Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CR = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{Name: "cilium"}, Rules: []rbacv1.PolicyRule{ { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{"networking.k8s.io"}, Resources: []string{"networkpolicies"}, }, { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{"discovery.k8s.io"}, Resources: []string{"endpointslices"}, }, { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{""}, Resources: []string{ "namespaces", "services", "pods", "endpoints", "nodes", }, }, { Verbs: []string{ "list", "watch", "get", }, APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, }, { Verbs: []string{ "list", "watch", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumbgploadbalancerippools", "ciliumbgppeeringpolicies", "ciliumclusterwideenvoyconfigs", "ciliumclusterwidenetworkpolicies", "ciliumegressgatewaypolicies", "ciliumegressnatpolicies", "ciliumendpoints", "ciliumendpointslices", "ciliumenvoyconfigs", "ciliumidentities", "ciliumlocalredirectpolicies", "ciliumnetworkpolicies", "ciliumnodes", }, }, { Verbs: []string{"create"}, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumidentities", "ciliumendpoints", "ciliumnodes", }, }, { Verbs: []string{"update"}, APIGroups: []string{"cilium.io"}, Resources: []string{"ciliumidentities"}, }, { Verbs: []string{ "delete", "get", }, APIGroups: []string{"cilium.io"}, Resources: []string{"ciliumendpoints"}, }, { Verbs: []string{ "get", "update", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumnodes", "ciliumnodes/status", }, }, { Verbs: []string{"patch"}, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumnetworkpolicies/status", "ciliumclusterwidenetworkpolicies/status", "ciliumendpoints/status", "ciliumendpoints", }, }, }, }
View Source
var Daemon = &appsv1.DaemonSet{ TypeMeta: kubeutil.TypeMeta("DaemonSet"), ObjectMeta: metav1.ObjectMeta{ Name: "cilium", Namespace: "kube-system", Labels: map[string]string{"k8s-app": "cilium"}, }, Spec: appsv1.DaemonSetSpec{ Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "k8s-app": "cilium", }, }, Template: v1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{"k8s-app": "cilium"}, Annotations: map[string]string{ "container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites": "unconfined", "container.apparmor.security.beta.kubernetes.io/cilium-agent": "unconfined", "container.apparmor.security.beta.kubernetes.io/clean-cilium-state": "unconfined", "container.apparmor.security.beta.kubernetes.io/mount-cgroup": "unconfined", }, }, Spec: v1.PodSpec{ Volumes: []v1.Volume{ { Name: "cilium-run", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/var/run/cilium", Type: P(v1.HostPathDirectoryOrCreate), }, }, }, { Name: "bpf-maps", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/sys/fs/bpf", Type: P(v1.HostPathDirectoryOrCreate), }, }, }, { Name: "hostproc", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/proc", Type: P(v1.HostPathDirectory), }, }, }, { Name: "cilium-cgroup", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/run/cilium/cgroupv2", Type: P(v1.HostPathDirectoryOrCreate), }, }, }, { Name: "cni-path", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/opt/cni/bin", Type: P(v1.HostPathDirectoryOrCreate), }, }, }, { Name: "etc-cni-netd", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/etc/cni/net.d", Type: P(v1.HostPathDirectoryOrCreate), }, }, }, { Name: "lib-modules", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{Path: "/lib/modules"}, }, }, { Name: "xtables-lock", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/run/xtables.lock", Type: P(v1.HostPathFileOrCreate), }, }, }, { Name: "clustermesh-secrets", VolumeSource: v1.VolumeSource{ Secret: &v1.SecretVolumeSource{ SecretName: "cilium-clustermesh", DefaultMode: P(int32(256)), Optional: P(true), }, }, }, { Name: "cilium-config-path", VolumeSource: v1.VolumeSource{ ConfigMap: &v1.ConfigMapVolumeSource{ LocalObjectReference: v1.LocalObjectReference{ Name: "cilium-config", }, }, }, }, { Name: "host-proc-sys-net", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/proc/sys/net", Type: P(v1.HostPathDirectory), }, }, }, { Name: "host-proc-sys-kernel", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/proc/sys/kernel", Type: P(v1.HostPathDirectory), }, }, }, { Name: "hubble-tls", VolumeSource: v1.VolumeSource{ Projected: &v1.ProjectedVolumeSource{ Sources: []v1.VolumeProjection{ { Secret: &v1.SecretProjection{ LocalObjectReference: v1.LocalObjectReference{ Name: "hubble-server-certs", }, Items: []v1.KeyToPath{ { Key: "ca.crt", Path: "client-ca.crt", }, { Key: "tls.crt", Path: "server.crt", }, { Key: "tls.key", Path: "server.key", }, }, Optional: P(true), }, }, }, DefaultMode: P(int32(256)), }, }, }, }, InitContainers: []v1.Container{ { Name: "mount-cgroup", Image: "quay.io/cilium/cilium:v1.12.4@sha256:4b074fcfba9325c18e97569ed1988464309a5ebf64bbc79bec6f3d58cafcb8cf", Command: []string{ "sh", "-ec", ciliumMountScript, }, Env: []v1.EnvVar{ { Name: "CGROUP_ROOT", Value: "/run/cilium/cgroupv2", }, { Name: "BIN_PATH", Value: "/opt/cni/bin", }, }, VolumeMounts: []v1.VolumeMount{ { Name: "hostproc", MountPath: "/hostproc", }, { Name: "cni-path", MountPath: "/hostbin", }, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{ Capabilities: &v1.Capabilities{ Add: []v1.Capability{ v1.Capability("SYS_ADMIN"), v1.Capability("SYS_CHROOT"), v1.Capability("SYS_PTRACE"), }, Drop: []v1.Capability{v1.Capability("ALL")}, }, SELinuxOptions: &v1.SELinuxOptions{ Type: "spc_t", Level: "s0", }, }, }, { Name: "apply-sysctl-overwrites", Image: "quay.io/cilium/cilium:v1.12.4@sha256:4b074fcfba9325c18e97569ed1988464309a5ebf64bbc79bec6f3d58cafcb8cf", Command: []string{ "sh", "-ec", ciliumSysctlScript, }, Env: []v1.EnvVar{ { Name: "BIN_PATH", Value: "/opt/cni/bin", }, }, VolumeMounts: []v1.VolumeMount{ { Name: "hostproc", MountPath: "/hostproc", }, { Name: "cni-path", MountPath: "/hostbin", }, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{ Capabilities: &v1.Capabilities{ Add: []v1.Capability{ v1.Capability("SYS_ADMIN"), v1.Capability("SYS_CHROOT"), v1.Capability("SYS_PTRACE"), }, Drop: []v1.Capability{v1.Capability("ALL")}, }, SELinuxOptions: &v1.SELinuxOptions{ Type: "spc_t", Level: "s0", }, }, }, { Name: "mount-bpf-fs", Image: "quay.io/cilium/cilium:v1.12.4@sha256:4b074fcfba9325c18e97569ed1988464309a5ebf64bbc79bec6f3d58cafcb8cf", Command: []string{ "/bin/bash", "-c", "--", }, Args: []string{`mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf`}, VolumeMounts: []v1.VolumeMount{ { Name: "bpf-maps", MountPath: "/sys/fs/bpf", MountPropagation: P(v1.MountPropagationMode("Bidirectional")), }, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{Privileged: P(true)}, }, { Name: "clean-cilium-state", Image: "quay.io/cilium/cilium:v1.12.4@sha256:4b074fcfba9325c18e97569ed1988464309a5ebf64bbc79bec6f3d58cafcb8cf", Command: []string{"/init-container.sh"}, Env: []v1.EnvVar{ { Name: "CILIUM_ALL_STATE", ValueFrom: &v1.EnvVarSource{ ConfigMapKeyRef: &v1.ConfigMapKeySelector{ LocalObjectReference: v1.LocalObjectReference{ Name: "cilium-config", }, Key: "clean-cilium-state", Optional: P(true), }, }, }, { Name: "CILIUM_BPF_STATE", ValueFrom: &v1.EnvVarSource{ ConfigMapKeyRef: &v1.ConfigMapKeySelector{ LocalObjectReference: v1.LocalObjectReference{Name: "cilium-config"}, Key: "clean-cilium-bpf-state", Optional: P(true), }, }, }, }, Resources: v1.ResourceRequirements{ Requests: v1.ResourceList{ v1.ResourceName("cpu"): resource.MustParse("100m"), v1.ResourceName("memory"): resource.MustParse("100Mi"), }, }, VolumeMounts: []v1.VolumeMount{ { Name: "bpf-maps", MountPath: "/sys/fs/bpf", }, { Name: "cilium-cgroup", MountPath: "/run/cilium/cgroupv2", MountPropagation: P(v1.MountPropagationMode("HostToContainer")), }, { Name: "cilium-run", MountPath: "/var/run/cilium", }, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{ Capabilities: &v1.Capabilities{ Add: []v1.Capability{ v1.Capability("NET_ADMIN"), v1.Capability("SYS_MODULE"), v1.Capability("SYS_ADMIN"), v1.Capability("SYS_RESOURCE"), }, Drop: []v1.Capability{v1.Capability("ALL")}, }, SELinuxOptions: &v1.SELinuxOptions{ Type: "spc_t", Level: "s0", }, }, }, }, Containers: []v1.Container{ { Name: "cilium-agent", Image: "quay.io/cilium/cilium:v1.12.4@sha256:4b074fcfba9325c18e97569ed1988464309a5ebf64bbc79bec6f3d58cafcb8cf", Command: []string{"cilium-agent"}, Args: []string{"--config-dir=/tmp/cilium/config-map"}, Env: []v1.EnvVar{ { Name: "K8S_NODE_NAME", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "spec.nodeName", }, }, }, { Name: "CILIUM_K8S_NAMESPACE", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "metadata.namespace", }, }, }, { Name: "CILIUM_CLUSTERMESH_CONFIG", Value: "/var/lib/cilium/clustermesh/", }, { Name: "CILIUM_CNI_CHAINING_MODE", ValueFrom: &v1.EnvVarSource{ ConfigMapKeyRef: &v1.ConfigMapKeySelector{ LocalObjectReference: v1.LocalObjectReference{Name: "cilium-config"}, Key: "cni-chaining-mode", Optional: P(true), }, }, }, { Name: "CILIUM_CUSTOM_CNI_CONF", ValueFrom: &v1.EnvVarSource{ ConfigMapKeyRef: &v1.ConfigMapKeySelector{ LocalObjectReference: v1.LocalObjectReference{Name: "cilium-config"}, Key: "custom-cni-conf", Optional: P(true), }, }, }, }, VolumeMounts: []v1.VolumeMount{ { Name: "host-proc-sys-net", MountPath: "/host/proc/sys/net", }, { Name: "host-proc-sys-kernel", MountPath: "/host/proc/sys/kernel", }, { Name: "bpf-maps", MountPath: "/sys/fs/bpf", MountPropagation: P(v1.MountPropagationMode("HostToContainer")), }, { Name: "cilium-run", MountPath: "/var/run/cilium", }, { Name: "cni-path", MountPath: "/host/opt/cni/bin", }, { Name: "etc-cni-netd", MountPath: "/host/etc/cni/net.d", }, { Name: "clustermesh-secrets", ReadOnly: true, MountPath: "/var/lib/cilium/clustermesh", }, { Name: "cilium-config-path", ReadOnly: true, MountPath: "/tmp/cilium/config-map", }, { Name: "lib-modules", ReadOnly: true, MountPath: "/lib/modules", }, { Name: "xtables-lock", MountPath: "/run/xtables.lock", }, { Name: "hubble-tls", ReadOnly: true, MountPath: "/var/lib/cilium/tls/hubble", }, }, LivenessProbe: &v1.Probe{ ProbeHandler: v1.ProbeHandler{ HTTPGet: &v1.HTTPGetAction{ Path: "/healthz", Port: intstr.IntOrString{IntVal: 9879}, Host: "127.0.0.1", Scheme: v1.URIScheme("HTTP"), HTTPHeaders: []v1.HTTPHeader{ { Name: "brief", Value: "true", }, }, }, }, TimeoutSeconds: 5, PeriodSeconds: 30, SuccessThreshold: 1, FailureThreshold: 10, }, ReadinessProbe: &v1.Probe{ ProbeHandler: v1.ProbeHandler{ HTTPGet: &v1.HTTPGetAction{ Path: "/healthz", Port: intstr.IntOrString{IntVal: 9879}, Host: "127.0.0.1", Scheme: v1.URIScheme("HTTP"), HTTPHeaders: []v1.HTTPHeader{ { Name: "brief", Value: "true", }, }, }, }, TimeoutSeconds: 5, PeriodSeconds: 30, SuccessThreshold: 1, FailureThreshold: 3, }, StartupProbe: &v1.Probe{ ProbeHandler: v1.ProbeHandler{ HTTPGet: &v1.HTTPGetAction{ Path: "/healthz", Port: intstr.IntOrString{IntVal: 9879}, Host: "127.0.0.1", Scheme: v1.URIScheme("HTTP"), HTTPHeaders: []v1.HTTPHeader{ { Name: "brief", Value: "true", }, }, }, }, PeriodSeconds: 2, SuccessThreshold: 1, FailureThreshold: 105, }, Lifecycle: &v1.Lifecycle{ PostStart: &v1.LifecycleHandler{ Exec: &v1.ExecAction{ Command: []string{ "/cni-install.sh", "--enable-debug=false", "--cni-exclusive=true", "--log-file=/var/run/cilium/cilium-cni.log", }, }, }, PreStop: &v1.LifecycleHandler{Exec: &v1.ExecAction{Command: []string{"/cni-uninstall.sh"}}}, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{ Capabilities: &v1.Capabilities{ Add: []v1.Capability{ v1.Capability("CHOWN"), v1.Capability("KILL"), v1.Capability("NET_ADMIN"), v1.Capability("NET_RAW"), v1.Capability("IPC_LOCK"), v1.Capability("SYS_MODULE"), v1.Capability("SYS_ADMIN"), v1.Capability("SYS_RESOURCE"), v1.Capability("DAC_OVERRIDE"), v1.Capability("FOWNER"), v1.Capability("SETGID"), v1.Capability("SETUID"), }, Drop: []v1.Capability{v1.Capability("ALL")}, }, SELinuxOptions: &v1.SELinuxOptions{ Type: "spc_t", Level: "s0", }, }, }, }, RestartPolicy: v1.RestartPolicy("Always"), TerminationGracePeriodSeconds: P(int64(1)), NodeSelector: map[string]string{"kubernetes.io/os": "linux"}, ServiceAccountName: "cilium", HostNetwork: true, Affinity: &v1.Affinity{ PodAntiAffinity: &v1.PodAntiAffinity{ RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{ { LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"k8s-app": "cilium"}}, TopologyKey: "kubernetes.io/hostname", }, }, }, }, Tolerations: []v1.Toleration{{Operator: v1.TolerationOperator("Exists")}}, PriorityClassName: "system-node-critical", }, }, UpdateStrategy: appsv1.DaemonSetUpdateStrategy{ Type: appsv1.DaemonSetUpdateStrategyType("RollingUpdate"), RollingUpdate: &appsv1.RollingUpdateDaemonSet{MaxUnavailable: &intstr.IntOrString{IntVal: 2}}, }, }, }
View Source
var DefaultConfigData = map[string]string{
"identity-allocation-mode": "crd",
"cilium-endpoint-gc-interval": "5m0s",
"nodes-gc-interval": "5m0s",
"skip-cnp-status-startup-clean": "false",
"disable-endpoint-crd": "false",
"debug": "false",
"enable-policy": "default",
"enable-ipv4": "true",
"enable-ipv6": "false",
"custom-cni-conf": "false",
"enable-bpf-clock-probe": "true",
"monitor-aggregation": "medium",
"monitor-aggregation-interval": "5s",
"monitor-aggregation-flags": "all",
"bpf-map-dynamic-size-ratio": "0.0025",
"bpf-policy-map-max": "16384",
"bpf-lb-map-max": "65536",
"bpf-lb-external-clusterip": "false",
"preallocate-bpf-maps": "false",
"sidecar-istio-proxy-image": "cilium/istio_proxy",
"cluster-name": "go-terriyaki-test-1",
"cluster-id": "1",
"tunnel": "disabled",
"enable-endpoint-routes": "true",
"auto-create-cilium-node-resource": "true",
"ec2-api-endpoint": "",
"eni-tags": "{}",
"subnet-ids-filter": "",
"subnet-tags-filter": "",
"instance-tags-filter": "",
"enable-l7-proxy": "true",
"enable-ipv4-masquerade": "true",
"enable-ipv6-masquerade": "true",
"egress-masquerade-interfaces": "eth0",
"enable-xt-socket-fallback": "true",
"install-iptables-rules": "true",
"install-no-conntrack-iptables-rules": "false",
"auto-direct-node-routes": "false",
"enable-local-redirect-policy": "false",
"kube-proxy-replacement": "disabled",
"bpf-lb-sock": "false",
"enable-health-check-nodeport": "true",
"node-port-bind-protection": "true",
"enable-auto-protect-node-port-range": "true",
"enable-svc-source-range-check": "true",
"enable-l2-neigh-discovery": "true",
"arping-refresh-period": "30s",
"enable-endpoint-health-checking": "true",
"enable-health-checking": "true",
"enable-well-known-identities": "false",
"enable-remote-node-identity": "true",
"synchronize-k8s-nodes": "true",
"operator-api-serve-addr": "127.0.0.1:9234",
"enable-hubble": "true",
"hubble-socket-path": "/var/run/cilium/hubble.sock",
"hubble-listen-address": "4244",
"hubble-disable-tls": "false",
"hubble-tls-cert-file": "/var/lib/cilium/tls/hubble/server.crt",
"hubble-tls-key-file": "/var/lib/cilium/tls/hubble/server.key",
"hubble-tls-client-ca-files": "/var/lib/cilium/tls/hubble/client-ca.crt",
"ipam": "eni",
"disable-cnp-status-updates": "true",
"enable-vtep": "false",
"vtep-endpoint": "",
"vtep-cidr": "",
"vtep-mask": "",
"vtep-mac": "",
"enable-bgp-control-plane": "false",
"procfs": "/host/proc",
"bpf-root": "/sys/fs/bpf",
"cgroup-root": "/run/cilium/cgroupv2",
"enable-k8s-terminating-endpoint": "true",
"remove-cilium-node-taints": "true",
"set-cilium-is-up-condition": "true",
"unmanaged-pod-watcher-interval": "15",
"tofqdns-dns-reject-response-code": "refused",
"tofqdns-enable-dns-compression": "true",
"tofqdns-endpoint-max-ip-per-hostname": "50",
"tofqdns-idle-connection-grace-period": "0s",
"tofqdns-max-deferred-connection-deletes": "10000",
"tofqdns-min-ttl": "3600",
"tofqdns-proxy-response-max-delay": "100ms",
"agent-not-ready-taint-key": "node.cilium.io/agent-not-ready",
}
View Source
var HubblePeerSvc = &v1.Service{ TypeMeta: kubeutil.TypeMeta("Service"), ObjectMeta: metav1.ObjectMeta{ Name: "hubble-peer", Namespace: "kube-system", Labels: map[string]string{"k8s-app": "cilium"}, }, Spec: v1.ServiceSpec{ Ports: []v1.ServicePort{ { Name: "peer-service", Protocol: v1.ProtocolTCP, Port: 443, TargetPort: intstr.IntOrString{IntVal: 4244}, }, }, Selector: map[string]string{"k8s-app": "cilium"}, InternalTrafficPolicy: P(v1.ServiceInternalTrafficPolicyLocal), }, }
View Source
var NodeInit = &appsv1.DaemonSet{ TypeMeta: kubeutil.TypeDaemonSetV1, ObjectMeta: metav1.ObjectMeta{ Name: "cilium-node-init", Namespace: "kube-system", Labels: map[string]string{"app": "cilium-node-init"}, }, Spec: appsv1.DaemonSetSpec{ Selector: &metav1.LabelSelector{ MatchLabels: map[string]string{ "app": "cilium-node-init", }, }, Template: v1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{"app": "cilium-node-init"}, Annotations: map[string]string{"container.apparmor.security.beta.kubernetes.io/node-init": "unconfined"}, }, Spec: v1.PodSpec{ Containers: []v1.Container{ { Name: "node-init", Image: "quay.io/cilium/startup-script:d69851597ea019af980891a4628fb36b7880ec26", Env: []v1.EnvVar{ { Name: "STARTUP_SCRIPT", Value: startUpScript, }, }, Resources: v1.ResourceRequirements{ Requests: v1.ResourceList{ v1.ResourceName("cpu"): resource.MustParse("100m"), v1.ResourceName("memory"): resource.MustParse("100Mi"), }, }, Lifecycle: &v1.Lifecycle{ PostStart: &v1.LifecycleHandler{ Exec: &v1.ExecAction{ Command: []string{ "nsenter", "--target=1", "--mount", "--", "/bin/bash", "-c", editIPTableScript, }, }, }, }, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), SecurityContext: &v1.SecurityContext{ Capabilities: &v1.Capabilities{ Add: []v1.Capability{ v1.Capability("SYS_MODULE"), v1.Capability("NET_ADMIN"), v1.Capability("SYS_ADMIN"), v1.Capability("SYS_CHROOT"), v1.Capability("SYS_PTRACE"), }, }, Privileged: valast.Addr(false).(*bool), SELinuxOptions: &v1.SELinuxOptions{ Type: "spc_t", Level: "s0", }, }, }, }, NodeSelector: map[string]string{"kubernetes.io/os": "linux"}, HostNetwork: true, HostPID: true, Tolerations: []v1.Toleration{{Operator: v1.TolerationOperator("Exists")}}, PriorityClassName: "system-node-critical", }, }, UpdateStrategy: appsv1.DaemonSetUpdateStrategy{Type: appsv1.DaemonSetUpdateStrategyType("RollingUpdate")}, }, }
View Source
var Operator = &appsv1.Deployment{ TypeMeta: kubeutil.TypeDeploymentV1, ObjectMeta: opMeta, Spec: appsv1.DeploymentSpec{ Replicas: P(int32(2)), Selector: &metav1.LabelSelector{ MatchLabels: opMeta.Labels, }, Template: v1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: opMeta.Labels, }, Spec: v1.PodSpec{ Volumes: []v1.Volume{ { Name: "cilium-config-path", VolumeSource: v1.VolumeSource{ ConfigMap: &v1.ConfigMapVolumeSource{ LocalObjectReference: v1.LocalObjectReference{Name: "cilium-config"}, }, }, }, }, Containers: []v1.Container{ { Name: "cilium-operator", Image: "quay.io/cilium/operator-generic:v1.12.4@sha256:071089ec5bca1f556afb8e541d9972a0dfb09d1e25504ae642ced021ecbedbd1", Command: []string{"cilium-operator-generic"}, Args: []string{ "--config-dir=/tmp/cilium/config-map", "--debug=$(CILIUM_DEBUG)", }, Env: []v1.EnvVar{ { Name: "K8S_NODE_NAME", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "spec.nodeName", }, }, }, { Name: "CILIUM_K8S_NAMESPACE", ValueFrom: &v1.EnvVarSource{ FieldRef: &v1.ObjectFieldSelector{ APIVersion: "v1", FieldPath: "metadata.namespace", }, }, }, { Name: "CILIUM_DEBUG", ValueFrom: &v1.EnvVarSource{ ConfigMapKeyRef: &v1.ConfigMapKeySelector{ LocalObjectReference: v1.LocalObjectReference{Name: "cilium-config"}, Key: "debug", Optional: P(true), }, }, }, }, VolumeMounts: []v1.VolumeMount{ { Name: "cilium-config-path", ReadOnly: true, MountPath: "/tmp/cilium/config-map", }, }, LivenessProbe: liveness, TerminationMessagePolicy: v1.TerminationMessagePolicy("FallbackToLogsOnError"), ImagePullPolicy: v1.PullPolicy("IfNotPresent"), }, }, RestartPolicy: v1.RestartPolicy("Always"), NodeSelector: map[string]string{"kubernetes.io/os": "linux"}, ServiceAccountName: "cilium-operator", HostNetwork: true, Affinity: &v1.Affinity{ PodAntiAffinity: &v1.PodAntiAffinity{ RequiredDuringSchedulingIgnoredDuringExecution: []v1.PodAffinityTerm{ { LabelSelector: &metav1.LabelSelector{MatchLabels: map[string]string{"io.cilium/app": "operator"}}, TopologyKey: "kubernetes.io/hostname", }, }, }, }, Tolerations: []v1.Toleration{{Operator: v1.TolerationOperator("Exists")}}, PriorityClassName: "system-cluster-critical", }, }, Strategy: appsv1.DeploymentStrategy{ Type: appsv1.DeploymentStrategyType("RollingUpdate"), RollingUpdate: &appsv1.RollingUpdateDeployment{ MaxUnavailable: &intstr.IntOrString{IntVal: 1}, MaxSurge: &intstr.IntOrString{IntVal: 1}, }, }, }, }
View Source
