feat: upgrade cilium and add default variables (#9065)

Signed-off-by: eminaktas <eminaktas34@gmail.com>
Signed-off-by: Emin Aktas <emin.aktas@trendyol.com>
This commit is contained in:
Emin AKTAS 2022-07-07 20:35:34 +03:00 committed by GitHub
parent 6d543b830a
commit 5071529a74
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 332 additions and 36 deletions

View file

@ -143,7 +143,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [cni-plugins](https://github.com/containernetworking/plugins) v1.1.1 - [cni-plugins](https://github.com/containernetworking/plugins) v1.1.1
- [calico](https://github.com/projectcalico/calico) v3.23.1 - [calico](https://github.com/projectcalico/calico) v3.23.1
- [canal](https://github.com/projectcalico/canal) (given calico/flannel versions) - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
- [cilium](https://github.com/cilium/cilium) v1.11.3 - [cilium](https://github.com/cilium/cilium) v1.11.6
- [flannel](https://github.com/flannel-io/flannel) v0.17.0 - [flannel](https://github.com/flannel-io/flannel) v0.17.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.9.2 - [kube-ovn](https://github.com/alauda/kube-ovn) v1.9.2
- [kube-router](https://github.com/cloudnativelabs/kube-router) v1.5.0 - [kube-router](https://github.com/cloudnativelabs/kube-router) v1.5.0

View file

@ -1,19 +1,86 @@
# see roles/network_plugin/cilium/defaults/main.yml ---
# cilium_version: "v1.11.6"
# cilium_version: "v1.11.3" # Log-level
# cilium_identity_allocation_mode: kvstore # kvstore or crd # cilium_debug: false
# For adding and mounting extra volumes to the cilium operator # cilium_mtu: ""
# cilium_operator_extra_volumes: [] # cilium_enable_ipv4: true
# cilium_operator_extra_volume_mounts: [] # cilium_enable_ipv6: false
# Name of the cluster. Only relevant when building a mesh of clusters. # Cilium agent health port
# cilium_cluster_name: default # cilium_agent_health_port: "9879"
# Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
# These can be queried with:
# `kubectl get ciliumid`
# - "kvstore" stores identities in an etcd kvstore.
# - In order to support External Workloads, "crd" is required
# - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
# - KVStore operations are only required when cilium-operator is running with any of the below options:
# - --synchronize-k8s-services
# - --synchronize-k8s-nodes
# - --identity-allocation-mode=kvstore
# - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
# cilium_identity_allocation_mode: kvstore
# Etcd SSL dirs
# cilium_cert_dir: /etc/cilium/certs
# kube_etcd_cacert_file: ca.pem
# kube_etcd_cert_file: cert.pem
# kube_etcd_key_file: cert-key.pem
# Limits for apps
# cilium_memory_limit: 500M
# cilium_cpu_limit: 500m
# cilium_memory_requests: 64M
# cilium_cpu_requests: 100m
# Overlay Network Mode
# cilium_tunnel_mode: vxlan
# Optional features
# cilium_enable_prometheus: false
# Enable if you want to make use of hostPort mappings
# cilium_enable_portmap: false
# Monitor aggregation level (none/low/medium/maximum)
# cilium_monitor_aggregation: medium
# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
# cilium_monitor_aggregation_flags: "all"
# Kube Proxy Replacement mode (strict/probe/partial)
# cilium_kube_proxy_replacement: probe
# If upgrading from Cilium < 1.5, you may want to override some of these options
# to prevent service disruptions. See also:
# http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
# cilium_preallocate_bpf_maps: false
# `cilium_tofqdns_enable_poller` is deprecated in 1.8, removed in 1.9
# cilium_tofqdns_enable_poller: false
# `cilium_enable_legacy_services` is deprecated in 1.6, removed in 1.9
# cilium_enable_legacy_services: false
# Unique ID of the cluster. Must be unique across all conneted clusters and # Unique ID of the cluster. Must be unique across all conneted clusters and
# in the range of 1 and 255. Only relevant when building a mesh of clusters. # in the range of 1 and 255. Only relevant when building a mesh of clusters.
# This value is not defined by default # This value is not defined by default
# cluster-id: # cilium_cluster_id:
# Deploy cilium even if kube_network_plugin is not cilium.
# This enables to deploy cilium alongside another CNI to replace kube-proxy.
# cilium_deploy_additionally: false
# Auto direct nodes routes can be used to advertise pods routes in your cluster
# without any tunelling (with `cilium_tunnel_mode` sets to `disabled`).
# This works only if you have a L2 connectivity between all your nodes.
# You wil also have to specify the variable `cilium_native_routing_cidr` to
# make this work. Please refer to the cilium documentation for more
# information about this kind of setups.
# cilium_auto_direct_node_routes: false
# Allows to explicitly specify the IPv4 CIDR for native routing. # Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and # When specified, Cilium assumes networking for this CIDR is preconfigured and
@ -30,7 +97,6 @@
# Allows to explicitly specify the IPv6 CIDR for native routing. # Allows to explicitly specify the IPv6 CIDR for native routing.
# cilium_native_routing_cidr_ipv6: "" # cilium_native_routing_cidr_ipv6: ""
# Encryption
# Enable transparent network encryption. # Enable transparent network encryption.
# cilium_encryption_enabled: false # cilium_encryption_enabled: false
@ -40,8 +106,139 @@
# Enable encryption for pure node to node traffic. # Enable encryption for pure node to node traffic.
# This option is only effective when `cilium_encryption_type` is set to `ipsec`. # This option is only effective when `cilium_encryption_type` is set to `ipsec`.
# cilium_ipsec_node_encryption: "false" # cilium_ipsec_node_encryption: false
# Enables the fallback to the user-space implementation. # If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation.
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard,
