---
# Source: cilium/charts/agent/templates/serviceaccount.yaml
# Identity used by the cilium-agent DaemonSet; it is bound to the "cilium"
# ClusterRole further down in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium
  namespace: kube-system
---
# Source: cilium/charts/operator/templates/serviceaccount.yaml
# Identity used by the cilium-operator Deployment; it is bound to the
# "cilium-operator" ClusterRole further down in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-operator
  namespace: kube-system
---
# Source: cilium/charts/config/templates/configmap.yaml
# Shared configuration. The agent mounts the whole map at
# /tmp/cilium/config-map (see --config-dir in the DaemonSet); the operator
# reads individual keys through configMapKeyRef environment variables.
# ConfigMap data values must be strings, which is why booleans and numbers
# below are quoted.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:

  # Identity allocation mode selects how identities are shared between cilium
  # nodes by setting how they are stored. The options are "crd" or "kvstore".
  # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
  #   These can be queried with:
  #     kubectl get ciliumid
  # - "kvstore" stores identities in a kvstore, etcd or consul, that is
  #   configured below. Cilium versions before 1.6 supported only the kvstore
  #   backend. Upgrades from these older cilium versions should continue using
  #   the kvstore by commenting out the identity-allocation-mode below, or
  #   setting it to "kvstore".
  identity-allocation-mode: crd

  # If you want to run cilium in debug mode change this value to true
  # (the operator reads this key through CILIUM_DEBUG and passes it as --debug).
  debug: "false"

  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "true"

  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
  enable-ipv6: "false"

  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the fewer packets
  # will be seen in monitor output.
  monitor-aggregation: medium

  # ct-global-max-entries-* specifies the maximum number of connections
  # supported across all endpoints, split by protocol: tcp or other. One pair
  # of maps uses these values for IPv4 connections, and another pair of maps
  # uses these values for IPv6 connections.
  #
  # If these values are modified, then during the next Cilium startup the
  # tracking of ongoing connections may be disrupted. This may lead to brief
  # policy drops or a change in loadbalancing decisions for a connection.
  #
  # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
  # during the upgrade process, comment out these options.
  bpf-ct-global-tcp-max: "524288"
  bpf-ct-global-any-max: "262144"

  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # This may lead to policy drops or a change in loadbalancing decisions for a
  # connection for some time. Endpoints may need to be recreated to restore
  # connectivity.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "false"

  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecar-istio-proxy-image: "cilium/istio_proxy"

  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: vxlan

  # Name of the cluster. Only relevant when building a mesh of clusters.
  # The operator reads this key through CILIUM_CLUSTER_NAME.
  cluster-name: default

  # DNS Polling periodically issues a DNS lookup for each `matchName` from
  # cilium-agent. The result is used to regenerate endpoint policy.
  # DNS lookups are repeated with an interval of 5 seconds, and are made for
  # A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP
  # data is used instead. An IP change will trigger a regeneration of the Cilium
  # policy for each endpoint and increment the per cilium-agent policy
  # repository revision.
  #
  # This option is disabled by default starting from version 1.4.x in favor
  # of a more powerful DNS proxy-based implementation, see [0] for details.
  # Enable this option if you want to use FQDN policies but do not want to use
  # the DNS proxy.
  #
  # To ease upgrade, users may opt to set this option to "true".
  # Otherwise please refer to the Upgrade Guide [1] which explains how to
  # prepare policy rules for upgrade.
  #
  # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
  # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
  tofqdns-enable-poller: "false"

  # wait-bpf-mount makes init container wait until bpf filesystem is mounted
  # (read by the clean-cilium-state init container as CILIUM_WAIT_BPF_MOUNT).
  wait-bpf-mount: "false"

  # Enable fetching of container-runtime specific metadata
  #
  # By default, the Kubernetes pod and namespace labels are retrieved and
  # associated with endpoints for identification purposes. By integrating
  # with the container runtime, container runtime specific labels can be
  # retrieved, such labels will be prefixed with container:
  #
  # CAUTION: The container runtime labels can include information such as pod
  # annotations which may result in each pod being associated with a unique set
  # of labels which can result in excessive security identities being allocated.
  # Please review the labels filter when enabling container runtime labels.
  #
  # Supported values:
  # - containerd
  # - crio
  # - docker
  # - none
  # - auto (automatically detect the container runtime)
  #
  container-runtime: none

  masquerade: "true"

  enable-xt-socket-fallback: "true"
  install-iptables-rules: "true"
  auto-direct-node-routes: "false"
  enable-node-port: "false"
  # Chaining mode is set to portmap, enable health checking
  # NOTE(review): no cni-chaining-mode key is defined in this ConfigMap, so the
  # agent's CILIUM_CNI_CHAINING_MODE (optional configMapKeyRef) resolves to
  # nothing here; confirm whether the comment above is stale.
  enable-endpoint-health-checking: "true"
---
# Source: cilium/charts/agent/templates/clusterrole.yaml
# Permissions for the cilium-agent DaemonSet. This is a ClusterRole with no
# resourceNames restriction, so the agent credential on every node carries
# these permissions cluster-wide; review the write verbs (update, patch,
# create, '*') when hardening the node identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - services
      - nodes
      - endpoints
    verbs:
      - get
      - list
      - watch
  # Write access to pods and nodes in all namespaces (no resourceNames).
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - create
      - get
      - list
      - watch
  # The agent installs and updates its own CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - get
      - list
      - watch
      - update
  # Full access to Cilium's own resources; the wildcard is scoped to the
  # cilium.io API group only.
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
      - ciliumnetworkpolicies/status
      - ciliumendpoints
      - ciliumendpoints/status
      - ciliumnodes
      - ciliumnodes/status
      - ciliumidentities
      - ciliumidentities/status
    verbs:
      - '*'
---
# Source: cilium/charts/operator/templates/clusterrole.yaml
# Permissions for the cilium-operator Deployment (cluster-wide, no
# resourceNames restriction).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-operator
rules:
  - apiGroups:
      - ""
    resources:
      # to automatically delete [core|kube]dns pods so that they start being
      # managed by Cilium
      # NOTE(review): the delete verb below applies to every pod in every
      # namespace, not only the DNS pods named in the comment.
      - pods
    verbs:
      - get
      - list
      - watch
      - delete
  - apiGroups:
      - ""
    resources:
      # to automatically read from k8s and import the node's pod CIDR to cilium's
      # etcd so all nodes know how to reach another pod running in a different
      # node.
      - nodes
      # to perform the translation of a CNP that contains `ToGroup` to its endpoints
      - services
      - endpoints
      # to check apiserver connectivity
      - namespaces
    verbs:
      - get
      - list
      - watch
  # Full access to Cilium's own resources; the wildcard is scoped to the
  # cilium.io API group only.
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
      - ciliumnetworkpolicies/status
      - ciliumendpoints
      - ciliumendpoints/status
      - ciliumnodes
      - ciliumnodes/status
      - ciliumidentities
      - ciliumidentities/status
    verbs:
      - '*'
---
# Source: cilium/charts/agent/templates/clusterrolebinding.yaml
# Grants the "cilium" ClusterRole to the kube-system/cilium ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium
subjects:
  - kind: ServiceAccount
    name: cilium
    namespace: kube-system
---
# Source: cilium/charts/operator/templates/clusterrolebinding.yaml
# Grants the "cilium-operator" ClusterRole to the kube-system/cilium-operator
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium-operator
subjects:
  - kind: ServiceAccount
    name: cilium-operator
    namespace: kube-system
---
# Source: cilium/charts/agent/templates/daemonset.yaml
# One cilium-agent pod per node. The pod runs privileged on the host network
# with hostPath mounts into /sys/fs/bpf, /lib/modules, /opt/cni/bin and
# /etc/cni/net.d, so it should be treated as host-equivalent: restrict who may
# exec into or read the logs of pods in kube-system.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: cilium
    kubernetes.io/cluster-service: "true"
  name: cilium
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: cilium
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      annotations:
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        # NOTE(review): this alpha annotation has been superseded by
        # priorityClassName in later Kubernetes releases; confirm which the
        # target cluster version honors.
        scheduler.alpha.kubernetes.io/critical-pod: ""
        # Legacy toleration annotation; the spec-level tolerations below
        # (operator: Exists, no key) already tolerate every taint.
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
        - args:
            # The whole cilium-config ConfigMap is mounted read-only at this
            # path (see volumeMounts / volumes below).
            - --config-dir=/tmp/cilium/config-map
          command:
            - cilium-agent
          livenessProbe:
            exec:
              command:
                - cilium
                - status
                - --brief
            failureThreshold: 10
            # The initial delay for the liveness probe is intentionally large to
            # avoid an endless kill & restart cycle in the event that the initial
            # bootstrapping takes longer than expected.
            initialDelaySeconds: 120
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - cilium
                - status
                - --brief
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          env:
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # The configMapKeyRef entries below are all optional: the keys are
            # not present in the cilium-config ConfigMap above, and the pod
            # still starts when a key is absent.
            - name: CILIUM_FLANNEL_MASTER_DEVICE
              valueFrom:
                configMapKeyRef:
                  key: flannel-master-device
                  name: cilium-config
                  optional: true
            - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
              valueFrom:
                configMapKeyRef:
                  key: flannel-uninstall-on-exit
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTERMESH_CONFIG
              value: /var/lib/cilium/clustermesh/
            - name: CILIUM_CNI_CHAINING_MODE
              valueFrom:
                configMapKeyRef:
                  key: cni-chaining-mode
                  name: cilium-config
                  optional: true
            - name: CILIUM_CUSTOM_CNI_CONF
              valueFrom:
                configMapKeyRef:
                  key: custom-cni-conf
                  name: cilium-config
                  optional: true
          # Pinned by tag, not by digest; with IfNotPresent a node that already
          # holds an image with this tag reuses it without contacting the
          # registry. NOTE(review): where supply-chain integrity matters,
          # consider pinning by digest (docker.io/cilium/cilium@sha256:<DIGEST_PLACEHOLDER>).
          image: "docker.io/cilium/cilium:v1.6.9"
          imagePullPolicy: IfNotPresent
          lifecycle:
            # Installs / removes the CNI plugin and configuration on the host
            # via the hostPath mounts below.
            postStart:
              exec:
                command:
                  - /cni-install.sh
            preStop:
              exec:
                command:
                  - /cni-uninstall.sh
          name: cilium-agent
          # privileged: true gives the container the host's full capability set
          # and device access; the explicit capabilities are what the agent
          # needs for BPF/networking (NET_ADMIN) and module loading (SYS_MODULE).
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
            privileged: true
          volumeMounts:
            - mountPath: /sys/fs/bpf
              name: bpf-maps
            - mountPath: /var/run/cilium
              name: cilium-run
            - mountPath: /host/opt/cni/bin
              name: cni-path
            - mountPath: /host/etc/cni/net.d
              name: etc-cni-netd
            - mountPath: /var/lib/cilium/clustermesh
              name: clustermesh-secrets
              readOnly: true
            - mountPath: /tmp/cilium/config-map
              name: cilium-config-path
              readOnly: true
            # Needed to be able to load kernel modules
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            # Writable: the lock file is shared with other iptables users.
            - mountPath: /run/xtables.lock
              name: xtables-lock
      # The pod shares the node's network namespace.
      hostNetwork: true
      initContainers:
        # Runs /init-container.sh before the agent starts. The three env keys
        # are inputs to that script; only wait-bpf-mount is actually defined in
        # the cilium-config ConfigMap above, the other two are absent (optional).
        - command:
            - /init-container.sh
          env:
            - name: CILIUM_ALL_STATE
              valueFrom:
                configMapKeyRef:
                  key: clean-cilium-state
                  name: cilium-config
                  optional: true
            - name: CILIUM_BPF_STATE
              valueFrom:
                configMapKeyRef:
                  key: clean-cilium-bpf-state
                  name: cilium-config
                  optional: true
            - name: CILIUM_WAIT_BPF_MOUNT
              valueFrom:
                configMapKeyRef:
                  key: wait-bpf-mount
                  name: cilium-config
                  optional: true
          image: "docker.io/cilium/cilium:v1.6.9"
          imagePullPolicy: IfNotPresent
          name: clean-cilium-state
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
          volumeMounts:
            - mountPath: /sys/fs/bpf
              name: bpf-maps
            - mountPath: /var/run/cilium
              name: cilium-run
      restartPolicy: Always
      # serviceAccount is the deprecated alias of serviceAccountName; both are
      # set to the same value.
      serviceAccount: cilium
      serviceAccountName: cilium
      terminationGracePeriodSeconds: 1
      # Tolerates every taint (no key, operator Exists), so the agent is
