From a8ebde2a9f31978c5c259ce95f0de90d927dd545 Mon Sep 17 00:00:00 2001
From: anthr76
Date: Mon, 25 Jan 2021 16:18:47 -0500
Subject: [PATCH] Template out some variable values and disable BPF by default
Signed-off-by: anthr76
---
 ansible/roles/cni/defaults/main.yml | 5 ++++-
 ansible/roles/cni/templates/values.yaml.j2 | 22 +++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/cni/defaults/main.yml b/ansible/roles/cni/defaults/main.yml
index 87b5a3ac..e26c0563 100644
--- a/ansible/roles/cni/defaults/main.yml
+++ b/ansible/roles/cni/defaults/main.yml
@@ -6,9 +6,12 @@ cni_cilium_image_repository: docker.io/cilium/cilium-dev
 cni_cilium_helm_version: 1.9.3
 cni_cilium_image_version: v1.9.3
 cni_cilium_enovy_proxy_image_version: v1.17.0
+cni_cilium_bpf_hostrouting: "false"
+cni_cilium_bpf_tproxy: "false"
+cni_cilium_bpf_masquerade: "false"
+cni_cilium_endpoint_routes: "fase"
 k8s_service_host: '{{ cluster_control_plane_endpoint | regex_search("[a-z0-9\-._~%]+") }}'
 k8s_service_port: '{{ cluster_control_plane_endpoint | regex_search("(?<=:)(?P[0-9]+)$") }}'
 kube_router_image: docker.io/cloudnativelabs/kube-router
 cluster_pod_subnet: 10.0.0.0/8
-cni_cilium_endpoint_routes: "false"
 k8s_native_cluster_cidr: "{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ipaddr('network/prefix') }}"
diff --git a/ansible/roles/cni/templates/values.yaml.j2 b/ansible/roles/cni/templates/values.yaml.j2
index 1eb67cec..e34e9be5 100644
--- a/ansible/roles/cni/templates/values.yaml.j2
+++ b/ansible/roles/cni/templates/values.yaml.j2
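Review bot: `cni_cilium_endpoint_routes: "fase"` is a typo for `"false"`, and it is not a harmless one: the value is rendered verbatim into the chart values, and where the chart tests a value with a Go-template `if`, a non-empty string such as `fase` is truthy, so endpoint routes would most likely end up enabled — the opposite of the intent. The line that this hunk removes had the correct value, so the moved line should read `cni_cilium_endpoint_routes: "false"`. Nothing validates these four flags at render time, so a short comment above them stating that they are rendered unquoted into values.yaml.j2 and must hold exactly `true` or `false` would document the contract for anyone overriding them.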
@@ -8,13 +8,17 @@ autoDirectNodeRoutes: true
 bpf:
   # -- Enable native IP masquerade support in eBPF
-  masquerade: true
+  masquerade: {{ cni_cilium_bpf_masquerade }}
   # -- Configure whether direct routing mode should route traffic via
   # host stack (true) or directly and more efficiently out of BPF (false) if
   # the kernel supports it. The latter has the implication that it will also
   # bypass netfilter in the host namespace.
-  hostRouting: false
+  hostRouting: {{ cni_cilium_bpf_hostrouting }}
+
+  # -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
+  # for implementing Layer 7 policy.
+  tproxy: {{ cni_cilium_bpf_tproxy }}
 # externalIPs is the configuration for ExternalIPs service handling
 externalIPs:
@@ -76,7 +80,11 @@ ipam:
   clusterPoolIPv4MaskSize: 24
 # kubeProxyReplacement enables kube-proxy replacement in Cilium BPF datapath
-kubeProxyReplacement: strict
+{% if cluster_kube_proxy == "disabled" %}
+kubeProxyReplacement: "strct"
+{% elif cluster_kube_proxy == "enabled" %}
+kubeProxyReplacement: "probe"
+{% endif %}
 # kubeProxyReplacement healthz server bind address
 # To enable set the value to '0.0.0.0:10256' for all ipv4
@@ -96,7 +104,7 @@ prometheus:
 operator:
   image:
     repository: docker.io/cilium/operator-dev
-    tag: v1.9.1
+    tag: "{{ cni_cilium_image_version }}"
   # Enables metrics for cilium-operator.
   prometheus:
     enabled: true
@@ -116,7 +124,11 @@ nativeRoutingCIDR: {{ k8s_native_cluster_cidr }}
 # - disabled
 # - vxlan (default)
 # - geneve
+{% if cluster_kube_proxy == "disabled" %}
 tunnel: "disabled"
+{% elif cluster_kube_proxy == "enabled" %}
+tunnel: "vxlan"
+{% endif %}
 # loadBalancer is the general configuration for service load balancing
 loadBalancer:
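Review bot: The three new bpf values (`masquerade`, `hostRouting`, `tproxy`) are rendered unquoted and verbatim, so anything other than a plain `true`/`false` in the variable — an empty string (renders as null), a Python boolean (`False`), or a mistyped string like the `"fase"` in the defaults hunk — reaches the chart as something other than the boolean it expects, and a non-empty string is truthy in a Go-template `if`. Normalising at the template is a one-token change per line, e.g. `masquerade: {{ cni_cilium_bpf_masquerade | bool | lower }}`, and likewise for `hostRouting` and `tproxy`, which renders exactly `true` or `false` for both string and boolean inputs. The operator `tag:` line in the third hunk of this file quotes its expression while these three do not; either convention is fine for values rendered by Ansible, but it should be one convention across the template.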
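Review bot: `kubeProxyReplacement: "strct"` in the second hunk is a typo; Cilium accepts `disabled`, `probe`, `partial` and `strict`, so for `cluster_kube_proxy == "disabled"` the agent is handed an invalid mode and will not start, leaving nodes with neither kube-proxy nor its BPF replacement. The line should read `kubeProxyReplacement: "strict"`. The `if`/`elif` chain also has no `else`, so any other `cluster_kube_proxy` value silently drops the key and the chart default applies, which here would mean kube-proxy replacement disabled on a cluster that may not be running kube-proxy; the `tunnel` block in the fourth hunk has the same shape. Add an `{% else %}` branch that selects a known-safe mode, or an `assert` task on `cluster_kube_proxy` before the template is rendered, so an unexpected value fails loudly instead of changing the datapath.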
@@ -125,7 +137,7 @@ loadBalancer:
   algorithm: maglev
   # mode is the operation mode of load balancing for remote backends
   # e.g. snat, dsr, hybrid
-  mode: dsr
+  mode: snat
 # disableEnvoyVersionCheck removes the check for Envoy, which can be useful on
 # AArch64 as the images do not currently ship a version of Envoy.
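Review bot: The change from `dsr` to `snat` is not explained by the commit message or the hunk; it appears to follow from the `tunnel` block now possibly rendering `vxlan`, which DSR does not support, but that reasoning should live next to the value, e.g. `# snat: DSR requires native routing, which the vxlan tunnel branch above rules out`. Operators should also know that SNAT for remote backends replaces the client source address with the node address as seen by the backend pod, so any network policy, audit logging or rate limiting that keys on the original client IP behaves differently after this change.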