cilium
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
# File generated by install/kubernetes/Makefile; DO NOT EDIT.
2
# This file is based on install/kubernetes/cilium/*values.yaml.tmpl.
3
4
# @schema
5
# type: [null, string]
6
# @schema
7
# -- namespaceOverride allows to override the destination namespace for Cilium resources.
8
namespaceOverride: ""
9
# @schema
10
# type: [null, object]
11
# @schema
12
# -- commonLabels allows users to add common labels for all Cilium resources.
13
commonLabels: {}
14
# @schema
15
# type: [null, string]
16
# @schema
17
# -- upgradeCompatibility helps users upgrading to ensure that the configMap for
18
# Cilium will not change critical values to ensure continued operation
19
# This flag is not required for new installations.
20
# For example: '1.7', '1.8', '1.9'
21
upgradeCompatibility: null
22
debug:
23
# -- Enable debug logging
24
enabled: false
25
# @schema
26
# type: [null, string]
27
# @schema
28
# -- Configure verbosity levels for debug logging
29
# This option is used to enable debug messages for operations related to such
30
# sub-system such as (e.g. kvstore, envoy, datapath, policy, or tagged), and flow is
31
# for enabling debug messages emitted per request, message and connection.
32
# Multiple values can be set via a space-separated string (e.g. "datapath envoy").
33
#
34
# Applicable values:
35
# - flow
36
# - kvstore
37
# - envoy
38
# - datapath
39
# - policy
40
# - tagged
41
verbose: ~
42
# -- Set the agent-internal metrics sampling frequency. This sets the
43
# frequency of the internal sampling of the agent metrics. These are
44
# available via the "cilium-dbg shell -- metrics -s" command and are
45
# part of the metrics HTML page included in the sysdump.
46
# @schema
47
# type: [null, string]
48
# @schema
49
metricsSamplingInterval: "5m"
50
rbac:
51
# -- Enable creation of Resource-Based Access Control configuration.
52
create: true
53
# -- Configure image pull secrets for pulling container images
54
imagePullSecrets: []
55
# - name: "image-pull-secret"
56
57
# -- Configure iptables--random-fully. Disabled by default. View https://github.com/cilium/cilium/issues/13037 for more information.
58
iptablesRandomFully: false
59
# -- (string) Kubernetes config path
60
# @default -- `"~/.kube/config"`
61
kubeConfigPath: ""
62
# -- Configure the Kubernetes service endpoint dynamically using a ConfigMap. Mutually exclusive with `k8sServiceHost`.
63
k8sServiceHostRef:
64
# @schema
65
# type: [string, null]
66
# @schema
67
# -- (string) name of the ConfigMap containing the Kubernetes service endpoint
68
name:
69
# @schema
70
# type: [string, null]
71
# @schema
72
# -- (string) Key in the ConfigMap containing the Kubernetes service endpoint
73
key:
74
# -- (string) Kubernetes service host - use "auto" for automatic lookup from the cluster-info ConfigMap
75
k8sServiceHost: ""
76
# @schema
77
# type: [string, integer]
78
# @schema
79
# -- (string) Kubernetes service port
80
k8sServicePort: ""
81
# @schema
82
# type: [null, string]
83
# @schema
84
# -- (string) When `k8sServiceHost=auto`, allows to customize the configMap name. It defaults to `cluster-info`.
85
k8sServiceLookupConfigMapName: ""
86
# @schema
87
# type: [null, string]
88
# @schema
89
# -- (string) When `k8sServiceHost=auto`, allows to customize the namespace that contains `k8sServiceLookupConfigMapName`. It defaults to `kube-public`.
90
k8sServiceLookupNamespace: ""
91
# -- Configure the client side rate limit for the agent
92
#
93
# If the amount of requests to the Kubernetes API server exceeds the configured
94
# rate limit, the agent will start to throttle requests by delaying
95
# them until there is budget or the request times out.
96
k8sClientRateLimit:
97
# @schema
98
# type: [null, integer]
99
# @schema
100
# -- (int) The sustained request rate in requests per second.
101
# @default -- 10
102
qps:
103
# @schema
104
# type: [null, integer]
105
# @schema
106
# -- (int) The burst request rate in requests per second.
107
# The rate limiter will allow short bursts with a higher rate.
108
# @default -- 20
109
burst:
110
# -- Configure the client side rate limit for the Cilium Operator
111
operator:
112
# @schema
113
# type: [null, integer]
114
# @schema
115
# -- (int) The sustained request rate in requests per second.
116
# @default -- 100
117
qps:
118
# @schema
119
# type: [null, integer]
120
# @schema
121
# -- (int) The burst request rate in requests per second.
122
# The rate limiter will allow short bursts with a higher rate.
123
# @default -- 200
124
burst:
125
# -- Configure exponential backoff for client-go in Cilium agent.
126
k8sClientExponentialBackoff:
127
# -- Enable exponential backoff for client-go in Cilium agent.
128
enabled: true
129
# -- Configure base (in seconds) for exponential backoff.
130
backoffBaseSeconds: 1
131
# -- Configure maximum duration (in seconds) for exponential backoff.
132
backoffMaxDurationSeconds: 120
133
cluster:
134
# -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE.
135
# It must respect the following constraints:
136
# * It must contain at most 32 characters;
137
# * It must begin and end with a lower case alphanumeric character;
138
# * It may contain lower case alphanumeric characters and dashes between.
139
# The "default" name cannot be used if the Cluster ID is different from 0.
140
name: default
141
# -- (int) Unique ID of the cluster. Must be unique across all connected
142
# clusters and in the range of 1 to 255. Only required for Cluster Mesh,
143
# may be 0 if Cluster Mesh is not used.
144
id: 0
145
# -- Define serviceAccount names for components.
146
# @default -- Component's fully qualified name.
147
serviceAccounts:
148
cilium:
149
create: true
150
name: cilium
151
automount: true
152
annotations: {}
153
nodeinit:
154
create: true
155
# -- Enabled is temporary until https://github.com/cilium/cilium-cli/issues/1396 is implemented.
156
# Cilium CLI doesn't create the SAs for node-init, thus the workaround. Helm is not affected by
157
# this issue. Name and automount can be configured, if enabled is set to true.
158
# Otherwise, they are ignored. Enabled can be removed once the issue is fixed.
159
# Cilium-nodeinit DS must also be fixed.
160
enabled: false
161
name: cilium-nodeinit
162
automount: true
163
annotations: {}
164
envoy:
165
create: true
166
name: cilium-envoy
167
automount: true
168
annotations: {}
169
operator:
170
create: true
171
name: cilium-operator
172
automount: true
173
annotations: {}
174
preflight:
175
create: true
176
name: cilium-pre-flight
177
automount: true
178
annotations: {}
179
relay:
180
create: true
181
name: hubble-relay
182
automount: false
183
annotations: {}
184
ui:
185
create: true
186
name: hubble-ui
187
automount: true
188
annotations: {}
189
clustermeshApiserver:
190
create: true
191
name: clustermesh-apiserver
192
automount: true
193
annotations: {}
194
# -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
195
clustermeshcertgen:
196
create: true
197
name: clustermesh-apiserver-generate-certs
198
automount: true
199
annotations: {}
200
# -- Hubblecertgen is used if hubble.tls.auto.method=cronJob
201
hubblecertgen:
202
create: true
203
name: hubble-generate-certs
204
automount: true
205
annotations: {}
206
# -- CorednsMCSAPI is used if clustermesh.mcsapi.corednsAutoConfigure.enabled=true
207
corednsMCSAPI:
208
create: true
209
name: cilium-coredns-mcsapi-autoconfig
210
automount: true
211
annotations: {}
212
# -- Ztunnel is used if encryption.type=ztunnel
213
ztunnel:
214
create: true
215
name: ztunnel-cilium
216
automount: false
217
annotations: {}
218
# -- Configure termination grace period for cilium-agent DaemonSet.
219
terminationGracePeriodSeconds: 1
220
# -- Install the cilium agent resources.
221
agent: true
222
# -- Agent daemonset name.
223
name: cilium
224
# -- Roll out cilium agent pods automatically when configmap is updated.
225
rollOutCiliumPods: false
226
# -- Configuration for the ConfigMap drift detection feature.
227
# When enabled, the agent continuously watches the cilium-config ConfigMap
228
# and exposes a cilium_drift_checker_config_delta Prometheus metric reporting
229
# the number of keys that differ between the ConfigMap and the agent's active
230
# settings. A non-zero value indicates that the agent has not yet applied all
231
# current ConfigMap changes and needs to be restarted.
232
configDriftDetection:
233
# -- Enable watching of the cilium-config ConfigMap and reflecting its
234
# contents into the agent's internal DynamicConfig table.
235
enabled: true
236
# -- Enable the drift checker which compares the DynamicConfig table against
237
# the agent's active settings and publishes the
238
# cilium_drift_checker_config_delta metric.
239
driftChecker: true
240
# -- List of config-map keys to ignore when computing the drift delta.
241
ignoredKeys: []
242
# -- Agent container image.
243
image:
244
# @schema
245
# type: [null, string]
246
# @schema
247
override: ~
248
repository: chainreg.biz/chainguard-private/cilium-agent
249
tag: "1.19"
250
pullPolicy: "IfNotPresent"
251
# cilium-digest
252
digest: sha256:baf006651419a36e646a045eb027e41df676685cb52dc54a28db4529e21df2bc
253
useDigest: true
254
# -- Scheduling configurations for cilium pods
255
scheduling:
256
# @schema
257
# enum: ["anti-affinity", "kube-scheduler"]
258
# @schema
259
# -- Mode specifies how Cilium daemonset pods should be scheduled to Nodes.
260
# `anti-affinity` mode applies a pod anti-affinity rule to the cilium daemonset.
261
# Pod anti-affinity may significantly impact scheduling throughput for large clusters.
262
# See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
263
# `kube-scheduler` mode forgoes the anti-affinity rule for full scheduling throughput.
264
# Kube-scheduler avoids host port conflict when scheduling pods.
265
# @default -- Defaults to apply a pod anti-affinity rule to the agent pod - `anti-affinity`
266
mode: anti-affinity
267
# -- Affinity for cilium-agent.
268
affinity:
269
podAntiAffinity:
270
requiredDuringSchedulingIgnoredDuringExecution:
271
- topologyKey: kubernetes.io/hostname
272
labelSelector:
273
matchLabels:
274
k8s-app: cilium
275
# -- Node selector for cilium-agent.
276
nodeSelector:
277
kubernetes.io/os: linux
278
# -- Node tolerations for agent scheduling to nodes with taints
279
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
280
tolerations:
281
- operator: Exists
282
# - key: "key"
283
# operator: "Equal|Exists"
284
# value: "value"
285
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
286
# -- The priority class to use for cilium-agent.
287
priorityClassName: ""
288
# -- DNS policy for Cilium agent pods.
289
# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
290
dnsPolicy: ""
291
# -- Additional containers added to the cilium DaemonSet.
292
extraContainers: []
293
# -- Additional initContainers added to the cilium Daemonset.
294
extraInitContainers: []
295
# -- Additional agent container arguments.
296
extraArgs: []
297
# -- Additional agent container environment variables.
298
extraEnv: []
299
# -- Additional agent hostPath mounts.
300
extraHostPathMounts: []
301
# - name: host-mnt-data
302
# mountPath: /host/mnt/data
303
# hostPath: /mnt/data
304
# hostPathType: Directory
305
# readOnly: true
306
# mountPropagation: HostToContainer
307
308
# -- Additional agent volumes.
309
extraVolumes: []
310
# -- Additional agent volumeMounts.
311
extraVolumeMounts: []
312
# -- extraConfig allows you to specify additional configuration parameters to be
313
# included in the cilium-config configmap.
314
extraConfig: {}
315
# my-config-a: "1234"
316
# my-config-b: |-
317
# test 1
318
# test 2
319
# test 3
320
321
# -- Annotations to be added to all top-level cilium-agent objects (resources under templates/cilium-agent)
322
annotations: {}
323
# -- Security Context for cilium-agent pods.
324
podSecurityContext:
325
# -- AppArmorProfile options for the `cilium-agent` and init containers
326
appArmorProfile:
327
type: "Unconfined"
328
seccompProfile:
329
type: "Unconfined"
330
# -- Annotations to be added to agent pods
331
podAnnotations: {}
332
# -- Labels to be added to agent pods
333
podLabels: {}
334
# -- Agent resource limits & requests
335
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
336
resources: {}
337
# limits:
338
# cpu: 4000m
339
# memory: 4Gi
340
# requests:
341
# cpu: 100m
342
# memory: 512Mi
343
344
# -- resources & limits for the agent init containers
345
initResources: {}
346
securityContext:
347
# -- User to run the pod with
348
# runAsUser: 0
349
# -- disable privilege escalation
350
allowPrivilegeEscalation: false
351
# -- Run the pod with elevated privileges
352
privileged: false
353
# -- SELinux options for the `cilium-agent` and init containers
354
seLinuxOptions:
355
level: 's0'
356
# Running with spc_t since we have removed the privileged mode.
357
# Users can change it to a different type as long as they have the
358
# type available on the system.
359
type: 'spc_t'
360
capabilities:
361
# -- Capabilities for the `cilium-agent` container
362
ciliumAgent:
363
# Use to set socket permission
364
- CHOWN
365
# Used to terminate envoy child process
366
- KILL
367
# Used since cilium modifies routing tables, etc...
368
- NET_ADMIN
369
# Used since cilium creates raw sockets, etc...
370
- NET_RAW
371
# Used since cilium monitor uses mmap
372
- IPC_LOCK
373
# Used in iptables. Consider removing once we are iptables-free
374
- SYS_MODULE
375
# Needed to switch network namespaces (used for health endpoint, socket-LB).
376
# We need it for now but might not need it for >= 5.11 specially
377
# for the 'SYS_RESOURCE'.
378
# In >= 5.8 there's already BPF and PERMON capabilities
379
- SYS_ADMIN
380
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
381
- SYS_RESOURCE
382
# Both PERFMON and BPF requires kernel 5.8, container runtime
383
# cri-o >= v1.22.0 or containerd >= v1.5.0.
384
# If available, SYS_ADMIN can be removed.
385
#- PERFMON
386
#- BPF
387
# Allow discretionary access control (e.g. required for package installation)
388
- DAC_OVERRIDE
389
# Allow to set Access Control Lists (ACLs) on arbitrary files (e.g. required for package installation)
390
- FOWNER
391
# Allow to execute program that changes GID (e.g. required for package installation)
392
- SETGID
393
# Allow to execute program that changes UID (e.g. required for package installation)
394
- SETUID
395
# Allow to read dmesg and get kernel pointers when kptr_restrict=1
396
- SYSLOG
397
# -- Capabilities for the `mount-cgroup` init container
398
mountCgroup:
399
# Only used for 'mount' cgroup
400
- SYS_ADMIN
401
# Used for nsenter
402
- SYS_CHROOT
403
- SYS_PTRACE
404
# -- capabilities for the `apply-sysctl-overwrites` init container
405
applySysctlOverwrites:
406
# Required in order to access host's /etc/sysctl.d dir
407
- SYS_ADMIN
408
# Used for nsenter
409
- SYS_CHROOT
410
- SYS_PTRACE
411
# -- Capabilities for the `clean-cilium-state` init container
412
cleanCiliumState:
413
# Most of the capabilities here are the same ones used in the
414
# cilium-agent's container because this container can be used to
415
# uninstall all Cilium resources, and therefore it is likely that
416
# will need the same capabilities.
417
# Used since cilium modifies routing tables, etc...
418
- NET_ADMIN
419
# Used in iptables. Consider removing once we are iptables-free
420
- SYS_MODULE
421
# We need it for now but might not need it for >= 5.11 specially
422
# for the 'SYS_RESOURCE'.
423
# In >= 5.8 there's already BPF and PERMON capabilities
424
- SYS_ADMIN
425
# Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC
426
- SYS_RESOURCE
427
# Both PERFMON and BPF requires kernel 5.8, container runtime
428
# cri-o >= v1.22.0 or containerd >= v1.5.0.
429
# If available, SYS_ADMIN can be removed.
430
#- PERFMON
431
#- BPF
432
# -- Cilium agent update strategy
433
updateStrategy:
434
type: RollingUpdate
435
rollingUpdate:
436
# @schema
437
# type: [integer, string]
438
# @schema
439
maxUnavailable: 2
440
# Configuration Values for cilium-agent
441
aksbyocni:
442
# -- Enable AKS BYOCNI integration.
443
# Note that this is incompatible with AKS clusters not created in BYOCNI mode:
444
# use Azure integration (`azure.enabled`) instead.
445
enabled: false
446
# @schema
447
# type: [boolean, string]
448
# @schema
449
# -- Enable installation of PodCIDR routes between worker
450
# nodes if worker nodes share a common L2 network segment.
451
autoDirectNodeRoutes: false
452
# -- Enable skipping of PodCIDR routes between worker
453
# nodes if the worker nodes are in a different L2 network segment.
454
directRoutingSkipUnreachable: false
455
# -- Annotate k8s node upon initialization with Cilium's metadata.
456
annotateK8sNode: false
457
azure:
458
# -- Enable Azure integration.
459
# Note that this is incompatible with AKS clusters created in BYOCNI mode: use
460
# AKS BYOCNI integration (`aksbyocni.enabled`) instead.
461
enabled: false
462
# usePrimaryAddress: false
463
# resourceGroup: group1
464
# subscriptionID: 00000000-0000-0000-0000-000000000000
465
# tenantID: 00000000-0000-0000-0000-000000000000
466
# clientID: 00000000-0000-0000-0000-000000000000
467
# clientSecret: 00000000-0000-0000-0000-000000000000
468
# userAssignedIdentityID: 00000000-0000-0000-0000-000000000000
469
nodeSpec:
470
azureInterfaceName: ""
471
alibabacloud:
472
# -- Enable AlibabaCloud ENI integration
473
enabled: false
474
nodeSpec:
475
vSwitches: []
476
vSwitchTags: []
477
securityGroups: []
478
securityGroupTags: []
479
# -- Enable bandwidth manager to optimize TCP and UDP workloads and allow
480
# for rate-limiting traffic from individual Pods with EDT (Earliest Departure
481
# Time) through the "kubernetes.io/egress-bandwidth" Pod annotation.
482
bandwidthManager:
483
# -- Enable bandwidth manager infrastructure (also prerequirement for BBR)
484
enabled: false
485
# -- Activate BBR TCP congestion control for Pods
486
bbr: false
487
# -- Activate BBR TCP congestion control for Pods in the host namespace only.
488
bbrHostNamespaceOnly: false
489
# -- Configure standalone NAT46/NAT64 gateway
490
nat46x64Gateway:
491
# -- Enable RFC6052-prefixed translation
492
enabled: false
493
# -- Configure L2 announcements
494
l2announcements:
495
# -- Enable L2 announcements
496
enabled: false
497
# -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked
498
# leaseDuration: 15s
499
# -- The interval at which the leader will renew the lease
500
# leaseRenewDeadline: 5s
501
# -- The timeout between retries if renewal fails
502
# leaseRetryPeriod: 2s
503
# -- Configure L2 pod announcements
504
l2podAnnouncements:
505
# -- Enable L2 pod announcements
506
enabled: false
507
# -- Interface used for sending Gratuitous ARP pod announcements
508
interface: "eth0"
509
# -- A regular expression matching interfaces used for sending Gratuitous ARP pod announcements
510
# interfacePattern: ""
511
# -- This feature set enables virtual BGP routers to be created via BGP CRDs.
512
bgpControlPlane:
513
# -- Enables the BGP control plane.
514
enabled: false
515
# -- SecretsNamespace is the namespace which BGP support will retrieve secrets from.
516
secretsNamespace:
517
# -- Create secrets namespace for BGP secrets.
518
create: false
519
# -- The name of the secret namespace to which Cilium agents are given read access
520
name: kube-system
521
# -- Status reporting settings
522
statusReport:
523
# -- Enable/Disable BGP status reporting
524
# It is recommended to enable status reporting in general, but if you have any issue
525
# such as high API server load, you can disable it by setting this to false.
526
enabled: true
527
# -- BGP router-id allocation mode
528
routerIDAllocation:
529
# -- BGP router-id allocation mode. In default mode, the router-id is derived from the IPv4 address if it is available, or else it is determined by the lower 32 bits of the MAC address.
530
mode: "default"
531
# -- IP pool to allocate the BGP router-id from when the mode is ip-pool.
532
ipPool: ""
533
# -- Legacy BGP ORIGIN attribute settings
534
legacyOriginAttribute:
535
# -- Enable/Disable advertising LoadBalancerIP routes with the legacy
536
# BGP ORIGIN attribute value INCOMPLETE (2) instead of the default IGP (0).
537
# Enable for compatibility with the legacy behavior of MetalLB integration.
538
enabled: false
539
pmtuDiscovery:
540
# -- Enable path MTU discovery to send ICMP fragmentation-needed replies to
541
# the client.
542
enabled: false
543
# -- Enable kernel probing path MTU discovery for Pods which uses different message
544
# sizes to search for correct MTU value.
545
# Valid values are: always, blackhole, disabled and unset (or empty). If value
546
# is 'unset' or left empty then will not try to override setting.
547
packetizationLayerPMTUDMode: "blackhole"
548
bpf:
549
autoMount:
550
# -- Enable automatic mount of BPF filesystem
551
# When `autoMount` is enabled, the BPF filesystem is mounted at
552
# `bpf.root` path on the underlying host and inside the cilium agent pod.
553
# If users disable `autoMount`, it's expected that users have mounted
554
# bpffs filesystem at the specified `bpf.root` volume, and then the
555
# volume will be mounted inside the cilium agent pod at the same path.
556
enabled: true
557
# -- Configure the mount point for the BPF filesystem
558
root: /sys/fs/bpf
559
# -- Enables pre-allocation of eBPF map values. This increases
560
# memory usage but can reduce latency.
561
preallocateMaps: false
562
# @schema
563
# type: [null, integer]
564
# @schema
565
# -- (int) Configure the maximum number of entries in auth map.
566
# @default -- `524288`
567
authMapMax: ~
568
# -- Enable CT accounting for packets and bytes
569
ctAccounting: false
570
# @schema
571
# type: [null, integer]
572
# @schema
573
# -- (int) Configure the maximum number of entries in the TCP connection tracking
574
# table.
575
# @default -- `524288`
576
ctTcpMax: ~
577
# @schema
578
# type: [null, integer]
579
# @schema
580
# -- (int) Configure the maximum number of entries for the non-TCP connection
581
# tracking table.
582
# @default -- `262144`
583
ctAnyMax: ~
584
# -- Control to use a distributed per-CPU backend memory for the core BPF LRU maps
585
# which Cilium uses. This improves performance significantly, but it is also
586
# recommended to increase BPF map sizing along with that.
587
distributedLRU:
588
# -- Enable distributed LRU backend memory. For compatibility with existing
589
# installations it is off by default.
590
enabled: false
591
# -- Control events generated by the Cilium datapath exposed to Cilium monitor and Hubble.
592
# Helm configuration for BPF events map rate limiting is experimental and might change
593
# in upcoming releases.
594
events:
595
# -- Default settings for all types of events except dbg.
596
default:
597
# @schema
598
# type: [null, integer]
599
# @schema
600
# -- (int) Configure the limit of messages per second that can be written to
601
# BPF events map. The number of messages is averaged, meaning that if no messages
602
# were written to the map over 5 seconds, it's possible to write more events
603
# in the 6th second. If rateLimit is greater than 0, non-zero value for burstLimit must
604
# also be provided lest the configuration is considered invalid. Setting both burstLimit
605
# and rateLimit to 0 disables BPF events rate limiting.
606
# @default -- `0`
607
rateLimit: ~
608
# @schema
609
# type: [null, integer]
610
# @schema
611
# -- (int) Configure the maximum number of messages that can be written to BPF events
612
# map in 1 second. If burstLimit is greater than 0, non-zero value for rateLimit must
613
# also be provided lest the configuration is considered invalid. Setting both burstLimit
614
# and rateLimit to 0 disables BPF events rate limiting.
615
# @default -- `0`
616
burstLimit: ~
617
drop:
618
# -- Enable drop events.
619
enabled: true
620
policyVerdict:
621
# -- Enable policy verdict events.
622
enabled: true
623
trace:
624
# -- Enable trace events.
625
enabled: true
626
# @schema
627
# type: [null, integer]
628
# @schema
629
# -- Configure the maximum number of service entries in the
630
# load balancer maps.
631
lbMapMax: 65536
632
# @schema
633
# type: [null, integer]
634
# @schema
635
# -- (int) Configure the maximum number of entries for the NAT table.
636
# @default -- `524288`
637
natMax: ~
638
# @schema
639
# type: [null, integer]
640
# @schema
641
# -- (int) Configure the maximum number of entries for the neighbor table.
642
# @default -- `524288`
643
neighMax: ~
644
# @schema
645
# type: [null, integer]
646
# @schema
647
# @default -- `16384`
648
# -- (int) Configures the maximum number of entries for the node table.
649
nodeMapMax: ~
650
# -- Configure the maximum number of entries in endpoint policy map (per endpoint).
651
# @schema
652
# type: [null, integer]
653
# @schema
654
policyMapMax: 16384
655
# -- (float64) Configure threshold for emitting pressure metrics of policy maps.
656
# @schema
657
# type: [null, number]
658
# @schema
659
# @default -- `0.1`
660
policyMapPressureMetricsThreshold: ~
661
# -- Configure the maximum number of entries in global policy stats map.
662
# @schema
663
# type: [null, integer]
664
# @schema
665
policyStatsMapMax: 65536
666
# @schema
667
# type: [null, number, string]
668
# @schema
669
# -- (float64) Configure auto-sizing for all BPF maps based on available memory.
670
# ref: https://docs.cilium.io/en/stable/network/ebpf/maps/
671
# @default -- `0.0025`
672
mapDynamicSizeRatio: ~
673
# -- Configure the level of aggregation for monitor notifications.
674
# Valid options are none, low, medium, maximum.
675
monitorAggregation: medium
676
# -- Configure the typical time between monitor notifications for
677
# active connections.
678
monitorInterval: "5s"
679
# -- Configure which TCP flags trigger notifications when seen for the
680
# first time in a connection.
681
monitorFlags: "all"
682
# -- (bool) Allow cluster external access to ClusterIP services.
683
# @default -- `false`
684
lbExternalClusterIP: false
685
# -- (bool) Enable loadBalancerSourceRanges CIDR filtering for all service
686
# types, not just LoadBalancer services. The corresponding NodePort and
687
# ClusterIP (if enabled for cluster-external traffic) will also apply the
688
# CIDR filter.
689
# @default -- `false`
690
lbSourceRangeAllTypes: false
691
# -- (bool) Enable the option to define the load balancing algorithm on
692
# a per-service basis through service.cilium.io/lb-algorithm annotation.
693
# @default -- `false`
694
lbAlgorithmAnnotation: false
695
# -- (bool) Enable the option to define the load balancing mode (SNAT or DSR)
696
# on a per-service basis through service.cilium.io/forwarding-mode annotation.
697
# @default -- `false`
698
lbModeAnnotation: false
699
# @schema
700
# type: [null, boolean]
701
# @schema
702
# -- (bool) Enable native IP masquerade support in eBPF
703
# @default -- `false`
704
masquerade: ~
705
# @schema
706
# type: [null, boolean]
707
# @schema
708
# -- (bool) Configure whether direct routing mode should route traffic via
709
# host stack (true) or directly and more efficiently out of BPF (false) if
710
# the kernel supports it. The latter has the implication that it will also
711
# bypass netfilter in the host namespace.
712
# @default -- `false`
713
hostLegacyRouting: ~
714
# @schema
715
# type: [null, boolean]
716
# @schema
717
# -- (bool) Configure the eBPF-based TPROXY (beta) to reduce reliance on iptables rules
718
# for implementing Layer 7 policy. Note this is incompatible with netkit (`bpf.datapathMode=netkit`,
719
# `bpf.datapathMode=netkit-l2`).
720
# @default -- `false`
721
tproxy: ~
722
# @schema
723
# type: [null, array]
724
# @schema
725
# -- (list) Configure explicitly allowed VLAN id's for bpf logic bypass.
726
# [0] will allow all VLAN id's without any filtering.
727
# @default -- `[]`
728
vlanBypass: ~
729
# -- Configure the IP tracing option type.
730
# This option is used to specify the IP option type to use for tracing.
731
# The value must be an integer between 0 and 255.
732
# @schema
733
# type: [null, integer]
734
# minimum: 0
735
# maximum: 255
736
# @schema
737
monitorTraceIPOption: 0
738
# -- (bool) Disable ExternalIP mitigation (CVE-2020-8554)
739
# @default -- `false`
740
disableExternalIPMitigation: false
741
# -- (bool) Attach endpoint programs using tcx instead of legacy tc hooks on
742
# supported kernels.
743
# @default -- `true`
744
enableTCX: true
745
# -- (string) Mode for Pod devices for the core datapath (veth, netkit, netkit-l2).
746
# Note netkit is incompatible with TPROXY (`bpf.tproxy`).
747
# @default -- `veth`
748
datapathMode: veth
749
# -- Enable BPF clock source probing for more efficient tick retrieval.
750
bpfClockProbe: false
751
# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
752
# DaemonSet.
753
#
754
# WARNING: Use with care!
755
cleanBpfState: false
756
# -- Clean all local Cilium state from the initContainer of the cilium-agent
757
# DaemonSet. Implies cleanBpfState: true.
758
#
759
# WARNING: Use with care!
760
cleanState: false
761
# -- Wait for KUBE-PROXY-CANARY iptables rule to appear in "wait-for-kube-proxy"
762
# init container before launching cilium-agent.
763
# More context can be found in the commit message of below PR
764
# https://github.com/cilium/cilium/pull/20123
765
waitForKubeProxy: false
766
cni:
767
# -- Install the CNI configuration and binary files into the filesystem.
768
install: true
769
# -- Remove the CNI configuration and binary files on agent shutdown. Enable this
770
# if you're removing Cilium from the cluster. Disable this to prevent the CNI
771
# configuration file from being removed during agent upgrade, which can cause
772
# nodes to go unmanageable.
773
uninstall: false
774
# @schema
775
# type: [null, string]
776
# @schema
777
# -- Configure chaining on top of other CNI plugins. Possible values:
778
# - none
779
# - aws-cni
780
# - flannel
781
# - generic-veth
782
# - portmap
783
chainingMode: ~
784
# @schema
785
# type: [null, string]
786
# @schema
787
# -- A CNI network name in to which the Cilium plugin should be added as a chained plugin.
788
# This will cause the agent to watch for a CNI network with this network name. When it is
789
# found, this will be used as the basis for Cilium's CNI configuration file. If this is
790
# set, it assumes a chaining mode of generic-veth. As a special case, a chaining mode
791
# of aws-cni implies a chainingTarget of aws-cni.
792
chainingTarget: ~
793
# -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the
794
# node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
795
# This ensures no Pods can be scheduled using other CNI plugins during Cilium
796
# agent downtime.
797
exclusive: true
798
# -- Configure the log file for CNI logging with retention policy of 7 days.
799
# Disable CNI file logging by setting this field to empty explicitly.
800
logFile: /var/run/cilium/cilium-cni.log
801
# -- Skip writing of the CNI configuration. This can be used if
802
# writing of the CNI configuration is performed by external automation.
803
customConf: false
804
# -- Configure the path to the CNI configuration directory on the host.
805
confPath: /etc/cni/net.d
806
# -- Configure the path to the CNI binary directory on the host.
807
binPath: /opt/cni/bin
808
# -- Specify the path to a CNI config to read from on agent start.
809
# This can be useful if you want to manage your CNI
810
# configuration outside of a Kubernetes environment. This parameter is
811
# mutually exclusive with the 'cni.configMap' parameter. The agent will
812
# write this to 05-cilium.conflist on startup.
813
# readCniConf: /host/etc/cni/net.d/05-sample.conflist.input
814
815
# -- When defined, configMap will mount the provided value as ConfigMap and
816
# interpret the 'cni.configMapKey' value as CNI configuration file and write it
817
# when the agent starts up.
818
configMap: ""
819
# -- Configure the key in the CNI ConfigMap to read the contents of
820
# the CNI configuration from. For this to be effective, the 'cni.configMap'
821
# parameter must be specified too.
822
# Note that the 'cni.configMap' parameter is the name of the ConfigMap, while
823
# 'cni.configMapKey' is the name of the key in the ConfigMap data containing
824
# the actual configuration.
825
configMapKey: cni-config
826
# -- Configure the path to where to mount the ConfigMap inside the agent pod.
827
confFileMountPath: /tmp/cni-configuration
828
# -- Configure the path to where the CNI configuration directory is mounted
829
# inside the agent pod.
830
hostConfDirMountPath: /host/etc/cni/net.d
831
# -- Specifies the resources for the cni initContainer
832
resources:
833
requests:
834
# @schema
835
# type: [integer, string]
836
# @schema
837
cpu: 100m
838
memory: 10Mi
839
limits:
840
# @schema
841
# type: [integer, string]
842
# @schema
843
cpu: 1
844
memory: 1Gi
845
# -- Enable route MTU for pod netns when CNI chaining is used
846
enableRouteMTUForCNIChaining: false
847
# -- Enable the removal of iptables rules created by the AWS CNI VPC plugin.
848
iptablesRemoveAWSRules: true
849
# @schema
850
# type: [null, number]
851
# @schema
852
# -- (float64) Ratio of the connectivity probe frequency vs resource usage, a float in
853
# [0, 1]. 0 will give more frequent probing, 1 will give less frequent probing. Probing
854
# frequency is dynamically adjusted based on the cluster size.
855
# @default -- `0.5`
856
connectivityProbeFrequencyRatio: ~
857
# -- (string) Configure how frequently garbage collection should occur for the datapath
858
# connection tracking table.
859
# @default -- `"0s"`
860
conntrackGCInterval: ""
861
# -- (string) Configure the maximum frequency for the garbage collection of the
862
# connection tracking table. Only affects the automatic computation for the frequency
863
# and has no effect when 'conntrackGCInterval' is set. This can be set to more frequently
864
# clean up unused identities created from ToFQDN policies.
865
conntrackGCMaxInterval: ""
866
# -- (string) Configure timeout in which Cilium will exit if CRDs are not available
867
# @default -- `"5m"`
868
crdWaitTimeout: ""
869
daemon:
870
# -- Configure where Cilium runtime state should be stored.
871
runPath: "/var/run/cilium"
872
# @schema
873
# type: [null, string]
874
# @schema
875
# -- Configure a custom list of possible configuration override sources
876
# The default is "config-map:cilium-config,cilium-node-config". For supported
877
# values, see the help text for the build-config subcommand.
878
# Note that this value should be a comma-separated string.
879
configSources: ~
880
# @schema
881
# type: [null, string]
882
# @schema
883
# -- allowedConfigOverrides is a list of config-map keys that can be overridden.
884
# That is to say, if this value is set, config sources (excepting the first one) can
885
# only override keys in this list.
886
#
887
# This takes precedence over blockedConfigOverrides.
888
#
889
# By default, all keys may be overridden. To disable overrides, set this to "none" or
890
# change the configSources variable.
891
allowedConfigOverrides: ~
892
# @schema
893
# type: [null, string]
894
# @schema
895
# -- blockedConfigOverrides is a list of config-map keys that may not be overridden.
896
# In other words, if any of these keys appear in a configuration source excepting the
897
# first one, they will be ignored
898
#
899
# This is ignored if allowedConfigOverrides is set.
900
#
901
# By default, all keys may be overridden.
902
blockedConfigOverrides: ~
903
# @schema
904
# type: [null, boolean]
905
# @schema
906
# -- enableSourceIPVerification is a boolean flag to enable or disable the Source IP verification
907
# of endpoints. This flag is useful when Cilium is chained with other CNIs.
908
#
909
# By default, this functionality is enabled
910
enableSourceIPVerification: true
911
# -- Configure temporary volume for cilium-agent
912
tmpVolume: {}
913
# emptyDir:
914
# sizeLimit: "100Mi"
915
# medium: "Memory"
916
917
# -- Specify which network interfaces can run the eBPF datapath. This means
918
# that a packet sent from a pod to a destination outside the cluster will be
919
# masqueraded (to an output device IPv4 address), if the output device runs the
920
# program. When not specified, probing will automatically detect devices that have
921
# a non-local route. This should be used only when autodetection is not suitable.
922
# devices: ""
923
924
# -- Forces the auto-detection of devices, even if specific devices are explicitly listed
925
forceDeviceDetection: false
926
# -- Chains to ignore when installing feeder rules.
927
# disableIptablesFeederRules: ""
928
929
# -- Limit iptables-based egress masquerading to interface selector.
930
# egressMasqueradeInterfaces: ""
931
932
# -- Enable setting identity mark for local traffic.
933
# enableIdentityMark: true
934
935
# -- CiliumEndpointSlice configuration options.
936
ciliumEndpointSlice:
937
# -- Enable Cilium EndpointSlice feature.
938
enabled: false
939
# -- List of rate limit options to be used for the CiliumEndpointSlice controller.
940
# Each object in the list must have the following fields:
941
# nodes: Count of nodes at which to apply the rate limit.
942
# limit: The sustained request rate in requests per second. The maximum rate that can be configured is 50.
943
# burst: The burst request rate in requests per second. The maximum burst that can be configured is 100.
944
rateLimits:
945
- nodes: 0
946
limit: 10
947
burst: 20
948
- nodes: 100
949
limit: 50
950
burst: 100
951
# @schema
952
# enum: ["agent", "operator", "both"]
953
# @schema
954
# -- Control whether CiliumIdentities are created by the agent ("agent"), the operator ("operator") or both ("both").
955
# "Both" should be used only to migrate between "agent" and "operator".
956
# Operator-managed identities is a beta feature.
957
identityManagementMode: "agent"
958
envoyConfig:
959
# -- Enable CiliumEnvoyConfig CRD
960
# CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
961
enabled: false
962
# -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.
963
secretsNamespace:
964
# -- Create secrets namespace for CiliumEnvoyConfig CRDs.
965
create: true
966
# -- The name of the secret namespace to which Cilium agents are given read access.
967
name: cilium-secrets
968
# -- Interval in which an attempt is made to reconcile failed EnvoyConfigs. If the duration is zero, the retry is deactivated.
969
retryInterval: 15s
970
ingressController:
971
# -- Enable cilium ingress controller
972
# This will automatically set enable-envoy-config as well.
973
enabled: false
974
# -- Set cilium ingress controller to be the default ingress controller
975
# This will let cilium ingress controller route entries without ingress class set
976
default: false
977
# -- Default ingress load balancer mode
978
# Supported values: shared, dedicated
979
# For granular control, use the following annotations on the ingress resource:
980
# "ingress.cilium.io/loadbalancer-mode: dedicated" (or "shared").
981
loadbalancerMode: dedicated
982
# -- Enforce https for host having matching TLS host in Ingress.
983
# Incoming traffic to http listener will return 308 http error code with respective location in header.
984
enforceHttps: true
985
# -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
986
enableProxyProtocol: false
987
# -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service
988
ingressLBAnnotationPrefixes: ['lbipam.cilium.io', 'nodeipam.cilium.io', 'service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
989
# @schema
990
# type: [null, string]
991
# @schema
992
# -- Default secret namespace for ingresses without .spec.tls[].secretName set.
993
defaultSecretNamespace:
994
# @schema
995
# type: [null, string]
996
# @schema
997
# -- Default secret name for ingresses without .spec.tls[].secretName set.
998
defaultSecretName:
999
# -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
1000
secretsNamespace:
1001
# -- Create secrets namespace for Ingress.
1002
create: true
1003
# -- Name of Ingress secret namespace.
1004
name: cilium-secrets
1005
# -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
1006
# If disabled, TLS secrets must be maintained externally.
1007
sync: true
1008
# -- Load-balancer service in shared mode.
1009
# This is a single load-balancer service for all Ingress resources.
1010
service:
1011
# -- Service name
1012
name: cilium-ingress
1013
# -- Labels to be added for the shared LB service
1014
labels: {}
1015
# -- Annotations to be added for the shared LB service
1016
annotations: {}
1017
# -- Service type for the shared LB service
1018
type: LoadBalancer
1019
# @schema
1020
# type: [null, integer]
1021
# @schema
1022
# -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service
1023
insecureNodePort: ~
1024
# @schema
1025
# type: [null, integer]
1026
# @schema
1027
# -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service
1028
secureNodePort: ~
1029
# @schema
1030
# type: [null, string]
1031
# @schema
1032
# -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)
1033
loadBalancerClass: ~
1034
# @schema
1035
# type: [null, string]
1036
# @schema
1037
# -- Configure a specific loadBalancerIP on the shared LB service
1038
loadBalancerIP: ~
1039
# @schema
1040
# type: [null, boolean]
1041
# @schema
1042
# -- Configure if node port allocation is required for LB service
1043
# ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
1044
allocateLoadBalancerNodePorts: ~
1045
# -- Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for Cilium Ingress in shared mode.
1046
# Valid values are "Cluster" and "Local".
1047
# ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy
1048
externalTrafficPolicy: Cluster
1049
# Host Network related configuration
1050
hostNetwork:
1051
# -- Configure whether the Envoy listeners should be exposed on the host network.
1052
enabled: false
1053
# -- Configure a specific port on the host network that gets used for the shared listener.
1054
sharedListenerPort: 8080
1055
# Specify the nodes where the Ingress listeners should be exposed
1056
nodes:
1057
# -- Specify the labels of the nodes where the Ingress listeners should be exposed
1058
#
1059
# matchLabels:
1060
# kubernetes.io/os: linux
1061
# kubernetes.io/hostname: kind-worker
1062
matchLabels: {}
1063
gatewayAPI:
1064
# -- Enable support for Gateway API in cilium
1065
# This will automatically set enable-envoy-config as well.
1066
enabled: false
1067
# -- Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
1068
enableProxyProtocol: false
1069
# -- Enable Backend Protocol selection support (GEP-1911) for Gateway API via appProtocol.
1070
enableAppProtocol: false
1071
# -- Enable ALPN for all listeners configured with Gateway API. ALPN will attempt HTTP/2, then HTTP 1.1.
1072
# Note that this will also enable `appProtocol` support, and services that wish to use HTTP/2 will need to indicate that via their `appProtocol`.
1073
enableAlpn: false
1074
# -- The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
1075
xffNumTrustedHops: 0
1076
# -- Control how traffic from external sources is routed to the LoadBalancer Kubernetes Service for all Cilium GatewayAPI Gateway instances. Valid values are "Cluster" and "Local".
1077
# Note that this value will be ignored when `hostNetwork.enabled == true`.
1078
# ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#external-traffic-policy
1079
externalTrafficPolicy: Cluster
1080
gatewayClass:
1081
# -- Enable creation of GatewayClass resource
1082
# The default value is 'auto' which decides according to presence of gateway.networking.k8s.io/v1/GatewayClass in the cluster.
1083
# Other possible values are 'true' and 'false', which will either always or never create the GatewayClass, respectively.
1084
create: auto
1085
# -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
1086
secretsNamespace:
1087
# -- Create secrets namespace for Gateway API.
1088
create: true
1089
# -- Name of Gateway API secret namespace.
1090
name: cilium-secrets
1091
# -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
1092
# If disabled, TLS secrets must be maintained externally.
1093
sync: true
1094
# Host Network related configuration
1095
hostNetwork:
1096
# -- Configure whether the Envoy listeners should be exposed on the host network.
1097
enabled: false
1098
# Specify the nodes where the Ingress listeners should be exposed
1099
nodes:
1100
# -- Specify the labels of the nodes where the Ingress listeners should be exposed
1101
#
1102
# matchLabels:
1103
# kubernetes.io/os: linux
1104
# kubernetes.io/hostname: kind-worker
1105
matchLabels: {}
1106
# -- Enables the fallback compatibility solution for when the xt_socket kernel
1107
# module is missing and it is needed for the datapath L7 redirection to work
1108
# properly. See documentation for details on when this can be disabled:
1109
# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel.