var OperatorCR = &rbacv1.ClusterRole{ TypeMeta: kubeutil.TypeClusterRoleV1, ObjectMeta: metav1.ObjectMeta{Name: "cilium-operator"}, Rules: []rbacv1.PolicyRule{ { Verbs: []string{ "get", "list", "watch", "delete", }, APIGroups: []string{""}, Resources: []string{"pods"}, }, { Verbs: []string{ "list", "watch", }, APIGroups: []string{""}, Resources: []string{"nodes"}, }, { Verbs: []string{"patch"}, APIGroups: []string{""}, Resources: []string{ "nodes", "nodes/status", }, }, { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{"discovery.k8s.io"}, Resources: []string{"endpointslices"}, }, { Verbs: []string{"update"}, APIGroups: []string{""}, Resources: []string{"services/status"}, }, { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{""}, Resources: []string{"namespaces"}, }, { Verbs: []string{ "get", "list", "watch", }, APIGroups: []string{""}, Resources: []string{ "services", "endpoints", }, }, { Verbs: []string{ "create", "update", "deletecollection", "patch", "get", "list", "watch", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumnetworkpolicies", "ciliumclusterwidenetworkpolicies", }, }, { Verbs: []string{ "patch", "update", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumnetworkpolicies/status", "ciliumclusterwidenetworkpolicies/status", }, }, { Verbs: []string{ "delete", "list", "watch", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumendpoints", "ciliumidentities", }, }, { Verbs: []string{"update"}, APIGroups: []string{"cilium.io"}, Resources: []string{"ciliumidentities"}, }, { Verbs: []string{ "create", "update", "get", "list", "watch", "delete", }, APIGroups: []string{"cilium.io"}, Resources: []string{"ciliumnodes"}, }, { Verbs: []string{"update"}, APIGroups: []string{"cilium.io"}, Resources: []string{"ciliumnodes/status"}, }, { Verbs: []string{ "create", "update", "get", "list", "watch", "delete", }, APIGroups: []string{"cilium.io"}, Resources: []string{ "ciliumendpointslices", "ciliumenvoyconfigs", }, }, { Verbs: []string{ "create", "get", "list", "watch", }, APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, }, { Verbs: []string{"update"}, APIGroups: []string{"apiextensions.k8s.io"}, Resources: []string{"customresourcedefinitions"}, ResourceNames: []string{ "ciliumbgploadbalancerippools.cilium.io", "ciliumbgppeeringpolicies.cilium.io", "ciliumclusterwideenvoyconfigs.cilium.io", "ciliumclusterwidenetworkpolicies.cilium.io", "ciliumegressgatewaypolicies.cilium.io", "ciliumegressnatpolicies.cilium.io", "ciliumendpoints.cilium.io", "ciliumendpointslices.cilium.io", "ciliumenvoyconfigs.cilium.io", "ciliumexternalworkloads.cilium.io", "ciliumidentities.cilium.io", "ciliumlocalredirectpolicies.cilium.io", "ciliumnetworkpolicies.cilium.io", "ciliumnodes.cilium.io", }, }, { Verbs: []string{ "create", "get", "update", }, APIGroups: []string{"coordination.k8s.io"}, Resources: []string{"leases"}, }, }, }
Functions ¶
Types ¶
type CiliumApp ¶
type CiliumApp struct { kube.App CACertSecret *corev1.Secret Config *corev1.ConfigMap MattDamon *appsv1.DaemonSet NodeInit *appsv1.DaemonSet AppSA *corev1.ServiceAccount AppBinding *rbacv1.ClusterRoleBinding AppRole *rbacv1.ClusterRole Operator *appsv1.Deployment OpSA *corev1.ServiceAccount OpBinding *rbacv1.ClusterRoleBinding OpRole *rbacv1.ClusterRole HubbleSecret *corev1.Secret HubbleCert *corev1.Secret HubbleSvc *corev1.Service }
func New ¶
func New(config ClusterConfig) *CiliumApp
type ClusterConfig ¶
Click to show internal directories.
Click to hide internal directories.