feat(helm): update cilium ( 1.17.6 → 1.18.0 ) #4828
Open: mchesterbot wants to merge 1 commit into main from renovate/cilium-1.x
--- kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
+++ kubernetes/apps/kube-system/cilium/app Kustomization: kube-system/cilium HelmRelease: kube-system/cilium
@@ -18,13 +18,13 @@
chart: cilium
interval: 15m
sourceRef:
kind: HelmRepository
name: cilium
namespace: flux-system
- version: 1.17.6
+ version: 1.18.0
install:
remediation:
retries: -1
interval: 30m
maxHistory: 2
uninstall: |
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-dashboard
@@ -7,13 +7,13 @@
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
grafana_dashboard: '1'
data:
- cilium-dashboard.json: |
+ cilium-dashboard.json: |-
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
@@ -49,12 +49,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -143,13 +144,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -179,12 +180,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 35,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -286,13 +288,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -327,13 +329,12 @@
],
"title": "CPU Usage per node",
"type": "timeseries"
},
{
"collapsed": false,
- "datasource": null,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 5
},
@@ -356,12 +357,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 35,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -508,13 +510,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -564,12 +566,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -643,13 +646,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -701,12 +704,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -780,13 +784,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -848,12 +852,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -927,13 +932,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -991,12 +996,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -1055,13 +1061,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -1073,13 +1079,12 @@
],
"title": "BPF map pressure",
"type": "timeseries"
},
{
"collapsed": false,
- "datasource": null,
"gridPos": {
"h": 1,
"w": 24,
"x": 0,
"y": 17
},
@@ -1102,12 +1107,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -1208,13 +1214,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -1242,12 +1248,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -1348,13 +1355,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
@@ -1382,12 +1389,13 @@
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
+ "barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 10,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
@@ -1488,13 +1496,13 @@
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
- "pluginVersion": "10.4.3",
+ "pluginVersion": "11.3.1",
"targets": [
{
"datasource": {
"type": "prometheus",
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -9,12 +9,13 @@
identity-heartbeat-timeout: 30m0s
identity-gc-interval: 15m0s
cilium-endpoint-gc-interval: 5m0s
nodes-gc-interval: 5m0s
debug: 'false'
debug-verbose: ''
+ metrics-sampling-interval: 5m
enable-policy: default
policy-cidr-match-mode: ''
prometheus-serve-addr: :9962
controller-group-metrics: write-cni-file sync-host-ips sync-lb-maps-with-k8s-services
proxy-prometheus-port: '9964'
operator-prometheus-serve-addr: :9963
@@ -28,12 +29,13 @@
enable-bpf-clock-probe: 'true'
monitor-aggregation: medium
monitor-aggregation-interval: 5s
monitor-aggregation-flags: all
bpf-map-dynamic-size-ratio: '0.0025'
bpf-policy-map-max: '16384'
+ bpf-policy-stats-map-max: '65536'
bpf-lb-map-max: '65536'
bpf-lb-external-clusterip: 'false'
bpf-lb-source-range-all-types: 'false'
bpf-lb-algorithm-annotation: 'false'
bpf-lb-mode-annotation: 'false'
bpf-distributed-lru: 'false'
@@ -61,31 +63,29 @@
install-no-conntrack-iptables-rules: 'false'
iptables-random-fully: 'false'
auto-direct-node-routes: 'true'
direct-routing-skip-unreachable: 'false'
enable-bandwidth-manager: 'true'
enable-bbr: 'true'
+ enable-bbr-hostns-only: 'false'
enable-local-redirect-policy: 'true'
ipv4-native-routing-cidr: 10.244.0.0/16
devices: bond+
- enable-runtime-device-detection: 'true'
kube-proxy-replacement: 'true'
kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
bpf-lb-sock: 'false'
nodeport-addresses: ''
enable-health-check-nodeport: 'true'
enable-health-check-loadbalancer-ip: 'false'
node-port-bind-protection: 'true'
enable-auto-protect-node-port-range: 'true'
bpf-lb-mode: dsr
bpf-lb-algorithm: maglev
bpf-lb-acceleration: disabled
- enable-experimental-lb: 'false'
enable-svc-source-range-check: 'true'
- enable-l2-neigh-discovery: 'true'
- arping-refresh-period: 30s
+ enable-l2-neigh-discovery: 'false'
k8s-require-ipv4-pod-cidr: 'false'
k8s-require-ipv6-pod-cidr: 'false'
enable-endpoint-routes: 'true'
enable-k8s-networkpolicy: 'true'
enable-endpoint-lockdown-on-policy-overflow: 'false'
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
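Review bot: `enable-l2-neigh-discovery` flips from 'true' to 'false' and `arping-refresh-period` disappears in this hunk even though the PR only changes the chart version, so this is a chart default change rather than a choice made for this cluster. The context lines show `bpf-lb-mode: dsr`, `auto-direct-node-routes: 'true'` and `kube-proxy-replacement: 'true'`; confirm that neighbor resolution on those paths does not depend on the agent's own discovery, and if it does, set the value explicitly in the HelmRelease values so the rendered ConfigMap keeps 'true'. The same check applies to the removed `enable-runtime-device-detection` key next to `devices: bond+`.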
@@ -101,14 +101,13 @@
enable-hubble: 'true'
hubble-socket-path: /var/run/cilium/hubble.sock
hubble-metrics-server: :9965
hubble-metrics-server-enable-tls: 'false'
enable-hubble-open-metrics: 'false'
hubble-metrics: dns:query drop tcp flow port-distribution icmp http
- hubble-export-file-max-size-mb: '10'
- hubble-export-file-max-backups: '5'
+ hubble-network-policy-correlation-enabled: 'true'
hubble-listen-address: :4244
hubble-disable-tls: 'false'
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
ipam: kubernetes
@@ -120,16 +119,18 @@
vtep-cidr: ''
vtep-mask: ''
vtep-mac: ''
enable-bgp-control-plane: 'true'
bgp-secrets-namespace: kube-system
enable-bgp-control-plane-status-report: 'true'
+ bgp-router-id-allocation-mode: default
+ bgp-router-id-allocation-ip-pool: ''
procfs: /host/proc
bpf-root: /sys/fs/bpf
cgroup-root: /sys/fs/cgroup
- enable-k8s-terminating-endpoint: 'true'
+ identity-management-mode: agent
enable-sctp: 'false'
remove-cilium-node-taints: 'true'
set-cilium-node-taints: 'true'
set-cilium-is-up-condition: 'true'
unmanaged-pod-watcher-interval: '15'
dnsproxy-enable-transparent-mode: 'true'
@@ -137,12 +138,13 @@
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: 'true'
tofqdns-endpoint-max-ip-per-hostname: '1000'
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: '10000'
tofqdns-proxy-response-max-delay: 100ms
+ tofqdns-preallocate-identities: 'true'
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
mesh-auth-enabled: 'true'
mesh-auth-queue-size: '1024'
mesh-auth-rotated-identities-queue-size: '1024'
mesh-auth-gc-interval: 5m0s
proxy-xff-num-trusted-hops-ingress: '0'
@@ -158,12 +160,13 @@
envoy-base-id: '0'
envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
+ policy-default-local-cluster: 'false'
nat-map-stats-entries: '32'
nat-map-stats-interval: 30s
enable-internal-traffic-policy: 'true'
enable-lb-ipam: 'true'
enable-non-default-deny-policies: 'true'
enable-source-ip-verification: 'true'
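Review bot: the new `policy-default-local-cluster: 'false'` key after the clustermesh settings is a policy-scope option that arrives silently with the chart bump. With `max-connected-clusters: '255'` in context, decide whether network policy selectors in this cluster should be limited to the local cluster, and pin the value in the HelmRelease values either way so that a later change of the chart default cannot alter policy matching without showing up as an intentional edit.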
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-ui-nginx
@@ -2,17 +2,39 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-ui-nginx
namespace: kube-system
data:
- nginx.conf: "server {\n listen 8081;\n listen [::]:8081;\n \
- \ server_name localhost;\n root /app;\n index index.html;\n client_max_body_size\
- \ 1G;\n\n location / {\n proxy_set_header Host $host;\n proxy_set_header\
- \ X-Real-IP $remote_addr;\n\n location /api {\n proxy_http_version\
- \ 1.1;\n proxy_pass_request_headers on;\n proxy_pass http://127.0.0.1:8090;\n\
- \ }\n location / {\n # double `/index.html` is required\
- \ here \n try_files $uri $uri/ /index.html /index.html;\n }\n\
- \n # Liveness probe\n location /healthz {\n access_log\
- \ off;\n add_header Content-Type text/plain;\n return 200\
- \ 'ok';\n }\n }\n}"
+ nginx.conf: |-
+ server {
+ listen 8081;
+ listen [::]:8081;
+ server_name localhost;
+ root /app;
+ index index.html;
+ client_max_body_size 1G;
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ location /api {
+ proxy_http_version 1.1;
+ proxy_pass_request_headers on;
+ proxy_pass http://127.0.0.1:8090;
+ }
+ location / {
+ if ($http_user_agent ~* "kube-probe") { access_log off; }
+ # double `/index.html` is required here
+ try_files $uri $uri/ /index.html /index.html;
+ }
+
+ # Liveness probe
+ location /healthz {
+ access_log off;
+ add_header Content-Type text/plain;
+ return 200 'ok';
+ }
+ }
+ }
+
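Review bot: the added `if ($http_user_agent ~* "kube-probe") { access_log off; }` in the inner `location /` keys log suppression on a client-supplied header, so any request to the UI that carries that string in its User-Agent is left out of the access log, not only kubelet probes. The `/healthz` location further down already has `access_log off;`, so pointing the probe at `/healthz` and dropping the User-Agent condition would keep probe noise out of the log without leaving a gap in the record for the UI paths. If the chart offers no value to change this, raise it upstream and treat the hubble-ui access log as an incomplete record in the meantime.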
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -172,21 +172,21 @@
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
- ciliumendpoints.cilium.io
- ciliumendpointslices.cilium.io
- ciliumenvoyconfigs.cilium.io
- - ciliumexternalworkloads.cilium.io
- ciliumidentities.cilium.io
- ciliumlocalredirectpolicies.cilium.io
- ciliumnetworkpolicies.cilium.io
- ciliumnodes.cilium.io
- ciliumnodeconfigs.cilium.io
- ciliumcidrgroups.cilium.io
- ciliuml2announcementpolicies.cilium.io
- ciliumpodippools.cilium.io
+ - ciliumgatewayclassconfigs.cilium.io
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -16,24 +16,27 @@
rollingUpdate:
maxUnavailable: 2
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: f7259e55e866f878a66cf2778f37fbf98447723b885b0df811c69245ff550b42
+ cilium.io/cilium-configmap-checksum: 3c3eeccba628d336674224a009c60eb2dd47d55ed3d1ff5891c0cb0469624b43
+ kubectl.kubernetes.io/default-container: cilium-agent
labels:
k8s-app: cilium
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
+ seccompProfile:
+ type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
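Review bot: the added pod-level `seccompProfile` with `type: Unconfined` sits next to the existing `appArmorProfile` with `type: Unconfined`, so every container in the agent pod that does not set its own profile, init containers included, runs without syscall filtering. The operator and hubble-relay hunks in this same diff add `RuntimeDefault`, which makes the contrast easy to miss. Check whether the admission policy applied to kube-system accepts an explicit Unconfined profile, and record this as an accepted exception for the DaemonSet rather than letting it pass as part of a version bump.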
@@ -42,13 +45,13 @@
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
- failureThreshold: 105
+ failureThreshold: 300
periodSeconds: 2
successThreshold: 1
initialDelaySeconds: 5
livenessProbe:
httpGet:
host: 127.0.0.1
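Review bot: `failureThreshold: 300` with the unchanged `periodSeconds: 2` stretches the startup window from about 210 seconds to about 600 seconds before the kubelet restarts an agent that never becomes healthy. Make sure alerting on agents that are not Ready fires well inside that window, since a failed startup can now persist for roughly ten minutes before the probe gives up.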
@@ -96,12 +99,16 @@
resource: limits.memory
divisor: '1'
- name: KUBERNETES_SERVICE_HOST
value: 127.0.0.1
- name: KUBERNETES_SERVICE_PORT
value: '7445'
+ - name: KUBE_CLIENT_BACKOFF_BASE
+ value: '1'
+ - name: KUBE_CLIENT_BACKOFF_DURATION
+ value: '120'
lifecycle:
postStart:
exec:
command:
- bash
- -c
@@ -139,16 +146,12 @@
hostPort: 9962
protocol: TCP
- name: envoy-metrics
containerPort: 9964
hostPort: 9964
protocol: TCP
- - name: envoy-admin
- containerPort: 9901
- hostPort: 9901
- protocol: TCP
- name: hubble-metrics
containerPort: 9965
hostPort: 9965
protocol: TCP
securityContext:
seLinuxOptions:
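Review bot: the `envoy-admin` entry (containerPort and hostPort 9901) is removed from the ports list here, so check that no scrape config, firewall rule or runbook still references 9901 on the nodes. After rollout, verify on a node whether anything still listens on that port, because removing the declaration from the pod spec does not by itself show what the process binds.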
@@ -201,13 +204,13 @@
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -226,13 +229,13 @@
value: '7445'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: mount-cgroup
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
env:
- name: CGROUP_ROOT
value: /sys/fs/cgroup
- name: BIN_PATH
value: /opt/cni/bin
@@ -258,13 +261,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -288,13 +291,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: mount-bpf-fs
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
@@ -304,13 +307,13 @@
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -352,13 +355,13 @@
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.17.6@sha256:544de3d4fed7acba72758413812780a4972d47c39035f2a06d6145d8644a3353
+ image: quay.io/cilium/cilium:v1.18.0@sha256:dfea023972d06ec183cfa3c9e7809716f85daaff042e573ef366e9ec6a0c0ab2
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
requests:
cpu: 100m
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -20,22 +20,25 @@
maxSurge: 25%
maxUnavailable: 50%
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/cilium-configmap-checksum: f7259e55e866f878a66cf2778f37fbf98447723b885b0df811c69245ff550b42
+ cilium.io/cilium-configmap-checksum: 3c3eeccba628d336674224a009c60eb2dd47d55ed3d1ff5891c0cb0469624b43
labels:
io.cilium/app: operator
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.17.6@sha256:91ac3bf7be7bed30e90218f219d4f3062a63377689ee7246062fa0cc3839d096
+ image: quay.io/cilium/operator-generic:v1.18.0@sha256:398378b4507b6e9db22be2f4455d8f8e509b189470061b0f813f0fabaf944f51
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
@@ -85,12 +88,17 @@
timeoutSeconds: 3
failureThreshold: 5
volumeMounts:
- name: cilium-config-path
mountPath: /tmp/cilium/config-map
readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
terminationMessagePolicy: FallbackToLogsOnError
hostNetwork: true
restartPolicy: Always
priorityClassName: system-cluster-critical
serviceAccountName: cilium-operator
automountServiceAccountToken: true
@@ -101,12 +109,19 @@
matchLabels:
io.cilium/app: operator
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/os: linux
tolerations:
- - operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ - key: node.kubernetes.io/not-ready
+ operator: Exists
+ - key: node.cilium.io/agent-not-ready
+ operator: Exists
volumes:
- name: cilium-config-path
configMap:
name: cilium-config
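Review bot: replacing the blanket `- operator: Exists` toleration with four keyed tolerations means the operator no longer schedules onto nodes that carry any other taint. List the taints in use on this cluster (dedicated or storage node taints, for example) and confirm that enough eligible nodes remain for the replicas given the `topologyKey: kubernetes.io/hostname` anti-affinity visible in context; if not, restore the needed tolerations through the chart values before merging.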
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
@@ -25,22 +25,27 @@
k8s-app: hubble-relay
app.kubernetes.io/name: hubble-relay
app.kubernetes.io/part-of: cilium
spec:
securityContext:
fsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: hubble-relay
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: quay.io/cilium/hubble-relay:v1.17.6@sha256:7d17ec10b3d37341c18ca56165b2f29a715cb8ee81311fd07088d8bf68c01e60
+ seccompProfile:
+ type: RuntimeDefault
+ image: quay.io/cilium/hubble-relay:v1.18.0@sha256:c13679f22ed250457b7f3581189d97f035608fe13c87b51f57f8a755918e793a
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
@@ -17,13 +17,13 @@
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
- cilium.io/hubble-ui-nginx-configmap-checksum: de069d2597e16e4de004ce684b15d74b2ab6051c717ae073d86199a76d91fcf1
+ cilium.io/hubble-ui-nginx-configmap-checksum: 76283720d1bb70050debf51116121fa9a67ebc9d1cd9167c3dd9bdbfb613df37
labels:
k8s-app: hubble-ui
app.kubernetes.io/name: hubble-ui
app.kubernetes.io/part-of: cilium
spec:
securityContext:
@@ -52,12 +52,14 @@
- name: hubble-ui-nginx-conf
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: tmp-dir
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
+ securityContext:
+ allowPrivilegeEscalation: false
- name: backend
image: quay.io/cilium/hubble-ui-backend:v0.13.2@sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15
imagePullPolicy: IfNotPresent
env:
- name: EVENTS_SERVER_PORT
value: '8090'
@@ -65,12 +67,14 @@
value: hubble-relay:80
ports:
- name: grpc
containerPort: 8090
volumeMounts: null
terminationMessagePolicy: FallbackToLogsOnError
+ securityContext:
+ allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
volumes:
- configMap:
defaultMode: 420
name: hubble-ui-nginx
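Review bot: the container `securityContext` added here for `backend`, and in the previous hunk for the container that mounts `hubble-ui-nginx-conf`, sets only `allowPrivilegeEscalation: false`, whereas the hubble-relay and operator containers in this diff also drop ALL capabilities. Consider adding a capabilities drop for both hubble-ui containers through the chart values so the UI pods match the rest of the release.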
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent
+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/cilium-agent
@@ -16,13 +16,14 @@
endpoints:
- port: metrics
interval: 10s
honorLabels: true
path: /metrics
relabelings:
- - replacement: ${1}
+ - action: replace
+ replacement: ${1}
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: node
targetLabels:
- k8s-app
--- HelmRelease: kube-system/cilium ServiceMonitor: kube-system/hubble
+++ HelmRelease: kube-system/cilium ServiceMonitor: kube-system/hubble
@@ -17,11 +17,12 @@
- port: hubble-metrics
interval: 10s
honorLabels: true
path: /metrics
scheme: http
relabelings:
- - replacement: ${1}
+ - action: replace
+ replacement: ${1}
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: node
This PR contains the following updates:
1.17.6 -> 1.18.0
Release Notes
cilium/cilium (cilium)
v1.18.0: 1.18.0
We are excited to announce the Cilium 1.18.0 release!
A total of 3298 new commits have been contributed to this release by a growing community of over 955 developers and over 22,000 GitHub stars! ⭐
To keep up to date with all the latest Cilium releases, see Announcements
Here's what's new in v1.18.0:
🚠 Networking
🌐 IPv6
🛡️ Policy & Observability
🌅 Performance
⚙️ Operations
🕸️ Service Mesh & Gateway API
🏷️ IP Address Management
🛣️ BGP
🧑💻 Development Experience
🏢 Community
📔 Full CHANGELOG
And finally, we would like to thank all contributors of Cilium that helped directly and indirectly with the project. The success of Cilium could not happen without all of you. ❤️ 🧑🤝🧑 ❤️
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.