
# Cilium CNI addon for the kube-system namespace: the per-node agent DaemonSet,
# the cilium-operator and cilium-etcd-operator Deployments, their
# ServiceAccounts and the cluster-wide RBAC they need.
# `{{ContainerImage "..."}}` is a template expression; presumably it is expanded
# before this file is parsed as YAML (an unexpanded `{{` would not be valid here).
# Every object carries an addonmanager.kubernetes.io/mode label: the ConfigMap
# uses "EnsureExists" (created if missing, local edits are left alone) and all
# other objects use "Reconcile" (kept in sync with this file).
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: "EnsureExists"
data:
  # Projected to /var/lib/etcd-config/etcd.config by the `etcd-config-path`
  # volume of the agent and operator pods below. The TLS files it references
  # come from the `cilium-etcd-secrets` Secret mounted at /var/lib/etcd-secrets.
  etcd-config: |-
    ---
    endpoints:
    - https://cilium-etcd-client.kube-system.svc:2379
    ca-file: '/var/lib/etcd-secrets/etcd-client-ca.crt'
    key-file: '/var/lib/etcd-secrets/etcd-client.key'
    cert-file: '/var/lib/etcd-secrets/etcd-client.crt'
  # The remaining keys are consumed through configMapKeyRef env entries, so
  # they are kept as quoted strings even where they look like booleans or ints.
  debug: "false"
  enable-ipv4: "true"
  enable-ipv6: "false"
  # Read by the clean-cilium-state init container.
  clean-cilium-state: "false"
  clean-cilium-bpf-state: "false"
  monitor-aggregation-level: "none"
  ct-global-max-entries-tcp: "524288"
  ct-global-max-entries-other: "262144"
  preallocate-bpf-maps: "false"
  sidecar-istio-proxy-image: "cilium/istio_proxy"
  tunnel: "vxlan"
  cluster-name: default
  flannel-master-device: ""
  flannel-uninstall-on-exit: "false"
  flannel-manage-existing-containers: "false"
  tofqdns-enable-poller: "false"
---
# Per-node Cilium agent. It runs privileged on the host network, mounts the
# BPF filesystem and the host CNI directories, and has read access to the
# Docker socket (presumably for container runtime lookups — confirm).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: cilium
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: "Reconcile"
  name: cilium
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: cilium
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      annotations:
        prometheus.io/port: "9090"
        prometheus.io/scrape: "true"
        # Legacy scheduler annotations. The pod spec below also sets
        # priorityClassName: system-node-critical and a catch-all toleration,
        # which is how current clusters express the same intent.
        scheduler.alpha.kubernetes.io/critical-pod: ""
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
        cluster-autoscaler.kubernetes.io/daemonset-pod: "true"
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
      - args:
        # $(CILIUM_DEBUG) is expanded by the kubelet from the env entry below.
        - --debug=$(CILIUM_DEBUG)
        - --kvstore=etcd
        - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
        command:
        - cilium-agent
        # Most settings are pulled from the cilium-config ConfigMap; entries
        # marked optional: true start the agent even if the key is absent.
        env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        # Not optional, unlike the operator's CILIUM_DEBUG entry: a ConfigMap
        # without the `debug` key keeps the pod from starting.
        - name: CILIUM_DEBUG
          valueFrom:
            configMapKeyRef:
              key: debug
              name: cilium-config
        - name: CILIUM_ENABLE_IPV4
          valueFrom:
            configMapKeyRef:
              key: enable-ipv4
              name: cilium-config
              optional: true
        - name: CILIUM_ENABLE_IPV6
          valueFrom:
            configMapKeyRef:
              key: enable-ipv6
              name: cilium-config
              optional: true
        # Sourced from a separate, optional cilium-metrics-config ConfigMap that
        # this file does not create.
        - name: CILIUM_PROMETHEUS_SERVE_ADDR
          valueFrom:
            configMapKeyRef:
              key: prometheus-serve-addr
              name: cilium-metrics-config
              optional: true
        - name: CILIUM_LEGACY_HOST_ALLOWS_WORLD
          valueFrom:
            configMapKeyRef:
              key: legacy-host-allows-world
              name: cilium-config
              optional: true
        - name: CILIUM_SIDECAR_ISTIO_PROXY_IMAGE
          valueFrom:
            configMapKeyRef:
              key: sidecar-istio-proxy-image
              name: cilium-config
              optional: true
        - name: CILIUM_TUNNEL
          valueFrom:
            configMapKeyRef:
              key: tunnel
              name: cilium-config
              optional: true
        - name: CILIUM_MONITOR_AGGREGATION_LEVEL
          valueFrom:
            configMapKeyRef:
