1 # yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length rule:comments rule:comments-indentation
3 # Source: cilium/charts/config/templates/configmap.yaml
11 # Identity allocation mode selects how identities are shared between cilium
12 # nodes by setting how they are stored. The options are "crd" or "kvstore".
13 # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
14 # These can be queried with:
15 # kubectl get ciliumid
16 # - "kvstore" stores identities in a kvstore, etcd or consul, that is
17 # configured below. Cilium versions before 1.6 supported only the kvstore
18 # backend. Upgrades from these older cilium versions should continue using
19 # the kvstore by commenting out the identity-allocation-mode below, or
20 # setting it to "kvstore".
21 identity-allocation-mode: crd
23 # If you want to run cilium in debug mode, change this value to true
26 # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
30 # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
34 # If you want cilium monitor to aggregate tracing for packets, set this level
35 # to "low", "medium", or "maximum". The higher the level, the fewer packets
36 # that will be seen in monitor output.
37 monitor-aggregation: medium
39 # ct-global-max-entries-* specifies the maximum number of connections
40 # supported across all endpoints, split by protocol: tcp or other. One pair
41 # of maps uses these values for IPv4 connections, and another pair of maps
42 # uses these values for IPv6 connections.
44 # If these values are modified, then during the next Cilium startup the
45 # tracking of ongoing connections may be disrupted. This may lead to brief
46 # policy drops or a change in loadbalancing decisions for a connection.
48 # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
49 # during the upgrade process, comment out these options.
50 bpf-ct-global-tcp-max: "524288"
51 bpf-ct-global-any-max: "262144"
53 # Pre-allocation of map entries allows per-packet latency to be reduced, at
54 # the expense of up-front memory allocation for the entries in the maps. The
55 # default value below will minimize memory usage in the default installation;
56 # users who are sensitive to latency may consider setting this to "true".
58 # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
59 # this option and behave as though it is set to "true".
61 # If this value is modified, then during the next Cilium startup the restore
62 # of existing endpoints and tracking of ongoing connections may be disrupted.
63 # This may lead to policy drops or a change in loadbalancing decisions for a
64 # connection for some time. Endpoints may need to be recreated to restore
67 # If this option is set to "false" during an upgrade from 1.3 or earlier to
68 # 1.4 or later, then it may cause one-time disruptions during the upgrade.
69 preallocate-bpf-maps: "false"
71 # Regular expression matching compatible Istio sidecar istio-proxy
72 # container image names
73 sidecar-istio-proxy-image: "cilium/istio_proxy"
75 # Encapsulation mode for communication between nodes
82 # Name of the cluster. Only relevant when building a mesh of clusters.
85 # DNS Polling periodically issues a DNS lookup for each `matchName` from
86 # cilium-agent. The result is used to regenerate endpoint policy.
87 # DNS lookups are repeated with an interval of 5 seconds, and are made for
88 # A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP
89 # data is used instead. An IP change will trigger a regeneration of the Cilium
90 # policy for each endpoint and increment the per cilium-agent policy
91 # repository revision.
93 # This option is disabled by default starting from version 1.4.x in favor
94 # of a more powerful DNS proxy-based implementation, see [0] for details.
95 # Enable this option if you want to use FQDN policies but do not want to use
98 # To ease upgrade, users may opt to set this option to "true".
99 # Otherwise please refer to the Upgrade Guide [1] which explains how to
100 # prepare policy rules for upgrade.
102 # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
103 # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
104 tofqdns-enable-poller: "false"
106 # wait-bpf-mount makes init container wait until bpf filesystem is mounted
107 wait-bpf-mount: "false"
109 # Enable fetching of container-runtime specific metadata
111 # By default, the Kubernetes pod and namespace labels are retrieved and
112 # associated with endpoints for identification purposes. By integrating
113 # with the container runtime, container runtime specific labels can be
114 # retrieved, such labels will be prefixed with container:
116 # CAUTION: The container runtime labels can include information such as pod
117 # annotations which may result in each pod being associated with a unique set of
118 # labels which can result in excessive security identities being allocated.
119 # Please review the labels filter when enabling container runtime labels.
