variables cilium_enable_host_firewall and cilium_policy_audit_mode for configmap/cilium-config (#11230)

capitalise values for Host Firewall and Policy Audit Mode
fix missing quotes
pull/10939/head
Serge Hartmann 2024-09-30 09:22:02 +02:00 committed by GitHub
parent fabf17a10c
commit 0eeac591ad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 33 additions and 3 deletions

View File

@ -170,14 +170,14 @@ Kubespray currently supports Linux distributions with Wireguard Kernel mode on L
## Bandwidth Manager ## Bandwidth Manager
Ciliums bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies. Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods. In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
Bandwidth Manager requires a v5.1.x or more recent Linux kernel. Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/v1.12/gettingstarted/bandwidth-manager/) For further information, make sure to check the official [Cilium documentation](https://docs.cilium.io/en/latest/network/kubernetes/bandwidth-manager/)
To use this function, set the following parameters To use this function, set the following parameters
@ -185,6 +185,26 @@ To use this function, set the following parameters
cilium_enable_bandwidth_manager: true cilium_enable_bandwidth_manager: true
``` ```
## Host Firewall
Host Firewall enforces security policies for Kubernetes nodes. It is disable by default, since it can break the cluster connectivity.
```yaml
cilium_enable_host_firewall: true
```
For further information, check [host firewall documentation](https://docs.cilium.io/en/latest/security/host-firewall/)
## Policy Audit Mode
When _Policy Audit Mode_ is enabled, no network policy is enforced. This feature helps to validate the impact of host policies before enforcing them.
```yaml
cilium_policy_audit_mode: true
```
It is disable by default, and should not be enabled in production.
## Install Cilium Hubble ## Install Cilium Hubble
k8s-net-cilium.yml: k8s-net-cilium.yml:

View File

@ -145,6 +145,10 @@ cilium_l2announcements: false
### A time interval at which the agent attempts to reload config from disk ### A time interval at which the agent attempts to reload config from disk
# cilium_ip_masq_resync_interval: 60s # cilium_ip_masq_resync_interval: 60s
### Host Firewall and Policy Audit Mode
# cilium_enable_host_firewall: false
# cilium_policy_audit_mode: false
# Hubble # Hubble
### Enable Hubble without install ### Enable Hubble without install
# cilium_enable_hubble: false # cilium_enable_hubble: false

View File

@ -322,3 +322,5 @@ cilium_certgen_args:
# resourceNames: # resourceNames:
# - toto # - toto
cilium_clusterrole_rules_operator_extra_vars: [] cilium_clusterrole_rules_operator_extra_vars: []
cilium_enable_host_firewall: false
cilium_policy_audit_mode: false

View File

@ -138,7 +138,7 @@ data:
enable-l2-announcements: "{{ cilium_l2announcements }}" enable-l2-announcements: "{{ cilium_l2announcements }}"
# Enable Bandwidth Manager # Enable Bandwidth Manager
# Ciliums bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. # Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation.
# Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies. # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies.
# In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods. # In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods.
# Bandwidth Manager requires a v5.1.x or more recent Linux kernel. # Bandwidth Manager requires a v5.1.x or more recent Linux kernel.
@ -146,6 +146,10 @@ data:
enable-bandwidth-manager: "true" enable-bandwidth-manager: "true"
{% endif %} {% endif %}
# Host Firewall and Policy Audit Mode
enable-host-firewall: "{{ cilium_enable_host_firewall | capitalize }}"
policy-audit-mode: "{{ cilium_policy_audit_mode | capitalize }}"
# Name of the cluster. Only relevant when building a mesh of clusters. # Name of the cluster. Only relevant when building a mesh of clusters.
cluster-name: "{{ cilium_cluster_name }}" cluster-name: "{{ cilium_cluster_name }}"