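# Include the cilium-agent DaemonSet
agent:
  enabled: true
  # Do not run the Cilium agent when running in clean mode. Useful to completely
  # uninstall Cilium, as it stops Cilium from starting and creating artifacts
  # on the node.
  sleepAfterInit: false
  # Keep the deprecated selector labels when deploying the Cilium DaemonSet
  keepDeprecatedLabels: false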
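# Include the cilium-config ConfigMap
config:
  enabled: true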
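# Include the cilium-operator Deployment
operator:
  enabled: true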
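# Include the PreFlight DaemonSet
preflight:
  enabled: false
  # Path to write the --tofqdns-pre-cache file to. When empty, no file is
  # generated.
  tofqdnsPreCache: ""
  # By default we should always validate the installed CNPs before upgrading
  # Cilium. This makes sure the policies deployed in the cluster have the
  # right schema.
  validateCNPs: true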
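# global groups all configuration options that have effect on all sub-charts
global:
  # registry is the address of the registry and organization for all container images
  registry: docker.io/cilium
  # tag is the container image tag to use. "latest" is a mutable tag: together
  # with pullPolicy Always, the image actually running on a node can change on
  # any pod restart. Pin a release tag for reproducible, auditable deployments.
  tag: latest
  # pullPolicy is the container image pull policy
  pullPolicy: Always
  # etcd is the etcd configuration
  etcd:
    # enabled enables use of etcd
    enabled: false
    # If etcd is behind a k8s service set this option to true so that Cilium
    # does the service translation automatically without requiring a DNS to be
    # running. Requires disable-k8s-services=false
    k8sService: false
    # managed turns on managed etcd mode based on the cilium-etcd-operator
    managed: false
    # sets cluster domain for cilium-etcd-operator
    clusterDomain: cluster.local
    # defines the size of the etcd cluster
    clusterSize: 3
    # endpoints is the list of etcd endpoints (not needed when using
    # managed=true). CHANGE-ME is a placeholder and must be replaced.
    endpoints:
      - https://CHANGE-ME:2379
    # ssl enables use of TLS/SSL for connectivity to etcd. (auto-enabled if
    # managed=true). When false, connectivity to a non-managed etcd is
    # unencrypted.
    ssl: false
  # identityAllocationMode is the method to use for identity allocation.
  # Supported modes:
  #   crd: Kubernetes CRD backing
  #   kvstore: Key-value store backend (better scalability)
  identityAllocationMode: crd
  # identityChangeGracePeriod is the grace period that needs to pass
  # before an endpoint that has changed its identity will start using
  # that new identity. During the grace period, the new identity has
  # already been allocated and other nodes in the cluster have a chance
  # to whitelist the new upcoming identity of the endpoint.
  identityChangeGracePeriod: "5s"
  # ipv4 is the IPv4 addressing configuration
  ipv4:
    enabled: true
  # ipv6 is the IPv6 addressing configuration
  ipv6:
    enabled: false
  # debug enables debugging mode
  debug:
    enabled: false
    # verbose allows additional levels of debug/trace messaging
    # verbose: flow
  agent:
    # TCP port for the agent health API. This is not the port for cilium-health.
    healthPort: 9876
  # prometheus configures Prometheus metrics exposure for the agent
  prometheus:
    enabled: false
    port: 9090
    serviceMonitor:
      enabled: false
  # operatorPrometheus configures Prometheus metrics exposure for the operator
  operatorPrometheus:
    enabled: false
    port: 6942
  # enableXTSocketFallback enables the fallback compatibility solution
  # when the xt_socket kernel module is missing and it is needed for
  # the datapath L7 redirection to work properly. See documentation
  # for details on when this can be disabled:
  # http://docs.cilium.io/en/latest/install/system_requirements/#admin-kernel-version.
  enableXTSocketFallback: true
  # installIptablesRules enables installation of iptables rules to allow for
  # TPROXY (L7 proxy injection), iptables based masquerading and compatibility
  # with kube-proxy. See documentation for details on when this can be
  # disabled.
  installIptablesRules: true
  # iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
  # iptablesLockTimeout: "5s"
  # masquerade enables masquerading of traffic leaving the node for
  # destinations outside of the cluster.
  masquerade: true
  # bpfMasquerade enables masquerading with BPF instead of iptables
  bpfMasquerade: false
  # ipMasqAgent enables and controls BPF ip-masq-agent
  ipMasqAgent:
    enabled: false
  # autoDirectNodeRoutes enables installation of PodCIDR routes between worker
  # nodes if worker nodes share a common L2 network segment.
  autoDirectNodeRoutes: false
  # nativeRoutingCIDR allows to explicitly specify the CIDR for native routing. This
  # value corresponds to the configured cluster-cidr.
  nativeRoutingCIDR: ""
  # endpointRoutes enables use of per endpoint routes instead of routing via
  # the cilium_host interface
  endpointRoutes:
    enabled: false
  # cni is the CNI configuration
  cni:
    # install determines whether to install the CNI configuration and binary
    # files into the filesystem.
    install: true
    # chainingMode enables chaining on top of other CNI plugins. Possible
    # values:
    #   - none
    #   - generic-veth
    #   - aws-cni
    #   - portmap
    chainingMode: none
    # customConf skips writing of the CNI configuration. This can be used if
    # writing of the CNI configuration is performed by external automation.
    customConf: false
    # confPath is the path to the CNI configuration directory on the host
    confPath: /etc/cni/net.d
    # binPath is the path to the CNI binary directory on the host
    binPath: /opt/cni/bin
    # configMap when defined, will mount the provided value as ConfigMap and
    # interpret the cniConf variable as CNI configuration file and write it
    # when the agent starts up
    # configMap: cni-configuration
    # configMapKey is the key in the CNI ConfigMap to read the contents of the
    # CNI configuration from
    configMapKey: cni-config
    # confFileMountPath is the path to where to mount the ConfigMap inside the
    # pod
    confFileMountPath: /tmp/cni-configuration
    # hostConfDirMountPath is the path to where the CNI configuration directory
    # is mounted inside the pod
    hostConfDirMountPath: /host/etc/cni/net.d
  # cluster is the clustermesh related configuration
  cluster:
    # name is the human readable name of the cluster when setting up
    # clustermesh
    name: default
    # id is a 8 bits unique cluster identifier when setting up clustermesh
    # id: "1"
  # tunnel is the encapsulation configuration for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: "vxlan"
  # containerRuntime enables container runtime specific integration. Supported
  # values:
  #   - containerd
  #   - crio
  #   - docker
  #   - none
  #   - auto (automatically detect the container runtime)
  containerRuntime:
    integration: none
    # socketPath can be used to configure the path to the container runtime
    # control socket, if it is on a non-standard path.
    # socketPath:
  # bpf is the BPF datapath specific configuration
  bpf:
    # waitForMount instructs the cilium-agent DaemonSet to wait in an
    # initContainer until the BPF filesystem has been mounted.
    waitForMount: false
    # preallocateMaps enables pre allocation of BPF map values. This increases
    # memory usage but can reduce latency.
    preallocateMaps: false
    # ctTcpMax is the maximum number of entries in the TCP connection tracking
    # table
    ctTcpMax: 524288
    # ctAnyMax is the maximum number of entries for the non-TCP connection
    # tracking table
    ctAnyMax: 262144
    # natMax is the maximum number of entries for the NAT table
    natMax: 524288
    # policyMapMax is the maximum number of entries in endpoint policy map (per endpoint)
    policyMapMax: 16384
    # mapDynamicSizeRatio is the ratio (0.0-1.0) of total system memory to use
    # for dynamic sizing of CT, NAT and policy BPF maps. If set to 0.0, dynamic
    # sizing of BPF maps is disabled. The default value of 0.03 (3%) leads to
    # approximately the default BPF map sizes on a node with 4 GiB of total
    # system memory.
    mapDynamicSizeRatio: 0.03
    # monitorAggregation is the level of aggregation for datapath trace events
    monitorAggregation: medium
    # monitorInterval is the typical time between monitor notifications for
    # active connections
    monitorInterval: "5s"
    # monitorFlags are TCP flags that trigger notifications when seen for the
    # first time
    monitorFlags: "all"
    # clockProbe enables probing for, and potential use of, a more efficient
    # clock source for the BPF datapath
    clockProbe: true
  # encryption is the encryption specific configuration
  encryption:
    # enabled enables encryption
    enabled: false
    # keyFile is the name of the key file inside the Kubernetes secret
    # configured via secretName
    keyFile: keys
    # mountPath is the path where to mount the secret inside the Cilium pod
    mountPath: /etc/ipsec
    # secretName is the name of the Kubernetes secret containing the encryption
    # keys
    secretName: cilium-ipsec-keys
    # nodeEncryption enables encryption for pure node to node traffic
    nodeEncryption: false
    # interface is the interface to use for encryption
    # interface: eth0
  # kubeProxyReplacement enables kube-proxy replacement in Cilium BPF datapath
  kubeProxyReplacement: "probe"
  # hostServices is the configuration for ClusterIP service handling in host namespace
  hostServices:
    # enabled enables host reachable functionality
    enabled: false
    # protocols is the list of protocols to support
    protocols: tcp,udp
  # nodePort is the configuration for NodePort service handling
  nodePort:
    # enabled enables NodePort functionality
    enabled: false
    # range is the port range to use for NodePort
    # range:
    # device is the name of the device handling NodePort requests
    # device:
    # mode is the mode of NodePort feature
    # mode:
    # acceleration is the option to accelerate NodePort via XDP
    # acceleration:
    # bindProtection is the option to enable or disable prevention of
    # applications binding to service ports
    bindProtection: true
    # Append NodePort range to ip_local_reserved_ports if clash with ephemeral
    # ports is detected
    autoProtectPortRange: true
  # hostPort is the configuration for container hostPort mapping
  hostPort:
    # enabled enables the hostPort functionality
    enabled: false
  # externalIPs is the configuration for ExternalIPs service handling
  externalIPs:
    # enabled enables ExternalIPs functionality
    enabled: false
  # sessionAffinity enables support for service sessionAffinity
  sessionAffinity:
    enabled: true
  # flannel is the flannel specific configuration
  flannel:
    # enabled enables the flannel integration
    enabled: false
    # masterDevice is the name of the flannel bridge
    masterDevice: cni0
    # uninstallOnExit enables uninstallation of Cilium BPF programs on flannel
    # managed pods when the Cilium pod is terminated
    uninstallOnExit: false
  # ipvlan is the IPVLAN configuration
  ipvlan:
    # enabled enables use of the IPVLAN datapath
    enabled: false
    # masterDevice is the name of the device to use to attach secondary IPVLAN
    # devices
    # masterDevice: eth0
  # pprof is the Go pprof configuration
  pprof:
    # enabled enables go pprof debugging
    enabled: false
  # logSystemLoad enables logging of system load
  logSystemLoad: false
  # sockops is the BPF socket operations configuration
  sockops:
    # enabled enables installation of socket level functionality.
    enabled: false
  # k8s is the Kubernetes specific configuration
  k8s:
    # requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
    # range via the Kubernetes node resource
    requireIPv4PodCIDR: false
  # ENI mode configures the options required to run with ENI
  eni: false
  # Google Kubernetes Engine
  gke:
    enabled: false
  azure:
    enabled: false
    # resourceGroup: group1
    # subscriptionID: 00000000-0000-0000-0000-000000000000
    # tenantID: 00000000-0000-0000-0000-000000000000
    # clientID: 00000000-0000-0000-0000-000000000000
    # clientSecret is a credential: a value set here ends up in the rendered
    # release and in any version control holding this file. Prefer supplying
    # it from a secret store at deploy time.
    # clientSecret: 00000000-0000-0000-0000-000000000000
  # cleanState instructs the cilium-agent DaemonSet to clean all state in the
  # initContainer
  #
  # WARNING: Use with care!
  cleanState: false
  # cleanBpfState instructs the cilium-agent DaemonSet to clean all BPF
  # datapath state in the initContainer
  #
  # WARNING: Use with care!
  cleanBpfState: false
  nodeinit:
    # enabled enables inclusion of the nodeinit DaemonSet
    enabled: false
    # bootstrapFile is the location of the file where the bootstrap timestamp is
    # written by the node-init DaemonSet
    bootstrapFile: "/tmp/cilium-bootstrap-time"
  daemon:
    runPath: "/var/run/cilium"
  wellKnownIdentities:
    # enabled enables the use of well-known identities
    enabled: false
  tls:
    secretsBackend: local
  # remoteNodeIdentity enables use of the remote node identity
  remoteNodeIdentity: true
  synchronizeK8sNodes: true
  # psp creates and binds PodSecurityPolicies for the components that require it
  psp:
    enabled: false
  # enables non-drop mode for installed policies. In audit mode
  # packets affected by policies will not be dropped. Policy related
  # decisions can be checked via the policy verdict messages.
  policyAuditMode: false
  # hubble configures Hubble.
  hubble:
    enabled: false
    ui:
      enabled: false
    # Default unix domain socket path to listen to when Hubble is enabled. Default to "/var/run/cilium/hubble.sock".
    socketPath: /var/run/cilium/hubble.sock
    # An additional address to listen to, for example:
    #
    # listenAddress: ":4244"
    #
    # Set this field to ":4244" if you are enabling hubble-relay, as it assumes that Hubble is listening
    # on port 4244. A TCP listen address exposes the Hubble API beyond the local
    # unix socket; restrict who can reach that port accordingly.
    listenAddress: ""
    # Buffer size of the channel Hubble uses to receive monitor events. If this value is not set,
    # the queue size is set to the default monitor queue size.
    eventQueueSize: ~
    # Number of recent flows for Hubble to cache. Defaults to 4096.
    flowBufferSize: ~
    # Specifies the address the metric server listens to (e.g. ":12345"). The metric server is
    # disabled if this value is empty.
    metricsServer: ~
    # List of metrics to collect, for example:
    #
    # metrics:
    #   - dns:query;ignoreAAAA
    #   - drop
    #   - tcp
    #   - flow
    #   - port-distribution
    #   - icmp
    #   - http
    #
    # You can specify the list of metrics from the helm CLI:
    #
    # --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,port-distribution,icmp,http}"
    #
    # See https://github.com/cilium/hubble/blob/master/Documentation/metrics.md for more comprehensive
    # documentation about Hubble's metric collection.
    metrics:
      enabled:
        - drop
      serviceMonitor:
        enabled: false
    # Configures the hubble-cli subchart
    cli:
      enabled: false
    # Configures the hubble-relay subchart
    relay:
      enabled: false
  # CI specific options: DO NOT USE IN PRODUCTION.
  ci:
    # Make Cilium panic if objects received by k8s are modified.
    kubeCacheMutationDetector: false
  ipam:
    mode: "cluster-pool"
    operator:
      clusterPoolIPv4PodCIDR: "10.0.0.0/8"
      clusterPoolIPv4MaskSize: 24
      clusterPoolIPv6PodCIDR: "fd00::/104"
      clusterPoolIPv6MaskSize: 120
  proxy:
    # Regular expression matching compatible Istio sidecar istio-proxy
    # container image names
    sidecarImageRegex: "cilium/istio_proxy"
  endpointHealthChecking:
    enabled: true
  healthChecking:
    enabled: true
  cnpStatusUpdates:
    enabled: false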