Bump cilium to 1.10.3

pkg/model/components/cilium.go

@@ -39,7 +39,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 	}
 
 	if c.Version == "" {
-		c.Version = "v1.10.0"
+		c.Version = "v1.10.3"
 	}
 
 	if c.EnableEndpointHealthChecking == nil {

tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data

@@ -166,7 +166,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal-warmpool.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: /Cv/aRkmeP1YxLc3sSyt9tEbsVyTpP/vHg6GyERbg8I=
+NodeupConfigHash: YOSnpGX96KVy/pdH+luCHwXQ+Ocl2AyShQHqARSwBww=
 
 __EOF_KUBE_ENV
 

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -203,7 +203,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.10.0
+      version: v1.10.3
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/minimal-warmpool.example.com/secrets

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_bucket_object_minimal-warmpool.example.com-addons-bootstrap_content

@@ -47,7 +47,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 04fd75ba7cc8558332aa3239b430e119ea66f21d7c269afb077c6a5e17dfcf8f
+    manifestHash: ac127b0c7f9f41936920c0c3c2d60953ea3ad893d4d363514579a46a4360997c
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_bucket_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -35,6 +35,7 @@ data:
   bpf-nat-global-max: "524288"
   bpf-neigh-global-max: "524288"
   bpf-policy-map-max: "16384"
+  cgroup-root: /sys/fs/cgroup/unified
   cluster-name: default
   container-runtime: none
   debug: "false"
@@ -383,7 +384,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -434,7 +435,7 @@ spec:
             - SYS_MODULE
           privileged: true
         startupProbe:
-          failureThreshold: 24
+          failureThreshold: 105
           httpGet:
             host: 127.0.0.1
             httpHeaders:
@@ -488,7 +489,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -506,6 +507,9 @@ spec:
         - mountPath: /sys/fs/bpf
           mountPropagation: HostToContainer
           name: bpf-maps
+        - mountPath: /sys/fs/cgroup/unified
+          mountPropagation: HostToContainer
+          name: cilium-cgroup
         - mountPath: /var/run/cilium
           name: cilium-run
       priorityClassName: system-node-critical
@@ -528,6 +532,10 @@ spec:
           path: /opt/cni/bin
           type: DirectoryOrCreate
         name: cni-path
+      - hostPath:
+          path: /sys/fs/cgroup/unified
+          type: DirectoryOrCreate
+        name: cilium-cgroup
       - hostPath:
           path: /etc/cni/net.d
           type: DirectoryOrCreate
@@ -609,7 +617,7 @@ spec:
           value: api.internal.minimal-warmpool.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.10.0
+        image: quay.io/cilium/operator:v1.10.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_bucket_object_nodeupconfig-nodes_content

@@ -69,5 +69,5 @@ warmPoolImages:
 - k8s.gcr.io/provider-aws/aws-ebs-csi-driver:v1.1.0
 - k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
 - k8s.gcr.io/sig-storage/livenessprobe:v2.2.0
-- quay.io/cilium/cilium:v1.10.0
+- quay.io/cilium/cilium:v1.10.3
-- quay.io/cilium/operator:v1.10.0
+- quay.io/cilium/operator:v1.10.3

tests/integration/update_cluster/privatecilium/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -196,7 +196,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: vxlan
-      version: v1.10.0
+      version: v1.10.3
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/privatecilium.example.com/secrets

tests/integration/update_cluster/privatecilium/data/aws_s3_bucket_object_privatecilium.example.com-addons-bootstrap_content

@@ -47,7 +47,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: aac64a032ef26caf615abc009b87d039a70737428e35410d9de57b95507bf891
+    manifestHash: c8a1d4c8d5ad96d82aae88279990a5d74897c830551eeb14aa44beac1f5d983a
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/privatecilium/data/aws_s3_bucket_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -35,6 +35,7 @@ data:
   bpf-nat-global-max: "524288"
   bpf-neigh-global-max: "524288"
   bpf-policy-map-max: "16384"
+  cgroup-root: /sys/fs/cgroup/unified
   cluster-name: default
   container-runtime: none
   debug: "false"
@@ -383,7 +384,7 @@ spec:
           value: api.internal.privatecilium.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -434,7 +435,7 @@ spec:
             - SYS_MODULE
           privileged: true
         startupProbe:
-          failureThreshold: 24
+          failureThreshold: 105
           httpGet:
             host: 127.0.0.1
             httpHeaders:
@@ -488,7 +489,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -506,6 +507,9 @@ spec:
         - mountPath: /sys/fs/bpf
           mountPropagation: HostToContainer
           name: bpf-maps
+        - mountPath: /sys/fs/cgroup/unified
+          mountPropagation: HostToContainer
+          name: cilium-cgroup
         - mountPath: /var/run/cilium
           name: cilium-run
       priorityClassName: system-node-critical
@@ -528,6 +532,10 @@ spec:
           path: /opt/cni/bin
           type: DirectoryOrCreate
         name: cni-path
+      - hostPath:
+          path: /sys/fs/cgroup/unified
+          type: DirectoryOrCreate
+        name: cilium-cgroup
       - hostPath:
           path: /etc/cni/net.d
           type: DirectoryOrCreate
@@ -609,7 +617,7 @@ spec:
           value: api.internal.privatecilium.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.10.0
+        image: quay.io/cilium/operator:v1.10.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -209,7 +209,7 @@ spec:
       sidecarIstioProxyImage: cilium/istio_proxy
       toFqdnsDnsRejectResponseCode: refused
       tunnel: disabled
-      version: v1.10.0
+      version: v1.10.3
   nonMasqueradeCIDR: 100.64.0.0/10
   podCIDR: 100.96.0.0/11
   secretStore: memfs://clusters.example.com/privateciliumadvanced.example.com/secrets

tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_bucket_object_privateciliumadvanced.example.com-addons-bootstrap_content

@@ -47,7 +47,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 5e5bd5f13fedc1a8b9edfd0f7e81d1c411452442151896cb8e8f9ef49a932b23
+    manifestHash: 0a788246369c559b83e9081ff293dcd241dcace0fcd695793ab7d898fdd554ca
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_bucket_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content

@@ -37,6 +37,7 @@ data:
   bpf-nat-global-max: "524288"
   bpf-neigh-global-max: "524288"
   bpf-policy-map-max: "16384"
+  cgroup-root: /sys/fs/cgroup/unified
   cluster-name: default
   container-runtime: none
   debug: "false"
@@ -397,7 +398,7 @@ spec:
           value: api.internal.privateciliumadvanced.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         lifecycle:
           postStart:
@@ -448,7 +449,7 @@ spec:
             - SYS_MODULE
           privileged: true
         startupProbe:
-          failureThreshold: 24
+          failureThreshold: 105
           httpGet:
             host: 127.0.0.1
             httpHeaders:
@@ -508,7 +509,7 @@ spec:
               key: wait-bpf-mount
               name: cilium-config
               optional: true
-        image: quay.io/cilium/cilium:v1.10.0
+        image: quay.io/cilium/cilium:v1.10.3
         imagePullPolicy: IfNotPresent
         name: clean-cilium-state
         resources:
@@ -526,6 +527,9 @@ spec:
         - mountPath: /sys/fs/bpf
           mountPropagation: HostToContainer
           name: bpf-maps
+        - mountPath: /sys/fs/cgroup/unified
+          mountPropagation: HostToContainer
+          name: cilium-cgroup
         - mountPath: /var/run/cilium
           name: cilium-run
       priorityClassName: system-node-critical
@@ -548,6 +552,10 @@ spec:
           path: /opt/cni/bin
           type: DirectoryOrCreate
         name: cni-path
+      - hostPath:
+          path: /sys/fs/cgroup/unified
+          type: DirectoryOrCreate
+        name: cilium-cgroup
       - hostPath:
           path: /etc/cni/net.d
           type: DirectoryOrCreate
@@ -640,7 +648,7 @@ spec:
           value: api.internal.privateciliumadvanced.example.com
         - name: KUBERNETES_SERVICE_PORT
           value: "443"
-        image: quay.io/cilium/operator:v1.10.0
+        image: quay.io/cilium/operator:v1.10.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template

@@ -228,6 +228,8 @@ data:
   # enable-l7-proxy enables L7 proxy for L7 policy enforcement. (default true)
   enable-l7-proxy: "{{ .EnableL7Proxy }}"
 
+  cgroup-root: /sys/fs/cgroup/unified
+
   {{ if WithDefaultBool .Hubble.Enabled false }}
   # Enable Hubble gRPC service.
   enable-hubble: "true"
@@ -754,6 +756,10 @@ spec:
         - mountPath: /sys/fs/bpf
           name: bpf-maps
           mountPropagation: HostToContainer
+        # Required to mount cgroup filesystem from the host to cilium agent pod
+        - mountPath: /sys/fs/cgroup/unified
+          name: cilium-cgroup
+          mountPropagation: HostToContainer
         - mountPath: /var/run/cilium
           name: cilium-run
         resources:
@@ -785,7 +791,12 @@ spec:
           path:  /opt/cni/bin
           type: DirectoryOrCreate
         name: cni-path
-        # To install cilium cni configuration in the host
+      # To keep state between restarts / upgrades for cgroup2 filesystem
+      - hostPath:
+          path: /sys/fs/cgroup/unified
+          type: DirectoryOrCreate
+        name: cilium-cgroup
+      # To install cilium cni configuration in the host
       - hostPath:
           path: /etc/cni/net.d
           type: DirectoryOrCreate

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template

@@ -234,6 +234,8 @@ data:
   # enable-l7-proxy enables L7 proxy for L7 policy enforcement. (default true)
   enable-l7-proxy: "{{ .EnableL7Proxy }}"
 
+  cgroup-root: /sys/fs/cgroup/unified
+
   {{ if WithDefaultBool .Hubble.Enabled false }}
   # Enable Hubble gRPC service.
   enable-hubble: "true"
@@ -607,7 +609,7 @@ spec:
             httpHeaders:
             - name: "brief"
               value: "true"
-          failureThreshold: 24
+          failureThreshold: 105
           periodSeconds: 2
           successThreshold:
         livenessProbe:
@@ -781,6 +783,10 @@ spec:
         - mountPath: /sys/fs/bpf
           name: bpf-maps
           mountPropagation: HostToContainer
+         # Required to mount cgroup filesystem from the host to cilium agent pod
+        - mountPath: /sys/fs/cgroup/unified
+          name: cilium-cgroup
+          mountPropagation: HostToContainer
         - mountPath: /var/run/cilium
           name: cilium-run
         resources:
@@ -802,7 +808,7 @@ spec:
           path: /var/run/cilium
           type: DirectoryOrCreate
         name: cilium-run
-        # To keep state between restarts / upgrades for bpf maps
+      # To keep state between restarts / upgrades for bpf maps
       - hostPath:
           path: /sys/fs/bpf
           type: DirectoryOrCreate
@@ -812,6 +818,11 @@ spec:
           path:  /opt/cni/bin
           type: DirectoryOrCreate
         name: cni-path
+      # To keep state between restarts / upgrades for cgroup2 filesystem
+      - hostPath:
+          path: /sys/fs/cgroup/unified
+          type: DirectoryOrCreate
+        name: cilium-cgroup
         # To install cilium cni configuration in the host
       - hostPath:
           path: /etc/cni/net.d

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml

@@ -53,7 +53,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 60da1ee7e51ce39ddedcf7db008205c0b466e41d1b9d6ac865d9aeabbbf0ee81
+    manifestHash: 61385128a1f6969a576cc0111565c3d6d054580a3ae228d901355e47112e1cc2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.18/manifest.yaml

@@ -59,7 +59,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 60da1ee7e51ce39ddedcf7db008205c0b466e41d1b9d6ac865d9aeabbbf0ee81
+    manifestHash: 61385128a1f6969a576cc0111565c3d6d054580a3ae228d901355e47112e1cc2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml

@@ -53,7 +53,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 60da1ee7e51ce39ddedcf7db008205c0b466e41d1b9d6ac865d9aeabbbf0ee81
+    manifestHash: 61385128a1f6969a576cc0111565c3d6d054580a3ae228d901355e47112e1cc2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.18/manifest.yaml

@@ -65,7 +65,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 60da1ee7e51ce39ddedcf7db008205c0b466e41d1b9d6ac865d9aeabbbf0ee81
+    manifestHash: 61385128a1f6969a576cc0111565c3d6d054580a3ae228d901355e47112e1cc2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml

@@ -59,7 +59,7 @@ spec:
       k8s-addon: storage-aws.addons.k8s.io
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.10.yaml
-    manifestHash: 60da1ee7e51ce39ddedcf7db008205c0b466e41d1b9d6ac865d9aeabbbf0ee81
+    manifestHash: 61385128a1f6969a576cc0111565c3d6d054580a3ae228d901355e47112e1cc2
     name: networking.cilium.io
     needsRollingUpdate: all
     selector: