kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use privileged approach 

As done before updating to 1.14

This allows us to have a simpler update. We can add unprivileged mode later on (it was not working all the time for me)
This commit is contained in:
zadjadr 2023-09-01 22:05:27 +02:00
parent 4dfaba5242
commit ef8a1f3d7e
No known key found for this signature in database
GPG Key ID: 0F5C56E6213A7610
1 changed files with 70 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.14.yaml.template
View File

@ -352,45 +352,21 @@ metadata:
namespace: kube-system namespace: kube-system
data: data:
config.yaml: | config.yaml: |
cluster-name: "{{ .ClusterName }}" peer-service: unix:///var/run/cilium/hubble.sock
peer-service: "hubble-peer.kube-system.svc.cluster.local:443"
listen-address: :4245 listen-address: :4245
gops: true
gops-port: "9893"
disable-server-tls: true disable-server-tls: true
tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-client-key-file: /var/lib/hubble-relay/tls/client.key tls-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
---
# Source: cilium/templates/hubble/peer-service.yaml
apiVersion: v1
kind: Service
metadata:
name: hubble-peer
namespace: kube-system
labels:
k8s-app: cilium
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: hubble-peer
spec:
selector:
k8s-app: cilium
ports:
- name: peer-service
port: 443
protocol: TCP
targetPort: 4244
internalTrafficPolicy: Local
{{ end }} {{ end }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cilium name: cilium
labels:
app.kubernetes.io/part-of: cilium
rules: rules:
- apiGroups: - apiGroups:
- networking.k8s.io - networking.k8s.io
@ -427,9 +403,6 @@ rules:
verbs: verbs:
- list - list
- watch - watch
# This is used when validating policies in preflight. This will need to stay
# until we figure out how to avoid "get" inside the preflight, and then
# should be removed ideally.
- get - get
- apiGroups: - apiGroups:
- cilium.io - cilium.io
@ -498,8 +471,6 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: cilium-operator name: cilium-operator
labels:
app.kubernetes.io/part-of: cilium
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@ -689,12 +660,6 @@ rules:
- ciliumloadbalancerippools/status - ciliumloadbalancerippools/status
verbs: verbs:
- patch - patch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between multiple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
- apiGroups: - apiGroups:
- coordination.k8s.io - coordination.k8s.io
resources: resources:
@ -725,30 +690,26 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cilium name: cilium
labels:
app.kubernetes.io/part-of: cilium
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cilium name: cilium
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: "cilium" name: cilium
namespace: kube-system namespace: kube-system
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: cilium-operator name: cilium-operator
labels:
app.kubernetes.io/part-of: cilium
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cilium-operator name: cilium-operator
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: "cilium-operator" name: cilium-operator
namespace: kube-system namespace: kube-system
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
@ -908,7 +869,6 @@ metadata:
namespace: kube-system namespace: kube-system
labels: labels:
k8s-app: hubble-relay k8s-app: hubble-relay
app.kubernetes.io/part-of: cilium
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
@ -927,8 +887,6 @@ metadata:
labels: labels:
k8s-app: cilium k8s-app: cilium
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec: spec:
selector: selector:
matchLabels: matchLabels:
@ -941,13 +899,6 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
# Set app AppArmor's profile to "unconfined". The value of this annotation
# can be modified as long users know which profiles they have available
# in AppArmor.
container.apparmor.security.beta.kubernetes.io/cilium-agent: "unconfined"
container.apparmor.security.beta.kubernetes.io/clean-cilium-state: "unconfined"
container.apparmor.security.beta.kubernetes.io/mount-cgroup: "unconfined"
container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: "unconfined"
{{ if .EnablePrometheusMetrics }} {{ if .EnablePrometheusMetrics }}
# Annotation required for prometheus auto-discovery scraping # Annotation required for prometheus auto-discovery scraping
# https://docs.cilium.io/en/v1.9/operations/metrics/#installation # https://docs.cilium.io/en/v1.9/operations/metrics/#installation
@ -960,8 +911,6 @@ spec:
labels: labels:
k8s-app: cilium k8s-app: cilium
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec: spec:
containers: containers:
- name: cilium-agent - name: cilium-agent