# it will fallback on the wireguard-go user-space implementation of WireGuard.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`. # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
# cilium_wireguard_userspace_fallback: "false" # cilium_wireguard_userspace_fallback: false
# IP Masquerade Agent
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
# cilium_ip_masq_agent_enable: false
### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
# cilium_non_masquerade_cidrs:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - 100.64.0.0/10
# - 192.0.0.0/24
# - 192.0.2.0/24
# - 192.88.99.0/24
# - 198.18.0.0/15
# - 198.51.100.0/24
# - 203.0.113.0/24
# - 240.0.0.0/4
### Indicates whether to masquerade traffic to the link local prefix.
### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
# cilium_masq_link_local: false
### A time interval at which the agent attempts to reload config from disk
# cilium_ip_masq_resync_interval: 60s
# Hubble
### Enable Hubble without install
# cilium_enable_hubble: false
### Enable Hubble Metrics
# cilium_enable_hubble_metrics: false
### if cilium_enable_hubble_metrics: true
# cilium_hubble_metrics: {}
# - dns
# - drop
# - tcp
# - flow
# - icmp
# - http
### Enable Hubble install
# cilium_hubble_install: false
### Enable auto generate certs if cilium_hubble_install: true
# cilium_hubble_tls_generate: false
# IP address management mode for v1.9+.
# https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
# cilium_ipam_mode: kubernetes
# Extra arguments for the Cilium agent
# cilium_agent_custom_args: []
# For adding and mounting extra volumes to the cilium agent
# cilium_agent_extra_volumes: []
# cilium_agent_extra_volume_mounts: []
# cilium_agent_extra_env_vars: []
# cilium_operator_replicas: 2
# The address at which the cillium operator bind health check api
# cilium_operator_api_serve_addr: "127.0.0.1:9234"
## A dictionary of extra config variables to add to cilium-config, formatted like:
## cilium_config_extra_vars:
## var1: "value1"
## var2: "value2"
# cilium_config_extra_vars: {}
# For adding and mounting extra volumes to the cilium operator
# cilium_operator_extra_volumes: []
# cilium_operator_extra_volume_mounts: []
# Extra arguments for the Cilium Operator
# cilium_operator_custom_args: []
# Name of the cluster. Only relevant when building a mesh of clusters.
# cilium_cluster_name: default
# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
# Available for Cilium v1.10 and up.
# cilium_cni_exclusive: true
# Configure the log file for CNI logging with retention policy of 7 days.
# Disable CNI file logging by setting this field to empty explicitly.
# Available for Cilium v1.12 and up.
# cilium_cni_log_file: "/var/run/cilium/cilium-cni.log"
# -- Configure cgroup related configuration
# -- Enable auto mount of cgroup2 filesystem.
# When `cilium_cgroup_auto_mount` is enabled, cgroup2 filesystem is mounted at
# `cilium_cgroup_host_root` path on the underlying host and inside the cilium agent pod.
# If users disable `cilium_cgroup_auto_mount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cilium_cgroup_auto_mount` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
# Available for Cilium v1.11 and up
# cilium_cgroup_auto_mount: true
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host
# cilium_cgroup_host_root: "/run/cilium/cgroupv2"
# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
# cilium_bpf_map_dynamic_size_ratio: "0.0"
# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
# cilium_enable_ipv4_masquerade: true
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
# cilium_enable_ipv6_masquerade: true
# -- Enable native IP masquerade support in eBPF
# cilium_enable_bpf_masquerade: false
# -- Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
# cilium_enable_host_legacy_routing: true
# -- Enable use of the remote node identity.
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
# cilium_enable_remote_node_identity: true
# -- Enable the use of well-known identities.
# cilium_enable_well_known_identities: false
# cilium_enable_bpf_clock_probe: true
# -- Whether to enable CNP status updates.
# cilium_disable_cnp_status_updates: true

