feat(helm): update cilium ( 1.16.6 → 1.19.2 )#56
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
Conversation
--- kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/apps/kube-system/cilium/app Kustomization: flux-system/cilium HelmRelease: kube-system/cilium
@@ -13,13 +13,13 @@
spec:
chart: cilium
sourceRef:
kind: HelmRepository
name: cilium
namespace: flux-system
- version: 1.16.6
+ version: 1.19.2
install:
remediation:
retries: 3
interval: 30m
upgrade:
cleanupOnFail: true |
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard
@@ -9,8456 +9,11195 @@
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
grafana_dashboard: '1'
annotations:
grafana_folder: Cilium
data:
- cilium-dashboard.json: |
+ cilium-dashboard.json: |-
{
"annotations": {
"list": [
{
"builtIn": 1,
- "datasource": "-- Grafana --",
+ "datasource": {
+ "type": "datasource",
+ "uid": "grafana"
+ },
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Dashboard for Cilium (https://cilium.io/) metrics",
"editable": true,
- "gnetId": null,
+ "fiscalYearStartMonth": 0,
"graphTooltip": 1,
- "iteration": 1606309591568,
+ "id": 1,
"links": [],
"panels": [
{
- "aliasColors": {
- "error": "#890f02",
- "warning": "#c15c17"
- },
- "bars": false,
- "dashLength": 10,
- "dashes": false,
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
- "custom": {}
- },
- "overrides": []
- },
- "fill": 1,
- "fillGradient": 0,
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 10,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "never",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "links": [],
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ },
+ "unit": "opm"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "error"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "#890f02",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "warning"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "#c15c17",
+ "mode": "fixed"
+ }
+ }
+ ]
+ }
+ ]
+ },
"gridPos": {
"h": 5,
"w": 12,
"x": 0,
"y": 0
},
- "hiddenSeries": false,
"id": 76,
- "legend": {
- "avg": false,
- "current": false,
- "max": false,
- "min": false,
- "show": true,
- "total": false,
- "values": false
- },
- "lines": true,
- "linewidth": 1,
- "links": [],
- "nullPointMode": "null",
"options": {
- "dataLinks": []
- },
- "paceLength": 10,
- "percentage": false,
- "pointradius": 5,
- "points": false,
- "renderer": "flot",
- "seriesOverrides": [
- {
- "alias": "error",
- "yaxis": 2
- }
- ],
- "spaceLength": 10,
- "stack": false,
- "steppedLine": false,
+ "legend": {
+ "calcs": [],
+ "displayMode": "list",
+ "placement": "bottom",
+ "showLegend": true
+ },
+ "tooltip": {
+ "mode": "multi",
+ "sort": "none"
+ }
+ },
+ "pluginVersion": "11.3.1",
"targets": [
{
+ "datasource": {
+ "type": "prometheus",
+ "uid": "${DS_PROMETHEUS}"
+ },
+ "editorMode": "code",
"expr": "sum(rate(cilium_errors_warnings_total{k8s_app=\"cilium\", pod=~\"$pod\"}[1m])) by (pod, level) * 60",
"format": "time_series",
"intervalFactor": 1,
"legendFormat": "{{level}}",
+ "range": true,
"refId": "A"
}
],
- "thresholds": [],
- "timeFrom": null,
- "timeRegions": [],
- "timeShift": null,
"title": "Errors & Warnings",
- "tooltip": {
- "shared": true,
- "sort": 0,
- "value_type": "individual"
- },
- "type": "graph",
- "xaxis": {
- "buckets": null,
- "mode": "time",
- "name": null,
- "show": true,
- "values": []
- },
- "yaxes": [
- {
- "format": "opm",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- },
- {
- "format": "opm",
- "label": null,
- "logBase": 1,
- "max": null,
- "min": null,
- "show": true
- }
- ],
- "yaxis": {
- "align": false,
- "alignLevel": null
- }
+ "type": "timeseries"
},
{
- "aliasColors": {
- "avg": "#cffaff"
- },
- "bars": false,
- "dashLength": 10,
- "dashes": false,
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"fieldConfig": {
"defaults": {
- "custom": {}
- },
- "overrides": []
- },
- "fill": 0,
- "fillGradient": 0,
+ "color": {
+ "mode": "palette-classic"
+ },
+ "custom": {
+ "axisBorderShow": false,
+ "axisCenteredZero": false,
+ "axisColorMode": "text",
+ "axisLabel": "",
+ "axisPlacement": "auto",
+ "barAlignment": 0,
+ "barWidthFactor": 0.6,
+ "drawStyle": "line",
+ "fillOpacity": 35,
+ "gradientMode": "none",
+ "hideFrom": {
+ "legend": false,
+ "tooltip": false,
+ "viz": false
+ },
+ "insertNulls": false,
+ "lineInterpolation": "linear",
+ "lineWidth": 1,
+ "pointSize": 5,
+ "scaleDistribution": {
+ "type": "linear"
+ },
+ "showPoints": "never",
+ "spanNulls": false,
+ "stacking": {
+ "group": "A",
+ "mode": "none"
+ },
+ "thresholdsStyle": {
+ "mode": "off"
+ }
+ },
+ "links": [],
+ "mappings": [],
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ },
+ {
+ "color": "red",
+ "value": 80
+ }
+ ]
+ },
+ "unit": "percent"
+ },
+ "overrides": [
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "avg"
+ },
+ "properties": [
+ {
+ "id": "color",
+ "value": {
+ "fixedColor": "#cffaff",
+ "mode": "fixed"
+ }
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "max"
+ },
+ "properties": [
+ {
+ "id": "custom.fillBelowTo",
+ "value": "min"
+ },
+ {
+ "id": "custom.lineWidth",
+ "value": 0
+ }
+ ]
+ },
+ {
+ "matcher": {
+ "id": "byName",
+ "options": "min"
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -9,125 +9,156 @@
identity-heartbeat-timeout: 30m0s
identity-gc-interval: 15m0s
cilium-endpoint-gc-interval: 5m0s
nodes-gc-interval: 5m0s
debug: 'false'
debug-verbose: ''
+ metrics-sampling-interval: 5m
enable-policy: default
policy-cidr-match-mode: ''
prometheus-serve-addr: :9962
controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
proxy-prometheus-port: '9964'
operator-prometheus-serve-addr: :9963
enable-metrics: 'true'
+ enable-policy-secrets-sync: 'true'
+ policy-secrets-only-from-secrets-namespace: 'true'
+ policy-secrets-namespace: cilium-secrets
enable-ipv4: 'true'
enable-ipv6: 'false'
custom-cni-conf: 'false'
enable-bpf-clock-probe: 'false'
monitor-aggregation: medium
monitor-aggregation-interval: 5s
monitor-aggregation-flags: all
bpf-map-dynamic-size-ratio: '0.0025'
bpf-policy-map-max: '16384'
+ bpf-policy-stats-map-max: '65536'
bpf-lb-map-max: '65536'
bpf-lb-external-clusterip: 'false'
+ bpf-lb-source-range-all-types: 'false'
+ bpf-lb-algorithm-annotation: 'false'
+ bpf-lb-mode-annotation: 'false'
+ bpf-distributed-lru: 'false'
bpf-events-drop-enabled: 'true'
bpf-events-policy-verdict-enabled: 'true'
bpf-events-trace-enabled: 'true'
preallocate-bpf-maps: 'false'
cluster-name: athena
cluster-id: '1'
routing-mode: native
+ tunnel-protocol: vxlan
+ tunnel-source-port-range: 0-0
service-no-backend-response: reject
+ policy-deny-response: none
enable-l7-proxy: 'true'
enable-ipv4-masquerade: 'true'
enable-ipv4-big-tcp: 'false'
enable-ipv6-big-tcp: 'false'
enable-ipv6-masquerade: 'true'
+ enable-tunnel-big-tcp: 'false'
enable-tcx: 'true'
datapath-mode: veth
enable-bpf-masquerade: 'false'
enable-masquerade-to-route-source: 'false'
enable-xt-socket-fallback: 'true'
install-no-conntrack-iptables-rules: 'false'
+ iptables-random-fully: 'false'
auto-direct-node-routes: 'true'
direct-routing-skip-unreachable: 'false'
enable-local-redirect-policy: 'true'
ipv4-native-routing-cidr: 10.10.0.0/16
- enable-runtime-device-detection: 'true'
kube-proxy-replacement: 'true'
kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
+ enable-no-service-endpoints-routable: 'true'
bpf-lb-sock: 'false'
bpf-lb-sock-hostns-only: 'true'
nodeport-addresses: ''
enable-health-check-nodeport: 'true'
enable-health-check-loadbalancer-ip: 'false'
node-port-bind-protection: 'true'
enable-auto-protect-node-port-range: 'true'
bpf-lb-mode: dsr
bpf-lb-algorithm: maglev
bpf-lb-acceleration: disabled
- enable-svc-source-range-check: 'true'
- enable-l2-neigh-discovery: 'true'
- arping-refresh-period: 30s
+ enable-service-topology: 'false'
+ enable-l2-neigh-discovery: 'false'
k8s-require-ipv4-pod-cidr: 'false'
k8s-require-ipv6-pod-cidr: 'false'
enable-endpoint-routes: 'true'
enable-k8s-networkpolicy: 'true'
+ enable-endpoint-lockdown-on-policy-overflow: 'false'
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
cni-exclusive: 'false'
cni-log-file: /var/run/cilium/cilium-cni.log
enable-endpoint-health-checking: 'true'
enable-health-checking: 'true'
+ health-check-icmp-failure-threshold: '3'
enable-well-known-identities: 'false'
enable-node-selector-labels: 'false'
synchronize-k8s-nodes: 'true'
operator-api-serve-addr: 127.0.0.1:9234
+ enable-hubble: 'false'
ipam: kubernetes
ipam-cilium-node-update-rate: 15s
+ default-lb-service-ipam: lbipam
egress-gateway-reconciliation-trigger-interval: 1s
enable-vtep: 'false'
vtep-endpoint: ''
vtep-cidr: ''
vtep-mask: ''
vtep-mac: ''
enable-l2-announcements: 'true'
+ packetization-layer-pmtud-mode: blackhole
procfs: /host/proc
bpf-root: /sys/fs/bpf
cgroup-root: /sys/fs/cgroup
- enable-k8s-terminating-endpoint: 'true'
+ identity-management-mode: agent
enable-sctp: 'false'
- k8s-client-qps: '10'
- k8s-client-burst: '20'
remove-cilium-node-taints: 'true'
set-cilium-node-taints: 'true'
set-cilium-is-up-condition: 'true'
- unmanaged-pod-watcher-interval: '15'
+ unmanaged-pod-watcher-interval: 15s
dnsproxy-enable-transparent-mode: 'true'
dnsproxy-socket-linger-timeout: '10'
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: 'true'
- tofqdns-endpoint-max-ip-per-hostname: '50'
+ tofqdns-endpoint-max-ip-per-hostname: '1000'
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: '10000'
tofqdns-proxy-response-max-delay: 100ms
+ tofqdns-preallocate-identities: 'true'
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
- mesh-auth-enabled: 'true'
+ mesh-auth-enabled: 'false'
mesh-auth-queue-size: '1024'
mesh-auth-rotated-identities-queue-size: '1024'
mesh-auth-gc-interval: 5m0s
proxy-xff-num-trusted-hops-ingress: '0'
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
proxy-initial-fetch-timeout: '30'
+ proxy-max-active-downstream-connections: '50000'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
+ proxy-max-concurrent-retries: '128'
+ proxy-use-original-source-address: 'true'
+ proxy-cluster-max-connections: '1024'
+ proxy-cluster-max-requests: '1024'
+ http-retry-count: '3'
+ http-stream-idle-timeout: '300'
external-envoy-proxy: 'false'
envoy-base-id: '0'
+ envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
+ clustermesh-cache-ttl: 0s
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
+ clustermesh-mcs-api-install-crds: 'true'
+ policy-default-local-cluster: 'true'
nat-map-stats-entries: '32'
nat-map-stats-interval: 30s
+ enable-lb-ipam: 'true'
+ enable-non-default-deny-policies: 'true'
+ enable-source-ip-verification: 'true'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-operator-dashboard
@@ -1013,13 +1013,19 @@
],
"refresh": false,
"schemaVersion": 25,
"style": "dark",
"tags": [],
"templating": {
- "list": []
+ "list": [
+ {
+ "type": "datasource",
+ "name": "DS_PROMETHEUS",
+ "query": "prometheus"
+ }
+ ]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium
@@ -53,13 +53,12 @@
- watch
- get
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- - ciliumbgppeeringpolicies
- ciliumbgpnodeconfigs
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -53,12 +53,13 @@
- update
- patch
- apiGroups:
- ''
resources:
- namespaces
+ - secrets
verbs:
- get
- list
- watch
- apiGroups:
- ''
@@ -136,12 +137,19 @@
- get
- list
- watch
- delete
- patch
- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
+- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
@@ -152,41 +160,40 @@
resources:
- customresourcedefinitions
verbs:
- update
resourceNames:
- ciliumloadbalancerippools.cilium.io
- - ciliumbgppeeringpolicies.cilium.io
- ciliumbgpclusterconfigs.cilium.io
- ciliumbgppeerconfigs.cilium.io
- ciliumbgpadvertisements.cilium.io
- ciliumbgpnodeconfigs.cilium.io
- ciliumbgpnodeconfigoverrides.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
- ciliumendpoints.cilium.io
- ciliumendpointslices.cilium.io
- ciliumenvoyconfigs.cilium.io
- - ciliumexternalworkloads.cilium.io
- ciliumidentities.cilium.io
- ciliumlocalredirectpolicies.cilium.io
- ciliumnetworkpolicies.cilium.io
- ciliumnodes.cilium.io
- ciliumnodeconfigs.cilium.io
- ciliumcidrgroups.cilium.io
- ciliuml2announcementpolicies.cilium.io
- ciliumpodippools.cilium.io
+ - ciliumgatewayclassconfigs.cilium.io
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- - ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
+ - ciliumbgppeerconfigs
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
@@ -205,7 +212,13 @@
resources:
- leases
verbs:
- create
- get
- update
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumendpointslices
+ verbs:
+ - deletecollection
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -16,60 +16,65 @@
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+ cilium.io/cilium-configmap-checksum: f2fee52c57980c313d98b616a952c363112ae55d67b217665f72cb8311f7c5c2
+ kubectl.kubernetes.io/default-container: cilium-agent
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
+ seccompProfile:
+ type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
- failureThreshold: 105
+ failureThreshold: 300
periodSeconds: 2
successThreshold: 1
initialDelaySeconds: 5
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
+ - name: require-k8s-connectivity
+ value: 'false'
periodSeconds: 30
successThreshold: 1
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9879
+ port: health
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
periodSeconds: 30
successThreshold: 1
@@ -94,12 +99,16 @@
resource: limits.memory
divisor: '1'
- name: KUBERNETES_SERVICE_HOST
value: 127.0.0.1
- name: KUBERNETES_SERVICE_PORT
value: '7445'
+ - name: KUBE_CLIENT_BACKOFF_BASE
+ value: '1'
+ - name: KUBE_CLIENT_BACKOFF_DURATION
+ value: '120'
lifecycle:
postStart:
exec:
command:
- bash
- -c
@@ -125,27 +134,23 @@
echo 'Done!'
preStop:
exec:
command:
- /cni-uninstall.sh
ports:
- - name: peer-service
- containerPort: 4244
- hostPort: 4244
+ - name: health
+ containerPort: 9879
+ hostPort: 9879
protocol: TCP
- name: prometheus
containerPort: 9962
hostPort: 9962
protocol: TCP
- name: envoy-metrics
containerPort: 9964
hostPort: 9964
- protocol: TCP
- - name: envoy-admin
- containerPort: 9901
- hostPort: 9901
protocol: TCP
securityContext:
seLinuxOptions:
level: s0
type: spc_t
capabilities:
@@ -190,13 +195,13 @@
- name: xtables-lock
mountPath: /run/xtables.lock
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -214,14 +219,20 @@
- name: KUBERNETES_SERVICE_PORT
value: '7445'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ drop:
+ - ALL
- name: mount-cgroup
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
env:
- name: CGROUP_ROOT
value: /sys/fs/cgroup
- name: BIN_PATH
value: /opt/cni/bin
@@ -247,13 +258,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -277,13 +288,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: mount-bpf-fs
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
@@ -293,13 +304,13 @@
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -341,17 +352,20 @@
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.19.2@sha256:7bc7e0be845cae0a70241e622cd03c3b169001c9383dd84329c59ca86a8b1341
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
+ limits:
+ cpu: 1
+ memory: 1Gi
requests:
cpu: 100m
memory: 10Mi
securityContext:
seLinuxOptions:
level: s0
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -20,22 +20,25 @@
maxSurge: 25%
maxUnavailable: 100%
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: 1d9dd7de44a4535a928ffeef0787b5c79723050a2e399a92043be004c3791c74
+ cilium.io/cilium-configmap-checksum: f2fee52c57980c313d98b616a952c363112ae55d67b217665f72cb8311f7c5c2
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+ image: quay.io/cilium/operator-generic:v1.19.2@sha256:e363f4f634c2a66a36e01618734ea17e7b541b949b9a5632f9c180ab16de23f0
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
@@ -58,39 +61,47 @@
optional: true
- name: KUBERNETES_SERVICE_HOST
value: 127.0.0.1
- name: KUBERNETES_SERVICE_PORT
value: '7445'
ports:
+ - name: health
+ containerPort: 9234
+ hostPort: 9234
- name: prometheus
containerPort: 9963
hostPort: 9963
protocol: TCP
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9234
+ port: health
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 3
readinessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
- port: 9234
+ port: health
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 5
volumeMounts:
- name: cilium-config-path
mountPath: /tmp/cilium/config-map
readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
terminationMessagePolicy: FallbackToLogsOnError
hostNetwork: true
restartPolicy: Always
priorityClassName: system-cluster-critical
serviceAccountName: cilium-operator
automountServiceAccountToken: true
@@ -101,12 +112,21 @@
matchLabels:
io.cilium/app: operator
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- - operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node.kubernetes.io/not-ready
+ operator: Exists
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ operator: Exists
+ - key: node.cilium.io/agent-not-ready
+ operator: Exists
volumes:
- name: cilium-config-path
configMap:
name: cilium-config
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent
+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent
@@ -3,26 +3,28 @@
kind: ServiceMonitor
metadata:
name: cilium-agent
namespace: kube-system
labels:
app.kubernetes.io/part-of: cilium
+ app.kubernetes.io/name: cilium-agent
spec:
selector:
matchLabels:
- k8s-app: cilium
+ app.kubernetes.io/name: cilium-agent
namespaceSelector:
matchNames:
- kube-system
endpoints:
- port: metrics
interval: 10s
honorLabels: true
path: /metrics
relabelings:
- - replacement: ${1}
+ - action: replace
+ replacement: ${1}
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: node
targetLabels:
- k8s-app
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel
+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-operator-ztunnel
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-ztunnel
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel
+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-operator-ztunnel
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-ztunnel
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-ztunnel
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+ |
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/cilium-1.x
branch
from
35ed4f9 to
898f8c0
Compare
eivarin
force-pushed
the
main
branch
7 times, most recently
from
b854a53 to
05a2961
Compare
renovate
bot
force-pushed
the
renovate/cilium-1.x
branch
from
898f8c0 to
42595ee
Compare
renovate
bot
changed the title
eivarin
force-pushed
the
main
branch
14 times, most recently
from
cf65ea8 to
a605820
Compare
eivarin
force-pushed
the
main
branch
29 times, most recently
from
fef0cc0 to
234272b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.16.6→1.19.2Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
cilium/cilium (cilium)
v1.19.2Compare Source
v1.19.1: 1.19.1Compare Source
Summary of Changes
Bugfixes:
operator.enabled=falseby aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #44280, Upstream PR #44159, @puwun)CI Changes:
kernelto workflow job names (Backport PR #44127, Upstream PR #44291, @smagnani96)Misc Changes:
b3255e7(v1.19) (#44242, @cilium-renovate[bot])85c0ab0(v1.19) (#44364, @cilium-renovate[bot])f9f84bd(v1.19) (#44243, @cilium-renovate[bot])Other Changes:
Docker Manifests
cilium
quay.io/cilium/cilium:v1.19.1@​sha256:41f1f74a0000de8656f1de4088ea00c8f2d49d6edea579034c73c5fd5fe01792clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.19.1@​sha256:56d6c3dc13b50126b80ecb571707a0ea97f6db694182b9d61efd386d04e5bb28docker-plugin
quay.io/cilium/docker-plugin:v1.19.1@​sha256:6edfbf46ca484b1ed961f3c7382159ba7f0227e7af692159e99e8d4810ecaf34hubble-relay
quay.io/cilium/hubble-relay:v1.19.1@​sha256:d8c4e13bc36a56179292bb52bc6255379cb94cb873700d316ea3139b1bdb8165operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.19.1@​sha256:837b12f4239e88ea5b4b5708ab982c319a94ee05edaecaafe5fd0e5b1962f554operator-aws
quay.io/cilium/operator-aws:v1.19.1@​sha256:18913d05a6c4d205f0b7126c4723bb9ccbd4dc24403da46ed0f9f4bf2a142804operator-azure
quay.io/cilium/operator-azure:v1.19.1@​sha256:82bce78603056e709d4c4e9f9ebb25c222c36d8a07f8c05381c2372d9078eca8operator-generic
quay.io/cilium/operator-generic:v1.19.1@​sha256:e7278d763e448bf6c184b0682cf98cdca078d58a27e1b2f3c906792670aa211aoperator
quay.io/cilium/operator:v1.19.1@​sha256:93a6306d4543f1d8eccd79d6770c00ef4d4791f66326d97f9851f9d316e70141v1.19.0: 1.19.0Compare Source
🎉 Release Announcement 🎉: We are excited to announce the Cilium 1.19.0 release!
A total of 2934 new commits have been contributed to this release by a growing community of over 1010 developers and over 23,600 GitHub stars! 🤩
The full changelog can be found here.
Here are some of the highlights:
🛡️ Network Policy
**.) to match multilevel subdomain as pattern prefix. (cilium/cilium#43420, @fristonio)ToRequiresandFromRequirespolicy fields. (cilium/cilium#43167, @sayboras; cilium/cilium#40967, @TheBeeZee)🔒 Encryption & Authentication
🚠 Networking
🕸️ Services and Service Mesh
🛣️ Border Gateway Protocol (BGP)
sourceInterfaceto allow binding the BGP connection to the loopback address which is not tied to the specific physical interface's lifecycle (cilium/cilium#42583, @rastislavs)externalTrafficPolicy=Cluster(cilium/cilium#40717, @oblazek)cilium.io/v2API: The support for the olderCiliumBGPPeeringPolicyv1 API is now removed and should be replaced with v2 APIs. (cilium/cilium#42278, @rastislavs)🛰️ Observability
hubblecommand line to understand the encryption status of the traffic, either--encryptedor--unencrypted. (cilium/cilium#43096, @SRodi)🌅 Performance and Scale
⚙️ Operations
quay.io/cilium/charts/cilium(cilium/cilium#43624, @aanm)🏠 Community
To keep up to date with all the latest Cilium releases, join #release 🎉
🎂❤️❤️❤️🎂
This is a very special release for Cilium, as it celebrates 10 years since the first commit. We couldn’t be more proud of what this project has accomplished. All the GitHub issues, pull requests, reviews, stars, forks, Docker pulls, Helm installs, Kubernetes applies, CI runs, bug reports, design docs, discussions, meetings, Slack messages, YouTube streams, eCHO episodes, conference talks, blog posts, demos, and presentations have made the project the success it is today.
🎂❤️❤️❤️🎂
Docker Manifests
cilium
quay.io/cilium/cilium:v1.19.0@​sha256:be9f8571c2e114b3e12e41f785f2356ade703b2eac936aa878805565f0468c60clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.19.0@​sha256:0e3b89fdb116eb0f5579fe8ee3fabb1a7c4d97987a1ae927491d9185785d4a49docker-plugin
quay.io/cilium/docker-plugin:v1.19.0@​sha256:35727047384f3d7a2684885003b266bf7a7add8fc66ca564b222f71c16057f50hubble-relay
quay.io/cilium/hubble-relay:v1.19.0@​sha256:7f17e5bb51a9f35bbc8e7a9ad5e347f03ff8003c2e5cc81171e8727a10bf03b4operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.19.0@​sha256:5cb3d6981c233616037f3e13b5bc0020d114ad8db1b7360618b224e4c0b02ef0operator-aws
quay.io/cilium/operator-aws:v1.19.0@​sha256:7a236ae256a4fbd3f72d516921131eba5b43f401ba37cdee5cd0e8c26f9263e6operator-azure
quay.io/cilium/operator-azure:v1.19.0@​sha256:6ae7e0d75c74836af3600b775201c89ea7fcc13d6e08fdb0c52927309f31cd2aoperator-generic
quay.io/cilium/operator-generic:v1.19.0@​sha256:5b04006015e5800307dc6314676edc4c0bb7ac2fc7848be2b94b43bb030ab648operator
quay.io/cilium/operator:v1.19.0@​sha256:deca84f442752dca0745dd09b13e8004569414839019ad79ac58f9fcaa3b9d65v1.18.8: 1.18.8Compare Source
Known issues
Summary of Changes
Minor Changes:
Bugfixes:
ip get -l reserved:host(Backport PR #44519, Upstream PR #44443, @aanm)CI Changes:
Misc Changes:
d1e2e92(v1.18) (#44476, @cilium-renovate[bot])e3f9456(v1.18) (#44797, @cilium-renovate[bot])f512d81(v1.18) (#44575, @cilium-renovate[bot])0f775a3(v1.18) (#44576, @cilium-renovate[bot])15301c2(v1.18) (#44675, @cilium-renovate[bot])Other Changes:
Docker Manifests
cilium
quay.io/cilium/cilium:v1.18.8@​sha256:070a63cc414869cf6c53202cb50929a87adb7d5b25de0f2f40ab39eb6434b706clustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.18.8@​sha256:5cb08daad7397f52ce5c36fcbfe83c56494f340d9b8f10f8bc7a3f2a812c33d5docker-plugin
quay.io/cilium/docker-plugin:v1.18.8@​sha256:8e1c89bc4ef3bbc55a10edc96a9f2915af45181e46ff189c00f3d8fb7825a0b7hubble-relay
quay.io/cilium/hubble-relay:v1.18.8@​sha256:dcf324aa35ab59c8fe6d002e3df6a63fff18280da464d09e4a97d58c085bb015operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.18.8@​sha256:36c1702c8afd0b0221e3d88ca08537100caef509de6a6bb7244d5fa4643a7252operator-aws
quay.io/cilium/operator-aws:v1.18.8@​sha256:7ab154b269eae378456d63cc9085d96c4f472e11a1496ca4c62af68ff4b31da3operator-azure
quay.io/cilium/operator-azure:v1.18.8@​sha256:a4027d349e817bda9168af1e27231be491a3026c748128a79026e366321f6332operator-generic
quay.io/cilium/operator-generic:v1.18.8@​sha256:f9d1715932751b1454d0f59b492497cb1636dea6335beab0f9026fa8b5a6f62foperator
quay.io/cilium/operator:v1.18.8@​sha256:cc3f7bdf9e443b807d3cb9b0bd30eddac5591c3f4b1e6fa053bfaa8697a7ee58v1.18.7: 1.18.7Compare Source
Summary of Changes
Minor Changes:
hubble.relay.logOptions.formatandhubble.relay.logOptions.levelHelm values to configure log format (text, text-ts, json, json-ts) and level (debug, info, warn, error) (Backport PR #44004, Upstream PR #43644, @puwun)Bugfixes:
operator.enabled=falseby aligning cilium-tlsinterception-secrets Role/RoleBinding conditionals (Backport PR #44281, Upstream PR #44159, @puwun)CI Changes:
Misc Changes:
b3255e7(v1.18) (#44249, @cilium-renovate[bot])e226d63(v1.18) (#43979, @cilium-renovate[bot])cd1dba6(v1.18) (#43980, @cilium-renovate[bot])f9f84bd(v1.18) (#44250, @cilium-renovate[bot])Other Changes:
Docker Manifests
cilium
quay.io/cilium/cilium:v1.18.7@​sha256:99b029a0a7c2224dac8c1cc3b6b3ba52af00e2ff981d927e84260ee781e9753cclustermesh-apiserver
quay.io/cilium/clustermesh-apiserver:v1.18.7@​sha256:3d4512153afc5d8ceda3517f9b243619b55a67f9abaebcc92c4be2df94d43cfadocker-plugin
quay.io/cilium/docker-plugin:v1.18.7@​sha256:e9f15016c7247dffeb2a9216cccc2ab6d36345a2504d34e319c6e9a7873bf3e9hubble-relay
quay.io/cilium/hubble-relay:v1.18.7@​sha256:9bb9b2b1a4f4bef12a77738756cfbf970daa701e536e42f0a9c64a621bc7c9d5operator-alibabacloud
quay.io/cilium/operator-alibabacloud:v1.18.7@​sha256:ca3f0dd26a4b447524dce51ee8ef82485a08187b840c21ce4a1398c02b5174a0operator-aws
quay.io/cilium/operator-aws:v1.18.7@​sha256:fe56a6289afea7f6420f8de0218710ccaaa7af891df5fc180ddd33e6c7509b45operator-azure
quay.io/cilium/operator-azure:v1.18.7@​sha256:5fb753344c84ab0989d525f789738c874f3fa8f07fbb5cfce06034d027c9728foperator-generic
`quay.io/cilium/operator-generic:v1.18.7@sha256:244306c5e7c6b73
Configuration
📅 Schedule: Branch creation - "every weekend" in timezone Europe/Lisbon, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.