126 # - auto (automatically detect the container runtime)
128 container-runtime: none
132 install-iptables-rules: "true"
133 auto-direct-node-routes: "false"
134 enable-node-port: "false"
137 # Source: cilium/charts/agent/templates/serviceaccount.yaml
142 namespace: kube-system
145 # Source: cilium/charts/operator/templates/serviceaccount.yaml
149 name: cilium-operator
150 namespace: kube-system
153 # Source: cilium/charts/agent/templates/clusterrole.yaml
154 apiVersion: rbac.authorization.k8s.io/v1
205 - apiextensions.k8s.io
207 - customresourcedefinitions
217 - ciliumnetworkpolicies
218 - ciliumnetworkpolicies/status
219 - ciliumclusterwidenetworkpolicies
220 - ciliumclusterwidenetworkpolicies/status
222 - ciliumendpoints/status
226 - ciliumidentities/status
231 # Source: cilium/charts/operator/templates/clusterrole.yaml
232 apiVersion: rbac.authorization.k8s.io/v1
235 name: cilium-operator
240 # to automatically delete [core|kube]dns pods so that they start being
251 # to automatically read from k8s and import the node's pod CIDR to cilium's
252 # etcd so all nodes know how to reach another pod running in a different
255 # to perform the translation of a CNP that contains `ToGroup` to its endpoints
258 # to check apiserver connectivity
267 - ciliumnetworkpolicies
268 - ciliumnetworkpolicies/status
269 - ciliumclusterwidenetworkpolicies
270 - ciliumclusterwidenetworkpolicies/status
272 - ciliumendpoints/status
276 - ciliumidentities/status
281 # Source: cilium/charts/agent/templates/clusterrolebinding.yaml
282 apiVersion: rbac.authorization.k8s.io/v1
283 kind: ClusterRoleBinding
287 apiGroup: rbac.authorization.k8s.io
291 - kind: ServiceAccount
293 namespace: kube-system
296 # Source: cilium/charts/operator/templates/clusterrolebinding.yaml
297 apiVersion: rbac.authorization.k8s.io/v1
298 kind: ClusterRoleBinding
300 name: cilium-operator
302 apiGroup: rbac.authorization.k8s.io
304 name: cilium-operator
306 - kind: ServiceAccount
307 name: cilium-operator
308 namespace: kube-system
311 # Source: cilium/charts/agent/templates/daemonset.yaml
317 kubernetes.io/cluster-service: "true"
319 namespace: kube-system
324 kubernetes.io/cluster-service: "true"
328 # This annotation plus the CriticalAddonsOnly toleration makes
329 # cilium a critical pod in the cluster, which ensures cilium
330 # gets priority scheduling.
331 # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
# NOTE(review): both annotations below are the legacy alpha forms. Newer
# Kubernetes releases ignore them in favor of `priorityClassName:
# system-node-critical` and the pod-spec `tolerations` field — confirm the
# target cluster version still honors them; otherwise the "dedicated=master"
# toleration is silently not applied and the agent will not schedule on nodes
# carrying that taint.
332 scheduler.alpha.kubernetes.io/critical-pod: ""
333 scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
336 kubernetes.io/cluster-service: "true"
340 - --config-dir=/tmp/cilium/config-map
344 - name: K8S_NODE_NAME
348 fieldPath: spec.nodeName
349 - name: CILIUM_K8S_NAMESPACE
353 fieldPath: metadata.namespace
354 - name: CILIUM_FLANNEL_MASTER_DEVICE
357 key: flannel-master-device
360 - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
363 key: flannel-uninstall-on-exit
366 - name: CILIUM_CLUSTERMESH_CONFIG
367 value: /var/lib/cilium/clustermesh/
368 - name: CILIUM_CNI_CHAINING_MODE
371 key: cni-chaining-mode
374 - name: CILIUM_CUSTOM_CNI_CONF
# NOTE(review): a mutable ":latest" tag combined with IfNotPresent means a node
# reuses whatever image it already has cached and never re-pulls a newer push,
# so the agent binary actually running is neither reproducible nor attestable
# across nodes. Pin an immutable tag or a digest
# (image@sha256:<digest-placeholder>) and keep IfNotPresent; if a floating tag
# is intentional, use Always and accept that rollbacks become non-deterministic.
380 image: "iecedge/cilium:latest"
381 imagePullPolicy: IfNotPresent
398 # The initial delay for the liveness probe is intentionally large to
399 # avoid an endless kill & restart cycle in the event that the initial
400 # bootstrapping takes longer than expected.
