Affected by 
Documentation
¶
Index ¶
Constants ¶
View Source
const ( // EndpointGCIntervalDefault is the default time for the CEP GC EndpointGCIntervalDefault = 5 * time.Minute // PrometheusServeAddr is the default server address for operator metrics PrometheusServeAddr = ":9963" // CESMaxCEPsInCESDefault is the maximum number of cilium endpoints allowed in a CES CESMaxCEPsInCESDefault = 100 // CESSlicingModeDefault is default method for grouping CEP in a CES. CESSlicingModeDefault = "cesSliceModeIdentity" // CNPStatusCleanupQPSDefault is the default rate for the CNP NodeStatus updates GC. CNPStatusCleanupQPSDefault = 10 // CNPStatusCleanupBurstDefault is the default maximum burst for the CNP NodeStatus updates GC. CNPStatusCleanupBurstDefault = 20 )
View Source
const ( // BGPAnnounceLBIP announces service IPs of type LoadBalancer via BGP beta (deprecated) BGPAnnounceLBIP = "bgp-announce-lb-ip" // BGPConfigPath is the file path to the BGP configuration. It is // compatible with MetalLB's configuration. BGPConfigPath = "bgp-config-path" // SkipCRDCreation specifies whether the CustomResourceDefinition will be // disabled for the operator SkipCRDCreation = "skip-crd-creation" // CNPNodeStatusGCInterval is the GC interval for nodes which have been // removed from the cluster in CiliumNetworkPolicy and // CiliumClusterwideNetworkPolicy Status. CNPNodeStatusGCInterval = "cnp-node-status-gc-interval" // CNPStatusUpdateInterval is the interval between status updates // being sent to the K8s apiserver for a given CNP. CNPStatusUpdateInterval = "cnp-status-update-interval" // SkipCNPStatusStartupClean specifies if the cleanup of all the CNP // NodeStatus updates at startup must be skipped. SkipCNPStatusStartupClean = "skip-cnp-status-startup-clean" // CNPStatusCleanupQPS is the rate at which the cleanup operation of the status // nodes updates in CNPs is carried out. It is expressed as queries per second, // and for each query a single CNP status update will be deleted. CNPStatusCleanupQPS = "cnp-status-cleanup-qps" // CNPStatusCleanupBurst is the maximum burst of queries allowed for the cleanup // operation of the status nodes updates in CNPs. CNPStatusCleanupBurst = "cnp-status-cleanup-burst" // EnableMetrics enables prometheus metrics. EnableMetrics = "enable-metrics" // EndpointGCInterval is the interval between attempts of the CEP GC // controller. // Note that only one node per cluster should run this, and most iterations // will simply return. EndpointGCInterval = "cilium-endpoint-gc-interval" // IdentityGCInterval is the interval in which allocator identities are // attempted to be expired from the kvstore IdentityGCInterval = "identity-gc-interval" // IdentityGCRateInterval is the interval used for rate limiting the GC of // identities. IdentityGCRateInterval = "identity-gc-rate-interval" // IdentityGCRateLimit is the maximum identities used for rate limiting the // GC of identities. IdentityGCRateLimit = "identity-gc-rate-limit" // IdentityHeartbeatTimeout is the timeout used to GC identities from k8s IdentityHeartbeatTimeout = "identity-heartbeat-timeout" // NodesGCInterval is the duration for which the cilium nodes are GC. NodesGCInterval = "nodes-gc-interval" // OperatorAPIServeAddr IP:Port on which to serve api requests in // operator (pass ":Port" to bind on all interfaces, "" is off) OperatorAPIServeAddr = "operator-api-serve-addr" // OperatorPrometheusServeAddr IP:Port on which to serve prometheus // metrics (pass ":Port" to bind on all interfaces, "" is off). OperatorPrometheusServeAddr = "operator-prometheus-serve-addr" // PProf enabled pprof debugging endpoint PProf = "operator-pprof" // PProfAddress is the port that the pprof listens on PProfAddress = "operator-pprof-address" // PProfPort is the port that the pprof listens on PProfPort = "operator-pprof-port" // SyncK8sServices synchronizes k8s services into the kvstore SyncK8sServices = "synchronize-k8s-services" // SyncK8sNodes synchronizes k8s nodes into the kvstore SyncK8sNodes = "synchronize-k8s-nodes" // UnmanagedPodWatcherInterval is the interval to check for unmanaged kube-dns pods (0 to disable) UnmanagedPodWatcherInterval = "unmanaged-pod-watcher-interval" // IPAMAPIBurst is the burst value allowed when accessing external IPAM APIs IPAMAPIBurst = "limit-ipam-api-burst" // IPAMAPIQPSLimit is the queries per second limit when accessing external IPAM APIs IPAMAPIQPSLimit = "limit-ipam-api-qps" // IPAMSubnetsIDs are optional subnets IDs used to filter subnets and interfaces listing IPAMSubnetsIDs = "subnet-ids-filter" // IPAMSubnetsTags are optional tags used to filter subnets, and interfaces within those subnets IPAMSubnetsTags = "subnet-tags-filter" // IPAMInstanceTagFilter are optional tags used to filter instances for ENI discovery ; only used with AWS IPAM mode for now IPAMInstanceTags = "instance-tags-filter" // ClusterPoolIPv4CIDR is the cluster's IPv4 CIDR to allocate // individual PodCIDR ranges from when using the ClusterPool ipam mode. ClusterPoolIPv4CIDR = "cluster-pool-ipv4-cidr" // ClusterPoolIPv6CIDR is the cluster's IPv6 CIDR to allocate // individual PodCIDR ranges from when using the ClusterPool ipam mode. ClusterPoolIPv6CIDR = "cluster-pool-ipv6-cidr" // NodeCIDRMaskSizeIPv4 is the IPv4 podCIDR mask size that will be used // per node. NodeCIDRMaskSizeIPv4 = "cluster-pool-ipv4-mask-size" // NodeCIDRMaskSizeIPv6 is the IPv6 podCIDR mask size that will be used // per node. NodeCIDRMaskSizeIPv6 = "cluster-pool-ipv6-mask-size" // AWSInstanceLimitMapping allows overwirting AWS instance limits defined in // pkg/aws/eni/limits.go // e.g. {"a1.medium": "2,4,4", "a2.custom2": "4,5,6"} AWSInstanceLimitMapping = "aws-instance-limit-mapping" // AWSReleaseExcessIPs allows releasing excess free IP addresses from ENI. // Enabling this option reduces waste of IP addresses but may increase // the number of API calls to AWS EC2 service. AWSReleaseExcessIPs = "aws-release-excess-ips" // ExcessIPReleaseDelay controls how long operator would wait before an IP previously marked as excess is released. // Defaults to 180 secs ExcessIPReleaseDelay = "excess-ip-release-delay" // AWSEnablePrefixDelegation allows operator to allocate prefixes to ENIs on nitro instances instead of individual // IP addresses. Allows for increased pod density on nodes. AWSEnablePrefixDelegation = "aws-enable-prefix-delegation" // ENITags are the tags that will be added to every ENI created by the // AWS ENI IPAM. ENITags = "eni-tags" // ENIGarbageCollectionTags is a tag that will be added to every ENI // created by the AWS ENI IPAM. // Any stale and unattached ENIs with this tag will be garbage // collected by the operator. ENIGarbageCollectionTags = "eni-gc-tags" // ENIGarbageCollectionInterval defines the interval of ENI GC ENIGarbageCollectionInterval = "eni-gc-interval" // ParallelAllocWorkers specifies the number of parallel workers to be used for IPAM allocation ParallelAllocWorkers = "parallel-alloc-workers" // UpdateEC2AdapterLimitViaAPI configures the operator to use the EC2 // API to fill out the instancetype to adapter limit mapping. UpdateEC2AdapterLimitViaAPI = "update-ec2-adapter-limit-via-api" // EC2APIEndpoint is the custom API endpoint to use for the EC2 AWS service, // e.g. "ec2-fips.us-west-1.amazonaws.com" to use a FIPS endpoint in the us-west-1 region. EC2APIEndpoint = "ec2-api-endpoint" // AWSUsePrimaryAddress specifies whether an interface's primary address should be available for allocations on // node AWSUsePrimaryAddress = "aws-use-primary-address" // AzureSubscriptionID is the subscription ID to use when accessing the Azure API AzureSubscriptionID = "azure-subscription-id" // AzureResourceGroup is the resource group of the nodes used for the cluster AzureResourceGroup = "azure-resource-group" // AzureUserAssignedIdentityID is the id of the user assigned identity used // for retrieving Azure API credentials AzureUserAssignedIdentityID = "azure-user-assigned-identity-id" // AzureUsePrimaryAddress specifies whether we should use or ignore the interface's // primary IPConfiguration AzureUsePrimaryAddress = "azure-use-primary-address" // LeaderElectionLeaseDuration is the duration that non-leader candidates will wait to // force acquire leadership LeaderElectionLeaseDuration = "leader-election-lease-duration" // LeaderElectionRenewDeadline is the duration that the current acting master in HA deployment // will retry refreshing leadership before giving up the lock. LeaderElectionRenewDeadline = "leader-election-renew-deadline" // LeaderElectionRetryPeriod is the duration the LeaderElector clients should wait between // tries of the actions in operator HA deployment. LeaderElectionRetryPeriod = "leader-election-retry-period" // AlibabaCloudVPCID allows user to specific vpc AlibabaCloudVPCID = "alibaba-cloud-vpc-id" // AlibabaCloudReleaseExcessIPs allows releasing excess free IP addresses from ENI. // Enabling this option reduces waste of IP addresses but may increase // the number of API calls to AlibabaCloud ECS service. AlibabaCloudReleaseExcessIPs = "alibaba-cloud-release-excess-ips" // CESMaxCEPsInCES is the maximum number of cilium endpoints allowed in single // a CiliumEndpointSlice resource. CESMaxCEPsInCES = "ces-max-ciliumendpoints-per-ces" // CESSlicingMode instructs how CEPs are grouped in a CES. CESSlicingMode = "ces-slice-mode" // LoadBalancerL7 enables loadbalancer capabilities for services via envoy proxy LoadBalancerL7 = "loadbalancer-l7" // LoadBalancerL7Ports is a list of service ports that will be automatically redirected to backend. LoadBalancerL7Ports = "loadbalancer-l7-ports" // LoadBalancerL7Algorithm is a default LB algorithm for services that do not specify related annotation LoadBalancerL7Algorithm = "loadbalancer-l7-algorithm" // EnableIngressController enables cilium ingress controller // This must be enabled along with enable-envoy-config in cilium agent. EnableIngressController = "enable-ingress-controller" // EnforceIngressHttps enforces https for host having matching TLS host in Ingress. // Incoming traffic to http listener will return 308 http error code with respective location in header. EnforceIngressHttps = "enforce-ingress-https" // EnableIngressSecretsSync enables fan-in TLS secrets from multiple namespaces to singular namespace (specified // by ingress-secrets-namespace flag EnableIngressSecretsSync = "enable-ingress-secrets-sync" // EnableGatewayAPISecretsSync enables fan-in TLS secrets from multiple namespaces to singular namespace (specified // by gateway-api-secrets-namespace flag EnableGatewayAPISecretsSync = "enable-gateway-api-secrets-sync" // IngressSecretsNamespace is the namespace having tls secrets used by Ingress and CEC. IngressSecretsNamespace = "ingress-secrets-namespace" // GatewayAPISecretsNamespace is the namespace having tls secrets used by GatewayAPI and CEC. GatewayAPISecretsNamespace = "gateway-api-secrets-namespace" // EnableGatewayAPI enables support of Gateway API // This must be enabled along with enable-envoy-config in cilium agent. EnableGatewayAPI = "enable-gateway-api" // CiliumK8sNamespace is the namespace where Cilium pods are running. CiliumK8sNamespace = "cilium-pod-namespace" // CiliumPodLabels specifies the pod labels that Cilium pods is running // with. CiliumPodLabels = "cilium-pod-labels" // RemoveCiliumNodeTaints is the flag to define if the Cilium node taint // should be removed in Kubernetes nodes. RemoveCiliumNodeTaints = "remove-cilium-node-taints" // SetCiliumIsUpCondition sets the CiliumIsUp node condition in Kubernetes // nodes. SetCiliumIsUpCondition = "set-cilium-is-up-condition" // IngressLBAnnotationPrefixes are the annotations which are needed to propagate // from Ingress to the Load Balancer IngressLBAnnotationPrefixes = "ingress-lb-annotation-prefixes" IngressSharedLBServiceName = "ingress-shared-lb-service-name" // IngressDefaultLoadbalancerMode is the default loadbalancer mode for Ingress. // Applicable values: dedicated, shared IngressDefaultLoadbalancerMode = "ingress-default-lb-mode" // EnableK8s operation of Kubernet-related services/controllers. // Intended for operating cilium with CNI-compatible orchestrators // other than Kubernetes. (default is true) EnableK8s = "enable-k8s" )
Variables ¶
View Source
var Config = &OperatorConfig{ IPAMSubnetsIDs: make([]string, 0), IPAMSubnetsTags: make(map[string]string), IPAMInstanceTags: make(map[string]string), AWSInstanceLimitMapping: make(map[string]string), ENITags: make(map[string]string), ENIGarbageCollectionTags: make(map[string]string), }
Config represents the operator configuration.
View Source
var IngressLBAnnotationsDefault = []string{"service.beta.kubernetes.io", "service.kubernetes.io", "cloud.google.com"}
Functions ¶
This section is empty.
Types ¶
type OperatorConfig ¶
type OperatorConfig struct {
// CNPNodeStatusGCInterval is the GC interval for nodes which have been
// removed from the cluster in CiliumNetworkPolicy and
// CiliumClusterwideNetworkPolicy Status.
CNPNodeStatusGCInterval time.Duration
// CNPStatusUpdateInterval is the interval between status updates
// being sent to the K8s apiserver for a given CNP.
CNPStatusUpdateInterval time.Duration
// NodesGCInterval is the GC interval for CiliumNodes
NodesGCInterval time.Duration
// SkipCNPStatusStartupClean disables the cleanup of all the CNP
// NodeStatus updates at startup.
SkipCNPStatusStartupClean bool
// CNPStatusCleanupQPS is the rate at which the cleanup operation of the status
// nodes updates in CNPs is carried out. It is expressed as queries per second,
// and for each query a single CNP status update will be deleted.
CNPStatusCleanupQPS float64
// CNPStatusCleanupBurst is the maximum burst of queries allowed for the cleanup
// operation of the status nodes updates in CNPs.
CNPStatusCleanupBurst int
// EnableMetrics enables prometheus metrics.
EnableMetrics bool
// EndpointGCInterval is the interval between attempts of the CEP GC
// controller.
// Note that only one node per cluster should run this, and most iterations
// will simply return.
EndpointGCInterval time.Duration
// IdentityGCInterval is the interval in which allocator identities are
// attempted to be expired from the kvstore
IdentityGCInterval time.Duration
// IdentityGCRateInterval is the interval used for rate limiting the GC of
// identities.
IdentityGCRateInterval time.Duration
// IdentityGCRateLimit is the maximum identities used for rate limiting the
// GC of identities.
IdentityGCRateLimit int64
// IdentityHeartbeatTimeout is the timeout used to GC identities from k8s
IdentityHeartbeatTimeout time.Duration
OperatorAPIServeAddr string
OperatorPrometheusServeAddr string
// PProf enables pprof debugging endpoint
PProf bool
// PProfAddress is the address that the pprof listens on
PProfAddress string
// PProfPort is the port that the pprof listens on
PProfPort int
// SyncK8sServices synchronizes k8s services into the kvstore
SyncK8sServices bool
// SyncK8sNodes synchronizes k8s nodes into the kvstore
SyncK8sNodes bool
// UnmanagedPodWatcherInterval is the interval to check for unmanaged kube-dns pods (0 to disable)
UnmanagedPodWatcherInterval int
// LeaderElectionLeaseDuration is the duration that non-leader candidates will wait to
// force acquire leadership in Cilium Operator HA deployment.
