
  1. apiVersion: apps/v1
  2. kind: DaemonSet
  3. metadata:
  4. labels:
  5. k8s-app: cilium
  6. name: cilium
  7. namespace: kube-system
  8. spec:
  9. selector:
  10. matchLabels:
  11. k8s-app: cilium
  12. template:
  13. metadata:
  14. annotations:
  15. {% if cilium_enable_prometheus %}
  16. prometheus.io/port: "9090"
  17. prometheus.io/scrape: "true"
  18. {% endif %}
  19. scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
  20. labels:
  21. k8s-app: cilium
  22. spec:
  23. affinity:
  24. podAntiAffinity:
  25. requiredDuringSchedulingIgnoredDuringExecution:
  26. - labelSelector:
  27. matchExpressions:
  28. - key: k8s-app
  29. operator: In
  30. values:
  31. - cilium
  32. topologyKey: kubernetes.io/hostname
  33. containers:
  34. - args:
  35. - --kvstore=etcd
  36. - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
  37. - --config-dir=/tmp/cilium/config-map
  38. {% if cilium_mtu != "" %}
  39. - --mtu={{ cilium_mtu }}
  40. {% endif %}
  41. command:
  42. - cilium-agent
  43. env:
  44. - name: K8S_NODE_NAME
  45. valueFrom:
  46. fieldRef:
  47. apiVersion: v1
  48. fieldPath: spec.nodeName
  49. - name: CILIUM_K8S_NAMESPACE
  50. valueFrom:
  51. fieldRef:
  52. apiVersion: v1
  53. fieldPath: metadata.namespace
  54. - name: CILIUM_CLUSTERMESH_CONFIG
  55. value: /var/lib/cilium/clustermesh/
  56. {% if cilium_kube_proxy_replacement == 'strict' %}
  57. - name: KUBERNETES_SERVICE_HOST
  58. value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
  59. - name: KUBERNETES_SERVICE_PORT
  60. value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
  61. {% endif %}
  62. image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
  63. imagePullPolicy: {{ k8s_image_pull_policy }}
  64. resources:
  65. limits:
  66. cpu: {{ cilium_cpu_limit }}
  67. memory: {{ cilium_memory_limit }}
  68. requests:
  69. cpu: {{ cilium_cpu_requests }}
  70. memory: {{ cilium_memory_requests }}
  71. lifecycle:
  72. postStart:
  73. exec:
  74. command:
  75. - /cni-install.sh
  76. preStop:
  77. exec:
  78. command:
  79. - /cni-uninstall.sh
  80. livenessProbe:
  81. httpGet:
  82. host: '127.0.0.1'
  83. path: /healthz
  84. port: 9876
  85. scheme: HTTP
  86. httpHeaders:
  87. - name: "brief"
  88. value: "true"
  89. failureThreshold: 10
  90. # The initial delay for the liveness probe is intentionally large to
  91. # avoid an endless kill & restart cycle if in the event that the initial
  92. # bootstrapping takes longer than expected.
  93. initialDelaySeconds: 120
  94. periodSeconds: 30
  95. successThreshold: 1
  96. timeoutSeconds: 5
  97. name: cilium-agent
  98. {% if cilium_enable_prometheus or cilium_enable_hubble_metrics %}
  99. ports:
  100. {% endif %}
  101. {% if cilium_enable_prometheus %}
  102. - containerPort: 9090
  103. hostPort: 9090
  104. name: prometheus
  105. protocol: TCP
  106. {% endif %}
  107. {% if cilium_enable_hubble_metrics %}
  108. - containerPort: 9091
  109. hostPort: 9091
  110. name: hubble-metrics
  111. protocol: TCP
  112. {% endif %}
  113. readinessProbe:
  114. httpGet:
  115. host: '127.0.0.1'
  116. path: /healthz
  117. port: 9876
  118. scheme: HTTP
  119. httpHeaders:
  120. - name: "brief"
  121. value: "true"
  122. failureThreshold: 3
  123. initialDelaySeconds: 5
  124. periodSeconds: 30
  125. successThreshold: 1
  126. timeoutSeconds: 5
  127. securityContext:
  128. capabilities:
  129. add:
  130. - NET_ADMIN
  131. - SYS_MODULE
  132. privileged: true
  133. volumeMounts:
  134. - mountPath: /sys/fs/bpf
  135. name: bpf-maps
  136. - mountPath: /var/run/cilium
  137. name: cilium-run
  138. - mountPath: /host/opt/cni/bin
  139. name: cni-path
  140. - mountPath: /host/etc/cni/net.d
  141. name: etc-cni-netd
  142. {% if container_manager == 'docker' %}
  143. - mountPath: /var/run/docker.sock
  144. name: docker-socket
  145. readOnly: true
  146. {% else %}
  147. - name: "{{ container_manager }}-socket"
  148. mountPath: {{ cri_socket }}
  149. readOnly: true
  150. {% endif %}
  151. - mountPath: /var/lib/etcd-config
  152. name: etcd-config-path
  153. readOnly: true
  154. - mountPath: "{{cilium_cert_dir}}"
  155. name: etcd-secrets
  156. readOnly: true
  157. - mountPath: /var/lib/cilium/clustermesh
  158. name: clustermesh-secrets
  159. readOnly: true
  160. - mountPath: /tmp/cilium/config-map
  161. name: cilium-config-path
  162. readOnly: true
  163. # Needed to be able to load kernel modules
  164. - mountPath: /lib/modules
  165. name: lib-modules
  166. readOnly: true
  167. - mountPath: /run/xtables.lock
  168. name: xtables-lock
  169. {% if cilium_ipsec_enabled %}
  170. - mountPath: /etc/ipsec
  171. name: cilium-ipsec-secrets
  172. readOnly: true
  173. {% endif %}
  174. dnsPolicy: ClusterFirstWithHostNet
  175. hostNetwork: true
  176. hostPID: false
  177. initContainers:
  178. - command:
  179. - /init-container.sh
  180. env:
  181. - name: CILIUM_ALL_STATE
  182. valueFrom:
  183. configMapKeyRef:
  184. key: clean-cilium-state
  185. name: cilium-config
  186. optional: true
  187. - name: CLEAN_CILIUM_BPF_STATE
  188. valueFrom:
  189. configMapKeyRef:
  190. key: clean-cilium-bpf-state
  191. name: cilium-config
  192. optional: true
  193. - name: CILIUM_WAIT_BPF_MOUNT
  194. valueFrom:
  195. configMapKeyRef:
  196. key: wait-bpf-mount
  197. name: cilium-config
  198. optional: true
  199. image: "{{cilium_init_image_repo}}:{{cilium_init_image_tag}}"
  200. imagePullPolicy: {{ k8s_image_pull_policy }}
  201. name: clean-cilium-state
  202. securityContext:
  203. capabilities:
  204. add:
  205. - NET_ADMIN
  206. privileged: true
  207. volumeMounts:
  208. - mountPath: /sys/fs/bpf
  209. name: bpf-maps
  210. - mountPath: /var/run/cilium
  211. name: cilium-run
  212. resources:
  213. requests:
  214. cpu: 100m
  215. memory: 100Mi
  216. priorityClassName: system-node-critical
  217. restartPolicy: Always
  218. serviceAccount: cilium
  219. serviceAccountName: cilium
  220. terminationGracePeriodSeconds: 1
  221. tolerations:
  222. - operator: Exists
  223. volumes:
  224. # To keep state between restarts / upgrades
  225. - hostPath:
  226. path: /var/run/cilium
  227. type: DirectoryOrCreate
  228. name: cilium-run
  229. # To keep state between restarts / upgrades for bpf maps
  230. - hostPath:
  231. path: /sys/fs/bpf
  232. type: DirectoryOrCreate
  233. name: bpf-maps
  234. {% if container_manager == 'docker' %}
  235. # To read docker events from the node
  236. - hostPath:
  237. path: /var/run/docker.sock
  238. type: Socket
  239. name: docker-socket
  240. {% else %}
  241. # To read crio events from the node
  242. - hostPath:
  243. path: {{ cri_socket }}
  244. type: Socket
  245. name: {{ container_manager }}-socket
  246. {% endif %}
  247. # To install cilium cni plugin in the host
  248. - hostPath:
  249. path: /opt/cni/bin
  250. type: DirectoryOrCreate
  251. name: cni-path
  252. # To install cilium cni configuration in the host
  253. - hostPath:
  254. path: /etc/cni/net.d
  255. type: DirectoryOrCreate
  256. name: etc-cni-netd
  257. # To be able to load kernel modules
  258. - hostPath:
  259. path: /lib/modules
  260. name: lib-modules
  261. # To access iptables concurrently with other processes (e.g. kube-proxy)
  262. - hostPath:
  263. path: /run/xtables.lock
  264. type: FileOrCreate
  265. name: xtables-lock
  266. # To read the etcd config stored in config maps
  267. - configMap:
  268. defaultMode: 420
  269. items:
  270. - key: etcd-config
  271. path: etcd.config
  272. name: cilium-config
  273. name: etcd-config-path
  274. # To read the k8s etcd secrets in case the user might want to use TLS
  275. - name: etcd-secrets
  276. hostPath:
  277. path: "{{cilium_cert_dir}}"
  278. # To read the clustermesh configuration
  279. - name: clustermesh-secrets
  280. secret:
  281. defaultMode: 420
  282. optional: true
  283. secretName: cilium-clustermesh
  284. # To read the configuration from the config map
  285. - configMap:
  286. name: cilium-config
  287. name: cilium-config-path
  288. {% if cilium_ipsec_enabled %}
  289. - name: cilium-ipsec-secrets
  290. secret:
  291. secretName: cilium-ipsec-keys
  292. {% endif %}
  293. updateStrategy:
  294. rollingUpdate:
  295. # Specifies the maximum number of Pods that can be unavailable during the update process.
  296. maxUnavailable: 2
  297. type: RollingUpdate