fix(cilium): disable kube-proxy replacement, adjust cgroup and capabi…
…lities
tyriis committed Apr 6, 2024
1 parent df49c21 commit 47ba4ce
Showing 3 changed files with 44 additions and 2 deletions.
2 changes: 1 addition & 1 deletion infra/talos/talconfig.yaml
@@ -75,7 +75,7 @@ domain: cluster.local
allowSchedulingOnMasters: true
allowSchedulingOnControlPlanes: true
cniConfig:
name: flannel
name: none

controlPlane:
schematic:
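Review bot: Setting `cniConfig.name` to `none` leaves the cluster without any CNI until Cilium is applied out of band, and nothing next to the changed line says so. A comment above it would help, e.g. `# CNI is installed separately (Cilium, kubernetes/talos-flux/bootstrap/cilium); nodes stay NotReady until it is applied`. Because the same commit sets `kubeProxyReplacement: disabled` in the Cilium values, Talos' own kube-proxy presumably has to stay enabled; the proxy settings lie outside this hunk, so that is worth confirming.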
@@ -133,4 +133,25 @@ spec:
rollOutCiliumPods: true
securityContext:
privileged: true
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
cgroup:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
routingMode: native
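Review bot: `privileged: true` is left in place directly above the new `capabilities` lists, so the lists narrow nothing: a privileged container receives every capability, and the Cilium chart, as far as I know, renders the `capabilities` block only when `privileged` is false (verify with `helm template`). If the intent is the reduced set, the line should become `privileged: false`. The same applies to the identical block added in kubernetes/talos-flux/bootstrap/cilium/values.yaml. `SYS_ADMIN` remains broad even then, so a short comment on why each list is required would help later review. Indentation is lost on this page, so the nesting of both keys under `securityContext` is assumed.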
23 changes: 22 additions & 1 deletion kubernetes/talos-flux/bootstrap/cilium/values.yaml
@@ -72,7 +72,7 @@ endpointRoutes:
ipam:
mode: kubernetes
ipv4NativeRoutingCIDR: 10.245.0.0/16
# kubeProxyReplacement: strict
kubeProxyReplacement: disabled
# kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
l2announcements:
enabled: false
@@ -106,4 +106,25 @@ dashboards:
rollOutCiliumPods: true
securityContext:
privileged: true
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
cgroup:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
# routingMode: native
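Review bot: `kubeProxyReplacement: disabled` in the first hunk uses one of the legacy mode names; as far as I know newer Cilium charts deprecate `strict`/`partial`/`disabled` in favour of `true`/`false` and later releases no longer accept the old names. The chart version is not visible on this page, so check it and, if it is on the new scheme, write `kubeProxyReplacement: "false"` (quoted so it is not retyped as a YAML boolean). Separately, `routingMode: native` is active at the end of the second file section (its header is not shown here) but stays commented out on the last line of this file, so the bootstrap install and the managed release may render different routing settings.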
