diff --git a/docs/releases/1.33-NOTES.md b/docs/releases/1.33-NOTES.md
index f1d9a744a6eba..e4c87db0a2405 100644
--- a/docs/releases/1.33-NOTES.md
+++ b/docs/releases/1.33-NOTES.md
@@ -41,7 +41,7 @@ kOps 1.33.0 introduces significant improvements to cloud provider support, netwo
 ## Container Runtime and Component Updates
 
 ### Major Version Updates
-* Update Cilium to v1.16.7
+* Update Cilium to v1.17.7
 * Update Calico to v3.29.4
 * Update CoreDNS to v1.11.4
 * Update containerd to v1.7.28
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index aaa5d172aa8cc..8d337a83a8ac9 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -1245,8 +1245,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 		allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Could not parse as semantic version"))
 	}
 
-	if version.Minor != 16 {
-		allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.16 is supported"))
+	if version.Minor != 17 {
+		allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.17 is supported"))
 	}
 
 	if v.Hubble != nil && fi.ValueOf(v.Hubble.Enabled) {
diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
index e69bb8656ee12..76f61e64b2dae 100644
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@@ -1204,7 +1204,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Version: "v1.16.0",
+				Version: "v1.17.0",
 				Ingress: &kops.CiliumIngressSpec{
 					Enabled: fi.PtrTo(true),
 					DefaultLoadBalancerMode: "bad-value",
@@ -1214,7 +1214,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Version: "v1.16.0",
+				Version: "v1.17.0",
 				Ingress: &kops.CiliumIngressSpec{
 					Enabled: fi.PtrTo(true),
 					DefaultLoadBalancerMode: "dedicated",
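Review bot: The supported Cilium minor is now spelled in two places inside validateNetworkingCilium — the comparison `version.Minor != 17` and the literal `"Only version 1.17 is supported"` — and a third time as the default `v1.17.7` in pkg/model/components/cilium.go further down this page, so the next bump can leave the message or the default behind; hoisting `const supportedCiliumMinor = 17` and deriving the message with `fmt.Sprintf("Only version 1.%d is supported", supportedCiliumMinor)` (or strconv.Itoa if fmt is not already imported there) keeps them from drifting. validateNetworkingCilium begins outside the hunk. The validation_test.go hunks only move existing cases from `v1.16.0` to `v1.17.0`; none of the visible cases asserts that a `v1.16.x` spec is now rejected, which is the behaviour this hunk actually changes, so a negative case would pin it. The 1.33-NOTES.md hunk records the bump but not that clusters with an explicitly configured 1.16 version will fail validation after upgrading kOps; one sentence there would save operators a surprise.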
@@ -1223,7 +1223,7 @@ func Test_Validate_Cilium(t *testing.T) { }, { Cilium: kops.CiliumNetworkingSpec{ - Version: "v1.16.0", + Version: "v1.17.0", GatewayAPI: &kops.CiliumGatewayAPISpec{ Enabled: fi.PtrTo(true), EnableSecretsSync: fi.PtrTo(true), @@ -1232,7 +1232,7 @@ func Test_Validate_Cilium(t *testing.T) { }, { Cilium: kops.CiliumNetworkingSpec{ - Version: "v1.16.0", + Version: "v1.17.0", Hubble: &kops.HubbleSpec{ Enabled: fi.PtrTo(true), }, diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index 79d0790c62bf0..2da14172aff82 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go @@ -40,7 +40,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error { } if c.Version == "" { - c.Version = "v1.16.7" + c.Version = "v1.17.7" } if c.EnableEndpointHealthChecking == nil { diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content index ca872355d4626..a78f6e18ec847 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content @@ -217,7 +217,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: disabled - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index 67fe47c547c97..4a2b166721e34 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content 
+++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content @@ -99,7 +99,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: ef83322197fa3f645effca0229c7e508d2b6c758c388c62c0a126715bed529b7 + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsRollingUpdate: all selector: diff --git a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content index 08ee69c3e3dd1..cb46798af6060 100644 --- a/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,54 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + apiVersion: v1 data: - agent-health-port: "9879" + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBtV0s5WlY3b3VHSWpmV0RZOEtxZ1F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTVZvWERUSTRNRGt3TVRBNQpNalEwTVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF0ZGE4N0x6ZEVRTEtvWU5uZExuS2xta3hmVURybHNWWHR3TzBuanlGaUl3UG1qRzIKZ2xYT2NHTFd3c0xhc3NiU2grbFlsTEhiMTJscU42K2Yram5zSno5UGdCSk1aRDVTdDVNazErandzZVlJdXFVbQp1QXJSSEpCM05Xd0k3bXliaEx3NFRvcnJrWkJ3QndQaDBDNHZYUmpkcEFDVXFBdkF6MlpOV0dueFVnaXdoMFlUCjczMUNRUDJpQmd0OWJWbE9OOXRIVzRxS3lrcS9OWXFrRnVqYnovNDFaUG52cWN1d3VJcXVZRU1SL2I2T0ordWcKL0NxTjFXS3c4ZHVPT2xOREZ6VFZQUDA0YTdKRzlsNVRtKzVEekVtNnUvemhzakN4dXcxUCtuRUk3Tjc5bWkrbQpkTnM1VXZNaWZ5cVBaYy80eFZxbmlkZzhEdHdSNDljTG0xSEZxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGQjI2czNsR2loMzdkbzdJZkhoM0VaL3ZSV3A4TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0daemdHUHpUTFpEUHQxMkJzK3hJT1ptczdRTzY0YzAzYVBtbUV3M1R5SjRJdzVoM0RtU2NHCnZtUWc5ckE2bS9OVE9Sd3I1T1BROS8rMmprK1E1LzBleG9HRDZQUW1qQjZlNDR1L1pXQnNPejg3bCtLeStHODAKaFlCSmYyRjVrU3VEOVloRm02OWc2ZTUwMUN0bzBXalpsRUZhWlpCOVF2RFhic3VFWjRRVkhPTmRrRWtsM3BNSgo3R0VTYVM5QWRwZEZJclMxanUySTA1cENRdFNMZFZNZHExeXBxMDNCSlBESUVuMmZTVy90eEVteWwrS1UzRDBqCmhSbEtXV1IxdkJxTWM0NHVuWGNrYThZdkkrTHYxckVyTGVyS2tCRWlzbEUwT1dpWUFPUUxoUEhEVlNoenBUM1QKRHZpUXFwb2c1TGsrVW8wMllkVGt3ZXJzR1lDVnB0eVQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + ca.key: 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 +kind: Secret +metadata: + 
creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBtV0s5WlY3b3VHSWpmV0RZOEtxZ1F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTVZvWERUSTRNRGt3TVRBNQpNalEwTVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF0ZGE4N0x6ZEVRTEtvWU5uZExuS2xta3hmVURybHNWWHR3TzBuanlGaUl3UG1qRzIKZ2xYT2NHTFd3c0xhc3NiU2grbFlsTEhiMTJscU42K2Yram5zSno5UGdCSk1aRDVTdDVNazErandzZVlJdXFVbQp1QXJSSEpCM05Xd0k3bXliaEx3NFRvcnJrWkJ3QndQaDBDNHZYUmpkcEFDVXFBdkF6MlpOV0dueFVnaXdoMFlUCjczMUNRUDJpQmd0OWJWbE9OOXRIVzRxS3lrcS9OWXFrRnVqYnovNDFaUG52cWN1d3VJcXVZRU1SL2I2T0ordWcKL0NxTjFXS3c4ZHVPT2xOREZ6VFZQUDA0YTdKRzlsNVRtKzVEekVtNnUvemhzakN4dXcxUCtuRUk3Tjc5bWkrbQpkTnM1VXZNaWZ5cVBaYy80eFZxbmlkZzhEdHdSNDljTG0xSEZxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGQjI2czNsR2loMzdkbzdJZkhoM0VaL3ZSV3A4TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0daemdHUHpUTFpEUHQxMkJzK3hJT1ptczdRTzY0YzAzYVBtbUV3M1R5SjRJdzVoM0RtU2NHCnZtUWc5ckE2bS9OVE9Sd3I1T1BROS8rMmprK1E1LzBleG9HRDZQUW1qQjZlNDR1L1pXQnNPejg3bCtLeStHODAKaFlCSmYyRjVrU3VEOVloRm02OWc2ZTUwMUN0bzBXalpsRUZhWlpCOVF2RFhic3VFWjRRVkhPTmRrRWtsM3BNSgo3R0VTYVM5QWRwZEZJ
clMxanUySTA1cENRdFNMZFZNZHExeXBxMDNCSlBESUVuMmZTVy90eEVteWwrS1UzRDBqCmhSbEtXV1IxdkJxTWM0NHVuWGNrYThZdkkrTHYxckVyTGVyS2tCRWlzbEUwT1dpWUFPUUxoUEhEVlNoenBUM1QKRHZpUXFwb2c1TGsrVW8wMllkVGt3ZXJzR1lDVnB0eVQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURWakNDQWo2Z0F3SUJBZ0lRREVsano1elhZQ1pDVEZBS2Z4em5LREFOQmdrcWhraUc5dzBCQVFzRkFEQVUKTVJJd0VBWURWUVFERXdsRGFXeHBkVzBnUTBFd0hoY05NalV3T1RBeU1Ea3lORFF5V2hjTk1qWXdPVEF5TURreQpORFF5V2pBcU1TZ3dKZ1lEVlFRRERCOHFMbVJsWm1GMWJIUXVhSFZpWW14bExXZHljR011WTJsc2FYVnRMbWx2Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBd09FUXc2Y0ZpbG5ncTJRZ3lOMGkKQzdWUlJ1Z0pwNzlhdmgvUk9Ddm04bUpmTVJIcUFrRWU3Mmlua0Ntd2RjN2E1dmdzcmhWR0MrY1lObm9aZUtUMwpjN0x5R2FtYURGdzJvdEQrY3FVUCtYbXhnQXdLOXhXSHJQakJLZDJiS3d2QXJvZEU1NFBqeDI0YU4vdzA3a0tsClpMZ2FNTTFJL0NCZUNNNnFUcnZvS1JTbVdNemROZEZwY1pvdlQ3Wnhpc0pqRGRKVjZPNzhwbEhlZ0todm85L20Kd2pqTTRXdzVQMThCaGpGaG9rK3BudERORGhOK2xtRis5U3EzV2dNRFQ1L1JHSFcrZ29yUzVpYnkrbUtiK3VUSwpxSGVGaXdEZCs3VHBISWRiNEgrNHdVYXR4NFBSWEwyTnRDNVR5aDczWUl2QkxRWGdOTHJzczc1YTJvSzRDcXo1Cnd3SURBUUFCbzRHTk1JR0tNQTRHQTFVZER3RUIvd1FFQXdJRm9EQWRCZ05WSFNVRUZqQVVCZ2dyQmdFRkJRY0QKQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JRZHVyTjVSb29kKzNhTwp5SHg0ZHhHZjcwVnFmREFxQmdOVkhSRUVJekFoZ2g4cUxtUmxabUYxYkhRdWFIVmlZbXhsTFdkeWNHTXVZMmxzCmFYVnRMbWx2TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCRWpiSkRFcmhsK3dEcG9zeGFMZlJ0dFBMRmRSSE4KUFRtOUdDVlBpK2d2dE5GbHdNdkFZU1RCNnVNNFFSRUtRZFdhQVoyeitiZnZ4Y2h3dGxxUW9xMjI4UCsyUjI3TgpsRW1mSWlBYS9GamUzRHVhakRiLzlLMFNjQy9yZWs3clppUVF0eFZaK0V4cG1PekRqb29MTmVhZmtxcm9QSVloCmJDN2RIdUhOSm9zdElkNUxRcUcxMlFyNEZWRk5Kb3pUZ0Y3ZzRvbnpTOFh5Rk1lamxubGRuT1VLa2V6ZjdHN24KbXVaNU1uU0hzdjBKSzZ0RUNNUkFqYlR4Vk5pcXNzSlRpUnkxS3dCOG1tdmFvSDVlUkdsWUgvVWhtSzdLUWRZUwp2dGV5a0xzbUNLV3BWMFJMaFVFKytVQ2ZFWWpHcC95dmxuQSt5MXFnalUzcVMvNStYbEJFTGI3QQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: 
+ addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "false" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + 
enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" enable-ipv4: "false" - enable-ipv4-masquerade: "false" + enable-ipv4-big-tcp: "false" + enable-ipv4-masquerade: "true" enable-ipv6: "true" - enable-ipv6-masquerade: "false" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" enable-node-port: "false" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + 
hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s - install-iptables-rules: "true" - ipam: kubernetes + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + 
proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" - routing-mode: native + routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: @@ -85,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -259,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list 
@@ -345,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -391,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -415,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
@@ -483,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -505,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -515,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -523,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -566,25 +1078,39 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-ipv6.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -596,6 +1122,8 @@ spec: httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP 
@@ -603,7 +1131,15 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -617,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -638,7 +1170,9 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: @@ -661,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -675,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: 
@@ -693,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-ipv6.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -716,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -727,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -743,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -754,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -767,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -798,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-ipv6.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -814,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -827,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -838,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -857,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate 
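Review bot: The pod-level `securityContext` added in the fourth hunk (`@@ -838,14 +1391,22 @@`) sets both `appArmorProfile` and `seccompProfile` to `Unconfined` for every container of the DaemonSet, whereas the per-container AppArmor annotations this diff removes (visible in the warmpool fixture) unconfined only four named containers and no seccomp profile was set at all. An explicit `Unconfined` also overrides a cluster whose kubelets run with `seccompDefault` enabled, so the opt-out now silently extends to `install-cni-binaries`, `config`, `mount-bpf-fs` and the new monitor sidecar, none of which obviously need it. If the agent and the mount/sysctl init containers genuinely require it, scope it with container-level `seccompProfile`/`appArmorProfile` on just those containers and leave the rest at `RuntimeDefault`, and record in the template which syscalls or profile denials motivated the exception.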
@@ -901,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -909,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete @@ -929,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -950,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=minimal-ipv6.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: 
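Review bot: The operator's required `nodeAffinity` to `node-role.kubernetes.io/control-plane` / `master` nodes is dropped in the last hunk (`@@ -950,22 +1542,19 @@`) in favour of a hostname `podAntiAffinity` only, so with `automountServiceAccountToken: true` the `cilium-operator` token can now be mounted on any worker node. That token is bound to cluster-scoped rules (and, depending on which ClusterRole the later `secrets` hunk edits, may read Secrets cluster-wide), so a compromised worker kubelet gains far more than its own pods' credentials. If scheduling onto workers is intended, say so in the release notes and keep control-plane placement reachable through the cluster spec; otherwise restore the control-plane `nodeAffinity` term in the template alongside the new anti-affinity.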
@@ -983,11 +1572,7 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-ipv6.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -999,6 +1584,11 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: @@ -1009,38 +1599,19 @@ spec: initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config 
@@ -1048,21 +1619,145 @@ spec: --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + readOnly: true + 
nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data index a6323339d33dd..12923f04a8a1f 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data 
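Review bot: The `cilium-ingress` `Endpoints` object at the end of this hunk hard-codes `192.192.192.192:9999` with no explanation, which reads like a leftover test address. It is presumably the placeholder backend installed so the shared ingress Service is never endpoint-less while the agent's datapath actually handles the traffic, but nothing here says so; a comment in the template such as `# placeholder backend: cilium-ingress traffic is terminated by the agent's Envoy, this address is never dialled` would stop someone "fixing" it. The same hunk also deletes the `cilium-operator` PodDisruptionBudget (`maxUnavailable: 1`) rather than moving it, so a node drain can now evict both of the operator's `replicas: 2` at once; either keep the PDB or note the change in the release notes. The hubble-relay Deployment itself is well locked down (`runAsNonRoot`, `drop: [ALL]`, token not mounted).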
@@ -149,7 +149,7 @@ ConfigServer: - https://kops-controller.internal.minimal-warmpool.example.com:3988/ InstanceGroupName: nodes InstanceGroupRole: Node -NodeupConfigHash: b2zV5MSx4wad58ywLyeV0/LObHqwQ0SjBopYkbZCJi8= +NodeupConfigHash: 5Ja2a9+Pax0+bsoFt1+S+88CNUdeLS+Duf59tsR3mfM= __EOF_KUBE_ENV diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content index 5afbddb2498bd..8cf926389062c 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content @@ -211,7 +211,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: vxlan - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content index 3cc6bfb6529c9..8baaf6abfd995 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content @@ -99,7 +99,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: d9cf37239f73ec224904209dfcfdbd79330c202bab99fe823d7bf3bf91988212 + manifestHash: ad14c72e6cdf2d5a2ef7c1918bb7f5a22fb34bc9846d0b43b9856d49ae628335 name: networking.cilium.io needsRollingUpdate: all selector: 
diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content index 6750659f5e427..118e40843c07b 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,55 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + apiVersion: v1 data: - agent-health-port: "9879" + ca.crt: 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 + ca.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + 
bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "false" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" - enable-ipv4: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: 
"true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" enable-node-port: "false" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s - install-iptables-rules: "true" - ipam: kubernetes + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" 
+ ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + 
tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: @@ -86,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -260,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -346,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -392,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list 
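Review bot: The new `cilium-ca` Secret in the first hunk carries `ca.key` next to `ca.crt`, so the private key of the CA that signs `hubble-server-certs` and `hubble-relay-client-certs` is readable by anyone with `get secrets` in `kube-system`, and it is also embedded in this rendered addon manifest, which is stored in the state store (the fixture is an S3 object). Nothing in the manifests visible here consumes `ca.key` — the leaf certificates are already minted by kOps — so unless a certgen job outside this diff needs it, render only `ca.crt` and keep the key in the kOps keystore. If the key must stay in-cluster, a comment in the template should say what consumes it and how it is rotated.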
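Review bot: `hubble-relay-config` sets `disable-server-tls: true`, so the relay's gRPC listener on `:4245` — exposed cluster-wide by the `hubble-relay` Service on port 80 later in this diff — accepts unauthenticated clients, while only the relay-to-agent leg uses the mTLS client certs. Any pod in the cluster can therefore stream every flow record the agents observe, including whatever DNS and L7 detail Hubble is configured to capture. That matches the upstream default, but it deserves either a relay-server TLS option in the cluster spec (the CA to sign a relay server cert is already rendered) or at least a documented caveat plus a CiliumNetworkPolicy on the `hubble-relay` pods limiting who may reach the `grpc` port.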
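Review bot: The `@@ -260,6 +476,7 @@` hunk adds `secrets` to a core-API rule with `get`/`list` (and presumably `watch` in the unchanged context), and because this is a ClusterRole the grant is cluster-wide, so whichever subject the role binds — its name is outside the hunk — can now read every Secret in the cluster. The narrowly scoped Roles in `cilium-secrets` elsewhere in this diff show the intended model (ingress/policy secret sync copies TLS material into that namespace), which suggests this is the sync source permission; it is the highest-value grant in the change and should be called out in the release notes. It should also be rendered only when `enable-ingress-secrets-sync` / `enable-policy-secrets-sync` is actually enabled rather than unconditionally, if the template does not already do that.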
@@ -416,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
@@ -484,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -506,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -516,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -524,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -567,25 +1078,39 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-warmpool.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: 
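Review bot: The `postStart` hook added to the agent container runs on every cluster even though its own comment scopes it to AWS ENI mode, and this fixture uses `ipam: cluster-pool` with `routing-mode: tunnel`. The `grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN'` guard keeps it from touching rules where no aws-node chains exist, but when it does fire it pipes the whole `iptables-save` output into a plain `iptables-restore`, which replaces every table atomically and silently drops any rule kube-proxy or another writer inserted between the save and the restore, and it handles IPv4 only. Unless kOps deliberately renders the hook unconditionally, gate it in the template on ENI IPAM (as I believe the upstream chart does on `eni.enabled`) and keep the `if` guard as defence in depth. The agent container's env list and its `preStop` hook continue outside this hunk.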
@@ -593,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP @@ -604,11 +1131,19 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -618,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -639,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -662,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh 
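Review bot: The `hubble-metrics` port added in the second hunk (`containerPort`/`hostPort` 9965) is, per the `cilium-config` keys in this diff, a listener on `:9965` with `hubble-metrics-server-enable-tls: "false"`, and the pod is `hostNetwork: true`, so it is an unauthenticated HTTP socket on every node's interfaces. Host-namespace sockets are not covered by CiliumNetworkPolicy unless the host firewall is enabled, so exposure is bounded only by the cloud security groups, and Hubble `drop` metrics carry per-flow labels that are useful reconnaissance. Either bind the listener to the node's internal address or enable `hubble-metrics-server-enable-tls` with the `hubble-server-certs` this diff already renders, or document in the template that security groups are the only control. The `peer-service` port 4244 is fine as configured, since the agent is given `hubble-tls-client-ca-files`.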
@@ -676,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: @@ -694,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-warmpool.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -717,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -728,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc 
@@ -744,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -755,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -768,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -799,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-warmpool.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -815,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -828,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: 
@@ -839,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -858,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -902,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -910,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete @@ -930,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator 
@@ -951,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=minimal-warmpool.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: @@ -984,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.minimal-warmpool.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: kops.k8s.io/remapped-image/cilium/operator:v1.16.7 + image: kops.k8s.io/remapped-image/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP 
@@ -1000,48 +1584,34 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config 
@@ -1049,21 +1619,145 @@ spec: --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: kops.k8s.io/remapped-image/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + 
readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content index 31724d1f8e5e4..10dda33fb97af 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content 
@@ -57,8 +57,9 @@ containerdConfig: usesLegacyGossip: false usesNoneDNS: false warmPoolImages: -- kops.k8s.io/remapped-image/cilium/cilium:v1.16.7 -- kops.k8s.io/remapped-image/cilium/operator:v1.16.7 +- kops.k8s.io/remapped-image/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 +- kops.k8s.io/remapped-image/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 +- kops.k8s.io/remapped-image/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 - kops.k8s.io/remapped-image/kube-proxy:v1.32.0 - kops.k8s.io/remapped-image/provider-aws/aws-ebs-csi-driver:v1.47.0 - kops.k8s.io/remapped-image/provider-aws/cloud-controller-manager:v1.31.0 diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content index c68c381491a5d..4bb6a5dd18e9e 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content @@ -205,7 +205,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: vxlan - version: v1.16.7 + version: v1.17.7 nonMasqueradeCIDR: 100.64.0.0/10 podCIDR: 100.96.0.0/11 secretStore: memfs://tests/scw-minimal.k8s.local/secrets diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content index 5d5f694053dae..56055c0d8fbd8 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content 
+++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content @@ -55,7 +55,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: d2cd13682c1764c0bfef35c97a19b1d2b335ccf03822d2912121a3adbeef5830 + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsRollingUpdate: all selector: diff --git a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content index 63365ed0c2fb8..cb46798af6060 100644 --- a/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,55 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + apiVersion: v1 data: - agent-health-port: "9879" + ca.crt: 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 + ca.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBtV0s5WlY3b3VHSWpmV0RZOEtxZ1F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTVZvWERUSTRNRGt3TVRBNQpNalEwTVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF0ZGE4N0x6ZEVRTEtvWU5uZExuS2xta3hmVURybHNWWHR3TzBuanlGaUl3UG1qRzIKZ2xYT2NHTFd3c0xhc3NiU2grbFlsTEhiMTJscU42K2Yram5zSno5UGdCSk1aRDVTdDVNazErandzZVlJdXFVbQp1QXJSSEpCM05Xd0k3bXliaEx3NFRvcnJrWkJ3QndQaDBDNHZYUmpkcEFDVXFBdkF6MlpOV0dueFVnaXdoMFlUCjczMUNRUDJpQmd0OWJWbE9OOXRIVzRxS3lrcS9OWXFrRnVqYnovNDFaUG52cWN1d3VJcXVZRU1SL2I2T0ordWcKL0NxTjFXS3c4ZHVPT2xOREZ6VFZQUDA0YTdKRzlsNVRtKzVEekVtNnUvemhzakN4dXcxUCtuRUk3Tjc5bWkrbQpkTnM1VXZNaWZ5cVBaYy80eFZxbmlkZzhEdHdSNDljTG0xSEZxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGQjI2czNsR2loMzdkbzdJZkhoM0VaL3ZSV3A4TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0daemdHUHpUTFpEUHQxMkJzK3hJT1ptczdRTzY0YzAzYVBtbUV3M1R5SjRJdzVoM0RtU2NHCnZtUWc5ckE2bS9OVE9Sd3I1T1BROS8rMmprK1E1LzBleG9HRDZQUW1qQjZlNDR1L1pXQnNPejg3bCtLeStHODAKaFlCSmYyRjVrU3VEOVloRm02OWc2ZTUwMUN0bzBXalpsRUZhWlpCOVF2RFh
ic3VFWjRRVkhPTmRrRWtsM3BNSgo3R0VTYVM5QWRwZEZJclMxanUySTA1cENRdFNMZFZNZHExeXBxMDNCSlBESUVuMmZTVy90eEVteWwrS1UzRDBqCmhSbEtXV1IxdkJxTWM0NHVuWGNrYThZdkkrTHYxckVyTGVyS2tCRWlzbEUwT1dpWUFPUUxoUEhEVlNoenBUM1QKRHZpUXFwb2c1TGsrVW8wMllkVGt3ZXJzR1lDVnB0eVQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTVENDQWpHZ0F3SUJBZ0lSQUtyT2VLQ3hsM3hDbWdtTjFuZHhaVU13RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTWxvWERUSTJNRGt3TWpBNQpNalEwTWxvd0l6RWhNQjhHQTFVRUF3d1lLaTVvZFdKaWJHVXRjbVZzWVhrdVkybHNhWFZ0TG1sdk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdZcUNWSWtRZkRNZmJnblpkN2NZUlpVVlY3UkUKT2JBMFQ3bXRCbnN5dWhBYnZiWTFUckRZU2F4RHVvQnREL0E2UU5MR21QYVhsWC9WN08yS0s1bVlsVHRkTGVxOAp0RHJTZThOT1d1MkFCQWhHdUpNZStqeE9GaktLelZOWXVWOGd1UFZvUEtqV2doYmx1NW5DenVkam5aTkI1L2FlCllQYkh5M0liSzRNNDR2cTUzUzNiRWp0SjAwODFwNFF3N3hnbE1OemZtVWh2YVZpNjNKaTBKMEJoL2RvamNNKzAKZzFwd3c0akJYcjJHZEdnUmRrUDNKMVkrYmFoYWphTHY4T2NlSGFmTm1hNk8zWWR0cHdqNlladG1VMTR1OU9MMAovMmllQ05jRnpUY1RJWGtJSU9qTWJyNUc3QVFDYXBTNWw2NUlqSFJzdndCbFNNRWphSmRNUW5jdm53SURBUUFCCm80R0dNSUdETUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUIKQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCUWR1ck41Um9vZCszYU95SHg0ZHhHZgo3MFZxZkRBakJnTlZIUkVFSERBYWdoZ3FMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBSHBjVExhcm1ob0RQYWRRWTdvY3V4UDA1alpRZmlMazNyWkNpcmJEdzFxMlBybkYKWHVET1Zydmt6Y3A1LzVjNzRTeC9xWnBnQWVpeUJQYmF1d2FTM0xoR2lOWmVCSUVFOXVEK0tpenUwWm1tUGtkegprTTF3Z24wdjhwcENNNEFJWkFmc08xUnpwNkFBbnRtQS9yQXNuOWtmWHQ4K2xreEVQSU9NSS9LZzhDdWhvREx4Cm5PeUdVN044V0J6RHRuOWViTlVuaVlOSDV4MTBqNmVSMjZ5OXFyaVhhaFhqSC96ODhFck1lcFpIelh4QkhDYmIKWFc0akpqVDM0bkFheTV5TzAxRG5xSjRhbFQ5aWRmYUhlV3cxa2tnQjJzREJzM3lqZ1RpMkNsU2pweEt2bWQ5VApwUFV5d3NxTXlrOTl6aHpEdzk5bGxqZ2FrY0FoOUlUdk5QQVJpdDQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 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 +kind: Secret +metadata: + 
creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - 
disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "false" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" - enable-ipv4: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" - enable-node-port: "true" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-port: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + 
enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s - install-iptables-rules: "true" - ipam: kubernetes - kube-proxy-replacement: "true" + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s 
+ node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: 
@@ -86,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -260,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -346,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -392,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -416,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
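Review bot: The new hubble-relay-config ConfigMap sets `disable-server-tls: true`, so the relay's own gRPC endpoint (port 4245, exposed cluster-wide by the hubble-relay Service on port 80 later in this diff) accepts plaintext, unauthenticated connections from any in-cluster client, while only the relay's upstream connection to hubble-server is mTLS (`tls-hubble-client-cert-file` / `tls-hubble-server-ca-files`). Relay serves aggregated flow data for the whole cluster, including L7 and DNS visibility when enabled, so that exposure is worth calling out. This file is a regenerated integration-test golden output, so the setting presumably originates in the kops Cilium addon template rather than here; the template is where a comment such as `# hubble-relay serves plaintext gRPC in-cluster; enable server TLS or restrict access via network policy` or an opt-in for relay server TLS would belong.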
@@ -484,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -506,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -516,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -524,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -567,25 +1078,39 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.scw-minimal.k8s.local - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -593,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP 
@@ -604,11 +1131,19 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -618,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -639,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -662,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -676,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: 
@@ -694,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.scw-minimal.k8s.local - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -717,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -728,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -744,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -755,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -768,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -799,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.scw-minimal.k8s.local - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -815,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -828,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -839,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -858,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate 
@@ -902,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -910,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete @@ -930,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -951,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=scw-minimal.k8s.local command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: 
@@ -984,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.scw-minimal.k8s.local - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP @@ -1000,48 +1584,34 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config 
@@ -1049,21 +1619,145 @@ spec: --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + readOnly: true + 
nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content index 5e5dc1e5b0e77..276d534271ed3 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content @@ -211,7 +211,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: disabled - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false 
diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index 7ed9a2f09a027..e240dd889988b 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -99,7 +99,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: f4190bd1eace9a9ddbb866537debcc2f8fcb4327a8d80cb51e9860f23a34b529 + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsRollingUpdate: all selector: diff --git a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index caa710b2186ee..cb46798af6060 100644 --- a/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,57 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdGRhODdMemRFUUxLb1lObmRMbktsbWt4ZlVEcmxzVlh0d08wbmp5RmlJd1BtakcyCmdsWE9jR0xXd3NMYXNzYlNoK2xZbExIYjEybHFONitmK2puc0p6OVBnQkpNWkQ1U3Q1TWsxK2p3c2VZSXVxVW0KdUFyUkhKQjNOV3dJN215YmhMdzRUb3Jya1pCd0J3UGgwQzR2WFJqZHBBQ1VxQXZBejJaTldHbnhVZ2l3aDBZVAo3MzFDUVAyaUJndDliVmxPTjl0SFc0cUt5a3EvTllxa0Z1amJ6LzQxWlBudnFjdXd1SXF1WUVNUi9iNk9KK3VnCi9DcU4xV0t3OGR1T09sTkRGelRWUFAwNGE3Skc5bDVUbSs1RHpFbTZ1L3poc2pDeHV3MVArbkVJN043OW1pK20KZE5zNVV2TWlmeXFQWmMvNHhWcW5pZGc4RHR3UjQ5Y0xtMUhGcVFJREFRQUJBb0lCQUV0NWdCMDdIdjdxaTdTUwpXQ1NvNFIraE5mdHBNTi81dFRpdmZ3Nld6RTRxNUdiNTcya1Z1SVFKWWw2Z2hpbmlRSXhOSElsTGNaWnRtTHJZCldLeUIwalZRSCsxbXF2S0lzOGlpZUk1dGowb24wc08xdk9aekJ1eTJRZVNZblBScGUvdVNMRVRkZ0gyQTJCN3gKUzQ4ZlBHV0Y1cWtsM0k0TG90SHpBbk9LTmJINFdVQlI2SnFtZjJaSXFMQW9OMjlxUU14RUg1SVFML0NuK3pFVgpFVjlxekYzT1lHWGlaWktaOEI1d1ZEcnhWZU02MU9uWmZtcVJYNllZVXpBNzh4bklhTHhSZ0Q4SXBPejVOSzBLCm5kdXIvQ21GZEdkdldVMnhJRTgrK2lUMTBuMUxHK1BuZ0VtaUNsL2dnQnl3SGVCNGZTTzRlZHo2blZyM1laTWoKOUs4TWU2a0NnWUVBNzlzSnJTdHB4TDZVaGhHSkFtQ0RTSVB0Y3E4cEZITGs1amdFQVhDb2pvbU56V3E0dmdkagplU0pybnFIZThFR0g5V1RaOEx3ZTV1ak1GYmFkYU9hVHVGdU1xWUY1QVQ5a2lCQ3V4YjYyaFp6Z24xNGJyRG5iCmRWUEE1bUhGTVpCZ2NjbUNuM2pwZ3haOW5PTHFXMkZiNTBUTkE1bWNacUQwendtTCs5RHl3OWNDZ1lFQXdoUUMKcFhuZWJoL1dwUnE2bkxVbGhtZGU1WnlOdG8zN21Sa1VQN2MxVktFQkZ3OEczb0drY1BQb2FoMmQwRmZLVkpUdQpvNTYwUFc1Wk1rcnVBZU0zR0dhRnFoNC93bitJc3pBQWt6VDMweEJJU0NMZjV6ZHk3L0hIbS9JNk1zVWNrTlRFCkdmY01Ib2ZMdnd0YkUyNUVueFNUQWpSdzBKMWlmQkV1MlZRZWtuOENnWUJLY3R5QUNiZWN2K0x0OGtkcW0zWmsKYmI2b0dFSlIvSStiL2NzUWYxMXlVTFBaRE1VbkJyZ1RnMkdRTFlJN1
pMdkVxWGNVUisvM2tFNjRkcVJKU1RpVQp3cVhZZnoyRjY1MVN0b3JwQ2hjeFJjNWE2U1VCd2p1aUlVc0F0MXd6MURKN1h5YlNSUCtHRnRjS2VVeHc3TGxRCkFZVDVGeGI2cS84UXZFL2M2N0JPcFFLQmdDYTdSWmZ1alZSZTZFQkU2RThUMjZ4Si91ZEY2Z1l2cWJGeER0aDAKWUtGR0RHaWtxQk5Kdmg2SW5xNW13TEx1Z2tPRkFXY0g2aUtFWGlxcVIzdDY4K2pidFBzeFZEb2xwNHRUSGhwQwpyTjZqVmptSE5EWDVtK2VFMGZndVRDMExwMXJFQzJxL0lkMEo3c0J1ckx0Zyt6TGdNVUowWXJ0UFhYTXpIcTFpCm0wTlRBb0dBYndsYlVESHEyTW1NdWdWczhyemMySjk1NmNEWUFJTEVLWEh3UWdkeFFUWGlodlgvcmJqcnhTcEQKcTRWdmxWOFExam1Wam05R1ZYQ1JIbUZkUy8vQWtNOW5GWnZLTmVSQnJaeEZCWEg5QUpjSXM4Q3NCQllDSlI0Tgpmd0NrbVdZMFVGM2VWL2RZQ2w0VGdmbkRhQTFJV3lzd0R2eE40UEVLa3lSNWtWMVp5WXM9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd1lxQ1ZJa1FmRE1mYmduWmQ3Y1lSWlVWVjdSRU9iQTBUN210Qm5zeXVoQWJ2YlkxClRyRFlTYXhEdW9CdEQvQTZRTkxHbVBhWGxYL1Y3TzJLSzVtWWxUdGRMZXE4dERyU2U4Tk9XdTJBQkFoR3VKTWUKK2p4T0ZqS0t6Vk5ZdVY4Z3VQVm9QS2pXZ2hibHU1bkN6dWRqblpOQjUvYWVZUGJIeTNJYks0TTQ0dnE1M1MzYgpFanRKMDA4MXA0UXc3eGdsTU56Zm1VaHZhVmk2M0ppMEowQmgvZG9qY00rMGcxcHd3NGpCWHIyR2RHZ1Jka1AzCkoxWStiYWhhamFMdjhPY2VIYWZObWE2TzNZZHRwd2o2WVp0bVUxNHU5T0wwLzJpZUNOY0Z6VGNUSVhrSUlPak0KYnI1RzdBUUNhcFM1bDY1SWpIUnN2d0JsU01FamFKZE1RbmN2bndJREFRQUJBb0lCQUVUMENRei9MRDFqcFYzNQo2bDJwZ045Qmh6SVJDb0dYRW53WkJka2FTVzlhejlkZU5FM04yYkVkeTUrRm85V2EyOVkrZ2Z6N1ZmUXdjRklTCkt6anZaeG83NVMyM3hQVmRRNkpPYWZzaFJJdXJPeThGVTNNSnl6UkRXNHBkbUcycXc2akIzaHBHZU80dUpEa2IKUmZtYkhMV0dRbVBYVElQMVNDZG1odUdReGRLdnJLdGVDNks5OFBxaVE0Y09jTWF6RXhvb0w2QWNHQmdzekIvYgpVU2RJSFIvN2lmNXVKbStZcnJkak1TTW1MaFQ3T2ZwcEpvMm5kdHVOTlpFODc1R05WUTVRWTBRRnFscEdJK21GClZwZXFMMVZDWGxnVS9Ed29sQlhYUW9CU01iS0xab1NnUDJ6MU5HcGNMRGsvcU1hRklISXlSYnFHc3lWQ3hIWkoKSS9ISi9hRUNnWUVBNFlEVEhhZWFMQ29QSFU2bXB5NUZsWXZKWDlRWk5TR3d2cEVhSEt1b0lVQ0ZTUTZpa1Jwagp3aHR0akJUZjFWcGZ1dE1PaTNtazFpcVhRY2NGaFNxL01FQVNSVkFzd3RKTXNXV1J1dzJzM25wMFV1OGowa3VKClBWTWNWcHNOTFhiTUpRSGpLcW9QMmZxTFFLZmlseG5HVnl5OEtDTW1SZUExRENGbVN2YkpMZkVDZ1lFQTI3Y2UKUFhxcDJLaHZ0ZFRidmVoaDZ5QmYrZEdxSjQrdytRZ0o2WG42NXpIcWcwa0l2VFNzdHhrbGxkczJrR0lWeFJVaQpoNmt5a2IvMUxsT0gwZXNyOTk1aEx2M0VtNk5mVk5YY21SUmx2alBKZHduWDlHa25qVEtOSlpjdHo2U0xuRTNSCnQydUpYT2hYMk9sNkhub2RFR3VzZUxPSG5GZ29LdDdMd3FYUTVvOENnWUVBc1ZCbXNJNjFQN3ppblp6V2xlWmcKZUxLdDZWZ1JhaUhQcEVqY1MyYitrUWIyeHZkbkJNbkhYejNKNmJnUU9PY1RGd2dXQzczZXl6ZzZMMUtiR0pjQQpOcVJxdVczTmhITndNcDAyOWVwTzM3RlIvbFJqeWx2eTBmR2orc1Y0bXlNcWFuOE5iT0xFREJaaG9MbGlCb1lSCjIwSWx3VG5DUW5lRnZzQVVleVdLRTBFQ2dZRUFtcjFnNHRPZEF5VzlaMFkrYklWWlVRdEFET1dJL012S1M5bEoKZ2RHU3ozanNQUUlXMFlwamlhQ0FSQVpiYTF4cEVLQk43VlZRZEMzSk01Tkl1S0wwR0dIWitBcHBpV09LSkdscQpMN1daNGxiK3NJT1NRR1Erb3NiVGVZSDdsWjNCWlplNDk0RVpBUUh4dktiU2h0eGgwOHJCY1ZDZlZaRVEyUUNJCmFOSDNTaWtDZ1lBSFh5QlF2WXVrUDBFczd1TDg2Nk85Z29LUnVG
eEFRYTB3THBxa3NkZmxJaFh6cllVZENsbFoKK3JFVUswTlVTVjZlQlVwa2Ywd2NTaEE3OFpBWDV6dEU3clB3eFBWT0tkSXY0a0JkS2NXd1FvaVVWck1CaWVsQQo1Znk4RmI0ay9HSVd2YWduOEt1M2hhMHFmSjVxSkNnWlBwbmszR3ZBQThUOGRxUmJrRm0xN3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + apiVersion: v1 data: - agent-health-port: "9879" - auto-create-cilium-node-resource: "true" + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" 
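Review bot: The `cilium-ca` Secret now committed in this fixture carries a full `ca.key` PEM in its `data`, and `hubble-relay-client-certs` carries a `tls.key`, so private key material is checked into the repository as part of the expected output. Presumably these are the deterministic throwaway keys the kops integration harness synthesizes for golden files rather than anything issued for a real cluster, but that is not visible from the hunk; it would be worth confirming before merge and, if the harness allows it, rendering a fixed placeholder for key fields so scanners do not flag every regeneration. The same key blocks are added for the privatecilium-eni rendering in this file section.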
cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "true" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" - enable-endpoint-routes: "true" - enable-ipv4: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" enable-node-port: "false" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" - eni-tags: KubernetesCluster=privatecilium.example.com + 
enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s - install-iptables-rules: "true" - ipam: eni + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" kube-proxy-replacement: 
"false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" - routing-mode: native + routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: 
@@ -88,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -262,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -348,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -394,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -418,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
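Review bot: The `hubble-relay-config` ConfigMap added in this hunk carries `disable-server-tls: true`, so the relay's own gRPC listener on :4245 is served in plaintext, and the `hubble-relay` Service added later in this file maps ClusterIP port 80 onto it for any workload that can reach the Service. Only the relay-to-agent leg is protected by the `hubble-relay-client-certs` mTLS material; the relay's server side is open to every in-cluster client, which means cluster-wide flow data is readable without authentication. This appears to mirror the upstream chart default, so it is presumably intentional, but the exposure is worth stating in the 1.33 release notes alongside the Hubble enablement, and a kops knob for the relay's server-side TLS would let operators close it. The same relay config is emitted for the privatecilium fixture at `@@ -86,6 +283,25 @@`.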
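Review bot: The `- secrets` entry added under the core API group in the ClusterRole hunk `@@ -262,6 +476,7 @@` grants get/list (plus whatever verbs follow outside the hunk) on every Secret in the cluster; the ClusterRole's name is outside the hunk, so which ServiceAccount receives it is not visible here. The Roles added further down in this file deliberately scope secret access to the `cilium-secrets` namespace, so a cluster-wide grant is presumably needed only by the component that performs the ingress/policy secrets sync (`enable-ingress-secrets-sync: "true"` and `enable-policy-secrets-sync: "true"` in the ConfigMap above). It is worth confirming this is that component's ClusterRole rather than the agent's, because the agent runs on every node and a cluster-wide Secret read there would hand any single compromised node all cluster Secrets. The identical addition appears in the privatecilium fixture at `@@ -260,6 +476,7 @@`.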
@@ -486,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -508,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -518,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -526,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -569,23 +1078,12 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -620,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP @@ -631,11 +1131,19 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -645,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -666,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" 
@@ -689,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -703,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: @@ -721,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -744,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: 
@@ -755,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -771,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -782,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -795,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -826,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -842,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer 
@@ -855,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -866,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -885,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -929,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -937,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete 
@@ -957,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -978,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=privatecilium.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: @@ -1011,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP 
@@ -1027,48 +1584,34 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config 
@@ -1076,21 +1619,145 @@ spec: --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + readOnly: true + 
nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content index 25940b9dfc741..f291e6e56120f 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content @@ -219,7 +219,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: vxlan - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false 
diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index b38fe33f4c00d..e240dd889988b 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -99,7 +99,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: dd8217efb975e6a7d3a82ccb95aa006c2372731dc8dbfd136c62c5d4c95e2750 + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsRollingUpdate: all selector: diff --git a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index b6faf16af9bc8..cb46798af6060 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,55 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + apiVersion: v1 data: - agent-health-port: "9879" + ca.crt: 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 + ca.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd1lxQ1ZJa1FmRE1mYmduWmQ3Y1lSWlVWVjdSRU9iQTBUN210Qm5zeXVoQWJ2YlkxClRyRFlTYXhEdW9CdEQvQTZRTkxHbVBhWGxYL1Y3TzJLSzVtWWxUdGRMZXE4dERyU2U4Tk9XdTJBQkFoR3VKTWUKK2p4T0ZqS0t6Vk5ZdVY4Z3VQVm9QS2pXZ2hibHU1bkN6dWRqblpOQjUvYWVZUGJIeTNJYks0TTQ0dnE1M1MzYgpFanRKMDA4MXA0UXc3eGdsTU56Zm1VaHZhVmk2M0ppMEowQmgvZG9qY00rMGcxcHd3NGpCWHIyR2RHZ1Jka1AzCkoxWStiYWhhamFMdjhPY2VIYWZObWE2TzNZZHRwd2o2WVp0bVUxNHU5T0wwLzJpZUNOY0Z6VGNUSVhrSUlPak0KYnI1RzdBUUNhcFM1bDY1SWpIUnN2d0JsU01FamFKZE1RbmN2bndJREFRQUJBb0lCQUVUMENRei9MRDFqcFYzNQo2bDJwZ045Qmh6SVJDb0dYRW53WkJka2FTVzlhejlkZU5FM04yYkVkeTUrRm85V2EyOVkrZ2Z6N1ZmUXdjRklTCkt6anZaeG83NVMyM3hQVmRRNkpPYWZzaFJJdXJPeThGVTNNSnl6UkRXNHBkbUcycXc2akIzaHBHZU80dUpEa2IKUmZtYkhMV0dRbVBYVElQMVNDZG1odUdReGRLdnJLdGVDNks5OFBxaVE0Y09jTWF6RXhvb0w2QWNHQmdzekIvYgpVU2RJSFIvN2lmNXVKbStZcnJkak1TTW1MaFQ3T2ZwcEpvMm5kdHVOTlpFODc1R05WUTVRWTBRRnFscEdJK21GClZwZXFMMVZDWGxnVS9Ed29sQlhYUW9CU01iS0xab1NnUDJ6MU5HcGNMRGsvcU1hRklISXlSYnFHc3lWQ3hIWkoKSS9ISi9hRUNnWUVBNFlEVEhhZWFMQ29QSFU2bXB5NUZsWXZKWDlRWk5TR3d2cEVhSEt1b0lVQ0ZTUTZpa1Jwagp3aHR0akJUZ
jFWcGZ1dE1PaTNtazFpcVhRY2NGaFNxL01FQVNSVkFzd3RKTXNXV1J1dzJzM25wMFV1OGowa3VKClBWTWNWcHNOTFhiTUpRSGpLcW9QMmZxTFFLZmlseG5HVnl5OEtDTW1SZUExRENGbVN2YkpMZkVDZ1lFQTI3Y2UKUFhxcDJLaHZ0ZFRidmVoaDZ5QmYrZEdxSjQrdytRZ0o2WG42NXpIcWcwa0l2VFNzdHhrbGxkczJrR0lWeFJVaQpoNmt5a2IvMUxsT0gwZXNyOTk1aEx2M0VtNk5mVk5YY21SUmx2alBKZHduWDlHa25qVEtOSlpjdHo2U0xuRTNSCnQydUpYT2hYMk9sNkhub2RFR3VzZUxPSG5GZ29LdDdMd3FYUTVvOENnWUVBc1ZCbXNJNjFQN3ppblp6V2xlWmcKZUxLdDZWZ1JhaUhQcEVqY1MyYitrUWIyeHZkbkJNbkhYejNKNmJnUU9PY1RGd2dXQzczZXl6ZzZMMUtiR0pjQQpOcVJxdVczTmhITndNcDAyOWVwTzM3RlIvbFJqeWx2eTBmR2orc1Y0bXlNcWFuOE5iT0xFREJaaG9MbGlCb1lSCjIwSWx3VG5DUW5lRnZzQVVleVdLRTBFQ2dZRUFtcjFnNHRPZEF5VzlaMFkrYklWWlVRdEFET1dJL012S1M5bEoKZ2RHU3ozanNQUUlXMFlwamlhQ0FSQVpiYTF4cEVLQk43VlZRZEMzSk01Tkl1S0wwR0dIWitBcHBpV09LSkdscQpMN1daNGxiK3NJT1NRR1Erb3NiVGVZSDdsWjNCWlplNDk0RVpBUUh4dktiU2h0eGgwOHJCY1ZDZlZaRVEyUUNJCmFOSDNTaWtDZ1lBSFh5QlF2WXVrUDBFczd1TDg2Nk85Z29LUnVGeEFRYTB3THBxa3NkZmxJaFh6cllVZENsbFoKK3JFVUswTlVTVjZlQlVwa2Ywd2NTaEE3OFpBWDV6dEU3clB3eFBWT0tkSXY0a0JkS2NXd1FvaVVWck1CaWVsQQo1Znk4RmI0ay9HSVd2YWduOEt1M2hhMHFmSjVxSkNnWlBwbmszR3ZBQThUOGRxUmJrRm0xN3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + 
arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "false" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" - enable-ipv4: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + 
enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" enable-node-port: "false" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 
5s - install-iptables-rules: "true" - ipam: kubernetes + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - 
sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: @@ -86,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -260,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -346,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -392,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list 
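Review bot: The `@@ -260,6 +476,7 @@ rules:` hunk adds `secrets` beside `namespaces` in a cluster-scoped rule with `get` and `list`, which grants read access to every Secret in the cluster rather than only those in `cilium-secrets` (the namespaced Roles added later in this diff already cover that namespace). The hunk header does not show which ClusterRole this belongs to; presumably it is the operator's, driven by the `enable-ingress-secrets-sync: "true"` and `enable-policy-secrets-sync: "true"` settings the ConfigMap hunks turn on. Since this is a generated fixture, the change itself lives in the template that renders it; worth confirming there that the cluster-wide Secret read is emitted only when ingress or Gateway API secrets sync is actually enabled, and that the RBAC expansion is called out in the release notes.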
@@ -416,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
@@ -484,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -506,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -516,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -524,34 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined - test1: "true" - test2: "123" - test3: awesome creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -570,25 +1078,39 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -596,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP 
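Review bot: The `-570` hunk drops the explicit `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` env (`api.internal.privatecilium.example.com`, `"443"`) from the agent, and the `-596` hunk moves the liveness probe `host` from `127.0.0.1` to `::1`; the same env removal recurs in the init containers on L101 and L102 and in the operator on L104. With `kube-proxy-replacement: "false"` in the new ConfigMap the agent now reaches the API through the in-cluster `kubernetes` Service, which kops previously avoided by pinning the internal API name, so the rendering template should keep emitting that env at least for clusters that run without kube-proxy. The `::1` probes together with `enable-ipv4: "false"` and `operator-api-serve-addr: '[::1]:9234'` in the ConfigMap hunks suggest the rendered manifest no longer takes its address family from this cluster's spec, whose previous fixture had `enable-ipv6: "false"`; if this test cluster is IPv4-only the agent's probes and operator health endpoint would not be reachable. This is a generated fixture, so the fix belongs in the template, not in this file.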
@@ -607,11 +1131,19 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -621,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -642,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -665,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -679,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: 
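Review bot: The `-621` hunk removes `resources.requests` (`cpu: 25m`, `memory: 128Mi`) from the cilium-agent container, and the `-1007` hunk on L104 does the same for the operator, leaving both pods BestEffort despite their `system-node-critical`/`system-cluster-critical` priority classes; the new `cilium-monitor` sidecar in the `-679` hunk has no requests or `securityContext` at all. Without requests the scheduler reserves no capacity for the CNI on a node, and the `GOMEMLIMIT` env added in the `-570` hunk reads `limits.memory`, which is no longer set, so as far as I know Kubernetes resolves it to node allocatable rather than a per-pod bound. Restoring the requests in the template, and giving the monitor sidecar a small request and the same capability drop as its siblings, would keep the previous behaviour.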
@@ -697,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -720,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -731,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -747,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -758,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -771,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -802,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -818,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -831,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -842,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -861,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate 
@@ -905,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -913,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete @@ -933,22 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: annotations: - test1: "true" - test2: "123" - test3: cilium-operator + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -958,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=privatecilium.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: 
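Review bot: The `-958` hunk replaces the operator's control-plane `nodeAffinity` with a `podAntiAffinity` on `kubernetes.io/hostname`, and the `-1007` hunk on L104 only adds a `kubernetes.io/os: linux` nodeSelector, so the operator — presumably the holder of the cluster-wide Secret read added at L93 and certainly the subject of the create/delete/update/patch RoleBindings on `cilium-secrets` at L96 — can now land on worker nodes with `hostNetwork: true` and `automountServiceAccountToken: true`. Keeping it pinned to control-plane nodes, or documenting why it moved, would preserve the previous isolation. The same hunk also swaps the `cilium-operator` command for `cilium-operator-generic` (image on L104) and drops `--eni-tags=KubernetesCluster=privatecilium.example.com`; taken with `ipam: kubernetes` → `cluster-pool` at L92 and `cluster-name: default` / `cluster-id: "0"` at L108, it looks like cluster-specific values are being replaced by chart defaults in this AWS fixture, which reads as a rendering regression rather than part of the 1.17 upgrade.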
@@ -991,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP @@ -1007,48 +1584,34 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config 
@@ -1056,21 +1619,145 @@ spec: --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + readOnly: true + 
nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content index b492f4861d58f..c31e4eac861cb 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content @@ -231,7 +231,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: vxlan - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false 
diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content index 3b884c78de5aa..bf74c740bd827 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content @@ -155,7 +155,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: 9f9002db17eb2010a50ac3da0628b27b5005b00c465e47f722c932a277584d01 + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsPKI: true needsRollingUpdate: all diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content index 9d111190221ba..cb46798af6060 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: @@ -25,6 +38,7 @@ metadata: --- apiVersion: v1 +automountServiceAccountToken: false kind: ServiceAccount metadata: creationTimestamp: null 
@@ -39,72 +53,223 @@ metadata: apiVersion: v1 data: - agent-health-port: "9879" + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBtV0s5WlY3b3VHSWpmV0RZOEtxZ1F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTVZvWERUSTRNRGt3TVRBNQpNalEwTVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF0ZGE4N0x6ZEVRTEtvWU5uZExuS2xta3hmVURybHNWWHR3TzBuanlGaUl3UG1qRzIKZ2xYT2NHTFd3c0xhc3NiU2grbFlsTEhiMTJscU42K2Yram5zSno5UGdCSk1aRDVTdDVNazErandzZVlJdXFVbQp1QXJSSEpCM05Xd0k3bXliaEx3NFRvcnJrWkJ3QndQaDBDNHZYUmpkcEFDVXFBdkF6MlpOV0dueFVnaXdoMFlUCjczMUNRUDJpQmd0OWJWbE9OOXRIVzRxS3lrcS9OWXFrRnVqYnovNDFaUG52cWN1d3VJcXVZRU1SL2I2T0ordWcKL0NxTjFXS3c4ZHVPT2xOREZ6VFZQUDA0YTdKRzlsNVRtKzVEekVtNnUvemhzakN4dXcxUCtuRUk3Tjc5bWkrbQpkTnM1VXZNaWZ5cVBaYy80eFZxbmlkZzhEdHdSNDljTG0xSEZxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGQjI2czNsR2loMzdkbzdJZkhoM0VaL3ZSV3A4TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0daemdHUHpUTFpEUHQxMkJzK3hJT1ptczdRTzY0YzAzYVBtbUV3M1R5SjRJdzVoM0RtU2NHCnZtUWc5ckE2bS9OVE9Sd3I1T1BROS8rMmprK1E1LzBleG9HRDZQUW1qQjZlNDR1L1pXQnNPejg3bCtLeStHODAKaFlCSmYyRjVrU3VEOVloRm02OWc2ZTUwMUN0bzBXalpsRUZhWlpCOVF2RFhic3VFWjRRVkhPTmRrRWtsM3BNSgo3R0VTYVM5QWRwZEZJclMxanUySTA1cENRdFNMZFZNZHExeXBxMDNCSlBESUVuMmZTVy90eEVteWwrS1UzRDBqCmhSbEtXV1IxdkJxTWM0NHVuWGNrYThZdkkrTHYxckVyTGVyS2tCRWlzbEUwT1dpWUFPUUxoUEhEVlNoenBUM1QKRHZpUXFwb2c1TGsrVW8wMllkVGt3ZXJzR1lDVnB0eVQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + ca.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 
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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 - cluster-id: "253" - cluster-name: privatecilium.example.com + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + 
clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "false" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" enable-hubble: "true" + enable-hubble-open-metrics: "false" enable-ingress-controller: "true" - enable-ingress-secrets-sync: "false" - enable-ipv4: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" enable-node-port: "false" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" - enforce-ingress-https: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + 
enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: "true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" hubble-listen-address: :4244 hubble-metrics: drop hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" hubble-socket-path: /var/run/cilium/hubble.sock hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s ingress-default-lb-mode: dedicated - ingress-lb-annotation-prefixes: service.alpha.kubernetes.io - ingress-secrets-namespace: kube-system - ingress-shared-lb-service-name: private-ingress - install-iptables-rules: "true" - ipam: kubernetes + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: 
"false" kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: 
@@ -120,16 +285,11 @@ metadata: apiVersion: v1 data: - config.yaml: |- - cluster-name: "privatecilium.example.com" - peer-service: "hubble-peer.kube-system.svc.cluster.local:443" - listen-address: :4245 - - disable-server-tls: true - - tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt - tls-client-key-file: /var/lib/hubble-relay/tls/client.key - tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" kind: ConfigMap metadata: creationTimestamp: null @@ -142,31 +302,6 @@ metadata: --- -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: hubble-peer - app.kubernetes.io/part-of: cilium - k8s-app: cilium - role.kubernetes.io/networking: "1" - name: hubble-peer - namespace: kube-system -spec: - internalTrafficPolicy: Local - ports: - - name: peer-service - port: 443 - protocol: TCP - targetPort: 4244 - selector: - k8s-app: cilium - ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -341,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -427,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: 
@@ -473,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -581,7 +725,7 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: creationTimestamp: null labels: @@ -589,16 +733,17 @@ metadata: app.kubernetes.io/managed-by: kops app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium-config-agent - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-config-agent -subjects: -- kind: ServiceAccount - name: cilium - namespace: kube-system + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch --- @@ -611,8 +756,8 @@ metadata: app.kubernetes.io/managed-by: kops app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium-ingress-secrets - namespace: kube-system + name: cilium-tlsinterception-secrets + namespace: cilium-secrets rules: - apiGroups: - "" @@ -626,7 +771,7 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: creationTimestamp: null labels: @@ -634,16 +779,18 @@ metadata: app.kubernetes.io/managed-by: kops app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium-secrets - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-ingress-secrets -subjects: -- kind: ServiceAccount - name: cilium - namespace: kube-system + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch --- 
@@ -656,8 +803,8 @@ metadata: app.kubernetes.io/managed-by: kops app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium-operator-ingress-secrets - namespace: kube-system + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets rules: - apiGroups: - "" 
@@ -680,8 +827,74 @@ metadata: app.kubernetes.io/managed-by: kops app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium-operator-ingress-secrets + name: cilium-config-agent + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-config-agent +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
@@ -693,17 +906,76 @@ subjects: --- -apiVersion: networking.k8s.io/v1 -kind: IngressClass +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium role.kubernetes.io/networking: "1" - name: cilium + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system spec: - controller: cilium.io/ingress-controller + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP --- 
@@ -743,20 +1015,21 @@ metadata: labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - app.kubernetes.io/name: hubble-relay + app.kubernetes.io/name: hubble-peer app.kubernetes.io/part-of: cilium - k8s-app: hubble-relay + k8s-app: cilium role.kubernetes.io/networking: "1" - name: hubble-relay + name: hubble-peer namespace: kube-system spec: + internalTrafficPolicy: Local ports: - - port: 80 + - name: peer-service + port: 443 protocol: TCP - targetPort: 4245 + targetPort: 4244 selector: - k8s-app: hubble-relay - type: ClusterIP + k8s-app: cilium --- @@ -770,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -778,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
@@ -821,25 +1078,39 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -847,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP 
@@ -870,7 +1143,7 @@ spec: readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -880,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -901,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -924,10 +1195,11 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh @@ -938,11 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - - mountPath: /tmp - name: tmp - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true + - mountPath: /tmp + name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: 
@@ -959,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError @@ -982,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -993,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -1009,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -1020,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -1033,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: 
@@ -1064,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: @@ -1080,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -1093,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -1104,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -1123,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate 
@@ -1167,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -1209,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -1230,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=privatecilium.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: 
@@ -1263,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privatecilium.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP @@ -1279,48 +1584,34 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config @@ -1342,7 +1633,7 @@ metadata: name: hubble-relay namespace: kube-system spec: - replicas: 2 + replicas: 1 selector: matchLabels: k8s-app: hubble-relay 
@@ -1366,12 +1657,13 @@ spec: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false containers: - args: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.16.7 + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 12 @@ -1409,25 +1701,14 @@ spec: - mountPath: /var/lib/hubble-relay/tls name: tls readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: null restartPolicy: Always securityContext: fsGroup: 65532 - serviceAccount: hubble-relay serviceAccountName: hubble-relay terminationGracePeriodSeconds: 1 - topologySpreadConstraints: - - labelSelector: - matchLabels: - k8s-app: hubble-relay - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - k8s-app: hubble-relay - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: items: 
@@ -1451,75 +1732,32 @@ spec: --- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - creationTimestamp: null - labels: - addon.kops.k8s.io/name: networking.cilium.io - app.kubernetes.io/managed-by: kops - k8s-app: cilium - role.kubernetes.io/networking: "1" - name: hubble-server-certs - namespace: kube-system -spec: - dnsNames: - - '*.privatecilium-example-com.hubble-grpc.cilium.io' - isCA: false - issuerRef: - kind: Issuer - name: networking.cilium.io - secretName: hubble-server-certs - usages: - - signing - - key encipherment - - server auth - - client auth - ---- - -apiVersion: cert-manager.io/v1 -kind: Certificate +apiVersion: networking.k8s.io/v1 +kind: IngressClass metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - app.kubernetes.io/part-of: cilium - k8s-app: cilium role.kubernetes.io/networking: "1" - name: hubble-relay-client-certs - namespace: kube-system + name: cilium spec: - dnsNames: - - hubble-relay-client - isCA: false - issuerRef: - kind: Issuer - name: networking.cilium.io - secretName: hubble-relay-client-certs - usages: - - signing - - key encipherment - - client auth + controller: cilium.io/ingress-controller --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: v1 +kind: Endpoints metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator role.kubernetes.io/networking: "1" - name: cilium-operator + name: cilium-ingress namespace: kube-system -spec: - maxUnavailable: 1 - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 
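Review bot: Deleting the cert-manager `Certificate` objects for `hubble-server-certs` and `hubble-relay-client-certs` removes the only renewal path this manifest had; whatever now populates those Secrets has no issuer behind it, so certificate expiry becomes an event the cluster operator has to notice and handle by re-applying the addon. If the replacement is static material generated into the addon manifest, the release notes and the addon template should state the validity period and the rotation procedure (e.g. `# hubble TLS material is generated per addon render; re-run kops update to rotate`), because users who relied on the `networking.cilium.io` Issuer will otherwise discover this when Hubble stops working. The removed `PodDisruptionBudget` for `cilium-operator` is presumably a consequence of tracking upstream defaults; confirm that is intentional rather than a template oversight.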
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content index ab86a2ab2ba74..794061fc836b3 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content @@ -223,7 +223,7 @@ spec: sidecarIstioProxyImage: cilium/istio_proxy toFqdnsDnsRejectResponseCode: refused tunnel: disabled - version: v1.16.7 + version: v1.17.7 nodeTerminationHandler: cpuRequest: 50m deleteSQSMsgIfNodeNotFound: false diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content index 985adf658402e..0bea49e7d25b7 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content @@ -99,7 +99,7 @@ spec: version: 9.99.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml - manifestHash: 5030328bbc065c993306fc2e37163a15788044f0aad13b0dfeebb5f4b8aa4abc + manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55 name: networking.cilium.io needsRollingUpdate: all selector: 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content index fd1290aee4daf..cb46798af6060 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content @@ -1,3 +1,16 @@ +apiVersion: v1 +kind: Namespace +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + +--- + apiVersion: v1 kind: ServiceAccount metadata: 
@@ -24,67 +37,239 @@ metadata: --- +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system + +--- + apiVersion: v1 data: - agent-health-port: "9879" - auto-create-cilium-node-resource: "true" + ca.crt: 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 + ca.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ca + namespace: kube-system + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd09FUXc2Y0ZpbG5ncTJRZ3lOMGlDN1ZSUnVnSnA3OWF2aC9ST0N2bThtSmZNUkhxCkFrRWU3Mmlua0Ntd2RjN2E1dmdzcmhWR0MrY1lObm9aZUtUM2M3THlHYW1hREZ3Mm90RCtjcVVQK1hteGdBd0sKOXhXSHJQakJLZDJiS3d2QXJvZEU1NFBqeDI0YU4vdzA3a0tsWkxnYU1NMUkvQ0JlQ002cVRydm9LUlNtV016ZApOZEZwY1pvdlQ3Wnhpc0pqRGRKVjZPNzhwbEhlZ0todm85L213ampNNFd3NVAxOEJoakZob2srcG50RE5EaE4rCmxtRis5U3EzV2dNRFQ1L1JHSFcrZ29yUzVpYnkrbUtiK3VUS3FIZUZpd0RkKzdUcEhJZGI0SCs0d1VhdHg0UFIKWEwyTnRDNVR5aDczWUl2QkxRWGdOTHJzczc1YTJvSzRDcXo1d3dJREFRQUJBb0lCQUZ0OVJwVHYwRVo0YklRUAp5aWRORVQycGc0U1ZReU14TnN0UlQwNE1NUStQRHVVNVFKMVNJMmpmWlFBU2JsUHJTMVZjcWVEblVXTUsrcWE0Cmt3Vnhocmo0VEROVkNpL0x1OVRPT3F2SjFRSjZzWEh5QkcrQVpHdHRVVDdaRWFYQS9PUXNZTWhLZk15WDB0TDAKakd6cDZ3Y1Q5c1JvVTdMWWJaSlM2V0RRYkFhenBFRmU0SkZ2ejNRdUFldFhVWHg5SUlGUDhZRmExTjRKazV0RApEVUYvL0dTUkJ1U3RYU1BKVDA3amxBb2FrNG9KU1lQbk5YdjlUdDVSTENsRHlvaFFJMU1iWkpERVlWamZWeERxClJxOHpZNHZRbTNSb1J0MW1leDdOd1JvTEFsbk1jV0dEL29mMkI5N09sUGNWdGdZQ1MrY2hzU2NiS1Q2MUN5MzUKaXduU3lTRUNnWUVBNmRiRkVPTjQ4YWg5WkpkWnNaUkFYQ1loK3l0NTZ3OXc2RExBQXRSUHh4RG1UWm5tYXNNUgpOMWU3QVhWZkRLWWsrNXhiMnVxQjl5czJicDJ3SkJxd1ZqYUdJRDFFejVlc1EwMFpxcXQwUUFGWHR4OFFpQmR0CjVLN1dUTHVIRWpBaGFweWFaRnpTUDB6eDBPUVYweXY5V3FoR0dYSVY3Z0JITVdZZHBIbDNWYUVDZ1lFQTB5aVAKTE5yWTVSMWJrMHFDSjdDRlowWERSN29YS3BOaEdsMzZOV1J4YjhkSUlqZVU0Tmd0MUNDNkt1RjB4ZFF0eG81TQpxcC9RaVJiSWUxeUJPSHVFV1VDb2hmaSt5cmVTNlFZZ1Y4TmhlMUpRWHR0UDlIa3FPQktPRXJ1RENieEhUUFdnCnNuM29RSitKTXNVU3hYN3gvUE1QdW4vOHRVTDUxMkVvOHFZSWpPTUNnWUVBbVkrKzdtNVRtRzlMbVdtREw0anEKRXhtL3F4Qk1DaitqcC9qYiszK3R2RTZ1enp0SUE4aUNYOU92TFRBRThXdVNVZUhHdUtiVUhwczBMY1JFVGhGdwp4ODBhbThWZ2tPdEw1dzZVMG0yeDgrNXR5Z1lPZHpEYnJCZmRCNXNIQXJ5MDFTeHVmNFl0VkFDVnROWjBOcTltCnU4aFI4SmZwS3RqbjU5cmxrSU5zQ01FQ2dZQVZVckV5bkY3dXRBbzlVM2JWUHpRWmU2ZitwRUlXb0k5YnRFWEMKQW9TWi93dS91TkVsNjI2bFR6QzloOHJjOTFJd0RNcWRLRXBNcmFwTkdzaEp4ZDlWaS92NG0yZlkzTFRQSnprNAo0NWdDZGd0N3FMWG9RQndOVVlKYlRlZ3JvWUdwdWR3aWFpaDc3aUJTcWlmOUhaYWVMb1ZXRmZxVTYxQ0RlV0pECkxwVUtkUUtCZ1FDU1p1MVYvZlZRaENkeldHWWl1UzJWbzdibnhM
QXdiakdKR0R4a0ljL29oTUdpR2FZcTZwU08KREMwV0J3UnFRVXV2RGptU2ZNTnRQa1phVjBGMXN6TWNDV291S2E0ekoxdVJpc0ZiWEg3Rm9vMUNucXBLclE0eApaVnE0T2xVUDFYTjZCMyt3aTl3bkJuam1Gck9mVU9jWEsrSnhiYTJOQmNqSVAzQlVzaUFqZmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls + +--- + +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s auto-direct-node-routes: "false" - bpf-ct-global-any-max: "262144" - bpf-ct-global-tcp-max: "524288" - bpf-lb-algorithm: random - bpf-lb-maglev-table-size: "16381" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-algorithm-annotation: "false" + bpf-lb-external-clusterip: "false" bpf-lb-map-max: "65536" - bpf-lb-sock-hostns-only: "false" - bpf-nat-global-max: "524288" - bpf-neigh-global-max: "524288" + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" cluster-name: default + cluster-pool-ipv6-cidr: fd00::/104 + cluster-pool-ipv6-mask-size: "120" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" cni-exclusive: "true" cni-log-file: /var/run/cilium/cilium-cni.log + custom-cni-conf: "false" + datapath-mode: veth debug: "false" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-bpf-masquerade: "true" + debug-verbose: "" + default-lb-service-ipam: lbipam + direct-routing-skip-unreachable: "false" + dnsproxy-enable-transparent-mode: "true" + 
dnsproxy-socket-linger-timeout: "10" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bpf-clock-probe: "false" enable-endpoint-health-checking: "true" - enable-endpoint-routes: "true" - enable-ipv4: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-envoy-config: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-port: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-ingress-controller: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + enable-internal-traffic-policy: "true" + enable-ipv4: "false" + enable-ipv4-big-tcp: "false" enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" enable-l7-proxy: "true" + enable-lb-ipam: "true" enable-local-redirect-policy: "false" - enable-node-port: "true" - enable-remote-node-identity: "true" - enable-service-topology: "false" - enable-unreachable-routes: "false" - eni-tags: KubernetesCluster=privateciliumadvanced.example.com - etcd-config: |- - --- - endpoints: - - https://api.internal.privateciliumadvanced.example.com:4003 - - trusted-ca-file: '/var/lib/etcd-secrets/etcd-ca.crt' - key-file: '/var/lib/etcd-secrets/etcd-client-cilium.key' - cert-file: '/var/lib/etcd-secrets/etcd-client-cilium.crt' + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-port: "false" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-policy-secrets-sync: "true" + enable-runtime-device-detection: "true" + enable-sctp: "false" + enable-source-ip-verification: 
"true" + enable-svc-source-range-check: "true" + enable-tcx: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + enforce-ingress-https: "true" + envoy-access-log-buffer-size: "4096" + envoy-base-id: "0" + envoy-config-retry-interval: 15s + envoy-keep-cap-netbindservice: "false" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + http-retry-count: "3" + hubble-disable-tls: "false" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-listen-address: :4244 + hubble-metrics: drop + hubble-metrics-server: :9965 + hubble-metrics-server-enable-tls: "false" + hubble-prefer-ipv6: "true" + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key identity-allocation-mode: crd - identity-change-grace-period: 5s - install-iptables-rules: "true" - ipam: eni - kube-proxy-replacement: "true" - kvstore: etcd - kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}' + identity-gc-interval: 15m0s + identity-heartbeat-timeout: 30m0s + ingress-default-lb-mode: dedicated + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-nodelabelselector: "" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-lb-annotation-prefixes: lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io + service.kubernetes.io cloud.google.com + ingress-secrets-namespace: cilium-secrets + ingress-shared-lb-service-name: cilium-ingress + install-no-conntrack-iptables-rules: "false" + ipam: cluster-pool + ipam-cilium-node-update-rate: 15s + iptables-random-fully: "false" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "false" + max-connected-clusters: "255" + mesh-auth-enabled: "true" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: 
"1024" + mesh-auth-rotated-identities-queue-size: "1024" monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 + operator-api-serve-addr: '[::1]:9234' + operator-prometheus-serve-addr: :9963 + policy-cidr-match-mode: "" + policy-secrets-namespace: cilium-secrets + policy-secrets-only-from-secrets-namespace: "true" preallocate-bpf-maps: "false" + procfs: /host/proc + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-initial-fetch-timeout: "30" + proxy-max-concurrent-retries: "128" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-prometheus-port: "9964" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" remove-cilium-node-taints: "true" - routing-mode: native + routing-mode: tunnel + service-no-backend-response: reject set-cilium-is-up-condition: "true" set-cilium-node-taints: "true" - sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused - tofqdns-enable-poller: "false" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: 100ms + tunnel-protocol: vxlan + tunnel-source-port-range: 0-0 + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist kind: ConfigMap metadata: 
@@ -98,6 +283,25 @@ metadata: --- +apiVersion: v1 +data: + config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\nlisten-address: + :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max: + \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: + /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: + true" +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: hubble-relay-config + namespace: kube-system + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -272,6 +476,7 @@ rules: - "" resources: - namespaces + - secrets verbs: - get - list @@ -358,6 +563,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -404,6 +616,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -428,6 +641,21 @@ rules: - create - get - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update --- 
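Review bot: The ClusterRole change in `@@ -272,6 +476,7 @@` grants cluster-wide `secrets` get/list/watch, while the Roles added later in this change deliberately scope Secret access to the `cilium-secrets` namespace; which ClusterRole this rule lands in is not visible in the hunk, and it matters — if it is the `cilium` agent's role, every node's hostNetwork DaemonSet can read every Secret in the cluster, whereas only the operator needs it for `enable-ingress-secrets-sync`/`enable-policy-secrets-sync`. Please confirm the rule is on the operator role only, and consider gating it in the template on ingress/gateway secrets-sync being enabled so clusters without those features do not carry the permission. A one-line comment next to the rule, `# cluster-wide Secret read: required for syncing Ingress/Gateway TLS secrets into cilium-secrets`, would document why the broad grant exists.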
@@ -496,6 +724,100 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -518,6 +840,199 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-ingress-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + role.kubernetes.io/networking: "1" + name: cilium-operator-tlsinterception-secrets + namespace: cilium-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
cilium-operator-tlsinterception-secrets +subjects: +- kind: ServiceAccount + name: cilium-operator + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/part-of: cilium + cilium.io/ingress: "true" + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +spec: + externalTrafficPolicy: Cluster + ports: + - name: http + nodePort: null + port: 80 + protocol: TCP + - name: https + nodePort: null + port: 443 + protocol: TCP + type: LoadBalancer + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + role.kubernetes.io/networking: "1" + name: hubble-relay + namespace: kube-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: grpc + selector: + k8s-app: hubble-relay + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "9965" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble + app.kubernetes.io/part-of: cilium + k8s-app: hubble + role.kubernetes.io/networking: "1" + name: hubble-metrics + namespace: kube-system +spec: + clusterIP: None + ports: + - name: hubble-metrics + port: 9965 + protocol: TCP + targetPort: hubble-metrics + selector: + k8s-app: cilium + type: ClusterIP + +--- + +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + app.kubernetes.io/name: hubble-peer + app.kubernetes.io/part-of: cilium + k8s-app: cilium + role.kubernetes.io/networking: "1" + name: 
hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Local + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -528,7 +1043,6 @@ metadata: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium - kubernetes.io/cluster-service: "true" role.kubernetes.io/networking: "1" name: cilium namespace: kube-system @@ -536,31 +1050,16 @@ spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" template: metadata: - annotations: - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined - container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined - container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium kops.k8s.io/managed-by: kops - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map 
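Review bot: The new `cilium-ingress` Service is `type: LoadBalancer` with `externalTrafficPolicy: Cluster` and carries no scheme or internal annotation, so on AWS it provisions an internet-facing load balancer on 80/443 for any cluster that enables the Cilium ingress controller — including the private-topology cluster this fixture appears to model. Consider surfacing the load-balancer annotations (or an internal/external choice) through `CiliumIngressSpec` so `service.beta.kubernetes.io/aws-load-balancer-internal: "true"` can be set, and state the public-by-default behaviour in the release notes. The enclosing manifest list continues past this hunk into the DaemonSet definition.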
@@ -579,23 +1078,12 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privateciliumadvanced.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + resourceFieldRef: + divisor: "1" + resource: limits.memory + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent lifecycle: postStart: @@ -630,10 +1118,12 @@ spec: livenessProbe: failureThreshold: 10 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" + - name: require-k8s-connectivity + value: "false" path: /healthz port: 9879 scheme: HTTP @@ -641,11 +1131,19 @@ spec: successThreshold: 1 timeoutSeconds: 5 name: cilium-agent - ports: null + ports: + - containerPort: 4244 + hostPort: 4244 + name: peer-service + protocol: TCP + - containerPort: 9965 + hostPort: 9965 + name: hubble-metrics + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" @@ -655,10 +1153,6 @@ spec: periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 - resources: - requests: - cpu: 25m - memory: 128Mi securityContext: capabilities: add: @@ -676,11 +1170,13 @@ spec: - SETUID drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t startupProbe: failureThreshold: 105 httpGet: - host: 127.0.0.1 + host: ::1 httpHeaders: - name: brief value: "true" 
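Review bot: Dropping the explicit `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` env (`api.internal.privateciliumadvanced.example.com` / `"443"`) from the agent and init containers makes them reach the API server through the `kubernetes` ClusterIP, which only works once something programs that VIP; this fixture has `kube-proxy-replacement: "false"` so kube-proxy covers it, but a cluster where kops runs Cilium with kube-proxy replacement would have no way to bootstrap the agent. Please confirm the template still injects these variables (or `k8s-service-host`/`k8s-service-port` in `cilium-config`) whenever kube-proxy is disabled, and add a comment there recording that dependency. Replacing `privileged: true` with `seLinuxOptions: spc_t` plus the explicit capability list is a welcome tightening of the agent container.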
@@ -699,18 +1195,13 @@ spec: - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - - mountPath: /run/cilium/cgroupv2 - name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - - mountPath: /var/lib/etcd-config - name: etcd-config-path - readOnly: true - - mountPath: /var/lib/etcd-secrets - name: etcd-secrets - readOnly: true - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true @@ -719,8 +1210,28 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/lib/cilium/tls/hubble + name: hubble-tls + readOnly: true - mountPath: /tmp name: tmp + - args: + - |- + for i in {1..5}; do \ + [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ + done; \ + cilium-dbg monitor + command: + - /bin/bash + - -c + - -- + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 + imagePullPolicy: IfNotPresent + name: cilium-monitor + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/cilium + name: cilium-run hostNetwork: true initContainers: - command: @@ -737,11 +1248,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privateciliumadvanced.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
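Review bot: The new `cilium-monitor` sidecar is the only container in the DaemonSet without a `securityContext` — every sibling drops `ALL` capabilities — and it runs `cilium-dbg monitor` indefinitely with no `resources`, streaming every datapath event (including connection tuples and policy verdicts) into the node's container logs. It should at least drop capabilities and forbid privilege escalation like the other containers, carry a request/limit, and the template should document that this is a debugging aid whose log volume and contents are sensitive; confirm whether it is meant to be on by default in kops or gated behind a spec flag. The container list it belongs to starts and ends outside this hunk.
```yaml
      - name: cilium-monitor
        # … unchanged: args, command, image, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
```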
@@ -760,7 +1267,7 @@ spec: value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-cgroup securityContext: @@ -771,6 +1278,9 @@ spec: - SYS_PTRACE drop: - ALL + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -787,7 +1297,7 @@ spec: env: - name: BIN_PATH value: /opt/cni/bin - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites securityContext: @@ -798,7 +1308,9 @@ spec: - SYS_PTRACE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc @@ -811,7 +1323,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -842,11 +1354,7 @@ spec: key: write-cni-conf-when-ready name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privateciliumadvanced.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: clean-cilium-state securityContext: 
@@ -858,11 +1366,12 @@ spec: - SYS_RESOURCE drop: - ALL - privileged: true + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf - mountPropagation: HostToContainer name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer @@ -871,7 +1380,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.16.7 + image: quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: @@ -882,14 +1391,22 @@ spec: capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log + seLinuxOptions: + level: s0 + type: spc_t terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always - serviceAccount: cilium + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: @@ -901,6 +1418,10 @@ spec: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate @@ -928,17 +1449,6 @@ spec: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - - configMap: - defaultMode: 256 - items: - - key: etcd-config - path: etcd.config - name: cilium-config - name: etcd-config-path - - hostPath: - path: /etc/kubernetes/pki/cilium - type: Directory - name: etcd-secrets - name: clustermesh-secrets projected: defaultMode: 256 
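Review bot: The pod-level `securityContext` now sets `seccompProfile: type: Unconfined` for the whole DaemonSet, which is new — the old manifest only carried per-container AppArmor `unconfined` annotations and left seccomp to the kubelet — and it applies equally to `install-cni-binaries`, `cilium-monitor` and the `config` init container that have no obvious need for it, while also overriding a kubelet `seccompDefault: true` setting that would otherwise give them `RuntimeDefault`. The agent and the mount/cleanup init containers presumably need unconfined seccomp for bpf/mount syscalls, so keeping it there is defensible, but scoping it to those containers (or documenting in the template why pod-wide is required) would be the least-privilege choice. A comment such as `# seccomp/apparmor unconfined: agent and mount init containers need bpf(2), mount(2) and sysctl writes` would make the exemption auditable.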
@@ -956,6 +1466,16 @@ spec: path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true + - secret: + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt + name: clustermesh-apiserver-local-cert + optional: true - hostPath: path: /proc/sys/net type: Directory @@ -964,6 +1484,20 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - name: hubble-tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + - key: ca.crt + path: client-ca.crt + name: hubble-server-certs + optional: true updateStrategy: type: OnDelete @@ -984,18 +1518,21 @@ metadata: name: cilium-operator namespace: kube-system spec: - replicas: 1 + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator @@ -1005,22 +1542,19 @@ spec: name: cilium-operator spec: affinity: - nodeAffinity: + podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) - - --eni-tags=KubernetesCluster=privateciliumadvanced.example.com command: - - cilium-operator + - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: 
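Review bot: Removing the `nodeAffinity` that pinned `cilium-operator` to `node-role.kubernetes.io/control-plane`/`master` nodes, while keeping `tolerations: operator: Exists` and `automountServiceAccountToken: true`, means the operator — which holds cluster-scoped RBAC that this change also extends — can now be scheduled on any worker, so a compromised worker kubelet gains a token with those permissions. If the motivation was to make `replicas: 2` with required hostname anti-affinity schedulable on single-control-plane clusters, prefer `preferredDuringSchedulingIgnoredDuringExecution` for the anti-affinity and keep the control-plane affinity (or a `nodeSelector` on the control-plane role). At minimum this placement change belongs in the release notes, since kops users may rely on the operator being control-plane-only.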
@@ -1038,15 +1572,11 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: api.internal.privateciliumadvanced.example.com - - name: KUBERNETES_SERVICE_PORT - value: "443" - image: quay.io/cilium/operator:v1.16.7 + image: quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788 imagePullPolicy: IfNotPresent livenessProbe: httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP 
@@ -1054,87 +1584,180 @@ spec: periodSeconds: 10 timeoutSeconds: 3 name: cilium-operator + ports: + - containerPort: 9963 + hostPort: 9963 + name: prometheus + protocol: TCP readinessProbe: failureThreshold: 5 httpGet: - host: 127.0.0.1 + host: ::1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 3 - resources: - requests: - cpu: 25m - memory: 128Mi terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true - - mountPath: /var/lib/etcd-config - name: etcd-config-path - readOnly: true - - mountPath: /var/lib/etcd-secrets - name: etcd-secrets - readOnly: true hostNetwork: true - nodeSelector: null + nodeSelector: + kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always - serviceAccount: cilium-operator serviceAccountName: cilium-operator tolerations: - operator: Exists - topologySpreadConstraints: - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule volumes: - configMap: name: cilium-config name: cilium-config-path - - configMap: - defaultMode: 420 - items: - - key: etcd-config - path: etcd.config - name: cilium-config - name: etcd-config-path - - hostPath: - path: /etc/kubernetes/pki/cilium - type: Directory - name: etcd-secrets --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +apiVersion: apps/v1 +kind: Deployment metadata: creationTimestamp: null labels: addon.kops.k8s.io/name: networking.cilium.io app.kubernetes.io/managed-by: kops - io.cilium/app: operator - name: cilium-operator + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay role.kubernetes.io/networking: "1" - 
name: cilium-operator + name: hubble-relay namespace: kube-system spec: - maxUnavailable: 1 + replicas: 1 selector: matchLabels: - io.cilium/app: operator - name: cilium-operator + k8s-app: hubble-relay + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + k8s-app: hubble-relay + kops.k8s.io/managed-by: kops + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + k8s-app: cilium + topologyKey: kubernetes.io/hostname + automountServiceAccountToken: false + containers: + - args: + - serve + command: + - hubble-relay + image: quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 12 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 10 + name: hubble-relay + ports: + - containerPort: 4245 + name: grpc + readinessProbe: + grpc: + port: 4222 + timeoutSeconds: 3 + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + startupProbe: + failureThreshold: 20 + grpc: + port: 4222 + initialDelaySeconds: 10 + periodSeconds: 3 + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/hubble-relay + name: config + readOnly: true + - mountPath: /var/lib/hubble-relay/tls + name: tls + readOnly: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: null + restartPolicy: Always + securityContext: + fsGroup: 65532 + serviceAccountName: hubble-relay + terminationGracePeriodSeconds: 1 + volumes: + - configMap: + items: + - key: config.yaml + path: config.yaml + name: hubble-relay-config + name: config + - name: tls + projected: + defaultMode: 256 + sources: + - secret: + items: + - key: tls.crt + path: client.crt + - key: 
tls.key + path: client.key + - key: ca.crt + path: hubble-server-ca.crt + name: hubble-relay-client-certs + +--- + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium +spec: + controller: cilium.io/ingress-controller + +--- + +apiVersion: v1 +kind: Endpoints +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.cilium.io + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: cilium-ingress + namespace: kube-system +subsets: +- addresses: + - ip: 192.192.192.192 + ports: + - port: 9999 diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/helm-values.yaml b/upup/models/cloudup/resources/addons/networking.cilium.io/helm-values.yaml index b44d824945437..170db5cbf6e4a 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/helm-values.yaml +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/helm-values.yaml @@ -22,6 +22,8 @@ gatewayAPI: bgpControlPlane: secretsNamespace: create: false +scheduling: + mode: kube-scheduler updateStrategy: type: OnDelete rollingUpdate: null @@ -30,4 +32,4 @@ monitor: ipv4: enabled: false ipv6: - enabled: true \ No newline at end of file + enabled: true diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template index 147b575e6c3c0..667ffe91de501 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template 
@@ -1,169 +1,176 @@ -# helm template --release-name cilium cilium/cilium \ -# --version 1.16.2 \ -# --namespace kube-system \ -# --values helm-values.yaml -{{ with .Networking.Cilium }} -{{- if CiliumSecret }} +--- +# Source: cilium/templates/cilium-secrets-namespace.yaml apiVersion: v1 -kind: Secret +kind: Namespace metadata: - name: cilium-ipsec-keys - namespace: kube-system -stringData: - {{ CiliumSecret }} ---- -{{- end }} + name: "cilium-secrets" + labels: + app.kubernetes.io/part-of: cilium --- +# Source: cilium/templates/cilium-agent/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: cilium + name: "cilium" namespace: kube-system --- +# Source: cilium/templates/cilium-operator/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: cilium-operator + name: "cilium-operator" namespace: kube-system -{{ if WithDefaultBool .Hubble.Enabled false }} --- +# Source: cilium/templates/hubble-relay/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: hubble-relay + name: "hubble-relay" + namespace: kube-system +automountServiceAccountToken: false +--- +# Source: cilium/templates/cilium-ca-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cilium-ca namespace: kube-system -{{ end }} +data: + ca.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ5Z0F3SUJBZ0lSQVBtV0s5WlY3b3VHSWpmV0RZOEtxZ1F3RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTVZvWERUSTRNRGt3TVRBNQpNalEwTVZvd0ZERVNNQkFHQTFVRUF4TUpRMmxzYVhWdElFTkJNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DCkFROEFNSUlCQ2dLQ0FRRUF0ZGE4N0x6ZEVRTEtvWU5uZExuS2xta3hmVURybHNWWHR3TzBuanlGaUl3UG1qRzIKZ2xYT2NHTFd3c0xhc3NiU2grbFlsTEhiMTJscU42K2Yram5zSno5UGdCSk1aRDVTdDVNazErandzZVlJdXFVbQp1QXJSSEpCM05Xd0k3bXliaEx3NFRvcnJrWkJ3QndQaDBDNHZYUmpkcEFDVXFBdkF6MlpOV0dueFVnaXdoMFlUCjczMUNRUDJpQmd0OWJWbE9OOXRIVzRxS3lrcS9OWXFrRnVqYnovNDFaUG52cWN1d3VJcXVZRU1SL2I2T0ordWcKL0NxTjFXS3c4ZHVPT2xOREZ6VFZQUDA0YTdKRzlsNVRtKzVEekVtNnUvemhzakN4dXcxUCtuRUk3Tjc5bWkrbQpkTnM1VXZNaWZ5cVBaYy80eFZxbmlkZzhEdHdSNDljTG0xSEZxUUlEQVFBQm8yRXdYekFPQmdOVkhROEJBZjhFCkJBTUNBcVF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdIUVlEVlIwT0JCWUVGQjI2czNsR2loMzdkbzdJZkhoM0VaL3ZSV3A4TUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0daemdHUHpUTFpEUHQxMkJzK3hJT1ptczdRTzY0YzAzYVBtbUV3M1R5SjRJdzVoM0RtU2NHCnZtUWc5ckE2bS9OVE9Sd3I1T1BROS8rMmprK1E1LzBleG9HRDZQUW1qQjZlNDR1L1pXQnNPejg3bCtLeStHODAKaFlCSmYyRjVrU3VEOVloRm02OWc2ZTUwMUN0bzBXalpsRUZhWlpCOVF2RFhic3VFWjRRVkhPTmRrRWtsM3BNSgo3R0VTYVM5QWRwZEZJclMxanUySTA1cENRdFNMZFZNZHExeXBxMDNCSlBESUVuMmZTVy90eEVteWwrS1UzRDBqCmhSbEtXV1IxdkJxTWM0NHVuWGNrYThZdkkrTHYxckVyTGVyS2tCRWlzbEUwT1dpWUFPUUxoUEhEVlNoenBUM1QKRHZpUXFwb2c1TGsrVW8wMllkVGt3ZXJzR1lDVnB0eVQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + ca.key: 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 --- +# Source: cilium/templates/hubble/tls-helm/relay-client-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: hubble-relay-client-certs + namespace: kube-system +type: kubernetes.io/tls +data: + ca.crt: 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 + tls.crt: 
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTVENDQWpHZ0F3SUJBZ0lSQUtyT2VLQ3hsM3hDbWdtTjFuZHhaVU13RFFZSktvWklodmNOQVFFTEJRQXcKRkRFU01CQUdBMVVFQXhNSlEybHNhWFZ0SUVOQk1CNFhEVEkxTURrd01qQTVNalEwTWxvWERUSTJNRGt3TWpBNQpNalEwTWxvd0l6RWhNQjhHQTFVRUF3d1lLaTVvZFdKaWJHVXRjbVZzWVhrdVkybHNhWFZ0TG1sdk1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdZcUNWSWtRZkRNZmJnblpkN2NZUlpVVlY3UkUKT2JBMFQ3bXRCbnN5dWhBYnZiWTFUckRZU2F4RHVvQnREL0E2UU5MR21QYVhsWC9WN08yS0s1bVlsVHRkTGVxOAp0RHJTZThOT1d1MkFCQWhHdUpNZStqeE9GaktLelZOWXVWOGd1UFZvUEtqV2doYmx1NW5DenVkam5aTkI1L2FlCllQYkh5M0liSzRNNDR2cTUzUzNiRWp0SjAwODFwNFF3N3hnbE1OemZtVWh2YVZpNjNKaTBKMEJoL2RvamNNKzAKZzFwd3c0akJYcjJHZEdnUmRrUDNKMVkrYmFoYWphTHY4T2NlSGFmTm1hNk8zWWR0cHdqNlladG1VMTR1OU9MMAovMmllQ05jRnpUY1RJWGtJSU9qTWJyNUc3QVFDYXBTNWw2NUlqSFJzdndCbFNNRWphSmRNUW5jdm53SURBUUFCCm80R0dNSUdETUE0R0ExVWREd0VCL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUIKQlFVSEF3SXdEQVlEVlIwVEFRSC9CQUl3QURBZkJnTlZIU01FR0RBV2dCUWR1ck41Um9vZCszYU95SHg0ZHhHZgo3MFZxZkRBakJnTlZIUkVFSERBYWdoZ3FMbWgxWW1Kc1pTMXlaV3hoZVM1amFXeHBkVzB1YVc4d0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBSHBjVExhcm1ob0RQYWRRWTdvY3V4UDA1alpRZmlMazNyWkNpcmJEdzFxMlBybkYKWHVET1Zydmt6Y3A1LzVjNzRTeC9xWnBnQWVpeUJQYmF1d2FTM0xoR2lOWmVCSUVFOXVEK0tpenUwWm1tUGtkegprTTF3Z24wdjhwcENNNEFJWkFmc08xUnpwNkFBbnRtQS9yQXNuOWtmWHQ4K2xreEVQSU9NSS9LZzhDdWhvREx4Cm5PeUdVN044V0J6RHRuOWViTlVuaVlOSDV4MTBqNmVSMjZ5OXFyaVhhaFhqSC96ODhFck1lcFpIelh4QkhDYmIKWFc0akpqVDM0bkFheTV5TzAxRG5xSjRhbFQ5aWRmYUhlV3cxa2tnQjJzREJzM3lqZ1RpMkNsU2pweEt2bWQ5VApwUFV5d3NxTXlrOTl6aHpEdzk5bGxqZ2FrY0FoOUlUdk5QQVJpdDQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd1lxQ1ZJa1FmRE1mYmduWmQ3Y1lSWlVWVjdSRU9iQTBUN210Qm5zeXVoQWJ2YlkxClRyRFlTYXhEdW9CdEQvQTZRTkxHbVBhWGxYL1Y3TzJLSzVtWWxUdGRMZXE4dERyU2U4Tk9XdTJBQkFoR3VKTWUKK2p4T0ZqS0t6Vk5ZdVY4Z3VQVm9QS2pXZ2hibHU1bkN6dWRqblpOQjUvYWVZUGJIeTNJYks0TTQ0dnE1M1MzYgpFanRKMDA4MXA0UXc3eGdsTU56Zm1VaHZhVmk2M0ppMEowQmgvZG9qY00rMGcxcHd3NGpCWHIyR2RHZ1Jka1AzCkoxWStiYWhhamFMdjhPY2VIYWZObWE2TzNZZHRwd2o2WVp0bVUxNHU5T0wwLzJpZUNOY0Z6VGNUSVhrSUlPak0KYnI1RzdBUUNhcFM1bDY1SWpIUnN2d0JsU01FamFKZE1RbmN2bndJREFRQUJBb0lCQUVUMENRei9MRDFqcFYzNQo2bDJwZ045Qmh6SVJDb0dYRW53WkJka2FTVzlhejlkZU5FM04yYkVkeTUrRm85V2EyOVkrZ2Z6N1ZmUXdjRklTCkt6anZaeG83NVMyM3hQVmRRNkpPYWZzaFJJdXJPeThGVTNNSnl6UkRXNHBkbUcycXc2akIzaHBHZU80dUpEa2IKUmZtYkhMV0dRbVBYVElQMVNDZG1odUdReGRLdnJLdGVDNks5OFBxaVE0Y09jTWF6RXhvb0w2QWNHQmdzekIvYgpVU2RJSFIvN2lmNXVKbStZcnJkak1TTW1MaFQ3T2ZwcEpvMm5kdHVOTlpFODc1R05WUTVRWTBRRnFscEdJK21GClZwZXFMMVZDWGxnVS9Ed29sQlhYUW9CU01iS0xab1NnUDJ6MU5HcGNMRGsvcU1hRklISXlSYnFHc3lWQ3hIWkoKSS9ISi9hRUNnWUVBNFlEVEhhZWFMQ29QSFU2bXB5NUZsWXZKWDlRWk5TR3d2cEVhSEt1b0lVQ0ZTUTZpa1Jwagp3aHR0akJUZjFWcGZ1dE1PaTNtazFpcVhRY2NGaFNxL01FQVNSVkFzd3RKTXNXV1J1dzJzM25wMFV1OGowa3VKClBWTWNWcHNOTFhiTUpRSGpLcW9QMmZxTFFLZmlseG5HVnl5OEtDTW1SZUExRENGbVN2YkpMZkVDZ1lFQTI3Y2UKUFhxcDJLaHZ0ZFRidmVoaDZ5QmYrZEdxSjQrdytRZ0o2WG42NXpIcWcwa0l2VFNzdHhrbGxkczJrR0lWeFJVaQpoNmt5a2IvMUxsT0gwZXNyOTk1aEx2M0VtNk5mVk5YY21SUmx2alBKZHduWDlHa25qVEtOSlpjdHo2U0xuRTNSCnQydUpYT2hYMk9sNkhub2RFR3VzZUxPSG5GZ29LdDdMd3FYUTVvOENnWUVBc1ZCbXNJNjFQN3ppblp6V2xlWmcKZUxLdDZWZ1JhaUhQcEVqY1MyYitrUWIyeHZkbkJNbkhYejNKNmJnUU9PY1RGd2dXQzczZXl6ZzZMMUtiR0pjQQpOcVJxdVczTmhITndNcDAyOWVwTzM3RlIvbFJqeWx2eTBmR2orc1Y0bXlNcWFuOE5iT0xFREJaaG9MbGlCb1lSCjIwSWx3VG5DUW5lRnZzQVVleVdLRTBFQ2dZRUFtcjFnNHRPZEF5VzlaMFkrYklWWlVRdEFET1dJL012S1M5bEoKZ2RHU3ozanNQUUlXMFlwamlhQ0FSQVpiYTF4cEVLQk43VlZRZEMzSk01Tkl1S0wwR0dIWitBcHBpV09LSkdscQpMN1daNGxiK3NJT1NRR1Erb3NiVGVZSDdsWjNCWlplNDk0RVpBUUh4dktiU2h0eGgwOHJCY1ZDZlZaRVEyUUNJCmFOSDNTaWtDZ1lBSFh5QlF2WXVrUDBFczd1TDg2Nk85Z29LUnVG
eEFRYTB3THBxa3NkZmxJaFh6cllVZENsbFoKK3JFVUswTlVTVjZlQlVwa2Ywd2NTaEE3OFpBWDV6dEU3clB3eFBWT0tkSXY0a0JkS2NXd1FvaVVWck1CaWVsQQo1Znk4RmI0ay9HSVd2YWduOEt1M2hhMHFmSjVxSkNnWlBwbmszR3ZBQThUOGRxUmJrRm0xN3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +--- +# Source: cilium/templates/hubble/tls-helm/server-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: hubble-server-certs + namespace: kube-system +type: kubernetes.io/tls +data: + ca.crt: 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 + tls.crt: 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 + tls.key: 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 +--- +# Source: cilium/templates/cilium-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: cilium-config namespace: kube-system data: - agent-health-port: "9879" - -{{- if .EtcdManaged }} - kvstore: etcd - kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}' - - etcd-config: |- - --- - endpoints: - - https://{{ APIInternalName }}:4003 - - trusted-ca-file: '/var/lib/etcd-secrets/etcd-ca.crt' - key-file: '/var/lib/etcd-secrets/etcd-client-cilium.key' - cert-file: '/var/lib/etcd-secrets/etcd-client-cilium.crt' -{{ end }} # Identity allocation mode selects how identities are shared between cilium - # nodes by setting how they are stored. The options are "crd" or "kvstore". + # nodes by setting how they are stored. The options are "crd", "kvstore" or + # "doublewrite-readkvstore" / "doublewrite-readcrd". # - "crd" stores identities in kubernetes as CRDs (custom resource definition). # These can be queried with: # kubectl get ciliumid - # - "kvstore" stores identities in a kvstore, etcd or consul, that is + # - "kvstore" stores identities in an etcd kvstore, that is # configured below. Cilium versions before 1.6 supported only the kvstore # backend. Upgrades from these older cilium versions should continue using # the kvstore by commenting out the identity-allocation-mode below, or # setting it to "kvstore". 
- # (default crd) - identity-allocation-mode: "{{ .IdentityAllocationMode }}" + # - "doublewrite" modes store identities in both the kvstore and CRDs. This is useful + # for seamless migrations from the kvstore mode to the crd mode. Consult the + # documentation for more information on how to perform the migration. + identity-allocation-mode: crd - # Time to wait before using new identity on endpoint identity change (default 5s) - identity-change-grace-period: "{{ .IdentityChangeGracePeriod }}" + identity-heartbeat-timeout: "30m0s" + identity-gc-interval: "15m0s" + cilium-endpoint-gc-interval: "5m0s" + nodes-gc-interval: "5m0s" # If you want to run cilium in debug mode change this value to true - debug: "{{ .Debug }}" - - {{ if .EnablePrometheusMetrics }} - # If you want metrics enabled in all of your Cilium agents, set the port for - # which the Cilium agents will have their metrics exposed. - # This option deprecates the "prometheus-serve-addr" in the - # "cilium-metrics-config" ConfigMap - # NOTE that this will open the port on ALL nodes where Cilium pods are - # scheduled. - prometheus-serve-addr: ":{{ .AgentPrometheusPort }}" + debug: "false" + debug-verbose: "" + # The agent can be put into the following three policy enforcement modes + # default, always and never. + # https://docs.cilium.io/en/latest/security/policy/intro/#policy-enforcement-modes + enable-policy: "default" + policy-cidr-match-mode: "" + # Port to expose Envoy metrics (e.g. "9964"). Envoy metrics listener will be disabled if this + # field is not set. + proxy-prometheus-port: "9964" + # If you want metrics enabled in cilium-operator, set the port for + # which the Cilium Operator will have their metrics exposed. + # NOTE that this will open the port on the nodes where Cilium operator pod + # is scheduled. operator-prometheus-serve-addr: ":9963" enable-metrics: "true" - {{ end }} - - {{ if .Metrics }} - # Metrics that should be enabled or disabled from the default metric - # list. 
(+metric_foo to enable metric_foo , -metric_bar to disable - # metric_bar). - metrics: {{- range .Metrics }} - {{ . }} - {{- end }} - {{ end }} - - {{ if .EnableEncryption }} - {{ if eq .EncryptionType "ipsec" }} - enable-ipsec: "true" - ipsec-key-file: /etc/ipsec/keys - {{ else if eq .EncryptionType "wireguard" }} - enable-wireguard: "true" - {{ end }} - encrypt-node: "{{ .NodeEncryption }}" - {{ end }} + enable-envoy-config: "true" + envoy-config-retry-interval: "15s" + enable-ingress-controller: "true" + enforce-ingress-https: "true" + enable-ingress-proxy-protocol: "false" + enable-ingress-secrets-sync: "true" + ingress-secrets-namespace: "cilium-secrets" + ingress-lb-annotation-prefixes: "lbipam.cilium.io nodeipam.cilium.io service.beta.kubernetes.io service.kubernetes.io cloud.google.com" + ingress-default-lb-mode: dedicated + ingress-shared-lb-service-name: cilium-ingress + ingress-hostnetwork-enabled: "false" + ingress-hostnetwork-shared-listener-port: "8080" + ingress-hostnetwork-nodelabelselector: "" + enable-policy-secrets-sync: "true" + policy-secrets-only-from-secrets-namespace: "true" + policy-secrets-namespace: "cilium-secrets" # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 # address. - enable-ipv4: "{{ not IsIPv6Only }}" + enable-ipv4: "false" + # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 # address. - enable-ipv6: "{{ IsIPv6Only }}" + enable-ipv6: "true" + # Users who wish to specify their own custom CNI configuration file must set + # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. + custom-cni-conf: "false" + enable-bpf-clock-probe: "false" # If you want cilium monitor to aggregate tracing for packets, set this level # to "low", "medium", or "maximum". The higher the level, the less packets # that will be seen in monitor output. 
- monitor-aggregation: "{{ .MonitorAggregation }}" - # ct-global-max-entries-* specifies the maximum number of connections - # supported across all endpoints, split by protocol: tcp or other. One pair - # of maps uses these values for IPv4 connections, and another pair of maps - # use these values for IPv6 connections. - # - # If these values are modified, then during the next Cilium startup the - # tracking of ongoing connections may be disrupted. This may lead to brief - # policy drops or a change in loadbalancing decisions for a connection. - # - # For users upgrading from Cilium 1.2 or earlier, to minimize disruption - # during the upgrade process, comment out these options. - bpf-ct-global-tcp-max: "{{ .BPFCTGlobalTCPMax }}" - bpf-ct-global-any-max: "{{ .BPFCTGlobalAnyMax }}" - - # BPF load balancing algorithm ("random", "maglev") (default "random") - bpf-lb-algorithm: "{{ .BPFLBAlgorithm }}" - - # Maglev per service backend table size (parameter M) (default 16381) - bpf-lb-maglev-table-size: "{{ .BPFLBMaglevTableSize }}" + monitor-aggregation: medium - # bpf-nat-global-max specified the maximum number of entries in the - # BPF NAT table. (default 524288) - bpf-nat-global-max: "{{ .BPFNATGlobalMax }}" - - # bpf-neigh-global-max specified the maximum number of entries in the - # BPF neighbor table. (default 524288) - bpf-neigh-global-max: "{{ .BPFNeighGlobalMax }}" + # The monitor aggregation interval governs the typical time between monitor + # notification events for each allowed connection. + # + # Only effective when monitor aggregation is set to "medium" or higher. + monitor-aggregation-interval: "5s" + # The monitor aggregation flags determine which TCP flags which, upon the + # first observation, cause monitor notifications to be generated. + # + # Only effective when monitor aggregation is set to "medium" or higher. 
+ monitor-aggregation-flags: all + # Specifies the ratio (0.0-1.0] of total system memory to use for dynamic + # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. + bpf-map-dynamic-size-ratio: "0.0025" # bpf-policy-map-max specifies the maximum number of entries in endpoint - # policy map (per endpoint) (default 16384) - bpf-policy-map-max: "{{ .BPFPolicyMapMax }}" - + # policy map (per endpoint) + bpf-policy-map-max: "16384" # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, - # backend and affinity maps. (default 65536) - bpf-lb-map-max: "{{ .BPFLBMapMax }}" + # backend and affinity maps. + bpf-lb-map-max: "65536" + bpf-lb-external-clusterip: "false" + bpf-lb-source-range-all-types: "false" + bpf-lb-algorithm-annotation: "false" + bpf-lb-mode-annotation: "false" - # bpf-lb-sock-hostns-only enables skipping socket LB for services when inside a pod namespace, - # in favor of service LB at the pod interface. Socket LB is still used when in the host namespace. - # Required by service mesh (e.g., Istio, Linkerd). (default false) - bpf-lb-sock-hostns-only: "{{ .BPFLBSockHostNSOnly }}" - - {{ if .ChainingMode }} - cni-chaining-mode: "{{ .ChainingMode }}" - {{ end }} - - # enable-bpf-masquerade enables masquerading packets from endpoints leaving - # the host with BPF instead of iptables. (default false) - enable-bpf-masquerade: "{{ and (WithDefaultBool .EnableBPFMasquerade false) (not IsIPv6Only) }}" + bpf-distributed-lru: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The 
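Review bot: The new side of this hunk commits private key material into the shipped addon template: the `cilium-ca` Secret carries a `ca.key`, and `hubble-relay-client-certs` and `hubble-server-certs` each carry a `tls.key` as literal base64 data (the relay key is fully visible in the hunk; the CA key and server-cert values are redacted in this view, so I could not confirm whether they repeat it). Because this file is rendered into every cluster that enables the addon, every such cluster would share one Hubble CA and one relay/server key pair, and a CA key readable from a public repository means the Hubble mTLS it anchors no longer authenticates anyone; the `# Source: cilium/templates/hubble/tls-helm/...` comments show these are `helm template` self-signed artifacts that were captured rather than generated. They should be removed from the template and issued per cluster — either through kops's own PKI, which the removed `/etc/kubernetes/pki/cilium` mount in the earlier hunks relied on, or through Cilium's certgen CronJob or cert-manager integration — with a comment such as `# Hubble TLS material is issued per cluster at deploy time; never commit keys here.` in their place. Separately, the visible new side contains no `{{ }}` directives although the file is still a `.yaml.template`, so spec-driven settings such as `identity-allocation-mode`, `debug`, `enable-ipv4`/`enable-ipv6`, the etcd `kvstore` block and `tofqdns-dns-reject-response-code` are now fixed constants; the same applies to the next hunk (@@ -175,185), where `routing-mode`, `tunnel-protocol`, `ipam`, `kube-proxy-replacement` and the unconditional `enable-hubble: "true"` replace the former `.Tunnel`, `.IPAM`, `.EnableNodePort` and `.Hubble.Enabled` templating. If that loss of cluster-spec control is intentional it deserves a header comment; if not, the template directives need to be restored before this render is merged.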
@@ -175,185 +182,169 @@ data: # # If this value is modified, then during the next Cilium startup the restore # of existing endpoints and tracking of ongoing connections may be disrupted. - # This may lead to policy drops or a change in loadbalancing decisions for a - # connection for some time. Endpoints may need to be recreated to restore - # connectivity. + # As a result, reply packets may be dropped and the load-balancing decisions + # for established connections may change. # # If this option is set to "false" during an upgrade from 1.3 or earlier to # 1.4 or later, then it may cause one-time disruptions during the upgrade. - preallocate-bpf-maps: "{{- if .PreallocateBPFMaps -}}true{{- else -}}false{{- end -}}" - # Regular expression matching compatible Istio sidecar istio-proxy - # container image names - sidecar-istio-proxy-image: "{{ .SidecarIstioProxyImage }}" + preallocate-bpf-maps: "false" + + # Name of the cluster. Only relevant when building a mesh of clusters. + cluster-name: default + # Unique ID of the cluster. Must be unique across all conneted clusters and + # in the range of 1 and 255. Only relevant when building a mesh of clusters. + cluster-id: "0" + # Encapsulation mode for communication between nodes # Possible values: # - disabled # - vxlan (default) # - geneve - {{ if eq .Tunnel "disabled" }} - # This option enables native-routing mode, in place of tunnel=disabled, now deprecated. - routing-mode: "native" - {{ else }} - routing-mode: "tunnel" - tunnel-protocol: "{{ .Tunnel }}" - {{ end }} - - # Name of the cluster. Only relevant when building a mesh of clusters. - cluster-name: "{{ .ClusterName }}" - # ID of the cluster. Only relevant when building a mesh of clusters. - # Must be a number between 1 and 255. 
- {{ if .ClusterID }} - cluster-id: "{{ .ClusterID }}" - {{ end }} - remove-cilium-node-taints: "true" - set-cilium-node-taints: "true" - set-cilium-is-up-condition: "true" - - # DNS response code for rejecting DNS requests, - # available options are "nameError" and "refused" - tofqdns-dns-reject-response-code: "{{ .ToFQDNsDNSRejectResponseCode }}" - # This option is disabled by default starting from version 1.4.x in favor - # of a more powerful DNS proxy-based implementation, see [0] for details. - # Enable this option if you want to use FQDN policies but do not want to use - # the DNS proxy. - # - # To ease upgrade, users may opt to set this option to "true". - # Otherwise please refer to the Upgrade Guide [1] which explains how to - # prepare policy rules for upgrade. - # - # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based - # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action - tofqdns-enable-poller: "{{- if .ToFQDNsEnablePoller -}}true{{- else -}}false{{- end -}}" - # Enable fetching of container-runtime specific metadata - # - # By default, the Kubernetes pod and namespace labels are retrieved and - # associated with endpoints for identification purposes. By integrating - # with the container runtime, container runtime specific labels can be - # retrieved, such labels will be prefixed with container: - # - # CAUTION: The container runtime labels can include information such as pod - # annotations which may result in each pod being associated a unique set of - # labels which can result in excessive security identities being allocated. - # Please review the labels filter when enabling container runtime labels. 
- # - # Supported values: - # - containerd - # - crio - # - docker - # - none - # - auto (automatically detect the container runtime) - # - enable-ipv4-masquerade: "{{ .Masquerade }}" - enable-ipv6-masquerade: "false" - install-iptables-rules: "{{ WithDefaultBool .InstallIptablesRules true }}" - auto-direct-node-routes: "{{ .AutoDirectNodeRoutes }}" - {{ if .EnableHostReachableServices }} - enable-host-reachable-services: "{{ .EnableHostReachableServices }}" - {{ end }} - enable-node-port: "{{ .EnableNodePort }}" - kube-proxy-replacement: "{{- if .EnableNodePort -}}true{{- else -}}false{{- end -}}" - - operator-api-serve-addr: "{{- if IsIPv6Only -}}[::1]{{- else -}}127.0.0.1{{- end -}}:9234" - {{ with .IPAM }} - ipam: {{ . }} - {{ if eq . "eni" }} - enable-endpoint-routes: "true" - auto-create-cilium-node-resource: "true" - eni-tags: "{{ CloudLabels }}" - {{ end }} - {{ end }} - - # Disables usage of CiliumEndpoint CRD - disable-endpoint-crd: "{{ .DisableEndpointCRD }}" - - # Enable connectivity health checking between virtual endpoints (default true) - enable-endpoint-health-checking: "{{ .EnableEndpointHealthChecking }}" - - # Enable use of remote node identity (default false) - enable-remote-node-identity: "{{ .EnableRemoteNodeIdentity }}" - - # Enable unreachable routes on pod deletion (default false) - enable-unreachable-routes: "{{ .EnableUnreachableRoutes }}" - - # enable-l7-proxy enables L7 proxy for L7 policy enforcement. (default true) - enable-l7-proxy: "{{ .EnableL7Proxy }}" - - # enable-local-redirect-policy EnableLocalRedirectPolicy that enables pod traffic destined to an IP address and port/protocol - # tuple or Kubernetes service to be redirected locally to backend pod(s) within a node, using eBPF. 
(default false) - enable-local-redirect-policy: "{{ .EnableLocalRedirectPolicy }}" - - cgroup-root: /run/cilium/cgroupv2 - - disable-cnp-status-updates: "{{ .DisableCNPStatusUpdates }}" - nodes-gc-interval: "5m0s" - - enable-service-topology: "{{ .EnableServiceTopology }}" - - {{ if WithDefaultBool .Ingress.Enabled false }} - enable-envoy-config: "true" - external-envoy-proxy: "false" - enable-ingress-controller: "true" - ingress-secrets-namespace: kube-system - - {{ if .Ingress.EnforceHttps }} - enforce-ingress-https: "{{ .Ingress.EnforceHttps }}" - {{ end }} - - {{ if .Ingress.EnableSecretsSync }} - enable-ingress-secrets-sync: "{{ .Ingress.EnableSecretsSync }}" - {{ end }} + routing-mode: "tunnel" + tunnel-protocol: "vxlan" + tunnel-source-port-range: "0-0" + service-no-backend-response: "reject" - {{ if .Ingress.SharedLoadBalancerServiceName }} - ingress-shared-lb-service-name: {{ .Ingress.SharedLoadBalancerServiceName }} - {{ end }} - {{ if .Ingress.DefaultLoadBalancerMode }} - ingress-default-lb-mode: {{ .Ingress.DefaultLoadBalancerMode }} - {{ end }} + # Enables L7 proxy for L7 policy enforcement and visibility + enable-l7-proxy: "true" - {{ if .Ingress.LoadBalancerAnnotationPrefixes }} - ingress-lb-annotation-prefixes: "{{ .Ingress.LoadBalancerAnnotationPrefixes }}" - {{ end }} - {{ end }} + enable-ipv4-masquerade: "true" + enable-ipv4-big-tcp: "false" + enable-ipv6-big-tcp: "false" + enable-ipv6-masquerade: "true" + enable-tcx: "true" + datapath-mode: "veth" + enable-masquerade-to-route-source: "false" - {{ if WithDefaultBool .GatewayAPI.Enabled false }} - enable-gateway-api: "true" - gateway-api-secrets-namespace: kube-system + enable-xt-socket-fallback: "true" + install-no-conntrack-iptables-rules: "false" + iptables-random-fully: "false" - {{ if .GatewayAPI.EnableSecretsSync }} - enable-gateway-api-secrets-sync: "{{ .GatewayAPI.EnableSecretsSync }}" - {{ end }} - {{ end }} + auto-direct-node-routes: "false" + direct-routing-skip-unreachable: "false" + 
enable-local-redirect-policy: "false" + enable-runtime-device-detection: "true" + kube-proxy-replacement: "false" + bpf-lb-sock: "false" + enable-host-port: "false" + enable-node-port: "false" + nodeport-addresses: "" + enable-health-check-nodeport: "true" + enable-health-check-loadbalancer-ip: "false" + node-port-bind-protection: "true" + enable-auto-protect-node-port-range: "true" + bpf-lb-acceleration: "disabled" + enable-experimental-lb: "false" + enable-svc-source-range-check: "true" + enable-l2-neigh-discovery: "true" + arping-refresh-period: "30s" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + enable-k8s-networkpolicy: "true" + enable-endpoint-lockdown-on-policy-overflow: "false" # Tell the agent to generate and write a CNI configuration file write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist - cni-exclusive: "{{ .CniExclusive }}" + cni-exclusive: "true" cni-log-file: "/var/run/cilium/cilium-cni.log" + enable-endpoint-health-checking: "true" + enable-health-checking: "true" + health-check-icmp-failure-threshold: "3" + enable-well-known-identities: "false" + enable-node-selector-labels: "false" + synchronize-k8s-nodes: "true" + operator-api-serve-addr: "[::1]:9234" - {{ if WithDefaultBool .Hubble.Enabled false }} - # Enable Hubble gRPC service. enable-hubble: "true" # UNIX domain socket for Hubble server to listen to. - hubble-socket-path: "/var/run/cilium/hubble.sock" + hubble-socket-path: "/var/run/cilium/hubble.sock" + # Address to expose Hubble metrics (e.g. ":7070"). Metrics server will be disabled if this + # field is not set. + hubble-metrics-server: ":9965" + hubble-metrics-server-enable-tls: "false" + enable-hubble-open-metrics: "false" + # A space separated list of metrics to enable. See [0] for available metrics. 
+ # + # https://github.com/cilium/hubble/blob/master/Documentation/metrics.md + hubble-metrics: + drop + hubble-export-file-max-size-mb: "10" + hubble-export-file-max-backups: "5" # An additional address for Hubble server to listen to (e.g. ":4244"). hubble-listen-address: ":4244" hubble-disable-tls: "false" hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt - {{ if .Hubble.Metrics }} - hubble-metrics-server: ":9965" - hubble-metrics: - {{- range .Hubble.Metrics }} - {{ . }} - {{- end }} - {{ end }} - {{ end }} + hubble-prefer-ipv6: "true" + ipam: "cluster-pool" + ipam-cilium-node-update-rate: "15s" + cluster-pool-ipv6-cidr: "fd00::/104" + cluster-pool-ipv6-mask-size: "120" + + default-lb-service-ipam: "lbipam" + egress-gateway-reconciliation-trigger-interval: "1s" + enable-vtep: "false" + vtep-endpoint: "" + vtep-cidr: "" + vtep-mask: "" + vtep-mac: "" + procfs: "/host/proc" + bpf-root: "/sys/fs/bpf" + cgroup-root: "/run/cilium/cgroupv2" + enable-k8s-terminating-endpoint: "true" + enable-sctp: "false" + remove-cilium-node-taints: "true" + set-cilium-node-taints: "true" + set-cilium-is-up-condition: "true" + unmanaged-pod-watcher-interval: "15" + # default DNS proxy to transparent mode in non-chaining modes + dnsproxy-enable-transparent-mode: "true" + dnsproxy-socket-linger-timeout: "10" + tofqdns-dns-reject-response-code: "refused" + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: "0s" + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-proxy-response-max-delay: "100ms" + agent-not-ready-taint-key: "node.cilium.io/agent-not-ready" + + mesh-auth-enabled: "true" + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + mesh-auth-gc-interval: "5m0s" -{{ if WithDefaultBool .Hubble.Enabled false }} + 
proxy-xff-num-trusted-hops-ingress: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-connect-timeout: "2" + proxy-initial-fetch-timeout: "30" + proxy-max-requests-per-connection: "0" + proxy-max-connection-duration-seconds: "0" + proxy-idle-timeout-seconds: "60" + proxy-max-concurrent-retries: "128" + http-retry-count: "3" + + external-envoy-proxy: "false" + envoy-base-id: "0" + envoy-access-log-buffer-size: "4096" + envoy-keep-cap-netbindservice: "false" + max-connected-clusters: "255" + clustermesh-enable-endpoint-sync: "false" + clustermesh-enable-mcs-api: "false" + + nat-map-stats-entries: "32" + nat-map-stats-interval: "30s" + enable-internal-traffic-policy: "true" + enable-lb-ipam: "true" + enable-non-default-deny-policies: "true" + enable-source-ip-verification: "true" + +# Extra config allows adding arbitrary properties to the cilium config. +# By putting it at the end of the ConfigMap, it's also possible to override existing properties. --- -# Source: cilium/templates/hubble-relay-configmap.yaml +# Source: cilium/templates/hubble-relay/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: 
@@ -361,37 +352,21 @@ metadata: namespace: kube-system data: config.yaml: | - cluster-name: "{{ .ClusterName }}" - peer-service: "hubble-peer.kube-system.svc.cluster.local:443" + cluster-name: default + peer-service: "hubble-peer.kube-system.svc.cluster.local.:443" listen-address: :4245 - - disable-server-tls: true - - tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt - tls-client-key-file: /var/lib/hubble-relay/tls/client.key + gops: true + gops-port: "9893" + retry-timeout: + sort-buffer-len-max: + sort-buffer-drain-timeout: + tls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt + tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt + + disable-server-tls: true --- -# Source: cilium/templates/hubble/peer-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hubble-peer - namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - app.kubernetes.io/name: hubble-peer -spec: - selector: - k8s-app: cilium - ports: - - name: peer-service - port: 443 - protocol: TCP - targetPort: 4244 - internalTrafficPolicy: Local -{{ end }} ---- +# Source: cilium/templates/cilium-agent/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -434,6 +409,9 @@ rules: verbs: - list - watch + # This is used when validating policies in preflight. This will need to stay + # until we figure out how to avoid "get" inside the preflight, and then + # should be removed ideally. - get - apiGroups: - cilium.io @@ -500,6 +478,7 @@ rules: verbs: - patch --- +# Source: cilium/templates/cilium-operator/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -525,7 +504,7 @@ rules: resourceNames: - cilium-config verbs: - # allow patching of the configmap to set annotations + # allow patching of the configmap to set annotations - patch - apiGroups: - "" 
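Review bot: `cluster-name: default` in the hubble-relay config hardcodes a placeholder where the old manifest rendered `{{ .ClusterName }}`, so flows observed through relay for this cluster will be labelled with a name that does not match the kops cluster; if the chart value is meant to be wired through, the rendered line should carry the cluster name. The same hunk emits `retry-timeout:`, `sort-buffer-len-max:` and `sort-buffer-drain-timeout:` with empty values, which looks like unset chart values leaking into the rendered ConfigMap rather than an intentional setting. `disable-server-tls: true` is carried over unchanged, so the relay listener on :4245 stays plaintext; a comment such as `# relay gRPC listener is plaintext; exposed only via the in-cluster hubble-relay Service` would record that this is deliberate.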
@@ -564,6 +543,7 @@ rules: resources: # to check apiserver connectivity - namespaces + - secrets verbs: - get - list @@ -657,6 +637,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -703,6 +690,7 @@ rules: - ciliumbgppeeringpolicies - ciliumbgpclusterconfigs - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs verbs: - get - list @@ -719,6 +707,12 @@ rules: - ciliumloadbalancerippools/status verbs: - patch +# For cilium-operator running in HA mode. +# +# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election +# between multiple running instances. +# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less +# common and fewer objects in the cluster watch "all Leases". - apiGroups: - coordination.k8s.io resources: @@ -727,7 +721,6 @@ rules: - create - get - update -{{ if WithDefaultBool .Ingress.Enabled false }} - apiGroups: - networking.k8s.io resources: 
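Review bot: Adding `secrets` next to `namespaces` in the operator ClusterRole (the section introduced under `# Source: cilium/templates/cilium-operator/clusterrole.yaml` in the previous hunk) grants the cilium-operator service account cluster-wide `get`/`list` on every Secret, whereas the old manifest confined its secret access to namespaced Roles. Presumably this is the upstream chart's rule for Ingress/Gateway TLS secret sync, but the context comment above it still reads `# to check apiserver connectivity`, which no longer describes what the rule permits. If the grant is intended, a comment naming the consumer, e.g. `# secrets: cluster-wide read for Ingress/Gateway TLS secret sync`, would make the scope reviewable; if this fixture does not enable Ingress or Gateway API the rule should not be emitted at all. The rule's remaining verbs continue outside the hunk.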
@@ -743,56 +736,8 @@ rules: - ingresses/status # To update ingress status with load balancer IP. verbs: - update -{{ end }} -{{ if WithDefaultBool .GatewayAPI.Enabled false }} -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - - gateways - - tlsroutes - - httproutes - - grpcroutes - - referencegrants - - referencepolicies - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - patch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - - gateways/status - - httproutes/status - - grpcroutes/status - - tlsroutes/status - verbs: - - update - - patch -- apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumgatewayclassconfigs/status - verbs: - - update - - patch -{{ end }} --- +# Source: cilium/templates/cilium-agent/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -805,9 +750,10 @@ roleRef: name: cilium subjects: - kind: ServiceAccount - name: cilium + name: "cilium" namespace: kube-system --- +# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -820,9 +766,10 @@ roleRef: name: cilium-operator subjects: - kind: ServiceAccount - name: cilium-operator + name: "cilium-operator" namespace: kube-system --- +# Source: cilium/templates/cilium-agent/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -840,30 +787,30 @@ rules: - list - watch --- -# Source: cilium/templates/cilium-agent/rolebinding.yaml +# Source: cilium/templates/cilium-agent/role.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: - name: cilium-config-agent - namespace: kube-system + name: cilium-ingress-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-config-agent -subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system -{{ if WithDefaultBool .Ingress.Enabled false }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch --- # Source: cilium/templates/cilium-agent/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: cilium-ingress-secrets - namespace: kube-system + name: cilium-tlsinterception-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium rules: @@ -876,28 +823,31 @@ rules: - list - watch --- +# Source: cilium/templates/cilium-operator/role.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: Role metadata: - name: cilium-secrets - namespace: kube-system + name: cilium-operator-ingress-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-ingress-secrets -subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - update + - patch --- # Source: cilium/templates/cilium-operator/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: cilium-operator-ingress-secrets - namespace: kube-system + name: cilium-operator-tlsinterception-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium rules: 
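Review bot: The Roles in this hunk and the next (`cilium-ingress-secrets`, `cilium-tlsinterception-secrets`, `cilium-operator-ingress-secrets`, `cilium-operator-tlsinterception-secrets`) now live in `namespace: "cilium-secrets"`, but no `kind: Namespace` object for `cilium-secrets` appears in this part of the diff; if the rendered addon does not create it (the old manifest kept these Roles in `kube-system`), applying the addon fails at the first namespaced object and the RoleBindings that follow in the next hunk have nothing to bind. Worth confirming the Namespace is emitted earlier in the manifest, or adding `# requires the cilium-secrets Namespace, created earlier in this manifest` above the first Role so the ordering dependency is explicit. The `cilium-config-agent` RoleBinding this hunk replaces reappears in the following hunk, so that is a move rather than a removal.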
@@ -911,147 +861,133 @@ rules: - update - patch --- -# Source: cilium/templates/cilium-operator/rolebinding.yaml +# Source: cilium/templates/cilium-agent/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: cilium-operator-ingress-secrets + name: cilium-config-agent namespace: kube-system labels: app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: cilium-operator-ingress-secrets + name: cilium-config-agent subjects: - kind: ServiceAccount - name: "cilium-operator" + name: "cilium" namespace: kube-system --- -# Source: cilium/templates/cilium-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: cilium -spec: - controller: cilium.io/ingress-controller -{{ if or (eq .Ingress.DefaultLoadBalancerMode "shared") (not .Ingress.DefaultLoadBalancerMode) }} ---- -# Source: cilium/templates/cilium-ingress-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: {{ .Ingress.SharedLoadBalancerServiceName }} - namespace: kube-system - labels: - cilium.io/ingress: "true" -spec: - ports: - - name: http - port: 80 - protocol: TCP - nodePort: - - name: https - port: 443 - protocol: TCP - nodePort: - type: LoadBalancer ---- -# Source: cilium/templates/cilium-ingress-service.yaml -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ .Ingress.SharedLoadBalancerServiceName }} - namespace: kube-system -subsets: -- addresses: - - ip: "192.192.192.192" - ports: - - port: 9999 -{{ end }} -{{ end }} -{{ if WithDefaultBool .GatewayAPI.Enabled false }} ---- -# Source: cilium/templates/cilium-agent/role.yaml +# Source: cilium/templates/cilium-agent/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: RoleBinding metadata: - name: cilium-gateway-secrets - namespace: kube-system + name: cilium-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - 
- list - - watch +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-ingress-secrets +subjects: + - kind: ServiceAccount + name: "cilium" + namespace: kube-system --- -# Source: cilium/templates/cilium-operator/rolebinding.yaml +# Source: cilium/templates/cilium-agent/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: cilium-gateway-secrets - namespace: kube-system + name: cilium-tlsinterception-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: cilium-gateway-secrets + name: cilium-tlsinterception-secrets subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system +- kind: ServiceAccount + name: "cilium" + namespace: kube-system --- -# Source: cilium/templates/cilium-operator/clusterrole.yaml +# Source: cilium/templates/cilium-operator/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: RoleBinding metadata: - name: cilium-operator-gateway-secrets + name: cilium-operator-ingress-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - update - - patch +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cilium-operator-ingress-secrets +subjects: +- kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system --- -# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml +# Source: cilium/templates/cilium-operator/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: cilium-operator-gateway-secrets + name: cilium-operator-tlsinterception-secrets + namespace: "cilium-secrets" labels: app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium-operator-gateway-secrets + kind: Role + name: 
cilium-operator-tlsinterception-secrets subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system +- kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system --- -# Source: cilium/templates/cilium-gateway-api-class.yaml -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass +# Source: cilium/templates/cilium-ingress-service.yaml +apiVersion: v1 +kind: Service metadata: - name: cilium + name: cilium-ingress + namespace: kube-system + labels: + cilium.io/ingress: "true" + app.kubernetes.io/part-of: cilium spec: - controllerName: io.cilium/gateway-controller - description: The default Cilium GatewayClass -{{ end }} -{{ if WithDefaultBool .Hubble.Enabled false }} -{{ if .Hubble.Metrics }} + ports: + - name: http + port: 80 + protocol: TCP + nodePort: + - name: https + port: 443 + protocol: TCP + nodePort: + type: LoadBalancer + externalTrafficPolicy: Cluster +--- +# Source: cilium/templates/hubble-relay/service.yaml +kind: Service +apiVersion: v1 +metadata: + name: hubble-relay + namespace: kube-system + annotations: + labels: + k8s-app: hubble-relay + app.kubernetes.io/name: hubble-relay + app.kubernetes.io/part-of: cilium + +spec: + type: "ClusterIP" + selector: + k8s-app: hubble-relay + ports: + - protocol: TCP + port: 80 + targetPort: grpc --- # Source: cilium/templates/hubble/metrics-service.yaml apiVersion: v1 @@ -1063,6 +999,7 @@ metadata: k8s-app: hubble app.kubernetes.io/name: hubble app.kubernetes.io/part-of: cilium + annotations: prometheus.io/scrape: "true" prometheus.io/port: "9965" 
@@ -1076,28 +1013,29 @@ spec: targetPort: hubble-metrics selector: k8s-app: cilium -{{ end }} --- -# Source: cilium/templates/hubble-relay-service.yaml -kind: Service +# Source: cilium/templates/hubble/peer-service.yaml apiVersion: v1 +kind: Service metadata: - name: hubble-relay + name: hubble-peer namespace: kube-system labels: - k8s-app: hubble-relay - app.kubernetes.io/name: hubble-relay + k8s-app: cilium app.kubernetes.io/part-of: cilium + app.kubernetes.io/name: hubble-peer + spec: - type: ClusterIP selector: - k8s-app: hubble-relay + k8s-app: cilium ports: - - protocol: TCP - port: 80 - targetPort: 4245 -{{ end }} + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + internalTrafficPolicy: Local --- +# Source: cilium/templates/cilium-agent/daemonset.yaml apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -1107,48 +1045,28 @@ metadata: k8s-app: cilium app.kubernetes.io/part-of: cilium app.kubernetes.io/name: cilium-agent - kubernetes.io/cluster-service: "true" spec: selector: matchLabels: k8s-app: cilium - kubernetes.io/cluster-service: "true" updateStrategy: type: OnDelete template: metadata: annotations: - {{ if .EnablePrometheusMetrics }} - # Annotation required for prometheus auto-discovery scraping - # https://docs.cilium.io/en/v1.9/operations/metrics/#installation - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .AgentPrometheusPort }}" - {{ end }} - container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined" - container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined" - container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined" - container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined" - {{- range $key, $value := .AgentPodAnnotations }} - {{ $key }}: "{{ $value }}" - {{- end }} labels: k8s-app: cilium app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium - kubernetes.io/cluster-service: "true" spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux + securityContext: + appArmorProfile: + type: Unconfined + seccompProfile: + type: Unconfined containers: - name: cilium-agent - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent command: - cilium-agent @@ -1156,7 +1074,7 @@ spec: - --config-dir=/tmp/cilium/config-map startupProbe: httpGet: - host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' + host: "::1" path: /healthz port: 9879 scheme: HTTP 
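Review bot: The pod-level `securityContext` with `appArmorProfile: type: Unconfined` and `seccompProfile: type: Unconfined` applies to every container in the DaemonSet pod, including `config`, `install-cni-binaries` and `cilium-monitor`, which previously had no seccomp relaxation at all (the old manifest only set AppArmor unconfined through per-container annotations). Since the later hunks replace `privileged: true` with explicit capabilities plus `spc_t`, pod-wide seccomp Unconfined becomes the broadest relaxation left in the manifest and deserves a comment stating why, e.g. `# Unconfined seccomp/AppArmor: agent loads eBPF and mounts bpffs/cgroup2; note this applies to all containers in the pod`. This hunk also drops the `.AgentPodAnnotations` and `.EnablePrometheusMetrics` rendering, and the next hunk at L174 drops `.CPURequest`/`.MemoryRequest`, so if the fixture reflects the template those cluster-spec fields are silently no longer honoured for the agent; confirm against the template.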
@@ -1169,24 +1087,22 @@ spec: initialDelaySeconds: 5 livenessProbe: httpGet: - host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' + host: "::1" path: /healthz port: 9879 scheme: HTTP httpHeaders: - name: "brief" value: "true" + - name: "require-k8s-connectivity" + value: "false" periodSeconds: 30 successThreshold: 1 failureThreshold: 10 timeoutSeconds: 5 - resources: - requests: - cpu: {{ or .CPURequest "25m" }} - memory: {{ or .MemoryRequest "128Mi" }} readinessProbe: httpGet: - host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' + host: "::1" path: /healthz port: 9879 scheme: HTTP 
@@ -1210,79 +1126,55 @@ spec: fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - key: cni-chaining-mode - name: cilium-config - optional: true - - name: CILIUM_CUSTOM_CNI_CONF + - name: GOMEMLIMIT valueFrom: - configMapKeyRef: - key: custom-cni-conf - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "{{ APIInternalName }}" - - name: KUBERNETES_SERVICE_PORT - value: "443" - {{ with .EnablePolicy }} - - name: CILIUM_ENABLE_POLICY - value: {{ . }} - {{ end }} + resourceFieldRef: + resource: limits.memory + divisor: '1' lifecycle: - {{ if eq .IPAM "eni" }} postStart: exec: command: - "bash" - "-c" - | - set -o errexit - set -o pipefail - set -o nounset - - # When running in AWS ENI mode, it's likely that 'aws-node' has - # had a chance to install SNAT iptables rules. These can result - # in dropped traffic, so we should attempt to remove them. - # We do it using a 'postStart' hook since this may need to run - # for nodes which might have already been init'ed but may still - # have dangling rules. This is safe because there are no - # dependencies on anything that is part of the startup script - # itself, and can be safely run multiple times per node (e.g. in - # case of a restart). - if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; - then - echo 'Deleting iptables rules created by the AWS CNI VPC plugin' - iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore - fi - echo 'Done!' - {{- end }} + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. 
+ # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' + preStop: exec: command: - /cni-uninstall.sh ports: - {{- if WithDefaultBool .Hubble.Enabled false }} - name: peer-service containerPort: 4244 hostPort: 4244 protocol: TCP - {{- if .Hubble.Metrics }} - - containerPort: 9965 + - name: hubble-metrics + containerPort: 9965 hostPort: 9965 - name: hubble-metrics - protocol: TCP - {{- end }} - {{- end }} - {{ if .EnablePrometheusMetrics }} - - containerPort: {{ .AgentPrometheusPort }} - name: prometheus protocol: TCP - {{- end }} - terminationMessagePolicy: FallbackToLogsOnError securityContext: - privileged: true + seLinuxOptions: + level: s0 + type: spc_t capabilities: add: - CHOWN @@ -1299,6 +1191,7 @@ spec: - SETUID drop: - ALL + terminationMessagePolicy: FallbackToLogsOnError volumeMounts: # Unprivileged containers need to mount /proc/sys/net from the host # to have write access 
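Review bot: Dropping the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` env (previously set to `{{ APIInternalName }}`) leaves the agent dependent on the `kubernetes` ClusterIP to reach the API server, and on a kube-proxy-replacement cluster that ClusterIP is implemented by the agent itself, so a node whose Cilium is not yet running has no path to the API at bootstrap or after a restart. The same removal appears for the `config` init container (L177, `@@ -1386`), `clean-cilium-state` (L179) and the operator (L184, `@@ -1747`). Unless the ConfigMap now carries `k8s-service-host`/`k8s-service-port` (that hunk starts outside this view), the env entries should be kept with `value:` set to the API-server internal name. The postStart hook in this hunk is now unconditional where it used to be gated on `.IPAM == "eni"`; it only rewrites rules when the AWS chains exist, so a comment such as `# no-op unless aws-node SNAT chains are present` would save the next reader the question.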
@@ -1315,20 +1208,13 @@ spec: # is privileged and set the mount propagation from host to container # in Cilium. mountPropagation: HostToContainer - - name: cilium-cgroup - mountPath: /run/cilium/cgroupv2 - name: cilium-run mountPath: /var/run/cilium + - name: cilium-netns + mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer - name: etc-cni-netd mountPath: /host/etc/cni/net.d -{{ if .EtcdManaged }} - - name: etcd-config-path - mountPath: /var/lib/etcd-config - readOnly: true - - name: etcd-secrets - mountPath: /var/lib/etcd-secrets - readOnly: true -{{ end }} - name: clustermesh-secrets mountPath: /var/lib/cilium/clustermesh readOnly: true @@ -1338,20 +1224,14 @@ spec: readOnly: true - name: xtables-lock mountPath: /run/xtables.lock - - name: tmp - mountPath: /tmp -{{ if WithDefaultBool .Hubble.Enabled false }} - name: hubble-tls mountPath: /var/lib/cilium/tls/hubble readOnly: true -{{ end }} -{{ if CiliumSecret }} - - mountPath: /etc/ipsec - name: cilium-ipsec-secrets -{{ end }} -{{ if .Debug }} + - name: tmp + mountPath: /tmp + - name: cilium-monitor - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent command: - /bin/bash @@ -1367,10 +1247,9 @@ spec: volumeMounts: - name: cilium-run mountPath: /var/run/cilium -{{ end }} initContainers: - name: config - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent command: - cilium-dbg @@ -1386,10 +1265,6 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: KUBERNETES_SERVICE_HOST - value: "{{ APIInternalName }}" - - name: KUBERNETES_SERVICE_PORT - value: "443" volumeMounts: - name: tmp mountPath: /tmp 
@@ -1397,7 +1272,7 @@ spec: # Required to mount cgroup2 filesystem on the underlying Kubernetes node. # We use nsenter command with host's cgroup and mount namespaces enabled. - name: mount-cgroup - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent env: - name: CGROUP_ROOT @@ -1423,6 +1298,9 @@ spec: mountPath: /hostbin terminationMessagePolicy: FallbackToLogsOnError securityContext: + seLinuxOptions: + level: s0 + type: spc_t capabilities: add: - SYS_ADMIN @@ -1431,7 +1309,7 @@ spec: drop: - ALL - name: apply-sysctl-overwrites - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent env: - name: BIN_PATH @@ -1455,7 +1333,9 @@ spec: mountPath: /hostbin terminationMessagePolicy: FallbackToLogsOnError securityContext: - privileged: true + seLinuxOptions: + level: s0 + type: spc_t capabilities: add: - SYS_ADMIN @@ -1467,7 +1347,7 @@ spec: # from a privileged container because the mount propagation bidirectional # only works from privileged containers. - name: mount-bpf-fs - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' @@ -1483,7 +1363,7 @@ spec: mountPath: /sys/fs/bpf mountPropagation: Bidirectional - name: clean-cilium-state - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent command: - /init-container.sh 
@@ -1506,13 +1386,11 @@ spec: name: cilium-config key: write-cni-conf-when-ready optional: true - - name: KUBERNETES_SERVICE_HOST - value: "{{ APIInternalName }}" - - name: KUBERNETES_SERVICE_PORT - value: "443" terminationMessagePolicy: FallbackToLogsOnError securityContext: - privileged: true + seLinuxOptions: + level: s0 + type: spc_t capabilities: add: - NET_ADMIN 
@@ -1524,46 +1402,43 @@ spec: volumeMounts: - name: bpf-maps mountPath: /sys/fs/bpf - mountPropagation: HostToContainer # Required to mount cgroup filesystem from the host to cilium agent pod - name: cilium-cgroup mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer - name: cilium-run - mountPath: /var/run/cilium + mountPath: /var/run/cilium # wait-for-kube-proxy # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent - name: install-cni-binaries - image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" + image: "quay.io/cilium/cilium:v1.17.7@sha256:b22440f49c61195171aca585c7a57c6a8867271e43a5abc38f2a2f561436ff86" imagePullPolicy: IfNotPresent command: - - /install-plugin.sh + - "/install-plugin.sh" resources: requests: cpu: 100m memory: 10Mi securityContext: + seLinuxOptions: + level: s0 + type: spc_t capabilities: drop: - ALL - terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - name: cni-path - mountPath: /host/opt/cni/bin + mountPath: /host/opt/cni/bin # .Values.cni.install restartPolicy: Always priorityClassName: system-node-critical -{{ if ContainerdSELinuxEnabled }} - securityContext: - seLinuxOptions: - type: spc_t - level: s0 -{{ end }} - serviceAccount: cilium - serviceAccountName: cilium + serviceAccountName: "cilium" + automountServiceAccountToken: true terminationGracePeriodSeconds: 1 hostNetwork: true + nodeSelector: + kubernetes.io/os: linux tolerations: - - operator: Exists + - operator: Exists volumes: # For sharing configuration between the "config" initContainer and the agent - name: tmp 
@@ -1573,12 +1448,17 @@ spec: hostPath: path: /var/run/cilium type: DirectoryOrCreate + # To exec into pod network namespaces + - name: cilium-netns + hostPath: + path: /var/run/netns + type: DirectoryOrCreate # To keep state between restarts / upgrades for bpf maps - name: bpf-maps hostPath: path: /sys/fs/bpf type: DirectoryOrCreate - # To mount cgroup2 filesystem on the host + # To mount cgroup2 filesystem on the host or apply sysctlfix - name: hostproc hostPath: path: /proc @@ -1607,22 +1487,7 @@ spec: hostPath: path: /run/xtables.lock type: FileOrCreate -{{- if .EtcdManaged }} - # To read the etcd config stored in config maps - - name: etcd-config-path - configMap: - name: cilium-config - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - items: - - key: etcd-config - path: etcd.config - # To read the Cilium etcd secrets in case the user might want to use TLS - - name: etcd-secrets - hostPath: - path: /etc/kubernetes/pki/cilium - type: Directory -{{- end }} + # To read the clustermesh configuration - name: clustermesh-secrets projected: # note: the leading zero means this number is in octal representation: do not remove it @@ -1645,11 +1510,20 @@ spec: path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt -{{ if CiliumSecret }} - - name: cilium-ipsec-secrets - secret: - secretName: cilium-ipsec-keys -{{ end }} + # note: we configure the volume for the kvstoremesh-specific certificate + # regardless of whether KVStoreMesh is enabled or not, so that it can be + # automatically mounted in case KVStoreMesh gets subsequently enabled, + # without requiring an agent restart. + - secret: + name: clustermesh-apiserver-local-cert + optional: true + items: + - key: tls.key + path: local-etcd-client.key + - key: tls.crt + path: local-etcd-client.crt + - key: ca.crt + path: local-etcd-client-ca.crt - name: host-proc-sys-net hostPath: path: /proc/sys/net 
@@ -1658,7 +1532,6 @@ spec: hostPath: path: /proc/sys/kernel type: Directory -{{ if WithDefaultBool .Hubble.Enabled false }} - name: hubble-tls projected: # note: the leading zero means this number is in octal representation: do not remove it 
@@ -1674,62 +1547,55 @@ spec: path: server.key - key: ca.crt path: client-ca.crt -{{ end }} --- +# Source: cilium/templates/cilium-operator/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: + name: cilium-operator + namespace: kube-system labels: io.cilium/app: operator name: cilium-operator app.kubernetes.io/part-of: cilium app.kubernetes.io/name: cilium-operator - name: cilium-operator - namespace: kube-system spec: - replicas: {{ ControlPlaneControllerReplicas false }} + # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go + # for more details. + replicas: 2 selector: matchLabels: io.cilium/app: operator name: cilium-operator + # ensure operator update on single node k8s clusters, by using rolling update with maxUnavailable=100% in case + # of one replica and no user configured Recreate strategy. + # otherwise an update might get stuck due to the default maxUnavailable=50% in combination with the + # podAntiAffinity which prevents deployments of multiple operator replicas on the same node. 
strategy: rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 + maxSurge: 25% + maxUnavailable: 50% type: RollingUpdate template: metadata: annotations: - {{- range $key, $value := .OperatorPodAnnotations }} - {{ $key }}: "{{ $value }}" - {{- end }} + prometheus.io/port: "9963" + prometheus.io/scrape: "true" labels: io.cilium/app: operator name: cilium-operator app.kubernetes.io/part-of: cilium app.kubernetes.io/name: cilium-operator spec: - nodeSelector: null - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - - matchExpressions: - - key: node-role.kubernetes.io/master - operator: Exists containers: - name: cilium-operator - image: "{{ or .Registry "quay.io" }}/cilium/operator:{{ .Version }}" + image: "quay.io/cilium/operator-generic:v1.17.7@sha256:a610be2562d0f5a8945a27df7d5681711263ce92e09947e867fc37fc9ab08788" imagePullPolicy: IfNotPresent command: - - cilium-operator + - cilium-operator-generic args: - - "--config-dir=/tmp/cilium/config-map" - - "--debug=$(CILIUM_DEBUG)" - - "--eni-tags={{ CloudLabels }}" + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) env: - name: K8S_NODE_NAME valueFrom: @@ -1747,24 +1613,14 @@ spec: key: debug name: cilium-config optional: true - - name: KUBERNETES_SERVICE_HOST - value: "{{ APIInternalName }}" - - name: KUBERNETES_SERVICE_PORT - value: "443" - {{ if .EnablePrometheusMetrics }} ports: - name: prometheus containerPort: 9963 hostPort: 9963 protocol: TCP - {{ end }} - resources: - requests: - cpu: {{ or .CPURequest "25m" }} - memory: {{ or .MemoryRequest "128Mi" }} livenessProbe: httpGet: - host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' + host: "::1" path: /healthz port: 9234 scheme: HTTP 
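Review bot: Switching the operator to `cilium/operator-generic` with command `cilium-operator-generic` and dropping `--eni-tags={{ CloudLabels }}` removes the cloud-specific IPAM backends from the rendered operator, so if the template now always emits this image a kops cluster configured with `ipam: eni` would have no operator able to allocate ENIs; this fixture uses `ipam: "cluster-pool"` (L163) and therefore cannot catch that. `replicas: 2` is also hardcoded where the old manifest used `{{ ControlPlaneControllerReplicas false }}`; the inline comment about `maxUnavailable` covers rolling updates but not single-node clusters, where the required `podAntiAffinity` in the next hunk leaves the second replica Pending, so a comment like `# replicas fixed at 2; second pod stays Pending on single-node clusters` would record the trade-off. The Deployment spec continues in the following hunks.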
@@ -1773,7 +1629,7 @@ spec: timeoutSeconds: 3 readinessProbe: httpGet: - host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' + host: "::1" path: /healthz port: 9234 scheme: HTTP 
@@ -1781,70 +1637,36 @@ spec: periodSeconds: 5 timeoutSeconds: 3 failureThreshold: 5 - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - - mountPath: /tmp/cilium/config-map - name: cilium-config-path - readOnly: true -{{- if .EtcdManaged }} - - mountPath: /var/lib/etcd-config - name: etcd-config-path + - name: cilium-config-path + mountPath: /tmp/cilium/config-map readOnly: true - - mountPath: /var/lib/etcd-secrets - name: etcd-secrets - readOnly: true -{{- end }} + terminationMessagePolicy: FallbackToLogsOnError hostNetwork: true restartPolicy: Always priorityClassName: system-cluster-critical -{{ if ContainerdSELinuxEnabled }} - securityContext: - seLinuxOptions: - type: spc_t - level: s0 -{{ end }} - serviceAccount: cilium-operator - serviceAccountName: cilium-operator + serviceAccountName: "cilium-operator" + automountServiceAccountToken: true + # In HA mode, cilium-operator pods must not be scheduled on the same + # node as they will clash with each other. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + nodeSelector: + kubernetes.io/os: linux tolerations: - - operator: Exists - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: "topology.kubernetes.io/zone" - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - io.cilium/app: operator - name: cilium-operator + - operator: Exists volumes: # To read the configuration from the config map - - configMap: - name: cilium-config - name: cilium-config-path -{{- if .EtcdManaged }} - # To read the etcd config stored in config maps - - configMap: - defaultMode: 420 - items: - - key: etcd-config - path: etcd.config + - name: cilium-config-path + configMap: name: cilium-config - name: 
etcd-config-path - # To read the k8s etcd secrets in case the user might want to use TLS - - name: etcd-secrets - hostPath: - path: /etc/kubernetes/pki/cilium - type: Directory -{{- end }} -{{ if WithDefaultBool .Hubble.Enabled false }} --- -# Source: cilium/charts/hubble-relay/templates/deployment.yaml +# Source: cilium/templates/hubble-relay/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: @@ -1854,8 +1676,9 @@ metadata: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay app.kubernetes.io/part-of: cilium + spec: - replicas: 2 + replicas: 1 selector: matchLabels: k8s-app: hubble-relay @@ -1865,6 +1688,7 @@ spec: type: RollingUpdate template: metadata: + annotations: labels: k8s-app: hubble-relay app.kubernetes.io/name: hubble-relay @@ -1874,8 +1698,6 @@ spec: fsGroup: 65532 containers: - name: hubble-relay - image: "{{ or .Registry "quay.io" }}/cilium/hubble-relay:{{ .Version }}" - imagePullPolicy: IfNotPresent securityContext: capabilities: drop: @@ -1883,13 +1705,12 @@ spec: runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 + image: "quay.io/cilium/hubble-relay:v1.17.7@sha256:9394312ce65c3c253a8c26a6c292f58736e75c78d1446ecfcd244f1418bebe77" + imagePullPolicy: IfNotPresent command: - hubble-relay args: - serve - {{- if .Debug }} - - '--debug' - {{- end }} ports: - name: grpc containerPort: 4245 
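Review bot: Removing the `nodeAffinity` on `node-role.kubernetes.io/control-plane` while keeping `hostNetwork: true`, `tolerations: - operator: Exists` and `priorityClassName: system-cluster-critical` lets the operator, whose rules in this diff include cluster-wide secret reads (L166) and secret create/update (L168), schedule on any worker node, including tainted ones; the new `nodeSelector: kubernetes.io/os: linux` is the only constraint left. If that widening is intentional it deserves a comment on the `tolerations` block, e.g. `# operator may run on any Linux node; no longer pinned to control-plane`; otherwise the control-plane node affinity should be restored alongside the new `podAntiAffinity`. The hunk also drops the zone/hostname `topologySpreadConstraints`, so the two replicas are kept apart only by hostname now.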
@@ -1897,20 +1718,34 @@ spec: grpc: port: 4222 timeoutSeconds: 3 + # livenessProbe will kill the pod, we should be very conservative + # here on failures since killing the pod should be a last resort, and + # we should provide enough time for relay to retry before killing it. livenessProbe: grpc: port: 4222 timeoutSeconds: 10 + # Give relay time to establish connections and make a few retries + # before starting livenessProbes. initialDelaySeconds: 10 + # 10 second * 12 failures = 2 minutes of failure. + # If relay cannot become healthy after 2 minutes, then killing it + # might resolve whatever issue is occurring. + # + # 10 seconds is a reasonable retry period so we can see if it's + # failing regularly or only sporadically. periodSeconds: 10 failureThreshold: 12 startupProbe: grpc: port: 4222 + # Give relay time to get it's certs and establish connections and + # make a few retries before starting startupProbes. initialDelaySeconds: 10 + # 20 * 3 seconds = 1 minute of failure before we consider startup as failed. failureThreshold: 20 + # Retry more frequently at startup so that it can be considered started more quickly. periodSeconds: 3 - terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - name: config mountPath: /etc/hubble-relay @@ -1918,6 +1753,13 @@ spec: - name: tls mountPath: /var/lib/hubble-relay/tls readOnly: true + terminationMessagePolicy: FallbackToLogsOnError + + restartPolicy: Always + priorityClassName: + serviceAccountName: "hubble-relay" + automountServiceAccountToken: false + terminationGracePeriodSeconds: 1 affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: 
@@ -1925,23 +1767,8 @@ spec: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname - restartPolicy: Always - serviceAccount: hubble-relay - serviceAccountName: hubble-relay - terminationGracePeriodSeconds: 1 - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: "topology.kubernetes.io/zone" - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - k8s-app: hubble-relay - - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - k8s-app: hubble-relay + nodeSelector: + kubernetes.io/os: linux volumes: - name: config configMap: 
@@ -1964,61 +1791,23 @@ spec: - key: ca.crt path: hubble-server-ca.crt --- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: - k8s-app: cilium - name: hubble-server-certs - namespace: kube-system -spec: - dnsNames: - - "*.{{ replace .ClusterName "." "-" }}.hubble-grpc.cilium.io" - issuerRef: - kind: Issuer - name: networking.cilium.io - secretName: hubble-server-certs - isCA: false - usages: - - signing - - key encipherment - - server auth - - client auth ---- -apiVersion: cert-manager.io/v1 -kind: Certificate +# Source: cilium/templates/cilium-ingress-class.yaml +apiVersion: networking.k8s.io/v1 +kind: IngressClass metadata: - labels: - k8s-app: cilium - app.kubernetes.io/part-of: cilium - name: hubble-relay-client-certs - namespace: kube-system + name: cilium spec: - dnsNames: - - "hubble-relay-client" - issuerRef: - kind: Issuer - name: networking.cilium.io - isCA: false - usages: - - signing - - key encipherment - - client auth - secretName: hubble-relay-client-certs -{{ end }} -{{ end }} + controller: cilium.io/ingress-controller --- -apiVersion: policy/v1 -kind: PodDisruptionBudget +# Source: cilium/templates/cilium-ingress-service.yaml +apiVersion: v1 +kind: Endpoints metadata: - name: cilium-operator + name: cilium-ingress namespace: kube-system labels: - io.cilium/app: operator - name: cilium-operator -spec: - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - maxUnavailable: 1 +subsets: +- addresses: + - ip: "192.192.192.192" + ports: + - port: 9999 diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml index 71199e8c58c2b..43b6cbfbf7de1 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml 
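Review bot: This hunk removes the two cert-manager `Certificate` objects that produced the `hubble-server-certs` and `hubble-relay-client-certs` secrets, while the context above still mounts `hubble-server-ca.crt` into hubble-relay's `tls` volume; unless another part of the commit provisions these secrets, relay will fail to start on missing secrets. It also deletes the cilium-operator `PodDisruptionBudget` (`maxUnavailable: 1`), so a voluntary drain can evict every operator replica at once — the required pod anti-affinity added in the hunk at `@@ -1781` keeps replicas on separate nodes but does not replace the PDB, and restoring the removed block verbatim would close that gap. The new `IngressClass` and `cilium-ingress` `Endpoints` (`192.192.192.192:9999`) appear to be rendered unconditionally; if Cilium ingress remains optional in the spec, they should sit behind the corresponding template guard.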
@@ -99,7 +99,7 @@ spec:
 version: 9.99.0
 - id: k8s-1.16
 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
- manifestHash: 3e326a45535c1c5efecc1723ec7bdc9a79cd16fea06b28bf014ad46a1bab6bf6
+ manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55
 name: networking.cilium.io
 needsRollingUpdate: all
 selector:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml
index 32dff358e7117..afc2882cd212b 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml
@@ -106,7 +106,7 @@ spec:
 version: 9.99.0
 - id: k8s-1.16
 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
- manifestHash: 3e326a45535c1c5efecc1723ec7bdc9a79cd16fea06b28bf014ad46a1bab6bf6
+ manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55
 name: networking.cilium.io
 needsRollingUpdate: all
 selector:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml
index c2aad84ed866f..919765da7836e 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml
@@ -163,7 +163,7 @@ spec:
 version: 9.99.0
 - id: k8s-1.16
 manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
- manifestHash: 3e326a45535c1c5efecc1723ec7bdc9a79cd16fea06b28bf014ad46a1bab6bf6
+ manifestHash: 5d45b38438614bdb4b9549540a7aeb02a1a38c5bd83170ddb1daabdc30bbbd55
 name: networking.cilium.io
 needsRollingUpdate: all
 selector: