This is a needed configuration option for users that want to combine
Cilium alongside with a ServiceMesh. Cilium by default will LB requests
at CNI layer meaning that the Sidecars of ServiceMesh Proxy are not able
to apply LB by themselves thus loosing the capability of applying their
features for traffic management.
Ref issue: https://github.com/istio/istio/issues/35531
Signed-off-by: dntosas <ntosas@gmail.com>
Annotations is pretty useful when you need third-party tool to add additional behavior
for a k8s resource.
Lots of auto-discovery tools are based on this annotations.
CNI chaining allows to use Cilium in combination with other CNI plugins.
With Cilium CNI chaining, the base network connectivity and IP address management is managed by the non-Cilium CNI plugin, but Cilium attaches eBPF programs to the network devices created by the non-Cilium plugin to provide L3/L4 network visibility, policy enforcement and other advanced features.
https://docs.cilium.io/en/v1.9/gettingstarted/cni-chaining/#cni-chaining
In our case, to be able to use the `HostPort` feature in our cluster, we need to enable the `portmap` plugin.
As per
3b17e06879,
node-local-dns addon is now builded with latest coreDNS base v1.8 and
that brings great consistency between cache and upstream servers in a
manner of configuration, metrics name convention, etc.
So in this commit, we bump node-local-dns image to latest v1.20.0 which
is build upon latest coreDNS and also add support for overriding this
field.
Signed-off-by: dntosas <ntosas@gmail.com>
In this commit, we enable users to choose WireGuard as their prefered
encryption type, leveraging this new feature from Cilium.
Ref: https://cilium.io/blog/2021/05/20/cilium-110#wireguard
Signed-off-by: dntosas <ntosas@gmail.com>
Node Problem Detector aims to make various node problems visible to
the upstream layers in the cluster management stack. It is a daemon
that runs on each node, detects node problems and reports them to apiserver
so to avoid scheduling new pods on bad nodes and also easily identify
which are the problems on underlying nodes.
Project Home: https://github.com/kubernetes/node-problem-detector
Signed-off-by: dntosas <ntosas@gmail.com>
Node termination handler as all daemonSets may play a critical role in
capacity planning, define resource policy for chosing instanceType etc.
In this commit, we enable users to define resources themselves to meet
their needs and also removed limits to convey with the chosen strategy
to avoid limits on such components.
Signed-off-by: dntosas <ntosas@gmail.com>
After upgrading Cilium to 1.8 via kops one of our clusters had a total
outage due to cilium reporting errors as below:
```
level=error msg="endpoint regeneration failed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=592 error="Failed to load tc filter: exit status 1" identity=40147 ipv4= ipv6= k8sPodName=/ subsys=endpoint
```
upon searching Cilium slack we found the below thread:
https://cilium.slack.com/archives/C1MATJ5U5/p1616400216167600
which recommended setting `enable-host-reachable-services` to true will
address the problems. We set the field and it fixed our issues too,
however we observed that kops does not have a means to configure this
hence this PR.
We will like to have this backported after it has been merged.
- Update manifests
- Bump components version
- Add API capability of setting Version + VolumeLimit
- Remove snapshot-controller resources as it should be independent from
any CSI driver
Signed-off-by: dntosas <ntosas@gmail.com>
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
Apply suggestions from code review
Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
Cilium as a CNI is a critical component for the cluster so it would be safe
to have some guaranteed resources as well as allowing the users to
define them based on their needs.
In this commit, we init default requested resources and add the
capability of user-defined values.
Signed-off-by: dntosas <ntosas@gmail.com>
Generate and upload keys.json + discovery.json to public store
Don't enable anonymous auth on publicjwks
Remove tests that won't work using FS VFS anymore
As with the Cluster-level "spec.updatePolicy" field, add a similar
field at the InstanceGroup level, allowing overriding of the
cluster-level choice in each InstanceGroup.
Introduce a new value for the field ("automatic") as equivalent to the
default value applied when the field is absent. Honoring this new
value allows disabling automatic updates at the cluster level, but
then enabling them again for particular InstanceGroups. Without such a
positive affirmation, it's not possible to override a cluster-level
"external" policy at the InstanceGroup level, as there's no way to
specify positively that you want to recover the default
value. Instead, expressing the explicit "automatic" value is clear and
unambiguous.
Ole Markus With