install/kubernetes/cilium/values.yaml

# Include the cilium-agent DaemonSet
agent:
  enabled: true
  # Do not run Cilium agent when running with clean mode. Useful to completely
  # uninstall Cilium as it will stop Cilium from starting and create artifacts
  # in the node.
  sleepAfterInit: false
  # Keep the deprecated selector labels when deploying Cilium DaemonSet
  keepDeprecatedLabels: false

# Include the cilium-config ConfigMap
config:
  enabled: true

# Include the cilium-operator Deployment
operator:
  enabled: true

# Include the PreFlight DaemonSet
preflight:
  enabled: false
  # Path to write the --tofqdns-pre-cache file to. When empty no file is
  # generated.
  tofqdnsPreCache: ""
  # By default we should always validate the installed CNPs before upgrading
  # Cilium. This will make sure the user will have the policies deployed in the
  # cluster with the right schema.
  validateCNPs: true

# global groups all configuration options that have effect on all sub-charts
global:
  # registry is the address of the registry and orgnization for all container images
  registry: docker.io/cilium

  # tag is the container image tag to use
  tag: latest

  # pullPolicy is the container image pull policy
  pullPolicy: Always

  # etcd is the etcd configuration
  etcd:
    # enabled enables use of etcd
    enabled: false

    # If etcd is behind a k8s service set this option to true so that Cilium
    # does the service translation automatically without requiring a DNS to be
    # running. Requires disable-k8s-services=false
    k8sService: false

    # managed turns on managed etcd mode based on the cilium-etcd-operator
    managed: false

    # sets cluster domain for cilium-etcd-operator
    clusterDomain: cluster.local

    # defines the size of the etcd cluster
    clusterSize: 3

    # endpoints is the list of etcd endpoints (not needed when using
    # managed=true)
    endpoints:
      - https://CHANGE-ME:2379

    # ssl enables use of TLS/SSL for connectivity to etcd. (auto-enabled if
    # managed=true)
    ssl: false

  # identityAllocationMode is the method to use for identity allocation.
  # Supported modes:
  #  crd: Kubernetes CRD backing
  #  kvstore: Key-value store backend (better scalability)
  identityAllocationMode: crd

  # identityChangeGracePeriod is the grace period that needs to pass
  # before an endpoint that has changed its identity will start using
  # that new identity. During the grace period, the new identity has
  # already been allocated and other nodes in the cluster have a chance
  # to whitelist the new upcoming identity of the endpoint.
  identityChangeGracePeriod: "5s"

  # ipv4 is the IPv4 addressing configuration
  ipv4:
    enabled: true

  # ipv6 is the IPv6 addressing configuration
  ipv6:
    enabled: false

  # debug enables debugging mode
  debug:
    enabled: false

  # verbose allows additional levels of debug/trace messaging
  # verbose: flow

  agent:
    # TCP port for the agent health API. This is not the port for cilium-health.
    healthPort: 9876

  # prometheus enables
  prometheus:
    enabled: false
    port: 9090
    serviceMonitor:
      enabled: false

  # operatorPrometheus enables
  operatorPrometheus:
    enabled: false
    port: 6942

  # enableXTSocketFallback enables the fallback compatibility solution
  # when the xt_socket kernel module is missing and it is needed for
  # the datapath L7 redirection to work properly.  See documentation
  # for details on when this can be disabled:
  # http://docs.cilium.io/en/latest/install/system_requirements/#admin-kernel-version.
  enableXTSocketFallback: true

  # installIptablesRules enables installation of iptables rules to allow for
  # TPROXY (L7 proxy injection), itpables based masquerading and compatibility
  # with kube-proxy. See documentation for details on when this can be
  # disabled.
  installIptablesRules: true

  # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
  # iptablesLockTimeout: "5s"

  # masquerade enables masquerading of traffic leaving the node for
  # destinations outside of the cluster.
  masquerade: true

  # bpfMasquerade enables masquerading with BPF instead of iptables
  bpfMasquerade: false

  # ipMasqAgent enables and controls BPF ip-masq-agent
  ipMasqAgent:
    enabled: false

  # autoDirectNodeRoutes enables installation of PodCIDR routes between worker
  # nodes if worker nodes share a common L2 network segment.
  autoDirectNodeRoutes: false

  # nativeRoutingCIDR allows to explicitly specify the CIDR for native routing. This
  # value corresponds to the configured cluster-cidr.
  nativeRoutingCIDR: ""

  # endpointRoutes enables use of per endpoint routes instead of routing vis
  # the cilium_host interface
  endpointRoutes:
    enabled: false

  # cni is the CNI configuration
  cni:
    # install determines whether to install the CNI configuration and binary
    # files into the filesystem.
    install: true

    # chainingMode enables chaining on top of other CNI plugins. Possible
    # values:
    #  - none
    #  - generic-veth
    #  - aws-cni
    #  - portmap
    chainingMode: none

    # customConf skips writing of the CNI configuration. This can be used if
    # writing of the CNI configuration is performed by external automation.
    customConf: false

    # confPath is the path to the CNI configuration directory on the host
    confPath: /etc/cni/net.d

    # binPath si the path to the CNI binary directory on the host
    binPath: /opt/cni/bin

    # configMap when defined, will mount the provided value as ConfigMap  and
    # interpret the cniConf variable as CNI configuration file and write it
    # when the agent starts up
    # configMap: cni-configuration

    # configMapKey is the key in the CNI ConfigMap to read the contents of the
    # CNI configuration from
    configMapKey: cni-config

    # confFileMountPath is the path to where to mount the ConfigMap inside the
    # pod
    confFileMountPath: /tmp/cni-configuration

    # hostConfDirMountPath is the path to where the CNI configuration directory
    # is mounted inside the  pod
    hostConfDirMountPath: /host/etc/cni/net.d

  # cluster is the clustermesh related configuration
  cluster:
    # name is the human readable name of the cluster when setting up
    # clustermesh
    name: default

  # id is a 8 bits unique cluster identifier when setting up clustermesh
  # id: "1"

  # tunnel is the encapsulation configuration for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: "vxlan"

  # containerRuntime enables container runtime specific integration. Supported
  # values:
  # - containerd
  # - crio
  # - docker
  # - none
  # - auto (automatically detect the container runtime)
  containerRuntime:
    integration: none

    # socketPath can be used to configure the path to the container runtime
    # control socket, if it is on a non-standard path.
    # socketPath:

  # bpf is the BPF datapath specific configuration
  bpf:
    # waitForMount instructs the cilium-agent DaemoNSet to wait in an
    # initContainer until the BPF filesystem has been mounted.
    waitForMount: false

    # preallocateMaps enables pre allocation of BPF map values. This increases
    # memory usage but can reduce latency.
    preallocateMaps: false

    # ctTcpMax is the maximum number of entries in the TCP connection tracking
    # table
    ctTcpMax: 524288

    # ctAnyMax is the maximum number of entries for the non-TCP connection
    # tracking table
    ctAnyMax: 262144

    # natMax is the maximum number of entries for the NAT table
    natMax: 524288

    # policyMapMax is the maximum number of entries in endpoint policy map (per endpoint)
    policyMapMax: 16384

    # mapDynamicSizeRatio is the ratio (0.0-1.0) of total system memory to use
    # for dynamic sizing of CT, NAT and policy BPF maps. If set to 0.0, dynamic
    # sizing of BPF maps is disabled. The default value of 0.03 (3%) leads to
    # approximately the default BPF map sizes on a node with 4 GiB of total
    # system memory.
    mapDynamicSizeRatio: 0.03

    # monitorAggregation is the level of aggregation for datapath trace events
    monitorAggregation: medium

    # monitorInterval is the typical time between monitor notifications for
    # active connections
    monitorInterval: "5s"

    # monitorFlags are TCP flags that trigger notifications when seen for the
    # first time
    monitorFlags: "all"

    # clockProbe enables the probing and potential of a more efficient clock
    # source for the BPF datapath
    clockProbe: true

  # encryption is the encryption specific configuration
  encryption:
    # enabled enables encryption
    enabled: false

    # keyFile is the name of the key file inside the Kubernetes secret
    # configured via secretName
    keyFile: keys

    # mountPath is the path where to mount the secret inside the Cilium pod
    mountPath: /etc/ipsec

    # secretName is the name of the Kubernetes secret containing the encryption
    # keys
    secretName: cilium-ipsec-keys

    # nodeEncryption enables encryption for pure node to node traffic
    nodeEncryption: false

    # interface is the interface to use for encryption
    # interface: eth0

  # kubeProxyReplacement enables kube-proxy replacement in Cilium BPF datapath
  kubeProxyReplacement: "probe"

  # hostServices is the configuration for ClusterIP service handling in host namespace
  hostServices:
    # enabled enables host reachable functionality
    enabled: false

    # protocols is the list of protocols to support
    protocols: tcp,udp

  # nodePort is the configuration for NodePort service handling
  nodePort:
    # enabled enables NodePort functionality
    enabled: false

    # range is the port range to use for NodePort
    # range:

    # device is the name of the device handling NodePort requests
    # device:

    # mode is the mode of NodePort feature
    # mode:

    # acceleration is the option to accelerate NodePort via XDP
    # acceleration:

    # bindProtection is the option to enable or disable prevention of
    # applications binding to service ports
    bindProtection: true

    # Append NodePort range to ip_local_reserved_ports if clash with ephemeral
    # ports is detected
    autoProtectPortRange: true

  # hostPort is the configuration for container hostPort mapping
  hostPort:
    # enabled enables the hostPort functionality
    enabled: false

  # externalIPs is the configuration for ExternalIPs service handling
  externalIPs:
    # enabled enables ExternalIPs functionality
    enabled: false

  # sessionAffinity enable support for service sessionAffinity
  sessionAffinity:
    enabled: true

  # flannel is the flannel specific configuration
  flannel:
    # enabled enables the flannel integration
    enabled: false

    # masterDevice is the name of the flannel bridge
    masterDevice: cni0

    # uninstallOnExt enables uninstallation of Cilium BPF programs on flannel
    # managed pods when the Cilium pod is terminated
    uninstallOnExit: false

  # ipvlan is the IPVLAN configuration
  ipvlan:
    # enabled enables use of the IPVLAN datapath
    enabled: false

    # masterDevice is the name of the device to use to attach secondary IPVLAN
    # devices
    # masterDevice: eth0

  # pprof is the GO pprof configuration
  pprof:
    # enabled enables go pprof debugging
    enabled: false

  # logSytemLoad enables logging of system load
  logSystemLoad: false

  # sockops is the BPF socket operations configuration
  sockops:
    # enabled enables installation of socket level functionality.
    enabled: false

  # k8s is the Kubernetes specific configuration
  k8s:
    # requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
    # range via the Kubernetes node resource
    requireIPv4PodCIDR: false

  # ENI mode configures the options required to run with ENI
  eni: false

  # Google Kubernetes Engine
  gke:
    enabled: false

  azure:
    enabled: false
    # resourceGroup: group1
    # subscriptionID: 00000000-0000-0000-0000-000000000000
    # tenantID: 00000000-0000-0000-0000-000000000000
    # clientID: 00000000-0000-0000-0000-000000000000
    # clientSecret: 00000000-0000-0000-0000-000000000000

  # cleanState instructs the cilium-agent DaemonSet to clean all state in the
  # initContainer
  #
  # WARNING: Use with care!
  cleanState: false

  # cleanBpfState instructs the cilium-agent DaemonSet to clean all BPF
  # datapath state in the initContainer
  #
  # WARNING: Use with care!
  cleanBpfState: false

  nodeinit:
    # enabled enables inclusion of the nodeinit DaemonSet
    enabled: false

    # bootstrapFile is the location of the file where the bootstrap timestamp is
    # written by the node-init DaemonSet
    bootstrapFile: "/tmp/cilium-bootstrap-time"

  daemon:
    runPath: "/var/run/cilium"

  wellKnownIdentities:
    # enabled enables the use of well-known identities
    enabled: false

  tls:
    secretsBackend: local

  # remoteNodeIdentity enables use of the remote node identity
  remoteNodeIdentity: true

  synchronizeK8sNodes: true

  # psp creates and binds PodSecurityPolicies for the components that require it
  psp:
    enabled: false

  # enables non-drop mode for installed policies. In audit mode
  # packets affected by policies will not be dropped. Policy related
  # decisions can be checked via the poicy verdict messages.
  policyAuditMode: false

  # hubble configures Hubble.
  hubble:
    enabled: false
    ui:
      enabled: false
    # Default unix domain socket path to listen to when Hubble is enabled. Default to "/var/run/cilium/hubble.sock".
    socketPath: /var/run/cilium/hubble.sock
    # An additional address to listen to, for example:
    #
    #   listenAddress: ":4244"
    #
    # Set this field ":4244" if you are enabling hubble-relay, as it assumes that Hubble is listening
    # on port 4244.
    listenAddress: ""
    # Buffer size of the channel Hubble uses to receive monitor events. If this value is not set,
    # the queue size is set to the default monitor queue size.
    eventQueueSize: ~
    # Number of recent flows for Hubble to cache. Defaults to 4096.
    flowBufferSize: ~
    # Specifies the address the metric server listens to (e.g. ":12345"). The metric server is
    # disabled if this value is empty.
    metricsServer: ~
    # List of metrics to collect, for example:
    #
    #   metrics:
    #   - dns:query;ignoreAAAA
    #   - drop
    #   - tcp
    #   - flow
    #   - port-distribution
    #   - icmp
    #   - http
    #
    # You can specify the list of metrics from the helm CLI:
    #
    #   --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,port-distribution,icmp,http}"
    #
    # See https://github.com/cilium/hubble/blob/master/Documentation/metrics.md for more comprehensive
    # documentation about Hubble's metric collection.
    metrics:
      enabled:
        - drop
      serviceMonitor:
        enabled: false
    # Configures the hubble-cli subchart
    cli:
      enabled: false
    # Configures the hubble-relay subchart
    relay:
      enabled: false

  # CI specific options: DO NOT USE IN PRODUCTION.
  ci:
    # Make Cilium panic if objects received by k8s are modified.
    kubeCacheMutationDetector: false

  ipam:
    mode: "cluster-pool"
    operator:
      clusterPoolIPv4PodCIDR: "10.0.0.0/8"
      clusterPoolIPv4MaskSize: 24
      clusterPoolIPv6PodCIDR: "fd00::/104"
      clusterPoolIPv6MaskSize: 120

  proxy:
    # Regular expression matching compatible Istio sidecar istio-proxy
    # container image names
    sidecarImageRegex: "cilium/istio_proxy"

  endpointHealthChecking:
    enabled: true

  healthChecking:
    enabled: true

  cnpStatusUpdates:
    enabled: false