      # scheduled on all nodes including control-plane nodes.
      tolerations:
        - operator: Exists
      volumes:
        # To keep state between restarts / upgrades
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
        # To keep state between restarts / upgrades for bpf maps
        - hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
          name: bpf-maps
        # To install cilium cni plugin in the host
        - hostPath:
            path: /opt/cni/bin
            type: DirectoryOrCreate
          name: cni-path
        # To install cilium cni configuration in the host
        - hostPath:
            path: /etc/cni/net.d
            type: DirectoryOrCreate
          name: etc-cni-netd
        # To be able to load kernel modules
        - hostPath:
            path: /lib/modules
          name: lib-modules
        # To access iptables concurrently with other processes (e.g. kube-proxy)
        - hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
          name: xtables-lock
        # To read the clustermesh configuration
        # defaultMode 420 is decimal for file mode 0644; the Secret is optional
        # and the agent mounts it read-only (see volumeMounts above).
        - name: clustermesh-secrets
          secret:
            defaultMode: 420
            optional: true
            secretName: cilium-clustermesh
        # To read the configuration from the config map
        - configMap:
            name: cilium-config
          name: cilium-config-path
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 2
    type: RollingUpdate
---
# Source: cilium/charts/operator/templates/deployment.yaml
# Single-replica cilium-operator. Runs on the host network (needed for the
# 127.0.0.1 liveness probe below) but without privileged or added capabilities.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
  name: cilium-operator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      # NOTE(review): the bare "annotations:" key parses as null rather than an
      # empty map; "{}" would state the intent explicitly.
      annotations:
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      containers:
        # Both flags are expanded from env vars that are themselves read from
        # the cilium-config ConfigMap (debug, identity-allocation-mode).
        - args:
            - --debug=$(CILIUM_DEBUG)
            - --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE)
          command:
            - cilium-operator
          env:
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_DEBUG
              valueFrom:
                configMapKeyRef:
                  key: debug
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_NAME
              valueFrom:
                configMapKeyRef:
                  key: cluster-name
                  name: cilium-config
                  optional: true
            - name: CILIUM_CLUSTER_ID
              valueFrom:
                configMapKeyRef:
                  key: cluster-id
                  name: cilium-config
                  optional: true
            - name: CILIUM_IPAM
              valueFrom:
                configMapKeyRef:
                  key: ipam
                  name: cilium-config
                  optional: true
            - name: CILIUM_DISABLE_ENDPOINT_CRD
              valueFrom:
                configMapKeyRef:
                  key: disable-endpoint-crd
                  name: cilium-config
                  optional: true
            - name: CILIUM_KVSTORE
              valueFrom:
                configMapKeyRef:
                  key: kvstore
                  name: cilium-config
                  optional: true
            - name: CILIUM_KVSTORE_OPT
              valueFrom:
                configMapKeyRef:
                  key: kvstore-opt
                  name: cilium-config
                  optional: true
            # Cloud credentials, when the optional cilium-aws Secret exists, are
            # injected as plain environment variables; anything able to read
            # this container's environment (exec, process inspection) can read
            # them. Keep the Secret's RBAC tight.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: AWS_ACCESS_KEY_ID
                  name: cilium-aws
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: AWS_SECRET_ACCESS_KEY
                  name: cilium-aws
                  optional: true
            - name: AWS_DEFAULT_REGION
              valueFrom:
                secretKeyRef:
                  key: AWS_DEFAULT_REGION
                  name: cilium-aws
                  optional: true
            - name: CILIUM_IDENTITY_ALLOCATION_MODE
              valueFrom:
                configMapKeyRef:
                  key: identity-allocation-mode
                  name: cilium-config
                  optional: true
          # Pinned by tag, not by digest (see the agent image note above).
          image: "docker.io/cilium/operator:v1.6.9"
          imagePullPolicy: IfNotPresent
          name: cilium-operator
          livenessProbe:
            httpGet:
              # Reachable on the loopback address because the pod uses
              # hostNetwork (below).
              host: '127.0.0.1'
              path: /healthz
              port: 9234
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3

      hostNetwork: true
      restartPolicy: Always
      # serviceAccount is the deprecated alias of serviceAccountName; both are
      # set to the same value.
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator