From 47ba4cef57917e3662c61502662b3137effa34bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20M=C3=BCller?=
Date: Sat, 6 Apr 2024 23:25:29 +0200
Subject: [PATCH] fix(cilium): disable kube-proxy replacement, adjust cgroup and capabilities

---
 infra/talos/talconfig.yaml | 2 +-
 .../kube-system/cilium/app/helm-release.yaml | 21 +++++++++++++++++
 .../talos-flux/bootstrap/cilium/values.yaml | 23 ++++++++++++++++++-
 3 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/infra/talos/talconfig.yaml b/infra/talos/talconfig.yaml
index adffd8a03..6cdf8f5e6 100644
--- a/infra/talos/talconfig.yaml
+++ b/infra/talos/talconfig.yaml
@@ -75,7 +75,7 @@ domain: cluster.local
 allowSchedulingOnMasters: true
 allowSchedulingOnControlPlanes: true
 cniConfig:
- name: flannel
+ name: none
 controlPlane:
 schematic:
diff --git a/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml b/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
index a453c4349..41dfaf991 100644
--- a/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/kube-system/cilium/app/helm-release.yaml
@@ -133,4 +133,25 @@ spec:
 rollOutCiliumPods: true
 securityContext:
 privileged: true
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
 routingMode: native
diff --git a/kubernetes/talos-flux/bootstrap/cilium/values.yaml b/kubernetes/talos-flux/bootstrap/cilium/values.yaml
index d14a55754..e617a1d85 100644
--- a/kubernetes/talos-flux/bootstrap/cilium/values.yaml
+++ b/kubernetes/talos-flux/bootstrap/cilium/values.yaml
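Review bot: With `cniConfig.name: none` here and `kubeProxyReplacement: disabled` in the bootstrap values of the same commit, Service traffic now depends entirely on the Talos-managed kube-proxy; if this talconfig, or a machine patch it references, also sets `proxy.disabled: true` (not visible in the hunk), the cluster would be left with no service datapath at all, so that setting should be checked before this lands. A comment next to the new line would make the dependency explicit, e.g. `# CNI is installed by the Cilium bootstrap; kube-proxy must stay enabled because kubeProxyReplacement is disabled`. The `controlPlane:` mapping at the end of the hunk continues outside it.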
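Review bot: The added `securityContext.capabilities` lists most likely have no effect while `privileged: true` stays on the line above them: as the Cilium chart is typically rendered, a privileged agent container receives every capability and the explicit `ciliumAgent`/`cleanCiliumState` lists are only emitted into the pod spec when privileged is off, so this hunk neither widens nor narrows the agent's privileges. If the intent is the least-privilege profile the capability list describes, change the existing line to `privileged: false` (or drop it) so the chart renders `capabilities.add` with a drop-all baseline, and then confirm the agent still starts with `cgroup.autoMount.enabled: false` and the `/sys/fs/cgroup` host root. The same `privileged: true` plus capability-list combination is repeated in the second hunk of kubernetes/talos-flux/bootstrap/cilium/values.yaml and should be fixed there too. The surrounding `securityContext:` mapping begins inside the hunk, but the enclosing `spec.values` block starts before it.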
@@ -72,7 +72,7 @@ endpointRoutes:
 ipam:
 mode: kubernetes
 ipv4NativeRoutingCIDR: 10.245.0.0/16
-# kubeProxyReplacement: strict
+kubeProxyReplacement: disabled
 # kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
 l2announcements:
 enabled: false
@@ -106,4 +106,25 @@ dashboards:
 rollOutCiliumPods: true
 securityContext:
 privileged: true
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
 # routingMode: native
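Review bot: `kubeProxyReplacement: disabled` uses the string mode that, to my knowledge, recent Cilium charts deprecate in favour of `true`/`false`; the chart version pinned for this bootstrap is not visible in the hunk, so confirm the value is still accepted by that version, or write `kubeProxyReplacement: false` if the chart is new enough to prefer it. The commit title announces this change, yet the Flux HelmRelease for the same agent in this patch does not carry it, so the bootstrap values and the reconciled release may now disagree on whether Cilium or kube-proxy handles Services — worth aligning, or recording in a comment why they intentionally differ. The `ipam:` mapping at the top of the hunk begins outside it.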