Add experimental Cilium CNI provider
* Accept "cilium" as an experimental CNI `networking` mode * Run Cilium with overlay vxlan tunnels and a minimal set of features * Firewall: * Require UDP 8472 for vxlan (Linux kernel default) between nodes * Optional ICMP echo(8) between nodes for host reachability (health) * Optional TCP 4240 between nodes for host reachability (health) * https://github.com/cilium/cilium
Showing
9 changed files
with
612 additions
and
2 deletions.
@@ -0,0 +1,27 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: cilium | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cilium | ||
subjects: | ||
- kind: ServiceAccount | ||
name: cilium | ||
namespace: kube-system | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: cilium-agent | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cilium-agent | ||
subjects: | ||
- kind: ServiceAccount | ||
name: cilium-agent | ||
namespace: kube-system | ||
|
@@ -0,0 +1,132 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: cilium | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
# to automatically delete [core|kube]dns pods so that are starting to being | ||
# managed by Cilium | ||
- pods | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- delete | ||
- apiGroups: | ||
- discovery.k8s.io | ||
resources: | ||
- endpointslices | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
# to automatically read from k8s and import the node's pod CIDR to cilium's | ||
# etcd so all nodes know how to reach another pod running in in a different | ||
# node. | ||
- nodes | ||
# to perform the translation of a CNP that contains `ToGroup` to its endpoints | ||
- services | ||
- endpoints | ||
# to check apiserver connectivity | ||
- namespaces | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- cilium.io | ||
resources: | ||
- ciliumnetworkpolicies | ||
- ciliumnetworkpolicies/status | ||
- ciliumclusterwidenetworkpolicies | ||
- ciliumclusterwidenetworkpolicies/status | ||
- ciliumendpoints | ||
- ciliumendpoints/status | ||
- ciliumnodes | ||
- ciliumnodes/status | ||
- ciliumidentities | ||
- ciliumidentities/status | ||
verbs: | ||
- '*' | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: cilium-agent | ||
rules: | ||
- apiGroups: | ||
- networking.k8s.io | ||
resources: | ||
- networkpolicies | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- discovery.k8s.io | ||
resources: | ||
- endpointslices | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- namespaces | ||
- services | ||
- nodes | ||
- endpoints | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods | ||
- nodes | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- update | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes | ||
- nodes/status | ||
verbs: | ||
- patch | ||
- apiGroups: | ||
- apiextensions.k8s.io | ||
resources: | ||
- customresourcedefinitions | ||
verbs: | ||
- create | ||
- get | ||
- list | ||
- watch | ||
- update | ||
- apiGroups: | ||
- cilium.io | ||
resources: | ||
- ciliumnetworkpolicies | ||
- ciliumnetworkpolicies/status | ||
- ciliumclusterwidenetworkpolicies | ||
- ciliumclusterwidenetworkpolicies/status | ||
- ciliumendpoints | ||
- ciliumendpoints/status | ||
- ciliumnodes | ||
- ciliumnodes/status | ||
- ciliumidentities | ||
- ciliumidentities/status | ||
verbs: | ||
- '*' | ||
|
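Review bot: The `cilium-agent` ClusterRole grants `update` on `pods` and `nodes` and `patch` on `nodes` and `nodes/status` with no resource-name restriction, so the credential of any single node's agent (presumably a DaemonSet ServiceAccount, given the `cilium-agent` binding) can modify every Node object in the cluster, not only its own; that is a wider blast radius than the agent needs for its own node and deserves a comment stating why it is granted and that it is accepted, e.g. `# cluster-wide: an agent on one node can update/patch any Node object`. The same role also lets every agent `create`/`update` CustomResourceDefinitions and use `'*'` on all cilium.io resources; if these rules are taken from the upstream Cilium manifest, a comment naming the upstream version they match would make later tightening (for instance moving CRD management to the operator-side `cilium` role) easier to track. As a style point, `nodes` appears in three separate rules of the same role (get/list/watch, update, patch); merging them into one rule would make the effective verb set easier to audit.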
@@ -0,0 +1,133 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: cilium | ||
namespace: kube-system | ||
data: | ||
# Identity allocation mode selects how identities are shared between cilium | ||
# nodes by setting how they are stored. The options are "crd" or "kvstore". | ||
# - "crd" stores identities in kubernetes as CRDs (custom resource definition). | ||
# These can be queried with: | ||
# kubectl get ciliumid | ||
# - "kvstore" stores identities in a kvstore, etcd or consul, that is | ||
# configured below. Cilium versions before 1.6 supported only the kvstore | ||
# backend. Upgrades from these older cilium versions should continue using | ||
# the kvstore by commenting out the identity-allocation-mode below, or | ||
# setting it to "kvstore". | ||
identity-allocation-mode: crd | ||
|
||
# If you want to run cilium in debug mode change this value to true | ||
debug: "false" | ||
|
||
# Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 | ||
# address. | ||
enable-ipv4: "true" | ||
|
||
# Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 | ||
# address. | ||
enable-ipv6: "false" | ||
|
||
# If you want cilium monitor to aggregate tracing for packets, set this level | ||
# to "low", "medium", or "maximum". The higher the level, the less packets | ||
# that will be seen in monitor output. | ||
monitor-aggregation: medium | ||
|
||
# The monitor aggregation interval governs the typical time between monitor | ||
# notification events for each allowed connection. | ||
# | ||
# Only effective when monitor aggregation is set to "medium" or higher. | ||
monitor-aggregation-interval: 5s | ||
|
||
# The monitor aggregation flags determine which TCP flags which, upon the | ||
# first observation, cause monitor notifications to be generated. | ||
# | ||
# Only effective when monitor aggregation is set to "medium" or higher. | ||
monitor-aggregation-flags: all | ||
|
||
# ct-global-max-entries-* specifies the maximum number of connections | ||
# supported across all endpoints, split by protocol: tcp or other. One pair | ||
# of maps uses these values for IPv4 connections, and another pair of maps | ||
# use these values for IPv6 connections. | ||
# | ||
# If these values are modified, then during the next Cilium startup the | ||
# tracking of ongoing connections may be disrupted. This may lead to brief | ||
# policy drops or a change in loadbalancing decisions for a connection. | ||
# | ||
# For users upgrading from Cilium 1.2 or earlier, to minimize disruption | ||
# during the upgrade process, comment out these options. | ||
bpf-ct-global-tcp-max: "524288" | ||
bpf-ct-global-any-max: "262144" | ||
|
||
# bpf-policy-map-max specified the maximum number of entries in endpoint | ||
# policy map (per endpoint) | ||
bpf-policy-map-max: "16384" | ||
|
||
# Pre-allocation of map entries allows per-packet latency to be reduced, at | ||
# the expense of up-front memory allocation for the entries in the maps. The | ||
# default value below will minimize memory usage in the default installation; | ||
# users who are sensitive to latency may consider setting this to "true". | ||
# | ||
# This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore | ||
# this option and behave as though it is set to "true". | ||
# | ||
# If this value is modified, then during the next Cilium startup the restore | ||
# of existing endpoints and tracking of ongoing connections may be disrupted. | ||
# This may lead to policy drops or a change in loadbalancing decisions for a | ||
# connection for some time. Endpoints may need to be recreated to restore | ||
# connectivity. | ||
# | ||
# If this option is set to "false" during an upgrade from 1.3 or earlier to | ||
# 1.4 or later, then it may cause one-time disruptions during the upgrade. | ||
preallocate-bpf-maps: "false" | ||
|
||
# Encapsulation mode for communication between nodes | ||
# Possible values: | ||
# - disabled | ||
# - vxlan (default) | ||
# - geneve | ||
tunnel: vxlan | ||
|
||
# Name of the cluster. Only relevant when building a mesh of clusters. | ||
cluster-name: default | ||
|
||
# DNS Polling periodically issues a DNS lookup for each `matchName` from | ||
# cilium-agent. The result is used to regenerate endpoint policy. | ||
# DNS lookups are repeated with an interval of 5 seconds, and are made for | ||
# A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP | ||
# data is used instead. An IP change will trigger a regeneration of the Cilium | ||
# policy for each endpoint and increment the per cilium-agent policy | ||
# repository revision. | ||
# | ||
# This option is disabled by default starting from version 1.4.x in favor | ||
# of a more powerful DNS proxy-based implementation, see [0] for details. | ||
# Enable this option if you want to use FQDN policies but do not want to use | ||
# the DNS proxy. | ||
# | ||
# To ease upgrade, users may opt to set this option to "true". | ||
# Otherwise please refer to the Upgrade Guide [1] which explains how to | ||
# prepare policy rules for upgrade. | ||
# | ||
# [0] http://docs.cilium.io/en/stable/policy/language/#dns-based | ||
# [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action | ||
tofqdns-enable-poller: "false" | ||
|
||
# wait-bpf-mount makes init container wait until bpf filesystem is mounted | ||
wait-bpf-mount: "false" | ||
|
||
# Enable chaining with another CNI plugin | ||
# - portmap (Enables HostPort support for Cilium) | ||
cni-chaining-mode: "portmap" | ||
|
||
masquerade: "true" | ||
enable-xt-socket-fallback: "true" | ||
install-iptables-rules: "true" | ||
auto-direct-node-routes: "false" | ||
kube-proxy-replacement: "probe" | ||
enable-host-reachable-services: "false" | ||
enable-external-ips: "false" | ||
enable-node-port: "false" | ||
node-port-bind-protection: "true" | ||
enable-auto-protect-node-port-range: "true" | ||
enable-endpoint-health-checking: "true" | ||
enable-well-known-identities: "false" | ||
enable-remote-node-identity: "true" |
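Review bot: The thirteen keys from `masquerade` to `enable-remote-node-identity` at the end of the ConfigMap carry no comments, unlike every key above them, even though several of them change what the datapath does to traffic (`masquerade`, `install-iptables-rules`, `kube-proxy-replacement`, `enable-remote-node-identity`); a one-line comment per key, or one per group, would keep the file's own style and let a reviewer see which values were chosen deliberately rather than copied from a template. `enable-endpoint-health-checking: "true"` is presumably what requires the optional ICMP echo and TCP 4240 node-to-node rules the commit message describes; a comment such as `# requires ICMP echo and TCP 4240 between nodes (see firewall rules)` would tie the two together. The comment above `identity-allocation-mode` says a kvstore is "configured below", but no kvstore settings appear anywhere in this ConfigMap; trim that sentence so the comment matches what the file actually contains.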