401 initialDelaySeconds: 120
413 initialDelaySeconds: 5
424 - mountPath: /sys/fs/bpf
426 - mountPath: /var/run/cilium
428 - mountPath: /host/opt/cni/bin
430 - mountPath: /host/etc/cni/net.d
432 - mountPath: /var/lib/cilium/clustermesh
433 name: clustermesh-secrets
435 - mountPath: /tmp/cilium/config-map
436 name: cilium-config-path
438 # Needed to be able to load kernel modules
439 - mountPath: /lib/modules
442 - mountPath: /run/xtables.lock
449 - name: CILIUM_ALL_STATE
452 key: clean-cilium-state
455 - name: CILIUM_BPF_STATE
458 key: clean-cilium-bpf-state
461 - name: CILIUM_WAIT_BPF_MOUNT
# NOTE(review): same floating ":latest" + IfNotPresent pairing as the agent
# container above. The clean-cilium-state container therefore runs whatever
# cached image a node happens to have; pin it to the same immutable digest as
# the agent so the two cannot drift apart on a node.
467 image: "iecedge/cilium:latest"
468 imagePullPolicy: IfNotPresent
469 name: clean-cilium-state
476 - mountPath: /sys/fs/bpf
478 - mountPath: /var/run/cilium
480 restartPolicy: Always
481 serviceAccount: cilium
482 serviceAccountName: cilium
483 terminationGracePeriodSeconds: 1
487 # To keep state between restarts / upgrades
489 path: /var/run/cilium
490 type: DirectoryOrCreate
492 # To keep state between restarts / upgrades for bpf maps
495 type: DirectoryOrCreate
497 # To install cilium cni plugin in the host
500 type: DirectoryOrCreate
502 # To install cilium cni configuration in the host
505 type: DirectoryOrCreate
507 # To be able to load kernel modules
511 # To access iptables concurrently with other processes (e.g. kube-proxy)
513 path: /run/xtables.lock
516 # To read the clustermesh configuration
517 - name: clustermesh-secrets
521 secretName: cilium-clustermesh
522 # To read the configuration from the config map
525 name: cilium-config-path
532 # Source: cilium/charts/operator/templates/deployment.yaml
537 io.cilium/app: operator
538 name: cilium-operator
539 name: cilium-operator
540 namespace: kube-system
545 io.cilium/app: operator
546 name: cilium-operator
556 io.cilium/app: operator
557 name: cilium-operator
561 - --debug=$(CILIUM_DEBUG)
562 - --identity-allocation-mode=$(CILIUM_IDENTITY_ALLOCATION_MODE)
566 - name: CILIUM_K8S_NAMESPACE
570 fieldPath: metadata.namespace
571 - name: K8S_NODE_NAME
575 fieldPath: spec.nodeName
582 - name: CILIUM_CLUSTER_NAME
588 - name: CILIUM_CLUSTER_ID
600 - name: CILIUM_DISABLE_ENDPOINT_CRD
603 key: disable-endpoint-crd
606 - name: CILIUM_KVSTORE
612 - name: CILIUM_KVSTORE_OPT
# NOTE(review): static cloud credentials are injected as plain environment
# variables. Where the `key:` references resolve (secretKeyRef vs.
# configMapKeyRef) is outside the visible lines — confirm they come from a
# Secret. Even then, the values are readable by anyone who can exec into the
# pod or read its process environment, so prefer a workload-identity mechanism
# (e.g. IAM roles for service accounts) over long-lived keys where the platform
# offers one, and scope/rotate the keys if they must stay.
618 - name: AWS_ACCESS_KEY_ID
621 key: AWS_ACCESS_KEY_ID
624 - name: AWS_SECRET_ACCESS_KEY
627 key: AWS_SECRET_ACCESS_KEY
630 - name: AWS_DEFAULT_REGION
633 key: AWS_DEFAULT_REGION
636 - name: CILIUM_IDENTITY_ALLOCATION_MODE
639 key: identity-allocation-mode
# NOTE(review): floating ":latest" tag with IfNotPresent — the operator version
# actually running depends on each node's image cache rather than on this
# manifest. Pin to an immutable tag or digest
# (image@sha256:<digest-placeholder>) so the deployed version is reproducible
# and can be audited against what was reviewed.
642 image: "iecedge/operator:latest"
643 imagePullPolicy: IfNotPresent
644 name: cilium-operator
650 initialDelaySeconds: 60
655 restartPolicy: Always
656 serviceAccount: cilium-operator
657 serviceAccountName: cilium-operator
660 # Source: cilium/charts/agent/templates/servicemonitor.yaml
663 # Source: cilium/charts/agent/templates/svc.yaml
666 # Source: cilium/charts/operator/templates/servicemonitor.yaml
669 # Source: cilium/charts/operator/templates/svc.yaml