@ -996,6 +945,10 @@ spec:
successThreshold: 1 successThreshold: 1
failureThreshold: 10 failureThreshold: 10
timeoutSeconds: 5 timeoutSeconds: 5
resources:
requests:
cpu: {{ or .CPURequest "25m" }}
memory: {{ or .MemoryRequest "128Mi" }}
readinessProbe: readinessProbe:
httpGet: httpGet:
host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}' host: '{{- if IsIPv6Only -}}::1{{- else -}}127.0.0.1{{- end -}}'
@ -1074,15 +1027,7 @@ spec:
exec: exec:
command: command:
- /cni-uninstall.sh - /cni-uninstall.sh
resources:
requests:
cpu: {{ or .CPURequest "25m" }}
memory: {{ or .MemoryRequest "128Mi" }}
ports: ports:
- name: peer-service
containerPort: 4244
hostPort: 4244
protocol: TCP
{{ if .EnablePrometheusMetrics }} {{ if .EnablePrometheusMetrics }}
- containerPort: {{ .AgentPrometheusPort }} - containerPort: {{ .AgentPrometheusPort }}
name: prometheus name: prometheus
@ -1096,37 +1041,21 @@ spec:
{{- end }} {{- end }}
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
{{- if ContainerdSELinuxEnabled }}
seLinuxOptions:
type: spc_t
level: s0
{{- end }}
# Writing to /host/proc/sys/net does not work without a privileged container
privileged: true privileged: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
# Unprivileged containers need to mount /proc/sys/net from the host
# to have write access
- mountPath: /host/proc/sys/net
name: host-proc-sys-net
# Unprivileged containers need to mount /proc/sys/kernel from the host
# to have write access
- mountPath: /host/proc/sys/kernel
name: host-proc-sys-kernel
- name: bpf-maps - name: bpf-maps
mountPath: /sys/fs/bpf mountPath: /sys/fs/bpf
# Unprivileged containers can't set mount propagation to bidirectional {{- if semverCompare ">=1.10.4 || ~1.9.10" $semver }}
# in this case we will mount the bpf fs from an init container that mountPropagation: Bidirectional
# is privileged and set the mount propagation from host to container {{- end }}
# in Cilium.
mountPropagation: HostToContainer
- name: cilium-cgroup - name: cilium-cgroup
mountPath: /run/cilium/cgroupv2 mountPath: /run/cilium/cgroupv2
- name: cilium-run - name: cilium-run
mountPath: /var/run/cilium mountPath: /var/run/cilium
{{- if not (semverCompare "~1.11.15 || ~1.12.8 || >=1.13.1" $semver) }} {{- if not (semverCompare "~1.11.15 || ~1.12.8 || >=1.13.1" $semver) }}
- mountPath: /host/opt/cni/bin - name: cni-path
name: cni-path mountPath: /host/opt/cni/bin
{{- end }} {{- end }}
- name: etc-cni-netd - name: etc-cni-netd
mountPath: /host/etc/cni/net.d mountPath: /host/etc/cni/net.d
@ -1141,8 +1070,8 @@ spec:
- name: clustermesh-secrets - name: clustermesh-secrets
mountPath: /var/lib/cilium/clustermesh mountPath: /var/lib/cilium/clustermesh
readOnly: true readOnly: true
- mountPath: /tmp/cilium/config-map - name: cilium-config-path
name: cilium-config-path mountPath: /tmp/cilium/config-map
readOnly: true readOnly: true
# Needed to be able to load kernel modules # Needed to be able to load kernel modules
- name: lib-modules - name: lib-modules
@ -1150,17 +1079,17 @@ spec:
readOnly: true readOnly: true
- name: xtables-lock - name: xtables-lock
mountPath: /run/xtables.lock mountPath: /run/xtables.lock
{{ if CiliumSecret }} - name: tmp
- name: cilium-ipsec-secrets mountPath: /tmp
mountPath: /etc/ipsec
{{ end }}
{{ if WithDefaultBool .Hubble.Enabled false }} {{ if WithDefaultBool .Hubble.Enabled false }}
- name: hubble-tls - name: hubble-tls
mountPath: /var/lib/cilium/tls/hubble mountPath: /var/lib/cilium/tls/hubble
readOnly: true readOnly: true
{{ end }} {{ end }}
- name: tmp {{ if CiliumSecret }}
mountPath: /tmp - mountPath: /etc/ipsec
name: cilium-ipsec-secrets
{{ end }}
{{ if .Debug }} {{ if .Debug }}
- name: cilium-monitor - name: cilium-monitor
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
@ -1216,10 +1145,6 @@ spec:
value: /run/cilium/cgroupv2 value: /run/cilium/cgroupv2
- name: BIN_PATH - name: BIN_PATH
value: /opt/cni/bin value: /opt/cni/bin
resources:
requests:
cpu: 100m
memory: 128Mi
command: command:
- sh - sh
- -ec - -ec
@ -1239,20 +1164,7 @@ spec:
mountPath: /hostbin mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
{{- if ContainerdSELinuxEnabled }} privileged: true
seLinuxOptions:
level: s0
type: spc_t
{{- end }}
capabilities:
add:
# Only used for 'mount' cgroup
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: apply-sysctl-overwrites - name: apply-sysctl-overwrites
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
@ -1277,40 +1189,8 @@ spec:
- name: cni-path - name: cni-path
mountPath: /hostbin mountPath: /hostbin
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext:
{{- if ContainerdSELinuxEnabled }}
seLinuxOptions:
level: s0
type: spc_t
{{- end }}
capabilities:
add:
# Required in order to access host's /etc/sysctl.d dir
- SYS_ADMIN
# Used for nsenter
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
# Mount the bpf fs if it is not mounted. We will perform this task
# from a privileged container because the mount propagation bidirectional
# only works from privileged containers.
- name: mount-bpf-fs
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent
args:
- 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf'
command:
- /bin/bash
- -c
- --
terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
privileged: true privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state - name: clean-cilium-state
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
@ -1343,38 +1223,11 @@ spec:
{{- end }} {{- end }}
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
securityContext: securityContext:
{{- if ContainerdSELinuxEnabled }} privileged: true
seLinuxOptions:
level: s0
type: spc_t
{{- end }}
capabilities:
add:
# Most of the capabilities here are the same ones used in the
# cilium-agent's container because this container can be used to
# uninstall all Cilium resources, and therefore it is likely that
# will need the same capabilities.
# Used since cilium modifies routing tables, etc...
- NET_ADMIN
# Used in iptables. Consider removing once we are iptables-free
- SYS_MODULE
# We need it for now but might not need it for >= 5.11 specially
# for the 'SYS_RESOURCE'.
# In >= 5.8 there's already BPF and PERMON capabilities
- SYS_ADMIN
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
- SYS_RESOURCE
# Both PERFMON and BPF requires kernel 5.8, container runtime
# cri-o >= v1.22.0 or containerd >= v1.5.0.
# If available, SYS_ADMIN can be removed.
#- PERFMON
#- BPF
drop:
- ALL
volumeMounts: volumeMounts:
- name: bpf-maps - name: bpf-maps
mountPath: /sys/fs/bpf mountPath: /sys/fs/bpf
{{- if not (semverCompare ">=1.10.4 || ~1.9.10" $semver) }} {{- if semverCompare ">=1.10.4 || ~1.9.10" $semver }}
mountPropagation: HostToContainer mountPropagation: HostToContainer
{{- end }} {{- end }}
# Required to mount cgroup filesystem from the host to cilium agent pod # Required to mount cgroup filesystem from the host to cilium agent pod
@ -1389,18 +1242,16 @@ spec:
image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/cilium:{{ .Version }}"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- "/install-plugin.sh" - /install-plugin.sh
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
memory: 10Mi memory: 10Mi
securityContext: securityContext:
privileged: true capabilities:
{{- if ContainerdSELinuxEnabled }} drop:
seLinuxOptions: - ALL
level: s0 terminationMessagePath: /dev/termination-log
type: spc_t
{{- end }}
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts: volumeMounts:
- name: cni-path - name: cni-path
@ -1408,9 +1259,14 @@ spec:
{{- end }} {{- end }}
restartPolicy: Always restartPolicy: Always
priorityClassName: system-node-critical priorityClassName: system-node-critical
serviceAccount: "cilium" {{ if ContainerdSELinuxEnabled }}
serviceAccountName: "cilium" securityContext:
automountServiceAccountToken: true seLinuxOptions:
type: spc_t
level: s0
{{ end }}
serviceAccount: cilium
serviceAccountName: cilium
terminationGracePeriodSeconds: 1 terminationGracePeriodSeconds: 1
hostNetwork: true hostNetwork: true
affinity: affinity:
@ -1423,7 +1279,7 @@ spec:
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
tolerations: tolerations:
- operator: Exists - operator: Exists
volumes: volumes:
# For sharing configuration between the "config" initContainer and the agent # For sharing configuration between the "config" initContainer and the agent
- name: tmp - name: tmp
@ -1508,19 +1364,11 @@ spec:
- configMap: - configMap:
name: cilium-config name: cilium-config
name: cilium-config-path name: cilium-config-path
{{- if CiliumSecret }} {{ if CiliumSecret }}
- name: cilium-ipsec-secrets - name: cilium-ipsec-secrets
secret: secret:
secretName: cilium-ipsec-keys secretName: cilium-ipsec-keys
{{- end }} {{ end }}
- name: host-proc-sys-net
hostPath:
path: /proc/sys/net
type: Directory
- name: host-proc-sys-kernel
hostPath:
path: /proc/sys/kernel
type: Directory
{{ if WithDefaultBool .Hubble.Enabled false }} {{ if WithDefaultBool .Hubble.Enabled false }}
- name: hubble-tls - name: hubble-tls
projected: projected:
@ -1538,8 +1386,6 @@ metadata:
labels: labels:
io.cilium/app: operator io.cilium/app: operator
name: cilium-operator name: cilium-operator
app.kubernetes.io/name: cilium-operator
app.kubernetes.io/part-of: cilium
name: cilium-operator name: cilium-operator
namespace: kube-system namespace: kube-system
spec: spec:
@ -1562,8 +1408,6 @@ spec:
labels: labels:
io.cilium/app: operator io.cilium/app: operator
name: cilium-operator name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec: spec:
nodeSelector: null nodeSelector: null
affinity: affinity:
@ -1576,16 +1420,6 @@ spec:
- matchExpressions: - matchExpressions:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
operator: Exists operator: Exists
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
io.cilium/app: operator
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- operator: Exists
containers: containers:
- name: cilium-operator - name: cilium-operator
image: "{{ or .Registry "quay.io" }}/cilium/operator:{{ .Version }}" image: "{{ or .Registry "quay.io" }}/cilium/operator:{{ .Version }}"
@ -1718,8 +1552,6 @@ metadata:
namespace: kube-system namespace: kube-system
labels: labels:
k8s-app: hubble-relay k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec: spec:
replicas: 2 replicas: 2
selector: selector:
@ -1733,8 +1565,6 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: hubble-relay k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec: spec:
securityContext: securityContext:
fsGroup: 65532 fsGroup: 65532
@ -1752,10 +1582,13 @@ spec:
command: command:
- hubble-relay - hubble-relay
args: args:
- serve - "serve"
{{- if .Debug }} - "--peer-service=unix:///var/run/cilium/hubble.sock"
- '--debug' - "--listen-address=:4245"
{{- end }} env:
# unfortunately, the addon CAs use only CN
- name: GODEBUG
value: x509ignoreCN=0
ports: ports:
- name: grpc - name: grpc
containerPort: 4245 containerPort: 4245
@ -1765,51 +1598,46 @@ spec:
livenessProbe: livenessProbe:
tcpSocket: tcpSocket:
port: grpc port: grpc
volumeMounts:
- name: config
mountPath: /etc/hubble-relay
readOnly: true
- name: tls
mountPath: /var/lib/hubble-relay/tls
readOnly: true
terminationMessagePolicy: FallbackToLogsOnError terminationMessagePolicy: FallbackToLogsOnError
volumeMounts:
- mountPath: /var/run/cilium
name: hubble-sock-dir
readOnly: true
- mountPath: /etc/hubble-relay
name: config
readOnly: true
- mountPath: /var/lib/hubble-relay/tls
name: tls
readOnly: true
restartPolicy: Always restartPolicy: Always
serviceAccount: "hubble-relay" serviceAccount: hubble-relay
serviceAccountName: "hubble-relay" serviceAccountName: hubble-relay
terminationGracePeriodSeconds: 1 terminationGracePeriodSeconds: 0
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
k8s-app: cilium
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
topologySpreadConstraints: topologySpreadConstraints:
- maxSkew: 1 - maxSkew: 1
topologyKey: topology.kubernetes.io/zone topologyKey: "topology.kubernetes.io/zone"
whenUnsatisfiable: ScheduleAnyway whenUnsatisfiable: ScheduleAnyway
labelSelector: labelSelector:
matchLabels: matchLabels:
k8s-app: hubble-relay k8s-app: hubble-relay
- maxSkew: 1 - maxSkew: 1
topologyKey: kubernetes.io/hostname topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: DoNotSchedule whenUnsatisfiable: DoNotSchedule
labelSelector: labelSelector:
matchLabels: matchLabels:
k8s-app: hubble-relay k8s-app: hubble-relay
volumes: volumes:
- name: config - hostPath:
configMap: path: /var/run/cilium
type: Directory
name: hubble-sock-dir
- configMap:
name: hubble-relay-config name: hubble-relay-config
items: items:
- key: config.yaml - key: config.yaml
path: config.yaml path: config.yaml
- name: tls name: config
projected: - projected:
# note: the leading zero means this number is in octal representation: do not remove it
defaultMode: 0400
sources: sources:
- secret: - secret:
name: hubble-relay-client-certs name: hubble-relay-client-certs
@ -1820,14 +1648,13 @@ spec:
path: client.key path: client.key
- key: ca.crt - key: ca.crt
path: hubble-server-ca.crt path: hubble-server-ca.crt
name: tls
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
labels: labels:
k8s-app: cilium k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
name: hubble-server-certs name: hubble-server-certs
namespace: kube-system namespace: kube-system
spec: spec:
@ -1843,8 +1670,6 @@ kind: Certificate
metadata: metadata:
labels: labels:
k8s-app: cilium k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
name: hubble-relay-client-certs name: hubble-relay-client-certs
namespace: kube-system namespace: kube-system
spec: spec:
@ -1867,8 +1692,6 @@ metadata:
labels: labels:
io.cilium/app: operator io.cilium/app: operator
name: cilium-operator name: cilium-operator
app.kubernetes.io/name: cilium-operator
app.kubernetes.io/part-of: cilium
spec: spec:
selector: selector:
matchLabels: matchLabels: