🔧 cilium talos config

2025-09-17 18:24:14 +02:00 · 2023-11-27 10:39:17 +01:00
parent 6042634b7a
commit 7fc839b6ba
2 changed files with 57 additions and 16 deletions
--- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -59,6 +59,7 @@ spec:
        enabled: true
        ingress:
          enabled: true
+          className: nginx
          hosts:
            - &host "cilium.${SECRET_CLUSTER_DOMAIN}"
          tls:
@@ -68,8 +69,8 @@ spec:
    ipam:
      mode: kubernetes
    ipv4NativeRoutingCIDR: ${CILIUM_POD_CIDR}
-    k8sServiceHost: cluster-0.${SECRET_DOMAIN}
-    k8sServicePort: 6443
+    k8sServiceHost: localhost
+    k8sServicePort: 7445
    kubeProxyReplacement: strict
    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
    loadBalancer:
@@ -80,7 +81,27 @@ spec:
      rollOutPods: true
    rollOutCiliumPods: true
    securityContext:
-      privileged: true
+      capabilities:
+        ciliumAgent:
+          - CHOWN
+          - KILL
+          - NET_ADMIN
+          - NET_RAW
+          - IPC_LOCK
+          - SYS_ADMIN
+          - SYS_RESOURCE
+          - DAC_OVERRIDE
+          - FOWNER
+          - SETGID
+          - SETUID
+        cleanCiliumState:
+          - NET_ADMIN
+          - SYS_ADMIN
+          - SYS_RESOURCE
+    cgroup:
+      autoMount:
+        enabled: false
+      hostRoot: /sys/fs/cgroup
    tunnel: disabled
    l7proxy: true
    ingressController:
@@ -90,13 +111,13 @@ spec:
      loadbalancerMode: shared
      service:
        loadBalancerIP: "${CLUSTER_LB_CILIUM}"
-  # postRenderers:
-  #   - kustomize:
-  #       patchesStrategicMerge:
-  #         - kind: Service
-  #           apiVersion: v1
-  #           metadata:
-  #             name: cilium-ingress
-  #             namespace: *ns
-  #           spec:
-  #             externalTrafficPolicy: Local
+  postRenderers:
+    - kustomize:
+        patchesStrategicMerge:
+          - kind: Service
+            apiVersion: v1
+            metadata:
+              name: cilium-ingress
+              namespace: *ns
+            spec:
+              externalTrafficPolicy: Local
--- a/kubernetes/bootstrap/cilium/values.yaml
+++ b/kubernetes/bootstrap/cilium/values.yaml
@@ -13,8 +13,8 @@ hubble:
 ipam:
  mode: kubernetes
 ipv4NativeRoutingCIDR: 10.69.0.0/16
-k8sServiceHost: 192.168.9.100
-k8sServicePort: 6443
+k8sServiceHost: localhost
+k8sServicePort: 7445
 kubeProxyReplacement: strict
 loadBalancer:
  algorithm: maglev
@@ -24,5 +24,25 @@ operator:
  rollOutPods: true
 rollOutCiliumPods: true
 securityContext:
-  privileged: true
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE
+    cgroup:
+      autoMount:
+        enabled: false
+      hostRoot: /sys/fs/cgroup
 tunnel: disabled