View file

@ -110,7 +110,7 @@ flannel_cni_version: "v1.0.1"
cni_version: "v1.1.1" cni_version: "v1.1.1"
weave_version: 2.8.1 weave_version: 2.8.1
pod_infra_version: "3.6" pod_infra_version: "3.6"
cilium_version: "v1.11.3" cilium_version: "v1.11.6"
kube_ovn_version: "v1.9.2" kube_ovn_version: "v1.9.2"
kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}" kube_ovn_dpdk_version: "19.11-{{ kube_ovn_version }}"
kube_router_version: "v1.5.0" kube_router_version: "v1.5.0"

View file

@ -6,6 +6,9 @@ cilium_mtu: ""
cilium_enable_ipv4: true cilium_enable_ipv4: true
cilium_enable_ipv6: false cilium_enable_ipv6: false
# Cilium agent health port
cilium_agent_health_port: "{%- if cilium_version | regex_replace('v') is version('1.11.6', '>=') -%}9879{%- else -%}9876{%- endif -%}"
# Identity allocation mode selects how identities are shared between cilium # Identity allocation mode selects how identities are shared between cilium
# nodes by setting how they are stored. The options are "crd" or "kvstore". # nodes by setting how they are stored. The options are "crd" or "kvstore".
# - "crd" stores identities in kubernetes as CRDs (custom resource definition). # - "crd" stores identities in kubernetes as CRDs (custom resource definition).
@ -91,13 +94,13 @@ cilium_encryption_type: "ipsec"
# Enable encryption for pure node to node traffic. # Enable encryption for pure node to node traffic.
# This option is only effective when `cilium_encryption_type` is set to `ipsec`. # This option is only effective when `cilium_encryption_type` is set to `ipsec`.
cilium_ipsec_node_encryption: "false" cilium_ipsec_node_encryption: false
# If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation. # If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation.
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard, # When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard,
# it will fallback on the wireguard-go user-space implementation of WireGuard. # it will fallback on the wireguard-go user-space implementation of WireGuard.
# This option is only effective when `cilium_encryption_type` is set to `wireguard`. # This option is only effective when `cilium_encryption_type` is set to `wireguard`.
cilium_wireguard_userspace_fallback: "false" cilium_wireguard_userspace_fallback: false
# IP Masquerade Agent # IP Masquerade Agent
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/ # https://docs.cilium.io/en/stable/concepts/networking/masquerading/
@ -153,6 +156,8 @@ cilium_agent_extra_volume_mounts: []
cilium_agent_extra_env_vars: [] cilium_agent_extra_env_vars: []
cilium_operator_replicas: 2
# The address at which the cillium operator bind health check api # The address at which the cillium operator bind health check api
cilium_operator_api_serve_addr: "127.0.0.1:9234" cilium_operator_api_serve_addr: "127.0.0.1:9234"
@ -175,9 +180,59 @@ cilium_cluster_name: default
# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`. # Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime. # This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
# Available for Cilium v1.10 and up. # Available for Cilium v1.10 and up.
cilium_cni_exclusive: "true" cilium_cni_exclusive: true
# Configure the log file for CNI logging with retention policy of 7 days. # Configure the log file for CNI logging with retention policy of 7 days.
# Disable CNI file logging by setting this field to empty explicitly. # Disable CNI file logging by setting this field to empty explicitly.
# Available for Cilium v1.12 and up. # Available for Cilium v1.12 and up.
cilium_cni_log_file: "/var/run/cilium/cilium-cni.log" cilium_cni_log_file: "/var/run/cilium/cilium-cni.log"
# -- Configure cgroup related configuration
# -- Enable auto mount of cgroup2 filesystem.
# When `cilium_cgroup_auto_mount` is enabled, cgroup2 filesystem is mounted at
# `cilium_cgroup_host_root` path on the underlying host and inside the cilium agent pod.
# If users disable `cilium_cgroup_auto_mount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cilium_cgroup_auto_mount` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
# Available for Cilium v1.11 and up
cilium_cgroup_auto_mount: true
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host
cilium_cgroup_host_root: "/run/cilium/cgroupv2"
# Specifies the ratio (0.0-1.0) of total system memory to use for dynamic
# sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps.
cilium_bpf_map_dynamic_size_ratio: "{%- if cilium_version | regex_replace('v') is version('1.8', '>=') -%}0.0025{%- else -%}0.0{%- endif -%}"
# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
cilium_enable_ipv4_masquerade: true
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
# Available for Cilium v1.10 and up
cilium_enable_ipv6_masquerade: true
# -- Enable native IP masquerade support in eBPF
cilium_enable_bpf_masquerade: false
# -- Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
cilium_enable_host_legacy_routing: true
# -- Enable use of the remote node identity.
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
cilium_enable_remote_node_identity: true
# -- Enable the use of well-known identities.
cilium_enable_well_known_identities: false
# The monitor aggregation flags determine which TCP flags which, upon the
# first observation, cause monitor notifications to be generated.
#
# Only effective when monitor aggregation is set to "medium" or higher.
cilium_monitor_aggregation_flags: "all"
cilium_enable_bpf_clock_probe: true
# -- Whether to enable CNP status updates.
cilium_disable_cnp_status_updates: true

View file

@ -8,7 +8,7 @@ metadata:
name: cilium-operator name: cilium-operator
namespace: kube-system namespace: kube-system
spec: spec:
replicas: 1 replicas: {{ cilium_operator_replicas }}
selector: selector:
matchLabels: matchLabels:
io.cilium/app: operator io.cilium/app: operator

