Update cilium to 1.8.0 (#6314)

README.md

@@ -124,7 +124,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
   - [calico](https://github.com/projectcalico/calico) v3.14.1
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.7.4
+  - [cilium](https://github.com/cilium/cilium) v1.8.0
   - [contiv](https://github.com/contiv/install) v1.2.1
   - [flanneld](https://github.com/coreos/flannel) v0.12.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.2.0

roles/download/defaults/main.yml

@@ -79,7 +79,7 @@ cni_version: "v0.8.6"
 weave_version: 2.6.4
 pod_infra_version: "3.2"
 contiv_version: 1.2.1
-cilium_version: "v1.7.4"
+cilium_version: "v1.8.0"
 kube_ovn_version: "v1.2.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.2"

roles/network_plugin/cilium/templates/cilium-cr.yml.j2

@@ -26,10 +26,12 @@ rules:
 - apiGroups:
   - ""
   resources:
+{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
   # to automatically read from k8s and import the node's pod CIDR to cilium's
   # etcd so all nodes know how to reach another pod running in in a different
   # node.
   - nodes
+{% endif %}
   # to perform the translation of a CNP that contains `ToGroup` to its endpoints
   - services
   - endpoints
@@ -59,6 +61,14 @@ rules:
 {% endif %}
   verbs:
   - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

roles/network_plugin/cilium/templates/cilium-deploy.yml.j2

@@ -92,7 +92,7 @@ spec:
 {% if cilium_enable_ipv4 %}
               host: 127.0.0.1
 {% else %}
-              host: host: '[::1]'
+              host: '::1'
 {% endif %}
               path: /healthz
               port: 9234

roles/network_plugin/cilium/templates/cilium-ds.yml.j2

@@ -59,11 +59,14 @@ spec:
               command:
               - /cni-uninstall.sh
         livenessProbe:
-          exec:
+          httpGet:
-            command:
+            host: '127.0.0.1'
-            - cilium
+            path: /healthz
-            - status
+            port: 9876
-            - --brief
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
           failureThreshold: 10
           # The initial delay for the liveness probe is intentionally large to
           # avoid an endless kill & restart cycle if in the event that the initial
@@ -81,11 +84,14 @@ spec:
           protocol: TCP
 {% endif %}
         readinessProbe:
-          exec:
+          httpGet:
-            command:
+            host: '127.0.0.1'
-            - cilium
+            path: /healthz
-            - status
+            port: 9876
-            - --brief
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
           failureThreshold: 3
           initialDelaySeconds: 5
           periodSeconds: 30
@@ -131,6 +137,8 @@ spec:
         - mountPath: /lib/modules
           name: lib-modules
           readOnly: true
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       hostPID: false
@@ -138,7 +146,7 @@ spec:
       - command:
         - /init-container.sh
         env:
-        - name: CLEAN_CILIUM_STATE
+        - name: CILIUM_ALL_STATE
           valueFrom:
             configMapKeyRef:
               key: clean-cilium-state
@@ -214,6 +222,11 @@ spec:
       - hostPath:
           path: /lib/modules
         name: lib-modules
+        # To access iptables concurrently with other processes (e.g. kube-proxy)
+      - hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+        name: xtables-lock
         # To read the etcd config stored in config maps
       - configMap:
           defaultMode: 420