|
|
|
@ -1,19 +1,86 @@ |
|
|
|
# see roles/network_plugin/cilium/defaults/main.yml |
|
|
|
--- |
|
|
|
# cilium_version: "v1.11.6" |
|
|
|
|
|
|
|
# cilium_version: "v1.11.3" |
|
|
|
# cilium_identity_allocation_mode: kvstore # kvstore or crd |
|
|
|
# Log-level |
|
|
|
# cilium_debug: false |
|
|
|
|
|
|
|
# For adding and mounting extra volumes to the cilium operator |
|
|
|
# cilium_operator_extra_volumes: [] |
|
|
|
# cilium_operator_extra_volume_mounts: [] |
|
|
|
# cilium_mtu: "" |
|
|
|
# cilium_enable_ipv4: true |
|
|
|
# cilium_enable_ipv6: false |
|
|
|
|
|
|
|
# Name of the cluster. Only relevant when building a mesh of clusters. |
|
|
|
# cilium_cluster_name: default |
|
|
|
# Cilium agent health port |
|
|
|
# cilium_agent_health_port: "9879" |
|
|
|
|
|
|
|
# Identity allocation mode selects how identities are shared between cilium |
|
|
|
# nodes by setting how they are stored. The options are "crd" or "kvstore". |
|
|
|
# - "crd" stores identities in kubernetes as CRDs (custom resource definition). |
|
|
|
# These can be queried with: |
|
|
|
# `kubectl get ciliumid` |
|
|
|
# - "kvstore" stores identities in an etcd kvstore. |
|
|
|
# - In order to support External Workloads, "crd" is required |
|
|
|
# - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta |
|
|
|
# - KVStore operations are only required when cilium-operator is running with any of the below options: |
|
|
|
# - --synchronize-k8s-services |
|
|
|
# - --synchronize-k8s-nodes |
|
|
|
# - --identity-allocation-mode=kvstore |
|
|
|
# - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations |
|
|
|
# cilium_identity_allocation_mode: kvstore |
|
|
|
|
|
|
|
# Etcd SSL dirs |
|
|
|
# cilium_cert_dir: /etc/cilium/certs |
|
|
|
# kube_etcd_cacert_file: ca.pem |
|
|
|
# kube_etcd_cert_file: cert.pem |
|
|
|
# kube_etcd_key_file: cert-key.pem |
|
|
|
|
|
|
|
# Limits for apps |
|
|
|
# cilium_memory_limit: 500M |
|
|
|
# cilium_cpu_limit: 500m |
|
|
|
# cilium_memory_requests: 64M |
|
|
|
# cilium_cpu_requests: 100m |
|
|
|
|
|
|
|
# Overlay Network Mode |
|
|
|
# cilium_tunnel_mode: vxlan |
|
|
|
# Optional features |
|
|
|
# cilium_enable_prometheus: false |
|
|
|
# Enable if you want to make use of hostPort mappings |
|
|
|
# cilium_enable_portmap: false |
|
|
|
# Monitor aggregation level (none/low/medium/maximum) |
|
|
|
# cilium_monitor_aggregation: medium |
|
|
|
# The monitor aggregation flags determine which TCP flags which, upon the |
|
|
|
# first observation, cause monitor notifications to be generated. |
|
|
|
# |
|
|
|
# Only effective when monitor aggregation is set to "medium" or higher. |
|
|
|
# cilium_monitor_aggregation_flags: "all" |
|
|
|
# Kube Proxy Replacement mode (strict/probe/partial) |
|
|
|
# cilium_kube_proxy_replacement: probe |
|
|
|
|
|
|
|
# If upgrading from Cilium < 1.5, you may want to override some of these options |
|
|
|
# to prevent service disruptions. See also: |
|
|
|
# http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action |
|
|
|
# cilium_preallocate_bpf_maps: false |
|
|
|
|
|
|
|
# `cilium_tofqdns_enable_poller` is deprecated in 1.8, removed in 1.9 |
|
|
|
# cilium_tofqdns_enable_poller: false |
|
|
|
|
|
|
|
# `cilium_enable_legacy_services` is deprecated in 1.6, removed in 1.9 |
|
|
|
# cilium_enable_legacy_services: false |
|
|
|
|
|
|
|
# Unique ID of the cluster. Must be unique across all conneted clusters and |
|
|
|
# in the range of 1 and 255. Only relevant when building a mesh of clusters. |
|
|
|
# This value is not defined by default |
|
|
|
# cluster-id: |
|
|
|
# cilium_cluster_id: |
|
|
|
|
|
|
|
# Deploy cilium even if kube_network_plugin is not cilium. |
|
|
