From b391c10adb9df1bcc287bb655d7683c8df3f31bd Mon Sep 17 00:00:00 2001 From: Nat Allan <19149206+Truxnell@users.noreply.github.com> Date: Sat, 9 Mar 2024 18:16:33 +1100 Subject: [PATCH] fix: ns --- .../hegira/apps/cert-manager/namespace.yaml | 4 + .../hegira/apps/databases/namespace.yaml | 4 + .../hegira/apps/downloads/namespace.yaml | 4 +- .../hegira/apps/flux-system/namespace.yaml | 2 + kubernetes/hegira/apps/games/namespace.yaml | 2 + .../apps/home-automation/namespace.yaml | 2 + .../hegira/apps/kube-system/namespace.yaml | 2 + kubernetes/hegira/apps/media/namespace.yaml | 2 + .../hegira/apps/monitoring/namespace.yaml | 2 + .../hegira/apps/networking/namespace.yaml | 2 + .../hegira/apps/organizarrs/namespace.yaml | 4 +- .../hegira/apps/rook-ceph/namespace.yaml | 2 + kubernetes/hegira/apps/scripts/namespace.yaml | 2 + .../hegira/apps/security/namespace.yaml | 2 + .../hegira/apps/services/namespace.yaml | 4 +- .../apps/system-controllers/namespace.yaml | 2 + kubernetes/hegira/apps/volsync/namespace.yaml | 2 + kubernetes/hegira/apps/vpn/namespace.yaml | 2 + kubernetes/hegira/bootstrap/cilium.yaml | 809 ------------------ .../hegira/bootstrap/talos/apps/helmfile.yaml | 30 - .../bootstrap/talos/cni/kustomization.yaml | 16 + .../hegira/bootstrap/talos/cni/values.yaml | 27 + .../kubelet-csr-approver/kustomization.yaml | 16 + .../talos/kubelet-csr-approver/values.yaml | 2 + 24 files changed, 104 insertions(+), 842 deletions(-) delete mode 100644 kubernetes/hegira/bootstrap/cilium.yaml delete mode 100644 kubernetes/hegira/bootstrap/talos/apps/helmfile.yaml create mode 100644 kubernetes/hegira/bootstrap/talos/cni/kustomization.yaml create mode 100644 kubernetes/hegira/bootstrap/talos/cni/values.yaml create mode 100644 kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/kustomization.yaml create mode 100644 kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/values.yaml 
diff --git a/kubernetes/hegira/apps/cert-manager/namespace.yaml b/kubernetes/hegira/apps/cert-manager/namespace.yaml
index b170310e00..e075fa1f43 100644
--- a/kubernetes/hegira/apps/cert-manager/namespace.yaml
+++ b/kubernetes/hegira/apps/cert-manager/namespace.yaml
@@ -4,6 +4,10 @@ kind: Namespace
 metadata:
 name: cert-manager
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/databases/namespace.yaml b/kubernetes/hegira/apps/databases/namespace.yaml
index 01de12d5e9..2351acb0fb 100644
--- a/kubernetes/hegira/apps/databases/namespace.yaml
+++ b/kubernetes/hegira/apps/databases/namespace.yaml
@@ -6,4 +6,8 @@ metadata:
 annotations:
 volsync.backube/privileged-movers: "true"
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/hegira/apps/downloads/namespace.yaml b/kubernetes/hegira/apps/downloads/namespace.yaml
index 669c848f85..4288abed6c 100644
--- a/kubernetes/hegira/apps/downloads/namespace.yaml
+++ b/kubernetes/hegira/apps/downloads/namespace.yaml
@@ -4,7 +4,9 @@ kind: Namespace
 metadata:
 name: downloads
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
- routed-gateway: 'true'
+ routed-gateway: "true"
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/flux-system/namespace.yaml b/kubernetes/hegira/apps/flux-system/namespace.yaml
index 7902d3b818..b07bafc520 100644
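Review bot: `pod-security.kubernetes.io/enforce` and `pod-security.kubernetes.io/enforce-version` are each added twice under `labels` in this cert-manager hunk, and the databases hunk carries the same double pair; duplicate mapping keys are invalid YAML and, depending on the loader kustomize and Flux use, either fail the build or silently keep the last copy, so one pair should be removed from each file. The same two labels are added to every namespace in this commit with the value `privileged`, which is the least restrictive Pod Security Admission level and effectively switches PSA enforcement off cluster-wide rather than only where hostPath or privileged pods are actually needed. For namespaces that carry no such workload, `pod-security.kubernetes.io/enforce: baseline` is the safer default, and pairing the enforce label with `pod-security.kubernetes.io/warn: restricted` (or `pod-security.kubernetes.io/audit: restricted`) surfaces violations in API warnings and audit logs without blocking anything. If the intent is a deliberate per-namespace exception, a one-line comment above the labels naming the workload that requires `privileged` would make later tightening much easier.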
--- a/kubernetes/hegira/apps/flux-system/namespace.yaml
+++ b/kubernetes/hegira/apps/flux-system/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: flux-system
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/games/namespace.yaml b/kubernetes/hegira/apps/games/namespace.yaml
index 60e6207d76..bcca44ccf3 100644
--- a/kubernetes/hegira/apps/games/namespace.yaml
+++ b/kubernetes/hegira/apps/games/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: games
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/home-automation/namespace.yaml b/kubernetes/hegira/apps/home-automation/namespace.yaml
index 8226b083a9..2b16353dd7 100644
--- a/kubernetes/hegira/apps/home-automation/namespace.yaml
+++ b/kubernetes/hegira/apps/home-automation/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: home-automation
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/kube-system/namespace.yaml b/kubernetes/hegira/apps/kube-system/namespace.yaml
index 85754ba0e4..3494bfb04a 100644
--- a/kubernetes/hegira/apps/kube-system/namespace.yaml
+++ b/kubernetes/hegira/apps/kube-system/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: kube-system
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/media/namespace.yaml b/kubernetes/hegira/apps/media/namespace.yaml
index 0afbffce16..df832c4a7f 100644
--- a/kubernetes/hegira/apps/media/namespace.yaml
+++ b/kubernetes/hegira/apps/media/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: media
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/monitoring/namespace.yaml b/kubernetes/hegira/apps/monitoring/namespace.yaml
index c4215d7a43..9153ad1655 100644
--- a/kubernetes/hegira/apps/monitoring/namespace.yaml
+++ b/kubernetes/hegira/apps/monitoring/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: monitoring
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/networking/namespace.yaml b/kubernetes/hegira/apps/networking/namespace.yaml
index 219f0a98d8..645173cf84 100644
--- a/kubernetes/hegira/apps/networking/namespace.yaml
+++ b/kubernetes/hegira/apps/networking/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: networking
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/organizarrs/namespace.yaml b/kubernetes/hegira/apps/organizarrs/namespace.yaml
index b0635e22aa..3561be687f 100644
--- a/kubernetes/hegira/apps/organizarrs/namespace.yaml
+++ b/kubernetes/hegira/apps/organizarrs/namespace.yaml
@@ -4,7 +4,9 @@ kind: Namespace
 metadata:
 name: organizarrs
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
- routed-gateway: 'true'
+ routed-gateway: "true"
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/rook-ceph/namespace.yaml b/kubernetes/hegira/apps/rook-ceph/namespace.yaml
index e62cdfe0db..9abd3e5b4d 100644
--- a/kubernetes/hegira/apps/rook-ceph/namespace.yaml
+++ b/kubernetes/hegira/apps/rook-ceph/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: rook-ceph
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/scripts/namespace.yaml b/kubernetes/hegira/apps/scripts/namespace.yaml
index f985449c28..e55ccd7d3f 100644
--- a/kubernetes/hegira/apps/scripts/namespace.yaml
+++ b/kubernetes/hegira/apps/scripts/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: scripts
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/security/namespace.yaml b/kubernetes/hegira/apps/security/namespace.yaml
index 04c990ae02..243342659c 100644
--- a/kubernetes/hegira/apps/security/namespace.yaml
+++ b/kubernetes/hegira/apps/security/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: security
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/services/namespace.yaml b/kubernetes/hegira/apps/services/namespace.yaml
index a977df4aa3..023a01858a 100644
--- a/kubernetes/hegira/apps/services/namespace.yaml
+++ b/kubernetes/hegira/apps/services/namespace.yaml
@@ -4,7 +4,9 @@ kind: Namespace
 metadata:
 name: services
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
- routed-gateway: 'true'
+ routed-gateway: "true"
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/system-controllers/namespace.yaml b/kubernetes/hegira/apps/system-controllers/namespace.yaml
index ee3a50e682..af2aa1960c 100644
--- a/kubernetes/hegira/apps/system-controllers/namespace.yaml
+++ b/kubernetes/hegira/apps/system-controllers/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: system-controllers
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 k8tz.io/controller-namespace: "true"
 annotations:
diff --git a/kubernetes/hegira/apps/volsync/namespace.yaml b/kubernetes/hegira/apps/volsync/namespace.yaml
index 005f445913..6171007551 100644
--- a/kubernetes/hegira/apps/volsync/namespace.yaml
+++ b/kubernetes/hegira/apps/volsync/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: volsync
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/apps/vpn/namespace.yaml b/kubernetes/hegira/apps/vpn/namespace.yaml
index 4b5eea699d..ffaa0b605e 100644
--- a/kubernetes/hegira/apps/vpn/namespace.yaml
+++ b/kubernetes/hegira/apps/vpn/namespace.yaml
@@ -4,6 +4,8 @@ kind: Namespace
 metadata:
 name: vpn
 labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: latest
 kustomize.toolkit.fluxcd.io/prune: disabled
 annotations:
 volsync.backube/privileged-movers: "true"
diff --git a/kubernetes/hegira/bootstrap/cilium.yaml b/kubernetes/hegira/bootstrap/cilium.yaml
deleted file mode 100644
index 0392ea8a34..0000000000
--- a/kubernetes/hegira/bootstrap/cilium.yaml
+++ /dev/null
@@ -1,809 +0,0 @@ ---- -# Source: cilium/templates/cilium-agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "cilium" - namespace: kube-system - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm ---- -# Source: cilium/templates/cilium-operator/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "cilium-operator" - namespace: kube-system - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm ---- -# Source: cilium/templates/cilium-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: cilium-config - namespace: kube-system - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -data: - # Identity allocation mode selects how identities are shared between cilium - # nodes by setting how they are stored. The options are "crd" or "kvstore". - # - "crd" stores identities in kubernetes as CRDs (custom resource definition). - # These can be queried with: - # kubectl get ciliumid - # - "kvstore" stores identities in an etcd kvstore, that is - # configured below. Cilium versions before 1.6 supported only the kvstore - # backend. Upgrades from these older cilium versions should continue using - # the kvstore by commenting out the identity-allocation-mode below, or - # setting it to "kvstore". - identity-allocation-mode: crd - cilium-endpoint-gc-interval: "5m0s" - # Disable the usage of CiliumEndpoint CRD - disable-endpoint-crd: "false" - - # If you want to run cilium in debug mode change this value to true - debug: "false" - # The agent can be put into the following three policy enforcement modes - # default, always and never. 
- # https://docs.cilium.io/en/latest/policy/intro/#policy-enforcement-modes - enable-policy: "default" - - # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4 - # address. - enable-ipv4: "true" - - # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6 - # address. - enable-ipv6: "false" - # Users who wish to specify their own custom CNI configuration file must set - # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration. - custom-cni-conf: "false" - enable-bpf-clock-probe: "true" - # If you want cilium monitor to aggregate tracing for packets, set this level - # to "low", "medium", or "maximum". The higher the level, the less packets - # that will be seen in monitor output. - monitor-aggregation: medium - - # The monitor aggregation interval governs the typical time between monitor - # notification events for each allowed connection. - # - # Only effective when monitor aggregation is set to "medium" or higher. - monitor-aggregation-interval: 5s - - # The monitor aggregation flags determine which TCP flags which, upon the - # first observation, cause monitor notifications to be generated. - # - # Only effective when monitor aggregation is set to "medium" or higher. - monitor-aggregation-flags: all - # Specifies the ratio (0.0-1.0) of total system memory to use for dynamic - # sizing of the TCP CT, non-TCP CT, NAT and policy BPF maps. - bpf-map-dynamic-size-ratio: "0.0025" - # bpf-policy-map-max specifies the maximum number of entries in endpoint - # policy map (per endpoint) - bpf-policy-map-max: "16384" - # bpf-lb-map-max specifies the maximum number of entries in bpf lb service, - # backend and affinity maps. - bpf-lb-map-max: "65536" - # bpf-lb-bypass-fib-lookup instructs Cilium to enable the FIB lookup bypass - # optimization for nodeport reverse NAT handling. 
- bpf-lb-external-clusterip: "false" - - # Pre-allocation of map entries allows per-packet latency to be reduced, at - # the expense of up-front memory allocation for the entries in the maps. The - # default value below will minimize memory usage in the default installation; - # users who are sensitive to latency may consider setting this to "true". - # - # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore - # this option and behave as though it is set to "true". - # - # If this value is modified, then during the next Cilium startup the restore - # of existing endpoints and tracking of ongoing connections may be disrupted. - # As a result, reply packets may be dropped and the load-balancing decisions - # for established connections may change. - # - # If this option is set to "false" during an upgrade from 1.3 or earlier to - # 1.4 or later, then it may cause one-time disruptions during the upgrade. - preallocate-bpf-maps: "false" - - # Regular expression matching compatible Istio sidecar istio-proxy - # container image names - sidecar-istio-proxy-image: "cilium/istio_proxy" - - # Name of the cluster. Only relevant when building a mesh of clusters. - cluster-name: default - # Unique ID of the cluster. Must be unique across all conneted clusters and - # in the range of 1 and 255. Only relevant when building a mesh of clusters. 
- cluster-id: "" - - # Encapsulation mode for communication between nodes - # Possible values: - # - disabled - # - vxlan (default) - # - geneve - tunnel: vxlan - # Enables L7 proxy for L7 policy enforcement and visibility - enable-l7-proxy: "true" - - enable-ipv4-masquerade: "true" - enable-ipv6-masquerade: "true" - - enable-xt-socket-fallback: "true" - install-iptables-rules: "true" - install-no-conntrack-iptables-rules: "false" - - auto-direct-node-routes: "false" - enable-bandwidth-manager: "false" - enable-local-redirect-policy: "false" - - kube-proxy-replacement: "strict" - kube-proxy-replacement-healthz-bind-address: "" - enable-health-check-nodeport: "true" - node-port-bind-protection: "true" - enable-auto-protect-node-port-range: "true" - enable-session-affinity: "true" - enable-l2-neigh-discovery: "true" - enable-endpoint-health-checking: "true" - enable-health-checking: "true" - enable-well-known-identities: "false" - enable-remote-node-identity: "true" - operator-api-serve-addr: "127.0.0.1:9234" - ipam: "kubernetes" - disable-cnp-status-updates: "true" - cgroup-root: "/run/cilium/cgroupv2" - enable-k8s-terminating-endpoint: "true" ---- -# Source: cilium/templates/cilium-agent/clusterrole.yaml - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cilium - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - services - - nodes - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - - pods/finalizers - verbs: - - get - - list - - watch - - update - - delete - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - 
watch - - update - - apiGroups: - - "" - resources: - - nodes - - nodes/status - verbs: - - patch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - # Deprecated for removal in v1.10 - - create - - list - - watch - - update - - # This is used when validating policies in preflight. This will need to stay - # until we figure out how to avoid "get" inside the preflight, and then - # should be removed ideally. - - get - - apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumnetworkpolicies/status - - ciliumnetworkpolicies/finalizers - - ciliumclusterwidenetworkpolicies - - ciliumclusterwidenetworkpolicies/status - - ciliumclusterwidenetworkpolicies/finalizers - - ciliumendpoints - - ciliumendpoints/status - - ciliumendpoints/finalizers - - ciliumnodes - - ciliumnodes/status - - ciliumnodes/finalizers - - ciliumidentities - - ciliumidentities/finalizers - - ciliumlocalredirectpolicies - - ciliumlocalredirectpolicies/status - - ciliumlocalredirectpolicies/finalizers - - ciliumegressnatpolicies - - ciliumendpointslices - verbs: - - "*" ---- -# Source: cilium/templates/cilium-operator/clusterrole.yaml - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cilium-operator - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - # to automatically delete [core|kube]dns pods so that are starting to being - # managed by Cilium - - pods - verbs: - - get - - list - - watch - - delete - - apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - # to perform LB IP allocation for BGP - - services/status - verbs: - - update - - apiGroups: - - "" - resources: - # to perform the translation of a CNP that 
contains `ToGroup` to its endpoints - - services - - endpoints - # to check apiserver connectivity - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumnetworkpolicies/status - - ciliumnetworkpolicies/finalizers - - ciliumclusterwidenetworkpolicies - - ciliumclusterwidenetworkpolicies/status - - ciliumclusterwidenetworkpolicies/finalizers - - ciliumendpoints - - ciliumendpoints/status - - ciliumendpoints/finalizers - - ciliumnodes - - ciliumnodes/status - - ciliumnodes/finalizers - - ciliumidentities - - ciliumendpointslices - - ciliumidentities/status - - ciliumidentities/finalizers - - ciliumlocalredirectpolicies - - ciliumlocalredirectpolicies/status - - ciliumlocalredirectpolicies/finalizers - verbs: - - "*" - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - get - - list - - update - - watch - # For cilium-operator running in HA mode. - # - # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election - # between multiple running instances. - # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less - # common and fewer objects in the cluster watch "all Leases". 
- - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update ---- -# Source: cilium/templates/cilium-agent/clusterrolebinding.yaml - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cilium - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium -subjects: - - kind: ServiceAccount - name: "cilium" - namespace: kube-system ---- -# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cilium-operator - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium-operator -subjects: - - kind: ServiceAccount - name: "cilium-operator" - namespace: kube-system ---- -# Source: cilium/templates/cilium-agent/daemonset.yaml - -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: cilium - namespace: kube-system - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - k8s-app: cilium - app.kubernetes.io/managed-by: Helm -spec: - selector: - matchLabels: - k8s-app: cilium - updateStrategy: - rollingUpdate: - maxUnavailable: 2 - type: RollingUpdate - template: - metadata: - annotations: - # This annotation plus the CriticalAddonsOnly toleration makes - # cilium to be a critical pod in the cluster, which ensures cilium - # gets priority scheduling. 
- # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ - scheduler.alpha.kubernetes.io/critical-pod: "" - labels: - k8s-app: cilium - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/os - operator: In - values: - - linux - - matchExpressions: - - key: beta.kubernetes.io/os - operator: In - values: - - linux - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: k8s-app - operator: In - values: - - cilium - topologyKey: kubernetes.io/hostname - containers: - - name: cilium-agent - image: "quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a" - imagePullPolicy: IfNotPresent - command: - - cilium-agent - args: - - --config-dir=/tmp/cilium/config-map - startupProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9876 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - failureThreshold: 105 - periodSeconds: 2 - successThreshold: 1 - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9876 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 10 - timeoutSeconds: 5 - readinessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9876 - scheme: HTTP - httpHeaders: - - name: "brief" - value: "true" - periodSeconds: 30 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_CLUSTERMESH_CONFIG - value: /var/lib/cilium/clustermesh/ - - name: CILIUM_CNI_CHAINING_MODE - valueFrom: - configMapKeyRef: - name: cilium-config - key: cni-chaining-mode - optional: true - - name: 
CILIUM_CUSTOM_CNI_CONF - valueFrom: - configMapKeyRef: - name: cilium-config - key: custom-cni-conf - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "10.8.20.30" - - name: KUBERNETES_SERVICE_PORT - value: "6443" - lifecycle: - postStart: - exec: - command: - - "/cni-install.sh" - - "--enable-debug=false" - - "--cni-exclusive=true" - preStop: - exec: - command: - - /cni-uninstall.sh - securityContext: - privileged: true - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - mountPropagation: Bidirectional - - name: cilium-run - mountPath: /var/run/cilium - - name: cni-path - mountPath: /host/opt/cni/bin - - name: etc-cni-netd - mountPath: /host/etc/cni/net.d - - name: clustermesh-secrets - mountPath: /var/lib/cilium/clustermesh - readOnly: true - - name: cilium-config-path - mountPath: /tmp/cilium/config-map - readOnly: true - # Needed to be able to load kernel modules - - name: lib-modules - mountPath: /lib/modules - readOnly: true - - name: xtables-lock - mountPath: /run/xtables.lock - hostNetwork: true - initContainers: - # Required to mount cgroup2 filesystem on the underlying Kubernetes node. - # We use nsenter command with host's cgroup and mount namespaces enabled. - - name: mount-cgroup - image: "quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a" - imagePullPolicy: IfNotPresent - env: - - name: CGROUP_ROOT - value: /run/cilium/cgroupv2 - - name: BIN_PATH - value: /opt/cni/bin - command: - - sh - - -ec - # The statically linked Go program binary is invoked to avoid any - # dependency on utilities like sh and mount that can be missing on certain - # distros installed on the underlying host. Copy the binary to the - # same directory where we install cilium cni plugin so that exec permissions - # are available. 
- - | - cp /usr/bin/cilium-mount /hostbin/cilium-mount; - nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; - rm /hostbin/cilium-mount - volumeMounts: - - name: hostproc - mountPath: /hostproc - - name: cni-path - mountPath: /hostbin - securityContext: - privileged: true - - name: clean-cilium-state - image: "quay.io/cilium/cilium:v1.14.6@sha256:37a49f1abb333279a9b802ee8a21c61cde9dd9138b5ac55f77bdfca733ba852a" - imagePullPolicy: IfNotPresent - command: - - /init-container.sh - env: - - name: CILIUM_ALL_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-state - optional: true - - name: CILIUM_BPF_STATE - valueFrom: - configMapKeyRef: - name: cilium-config - key: clean-cilium-bpf-state - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "10.8.20.30" - - name: KUBERNETES_SERVICE_PORT - value: "6443" - securityContext: - privileged: true - volumeMounts: - - name: bpf-maps - mountPath: /sys/fs/bpf - # Required to mount cgroup filesystem from the host to cilium agent pod - - name: cilium-cgroup - mountPath: /run/cilium/cgroupv2 - mountPropagation: HostToContainer - - name: cilium-run - mountPath: /var/run/cilium - resources: - requests: - cpu: 20m - memory: 100Mi - restartPolicy: Always - priorityClassName: system-node-critical - serviceAccount: "cilium" - serviceAccountName: "cilium" - terminationGracePeriodSeconds: 1 - tolerations: - - operator: Exists - volumes: - # To keep state between restarts / upgrades - - name: cilium-run - hostPath: - path: /var/run/cilium - type: DirectoryOrCreate - # To keep state between restarts / upgrades for bpf maps - - name: bpf-maps - hostPath: - path: /sys/fs/bpf - type: DirectoryOrCreate - # To mount cgroup2 filesystem on the host - - name: hostproc - hostPath: - path: /proc - type: Directory - # To keep state between restarts / upgrades for cgroup2 filesystem - - name: cilium-cgroup - hostPath: - path: /run/cilium/cgroupv2 - type: 
DirectoryOrCreate - # To install cilium cni plugin in the host - - name: cni-path - hostPath: - path: /opt/cni/bin - type: DirectoryOrCreate - # To install cilium cni configuration in the host - - name: etc-cni-netd - hostPath: - path: /etc/cni/net.d - type: DirectoryOrCreate - # To be able to load kernel modules - - name: lib-modules - hostPath: - path: /lib/modules - # To access iptables concurrently with other processes (e.g. kube-proxy) - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - # To read the clustermesh configuration - - name: clustermesh-secrets - secret: - secretName: cilium-clustermesh - # note: the leading zero means this number is in octal representation: do not remove it - defaultMode: 0400 - optional: true - # To read the configuration from the config map - - name: cilium-config-path - configMap: - name: cilium-config ---- -# Source: cilium/templates/cilium-operator/deployment.yaml - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cilium-operator - namespace: kube-system - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - io.cilium/app: operator - name: cilium-operator -spec: - # See docs on ServerCapabilities.LeasesResourceLock in file pkg/k8s/version/version.go - # for more details. - replicas: 2 - selector: - matchLabels: - io.cilium/app: operator - name: cilium-operator - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - annotations: - labels: - io.cilium/app: operator - name: cilium-operator - spec: - # In HA mode, cilium-operator pods must not be scheduled on the same - # node as they will clash with each other. 
- affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: io.cilium/app - operator: In - values: - - operator - topologyKey: kubernetes.io/hostname - containers: - - name: cilium-operator - image: quay.io/cilium/operator-generic:v1.14.6@sha256:2f0bf8fb8362c7379f3bf95036b90ad5b67378ed05cd8eb0410c1afc13423848 - imagePullPolicy: IfNotPresent - command: - - cilium-operator-generic - args: - - --config-dir=/tmp/cilium/config-map - - --debug=$(CILIUM_DEBUG) - env: - - name: K8S_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: CILIUM_K8S_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CILIUM_DEBUG - valueFrom: - configMapKeyRef: - key: debug - name: cilium-config - optional: true - - name: KUBERNETES_SERVICE_HOST - value: "10.8.20.30" - - name: KUBERNETES_SERVICE_PORT - value: "6443" - livenessProbe: - httpGet: - host: "127.0.0.1" - path: /healthz - port: 9234 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 3 - volumeMounts: - - name: cilium-config-path - mountPath: /tmp/cilium/config-map - readOnly: true - hostNetwork: true - restartPolicy: Always - priorityClassName: system-cluster-critical - serviceAccount: "cilium-operator" - serviceAccountName: "cilium-operator" - tolerations: - - operator: Exists - volumes: - # To read the configuration from the config map - - name: cilium-config-path - configMap: - name: cilium-config diff --git a/kubernetes/hegira/bootstrap/talos/apps/helmfile.yaml b/kubernetes/hegira/bootstrap/talos/apps/helmfile.yaml deleted file mode 100644 index 4b3ff231a4..0000000000 --- a/kubernetes/hegira/bootstrap/talos/apps/helmfile.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/helmfile.json
-repositories:
- - name: coredns
- url: https://coredns.github.io/helm
- - name: cilium
- url: https://helm.cilium.io
- - name: postfinance
- url: https://postfinance.github.io/kubelet-csr-approver
-
-releases:
- - name: cilium
- namespace: kube-system
- chart: cilium/cilium
- version: 1.15.1
- values: ["../../../apps/kube-system/cilium/app/helm-values.yaml"]
- wait: true
- - name: coredns
- namespace: kube-system
- chart: coredns/coredns
- version: 1.29.0
- values: ["../../../apps/kube-system/coredns/app/helm-values.yaml"]
- wait: true
- - name: kubelet-csr-approver
- namespace: kube-system
- chart: postfinance/kubelet-csr-approver
- version: 1.0.7
- values:
- ["../../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"]
- wait: true
diff --git a/kubernetes/hegira/bootstrap/talos/cni/kustomization.yaml b/kubernetes/hegira/bootstrap/talos/cni/kustomization.yaml
new file mode 100644
index 0000000000..7ca73e0184
--- /dev/null
+++ b/kubernetes/hegira/bootstrap/talos/cni/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+ - name: cilium
+ repo: https://helm.cilium.io
+ version: 1.15.1
+ releaseName: cilium
+ namespace: kube-system
+ valuesFile: values.yaml
+commonAnnotations:
+ meta.helm.sh/release-name: cilium
+ meta.helm.sh/release-namespace: kube-system
+commonLabels:
+ app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/hegira/bootstrap/talos/cni/values.yaml b/kubernetes/hegira/bootstrap/talos/cni/values.yaml
new file mode 100644
index 0000000000..73f5d28e71
--- /dev/null
+++ b/kubernetes/hegira/bootstrap/talos/cni/values.yaml
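Review bot: `helmCharts` fetches `cilium` at `version: 1.15.1` from `https://helm.cilium.io` with nothing to verify what arrives — kustomize's helmCharts field performs no chart signature or digest check, so the bootstrap CNI (the most privileged workload on the node, judging by the capability list in the accompanying values.yaml) is trusted on the strength of that host's TLS alone. A comment stating that, and the mitigation you rely on, belongs above `helmCharts:`, e.g. `# NOTE: kustomize does not verify chart provenance; pin image digests in values.yaml and/or vendor the chart tarball for bootstrap`. The `commonLabels` entry at the end is also written into the rendered DaemonSet/Deployment `spec.selector.matchLabels`, which are immutable, so a later Helm adoption (the intent the `meta.helm.sh/*` annotations suggest) that renders without that selector key will be rejected; prefer the selector-free form `labels: [{pairs: {app.kubernetes.io/managed-by: Helm}, includeSelectors: false}]`.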
@@ -0,0 +1,27 @@
+---
+ipam:
+ mode: kubernetes
+kubeProxyReplacement: disabled
+securityContext:
+ capabilities:
+ ciliumAgent:
+ [
+ CHOWN,
+ KILL,
+ NET_ADMIN,
+ NET_RAW,
+ IPC_LOCK,
+ SYS_ADMIN,
+ SYS_RESOURCE,
+ DAC_OVERRIDE,
+ FOWNER,
+ SETGID,
+ SETUID,
+ ]
+ cleanCiliumState: [NET_ADMIN, SYS_ADMIN, SYS_RESOURCE]
+cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+k8sServiceHost: "127.0.0.1"
+k8sServicePort: 7445
diff --git a/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/kustomization.yaml b/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/kustomization.yaml
new file mode 100644
index 0000000000..89dd6cdcbe
--- /dev/null
+++ b/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmCharts:
+ - name: kubelet-csr-approver
+ repo: https://postfinance.github.io/kubelet-csr-approver
+ version: 1.0.7
+ releaseName: kubelet-csr-approver
+ namespace: kube-system
+ valuesFile: values.yaml
+commonAnnotations:
+ meta.helm.sh/release-name: kubelet-csr-approver
+ meta.helm.sh/release-namespace: kube-system
+commonLabels:
+ app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/values.yaml b/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/values.yaml
new file mode 100644
index 0000000000..14b124832a
--- /dev/null
+++ b/kubernetes/hegira/bootstrap/talos/kubelet-csr-approver/values.yaml
@@ -0,0 +1,2 @@
+---
+providerRegex: ^(xerxes|shodan|icarus)$
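Review bot: The values file drops the image pinning that the removed rendered manifest had — the deleted operator Deployment earlier on this page referenced `quay.io/cilium/operator-generic:v1.14.6@sha256:…`, while nothing in these 27 lines pins a digest, so the deployed agent and operator images are whatever `version: 1.15.1` of the chart resolves at render time. If the chart's defaults for that version do not already carry digests (they may; check with `helm show values`), set `image.digest` / `operator.image.digest` with `useDigest: true` so the bootstrap CNI is reproducible and not tag-mutable. The last two lines also deserve a why-comment, since `127.0.0.1:7445` replaces the hard-coded `10.8.20.30:6443` of the old manifest: `# node-local API-server endpoint (presumably Talos KubePrism) so the agent does not depend on the control-plane address being routable before the CNI is up — confirm against the machine config`.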
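Review bot: `commonLabels` at the end of the kubelet-csr-approver kustomization is applied to the rendered Deployment's `spec.selector.matchLabels` as well as its metadata, and the selector is immutable; when the Helm release named in `meta.helm.sh/release-name` later adopts this Deployment and renders it without that selector key, the upgrade is rejected. Use the selector-free form instead: `labels: [{pairs: {app.kubernetes.io/managed-by: Helm}, includeSelectors: false}]`. The purpose of the annotation/label pair is not obvious from the file; a one-line comment above `commonAnnotations:`, `# Helm ownership metadata so the post-bootstrap Helm release can adopt these objects`, would spare the next reader the archaeology.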
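Review bot: `providerRegex` on the last line is the only constraint handed to the approver, so auto-approval of kubelet serving-certificate CSRs rests on the node name alone plus whatever the chart's 1.0.7 defaults do (DNS resolution of the node name against the CSR's IP SANs, if I recall the defaults correctly — verify). The anchored `^(…)$` form is right, but add `providerIpPrefixes:` with the node subnet alongside it so that a CSR carrying a matching name but a foreign IP is still denied, which matters particularly if `bypassDnsResolution: true` is ever set for Talos nodes whose names are not in DNS. A comment on the regex line would also help: `# Node names whose kubelet serving-cert CSRs may be auto-approved; must match the Talos hostnames exactly and be extended when nodes are added`.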