1110
enableXTSocketFallback: true
1111
encryption:
1112
# -- Enable transparent network encryption.
1113
enabled: false
1114
# -- Encryption method. Can be one of ipsec, wireguard or ztunnel.
1115
type: ipsec
1116
# -- Enable encryption for pure node to node traffic.
1117
# This option is only effective when encryption.type is set to "wireguard".
1118
nodeEncryption: false
1119
# -- Configure the Encryption Pod2Pod strict mode.
1120
strictMode:
1121
# -- Enable Encryption Pod2Pod strict mode. (deprecated: please use encryption.strictMode.egress.enabled)
1122
enabled: false
1123
# -- CIDR for the Encryption Pod2Pod strict mode. (deprecated: please use encryption.strictMode.egress.cidr)
1124
cidr: ""
1125
# -- Allow dynamic lookup of remote node identities. (deprecated: please use encryption.strictMode.egress.allowRemoteNodeIdentities)
1126
# This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
1127
allowRemoteNodeIdentities: false
1128
egress:
1129
# -- Enable strict egress encryption.
1130
enabled: false
1131
# -- CIDR for the Encryption Pod2Pod strict egress mode.
1132
cidr: ""
1133
# -- Allow dynamic lookup of remote node identities.
1134
# This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
1135
allowRemoteNodeIdentities: false
1136
ingress:
1137
# -- Enable strict ingress encryption.
1138
# When enabled, all unencrypted overlay ingress traffic will be dropped.
1139
# This option is only applicable when WireGuard and tunneling are enabled.
1140
enabled: false
1141
ipsec:
1142
# -- Name of the key file inside the Kubernetes secret configured via secretName.
1143
keyFile: keys
1144
# -- Path to mount the secret inside the Cilium pod.
1145
mountPath: /etc/ipsec
1146
# -- Name of the Kubernetes secret containing the encryption keys.
1147
secretName: cilium-ipsec-keys
1148
# -- The interface to use for encrypted traffic.
1149
interface: ""
1150
# -- Enable the key watcher. If disabled, a restart of the agent will be
1151
# necessary on key rotations.
1152
keyWatcher: true
1153
# -- Maximum duration of the IPsec key rotation. The previous key will be
1154
# removed after that delay.
1155
keyRotationDuration: "5m"
1156
# -- Enable IPsec encrypted overlay
1157
encryptedOverlay: false
1158
wireguard:
1159
# -- Controls WireGuard PersistentKeepalive option. Set 0s to disable.
1160
persistentKeepalive: 0s
1161
# -- ztunnel encryption configuration.
1162
# ztunnel is Istio's purpose-built, per-node proxy for handling L4 traffic in ambient mesh mode.
1163
# These settings only apply when encryption.type is set to "ztunnel".
1164
ztunnel:
1165
# -- ztunnel container image.
1166
image:
1167
# @schema
1168
# type: [null, string]
1169
# @schema
1170
override: ~
1171
repository: chainreg.biz/chainguard-private/ztunnel
1172
tag: latest
1173
pullPolicy: "IfNotPresent"
1174
# @schema
1175
# type: [null, string]
1176
# @schema
1177
digest: sha256:8e979bb86cd0d32f8b745648085f516bdc2cbaa82ad365a260b8242e6ae26773
1178
useDigest: true
1179
# -- CA server address for certificate requests.
1180
caAddress: "https://localhost:15012"
1181
# -- TCP port for the health API.
1182
healthPort: 15021
1183
# -- ztunnel resource limits & requests.
1184
resources:
1185
requests:
1186
cpu: 200m
1187
memory: 512Mi
1188
# -- ztunnel update strategy.
1189
updateStrategy:
1190
type: RollingUpdate
1191
rollingUpdate:
1192
maxSurge: 1
1193
maxUnavailable: 0
1194
# -- Configure termination grace period for ztunnel DaemonSet.
1195
terminationGracePeriodSeconds: 30
1196
# -- Readiness probe configuration.
1197
readinessProbe:
1198
initialDelaySeconds: 0
1199
periodSeconds: 10
1200
failureThreshold: 3
1201
# -- Node selector for ztunnel pods.
1202
nodeSelector:
1203
kubernetes.io/os: linux
1204
# -- Node tolerations for ztunnel scheduling.
1205
tolerations:
1206
- effect: NoSchedule
1207
operator: Exists
1208
- key: CriticalAddonsOnly
1209
operator: Exists
1210
- effect: NoExecute
1211
operator: Exists
1212
# -- Affinity for ztunnel pods.
1213
affinity: {}
1214
# @schema
1215
# type: [null, string]
1216
# @schema
1217
# -- The priority class to use for ztunnel pods.
1218
priorityClassName: ~
1219
# -- Annotations to be added to all ztunnel resources.
1220
annotations: {}
1221
# -- Annotations to be added to ztunnel pods.
1222
podAnnotations: {}
1223
# -- Labels to be added to ztunnel pods.
1224
podLabels: {}
1225
# -- Additional ztunnel container environment variables.
1226
extraEnv: []
1227
# -- Additional ztunnel volumes.
1228
extraVolumes: []
1229
# -- Additional ztunnel volumeMounts.
1230
extraVolumeMounts: []
1231
# -- ztunnel secrets configuration.
1232
secrets:
1233
# -- Base64-encoded bootstrap root certificate content.
1234
# If not provided, the secret must be created manually before deploying.
1235
# @schema
1236
# type: [null, string]
1237
# @schema
1238
bootstrapRootCert: ~
1239
endpointHealthChecking:
1240
# -- Enable connectivity health checking between virtual endpoints.
1241
enabled: true
1242
# -- Max duration to wait for envoy to respond to configuration changes. Default "10s".
1243
endpointPolicyUpdateTimeoutDuration: null
1244
endpointRoutes:
1245
# @schema
1246
# type: [boolean, string]
1247
# @schema
1248
# -- Enable use of per endpoint routes instead of routing via
1249
# the cilium_host interface.
1250
enabled: false
1251
k8sNetworkPolicy:
1252
# -- Enable support for K8s NetworkPolicy
1253
enabled: true
1254
# -- Enable endpoint lockdown on policy map overflow.
1255
endpointLockdownOnMapOverflow: false
1256
eni:
1257
# -- Enable Elastic Network Interface (ENI) integration.
1258
enabled: false
1259
# -- Release IPs not used from the ENI
1260
awsReleaseExcessIPs: false
1261
# -- Enable ENI prefix delegation
1262
awsEnablePrefixDelegation: false
1263
# -- EC2 API endpoint to use
1264
ec2APIEndpoint: ""
1265
# -- Tags to apply to the newly created ENIs
1266
eniTags: {}
1267
# -- Interval for garbage collection of unattached ENIs. Set to "0s" to disable.
1268
# @default -- `"5m"`
1269
gcInterval: ""
1270
# -- Additional tags attached to ENIs created by Cilium.
1271
# Dangling ENIs with this tag will be garbage collected
1272
# @default -- `{"io.cilium/cilium-managed":"true,"io.cilium/cluster-name":"<auto-detected>"}`
1273
gcTags: {}
1274
# -- If using IAM role for Service Accounts will not try to
1275
# inject identity values from cilium-aws kubernetes secret.
1276
# Adds annotation to service account if managed by Helm.
1277
# See https://github.com/aws/amazon-eks-pod-identity-webhook
1278
iamRole: ""
1279
# -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs
1280
# Important note: This requires that each instance has an ENI with a matching subnet attached
1281
# when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,
1282
# use the CNI configuration file settings (cni.customConf) instead.
1283
subnetIDsFilter: []
1284
# -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs
1285
# Important note: This requires that each instance has an ENI with a matching subnet attached
1286
# when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium,
1287
# use the CNI configuration file settings (cni.customConf) instead.
1288
subnetTagsFilter: []
1289
# -- Filter via AWS EC2 Instance tags (k=v) which will dictate which AWS EC2 Instances
1290
# are going to be used to create new ENIs
1291
instanceTagsFilter: []
1292
# -- NodeSpec configuration for the ENI
1293
nodeSpec:
1294
# -- First interface index to use for IP allocation
1295
# @schema
1296
# type: [null, integer]
1297
# @schema
1298
firstInterfaceIndex: ~
1299
# -- Subnet IDs to use for IP allocation
1300
subnetIDs: []
1301
# -- Subnet tags to use for IP allocation
1302
subnetTags: []
1303
# -- Security groups to use for IP allocation
1304
securityGroups: []
1305
# -- Security group tags to use for IP allocation
1306
securityGroupTags: []
1307
# -- Exclude interface tags to use for IP allocation
1308
excludeInterfaceTags: []
1309
# -- Use primary address for IP allocation
1310
usePrimaryAddress: false
1311
# -- Disable prefix delegation for IP allocation
1312
disablePrefixDelegation: false
1313
# -- Delete ENI on termination
1314
# @schema
1315
# type: [null, boolean]
1316
# @schema
1317
deleteOnTermination: ~
1318
# fragmentTracking enables IPv4 fragment tracking support in the datapath.
1319
# fragmentTracking: true
1320
gke:
1321
# -- Enable Google Kubernetes Engine integration
1322
enabled: false
1323
# -- Enable connectivity health checking.
1324
healthChecking: true
1325
# -- TCP port for the agent health API. This is not the port for cilium-health.
1326
healthPort: 9879
1327
# -- Number of ICMP requests sent for each health check before marking a node or endpoint unreachable.
1328
healthCheckICMPFailureThreshold: 3
1329
# -- Configure the host firewall.
1330
hostFirewall:
1331
# -- Enables the enforcement of host policies in the eBPF datapath.
1332
enabled: false
1333
# -- Enable routing to a service that has zero endpoints
1334
enableNoServiceEndpointsRoutable: true
1335
# -- Configure socket LB
1336
socketLB:
1337
# -- Enable socket LB
1338
enabled: false
1339
# -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
1340
# hostNamespaceOnly: false
1341
# -- Enable terminating pod connections to deleted service backends.
1342
# terminatePodConnections: true
1343
# -- Enables tracing for socket-based load balancing.
1344
# tracing: true
1345
# -- Configure certificate generation for Hubble integration.
1346
# If hubble.tls.auto.method=cronJob, these values are used
1347
# for the Kubernetes CronJob which will be scheduled regularly to
1348
# (re)generate any certificates not provided manually.
1349
certgen:
1350
# -- When set to true the certificate authority secret is created.
1351
generateCA: true
1352
image:
1353
# @schema
1354
# type: [null, string]
1355
# @schema
1356
override: ~
1357
repository: chainreg.biz/chainguard-private/cilium-certgen
1358
tag: latest
1359
digest: sha256:5912e556d9964998f76a4ab0ae6ea1413739c5960ff217cd65e39f4b4ec12330
1360
useDigest: true
1361
pullPolicy: "IfNotPresent"
1362
# @schema
1363
# type: [null, integer]
1364
# @schema
1365
# -- Seconds after which the completed job pod will be deleted
1366
ttlSecondsAfterFinished: null
1367
# -- Labels to be added to hubble-certgen pods
1368
podLabels: {}
1369
# -- Annotations to be added to the hubble-certgen initial Job and CronJob
1370
annotations:
1371
job: {}
1372
cronJob: {}
1373
# -- Node selector for certgen
1374
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
1375
nodeSelector: {}
1376
# -- Priority class for certgen
1377
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
1378
priorityClassName: ""
1379
# -- Node tolerations for pod assignment on nodes with taints
1380
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
1381
tolerations: []
1382
# -- Resource limits for certgen
1383
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
1384
resources: {}
1385
# -- Additional certgen volumes.
1386
extraVolumes: []
1387
# -- Additional certgen volumeMounts.
1388
extraVolumeMounts: []
1389
# -- Affinity for certgen
1390
affinity: {}
1391
cronJob:
1392
# -- The number of successful finished jobs to keep
1393
successfulJobsHistoryLimit: 3
1394
# -- The number of failed finished jobs to keep
1395
failedJobsHistoryLimit: 1
1396
hubble:
1397
# -- Enable Hubble (true by default).
1398
enabled: true
1399
# -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)
1400
annotations: {}
1401
# -- Buffer size of the channel Hubble uses to receive monitor events. If this
1402
# value is not set, the queue size is set to the default monitor queue size.
1403
# eventQueueSize: ""
1404
1405
# -- Number of recent flows for Hubble to cache. Defaults to 4095.
1406
# Possible values are:
1407
# 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,
1408
# 2047, 4095, 8191, 16383, 32767, 65535
1409
# eventBufferCapacity: "4095"
1410
1411
# -- The interval at which Hubble will send out lost events from the Observer server, if any.
1412
# lostEventSendInterval: 1s
1413
1414
# -- Hubble metrics configuration.
1415
# See https://docs.cilium.io/en/stable/observability/metrics/#hubble-metrics
1416
# for more comprehensive documentation about Hubble metrics.
1417
metrics:
1418
# @schema
1419
# type: [null, array]
1420
# @schema
1421
# -- Configures the list of metrics to collect. If empty or null, metrics
1422
# are disabled.
1423
# Example:
1424
#
1425
# enabled:
1426
# - dns:query;ignoreAAAA
1427
# - drop
1428
# - tcp
1429
# - flow
1430
# - icmp
1431
# - http
1432
#
1433
# You can specify the list of metrics from the helm CLI:
1434
#
1435
# --set hubble.metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
1436
#
1437
enabled: ~
1438
# -- Enables exporting hubble metrics in OpenMetrics format.
1439
enableOpenMetrics: false
1440
# -- Configure the port the hubble metric server listens on.
1441
port: 9965
1442
tls:
1443
# Enable hubble metrics server TLS.
1444
enabled: false
1445
# Configure hubble metrics server TLS.
1446
server:
1447
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
1448
# If specified, cert and key are ignored.
1449
existingSecret: ""
1450
# -- base64 encoded PEM values for the Hubble metrics server certificate (deprecated).
1451
# Use existingSecret instead.
1452
cert: ""
1453
# -- base64 encoded PEM values for the Hubble metrics server key (deprecated).
1454
# Use existingSecret instead.
1455
key: ""
1456
# -- Extra DNS names added to certificate when it's auto generated
1457
extraDnsNames: []
1458
# -- Extra IP addresses added to certificate when it's auto generated
1459
extraIpAddresses: []
1460
# -- Configure mTLS for the Hubble metrics server.
1461
mtls:
1462
# When set to true enforces mutual TLS between Hubble Metrics server and its clients.
1463
# False allow non-mutual TLS connections.
1464
# This option has no effect when TLS is disabled.
1465
enabled: false
1466
useSecret: false
1467
# -- Name of the ConfigMap containing the CA to validate client certificates against.
1468
# If mTLS is enabled and this is unspecified, it will default to the
1469
# same CA used for Hubble metrics server certificates.
1470
name: ~
1471
# -- Entry of the ConfigMap containing the CA.
1472
key: ca.crt
1473
# -- Annotations to be added to hubble-metrics service.
1474
serviceAnnotations: {}
1475
serviceMonitor:
1476
# -- Create ServiceMonitor resources for Prometheus Operator.
1477
# This requires the prometheus CRDs to be available.
1478
# ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
1479
enabled: false
1480
# -- Labels to add to ServiceMonitor hubble
1481
labels: {}
1482
# -- Annotations to add to ServiceMonitor hubble
1483
annotations: {}
1484
# -- jobLabel to add for ServiceMonitor hubble
1485
jobLabel: ""
1486
# -- Interval for scrape metrics.
1487
interval: "10s"
1488
# @schema
1489
# type: [null, string]
1490
# @schema
1491
# -- Timeout after which scrape is considered to be failed.
1492
scrapeTimeout: ~
1493
# -- Relabeling configs for the ServiceMonitor hubble
1494
relabelings:
1495
- sourceLabels:
1496
- __meta_kubernetes_pod_node_name
1497
targetLabel: node
1498
action: replace
1499
replacement: ${1}
1500
# @schema
1501
# type: [null, array]
1502
# @schema
1503
# -- Metrics relabeling configs for the ServiceMonitor hubble
1504
metricRelabelings: ~
1505
# Configure TLS for the ServiceMonitor.
1506
# Note, when using TLS you will either need to specify
1507
# tlsConfig.insecureSkipVerify or specify a CA to use.
1508
tlsConfig: {}
1509
# -- Grafana dashboards for hubble
1510
# grafana can import dashboards based on the label and value
1511
# ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
1512
dashboards:
1513
enabled: false
1514
label: grafana_dashboard
1515
# @schema
1516
# type: [null, string]
1517
# @schema
1518
namespace: ~
1519
labelValue: "1"
1520
annotations: {}
1521
# Dynamic metrics may be reconfigured without a need of agent restarts.
1522
dynamic:
1523
enabled: false
1524
config:
1525
# ---- Name of configmap with configuration that may be altered to reconfigure metric handlers within a running agent.
1526
configMapName: cilium-dynamic-metrics-config
1527
# ---- True if helm installer should create config map.
1528
# Switch to false if you want to self maintain the file content.
1529
createConfigMap: true
1530
# ---- Exporters configuration in YAML format.
1531
content: []
1532
# - name: dns
1533
# contextOptions: []
1534
# includeFilters: []
1535
# excludeFilters: []
1536
# -- Unix domain socket path to listen to when Hubble is enabled.
1537
socketPath: /var/run/cilium/hubble.sock
1538
# -- Enables network policy correlation of Hubble flows, i.e. populating `egress_allowed_by`, `ingress_denied_by` fields with policy information.
1539
networkPolicyCorrelation:
1540
# @default -- `true`
1541
enabled: true
1542
# -- Enables redacting sensitive information present in Layer 7 flows.
1543
redact:
1544
enabled: false
1545
http:
1546
# -- Enables redacting URL query (GET) parameters.
1547
# Example:
1548
#
1549
# redact:
1550
# enabled: true
1551
# http:
1552
# urlQuery: true
1553
#
1554
# You can specify the options from the helm CLI:
1555
#
1556
# --set hubble.redact.enabled="true"
1557
# --set hubble.redact.http.urlQuery="true"
1558
urlQuery: false
1559
# -- Enables redacting user info, e.g., password when basic auth is used.
1560
# Example:
1561
#
1562
# redact:
1563
# enabled: true
1564
# http:
1565
# userInfo: true
1566
#
1567
# You can specify the options from the helm CLI:
1568
#
1569
# --set hubble.redact.enabled="true"
1570
# --set hubble.redact.http.userInfo="true"
1571
userInfo: true
1572
headers:
1573
# -- List of HTTP headers to allow: headers not matching will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.
1574
# Example:
1575
# redact:
1576
# enabled: true
1577
# http:
1578
# headers:
1579
# allow:
1580
# - traceparent
1581
# - tracestate
1582
# - Cache-Control
1583
#
1584
# You can specify the options from the helm CLI:
1585
# --set hubble.redact.enabled="true"
1586
# --set hubble.redact.http.headers.allow="traceparent,tracestate,Cache-Control"
1587
allow: []
1588
# -- List of HTTP headers to deny: matching headers will be redacted. Note: `allow` and `deny` lists cannot be used both at the same time, only one can be present.
1589
# Example:
1590
# redact:
1591
# enabled: true
1592
# http:
1593
# headers:
1594
# deny:
1595
# - Authorization
1596
# - Proxy-Authorization
1597
#
1598
# You can specify the options from the helm CLI:
1599
# --set hubble.redact.enabled="true"
1600
# --set hubble.redact.http.headers.deny="Authorization,Proxy-Authorization"
1601
deny: []
1602
kafka:
1603
# -- Enables redacting Kafka's API key (deprecated, will be removed in v1.19).
1604
# Example:
1605
#
1606
# redact:
1607
# enabled: true
1608
# kafka:
1609
# apiKey: true
1610
#
1611
# You can specify the options from the helm CLI:
1612
#
1613
# --set hubble.redact.enabled="true"
1614
# --set hubble.redact.kafka.apiKey="true"
1615
apiKey: true
1616
# -- An additional address for Hubble to listen to.
1617
# Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
1618
# Hubble is listening on port 4244.
1619
listenAddress: ":4244"
1620
# -- Whether Hubble should prefer to announce IPv6 or IPv4 addresses if both are available.
1621
preferIpv6: false
1622
# @schema
1623
# type: [null, boolean]
1624
# @schema
1625
# -- (bool) Skip Hubble events with unknown cgroup ids
1626
# @default -- `true`
1627
skipUnknownCGroupIDs: ~
1628
peerService:
1629
# -- Service Port for the Peer service.
1630
# If not set, it is dynamically assigned to port 443 if TLS is enabled and to
1631
# port 80 if not.
1632
# servicePort: 80
1633
# -- Target Port for the Peer service, must match the hubble.listenAddress'
1634
# port.
1635
targetPort: 4244
1636
# -- The cluster domain to use to query the Hubble Peer service. It should
1637
# be the local cluster.
1638
clusterDomain: cluster.local
1639
# -- TLS configuration for Hubble
1640
tls:
1641
# -- Enable mutual TLS for listenAddress. Setting this value to false is
1642
# highly discouraged as the Hubble API provides access to potentially
1643
# sensitive network flow metadata and is exposed on the host network.
1644
enabled: true
1645
# -- Configure automatic TLS certificates generation.
1646
auto:
1647
# -- Auto-generate certificates.
1648
# When set to true, automatically generate a CA and certificates to
1649
# enable mTLS between Hubble server and Hubble Relay instances. If set to
1650
# false, the certs for Hubble server need to be provided by setting
1651
# appropriate values below.
1652
enabled: true
1653
# -- Set the method to auto-generate certificates. Supported values:
1654
# - helm: This method uses Helm to generate all certificates.
1655
# - cronJob: This method uses a Kubernetes CronJob the generate any
1656
# certificates not provided by the user at installation
1657
# time.
1658
# - certmanager: This method use cert-manager to generate & rotate certificates.
1659
method: helm
1660
# -- Generated certificates validity duration in days.
1661
#
1662
# Defaults to 365 days (1 year) because MacOS does not accept
1663
# self-signed certificates with expirations > 825 days.
1664
certValidityDuration: 365
1665
# -- Schedule for certificates regeneration (regardless of their expiration date).
1666
# Only used if method is "cronJob". If nil, then no recurring job will be created.
1667
# Instead, only the one-shot job is deployed to generate the certificates at
1668
# installation time.
1669
#
1670
# Defaults to midnight of the first day of every fourth month. For syntax, see
1671
# https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
1672
schedule: "0 0 1 */4 *"
1673
# [Example]
1674
# certManagerIssuerRef:
1675
# group: cert-manager.io
1676
# kind: ClusterIssuer
1677
# name: ca-issuer
1678
# -- certmanager issuer used when hubble.tls.auto.method=certmanager.
1679
certManagerIssuerRef: {}
1680
# -- The Hubble server certificate and private key
1681
server:
1682
# -- Name of the Secret containing the certificate and key for the Hubble server.
1683
# If specified, cert and key are ignored.
1684
existingSecret: ""
1685
# -- base64 encoded PEM values for the Hubble server certificate (deprecated).
1686
# Use existingSecret instead.
1687
cert: ""
1688
# -- base64 encoded PEM values for the Hubble server key (deprecated).
1689
# Use existingSecret instead.
1690
key: ""
1691
# -- Extra DNS names added to certificate when it's auto generated
1692
extraDnsNames: []
1693
# -- Extra IP addresses added to certificate when it's auto generated
1694
extraIpAddresses: []
1695
relay:
1696
# -- Enable Hubble Relay (requires hubble.enabled=true)
1697
enabled: false
1698
# -- Roll out Hubble Relay pods automatically when configmap is updated.
1699
rollOutPods: false
1700
# -- Hubble-relay container image.
1701
image:
1702
# @schema
1703
# type: [null, string]
1704
# @schema
1705
override: ~
1706
repository: chainreg.biz/chainguard-private/cilium-hubble-relay
1707
tag: "1.19"
1708
# hubble-relay-digest
1709
digest: sha256:a867001c50e37b6f0a853d9c394d21a6f934a42384e16d1e4e4c32742cb0603d
1710
useDigest: true
1711
pullPolicy: "IfNotPresent"
1712
# -- Specifies the resources for the hubble-relay pods
1713
resources: {}
1714
# -- Number of replicas run for the hubble-relay deployment.
1715
replicas: 1
1716
# -- Affinity for hubble-replay
1717
affinity:
1718
podAffinity:
1719
requiredDuringSchedulingIgnoredDuringExecution:
1720
- topologyKey: kubernetes.io/hostname
1721
labelSelector:
1722
matchLabels:
1723
k8s-app: cilium
1724
# -- Pod topology spread constraints for hubble-relay
1725
topologySpreadConstraints: []
1726
# - maxSkew: 1
1727
# topologyKey: topology.kubernetes.io/zone
1728
# whenUnsatisfiable: DoNotSchedule
1729
1730
# -- Node labels for pod assignment
1731
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
1732
nodeSelector:
1733
kubernetes.io/os: linux
1734
# -- Node tolerations for pod assignment on nodes with taints
1735
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
1736
tolerations: []
1737
# -- Additional hubble-relay environment variables.
1738
extraEnv: []
1739
# -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
1740
annotations: {}
1741
# -- Annotations to be added to hubble-relay pods
1742
podAnnotations: {}
1743
# -- Labels to be added to hubble-relay pods
1744
podLabels: {}
1745
# PodDisruptionBudget settings
1746
podDisruptionBudget:
1747
# -- enable PodDisruptionBudget
1748
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
1749
enabled: false
1750
# @schema
1751
# type: [null, integer, string]
1752
# @schema
1753
# -- Minimum number/percentage of pods that should remain scheduled.
1754
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
1755
minAvailable: null
1756
# @schema
1757
# type: [null, integer, string]
1758
# @schema
1759
# -- Maximum number/percentage of pods that may be made unavailable
1760
maxUnavailable: 1
1761
# @schema
1762
# type: [null, string]
1763
# @schema
1764
# -- How are unhealthy, but running, pods counted for eviction
1765
unhealthyPodEvictionPolicy: null
1766
# -- The priority class to use for hubble-relay
1767
priorityClassName: ""
1768
# -- Configure termination grace period for hubble relay Deployment.
1769
terminationGracePeriodSeconds: 1
1770
# -- hubble-relay update strategy
1771
updateStrategy:
1772
type: RollingUpdate
1773
rollingUpdate:
1774
# @schema
1775
# type: [integer, string]
1776
# @schema
1777
maxUnavailable: 1
1778
# -- Additional hubble-relay volumes.
1779
extraVolumes: []
1780
# -- Additional hubble-relay volumeMounts.
1781
extraVolumeMounts: []
1782
# -- hubble-relay pod security context
1783
podSecurityContext:
1784
fsGroup: 65532
1785
seccompProfile:
1786
type: RuntimeDefault
1787
# -- hubble-relay container security context
1788
securityContext:
1789
# readOnlyRootFilesystem: true
1790
allowPrivilegeEscalation: false
1791
runAsNonRoot: true
1792
runAsUser: 65532
1793
runAsGroup: 65532
1794
seccompProfile:
1795
type: RuntimeDefault
1796
capabilities:
1797
drop:
1798
- ALL
1799
# -- hubble-relay service configuration.
1800
service:
1801
# --- The type of service used for Hubble Relay access, either ClusterIP, NodePort or LoadBalancer.
1802
type: ClusterIP
1803
# --- The port to use when the service type is set to NodePort.
1804
nodePort: 31234
1805
# -- Host to listen to. Specify an empty string to bind to all the interfaces.
1806
listenHost: ""
1807
# -- Port to listen to.
1808
listenPort: "4245"
1809
# -- TLS configuration for Hubble Relay
1810
tls:
1811
# -- The hubble-relay client certificate and private key.
1812
# This keypair is presented to Hubble server instances for mTLS
1813
# authentication and is required when hubble.tls.enabled is true.
1814
# These values need to be set manually if hubble.tls.auto.enabled is false.
1815
client:
1816
# -- Name of the Secret containing the certificate and key for the Hubble metrics server.
1817
# If specified, cert and key are ignored.
1818
existingSecret: ""
1819
# -- base64 encoded PEM values for the Hubble relay client certificate (deprecated).
1820
# Use existingSecret instead.
1821
cert: ""
1822
# -- base64 encoded PEM values for the Hubble relay client key (deprecated).
1823
# Use existingSecret instead.
1824
key: ""
1825
# -- The hubble-relay server certificate and private key
1826
server:
1827
# When set to true, enable TLS on for Hubble Relay server
1828
# (ie: for clients connecting to the Hubble Relay API).
1829
enabled: false
1830
# When set to true enforces mutual TLS between Hubble Relay server and its clients.
1831
# False allow non-mutual TLS connections.
1832
# This option has no effect when TLS is disabled.
1833
mtls: false
1834
# -- Name of the Secret containing the certificate and key for the Hubble relay server.
1835
# If specified, cert and key are ignored.
1836
existingSecret: ""
1837
# -- base64 encoded PEM values for the Hubble relay server certificate (deprecated).
1838
# Use existingSecret instead.
1839
cert: ""
1840
# -- base64 encoded PEM values for the Hubble relay server key (deprecated).
1841
# Use existingSecret instead.
1842
key: ""
1843
# -- extra DNS names added to certificate when its auto gen
1844
extraDnsNames: []
1845
# -- extra IP addresses added to certificate when its auto gen
1846
extraIpAddresses: []
1847
# DNS name used by the backend to connect to the relay
1848
# This is a simple workaround as the relay certificates are currently hardcoded to
1849
# *.hubble-relay.cilium.io
1850
# See https://github.com/cilium/cilium/pull/28709#discussion_r1371792546
1851
# For GKE Dataplane V2 this should be set to relay.kube-system.svc.cluster.local
1852
relayName: "ui.hubble-relay.cilium.io"
1853
# @schema
1854
# type: [null, string]
1855
# @schema
1856
# -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
1857
retryTimeout: ~
1858
# @schema
1859
# type: [null, integer]
1860
# @schema
1861
# -- (int) Max number of flows that can be buffered for sorting before being sent to the
1862
# client (per request) (e.g. 100).
1863
sortBufferLenMax: ~
1864
# @schema
1865
# type: [null, string]
1866
# @schema
1867
# -- When the per-request flows sort buffer is not full, a flow is drained every
1868
# time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
1869
sortBufferDrainTimeout: ~
1870
# -- Port to use for the k8s service backed by hubble-relay pods.
1871
# If not set, it is dynamically assigned to port 443 if TLS is enabled and to
1872
# port 80 if not.
1873
# servicePort: 80
1874
1875
# -- Enable prometheus metrics for hubble-relay on the configured port at
1876
# /metrics
1877
prometheus:
1878
enabled: false
1879
port: 9966
1880
serviceMonitor:
1881
# -- Enable service monitors.
1882
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
1883
enabled: false
1884
# -- Labels to add to ServiceMonitor hubble-relay
1885
labels: {}
1886
# -- Annotations to add to ServiceMonitor hubble-relay
1887
annotations: {}
1888
# -- Interval for scrape metrics.
1889
interval: "10s"
1890
# @schema
1891
# type: [null, string]
1892
# @schema
1893
# -- Timeout after which scrape is considered to be failed.
1894
scrapeTimeout: ~
1895
# -- Specify the Kubernetes namespace where Prometheus expects to find
1896
# service monitors configured.
1897
# namespace: ""
1898
# @schema
1899
# type: [null, array]
1900
# @schema
1901
# -- Relabeling configs for the ServiceMonitor hubble-relay
1902
relabelings: ~
1903
# @schema
1904
# type: [null, array]
1905
# @schema
1906
# -- Metrics relabeling configs for the ServiceMonitor hubble-relay
1907
metricRelabelings: ~
1908
gops:
1909
# -- Enable gops for hubble-relay
1910
enabled: true
1911
# -- Configure gops listen port for hubble-relay
1912
port: 9893
1913
pprof:
1914
# -- Enable pprof for hubble-relay
1915
enabled: false
1916
# -- Configure pprof listen address for hubble-relay
1917
address: localhost
1918
# -- Configure pprof listen port for hubble-relay
1919
port: 6062
1920
# -- Enable mutex contention profiling for hubble-relay and set the fraction of sampled events (set to 1 to sample all events)
1921
mutexProfileFraction: 0
1922
# -- Enable goroutine blocking profiling for hubble-relay and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
1923
blockProfileRate: 0
1924
# -- Logging configuration for hubble-relay.
1925
logOptions:
1926
# @schema
1927
# type: [null, string]
1928
# @schema
1929
# -- Log format for hubble-relay. Valid values are: text, text-ts, json, json-ts.
1930
# @default -- text-ts
1931
format: ~
1932
# @schema
1933
# type: [null, string]
1934
# @schema
1935
# -- Log level for hubble-relay. Valid values are: debug, info, warn, error.
1936
# @default -- info
1937
level: ~
1938
ui:
1939
# -- Whether to enable the Hubble UI.
1940
enabled: false
1941
standalone:
1942
# -- When true, it will allow installing the Hubble UI only, without checking dependencies.
1943
# It is useful if a cluster already has cilium and Hubble relay installed and you just
1944
# want Hubble UI to be deployed.
1945
# When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
1946
enabled: false
1947
tls:
1948
# -- When deploying Hubble UI in standalone, with tls enabled for Hubble relay, it is required
1949
# to provide a volume for mounting the client certificates.
1950
certsVolume: {}
1951
# projected:
1952
# defaultMode: 0400
1953
# sources:
1954
# - secret:
1955
# name: hubble-ui-client-certs
1956
# items:
1957
# - key: tls.crt
1958
# path: client.crt
1959
# - key: tls.key
1960
# path: client.key
1961
# - key: ca.crt
1962
# path: hubble-relay-ca.crt
1963
# -- Roll out Hubble-ui pods automatically when configmap is updated.
1964
rollOutPods: false
1965
tls:
1966
client:
1967
# -- Name of the Secret containing the client certificate and key for Hubble UI
1968
# If specified, cert and key are ignored.
1969
existingSecret: ""
1970
# -- base64 encoded PEM values for the Hubble UI client certificate (deprecated).
1971
# Use existingSecret instead.
1972
cert: ""
1973
# -- base64 encoded PEM values for the Hubble UI client key (deprecated).
1974
# Use existingSecret instead.
1975
key: ""
1976
backend:
1977
# -- Hubble-ui backend image.
1978
image:
1979
# @schema
1980
# type: [null, string]
1981
# @schema
1982
override: chainreg.biz/chainguard-private/cilium-hubble-ui-backend:latest@sha256:b9be7331ed757914b3b9d8b0b8c91b23091db71bdcf64ea93efaeb9cf269e700
1983
repository: "quay.io/cilium/hubble-ui-backend"
1984
tag: "v0.13.5"
1985
digest: "sha256:fac0c300ae119274edca11fd89b1ad23c788792d8bc4ea2ba631c709e8d3c688"
1986
useDigest: true
1987
pullPolicy: "IfNotPresent"
1988
# -- Hubble-ui backend security context.
1989
securityContext:
1990
allowPrivilegeEscalation: false
1991
# -- Additional hubble-ui backend environment variables.
1992
extraEnv: []
1993
# -- Additional hubble-ui backend volumes.
1994
extraVolumes: []
1995
# -- Additional hubble-ui backend volumeMounts.
1996
extraVolumeMounts: []
1997
livenessProbe:
1998
# -- Enable liveness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
1999
enabled: false
2000
readinessProbe:
2001
# -- Enable readiness probe for Hubble-ui backend (requires Hubble-ui 0.12+)
2002
enabled: false
2003
# -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
2004
resources: {}
2005
# limits:
2006
# cpu: 1000m
2007
# memory: 1024M
2008
# requests:
2009
# cpu: 100m
2010
# memory: 64Mi
2011
frontend:
2012
# -- Hubble-ui frontend image.
2013
image:
2014
# @schema
2015
# type: [null, string]
2016
# @schema
2017
override: chainreg.biz/chainguard-private/cilium-hubble-ui:latest@sha256:50a056648c872893c130374c3ad49e61f817533d5c0ac085c29b40c2fa749a8e
2018
repository: "quay.io/cilium/hubble-ui"
2019
tag: "v0.13.5"
2020
digest: "sha256:f7d514fc54d784ed6df9d58cf0e97648b143f92b766dd1780ed3fc845bd4c516"
2021
useDigest: true
2022
pullPolicy: "IfNotPresent"
2023
# -- Hubble-ui frontend security context.
2024
securityContext:
2025
allowPrivilegeEscalation: false
2026
# -- Additional hubble-ui frontend environment variables.
2027
extraEnv: []
2028
# -- Additional hubble-ui frontend volumes.
2029
extraVolumes: []
2030
# -- Additional hubble-ui frontend volumeMounts.
2031
extraVolumeMounts: []
2032
# -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
2033
resources: {}
2034
# limits:
2035
# cpu: 1000m
2036
# memory: 1024M
2037
# requests:
2038
# cpu: 100m
2039
# memory: 64Mi
2040
server:
2041
# -- Controls server listener for ipv6
2042
ipv6:
2043
enabled: true
2044
# -- The number of replicas of Hubble UI to deploy.
2045
replicas: 1
2046
# -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
2047
annotations: {}
2048
# -- Additional labels to be added to 'hubble-ui' deployment object
2049
labels: {}
2050
# -- Annotations to be added to hubble-ui pods
2051
podAnnotations: {}
2052
# -- Labels to be added to hubble-ui pods
2053
podLabels: {}
2054
# PodDisruptionBudget settings
2055
podDisruptionBudget:
2056
# -- enable PodDisruptionBudget
2057
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
2058
enabled: false
2059
# @schema
2060
# type: [null, integer, string]
2061
# @schema
2062
# -- Minimum number/percentage of pods that should remain scheduled.
2063
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
2064
minAvailable: null
2065
# @schema
2066
# type: [null, integer, string]
2067
# @schema
2068
# -- Maximum number/percentage of pods that may be made unavailable
2069
maxUnavailable: 1
2070
# @schema
2071
# type: [null, string]
2072
# @schema
2073
# -- How are unhealthy, but running, pods counted for eviction
2074
unhealthyPodEvictionPolicy: null
2075
# -- Affinity for hubble-ui
2076
affinity: {}
2077
# -- Pod topology spread constraints for hubble-ui
2078
topologySpreadConstraints: []
2079
# - maxSkew: 1
2080
# topologyKey: topology.kubernetes.io/zone
2081
# whenUnsatisfiable: DoNotSchedule
2082
2083
# -- Node labels for pod assignment
2084
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
2085
nodeSelector:
2086
kubernetes.io/os: linux
2087
# -- Node tolerations for pod assignment on nodes with taints
2088
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
2089
tolerations: []
2090
# -- The priority class to use for hubble-ui
2091
priorityClassName: ""
2092
# -- hubble-ui update strategy.
2093
updateStrategy:
2094
type: RollingUpdate
2095
rollingUpdate:
2096
# @schema
2097
# type: [integer, string]
2098
# @schema
2099
maxUnavailable: 1
2100
# -- Security context to be added to Hubble UI pods
2101
securityContext:
2102
runAsUser: 1001
2103
runAsGroup: 1001
2104
fsGroup: 1001
2105
# -- hubble-ui service configuration.
2106
service:
2107
# -- Annotations to be added for the Hubble UI service
2108
annotations: {}
2109
# -- Labels to be added for the Hubble UI service
2110
labels: {}
2111
# --- The type of service used for Hubble UI access, either ClusterIP or NodePort.
2112
type: ClusterIP
2113
# --- The port to use when the service type is set to NodePort.
2114
nodePort: 31235
2115
# -- Defines base url prefix for all hubble-ui http requests.
2116
# It needs to be changed in case if ingress for hubble-ui is configured under some sub-path.
2117
# Trailing `/` is required for custom path, ex. `/service-map/`
2118
baseUrl: "/"
2119
# -- hubble-ui ingress configuration.
2120
ingress:
2121
enabled: false
2122
annotations: {}
2123
# kubernetes.io/ingress.class: nginx
2124
# kubernetes.io/tls-acme: "true"
2125
className: ""
2126
hosts:
2127
- chart-example.local
2128
labels: {}
2129
tls: []
2130
# - secretName: chart-example-tls
2131
# hosts:
2132
# - chart-example.local
2133
# -- Configure temporary volume for hubble-ui
2134
tmpVolume: {}
2135
# emptyDir:
2136
# # sizeLimit: "100Mi"
2137
# # medium: "Memory"
2138
# -- Hubble flows export.
2139
export:
2140
# --- Static exporter configuration.
2141
# Static exporter is bound to agent lifecycle.
2142
static:
2143
enabled: false
2144
filePath: /var/run/cilium/hubble/events.log
2145
fieldMask: []
2146
# - time
2147
# - source
2148
# - destination
2149
# - verdict
2150
fieldAggregate: []
2151
# - time
2152
# - source
2153
# - destination
2154
# - verdict
2155
# --- Defines the interval at which to aggregate before exporting Hubble flows.
2156
# Aggregation feature is only enabled when fieldAggregate is specified and aggregationInterval > 0s.
2157
aggregationInterval: "0s"
2158
allowList: []
2159
# - '{"verdict":["DROPPED","ERROR"]}'
2160
denyList: []
2161
# - '{"source_pod":["kube-system/"]}'
2162
# - '{"destination_pod":["kube-system/"]}'
2163
# --- Defines max file size of output file before it gets rotated.
2164
fileMaxSizeMb: 10
2165
# --- Defines max number of backup/rotated files.
2166
fileMaxBackups: 5
2167
# --- Enable compression of rotated files.
2168
fileCompress: false
2169
# --- Dynamic exporters configuration.
2170
# Dynamic exporters may be reconfigured without a need of agent restarts.
2171
dynamic:
2172
enabled: false
2173
config:
2174
# ---- Name of configmap with configuration that may be altered to reconfigure exporters within a running agents.
2175
configMapName: cilium-flowlog-config
2176
# ---- True if helm installer should create config map.
2177
# Switch to false if you want to self maintain the file content.
2178
createConfigMap: true
2179
# ---- Exporters configuration in YAML format.
2180
content:
2181
- name: all
2182
fieldMask: []
2183
fieldAggregate: []
2184
aggregationInterval: "0s"
2185
includeFilters: []
2186
excludeFilters: []
2187
filePath: "/var/run/cilium/hubble/events.log"
2188
fileMaxSizeMb: 10
2189
fileMaxBackups: 5
2190
fileCompress: false
2191
# - name: "test002"
2192
# filePath: "/var/log/network/flow-log/pa/test002.log"
2193
# fieldMask: ["source.namespace", "source.pod_name", "destination.namespace", "destination.pod_name", "verdict"]
2194
# includeFilters:
2195
# - source_pod: ["default/"]
2196
# event_type:
2197
# - type: 1
2198
# - destination_pod: ["frontend/nginx-975996d4c-7hhgt"]
2199
# excludeFilters: []
2200
# fileMaxSizeMb: 1
2201
# fileMaxBackups: 10
2202
# fileCompress: true
2203
# end: "2023-10-09T23:59:59-07:00"
2204
# -- Emit v1.Events related to pods on detection of packet drops.
2205
# This feature is alpha, please provide feedback at https://github.com/cilium/cilium/issues/33975.
2206
dropEventEmitter:
2207
enabled: false
2208
# --- Minimum time between emitting same events.
2209
interval: 2m
2210
# --- Drop reasons to emit events for.
2211
# ref: https://docs.cilium.io/en/stable/_api/v1/flow/README/#dropreason
2212
reasons:
2213
- auth_required
2214
- policy_denied
2215
# -- Method to use for identity allocation (`crd`, `kvstore` or `doublewrite-readkvstore` / `doublewrite-readcrd` for migrating between identity backends).
2216
identityAllocationMode: "crd"
2217
# -- (string) Time to wait before using new identity on endpoint identity change.
2218
# @default -- `"5s"`
2219
identityChangeGracePeriod: ""
2220
# -- Install Iptables rules to skip netfilter connection tracking on all pod
2221
# traffic. This option is only effective when Cilium is running in direct
2222
# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
2223
# is running in a managed Kubernetes environment or in a chained CNI setup.
2224
installNoConntrackIptablesRules: false
2225
ipam:
2226
# -- Configure IP Address Management mode.
2227
# ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
2228
mode: "cluster-pool"
2229
# -- Maximum rate at which the CiliumNode custom resource is updated.
2230
ciliumNodeUpdateRate: "15s"
2231
# -- Pre-allocation settings for IPAM in Multi-Pool mode
2232
multiPoolPreAllocation: ""
2233
# -- Install ingress/egress routes through uplink on host for Pods when working with delegated IPAM plugin.
2234
installUplinkRoutesForDelegatedIPAM: false
2235
operator:
2236
# @schema
2237
# type: [array, string]
2238
# @schema
2239
# -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
2240
clusterPoolIPv4PodCIDRList: ["10.0.0.0/8"]
2241
# -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
2242
clusterPoolIPv4MaskSize: 24
2243
# @schema
2244
# type: [array, string]
2245
# @schema
2246
# -- IPv6 CIDR list range to delegate to individual nodes for IPAM.
2247
clusterPoolIPv6PodCIDRList: ["fd00::/104"]
2248
# -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
2249
clusterPoolIPv6MaskSize: 120
2250
# -- IP pools to auto-create in multi-pool IPAM mode.
2251
autoCreateCiliumPodIPPools: {}
2252
# default:
2253
# ipv4:
2254
# cidrs:
2255
# - 10.10.0.0/8
2256
# maskSize: 24
2257
# other:
2258
# ipv6:
2259
# cidrs:
2260
# - fd00:100::/80
2261
# maskSize: 96
2262
# @schema
2263
# type: [null, integer]
2264
# @schema
2265
# -- (int) The maximum burst size when rate limiting access to external APIs.
2266
# Also known as the token bucket capacity.
2267
# @default -- `20`
2268
externalAPILimitBurstSize: ~
2269
# @schema
2270
# type: [null, number]
2271
# @schema
2272
# -- (float) The maximum queries per second when rate limiting access to
2273
# external APIs. Also known as the bucket refill rate, which is used to
2274
# refill the bucket up to the burst size capacity.
2275
# @default -- `4.0`
2276
externalAPILimitQPS: ~
2277
# -- NodeSpec configuration for the IPAM
2278
nodeSpec:
2279
# -- IPAM min allocate
2280
# @schema
2281
# type: [null, integer]
2282
# @schema
2283
ipamMinAllocate: ~
2284
# -- IPAM pre allocate
2285
# @schema
2286
# type: [null, integer]
2287
# @schema
2288
ipamPreAllocate: ~
2289
# -- IPAM max allocate
2290
# @schema
2291
# type: [null, integer]
2292
# @schema
2293
ipamMaxAllocate: ~
2294
# -- IPAM static IP tags (currently only works with AWS and Azure)
2295
ipamStaticIPTags: []
2296
# @schema
2297
# type: [string]
2298
# @schema
2299
# -- defaultLBServiceIPAM indicates the default LoadBalancer Service IPAM when
2300
# no LoadBalancer class is set. Applicable values: lbipam, nodeipam, none
2301
defaultLBServiceIPAM: lbipam
2302
nodeIPAM:
2303
# -- Configure Node IPAM
2304
# ref: https://docs.cilium.io/en/stable/network/node-ipam/
2305
enabled: false
2306
# @schema
2307
# type: [null, string]
2308
# @schema
2309
# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
2310
apiRateLimit: ~
2311
# -- Configure the eBPF-based ip-masq-agent
2312
ipMasqAgent:
2313
enabled: false
2314
# the config of nonMasqueradeCIDRs
2315
# config:
2316
# nonMasqueradeCIDRs: []
2317
# masqLinkLocal: false
2318
# masqLinkLocalIPv6: false
2319
2320
# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
2321
# iptablesLockTimeout: "5s"
2322
ipv4:
2323
# -- Enable IPv4 support.
2324
enabled: true
2325
ipv6:
2326
# -- Enable IPv6 support.
2327
enabled: false
2328
# -- Configure Kubernetes specific configuration
2329
k8s:
2330
# -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
2331
# range via the Kubernetes node resource
2332
requireIPv4PodCIDR: false
2333
# -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
2334
# range via the Kubernetes node resource
2335
requireIPv6PodCIDR: false
2336
# -- A space separated list of Kubernetes API server URLs to use with the client.
2337
# For example "https://192.168.0.1:6443 https://192.168.0.2:6443"
2338
# apiServerURLs: ""
2339
# -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
2340
keepDeprecatedLabels: false
2341
# -- Keep the deprecated probes when deploying Cilium DaemonSet
2342
keepDeprecatedProbes: false
2343
startupProbe:
2344
# -- failure threshold of startup probe.
2345
# Allow Cilium to take up to 600s to start up (300 attempts with 2s between attempts).
2346
failureThreshold: 300
2347
# -- interval between checks of the startup probe
2348
periodSeconds: 2
2349
livenessProbe:
2350
# -- failure threshold of liveness probe
2351
failureThreshold: 10
2352
# -- interval between checks of the liveness probe
2353
periodSeconds: 30
2354
# -- whether to require k8s connectivity as part of the check.
2355
requireK8sConnectivity: false
2356
readinessProbe:
2357
# -- failure threshold of readiness probe
2358
failureThreshold: 3
2359
# -- interval between checks of the readiness probe
2360
periodSeconds: 30
2361
# -- Configure the kube-proxy replacement in Cilium BPF datapath
2362
# Valid options are "true" or "false".
2363
# ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
2364
# @schema@
2365
# type: [string, boolean]
2366
# @schema@
2367
kubeProxyReplacement: "false"
2368
# -- healthz server bind address for the kube-proxy replacement.
2369
# To enable set the value to '0.0.0.0:10256' for all ipv4
2370
# addresses and this '[::]:10256' for all ipv6 addresses.
2371
# By default it is disabled.
2372
kubeProxyReplacementHealthzBindAddr: ""
2373
l2NeighDiscovery:
2374
# -- Enable L2 neighbor discovery in the agent
2375
enabled: false
2376
# -- Enable Layer 7 network policy.
2377
l7Proxy: true
2378
# -- Enable Local Redirect Policy (deprecated, please use 'localRedirectPolicies.enabled' instead)
2379
localRedirectPolicy: false
2380
localRedirectPolicies:
2381
# -- Enable local redirect policies.
2382
enabled: false
2383
# -- Limit the allowed addresses in Address Matcher rule of
2384
# Local Redirect Policies to the given CIDRs.
2385
# @schema@
2386
# type: [null, array]
2387
# @schema@
2388
addressMatcherCIDRs: ~
2389
# To include or exclude matched resources from cilium identity evaluation
2390
# labels: ""
2391
2392
# logOptions allows you to define logging options. eg:
2393
# logOptions:
2394
# format: json
2395
2396
# -- Enables periodic logging of system load
2397
logSystemLoad: false
2398
# -- Configure maglev consistent hashing
2399
maglev: {}
2400
# -- tableSize is the size (parameter M) for the backend table of one
2401
# service entry
2402
# tableSize:
2403
2404
# -- hashSeed is the cluster-wide base64 encoded seed for the hashing
2405
# hashSeed:
2406
2407
# @schema
2408
# type: [null, boolean]
2409
# @schema
2410
# -- (bool) Enables masquerading of IPv4 traffic leaving the node from endpoints.
2411
# @default -- `true` unless ipam eni mode is active
2412
enableIPv4Masquerade: ~
2413
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
2414
enableIPv6Masquerade: true
2415
# -- Enables masquerading to the source of the route for traffic leaving the node from endpoints.
2416
enableMasqueradeRouteSource: false
2417
# -- Enables IPv4 BIG TCP support which increases maximum IPv4 GSO/GRO limits for nodes and pods
2418
enableIPv4BIGTCP: false
2419
# -- Enables IPv6 BIG TCP support which increases maximum IPv6 GSO/GRO limits for nodes and pods
2420
enableIPv6BIGTCP: false
2421
nat:
2422
# -- Number of the top-k SNAT map connections to track in Cilium statedb.
2423
mapStatsEntries: 32
2424
# -- Interval between how often SNAT map is counted for stats.
2425
mapStatsInterval: 30s
2426
egressGateway:
2427
# -- Enables egress gateway to redirect and SNAT the traffic that leaves the
2428
# cluster.
2429
enabled: false
2430
# -- Time between triggers of egress gateway state reconciliations
2431
reconciliationTriggerInterval: 1s
2432
# -- Maximum number of entries in egress gateway policy map
2433
# maxPolicyEntries: 16384
2434
vtep:
2435
# -- Enables VXLAN Tunnel Endpoint (VTEP) Integration (beta) to allow
2436
# Cilium-managed pods to talk to third party VTEP devices over Cilium tunnel.
2437
enabled: false
2438
# -- A space separated list of VTEP device endpoint IPs, for example "1.1.1.1 1.1.2.1"
2439
endpoint: ""
2440
# -- A space separated list of VTEP device CIDRs, for example "1.1.1.0/24 1.1.2.0/24"
2441
cidr: ""
2442
# -- VTEP CIDRs Mask that applies to all VTEP CIDRs, for example "255.255.255.0"
2443
mask: ""
2444
# -- A space separated list of VTEP device MAC addresses (VTEP MAC), for example "x:x:x:x:x:x y:y:y:y:y:y:y"
2445
mac: ""
2446
# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
2447
# When specified, Cilium assumes networking for this CIDR is preconfigured and
2448
# hands traffic destined for that range to the Linux network stack without
2449
# applying any SNAT.
2450
# Generally speaking, specifying a native routing CIDR implies that Cilium can
2451
# depend on the underlying networking stack to route packets to their
2452
# destination. To offer a concrete example, if Cilium is configured to use
2453
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
2454
# the user must configure the routes to reach pods, either manually or by
2455
# setting the auto-direct-node-routes flag.
2456
ipv4NativeRoutingCIDR: ""
2457
# -- (string) Allows to explicitly specify the IPv6 CIDR for native routing.
2458
# When specified, Cilium assumes networking for this CIDR is preconfigured and
2459
# hands traffic destined for that range to the Linux network stack without
2460
# applying any SNAT.
2461
# Generally speaking, specifying a native routing CIDR implies that Cilium can
2462
# depend on the underlying networking stack to route packets to their
2463
# destination. To offer a concrete example, if Cilium is configured to use
2464
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
2465
# the user must configure the routes to reach pods, either manually or by
2466
# setting the auto-direct-node-routes flag.
2467
ipv6NativeRoutingCIDR: ""
2468
# -- cilium-monitor sidecar.
2469
monitor:
2470
# -- Enable the cilium-monitor sidecar.
2471
enabled: false
2472
# -- Configure service load balancing
2473
loadBalancer:
2474
# -- standalone enables the standalone L4LB which does not connect to
2475
# kube-apiserver.
2476
# standalone: false
2477
2478
# -- algorithm is the name of the load balancing algorithm for backend
2479
# selection e.g. random or maglev
2480
# algorithm: random
2481
2482
# -- mode is the operation mode of load balancing for remote backends
2483
# e.g. snat, dsr, hybrid
2484
# mode: snat
2485
2486
# -- acceleration is the option to accelerate service handling via XDP
2487
# Applicable values can be: disabled (do not use XDP), native (XDP BPF
2488
# program is run directly out of the networking driver's early receive
2489
# path), or best-effort (use native mode XDP acceleration on devices
2490
# that support it).
2491
acceleration: disabled
2492
# -- dsrDispatch configures whether IP option (opt), IPIP encapsulation (ipip),
2493
# Geneve Class Option (geneve) used to pass a service IP and port to remote backend
2494
# dsrDispatch: opt
2495
2496
# -- serviceTopology enables K8s Topology Aware Hints -based service
2497
# endpoints filtering
2498
serviceTopology: false
2499
# -- L7 LoadBalancer
2500
l7:
2501
# -- Enable L7 service load balancing via envoy proxy.
2502
# The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
2503
# will be forwarded to the local backend proxy to be load balanced to the service endpoints.
2504
# Please refer to docs for supported annotations for more configuration.
2505
#
2506
# Applicable values:
2507
# - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.
2508
# - disabled: Disable L7 load balancing by way of service annotation.
2509
backend: disabled
2510
# -- List of ports from service to be automatically redirected to above backend.
2511
# Any service exposing one of these ports will be automatically redirected.
2512
# Fine-grained control can be achieved by using the service annotation.
2513
ports: []
2514
# -- Default LB algorithm
2515
# The default LB algorithm to be used for services, which can be overridden by the
2516
# service annotation (e.g. service.cilium.io/lb-l7-algorithm)
2517
# Applicable values: round_robin, least_request, random
2518
algorithm: round_robin
2519
# -- Configure N-S k8s service loadbalancing
2520
nodePort:
2521
# -- Port range to use for NodePort services.
2522
# range: "30000,32767"
2523
2524
# @schema
2525
# type: [null, string, array]
2526
# @schema
2527
# -- List of CIDRs for choosing which IP addresses assigned to native devices are used for NodePort load-balancing.
2528
# By default this is empty and the first suitable, preferably private, IPv4 and IPv6 address assigned to each device is used.
2529
#
2530
# Example:
2531
#
2532
# addresses: ["192.168.1.0/24", "2001::/64"]
2533
#
2534
addresses: ~
2535
# -- Set to true to prevent applications binding to service ports.
2536
bindProtection: true
2537
# -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
2538
# ports is detected.
2539
autoProtectPortRange: true
2540
# -- Enable healthcheck nodePort server for NodePort services
2541
enableHealthCheck: true
2542
# -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs
2543
# EnableHealthCheck to be enabled
2544
enableHealthCheckLoadBalancerIP: false
2545
# policyAuditMode: false
2546
2547
# -- The agent can be put into one of the three policy enforcement modes:
2548
# default, always and never.
2549
# ref: https://docs.cilium.io/en/stable/security/policy/intro/#policy-enforcement-modes
2550
policyEnforcementMode: "default"
2551
# @schema
2552
# type: [null, string, array]
2553
# @schema
2554
# -- policyCIDRMatchMode is a list of entities that may be selected by CIDR selector.
2555
# The possible value is "nodes".
2556
policyCIDRMatchMode:
2557
pprof:
2558
# -- Enable pprof for cilium-agent
2559
enabled: false
2560
# -- Configure pprof listen address for cilium-agent
2561
address: localhost
2562
# -- Configure pprof listen port for cilium-agent
2563
port: 6060
2564
# -- Enable mutex contention profiling for cilium-agent and set the fraction of sampled events (set to 1 to sample all events)
2565
mutexProfileFraction: 0
2566
# -- Enable goroutine blocking profiling for cilium-agent and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
2567
blockProfileRate: 0
2568
# -- Configure prometheus metrics on the configured port at /metrics
2569
prometheus:
2570
metricsService: false
2571
enabled: false
2572
port: 9962
2573
serviceMonitor:
2574
# -- Enable service monitors.
2575
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
2576
enabled: false
2577
# -- Labels to add to ServiceMonitor cilium-agent
2578
labels: {}
2579
# -- Annotations to add to ServiceMonitor cilium-agent
2580
annotations: {}
2581
# -- jobLabel to add for ServiceMonitor cilium-agent
2582
jobLabel: ""
2583
# -- Interval for scrape metrics.
2584
interval: "10s"
2585
# @schema
2586
# type: [null, string]
2587
# @schema
2588
# -- Timeout after which scrape is considered to be failed.
2589
scrapeTimeout: ~
2590
# -- Specify the Kubernetes namespace where Prometheus expects to find
2591
# service monitors configured.
2592
# namespace: ""
2593
# -- Relabeling configs for the ServiceMonitor cilium-agent
2594
relabelings:
2595
- sourceLabels:
2596
- __meta_kubernetes_pod_node_name
2597
targetLabel: node
2598
action: replace
2599
replacement: ${1}
2600
# @schema
2601
# type: [null, array]
2602
# @schema
2603
# -- Metrics relabeling configs for the ServiceMonitor cilium-agent
2604
metricRelabelings: ~
2605
# -- Set to `true` and helm will not check for monitoring.coreos.com/v1 CRDs before deploying
2606
trustCRDsExist: false
2607
# @schema
2608
# type: [null, array]
2609
# @schema
2610
# -- Metrics that should be enabled or disabled from the default metric list.
2611
# The list is expected to be separated by a space. (+metric_foo to enable
2612
# metric_foo , -metric_bar to disable metric_bar).
2613
# ref: https://docs.cilium.io/en/stable/observability/metrics/
2614
metrics: ~
2615
# --- Enable controller group metrics for monitoring specific Cilium
2616
# subsystems. The list is a list of controller group names. The special
2617
# values of "all" and "none" are supported. The set of controller
2618
# group names is not guaranteed to be stable between Cilium versions.
2619
controllerGroupMetrics:
2620
- write-cni-file
2621
- sync-host-ips
2622
- sync-lb-maps-with-k8s-services
2623
# -- Grafana dashboards for cilium-agent
2624
# grafana can import dashboards based on the label and value
2625
# ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
2626
dashboards:
2627
enabled: false
2628
label: grafana_dashboard
2629
# @schema
2630
# type: [null, string]
2631
# @schema
2632
namespace: ~
2633
labelValue: "1"
2634
annotations: {}
2635
# Configure Cilium Envoy options.
2636
envoy:
2637
# @schema
2638
# type: [null, boolean]
2639
# @schema
2640
# -- Enable Envoy Proxy in standalone DaemonSet.
2641
# This field is enabled by default for new installation.
2642
# @default -- `true` for new installation
2643
enabled: ~
2644
# -- (int)
2645
# Set Envoy'--base-id' to use when allocating shared memory regions.
2646
# Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'
2647
baseID: 0
2648
log:
2649
# @schema
2650
# type: [null, string]
2651
# @schema
2652
# -- The format string to use for laying out the log message metadata of Envoy. If specified, Envoy will use text format output.
2653
# This setting is mutually exclusive with envoy.log.format_json.
2654
format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
2655
# @schema
2656
# type: [null, object]
2657
# @schema
2658
# -- The JSON logging format to use for Envoy. This setting is mutually exclusive with envoy.log.format.
2659
# ref: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-applicationlogconfig-logformat-json-format
2660
format_json: null
2661
# date: "%Y-%m-%dT%T.%e"
2662
# thread_id: "%t"
2663
# source_line: "%s:%#"
2664
# level: "%l"
2665
# logger: "%n"
2666
# message: "%j"
2667
# -- Path to a separate Envoy log file, if any. Defaults to /dev/stdout.
2668
path: ""
2669
# @schema
2670
# oneOf:
2671
# - type: [null]
2672
# - enum: [trace,debug,info,warning,error,critical,off]
2673
# @schema
2674
# -- Default log level of Envoy application log that is configured if Cilium debug / verbose logging isn't enabled.
2675
# This option allows to have a different log level than the Cilium Agent - e.g. lower it to `critical`.
2676
# Possible values: trace, debug, info, warning, error, critical, off
2677
# @default -- Defaults to the default log level of the Cilium Agent - `info`
2678
defaultLevel: ~
2679
# @schema
2680
# type: [null, integer]
2681
# @schema
2682
# -- Size of the Envoy access log buffer created within the agent in bytes.
2683
# Tune this value up if you encounter "Envoy: Discarded truncated access log message" errors.
2684
# Large request/response header sizes (e.g. 16KiB) will require a larger buffer size.
2685
accessLogBufferSize: 4096
2686
# -- Time in seconds after which a TCP connection attempt times out
2687
connectTimeoutSeconds: 2
2688
# -- Time in seconds after which the initial fetch on an xDS stream is considered timed out
2689
initialFetchTimeoutSeconds: 30
2690
# -- Maximum number of concurrent retries on Envoy clusters
2691
maxConcurrentRetries: 128
2692
# -- Maximum number of connections on Envoy clusters
2693
clusterMaxConnections: 1024
2694
# -- Maximum number of requests on Envoy clusters
2695
clusterMaxRequests: 1024
2696
# -- Maximum number of global downstream connections
2697
maxGlobalDownstreamConnections: 50000
2698
# -- Maximum number of retries for each HTTP request
2699
httpRetryCount: 3
2700
# -- ProxyMaxRequestsPerConnection specifies the max_requests_per_connection setting for Envoy
2701
maxRequestsPerConnection: 0
2702
# -- Set Envoy HTTP option max_connection_duration seconds. Default 0 (disable)
2703
maxConnectionDurationSeconds: 0
2704
# -- Set Envoy upstream HTTP idle connection timeout seconds.
2705
# Does not apply to connections with pending requests. Default 60s
2706
idleTimeoutDurationSeconds: 60
2707
# -- Set Envoy the amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity.
2708
# default 5 minutes
2709
streamIdleTimeoutDurationSeconds: 300
2710
# -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the ingress L7 policy enforcement Envoy listeners.
2711
xffNumTrustedHopsL7PolicyIngress: 0
2712
# -- Number of trusted hops regarding the x-forwarded-for and related HTTP headers for the egress L7 policy enforcement Envoy listeners.
2713
xffNumTrustedHopsL7PolicyEgress: 0
2714
# -- For cases when CiliumEnvoyConfig is not used directly (Ingress, Gateway), configures Cilium BPF Metadata listener filter
2715
# to use the original source address when extracting the metadata for a request.
2716
useOriginalSourceAddress: true
2717
# @schema
2718
# type: [null, string]
2719
# @schema
2720
# -- Max duration to wait for endpoint policies to be restored on restart. Default "3m".
2721
policyRestoreTimeoutDuration: null
2722
# -- Time in seconds to block Envoy worker thread while an upstream HTTP connection is closing. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
2723
httpUpstreamLingerTimeout: null
2724
# -- Envoy container image.
2725
image:
2726
# @schema
2727
# type: [null, string]
2728
# @schema
2729
override: ~
2730
repository: chainreg.biz/chainguard-private/cilium-envoy
2731
tag: "1.19"
2732
pullPolicy: "IfNotPresent"
2733
digest: sha256:9e782cdaec22b27284271e96e3a1d46a4c19983455acf1e567fb8669eaf406da
2734
useDigest: true
2735
# -- Init containers added to the cilium Envoy DaemonSet.
2736
initContainers: []
2737
# -- Additional containers added to the cilium Envoy DaemonSet.
2738
extraContainers: []
2739
# -- Additional envoy container arguments.
2740
extraArgs: []
2741
# -- Additional envoy container environment variables.
2742
extraEnv: []
2743
# -- Additional envoy hostPath mounts.
2744
extraHostPathMounts: []
2745
# - name: host-mnt-data
2746
# mountPath: /host/mnt/data
2747
# hostPath: /mnt/data
2748
# hostPathType: Directory
2749
# readOnly: true
2750
# mountPropagation: HostToContainer
2751
2752
# -- Additional envoy volumes.
2753
extraVolumes: []
2754
# -- Additional envoy volumeMounts.
2755
extraVolumeMounts: []
2756
# -- Configure termination grace period for cilium-envoy DaemonSet.
2757
terminationGracePeriodSeconds: 1
2758
# -- TCP port for the health API.
2759
healthPort: 9878
2760
# -- cilium-envoy update strategy
2761
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/#updating-a-daemonset
2762
updateStrategy:
2763
type: RollingUpdate
2764
rollingUpdate:
2765
# @schema
2766
# type: [integer, string]
2767
# @schema
2768
maxUnavailable: 2
2769
# -- Roll out cilium envoy pods automatically when configmap is updated.
2770
rollOutPods: false
2771
# -- ADVANCED OPTION: Bring your own custom Envoy bootstrap ConfigMap. Provide the name of a ConfigMap with a `bootstrap-config.json` key.
2772
# When specified, Envoy will use this ConfigMap instead of the default provided by the chart.
2773
# WARNING: Use of this setting has the potential to prevent cilium-envoy from starting up, and can cause unexpected behavior (e.g. due to
2774
# syntax error or semantically incorrect configuration). Before submitting an issue, please ensure you have disabled this feature, as support
2775
# cannot be provided for custom Envoy bootstrap configs.
2776
# @schema
2777
# type: [null, string]
2778
# @schema
2779
bootstrapConfigMap: ~
2780
# -- Annotations to be added to all top-level cilium-envoy objects (resources under templates/cilium-envoy)
2781
annotations: {}
2782
# -- Security Context for cilium-envoy pods.
2783
podSecurityContext:
2784
# -- AppArmorProfile options for the `cilium-agent` and init containers
2785
appArmorProfile:
2786
type: "Unconfined"
2787
# -- Annotations to be added to envoy pods
2788
podAnnotations: {}
2789
# -- Labels to be added to envoy pods
2790
podLabels: {}
2791
# -- Envoy resource limits & requests
2792
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
2793
resources: {}
2794
# limits:
2795
# cpu: 4000m
2796
# memory: 4Gi
2797
# requests:
2798
# cpu: 100m
2799
# memory: 512Mi
2800
2801
startupProbe:
2802
# -- Enable startup probe for cilium-envoy
2803
enabled: true
2804
# -- failure threshold of startup probe.
2805
# 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
2806
failureThreshold: 105
2807
# -- interval between checks of the startup probe
2808
periodSeconds: 2
2809
livenessProbe:
2810
# -- Enable liveness probe for cilium-envoy
2811
enabled: true
2812
# -- failure threshold of liveness probe
2813
failureThreshold: 10
2814
# -- interval between checks of the liveness probe
2815
periodSeconds: 30
2816
readinessProbe:
2817
# -- failure threshold of readiness probe
2818
failureThreshold: 3
2819
# -- interval between checks of the readiness probe
2820
periodSeconds: 30
2821
securityContext:
2822
# -- User to run the pod with
2823
# runAsUser: 0
2824
# -- Run the pod with elevated privileges
2825
privileged: false
2826
# -- SELinux options for the `cilium-envoy` container
2827
seLinuxOptions:
2828
level: 's0'
2829
# Running with spc_t since we have removed the privileged mode.
2830
# Users can change it to a different type as long as they have the
2831
# type available on the system.
2832
type: 'spc_t'
2833
capabilities:
2834
# -- Capabilities for the `cilium-envoy` container.
2835
# Even though granted to the container, the cilium-envoy-starter wrapper drops
2836
# all capabilities after forking the actual Envoy process.
2837
# `NET_BIND_SERVICE` is the only capability that can be passed to the Envoy process by
2838
# setting `envoy.securityContext.capabilities.keepNetBindService=true` (in addition to granting the
2839
# capability to the container).
2840
# Note: In case of embedded envoy, the capability must be granted to the cilium-agent container.
2841
envoy:
2842
# Used since cilium proxy uses setting IPPROTO_IP/IP_TRANSPARENT
2843
- NET_ADMIN
2844
# We need it for now but might not need it for >= 5.11 specially
2845
# for the 'SYS_RESOURCE'.
2846
# In >= 5.8 there's already BPF and PERMON capabilities
2847
- SYS_ADMIN
2848
# Both PERFMON and BPF requires kernel 5.8, container runtime
2849
# cri-o >= v1.22.0 or containerd >= v1.5.0.
2850
# If available, SYS_ADMIN can be removed.
2851
#- PERFMON
2852
#- BPF
2853
# -- Keep capability `NET_BIND_SERVICE` for Envoy process.
2854
keepCapNetBindService: false
2855
# -- Affinity for cilium-envoy.
2856
affinity:
2857
podAntiAffinity:
2858
requiredDuringSchedulingIgnoredDuringExecution:
2859
- topologyKey: kubernetes.io/hostname
2860
labelSelector:
2861
matchLabels:
2862
k8s-app: cilium-envoy
2863
podAffinity:
2864
requiredDuringSchedulingIgnoredDuringExecution:
2865
- topologyKey: kubernetes.io/hostname
2866
labelSelector:
2867
matchLabels:
2868
k8s-app: cilium
2869
nodeAffinity:
2870
requiredDuringSchedulingIgnoredDuringExecution:
2871
nodeSelectorTerms:
2872
- matchExpressions:
2873
- key: cilium.io/no-schedule
2874
operator: NotIn
2875
values:
2876
- "true"
2877
# -- Node selector for cilium-envoy.
2878
nodeSelector:
2879
kubernetes.io/os: linux
2880
# -- Node tolerations for envoy scheduling to nodes with taints
2881
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
2882
tolerations:
2883
- operator: Exists
2884
# - key: "key"
2885
# operator: "Equal|Exists"
2886
# value: "value"
2887
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
2888
# @schema
2889
# type: [null, string]
2890
# @schema
2891
# -- The priority class to use for cilium-envoy.
2892
priorityClassName: ~
2893
# @schema
2894
# type: [null, string]
2895
# @schema
2896
# -- DNS policy for Cilium envoy pods.
2897
# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
2898
dnsPolicy: ~
2899
debug:
2900
admin:
2901
# -- Enable admin interface for cilium-envoy.
2902
# This is useful for debugging and should not be enabled in production.
2903
enabled: false
2904
# -- Port number (bound to loopback interface).
2905
# kubectl port-forward can be used to access the admin interface.
2906
port: 9901
2907
# -- Configure Cilium Envoy Prometheus options.
2908
# Note that some of these apply to either cilium-agent or cilium-envoy.
2909
prometheus:
2910
# -- Enable prometheus metrics for cilium-envoy
2911
enabled: true
2912
serviceMonitor:
2913
# -- Enable service monitors.
2914
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
2915
# Note that this setting applies to both cilium-envoy _and_ cilium-agent
2916
# with Envoy enabled.
2917
enabled: false
2918
# -- Labels to add to ServiceMonitor cilium-envoy
2919
labels: {}
2920
# -- Annotations to add to ServiceMonitor cilium-envoy
2921
annotations: {}
2922
# -- Interval for scrape metrics.
2923
interval: "10s"
2924
# @schema
2925
# type: [null, string]
2926
# @schema
2927
# -- Timeout after which scrape is considered to be failed.
2928
scrapeTimeout: ~
2929
# -- Specify the Kubernetes namespace where Prometheus expects to find
2930
# service monitors configured.
2931
# namespace: ""
2932
# -- Relabeling configs for the ServiceMonitor cilium-envoy
2933
# or for cilium-agent with Envoy configured.
2934
relabelings:
2935
- sourceLabels:
2936
- __meta_kubernetes_pod_node_name
2937
targetLabel: node
2938
action: replace
2939
replacement: ${1}
2940
# @schema
2941
# type: [null, array]
2942
# @schema
2943
# -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
2944
# or for cilium-agent with Envoy configured.
2945
metricRelabelings: ~
2946
# -- Serve prometheus metrics for cilium-envoy on the configured port
2947
port: "9964"
2948
# -- Enable/Disable use of node label based identity
2949
nodeSelectorLabels: false
2950
# To include or exclude matched resources from cilium node identity evaluation
2951
# List of labels just like --labels flag (.Values.labels)
2952
# nodeLabels: ""
2953
2954
# -- Enable resource quotas for priority classes used in the cluster.
2955
resourceQuotas:
2956
enabled: false
2957
cilium:
2958
hard:
2959
# 5k nodes * 2 DaemonSets (Cilium and cilium node init)
2960
pods: "10k"
2961
operator:
2962
hard:
2963
# 15 "clusterwide" Cilium Operator pods for HA
2964
pods: "15"
2965
# Need to document default
2966
##################
2967
2968
# -- Annotations to be added to all cilium-secret namespaces (resources under templates/cilium-secrets-namespace)
2969
secretsNamespaceAnnotations: {}
2970
# -- Labels to be added to all cilium-secret namespaces (resources under templates/cilium-secrets-namespace)
2971
secretsNamespaceLabels: {}
2972
# -- Do not run Cilium agent when running with clean mode. Useful to completely
2973
# uninstall Cilium as it will stop Cilium from starting and create artifacts
2974
# in the node.
2975
sleepAfterInit: false
2976
# -- Synchronize Kubernetes nodes to kvstore and perform CNP GC.
2977
synchronizeK8sNodes: true
2978
# -- Configure TLS configuration in the agent.
2979
tls:
2980
# @schema
2981
# type: [null, string]
2982
# @schema
2983
# -- This configures how the Cilium agent loads the secrets used TLS-aware CiliumNetworkPolicies
2984
# (namely the secrets referenced by terminatingTLS and originatingTLS).
2985
# This value is DEPRECATED and will be removed in a future version.
2986
# Use `tls.readSecretsOnlyFromSecretsNamespace` instead.
2987
# Possible values:
2988
# - local
2989
# - k8s
2990
secretsBackend: ~
2991
# @schema
2992
# type: [null, boolean]
2993
# @schema
2994
# -- Configure if the Cilium Agent will only look in `tls.secretsNamespace` for
2995
# CiliumNetworkPolicy relevant Secrets.
2996
# If false, the Cilium Agent will be granted READ (GET/LIST/WATCH) access
2997
# to _all_ secrets in the entire cluster. This is not recommended and is
2998
# included for backwards compatibility.
2999
# This value obsoletes `tls.secretsBackend`, with `true` == `local` in the old
3000
# setting, and `false` == `k8s`.
3001
readSecretsOnlyFromSecretsNamespace: ~
3002
# -- Configures where secrets used in CiliumNetworkPolicies will be looked for
3003
secretsNamespace:
3004
# -- Create secrets namespace for TLS Interception secrets.
3005
create: true
3006
# -- Name of TLS Interception secret namespace.
3007
name: cilium-secrets
3008
# -- Configures settings for synchronization of TLS Interception Secrets
3009
secretSync:
3010
# @schema
3011
# type: [null, boolean]
3012
# @schema
3013
# -- Enable synchronization of Secrets for TLS Interception. If disabled and
3014
# tls.readSecretsOnlyFromSecretsNamespace is set to 'false', then secrets will be read directly by the agent.
3015
enabled: ~
3016
# -- Base64 encoded PEM values for the CA certificate and private key.
3017
# This can be used as common CA to generate certificates used by hubble and clustermesh components.
3018
# It is neither required nor used when cert-manager is used to generate the certificates.
3019
ca:
3020
# -- Optional CA cert. If it is provided, it will be used by cilium to
3021
# generate all other certificates. Otherwise, an ephemeral CA is generated.
3022
cert: ""
3023
# -- Optional CA private key. If it is provided, it will be used by cilium to
3024
# generate all other certificates. Otherwise, an ephemeral CA is generated.
3025
key: ""
3026
# -- Generated certificates validity duration in days. This will be used for auto generated CA.
3027
certValidityDuration: 1095
3028
# -- Configure the CA trust bundle used for the validation of the certificates
3029
# leveraged by hubble and clustermesh. When enabled, it overrides the content of the
3030
# 'ca.crt' field of the respective certificates, allowing for CA rotation with no down-time.
3031
caBundle:
3032
# -- Enable the use of the CA trust bundle.
3033
enabled: false
3034
# -- Name of the ConfigMap containing the CA trust bundle.
3035
name: cilium-root-ca.crt
3036
# -- Entry of the ConfigMap containing the CA trust bundle.
3037
key: ca.crt
3038
# -- Use a Secret instead of a ConfigMap.
3039
useSecret: false
3040
# If uncommented, creates the ConfigMap and fills it with the specified content.
3041
# Otherwise, the ConfigMap is assumed to be already present in .Release.Namespace.
3042
#
3043
# content: |
3044
# -----BEGIN CERTIFICATE-----
3045
# ...
3046
# -----END CERTIFICATE-----
3047
# -----BEGIN CERTIFICATE-----
3048
# ...
3049
# -----END CERTIFICATE-----
3050
# -- Tunneling protocol to use in tunneling mode and for ad-hoc tunnels.
3051
# Possible values:
3052
# - ""
3053
# - vxlan
3054
# - geneve
3055
# @default -- `"vxlan"`
3056
tunnelProtocol: ""
3057
# -- IP family for the underlay.
3058
# Possible values:
3059
# - "ipv4"
3060
# - "ipv6"
3061
# @default -- `"ipv4"`
3062
underlayProtocol: ""
3063
# -- Enable native-routing mode or tunneling mode.
3064
# Possible values:
3065
# - ""
3066
# - native
3067
# - tunnel
3068
# @default -- `"tunnel"`
3069
routingMode: ""
3070
# -- Configure VXLAN and Geneve tunnel port.
3071
# @default -- Port 8472 for VXLAN, Port 6081 for Geneve
3072
tunnelPort: 0
3073
# -- Configure VXLAN and Geneve tunnel source port range hint.
3074
# @default -- 0-0 to let the kernel driver decide the range
3075
tunnelSourcePortRange: 0-0
3076
# -- Configure what the response should be to traffic for a service without backends.
3077
# Possible values:
3078
# - reject (default)
3079
# - drop
3080
serviceNoBackendResponse: reject
3081
# -- Configure what the response should be to pod egress traffic denied by network policy.
3082
# Possible values:
3083
# - none (default)
3084
# - icmp
3085
policyDenyResponse: none
3086
# -- Configure the underlying network MTU to overwrite auto-detected MTU.
3087
# This value doesn't change the host network interface MTU i.e. eth0 or ens0.
3088
# It changes the MTU for cilium_net@cilium_host, cilium_host@cilium_net,
3089
# cilium_vxlan and lxc_health interfaces.
3090
MTU: 0
3091
# -- Disable the usage of CiliumEndpoint CRD.
3092
disableEndpointCRD: false
3093
wellKnownIdentities:
3094
# -- Enable the use of well-known identities.
3095
enabled: false
3096
etcd:
3097
# -- Enable etcd mode for the agent.
3098
enabled: false
3099
# -- List of etcd endpoints
3100
endpoints:
3101
- https://CHANGE-ME:2379
3102
# -- Enable use of TLS/SSL for connectivity to etcd.
3103
ssl: false
3104
operator:
3105
# -- Enable the cilium-operator component (required).
3106
enabled: true
3107
# -- Roll out cilium-operator pods automatically when configmap is updated.
3108
rollOutPods: false
3109
# -- cilium-operator image.
3110
image:
3111
# @schema
3112
# type: [null, string]
3113
# @schema
3114
override: chainreg.biz/chainguard-private/cilium-operator-generic:1.19@sha256:63a48bc03a08dfa84a1490fd4bcdb79c464781322e927c4c52b0d61f2582b9e9
3115
repository: "quay.io/cilium/operator"
3116
tag: "v1.19.4"
3117
# operator-generic-digest
3118
genericDigest: ""
3119
# operator-azure-digest
3120
azureDigest: ""
3121
# operator-aws-digest
3122
awsDigest: ""
3123
# operator-alibabacloud-digest
3124
alibabacloudDigest: ""
3125
useDigest: false
3126
pullPolicy: "IfNotPresent"
3127
suffix: ""
3128
# -- Number of replicas to run for the cilium-operator deployment
3129
replicas: 2
3130
# -- The priority class to use for cilium-operator
3131
priorityClassName: ""
3132
# -- DNS policy for Cilium operator pods.
3133
# Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
3134
dnsPolicy: ""
3135
# -- cilium-operator update strategy
3136
updateStrategy:
3137
type: RollingUpdate
3138
rollingUpdate:
3139
# @schema
3140
# type: [integer, string]
3141
# @schema
3142
maxSurge: 25%
3143
# @schema
3144
# type: [integer, string]
3145
# @schema
3146
maxUnavailable: 50%
3147
# -- Affinity for cilium-operator
3148
affinity:
3149
podAntiAffinity:
3150
requiredDuringSchedulingIgnoredDuringExecution:
3151
- topologyKey: kubernetes.io/hostname
3152
labelSelector:
3153
matchLabels:
3154
io.cilium/app: operator
3155
# -- Pod topology spread constraints for cilium-operator
3156
topologySpreadConstraints: []
3157
# - maxSkew: 1
3158
# topologyKey: topology.kubernetes.io/zone
3159
# whenUnsatisfiable: DoNotSchedule
3160
3161
# -- Node labels for cilium-operator pod assignment
3162
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
3163
nodeSelector:
3164
kubernetes.io/os: linux
3165
# -- Node tolerations for cilium-operator scheduling to nodes with taints
3166
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
3167
# Toleration for agentNotReadyTaintKey taint is always added to cilium-operator pods.
3168
# @schema
3169
# type: [null, array]
3170
# @schema
3171
tolerations:
3172
- key: "node-role.kubernetes.io/control-plane"
3173
operator: Exists
3174
- key: "node-role.kubernetes.io/master" #deprecated
3175
operator: Exists
3176
- key: "node.kubernetes.io/not-ready"
3177
operator: Exists
3178
- key: "node.cloudprovider.kubernetes.io/uninitialized"
3179
operator: Exists
3180
# -- Additional cilium-operator container arguments.
3181
extraArgs: []
3182
# -- Additional cilium-operator environment variables.
3183
extraEnv: []
3184
# -- Additional cilium-operator hostPath mounts.
3185
extraHostPathMounts: []
3186
# - name: host-mnt-data
3187
# mountPath: /host/mnt/data
3188
# hostPath: /mnt/data
3189
# hostPathType: Directory
3190
# readOnly: true
3191
# mountPropagation: HostToContainer
3192
3193
# -- Additional cilium-operator volumes.
3194
extraVolumes: []
3195
# -- Additional cilium-operator volumeMounts.
3196
extraVolumeMounts: []
3197
# -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)
3198
annotations: {}
3199
# -- HostNetwork setting
3200
hostNetwork: true
3201
# -- Security context to be added to cilium-operator pods
3202
podSecurityContext:
3203
seccompProfile:
3204
type: RuntimeDefault
3205
# -- Annotations to be added to cilium-operator pods
3206
podAnnotations: {}
3207
# -- Labels to be added to cilium-operator pods
3208
podLabels: {}
3209
# PodDisruptionBudget settings
3210
podDisruptionBudget:
3211
# -- enable PodDisruptionBudget
3212
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
3213
enabled: false
3214
# @schema
3215
# type: [null, integer, string]
3216
# @schema
3217
# -- Minimum number/percentage of pods that should remain scheduled.
3218
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
3219
minAvailable: null
3220
# @schema
3221
# type: [null, integer, string]
3222
# @schema
3223
# -- Maximum number/percentage of pods that may be made unavailable
3224
maxUnavailable: 1
3225
# @schema
3226
# type: [null, string]
3227
# @schema
3228
# -- How are unhealthy, but running, pods counted for eviction
3229
unhealthyPodEvictionPolicy: null
3230
# -- cilium-operator resource limits & requests
3231
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
3232
resources: {}
3233
# limits:
3234
# cpu: 1000m
3235
# memory: 1Gi
3236
# requests:
3237
# cpu: 100m
3238
# memory: 128Mi
3239
3240
# -- Security context to be added to cilium-operator pods
3241
securityContext:
3242
capabilities:
3243
drop:
3244
- ALL
3245
allowPrivilegeEscalation: false
3246
# runAsUser: 0
3247
3248
# -- Interval for endpoint garbage collection.
3249
endpointGCInterval: "5m0s"
3250
# -- Interval for cilium node garbage collection.
3251
nodeGCInterval: "5m0s"
3252
# -- Interval for identity garbage collection.
3253
identityGCInterval: "15m0s"
3254
# -- Timeout for identity heartbeats.
3255
identityHeartbeatTimeout: "30m0s"
3256
pprof:
3257
# -- Enable pprof for cilium-operator
3258
enabled: false
3259
# -- Configure pprof listen address for cilium-operator
3260
address: localhost
3261
# -- Configure pprof listen port for cilium-operator
3262
port: 6061
3263
# -- Enable mutex contention profiling for cilium-operator and set the fraction of sampled events (set to 1 to sample all events)
3264
mutexProfileFraction: 0
3265
# -- Enable goroutine blocking profiling for cilium-operator and set the rate of sampled events in nanoseconds (set to 1 to sample all events [warning: performance overhead])
3266
blockProfileRate: 0
3267
# -- Enable prometheus metrics for cilium-operator on the configured port at
3268
# /metrics
3269
prometheus:
3270
metricsService: false
3271
enabled: true
3272
port: 9963
3273
serviceMonitor:
3274
# -- Enable service monitors.
3275
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
3276
enabled: false
3277
# -- Labels to add to ServiceMonitor cilium-operator
3278
labels: {}
3279
# -- Annotations to add to ServiceMonitor cilium-operator
3280
annotations: {}
3281
# -- jobLabel to add for ServiceMonitor cilium-operator
3282
jobLabel: ""
3283
# -- Interval for scrape metrics.
3284
interval: "10s"
3285
# @schema
3286
# type: [null, string]
3287
# @schema
3288
# -- Timeout after which scrape is considered to be failed.
3289
scrapeTimeout: ~
3290
# @schema
3291
# type: [null, array]
3292
# @schema
3293
# -- Relabeling configs for the ServiceMonitor cilium-operator
3294
relabelings: ~
3295
# @schema
3296
# type: [null, array]
3297
# @schema
3298
# -- Metrics relabeling configs for the ServiceMonitor cilium-operator
3299
metricRelabelings: ~
3300
# -- TLS configuration for Prometheus
3301
tls:
3302
enabled: false
3303
server:
3304
# -- Name of the Secret containing the certificate, key and CA files for the Prometheus server.
3305
existingSecret: ""
3306
mtls:
3307
# When set to true enforces mutual TLS between Operator Prometheus server and its clients.
3308
# False allow non-mutual TLS connections.
3309
# This option has no effect when TLS is disabled.
3310
enabled: false
3311
# -- Grafana dashboards for cilium-operator
3312
# grafana can import dashboards based on the label and value
3313
# ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
3314
dashboards:
3315
enabled: false
3316
label: grafana_dashboard
3317
# @schema
3318
# type: [null, string]
3319
# @schema
3320
namespace: ~
3321
labelValue: "1"
3322
annotations: {}
3323
# -- Skip CRDs creation for cilium-operator
3324
skipCRDCreation: false
3325
# -- Remove Cilium node taint from Kubernetes nodes that have a healthy Cilium
3326
# pod running.
3327
removeNodeTaints: true
3328
# @schema
3329
# type: [null, boolean]
3330
# @schema
3331
# -- Taint nodes where Cilium is scheduled but not running. This prevents pods
3332
# from being scheduled to nodes where Cilium is not the default CNI provider.
3333
# @default -- same as removeNodeTaints
3334
setNodeTaints: ~
3335
# -- Set Node condition NetworkUnavailable to 'false' with the reason
3336
# 'CiliumIsUp' for nodes that have a healthy Cilium pod.
3337
setNodeNetworkStatus: true
3338
unmanagedPodWatcher:
3339
# -- Restart any pod that are not managed by Cilium.
3340
restart: true
3341
# -- Interval, in seconds, to check if there are any pods that are not
3342
# managed by Cilium.
3343
intervalSeconds: 15
3344
# -- Selector for pods that should be restarted when not managed by Cilium.
3345
# If not set, defaults to built-in selector "k8s-app=kube-dns". Set to empty string to select all pods.
3346
# @schema
3347
# type: [null, string]
3348
# @schema
3349
selector: ~
3350
nodeinit:
3351
# -- Enable the node initialization DaemonSet
3352
enabled: false
3353
# -- node-init image.
3354
image:
3355
# @schema
3356
# type: [null, string]
3357
# @schema
3358
override: ~
3359
repository: chainreg.biz/chainguard-private/bash
3360
tag: latest
3361
digest: sha256:7178e5840790f7fea8c453f1550d8d42f404e12f131c13ae21c480059ca7fdb5
3362
useDigest: true
3363
pullPolicy: "IfNotPresent"
3364
# -- The priority class to use for the nodeinit pod.
3365
priorityClassName: ""
3366
# -- node-init update strategy
3367
updateStrategy:
3368
type: RollingUpdate
3369
# -- Additional nodeinit environment variables.
3370
extraEnv: []
3371
# -- Additional nodeinit volumes.
3372
extraVolumes: []
3373
# -- Additional nodeinit volumeMounts.
3374
extraVolumeMounts: []
3375
# -- Affinity for cilium-nodeinit
3376
affinity: {}
3377
# -- Node labels for nodeinit pod assignment
3378
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
3379
nodeSelector:
3380
kubernetes.io/os: linux
3381
# -- Node tolerations for nodeinit scheduling to nodes with taints
3382
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
3383
tolerations:
3384
- operator: Exists
3385
# - key: "key"
3386
# operator: "Equal|Exists"
3387
# value: "value"
3388
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
3389
# -- Annotations to be added to all top-level nodeinit objects (resources under templates/cilium-nodeinit)
3390
annotations: {}
3391
# -- Annotations to be added to node-init pods.
3392
podAnnotations: {}
3393
# -- Labels to be added to node-init pods.
3394
podLabels: {}
3395
# -- Security Context for cilium-node-init pods.
3396
podSecurityContext:
3397
# -- AppArmorProfile options for the `cilium-node-init` and init containers
3398
appArmorProfile:
3399
type: "Unconfined"
3400
# -- nodeinit resource limits & requests
3401
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
3402
resources:
3403
requests:
3404
# @schema
3405
# type: [integer, string]
3406
# @schema
3407
cpu: 100m
3408
memory: 100Mi
3409
# -- Security context to be added to nodeinit pods.
3410
securityContext:
3411
allowPrivilegeEscalation: false
3412
privileged: false
3413
seLinuxOptions:
3414
level: 's0'
3415
# Running with spc_t since we have removed the privileged mode.
3416
# Users can change it to a different type as long as they have the
3417
# type available on the system.
3418
type: 'spc_t'
3419
capabilities:
3420
add:
3421
# Used in iptables. Consider removing once we are iptables-free
3422
- SYS_MODULE
3423
# Used for nsenter
3424
- NET_ADMIN
3425
- SYS_ADMIN
3426
- SYS_CHROOT
3427
- SYS_PTRACE
3428
# -- bootstrapFile is the location of the file where the bootstrap timestamp is
3429
# written by the node-init DaemonSet
3430
bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"
3431
# -- wait for Cloud init to finish on the host and assume the node has cloud init installed
3432
waitForCloudInit: false
3433
# -- startup offers way to customize startup nodeinit script (pre and post position)
3434
startup:
3435
preScript: ""
3436
postScript: ""
3437
# -- prestop offers way to customize prestop nodeinit script (pre and post position)
3438
prestop:
3439
preScript: ""
3440
postScript: ""
3441
preflight:
3442
# -- Enable Cilium pre-flight resources (required for upgrade)
3443
enabled: false
3444
# -- Cilium pre-flight image.
3445
image:
3446
# @schema
3447
# type: [null, string]
3448
# @schema
3449
override: ~
3450
repository: chainreg.biz/chainguard-private/cilium-agent
3451
tag: "1.19"
3452
# cilium-digest
3453
digest: sha256:baf006651419a36e646a045eb027e41df676685cb52dc54a28db4529e21df2bc
3454
useDigest: true
3455
pullPolicy: "IfNotPresent"
3456
envoy:
3457
# -- Envoy pre-flight image.
3458
image:
3459
# @schema
3460
# type: [null, string]
3461
# @schema
3462
override: ~
3463
repository: chainreg.biz/chainguard-private/cilium-envoy
3464
tag: "1.19"
3465
pullPolicy: "IfNotPresent"
3466
digest: sha256:9e782cdaec22b27284271e96e3a1d46a4c19983455acf1e567fb8669eaf406da
3467
useDigest: true
3468
# -- The priority class to use for the preflight pod.
3469
priorityClassName: ""
3470
# -- preflight update strategy
3471
updateStrategy:
3472
type: RollingUpdate
3473
# -- Additional preflight environment variables.
3474
extraEnv: []
3475
# -- Additional preflight volumes.
3476
extraVolumes: []
3477
# -- Additional preflight volumeMounts.
3478
extraVolumeMounts: []
3479
# -- Affinity for cilium-preflight
3480
affinity:
3481
podAffinity:
3482
requiredDuringSchedulingIgnoredDuringExecution:
3483
- topologyKey: kubernetes.io/hostname
3484
labelSelector:
3485
matchLabels:
3486
k8s-app: cilium
3487
# -- Node labels for preflight pod assignment
3488
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
3489
nodeSelector:
3490
kubernetes.io/os: linux
3491
# -- Node tolerations for preflight scheduling to nodes with taints
3492
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
3493
tolerations:
3494
- operator: Exists
3495
# - key: "key"
3496
# operator: "Equal|Exists"
3497
# value: "value"
3498
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
3499
# -- Annotations to be added to all top-level preflight objects (resources under templates/cilium-preflight)
3500
annotations: {}
3501
# -- Security context to be added to preflight pods.
3502
podSecurityContext: {}
3503
# -- Annotations to be added to preflight pods
3504
podAnnotations: {}
3505
# -- Labels to be added to the preflight pod.
3506
podLabels: {}
3507
# PodDisruptionBudget settings
3508
podDisruptionBudget:
3509
# -- enable PodDisruptionBudget
3510
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
3511
enabled: false
3512
# @schema
3513
# type: [null, integer, string]
3514
# @schema
3515
# -- Minimum number/percentage of pods that should remain scheduled.
3516
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
3517
minAvailable: null
3518
# @schema
3519
# type: [null, integer, string]
3520
# @schema
3521
# -- Maximum number/percentage of pods that may be made unavailable
3522
maxUnavailable: 1
3523
# @schema
3524
# type: [null, string]
3525
# @schema
3526
# -- How are unhealthy, but running, pods counted for eviction
3527
unhealthyPodEvictionPolicy: null
3528
# -- preflight resource limits & requests
3529
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
3530
resources: {}
3531
# limits:
3532
# cpu: 4000m
3533
# memory: 4Gi
3534
# requests:
3535
# cpu: 100m
3536
# memory: 512Mi
3537
3538
readinessProbe:
3539
# -- For how long kubelet should wait before performing the first probe
3540
initialDelaySeconds: 5
3541
# -- interval between checks of the readiness probe
3542
periodSeconds: 5
3543
# -- Security context to be added to preflight pods
3544
securityContext:
3545
allowPrivilegeEscalation: false
3546
# runAsUser: 0
3547
3548
# -- Path to write the `--tofqdns-pre-cache` file to.
3549
tofqdnsPreCache: ""
3550
# -- Configure termination grace period for preflight Deployment and DaemonSet.
3551
terminationGracePeriodSeconds: 1
3552
# -- By default we should always validate the installed CNPs before upgrading
3553
# Cilium. This will make sure the user will have the policies deployed in the
3554
# cluster with the right schema.
3555
validateCNPs: true
3556
# -- Explicitly enable or disable priority class.
3557
# .Capabilities.KubeVersion is unsettable in `helm template` calls,
3558
# it depends on k8s libraries version that Helm was compiled against.
3559
# This option allows to explicitly disable setting the priority class, which
3560
# is useful for rendering charts for gke clusters in advance.
3561
enableCriticalPriorityClass: true
3562
# disableEnvoyVersionCheck removes the check for Envoy, which can be useful
3563
# on AArch64 as the images do not currently ship a version of Envoy.
3564
#disableEnvoyVersionCheck: false
3565
clustermesh:
3566
# -- Deploy clustermesh-apiserver for clustermesh. This option is typically
3567
# used with ``clustermesh.config.enabled=true``. Refer to the
3568
# ``clustermesh.config.enabled=true``documentation for more information.
3569
useAPIServer: false
3570
# -- The maximum number of clusters to support in a ClusterMesh. This value
3571
# cannot be changed on running clusters, and all clusters in a ClusterMesh
3572
# must be configured with the same value. Values > 255 will decrease the
3573
# maximum allocatable cluster-local identities.
3574
# Supported values are 255 and 511.
3575
maxConnectedClusters: 255
3576
# -- The time to live for the cache of a remote cluster after connectivity is
3577
# lost. If the connection is not re-established within this duration, the
3578
# cached data is revoked to prevent stale state. If not specified or set to
3579
# 0s, the cache is never revoked (default).
3580
cacheTTL: "0s"
3581
# -- Enable the synchronization of Kubernetes EndpointSlices corresponding to
3582
# the remote endpoints of appropriately-annotated global services through ClusterMesh
3583
enableEndpointSliceSynchronization: false
3584
# -- Enable Multi-Cluster Services API support (deprecated; use clustermesh.mcsapi.enabled)
3585
enableMCSAPISupport: false
3586
# -- Control whether policy rules assume by default the local cluster if not explicitly selected
3587
policyDefaultLocalCluster: true
3588
# -- Annotations to be added to all top-level clustermesh objects (resources under templates/clustermesh-apiserver and templates/clustermesh-config)
3589
annotations: {}
3590
# -- Clustermesh explicit configuration.
3591
config:
3592
# -- Enable the Clustermesh explicit configuration.
3593
# If set to false, you need to provide the following resources yourself:
3594
# - (Secret) cilium-clustermesh (used by cilium-agent/cilium-operator to connect to
3595
# the local etcd instance if KVStoreMesh is enabled or the remote clusters
3596
# if KVStoreMesh is disabled)
3597
# - (Secret) cilium-kvstoremesh (used by KVStoreMesh to connect to the remote clusters)
3598
# - (ConfigMap) clustermesh-remote-users (used to create one etcd user per remote cluster
3599
# if clustermesh-apiserver is used and `clustermesh.apiserver.tls.authMode` is not
3600
# set to `legacy`)
3601
enabled: false
3602
# -- Default dns domain for the Clustermesh API servers
3603
# This is used in the case cluster addresses are not provided
3604
# and IPs are used.
3605
domain: mesh.cilium.io
3606
# -- Clusters to be peered in the mesh.
3607
# @schema
3608
# type: [object, array]
3609
# @schema
3610
clusters: []
3611
# You can use a dict of clusters (recommended):
3612
# clusters:
3613
# # -- Name of the cluster
3614
# cluster1:
3615
# # -- Whether to enable this cluster in the mesh. Optional, defaults to true.
3616
# enabled: true
3617
# # -- Address of the cluster, use this if you created DNS records for
3618
# # the cluster Clustermesh API server.
3619
# address: cluster1.mesh.cilium.io
3620
# # -- Port of the cluster Clustermesh API server.
3621
# port: 2379
3622
# # -- IPs of the cluster Clustermesh API server, use multiple ones when
3623
# # you have multiple IPs to access the Clustermesh API server.
3624
# ips:
3625
# - 172.18.255.201
3626
# # -- (deprecated) base64 encoded PEM values for the cluster client certificate, private key and certificate authority.
3627
# # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the
3628
# # "remote" private key and certificate available in the local cluster are automatically used instead.
3629
# tls:
3630
# cert: ""
3631
# key: ""
3632
# caCert: ""
3633
#
3634
# Or alternatively you can use a list of clusters:
3635
# clusters:
3636
# # -- Name of the cluster
3637
# - name: cluster1
3638
# # -- Address of the cluster, use this if you created DNS records for
3639
# # the cluster Clustermesh API server.
3640
# address: cluster1.mesh.cilium.io
3641
# # -- Port of the cluster Clustermesh API server.
3642
# port: 2379
3643
# # -- IPs of the cluster Clustermesh API server, use multiple ones when
3644
# # you have multiple IPs to access the Clustermesh API server.
3645
# ips:
3646
# - 172.18.255.201
3647
# # -- (deprecated) base64 encoded PEM values for the cluster client certificate, private key and certificate authority.
3648
# # These fields can (and should) be omitted in case the CA is shared across clusters. In that case, the
3649
# # "remote" private key and certificate available in the local cluster are automatically used instead.
3650
# tls:
3651
# cert: ""
3652
# key: ""
3653
# caCert: ""
3654
mcsapi:
3655
# -- Enable Multi-Cluster Services API support
3656
enabled: false
3657
# -- Enabled MCS-API CRDs auto-installation
3658
installCRDs: true
3659
corednsAutoConfigure:
3660
# -- Enable auto-configuration of CoreDNS for Multi-Cluster Services API.
3661
# CoreDNS MUST be at least in version v1.12.2 to run this.
3662
enabled: false
3663
coredns:
3664
# -- The Deployment for the cluster CoreDNS service
3665
deploymentName: coredns
3666
# -- The Service Account name for the cluster CoreDNS service
3667
serviceAccountName: coredns
3668
# -- The ConfigMap name for the cluster CoreDNS service
3669
configMapName: coredns
3670
# -- The namespace for the cluster CoreDNS service
3671
namespace: kube-system
3672
# -- The cluster domain for the cluster CoreDNS service
3673
clusterDomain: cluster.local
3674
# -- The clusterset domain for the cluster CoreDNS service
3675
clustersetDomain: clusterset.local
3676
# -- Additional arguments to `clustermesh-apiserver coredns-mcsapi-auto-configure`.
3677
extraArgs: []
3678
# -- Seconds after which the completed job pod will be deleted
3679
ttlSecondsAfterFinished: 1800
3680
# -- Labels to be added to coredns-mcsapi-autoconfig pods
3681
podLabels: {}
3682
# -- Annotations to be added to the coredns-mcsapi-autoconfig Job
3683
annotations: {}
3684
# -- Node selector for coredns-mcsapi-autoconfig
3685
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
3686
nodeSelector: {}
3687
# -- Priority class for coredns-mcsapi-autoconfig
3688
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
3689
priorityClassName: ""
3690
# -- Node tolerations for pod assignment on nodes with taints
3691
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
3692
tolerations: []
3693
# -- Resource limits for coredns-mcsapi-autoconfig
3694
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers
3695
resources: {}
3696
# -- Additional coredns-mcsapi-autoconfig volumes.
3697
extraVolumes: []
3698
# -- Additional coredns-mcsapi-autoconfig volumeMounts.
3699
extraVolumeMounts: []
3700
# -- Affinity for coredns-mcsapi-autoconfig
3701
affinity: {}
3702
apiserver:
3703
# -- Clustermesh API server image.
3704
image:
3705
# @schema
3706
# type: [null, string]
3707
# @schema
3708
override: ~
3709
repository: chainreg.biz/chainguard-private/cilium-clustermesh-apiserver
3710
tag: "1.19"
3711
# clustermesh-apiserver-digest
3712
digest: sha256:bc43fe4503874616c98c09fe074fc8381eef2eece35b8c07155e29a637c63cb1
3713
useDigest: true
3714
pullPolicy: "IfNotPresent"
3715
# -- TCP port for the clustermesh-apiserver health API.
3716
healthPort: 9880
3717
# -- Configuration for the clustermesh-apiserver readiness probe.
3718
readinessProbe: {}
3719
etcd:
3720
# The etcd binary is included in the clustermesh API server image, so the same image from above is reused.
3721
# Independent override isn't supported, because clustermesh-apiserver is tested against the etcd version it is
3722
# built with.
3723
3724
# -- Specifies the resources for etcd container in the apiserver
3725
resources: {}
3726
# requests:
3727
# cpu: 200m
3728
# memory: 256Mi
3729
# limits:
3730
# cpu: 1000m
3731
# memory: 256Mi
3732
3733
# -- Security context to be added to clustermesh-apiserver etcd containers
3734
securityContext:
3735
allowPrivilegeEscalation: false
3736
capabilities:
3737
drop:
3738
- ALL
3739
# -- lifecycle setting for the etcd container
3740
lifecycle: {}
3741
init:
3742
# -- Specifies the resources for etcd init container in the apiserver
3743
resources: {}
3744
# requests:
3745
# cpu: 100m
3746
# memory: 100Mi
3747
# limits:
3748
# cpu: 100m
3749
# memory: 100Mi
3750
3751
# -- Additional arguments to `clustermesh-apiserver etcdinit`.
3752
extraArgs: []
3753
# -- Additional environment variables to `clustermesh-apiserver etcdinit`.
3754
extraEnv: []
3755
# @schema
3756
# enum: [Disk, Memory]
3757
# @schema
3758
# -- Specifies whether etcd data is stored in a temporary volume backed by
3759
# the node's default medium, such as disk, SSD or network storage (Disk), or
3760
# RAM (Memory). The Memory option enables improved etcd read and write
3761
# performance at the cost of additional memory usage, which counts against
3762
# the memory limits of the container.
3763
storageMedium: Disk
3764
kvstoremesh:
3765
# -- Enable KVStoreMesh. KVStoreMesh caches the information retrieved
3766
# from the remote clusters in the local etcd instance (deprecated - KVStoreMesh will always be enabled once the option is removed).
3767
enabled: true
3768
# -- TCP port for the KVStoreMesh health API.
3769
healthPort: 9881
3770
# -- Configuration for the KVStoreMesh readiness probe.
3771
readinessProbe: {}
3772
# -- Additional KVStoreMesh arguments.
3773
extraArgs: []
3774
# -- Additional KVStoreMesh environment variables.
3775
extraEnv: []
3776
# -- Resource requests and limits for the KVStoreMesh container
3777
resources: {}
3778
# requests:
3779
# cpu: 100m
3780
# memory: 64Mi
3781
# limits:
3782
# cpu: 1000m
3783
# memory: 1024M
3784
3785
# -- Additional KVStoreMesh volumeMounts.
3786
extraVolumeMounts: []
3787
# -- KVStoreMesh Security context
3788
securityContext:
3789
allowPrivilegeEscalation: false
3790
capabilities:
3791
drop:
3792
- ALL
3793
# -- lifecycle setting for the KVStoreMesh container
3794
lifecycle: {}
3795
# -- Specify the KVStore mode when running KVStoreMesh
3796
# Supported values:
3797
# - "internal": remote cluster identities are cached in etcd that runs as a sidecar within ``clustermesh-apiserver`` pod.
3798
# - "external": ``clustermesh-apiserver`` will sync remote cluster information to the etcd used as kvstore. This can't be enabled with crd identity allocation mode.
3799
kvstoreMode: "internal"
3800
service:
3801
# -- (bool) Set externallyCreated to true to create the clustermesh-apiserver service outside this helm chart.
3802
# For example after external load balancer controllers are created.
3803
externallyCreated: false
3804
# -- The type of service used for apiserver access.
3805
type: NodePort
3806
# -- Optional port to use as the node port for apiserver access.
3807
nodePort: 32379
3808
# -- Annotations for the clustermesh-apiserver service.
3809
# Example annotations to configure an internal load balancer on different cloud providers:
3810
# * AKS: service.beta.kubernetes.io/azure-load-balancer-internal: "true"
3811
# * EKS: service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
3812
# * GKE: networking.gke.io/load-balancer-type: "Internal"
3813
annotations: {}
3814
# -- Labels for the clustermesh-apiserver service.
3815
labels: {}
3816
# @schema
3817
# enum: [Local, Cluster]
3818
# @schema
3819
# -- The externalTrafficPolicy of service used for apiserver access.
3820
externalTrafficPolicy: Cluster
3821
# @schema
3822
# enum: [Local, Cluster]
3823
# @schema
3824
# -- The internalTrafficPolicy of service used for apiserver access.
3825
internalTrafficPolicy: Cluster
3826
# @schema
3827
# enum: [HAOnly, Always, Never]
3828
# @schema
3829
# -- Defines when to enable session affinity.
3830
# Each replica in a clustermesh-apiserver deployment runs its own discrete
3831
# etcd cluster. Remote clients connect to one of the replicas through a
3832
# shared Kubernetes Service. A client reconnecting to a different backend
3833
# will require a full resync to ensure data integrity. Session affinity
3834
# can reduce the likelihood of this happening, but may not be supported
3835
# by all cloud providers.
3836
# Possible values:
3837
# - "HAOnly" (default) Only enable session affinity for deployments with more than 1 replica.
3838
# - "Always" Always enable session affinity.
3839
# - "Never" Never enable session affinity. Useful in environments where
3840
# session affinity is not supported, but may lead to slightly
3841
# degraded performance due to more frequent reconnections.
3842
enableSessionAffinity: "HAOnly"
3843
# @schema
3844
# type: [null, string]
3845
# @schema
3846
# -- Configure a loadBalancerClass.
3847
# Allows to configure the loadBalancerClass on the clustermesh-apiserver
3848
# LB service in case the Service type is set to LoadBalancer
3849
# (requires Kubernetes 1.24+).
3850
loadBalancerClass: ~
3851
# @schema
3852
# type: [null, string]
3853
# @schema
3854
# -- Configure a specific loadBalancerIP.
3855
# Allows to configure a specific loadBalancerIP on the clustermesh-apiserver
3856
# LB service in case the Service type is set to LoadBalancer.
3857
loadBalancerIP: ~
3858
# -- Configure loadBalancerSourceRanges.
3859
# Allows to configure the source IP ranges allowed to access the
3860
# clustermesh-apiserver LB service in case the Service type is set to LoadBalancer.
3861
loadBalancerSourceRanges: []
3862
# -- Number of replicas run for the clustermesh-apiserver deployment.
3863
replicas: 1
3864
# -- lifecycle setting for the apiserver container
3865
lifecycle: {}
3866
# -- terminationGracePeriodSeconds for the clustermesh-apiserver deployment
3867
terminationGracePeriodSeconds: 30
3868
# -- Additional clustermesh-apiserver arguments.
3869
extraArgs: []
3870
# -- Additional clustermesh-apiserver environment variables.
3871
extraEnv: []
3872
# -- Additional clustermesh-apiserver volumes.
3873
extraVolumes: []
3874
# -- Additional clustermesh-apiserver volumeMounts.
3875
extraVolumeMounts: []
3876
# -- Security context to be added to clustermesh-apiserver containers
3877
securityContext:
3878
allowPrivilegeEscalation: false
3879
capabilities:
3880
drop:
3881
- ALL
3882
# -- Security context to be added to clustermesh-apiserver pods
3883
podSecurityContext:
3884
runAsNonRoot: true
3885
runAsUser: 65532
3886
runAsGroup: 65532
3887
fsGroup: 65532
3888
# -- Annotations to be added to clustermesh-apiserver pods
3889
podAnnotations: {}
3890
# -- Labels to be added to clustermesh-apiserver pods
3891
podLabels: {}
3892
# PodDisruptionBudget settings
3893
podDisruptionBudget:
3894
# -- enable PodDisruptionBudget
3895
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
3896
enabled: false
3897
# @schema
3898
# type: [null, integer, string]
3899
# @schema
3900
# -- Minimum number/percentage of pods that should remain scheduled.
3901
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
3902
minAvailable: null
3903
# @schema
3904
# type: [null, integer, string]
3905
# @schema
3906
# -- Maximum number/percentage of pods that may be made unavailable
3907
maxUnavailable: 1
3908
# @schema
3909
# type: [null, string]
3910
# @schema
3911
# -- How are unhealthy, but running, pods counted for eviction
3912
unhealthyPodEvictionPolicy: null
3913
# -- Resource requests and limits for the clustermesh-apiserver
3914
resources: {}
3915
# requests:
3916
# cpu: 100m
3917
# memory: 64Mi
3918
# limits:
3919
# cpu: 1000m
3920
# memory: 1024M
3921
3922
# -- Affinity for clustermesh.apiserver
3923
affinity:
3924
podAntiAffinity:
3925
preferredDuringSchedulingIgnoredDuringExecution:
3926
- weight: 100
3927
podAffinityTerm:
3928
labelSelector:
3929
matchLabels:
3930
k8s-app: clustermesh-apiserver
3931
topologyKey: kubernetes.io/hostname
3932
# -- Pod topology spread constraints for clustermesh-apiserver
3933
topologySpreadConstraints: []
3934
# - maxSkew: 1
3935
# topologyKey: topology.kubernetes.io/zone
3936
# whenUnsatisfiable: DoNotSchedule
3937
3938
# -- Node labels for pod assignment
3939
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
3940
nodeSelector:
3941
kubernetes.io/os: linux
3942
# -- Node tolerations for pod assignment on nodes with taints
3943
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
3944
tolerations: []
3945
# -- clustermesh-apiserver update strategy
3946
updateStrategy:
3947
type: RollingUpdate
3948
rollingUpdate:
3949
# @schema
3950
# type: [integer, string]
3951
# @schema
3952
maxSurge: 1
3953
# @schema
3954
# type: [integer, string]
3955
# @schema
3956
maxUnavailable: 0
3957
# -- The priority class to use for clustermesh-apiserver
3958
priorityClassName: ""
3959
tls:
3960
# -- Configure the clustermesh authentication mode.
3961
# Supported values:
3962
# - legacy: All clusters access remote clustermesh instances with the same
3963
# username (i.e., remote). The "remote" certificate must be
3964
# generated with CN=remote if provided manually.
3965
# - migration: Intermediate mode required to upgrade from legacy to cluster
3966
# (and vice versa) with no disruption. Specifically, it enables
3967
# the creation of the per-cluster usernames, while still using
3968
# the common one for authentication. The "remote" certificate must
3969
# be generated with CN=remote if provided manually (same as legacy).
3970
# - cluster: Each cluster accesses remote etcd instances with a username
3971
# depending on the local cluster name (i.e., remote-<cluster-name>).
3972
# The "remote" certificate must be generated with CN=remote-<cluster-name>
3973
# if provided manually. Cluster mode is meaningful only when the same
3974
# CA is shared across all clusters part of the mesh.
3975
authMode: migration
3976
# -- (deprecated) Allow users to provide their own certificates
3977
# Users may need to provide their certificates using
3978
# a mechanism that requires they provide their own secrets.
3979
# This setting does not apply to any of the auto-generated
3980
# mechanisms below, it only restricts the creation of secrets
3981
# via the `tls-provided` templates.
3982
# This option is deprecated as secrets are expected to be created
3983
# externally when 'auto' is not enabled.
3984
enableSecrets: true
3985
# -- Configure automatic TLS certificates generation.
3986
# A Kubernetes CronJob is used the generate any
3987
# certificates not provided by the user at installation
3988
# time.
3989
auto:
3990
# -- When set to true, automatically generate a CA and certificates to
3991
# enable mTLS between clustermesh-apiserver and external workload instances.
3992
#
3993
# When set to false you need to pre-create the following secrets:
3994
# - clustermesh-apiserver-server-cert
3995
# - clustermesh-apiserver-admin-cert
3996
# - clustermesh-apiserver-remote-cert
3997
# - clustermesh-apiserver-local-cert
3998
# The above secret should at least contains the keys `tls.crt` and `tls.key`
3999
# and optionally `ca.crt` if a CA bundle is not configured.
4000
enabled: true
4001
# Sets the method to auto-generate certificates. Supported values:
4002
# - helm: This method uses Helm to generate all certificates.
4003
# - cronJob: This method uses a Kubernetes CronJob the generate any
4004
# certificates not provided by the user at installation
4005
# time.
4006
# - certmanager: This method use cert-manager to generate & rotate certificates.
4007
method: helm
4008
# -- Generated certificates validity duration in days.
4009
certValidityDuration: 1095
4010
# -- Schedule for certificates regeneration (regardless of their expiration date).
4011
# Only used if method is "cronJob". If nil, then no recurring job will be created.
4012
# Instead, only the one-shot job is deployed to generate the certificates at
4013
# installation time.
4014
#
4015
# Due to the out-of-band distribution of client certs to external workloads the
4016
# CA is (re)regenerated only if it is not provided as a helm value and the k8s
4017
# secret is manually deleted.
4018
#
4019
# Defaults to none. Commented syntax gives midnight of the first day of every
4020
# fourth month. For syntax, see
4021
# https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax
4022
# schedule: "0 0 1 */4 *"
4023
4024
# [Example]
4025
# certManagerIssuerRef:
4026
# group: cert-manager.io
4027
# kind: ClusterIssuer
4028
# name: ca-issuer
4029
# -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
4030
certManagerIssuerRef: {}
4031
# -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.
4032
# Used if 'auto' is not enabled.
4033
server:
4034
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4035
cert: ""
4036
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4037
key: ""
4038
# -- Extra DNS names added to certificate when it's auto generated
4039
extraDnsNames: []
4040
# -- Extra IP addresses added to certificate when it's auto generated
4041
extraIpAddresses: []
4042
# -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.
4043
# Used if 'auto' is not enabled.
4044
admin:
4045
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4046
cert: ""
4047
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4048
key: ""
4049
# -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.
4050
# Used if 'auto' is not enabled.
4051
remote:
4052
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4053
cert: ""
4054
# -- Deprecated, as secrets will always need to be created externally if `auto` is disabled.
4055
key: ""
4056
# clustermesh-apiserver Prometheus metrics configuration
4057
metrics:
4058
# -- Enables exporting apiserver metrics in OpenMetrics format.
4059
enabled: true
4060
# -- Configure the port the apiserver metric server listens on.
4061
port: 9962
4062
kvstoremesh:
4063
# -- Enables exporting KVStoreMesh metrics in OpenMetrics format.
4064
enabled: true
4065
# -- Configure the port the KVStoreMesh metric server listens on.
4066
port: 9964
4067
etcd:
4068
# -- Enables exporting etcd metrics in OpenMetrics format.
4069
enabled: true
4070
# -- Set level of detail for etcd metrics; specify 'extensive' to include server side gRPC histogram metrics.
4071
mode: basic
4072
# -- Configure the port the etcd metric server listens on.
4073
port: 9963
4074
serviceMonitor:
4075
# -- Enable service monitor.
4076
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
4077
enabled: false
4078
# -- Labels to add to ServiceMonitor clustermesh-apiserver
4079
labels: {}
4080
# -- Annotations to add to ServiceMonitor clustermesh-apiserver
4081
annotations: {}
4082
# -- Specify the Kubernetes namespace where Prometheus expects to find
4083
# service monitors configured.
4084
# namespace: ""
4085
4086
# -- Interval for scrape metrics (apiserver metrics)
4087
interval: "10s"
4088
# @schema
4089
# type: [null, string]
4090
# @schema
4091
# -- Timeout after which scrape is considered to be failed.
4092
scrapeTimeout: ~
4093
# @schema
4094
# type: [null, array]
4095
# @schema
4096
# -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
4097
relabelings: ~
4098
# @schema
4099
# type: [null, array]
4100
# @schema
4101
# -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (apiserver metrics)
4102
metricRelabelings: ~
4103
kvstoremesh:
4104
# -- Interval for scrape metrics (KVStoreMesh metrics)
4105
interval: "10s"
4106
# @schema
4107
# type: [null, string]
4108
# @schema
4109
# -- Timeout after which scrape is considered to be failed.
4110
scrapeTimeout: ~
4111
# @schema
4112
# type: [null, array]
4113
# @schema
4114
# -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
4115
relabelings: ~
4116
# @schema
4117
# type: [null, array]
4118
# @schema
4119
# -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (KVStoreMesh metrics)
4120
metricRelabelings: ~
4121
etcd:
4122
# -- Interval for scrape metrics (etcd metrics)
4123
interval: "10s"
4124
# @schema
4125
# type: [null, string]
4126
# @schema
4127
# -- Timeout after which scrape is considered to be failed.
4128
scrapeTimeout: ~
4129
# @schema
4130
# type: [null, array]
4131
# @schema
4132
# -- Relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
4133
relabelings: ~
4134
# @schema
4135
# type: [null, array]
4136
# @schema
4137
# -- Metrics relabeling configs for the ServiceMonitor clustermesh-apiserver (etcd metrics)
4138
metricRelabelings: ~
4139
# -- Configure cgroup related configuration
4140
cgroup:
4141
autoMount:
4142
# -- Enable auto mount of cgroup2 filesystem.
4143
# When `autoMount` is enabled, cgroup2 filesystem is mounted at
4144
# `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
4145
# If users disable `autoMount`, it's expected that users have mounted
4146
# cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
4147
# volume will be mounted inside the cilium agent pod at the same path.
4148
enabled: true
4149
# -- Init Container Cgroup Automount resource limits & requests
4150
resources: {}
4151
# limits:
4152
# cpu: 100m
4153
# memory: 128Mi
4154
# requests:
4155
# cpu: 100m
4156
# memory: 128Mi
4157
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
4158
hostRoot: /run/cilium/cgroupv2
4159
# -- Configure sysctl override described in #20072.
4160
sysctlfix:
4161
# -- Enable the sysctl override. When enabled, the init container will mount the /proc of the host so that the `sysctlfix` utility can execute.
4162
enabled: true
4163
# -- Configure whether to unload DNS policy rules on graceful shutdown
4164
# dnsPolicyUnloadOnShutdown: false
4165
4166
# -- Configure the key of the taint indicating that Cilium is not ready on the node.
4167
# When set to a value starting with `ignore-taint.cluster-autoscaler.kubernetes.io/`, the Cluster Autoscaler will ignore the taint on its decisions, allowing the cluster to scale up.
4168
agentNotReadyTaintKey: "node.cilium.io/agent-not-ready"
4169
dnsProxy:
4170
# -- Timeout (in seconds) when closing the connection between the DNS proxy and the upstream server. If set to 0, the connection is closed immediately (with TCP RST). If set to -1, the connection is closed asynchronously in the background.
4171
socketLingerTimeout: 10
4172
# -- DNS response code for rejecting DNS requests, available options are '[nameError refused]'.
4173
dnsRejectResponseCode: refused
4174
# -- Allow the DNS proxy to compress responses to endpoints that are larger than 512 Bytes or the EDNS0 option, if present.
4175
enableDnsCompression: true
4176
# -- Maximum number of IPs to maintain per FQDN name for each endpoint.
4177
endpointMaxIpPerHostname: 1000
4178
# -- Time during which idle but previously active connections with expired DNS lookups are still considered alive.
4179
idleConnectionGracePeriod: 0s
4180
# -- Maximum number of IPs to retain for expired DNS lookups with still-active connections.
4181
maxDeferredConnectionDeletes: 10000
4182
# -- The minimum time, in seconds, to use DNS data for toFQDNs policies. If
4183
# the upstream DNS server returns a DNS record with a shorter TTL, Cilium
4184
# overwrites the TTL with this value. Setting this value to zero means that
4185
# Cilium will honor the TTLs returned by the upstream DNS server.
4186
minTtl: 0
4187
# -- DNS cache data at this path is preloaded on agent startup.
4188
preCache: ""
4189
# -- Global port on which the in-agent DNS proxy should listen. Default 0 is a OS-assigned port.
4190
proxyPort: 0
4191
# -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
4192
proxyResponseMaxDelay: 100ms
4193
# -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
4194
# enableTransparentMode: true
4195
# -- Pre-allocate ToFQDN identities. This reduces DNS proxy tail latency, at the potential cost of some
4196
# unnecessary policymap entries. Disable this if you have a large (200+) number of unique ToFQDN selectors.
4197
preAllocateIdentities: true
4198
# -- SCTP Configuration Values
4199
sctp:
4200
# -- Enable SCTP support. NOTE: Currently, SCTP support does not support rewriting ports or multihoming.
4201
enabled: false
4202
# -- Enable Non-Default-Deny policies
4203
enableNonDefaultDenyPolicies: true
4204
# Configuration for types of authentication for Cilium (beta)
4205
authentication:
4206
# -- Enable authentication processing and garbage collection.
4207
# Note that if disabled, policy enforcement will still block requests that require authentication.
4208
# But the resulting authentication requests for these requests will not be processed, therefore the requests not be allowed.
4209
enabled: false
4210
# -- Buffer size of the channel Cilium uses to receive authentication events from the signal map.
4211
queueSize: 1024
4212
# -- Buffer size of the channel Cilium uses to receive certificate expiration events from auth handlers.
4213
rotatedIdentitiesQueueSize: 1024
4214
# -- Interval for garbage collection of auth map entries.
4215
gcInterval: "5m0s"
4216
# Configuration for Cilium's service-to-service mutual authentication using TLS handshakes.
4217
# Note that this is not full mTLS support without also enabling encryption of some form.
4218
# Current encryption options are WireGuard or IPsec, configured in encryption block above.
4219
mutual:
4220
# -- Port on the agent where mutual authentication handshakes between agents will be performed
4221
port: 4250
4222
# -- Timeout for connecting to the remote node TCP socket
4223
connectTimeout: 5s
4224
# Settings for SPIRE
4225
spire:
4226
# -- Enable SPIRE integration (beta)
4227
enabled: false
4228
# -- Annotations to be added to all top-level spire objects (resources under templates/spire)
4229
annotations: {}
4230
# Settings to control the SPIRE installation and configuration
4231
install:
4232
# -- Enable SPIRE installation.
4233
# This will only take effect only if authentication.mutual.spire.enabled is true
4234
enabled: true
4235
# -- SPIRE namespace to install into
4236
namespace: cilium-spire
4237
# -- SPIRE namespace already exists. Set to true if Helm should not create, manage, and import the SPIRE namespace.
4238
existingNamespace: false
4239
# -- init container image of SPIRE agent and server
4240
initImage:
4241
# @schema
4242
# type: [null, string]
4243
# @schema
4244
override: ~
4245
repository: chainreg.biz/chainguard-private/busybox
4246
tag: latest
4247
digest: sha256:655f0f89892d3134b1c3dfa0eded3c451b1f2d39916d829753f28c889a547bd5
4248
useDigest: true
4249
pullPolicy: "IfNotPresent"
4250
# SPIRE agent configuration
4251
agent:
4252
# -- The priority class to use for the spire agent
4253
priorityClassName: ""
4254
# -- SPIRE agent image
4255
image:
4256
# @schema
4257
# type: [null, string]
4258
# @schema
4259
override: ~
4260
repository: chainreg.biz/chainguard-private/spire-agent
4261
tag: latest
4262
digest: sha256:0ae97cbfc89a2db67c72a789ecd21ec7670a39f19f7e935a779d1cf6bd2f83dc
4263
useDigest: true
4264
pullPolicy: "IfNotPresent"
4265
# -- SPIRE agent service account
4266
serviceAccount:
4267
create: true
4268
name: spire-agent
4269
# -- SPIRE agent annotations
4270
annotations: {}
4271
# -- SPIRE agent labels
4272
labels: {}
4273
# -- container resource limits & requests
4274
resources: {}
4275
# -- SPIRE Workload Attestor kubelet verification.
4276
skipKubeletVerification: true
4277
# -- SPIRE agent tolerations configuration
4278
# By default it follows the same tolerations as the agent itself
4279
# to allow the Cilium agent on this node to connect to SPIRE.
4280
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
4281
tolerations:
4282
- key: node.kubernetes.io/not-ready
4283
effect: NoSchedule
4284
- key: node-role.kubernetes.io/master
4285
effect: NoSchedule
4286
- key: node-role.kubernetes.io/control-plane
4287
effect: NoSchedule
4288
- key: node.cloudprovider.kubernetes.io/uninitialized
4289
effect: NoSchedule
4290
value: "true"
4291
- key: CriticalAddonsOnly
4292
operator: "Exists"
4293
# -- SPIRE agent affinity configuration
4294
affinity: {}
4295
# -- SPIRE agent nodeSelector configuration
4296
# ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
4297
nodeSelector: {}
4298
# -- Security context to be added to spire agent pods.
4299
# SecurityContext holds pod-level security attributes and common container settings.
4300
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
4301
podSecurityContext: {}
4302
# -- Security context to be added to spire agent containers.
4303
# SecurityContext holds pod-level security attributes and common container settings.
4304
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
4305
securityContext: {}
4306
server:
4307
# -- The priority class to use for the spire server
4308
priorityClassName: ""
4309
# -- SPIRE server image
4310
image:
4311
# @schema
4312
# type: [null, string]
4313
# @schema
4314
override: ~
4315
repository: chainreg.biz/chainguard-private/spire-server
4316
tag: latest
4317
digest: sha256:bdb4accabbed7646ed6de817bf950fe9cd475205fdcd9d07ecf137fe7bb29ac9
4318
useDigest: true
4319
pullPolicy: "IfNotPresent"
4320
# -- SPIRE server service account
4321
serviceAccount:
4322
create: true
4323
name: spire-server
4324
# -- SPIRE server init containers
4325
initContainers: []
4326
# -- SPIRE server annotations
4327
annotations: {}
4328
# -- SPIRE server labels
4329
labels: {}
4330
# SPIRE server service configuration
4331
# -- container resource limits & requests
4332
resources: {}
4333
service:
4334
# -- Service type for the SPIRE server service
4335
type: ClusterIP
4336
# -- Annotations to be added to the SPIRE server service
4337
annotations: {}
4338
# -- Labels to be added to the SPIRE server service
4339
labels: {}
4340
# -- SPIRE server affinity configuration
4341
affinity: {}
4342
# -- SPIRE server nodeSelector configuration
4343
# ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
4344
nodeSelector: {}
4345
# -- SPIRE server tolerations configuration
4346
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
4347
tolerations: []
4348
# SPIRE server datastorage configuration
4349
dataStorage:
4350
# -- Enable SPIRE server data storage
4351
enabled: true
4352
# -- Size of the SPIRE server data storage
4353
size: 1Gi
4354
# -- Access mode of the SPIRE server data storage
4355
accessMode: ReadWriteOnce
4356
# @schema
4357
# type: [null, string]
4358
# @schema
4359
# -- StorageClass of the SPIRE server data storage
4360
storageClass: null
4361
# -- Security context to be added to spire server pods.
4362
# SecurityContext holds pod-level security attributes and common container settings.
4363
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
4364
podSecurityContext: {}
4365
# -- Security context to be added to spire server containers.
4366
# SecurityContext holds pod-level security attributes and common container settings.
4367
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
4368
securityContext: {}
4369
# SPIRE CA configuration
4370
ca:
4371
# -- SPIRE CA key type
4372
# AWS requires the use of RSA. EC cryptography is not supported
4373
keyType: "rsa-4096"
4374
# -- SPIRE CA Subject
4375
subject:
4376
country: "US"
4377
organization: "SPIRE"
4378
commonName: "Cilium SPIRE CA"
4379
# @schema
4380
# type: [null, string]
4381
# @schema
4382
# -- SPIRE server address used by Cilium Operator
4383
#
4384
# If k8s Service DNS along with port number is used (e.g. <service-name>.<namespace>.svc(.*):<port-number> format),
4385
# Cilium Operator will resolve its address by looking up the clusterIP from Service resource.
4386
#
4387
# Example values: 10.0.0.1:8081, spire-server.cilium-spire.svc:8081
4388
serverAddress: ~
4389
# -- SPIFFE trust domain to use for fetching certificates
4390
trustDomain: spiffe.cilium
4391
# -- SPIRE socket path where the SPIRE delegated api agent is listening
4392
adminSocketPath: /run/spire/sockets/admin.sock
4393
# -- SPIRE socket path where the SPIRE workload agent is listening.
4394
# Applies to both the Cilium Agent and Operator
4395
agentSocketPath: /run/spire/sockets/agent/agent.sock
4396
# -- SPIRE connection timeout
4397
connectionTimeout: 30s
4398
# -- Enable Internal Traffic Policy
4399
enableInternalTrafficPolicy: true
4400
# -- Enable LoadBalancer IP Address Management
4401
enableLBIPAM: true
4402
# -- Standalone DNS Proxy Configuration
4403
# Note: The standalone DNS proxy uses the agent's dnsProxy.* configuration
4404
# for DNS settings (proxyPort, enableDnsCompression) to ensure consistency.
4405
standaloneDnsProxy:
4406
# -- Enable standalone DNS proxy (alpha feature)
4407
enabled: false
4408
# -- Roll out Standalone DNS proxy automatically when configmap is updated.
4409
rollOutPods: false
4410
# -- Standalone DNS proxy annotations
4411
annotations: {}
4412
# -- Standalone DNS proxy debug mode
4413
debug: false
4414
# -- Standalone DNS proxy server port
4415
serverPort: 10095
4416
# -- Standalone DNS proxy Node Selector
4417
nodeSelector:
4418
kubernetes.io/os: linux
4419
# -- Standalone DNS proxy tolerations
4420
tolerations: []
4421
# -- Standalone DNS proxy auto mount service account token
4422
automountServiceAccountToken: false
4423
# -- Standalone DNS proxy update strategy
4424
updateStrategy:
4425
type: RollingUpdate
4426
rollingUpdate:
4427
maxSurge: 2
4428
maxUnavailable: 0
4429
# -- Standalone DNS proxy image
4430
image:
4431
# @schema
4432
# type: [null, string]
4433
# @schema
4434
override: ~
4435
repository: chainreg.biz/chainguard-private/cilium-agent
4436
tag: "1.19"
4437
digest: sha256:baf006651419a36e646a045eb027e41df676685cb52dc54a28db4529e21df2bc
4438
useDigest: true
4439
pullPolicy: "IfNotPresent"
4440
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.