              key: monitor-aggregation-level
              name: cilium-config
              optional: true
        # Matches the clustermesh-secrets mount below.
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
        - name: CILIUM_CLUSTER_NAME
          valueFrom:
            configMapKeyRef:
              key: cluster-name
              name: cilium-config
              optional: true
        - name: CILIUM_CLUSTER_ID
          valueFrom:
            configMapKeyRef:
              key: cluster-id
              name: cilium-config
              optional: true
        - name: CILIUM_GLOBAL_CT_MAX_TCP
          valueFrom:
            configMapKeyRef:
              key: ct-global-max-entries-tcp
              name: cilium-config
              optional: true
        - name: CILIUM_GLOBAL_CT_MAX_ANY
          valueFrom:
            configMapKeyRef:
              key: ct-global-max-entries-other
              name: cilium-config
              optional: true
        - name: CILIUM_PREALLOCATE_BPF_MAPS
          valueFrom:
            configMapKeyRef:
              key: preallocate-bpf-maps
              name: cilium-config
              optional: true
        - name: CILIUM_FLANNEL_MASTER_DEVICE
          valueFrom:
            configMapKeyRef:
              key: flannel-master-device
              name: cilium-config
              optional: true
        - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
          valueFrom:
            configMapKeyRef:
              key: flannel-uninstall-on-exit
              name: cilium-config
              optional: true
        - name: CILIUM_FLANNEL_MANAGE_EXISTING_CONTAINERS
          valueFrom:
            configMapKeyRef:
              key: flannel-manage-existing-containers
              name: cilium-config
              optional: true
        # The keys below (datapath-mode through auto-direct-node-routes) are
        # not present in the ConfigMap above; they only take effect if added.
        - name: CILIUM_DATAPATH_MODE
          valueFrom:
            configMapKeyRef:
              key: datapath-mode
              name: cilium-config
              optional: true
        - name: CILIUM_IPVLAN_MASTER_DEVICE
          valueFrom:
            configMapKeyRef:
              key: ipvlan-master-device
              name: cilium-config
              optional: true
        - name: CILIUM_INSTALL_IPTABLES_RULES
          valueFrom:
            configMapKeyRef:
              key: install-iptables-rules
              name: cilium-config
              optional: true
        - name: CILIUM_MASQUERADE
          valueFrom:
            configMapKeyRef:
              key: masquerade
              name: cilium-config
              optional: true
        - name: CILIUM_AUTO_DIRECT_NODE_ROUTES
          valueFrom:
            configMapKeyRef:
              key: auto-direct-node-routes
              name: cilium-config
              optional: true
        - name: CILIUM_TOFQDNS_ENABLE_POLLER
          valueFrom:
            configMapKeyRef:
              key: tofqdns-enable-poller
              name: cilium-config
              optional: true
        image: {{ContainerImage "cilium-agent"}}
        imagePullPolicy: IfNotPresent
        # Installs/removes the CNI plugin and config on the host through the
        # /host/opt/cni/bin and /host/etc/cni/net.d mounts.
        lifecycle:
          postStart:
            exec:
              command:
              - /cni-install.sh
          preStop:
            exec:
              command:
              - /cni-uninstall.sh
        livenessProbe:
          exec:
            command:
            - cilium
            - status
          failureThreshold: 10
          initialDelaySeconds: 120
          periodSeconds: 10
          successThreshold: 1
          # NOTE(review): `cilium status` must finish within 1s or the probe
          # fails; confirm this is enough on loaded nodes.
          timeoutSeconds: 1
        name: cilium-agent
        ports:
        # Prometheus metrics endpoint. With hostNetwork: true this listens on
        # the node's own address; hostPort must equal containerPort for a
        # host-network pod.
        - containerPort: 9090
          hostPort: 9090
          name: prometheus
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - cilium
            - status
          failureThreshold: 3
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          capabilities:
            add:
            # privileged: true already grants every capability, so this entry
            # is redundant and only documents intent.
            - NET_ADMIN
          privileged: true
        volumeMounts:
        - mountPath: /sys/fs/bpf
          name: bpf-maps
        - mountPath: /var/run/cilium
          name: cilium-run
        - mountPath: /host/opt/cni/bin
          name: cni-path
        - mountPath: /host/etc/cni/net.d
          name: etc-cni-netd
        - mountPath: /var/run/docker.sock
          name: docker-socket
          # readOnly only restricts filesystem operations on the bind mount;
          # it does not stop the container from sending requests over the socket.
          readOnly: true
        - mountPath: /var/lib/etcd-config
          name: etcd-config-path
          readOnly: true
        - mountPath: /var/lib/etcd-secrets
          name: etcd-secrets
          readOnly: true
        - mountPath: /var/lib/cilium/clustermesh
          name: clustermesh-secrets
          readOnly: true
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: false
      # Runs before the agent on every (re)start; it reads the two
      # clean-cilium-* ConfigMap keys to decide whether to wipe agent/BPF state.
      initContainers:
      - command:
        - /init-container.sh
        env:
        - name: CLEAN_CILIUM_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-state
              name: cilium-config
              optional: true
        - name: CLEAN_CILIUM_BPF_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-bpf-state
              name: cilium-config
              optional: true
        image: {{ContainerImage "clean-cilium-state"}}
        imagePullPolicy: IfNotPresent
        name: clean-cilium-state
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
          privileged: true
        volumeMounts:
        - mountPath: /sys/fs/bpf
          name: bpf-maps
        - mountPath: /var/run/cilium
          name: cilium-run
      priorityClassName: system-node-critical
      restartPolicy: Always
      # `serviceAccount` is the deprecated alias of `serviceAccountName`; both
      # are set to the same value.
      serviceAccount: cilium
      serviceAccountName: cilium
      terminationGracePeriodSeconds: 1
      tolerations:
      # `operator: Exists` with no key tolerates every taint, so the agent is
      # scheduled on all nodes including masters; the not-ready entry below is
      # already covered by it and is kept for explicitness.
      - operator: Exists
      - effect: NoSchedule
        key: node.kubernetes.io/not-ready
        operator: Exists
      volumes:
      - hostPath:
          path: /var/run/cilium
          type: DirectoryOrCreate
        name: cilium-run
      - hostPath:
          path: /sys/fs/bpf
          type: DirectoryOrCreate
        name: bpf-maps
      - hostPath:
          path: /var/run/docker.sock
          type: Socket
        name: docker-socket
      - hostPath:
          path: /opt/cni/bin
          type: DirectoryOrCreate
        name: cni-path
      - hostPath:
          path: /etc/cni/net.d
          type: DirectoryOrCreate
        name: etc-cni-netd
      # Only the etcd-config key of the ConfigMap is projected, as etcd.config.
      - configMap:
          defaultMode: 420
          items:
          - key: etcd-config
            path: etcd.config
          name: cilium-config
        name: etcd-config-path
      - name: etcd-secrets
        secret:
          # 420 is 0644, i.e. readable by every uid inside the pod.
          # NOTE(review): 256 (0400) would be tighter if the agent's uid can
          # still read the files — confirm before changing.
          defaultMode: 420
          optional: true
          secretName: cilium-etcd-secrets
      - name: clustermesh-secrets
        secret:
          defaultMode: 420
          optional: true
          secretName: cilium-clustermesh
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 50%
    type: RollingUpdate
---
# Cluster-wide Cilium operator (single replica). Talks to the same etcd as the
# agent through the same etcd.config projection and TLS Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: operator
    name: cilium-operator
    addonmanager.kubernetes.io/mode: "Reconcile"
  name: cilium-operator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      io.cilium/app: operator
      name: cilium-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        io.cilium/app: operator
        name: cilium-operator
    spec:
      containers:
      - args:
        - --debug=$(CILIUM_DEBUG)
        - --kvstore=etcd
        - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
        command:
        - cilium-operator
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_DEBUG
          valueFrom:
            configMapKeyRef:
              key: debug
              name: cilium-config
              optional: true
        - name: CILIUM_CLUSTER_NAME
          valueFrom:
            configMapKeyRef:
              key: cluster-name
              name: cilium-config
              optional: true
        - name: CILIUM_CLUSTER_ID
          valueFrom:
            configMapKeyRef:
              key: cluster-id
              name: cilium-config
              optional: true
        - name: CILIUM_DISABLE_ENDPOINT_CRD
          valueFrom:
            configMapKeyRef:
              key: disable-endpoint-crd
              name: cilium-config
              optional: true
        # NOTE(review): static cloud credentials read from a `cilium-aws`
        # Secret that this file does not create. Because the Secret is
        # optional the entries are inert unless someone creates it; where they
        # are needed, an instance/role identity is preferable to long-lived
        # keys in a Secret.
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              key: AWS_ACCESS_KEY_ID
              name: cilium-aws
              optional: true
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: AWS_SECRET_ACCESS_KEY
              name: cilium-aws
              optional: true
        - name: AWS_DEFAULT_REGION
          valueFrom:
            secretKeyRef:
              key: AWS_DEFAULT_REGION
              name: cilium-aws
              optional: true
        image: {{ContainerImage "cilium-operator"}}
        imagePullPolicy: IfNotPresent
        name: cilium-operator
        volumeMounts:
        - mountPath: /var/lib/etcd-config
          name: etcd-config-path
          readOnly: true
        - mountPath: /var/lib/etcd-secrets
          name: etcd-secrets
          readOnly: true
      dnsPolicy: ClusterFirst
      priorityClassName: system-node-critical
      restartPolicy: Always
      serviceAccount: cilium-operator
      serviceAccountName: cilium-operator
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: etcd-config
            path: etcd.config
          name: cilium-config
        name: etcd-config-path
      - name: etcd-secrets
        secret:
          # 0644 — see the matching note on the DaemonSet volume.
          defaultMode: 420
          optional: true
          secretName: cilium-etcd-secrets
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-operator
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
---
# RBAC for the operator: full access to pods and the cilium.io CRDs cluster-wide,
# read-only on services/endpoints.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-operator
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
rules:
