feat: optional bpf mount #24161
Conversation
@frezbo Thank you for the PR. Have you checked all other places that have the comment `CRI-O already mounts the BPF filesystem` in the `install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml` file? Might make sense to also add the `bpf.autoMount.enabled` there.
I can update that too, good point |
@aanm quick question, should I move from |
I've tested with the mount paths and the init container removed and all |
@frezbo I would suggest to keep both and mark the |
2ec1a3f to 313c46b
I've updated the PR and also removed some old references to un-used |
/test
Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed:
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
Hi @frezbo and thanks for the PR! Patch LGTM but doc update seems missing.
Please also provide context for the deprecation in the commit description. As it stands, without reading the discussion in the PR, the change looks unrelated to the autoMount addition and it's hard to understand why it's part of the commit.
313c46b to f04982a
Updated the extra documentation and commit message.
Looks good, thank you!
f04982a to 2a82132
Thank you @frezbo, patch LGTM besides @qmonnet's comment.
On distributions that already mount the `bpffs` filesystem at `/sys/fs/bpf` this is a good way to optionally disable the bpf mount init container and have no pods running with `securityContext.privileged`, and also reduces the number of init containers that need to be run. This option was previously used when the `containerRuntime.integration=crio` helm value was set. Since this is not only specific to crio, deprecate the `containerRuntime.integration=crio` option to skip mounting the `bpffs` filesystem in favour of `bpf.autoMount.enabled`, which is similar to how `cgroupv2` mounts are disabled (`cgroup.autoMount.enabled`).

Eg: On [Talos](https://www.talos.dev/) both `cgroupv2` and `bpffs` filesystems are already mounted and using a values yaml like below helps reduce the number of init containers by a factor of two.

`partial-values.yaml`

```yaml
cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
bpf:
  autoMount:
    enabled: false
```

Signed-off-by: Noel Georgi <git@frezbo.dev>
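Disabling `bpf.autoMount.enabled` only makes sense on hosts that already mount `bpffs` at `/sys/fs/bpf`, so a pre-flight check of the node's mount table is worth having before rolling out the values above. The script below is an added example, not code from the PR or from Cilium: it reads a mount table in `/proc/mounts` format (normally `$(cat /proc/self/mounts)` on the node; here a constructed Talos-like sample) and emits a partial values file that disables each `autoMount` only when the matching filesystem is really present.

```shell
#!/bin/sh
# Added example (not from the Cilium PR): derive safe autoMount settings
# from a host's mount table before setting bpf/cgroup autoMount to false.

# has_mount TABLE MOUNTPOINT FSTYPE
# Returns 0 when TABLE (/proc/mounts format) lists a mount of FSTYPE at MOUNTPOINT.
has_mount() {
    # /proc/mounts fields: device mountpoint fstype options dump pass
    printf '%s\n' "$1" | awk -v mp="$2" -v fs="$3" \
        '$2 == mp && $3 == fs { found = 1 } END { exit !found }'
}

# safe_values TABLE
# Prints partial Helm values: autoMount is disabled only for filesystems the
# host already mounts, so the agent never runs without bpffs or cgroup2.
safe_values() {
    table=$1
    if has_mount "$table" /sys/fs/cgroup cgroup2; then cg=false; else cg=true; fi
    if has_mount "$table" /sys/fs/bpf bpf; then bpf=false; else bpf=true; fi
    printf 'cgroup:\n  autoMount:\n    enabled: %s\n  hostRoot: /sys/fs/cgroup\n' "$cg"
    printf 'bpf:\n  autoMount:\n    enabled: %s\n' "$bpf"
}

# Constructed sample mount table resembling a Talos node (not captured output).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
bpffs /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0'

# On a real node: safe_values "$(cat /proc/self/mounts)" > partial-values.yaml
safe_values "$SAMPLE_MOUNTS"
```

Feed the output to `helm` as an extra values file; a host without bpffs gets `bpf.autoMount.enabled: true`, keeping the init container.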
2a82132 to 21c6023
Perfect, thanks a lot!
/test
Relates: #24161 Signed-off-by: Tam Mach <tam.mach@cilium.io>