184 lines
7.1 KiB
YAML
184 lines
7.1 KiB
YAML
---
|
|
# Log-level
|
|
cilium_debug: false
|
|
|
|
cilium_mtu: ""
|
|
cilium_enable_ipv4: true
|
|
cilium_enable_ipv6: false
|
|
|
|
# Identity allocation mode selects how identities are shared between cilium
|
|
# nodes by setting how they are stored. The options are "crd" or "kvstore".
|
|
# - "crd" stores identities in kubernetes as CRDs (custom resource definition).
|
|
# These can be queried with:
|
|
# `kubectl get ciliumid`
|
|
# - "kvstore" stores identities in an etcd kvstore.
|
|
# - In order to support External Workloads, "crd" is required
|
|
# - Ref: https://docs.cilium.io/en/stable/gettingstarted/external-workloads/#setting-up-support-for-external-workloads-beta
|
|
# - KVStore operations are only required when cilium-operator is running with any of the below options:
|
|
# - --synchronize-k8s-services
|
|
# - --synchronize-k8s-nodes
|
|
# - --identity-allocation-mode=kvstore
|
|
# - Ref: https://docs.cilium.io/en/stable/internals/cilium_operator/#kvstore-operations
|
|
cilium_identity_allocation_mode: kvstore
|
|
|
|
# Etcd SSL dirs
|
|
cilium_cert_dir: /etc/cilium/certs
|
|
kube_etcd_cacert_file: ca.pem
|
|
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
|
|
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
|
|
|
|
# Limits for apps
|
|
cilium_memory_limit: 500M
|
|
cilium_cpu_limit: 500m
|
|
cilium_memory_requests: 64M
|
|
cilium_cpu_requests: 100m
|
|
|
|
# Overlay Network Mode
|
|
cilium_tunnel_mode: vxlan
|
|
# Optional features
|
|
cilium_enable_prometheus: false
|
|
# Enable if you want to make use of hostPort mappings
|
|
cilium_enable_portmap: false
|
|
# Monitor aggregation level (none/low/medium/maximum)
|
|
cilium_monitor_aggregation: medium
|
|
# Kube Proxy Replacement mode (strict/probe/partial)
|
|
cilium_kube_proxy_replacement: probe
|
|
|
|
# If upgrading from Cilium < 1.5, you may want to override some of these options
|
|
# to prevent service disruptions. See also:
|
|
# http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
|
|
cilium_preallocate_bpf_maps: false
|
|
|
|
# `cilium_tofqdns_enable_poller` is deprecated in 1.8, removed in 1.9
|
|
cilium_tofqdns_enable_poller: false
|
|
|
|
# `cilium_enable_legacy_services` is deprecated in 1.6, removed in 1.9
|
|
cilium_enable_legacy_services: false
|
|
|
|
# Deploy cilium even if kube_network_plugin is not cilium.
|
|
# This enables to deploy cilium alongside another CNI to replace kube-proxy.
|
|
cilium_deploy_additionally: false
|
|
|
|
# Auto direct nodes routes can be used to advertise pods routes in your cluster
|
|
# without any tunelling (with `cilium_tunnel_mode` sets to `disabled`).
|
|
# This works only if you have a L2 connectivity between all your nodes.
|
|
# You wil also have to specify the variable `cilium_native_routing_cidr` to
|
|
# make this work. Please refer to the cilium documentation for more
|
|
# information about this kind of setups.
|
|
cilium_auto_direct_node_routes: false
|
|
|
|
# Allows to explicitly specify the IPv4 CIDR for native routing.
|
|
# When specified, Cilium assumes networking for this CIDR is preconfigured and
|
|
# hands traffic destined for that range to the Linux network stack without
|
|
# applying any SNAT.
|
|
# Generally speaking, specifying a native routing CIDR implies that Cilium can
|
|
# depend on the underlying networking stack to route packets to their
|
|
# destination. To offer a concrete example, if Cilium is configured to use
|
|
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
|
|
# the user must configure the routes to reach pods, either manually or by
|
|
# setting the auto-direct-node-routes flag.
|
|
cilium_native_routing_cidr: ""
|
|
|
|
# Allows to explicitly specify the IPv6 CIDR for native routing.
|
|
cilium_native_routing_cidr_ipv6: ""
|
|
|
|
# Enable transparent network encryption.
|
|
cilium_encryption_enabled: false
|
|
|
|
# Encryption method. Can be either ipsec or wireguard.
|
|
# Only effective when `cilium_encryption_enabled` is set to true.
|
|
cilium_encryption_type: "ipsec"
|
|
|
|
# Enable encryption for pure node to node traffic.
|
|
# This option is only effective when `cilium_encryption_type` is set to `ipsec`.
|
|
cilium_ipsec_node_encryption: "false"
|
|
|
|
# If your kernel or distribution does not support WireGuard, Cilium agent can be configured to fall back on the user-space implementation.
|
|
# When this flag is enabled and Cilium detects that the kernel has no native support for WireGuard,
|
|
# it will fallback on the wireguard-go user-space implementation of WireGuard.
|
|
# This option is only effective when `cilium_encryption_type` is set to `wireguard`.
|
|
cilium_wireguard_userspace_fallback: "false"
|
|
|
|
# IP Masquerade Agent
|
|
# https://docs.cilium.io/en/stable/concepts/networking/masquerading/
|
|
# By default, all packets from a pod destined to an IP address outside of the cilium_native_routing_cidr range are masqueraded
|
|
cilium_ip_masq_agent_enable: false
|
|
### A packet sent from a pod to a destination which belongs to any CIDR from the nonMasqueradeCIDRs is not going to be masqueraded
|
|
cilium_non_masquerade_cidrs:
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
- 100.64.0.0/10
|
|
- 192.0.0.0/24
|
|
- 192.0.2.0/24
|
|
- 192.88.99.0/24
|
|
- 198.18.0.0/15
|
|
- 198.51.100.0/24
|
|
- 203.0.113.0/24
|
|
- 240.0.0.0/4
|
|
### Indicates whether to masquerade traffic to the link local prefix.
|
|
### If the masqLinkLocal is not set or set to false, then 169.254.0.0/16 is appended to the non-masquerade CIDRs list.
|
|
cilium_masq_link_local: false
|
|
### A time interval at which the agent attempts to reload config from disk
|
|
cilium_ip_masq_resync_interval: 60s
|
|
|
|
# Hubble
|
|
### Enable Hubble without install
|
|
cilium_enable_hubble: false
|
|
### Enable Hubble Metrics
|
|
cilium_enable_hubble_metrics: false
|
|
### if cilium_enable_hubble_metrics: true
|
|
cilium_hubble_metrics: {}
|
|
# - dns
|
|
# - drop
|
|
# - tcp
|
|
# - flow
|
|
# - icmp
|
|
# - http
|
|
### Enable Hubble install
|
|
cilium_hubble_install: false
|
|
### Enable auto generate certs if cilium_hubble_install: true
|
|
cilium_hubble_tls_generate: false
|
|
|
|
# IP address management mode for v1.9+.
|
|
# https://docs.cilium.io/en/v1.9/concepts/networking/ipam/
|
|
cilium_ipam_mode: kubernetes
|
|
|
|
# Extra arguments for the Cilium agent
|
|
cilium_agent_custom_args: []
|
|
|
|
# For adding and mounting extra volumes to the cilium agent
|
|
cilium_agent_extra_volumes: []
|
|
cilium_agent_extra_volume_mounts: []
|
|
|
|
cilium_agent_extra_env_vars: []
|
|
|
|
# The address at which the cillium operator bind health check api
|
|
cilium_operator_api_serve_addr: "127.0.0.1:9234"
|
|
|
|
## A dictionary of extra config variables to add to cilium-config, formatted like:
|
|
## cilium_config_extra_vars:
|
|
## var1: "value1"
|
|
## var2: "value2"
|
|
cilium_config_extra_vars: {}
|
|
|
|
# For adding and mounting extra volumes to the cilium operator
|
|
cilium_operator_extra_volumes: []
|
|
cilium_operator_extra_volume_mounts: []
|
|
|
|
# Extra arguments for the Cilium Operator
|
|
cilium_operator_custom_args: []
|
|
|
|
# Name of the cluster. Only relevant when building a mesh of clusters.
|
|
cilium_cluster_name: default
|
|
|
|
# Make Cilium take ownership over the `/etc/cni/net.d` directory on the node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
|
|
# This ensures no Pods can be scheduled using other CNI plugins during Cilium agent downtime.
|
|
# Available for Cilium v1.10 and up.
|
|
cilium_cni_exclusive: "true"
|
|
|
|
# Configure the log file for CNI logging with retention policy of 7 days.
|
|
# Disable CNI file logging by setting this field to empty explicitly.
|
|
# Available for Cilium v1.12 and up.
|
|
cilium_cni_log_file: "/var/run/cilium/cilium-cni.log"
|