Cleaning up cilium values
This commit is contained in:
parent
5000f8889a
commit
1fad218deb
1 changed files with 65 additions and 218 deletions
|
@ -1,241 +1,88 @@
|
|||
---
|
||||
# -- Enable installation of PodCIDR routes between worker
|
||||
# nodes if worker nodes share a common L2 network segment.
|
||||
autoDirectNodeRoutes: true
|
||||
|
||||
# -- Configure BGP
|
||||
bgp:
|
||||
# -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside
|
||||
# cilium-agent and cilium-operator
|
||||
enabled: false
|
||||
announce:
|
||||
# -- Enable allocation and announcement of service LoadBalancer IPs
|
||||
loadbalancerIP: true
|
||||
# -- Enable announcement of node pod CIDR
|
||||
podCIDR: false
|
||||
|
||||
# -- Configure cgroup related configuration
|
||||
cgroup:
|
||||
autoMount:
|
||||
# -- Enable auto mount of cgroup2 filesystem.
|
||||
# When `autoMount` is enabled, cgroup2 filesystem is mounted at
|
||||
# `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
|
||||
# If users disable `autoMount`, it's expected that users have mounted
|
||||
# cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
|
||||
# volume will be mounted inside the cilium agent pod at the same path.
|
||||
enabled: false
|
||||
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
|
||||
hostRoot: /sys/fs/cgroup
|
||||
|
||||
cluster:
|
||||
# -- Name of the cluster. Only required for Cluster Mesh.
|
||||
name: valinor
|
||||
# -- (int) Unique ID of the cluster. Must be unique across all connected
|
||||
# clusters and in the range of 1 to 255. Only required for Cluster Mesh,
|
||||
# may be 0 if Cluster Mesh is not used.
|
||||
id: 1
|
||||
|
||||
# -- Configure container runtime specific integration.
|
||||
containerRuntime:
|
||||
# -- Enables specific integrations for container runtimes.
|
||||
# Supported values:
|
||||
# - containerd
|
||||
# - crio
|
||||
# - docker
|
||||
# - none
|
||||
# - auto (automatically detect the container runtime)
|
||||
integration: containerd
|
||||
|
||||
endpointRoutes:
|
||||
# -- Enable use of per endpoint routes instead of routing via
|
||||
# the cilium_host interface.
|
||||
bandwidthManager:
|
||||
enabled: true
|
||||
bbr: true
|
||||
bpf:
|
||||
masquerade: true
|
||||
bgp:
|
||||
enabled: false
|
||||
cluster:
|
||||
name: valinor
|
||||
id: 1
|
||||
containerRuntime:
|
||||
integration: containerd
|
||||
endpointRoutes:
|
||||
enabled: true
|
||||
|
||||
hubble:
|
||||
# -- Enable Hubble (true by default).
|
||||
enabled: true
|
||||
metrics:
|
||||
# -- Configures the list of metrics to collect. If empty or null, metrics
|
||||
# are disabled.
|
||||
# Example:
|
||||
#
|
||||
# enabled:
|
||||
# - dns:query;ignoreAAAA
|
||||
# - drop
|
||||
# - tcp
|
||||
# - flow
|
||||
# - icmp
|
||||
# - http
|
||||
#
|
||||
# You can specify the list of metrics from the helm CLI:
|
||||
#
|
||||
# --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
|
||||
#
|
||||
enabled:
|
||||
- dns:query;ignoreAAAA,
|
||||
- dns:query
|
||||
- drop
|
||||
- tcp
|
||||
- flow
|
||||
- http
|
||||
- icmp
|
||||
- port-distribution
|
||||
|
||||
- icmp
|
||||
- http
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
dashboards:
|
||||
enabled: true
|
||||
annotations:
|
||||
grafana_folder: Cilium
|
||||
relay:
|
||||
# -- Enable Hubble Relay (requires hubble.enabled=true)
|
||||
enabled: true
|
||||
# -- Roll out Hubble Relay pods automatically when configmap is updated.
|
||||
rollOutPods: true
|
||||
|
||||
# serviceMonitor:
|
||||
# # -- Create ServiceMonitor resources for Prometheus Operator.
|
||||
# # This requires the prometheus CRDs to be available.
|
||||
# # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
|
||||
# enabled: false
|
||||
|
||||
prometheus:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
ui:
|
||||
# -- Whether to enable the Hubble UI.
|
||||
enabled: true
|
||||
|
||||
# -- hubble-ui ingress configuration.
|
||||
rollOutPods: true
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
# -- Roll out Hubble-ui pods automatically when configmap is updated.
|
||||
rollOutPods: true
|
||||
|
||||
ipam:
|
||||
# -- Configure IP Address Management mode.
|
||||
# ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
|
||||
mode: kubernetes
|
||||
|
||||
# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
|
||||
# When specified, Cilium assumes networking for this CIDR is preconfigured and
|
||||
# hands traffic destined for that range to the Linux network stack without
|
||||
# applying any SNAT.
|
||||
# Generally speaking, specifying a native routing CIDR implies that Cilium can
|
||||
# depend on the underlying networking stack to route packets to their
|
||||
# destination. To offer a concrete example, if Cilium is configured to use
|
||||
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
|
||||
# the user must configure the routes to reach pods, either manually or by
|
||||
# setting the auto-direct-node-routes flag.
|
||||
ipv4NativeRoutingCIDR: 10.244.0.0/16
|
||||
|
||||
# -- (string) Kubernetes service host
|
||||
k8sServiceHost: valinor.hsn.dev
|
||||
# -- (string) Kubernetes service port
|
||||
k8sServicePort: 6443
|
||||
|
||||
# -- Configure the kube-proxy replacement in Cilium BPF datapath
|
||||
# Valid options are "disabled", "partial", "strict".
|
||||
# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
|
||||
kubeProxyReplacement: strict
|
||||
|
||||
# -- healthz server bind address for the kube-proxy replacement.
|
||||
# To enable set the value to '0.0.0.0:10256' for all ipv4
|
||||
# addresses and this '[::]:10256' for all ipv6 addresses.
|
||||
# By default it is disabled.
|
||||
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
|
||||
|
||||
# -- Configure service load balancing
|
||||
loadBalancer:
|
||||
# -- algorithm is the name of the load balancing algorithm for backend
|
||||
# selection e.g. random or maglev
|
||||
algorithm: random
|
||||
|
||||
# -- mode is the operation mode of load balancing for remote backends
|
||||
# e.g. snat, dsr, hybrid
|
||||
mode: snat
|
||||
|
||||
# -- Enable Local Redirect Policy.
|
||||
localRedirectPolicy: false
|
||||
|
||||
operator:
|
||||
# -- Enable the cilium-operator component (required).
|
||||
enabled: true
|
||||
|
||||
# -- Roll out cilium-operator pods automatically when configmap is updated.
|
||||
className: internal
|
||||
hosts:
|
||||
- &host hubble.hsn.dev
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
ipam:
|
||||
mode: kubernetes
|
||||
ipv4NativeRoutingCIDR: 10.32.0.0/16
|
||||
k8sServiceHost: 10.2.0.6
|
||||
k8sServicePort: 6443
|
||||
kubeProxyReplacement: true
|
||||
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
|
||||
l2announcements:
|
||||
enabled: true
|
||||
leaseDuration: 120s
|
||||
leaseRenewDeadline: 60s
|
||||
leaseRetryPeriod: 1s
|
||||
loadBalancer:
|
||||
algorithm: maglev
|
||||
mode: dsr
|
||||
localRedirectPolicy: true
|
||||
operator:
|
||||
rollOutPods: true
|
||||
|
||||
# -- Roll out cilium agent pods automatically when configmap is updated.
|
||||
rollOutCiliumPods: false
|
||||
|
||||
prometheus:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
dashboards:
|
||||
enabled: true
|
||||
annotations:
|
||||
grafana_folder: Cilium
|
||||
prometheus:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
trustCRDsExist: true
|
||||
dashboards:
|
||||
enabled: true
|
||||
annotations:
|
||||
grafana_folder: Cilium
|
||||
rollOutCiliumPods: true
|
||||
securityContext:
|
||||
# -- Run the pod with elevated privileges
|
||||
privileged: false
|
||||
|
||||
capabilities:
|
||||
# -- Capabilities for the `cilium-agent` container
|
||||
ciliumAgent:
|
||||
# Use to set socket permission
|
||||
- CHOWN
|
||||
# Used to terminate envoy child process
|
||||
- KILL
|
||||
# Used since cilium modifies routing tables, etc...
|
||||
- NET_ADMIN
|
||||
# Used since cilium creates raw sockets, etc...
|
||||
- NET_RAW
|
||||
# Used since cilium monitor uses mmap
|
||||
- IPC_LOCK
|
||||
# Used in iptables. Consider removing once we are iptables-free
|
||||
# - SYS_MODULE
|
||||
# We need it for now but might not need it for >= 5.11 specially
|
||||
# for the 'SYS_RESOURCE'.
|
||||
# In >= 5.8 there's already BPF and PERMON capabilities
|
||||
- SYS_ADMIN
|
||||
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
|
||||
- SYS_RESOURCE
|
||||
# Both PERFMON and BPF requires kernel 5.8, container runtime
|
||||
# cri-o >= v1.22.0 or containerd >= v1.5.0.
|
||||
# If available, SYS_ADMIN can be removed.
|
||||
#- PERFMON
|
||||
#- BPF
|
||||
# Allow discretionary access control (e.g. required for package installation)
|
||||
- DAC_OVERRIDE
|
||||
# Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)
|
||||
- FOWNER
|
||||
# Allow to execute program that changes GID (e.g. required for package installation)
|
||||
- SETGID
|
||||
# Allow to execute program that changes UID (e.g. required for package installation)
|
||||
- SETUID
|
||||
# -- Capabilities for the `mount-cgroup` init container
|
||||
mountCgroup:
|
||||
# Only used for 'mount' cgroup
|
||||
- SYS_ADMIN
|
||||
# Used for nsenter
|
||||
- SYS_CHROOT
|
||||
- SYS_PTRACE
|
||||
# -- capabilities for the `apply-sysctl-overwrites` init container
|
||||
applySysctlOverwrites:
|
||||
# Required in order to access host's /etc/sysctl.d dir
|
||||
- SYS_ADMIN
|
||||
# Used for nsenter
|
||||
- SYS_CHROOT
|
||||
- SYS_PTRACE
|
||||
# -- Capabilities for the `clean-cilium-state` init container
|
||||
cleanCiliumState:
|
||||
# Most of the capabilities here are the same ones used in the
|
||||
# cilium-agent's container because this container can be used to
|
||||
# uninstall all Cilium resources, and therefore it is likely that
|
||||
# will need the same capabilities.
|
||||
# Used since cilium modifies routing tables, etc...
|
||||
- NET_ADMIN
|
||||
# Used in iptables. Consider removing once we are iptables-free
|
||||
# - SYS_MODULE
|
||||
# We need it for now but might not need it for >= 5.11 specially
|
||||
# for the 'SYS_RESOURCE'.
|
||||
# In >= 5.8 there's already BPF and PERMON capabilities
|
||||
- SYS_ADMIN
|
||||
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
|
||||
- SYS_RESOURCE
|
||||
# Both PERFMON and BPF requires kernel 5.8, container runtime
|
||||
# cri-o >= v1.22.0 or containerd >= v1.5.0.
|
||||
# If available, SYS_ADMIN can be removed.
|
||||
#- PERFMON
|
||||
#- BPF
|
||||
|
||||
# -- Configure the encapsulation configuration for communication between nodes.
|
||||
# Possible values:
|
||||
# - disabled
|
||||
# - vxlan (default)
|
||||
# - geneve
|
||||
tunnel: "disabled"
|
||||
privileged: true
|
||||
tunnel: disabled
|
||||
|
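Review bot: `securityContext.privileged: true` at the end of the new values runs the cilium-agent (and its init containers) fully privileged, whereas the removed side pinned `privileged: false` together with an explicit per-container capability list (NET_ADMIN, NET_RAW, SYS_ADMIN/SYS_RESOURCE, SYS_CHROOT/SYS_PTRACE for the init containers, with BPF/PERFMON noted as replacements for SYS_ADMIN on kernels >= 5.8) — that is a least-privilege regression, not a cleanup, and a compromise of the agent container now yields unrestricted host access. Unless a kernel or runtime limitation forces it, keep `privileged: false` and restore the `securityContext.capabilities` block; if privileged mode is genuinely required, record why inline, e.g. `# privileged: required because <reason>; revisit against the per-container capability list`, so it does not persist silently. Two YAML details in the new `hubble.metrics.enabled` list are worth confirming since the rendered page does not show which side they belong to: `- dns:query;ignoreAAAA,` carries a trailing comma that becomes part of the metric name, and `icmp`/`http` appear to be listed twice. Likewise, if `hubble.ui.ingress` is now enabled for `hubble.hsn.dev` (the hosts/tls entries are new but the `enabled:` value is not recoverable here), note that Hubble UI has no authentication of its own, so access to cluster-wide flow data should be gated at the ingress or network-policy layer.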
|