From ccab127f6ddd83fb96f378fff312a80e6160ef5a Mon Sep 17 00:00:00 2001
From: Maxime Colmant
Date: Tue, 2 Apr 2024 12:09:33 +0200
Subject: [PATCH] add options for enabling DNS based cilium network policies

---
 .../sample/group_vars/k8s_cluster/k8s-net-cilium.yml | 9 +++++++++
 roles/network_plugin/cilium/defaults/main.yml | 9 +++++++++
 .../network_plugin/cilium/templates/cilium/config.yml.j2 | 8 ++++++++
 3 files changed, 26 insertions(+)

diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
index b3190a2f14a..f805578cb7a 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -262,3 +262,12 @@
 # resourceNames:
 # - toto
 # cilium_clusterrole_rules_operator_extra_vars: []
+
+# -- Enable DNS based Cilium network policy
+# ref: https://docs.cilium.io/en/latest/security/policy/language/#dns-based
+# cilium_enable_l7_proxy: true
+
+# -- Configure the minimum time, in seconds, to use DNS data for toFQDNs policies.
+# If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value.
+# Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server.
+# cilium_tofqdns_min_ttl: 0
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index f4c70e4795b..9076b3444df 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -309,3 +309,12 @@ cilium_certgen_args:
 # resourceNames:
 # - toto
 cilium_clusterrole_rules_operator_extra_vars: []
+
+# Enable DNS based Cilium network policy
+# ref: https://docs.cilium.io/en/latest/security/policy/language/#dns-based
+# cilium_enable_l7_proxy: true
+
+# Configure the minimum time, in seconds, to use DNS data for toFQDNs policies.
+# If the upstream DNS server returns a DNS record with a shorter TTL, Cilium overwrites the TTL with this value.
+# Setting this value to zero means that Cilium will honor the TTLs returned by the upstream DNS server.
+# cilium_tofqdns_min_ttl: 0
diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
index 32144de28cb..a60ad40f4d7 100644
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@@ -268,3 +268,11 @@ data:
 masqLinkLocal: {{ cilium_masq_link_local | bool }}
 resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
 {% endif %}
+
+{% if cilium_enable_l7_proxy is defined %}
+ enable-l7-proxy: "{{ cilium_enable_l7_proxy }}"
+{% endif %}
+
+{% if cilium_tofqdns_min_ttl is defined %}
+ tofqdns-min-ttl: "{{ cilium_tofqdns_min_ttl }}"
+{% endif %}
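Review bot: The comment block above `# cilium_tofqdns_min_ttl: 0` explains the TTL override mechanically but omits the policy consequence an operator needs before picking a value: a non-zero floor keeps a resolved IP authorised by toFQDNs rules past the upstream TTL, so once the name is re-pointed, egress to the old (possibly reassigned) address stays allowed until the floor expires. I would append `# Security note: a larger minimum widens the window in which a previously resolved IP remains allowed by toFQDNs policies after the DNS record changes.` The `cilium_enable_l7_proxy` comment reads as if the switch were DNS-specific; it enables Cilium's L7 proxy for all L7 policy enforcement (HTTP/Kafka as well), and, as far as I recall, the DNS proxy that toFQDNs enforcement depends on is gated by the same option, which is worth saying in a line such as `# Enables the Cilium L7 proxy, needed for DNS-aware (toFQDNs) and other L7 (HTTP/Kafka) policies`. Since both keys are added commented out, a one-line remark that they are only rendered into the ConfigMap when the inventory defines them would make the defaults file self-explanatory.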
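Review bot: `enable-l7-proxy: "{{ cilium_enable_l7_proxy }}"` renders a YAML `true`/`false` from the inventory as Python's `True`/`False`, whereas the context line just above normalises its boolean through `| bool`; Cilium's string-to-bool parsing is lenient enough that `"True"` most likely works, but an inventory value such as `yes` or a typo is passed through unchanged into the ConfigMap and surfaces only when cilium-agent starts. I would normalise both new values at render time, `enable-l7-proxy: "{{ cilium_enable_l7_proxy | bool | lower }}"` and `tofqdns-min-ttl: "{{ cilium_tofqdns_min_ttl | int }}"`, so the ConfigMap always carries a canonical lowercase boolean and an integer, matching how the neighbouring keys are rendered. Note also that the `is defined` guard renders the key even when the variable is set to `false`, which is reasonable but deserves a short comment in the template so nobody "disables" the option by setting it to false and expects Cilium's own default to apply.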