Switched to k3os and removed cilium

2021-12-05 10:50:51 +01:00
parent 8113016f86
commit 8de7171cf5
7 changed files with 35 additions and 341 deletions
--- a/manifests/helm/cilium/values.yaml
+++ b/manifests/helm/cilium/values.yaml
@@ -1,117 +0,0 @@
-upgradeCompatibility: '1.10'
-
-debug:
-  # -- Enable debug logging
-  enabled: false
-  # verbose:
-
-# gke:
-  # enabled: true
-
-ipam:
-  # -- Configure IP Address Management mode.
-  # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
-  mode: kubernetes
-
-# -- Configure the encapsulation configuration for communication between nodes.
-# Possible values:
-#   - disabled (native routing works, however I feel that geneve is more stable, but I may be wrong)
-#   - vxlan
-#   - geneve
-tunnel: geneve
-
-# -- Specify the IPv4 CIDR for native routing (ie to avoid IP masquerade for).
-# This value corresponds to the configured cluster-cidr.
-nativeRoutingCIDR: 10.0.0.0/8
-
-# When enabled, causes legacy routing
-# endpointRoutes:
-  # -- Enable use of per endpoint routes instead of routing via
-  # the cilium_host interface.
-  # enabled: false
-
-# -- Enable installation of PodCIDR routes between worker
-# nodes if worker nodes share a common L2 network segment.
-autoDirectNodeRoutes: false
-
-bpf:
-  # -- Allow cluster external access to ClusterIP services.
-  lbExternalClusterIP: false
-
-  # -- Enable native IP masquerade support in eBPF
-  masquerade: true
-
-endpointHealthChecking:
-  # -- Enable connectivity health checking between virtual endpoints.
-  enabled: true
-
-# -- Configure ClusterIP service handling in the host namespace (the node).
-hostServices:
-  # -- Enable host reachable services.
-  enabled: true
-
-  # -- Supported list of protocols to apply ClusterIP translation to.
-  protocols: tcp,udp
-
-externalIPs:
-  # -- Enable ExternalIPs service support.
-  enabled: true
-
-hostPort:
-  # -- Enable hostPort service support.
-  enabled: true
-
-# -- Configure N-S k8s service loadbalancing
-nodePort:
-  # -- Enable the Cilium NodePort service implementation.
-  enabled: true
-
-# -- Enable connectivity health checking.
-healthChecking: true
-
-ipv4:
-  # -- Enable IPv4 support.
-  enabled: true
-
-ipv6:
-  # -- Enable IPv6 support.
-  enabled: false
-
-# -- Configure Kubernetes specific configuration
-k8s:
-  # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
-  # range via the Kubernetes node resource
-  requireIPv4PodCIDR: true
-
-# -- Configure the kube-proxy replacement in Cilium BPF datapath
-# Valid options are "disabled", "probe", "partial", "strict".
-# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
-kubeProxyReplacement: strict
-
-# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
-enableIPv4Masquerade: true
-
-monitor:
-  # -- Enable the cilium-monitor sidecar.
-  enabled: false
-
-# -- Configure service load balancing
-loadBalancer:
-  # -- standalone enables the standalone L4LB which does not connect to
-  # kube-apiserver.
-  # standalone: false
-
-  # -- algorithm is the name of the load balancing algorithm for backend
-  # selection e.g. random or maglev
-  algorithm: maglev
-  
-  # dsr mode did probably caused packet drops, so falling back to snat
-  mode: snat
-
-# -- The agent can be put into one of the three policy enforcement modes:
-# default, always and never.
-# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes
-policyEnforcementMode: never
-
-# -- Enables the enforcement of host policies in the eBPF datapath.
-hostFirewall: false
--- a/manifests/upgrade/kured.yaml
+++ b/manifests/upgrade/kured.yaml
@@ -1,139 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kured
-rules:
-# Allow kured to read spec.unschedulable
-# Allow kubectl to drain/uncordon
-#
-# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
-# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
-#
- apiGroups: [""]
-  resources: ["nodes"]
-  verbs:     ["get", "patch"]
- apiGroups: [""]
-  resources: ["pods"]
-  verbs:     ["list","delete","get"]
- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs:     ["get"]
- apiGroups: [""]
-  resources: ["pods/eviction"]
-  verbs:     ["create"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kured
-subjects:
- kind: ServiceAccount
-  name: kured
-  namespace: kube-system
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: kube-system
-  name: kured
-rules:
-# Allow kured to lock/unlock itself
- apiGroups:     ["apps"]
-  resources:     ["daemonsets"]
-  resourceNames: ["kured"]
-  verbs:         ["update"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: kube-system
-  name: kured
-subjects:
- kind: ServiceAccount
-  namespace: kube-system
-  name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kured
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kured
-  namespace: kube-system
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kured            # Must match `--ds-name`
-  namespace: kube-system # Must match `--ds-namespace`
-spec:
-  selector:
-    matchLabels:
-      name: kured
-  updateStrategy:
-   type: RollingUpdate
-  template:
-    metadata:
-      labels:
-        name: kured
-    spec:
-      serviceAccountName: kured
-      tolerations:
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-      hostPID: true # Facilitate entering the host mount namespace via init
-      restartPolicy: Always
-      containers:
-        - name: kured
-          image: docker.io/weaveworks/kured:1.8.0
-                 # If you find yourself here wondering why there is no
-                 # :latest tag on Docker Hub,see the FAQ in the README
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true # Give permission to nsenter /proc/1/ns/mnt
-          env:
-            # Pass in the name of the node on which this pod is scheduled
-            # for use with drain/uncordon operations and lock acquisition
-            - name: KURED_NODE_ID
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          command:
-            - /usr/bin/kured
-            - --reboot-sentinel-command="/usr/bin/needs-restarting -r"
-#            - --force-reboot=false
-#            - --drain-grace-period=-1
-#            - --skip-wait-for-delete-timeout=0
-#            - --drain-timeout=0
-#            - --period=1h
-#            - --ds-namespace=kube-system
-#            - --ds-name=kured
-#            - --lock-annotation=weave.works/kured-node-lock
-#            - --lock-ttl=0
-#            - --prometheus-url=http://prometheus.monitoring.svc.cluster.local
-#            - --alert-filter-regexp=^RebootRequired$
-#            - --alert-firing-only=false
-#            - --reboot-sentinel=/var/run/reboot-required
-#            - --prefer-no-schedule-taint=""
-#            - --slack-hook-url=https://hooks.slack.com/...
-#            - --slack-username=prod
-#            - --slack-channel=alerting
-#            - --notify-url="" # See also shoutrrr url format
-#            - --message-template-drain=Draining node %s
-#            - --message-template-drain=Rebooting node %s
-#            - --blocking-pod-selector=runtime=long,cost=expensive
-#            - --blocking-pod-selector=name=temperamental
-#            - --blocking-pod-selector=...
-#            - --reboot-days=sun,mon,tue,wed,thu,fri,sat
-#            - --start-time=0:00
-#            - --end-time=23:59:59
-#            - --time-zone=UTC
-#            - --annotate-nodes=false
-#            - --lock-release-delay=30m