The cni-cilium module: configuration

Schema version: 1

• settings

  object
  • settings.activeL2NeighborDiscoveryEnabled

    boolean

    Enables the Cilium L2 neighbor discovery mechanism, which helps ensure that ARP table entries are kept up-to-date on all cluster nodes.

    Default: true

  • settings.bpfLBMode

    string

    eBPF LoadBalancer mode:

    • SNAT — traffic from the client to the pod (and back) passes through NAT, and accordingly the sender’s address is lost.
    • DSR — traffic from the client to the pod passes with the sender’s address preserved, and back - according to the routing rules (bypassing the balancer). This mode saves network traffic and reduces delays, but only works for TCP traffic.
    • Hybrid — TCP traffic is processed in DSR mode, and UDP traffic is processed in SNAT mode.

    Default: Hybrid

    Allowed values: SNAT, Hybrid, DSR

  • settings.createNodeRoutes

    boolean

    Create routes to Pods on other Nodes.

    All Nodes must be located in the same L2 domain.

  • settings.debugLogging

    boolean

    Enabled debug logging for Cilium components.

    Default: false

  • settings.encryption

    object

    CNI Cilium encryption settings.

    • settings.encryption.mode

      string

      Encryption mode:

      • Disabled — encryption is disabled.

      • WireGuard — enables traffic encryption between pods using WireGuard.

        Note! Before using WireGuard encryption, please ensure that the Linux kernel running on the cluster nodes has support WireGuard (either via the CONFIG_WIREGUARD=m kernel config option on Linux 5.6 and newer, or using an external WireGuard module for older kernels).

        Note! Using WireGuard may cause significant CPU consumption by Cilium agent pods.

      Default: Disabled

      Allowed values: Disabled, WireGuard

    • settings.encryption.nodeToNodeModeEnabled

      boolean

      Enabling traffic encryption between nodes and pods in HostNetwork.

      Note! The node-to-node traffic from and to the control-plane nodes is left unencrypted to prevent possible communication issues when renewing WireGuard public keys. At the same time, the traffic between control-plane components is still encrypted at the application layer.

      Note! When this mode is active, NodePort and HostPort are not available from the PodNetwork.

      Default: false

  • settings.exclusiveCNIPlugin

    boolean

    Prevents additional CNI plugins from being enabled on cluster nodes. If the Istio module’s dataPlane.trafficRedirectionSetupMode setting is set to CNIPlugin, the option will be automatically set to false.

    Explicitly disabling this option is recommended only when using an additional CNI or a specific CNI plugin in the cluster. An example of such a use case could be the Linkerd CNI plugin.

    Default: true

  • settings.extraLoadBalancerAlgorithmsEnabled

    boolean

    Allows selectively overriding the load balancing algorithm using eBPF between backends for individual services. The annotation service.cilium.io/lb-algorithm is used for overriding with one of the following values: random, maglev, or least-conn.

    Note! This option requires the Linux kernel version on the nodes to be at least 5.15.

    Default: false

  • settings.labelsRegex

    array of strings

    Cilium creates security identifiers based on the k8s entity labels. The more labels are involved in this process, the higher the access granularity that can be achieved. However, in large clusters, excessive granularity can create a heavy load. You can use the labelsRegex option to explicitly specify which labels are to be used for security policies, and which labels are to be neglected. Refer to the documentation to learn more about reducing the identity cardinality

    Each label must be specified by a RegExp expression in YAML quoted string format. Note that special characters must be escaped.

    Example:

    labelsRegex:
    - k8s:!app\.kubernetes\.io
    - k8s:io\.cilium\.k8s\.policy
    

  • settings.loadBalancerSourceRangeAllTypes

    boolean

    Enable loadBalancerSourceRanges CIDR filtering for all service types, not just LoadBalancer services. The corresponding NodePort and ClusterIP will also apply the CIDR filter. For more detailed information, please visit the link.

    Default: true

  • settings.masqueradeMode

    string

    Cilium masquerade work mode for pods traffic leaving the cluster.

    • BPF - use cilium BPF. Basic operation mode.

      In this mode, masquerade will not be used if the destination IP address is within the podSubnetCIDR or InternalIP/ExternalIP of any of the cluster nodes.

    • Netfilter - use kernel Netfilter(iptables/nf_tables).

      In this mode, masquerade will not be used if the destination IP address is within the podSubnetCIDR or InternalIP/ExternalIP of any of the cluster nodes.

    In BPF mode, if ExternalIP other than InternalIP is specified for a cluster node, and that IP address is not currently assigned to any interface on the node, it will not be reachable from neighboring nodes from pods network. The Netfilter mode allows you to bypass this limitation, but some other features stop working, such as EgressGateway`.

    Default: BPF

    Allowed values: Netfilter, BPF

  • settings.policyAuditMode

    boolean

    Do not enforce any Network Policy. Just log allowed/disallowed connections.

    Default: false

  • settings.resourcesManagement

    Settings for CPU and memory requests and limits by cilium agent pods.

    Examples:

    resourcesManagement:
      mode: VPA
      vpa:
        mode: Auto
        cpu:
          min: 50m
          max: 2
          limitRatio: 1.5
        memory:
          min: 256Mi
          max: 2Gi
          limitRatio: 1.5
    

    resourcesManagement:
      mode: Static
      static:
        requests:
          cpu: 55m
          memory: 256Mi
        limits:
          cpu: 2
          memory: 2Gi
    

    • settings.resourcesManagement.mode

      string

      Resource management mode:

      • Static is a classic one. In it, you specify requests/limits. The parameters of this mode are defined in the static parameter section;
      • VPA mode uses VPA. You can configure this mode by modifying parameters in the vpa parameter section.

      Default: VPA

      Allowed values: VPA, Static

    • settings.resourcesManagement.static

      object

      Resource management options for the Static mode.

      • settings.resourcesManagement.static.limits

        object

        Configuring CPU and memory limits.

        • settings.resourcesManagement.static.limits.cpu

          Configuring CPU limits.

        • settings.resourcesManagement.static.limits.memory

          Configuring memory limits.

      • settings.resourcesManagement.static.requests

        object

        Resource requests settings for pods.

        • settings.resourcesManagement.static.requests.cpu

          Configuring CPU requests.

        • settings.resourcesManagement.static.requests.memory

          Configuring memory requests.

    • settings.resourcesManagement.vpa

      object

      Resource management options for the VPA mode.

      • settings.resourcesManagement.vpa.cpu

        object

        CPU-related VPA settings.

        • settings.resourcesManagement.vpa.cpu.limitRatio

          number

          The CPU limits/requests ratio.

          This ratio is used for calculating the initial CPU limits for a pod.

          If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.

        • settings.resourcesManagement.vpa.cpu.max

          The maximum value that the VPA can set for the CPU requests.

          Default: 4

        • settings.resourcesManagement.vpa.cpu.min

          The minimum value that the VPA can set for the CPU requests.

          Default: 100m

      • settings.resourcesManagement.vpa.memory

        object

        Memory-related VPA settings.

        • settings.resourcesManagement.vpa.memory.limitRatio

          number

          The memory limits/requests ratio.

          This ratio is used for calculating the initial memory limits for a pod.

          If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.

        • settings.resourcesManagement.vpa.memory.max

          The maximum memory requests the VPA can set.

          Default: 4Gi

        • settings.resourcesManagement.vpa.memory.min

          The minimum memory requests the VPA can set.

          Default: 128Mi

      • settings.resourcesManagement.vpa.mode

        string

        VPA operating mode.

        Default: Initial

        Allowed values: Initial, Auto

  • settings.svcSourceRangeCheck

    boolean

    For services of the loadBalancer type, enables checking the source IP for compliance with loadBalancer.sourceRanges. The check is not performed if access is made from within the cluster or the sourceRanges parameter is empty/not specified. Some cloud providers support filtering of incoming traffic based on the sourceRanges parameter in their loadBalancer implementations. In such cases, the cilium documentation recommends disabling the svcSourceRangeCheck option.

    Do not enable if another balancer or any type of SNAT is running in front of the services.

    Default: false

  • settings.tunnelMode

    string

    Tunnel mode.

    Note! After changing the parameter, it is necessary to restart all nodes, otherwise, there may be problems with the availability of Pods!

    Note! VXLAN mode is not compatible with following bpfLBMode modes: Hybrid, DSR. bpfLBMode will be overriden to SNAT if the tunnelMode is VXLAN.

    Default: Disabled

    Allowed values: Disabled, VXLAN