# upgradeCompatibility helps users who are upgrading by ensuring that the configMap for
# Cilium does not change critical values, preserving continued operation.
# This flag is not required for new installations.
# For example: 1.7, 1.8, 1.9
# upgradeCompatibility: '1.8'
debug:
# -- Enable debug logging
enabled: false
# verbose:
rbac:
# -- Enable creation of Role-Based Access Control (RBAC) configuration.
create: true
# -- Configure image pull secrets for pulling container images
imagePullSecrets:
# - name: "image-pull-secret"
# kubeConfigPath: ~/.kube/config
# k8sServiceHost:
# k8sServicePort:
cluster:
# -- Name of the cluster. Only required for Cluster Mesh.
name: default
# -- (int) Unique ID of the cluster. Must be unique across all connected
# clusters and in the range of 1 to 255. Only required for Cluster Mesh.
id:
# -- Define serviceAccount names for components.
# @default -- Component's fully qualified name.
serviceAccounts:
cilium:
create: true
name: cilium
annotations: {}
etcd:
create: true
name: cilium-etcd-operator
annotations: {}
operator:
create: true
name: cilium-operator
annotations: {}
preflight:
create: true
name: cilium-pre-flight
annotations: {}
relay:
create: true
name: hubble-relay
annotations: {}
ui:
create: true
name: hubble-ui
annotations: {}
clustermeshApiserver:
create: true
name: clustermesh-apiserver
annotations: {}
# -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
clustermeshcertgen:
create: true
name: clustermesh-apiserver-generate-certs
annotations: {}
# -- Hubblecertgen is used if hubble.tls.auto.method=cronJob
hubblecertgen:
create: true
name: hubble-generate-certs
annotations: {}
# -- Install the cilium agent resources.
agent: true
# -- Agent container name.
name: cilium
# -- Roll out cilium agent pods automatically when configmap is updated.
rollOutCiliumPods: false
# -- Agent container image.
image:
repository: quay.io/cilium/cilium
tag: v1.10.7
pullPolicy: IfNotPresent
# cilium-digest
digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
useDigest: true
# -- Pod affinity for cilium-agent.
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
# Compatible with Kubernetes 1.12.x and 1.13.x
- matchExpressions:
- key: beta.kubernetes.io/os
operator: In
values:
- linux
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: k8s-app
operator: In
values:
- cilium
topologyKey: kubernetes.io/hostname
# -- The priority class to use for cilium-agent.
priorityClassName: ""
# -- Additional agent container arguments.
extraArgs: []
# -- Additional agent container environment variables.
extraEnv: {}
# -- Additional InitContainers to initialize the pod.
extraInitContainers: []
# -- Additional agent hostPath mounts.
extraHostPathMounts: []
# - name: host-mnt-data
# mountPath: /host/mnt/data
# hostPath: /mnt/data
# hostPathType: Directory
# readOnly: true
# mountPropagation: HostToContainer
# -- Additional agent ConfigMap mounts.
extraConfigmapMounts: []
# - name: certs-configmap
# mountPath: /certs
# configMap: certs-configmap
# readOnly: true
# -- extraConfig allows you to specify additional configuration parameters to be
# included in the cilium-config configmap.
extraConfig: {}
# my-config-a: "1234"
# my-config-b: |-
# test 1
# test 2
# test 3
# -- Node tolerations for agent scheduling to nodes with taints
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
tolerations:
- operator: Exists
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
# -- Annotations to be added to agent pods
podAnnotations: {}
# -- Labels to be added to agent pods
podLabels: {}
# -- PodDisruptionBudget settings
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: true
maxUnavailable: 2
# -- Agent resource limits & requests
# ref: https://kubernetes.io/docs/user-guide/compute-resources/
resources: {}
# limits:
# cpu: 4000m
# memory: 4Gi
# requests:
# cpu: 100m
# memory: 512Mi
# -- Security context to be added to agent pods
securityContext: {}
# runAsUser: 0
# -- Cilium agent update strategy
updateStrategy:
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
# Configuration Values for cilium-agent
# -- Enable installation of PodCIDR routes between worker
# nodes if worker nodes share a common L2 network segment.
autoDirectNodeRoutes: false
azure:
# -- Enable Azure integration
enabled: false
# resourceGroup: group1
# subscriptionID: 00000000-0000-0000-0000-000000000000
# tenantID: 00000000-0000-0000-0000-000000000000
# clientID: 00000000-0000-0000-0000-000000000000
# clientSecret: 00000000-0000-0000-0000-000000000000
# userAssignedIdentityID: 00000000-0000-0000-0000-000000000000
alibabacloud:
# -- Enable AlibabaCloud ENI integration
enabled: false
# -- Optimize TCP and UDP workloads and enable rate-limiting traffic from
# individual Pods with EDT (Earliest Departure Time)
# through the "kubernetes.io/egress-bandwidth" Pod annotation.
bandwidthManager: false
# -- Configure BGP
bgp:
# -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside
# cilium-agent and cilium-operator
enabled: false
announce:
# -- Enable allocation and announcement of service LoadBalancer IPs
loadbalancerIP: false
bpf:
# -- Enable BPF clock source probing for more efficient tick retrieval.
clockProbe: false
# -- Enables pre-allocation of eBPF map values. This increases
# memory usage but can reduce latency.
preallocateMaps: false
# -- Configure the maximum number of entries in the TCP connection tracking
# table.
# ctTcpMax: '524288'
# -- Configure the maximum number of entries for the non-TCP connection
# tracking table.
# ctAnyMax: '262144'
# -- Configure the maximum number of service entries in the
# load balancer maps.
lbMapMax: 65536
# -- Configure the maximum number of entries for the NAT table.
# natMax: 524288
# -- Configure the maximum number of entries for the neighbor table.
# neighMax: 524288
# -- Configure the maximum number of entries in endpoint policy map (per endpoint).
policyMapMax: 16384
# -- Configure auto-sizing for all BPF maps based on available memory.
# ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps
#mapDynamicSizeRatio: 0.0025
# -- Configure the level of aggregation for monitor notifications.
# Valid options are none, low, medium, maximum.
monitorAggregation: medium
# -- Configure the typical time between monitor notifications for
# active connections.
monitorInterval: "5s"
# -- Configure which TCP flags trigger notifications when seen for the
# first time in a connection.
monitorFlags: "all"
# -- Allow cluster external access to ClusterIP services.
lbExternalClusterIP: false
# -- Enable native IP masquerade support in eBPF
#masquerade: false
# -- Configure whether direct routing mode should route traffic via
# host stack (true) or directly and more efficiently out of BPF (false) if
# the kernel supports it. The latter has the implication that it will also
# bypass netfilter in the host namespace.
#hostRouting: true
# -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
# for implementing Layer 7 policy.
# tproxy: true
# -- Configure the FIB lookup bypass optimization for nodeport reverse
# NAT handling.
# lbBypassFIBLookup: true
# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
# DaemonSet.
#
# WARNING: Use with care!
cleanBpfState: false
# -- Clean all local Cilium state from the initContainer of the cilium-agent
# DaemonSet. Implies cleanBpfState: true.
#
# WARNING: Use with care!
cleanState: false
cni:
# -- Install the CNI configuration and binary files into the filesystem.
install: true
# -- Configure chaining on top of other CNI plugins. Possible values:
# - none
# - generic-veth
# - aws-cni
# - portmap
chainingMode: none
# -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the
# node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
# This ensures no Pods can be scheduled using other CNI plugins during Cilium
# agent downtime.
exclusive: true
# -- Skip writing of the CNI configuration. This can be used if
# writing of the CNI configuration is performed by external automation.
customConf: false
# -- Configure the path to the CNI configuration directory on the host.
confPath: /etc/cni/net.d
# -- Configure the path to the CNI binary directory on the host.
binPath: /opt/cni/bin
# -- Specify the path to a CNI config to read from on agent start.
# This can be useful if you want to manage your CNI
# configuration outside of a Kubernetes environment. This parameter is
# mutually exclusive with the 'cni.configMap' parameter.
# readCniConf: /host/etc/cni/net.d/05-cilium.conf
# -- When defined, configMap will mount the provided value as ConfigMap and
# interpret the cniConf variable as CNI configuration file and write it
# when the agent starts up
# configMap: cni-configuration
# -- Configure the key in the CNI ConfigMap to read the contents of
# the CNI configuration from.
configMapKey: cni-config
# -- Configure the path to where to mount the ConfigMap inside the agent pod.
confFileMountPath: /tmp/cni-configuration
# -- Configure the path to where the CNI configuration directory is mounted
# inside the agent pod.
hostConfDirMountPath: /host/etc/cni/net.d
# -- Configure how frequently garbage collection should occur for the datapath
# connection tracking table.
# conntrackGCInterval: "0s"
# -- Configure container runtime specific integration.
containerRuntime:
# -- Enables specific integrations for container runtimes.
# Supported values:
# - containerd
# - crio
# - docker
# - none
# - auto (automatically detect the container runtime)
integration: none
# -- Configure the path to the container runtime control socket.
# socketPath: /path/to/runtime.sock
# crdWaitTimeout: ""
# -- Tail call hooks for custom eBPF programs.
customCalls:
# -- Enable tail call hooks for custom eBPF programs.
enabled: false
# -- Configure which datapath mode should be used for configuring container
# connectivity. Valid options are "veth" or "ipvlan".
datapathMode: veth
daemon:
# -- Configure where Cilium runtime state should be stored.
runPath: "/var/run/cilium"
# -- Specify which network interfaces can run the eBPF datapath. This means
# that a packet sent from a pod to a destination outside the cluster will be
# masqueraded (to an output device IPv4 address), if the output device runs the
# program. When not specified, probing will automatically detect devices.
# devices: ""
# -- Chains to ignore when installing feeder rules.
# disableIptablesFeederRules: ""
# -- Limit egress masquerading to interface selector.
# egressMasqueradeInterfaces: ""
# -- Whether to enable CNP status updates.
enableCnpStatusUpdates: false
# -- Configures the use of the KVStore to optimize Kubernetes event handling by
# mirroring it into the KVstore for reduced overhead in large clusters.
enableK8sEventHandover: false
# TODO: Add documentation
# enableIdentityMark: false
# enableK8sEndpointSlice: false
# -- Enables the fallback compatibility solution for when the xt_socket kernel
# module is missing and it is needed for the datapath L7 redirection to work
# properly. See documentation for details on when this can be disabled:
# http://docs.cilium.io/en/stable/install/system_requirements/#admin-kernel-version.
enableXTSocketFallback: true
encryption:
# -- Enable transparent network encryption.
enabled: false
# -- Encryption method. Can be either ipsec or wireguard.
type: ipsec
# -- Enable encryption for pure node to node traffic.
# This option is only effective when encryption.type is set to ipsec.
nodeEncryption: false
ipsec:
# -- Name of the key file inside the Kubernetes secret configured via secretName.
keyFile: ""
# -- Path to mount the secret inside the Cilium pod.
mountPath: ""
# -- Name of the Kubernetes secret containing the encryption keys.
secretName: ""
# -- The interface to use for encrypted traffic.
interface: ""
# -- Deprecated in favor of encryption.ipsec.keyFile.
# Name of the key file inside the Kubernetes secret configured via secretName.
# This option is only effective when encryption.type is set to ipsec.
keyFile: keys
# -- Deprecated in favor of encryption.ipsec.mountPath.
# Path to mount the secret inside the Cilium pod.
# This option is only effective when encryption.type is set to ipsec.
mountPath: /etc/ipsec
# -- Deprecated in favor of encryption.ipsec.secretName.
# Name of the Kubernetes secret containing the encryption keys.
# This option is only effective when encryption.type is set to ipsec.
secretName: cilium-ipsec-keys
# -- Deprecated in favor of encryption.ipsec.interface.
# The interface to use for encrypted traffic.
# This option is only effective when encryption.type is set to ipsec.
interface: ""
endpointHealthChecking:
# -- Enable connectivity health checking between virtual endpoints.
enabled: true
# -- Enable endpoint status.
# Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma.
endpointStatus:
enabled: false
status: ""
endpointRoutes:
# -- Enable use of per endpoint routes instead of routing via
# the cilium_host interface.
enabled: false
eni:
# -- Enable Elastic Network Interface (ENI) integration.
enabled: false
# -- Update ENI Adapter limits from the EC2 API
updateEC2AdapterLimitViaAPI: false
# -- Release IPs not used from the ENI
awsReleaseExcessIPs: false
# -- EC2 API endpoint to use
ec2APIEndpoint: ""
# -- Tags to apply to the newly created ENIs
eniTags: {}
# -- If using IAM Roles for Service Accounts, Cilium will not try to
# inject identity values from the cilium-aws Kubernetes secret.
# Adds an annotation to the service account if managed by Helm.
# See https://github.com/aws/amazon-eks-pod-identity-webhook
iamRole: ""
# -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs
subnetIDsFilter: ""
# -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs
subnetTagsFilter: ""
externalIPs:
# -- Enable ExternalIPs service support.
enabled: false
# fragmentTracking enables IPv4 fragment tracking support in the datapath.
# fragmentTracking: true
gke:
# -- Enable Google Kubernetes Engine integration
enabled: false
# -- Enable connectivity health checking.
healthChecking: true
# -- TCP port for the agent health API. This is not the port for cilium-health.
healthPort: 9876
# -- Enables the enforcement of host policies in the eBPF datapath.
hostFirewall: false
hostPort:
# -- Enable hostPort service support.
enabled: false
# -- Configure ClusterIP service handling in the host namespace (the node).
hostServices:
# -- Enable host reachable services.
enabled: false
# -- Supported list of protocols to apply ClusterIP translation to.
protocols: tcp,udp
# -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
# hostNamespaceOnly: false
# -- Configure certificate generation for Hubble integration.
# If hubble.tls.auto.method=cronJob, these values are used
# for the Kubernetes CronJob which will be scheduled regularly to
# (re)generate any certificates not provided manually.
certgen:
image:
repository: quay.io/cilium/certgen
tag: v0.1.5
pullPolicy: IfNotPresent
# -- Seconds after which the completed job pod will be deleted
ttlSecondsAfterFinished: 1800
# -- Labels to be added to hubble-certgen pods
podLabels: {}
hubble:
# -- Enable Hubble (true by default).
enabled: true
# -- Buffer size of the channel Hubble uses to receive monitor events. If this
# value is not set, the queue size is set to the default monitor queue size.
# eventQueueSize: ""
# -- Number of recent flows for Hubble to cache. Defaults to 4095.
# Possible values are:
# 1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,
# 2047, 4095, 8191, 16383, 32767, 65535
# eventBufferCapacity: "4095"
# -- Hubble metrics configuration.
# See https://docs.cilium.io/en/stable/configuration/metrics/#hubble-metrics
# for more comprehensive documentation about Hubble metrics.
metrics:
# -- Configures the list of metrics to collect. If empty or null, metrics
# are disabled.
# Example:
#
# enabled:
# - dns:query;ignoreAAAA
# - drop
# - tcp
# - flow
# - icmp
# - http
#
# You can specify the list of metrics from the helm CLI:
#
# --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
#
enabled: ~
# -- Configure the port the hubble metric server listens on.
port: 9091
serviceMonitor:
# -- Create ServiceMonitor resources for Prometheus Operator.
# This requires the prometheus CRDs to be available.
# ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
enabled: false
# -- Labels to add to ServiceMonitor hubble
labels: {}
# -- Unix domain socket path to listen to when Hubble is enabled.
socketPath: /var/run/cilium/hubble.sock
# -- An additional address for Hubble to listen to.
# Set this field to ":4244" if you are enabling Hubble Relay, as it assumes that
# Hubble is listening on port 4244.
listenAddress: ":4244"
# -- TLS configuration for Hubble
tls:
# -- Enable mutual TLS for listenAddress. Setting this value to false is
# highly discouraged as the Hubble API provides access to potentially
# sensitive network flow metadata and is exposed on the host network.
enabled: true
# -- Configure automatic TLS certificates generation.
auto:
# -- Auto-generate certificates.
# When set to true, automatically generate a CA and certificates to
# enable mTLS between Hubble server and Hubble Relay instances. If set to
# false, the certs for Hubble server need to be provided by setting
# appropriate values below.
enabled: true
# -- Set the method to auto-generate certificates. Supported values:
# - helm: This method uses Helm to generate all certificates.
# - cronJob: This method uses a Kubernetes CronJob to generate any
# certificates not provided by the user at installation
# time.
method: helm
# -- Generated certificates validity duration in days.
certValidityDuration: 1095
# -- Schedule for certificates regeneration (regardless of their expiration date).
# Only used if method is "cronJob". If nil, then no recurring job will be created.
# Instead, only the one-shot job is deployed to generate the certificates at
# installation time.
#
# Defaults to midnight of the first day of every fourth month. For syntax, see
# https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
schedule: "0 0 1 */4 *"
# -- base64 encoded PEM values for the Hubble CA certificate and private key.
ca:
cert: ""
# -- The CA private key (optional). If it is provided, then it will be
# used by hubble.tls.auto.method=cronJob to generate all other certificates.
# Otherwise, an ephemeral CA is generated if hubble.tls.auto.enabled=true.
key: ""
# -- base64 encoded PEM values for the Hubble server certificate and private key
server:
cert: ""
key: ""
relay:
# -- Enable Hubble Relay (requires hubble.enabled=true)
enabled: false
# -- Roll out Hubble Relay pods automatically when configmap is updated.
rollOutPods: false
# -- Hubble-relay container image.
image:
repository: quay.io/cilium/hubble-relay
tag: v1.10.7
# hubble-relay-digest
digest: "sha256:385fcc4fa315eb6b66626c3e5f607b6b6514c8c3a863c47c2b2dbc97790acb47"
useDigest: true
pullPolicy: IfNotPresent
# -- Specifies the resources for the hubble-relay pods
resources: {}
# -- Number of replicas run for the hubble-relay deployment.
replicas: 1
# -- Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# -- Annotations to be added to hubble-relay pods
podAnnotations: {}
# -- Labels to be added to hubble-relay pods
podLabels: {}
# -- Node tolerations for pod assignment on nodes with taints
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
#
tolerations: []
# -- hubble-relay update strategy
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
# -- Host to listen to. Specify an empty string to bind to all the interfaces.
listenHost: ""
# -- Port to listen to.
listenPort: "4245"
# -- TLS configuration for Hubble Relay
tls:
# -- base64 encoded PEM values for the hubble-relay client certificate and private key
# This keypair is presented to Hubble server instances for mTLS
# authentication and is required when hubble.tls.enabled is true.
# These values need to be set manually if hubble.tls.auto.enabled is false.
client:
cert: ""
key: ""
# -- base64 encoded PEM values for the hubble-relay server certificate and private key
server:
# When set to true, enable TLS for the Hubble Relay server
# (i.e. for clients connecting to the Hubble Relay API).
enabled: false
# These values need to be set manually if hubble.tls.auto.enabled is false.
cert: ""
key: ""
# -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
dialTimeout: ~
# -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
retryTimeout: ~
# -- Max number of flows that can be buffered for sorting before being sent to the
# client (per request) (e.g. 100).
sortBufferLenMax: ~
# -- When the per-request flows sort buffer is not full, a flow is drained every
# time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
sortBufferDrainTimeout: ~
# -- Port to use for the k8s service backed by hubble-relay pods.
# If not set, it is dynamically assigned to port 443 if TLS is enabled and to
# port 80 if not.
# servicePort: 80
ui:
# -- Whether to enable the Hubble UI.
enabled: false
# -- Roll out Hubble-ui pods automatically when configmap is updated.
rollOutPods: false
backend:
# -- Hubble-ui backend image.
image:
repository: quay.io/cilium/hubble-ui-backend
tag: v0.8.5@sha256:2bce50cf6c32719d072706f7ceccad654bfa907b2745a496da99610776fe31ed
pullPolicy: IfNotPresent
# [Example]
# resources:
# limits:
# cpu: 1000m
# memory: 1024M
# requests:
# cpu: 100m
# memory: 64Mi
# -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
resources: {}
frontend:
# -- Hubble-ui frontend image.
image:
repository: quay.io/cilium/hubble-ui
tag: v0.8.5@sha256:4eaca1ec1741043cfba6066a165b3bf251590cf4ac66371c4f63fbed2224ebb4
pullPolicy: IfNotPresent
# [Example]
# resources:
# limits:
# cpu: 1000m
# memory: 1024M
# requests:
# cpu: 100m
# memory: 64Mi
# -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
resources: {}
proxy:
# -- Hubble-ui ingress proxy image.
image:
repository: docker.io/envoyproxy/envoy
tag: v1.18.4@sha256:e5c2bb2870d0e59ce917a5100311813b4ede96ce4eb0c6bfa879e3fbe3e83935
pullPolicy: IfNotPresent
# [Example]
# resources:
# limits:
# cpu: 1000m
# memory: 1024M
# requests:
# cpu: 100m
# memory: 64Mi
# -- Resource requests and limits for the 'proxy' container of the 'hubble-ui' deployment.
resources: {}
# -- The number of replicas of Hubble UI to deploy.
replicas: 1
# -- Annotations to be added to hubble-ui pods
podAnnotations: {}
# -- Labels to be added to hubble-ui pods
podLabels: {}
# -- Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# -- Node tolerations for pod assignment on nodes with taints
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
#
tolerations: []
# -- hubble-ui update strategy.
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
securityContext:
# -- Whether to set the security context on the Hubble UI pods.
enabled: true
# -- hubble-ui ingress configuration.
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- chart-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# -- Method to use for identity allocation (`crd` or `kvstore`).
identityAllocationMode: "crd"
# TODO: Add documentation
# identityChangeGracePeriod: "5s"
# TODO: Add documentation
# identityGCInterval:
# TODO: Add documentation
# identityHeartbeatTimeout: ""
# -- Configure whether to install iptables rules to allow for TPROXY
# (L7 proxy injection), iptables-based masquerading and compatibility
# with kube-proxy.
installIptablesRules: true
# -- Install Iptables rules to skip netfilter connection tracking on all pod
# traffic. This option is only effective when Cilium is running in direct
# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
# is running in a managed Kubernetes environment or in a chained CNI setup.
installNoConntrackIptablesRules: false
ipam:
# -- Configure IP Address Management mode.
# ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
mode: "cluster-pool"
operator:
# -- IPv4 CIDR range to delegate to individual nodes for IPAM.
clusterPoolIPv4PodCIDR: "10.0.0.0/8"
# -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
clusterPoolIPv4MaskSize: 24
# -- IPv6 CIDR range to delegate to individual nodes for IPAM.
clusterPoolIPv6PodCIDR: "fd00::/104"
# -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
clusterPoolIPv6MaskSize: 120
# -- Configure the eBPF-based ip-masq-agent
ipMasqAgent:
enabled: false
# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
# iptablesLockTimeout: "5s"
ipv4:
# -- Enable IPv4 support.
enabled: true
ipv6:
# -- Enable IPv6 support.
enabled: false
ipvlan:
# -- Enable the IPVLAN datapath
enabled: false
# -- masterDevice is the name of the device to use to attach secondary IPVLAN
# devices
# masterDevice: eth0
# -- Configure Kubernetes specific configuration
k8s: {}
# -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
# range via the Kubernetes node resource
# requireIPv4PodCIDR: false
# -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
# range via the Kubernetes node resource
# requireIPv6PodCIDR: false
# -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
keepDeprecatedLabels: false
# -- Keep the deprecated probes when deploying Cilium DaemonSet
keepDeprecatedProbes: false
startupProbe:
# -- failure threshold of startup probe.
# 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
failureThreshold: 105
# -- interval between checks of the startup probe
periodSeconds: 2
livenessProbe:
# -- failure threshold of liveness probe
failureThreshold: 10
# -- interval between checks of the liveness probe
periodSeconds: 30
readinessProbe:
# -- failure threshold of readiness probe
failureThreshold: 3
# -- interval between checks of the readiness probe
periodSeconds: 30
# -- Configure the kube-proxy replacement in Cilium BPF datapath
# Valid options are "disabled", "probe", "partial", "strict".
# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
#kubeProxyReplacement: "disabled"
# -- healthz server bind address for the kube-proxy replacement.
# To enable, set the value to '0.0.0.0:10256' for all IPv4
# addresses or '[::]:10256' for all IPv6 addresses.
# By default it is disabled.
kubeProxyReplacementHealthzBindAddr: ""
l2NeighDiscovery:
# -- Enable L2 neighbour discovery in the agent
enabled: true
# -- Set period for arping
arping-refresh-period: "5m"
# -- Enable Layer 7 network policy.
l7Proxy: true
# -- Enable Local Redirect Policy.
localRedirectPolicy: false
# To include or exclude matched resources from cilium identity evaluation
# labels: ""
# logOptions allows you to define logging options. eg:
# logOptions:
# format: json
# -- Enables periodic logging of system load
logSystemLoad: false
# -- Configure maglev consistent hashing
maglev: {}
# -- tableSize is the size (parameter M) for the backend table of one
# service entry
# tableSize:
# -- hashSeed is the cluster-wide base64 encoded seed for the hashing
# hashSeed:
# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
enableIPv4Masquerade: true
# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
enableIPv6Masquerade: true
# -- Enables egress gateway (beta) to redirect and SNAT the traffic that
# leaves the cluster.
egressGateway:
enabled: false
# -- Specify the CIDR for native routing (ie to avoid IP masquerade for).
# This value corresponds to the configured cluster-cidr.
# nativeRoutingCIDR:
monitor:
# -- Enable the cilium-monitor sidecar.
enabled: false
# -- Configure service load balancing
# loadBalancer:
# -- standalone enables the standalone L4LB which does not connect to
# kube-apiserver.
# standalone: false
# -- algorithm is the name of the load balancing algorithm for backend
# selection e.g. random or maglev
# algorithm: random
# -- mode is the operation mode of load balancing for remote backends
# e.g. snat, dsr, hybrid
# mode: snat
# -- acceleration is the option to accelerate service handling via XDP
# e.g. native, disabled
# acceleration: disabled
# -- dsrDispatch configures whether IP option or IPIP encapsulation is
# used to pass a service IP and port to remote backend
# dsrDispatch: opt
# -- Configure N-S k8s service loadbalancing
nodePort:
# -- Enable the Cilium NodePort service implementation.
enabled: false
# -- Port range to use for NodePort services.
# range: "30000,32767"
# -- Set to true to prevent applications binding to service ports.
bindProtection: true
# -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
# ports is detected.
autoProtectPortRange: true
# -- Enable healthcheck nodePort server for NodePort services
enableHealthCheck: true
# policyAuditMode: false
# -- The agent can be put into one of the three policy enforcement modes:
# default, always and never.
# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes
policyEnforcementMode: "default"
pprof:
# -- Enable Go pprof debugging
enabled: false
# -- Configure prometheus metrics on the configured port at /metrics
prometheus:
enabled: false
port: 9090
serviceMonitor:
# -- Enable service monitors.
# This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
#
enabled: false
# -- Labels to add to ServiceMonitor cilium-agent
labels: {}
# -- Specify the Kubernetes namespace where Prometheus expects to find
# service monitors configured.
# namespace: ""
# -- Metrics that should be enabled or disabled from the default metric
# list. (+metric_foo to enable metric_foo , -metric_bar to disable
# metric_bar).
# ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics
metrics: ~
# -- Configure Istio proxy options.
proxy:
prometheus:
enabled: true
port: "9095"
# -- Regular expression matching compatible Istio sidecar istio-proxy
# container image names
sidecarImageRegex: "cilium/istio_proxy"
# -- Enable use of the remote node identity.
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
remoteNodeIdentity: true
# -- Enable resource quotas for priority classes used in the cluster.
resourceQuotas:
enabled: false
cilium:
hard:
# 5k nodes * 2 DaemonSets (Cilium and cilium node init)
pods: "10k"
operator:
hard:
# 15 "clusterwide" Cilium Operator pods for HA
pods: "15"
# Need to document default
##################
#sessionAffinity: false
# -- Do not run the Cilium agent when running in clean mode. Useful to completely
# uninstall Cilium, as it stops Cilium from starting and from creating artifacts
# on the node.
sleepAfterInit: false
# -- Configure BPF socket operations configuration
sockops:
  # enabled enables installation of socket options acceleration.
  enabled: false
# TODO: Add documentation, default value
# svcSourceRangeCheck:
# synchronizeK8sNodes: true
# -- Configure TLS configuration in the agent.
tls:
  enabled: true
  # NOTE(review): `secretsBackend` selects where the agent reads TLS secrets
  # from; `local` is the only value shown in this file — check the chart docs for
  # the alternatives before changing it.
  secretsBackend: local
# NOTE(review): "disabled" turns off encapsulation, which presumes native
# routing between nodes is configured elsewhere in these values — confirm
# before switching.
# -- Configure the encapsulation configuration for communication between nodes.
# Possible values:
#   - disabled
#   - vxlan (default)
#   - geneve
tunnel: "vxlan"
wellKnownIdentities:
  # -- Enable the use of well-known identities.
  enabled: false
etcd:
  # -- Enable etcd mode for the agent.
  enabled: false
  # -- cilium-etcd-operator image.
  image:
    repository: quay.io/cilium/cilium-etcd-operator
    tag: v2.0.7
    pullPolicy: IfNotPresent
  # -- cilium-etcd-operator priorityClassName
  priorityClassName: ""
  # -- Additional cilium-etcd-operator container arguments.
  extraArgs: []
  # -- Additional InitContainers to initialize the pod.
  extraInitContainers: []
  # -- Additional cilium-etcd-operator hostPath mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/cilium-etcd-operator
    #   readOnly: true
    #   mountPropagation: HostToContainer
  # -- Additional cilium-etcd-operator ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true
  # A toleration with `operator: Exists` and no key matches every taint, so this
  # pod may be scheduled on any node, including control-plane nodes.
  # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  tolerations:
    - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  # -- Node labels for cilium-etcd-operator pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  nodeSelector: {}
  # -- Annotations to be added to cilium-etcd-operator pods
  podAnnotations: {}
  # -- Labels to be added to cilium-etcd-operator pods
  podLabels: {}
  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2
  # -- cilium-etcd-operator resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 4000m
    #   memory: 4Gi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi
  # NOTE(review): the commented example below runs the container as root
  # (UID 0); prefer a non-zero `runAsUser` unless the component needs root.
  # -- Security context to be added to cilium-etcd-operator pods
  #
  securityContext: {}
    # runAsUser: 0
  # -- cilium-etcd-operator update strategy
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  # -- If etcd is behind a k8s service set this option to true so that Cilium
  # does the service translation automatically without requiring a DNS to be
  # running.
  k8sService: false
  # -- Cluster domain for cilium-etcd-operator.
  clusterDomain: cluster.local
  # -- List of etcd endpoints (not needed when using managed=true).
  endpoints:
    - https://CHANGE-ME:2379
  # NOTE(review): the placeholder endpoint above is an https:// URL while `ssl`
  # is false. For an unmanaged etcd reachable over TLS, set `ssl: true` and
  # confirm how the client TLS material is supplied elsewhere in the chart.
  # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if
  # managed=true)
  ssl: false
operator:
  # -- Enable the cilium-operator component (required).
  enabled: true
  # -- Roll out cilium-operator pods automatically when configmap is updated.
  rollOutPods: false
  # -- cilium-operator image.
  image:
    repository: quay.io/cilium/operator
    tag: v1.10.7
    # One digest per operator flavour (generic/azure/aws/alibabacloud).
    # NOTE(review): with `useDigest: true` the templates are expected to pin the
    # image by the flavour's digest rather than by `tag` — confirm in the
    # deployment template when bumping versions, and update all four together.
    # operator-generic-digest
    genericDigest: "sha256:d0b491d8d8cb45862ed7f0410f65e7c141832f0f95262643fa5ff1edfcddcafe"
    # operator-azure-digest
    azureDigest: "sha256:556d692b2f08822101c159d9d6f731efe6c437d2b80f0ef96813e8745203c852"
    # operator-aws-digest
    awsDigest: "sha256:97b378e0e3b6b5ade6ae1706024c7a25fe6fc48e00102b65a6b7ac51d6327f40"
    # operator-alibabacloud-digest
    alibabacloudDigest: "sha256:7a6ccc99195ae6a8216d2a1e1e0cc05d49c2d263b194895da264899fe9d0f45a"
    useDigest: true
    pullPolicy: IfNotPresent
    suffix: ""
  # -- Number of replicas to run for the cilium-operator deployment
  replicas: 2
  # -- For using with an existing serviceAccount.
  serviceAccountName: cilium-operator
  # -- cilium-operator priorityClassName
  priorityClassName: ""
  # -- cilium-operator update strategy
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  # Hard anti-affinity: no two operator replicas on the same node (hostname).
  # -- cilium-operator affinity
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: io.cilium/app
                operator: In
                values:
                  - operator
          topologyKey: kubernetes.io/hostname
  # -- Additional cilium-operator container arguments.
  extraArgs: []
  # -- Additional cilium-operator environment variables.
  extraEnv: {}
  # -- Additional InitContainers to initialize the pod.
  extraInitContainers: []
  # -- Additional cilium-operator hostPath mounts.
  extraHostPathMounts: []
    # - name: host-mnt-data
    #   mountPath: /host/mnt/data
    #   hostPath: /mnt/data
    #   hostPathType: Directory
    #   readOnly: true
    #   mountPropagation: HostToContainer
  # -- Additional cilium-operator ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true
  # A toleration with `operator: Exists` and no key matches every taint, so this
  # pod may be scheduled on any node, including control-plane nodes.
  # -- Node tolerations for cilium-operator scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  tolerations:
    - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  # -- Node labels for cilium-operator pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  # -- Annotations to be added to cilium-operator pods
  podAnnotations: {}
  # -- Labels to be added to cilium-operator pods
  podLabels: {}
  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1
  # -- cilium-operator resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 1000m
    #   memory: 1Gi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  # NOTE(review): the commented example below runs the container as root
  # (UID 0); prefer a non-zero `runAsUser` unless the component needs root.
  # -- Security context to be added to cilium-operator pods
  #
  securityContext: {}
    # runAsUser: 0
  # Durations are Go-style strings and are quoted so YAML does not reinterpret them.
  # -- Interval for endpoint garbage collection.
  endpointGCInterval: "5m0s"
  # -- Interval for identity garbage collection.
  identityGCInterval: "15m0s"
  # -- Timeout for identity heartbeats.
  identityHeartbeatTimeout: "30m0s"
  # -- Enable prometheus metrics for cilium-operator on the configured port at
  # /metrics
  prometheus:
    enabled: false
    port: 6942
    serviceMonitor:
      # -- Enable service monitors.
      # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      ##
      enabled: false
      # -- Labels to add to ServiceMonitor cilium-operator
      labels: {}
  # -- Skip CRDs creation for cilium-operator
  skipCRDCreation: false
nodeinit:
  # -- Enable the node initialization DaemonSet
  enabled: false
  # -- node-init image.
  image:
    repository: quay.io/cilium/startup-script
    # The tag is a git commit hash. NOTE(review): unlike the operator and
    # preflight images in this file, there is no `digest`/`useDigest` pair here,
    # so this image is pinned by mutable tag only. The hash contains letters and
    # parses as a string; an all-digit hash would need quoting.
    tag: 62bfbe88c17778aad7bef9fa57ff9e2d4a9ba0d8
    pullPolicy: IfNotPresent
  # -- The priority class to use for the nodeinit pod.
  priorityClassName: ""
  # -- node-init update strategy
  updateStrategy:
    type: RollingUpdate
  # -- Additional nodeinit environment variables.
  extraEnv: {}
  # -- Additional nodeinit init containers.
  extraInitContainers: []
  # -- Additional nodeinit host path mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/nodeinit
    #   readOnly: true
    #   mountPropagation: HostToContainer
  # -- Additional nodeinit ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true
  # A toleration with `operator: Exists` and no key matches every taint, so the
  # DaemonSet lands on every node, including control-plane nodes.
  # -- Node tolerations for nodeinit scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  #
  tolerations:
    - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  # -- Node labels for nodeinit pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  # -- Annotations to be added to node-init pods.
  podAnnotations: {}
  # -- Labels to be added to node-init pods.
  podLabels: {}
  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2
  # Requests only; no limits are set by default.
  # -- nodeinit resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources:
    requests:
      cpu: 100m
      memory: 100Mi
  # NOTE(review): the commented example below runs the container as root
  # (UID 0); prefer a non-zero `runAsUser` unless the component needs root.
  # -- Security context to be added to nodeinit pods.
  #
  securityContext: {}
    # runAsUser: 0
  # -- bootstrapFile is the location of the file where the bootstrap timestamp is
  # written by the node-init DaemonSet
  bootstrapFile: "/tmp/cilium-bootstrap-time"
preflight:
  # -- Enable Cilium pre-flight resources (required for upgrade)
  enabled: false
  # -- Cilium pre-flight image.
  image:
    repository: quay.io/cilium/cilium
    tag: v1.10.7
    # NOTE(review): with `useDigest: true` the image is expected to be pinned
    # by this digest rather than by `tag`; update both together on a version bump.
    # cilium-digest
    digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
    useDigest: true
    pullPolicy: IfNotPresent
  # -- The priority class to use for the preflight pod.
  priorityClassName: ""
  # -- preflight update strategy
  updateStrategy:
    type: RollingUpdate
  # -- Additional preflight environment variables.
  extraEnv: {}
  # -- Additional preflight init containers.
  extraInitContainers: []
  # -- Additional preflight host path mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/preflight
    #   readOnly: true
    #   mountPropagation: HostToContainer
  # -- Additional preflight ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true
  # Unlike the other components in this file, preflight tolerates a fixed set
  # of taints rather than all of them. Toleration `value`s must be strings,
  # hence the quoted "true".
  # -- Node tolerations for preflight scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  #
  tolerations:
    - effect: NoSchedule
      key: node.kubernetes.io/not-ready
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      key: node.cloudprovider.kubernetes.io/uninitialized
      value: "true"
    - key: CriticalAddonsOnly
      operator: "Exists"
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
  # -- Node labels for preflight pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  # -- Annotations to be added to preflight pods
  podAnnotations: {}
  # -- Labels to be added to the preflight pod.
  podLabels: {}
  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2
  # -- preflight resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 4000m
    #   memory: 4Gi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi
  # NOTE(review): the commented example below runs the container as root
  # (UID 0); prefer a non-zero `runAsUser` unless the component needs root.
  # -- Security context to be added to preflight pods
  #
  securityContext: {}
    # runAsUser: 0
  # -- Path to write the `--tofqdns-pre-cache` file to.
  tofqdnsPreCache: ""
  # -- By default we should always validate the installed CNPs before upgrading
  # Cilium. This will make sure the user will have the policies deployed in the
  # cluster with the right schema.
  validateCNPs: true
# -- Explicitly enable or disable priority class.
# .Capabilities.KubeVersion is unsettable in `helm template` calls,
# it depends on k8s libraries version that Helm was compiled against.
# This option allows explicitly disabling the priority class, which
# is useful for rendering charts for gke clusters in advance.
enableCriticalPriorityClass: true
# disableEnvoyVersionCheck removes the check for Envoy, which can be useful
# on AArch64 as the images do not currently ship a version of Envoy.
#disableEnvoyVersionCheck: false
clustermesh:
  # -- Deploy clustermesh-apiserver for clustermesh
  useAPIServer: false
  apiserver:
    # -- Clustermesh API server image.
    image:
      repository: quay.io/cilium/clustermesh-apiserver
      tag: v1.10.7
      # NOTE(review): with `useDigest: true` the image is expected to be pinned
      # by this digest rather than by `tag`; update both together on a version bump.
      # clustermesh-apiserver-digest
      digest: "sha256:9afb0a15afffdf84812c8174df9de86e35239fb87a6ffd9539877a9e643d8132"
      useDigest: true
      pullPolicy: IfNotPresent
    etcd:
      # NOTE(review): pinned by tag only — no digest is configured for the
      # bundled etcd image, unlike the apiserver image above.
      # -- Clustermesh API server etcd image.
      image:
        repository: quay.io/coreos/etcd
        tag: v3.4.13
        pullPolicy: IfNotPresent
    service:
      # NOTE(review): a NodePort service exposes the apiserver on the configured
      # port of every node's address; access is protected by the mTLS material
      # under `tls` below, so keep that enabled and restrict reachability
      # (network policy / firewall) to the peer clusters that need it.
      # -- The type of service used for apiserver access.
      type: NodePort
      # -- Optional port to use as the node port for apiserver access.
      nodePort: 32379
      # -- Optional loadBalancer IP address to use with type LoadBalancer.
      # loadBalancerIP:
      # -- Annotations for the clustermesh-apiserver
      # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
      # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      annotations: {}
    # -- Number of replicas run for the clustermesh-apiserver deployment.
    replicas: 1
    # -- Node labels for pod assignment
    # ref: https://kubernetes.io/docs/user-guide/node-selection/
    nodeSelector: {}
    # -- Annotations to be added to clustermesh-apiserver pods
    podAnnotations: {}
    # -- Labels to be added to clustermesh-apiserver pods
    podLabels: {}
    # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as
    #     resources:
    #       limits:
    #         cpu: 1000m
    #         memory: 1024M
    #       requests:
    #         cpu: 100m
    #         memory: 64Mi
    resources: {}
    # -- Node tolerations for pod assignment on nodes with taints
    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    tolerations: []
    # -- clustermesh-apiserver update strategy
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate
    tls:
      # -- Configure automatic TLS certificates generation.
      # A Kubernetes CronJob is used to generate any
      # certificates not provided by the user at installation
      # time.
      auto:
        # -- When set to true, automatically generate a CA and certificates to
        # enable mTLS between clustermesh-apiserver and external workload instances.
        # If set to false, the certs must be provided by setting appropriate values below.
        enabled: true
        # Sets the method to auto-generate certificates. Supported values:
        # - helm:         This method uses Helm to generate all certificates.
        # - cronJob:      This method uses a Kubernetes CronJob to generate any
        #                 certificates not provided by the user at installation
        #                 time.
        method: helm
        # 1095 days is roughly three years; shorten it if the deployment's
        # certificate-rotation policy requires a tighter lifetime.
        # -- Generated certificates validity duration in days.
        certValidityDuration: 1095
        # -- Schedule for certificates regeneration (regardless of their expiration date).
        # Only used if method is "cronJob". If nil, then no recurring job will be created.
        # Instead, only the one-shot job is deployed to generate the certificates at
        # installation time.
        #
        # Due to the out-of-band distribution of client certs to external workloads the
        # CA is (re)generated only if it is not provided as a helm value and the k8s
        # secret is manually deleted.
        #
        # Defaults to none. Commented syntax gives midnight of the first day of every
        # fourth month. For syntax, see
        # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
        # schedule: "0 0 1 */4 *"
      # NOTE(review): private keys placed in the `key` fields below become part
      # of the release's stored values; supply them from a separate, uncommitted
      # values file or a secret store rather than in a checked-in values.yaml.
      # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
      ca:
        # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to
        # generate all other certificates. Otherwise, an ephemeral CA is generated.
        cert: ""
        # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to
        # generate all other certificates. Otherwise, an ephemeral CA is generated.
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.
      # Used if 'auto' is not enabled.
      server:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.
      # Used if 'auto' is not enabled.
      admin:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key.
      # Used if 'auto' is not enabled.
      client:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.
      # Used if 'auto' is not enabled.
      remote:
        cert: ""
        key: ""
# -- Configure external workloads support
externalWorkloads:
  # -- Enable support for external workloads, such as VMs (false by default).
  enabled: false
# -- Configure cgroup related configuration
cgroup:
autoMount:
# -- Enable auto mount of cgroup2 filesystem.
# When `autoMount` is enabled, cgroup2 filesystem is mounted at
# `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
# If users disable `autoMount`, it's expected that users have mounted
# cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
# volume will be mounted inside the cilium agent pod at the same path.
enabled: true
# -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
hostRoot: /run/cilium/cgroupv2