From 9929c37464fafb9d8048b5dc5a11e791f341d9b4 Mon Sep 17 00:00:00 2001
From: Timtor Chen
Date: Tue, 31 Dec 2024 19:16:46 +0800
Subject: [PATCH] chore: cilium 1.16 upgrade
---
 kubernetes/kube-system/cilium/netpol.yaml | 13 ++++++++++++-
 kubernetes/kube-system/cilium/release.yaml | 11 +++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/kubernetes/kube-system/cilium/netpol.yaml b/kubernetes/kube-system/cilium/netpol.yaml
index 5015621f..f0e67096 100644
--- a/kubernetes/kube-system/cilium/netpol.yaml
+++ b/kubernetes/kube-system/cilium/netpol.yaml
@@ -22,9 +22,20 @@ specs:
 - ports:
 - protocol: TCP
 port: "6443"
- # allow connection to ciliums
+ # allow connection to peer service (cilium-agents)
 - endpointSelector: *self
 egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - protocol: ANY
+ port: "53"
+ rules:
+ dns:
+ - matchName: "hubble-peer.kube-system.svc.cluster.local."
 - toEntities: ["host", "remote-node"]
 toPorts:
 - ports:
diff --git a/kubernetes/kube-system/cilium/release.yaml b/kubernetes/kube-system/cilium/release.yaml
index 5a2e4e92..37dcb08c 100644
--- a/kubernetes/kube-system/cilium/release.yaml
+++ b/kubernetes/kube-system/cilium/release.yaml
@@ -12,13 +12,13 @@ spec:
 kind: HelmRepository
 name: cilium
 chart: cilium
- version: 1.14.0-snapshot.4
+ version: 1.16.5
 interval: 1h
 maxHistory: 1
 values:
 ipam:
 mode: kubernetes
- kubeProxyReplacement: strict
+ kubeProxyReplacement: true
 securityContext:
 capabilities:
 ciliumAgent:
@@ -37,6 +37,11 @@ spec:
 - NET_ADMIN
 - SYS_ADMIN
 - SYS_RESOURCE
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
 cgroup:
 autoMount:
 enabled: false
@@ -49,3 +54,5 @@ spec:
 enabled: true
 ui:
 enabled: true
+ envoy:
+ enabled: false
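Review bot: The new DNS rule under `egress` permits only the exact name `hubble-peer.kube-system.svc.cluster.local.`, so any other query from the selected pods is expected to be rejected by Cilium's DNS proxy. That includes the search-domain expansions a resolver tries first when the client is configured with the name without its trailing dot. It is worth confirming that the client uses the fully-qualified form, and recording the intent next to the rule, e.g. `# DNS: only the hubble-peer service name may be resolved, via kube-dns`. The reworded comment above the stanza describes the connection to the agents, while the first rule beneath it is now about name resolution. The selector behind `*self` is defined outside the hunk and the `toEntities` rule continues past its end, so which pods and ports are covered cannot be checked from here.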
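Review bot: The `version` line moves from `1.14.0-snapshot.4` straight to `1.16.5`, skipping the 1.15 series, and nothing in the visible values pins upgrade behaviour. Cilium's upgrade guide recommends going one minor release at a time with a pre-flight check. If the cluster really is still on 1.14, either step through 1.15 or add `upgradeCompatibility: "1.14"` under `values` for the first roll, so policy enforcement and datapath defaults do not change under running workloads. On the second changed line, the chart documents `kubeProxyReplacement` as a string option as far as I know, so `kubeProxyReplacement: "true"` avoids depending on boolean coercion. The `securityContext` block continues beyond the hunk.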
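Review bot: `envoy.enabled: false` has no comment explaining why the standalone Envoy DaemonSet is turned off. As far as I know the 1.16 chart enables that DaemonSet by default for new installs, so the L7 proxy runs outside the agent with its own lifecycle and a narrower set of privileges. Disabling it keeps the proxy embedded in the cilium-agent pod. If this is only meant to preserve the pre-upgrade topology, say so in the file, e.g. `# keep Envoy embedded in the agent for the upgrade; revisit the standalone DaemonSet afterwards`. The agent's capability list sits in an earlier part of the file, so the privilege difference cannot be confirmed from this hunk alone.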