View file

@ -232,6 +232,33 @@ data:
ipam: "{{ cilium_ipam_mode }}" ipam: "{{ cilium_ipam_mode }}"
{% endif %} {% endif %}
agent-health-port: "{{ cilium_agent_health_port }}"
{% if cilium_version | regex_replace('v') is version('1.11', '>=') and cilium_cgroup_host_root != '' %}
cgroup-root: "{{ cilium_cgroup_host_root }}"
{% endif %}
bpf-map-dynamic-size-ratio: "{{ cilium_bpf_map_dynamic_size_ratio }}"
{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
enable-ipv4-masquerade: "{{ cilium_enable_ipv4_masquerade }}"
enable-ipv6-masquerade: "{{ cilium_enable_ipv6_masquerade }}"
{% endif %}
enable-bpf-masquerade: "{{ cilium_enable_bpf_masquerade }}"
enable-host-legacy-routing: "{{ cilium_enable_host_legacy_routing }}"
enable-remote-node-identity: "{{ cilium_enable_remote_node_identity }}"
enable-well-known-identities: "{{ cilium_enable_well_known_identities }}"
monitor-aggregation-flags: "{{ cilium_monitor_aggregation_flags }}"
enable-bpf-clock-probe: "{{ cilium_enable_bpf_clock_probe }}"
disable-cnp-status-updates: "{{ cilium_disable_cnp_status_updates }}"
{% if cilium_ip_masq_agent_enable %} {% if cilium_ip_masq_agent_enable %}
--- ---
apiVersion: v1 apiVersion: v1

View file

@ -96,11 +96,7 @@ spec:
httpGet: httpGet:
host: '127.0.0.1' host: '127.0.0.1'
path: /healthz path: /healthz
{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %} port: {{ cilium_agent_health_port }}
port: 9879
{% else %}
port: 9876
{% endif %}
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -112,11 +108,7 @@ spec:
httpGet: httpGet:
host: '127.0.0.1' host: '127.0.0.1'
path: /healthz path: /healthz
{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %} port: {{ cilium_agent_health_port }}
port: 9879
{% else %}
port: 9876
{% endif %}
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -129,11 +121,7 @@ spec:
httpGet: httpGet:
host: 127.0.0.1 host: 127.0.0.1
path: /healthz path: /healthz
{% if cilium_version | regex_replace('v') is version('1.11.6', '>=') %} port: {{ cilium_agent_health_port }}
port: 9879
{% else %}
port: 9876
{% endif %}
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -228,6 +216,35 @@ spec:
{% endif %} {% endif %}
hostNetwork: true hostNetwork: true
initContainers: initContainers:
{% if cilium_version | regex_replace('v') is version('1.11', '>=') and cilium_cgroup_auto_mount %}
- name: mount-cgroup
image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
imagePullPolicy: {{ k8s_image_pull_policy }}
env:
- name: CGROUP_ROOT
value: {{ cilium_cgroup_host_root }}
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
- -ec
# The statically linked Go program binary is invoked to avoid any
# dependency on utilities like sh and mount that can be missing on certain
# distros installed on the underlying host. Copy the binary to the
# same directory where we install cilium cni plugin so that exec permissions
# are available.
- |
cp /usr/bin/cilium-mount /hostbin/cilium-mount;
nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
rm /hostbin/cilium-mount
volumeMounts:
- name: hostproc
mountPath: /hostproc
- name: cni-path
mountPath: /hostbin
securityContext:
privileged: true
{% endif %}
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -276,7 +293,7 @@ spec:
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %} {% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
# Required to mount cgroup filesystem from the host to cilium agent pod # Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup - name: cilium-cgroup
mountPath: /run/cilium/cgroupv2 mountPath: {{ cilium_cgroup_host_root }}
mountPropagation: HostToContainer mountPropagation: HostToContainer
{% endif %} {% endif %}
- mountPath: /var/run/cilium - mountPath: /var/run/cilium
@ -334,7 +351,7 @@ spec:
# To keep state between restarts / upgrades for cgroup2 filesystem # To keep state between restarts / upgrades for cgroup2 filesystem
- name: cilium-cgroup - name: cilium-cgroup
hostPath: hostPath:
path: /run/cilium/cgroupv2 path: {{ cilium_cgroup_host_root }}
type: DirectoryOrCreate type: DirectoryOrCreate
{% endif %} {% endif %}
# To install cilium cni plugin in the host # To install cilium cni plugin in the host