// SPDX-License-Identifier: Apache-2.0
// Copyright 2016-2020 Authors of Cilium
package defaults
import (
"time"
)
// Default values for agent, operator and client options. Each constant is
// the fallback used when the corresponding option is not set explicitly;
// the entries for paths, access rights, sockets and bind addresses are
// security-relevant, and the review notes on them name what should be
// confirmed at the consumer, since this file only declares the values.
const (
	// AgentHealthPort is the default value for option.AgentHealthPort
	AgentHealthPort = 9879
	// ClusterHealthPort is the default value for option.ClusterHealthPort
	ClusterHealthPort = 4240
	// ClusterMeshHealthPort is the default value for option.ClusterMeshHealthPort
	ClusterMeshHealthPort = 80
	// PprofPortAgent is the default value for pprof in the agent
	PprofPortAgent = 6060
	// PprofPortOperator is the default value for pprof in the operator
	PprofPortOperator = 6061
	// GopsPortAgent is the default value for option.GopsPort in the agent
	GopsPortAgent = 9890
	// GopsPortOperator is the default value for option.GopsPort in the operator
	GopsPortOperator = 9891
	// GopsPortApiserver is the default value for option.GopsPort in the apiserver
	GopsPortApiserver = 9892
	// IPv6ClusterAllocCIDR is the default value for option.IPv6ClusterAllocCIDR
	IPv6ClusterAllocCIDR = IPv6ClusterAllocCIDRBase + "/64"
	// IPv6ClusterAllocCIDRBase is the default base for IPv6ClusterAllocCIDR
	IPv6ClusterAllocCIDRBase = "f00d::"
	// RuntimePath is the default path to the runtime directory. The API
	// socket, the Hubble socket, the monitor socket, the pid file, the pcap
	// storage directory and the certificates directory declared below all
	// live under it.
	RuntimePath = "/var/run/cilium"
	// RuntimePathRights are the default access rights of the RuntimePath directory.
	// NOTE(review): 0775 is group-writable, and RuntimePath holds the sockets
	// and pid file listed above, so the group owning the directory effectively
	// gates who may create or replace those files — confirm the owner/group the
	// caller assigns and that the effective mode after umask is the intended one.
	RuntimePathRights = 0775
	// StateDirRights are the default access rights of the state directory
	// (owner and group only; no access for others).
	StateDirRights = 0770
	// StateDir is the default path for the state directory relative to RuntimePath
	StateDir = "state"
	// TemplatesDir is the default path for the compiled template objects relative to StateDir
	TemplatesDir = "templates"
	// TemplatePath is the default path for a symlink to a template relative to StateDir/<EPID>
	TemplatePath = "template.o"
	// BpfDir is the default path for template files relative to LibDir
	BpfDir = "bpf"
	// LibraryPath is the default path to the cilium libraries directory
	LibraryPath = "/var/lib/cilium"
	// SockPath is the path to the UNIX domain socket exposing the API to clients locally
	SockPath = RuntimePath + "/cilium.sock"
	// SockPathEnv is the environment variable to overwrite SockPath.
	// NOTE(review): the process environment thereby selects which socket a
	// client talks to; presumably only the user running the client controls
	// that environment — confirm how the consumer treats the variable.
	SockPathEnv = "CILIUM_SOCK"
	// HubbleSockPath is the path to the UNIX domain socket exposing the Hubble
	// API to clients locally.
	HubbleSockPath = RuntimePath + "/hubble.sock"
	// HubbleSockPathEnv is the environment variable to overwrite
	// HubbleSockPath (same consideration as SockPathEnv).
	HubbleSockPathEnv = "HUBBLE_SOCK"
	// HubbleRecorderStoragePath specifies the directory in which pcap files
	// created via the Hubble Recorder API are stored. Captured traffic may
	// contain sensitive payloads; the directory inherits the RuntimePath
	// access rights unless the consumer sets its own.
	HubbleRecorderStoragePath = RuntimePath + "/pcaps"
	// HubbleRecorderSinkQueueSize is the queue size for each recorder sink
	HubbleRecorderSinkQueueSize = 1024
	// MonitorSockPath1_2 is the path to the UNIX domain socket used to
	// distribute BPF and agent events to listeners.
	// This is the 1.2 protocol version.
	MonitorSockPath1_2 = RuntimePath + "/monitor1_2.sock"
	// PidFilePath is the path to the pid file for the agent.
	PidFilePath = RuntimePath + "/cilium.pid"
	// EnableHostIPRestore controls whether the host IP should be restored
	// from previous state automatically
	EnableHostIPRestore = true
	// DefaultMapRoot is the default path where BPFFS should be mounted
	DefaultMapRoot = "/sys/fs/bpf"
	// DefaultCgroupRoot is the default path where cilium cgroup2 should be mounted
	DefaultCgroupRoot = "/run/cilium/cgroupv2"
	// SockopsEnable controls whether sockmap should be used
	SockopsEnable = false
	// DefaultMapRootFallback is the path which is used when /sys/fs/bpf has
	// a mount, but with a filesystem other than BPFFS.
	DefaultMapRootFallback = "/run/cilium/bpffs"
	// DefaultMapPrefix is the default prefix for all BPF maps.
	DefaultMapPrefix = "tc/globals"
	// DNSMaxIPsPerRestoredRule defines the maximum number of IPs to maintain
	// for each FQDN selector in an endpoint's restored DNS rules.
	DNSMaxIPsPerRestoredRule = 1000
	// FQDNRegexCompileLRUSize defines the maximum size for the FQDN regex
	// compilation LRU used by the DNS proxy and policy validation.
	FQDNRegexCompileLRUSize = 1024
	// ToFQDNsMinTTL is the default lower bound for TTLs used with ToFQDNs rules.
	// This is used in DaemonConfig.Populate
	ToFQDNsMinTTL = 3600 // 1 hour in seconds
	// ToFQDNsMaxIPsPerHost defines the maximum number of IPs to maintain
	// for each FQDN name in an endpoint's FQDN cache
	ToFQDNsMaxIPsPerHost = 50
	// ToFQDNsMaxDeferredConnectionDeletes is the maximum number of IPs to
	// retain for expired DNS lookups with still-active connections
	ToFQDNsMaxDeferredConnectionDeletes = 10000
	// ToFQDNsIdleConnectionGracePeriod is the time during which idle but
	// previously active connections with expired DNS lookups are
	// still considered alive (zero, i.e. no grace period, by default)
	ToFQDNsIdleConnectionGracePeriod = 0 * time.Second
	// ToFQDNsPreCache is a path to a file with DNS cache data to insert into the
	// global cache on startup.
	// The file is not re-read after agent start.
	ToFQDNsPreCache = ""
	// ToFQDNsEnableDNSCompression allows the DNS proxy to compress responses to
	// endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
	ToFQDNsEnableDNSCompression = true
	// IdentityChangeGracePeriod is the default value for
	// option.IdentityChangeGracePeriod
	IdentityChangeGracePeriod = 5 * time.Second
	// IdentityRestoreGracePeriod is the default value for
	// option.IdentityRestoreGracePeriod
	IdentityRestoreGracePeriod = 10 * time.Minute
	// ExecTimeout is a timeout for executing commands.
	ExecTimeout = 300 * time.Second
	// StatusCollectorInterval is the interval between probe invocations
	StatusCollectorInterval = 5 * time.Second
	// StatusCollectorWarningThreshold is the duration after which a probe
	// is declared as stale
	StatusCollectorWarningThreshold = 15 * time.Second
	// StatusCollectorFailureThreshold is the duration after which a probe
	// is considered failed
	StatusCollectorFailureThreshold = 1 * time.Minute
	// EnableIPv4 is the default value for IPv4 enablement
	EnableIPv4 = true
	// EnableIPv6 is the default value for IPv6 enablement
	EnableIPv6 = true
	// EnableIPv6NDP is the default value for IPv6 NDP support enablement
	EnableIPv6NDP = false
	// EnableL7Proxy is the default value for L7 proxy enablement
	EnableL7Proxy = true
	// EnableHostLegacyRouting is the default value for using the old routing path via stack.
	EnableHostLegacyRouting = false
	// EnableExternalIPs is the default value for k8s service with externalIPs feature.
	EnableExternalIPs = true
	// K8sEnableEndpointSlice is the default value for k8s EndpointSlice feature.
	K8sEnableEndpointSlice = true
	// PreAllocateMaps is the default value for BPF map preallocation
	PreAllocateMaps = true
	// EnableIPSec is the default value for IPSec enablement
	EnableIPSec = false
	// EncryptNode enables encrypting traffic from host networking applications
	// which are not part of Cilium managed pods.
	EncryptNode = false
	// MonitorQueueSizePerCPU is the default value for the monitor queue
	// size per CPU
	MonitorQueueSizePerCPU = 1024
	// MonitorQueueSizePerCPUMaximum is the maximum value for the monitor
	// queue size when derived from the number of CPUs
	MonitorQueueSizePerCPUMaximum = 16384
	// NodeInitTimeout is the time the agent is waiting until giving up to
	// initialize the local node with the kvstore
	NodeInitTimeout = 15 * time.Minute
	// ClientConnectTimeout is the time the cilium-agent client is
	// (optionally) waiting before returning an error.
	ClientConnectTimeout = 30 * time.Second
	// DatapathMode is the default value for the datapath mode.
	DatapathMode = "veth"
	// EnableBPFTProxy is the default value for EnableBPFTProxy
	EnableBPFTProxy = false
	// EnableXTSocketFallback is the default value for EnableXTSocketFallback
	EnableXTSocketFallback = true
	// EnableLocalNodeRoute is the default value for EnableLocalNodeRoute
	EnableLocalNodeRoute = true
	// EnableAutoDirectRouting is the default value for EnableAutoDirectRouting
	EnableAutoDirectRouting = false
	// EnableHealthChecking is the default value for EnableHealthChecking
	EnableHealthChecking = true
	// EnableEndpointHealthChecking is the default value for
	// EnableEndpointHealthChecking
	EnableEndpointHealthChecking = true
	// EnableHealthCheckNodePort is the default value for
	// EnableHealthCheckNodePort
	EnableHealthCheckNodePort = true
	// AlignCheckerName is the BPF object name for the alignchecker.
	AlignCheckerName = "bpf_alignchecker.o"
	// KVstorePeriodicSync is the default kvstore periodic sync interval
	KVstorePeriodicSync = 5 * time.Minute
	// KVstoreConnectivityTimeout is the timeout when performing kvstore operations
	KVstoreConnectivityTimeout = 2 * time.Minute
	// KVStoreStaleLockTimeout is the timeout for when a lock is held for
	// a kvstore path for too long.
	KVStoreStaleLockTimeout = 30 * time.Second
	// IPAllocationTimeout is the timeout when allocating CIDRs
	IPAllocationTimeout = 2 * time.Minute
	// PolicyQueueSize is the default queue size for policy-related events.
	PolicyQueueSize = 100
	// KVstoreQPS is the default rate limit for kv store operations
	KVstoreQPS = 20
	// EndpointQueueSize is the default queue size for an endpoint.
	EndpointQueueSize = 25
	// SelectiveRegeneration specifies whether regeneration of endpoints will be
	// invoked only for endpoints which are selected by policy changes.
	SelectiveRegeneration = true
	// K8sSyncTimeout specifies the standard time to allow for synchronizing
	// local caches with Kubernetes state before exiting.
	K8sSyncTimeout = 3 * time.Minute
	// AllocatorListTimeout specifies the standard time to allow for listing
	// initial allocator state from kvstore before exiting.
	AllocatorListTimeout = 3 * time.Minute
	// K8sWatcherEndpointSelector specifies the k8s endpoints that Cilium
	// should watch for. It is a field selector that excludes the listed
	// control-plane endpoint objects from the watch.
	K8sWatcherEndpointSelector = "metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager"
	// ConntrackGCMaxLRUInterval is the maximum conntrack GC interval when using LRU maps
	ConntrackGCMaxLRUInterval = 12 * time.Hour
	// ConntrackGCMaxInterval is the maximum conntrack GC interval for non-LRU maps
	ConntrackGCMaxInterval = 30 * time.Minute
	// ConntrackGCMinInterval is the minimum conntrack GC interval
	ConntrackGCMinInterval = 10 * time.Second
	// ConntrackGCStartingInterval is the default starting interval for
	// connection tracking garbage collection
	ConntrackGCStartingInterval = 5 * time.Minute
	// K8sEventHandover enables use of the kvstore to optimize Kubernetes
	// event handling by listening for k8s events in the operator and
	// mirroring it into the kvstore for reduced overhead in large
	// clusters.
