diff --git a/infra/talos/talconfig.yaml b/infra/talos/talconfig.yaml
index adffd8a03..6cdf8f5e6 100644
--- a/infra/talos/talconfig.yaml
+++ b/infra/talos/talconfig.yaml
@@ -75,7 +75,7 @@ domain: cluster.local
 allowSchedulingOnMasters: true
 allowSchedulingOnControlPlanes: true
 cniConfig:
- name: flannel
+ name: none
 controlPlane:
 schematic:
diff --git a/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml b/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
index a453c4349..41dfaf991 100644
--- a/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
@@ -133,4 +133,25 @@ spec:
 rollOutCiliumPods: true
 securityContext:
 privileged: true
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
 routingMode: native
diff --git a/kubernetes/talos-flux/bootstrap/cilium/values.yaml b/kubernetes/talos-flux/bootstrap/cilium/values.yaml
index d14a55754..e617a1d85 100644
--- a/kubernetes/talos-flux/bootstrap/cilium/values.yaml
+++ b/kubernetes/talos-flux/bootstrap/cilium/values.yaml
@@ -72,7 +72,7 @@ endpointRoutes:
 ipam:
 mode: kubernetes
 ipv4NativeRoutingCIDR: 10.245.0.0/16
-# kubeProxyReplacement: strict
+kubeProxyReplacement: disabled
 # kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
 l2announcements:
 enabled: false
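Review bot: `cniConfig.name: none` leaves every node without a CNI until the Cilium chart under `kubernetes/talos-flux/bootstrap/cilium` is applied, and nothing in this file records that dependency, so a later reader may take `none` for a mistake and put flannel back. Add a comment above the key: `# CNI intentionally unset: Cilium is installed from kubernetes/talos-flux/bootstrap/cilium at bootstrap; nodes stay NotReady until it is applied`. Because the bootstrap values in this same commit set `kubeProxyReplacement: disabled`, the Talos `cluster.proxy` setting (not shown in this hunk) must stay enabled — worth confirming while touching this file. The `cniConfig`/`controlPlane` stanza continues past the end of the hunk.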
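Review bot: The new `securityContext.capabilities.ciliumAgent` allowlist does nothing while `privileged: true` remains on the line above it — a privileged container already holds every capability, and in the upstream Cilium chart the `capabilities` block is only rendered when `privileged` is false (please confirm against the pinned chart version's daemonset template). The list matches the reduced set Talos documents for Cilium, so the intent is clearly to stop running the agent fully privileged; change `privileged: true` to `privileged: false` so the allowlist actually bounds the agent. SYS_ADMIN stays in the set and is close to root on the host, which is presumably unavoidable for the agent but deserves a one-line comment saying why it is kept. The `securityContext` mapping begins before the hunk.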
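Review bot: `kubeProxyReplacement: disabled` uses the legacy string form; as far as I recall Cilium deprecated the `strict`/`partial`/`disabled` spellings in 1.14 and newer charts accept only `true`/`false`, so depending on the pinned chart this value may be rejected by the values schema — verify against the chart's `values.schema.json`. `kubeProxyReplacement: false` is the forward-compatible spelling with the same meaning. With replacement off, kube-proxy must still run on the Talos nodes, which this commit does not show; a comment here would tie the two together: `# kube-proxy stays enabled in infra/talos/talconfig.yaml; flip this to true only together with cluster.proxy.disabled: true`.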
@@ -106,4 +106,25 @@ dashboards:
 rollOutCiliumPods: true
 securityContext:
 privileged: true
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
 # routingMode: native
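Review bot: The `capabilities` allowlist added under `securityContext` is masked by `privileged: true` on the line before it, so the agent still runs with all capabilities and the list is dead configuration; set `privileged: false` here as well (confirm against the chart's daemonset template, which upstream only emits the `capabilities` block when privileged is off). This stanza is now duplicated verbatim between the bootstrap values and the HelmRelease in `kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml`, so any future change must be made in both places; a short comment pointing at the other copy would reduce drift. The surrounding `securityContext` mapping starts before the hunk.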