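# Include the cilium-agent DaemonSet
agent:
  enabled: true
  # Do not run the Cilium agent when running in clean mode. Useful to completely
  # uninstall Cilium, as it stops Cilium from starting and creating artifacts
  # on the node.
  sleepAfterInit: false
  # Keep the deprecated selector labels when deploying the Cilium DaemonSet
  keepDeprecatedLabels: false

# Include the cilium-config ConfigMap
config:
  enabled: true

# Include the cilium-operator Deployment
operator:
  enabled: true

# Include the PreFlight DaemonSet
preflight:
  enabled: false
  # Path to write the --tofqdns-pre-cache file to. When empty no file is
  # generated.
  tofqdnsPreCache: ""

# global groups all configuration options that have effect on all sub-charts
global:
  # registry is the address of the registry and organization for all container
  # images
  registry: docker.io/cilium

  # tag is the container image tag to use
  # NOTE(review): "latest" is a mutable tag; pin a released version (or an
  # image digest) so that what gets deployed is reproducible and auditable.
  tag: latest

  # pullPolicy is the container image pull policy
  pullPolicy: Always

  # etcd is the etcd configuration
  etcd:
    # enabled enables use of etcd
    enabled: false

    # managed turns on managed etcd mode based on the cilium-etcd-operator
    managed: false

    # clusterDomain sets the cluster domain for cilium-etcd-operator
    clusterDomain: cluster.local

    # endpoints is the list of etcd endpoints (not needed when using
    # managed=true)
    endpoints:
      - https://CHANGE-ME:2379

    # ssl enables use of TLS/SSL for connectivity to etcd. (auto-enabled if
    # managed=true)
    # NOTE(review): the example endpoint above is https://; set ssl to true
    # whenever TLS endpoints are configured, otherwise the agent will not use
    # TLS for the etcd connection.
    ssl: false

  # identityAllocationMode is the method to use for identity allocation.
  # Supported modes:
  #   crd:     Kubernetes CRD backing
  #   kvstore: Key-value store backend (better scalability)
  identityAllocationMode: crd

  # ipv4 is the IPv4 addressing configuration
  ipv4:
    enabled: true

  # ipv6 is the IPv6 addressing configuration
  ipv6:
    enabled: false

  # debug enables debugging mode
  debug:
    enabled: false

    # verbose allows additional levels of debug/trace messaging
    # verbose: flow

  # prometheus configures the agent's Prometheus metrics endpoint and,
  # optionally, a ServiceMonitor for it
  prometheus:
    enabled: false
    port: 9090
    serviceMonitor:
      enabled: false

  # operatorPrometheus configures the cilium-operator Prometheus metrics
  # endpoint
  operatorPrometheus:
    enabled: false
    port: 6942

  # enableXTSocketFallback enables the fallback compatibility solution
  # when the xt_socket kernel module is missing and it is needed for
  # the datapath L7 redirection to work properly. See documentation
  # for details on when this can be disabled:
  # http://docs.cilium.io/en/latest/install/system_requirements/#admin-kernel-version.
  enableXTSocketFallback: true

  # installIptablesRules enables installation of iptables rules to allow for
  # TPROXY (L7 proxy injection), iptables based masquerading and compatibility
  # with kube-proxy. See documentation for details on when this can be
  # disabled.
  installIptablesRules: true

  # masquerade enables masquerading of traffic leaving the node for
  # destinations outside of the cluster.
  masquerade: true

  # autoDirectNodeRoutes enables installation of PodCIDR routes between worker
  # nodes if worker nodes share a common L2 network segment.
  autoDirectNodeRoutes: false

  # endpointRoutes enables use of per endpoint routes instead of routing via
  # the cilium_host interface
  endpointRoutes:
    enabled: false

  # cni is the CNI configuration
  cni:
    # install determines whether to install the CNI configuration and binary
    # files into the filesystem.
    install: true

    # chainingMode enables chaining on top of other CNI plugins. Possible
    # values:
    #   - none
    #   - generic-veth
    #   - aws-cni
    #   - portmap
    chainingMode: none

    # customConf skips writing of the CNI configuration. This can be used if
    # writing of the CNI configuration is performed by external automation.
    customConf: false

    # confPath is the path to the CNI configuration directory on the host
    confPath: /etc/cni/net.d

    # binPath is the path to the CNI binary directory on the host
    binPath: /opt/cni/bin

    # configMap when defined, will mount the provided value as ConfigMap and
    # interpret the cniConf variable as CNI configuration file and write it
    # when the agent starts up
    # configMap: cni-configuration

    # configMapKey is the key in the CNI ConfigMap to read the contents of the
    # CNI configuration from
    configMapKey: cni-config

    # confFileMountPath is the path to where to mount the ConfigMap inside the
    # pod
    confFileMountPath: /tmp/cni-configuration

    # hostConfDirMountPath is the path to where the CNI configuration directory
    # is mounted inside the pod
    hostConfDirMountPath: /host/etc/cni/net.d

  # cluster is the clustermesh related configuration
  cluster:
    # name is the human readable name of the cluster when setting up
    # clustermesh
    name: default

    # id is an 8 bit unique cluster identifier when setting up clustermesh
    # id: "1"

  # tunnel is the encapsulation configuration for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: "vxlan"

  # containerRuntime enables container runtime specific integration. Supported
  # values:
  #   - containerd
  #   - crio
  #   - docker
  #   - none
  #   - auto (automatically detect the container runtime)
  containerRuntime:
    integration: none

    # socketPath can be used to configure the path to the container runtime
    # control socket, if it is on a non-standard path.
    # socketPath:

  # bpf is the BPF datapath specific configuration
  bpf:
    # waitForMount instructs the cilium-agent DaemonSet to wait in an
    # initContainer until the BPF filesystem has been mounted.
    waitForMount: false

    # preallocateMaps enables pre allocation of BPF map values. This increases
    # memory usage but can reduce latency.
    preallocateMaps: false

    # ctTcpMax is the maximum number of entries in the TCP connection tracking
    # table
    ctTcpMax: 524288

    # ctAnyMax is the maximum number of entries for the non-TCP connection
    # tracking table
    ctAnyMax: 262144

    # natMax is the maximum number of entries for the NAT table
    natMax: 841429

    # monitorAggregation is the level of aggregation for datapath trace events
    monitorAggregation: medium

    # monitorInterval is the typical time between monitor notifications for
    # active connections
    monitorInterval: "5s"

    # monitorFlags are TCP flags that trigger notifications when seen for the
    # first time
    monitorFlags: "all"

  # encryption is the encryption specific configuration
  encryption:
    # enabled enables encryption
    # NOTE(review): while false, Cilium does not encrypt traffic between
    # nodes; leave it disabled only where the underlying network is trusted.
    enabled: false

    # keyFile is the name of the key file inside the Kubernetes secret
    # configured via secretName
    keyFile: keys

    # mountPath is the path where to mount the secret inside the Cilium pod
    mountPath: /etc/ipsec

    # secretName is the name of the Kubernetes secret containing the encryption
    # keys
    secretName: cilium-ipsec-keys

    # nodeEncryption enables encryption for pure node to node traffic
    nodeEncryption: false

    # interface is the interface to use for encryption
    # interface: eth0

  # kubeProxyReplacement enables kube-proxy replacement in the Cilium BPF
  # datapath
  kubeProxyReplacement: "probe"

  # hostServices is the configuration for ClusterIP service handling in the
  # host namespace
  hostServices:
    # enabled enables host reachable functionality
    enabled: false

    # protocols is the list of protocols to support
    protocols: tcp,udp

  # nodePort is the configuration for NodePort service handling
  nodePort:
    # enabled enables NodePort functionality
    enabled: false

    # range is the port range to use for NodePort
    # range:

    # device is the name of the device handling NodePort requests
    # device:

    # mode is the mode of the NodePort feature
    mode: "hybrid"

  # externalIPs is the configuration for ExternalIPs service handling
  externalIPs:
    # enabled enables ExternalIPs functionality
    enabled: false

  # flannel is the flannel specific configuration
  flannel:
    # enabled enables the flannel integration
    enabled: false

    # masterDevice is the name of the flannel bridge
    masterDevice: cni0

    # uninstallOnExit enables uninstallation of Cilium BPF programs on flannel
    # managed pods when the Cilium pod is terminated
    uninstallOnExit: false

  # ipvlan is the IPVLAN configuration
  ipvlan:
    # enabled enables use of the IPVLAN datapath
    enabled: false

    # masterDevice is the name of the device to use to attach secondary IPVLAN
    # devices
    # masterDevice: eth0

  # pprof is the Go pprof configuration
  pprof:
    # enabled enables go pprof debugging
    enabled: false

  # logSystemLoad enables logging of system load
  logSystemLoad: false

  # sockops is the BPF socket operations configuration
  sockops:
    # enabled enables installation of socket level functionality.
    enabled: false

  # k8s is the Kubernetes specific configuration
  k8s:
    # requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
    # range via the Kubernetes node resource
    requireIPv4PodCIDR: false

  # ENI mode configures the options required to run with ENI
  eni: false

  # azure is the Azure IPAM configuration
  azure:
    enabled: false
    # NOTE(review): clientSecret is a credential; keep it out of values files
    # committed to version control (pass it via --set or a separate, untracked
    # values file instead).
    # resourceGroup: group1
    # subscriptionID: 00000000-0000-0000-0000-000000000000
    # tenantID: 00000000-0000-0000-0000-000000000000
    # clientID: 00000000-0000-0000-0000-000000000000
    # clientSecret: 00000000-0000-0000-0000-000000000000

  # cleanState instructs the cilium-agent DaemonSet to clean all state in the
  # initContainer
  #
  # WARNING: Use with care!
  cleanState: false

  # cleanBpfState instructs the cilium-agent DaemonSet to clean all BPF
  # datapath state in the initContainer
  #
  # WARNING: Use with care!
  cleanBpfState: false

  nodeinit:
    # enabled enables inclusion of the nodeinit DaemonSet
    enabled: false

    # bootstrapFile is the location of the file where the bootstrap timestamp is
    # written by the node-init DaemonSet
    bootstrapFile: "/tmp/cilium-bootstrap-time"

  daemon:
    # runPath is the agent's runtime directory
    runPath: "/var/run/cilium"

  wellKnownIdentities:
    # enabled enables the use of well-known identities
    enabled: false

  tls:
    # secretsBackend selects where TLS secrets are read from
    secretsBackend: local

  # remoteNodeIdentity enables use of the remote node identity
  remoteNodeIdentity: true

  # synchronizeK8sNodes enables synchronization of Kubernetes node resources
  synchronizeK8sNodes: true

  # psp creates and binds PodSecurityPolicies for the components that require
  # it
  psp:
    enabled: false

  # policyAuditMode enables non-drop mode for installed policies. In audit mode
  # packets affected by policies will not be dropped. Policy related
  # decisions can be checked via the policy verdict messages.
  # NOTE(review): keep this false in production; when true, policy violations
  # are only reported, not enforced.
  policyAuditMode: false

  # hubble configures Hubble.
  hubble:
    # List of unix domain socket paths to listen to, for example:
    #
    # listenAddresses:
    #   - "unix:///var/run/cilium/hubble.sock"
    #
    # You can specify the list of addresses from the helm CLI:
    #
    # --set global.hubble.listenAddresses={unix:///var/run/cilium}
    #
    # Hubble is disabled if the list is empty.
    listenAddresses: []

    # Buffer size of the channel Hubble uses to receive monitor events.
    # Defaults to 128.
    eventQueueSize: null

    # Number of recent flows for Hubble to cache. Defaults to 4096.
    flowBufferSize: null

    # Specifies the address the metric server listens to (e.g. ":12345"). The
    # metric server is disabled if this value is empty.
    metricServer: null

    # List of metrics to collect, for example:
    #
    # metrics:
    #   - dns:query;ignoreAAAA
    #   - drop
    #   - tcp
    #   - flow
    #   - port-distribution
    #   - icmp
    #   - http
    #
    # You can specify the list of metrics from the helm CLI:
    #
    # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,port-distribution,icmp,http}"
    #
    # See https://github.com/cilium/hubble/blob/master/Documentation/metrics.md
    # for more comprehensive documentation about Hubble's metric collection.
    metrics: []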