# NOTE(review): `deployments` is not a core-group ("") resource — it lives in
# `apps` (and legacy `extensions`) — so that entry matches nothing here.
- apiGroups:
  - ""
  resources:
  - pods
  - deployments
  - componentstatuses
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumendpoints
  - ciliumendpoints/status
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium-operator
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium-operator
subjects:
- kind: ServiceAccount
  name: cilium-operator
  namespace: kube-system
---
# RBAC for cilium-etcd-operator, which manages the EtcdCluster CR, its CRD,
# the etcd-operator Deployment and the client/peer Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-etcd-operator
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
rules:
- apiGroups:
  - etcd.database.coreos.com
  resources:
  - etcdclusters
  verbs:
  - get
  - delete
  - create
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - delete
  - get
  - create
# NOTE(review): core-group `deployments` matches nothing (same as in the
# cilium-operator role); the `apps` and `extensions` rules below are the
# effective ones.
- apiGroups:
  - ""
  resources:
  - deployments
  verbs:
  - delete
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - delete
  - get
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - delete
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - componentstatuses
  verbs:
  - get
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - delete
  - create
  - get
  - update
# Cluster-wide read/create/delete on Secrets: needed for the etcd TLS
# material, but note it is not scoped to kube-system.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
  name: cilium-etcd-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium-etcd-operator
subjects:
- kind: ServiceAccount
  name: cilium-etcd-operator
  namespace: kube-system
---
# RBAC for the upstream etcd-operator (bound below to the cilium-etcd-sa
# ServiceAccount, under which cilium-etcd-operator presumably starts it).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: etcd-operator
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
rules:
- apiGroups:
  - etcd.database.coreos.com
  resources:
  - etcdclusters
  - etcdbackups
  - etcdrestores
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
# NOTE(review): '*' on pods/services/endpoints/PVCs/events cluster-wide; the
# core-group `deployments` entry matches nothing.
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - deployments
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - create
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: etcd-operator
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: etcd-operator
subjects:
- kind: ServiceAccount
  name: cilium-etcd-sa
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-etcd-operator
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium-etcd-sa
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
---
# Bootstraps the dedicated etcd cluster that backs the Cilium kvstore
# (3 members, cluster.local domain). Runs on the host network without a
# securityContext and tolerates every taint.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    io.cilium/app: etcd-operator
    name: cilium-etcd-operator
    addonmanager.kubernetes.io/mode: "Reconcile"
  name: cilium-etcd-operator
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      io.cilium/app: etcd-operator
      name: cilium-etcd-operator
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        io.cilium/app: etcd-operator
        name: cilium-etcd-operator
    spec:
      containers:
      - command:
        - /usr/bin/cilium-etcd-operator
        env:
        - name: CILIUM_ETCD_OPERATOR_CLUSTER_DOMAIN
          value: cluster.local
        - name: CILIUM_ETCD_OPERATOR_ETCD_CLUSTER_SIZE
          value: "3"
        - name: CILIUM_ETCD_OPERATOR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CILIUM_ETCD_OPERATOR_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: CILIUM_ETCD_OPERATOR_POD_UID
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.uid
        image: {{ContainerImage "cilium-etcd-operator"}}
        imagePullPolicy: IfNotPresent
        name: cilium-etcd-operator
      dnsPolicy: ClusterFirst
      hostNetwork: true
      priorityClassName: system-node-critical
      restartPolicy: Always
      serviceAccount: cilium-etcd-operator
      serviceAccountName: cilium-etcd-operator
      tolerations:
      - operator: Exists
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium
subjects:
- kind: ServiceAccount
  name: cilium
  namespace: kube-system
# NOTE(review): this second subject hands the whole `cilium` ClusterRole
# (including update on pods and nodes, and create on CRDs and ingresses) to
# every kubelet credential in the cluster. The agent pods run as the `cilium`
# ServiceAccount above, so confirm whether the node-group binding is still
# required before tightening it.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
---
# RBAC for the agent DaemonSet.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - nodes
  - endpoints
  - componentstatuses
  verbs:
  - get
  - list
  - watch
# `nodes` appears in the rule above as well; this rule is the one that adds
# `update` on pods and nodes.
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumendpoints
  - ciliumendpoints/status
  verbs:
  - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: "Reconcile"