# Cilium agent DaemonSet (Helm template, rendered by the chart's values).
# One agent pod is scheduled on every node. The pod is privileged, shares the
# node's network namespace and bind-mounts the container-runtime socket, the
# BPF filesystem and /lib/modules from the host, so it is equivalent to root
# on the node; the "cilium" ServiceAccount and any pod-security admission
# policy in the target namespace have to be scoped with that in mind.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: cilium
    kubernetes.io/cluster-service: "true"
  name: cilium
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      k8s-app: cilium
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      annotations:
{{- if and .Values.global.prometheus.enabled (not .Values.global.prometheus.serviceMonitor.enabled) }}
        # Scrape annotations are only emitted when metrics are enabled but no
        # ServiceMonitor is used; the port matches the hostPort opened on the
        # agent container further down.
        prometheus.io/port: "9090"
        prometheus.io/scrape: "true"
{{- end }}
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium to be a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        # NOTE(review): this is the legacy annotation form; on releases that
        # pass the version check below, priorityClassName is set as well.
        scheduler.alpha.kubernetes.io/critical-pod: ""
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
{{- if .Values.sleepAfterInit }}
      # Debug mode: the container idles instead of running cilium-agent and
      # both probes always succeed ("true"), so the pod stays Ready.
      - command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
        livenessProbe:
          exec:
            command:
            - "true"
        readinessProbe:
          exec:
            command:
            - "true"
{{- else }}
      # Normal mode: run cilium-agent with its config read from the
      # cilium-config ConfigMap mounted at /tmp/cilium/config-map.
      - args:
        - --config-dir=/tmp/cilium/config-map
        command:
        - cilium-agent
        livenessProbe:
          exec:
            command:
            - cilium
            - status
            - --brief
          failureThreshold: 10
          # The initial delay for the liveness probe is intentionally large to
          # avoid an endless kill & restart cycle if in the event that the initial
          # bootstrapping takes longer than expected.
          initialDelaySeconds: 120
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - cilium
            - status
            - --brief
          failureThreshold: 3
          initialDelaySeconds: 5
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
{{- end }}
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        # The flannel/CNI-chaining keys are all "optional": a missing key in
        # cilium-config leaves the variable unset rather than failing the pod.
        - name: CILIUM_FLANNEL_MASTER_DEVICE
          valueFrom:
            configMapKeyRef:
              key: flannel-master-device
              name: cilium-config
              optional: true
        - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
          valueFrom:
            configMapKeyRef:
              key: flannel-uninstall-on-exit
              name: cilium-config
              optional: true
        # Must match the clustermesh-secrets volumeMount path below.
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
        - name: CILIUM_CNI_CHAINING_MODE
          valueFrom:
            configMapKeyRef:
              key: cni-chaining-mode
              name: cilium-config
              optional: true
        - name: CILIUM_CUSTOM_CNI_CONF
          valueFrom:
            configMapKeyRef:
              key: custom-cni-conf
              name: cilium-config
              optional: true
{{- if .Values.global.k8sServiceHost }}
        # Override the API server address the agent talks to; "| quote" keeps
        # the rendered value a string even if it looks numeric.
        - name: KUBERNETES_SERVICE_HOST
          value: {{ .Values.global.k8sServiceHost | quote }}
{{- end }}
{{- if .Values.global.k8sServicePort }}
        - name: KUBERNETES_SERVICE_PORT
          value: {{ .Values.global.k8sServicePort | quote }}
{{- end }}
{{- if contains "/" .Values.image }}
        # An image value containing "/" is used verbatim (registry and tag
        # included); otherwise registry and tag come from the global values.
        image: "{{ .Values.image }}"
{{- else }}
        image: "{{ .Values.global.registry }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
