Support cilium ip-masq-agent configuration (#8893)
* fix deploy Cilium with eBPF-based Masquerading failed Signed-off-by: mahjonp <junpeng.man@gmail.com> * forget to add the enable-ip-masq-agent flag Signed-off-by: mahjonp <junpeng.man@gmail.com>
parent
1600fd9082
commit
c927da00e0
3 changed files with 56 additions and 0 deletions
|
@ -99,6 +99,29 @@ cilium_ipsec_node_encryption: "false"
|
||||||
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
|
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
|
||||||
cilium_wireguard_userspace_fallback: "false"
|
cilium_wireguard_userspace_fallback: "false"
|
||||||
|
|
||||||
|
# IP Masquerade Agent
|
||||||
|
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
|
||||||
|
# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
|
||||||
|
cilium_ip_masq_agent_enable: false
|
||||||
|
### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
|
||||||
|
cilium_non_masquerade_cidrs:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 192.168.0.0/16
|
||||||
|
- 100.64.0.0/10
|
||||||
|
- 192.0.0.0/24
|
||||||
|
- 192.0.2.0/24
|
||||||
|
- 192.88.99.0/24
|
||||||
|
- 198.18.0.0/15
|
||||||
|
- 198.51.100.0/24
|
||||||
|
- 203.0.113.0/24
|
||||||
|
- 240.0.0.0/4
|
||||||
|
### Indicates whether to masquerade traffic to the link local prefix.
|
||||||
|
### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
|
||||||
|
cilium_masq_link_local: false
|
||||||
|
### A time interval at which the agent attempts to reload config from disk
|
||||||
|
cilium_ip_masq_resync_interval: 60s
|
||||||
|
|
||||||
# Hubble
|
# Hubble
|
||||||
### Enable Hubble without install
|
### Enable Hubble without install
|
||||||
cilium_enable_hubble: false
|
cilium_enable_hubble: false
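Review bot: `cilium_ip_masq_agent_enable` has no comment of its own; the line above it describes the default masquerading rule, not what the switch changes. I would add `### Enable the ip-masq-agent, which replaces that single-CIDR rule with the nonMasqueradeCIDRs list below` directly above it. If the feature depends on eBPF masquerading being turned on, as the commit message suggests, say so in the same comment. The ConfigMap template in this commit renders `cilium_non_masquerade_cidrs`, `cilium_masq_link_local` and `cilium_ip_masq_resync_interval` only when the switch is true, which an operator reading this defaults file alone cannot tell.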
|
||||||
|
|
|
@ -206,6 +206,9 @@ data:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# IP Masquerade Agent
|
||||||
|
enable-ip-masq-agent: "{{ cilium_ip_masq_agent_enable }}"
|
||||||
|
|
||||||
{% for key, value in cilium_config_extra_vars.items() %}
|
{% for key, value in cilium_config_extra_vars.items() %}
|
||||||
{{ key }}: "{{ value }}"
|
{{ key }}: "{{ value }}"
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -228,3 +231,20 @@ data:
|
||||||
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
|
{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
|
||||||
ipam: "{{ cilium_ipam_mode }}"
|
ipam: "{{ cilium_ipam_mode }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if cilium_ip_masq_agent_enable %}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: ip-masq-agent
|
||||||
|
namespace: kube-system
|
||||||
|
data:
|
||||||
|
config: |
|
||||||
|
nonMasqueradeCIDRs:
|
||||||
|
{% for cidr in cilium_non_masquerade_cidrs %}
|
||||||
|
- {{ cidr }}
|
||||||
|
{% endfor %}
|
||||||
|
masqLinkLocal: {{ cilium_masq_link_local|bool }}
|
||||||
|
resyncInterval: "{{ cilium_ip_masq_resync_interval }}"
|
||||||
|
{% endif %}
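Review bot: The guard `{% if cilium_ip_masq_agent_enable %}` around the new ConfigMap tests the raw variable, so a value supplied as a string (for example `-e cilium_ip_masq_agent_enable=false`) is truthy. The ConfigMap is then rendered while `enable-ip-masq-agent` in the first hunk of this file renders as "false". The same hunk already casts `cilium_masq_link_local|bool`, so use `{% if cilium_ip_masq_agent_enable | bool %}` here as well. Separately, `masqLinkLocal: {{ cilium_masq_link_local|bool }}` renders as `True`/`False`; appending `| lower` would avoid relying on the consumer accepting capitalised booleans.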
|
||||||
|
|
|
@ -186,6 +186,11 @@ spec:
|
||||||
- mountPath: /tmp/cilium/config-map
|
- mountPath: /tmp/cilium/config-map
|
||||||
name: cilium-config-path
|
name: cilium-config-path
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{% if not cilium_ip_masq_agent_enable %}
|
||||||
|
- name: ip-masq-agent
|
||||||
|
mountPath: /etc/config
|
||||||
|
readOnly: true
|
||||||
|
{% endif %}
|
||||||
# Needed to be able to load kernel modules
|
# Needed to be able to load kernel modules
|
||||||
- mountPath: /lib/modules
|
- mountPath: /lib/modules
|
||||||
name: lib-modules
|
name: lib-modules
|
||||||
|
@ -365,6 +370,14 @@ spec:
|
||||||
- configMap:
|
- configMap:
|
||||||
name: cilium-config
|
name: cilium-config
|
||||||
name: cilium-config-path
|
name: cilium-config-path
|
||||||
|
{% if not cilium_ip_masq_agent_enable %}
|
||||||
|
- configMap:
|
||||||
|
name: ip-masq-agent
|
||||||
|
items:
|
||||||
|
- key: config
|
||||||
|
path: ip-masq-agent
|
||||||
|
name: ip-masq-agent
|
||||||
|
{% endif %}
|
||||||
{% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
|
{% if cilium_encryption_enabled and cilium_encryption_type == "ipsec" %}
|
||||||
- name: cilium-ipsec-secrets
|
- name: cilium-ipsec-secrets
|
||||||
secret:
|
secret:
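Review bot: Both added guards read `{% if not cilium_ip_masq_agent_enable %}`, which is the inverse of the guard that creates the `ip-masq-agent` ConfigMap in the config template. With the default `false`, the pod spec references a ConfigMap that was never rendered, and a non-optional configMap volume keeps the pod from starting. With the feature enabled, the container gets no `/etc/config` mount, so the rendered `nonMasqueradeCIDRs` never reach the agent and masquerading presumably falls back to Cilium's built-in list, silently ignoring the operator's CIDRs. Change both lines to `{% if cilium_ip_masq_agent_enable | bool %}` and consider `optional: true` under the `configMap:` entry. This applies to the volumeMounts hunk and the volumes hunk alike; the surrounding spec continues outside both hunks.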
|
||||||
|
|