install: default AnnotateK8sNode to false

Since this option only existed to set up annotations in Kubernetes Nodes
before the introduction of CiliumNodes, it can be default to 'false' so
that Cilium's RBAC can have less permissions as possible.

Signed-off-by: André Martins <andre@cilium.io>

Documentation/spelling_wordlist.txt

@@ -151,6 +151,7 @@ allocator
 allocators
 amd
 analytics
+annotateK
 ansible
 api
 apiKeys
@@ -790,6 +791,7 @@ runPath
 runtime
 runtimes
 sEventHandover
+sNode
 sNodes
 sService
 sServiceHost

install/kubernetes/cilium/README.md

@@ -56,6 +56,7 @@ contributors across the globe, there is almost always someone available to help.
 | affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-agent. |
 | agent | bool | `true` | Install the cilium agent resources. |
 | alibabacloud.enabled | bool | `false` | Enable AlibabaCloud ENI integration |
+| annotateK8sNode | bool | `false` | Annotate k8s node upon initialization with Cilium's metadata. |
 | autoDirectNodeRoutes | bool | `false` | Enable installation of PodCIDR routes between worker nodes if worker nodes share a common L2 network segment. |
 | azure.enabled | bool | `false` | Enable Azure integration |
 | bandwidthManager | object | `{"bbr":false,"enabled":false}` | Enable bandwidth manager to optimize TCP and UDP workloads and allow for rate-limiting traffic from individual Pods with EDT (Earliest Departure Time) through the "kubernetes.io/egress-bandwidth" Pod annotation. |

install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml

@@ -40,11 +40,12 @@ rules:
   resources:
   - nodes
   verbs:
+  # To remove node taints and to annotate node
   - update
 - apiGroups:
   - ""
   resources:
-  - nodes
+  # To set NodeNetworkUnavailable: false on startup
   - nodes/status
   verbs:
   - patch

install/kubernetes/cilium/templates/cilium-configmap.yaml

@@ -856,6 +856,10 @@ data:
   dns-policy-unload-on-shutdown: {{.Values.dnsPolicyUnloadOnShutdown | quote }}
 {{- end }}
 
+{{- if .Values.annotateK8sNode }}
+  annotate-k8s-node: "true"
+{{- end }}
+
 {{- if .Values.extraConfig }}
   {{ toYaml .Values.extraConfig | nindent 2 }}
 {{- end }}

install/kubernetes/cilium/templates/cilium-preflight/clusterrole.yaml

@@ -40,11 +40,12 @@ rules:
   resources:
   - nodes
   verbs:
+  # To remove node taints and to annotate node
   - update
 - apiGroups:
   - ""
   resources:
-  - nodes
+  # To set NodeNetworkUnavailable: false on startup
   - nodes/status
   verbs:
   - patch

install/kubernetes/cilium/values.yaml

@@ -186,6 +186,9 @@ updateStrategy:
 # nodes if worker nodes share a common L2 network segment.
 autoDirectNodeRoutes: false
 
+# -- Annotate k8s node upon initialization with Cilium's metadata.
+annotateK8sNode: false
+
 azure:
   # -- Enable Azure integration
   enabled: false

pkg/defaults/defaults.go

@@ -308,7 +308,7 @@ const (
 	// AnnotateK8sNode is the default value for option.AnnotateK8sNode. It is
 	// enabled by default to annotate kubernetes node and can be disabled using
 	// the provided option.
-	AnnotateK8sNode = true
+	AnnotateK8sNode = false
 
 	// MonitorBufferPages is the default number of pages to use for the
 	// ring buffer interacting with the kernel

test/helpers/kubectl.go

@@ -2916,9 +2916,9 @@ func (kub *Kubectl) WaitForCiliumInitContainerToFinish() error {
 // to be annotated.
 func (kub *Kubectl) CiliumNodesWait() (bool, error) {
 	body := func() bool {
-		filter := `{range .items[*]}{@.metadata.name}{"="}{@.metadata.annotations.io\.cilium\.network\.ipv4-pod-cidr}{"\n"}{end}`
+		filter := `{range .items[*]}{@.metadata.name}{"="}{@.spec.addresses[?(@.type=="CiliumInternalIP")].ip}{"\n"}{end}`
 		data := kub.ExecShort(fmt.Sprintf(
-			"%s get nodes -o jsonpath='%s'", KubectlCmd, filter))
+			"%s get ciliumnodes -o jsonpath='%s'", KubectlCmd, filter))
 		if !data.WasSuccessful() {
 			return false
 		}