        # NOTE(review): rendered unquoted here and in both init containers; an
        # empty pullPolicy value renders as "imagePullPolicy:" (YAML null).
        # "{{ .Values.global.pullPolicy | quote }}" would keep it a string.
        imagePullPolicy: {{ .Values.global.pullPolicy }}
{{- if .Values.global.cni.install }}
        # Install/remove the CNI plugin and config on the host (see the
        # cni-path and etc-cni-netd hostPath mounts) around the agent lifetime.
        lifecycle:
          postStart:
            exec:
              command:
              - /cni-install.sh
          preStop:
            exec:
              command:
              - /cni-uninstall.sh
{{- end }}
        name: cilium-agent
{{- if .Values.global.prometheus.enabled }}
        # With hostNetwork: true below, this hostPort is bound directly on
        # the node's interfaces; restrict it with network policy/firewalling
        # if metrics must not be reachable from outside the cluster.
        ports:
        - containerPort: 9090
          hostPort: 9090
          name: prometheus
          protocol: TCP
{{- end }}
        # privileged: true already grants every capability; the explicit add
        # list documents the ones the agent relies on (SYS_MODULE pairs with
        # the read-only /lib/modules mount below).
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
          privileged: true
        volumeMounts:
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.global.containerRuntime.integration "crio") }}
        - mountPath: /sys/fs/bpf
          name: bpf-maps
{{- end }}
        - mountPath: /var/run/cilium
          name: cilium-run
        - mountPath: /host/opt/cni/bin
          name: cni-path
        - mountPath: {{ .Values.global.cni.hostConfDirMountPath }}
          name: etc-cni-netd
{{- if or (eq .Values.global.containerRuntime.integration "docker") (eq .Values.global.containerRuntime.integration "auto") }}
        # NOTE(review): readOnly on a bind-mounted unix socket only prevents
        # creating files under the mount point; any API call can still be made
        # over the socket, so this is not a privilege boundary. The crio and
        # containerd branches below do not set readOnly at all; the three
        # branches should probably be made consistent.
        - mountPath: /var/run/docker.sock
          name: docker-socket
          readOnly: true
{{- else if eq .Values.global.containerRuntime.integration "crio" }}
        - mountPath: /var/run/crio/crio.sock
          name: crio-socket
{{- else if eq .Values.global.containerRuntime.integration "containerd" }}
        - mountPath: /var/run/containerd/containerd.sock
          name: containerd-socket
{{- end }}
{{- if .Values.global.etcd.enabled }}
        - mountPath: /var/lib/etcd-config
          name: etcd-config-path
          readOnly: true
{{- if or .Values.global.etcd.ssl .Values.global.etcd.managed }}
        - mountPath: /var/lib/etcd-secrets
          name: etcd-secrets
          readOnly: true
{{- end }}
{{- end }}
        - mountPath: /var/lib/cilium/clustermesh
          name: clustermesh-secrets
          readOnly: true
        - mountPath: /tmp/cilium/config-map
          name: cilium-config-path
          readOnly: true
{{- if .Values.global.cni.configMap }}
        - mountPath: {{ .Values.global.cni.confFileMountPath }}
          name: cni-configuration
          readOnly: true
{{- end }}
        # Needed to be able to load kernel modules
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
        # Writable on purpose: the lock file is shared with other iptables
        # users on the node (see the xtables-lock volume).
        - mountPath: /run/xtables.lock
          name: xtables-lock
{{- if .Values.global.encryption.enabled }}
        # NOTE(review): unlike the other secret mounts this one is not
        # readOnly; adding "readOnly: true" looks harmless but confirm the
        # agent never writes under the IPsec mount path.
        - mountPath: {{ .Values.global.encryption.mountPath }}
          name: cilium-ipsec-secrets
{{- end }}
{{- if .Values.global.kubeConfigPath }}
        - mountPath: {{ .Values.global.kubeConfigPath }}
          name: kube-config
          readOnly: true
{{- end}}
{{- if .Values.global.etcd.managed }}
      # In managed etcd mode, Cilium must be able to resolve the DNS name of
      # the etcd service
      dnsPolicy: ClusterFirstWithHostNet
{{- end }}
      # The agent runs in the node's network namespace.
      hostNetwork: true
{{- if .Values.global.flannel.manageExistingContainers }}
      # Enable host PID namespace to allow the flannel integration to attach to
      # existing containers
      hostPID: true
{{- end }}
      initContainers:
{{- if and .Values.global.nodeinit.enabled (not (eq .Values.global.nodeinit.bootstrapFile "")) }}
      # Blocks until the node-init DaemonSet has created bootstrapFile on the
      # host. NOTE(review): the value is interpolated unquoted into a
      # single-quoted "sh -c" string, so a path containing a quote or shell
      # metacharacters would break or change the command; the value is
      # operator-supplied, so this is a robustness rather than a trust issue.
      - name: wait-for-node-init
        command: ['sh', '-c', 'until stat {{ .Values.global.nodeinit.bootstrapFile }} > /dev/null 2>&1; do echo "Waiting on node-init to run..."; sleep 1; done']
{{- if contains "/" .Values.image }}
        image: "{{ .Values.image }}"
{{- else }}
        image: "{{ .Values.global.registry }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
        imagePullPolicy: {{ .Values.global.pullPolicy }}
        volumeMounts:
        - mountPath: {{ .Values.global.nodeinit.bootstrapFile }}
          name: cilium-bootstrap-file
{{- end }}
      # Cleans up state left by a previous agent; what is cleaned is driven by
      # the (optional) clean-cilium-state / clean-cilium-bpf-state keys of the
      # cilium-config ConfigMap, so it also runs privileged on the host paths.
      - command:
        - /init-container.sh
        env:
        - name: CILIUM_ALL_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-state
              name: cilium-config
              optional: true
        - name: CILIUM_BPF_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-bpf-state
              name: cilium-config
              optional: true
        - name: CILIUM_WAIT_BPF_MOUNT
          valueFrom:
            configMapKeyRef:
              key: wait-bpf-mount
              name: cilium-config
              optional: true
{{- if contains "/" .Values.image }}
        image: "{{ .Values.image }}"
{{- else }}
        image: "{{ .Values.global.registry }}/{{ .Values.image }}:{{ .Values.global.tag }}"
{{- end }}
        imagePullPolicy: {{ .Values.global.pullPolicy }}
        name: clean-cilium-state
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        volumeMounts:
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.global.containerRuntime.integration "crio") }}
        - mountPath: /sys/fs/bpf
          name: bpf-maps
{{- end }}
        - mountPath: /var/run/cilium
          name: cilium-run
      restartPolicy: Always
{{- /* NOTE(review): "gt" compares these version fields as strings, i.e.
       lexicographically: Minor "9" or "2" is "greater" than "10", while
       only Minor "10" itself (with Major "1") fails the check. If a numeric
       threshold is intended, convert with int / atoi first. */}}
{{- if and (eq .Release.Namespace "kube-system") (or (gt .Capabilities.KubeVersion.Minor "10") (gt .Capabilities.KubeVersion.Major "1"))}}
      priorityClassName: system-node-critical
{{- end }}
      serviceAccount: cilium
      serviceAccountName: cilium
      terminationGracePeriodSeconds: 1
      # No key with operator Exists tolerates every taint, so the agent is
      # scheduled on control-plane and cordoned-by-taint nodes too.
      tolerations:
      - operator: Exists
      volumes:
      # To keep state between restarts / upgrades
      - hostPath:
          path: /var/run/cilium
          type: DirectoryOrCreate
        name: cilium-run
{{- /* CRI-O already mounts the BPF filesystem */ -}}
{{- if not (eq .Values.global.containerRuntime.integration "crio") }}
      # To keep state between restarts / upgrades for bpf maps
      - hostPath:
          path: /sys/fs/bpf
          type: DirectoryOrCreate
        name: bpf-maps
{{- end }}
{{- if not (eq .Values.global.containerRuntime.integration "none") }}
      # To read container runtime events from the node.
      # The list item is opened here; the runtime-specific branches below
      # fill in path (unless socketPath overrides it), type and name.
      - hostPath:
{{- if .Values.global.containerRuntime.socketPath }}
          path: {{ .Values.global.containerRuntime.socketPath }}
{{- end }}
{{- end }}
{{- if or (eq .Values.global.containerRuntime.integration "docker") (eq .Values.global.containerRuntime.integration "auto") }}
{{- if not (.Values.global.containerRuntime.socketPath) }}
          path: /var/run/docker.sock
{{- end }}
          type: Socket
        name: docker-socket
{{- else if eq .Values.global.containerRuntime.integration "crio" }}
{{- if not (.Values.global.containerRuntime.socketPath) }}
          path: /var/run/crio/crio.sock
{{- end }}
          type: Socket
        name: crio-socket
{{- else if eq .Values.global.containerRuntime.integration "containerd" }}
{{- if not (.Values.global.containerRuntime.socketPath) }}
          path: /var/run/containerd/containerd.sock
{{- end }}
          type: Socket
        name: containerd-socket
{{- end }}
      # To install cilium cni plugin in the host
      - hostPath:
          path: {{ .Values.global.cni.binPath }}
          type: DirectoryOrCreate
        name: cni-path
      # To install cilium cni configuration in the host
      - hostPath:
          path: {{ .Values.global.cni.confPath }}
          type: DirectoryOrCreate
        name: etc-cni-netd
      # To be able to load kernel modules
      - hostPath:
          path: /lib/modules
        name: lib-modules
      # To access iptables concurrently with other processes (e.g. kube-proxy)
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: xtables-lock
{{- if .Values.global.kubeConfigPath }}
      # NOTE(review): FileOrCreate creates an empty file at kubeConfigPath on
      # nodes where it does not exist; a misconfigured path fails later, not
      # at pod start.
      - hostPath:
          path: {{ .Values.global.kubeConfigPath }}
          type: FileOrCreate
        name: kube-config
{{- end }}
{{- if and .Values.global.nodeinit.enabled (not (eq .Values.global.nodeinit.bootstrapFile "")) }}
      - hostPath:
          path: {{ .Values.global.nodeinit.bootstrapFile }}
          type: FileOrCreate
        name: cilium-bootstrap-file
{{- end }}
{{- if .Values.global.etcd.enabled }}
      # To read the etcd config stored in config maps
      # (defaultMode 420 is decimal for 0644)
      - configMap:
          defaultMode: 420
          items:
          - key: etcd-config
            path: etcd.config
          name: cilium-config
        name: etcd-config-path
      # To read the k8s etcd secrets in case the user might want to use TLS
{{- if or .Values.global.etcd.ssl .Values.global.etcd.managed }}
      # optional: true means the pod still starts when the Secret is absent.
      - name: etcd-secrets
        secret:
          defaultMode: 420
          optional: true
          secretName: cilium-etcd-secrets
{{- end }}
{{- end }}
      # To read the clustermesh configuration
      - name: clustermesh-secrets
        secret:
          defaultMode: 420
          optional: true
          secretName: cilium-clustermesh
      # To read the configuration from the config map
      - configMap:
          name: cilium-config
        name: cilium-config-path
{{- if .Values.global.encryption.enabled }}
      # IPsec keys; not optional, so the pod will not start until the Secret
      # named by encryption.secretName exists.
      - name: cilium-ipsec-secrets
        secret:
          secretName: {{ .Values.global.encryption.secretName }}
{{- end }}
{{- if .Values.global.cni.configMap }}
      - name: cni-configuration
        configMap:
          name: {{ .Values.global.cni.configMap }}
{{- end }}
  updateStrategy:
    rollingUpdate:
      # IntOrString: an integer count or a "N%" string; leave unquoted so an
      # integer value stays an integer.
      maxUnavailable: {{ .Values.maxUnavailable }}
    type: RollingUpdate