LeaderElectionLeaseDuration time.Duration
// LeaderElectionRenewDeadline is the duration that the current acting master in HA deployment
// will retry refreshing leadership in before giving up the lock.
LeaderElectionRenewDeadline time.Duration
// LeaderElectionRetryPeriod is the duration that LeaderElector clients should wait between
// retries of the actions in operator HA deployment.
LeaderElectionRetryPeriod time.Duration
// BGPAnnounceLBIP announces service IPs of type LoadBalancer via BGP beta (deprecated)
BGPAnnounceLBIP bool
// BGPConfigPath is the file path to the BGP configuration. It is
// compatible with MetalLB's configuration.
BGPConfigPath string
// SkipCRDCreation disables creation of the CustomResourceDefinition
// for the operator
SkipCRDCreation bool
// IPAMAPIBurst is the burst value allowed when accessing external IPAM APIs
IPAMAPIBurst int
// IPAMAPIQPSLimit is the queries per second limit when accessing external IPAM APIs
IPAMAPIQPSLimit float64
// IPAMSubnetsIDs are optional subnets IDs used to filter subnets and interfaces listing
IPAMSubnetsIDs []string
// IPAMSubnetsTags are optional tags used to filter subnets, and interfaces within those subnets
IPAMSubnetsTags map[string]string
// IPAMUInstanceTags are optional tags used to filter AWS EC2 instances, and interfaces (ENI) attached to them
IPAMInstanceTags map[string]string
// ClusterPoolIPv4CIDR is the cluster IPv4 podCIDR that should be used to
// allocate pods in the node.
ClusterPoolIPv4CIDR []string
// ClusterPoolIPv6CIDR is the cluster IPv6 podCIDR that should be used to
// allocate pods in the node.
ClusterPoolIPv6CIDR []string
// NodeCIDRMaskSizeIPv4 is the IPv4 podCIDR mask size that will be used
// per node.
NodeCIDRMaskSizeIPv4 int
// NodeCIDRMaskSizeIPv6 is the IPv6 podCIDR mask size that will be used
// per node.
NodeCIDRMaskSizeIPv6 int
// ENITags are the tags that will be added to every ENI created by the AWS ENI IPAM
ENITags map[string]string
// ENIGarbageCollectionTags is a tag that will be added to every ENI
// created by the AWS ENI IPAM.
// Any stale and unattached ENIs with this tag will be garbage
// collected by the operator.
ENIGarbageCollectionTags map[string]string
// ENIGarbageCollectionInterval defines the interval of ENI GC
ENIGarbageCollectionInterval time.Duration
// ParallelAllocWorkers specifies the number of parallel workers to be used for accessing cloud provider APIs .
ParallelAllocWorkers int64
// AWSInstanceLimitMapping allows overwriting AWS instance limits defined in
// pkg/aws/eni/limits.go
// e.g. {"a1.medium": "2,4,4", "a2.custom2": "4,5,6"}
AWSInstanceLimitMapping map[string]string
// AWSReleaseExcessIps allows releasing excess free IP addresses from ENI.
// Enabling this option reduces waste of IP addresses but may increase
// the number of API calls to AWS EC2 service.
AWSReleaseExcessIPs bool
// AWSEnablePrefixDelegation allows operator to allocate prefixes to ENIs on nitro instances instead of individual
// IP addresses. Allows for increased pod density on nodes.
AWSEnablePrefixDelegation bool
// AWSUsePrimaryAddress specifies whether an interface's primary address should be available for allocations on
// node
AWSUsePrimaryAddress bool
// UpdateEC2AdapterLimitViaAPI configures the operator to use the EC2 API to fill out the
// instancetype to adapter limit mapping.
UpdateEC2AdapterLimitViaAPI bool
// ExcessIPReleaseDelay controls how long operator would wait before an IP previously marked as excess is released.
