The cni-cilium module: configuration

Schema version: 1

• bpfLBModestring

  eBPF LoadBalancer mode:

  • SNAT - traffic from the client to the pod (and back) passes through NAT, and accordingly the sender’s address is lost.
  • DSR - traffic from the client to the pod passes with the sender’s address preserved, and back - according to the routing rules (bypassing the balancer). This mode saves network traffic and reduces delays, but only works for TCP traffic.
  • Hybrid - TCP traffic is processed in DSR mode, and UDP traffic is processed in SNAT mode.

  Default: "Hybrid"

  Allowed values: SNAT, Hybrid, DSR

• createNodeRoutesboolean

  Create routes to Pods on other Nodes.

  All Nodes must be located in the same L2 domain.

• debugLoggingboolean

  Enabled debug logging for Cilium components.

  Default: false

• labelsRegexarray of strings

  Cilium creates security identifiers based on the k8s entity labels. The more labels are involved in this process, the higher the access granularity that can be achieved. However, in large clusters, excessive granularity can create a heavy load. You can use the labelsRegex option to explicitly specify which labels are to be used for security policies, and which labels are to be neglected. Refer to the documentation to learn more about reducing the identity cardinality

  Each label must be specified by a RegExp expression in YAML quoted string format. Note that special characters must be escaped.

  Example:

  labelsRegex:
  - k8s:!app\.kubernetes\.io
  - k8s:io\.cilium\.k8s\.policy
  

• policyAuditModeboolean

  Do not enforce any Network Policy. Just log allowed/disallowed connections.

  Default: false

• resourcesManagement

  Settings for CPU and memory requests and limits by cilium agent pods.

  Examples:

  resourcesManagement:
    mode: VPA
    vpa:
      mode: Auto
      cpu:
        min: 50m
        max: 2
        limitRatio: 1.5
      memory:
        min: 256Mi
        max: 2Gi
        limitRatio: 1.5
  

  resourcesManagement:
    mode: Static
    static:
      requests:
        cpu: 55m
        memory: 256Mi
      limits:
        cpu: 2
        memory: 2Gi
  

  • resourcesManagement.modestring

    Resource management mode:

    • Static is a classic one. In it, you specify requests/limits. The parameters of this mode are defined in the static parameter section;
    • VPA mode uses VPA. You can configure this mode by modifying parameters in the vpa parameter section.

    Default: "VPA"

    Allowed values: VPA, Static

  • resourcesManagement.staticobject

    Resource management options for the Static mode.

    • resourcesManagement.static.limitsobject

      Configuring CPU and memory limits.

      • resourcesManagement.static.limits.cpu

        Configuring CPU limits.

      • resourcesManagement.static.limits.memory

        Configuring memory limits.

    • resourcesManagement.static.requestsobject

      Resource requests settings for pods.

      • resourcesManagement.static.requests.cpu

        Configuring CPU requests.

      • resourcesManagement.static.requests.memory

        Configuring memory requests.

  • resourcesManagement.vpaobject

    Resource management options for the VPA mode.

    • resourcesManagement.vpa.cpuobject

      CPU-related VPA settings.

      • resourcesManagement.vpa.cpu.limitRationumber

        The CPU limits/requests ratio.

        This ratio is used for calculating the initial CPU limits for a pod.

        If this parameter is set, the VPA will recalculate the CPU limits while maintaining the specified limits/requests ratio.

      • resourcesManagement.vpa.cpu.max

        The maximum value that the VPA can set for the CPU requests.

        Default: 4

      • resourcesManagement.vpa.cpu.min

        The minimum value that the VPA can set for the CPU requests.

        Default: 100m

    • resourcesManagement.vpa.memoryobject

      Memory-related VPA settings.

      • resourcesManagement.vpa.memory.limitRationumber

        The memory limits/requests ratio.

        This ratio is used for calculating the initial memory limits for a pod.

        If this parameter is set, the VPA will recalculate the memory limits while maintaining the specified limits/requests ratio.

      • resourcesManagement.vpa.memory.max

        The maximum memory requests the VPA can set.

        Default: 4Gi

      • resourcesManagement.vpa.memory.min

        The minimum memory requests the VPA can set.

        Default: 128Mi

    • resourcesManagement.vpa.modestring

      VPA operating mode.

      Default: "Initial"

      Allowed values: Initial, Auto

• svcSourceRangeCheckboolean

  For services of the loadBalancer type, enables checking the source IP for compliance with loadBalancer.sourceRanges. The check is not performed if access is made from within the cluster or the sourceRanges parameter is empty/not specified. Some cloud providers support filtering of incoming traffic based on the sourceRanges parameter in their loadBalancer implementations. In such cases, the cilium documentation recommends disabling the svcSourceRangeCheck option.

  Do not enable if another balancer or any type of SNAT is running in front of the services.

  Default: false

• tunnelModestring

  Tunnel mode.

  Note! After changing the parameter, it is necessary to restart all nodes, otherwise, there may be problems with the availability of Pods!

  Note! VXLAN mode is not compatible with following bpfLBMode modes: Hybrid, DSR. bpfLBMode will be overriden to SNAT if the tunnelMode is VXLAN.

  Default: "Disabled"

  Allowed values: Disabled, VXLAN