From 7c1c21b3a1af2ff4c3bb186bf260e06cff0387cf Mon Sep 17 00:00:00 2001
From: Dimitri Koshkin
Date: Wed, 23 Apr 2025 08:27:18 -0700
Subject: [PATCH 1/2] fix: update Cilium to v1.17.3
---
 .../templates/cni/cilium/manifests/cilium-configmap.yaml | 2 +-
 .../templates/helm-config.yaml | 2 +-
 hack/addons/helm-chart-bundler/repos.yaml | 2 +-
 make/addons.mk | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml
index 3b026ca11..07d1b9118 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/templates/cni/cilium/manifests/cilium-configmap.yaml
@@ -8,7 +8,7 @@ apiVersion: v1 data: cilium.json: | - [{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium","namespace":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium-envoy","namespace":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium-operator","namespace":"kube-system"}},{"apiVersion":"v1","data":{"agent-not-ready-taint-key":"node.cilium.io/agent-not-ready","arping-refresh-period":"30s","auto-direct-node-routes":"false","bpf-events-drop-enabled":"true","bpf-events-policy-verdict-enabled":"true","bpf-events-trace-enabled":"true","bpf-lb-acceleration":"disabled","bpf-lb-algorithm-annotation":"false","bpf-lb-external-clusterip":"false","bpf-lb-map-max":"65536","bpf-lb-mode-annotation":"false","bpf-lb-sock":"false","bpf-lb-sock-hostns-only":"true","bpf-lb-source-range-all-types":"false","bpf-map-dynamic-size-ratio":"0.0025","bpf-policy-map-max":"16384","bpf-root":"/sys/fs/bpf","cgroup-root":"/run/cilium/cgroupv2","cilium-endpoint-gc-interval":"5m0s","cluster-id":"0","cluster-name":"default","clustermesh-enable-endpoint-sync":"false","clustermesh-enable-mcs-api":"false","cni-chaining-mode":"portmap","cni-exclusive":"false","cni-log-file":"/var/run/cilium/cilium-cni.log","custom-cni-conf":"false","datapath-mode":"veth","debug":"false","debug-verbose":"","default-lb-service-ipam":"lbipam","direct-routing-skip-unreachable":"false","dnsproxy-socket-linger-timeout":"10","egress-gateway-reconciliation-trigger-interval":"1s","enable-auto-protect-node-port-range":"true","enable-bpf-clock-probe":"false","enable-endpoint-health-checking":"true","enable-endpoint-lockdown-on-policy-overflow":"false","enable-experimental-lb":"false","enable-health-check-loadbalancer-ip":"false","enable-health-check-nodeport":"true","enable-health-checking":"true","enable-host-legacy-routi
ng":"true","enable-internal-traffic-policy":"true","enable-ipv4":"true","enable-ipv4-big-tcp":"false","enable-ipv4-masquerade":"true","enable-ipv6":"false","enable-ipv6-big-tcp":"false","enable-ipv6-masquerade":"true","enable-k8s-networkpolicy":"true","enable-k8s-terminating-endpoint":"true","enable-l2-neigh-discovery":"true","enable-l7-proxy":"true","enable-lb-ipam":"true","enable-local-redirect-policy":"false","enable-masquerade-to-route-source":"false","enable-metrics":"true","enable-node-port":"false","enable-node-selector-labels":"false","enable-non-default-deny-policies":"true","enable-policy":"default","enable-policy-secrets-sync":"true","enable-runtime-device-detection":"true","enable-sctp":"false","enable-source-ip-verification":"true","enable-svc-source-range-check":"true","enable-tcx":"true","enable-vtep":"false","enable-well-known-identities":"false","enable-xt-socket-fallback":"true","envoy-access-log-buffer-size":"4096","envoy-base-id":"0","envoy-keep-cap-netbindservice":"false","external-envoy-proxy":"true","health-check-icmp-failure-threshold":"3","http-retry-count":"3","identity-allocation-mode":"crd","identity-gc-interval":"15m0s","identity-heartbeat-timeout":"30m0s","install-no-conntrack-iptables-rules":"false","ipam":"kubernetes","ipam-cilium-node-update-rate":"15s","ipam-multi-pool-pre-allocation":null,"iptables-random-fully":"false","k8s-require-ipv4-pod-cidr":"false","k8s-require-ipv6-pod-cidr":"false","kube-proxy-replacement":"false","kube-proxy-replacement-healthz-bind-address":"","max-connected-clusters":"255","mesh-auth-enabled":"true","mesh-auth-gc-interval":"5m0s","mesh-auth-queue-size":"1024","mesh-auth-rotated-identities-queue-size":"1024","monitor-aggregation":"medium","monitor-aggregation-flags":"all","monitor-aggregation-interval":"5s","nat-map-stats-entries":"32","nat-map-stats-interval":"30s","node-port-bind-protection":"true","nodeport-addresses":"","nodes-gc-interval":"5m0s","operator-api-serve-addr":"127.0.0.1:9234","operator-p
rometheus-serve-addr":":9963","policy-cidr-match-mode":"","policy-secrets-namespace":"cilium-secrets","policy-secrets-only-from-secrets-namespace":"true","preallocate-bpf-maps":"false","procfs":"/host/proc","proxy-connect-timeout":"2","proxy-idle-timeout-seconds":"60","proxy-initial-fetch-timeout":"30","proxy-max-concurrent-retries":"128","proxy-max-connection-duration-seconds":"0","proxy-max-requests-per-connection":"0","proxy-xff-num-trusted-hops-egress":"0","proxy-xff-num-trusted-hops-ingress":"0","remove-cilium-node-taints":"true","routing-mode":"tunnel","service-no-backend-response":"reject","set-cilium-is-up-condition":"true","set-cilium-node-taints":"true","synchronize-k8s-nodes":"true","tofqdns-dns-reject-response-code":"refused","tofqdns-enable-dns-compression":"true","tofqdns-endpoint-max-ip-per-hostname":"1000","tofqdns-idle-connection-grace-period":"0s","tofqdns-max-deferred-connection-deletes":"10000","tofqdns-proxy-response-max-delay":"100ms","tunnel-protocol":"vxlan","unmanaged-pod-watcher-interval":"15","vtep-cidr":"","vtep-endpoint":"","vtep-mac":"","vtep-mask":"","write-cni-conf-when-ready":"/host/etc/cni/net.d/05-cilium.conflist"},"kind":"ConfigMap","metadata":{"name":"cilium-config","namespace":"kube-system"}},{"apiVersion":"v1","data":{"bootstrap-config.json":"{\"admin\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/admin.sock\"}}},\"applicationLogConfig\":{\"logFormat\":{\"textFormat\":\"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] 
%v\"}},\"bootstrapExtensions\":[{\"name\":\"envoy.bootstrap.internal_listener\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener\"}}],\"dynamicResources\":{\"cdsConfig\":{\"apiConfigSource\":{\"apiType\":\"GRPC\",\"grpcServices\":[{\"envoyGrpc\":{\"clusterName\":\"xds-grpc-cilium\"}}],\"setNodeOnFirstMessageOnly\":true,\"transportApiVersion\":\"V3\"},\"initialFetchTimeout\":\"30s\",\"resourceApiVersion\":\"V3\"},\"ldsConfig\":{\"apiConfigSource\":{\"apiType\":\"GRPC\",\"grpcServices\":[{\"envoyGrpc\":{\"clusterName\":\"xds-grpc-cilium\"}}],\"setNodeOnFirstMessageOnly\":true,\"transportApiVersion\":\"V3\"},\"initialFetchTimeout\":\"30s\",\"resourceApiVersion\":\"V3\"}},\"node\":{\"cluster\":\"ingress-cluster\",\"id\":\"host~127.0.0.1~no-id~localdomain\"},\"overloadManager\":{\"resourceMonitors\":[{\"name\":\"envoy.resource_monitors.global_downstream_max_connections\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig\",\"max_active_downstream_connections\":\"50000\"}}]},\"staticResources\":{\"clusters\":[{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"ingress-cluster\",\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"egress-cluster-tls\",\"transportSocket\":{\"name\":\"cilium.tls_wrapper\",\"typedConfig\":{\"@type\":\"type.googleapi
s.com/cilium.UpstreamTlsWrapperContext\"}},\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"upstreamHttpProtocolOptions\":{},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"egress-cluster\",\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"ingress-cluster-tls\",\"transportSocket\":{\"name\":\"cilium.tls_wrapper\",\"typedConfig\":{\"@type\":\"type.googleapis.com/cilium.UpstreamTlsWrapperContext\"}},\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"upstreamHttpProtocolOptions\":{},\"useDownstreamProtocolConfig\":{}}}},{\"connectTimeout\":\"2s\",\"loadAssignment\":{\"clusterName\":\"xds-grpc-cilium\",\"endpoints\":[{\"lbEndpoints\":[{\"endpoint\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/xds.sock\"}}}}]}]},\"name\":\"xds-grpc-cilium\",\"type\":\"STATIC\",\"typedExtension
ProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"explicitHttpConfig\":{\"http2ProtocolOptions\":{}}}}},{\"connectTimeout\":\"2s\",\"loadAssignment\":{\"clusterName\":\"/envoy-admin\",\"endpoints\":[{\"lbEndpoints\":[{\"endpoint\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/admin.sock\"}}}}]}]},\"name\":\"/envoy-admin\",\"type\":\"STATIC\"}],\"listeners\":[{\"address\":{\"socketAddress\":{\"address\":\"0.0.0.0\",\"portValue\":9964}},\"filterChains\":[{\"filters\":[{\"name\":\"envoy.filters.network.http_connection_manager\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\",\"httpFilters\":[{\"name\":\"envoy.filters.http.router\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\"}}],\"internalAddressConfig\":{\"cidrRanges\":[{\"addressPrefix\":\"10.0.0.0\",\"prefixLen\":8},{\"addressPrefix\":\"172.16.0.0\",\"prefixLen\":12},{\"addressPrefix\":\"192.168.0.0\",\"prefixLen\":16},{\"addressPrefix\":\"127.0.0.1\",\"prefixLen\":32}]},\"routeConfig\":{\"virtualHosts\":[{\"domains\":[\"*\"],\"name\":\"prometheus_metrics_route\",\"routes\":[{\"match\":{\"prefix\":\"/metrics\"},\"name\":\"prometheus_metrics_route\",\"route\":{\"cluster\":\"/envoy-admin\",\"prefixRewrite\":\"/stats/prometheus\"}}]}]},\"statPrefix\":\"envoy-prometheus-metrics-listener\",\"streamIdleTimeout\":\"0s\"}}]}],\"name\":\"envoy-prometheus-metrics-listener\"},{\"address\":{\"socketAddress\":{\"address\":\"127.0.0.1\",\"portValue\":9878}},\"filterChains\":[{\"filters\":[{\"name\":\"envoy.filters.network.http_connection_manager\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\",\"httpFilters\":[{\"name\":\"envoy.filters.http.router\",\"typedConfig\":{\"@type\
":\"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\"}}],\"internalAddressConfig\":{\"cidrRanges\":[{\"addressPrefix\":\"10.0.0.0\",\"prefixLen\":8},{\"addressPrefix\":\"172.16.0.0\",\"prefixLen\":12},{\"addressPrefix\":\"192.168.0.0\",\"prefixLen\":16},{\"addressPrefix\":\"127.0.0.1\",\"prefixLen\":32}]},\"routeConfig\":{\"virtual_hosts\":[{\"domains\":[\"*\"],\"name\":\"health\",\"routes\":[{\"match\":{\"prefix\":\"/healthz\"},\"name\":\"health\",\"route\":{\"cluster\":\"/envoy-admin\",\"prefixRewrite\":\"/ready\"}}]}]},\"statPrefix\":\"envoy-health-listener\",\"streamIdleTimeout\":\"0s\"}}]}],\"name\":\"envoy-health-listener\"}]}}\n"},"kind":"ConfigMap","metadata":{"name":"cilium-envoy-config","namespace":"kube-system"}},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium"},"rules":[{"apiGroups":["networking.k8s.io"],"resources":["networkpolicies"],"verbs":["get","list","watch"]},{"apiGroups":["discovery.k8s.io"],"resources":["endpointslices"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["namespaces","services","pods","endpoints","nodes"],"verbs":["get","list","watch"]},{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["list","watch","get"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools","ciliumbgppeeringpolicies","ciliumbgpnodeconfigs","ciliumbgpadvertisements","ciliumbgppeerconfigs","ciliumclusterwideenvoyconfigs","ciliumclusterwidenetworkpolicies","ciliumegressgatewaypolicies","ciliumendpoints","ciliumendpointslices","ciliumenvoyconfigs","ciliumidentities","ciliumlocalredirectpolicies","ciliumnetworkpolicies","ciliumnodes","ciliumnodeconfigs","ciliumcidrgroups","ciliuml2announcementpolicies","ciliumpodippools"],"verbs":["list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumidentities","ciliumendpoints","ciliumnodes"],"verbs":["create"]},{"apiGroups":["cilium.io"],"res
ources":["ciliumidentities"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints"],"verbs":["delete","get"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes","ciliumnodes/status"],"verbs":["get","update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints/status","ciliumendpoints","ciliuml2announcementpolicies/status","ciliumbgpnodeconfigs/status"],"verbs":["patch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list","watch","delete"]},{"apiGroups":[""],"resourceNames":["cilium-config"],"resources":["configmaps"],"verbs":["patch"]},{"apiGroups":[""],"resources":["nodes"],"verbs":["list","watch"]},{"apiGroups":[""],"resources":["nodes","nodes/status"],"verbs":["patch"]},{"apiGroups":["discovery.k8s.io"],"resources":["endpointslices"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["services/status"],"verbs":["update","patch"]},{"apiGroups":[""],"resources":["namespaces","secrets"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["services","endpoints"],"verbs":["get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumnetworkpolicies","ciliumclusterwidenetworkpolicies"],"verbs":["create","update","deletecollection","patch","get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumnetworkpolicies/status","ciliumclusterwidenetworkpolicies/status"],"verbs":["patch","update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints","ciliumidentities"],"verbs":["delete","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumidentities"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes"],"verbs":["create","update","get","list","watch","delete"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes/status"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoint
slices","ciliumenvoyconfigs","ciliumbgppeerconfigs","ciliumbgpadvertisements","ciliumbgpnodeconfigs"],"verbs":["create","update","get","list","watch","delete","patch"]},{"apiGroups":["cilium.io"],"resources":["ciliumbgpclusterconfigs/status","ciliumbgppeerconfigs/status"],"verbs":["update"]},{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["create","get","list","watch"]},{"apiGroups":["apiextensions.k8s.io"],"resourceNames":["ciliumloadbalancerippools.cilium.io","ciliumbgppeeringpolicies.cilium.io","ciliumbgpclusterconfigs.cilium.io","ciliumbgppeerconfigs.cilium.io","ciliumbgpadvertisements.cilium.io","ciliumbgpnodeconfigs.cilium.io","ciliumbgpnodeconfigoverrides.cilium.io","ciliumclusterwideenvoyconfigs.cilium.io","ciliumclusterwidenetworkpolicies.cilium.io","ciliumegressgatewaypolicies.cilium.io","ciliumendpoints.cilium.io","ciliumendpointslices.cilium.io","ciliumenvoyconfigs.cilium.io","ciliumexternalworkloads.cilium.io","ciliumidentities.cilium.io","ciliumlocalredirectpolicies.cilium.io","ciliumnetworkpolicies.cilium.io","ciliumnodes.cilium.io","ciliumnodeconfigs.cilium.io","ciliumcidrgroups.cilium.io","ciliuml2announcementpolicies.cilium.io","ciliumpodippools.cilium.io"],"resources":["customresourcedefinitions"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools","ciliumpodippools","ciliumbgppeeringpolicies","ciliumbgpclusterconfigs","ciliumbgpnodeconfigoverrides","ciliumbgppeerconfigs"],"verbs":["get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumpodippools"],"verbs":["create"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools/status"],"verbs":["patch"]},{"apiGroups":["coordination.k8s.io"],"resources":["leases"],"verbs":["create","get","update"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kin
d":"ClusterRole","name":"cilium"},"subjects":[{"kind":"ServiceAccount","name":"cilium","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cilium-operator"},"subjects":[{"kind":"ServiceAccount","name":"cilium-operator","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-config-agent","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-tlsinterception-secrets","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get","list","watch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator-tlsinterception-secrets","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["create","delete","update","patch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-config-agent","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-config-agent"},"subjects":[{"kind":"ServiceAccount","name":"cilium","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-tlsinterception-secrets","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-tlsinterception-secrets"},"subjects":[{"kind":"ServiceAccount","name":"cilium",
"namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator-tlsinterception-secrets","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-operator-tlsinterception-secrets"},"subjects":[{"kind":"ServiceAccount","name":"cilium-operator","namespace":"kube-system"}]},{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"prometheus.io/port":"9964","prometheus.io/scrape":"true"},"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","io.cilium/app":"proxy","k8s-app":"cilium-envoy"},"name":"cilium-envoy","namespace":"kube-system"},"spec":{"clusterIP":"None","ports":[{"name":"envoy-metrics","port":9964,"protocol":"TCP","targetPort":"envoy-metrics"}],"selector":{"k8s-app":"cilium-envoy"},"type":"ClusterIP"}},{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app.kubernetes.io/name":"cilium-agent","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium"},"name":"cilium","namespace":"kube-system"},"spec":{"selector":{"matchLabels":{"k8s-app":"cilium"}},"template":{"metadata":{"annotations":null,"labels":{"app.kubernetes.io/name":"cilium-agent","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium"}},"spec":{"affinity":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--config-dir=/tmp/cilium/config-map"],"command":["cilium-agent"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"CILIUM_CLUSTERMESH_CONFIG","value":"/var/lib/cilium/clustermesh/"},{"name":"GOMEMLIMIT","valueFrom":{"resourceFieldRef":{"divisor"
:"1","resource":"limits.memory"}}}],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","lifecycle":{"postStart":{"exec":{"command":["bash","-c","set -o errexit\nset -o pipefail\nset -o nounset\n\n# When running in AWS ENI mode, it's likely that 'aws-node' has\n# had a chance to install SNAT iptables rules. These can result\n# in dropped traffic, so we should attempt to remove them.\n# We do it using a 'postStart' hook since this may need to run\n# for nodes which might have already been init'ed but may still\n# have dangling rules. This is safe because there are no\n# dependencies on anything that is part of the startup script\n# itself, and can be safely run multiple times per node (e.g. in\n# case of a restart).\nif [[ \"$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')\" != \"0\" ]];\nthen\n echo 'Deleting iptables rules created by the AWS CNI VPC plugin'\n iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore\nfi\necho 
'Done!'\n"]}},"preStop":{"exec":{"command":["/cni-uninstall.sh"]}}},"livenessProbe":{"failureThreshold":10,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"name":"cilium-agent","readinessProbe":{"failureThreshold":3,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"securityContext":{"capabilities":{"add":["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"startupProbe":{"failureThreshold":105,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"initialDelaySeconds":5,"periodSeconds":2,"successThreshold":1},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/var/run/cilium/envoy/sockets","name":"envoy-sockets","readOnly":false},{"mountPath":"/host/proc/sys/net","name":"host-proc-sys-net"},{"mountPath":"/host/proc/sys/kernel","name":"host-proc-sys-kernel"},{"mountPath":"/sys/fs/bpf","mountPropagation":"HostToContainer","name":"bpf-maps"},{"mountPath":"/var/run/cilium","name":"cilium-run"},{"mountPath":"/var/run/cilium/netns","mountPropagation":"HostToContainer","name":"cilium-netns"},{"mountPath":"/host/etc/cni/net.d","name":"etc-cni-netd"},{"mountPath":"/var/lib/cilium/clustermesh","name":"clustermesh-secrets","readOnly":true},{"mountPath":"/lib/modules","name":"lib-modules","readOnly":true},{"mountPath":"/run/xtables.lock","name":"xtables-lock"},{"mountPath":"/tmp","name":"tmp"}]}],"hostNetwork":true,"initContainers":[{"command":["cilium-dbg","build-config"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeNa
me"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"config","terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/tmp","name":"tmp"}]},{"command":["sh","-ec","cp /usr/bin/cilium-mount /hostbin/cilium-mount;\nnsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt \"${BIN_PATH}/cilium-mount\" $CGROUP_ROOT;\nrm /hostbin/cilium-mount\n"],"env":[{"name":"CGROUP_ROOT","value":"/run/cilium/cgroupv2"},{"name":"BIN_PATH","value":"/opt/cni/bin"}],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"mount-cgroup","securityContext":{"capabilities":{"add":["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/hostproc","name":"hostproc"},{"mountPath":"/hostbin","name":"cni-path"}]},{"command":["sh","-ec","cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;\nnsenter --mount=/hostproc/1/ns/mnt \"${BIN_PATH}/cilium-sysctlfix\";\nrm /hostbin/cilium-sysctlfix\n"],"env":[{"name":"BIN_PATH","value":"/opt/cni/bin"}],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"apply-sysctl-overwrites","securityContext":{"capabilities":{"add":["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/hostproc","name":"hostproc"},{"mountPath":"/hostbin","name":"cni-path"}]},{"args":["mount | grep \"/sys/fs/bpf type bpf\" || mount -t bpf bpf 
/sys/fs/bpf"],"command":["/bin/bash","-c","--"],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"mount-bpf-fs","securityContext":{"privileged":true},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/sys/fs/bpf","mountPropagation":"Bidirectional","name":"bpf-maps"}]},{"command":["/init-container.sh"],"env":[{"name":"CILIUM_ALL_STATE","valueFrom":{"configMapKeyRef":{"key":"clean-cilium-state","name":"cilium-config","optional":true}}},{"name":"CILIUM_BPF_STATE","valueFrom":{"configMapKeyRef":{"key":"clean-cilium-bpf-state","name":"cilium-config","optional":true}}},{"name":"WRITE_CNI_CONF_WHEN_READY","valueFrom":{"configMapKeyRef":{"key":"write-cni-conf-when-ready","name":"cilium-config","optional":true}}}],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"clean-cilium-state","securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/sys/fs/bpf","name":"bpf-maps"},{"mountPath":"/run/cilium/cgroupv2","mountPropagation":"HostToContainer","name":"cilium-cgroup"},{"mountPath":"/var/run/cilium","name":"cilium-run"}]},{"command":["/install-plugin.sh"],"image":"quay.io/cilium/cilium:v1.17.1","imagePullPolicy":"IfNotPresent","name":"install-cni-binaries","resources":{"requests":{"cpu":"100m","memory":"10Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/host/opt/cni/bin","name":"cni-path"}]}],"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-node-critical","restartPolicy":"Always","securityContext":{"appArmorProfile":{"type":"Unconfined"}},"serviceAccountName":"cilium","terminationGracePeriodSeconds":1,"tolerations":[{"operator":"Exists"}],"volumes":[
{"emptyDir":{},"name":"tmp"},{"hostPath":{"path":"/var/run/cilium","type":"DirectoryOrCreate"},"name":"cilium-run"},{"hostPath":{"path":"/var/run/netns","type":"DirectoryOrCreate"},"name":"cilium-netns"},{"hostPath":{"path":"/sys/fs/bpf","type":"DirectoryOrCreate"},"name":"bpf-maps"},{"hostPath":{"path":"/proc","type":"Directory"},"name":"hostproc"},{"hostPath":{"path":"/run/cilium/cgroupv2","type":"DirectoryOrCreate"},"name":"cilium-cgroup"},{"hostPath":{"path":"/opt/cni/bin","type":"DirectoryOrCreate"},"name":"cni-path"},{"hostPath":{"path":"/etc/cni/net.d","type":"DirectoryOrCreate"},"name":"etc-cni-netd"},{"hostPath":{"path":"/lib/modules"},"name":"lib-modules"},{"hostPath":{"path":"/run/xtables.lock","type":"FileOrCreate"},"name":"xtables-lock"},{"hostPath":{"path":"/var/run/cilium/envoy/sockets","type":"DirectoryOrCreate"},"name":"envoy-sockets"},{"name":"clustermesh-secrets","projected":{"defaultMode":256,"sources":[{"secret":{"name":"cilium-clustermesh","optional":true}},{"secret":{"items":[{"key":"tls.key","path":"common-etcd-client.key"},{"key":"tls.crt","path":"common-etcd-client.crt"},{"key":"ca.crt","path":"common-etcd-client-ca.crt"}],"name":"clustermesh-apiserver-remote-cert","optional":true}},{"secret":{"items":[{"key":"tls.key","path":"local-etcd-client.key"},{"key":"tls.crt","path":"local-etcd-client.crt"},{"key":"ca.crt","path":"local-etcd-client-ca.crt"}],"name":"clustermesh-apiserver-local-cert","optional":true}}]}},{"hostPath":{"path":"/proc/sys/net","type":"Directory"},"name":"host-proc-sys-net"},{"hostPath":{"path":"/proc/sys/kernel","type":"Directory"},"name":"host-proc-sys-kernel"}]}},"updateStrategy":{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}}},{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium-envoy","name":"cilium-envoy"},"name":"cilium-envoy","namespace":"kube-system"},"spec":{"selector":{"matchLabels":{"k8s-ap
p":"cilium-envoy"}},"template":{"metadata":{"annotations":null,"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium-envoy","name":"cilium-envoy"}},"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--","-c /var/run/cilium/envoy/bootstrap-config.json","--base-id 0","--log-level info"],"command":["/usr/bin/cilium-envoy-starter"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"quay.io/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold":10,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"name":"cilium-envoy","ports":[{"containerPort":9964,"hostPort":9964,"name":"envoy-metrics","protocol":"TCP"}],"readinessProbe":{"failureThreshold":3,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_ADMIN"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"startupProbe":{"failureThreshold":105,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"initialDelaySecon
ds":5,"periodSeconds":2,"successThreshold":1},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/var/run/cilium/envoy/sockets","name":"envoy-sockets","readOnly":false},{"mountPath":"/var/run/cilium/envoy/artifacts","name":"envoy-artifacts","readOnly":true},{"mountPath":"/var/run/cilium/envoy/","name":"envoy-config","readOnly":true},{"mountPath":"/sys/fs/bpf","mountPropagation":"HostToContainer","name":"bpf-maps"}]}],"hostNetwork":true,"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-node-critical","restartPolicy":"Always","securityContext":{"appArmorProfile":{"type":"Unconfined"}},"serviceAccountName":"cilium-envoy","terminationGracePeriodSeconds":1,"tolerations":[{"operator":"Exists"}],"volumes":[{"hostPath":{"path":"/var/run/cilium/envoy/sockets","type":"DirectoryOrCreate"},"name":"envoy-sockets"},{"hostPath":{"path":"/var/run/cilium/envoy/artifacts","type":"DirectoryOrCreate"},"name":"envoy-artifacts"},{"configMap":{"defaultMode":256,"items":[{"key":"bootstrap-config.json","path":"bootstrap-config.json"}],"name":"cilium-envoy-config"},"name":"envoy-config"},{"hostPath":{"path":"/sys/fs/bpf","type":"DirectoryOrCreate"},"name":"bpf-maps"}]}},"updateStrategy":{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}}},{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app.kubernetes.io/name":"cilium-operator","app.kubernetes.io/part-of":"cilium","io.cilium/app":"operator","name":"cilium-operator"},"name":"cilium-operator","namespace":"kube-system"},"spec":{"replicas":2,"selector":{"matchLabels":{"io.cilium/app":"operator","name":"cilium-operator"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"50%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"prometheus.io/port":"9963","prometheus.io/scrape":"true"},"labels":{"app.kubernetes.io/name":"cilium-operator","app.kubernetes.io/part-of":"cilium","io.cilium/app":"operator","name":"cilium-operator"}},"spec":{"affini
ty":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--config-dir=/tmp/cilium/config-map","--debug=$(CILIUM_DEBUG)"],"command":["cilium-operator-generic"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"CILIUM_DEBUG","valueFrom":{"configMapKeyRef":{"key":"debug","name":"cilium-config","optional":true}}}],"image":"quay.io/cilium/operator-generic:v1.17.1","imagePullPolicy":"IfNotPresent","livenessProbe":{"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9234,"scheme":"HTTP"},"initialDelaySeconds":60,"periodSeconds":10,"timeoutSeconds":3},"name":"cilium-operator","ports":[{"containerPort":9963,"hostPort":9963,"name":"prometheus","protocol":"TCP"}],"readinessProbe":{"failureThreshold":5,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9234,"scheme":"HTTP"},"initialDelaySeconds":0,"periodSeconds":5,"timeoutSeconds":3},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/tmp/cilium/config-map","name":"cilium-config-path","readOnly":true}]}],"hostNetwork":true,"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-cluster-critical","restartPolicy":"Always","serviceAccountName":"cilium-operator","tolerations":[{"operator":"Exists"}],"volumes":[{"configMap":{"name":"cilium-config"},"name":"cilium-config-path"}]}}}}] + 
[{"apiVersion":"v1","kind":"Namespace","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium","namespace":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium-envoy","namespace":"kube-system"}},{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"cilium-operator","namespace":"kube-system"}},{"apiVersion":"v1","data":{"agent-not-ready-taint-key":"node.cilium.io/agent-not-ready","arping-refresh-period":"30s","auto-direct-node-routes":"false","bpf-distributed-lru":"false","bpf-events-drop-enabled":"true","bpf-events-policy-verdict-enabled":"true","bpf-events-trace-enabled":"true","bpf-lb-acceleration":"disabled","bpf-lb-algorithm-annotation":"false","bpf-lb-external-clusterip":"false","bpf-lb-map-max":"65536","bpf-lb-mode-annotation":"false","bpf-lb-sock":"false","bpf-lb-sock-hostns-only":"true","bpf-lb-source-range-all-types":"false","bpf-map-dynamic-size-ratio":"0.0025","bpf-policy-map-max":"16384","bpf-root":"/sys/fs/bpf","cgroup-root":"/run/cilium/cgroupv2","cilium-endpoint-gc-interval":"5m0s","cluster-id":"0","cluster-name":"default","clustermesh-enable-endpoint-sync":"false","clustermesh-enable-mcs-api":"false","cni-chaining-mode":"portmap","cni-exclusive":"false","cni-log-file":"/var/run/cilium/cilium-cni.log","custom-cni-conf":"false","datapath-mode":"veth","debug":"false","debug-verbose":"","default-lb-service-ipam":"lbipam","direct-routing-skip-unreachable":"false","dnsproxy-socket-linger-timeout":"10","egress-gateway-reconciliation-trigger-interval":"1s","enable-auto-protect-node-port-range":"true","enable-bpf-clock-probe":"false","enable-endpoint-health-checking":"true","enable-endpoint-lockdown-on-policy-overflow":"false","enable-experimental-lb":"false","enable-health-check-loadbalancer-ip":"false","enable-health-check-nodeport":"true","enable-health-checking":"true","enable-host-legacy-routing":"true","enable-hubbl
e":"false","enable-internal-traffic-policy":"true","enable-ipv4":"true","enable-ipv4-big-tcp":"false","enable-ipv4-masquerade":"true","enable-ipv6":"false","enable-ipv6-big-tcp":"false","enable-ipv6-masquerade":"true","enable-k8s-networkpolicy":"true","enable-k8s-terminating-endpoint":"true","enable-l2-neigh-discovery":"true","enable-l7-proxy":"true","enable-lb-ipam":"true","enable-local-redirect-policy":"false","enable-masquerade-to-route-source":"false","enable-metrics":"true","enable-node-port":"false","enable-node-selector-labels":"false","enable-non-default-deny-policies":"true","enable-policy":"default","enable-policy-secrets-sync":"true","enable-runtime-device-detection":"true","enable-sctp":"false","enable-source-ip-verification":"true","enable-svc-source-range-check":"true","enable-tcx":"true","enable-vtep":"false","enable-well-known-identities":"false","enable-xt-socket-fallback":"true","envoy-access-log-buffer-size":"4096","envoy-base-id":"0","envoy-keep-cap-netbindservice":"false","external-envoy-proxy":"true","health-check-icmp-failure-threshold":"3","http-retry-count":"3","identity-allocation-mode":"crd","identity-gc-interval":"15m0s","identity-heartbeat-timeout":"30m0s","install-no-conntrack-iptables-rules":"false","ipam":"kubernetes","ipam-cilium-node-update-rate":"15s","iptables-random-fully":"false","k8s-require-ipv4-pod-cidr":"false","k8s-require-ipv6-pod-cidr":"false","kube-proxy-replacement":"false","kube-proxy-replacement-healthz-bind-address":"","max-connected-clusters":"255","mesh-auth-enabled":"true","mesh-auth-gc-interval":"5m0s","mesh-auth-queue-size":"1024","mesh-auth-rotated-identities-queue-size":"1024","monitor-aggregation":"medium","monitor-aggregation-flags":"all","monitor-aggregation-interval":"5s","nat-map-stats-entries":"32","nat-map-stats-interval":"30s","node-port-bind-protection":"true","nodeport-addresses":"","nodes-gc-interval":"5m0s","operator-api-serve-addr":"127.0.0.1:9234","operator-prometheus-serve-addr":":9963","policy-
cidr-match-mode":"","policy-secrets-namespace":"cilium-secrets","policy-secrets-only-from-secrets-namespace":"true","preallocate-bpf-maps":"false","procfs":"/host/proc","proxy-connect-timeout":"2","proxy-idle-timeout-seconds":"60","proxy-initial-fetch-timeout":"30","proxy-max-concurrent-retries":"128","proxy-max-connection-duration-seconds":"0","proxy-max-requests-per-connection":"0","proxy-xff-num-trusted-hops-egress":"0","proxy-xff-num-trusted-hops-ingress":"0","remove-cilium-node-taints":"true","routing-mode":"tunnel","service-no-backend-response":"reject","set-cilium-is-up-condition":"true","set-cilium-node-taints":"true","synchronize-k8s-nodes":"true","tofqdns-dns-reject-response-code":"refused","tofqdns-enable-dns-compression":"true","tofqdns-endpoint-max-ip-per-hostname":"1000","tofqdns-idle-connection-grace-period":"0s","tofqdns-max-deferred-connection-deletes":"10000","tofqdns-proxy-response-max-delay":"100ms","tunnel-protocol":"vxlan","tunnel-source-port-range":"0-0","unmanaged-pod-watcher-interval":"15","vtep-cidr":"","vtep-endpoint":"","vtep-mac":"","vtep-mask":"","write-cni-conf-when-ready":"/host/etc/cni/net.d/05-cilium.conflist"},"kind":"ConfigMap","metadata":{"name":"cilium-config","namespace":"kube-system"}},{"apiVersion":"v1","data":{"bootstrap-config.json":"{\"admin\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/admin.sock\"}}},\"applicationLogConfig\":{\"logFormat\":{\"textFormat\":\"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] 
%v\"}},\"bootstrapExtensions\":[{\"name\":\"envoy.bootstrap.internal_listener\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener\"}}],\"dynamicResources\":{\"cdsConfig\":{\"apiConfigSource\":{\"apiType\":\"GRPC\",\"grpcServices\":[{\"envoyGrpc\":{\"clusterName\":\"xds-grpc-cilium\"}}],\"setNodeOnFirstMessageOnly\":true,\"transportApiVersion\":\"V3\"},\"initialFetchTimeout\":\"30s\",\"resourceApiVersion\":\"V3\"},\"ldsConfig\":{\"apiConfigSource\":{\"apiType\":\"GRPC\",\"grpcServices\":[{\"envoyGrpc\":{\"clusterName\":\"xds-grpc-cilium\"}}],\"setNodeOnFirstMessageOnly\":true,\"transportApiVersion\":\"V3\"},\"initialFetchTimeout\":\"30s\",\"resourceApiVersion\":\"V3\"}},\"node\":{\"cluster\":\"ingress-cluster\",\"id\":\"host~127.0.0.1~no-id~localdomain\"},\"overloadManager\":{\"resourceMonitors\":[{\"name\":\"envoy.resource_monitors.global_downstream_max_connections\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig\",\"max_active_downstream_connections\":\"50000\"}}]},\"staticResources\":{\"clusters\":[{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"ingress-cluster\",\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"egress-cluster-tls\",\"transportSocket\":{\"name\":\"cilium.tls_wrapper\",\"typedConfig\":{\"@type\":\"type.googleapi
s.com/cilium.UpstreamTlsWrapperContext\"}},\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"upstreamHttpProtocolOptions\":{},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"egress-cluster\",\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"useDownstreamProtocolConfig\":{}}}},{\"circuitBreakers\":{\"thresholds\":[{\"maxRetries\":128}]},\"cleanupInterval\":\"2.500s\",\"connectTimeout\":\"2s\",\"lbPolicy\":\"CLUSTER_PROVIDED\",\"name\":\"ingress-cluster-tls\",\"transportSocket\":{\"name\":\"cilium.tls_wrapper\",\"typedConfig\":{\"@type\":\"type.googleapis.com/cilium.UpstreamTlsWrapperContext\"}},\"type\":\"ORIGINAL_DST\",\"typedExtensionProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"commonHttpProtocolOptions\":{\"idleTimeout\":\"60s\",\"maxConnectionDuration\":\"0s\",\"maxRequestsPerConnection\":0},\"upstreamHttpProtocolOptions\":{},\"useDownstreamProtocolConfig\":{}}}},{\"connectTimeout\":\"2s\",\"loadAssignment\":{\"clusterName\":\"xds-grpc-cilium\",\"endpoints\":[{\"lbEndpoints\":[{\"endpoint\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/xds.sock\"}}}}]}]},\"name\":\"xds-grpc-cilium\",\"type\":\"STATIC\",\"typedExtension
ProtocolOptions\":{\"envoy.extensions.upstreams.http.v3.HttpProtocolOptions\":{\"@type\":\"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions\",\"explicitHttpConfig\":{\"http2ProtocolOptions\":{}}}}},{\"connectTimeout\":\"2s\",\"loadAssignment\":{\"clusterName\":\"/envoy-admin\",\"endpoints\":[{\"lbEndpoints\":[{\"endpoint\":{\"address\":{\"pipe\":{\"path\":\"/var/run/cilium/envoy/sockets/admin.sock\"}}}}]}]},\"name\":\"/envoy-admin\",\"type\":\"STATIC\"}],\"listeners\":[{\"address\":{\"socketAddress\":{\"address\":\"0.0.0.0\",\"portValue\":9964}},\"filterChains\":[{\"filters\":[{\"name\":\"envoy.filters.network.http_connection_manager\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\",\"httpFilters\":[{\"name\":\"envoy.filters.http.router\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\"}}],\"internalAddressConfig\":{\"cidrRanges\":[{\"addressPrefix\":\"10.0.0.0\",\"prefixLen\":8},{\"addressPrefix\":\"172.16.0.0\",\"prefixLen\":12},{\"addressPrefix\":\"192.168.0.0\",\"prefixLen\":16},{\"addressPrefix\":\"127.0.0.1\",\"prefixLen\":32}]},\"routeConfig\":{\"virtualHosts\":[{\"domains\":[\"*\"],\"name\":\"prometheus_metrics_route\",\"routes\":[{\"match\":{\"prefix\":\"/metrics\"},\"name\":\"prometheus_metrics_route\",\"route\":{\"cluster\":\"/envoy-admin\",\"prefixRewrite\":\"/stats/prometheus\"}}]}]},\"statPrefix\":\"envoy-prometheus-metrics-listener\",\"streamIdleTimeout\":\"0s\"}}]}],\"name\":\"envoy-prometheus-metrics-listener\"},{\"address\":{\"socketAddress\":{\"address\":\"127.0.0.1\",\"portValue\":9878}},\"filterChains\":[{\"filters\":[{\"name\":\"envoy.filters.network.http_connection_manager\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager\",\"httpFilters\":[{\"name\":\"envoy.filters.http.router\",\"typedConfig\":{\"@type\
":\"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router\"}}],\"internalAddressConfig\":{\"cidrRanges\":[{\"addressPrefix\":\"10.0.0.0\",\"prefixLen\":8},{\"addressPrefix\":\"172.16.0.0\",\"prefixLen\":12},{\"addressPrefix\":\"192.168.0.0\",\"prefixLen\":16},{\"addressPrefix\":\"127.0.0.1\",\"prefixLen\":32}]},\"routeConfig\":{\"virtual_hosts\":[{\"domains\":[\"*\"],\"name\":\"health\",\"routes\":[{\"match\":{\"prefix\":\"/healthz\"},\"name\":\"health\",\"route\":{\"cluster\":\"/envoy-admin\",\"prefixRewrite\":\"/ready\"}}]}]},\"statPrefix\":\"envoy-health-listener\",\"streamIdleTimeout\":\"0s\"}}]}],\"name\":\"envoy-health-listener\"}]}}\n"},"kind":"ConfigMap","metadata":{"name":"cilium-envoy-config","namespace":"kube-system"}},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium"},"rules":[{"apiGroups":["networking.k8s.io"],"resources":["networkpolicies"],"verbs":["get","list","watch"]},{"apiGroups":["discovery.k8s.io"],"resources":["endpointslices"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["namespaces","services","pods","endpoints","nodes"],"verbs":["get","list","watch"]},{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["list","watch","get"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools","ciliumbgppeeringpolicies","ciliumbgpnodeconfigs","ciliumbgpadvertisements","ciliumbgppeerconfigs","ciliumclusterwideenvoyconfigs","ciliumclusterwidenetworkpolicies","ciliumegressgatewaypolicies","ciliumendpoints","ciliumendpointslices","ciliumenvoyconfigs","ciliumidentities","ciliumlocalredirectpolicies","ciliumnetworkpolicies","ciliumnodes","ciliumnodeconfigs","ciliumcidrgroups","ciliuml2announcementpolicies","ciliumpodippools"],"verbs":["list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumidentities","ciliumendpoints","ciliumnodes"],"verbs":["create"]},{"apiGroups":["cilium.io"],"res
ources":["ciliumidentities"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints"],"verbs":["delete","get"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes","ciliumnodes/status"],"verbs":["get","update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints/status","ciliumendpoints","ciliuml2announcementpolicies/status","ciliumbgpnodeconfigs/status"],"verbs":["patch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list","watch","delete"]},{"apiGroups":[""],"resourceNames":["cilium-config"],"resources":["configmaps"],"verbs":["patch"]},{"apiGroups":[""],"resources":["nodes"],"verbs":["list","watch"]},{"apiGroups":[""],"resources":["nodes","nodes/status"],"verbs":["patch"]},{"apiGroups":["discovery.k8s.io"],"resources":["endpointslices"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["services/status"],"verbs":["update","patch"]},{"apiGroups":[""],"resources":["namespaces","secrets"],"verbs":["get","list","watch"]},{"apiGroups":[""],"resources":["services","endpoints"],"verbs":["get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumnetworkpolicies","ciliumclusterwidenetworkpolicies"],"verbs":["create","update","deletecollection","patch","get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumnetworkpolicies/status","ciliumclusterwidenetworkpolicies/status"],"verbs":["patch","update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoints","ciliumidentities"],"verbs":["delete","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumidentities"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes"],"verbs":["create","update","get","list","watch","delete"]},{"apiGroups":["cilium.io"],"resources":["ciliumnodes/status"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumendpoint
slices","ciliumenvoyconfigs","ciliumbgppeerconfigs","ciliumbgpadvertisements","ciliumbgpnodeconfigs"],"verbs":["create","update","get","list","watch","delete","patch"]},{"apiGroups":["cilium.io"],"resources":["ciliumbgpclusterconfigs/status","ciliumbgppeerconfigs/status"],"verbs":["update"]},{"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"],"verbs":["create","get","list","watch"]},{"apiGroups":["apiextensions.k8s.io"],"resourceNames":["ciliumloadbalancerippools.cilium.io","ciliumbgppeeringpolicies.cilium.io","ciliumbgpclusterconfigs.cilium.io","ciliumbgppeerconfigs.cilium.io","ciliumbgpadvertisements.cilium.io","ciliumbgpnodeconfigs.cilium.io","ciliumbgpnodeconfigoverrides.cilium.io","ciliumclusterwideenvoyconfigs.cilium.io","ciliumclusterwidenetworkpolicies.cilium.io","ciliumegressgatewaypolicies.cilium.io","ciliumendpoints.cilium.io","ciliumendpointslices.cilium.io","ciliumenvoyconfigs.cilium.io","ciliumexternalworkloads.cilium.io","ciliumidentities.cilium.io","ciliumlocalredirectpolicies.cilium.io","ciliumnetworkpolicies.cilium.io","ciliumnodes.cilium.io","ciliumnodeconfigs.cilium.io","ciliumcidrgroups.cilium.io","ciliuml2announcementpolicies.cilium.io","ciliumpodippools.cilium.io"],"resources":["customresourcedefinitions"],"verbs":["update"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools","ciliumpodippools","ciliumbgppeeringpolicies","ciliumbgpclusterconfigs","ciliumbgpnodeconfigoverrides","ciliumbgppeerconfigs"],"verbs":["get","list","watch"]},{"apiGroups":["cilium.io"],"resources":["ciliumpodippools"],"verbs":["create"]},{"apiGroups":["cilium.io"],"resources":["ciliumloadbalancerippools/status"],"verbs":["patch"]},{"apiGroups":["coordination.k8s.io"],"resources":["leases"],"verbs":["create","get","update"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kin
d":"ClusterRole","name":"cilium"},"subjects":[{"kind":"ServiceAccount","name":"cilium","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cilium-operator"},"subjects":[{"kind":"ServiceAccount","name":"cilium-operator","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-config-agent","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-tlsinterception-secrets","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get","list","watch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator-tlsinterception-secrets","namespace":"kube-system"},"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["create","delete","update","patch"]}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-config-agent","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-config-agent"},"subjects":[{"kind":"ServiceAccount","name":"cilium","namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-tlsinterception-secrets","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-tlsinterception-secrets"},"subjects":[{"kind":"ServiceAccount","name":"cilium",
"namespace":"kube-system"}]},{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"labels":{"app.kubernetes.io/part-of":"cilium"},"name":"cilium-operator-tlsinterception-secrets","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"cilium-operator-tlsinterception-secrets"},"subjects":[{"kind":"ServiceAccount","name":"cilium-operator","namespace":"kube-system"}]},{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"prometheus.io/port":"9964","prometheus.io/scrape":"true"},"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","io.cilium/app":"proxy","k8s-app":"cilium-envoy"},"name":"cilium-envoy","namespace":"kube-system"},"spec":{"clusterIP":"None","ports":[{"name":"envoy-metrics","port":9964,"protocol":"TCP","targetPort":"envoy-metrics"}],"selector":{"k8s-app":"cilium-envoy"},"type":"ClusterIP"}},{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app.kubernetes.io/name":"cilium-agent","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium"},"name":"cilium","namespace":"kube-system"},"spec":{"selector":{"matchLabels":{"k8s-app":"cilium"}},"template":{"metadata":{"annotations":null,"labels":{"app.kubernetes.io/name":"cilium-agent","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium"}},"spec":{"affinity":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--config-dir=/tmp/cilium/config-map"],"command":["cilium-agent"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"CILIUM_CLUSTERMESH_CONFIG","value":"/var/lib/cilium/clustermesh/"},{"name":"GOMEMLIMIT","valueFrom":{"resourceFieldRef":{"divisor"
:"1","resource":"limits.memory"}}}],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","lifecycle":{"postStart":{"exec":{"command":["bash","-c","set -o errexit\nset -o pipefail\nset -o nounset\n\n# When running in AWS ENI mode, it's likely that 'aws-node' has\n# had a chance to install SNAT iptables rules. These can result\n# in dropped traffic, so we should attempt to remove them.\n# We do it using a 'postStart' hook since this may need to run\n# for nodes which might have already been init'ed but may still\n# have dangling rules. This is safe because there are no\n# dependencies on anything that is part of the startup script\n# itself, and can be safely run multiple times per node (e.g. in\n# case of a restart).\nif [[ \"$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')\" != \"0\" ]];\nthen\n echo 'Deleting iptables rules created by the AWS CNI VPC plugin'\n iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore\nfi\necho 
'Done!'\n"]}},"preStop":{"exec":{"command":["/cni-uninstall.sh"]}}},"livenessProbe":{"failureThreshold":10,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"name":"cilium-agent","readinessProbe":{"failureThreshold":3,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"securityContext":{"capabilities":{"add":["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"startupProbe":{"failureThreshold":105,"httpGet":{"host":"127.0.0.1","httpHeaders":[{"name":"brief","value":"true"}],"path":"/healthz","port":9879,"scheme":"HTTP"},"initialDelaySeconds":5,"periodSeconds":2,"successThreshold":1},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/var/run/cilium/envoy/sockets","name":"envoy-sockets","readOnly":false},{"mountPath":"/host/proc/sys/net","name":"host-proc-sys-net"},{"mountPath":"/host/proc/sys/kernel","name":"host-proc-sys-kernel"},{"mountPath":"/sys/fs/bpf","mountPropagation":"HostToContainer","name":"bpf-maps"},{"mountPath":"/var/run/cilium","name":"cilium-run"},{"mountPath":"/var/run/cilium/netns","mountPropagation":"HostToContainer","name":"cilium-netns"},{"mountPath":"/host/etc/cni/net.d","name":"etc-cni-netd"},{"mountPath":"/var/lib/cilium/clustermesh","name":"clustermesh-secrets","readOnly":true},{"mountPath":"/lib/modules","name":"lib-modules","readOnly":true},{"mountPath":"/run/xtables.lock","name":"xtables-lock"},{"mountPath":"/tmp","name":"tmp"}]}],"hostNetwork":true,"initContainers":[{"command":["cilium-dbg","build-config"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeNa
me"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"config","terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/tmp","name":"tmp"}]},{"command":["sh","-ec","cp /usr/bin/cilium-mount /hostbin/cilium-mount;\nnsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt \"${BIN_PATH}/cilium-mount\" $CGROUP_ROOT;\nrm /hostbin/cilium-mount\n"],"env":[{"name":"CGROUP_ROOT","value":"/run/cilium/cgroupv2"},{"name":"BIN_PATH","value":"/opt/cni/bin"}],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"mount-cgroup","securityContext":{"capabilities":{"add":["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/hostproc","name":"hostproc"},{"mountPath":"/hostbin","name":"cni-path"}]},{"command":["sh","-ec","cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;\nnsenter --mount=/hostproc/1/ns/mnt \"${BIN_PATH}/cilium-sysctlfix\";\nrm /hostbin/cilium-sysctlfix\n"],"env":[{"name":"BIN_PATH","value":"/opt/cni/bin"}],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"apply-sysctl-overwrites","securityContext":{"capabilities":{"add":["SYS_ADMIN","SYS_CHROOT","SYS_PTRACE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/hostproc","name":"hostproc"},{"mountPath":"/hostbin","name":"cni-path"}]},{"args":["mount | grep \"/sys/fs/bpf type bpf\" || mount -t bpf bpf 
/sys/fs/bpf"],"command":["/bin/bash","-c","--"],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"mount-bpf-fs","securityContext":{"privileged":true},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/sys/fs/bpf","mountPropagation":"Bidirectional","name":"bpf-maps"}]},{"command":["/init-container.sh"],"env":[{"name":"CILIUM_ALL_STATE","valueFrom":{"configMapKeyRef":{"key":"clean-cilium-state","name":"cilium-config","optional":true}}},{"name":"CILIUM_BPF_STATE","valueFrom":{"configMapKeyRef":{"key":"clean-cilium-bpf-state","name":"cilium-config","optional":true}}},{"name":"WRITE_CNI_CONF_WHEN_READY","valueFrom":{"configMapKeyRef":{"key":"write-cni-conf-when-ready","name":"cilium-config","optional":true}}}],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"clean-cilium-state","securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_MODULE","SYS_ADMIN","SYS_RESOURCE"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/sys/fs/bpf","name":"bpf-maps"},{"mountPath":"/run/cilium/cgroupv2","mountPropagation":"HostToContainer","name":"cilium-cgroup"},{"mountPath":"/var/run/cilium","name":"cilium-run"}]},{"command":["/install-plugin.sh"],"image":"quay.io/cilium/cilium:v1.17.3","imagePullPolicy":"IfNotPresent","name":"install-cni-binaries","resources":{"requests":{"cpu":"100m","memory":"10Mi"}},"securityContext":{"capabilities":{"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/host/opt/cni/bin","name":"cni-path"}]}],"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-node-critical","restartPolicy":"Always","securityContext":{"appArmorProfile":{"type":"Unconfined"}},"serviceAccountName":"cilium","terminationGracePeriodSeconds":1,"tolerations":[{"operator":"Exists"}],"volumes":[
{"emptyDir":{},"name":"tmp"},{"hostPath":{"path":"/var/run/cilium","type":"DirectoryOrCreate"},"name":"cilium-run"},{"hostPath":{"path":"/var/run/netns","type":"DirectoryOrCreate"},"name":"cilium-netns"},{"hostPath":{"path":"/sys/fs/bpf","type":"DirectoryOrCreate"},"name":"bpf-maps"},{"hostPath":{"path":"/proc","type":"Directory"},"name":"hostproc"},{"hostPath":{"path":"/run/cilium/cgroupv2","type":"DirectoryOrCreate"},"name":"cilium-cgroup"},{"hostPath":{"path":"/opt/cni/bin","type":"DirectoryOrCreate"},"name":"cni-path"},{"hostPath":{"path":"/etc/cni/net.d","type":"DirectoryOrCreate"},"name":"etc-cni-netd"},{"hostPath":{"path":"/lib/modules"},"name":"lib-modules"},{"hostPath":{"path":"/run/xtables.lock","type":"FileOrCreate"},"name":"xtables-lock"},{"hostPath":{"path":"/var/run/cilium/envoy/sockets","type":"DirectoryOrCreate"},"name":"envoy-sockets"},{"name":"clustermesh-secrets","projected":{"defaultMode":256,"sources":[{"secret":{"name":"cilium-clustermesh","optional":true}},{"secret":{"items":[{"key":"tls.key","path":"common-etcd-client.key"},{"key":"tls.crt","path":"common-etcd-client.crt"},{"key":"ca.crt","path":"common-etcd-client-ca.crt"}],"name":"clustermesh-apiserver-remote-cert","optional":true}},{"secret":{"items":[{"key":"tls.key","path":"local-etcd-client.key"},{"key":"tls.crt","path":"local-etcd-client.crt"},{"key":"ca.crt","path":"local-etcd-client-ca.crt"}],"name":"clustermesh-apiserver-local-cert","optional":true}}]}},{"hostPath":{"path":"/proc/sys/net","type":"Directory"},"name":"host-proc-sys-net"},{"hostPath":{"path":"/proc/sys/kernel","type":"Directory"},"name":"host-proc-sys-kernel"}]}},"updateStrategy":{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}}},{"apiVersion":"apps/v1","kind":"DaemonSet","metadata":{"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium-envoy","name":"cilium-envoy"},"name":"cilium-envoy","namespace":"kube-system"},"spec":{"selector":{"matchLabels":{"k8s-ap
p":"cilium-envoy"}},"template":{"metadata":{"annotations":null,"labels":{"app.kubernetes.io/name":"cilium-envoy","app.kubernetes.io/part-of":"cilium","k8s-app":"cilium-envoy","name":"cilium-envoy"}},"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--","-c /var/run/cilium/envoy/bootstrap-config.json","--base-id 0","--log-level info"],"command":["/usr/bin/cilium-envoy-starter"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}}],"image":"quay.io/cilium/cilium-envoy:v1.32.5-1744305768-f9ddca7dcd91f7ca25a505560e655c47d3dec2cf","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold":10,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"name":"cilium-envoy","ports":[{"containerPort":9964,"hostPort":9964,"name":"envoy-metrics","protocol":"TCP"}],"readinessProbe":{"failureThreshold":3,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"periodSeconds":30,"successThreshold":1,"timeoutSeconds":5},"securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_ADMIN"],"drop":["ALL"]},"seLinuxOptions":{"level":"s0","type":"spc_t"}},"startupProbe":{"failureThreshold":105,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9878,"scheme":"HTTP"},"initialDelaySecon
ds":5,"periodSeconds":2,"successThreshold":1},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/var/run/cilium/envoy/sockets","name":"envoy-sockets","readOnly":false},{"mountPath":"/var/run/cilium/envoy/artifacts","name":"envoy-artifacts","readOnly":true},{"mountPath":"/var/run/cilium/envoy/","name":"envoy-config","readOnly":true},{"mountPath":"/sys/fs/bpf","mountPropagation":"HostToContainer","name":"bpf-maps"}]}],"hostNetwork":true,"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-node-critical","restartPolicy":"Always","securityContext":{"appArmorProfile":{"type":"Unconfined"}},"serviceAccountName":"cilium-envoy","terminationGracePeriodSeconds":1,"tolerations":[{"operator":"Exists"}],"volumes":[{"hostPath":{"path":"/var/run/cilium/envoy/sockets","type":"DirectoryOrCreate"},"name":"envoy-sockets"},{"hostPath":{"path":"/var/run/cilium/envoy/artifacts","type":"DirectoryOrCreate"},"name":"envoy-artifacts"},{"configMap":{"defaultMode":256,"items":[{"key":"bootstrap-config.json","path":"bootstrap-config.json"}],"name":"cilium-envoy-config"},"name":"envoy-config"},{"hostPath":{"path":"/sys/fs/bpf","type":"DirectoryOrCreate"},"name":"bpf-maps"}]}},"updateStrategy":{"rollingUpdate":{"maxUnavailable":2},"type":"RollingUpdate"}}},{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app.kubernetes.io/name":"cilium-operator","app.kubernetes.io/part-of":"cilium","io.cilium/app":"operator","name":"cilium-operator"},"name":"cilium-operator","namespace":"kube-system"},"spec":{"replicas":2,"selector":{"matchLabels":{"io.cilium/app":"operator","name":"cilium-operator"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"50%"},"type":"RollingUpdate"},"template":{"metadata":{"annotations":{"prometheus.io/port":"9963","prometheus.io/scrape":"true"},"labels":{"app.kubernetes.io/name":"cilium-operator","app.kubernetes.io/part-of":"cilium","io.cilium/app":"operator","name":"cilium-operator"}},"spec":{"affini
ty":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"io.cilium/app":"operator"}},"topologyKey":"kubernetes.io/hostname"}]}},"automountServiceAccountToken":true,"containers":[{"args":["--config-dir=/tmp/cilium/config-map","--debug=$(CILIUM_DEBUG)"],"command":["cilium-operator-generic"],"env":[{"name":"K8S_NODE_NAME","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"spec.nodeName"}}},{"name":"CILIUM_K8S_NAMESPACE","valueFrom":{"fieldRef":{"apiVersion":"v1","fieldPath":"metadata.namespace"}}},{"name":"CILIUM_DEBUG","valueFrom":{"configMapKeyRef":{"key":"debug","name":"cilium-config","optional":true}}}],"image":"quay.io/cilium/operator-generic:v1.17.3","imagePullPolicy":"IfNotPresent","livenessProbe":{"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9234,"scheme":"HTTP"},"initialDelaySeconds":60,"periodSeconds":10,"timeoutSeconds":3},"name":"cilium-operator","ports":[{"containerPort":9963,"hostPort":9963,"name":"prometheus","protocol":"TCP"}],"readinessProbe":{"failureThreshold":5,"httpGet":{"host":"127.0.0.1","path":"/healthz","port":9234,"scheme":"HTTP"},"initialDelaySeconds":0,"periodSeconds":5,"timeoutSeconds":3},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/tmp/cilium/config-map","name":"cilium-config-path","readOnly":true}]}],"hostNetwork":true,"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-cluster-critical","restartPolicy":"Always","serviceAccountName":"cilium-operator","tolerations":[{"operator":"Exists"}],"volumes":[{"configMap":{"name":"cilium-config"},"name":"cilium-config-path"}]}}}}] kind: ConfigMap metadata: creationTimestamp: null diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml index 11b12326e..3c5f1670c 100644 --- a/charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml 
+++ b/charts/cluster-api-runtime-extensions-nutanix/templates/helm-config.yaml
@@ -17,7 +17,7 @@ data:
 RepositoryURL: '{{ if .Values.helmRepository.enabled }}oci://helm-repository.{{ .Release.Namespace }}.svc/charts{{ else }}https://kubernetes-sigs.github.io/aws-ebs-csi-driver{{ end }}'
 cilium: |
 ChartName: cilium
- ChartVersion: 1.17.1
+ ChartVersion: 1.17.3
 RepositoryURL: '{{ if .Values.helmRepository.enabled }}oci://helm-repository.{{ .Release.Namespace }}.svc/charts{{ else }}https://helm.cilium.io/{{ end }}'
 cluster-autoscaler: |
 ChartName: cluster-autoscaler
diff --git a/hack/addons/helm-chart-bundler/repos.yaml b/hack/addons/helm-chart-bundler/repos.yaml
index 3b7cb523b..8dabb881a 100644
--- a/hack/addons/helm-chart-bundler/repos.yaml
+++ b/hack/addons/helm-chart-bundler/repos.yaml
@@ -20,7 +20,7 @@ repositories:
 repoURL: https://helm.cilium.io/
 charts:
 cilium:
- - 1.17.1
+ - 1.17.3
 cluster-autoscaler:
 repoURL: https://kubernetes.github.io/autoscaler
 charts:
diff --git a/make/addons.mk b/make/addons.mk
index 25aee004c..03a8d3f75 100644
--- a/make/addons.mk
+++ b/make/addons.mk
@@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0
 export CALICO_VERSION := v3.29.3
-export CILIUM_VERSION := 1.17.1
+export CILIUM_VERSION := 1.17.3
 export NODE_FEATURE_DISCOVERY_VERSION := 0.17.2
 export CLUSTER_AUTOSCALER_CHART_VERSION := 9.46.3
 export AWS_EBS_CSI_CHART_VERSION := 2.40.3
From 6e39c72e4894cf40e2597643b117649103e8cdd7 Mon Sep 17 00:00:00 2001
From: Dimitri Koshkin
Date: Wed, 23 Apr 2025 08:28:59 -0700
Subject: [PATCH 2/2] fix: update kube-vip to v0.8.10
---
 .../defaultclusterclasses/nutanix-cluster-class.yaml | 4 +++-
 hack/examples/files/kube-vip.yaml | 4 +++-
 make/addons.mk | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
index 2f0648720..6a14ffc58 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
@@ -173,7 +173,7 @@ spec:
 - name: address
 value: '{{ .Address }}'
 - name: prometheus_server
- image: ghcr.io/kube-vip/kube-vip:v0.8.9
+ image: ghcr.io/kube-vip/kube-vip:v0.8.10
 imagePullPolicy: IfNotPresent
 name: kube-vip
 resources: {}
@@ -182,6 +182,8 @@ spec:
 add:
 - NET_ADMIN
 - NET_RAW
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /etc/kubernetes/admin.conf
 name: kubeconfig
diff --git a/hack/examples/files/kube-vip.yaml b/hack/examples/files/kube-vip.yaml
index f61bc1e3e..00c6b9111 100644
--- a/hack/examples/files/kube-vip.yaml
+++ b/hack/examples/files/kube-vip.yaml
@@ -37,7 +37,7 @@
 - name: address
 value: '{{ .Address }}'
 - name: prometheus_server
- image: ghcr.io/kube-vip/kube-vip:v0.8.9
+ image: ghcr.io/kube-vip/kube-vip:v0.8.10
 imagePullPolicy: IfNotPresent
 name: kube-vip
 resources: {}
@@ -46,6 +46,8 @@
 add:
 - NET_ADMIN
 - NET_RAW
+ drop:
+ - ALL
 volumeMounts:
 - mountPath: /etc/kubernetes/admin.conf
 name: kubeconfig
diff --git a/make/addons.mk b/make/addons.mk
index 03a8d3f75..1371796d7 100644
--- a/make/addons.mk
+++ b/make/addons.mk
@@ -19,7 +19,7 @@ export AWS_CCM_VERSION_132 := v1.32.1
 export NUTANIX_CCM_CHART_VERSION := 0.5.0
-export KUBE_VIP_VERSION := v0.8.9
+export KUBE_VIP_VERSION := v0.8.10
 export METALLB_CHART_VERSION := 0.14.9
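Review bot: The new `drop: [ALL]` in the second hunk of nutanix-cluster-class.yaml (and the identical hunk in hack/examples/files/kube-vip.yaml) narrows the capability set, but the container's securityContext still appears to leave privilege escalation at its default. Only two lines lie between the image hunk and this one, presumably `securityContext:` and `capabilities:`, so `allowPrivilegeEscalation: false` is probably not set; consider adding it beside `capabilities:` and checking that kube-vip still comes up with it. A short comment such as `# NET_ADMIN/NET_RAW are the only capabilities kept; everything else is dropped` would also record the intent for the next version bump. The pod spec starts above the hunk, so this is inferred from the visible context only.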