diff --git a/bin/apply.bash b/bin/apply.bash
index 128cf249..b630c694 100755
--- a/bin/apply.bash
+++ b/bin/apply.bash
@@ -32,7 +32,10 @@ if [ -z "${CK8S_KUBESPRAY_NO_VENV+x}" ]; then
 fi
 log_info "Running kubespray"
-ansible-playbook -i "${config[inventory_file]}" cluster.yml -b "${@}"
+ansible-playbook \
+ -i "${config[inventory_file]}" \
+ -i "${here}/../config/cilium-values-inventory.yaml" \
+ cluster.yml -b "${@}"
 log_info "Kubespray done"
diff --git a/config/cilium-values-inventory.yaml b/config/cilium-values-inventory.yaml
new file mode 100644
index 00000000..75cf3d02
--- /dev/null
+++ b/config/cilium-values-inventory.yaml
@@ -0,0 +1,48 @@
+all:
+ vars:
+ cilium_extra_values: "{{ cilium_extra_values_template | from_yaml }}"
+ cilium_extra_values_template: |
+ {% if ck8s_cilium | default(false) %}
+ policyEnforcementMode: {{ ck8s_cilium.policyEnforcementMode }}
+
+ policyAuditMode: {{ ck8s_cilium.policyAuditMode }}
+
+ operator:
+ unmanagedPodWatcher:
+ restart: {{ ck8s_cilium.operator.unmanagedPodWatcher.restart }}
+ prometheus:
+ enabled: {{ ck8s_cilium.operator.monitoring.enabled }}
+ serviceMonitor:
+ enabled: {{ ck8s_cilium.operator.monitoring.installServiceMonitor }}
+
+ encryption:
+ enabled: {{ ck8s_cilium.wireguard.enabled }}
+ type: wireguard
+ strictMode:
+ enabled: {{ ck8s_cilium.wireguard.strictMode }}
+
+ hubble:
+ enabled: {{ ck8s_cilium.hubble.enabled }}
+ metrics:
+ enabled: {{ ck8s_cilium.hubble.metrics }}
+ serviceMonitor:
+ enabled: {{ ck8s_cilium.hubble.monitoring.installServiceMonitor }}
+
+ prometheus:
+ enabled: {{ ck8s_cilium.prometheus.enabled }}
+ serviceMonitor:
+ enabled: {{ ck8s_cilium.prometheus.installServiceMonitor }}
+ trustCRDsExist: true
+
+ envoy:
+ enabled: {{ ck8s_cilium.envoy.enabled }}
+
+ {% if ck8s_cilium.enableNodeSelectability | default(false) %}
+ policyCIDRMatchMode: nodes
+ {% endif %}
+
+ annotateK8sNode: true
+
+ {% else %}
+ {}
+ {% endif %}
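Review bot: The new `-i "${here}/../config/cilium-values-inventory.yaml"` argument depends on `here` being defined earlier in the script, outside this hunk; presumably it is set near the top, but nothing in the hunk guards it, and without `set -u` an unset `here` would silently resolve the path relative to `/`. A one-line assertion before the call, `: "${here:?here must point at the bin directory}"`, makes that failure explicit. It is also worth a comment that a second inventory stacks its `all.vars` at inventory-variable precedence, so a `cilium_extra_values` defined in any group_vars file overrides the generated one without warning; something like `# second inventory derives cilium_extra_values from ck8s_cilium; group_vars definitions of cilium_extra_values take precedence` above the call would save the next maintainer a debugging session.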
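Review bot: Every `ck8s_cilium.*` lookup in `cilium_extra_values_template` except `enableNodeSelectability` is accessed without a `default`, so a user who overrides `ck8s_cilium` in their group_vars with a partial dictionary (Ansible replaces rather than merges dictionaries unless `hash_behaviour=merge`) gets an undefined-attribute templating failure instead of falling back to the defaults file added in the next hunk, whose comments do not say the dict must be overridden as a whole. Either merge with a defaults dict first, e.g. `{% set c = ck8s_cilium_defaults | combine(ck8s_cilium | default({}), recursive=True) %}` at the top of the template and `c.` lookups below, or document the all-or-nothing override. `hubble.metrics.enabled` is rendered from a list through a plain `{{ }}`, which yields a Python repr such as `['dns', 'drop', ...]` that `from_yaml` happens to accept as a flow sequence; `{{ ck8s_cilium.hubble.metrics | to_json }}` is the deterministic form. Since `policyAuditMode` and `policyEnforcementMode` are passed straight through to the Helm values, a comment on those two lines saying that the defaults file is the place to change enforcement behaviour would help whoever reviews cluster config later.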
diff --git a/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml b/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml
new file mode 100644
index 00000000..ff07d400
--- /dev/null
+++ b/config/common/group_vars/k8s_cluster/ck8s-cilium.yaml
@@ -0,0 +1,51 @@
+ck8s_cilium:
+ # policyEnforcementMode: Determine whether an endpoint accepts traffic from a source or not
+ #
+ # Has three options:
+ # - default: endpoints have unrestricted network access until selected by policy
+ # - always: policy enforcement is enabled on all endpoints even if no rules select specific endpoints.
+ # - never: All traffic is allowed from any source (on ingress) or destination (on egress)
+ policyEnforcementMode: default
+
+ # policyAuditMode: when true, no network policy is enforced.
+ #
+ # This feature helps to validate the impact of host policies before enforcing them.
+ policyAuditMode: false
+
+ # enableNodeSelectability: when true, allows Kubernetes nodes to be selected
+ # by cidr block selectors in classic NetworkPolicies.
+ #
+ # Without this, access to the Kubernets API Server pods might be restricted.
+ #
+ # See: https://github.com/cilium/cilium/issues/20550
+ enableNodeSelectability: true
+
+ operator:
+ unmanagedPodWatcher:
+ restart: true
+ monitoring:
+ enabled: true
+ installServiceMonitor: false
+
+ wireguard:
+ enabled: true
+ strictMode: false
+
+ hubble:
+ enabled: true
+ monitoring:
+ installServiceMonitor: false
+ metrics:
+ - dns
+ - drop
+ - tcp
+ - flow
+ - icmp
+ - http
+
+ prometheus:
+ enabled: true
+ installServiceMonitor: false
+
+ envoy:
+ enabled: false
diff --git a/kubespray b/kubespray
index b8c2ec4e..760fbec2 160000
--- a/kubespray
+++ b/kubespray
@@ -1 +1 @@
-Subproject commit b8c2ec4e69841fbd887167c039cced5730788ba1
+Subproject commit 760fbec269d339c312c64552236e27cfd66621ed
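Review bot: `Kubernets` in the enableNodeSelectability comment should read `Kubernetes`. The two security-relevant defaults in this file, `policyAuditMode: false` and `wireguard.strictMode: false`, are the ones an operator is most likely to flip, and only the first has a comment explaining the consequence; a line such as `# strictMode: when true, Cilium drops pod traffic that cannot be sent encrypted instead of letting it through in cleartext` above `strictMode` would do the same for the second (confirm the exact semantics against the Cilium version Kubespray pins). `enableNodeSelectability: true` maps to `policyCIDRMatchMode: nodes` in the Helm values, which widens what CIDR selectors in NetworkPolicies can match, so the comment could say that name explicitly rather than only linking the upstream issue. `hubble.metrics` is consumed as a list by the inventory template, so its comment should state that the key must remain a YAML list.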