kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16800 from rifelpet/cilium1161 

Update Cilium to v1.16.1
This commit is contained in:
Kubernetes Prow Robot 2024-09-13 04:41:13 +01:00 committed by GitHub
parent 41b6e070b5 ba19a19fec
commit 6a5f4e741c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
33 changed files with 1085 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/releases/1.31-NOTES.md
View File

@ -24,6 +24,8 @@ Lorem ipsum....
# Other changes of note # Other changes of note
* Cilium has been upgraded to v1.16.
* Spotinst cluster controller V1 is replaced with Ocean kubernetes controller V2, all old k8s resource are removed * Spotinst cluster controller V1 is replaced with Ocean kubernetes controller V2, all old k8s resource are removed
except spotinst-kubernetes-cluster-controller Secret. except spotinst-kubernetes-cluster-controller Secret.

4
pkg/apis/kops/validation/validation.go
View File

@ -1293,8 +1293,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Could not parse as semantic version")) allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Could not parse as semantic version"))
} }
if version.Minor != 15 { if version.Minor != 16 {
allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.15 is supported")) allErrs = append(allErrs, field.Invalid(versionFld, v.Version, "Only version 1.16 is supported"))
} }
if v.Hubble != nil && fi.ValueOf(v.Hubble.Enabled) { if v.Hubble != nil && fi.ValueOf(v.Hubble.Enabled) {

6
pkg/apis/kops/validation/validation_test.go
View File

@ -1137,7 +1137,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
Version: "v1.15.0", Version: "v1.16.0",
Ingress: &kops.CiliumIngressSpec{ Ingress: &kops.CiliumIngressSpec{
Enabled: fi.PtrTo(true), Enabled: fi.PtrTo(true),
DefaultLoadBalancerMode: "bad-value", DefaultLoadBalancerMode: "bad-value",
@ -1147,7 +1147,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
Version: "v1.15.0", Version: "v1.16.0",
Ingress: &kops.CiliumIngressSpec{ Ingress: &kops.CiliumIngressSpec{
Enabled: fi.PtrTo(true), Enabled: fi.PtrTo(true),
DefaultLoadBalancerMode: "dedicated", DefaultLoadBalancerMode: "dedicated",
@ -1156,7 +1156,7 @@ func Test_Validate_Cilium(t *testing.T) {
}, },
{ {
Cilium: kops.CiliumNetworkingSpec{ Cilium: kops.CiliumNetworkingSpec{
Version: "v1.15.0", Version: "v1.16.0",
Hubble: &kops.HubbleSpec{ Hubble: &kops.HubbleSpec{
Enabled: fi.PtrTo(true), Enabled: fi.PtrTo(true),
}, },

2
pkg/model/components/cilium.go
View File

@ -40,7 +40,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error {
} }
if c.Version == "" { if c.Version == "" {
c.Version = "v1.15.6" c.Version = "v1.16.1"
} }
if c.EnableEndpointHealthChecking == nil { if c.EnableEndpointHealthChecking == nil {

2
tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content
View File

@ -226,7 +226,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: disabled tunnel: disabled
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
View File

@ -106,7 +106,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: b9879c934ae3fc644e07f15629981bb9bf0162335a4ef5be413182fcfc66897a manifestHash: da0ef2e57342372e25f1280da556dbe12a2a0e2b81f9d2463b20c804820abd7e
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

129
tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -62,6 +62,7 @@ data:
kube-proxy-replacement: "false" kube-proxy-replacement: "false"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: '[::1]:9234'
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: native routing-mode: native
@ -135,6 +136,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -184,11 +188,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -260,6 +263,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -318,6 +325,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -340,6 +350,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -364,6 +379,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -499,6 +517,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -550,7 +573,7 @@ spec:
value: api.internal.minimal-ipv6.example.com value: api.internal.minimal-ipv6.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -590,6 +613,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -601,12 +640,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -630,7 +674,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -647,7 +691,7 @@ spec:
value: api.internal.minimal-ipv6.example.com value: api.internal.minimal-ipv6.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -666,11 +710,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -687,10 +737,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -698,6 +755,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -713,14 +786,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.minimal-ipv6.example.com value: api.internal.minimal-ipv6.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -734,7 +821,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -811,6 +898,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -889,7 +984,7 @@ spec:
value: api.internal.minimal-ipv6.example.com value: api.internal.minimal-ipv6.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -901,6 +996,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: ::1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

2
tests/integration/update_cluster/minimal-warmpool/data/aws_launch_template_nodes.minimal-warmpool.example.com_user_data
View File

@ -153,7 +153,7 @@ ConfigServer:
- https://kops-controller.internal.minimal-warmpool.example.com:3988/ - https://kops-controller.internal.minimal-warmpool.example.com:3988/
InstanceGroupName: nodes InstanceGroupName: nodes
InstanceGroupRole: Node InstanceGroupRole: Node
NodeupConfigHash: Qk29AY0f5+WYSZtngVmowAvt0IFItqN2mBDATTa1yqU= NodeupConfigHash: 9eR3ArCmiOtRlM5MiKgIeyh9zBfs2MNlwaMYUH85wUs=
__EOF_KUBE_ENV __EOF_KUBE_ENV

2
tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content
View File

@ -218,7 +218,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: vxlan tunnel: vxlan
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-bootstrap_content
View File

@ -99,7 +99,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: a1a193f3b5a7e4978166141793abd91ca31da43c5d22ccac28cbe8a9e971620e manifestHash: 4f58454b1058faea22637f20d8a07415aa92609904d8d9047ccf132ba7d8aad6
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

129
tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_minimal-warmpool.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -62,6 +62,7 @@ data:
kube-proxy-replacement: "false" kube-proxy-replacement: "false"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: tunnel routing-mode: tunnel
@ -136,6 +137,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -185,11 +189,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -261,6 +264,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -319,6 +326,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -341,6 +351,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -365,6 +380,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -500,6 +518,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -551,7 +574,7 @@ spec:
value: api.internal.minimal-warmpool.example.com value: api.internal.minimal-warmpool.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -591,6 +614,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -602,12 +641,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -631,7 +675,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -648,7 +692,7 @@ spec:
value: api.internal.minimal-warmpool.example.com value: api.internal.minimal-warmpool.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -667,11 +711,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -688,10 +738,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -699,6 +756,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -714,14 +787,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.minimal-warmpool.example.com value: api.internal.minimal-warmpool.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -735,7 +822,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -812,6 +899,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -890,7 +985,7 @@ spec:
value: api.internal.minimal-warmpool.example.com value: api.internal.minimal-warmpool.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -902,6 +997,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

5
tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_nodeupconfig-nodes_content
View File

@ -64,7 +64,8 @@ containerdConfig:
usesLegacyGossip: false usesLegacyGossip: false
usesNoneDNS: false usesNoneDNS: false
warmPoolImages: warmPoolImages:
- quay.io/cilium/cilium:v1.15.6 - quay.io/cilium/cilium:v1.16.1
- quay.io/cilium/operator:v1.15.6 - quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
- quay.io/cilium/operator:v1.16.1
- registry.k8s.io/kube-proxy:v1.26.0 - registry.k8s.io/kube-proxy:v1.26.0
- registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.11 - registry.k8s.io/provider-aws/cloud-controller-manager:v1.26.11

2
tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content
View File

@ -199,7 +199,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: vxlan tunnel: vxlan
version: v1.15.6 version: v1.16.1
nonMasqueradeCIDR: 100.64.0.0/10 nonMasqueradeCIDR: 100.64.0.0/10
podCIDR: 100.96.0.0/11 podCIDR: 100.96.0.0/11
secretStore: memfs://tests/scw-minimal.k8s.local/secrets secretStore: memfs://tests/scw-minimal.k8s.local/secrets

2
tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-bootstrap_content
View File

@ -55,7 +55,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 7b74c26eba86a08e584e9621b100ef63a3aedca452958210ae67304f84d40542 manifestHash: 867fc89c551b1efeb56de4cce715099a543f713551a05428cb1d0a3299fc46b4
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

129
tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_scw-minimal.k8s.local-addons-networking.cilium.io-k8s-1.16_content
View File

@ -62,6 +62,7 @@ data:
kube-proxy-replacement: "true" kube-proxy-replacement: "true"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: tunnel routing-mode: tunnel
@ -136,6 +137,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -185,11 +189,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -261,6 +264,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -319,6 +326,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -341,6 +351,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -365,6 +380,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -500,6 +518,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -551,7 +574,7 @@ spec:
value: api.internal.scw-minimal.k8s.local value: api.internal.scw-minimal.k8s.local
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -591,6 +614,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -602,12 +641,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -631,7 +675,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -648,7 +692,7 @@ spec:
value: api.internal.scw-minimal.k8s.local value: api.internal.scw-minimal.k8s.local
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -667,11 +711,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -688,10 +738,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -699,6 +756,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -714,14 +787,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.scw-minimal.k8s.local value: api.internal.scw-minimal.k8s.local
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -735,7 +822,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -812,6 +899,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -890,7 +985,7 @@ spec:
value: api.internal.scw-minimal.k8s.local value: api.internal.scw-minimal.k8s.local
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -902,6 +997,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

2
tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
View File

@ -220,7 +220,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: disabled tunnel: disabled
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
View File

@ -99,7 +99,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 73bb75823f5a80f87197e6fcb8dc72a63ee1c24883175dac77300e6902681161 manifestHash: 7d691d06fc71e313cb156d6a75dcdb2f3f1a03fe41661fbe2260b5d1823ccb0d
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

133
tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -65,6 +65,7 @@ data:
kube-proxy-replacement: "false" kube-proxy-replacement: "false"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: native routing-mode: native
@ -138,6 +139,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -187,11 +191,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -263,6 +266,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -321,6 +328,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -343,6 +353,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -367,6 +382,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -502,6 +520,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -553,7 +576,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
postStart: postStart:
@ -575,10 +598,10 @@ spec:
# dependencies on anything that is part of the startup script # dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in # itself, and can be safely run multiple times per node (e.g. in
# case of a restart). # case of a restart).
if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]]; if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin' echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi fi
echo 'Done!' echo 'Done!'
preStop: preStop:
@ -618,6 +641,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -629,12 +668,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -658,7 +702,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -675,7 +719,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -694,11 +738,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -715,10 +765,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -726,6 +783,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -741,14 +814,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -762,7 +849,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -839,6 +926,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -917,7 +1012,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -929,6 +1024,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

2
tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content
View File

@ -228,7 +228,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: vxlan tunnel: vxlan
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
View File

@ -99,7 +99,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 12325ce4b4f85d7aa094ccd86197641ff7aff6a90c32da34b64678aa9454a18e manifestHash: 492810dae91d3d96f60f547fcb0b34c14b4a2d3d953171101cf3af8d4addff70
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

128
tests/integration/update_cluster/privatecilium/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -62,6 +62,7 @@ data:
kube-proxy-replacement: "false" kube-proxy-replacement: "false"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: tunnel routing-mode: tunnel
@ -136,6 +137,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -185,11 +189,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -261,6 +264,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -319,6 +326,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -341,6 +351,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -365,6 +380,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -501,6 +519,10 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
test1: "true" test1: "true"
test2: "123" test2: "123"
test3: awesome test3: awesome
@ -555,7 +577,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -595,6 +617,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -606,12 +644,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -635,7 +678,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -652,7 +695,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -671,11 +714,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -692,10 +741,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -703,6 +759,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -718,14 +790,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -739,7 +825,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -816,6 +902,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -898,7 +992,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -910,6 +1004,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

2
tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content
View File

@ -225,7 +225,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: vxlan tunnel: vxlan
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
View File

@ -155,7 +155,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 3fdb869ea26ce50ae6db32e1b997749f18cbb30ebf31468f2c5da2c692681a54 manifestHash: 0a96b2e9786d0cc7e87eff42a6b38e011a45cb6c485825aaa491034e2c7d631b
name: networking.cilium.io name: networking.cilium.io
needsPKI: true needsPKI: true
needsRollingUpdate: all needsRollingUpdate: all

159
tests/integration/update_cluster/privatecilium2/data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -94,6 +94,7 @@ data:
kube-proxy-replacement: "false" kube-proxy-replacement: "false"
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: tunnel routing-mode: tunnel
@ -217,6 +218,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -266,11 +270,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -342,6 +345,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -400,6 +407,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -422,6 +432,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -446,6 +461,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -754,6 +772,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -805,7 +828,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
preStop: preStop:
@ -853,6 +876,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -864,12 +903,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -896,7 +940,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -913,7 +957,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -932,11 +976,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -953,10 +1003,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -964,6 +1021,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -979,14 +1052,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -1000,7 +1087,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -1077,11 +1164,26 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
- name: hubble-tls - name: hubble-tls
projected: projected:
defaultMode: 256 defaultMode: 256
sources: sources:
- secret: - secret:
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
- key: ca.crt
path: client-ca.crt
name: hubble-server-certs name: hubble-server-certs
optional: true optional: true
updateStrategy: updateStrategy:
@ -1162,7 +1264,7 @@ spec:
value: api.internal.privatecilium.example.com value: api.internal.privatecilium.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -1174,6 +1276,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m
@ -1256,18 +1368,23 @@ spec:
- serve - serve
command: command:
- hubble-relay - hubble-relay
image: quay.io/cilium/hubble-relay:v1.15.6 image: quay.io/cilium/hubble-relay:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
tcpSocket: failureThreshold: 12
port: grpc grpc:
port: 4222
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 10
name: hubble-relay name: hubble-relay
ports: ports:
- containerPort: 4245 - containerPort: 4245
name: grpc name: grpc
readinessProbe: readinessProbe:
tcpSocket: grpc:
port: grpc port: 4222
timeoutSeconds: 3
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@ -1275,6 +1392,12 @@ spec:
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532
startupProbe:
failureThreshold: 20
grpc:
port: 4222
initialDelaySeconds: 10
periodSeconds: 3
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /etc/hubble-relay - mountPath: /etc/hubble-relay
@ -1288,7 +1411,7 @@ spec:
fsGroup: 65532 fsGroup: 65532
serviceAccount: hubble-relay serviceAccount: hubble-relay
serviceAccountName: hubble-relay serviceAccountName: hubble-relay
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 1
topologySpreadConstraints: topologySpreadConstraints:
- labelSelector: - labelSelector:
matchLabels: matchLabels:

2
tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
View File

@ -232,7 +232,7 @@ spec:
sidecarIstioProxyImage: cilium/istio_proxy sidecarIstioProxyImage: cilium/istio_proxy
toFqdnsDnsRejectResponseCode: refused toFqdnsDnsRejectResponseCode: refused
tunnel: disabled tunnel: disabled
version: v1.15.6 version: v1.16.1
nodeTerminationHandler: nodeTerminationHandler:
cpuRequest: 50m cpuRequest: 50m
deleteSQSMsgIfNodeNotFound: false deleteSQSMsgIfNodeNotFound: false

2
tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content
View File

@ -99,7 +99,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: be09a607c2a87737bee2f1fbf38420f09ae2ff560e021fab080a98f3225f0c51 manifestHash: 0fed3b36276ff3f87b1c01bbc1b81576a14fd45da3958df8947230afd410dbff
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

133
tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content
View File

@ -75,6 +75,7 @@ data:
kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}' kvstore-opt: '{"etcd.config": "/var/lib/etcd-config/etcd.config"}'
monitor-aggregation: medium monitor-aggregation: medium
nodes-gc-interval: 5m0s nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false" preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true" remove-cilium-node-taints: "true"
routing-mode: native routing-mode: native
@ -148,6 +149,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -197,11 +201,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
@ -273,6 +276,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -331,6 +338,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -353,6 +363,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -377,6 +392,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -512,6 +530,11 @@ spec:
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
template: template:
metadata: metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
creationTimestamp: null creationTimestamp: null
labels: labels:
app.kubernetes.io/name: cilium-agent app.kubernetes.io/name: cilium-agent
@ -563,7 +586,7 @@ spec:
value: api.internal.privateciliumadvanced.example.com value: api.internal.privateciliumadvanced.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
lifecycle: lifecycle:
postStart: postStart:
@ -585,10 +608,10 @@ spec:
# dependencies on anything that is part of the startup script # dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in # itself, and can be safely run multiple times per node (e.g. in
# case of a restart). # case of a restart).
if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]]; if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin' echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi fi
echo 'Done!' echo 'Done!'
preStop: preStop:
@ -628,6 +651,22 @@ spec:
cpu: 25m cpu: 25m
memory: 128Mi memory: 128Mi
securityContext: securityContext:
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
privileged: true privileged: true
startupProbe: startupProbe:
failureThreshold: 105 failureThreshold: 105
@ -639,12 +678,17 @@ spec:
path: /healthz path: /healthz
port: 9879 port: 9879
scheme: HTTP scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- mountPath: /sys/fs/bpf - mountPath: /sys/fs/bpf
mountPropagation: Bidirectional mountPropagation: HostToContainer
name: bpf-maps name: bpf-maps
- mountPath: /run/cilium/cgroupv2 - mountPath: /run/cilium/cgroupv2
name: cilium-cgroup name: cilium-cgroup
@ -674,7 +718,7 @@ spec:
hostNetwork: true hostNetwork: true
initContainers: initContainers:
- command: - command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -691,7 +735,7 @@ spec:
value: api.internal.privateciliumadvanced.example.com value: api.internal.privateciliumadvanced.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: config name: config
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
@ -710,11 +754,17 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: mount-cgroup name: mount-cgroup
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /hostproc - mountPath: /hostproc
@ -731,10 +781,17 @@ spec:
env: env:
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: apply-sysctl-overwrites name: apply-sysctl-overwrites
securityContext: securityContext:
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -742,6 +799,22 @@ spec:
name: hostproc name: hostproc
- mountPath: /hostbin - mountPath: /hostbin
name: cni-path name: cni-path
- args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
- --
image: quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39
imagePullPolicy: IfNotPresent
name: mount-bpf-fs
securityContext:
privileged: true
terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
name: bpf-maps
- command: - command:
- /init-container.sh - /init-container.sh
env: env:
@ -757,14 +830,28 @@ spec:
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
name: cilium-config name: cilium-config
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
key: write-cni-conf-when-ready
name: cilium-config
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: api.internal.privateciliumadvanced.example.com value: api.internal.privateciliumadvanced.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: clean-cilium-state name: clean-cilium-state
securityContext: securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
@ -778,7 +865,7 @@ spec:
name: cilium-run name: cilium-run
- command: - command:
- /install-plugin.sh - /install-plugin.sh
image: quay.io/cilium/cilium:v1.15.6 image: quay.io/cilium/cilium:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
name: install-cni-binaries name: install-cni-binaries
resources: resources:
@ -866,6 +953,14 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
- hostPath:
path: /proc/sys/net
type: Directory
name: host-proc-sys-net
- hostPath:
path: /proc/sys/kernel
type: Directory
name: host-proc-sys-kernel
updateStrategy: updateStrategy:
type: OnDelete type: OnDelete
@ -944,7 +1039,7 @@ spec:
value: api.internal.privateciliumadvanced.example.com value: api.internal.privateciliumadvanced.example.com
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
image: quay.io/cilium/operator:v1.15.6 image: quay.io/cilium/operator:v1.16.1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -956,6 +1051,16 @@ spec:
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
name: cilium-operator name: cilium-operator
readinessProbe:
failureThreshold: 5
httpGet:
host: 127.0.0.1
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
resources: resources:
requests: requests:
cpu: 25m cpu: 25m

18
upup/models/cloudup/resources/addons/coredns.addons.k8s.io/values.yaml Normal file
View File

@ -0,0 +1,18 @@
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "coredns.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
topologyKey: topology.kubernetes.io/zone
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "coredns.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}'
topologyKey: kubernetes.io/hostname
maxSkew: 1
whenUnsatisfiable: ScheduleAnyway
autoscaler:
enabled: true

33
upup/models/cloudup/resources/addons/networking.cilium.io/helm-values.yaml Normal file
View File

@ -0,0 +1,33 @@
# This file is only used to help generate the .yaml.template file
hubble:
metrics:
enabled: [drop]
relay:
enabled: true
ingressController:
enabled: true
secretsNamespace:
create: false
serviceAccounts:
envoy:
create: false
envoy:
enabled: false
envoyConfig:
secretsNamespace:
create: false
gatewayAPI:
secretsNamespace:
create: false
bgpControlPlane:
secretsNamespace:
create: false
updateStrategy:
type: OnDelete
rollingUpdate: null
monitor:
enabled: true
ipv4:
enabled: false
ipv6:
enabled: true

202
upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template
View File

@ -1,6 +1,9 @@
# helm template --release-name cilium cilium/cilium \
# --version 1.16.1 \
# --namespace kube-system \
# --values helm-values.yaml
{{ with .Networking.Cilium }} {{ with .Networking.Cilium }}
{{ $semver := (trimPrefix "v" .Version) }} {{ $semver := (trimPrefix "v" .Version) }}
{{ $healthPort := (ternary 9879 9876 (semverCompare ">=1.11.6" $semver)) }}
{{ $operatorHealthPort := 9234 }} {{ $operatorHealthPort := 9234 }}
{{- if CiliumSecret }} {{- if CiliumSecret }}
apiVersion: v1 apiVersion: v1
@ -39,7 +42,7 @@ metadata:
name: cilium-config name: cilium-config
namespace: kube-system namespace: kube-system
data: data:
agent-health-port: "{{ $healthPort }}" agent-health-port: "9879"
{{- if .EtcdManaged }} {{- if .EtcdManaged }}
kvstore: etcd kvstore: etcd
@ -224,10 +227,6 @@ data:
# [0] http://docs.cilium.io/en/stable/policy/language/#dns-based # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
# [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
tofqdns-enable-poller: "{{- if .ToFQDNsEnablePoller -}}true{{- else -}}false{{- end -}}" tofqdns-enable-poller: "{{- if .ToFQDNsEnablePoller -}}true{{- else -}}false{{- end -}}"
{{- if not (semverCompare ">=1.10.4 || ~1.9.10" $semver) }}
# wait-bpf-mount makes init container wait until bpf filesystem is mounted
wait-bpf-mount: "false"
{{- end }}
# Enable fetching of container-runtime specific metadata # Enable fetching of container-runtime specific metadata
# #
# By default, the Kubernetes pod and namespace labels are retrieved and # By default, the Kubernetes pod and namespace labels are retrieved and
@ -257,6 +256,7 @@ data:
enable-node-port: "{{ .EnableNodePort }}" enable-node-port: "{{ .EnableNodePort }}"
kube-proxy-replacement: "{{- if .EnableNodePort -}}true{{- else -}}false{{- end -}}" kube-proxy-replacement: "{{- if .EnableNodePort -}}true{{- else -}}false{{- end -}}"
operator-api-serve-addr: "{{- if IsIPv6Only -}}[::1]{{- else -}}127.0.0.1{{- end -}}:9234"
{{ with .IPAM }} {{ with .IPAM }}
ipam: {{ . }} ipam: {{ . }}
{{ if eq . "eni" }} {{ if eq . "eni" }}
@ -429,6 +429,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumbgppeeringpolicies - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs - ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies - ciliumegressgatewaypolicies
@ -479,11 +482,10 @@ rules:
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status - ciliumendpoints/status
- ciliumendpoints - ciliumendpoints
- ciliuml2announcementpolicies/status - ciliuml2announcementpolicies/status
- ciliumbgpnodeconfigs/status
verbs: verbs:
- patch - patch
--- ---
@ -556,6 +558,10 @@ rules:
- get - get
- list - list
- watch - watch
- create
- update
- delete
- patch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
@ -620,6 +626,9 @@ rules:
resources: resources:
- ciliumendpointslices - ciliumendpointslices
- ciliumenvoyconfigs - ciliumenvoyconfigs
- ciliumbgppeerconfigs
- ciliumbgpadvertisements
- ciliumbgpnodeconfigs
verbs: verbs:
- create - create
- update - update
@ -646,6 +655,11 @@ rules:
resourceNames: resourceNames:
- ciliumloadbalancerippools.cilium.io - ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io
@ -666,6 +680,9 @@ rules:
resources: resources:
- ciliumloadbalancerippools - ciliumloadbalancerippools
- ciliumpodippools - ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
verbs: verbs:
- get - get
- list - list
@ -959,6 +976,10 @@ spec:
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
prometheus.io/port: "{{ .AgentPrometheusPort }}" prometheus.io/port: "{{ .AgentPrometheusPort }}"
{{ end }} {{ end }}
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined"
{{- range $key, $value := .AgentPodAnnotations }} {{- range $key, $value := .AgentPodAnnotations }}
{{ $key }}: "{{ $value }}" {{ $key }}: "{{ $value }}"
{{- end }} {{- end }}
@ -989,7 +1010,7 @@ spec:
httpGet: httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
path: /healthz path: /healthz
port: {{ $healthPort }} port: 9879
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -997,11 +1018,12 @@ spec:
failureThreshold: 105 failureThreshold: 105
periodSeconds: 2 periodSeconds: 2
successThreshold: 1 successThreshold: 1
initialDelaySeconds: 5
livenessProbe: livenessProbe:
httpGet: httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
path: /healthz path: /healthz
port: {{ $healthPort }} port: 9879
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -1018,7 +1040,7 @@ spec:
httpGet: httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
path: /healthz path: /healthz
port: {{ $healthPort }} port: 9879
scheme: HTTP scheme: HTTP
httpHeaders: httpHeaders:
- name: "brief" - name: "brief"
@ -1081,10 +1103,10 @@ spec:
# dependencies on anything that is part of the startup script # dependencies on anything that is part of the startup script
# itself, and can be safely run multiple times per node (e.g. in # itself, and can be safely run multiple times per node (e.g. in
# case of a restart). # case of a restart).
if [[ "$(iptables-save | grep -c AWS-SNAT-CHAIN)" != "0" ]]; if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
then then
echo 'Deleting iptables rules created by the AWS CNI VPC plugin' echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
iptables-save | grep -v AWS-SNAT-CHAIN | iptables-restore iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
fi fi
echo 'Done!' echo 'Done!'
{{- end }} {{- end }}
@ -1113,20 +1135,42 @@ spec:
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
privileged: true privileged: true
capabilities:
add:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
drop:
- ALL
volumeMounts: volumeMounts:
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- name: bpf-maps - name: bpf-maps
mountPath: /sys/fs/bpf mountPath: /sys/fs/bpf
{{- if semverCompare ">=1.10.4 || ~1.9.10" $semver }} # Unprivileged containers can't set mount propagation to bidirectional
mountPropagation: Bidirectional # in this case we will mount the bpf fs from an init container that
{{- end }} # is privileged and set the mount propagation from host to container
# in Cilium.
mountPropagation: HostToContainer
- name: cilium-cgroup - name: cilium-cgroup
mountPath: /run/cilium/cgroupv2 mountPath: /run/cilium/cgroupv2
- name: cilium-run - name: cilium-run
mountPath: /var/run/cilium mountPath: /var/run/cilium
{{- if not (semverCompare "~1.11.15 || ~1.12.8 || >=1.13.1" $semver) }}
- name: cni-path
mountPath: /host/opt/cni/bin
{{- end }}
- name: etc-cni-netd - name: etc-cni-netd
mountPath: /host/etc/cni/net.d mountPath: /host/etc/cni/net.d
{{ if .EtcdManaged }} {{ if .EtcdManaged }}
@ -1173,7 +1217,7 @@ spec:
for i in {1..5}; do \ for i in {1..5}; do \
[ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\ [ -S /var/run/cilium/monitor1_2.sock ] && break || sleep 10;\
done; \ done; \
cilium monitor --type=agent cilium-dbg monitor
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- name: cilium-run - name: cilium-run
@ -1184,7 +1228,7 @@ spec:
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- cilium - cilium-dbg
- build-config - build-config
env: env:
- name: K8S_NODE_NAME - name: K8S_NODE_NAME
@ -1234,7 +1278,13 @@ spec:
mountPath: /hostbin mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
privileged: true capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: apply-sysctl-overwrites - name: apply-sysctl-overwrites
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
@ -1261,6 +1311,32 @@ spec:
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
privileged: true privileged: true
capabilities:
add:
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: "quay.io/cilium/cilium:v1.16.1@sha256:0b4a3ab41a4760d86b7fc945b8783747ba27f29dac30dd434d94f2c9e3679f39"
imagePullPolicy: IfNotPresent
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
terminationMessagePolicy: FallbackToLogsOnError
securityContext:
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state - name: clean-cilium-state
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
@ -1279,34 +1355,37 @@ spec:
name: cilium-config name: cilium-config
key: clean-cilium-bpf-state key: clean-cilium-bpf-state
optional: true optional: true
- name: WRITE_CNI_CONF_WHEN_READY
valueFrom:
configMapKeyRef:
name: cilium-config
key: write-cni-conf-when-ready
optional: true
- name: KUBERNETES_SERVICE_HOST - name: KUBERNETES_SERVICE_HOST
value: "{{ APIInternalName }}" value: "{{ APIInternalName }}"
- name: KUBERNETES_SERVICE_PORT - name: KUBERNETES_SERVICE_PORT
value: "443" value: "443"
{{- if not (semverCompare ">=1.10.4 || ~1.9.10" $semver) }}
- name: CILIUM_WAIT_BPF_MOUNT
valueFrom:
configMapKeyRef:
key: wait-bpf-mount
name: cilium-config
optional: true
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
privileged: true privileged: true
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
- SYS_ADMIN
- SYS_RESOURCE
drop:
- ALL
volumeMounts: volumeMounts:
- name: bpf-maps - name: bpf-maps
mountPath: /sys/fs/bpf mountPath: /sys/fs/bpf
{{- if semverCompare ">=1.10.4 || ~1.9.10" $semver }}
mountPropagation: HostToContainer mountPropagation: HostToContainer
{{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod # Required to mount cgroup filesystem from the host to cilium agent pod
- name: cilium-cgroup - name: cilium-cgroup
mountPath: /run/cilium/cgroupv2 mountPath: /run/cilium/cgroupv2
mountPropagation: HostToContainer mountPropagation: HostToContainer
- name: cilium-run - name: cilium-run
mountPath: /var/run/cilium mountPath: /var/run/cilium
{{- if semverCompare "~1.11.15 || ~1.12.8 || >=1.13.1" $semver }}
# Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent # Install the CNI binaries in an InitContainer so we don't have a writable host mount in the agent
- name: install-cni-binaries - name: install-cni-binaries
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
@ -1326,7 +1405,6 @@ spec:
volumeMounts: volumeMounts:
- name: cni-path - name: cni-path
mountPath: /host/opt/cni/bin mountPath: /host/opt/cni/bin
{{- end }}
restartPolicy: Always restartPolicy: Always
priorityClassName: system-node-critical priorityClassName: system-node-critical
{{ if ContainerdSELinuxEnabled }} {{ if ContainerdSELinuxEnabled }}
@ -1430,6 +1508,14 @@ spec:
secret: secret:
secretName: cilium-ipsec-keys secretName: cilium-ipsec-keys
{{ end }} {{ end }}
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
{{ if WithDefaultBool .Hubble.Enabled false }} {{ if WithDefaultBool .Hubble.Enabled false }}
- name: hubble-tls - name: hubble-tls
projected: projected:
@ -1439,6 +1525,13 @@ spec:
- secret: - secret:
name: hubble-server-certs name: hubble-server-certs
optional: true optional: true
items:
- key: tls.crt
path: server.crt
- key: tls.key
path: server.key
- key: ca.crt
path: client-ca.crt
{{ end }} {{ end }}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
@ -1518,9 +1611,9 @@ spec:
value: "443" value: "443"
{{ if .EnablePrometheusMetrics }} {{ if .EnablePrometheusMetrics }}
ports: ports:
- containerPort: 6942 - name: prometheus
hostPort: 6942 containerPort: 9963
name: prometheus hostPort: 9963
protocol: TCP protocol: TCP
{{ end }} {{ end }}
resources: resources:
@ -1531,11 +1624,21 @@ spec:
httpGet: httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
path: /healthz path: /healthz
port: {{ $operatorHealthPort }} port: 9234
scheme: HTTP scheme: HTTP
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 3 timeoutSeconds: 3
readinessProbe:
httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
path: /healthz
port: 9234
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 5
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- mountPath: /tmp/cilium/config-map - mountPath: /tmp/cilium/config-map
@ -1649,11 +1752,22 @@ spec:
- name: grpc - name: grpc
containerPort: 4245 containerPort: 4245
readinessProbe: readinessProbe:
tcpSocket: grpc:
port: grpc port: 4222
timeoutSeconds: 3
livenessProbe: livenessProbe:
tcpSocket: grpc:
port: grpc port: 4222
timeoutSeconds: 10
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 12
startupProbe:
grpc:
port: 4222
initialDelaySeconds: 10
failureThreshold: 20
periodSeconds: 3
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- name: config - name: config
@ -1672,7 +1786,7 @@ spec:
restartPolicy: Always restartPolicy: Always
serviceAccount: hubble-relay serviceAccount: hubble-relay
serviceAccountName: hubble-relay serviceAccountName: hubble-relay
terminationGracePeriodSeconds: 0 terminationGracePeriodSeconds: 1
topologySpreadConstraints: topologySpreadConstraints:
- maxSkew: 1 - maxSkew: 1
topologyKey: "topology.kubernetes.io/zone" topologyKey: "topology.kubernetes.io/zone"

2
upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml
View File

@ -99,7 +99,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 3cd28effb6499670f52244fa0fe1814c2a6921a3e7eaac43b0064dab804127d7 manifestHash: be919b9d3124ee841a8f46a8309b8ec689715bd651bc44f8cebc3717eafd019f
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

2
upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/insecure-1.19/manifest.yaml
View File

@ -113,7 +113,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 3cd28effb6499670f52244fa0fe1814c2a6921a3e7eaac43b0064dab804127d7 manifestHash: be919b9d3124ee841a8f46a8309b8ec689715bd651bc44f8cebc3717eafd019f
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector:

2
upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/metrics-server/secure-1.19/manifest.yaml
View File

@ -170,7 +170,7 @@ spec:
version: 9.99.0 version: 9.99.0
- id: k8s-1.16 - id: k8s-1.16
manifest: networking.cilium.io/k8s-1.16-v1.15.yaml manifest: networking.cilium.io/k8s-1.16-v1.15.yaml
manifestHash: 3cd28effb6499670f52244fa0fe1814c2a6921a3e7eaac43b0064dab804127d7 manifestHash: be919b9d3124ee841a8f46a8309b8ec689715bd651bc44f8cebc3717eafd019f
name: networking.cilium.io name: networking.cilium.io
needsRollingUpdate: all needsRollingUpdate: all
selector: selector: