feat: optional bpf mount

[frezbo]

On distributions that already mount the bpffs filesystem at /sys/fs/bpf this is a good way to optionally disable the bpf mount init container and have no pods running with securityContext.privilged and also reduced the number of init containers that needs to be run.

This option was previously used when containerRuntime.integration=crio
helm value was set, since this is not just only specific to crio,
deprecate the containerRuntime.integration=crio option to skip
mounting bpffs filesystem in favour of bpf.autoMount.enabled which
is similar to how cgroupv2 mounts are disabled (cgroup.autoMount.enabled).

Eg: On Talos both cgroupv2 and bpffs filesystems are already mounted and using a values yaml like below helps reduce the number of init containers by a factor of two.

partial-values.yaml

cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
bpf:
  autoMount:
    enabled: false

[aanm]

@frezbo Thank you for the PR. Have you checked all other places that have the comment CRI-O already mounts the BPF filesystem in the install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml file? Might make sense to also add the bpf.autoMount.enabled there.

[frezbo]

@frezbo Thank you for the PR. Have you checked all other places that have the comment CRI-O already mounts the BPF filesystem in the install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml file? Might make sense to also add the bpf.autoMount.enabled there.

I can update that too, good point

[frezbo]

@aanm quick question, should i move from containerRuntime.integration and use bpf.autoMount.enabled instead and update the release notes or keep both?

[frezbo]

I've tested with the mount paths and the init container removed and all cilium connectivity test passes.

[aanm]

@aanm quick question, should i move from containerRuntime.integration and use bpf.autoMount.enabled instead and update the release notes or keep both?

@frezbo I would suggest to keep both and mark the containerRuntime.integration as deprecated because AFAIK the only reason why it's used is for the bpf mounting points.

[frezbo]

I've updated the PR and also removed some old references to un-used containerRuntime.integration values and removed the un-used containerRuntime.socketPath option. Also updated the upgrade notes to mention bpf.autoMount.enabled will be the default going forward and the old containerRuntime.integration will be deprecated. I hope this clears things up.

[aanm]

/test

Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:

Click to show.

Test Name

K8sDatapathConfig MonitorAggregation Checks that monitor aggregation flags send notifications

Failure Output

FAIL: Error creating resource /home/jenkins/workspace/Cilium-PR-K8s-1.26-kernel-net-next/src/github.com/cilium/cilium/test/k8s/manifests/l3-policy-demo.yaml: Cannot retrieve "cilium-bd9rl"'s policy revision: cannot get policy revision: ""

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.26-kernel-net-next so I can create one.

[kaworu]

Hi @frezbo and thanks for the PR! Patch LGTM but doc update seems missing.

[qmonnet]

Please also provide context for the deprecation in the commit description. As it stands, without reading the discussion in the PR, the change looks unrelated to the autoMount addition and it's hard to understand why it's part of the commit.

[frezbo]

Updated the extra documentation and commit message.

[qmonnet]

Looks good, thank you!

[kaworu]

Thank you @frezbo, patch LGTM besides @qmonnet's comment.

[qmonnet]

Perfect, thanks a lot!

[qmonnet]

/test