// Defaults to 180 secs
ExcessIPReleaseDelay int
// EC2APIEndpoint is the custom API endpoint to use for the EC2 AWS service,
// e.g. "ec2-fips.us-west-1.amazonaws.com" to use a FIPS endpoint in the us-west-1 region.
EC2APIEndpoint string
// AzureSubscriptionID is the subscription ID to use when accessing the Azure API
AzureSubscriptionID string
// AzureResourceGroup is the resource group of the nodes used for the cluster
AzureResourceGroup string
// AzureUserAssignedIdentityID is the id of the user assigned identity used
// for retrieving Azure API credentials
AzureUserAssignedIdentityID string
// AzureUsePrimaryAddress specify wether we should use or ignore the interface's
// primary IPConfiguration
AzureUsePrimaryAddress bool
// AlibabaCloudVPCID allow user to specific vpc
AlibabaCloudVPCID string
// AlibabaCloudReleaseExcessIPs allows releasing excess free IP addresses from ENI.
// Enabling this option reduces waste of IP addresses but may increase
// the number of API calls to AlibabaCloud ECS service.
AlibabaCloudReleaseExcessIPs bool
// CESMaxCEPsInCES is the maximum number of CiliumEndpoints allowed in single
// a CiliumEndpointSlice resource.
// The default value of maximum CiliumEndpoints allowed in a CiliumEndpointSlice resource is 100.
CESMaxCEPsInCES int
// CESSlicingMode instructs how CEPs are grouped in a CES.
CESSlicingMode string
// LoadBalancerL7 enables loadbalancer capabilities for services.
LoadBalancerL7 string
// EnvoyLoadBalancerPorts is a list of service ports that will be automatically redirected to Envoy
LoadBalancerL7Ports []string
// LoadBalancerL7Algorithm is a default LB algorithm for services that do not specify related annotation
LoadBalancerL7Algorithm string
// EnableIngressController enables cilium ingress controller
EnableIngressController bool
// EnableGatewayAPI enables support of Gateway API
EnableGatewayAPI bool
// EnforceIngressHTTPS enforces https if required
EnforceIngressHTTPS bool
// EnableIngressSecretsSync enables background TLS secret sync for Ingress
EnableIngressSecretsSync bool
// EnableGatewayAPISecretsSync enables background TLS secret sync for Gateway API
EnableGatewayAPISecretsSync bool
// IngressSecretsNamespace is the namespace having tls secrets used by CEC for Ingress.
IngressSecretsNamespace string
// GatewayAPISecretsNamespace is the namespace having tls secrets used by CEC for Gateway API.
GatewayAPISecretsNamespace string
// CiliumK8sNamespace is the namespace where Cilium pods are running.
CiliumK8sNamespace string
// CiliumPodLabels specifies the pod labels that Cilium pods is running
// with.
CiliumPodLabels string
// RemoveCiliumNodeTaints is the flag to define if the Cilium node taint
// should be removed in Kubernetes nodes.
RemoveCiliumNodeTaints bool
// SetCiliumIsUpCondition sets the CiliumIsUp node condition in Kubernetes
// nodes.
SetCiliumIsUpCondition bool
// IngressLBAnnotationPrefixes IngressLBAnnotations are the annotation prefixes,
// which are used to filter annotations to propagate from Ingress to the Load Balancer
IngressLBAnnotationPrefixes []string
IngressSharedLBServiceName string
// IngressDefaultLoadbalancerMode is the default loadbalancer mode for Ingress.
// Applicable values: dedicated, shared
IngressDefaultLoadbalancerMode string
// Enables/Disables operation of kubernet-related services/controllers.
// Intended for operating cilium with CNI-compatible orquestrators
// othern than Kubernetes. (default is true)
EnableK8s bool
}
OperatorConfig is the configuration used by the operator.
func (*OperatorConfig) Populate ¶
func (c *OperatorConfig) Populate(vp *viper.Viper)
Populate sets all options with the values from viper.
Source Files
Click to show internal directories.
Click to hide internal directories.