Cleaning up cilium values

Joseph Hanson 2023-09-26 14:10:55 -05:00
parent 5000f8889a
commit 1fad218deb


@ -1,241 +1,88 @@
---
# -- Enable installation of PodCIDR routes between worker
# nodes if worker nodes share a common L2 network segment.
autoDirectNodeRoutes: true
# -- Configure BGP
bgp:
# -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside
# cilium-agent and cilium-operator
enabled: false
announce:
# -- Enable allocation and announcement of service LoadBalancer IPs
loadbalancerIP: true
# -- Enable announcement of node pod CIDR
podCIDR: false
# -- Configure cgroup related configuration
cgroup:
autoMount:
# -- Enable auto mount of cgroup2 filesystem.
# When `autoMount` is enabled, cgroup2 filesystem is mounted at
# `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
# If users disable `autoMount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
enabled: false
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
hostRoot: /sys/fs/cgroup
cluster:
# -- Name of the cluster. Only required for Cluster Mesh.
name: valinor
# -- (int) Unique ID of the cluster. Must be unique across all connected
# clusters and in the range of 1 to 255. Only required for Cluster Mesh,
# may be 0 if Cluster Mesh is not used.
id: 1
# -- Configure container runtime specific integration.
containerRuntime:
# -- Enables specific integrations for container runtimes.
# Supported values:
# - containerd
# - crio
# - docker
# - none
# - auto (automatically detect the container runtime)
integration: containerd
endpointRoutes:
# -- Enable use of per endpoint routes instead of routing via
# the cilium_host interface.
bandwidthManager:
enabled: true
bbr: true
bpf:
masquerade: true
bgp:
enabled: false
cluster:
name: valinor
id: 1
containerRuntime:
integration: containerd
endpointRoutes:
enabled: true
hubble:
# -- Enable Hubble (true by default).
enabled: true
metrics:
# -- Configures the list of metrics to collect. If empty or null, metrics
# are disabled.
# Example:
#
# enabled:
# - dns:query;ignoreAAAA
# - drop
# - tcp
# - flow
# - icmp
# - http
#
# You can specify the list of metrics from the helm CLI:
#
# --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
#
enabled:
- dns:query;ignoreAAAA,
- dns:query
- drop
- tcp
- flow
- http
- icmp
- port-distribution
- icmp
- http
serviceMonitor:
enabled: true
dashboards:
enabled: true
annotations:
grafana_folder: Cilium
relay:
# -- Enable Hubble Relay (requires hubble.enabled=true)
enabled: true
# -- Roll out Hubble Relay pods automatically when configmap is updated.
rollOutPods: true
# serviceMonitor:
# # -- Create ServiceMonitor resources for Prometheus Operator.
# # This requires the prometheus CRDs to be available.
# # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
# enabled: false
prometheus:
serviceMonitor:
enabled: true
ui:
# -- Whether to enable the Hubble UI.
enabled: true
# -- hubble-ui ingress configuration.
rollOutPods: true
ingress:
enabled: false
# -- Roll out Hubble-ui pods automatically when configmap is updated.
rollOutPods: true
ipam:
# -- Configure IP Address Management mode.
# ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
mode: kubernetes
# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and
# hands traffic destined for that range to the Linux network stack without
# applying any SNAT.
# Generally speaking, specifying a native routing CIDR implies that Cilium can
# depend on the underlying networking stack to route packets to their
# destination. To offer a concrete example, if Cilium is configured to use
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
# the user must configure the routes to reach pods, either manually or by
# setting the auto-direct-node-routes flag.
ipv4NativeRoutingCIDR: 10.244.0.0/16
# -- (string) Kubernetes service host
k8sServiceHost: valinor.hsn.dev
# -- (string) Kubernetes service port
k8sServicePort: 6443
# -- Configure the kube-proxy replacement in Cilium BPF datapath
# Valid options are "disabled", "partial", "strict".
# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
kubeProxyReplacement: strict
# -- healthz server bind address for the kube-proxy replacement.
# To enable set the value to '0.0.0.0:10256' for all ipv4
# addresses and this '[::]:10256' for all ipv6 addresses.
# By default it is disabled.
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
# -- Configure service load balancing
loadBalancer:
# -- algorithm is the name of the load balancing algorithm for backend
# selection e.g. random or maglev
algorithm: random
# -- mode is the operation mode of load balancing for remote backends
# e.g. snat, dsr, hybrid
mode: snat
# -- Enable Local Redirect Policy.
localRedirectPolicy: false
operator:
# -- Enable the cilium-operator component (required).
enabled: true
# -- Roll out cilium-operator pods automatically when configmap is updated.
className: internal
hosts:
- &host hubble.hsn.dev
tls:
- hosts:
- *host
ipam:
mode: kubernetes
ipv4NativeRoutingCIDR: 10.32.0.0/16
k8sServiceHost: 10.2.0.6
k8sServicePort: 6443
kubeProxyReplacement: true
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
l2announcements:
enabled: true
leaseDuration: 120s
leaseRenewDeadline: 60s
leaseRetryPeriod: 1s
loadBalancer:
algorithm: maglev
mode: dsr
localRedirectPolicy: true
operator:
rollOutPods: true
# -- Roll out cilium agent pods automatically when configmap is updated.
rollOutCiliumPods: false
prometheus:
enabled: true
serviceMonitor:
enabled: true
dashboards:
enabled: true
annotations:
grafana_folder: Cilium
prometheus:
enabled: true
serviceMonitor:
enabled: true
trustCRDsExist: true
dashboards:
enabled: true
annotations:
grafana_folder: Cilium
rollOutCiliumPods: true
securityContext:
# -- Run the pod with elevated privileges
privileged: false
capabilities:
# -- Capabilities for the `cilium-agent` container
ciliumAgent:
# Use to set socket permission
- CHOWN
# Used to terminate envoy child process
- KILL
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used since cilium creates raw sockets, etc...
- NET_RAW
# Used since cilium monitor uses mmap
- IPC_LOCK
# Used in iptables. Consider removing once we are iptables-free
# - SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
- SYS_RESOURCE
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
# Allow discretionary access control (e.g. required for package installation)
- DAC_OVERRIDE
# Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)
- FOWNER
# Allow to execute program that changes GID (e.g. required for package installation)
- SETGID
# Allow to execute program that changes UID (e.g. required for package installation)
- SETUID
# -- Capabilities for the `mount-cgroup` init container
mountCgroup:
# Only used for 'mount' cgroup
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
# -- capabilities for the `apply-sysctl-overwrites` init container
applySysctlOverwrites:
# Required in order to access host's /etc/sysctl.d dir
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
# -- Capabilities for the `clean-cilium-state` init container
cleanCiliumState:
# Most of the capabilities here are the same ones used in the
# cilium-agent's container because this container can be used to
# uninstall all Cilium resources, and therefore it is likely that
# will need the same capabilities.
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used in iptables. Consider removing once we are iptables-free
# - SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
- SYS_RESOURCE
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
# -- Configure the encapsulation configuration for communication between nodes.
# Possible values:
# - disabled
# - vxlan (default)
# - geneve
tunnel: "disabled"
privileged: true
tunnel: disabled
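Review bot: `privileged: true` under `securityContext` at the end of the file appears to replace `privileged: false` and the explicit per-container `capabilities` lists (`ciliumAgent`, `mountCgroup`, `applySysctlOverwrites`, `cleanCiliumState`), which would move the Cilium pods from an enumerated capability set to full host privileges. The `+`/`-` markers are lost on this page, so this reading is inferred from the 241-to-88 line count and should be confirmed against the raw diff. If nothing on these nodes requires privileged mode, keep `privileged: false` and let the chart's default capability lists apply; if it is required, record the reason next to the setting, e.g. `# privileged: required for <reason>`. The Hubble UI ingress host (`hubble.hsn.dev`, class `internal`) also deserves a check that something in front of it authenticates users, since no auth setting is visible in these values.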