|
# This enables to deploy cilium alongside another CNI to replace kube-proxy. |
|
|
|
# cilium_deploy_additionally: false |
|
|
|
|
|
|
|
# Auto direct nodes routes can be used to advertise pods routes in your cluster |
|
|
|
# without any tunelling (with `cilium_tunnel_mode` sets to `disabled`). |
|
|
|
# This works only if you have a L2 connectivity between all your nodes. |
|
|
|
# You wil also have to specify the variable `cilium_native_routing_cidr` to |
|
|
|
# make this work. Please refer to the cilium documentation for more |
|
|
|
# information about this kind of setups. |
|
|
|
# cilium_auto_direct_node_routes: false |
|
|
|
|
|
|
|
# Allows to explicitly specify the IPv4 CIDR for native routing. |
|
|
|
# When specified, Cilium assumes networking for this CIDR is preconfigured and |
|
|
|
@ -30,7 +97,6 @@ |
|
|
|
# Allows to explicitly specify the IPv6 CIDR for native routing. |
|
|
|
# cilium_native_routing_cidr_ipv6: "" |
|
|
|
|
|
|
|
# Encryption |
|
|
|
# Enable transparent network encryption. |
|
|
|
# cilium_encryption_enabled: false |
|
|
|
|
|
|
|
@ -40,8 +106,139 @@ |
|
|
|
|
|
|
|
# Enable encryption for pure node to node traffic. |
|
|
|
# This option is only effective when `cilium_encryption_type` is set to `ipsec`. |
|
|
|
# cilium_ipsec_node_encryption: "false" |
|
|
|
# cilium_ipsec_node_encryption: false |
|
|
|
|
|
|
|
# Enables the fallback to the user-space implementation. |
|
|
|
# If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation. |
|
|
|
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard, |
|
|
|
# it will fallback on the wireguard-go user-space implementation of WireGuard. |
|
|
|
# This option is only effective when `cilium_encryption_type` is set to `wireguard`. |
|
|
|
# cilium_wireguard_userspace_fallback: "false" |
|
|
|
# cilium_wireguard_userspace_fallback: false |
|
|
|
|
|
|
|
# IP Masquerade Agent |
|
|
|
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/ |
|
|
|
# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded |
|
|
|
# cilium_ip_masq_agent_enable: false |
|
|
|
### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded |
|
|
|
# cilium_non_masquerade_cidrs: |
|
|
|
# - 10.0.0.0/8 |
|
|
|
# - 172.16.0.0/12 |
|
|
|
# - 192.168.0.0/16 |
|
|
|
# - 100.64.0.0/10 |
|
|
|
# - 192.0.0.0/24 |
|
|
|
# - 192.0.2.0/24 |
|
|
|
# - 192.88.99.0/24 |
|
|
|
# - 198.18.0.0/15 |
|
|
|
# - 198.51.100.0/24 |
|
|
|
# - 203.0.113.0/24 |
|
|
|
# - 240.0.0.0/4 |
|
|
|
### Indicates whether to masquerade traffic to the link local prefix. |
|
|
|
### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list. |
|
|
|
# cilium_masq_link_local: false |
|
|
|
### A time interval at which the agent attempts to reload config from disk |
|
|
|
# cilium_ip_masq_resync_interval: 60s |
|
|
|
|
|
|
|
# Hubble |
|
|
|
### Enable Hubble without install |
|
|
|
# cilium_enable_hubble: false |
|
|
|
### Enable Hubble Metrics |
|
|
|
# cilium_enable_hubble_metrics: false |
|
|
|
### if cilium_enable_hubble_metrics: true |
|
|
|
# cilium_hubble_metrics: {} |
|
|
|
# - dns |
|
|
|
# - drop |
|
|
|
# - tcp |
|
|
|
# - flow |
|
|
|
# - icmp |
|
|
|
# - http |
|
|
|
### Enable Hubble install |
|
|
|
# cilium_hubble_install: false |
|
|
|
### Enable auto generate certs if cilium_hubble_install: true |
|
|
|
# cilium_hubble_tls_generate: false |
|
|
|
|
|
|
|
# IP address management mode for v1.9+. |
|
|
|
# https://docs.cilium.io/en/v1.9/concepts/networking/ipam/ |
|
|
|
# cilium_ipam_mode: kubernetes |
|
|
|
|
|
|
|
# Extra arguments for the Cilium agent |
|
|
|
# cilium_agent_custom_args: [] |
|
|
|
|
|
|
|
# For adding and mounting extra volumes to the cilium agent |
|
|
|
# cilium_agent_extra_volumes: [] |
|
|
|
# cilium_agent_extra_volume_mounts: [] |
|
|
|
|
|
|
|
# cilium_agent_extra_env_vars: [] |
|
|
|
|
|
|
|
# cilium_operator_replicas: 2 |
|
|
|
|
|
|
|
# The address at which the cillium operator bind health check api |
|
|
|
# cilium_operator_api_serve_addr: "127.0.0.1:9234" |
|
|
|
|
|
|
|
## A dictionary of extra config variables to add to cilium-config, formatted like: |
|
|
|
## cilium_config_extra_vars: |
|
|
|
## var1: "value1" |
|
|
|
## var2: "value2" |
|
|
|
# cilium_config_extra_vars: {} |
|
|
|
|
|
|
|
# For adding and mounting extra volumes to the cilium operator |
|
|
|
# cilium_operator_extra_volumes: [] |
|
|
|
# cilium_operator_extra_volume_mounts: [] |
|
|
|
|
|
|
|
# Extra arguments for the Cilium Operator |
|
|
|
# cilium_operator_custom_args: [] |
|
|
|
|
|
|
|
# Name of the cluster. Only relevant when building a mesh of clusters. |
|
|
|
# cilium_cluster_name: default |
|
|
|
|
|
|
|
# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. |
|
|
|
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. |
|
|
|
# Available for Cilium v1.10 and up. |
|
|
|
# cilium_cni_exclusive: true |
|
|
|
|
|
|
|
# Configure the log file for CNI logging with retention policy of 7 days. |
|
|
|
# Disable CNI file logging by setting this field to empty explicitly. |
|
|
|
# Available for Cilium v1.12 and up. |
|
|
|
# cilium_cni_log_file: "/var/run/cilium/cilium-cni.log" |
|
|
|
|
|
|
|
# -- Configure cgroup related configuration |
|
|
|
# -- Enable auto mount of cgroup2 filesystem. |
|
|
|
# When `cilium_cgroup_auto_mount` is enabled, cgroup2 filesystem is mounted at |
|
|
|
# `cilium_cgroup_host_root` path on the underlying host and inside the cilium agent pod. |
|
|
|
# If users disable `cilium_cgroup_auto_mount`, it's expected that users have mounted |
|
|
|
# cgroup2 filesystem at the specified `cilium_cgroup_auto_mount` volume, and then the |
|
|
|
# volume will be mounted inside the cilium agent pod at the same path. |
|
|
|
# Available for Cilium v1.11 and up |
|
|
|
# cilium_cgroup_auto_mount: true |
|
|
|
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host |
|
|
|
# cilium_cgroup_host_root: "/run/cilium/cgroupv2" |
|
|
|
|
|
|
|
# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic |
|
|
|
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. |
|
|
|
# cilium_bpf_map_dynamic_size_ratio: "0.0" |
|
|
|
|
|
|
|
# -- Enables masquerading of IPv4 traffic leaving the node from endpoints. |
|
|
|
# Available for Cilium v1.10 and up |
|
|
|
# cilium_enable_ipv4_masquerade: true |
|
|
|
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints. |
|
|
|
# Available for Cilium v1.10 and up |
|
|
|
# cilium_enable_ipv6_masquerade: true |
|
|
|
|
|
|
|
# -- Enable native IP masquerade support in eBPF |
|
|
|
# cilium_enable_bpf_masquerade: false |
|
|
|
|
|
|
|
# -- Configure whether direct routing mode should route traffic via |
|
|
|
# host stack (true) or directly and more efficiently out of BPF (false) if |
|
|
|
# the kernel supports it. The latter has the implication that it will also |
|
|
|
# bypass netfilter in the host namespace. |
|
|
|
# cilium_enable_host_legacy_routing: true |
|
|
|
|
|
|
|
# -- Enable use of the remote node identity. |
|
|
|
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity |
|
|
|
# cilium_enable_remote_node_identity: true |
|
|
|
|
|
|
|
# -- Enable the use of well-known identities. |
|
|
|
# cilium_enable_well_known_identities: false |
|
|
|
|
|
|
|
# cilium_enable_bpf_clock_probe: true |
|
|
|
|
|
|
|
# -- Whether to enable CNP status updates. |
|
|
|
# cilium_disable_cnp_status_updates: true |
Emin AKTAS
3 years ago
GitHub