: cilium
{{- if .Values.keepDeprecatedLabels }}
kubernetes.io/cluster-service: "true"
{{- end }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cilium-agent
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.sleepAfterInit }}
command:
- /bin/bash
- -c
- --
args:
- |
while true; do
sleep 30;
done
livenessProbe:
exec:
command:
- "true"
readinessProbe:
exec:
command:
- "true"
{{- else }}
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
{{- with .Values.extraArgs }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
startupProbe:
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
successThreshold: 1
{{- end }}
livenessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
# The initial delay for the liveness probe is intentionally large to
# avoid an endless kill & restart cycle if in the event that the initial
# bootstrapping takes longer than expected.
# Starting from Kubernetes 1.20, we are using startupProbe instead
# of this field.
initialDelaySeconds: 120
{{- end }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
timeoutSeconds: 5
readinessProbe:
{{- if or .Values.keepDeprecatedProbes $defaultKeepDeprecatedProbes }}
exec:
command:
- cilium
- status
- --brief
{{- else }}
httpGet:
host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
path: /healthz
port: {{ .Values.healthPort }}
scheme: HTTP
httpHeaders:
- name: "brief"
value: "true"
{{- end }}
{{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
initialDelaySeconds: 5
{{- end }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
successThreshold: 1
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
timeoutSeconds: 5
{{- end }}
env:
- name: K8S_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: CILIUM_K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
- name: CILIUM_CNI_CHAINING_MODE
valueFrom:
configMapKeyRef:
name: cilium-config
key: cni-chaining-mode
optional: true
- name: CILIUM_CUSTOM_CNI_CONF
valueFrom:
configMapKeyRef:
name: cilium-config
key: custom-cni-conf
optional: true
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if .Values.cni.install }}
lifecycle:
postStart:
exec:
command:
- "/cni-install.sh"
- "--enable-debug={{ .Values.debug.enabled }}"
- "--cni-exclusive={{ .Values.cni.exclusive }}"
- "--log-file={{ .Values.cni.logFile }}"
preStop:
exec:
command:
- /cni-uninstall.sh
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if or .Values.prometheus.enabled .Values.hubble.metrics.enabled }}
ports:
{{- if .Values.hubble.peerService.enabled }}
- name: peer-service
containerPort: {{ .Values.hubble.peerService.targetPort }}
hostPort: {{ .Values.hubble.peerService.targetPort }}
protocol: TCP
{{- end }}
{{- if .Values.prometheus.enabled }}
- name: prometheus
containerPort: {{ .Values.prometheus.port }}
hostPort: {{ .Values.prometheus.port }}
protocol: TCP
{{- if .Values.proxy.prometheus.enabled }}
- name: envoy-metrics
containerPort: {{ .Values.proxy.prometheus.port }}
hostPort: {{ .Values.proxy.prometheus.port }}
protocol: TCP
{{- end }}
{{- end }}
{{- if .Values.hubble.metrics.enabled }}
- name: hubble-metrics
containerPort: {{ .Values.hubble.metrics.port }}
hostPort: {{ .Values.hubble.metrics.port }}
protocol: TCP
{{- end }}
{{- end }}
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
level: 's0'
# Running with spc_t since we have removed the privileged mode.
# Users can change it to a different type as long as they have the
# type available on the system.
type: 'spc_t'
capabilities:
add:
# Use to set socket permission
- CHOWN
# Used to terminate envoy child process
- KILL
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used since cilium creates raw sockets, etc...
- NET_RAW
# Used since cilium monitor uses mmap
- IPC_LOCK
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
- SYS_RESOURCE
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
{{- with .Values.securityContext.extraCapabilities }}
{{- toYaml . | nindent 14 }}
{{- end }}
drop:
- ALL
{{- end }}
volumeMounts:
{{- if not .Values.securityContext.privileged }}
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
{{- end}}
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.containerRuntime.integration "crio") }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- if .Values.securityContext.privileged }}
mountPropagation: Bidirectional
{{- else }}
# Unprivileged containers can't set mount propagation to bidirectional
# in this case we will mount the bpf fs from an init container that
# is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation: HostToContainer
{{- end}}
{{- end }}
{{- if not (contains "/run/cilium/cgroupv2" .Values.cgroup.hostRoot) }}
# Check for duplicate mounts before mounting
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
{{- end}}
- name: cilium-run
mountPath: /var/run/cilium
- name: cni-path
mountPath: /host/opt/cni/bin
- name: etc-cni-netd
mountPath: {{ .Values.cni.hostConfDirMountPath }}
{{- if .Values.etcd.enabled }}
- name: etcd-config-path
mountPath: /var/lib/etcd-config
readOnly: true
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
mountPath: /var/lib/etcd-secrets
readOnly: true
{{- end }}
{{- end }}
- name: clustermesh-secrets
mountPath: /var/lib/cilium/clustermesh
readOnly: true
- name: cilium-config-path
mountPath: /tmp/cilium/config-map
readOnly: true
{{- if .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
mountPath: /etc/config
readOnly: true
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
mountPath: {{ .Values.cni.confFileMountPath }}
readOnly: true
{{- end }}
# Needed to be able to load kernel modules
- name: lib-modules
mountPath: /lib/modules
readOnly: true
- name: xtables-lock
mountPath: /run/xtables.lock
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
mountPath: {{ .Values.encryption.ipsec.mountPath | default .Values.encryption.mountPath }}
{{- end }}
{{- if .Values.kubeConfigPath }}
- name: kube-config
mountPath: {{ .Values.kubeConfigPath }}
readOnly: true
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
mountPath: /var/lib/cilium/bgp
readOnly: true
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
{{- end }}
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
mountPath: {{ .mountPath }}
readOnly: {{ .readOnly }}
{{- if .mountPropagation }}
mountPropagation: {{ .mountPropagation }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.monitor.enabled }}
- name: cilium-monitor
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
- -c
- --
args:
- |-
for i in {1..5}; do \
[ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
done; \
cilium monitor
{{- range $type := .Values.monitor.eventTypes -}}
{{ " " }}--type={{ $type }}
{{- end }}
volumeMounts:
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.monitor.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- end }}
initContainers:
{{- if .Values.cgroup.autoMount.enabled }}
# Required to mount cgroup2 filesystem on the underlying Kubernetes node.
# We use nsenter command with host's cgroup and mount namespaces enabled.
- name: mount-cgroup
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: CGROUP_ROOT
value: {{ .Values.cgroup.hostRoot }}
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
level: 's0'
# Running with spc_t since we have removed the privileged mode.
# Users can change it to a different type as long as they have the
# type available on the system.
type: 'spc_t'
capabilities:
drop:
- ALL
add:
# Only used for 'mount' cgroup
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
{{- end}}
- name: apply-sysctl-overwrites
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: BIN_PATH
value: {{ .Values.cni.binPath }}
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
rm /hostbin/cilium-sysctlfix
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
level: 's0'
# Running with spc_t since we have removed the privileged mode.
# Users can change it to a different type as long as they have the
# type available on the system.
type: 'spc_t'
capabilities:
drop:
- ALL
add:
# Required in order to access host's /etc/sysctl.d dir
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
{{- end}}
{{- end }}
{{- if not .Values.securityContext.privileged }}
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
securityContext:
privileged: true
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.containerRuntime.integration "crio") }}
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
{{- end }}
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: wait-for-node-init
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
- -c
- |
until test -s {{ (print "/tmp/cilium-bootstrap.d/" (.Values.nodeinit.bootstrapFile | base)) | quote }}; do
echo "Waiting on node-init to run...";
sleep 1;
done
volumeMounts:
- name: cilium-bootstrap-file-dir
mountPath: "/tmp/cilium-bootstrap.d"
{{- end }}
- name: clean-cilium-state
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-state
optional: true
- name: CILIUM_BPF_STATE
valueFrom:
configMapKeyRef:
name: cilium-config
key: clean-cilium-bpf-state
optional: true
{{- if .Values.k8sServiceHost }}
- name: KUBERNETES_SERVICE_HOST
value: {{ .Values.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.k8sServicePort }}
- name: KUBERNETES_SERVICE_PORT
value: {{ .Values.k8sServicePort | quote }}
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- if .Values.securityContext.privileged }}
privileged: true
{{- else }}
seLinuxOptions:
level: 's0'
# Running with spc_t since we have removed the privileged mode.
# Users can change it to a different type as long as they have the
# type available on the system.
type: 'spc_t'
capabilities:
# Most of the capabilities here are the same ones used in the
# cilium-agent's container because this container can be used to
# uninstall all Cilium resources, and therefore it is likely that
# will need the same capabilities.
add:
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
- SYS_RESOURCE
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
drop:
- ALL
{{- end}}
volumeMounts:
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.containerRuntime.integration "crio") }}
- name: bpf-maps
mountPath: /sys/fs/bpf
{{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup
mountPath: {{ .Values.cgroup.hostRoot }}
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
{{- with .Values.nodeinit.resources }}
resources:
{{- toYaml . | trim | nindent 10 }}
{{- end }}
{{- if and .Values.waitForKubeProxy (ne $kubeProxyReplacement "strict") }}
- name: wait-for-kube-proxy
image: {{ include "cilium.image" .Values.image | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
privileged: true
command:
- bash
- -c
- |
while true
do
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'iptables-nft-save -t mangle'"
exit 0
fi
if ip6tables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then
echo "Found KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY iptables rule in 'ip6tables-nft-save -t mangle'"
exit 0
fi
if iptables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "Found KUBE-PROXY-CANARY iptables rule in 'iptables-legacy-save"
exit 0
fi
if ip6tables-legacy-save | grep -E '^:KUBE-PROXY-CANARY'; then
echo "KUBE-PROXY-CANARY iptables rule in 'ip6tables-legacy-save'"
exit 0
fi
echo "Waiting for kube-proxy to create iptables rules...";
sleep 1;
done
{{- end }} # wait-for-kube-proxy
restartPolicy: Always
priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.priorityClassName "system-node-critical") }}
serviceAccount: {{ .Values.serviceAccounts.cilium.name | quote }}
serviceAccountName: {{ .Values.serviceAccounts.cilium.name | quote }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
hostNetwork: true
{{- if and .Values.etcd.managed (not .Values.etcd.k8sService) }}
# In managed etcd mode, Cilium must be able to resolve the DNS name of
# the etcd service
dnsPolicy: ClusterFirstWithHostNet
{{- else if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | trim | nindent 8 }}
{{- end }}
{{- if and .Values.clustermesh.useAPIServer .Values.clustermesh.config.enabled }}
hostAliases:
{{- range $cluster := .Values.clustermesh.config.clusters }}
{{- range $ip := $cluster.ips }}
- ip: {{ $ip }}
hostnames: [ "{{ $cluster.name }}.{{ $.Values.clustermesh.config.domain }}" ]
{{- end }}
{{- end }}
{{- end }}
volumes:
# To keep state between restarts / upgrades
- name: cilium-run
hostPath:
path: {{ .Values.daemon.runPath }}
type: DirectoryOrCreate
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.containerRuntime.integration "crio") }}
# To keep state between restarts / upgrades for bpf maps
- name: bpf-maps
hostPath:
path: /sys/fs/bpf
type: DirectoryOrCreate
{{- end }}
{{- if .Values.cgroup.autoMount.enabled }}
# To mount cgroup2 filesystem on the host
- name: hostproc
hostPath:
path: /proc
type: Directory
{{- end }}
# To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup
hostPath:
path: {{ .Values.cgroup.hostRoot}}
type: DirectoryOrCreate
# To install cilium cni plugin in the host
- name: cni-path
hostPath:
path: {{ .Values.cni.binPath }}
type: DirectoryOrCreate
# To install cilium cni configuration in the host
- name: etc-cni-netd
hostPath:
path: {{ .Values.cni.confPath }}
type: DirectoryOrCreate
# To be able to load kernel modules
- name: lib-modules
hostPath:
path: /lib/modules
# To access iptables concurrently with other processes (e.g. kube-proxy)
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
{{- if .Values.kubeConfigPath }}
- name: kube-config
hostPath:
path: {{ .Values.kubeConfigPath }}
type: FileOrCreate
{{- end }}
{{- if and .Values.nodeinit.enabled .Values.nodeinit.bootstrapFile }}
- name: cilium-bootstrap-file-dir
hostPath:
path: {{ .Values.nodeinit.bootstrapFile | dir | quote }}
type: DirectoryOrCreate
{{- end }}
{{- if .Values.etcd.enabled }}
# To read the etcd config stored in config maps
- name: etcd-config-path
configMap:
name: cilium-config
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
items:
- key: etcd-config
path: etcd.config
# To read the k8s etcd secrets in case the user might want to use TLS
{{- if or .Values.etcd.ssl .Values.etcd.managed }}
- name: etcd-secrets
secret:
secretName: cilium-etcd-secrets
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
optional: true
{{- end }}
{{- end }}
# To read the clustermesh configuration
- name: clustermesh-secrets
secret:
secretName: cilium-clustermesh
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
optional: true
# To read the configuration from the config map
- name: cilium-config-path
configMap:
name: cilium-config
{{- if and .Values.ipMasqAgent .Values.ipMasqAgent.enabled }}
- name: ip-masq-agent
configMap:
name: ip-masq-agent
optional: true
items:
- key: config
path: ip-masq-agent
{{- end }}
{{- if and .Values.encryption.enabled (eq .Values.encryption.type "ipsec") }}
- name: cilium-ipsec-secrets
secret:
secretName: {{ .Values.encryption.ipsec.secretName | default .Values.encryption.secretName }}
{{- end }}
{{- if .Values.cni.configMap }}
- name: cni-configuration
configMap:
name: {{ .Values.cni.configMap }}
{{- end }}
{{- if .Values.bgp.enabled }}
- name: bgp-config-path
configMap:
name: bgp-config
{{- end }}
{{- if not .Values.securityContext.privileged }}
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
{{- end }}
{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled (hasKey .Values.hubble "listenAddress") }}
- name: hubble-tls
projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources:
- secret:
name: hubble-server-certs
optional: true
items:
- key: ca.crt
path: client-ca.crt
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
{{- end }}
{{- range .Values.extraHostPathMounts }}
- name: {{ .name }}
hostPath:
path: {{ .hostPath }}
{{- if .hostPathType }}
type: {{ .hostPathType }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink