variables cilium_enable_host_firewall and cilium_policy_audit_mode for configmap/cilium-config (#11230)

capitalise values for Host Firewall and Policy Audit Mode fix missing quotes
1 month ago · 0eeac591ad
4 changed files with 33 additions and 3 deletions
--- a/docs/CNI/cilium.md
+++ b/docs/CNI/cilium.md
@ -170,14 +170,14 @@ Kubespray currently supports Linux distributions with Wireguard Kernel mode on L

 ## Bandwidth Manager

-Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
+Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.

 Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
 In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.

 Bandwidth Manager requires a v5.1.x or more recent Linux kernel.

-For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/v1.12/gettingstarted/bandwidth-manager/)
+For further information, make sure to check the official [Cilium documentation](https://docs.cilium.io/en/latest/network/kubernetes/bandwidth-manager/)

 To use this function, set the following parameters

@ -185,6 +185,26 @@ To use this function, set the following parameters
 cilium_enable_bandwidth_manager: true
 ```

+## Host Firewall
+
+Host Firewall enforces security policies for Kubernetes nodes. It is disable by default, since it can break the cluster connectivity.
+
+```yaml
+cilium_enable_host_firewall: true
+```
+
+For further information, check [host firewall documentation](https://docs.cilium.io/en/latest/security/host-firewall/)
+
+## Policy Audit Mode
+
+When _Policy Audit Mode_ is enabled, no network policy is enforced. This feature helps to validate the impact of host policies before enforcing them.
+
+```yaml
+cilium_policy_audit_mode: true
+```
+
+It is disable by default, and should not be enabled in production.
+
 ## Install Cilium Hubble

 k8s-net-cilium.yml:
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@ -145,6 +145,10 @@ cilium_l2announcements: false
 ### A time interval at which the agent attempts to reload config from disk
 # cilium_ip_masq_resync_interval: 60s

+### Host Firewall and Policy Audit Mode
+# cilium_enable_host_firewall: false
+# cilium_policy_audit_mode: false
+
 # Hubble
 ### Enable Hubble without install
 # cilium_enable_hubble: false
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@ -322,3 +322,5 @@ cilium_certgen_args:
 #       resourceNames:
 #       - toto
 cilium_clusterrole_rules_operator_extra_vars: []
+cilium_enable_host_firewall: false
+cilium_policy_audit_mode: false
--- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2
@ -138,7 +138,7 @@ data:
  enable-l2-announcements: "{{ cilium_l2announcements }}"

  # Enable Bandwidth Manager
-  # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
+  # Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
  # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
  # In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
  # Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
@ -146,6 +146,10 @@ data:
  enable-bandwidth-manager: "true"
 {% endif %}

+  # Host Firewall and Policy Audit Mode
+  enable-host-firewall: "{{ cilium_enable_host_firewall | capitalize }}"
+  policy-audit-mode: "{{ cilium_policy_audit_mode | capitalize }}"
+
  # Name of the cluster. Only relevant when building a mesh of clusters.
  cluster-name: "{{ cilium_cluster_name }}"