variables cilium_enable_host_firewall and cilium_policy_audit_mode for configmap/cilium-config (#11230)
capitalise values for Host Firewall and Policy Audit Mode; fix missing quotes
pull/10939/head
parent
fabf17a10c
commit
0eeac591ad
|
@ -170,14 +170,14 @@ Kubespray currently supports Linux distributions with Wireguard Kernel mode on L
|
||||||
|
|
||||||
## Bandwidth Manager
|
## Bandwidth Manager
|
||||||
|
|
||||||
Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
|
Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
|
||||||
|
|
||||||
Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
|
Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
|
||||||
In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
|
In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
|
||||||
|
|
||||||
Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
|
Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
|
||||||
|
|
||||||
For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/v1.12/gettingstarted/bandwidth-manager/)
|
For further information, make sure to check the official [Cilium documentation](https://docs.cilium.io/en/latest/network/kubernetes/bandwidth-manager/)
|
||||||
|
|
||||||
To use this function, set the following parameters
|
To use this function, set the following parameters
|
||||||
|
|
||||||
|
@ -185,6 +185,26 @@ To use this function, set the following parameters
|
||||||
cilium_enable_bandwidth_manager: true
|
cilium_enable_bandwidth_manager: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Host Firewall
|
||||||
|
|
||||||
|
Host Firewall enforces security policies for Kubernetes nodes. It is disable by default, since it can break the cluster connectivity.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
cilium_enable_host_firewall: true
|
||||||
|
```
|
||||||
|
|
||||||
|
For further information, check [host firewall documentation](https://docs.cilium.io/en/latest/security/host-firewall/)
|
||||||
|
|
||||||
|
## Policy Audit Mode
|
||||||
|
|
||||||
|
When _Policy Audit Mode_ is enabled, no network policy is enforced. This feature helps to validate the impact of host policies before enforcing them.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
cilium_policy_audit_mode: true
|
||||||
|
```
|
||||||
|
|
||||||
|
It is disable by default, and should not be enabled in production.
|
||||||
|
|
||||||
## Install Cilium Hubble
|
## Install Cilium Hubble
|
||||||
|
|
||||||
k8s-net-cilium.yml:
|
k8s-net-cilium.yml:
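Review bot: "It is disable by default" in the Host Firewall paragraph, and again in the closing sentence of the Policy Audit Mode section, should read `It is disabled by default`. The Policy Audit Mode section would also be clearer if it said what the relaxed state means in practice: while the mode is on, policies (including host policies) only produce verdicts and drops are not applied, which is presumably why the section warns against production use. Consider placing that warning before the `cilium_policy_audit_mode: true` snippet rather than after it, so a reader copying the snippet sees it first; the fused `## Bandwidth Manager`/`Cilium documentation` link change in the hunk above is fine.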
|
||||||
|
|
|
@ -145,6 +145,10 @@ cilium_l2announcements: false
|
||||||
### A time interval at which the agent attempts to reload config from disk
|
### A time interval at which the agent attempts to reload config from disk
|
||||||
# cilium_ip_masq_resync_interval: 60s
|
# cilium_ip_masq_resync_interval: 60s
|
||||||
|
|
||||||
|
### Host Firewall and Policy Audit Mode
|
||||||
|
# cilium_enable_host_firewall: false
|
||||||
|
# cilium_policy_audit_mode: false
|
||||||
|
|
||||||
# Hubble
|
# Hubble
|
||||||
### Enable Hubble without install
|
### Enable Hubble without install
|
||||||
# cilium_enable_hubble: false
|
# cilium_enable_hubble: false
|
||||||
|
|
|
@ -322,3 +322,5 @@ cilium_certgen_args:
|
||||||
# resourceNames:
|
# resourceNames:
|
||||||
# - toto
|
# - toto
|
||||||
cilium_clusterrole_rules_operator_extra_vars: []
|
cilium_clusterrole_rules_operator_extra_vars: []
|
||||||
|
cilium_enable_host_firewall: false
|
||||||
|
cilium_policy_audit_mode: false
|
||||||
|
|
|
@ -138,7 +138,7 @@ data:
|
||||||
enable-l2-announcements: "{{ cilium_l2announcements }}"
|
enable-l2-announcements: "{{ cilium_l2announcements }}"
|
||||||
|
|
||||||
# Enable Bandwidth Manager
|
# Enable Bandwidth Manager
|
||||||
# Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
|
# Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
|
||||||
# Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
|
# Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
|
||||||
# In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
|
# In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
|
||||||
# Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
|
# Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
|
||||||
|
@ -146,6 +146,10 @@ data:
|
||||||
enable-bandwidth-manager: "true"
|
enable-bandwidth-manager: "true"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# Host Firewall and Policy Audit Mode
|
||||||
|
enable-host-firewall: "{{ cilium_enable_host_firewall | capitalize }}"
|
||||||
|
policy-audit-mode: "{{ cilium_policy_audit_mode | capitalize }}"
|
||||||
|
|
||||||
# Name of the cluster. Only relevant when building a mesh of clusters.
|
# Name of the cluster. Only relevant when building a mesh of clusters.
|
||||||
cluster-name: "{{ cilium_cluster_name }}"
|
cluster-name: "{{ cilium_cluster_name }}"
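Review bot: The `| capitalize` filter on `enable-host-firewall` and `policy-audit-mode` is inconsistent with how the rest of this template renders booleans (`enable-l2-announcements: "{{ cilium_l2announcements }}"` in the hunk above, `enable-bandwidth-manager: "true"` here) and does not normalise the value: a YAML boolean already renders as `True`/`False`, while a string such as `yes` becomes `Yes`, which Cilium's boolean parsing presumably will not accept. Because `policy-audit-mode` decides whether any network policy is enforced at all, the rendered value should be canonical regardless of how the variable was spelled in the inventory, e.g. `enable-host-firewall: "{{ cilium_enable_host_firewall | bool | lower }}"` and `policy-audit-mode: "{{ cilium_policy_audit_mode | bool | lower }}"`. `| bool` also fails loudly on an unrecognised value instead of passing it through to the ConfigMap.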
|
||||||
|
|
||||||
|
|