	K8sEventHandover = false
	// LoopbackIPv4 is the default address for service loopback. It lies in
	// the IPv4 link-local range (169.254.0.0/16), so it is not routable
	// beyond the local link.
	LoopbackIPv4 = "169.254.42.1"
	// EndpointInterfaceNamePrefix is the default prefix name of the
	// interface names shared by all endpoints
	EndpointInterfaceNamePrefix = "lxc+"
	// ForceLocalPolicyEvalAtSource is the default value for
	// option.ForceLocalPolicyEvalAtSource. It is enabled by default to
	// provide backwards compatibility, it can be disabled via an option
	ForceLocalPolicyEvalAtSource = true
	// EnableEndpointRoutes is the value for option.EnableEndpointRoutes.
	// It is disabled by default for backwards compatibility.
	EnableEndpointRoutes = false
	// AnnotateK8sNode is the default value for option.AnnotateK8sNode. It is
	// enabled by default to annotate kubernetes node and can be disabled using
	// the provided option.
	AnnotateK8sNode = true
	// MonitorBufferPages is the default number of pages to use for the
	// ring buffer interacting with the kernel
	MonitorBufferPages = 64
	// NodeDeleteDelay is the delay before an unreliable node delete is
	// handled. During this delay, the node can re-appear and the delete
	// event is ignored.
	NodeDeleteDelay = 30 * time.Second
	// KVstoreLeaseTTL is the time-to-live of the kvstore lease.
	KVstoreLeaseTTL = 15 * time.Minute
	// KVstoreMaxConsecutiveQuorumErrors is the maximum number of acceptable
	// kvstore consecutive quorum errors before the agent assumes permanent failure
	KVstoreMaxConsecutiveQuorumErrors = 2
	// KVstoreKeepAliveIntervalFactor is the factor to calculate the interval
	// from KVstoreLeaseTTL in which KVstore lease is being renewed.
	KVstoreKeepAliveIntervalFactor = 3
	// LockLeaseTTL is the time-to-live of the lease dedicated for locks of Kvstore.
	LockLeaseTTL = 25 * time.Second
	// KVstoreLeaseMaxTTL is the upper bound for KVStore lease TTL value (24h).
	// It is calculated as Min(int64 positive max, etcd MaxLeaseTTL, consul MaxLeaseTTL)
	KVstoreLeaseMaxTTL = 86400 * time.Second
	// IPAMPreAllocation is the default value for
	// CiliumNode.Spec.IPAM.PreAllocate if no value is set
	IPAMPreAllocation = 8
	// ENIFirstInterfaceIndex is the default value for
	// CiliumNode.Spec.ENI.FirstInterfaceIndex if no value is set.
	ENIFirstInterfaceIndex = 0
	// ParallelAllocWorkers is the default max number of parallel workers doing allocation in the operator
	ParallelAllocWorkers = 50
	// IPAMAPIBurst is the default burst value when rate limiting access to external APIs
	IPAMAPIBurst = 4
	// IPAMAPIQPSLimit is the default QPS limit when rate limiting access to external APIs
	IPAMAPIQPSLimit = 20.0
	// AutoCreateCiliumNodeResource enables automatic creation of a
	// CiliumNode resource for the local node
	AutoCreateCiliumNodeResource = true
	// PolicyTriggerInterval is the default amount of time between
	// invocations of the policy update trigger.
	PolicyTriggerInterval = 1 * time.Second
	// K8sClientQPSLimit is the default qps for the k8s client. It is set to 0 because the k8s client
	// has its own default.
	K8sClientQPSLimit float32 = 0.0
	// K8sClientBurst is the default burst for the k8s client. It is set to 0 because the k8s client
	// has its own default.
	K8sClientBurst = 0
	// K8sServiceCacheSize is the default value for option.K8sServiceCacheSize
	// which denotes the value of Cilium's K8s service cache size.
	K8sServiceCacheSize = 128
	// AllowICMPFragNeeded is the default value for option.AllowICMPFragNeeded flag.
	// It is enabled by default and directs that the ICMP Fragmentation needed type
	// packets are allowed to enable TCP Path MTU.
	AllowICMPFragNeeded = true
	// RestoreV4Addr is used as match for cilium_host v4 address.
	// The trailing space is part of the match string and must be kept
	// (presumably so the label does not prefix-match a longer one — confirm
	// against the consumer).
	RestoreV4Addr = "cilium.v4.internal.raw "
	// RestoreV6Addr is used as match for cilium_host v6 (router) address.
	// The trailing space is part of the match string, as for RestoreV4Addr.
	RestoreV6Addr = "cilium.v6.internal.raw "
	// EnableWellKnownIdentities is enabled by default as this is the
	// original behavior. New default Helm templates will disable this.
	EnableWellKnownIdentities = true
	// CertsDirectory is the default directory used to find certificates
	// specified in the L7 policies. It sits under RuntimePath and so is
	// subject to RuntimePathRights unless the consumer sets its own mode.
	CertsDirectory = RuntimePath + "/certs"
	// EnableRemoteNodeIdentity is the default value for option.EnableRemoteNodeIdentity
	EnableRemoteNodeIdentity = false
	// IPAMExpiration is the timeout after which an IP subject to expiration
	// is being released again if no endpoint is being created in time.
	IPAMExpiration = 10 * time.Minute
	// EnableIPv4FragmentsTracking enables IPv4 fragments tracking for
	// L4-based lookups
	EnableIPv4FragmentsTracking = true
	// FragmentsMapEntries is the default number of entries allowed in
	// the map used to track datagram fragments.
	FragmentsMapEntries = 8192
	// K8sEnableAPIDiscovery defines whether Kubernetes API groups and
	// resources should be probed using the discovery API
	K8sEnableAPIDiscovery = false
	// EnableIdentityMark enables setting identity in mark field of packet
	// for local traffic
	EnableIdentityMark = true
	// K8sEnableLeasesFallbackDiscovery enables k8s to fallback to API probing to check
	// for the support of Leases in Kubernetes when there is an error in discovering
	// API groups using Discovery API.
	K8sEnableLeasesFallbackDiscovery = false
	// KubeProxyReplacementHealthzBindAddr is the default kubeproxyReplacement healthz server bind addr.
	// NOTE(review): the empty string presumably means the healthz server is not
	// started; a non-empty override chooses the listening interface, so a wildcard
	// address exposes the endpoint beyond localhost — confirm at the consumer.
	KubeProxyReplacementHealthzBindAddr = ""
	// InstallNoConntrackIptRules instructs Cilium to install Iptables rules to skip netfilter connection tracking on all pod traffic.
	InstallNoConntrackIptRules = false
	// WireguardSubnetV4 is a default wireguard tunnel subnet. It is a fixed
	// value; a deployment whose address plan already uses this range
	// presumably has to override it — confirm the override option exists.
	WireguardSubnetV4 = "172.16.43.0/24"
	// WireguardSubnetV6 is a default wireguard tunnel subnet (see the note
	// on WireguardSubnetV4).
	WireguardSubnetV6 = "fdc9:281f:04d7:9ee9::1/64"
	// ExternalClusterIP enables cluster external access to ClusterIP services.
	// Defaults to false to retain prior behaviour of not routing external packets to ClusterIPs.
	ExternalClusterIP = false
	// EnableICMPRules enables ICMP-based rule support for Cilium Network Policies.
	EnableICMPRules = false
	// TunnelPortVXLAN is the default VXLAN port (the Linux kernel default
	// rather than the IANA-assigned 4789).
	TunnelPortVXLAN = 8472
	// TunnelPortGeneve is the default Geneve port (the IANA-assigned port).
	TunnelPortGeneve = 6081
	// ARPBaseReachableTime resembles the kernel's NEIGH_VAR_BASE_REACHABLE_TIME which defaults to 30 seconds.
	ARPBaseReachableTime = 30 * time.Second
)