diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index d98c9031e7703..5944c00772497 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -3427,6 +3427,31 @@ spec: description: 'BPFCTGlobalTCPMax is the maximum number of entries in the TCP CT table. Default: 524288' type: integer + bpfLBAlgorithm: + description: 'BPFLBAlgorithm is the load balancing algorithm + ("random", "maglev"). Default: random' + type: string + bpfLBMaglevTableSize: + description: 'BPFLBMaglevTableSize is the per service backend + table size when going with Maglev (parameter M). Default: + 16381' + type: string + bpfLBMapMax: + description: 'BPFLBMapMax is the maximum number of entries + in bpf lb service, backend and affinity maps. Default: 65536' + type: integer + bpfNATGlobalMax: + description: 'BPFNATGlobalMax is the the maximum number of + entries in the BPF NAT table. Default: 524288' + type: integer + bpfNeighGlobalMax: + description: 'BPFNeighGlobalMax is the the maximum number + of entries in the BPF Neighbor table. Default: 524288' + type: integer + bpfPolicyMapMax: + description: 'BPFPolicyMapMax is the maximum number of entries + in endpoint policy map. Default: 16384' + type: integer bpfRoot: description: BPFRoot is not implemented and may be removed in the future. Setting this has no effect. @@ -3484,6 +3509,10 @@ spec: description: DisableConntrack is not implemented and may be removed in the future. Setting this has no effect. type: boolean + disableEndpointCRD: + description: 'DisableEndpointCRD disables usage of CiliumEndpoint + CRD. Default: false' + type: boolean disableIpv4: description: 'DisableIpv4 is deprecated: Use EnableIpv4 instead. Setting this flag has no effect.' 
@@ -3500,6 +3529,10 @@ spec: description: 'EnableEncryption enables Cilium Encryption. Default: false' type: boolean + enableEndpointHealthChecking: + description: 'EnableEndpointHealthChecking enables connectivity + health checking between virtual endpoints. Default: true' + type: boolean enableHostReachableServices: description: 'EnableHostReachableServices configures Cilium to enable services to be reached from the host namespace @@ -3553,8 +3586,8 @@ spec: agent. properties: enabled: - description: Enabled specifies whether Hubble is enabled - on the agent. + description: Enabled decides if Hubble is enabled on the + agent or not type: boolean metrics: description: Metrics is a list of metrics to collect. @@ -3563,6 +3596,14 @@ spec: type: string type: array type: object + identityAllocationMode: + description: 'IdentityAllocationMode specifies in which backend + identities are stored ("crd", "kvstore"). Default: crd' + type: string + identityChangeGracePeriod: + description: 'IdentityChangeGracePeriod specifies the duration + to wait before using a changed identity. Default: 5s' + type: string ipam: description: Ipam specifies the IP address allocation mode to use. Possible values are "crd" and "eni". "eni" will @@ -3570,7 +3611,8 @@ spec: to be set to false. "crd" will use CRDs for controlling IP address management. "hostscope" will use hostscope IPAM mode. "kubernetes" will use addersing based on node pod - CIDR. Empty value will use host-scope address management. + CIDR. Empty value will use hostscope for cilum <= 1.7 and + "kubernetes" otherwise. type: string ipv4ClusterCidrMaskSize: description: Ipv4ClusterCIDRMaskSize is not implemented and @@ -3760,7 +3802,7 @@ spec: classic: description: ClassicNetworkingSpec is the specification of classic networking mode, integrated into kubernetes. Support been removed - since kubernetes 1.4. + since Kubernetes 1.4. type: object cni: description: CNINetworkingSpec is the specification for networking 
@@ -3811,7 +3853,7 @@ spec: type: object lyftvpc: description: LyftVPCNetworkingSpec declares that we want to use - the cni-ipvlan-vpc-k8s CNI networking + the cni-ipvlan-vpc-k8s CNI networking. properties: subnetTags: additionalProperties: diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 091aabd3a42b1..1f10b24a55850 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -256,7 +256,9 @@ type AmazonVPCNetworkingSpec struct { Env []EnvVar `json:"env,omitempty"` } -const CiliumIpamEni = "eni" +type CiliumIpam string + +const CiliumIpamEni CiliumIpam = "eni" // CiliumNetworkingSpec declares that we want Cilium networking type CiliumNetworkingSpec struct { @@ -303,6 +305,9 @@ type CiliumNetworkingSpec struct { // DisableConntrack is not implemented and may be removed in the future. // Setting this has no effect. DisableConntrack bool `json:"disableConntrack,omitempty"` + // DisableEndpointCRD disables usage of CiliumEndpoint CRD. + // Default: false + DisableEndpointCRD bool `json:"disableEndpointCRD,omitempty"` // DisableIpv4 is deprecated: Use EnableIpv4 instead. // Setting this flag has no effect. DisableIpv4 bool `json:"disableIpv4,omitempty"` @@ -315,6 +320,9 @@ type CiliumNetworkingSpec struct { // "never": Cilium allows all traffic regardless of policies in place. // If unspecified, "default" policy mode will be used. EnablePolicy string `json:"enablePolicy,omitempty"` + // EnableEndpointHealthChecking enables connectivity health checking between virtual endpoints. + // Default: true + EnableEndpointHealthChecking *bool `json:"enableEndpointHealthChecking,omitempty"` // EnableTracing is not implemented and may be removed in the future. // Setting this has no effect. EnableTracing bool `json:"enableTracing,omitempty"` 
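Review bot: `CiliumIpamEni` becomes a typed constant of the new `CiliumIpam` type, but the `Ipam` field of `CiliumNetworkingSpec` stays a plain `string` (visible in the v1alpha2 hunk at -463,7 +497,7), so an existing comparison such as `c.Ipam == kops.CiliumIpamEni` no longer compiles because of mismatched types unless callers outside this diff were updated in the same change. Either type the field as `Ipam CiliumIpam` and adjust the generated conversion functions, or keep the constant untyped with `const CiliumIpamEni = "eni"` until the field is migrated. The v1alpha2 hunk at -256,6 +256,10 introduces the same typed constant and has the same issue. The `CiliumNetworkingSpec` struct opened at the end of this hunk continues outside it.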
@@ -326,6 +334,12 @@ type CiliumNetworkingSpec struct { // EnvoyLog is not implemented and may be removed in the future. // Setting this has no effect. EnvoyLog string `json:"envoyLog,omitempty"` + // IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore"). + // Default: crd + IdentityAllocationMode string `json:"identityAllocationMode,omitempty"` + // IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. + // Default: 5s + IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"` // Ipv4ClusterCIDRMaskSize is not implemented and may be removed in the future. // Setting this has no effect. Ipv4ClusterCIDRMaskSize int `json:"ipv4ClusterCidrMaskSize,omitempty"` 
@@ -436,6 +450,24 @@ type CiliumNetworkingSpec struct { // BPFCTGlobalAnyMax is the maximum number of entries in the non-TCP CT table. // Default: 262144 BPFCTGlobalAnyMax int `json:"bpfCTGlobalAnyMax,omitempty"` + // BPFLBAlgorithm is the load balancing algorithm ("random", "maglev"). + // Default: random + BPFLBAlgorithm string `json:"bpfLBAlgorithm,omitempty"` + // BPFLBMaglevTableSize is the per service backend table size when going with Maglev (parameter M). + // Default: 16381 + BPFLBMaglevTableSize string `json:"bpfLBMaglevTableSize,omitempty"` + // BPFNATGlobalMax is the the maximum number of entries in the BPF NAT table. + // Default: 524288 + BPFNATGlobalMax int `json:"bpfNATGlobalMax,omitempty"` + // BPFNeighGlobalMax is the the maximum number of entries in the BPF Neighbor table. + // Default: 524288 + BPFNeighGlobalMax int `json:"bpfNeighGlobalMax,omitempty"` + // BPFPolicyMapMax is the maximum number of entries in endpoint policy map. + // Default: 16384 + BPFPolicyMapMax int `json:"bpfPolicyMapMax,omitempty"` + // BPFLBMapMax is the maximum number of entries in bpf lb service, backend and affinity maps. + // Default: 65536 + BPFLBMapMax int `json:"bpfLBMapMax,omitempty"` // PreallocateBPFMaps reduces the per-packet latency at the expense of up-front memory allocation. // Default: true PreallocateBPFMaps bool `json:"preallocateBPFMaps,omitempty"` diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index 29e61d76d22bb..a7a64b1f231ed 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go @@ -38,7 +38,7 @@ type NetworkingSpec struct { } // ClassicNetworkingSpec is the specification of classic networking mode, integrated into kubernetes. -// Support been removed since kubernetes 1.4. +// Support been removed since Kubernetes 1.4. type ClassicNetworkingSpec struct { } 
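Review bot: `BPFLBMaglevTableSize` is declared as `string` while every sibling map-size field added in this hunk (`BPFNATGlobalMax`, `BPFNeighGlobalMax`, `BPFPolicyMapMax`, `BPFLBMapMax`) is an `int`, so a non-numeric value is accepted by the API and only fails once the Cilium agent reads `bpf-lb-maglev-table-size` from its ConfigMap. Since the field is new in this commit, declaring it `BPFLBMaglevTableSize int` with the same json tag keeps the API consistent (the default in cilium.go and the conversion code would change to match); if it must stay a string, validation.go should at least check it parses as a positive integer. The doc comments for `BPFNATGlobalMax` and `BPFNeighGlobalMax` read "is the the maximum"; `// BPFNATGlobalMax is the maximum number of entries in the BPF NAT table.` (and likewise for the neighbor table) fixes the text that is copied into the generated CRD descriptions. The v1alpha2 hunk at -434,6 +450,24 duplicates both points. The struct continues outside the hunk.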
@@ -256,6 +256,10 @@ type AmazonVPCNetworkingSpec struct { Env []EnvVar `json:"env,omitempty"` } +type CiliumIpam string + +const CiliumIpamEni CiliumIpam = "eni" + // CiliumNetworkingSpec declares that we want Cilium networking type CiliumNetworkingSpec struct { // Version is the version of the Cilium agent and the Cilium Operator. @@ -301,6 +305,9 @@ type CiliumNetworkingSpec struct { // DisableConntrack is not implemented and may be removed in the future. // Setting this has no effect. DisableConntrack bool `json:"disableConntrack,omitempty"` + // DisableEndpointCRD disables usage of CiliumEndpoint CRD. + // Default: false + DisableEndpointCRD bool `json:"disableEndpointCRD,omitempty"` // DisableIpv4 is deprecated: Use EnableIpv4 instead. // Setting this flag has no effect. DisableIpv4 bool `json:"disableIpv4,omitempty"` @@ -313,6 +320,9 @@ type CiliumNetworkingSpec struct { // "never": Cilium allows all traffic regardless of policies in place. // If unspecified, "default" policy mode will be used. EnablePolicy string `json:"enablePolicy,omitempty"` + // EnableEndpointHealthChecking enables connectivity health checking between virtual endpoints. + // Default: true + EnableEndpointHealthChecking *bool `json:"enableEndpointHealthChecking,omitempty"` // EnableTracing is not implemented and may be removed in the future. // Setting this has no effect. EnableTracing bool `json:"enableTracing,omitempty"` 
@@ -324,6 +334,12 @@ type CiliumNetworkingSpec struct { // EnvoyLog is not implemented and may be removed in the future. // Setting this has no effect. EnvoyLog string `json:"envoyLog,omitempty"` + // IdentityAllocationMode specifies in which backend identities are stored ("crd", "kvstore"). + // Default: crd + IdentityAllocationMode string `json:"identityAllocationMode,omitempty"` + // IdentityChangeGracePeriod specifies the duration to wait before using a changed identity. + // Default: 5s + IdentityChangeGracePeriod string `json:"identityChangeGracePeriod,omitempty"` // Ipv4ClusterCIDRMaskSize is not implemented and may be removed in the future. // Setting this has no effect. Ipv4ClusterCIDRMaskSize int `json:"ipv4ClusterCidrMaskSize,omitempty"` 
@@ -434,6 +450,24 @@ type CiliumNetworkingSpec struct { // BPFCTGlobalAnyMax is the maximum number of entries in the non-TCP CT table. // Default: 262144 BPFCTGlobalAnyMax int `json:"bpfCTGlobalAnyMax,omitempty"` + // BPFLBAlgorithm is the load balancing algorithm ("random", "maglev"). + // Default: random + BPFLBAlgorithm string `json:"bpfLBAlgorithm,omitempty"` + // BPFLBMaglevTableSize is the per service backend table size when going with Maglev (parameter M). + // Default: 16381 + BPFLBMaglevTableSize string `json:"bpfLBMaglevTableSize,omitempty"` + // BPFNATGlobalMax is the the maximum number of entries in the BPF NAT table. + // Default: 524288 + BPFNATGlobalMax int `json:"bpfNATGlobalMax,omitempty"` + // BPFNeighGlobalMax is the the maximum number of entries in the BPF Neighbor table. + // Default: 524288 + BPFNeighGlobalMax int `json:"bpfNeighGlobalMax,omitempty"` + // BPFPolicyMapMax is the maximum number of entries in endpoint policy map. + // Default: 16384 + BPFPolicyMapMax int `json:"bpfPolicyMapMax,omitempty"` + // BPFLBMapMax is the maximum number of entries in bpf lb service, backend and affinity maps. + // Default: 65536 + BPFLBMapMax int `json:"bpfLBMapMax,omitempty"` // PreallocateBPFMaps reduces the per-packet latency at the expense of up-front memory allocation. // Default: true PreallocateBPFMaps bool `json:"preallocateBPFMaps,omitempty"` @@ -463,7 +497,7 @@ type CiliumNetworkingSpec struct { // "crd" will use CRDs for controlling IP address management. // "hostscope" will use hostscope IPAM mode. // "kubernetes" will use addersing based on node pod CIDR. - // Empty value will use host-scope address management. + // Empty value will use hostscope for cilum <= 1.7 and "kubernetes" otherwise. Ipam string `json:"ipam,omitempty"` // IPTablesRulesNoinstall disables installing the base IPTables rules used for masquerading and kube-proxy. // Default: false 
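Review bot: The reworded `Ipam` doc comment spells the project name "cilum", and the same text is carried into the generated CRD description (kops.k8s.io_clusters.yaml hunk -3570,7 +3611,8); suggest `// Empty value will use "hostscope" for Cilium <= 1.7 and "kubernetes" otherwise.`. The version-dependent default the comment now promises is not visible in the cilium.go hunk included in this diff, so it is worth confirming the defaulting code actually behaves that way before the sentence becomes API documentation. The struct continues outside the hunk.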
@@ -509,7 +543,7 @@ type CiliumNetworkingSpec struct { // HubbleSpec configures the Hubble service on the Cilium agent. type HubbleSpec struct { - // Enabled specifies whether Hubble is enabled on the agent. + // Enabled decides if Hubble is enabled on the agent or not Enabled *bool `json:"enabled,omitempty"` // Metrics is a list of metrics to collect. If empty or null, metrics are disabled. @@ -517,7 +551,7 @@ type HubbleSpec struct { Metrics []string `json:"metrics,omitempty"` } -// LyftVPCNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking +// LyftVPCNetworkingSpec declares that we want to use the cni-ipvlan-vpc-k8s CNI networking. type LyftVPCNetworkingSpec struct { SubnetTags map[string]string `json:"subnetTags,omitempty"` } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 60c526f31a526..719fab2db8843 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -1742,13 +1742,17 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in * out.DebugVerbose = in.DebugVerbose out.Device = in.Device out.DisableConntrack = in.DisableConntrack + out.DisableEndpointCRD = in.DisableEndpointCRD out.DisableIpv4 = in.DisableIpv4 out.DisableK8sServices = in.DisableK8sServices out.EnablePolicy = in.EnablePolicy + out.EnableEndpointHealthChecking = in.EnableEndpointHealthChecking out.EnableTracing = in.EnableTracing out.EnablePrometheusMetrics = in.EnablePrometheusMetrics out.EnableEncryption = in.EnableEncryption out.EnvoyLog = in.EnvoyLog + out.IdentityAllocationMode = in.IdentityAllocationMode + out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod out.Ipv4ClusterCIDRMaskSize = in.Ipv4ClusterCIDRMaskSize out.Ipv4Node = in.Ipv4Node out.Ipv4Range = in.Ipv4Range 
@@ -1786,6 +1790,12 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 out.MonitorAggregation = in.MonitorAggregation
 out.BPFCTGlobalTCPMax = in.BPFCTGlobalTCPMax
 out.BPFCTGlobalAnyMax = in.BPFCTGlobalAnyMax
+ out.BPFLBAlgorithm = in.BPFLBAlgorithm
+ out.BPFLBMaglevTableSize = in.BPFLBMaglevTableSize
+ out.BPFNATGlobalMax = in.BPFNATGlobalMax
+ out.BPFNeighGlobalMax = in.BPFNeighGlobalMax
+ out.BPFPolicyMapMax = in.BPFPolicyMapMax
+ out.BPFLBMapMax = in.BPFLBMapMax
 out.PreallocateBPFMaps = in.PreallocateBPFMaps
 out.SidecarIstioProxyImage = in.SidecarIstioProxyImage
 out.ClusterName = in.ClusterName
@@ -1837,13 +1847,17 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 out.DebugVerbose = in.DebugVerbose
 out.Device = in.Device
 out.DisableConntrack = in.DisableConntrack
+ out.DisableEndpointCRD = in.DisableEndpointCRD
 out.DisableIpv4 = in.DisableIpv4
 out.DisableK8sServices = in.DisableK8sServices
 out.EnablePolicy = in.EnablePolicy
+ out.EnableEndpointHealthChecking = in.EnableEndpointHealthChecking
 out.EnableTracing = in.EnableTracing
 out.EnablePrometheusMetrics = in.EnablePrometheusMetrics
 out.EnableEncryption = in.EnableEncryption
 out.EnvoyLog = in.EnvoyLog
+ out.IdentityAllocationMode = in.IdentityAllocationMode
+ out.IdentityChangeGracePeriod = in.IdentityChangeGracePeriod
 out.Ipv4ClusterCIDRMaskSize = in.Ipv4ClusterCIDRMaskSize
 out.Ipv4Node = in.Ipv4Node
 out.Ipv4Range = in.Ipv4Range
@@ -1881,6 +1895,12 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 out.MonitorAggregation = in.MonitorAggregation
 out.BPFCTGlobalTCPMax = in.BPFCTGlobalTCPMax
 out.BPFCTGlobalAnyMax = in.BPFCTGlobalAnyMax
+ out.BPFLBAlgorithm = in.BPFLBAlgorithm
+ out.BPFLBMaglevTableSize = in.BPFLBMaglevTableSize
+ out.BPFNATGlobalMax = in.BPFNATGlobalMax
+ out.BPFNeighGlobalMax = in.BPFNeighGlobalMax
+ out.BPFPolicyMapMax = in.BPFPolicyMapMax
+ out.BPFLBMapMax = in.BPFLBMapMax
 out.PreallocateBPFMaps = in.PreallocateBPFMaps
 out.SidecarIstioProxyImage = in.SidecarIstioProxyImage
 out.ClusterName = in.ClusterName
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index 0378ce757f416..a971f13ba40ba 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -504,6 +504,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.EnableEndpointHealthChecking != nil {
+ in, out := &in.EnableEndpointHealthChecking, &out.EnableEndpointHealthChecking
+ *out = new(bool)
+ **out = **in
+ }
 if in.Labels != nil {
 in, out := &in.Labels, &out.Labels
 *out = make([]string, len(*in))
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index a72d0e4d0caf6..195d94a3e7615 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -837,6 +837,18 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe allErrs = append(allErrs, IsValidValue(fldPath.Child("containerRuntimeLabels"), &v.ContainerRuntimeLabels, []string{"none", "containerd", "crio", "docker", "auto"})...) } + if v.IdentityAllocationMode != "" { + allErrs = append(allErrs, IsValidValue(fldPath.Child("identityAllocationMode"), &v.IdentityAllocationMode, []string{"crd", "kvstore"})...) + + if v.IdentityAllocationMode == "kvstore" && !v.EtcdManaged { + allErrs = append(allErrs, field.Forbidden(fldPath.Child("identityAllocationMode"), "Cilium requires managed etcd to allocate identities on kvstore mode")) + } + } + + if v.BPFLBAlgorithm != "" { + allErrs = append(allErrs, IsValidValue(fldPath.Child("bpfLBAlgorithm"), &v.BPFLBAlgorithm, []string{"random", "maglev"})...) + } + if v.Ipam != "" { // "azure" not supported by kops allErrs = append(allErrs, IsValidValue(fldPath.Child("ipam"), &v.Ipam, []string{"hostscope", "kubernetes", "crd", "eni"})...) diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index 79b03f7d44030..4de072d31f0da 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -831,6 +831,12 @@ func Test_Validate_Cilium(t *testing.T) { }, ExpectedErrors: []string{"Forbidden::cilium.ipam"}, }, + { + Cilium: kops.CiliumNetworkingSpec{ + IdentityAllocationMode: "kvstore", + }, + ExpectedErrors: []string{"Forbidden::cilium.identityAllocationMode"}, + }, { Cilium: kops.CiliumNetworkingSpec{ Version: "v1.0.0", diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 4ca3dd87048de..630d34bc6b32d 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go 
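Review bot: The added block validates only `identityAllocationMode` and `bpfLBAlgorithm`, while `IdentityChangeGracePeriod` and `BPFLBMaglevTableSize` are free-form strings and the new `BPF*Max` fields are unconstrained ints, so a malformed duration, a non-numeric table size or a negative map size is written into the rendered ConfigMap unchanged and only surfaces when the agent starts. Add the missing checks next to the new ones, e.g. `if v.IdentityChangeGracePeriod != "" { if _, err := time.ParseDuration(v.IdentityChangeGracePeriod); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("identityChangeGracePeriod"), v.IdentityChangeGracePeriod, "must be a valid duration")) } }`, a `strconv.Atoi` check for `bpfLBMaglevTableSize`, and a `< 0` check for each size field (importing `time`/`strconv` if the file does not already). The `validateNetworkingCilium` function continues outside the hunk.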
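Review bot: The single new case only asserts the Forbidden error for `kvstore` without managed etcd; nothing exercises the two `IsValidValue` checks added to validation.go, so an unknown `identityAllocationMode` or `bpfLBAlgorithm` being accepted would not fail any test. Add cases such as `Cilium: kops.CiliumNetworkingSpec{IdentityAllocationMode: "foo"}` and `Cilium: kops.CiliumNetworkingSpec{BPFLBAlgorithm: "foo"}` with the expected unsupported-value error in the same `Type::cilium.field` form the existing cases use, plus a positive case with `EtcdManaged: true` and `IdentityAllocationMode: "kvstore"` expecting no errors. The `Test_Validate_Cilium` table continues outside the hunk.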
@@ -588,6 +588,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.EnableEndpointHealthChecking != nil { + in, out := &in.EnableEndpointHealthChecking, &out.EnableEndpointHealthChecking + *out = new(bool) + **out = **in + } if in.Labels != nil { in, out := &in.Labels, &out.Labels *out = make([]string, len(*in)) diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go index 0d0ca8ff5beac..88d0362f9b2f1 100644 --- a/pkg/model/components/cilium.go +++ b/pkg/model/components/cilium.go @@ -45,14 +45,51 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error { version, _ := semver.ParseTolerant(c.Version) + if c.EnableEndpointHealthChecking == nil { + c.EnableEndpointHealthChecking = fi.Bool(true) + } + + if c.IdentityAllocationMode == "" { + c.IdentityAllocationMode = "crd" + } + + if c.IdentityChangeGracePeriod == "" { + c.IdentityChangeGracePeriod = "5s" + } + if c.BPFCTGlobalAnyMax == 0 { c.BPFCTGlobalAnyMax = 262144 } + if c.BPFCTGlobalTCPMax == 0 { c.BPFCTGlobalTCPMax = 524288 } + if c.BPFLBAlgorithm == "" { + c.BPFLBAlgorithm = "random" + } + + if c.BPFLBMaglevTableSize == "" { + c.BPFLBMaglevTableSize = "16381" + } + + if c.BPFNATGlobalMax == 0 { + c.BPFNATGlobalMax = 524288 + } + + if c.BPFNeighGlobalMax == 0 { + c.BPFNeighGlobalMax = 524288 + } + + if c.BPFPolicyMapMax == 0 { + c.BPFPolicyMapMax = 16384 + } + + if c.BPFLBMapMax == 0 { + c.BPFLBMapMax = 65536 + } + if c.ClusterName == "" { c.ClusterName = "default" } diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template index c056ab479739a..831de4378d8ac 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.12-v1.9.yaml.template 
@@ -61,7 +61,9 @@ data: # backend. Upgrades from these older cilium versions should continue using # the kvstore by commenting out the identity-allocation-mode below, or # setting it to "kvstore". - identity-allocation-mode: crd + # (default crd) + identity-allocation-mode: "{{ .IdentityAllocationMode }}" + # If you want to run cilium in debug mode change this value to true debug: "{{ .Debug }}" {{ if .EnablePrometheusMetrics }} @@ -103,6 +105,28 @@ data: bpf-ct-global-tcp-max: "{{ .BPFCTGlobalTCPMax }}" bpf-ct-global-any-max: "{{ .BPFCTGlobalAnyMax }}" + # BPF load balancing algorithm ("random", "maglev") (default "random") + bpf-lb-algorithm: "{{ .BPFLBAlgorithm }}" + + # Maglev per service backend table size (parameter M) (default 16381) + bpf-lb-maglev-table-size: "{{ .BPFLBMaglevTableSize }}" + + # bpf-nat-global-max specified the maximum number of entries in the + # BPF NAT table. (default 524288) + bpf-nat-global-max: "{{ .BPFNATGlobalMax }}" + + # bpf-neigh-global-max specified the maximum number of entries in the + # BPF neighbor table. (default 524288) + bpf-neigh-global-max: "{{ .BPFNeighGlobalMax }}" + + # bpf-policy-map-max specifies the maximum number of entries in endpoint + # policy map (per endpoint) (default 16384) + bpf-policy-map-max: "{{ .BPFPolicyMapMax }}" + + # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, + # backend and affinity maps. (default 65536) + bpf-lb-map-max: "{{ .BPFLBMapMax }}" + # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The # default value below will minimize memory usage in the default installation; @@ -178,7 +202,7 @@ data: {{ end }} enable-node-port: "{{ .EnableNodePort }}" kube-proxy-replacement: "{{- if .EnableNodePort -}}strict{{- else -}}partial{{- end -}}" - enable-remote-node-identity: "{{ .EnableRemoteNodeIdentity -}}" + {{ with .Ipam }} ipam: {{ . }} {{ if eq . "eni" }} 
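Review bot: The context comment kept above `identity-allocation-mode` still tells the reader to switch backends by commenting out or editing that line, but the value now comes from `spec.networking.cilium.identityAllocationMode` (defaulted to crd in cilium.go) and any edit to the rendered ConfigMap is overwritten on the next apply; reword it along the lines of `# Set spec.networking.cilium.identityAllocationMode to "kvstore" to keep using the kvstore backend (default crd).`. Also, unlike the k8s-1.16-v1.10 template (hunk -61,9 +61,15), this v1.9 template does not emit `identity-change-grace-period`, so the new `IdentityChangeGracePeriod` field and its CRD description have no effect for Cilium 1.9 clusters; either add the key here as well or state the version limitation in the field's doc comment. The same stale comment appears in the v1.10 template.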
@@ -188,6 +212,15 @@ data: {{ end }} {{ end }} + # Disables usage of CiliumEndpoint CRD + disable-endpoint-crd: "{{ .DisableEndpointCRD }}" + + # Enable connectivity health checking between virtual endpoints (default true) + enable-endpoint-health-checking: "{{ .EnableEndpointHealthChecking }}" + + # Enable use of remote node identity (default false) + enable-remote-node-identity: "{{ .EnableRemoteNodeIdentity }}" + {{ if WithDefaultBool .Hubble.Enabled false }} # Enable Hubble gRPC service. enable-hubble: "true" diff --git a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template index bccf84fc3c957..d70aa8e3c7b0c 100644 --- a/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.10.yaml.template @@ -61,9 +61,15 @@ data: # backend. Upgrades from these older cilium versions should continue using # the kvstore by commenting out the identity-allocation-mode below, or # setting it to "kvstore". - identity-allocation-mode: crd + # (default crd) + identity-allocation-mode: "{{ .IdentityAllocationMode }}" + + # Time to wait before using new identity on endpoint identity change (default 5s) + identity-change-grace-period: "{{ .IdentityChangeGracePeriod }}" + # If you want to run cilium in debug mode change this value to true debug: "{{ .Debug }}" + {{ if .EnablePrometheusMetrics }} # If you want metrics enabled in all of your Cilium agents, set the port for # which the Cilium agents will have their metrics exposed. 
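Review bot: `enable-endpoint-health-checking: "{{ .EnableEndpointHealthChecking }}"` renders a `*bool`; text/template dereferences it when set, but a nil pointer renders as `<nil>`, which the agent would reject, so this line silently depends on `BuildOptions` in cilium.go having filled in the default. The template already guards the other pointer bool with `WithDefaultBool .Hubble.Enabled false`; using the same helper here, `enable-endpoint-health-checking: "{{ WithDefaultBool .EnableEndpointHealthChecking true }}"`, makes the template self-sufficient and keeps the documented default in one place (assuming the helper's bool result prints as `true`/`false`, as it does for Hubble). The k8s-1.16-v1.10 template (hunk -188,6 +216,15) has the identical line.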
@@ -103,6 +109,28 @@ data: bpf-ct-global-tcp-max: "{{ .BPFCTGlobalTCPMax }}" bpf-ct-global-any-max: "{{ .BPFCTGlobalAnyMax }}" + # BPF load balancing algorithm ("random", "maglev") (default "random") + bpf-lb-algorithm: "{{ .BPFLBAlgorithm }}" + + # Maglev per service backend table size (parameter M) (default 16381) + bpf-lb-maglev-table-size: "{{ .BPFLBMaglevTableSize }}" + + # bpf-nat-global-max specified the maximum number of entries in the + # BPF NAT table. (default 524288) + bpf-nat-global-max: "{{ .BPFNATGlobalMax }}" + + # bpf-neigh-global-max specified the maximum number of entries in the + # BPF neighbor table. (default 524288) + bpf-neigh-global-max: "{{ .BPFNeighGlobalMax }}" + + # bpf-policy-map-max specifies the maximum number of entries in endpoint + # policy map (per endpoint) (default 16384) + bpf-policy-map-max: "{{ .BPFPolicyMapMax }}" + + # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, + # backend and affinity maps. (default 65536) + bpf-lb-map-max: "{{ .BPFLBMapMax }}" + # Pre-allocation of map entries allows per-packet latency to be reduced, at # the expense of up-front memory allocation for the entries in the maps. The # default value below will minimize memory usage in the default installation; @@ -178,7 +206,7 @@ data: {{ end }} enable-node-port: "{{ .EnableNodePort }}" kube-proxy-replacement: "{{- if .EnableNodePort -}}strict{{- else -}}partial{{- end -}}" - enable-remote-node-identity: "{{ .EnableRemoteNodeIdentity -}}" + {{ with .Ipam }} ipam: {{ . }} {{ if eq . "eni" }} 
@@ -188,6 +216,15 @@ data: {{ end }} {{ end }} + # Disables usage of CiliumEndpoint CRD + disable-endpoint-crd: "{{ .DisableEndpointCRD }}" + + # Enable connectivity health checking between virtual endpoints (default true) + enable-endpoint-health-checking: "{{ .EnableEndpointHealthChecking }}" + + # Enable use of remote node identity (default false) + enable-remote-node-identity: "{{ .EnableRemoteNodeIdentity }}" + {{ if WithDefaultBool .Hubble.Enabled false }} # Enable Hubble gRPC service. enable-hubble: "true" @@ -563,7 +600,7 @@ spec: value: "true" failureThreshold: 24 periodSeconds: 2 - successThreshold: + successThreshold: livenessProbe: httpGet: host: '127.0.0.1' diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml index 7ab8ebaa95fc2..733aa221cfce8 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml @@ -61,7 +61,7 @@ spec: version: 1.17.0 - id: k8s-1.16 manifest: networking.cilium.io/k8s-1.16-v1.10.yaml - manifestHash: 461df69665b35c37bc1cc503edba447c205af8f3 + manifestHash: 58a8b7d86202626309156e11d4279d42403d1c57 name: networking.cilium.io needsRollingUpdate: all selector: