Update cilium to 1.8.0 (#6314)

2026-02-15 18:20:02 -03:30 · 2020-06-25 15:16:38 +02:00
parent 93951f2ed5
commit f54f63ec3f
5 changed files with 37 additions and 14 deletions
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -26,10 +26,12 @@ rules:
 - apiGroups:
  - ""
  resources:
+{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
  # to automatically read from k8s and import the node's pod CIDR to cilium's
  # etcd so all nodes know how to reach another pod running in in a different
  # node.
  - nodes
+{% endif %}
  # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  - services
  - endpoints
@@ -59,6 +61,14 @@ rules:
 {% endif %}
  verbs:
  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -92,7 +92,7 @@ spec:
 {% if cilium_enable_ipv4 %}
              host: 127.0.0.1
 {% else %}
-              host: host: '[::1]'
+              host: '::1'
 {% endif %}
              path: /healthz
              port: 9234
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -59,11 +59,14 @@ spec:
              command:
              - /cni-uninstall.sh
        livenessProbe:
-          exec:
-            command:
-            - cilium
-            - status
-            - --brief
+          httpGet:
+            host: '127.0.0.1'
+            path: /healthz
+            port: 9876
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
          failureThreshold: 10
          # The initial delay for the liveness probe is intentionally large to
          # avoid an endless kill & restart cycle if in the event that the initial
@@ -81,11 +84,14 @@ spec:
          protocol: TCP
 {% endif %}
        readinessProbe:
-          exec:
-            command:
-            - cilium
-            - status
-            - --brief
+          httpGet:
+            host: '127.0.0.1'
+            path: /healthz
+            port: 9876
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
          failureThreshold: 3
          initialDelaySeconds: 5
          periodSeconds: 30
@@ -131,6 +137,8 @@ spec:
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: false
@@ -138,7 +146,7 @@ spec:
      - command:
        - /init-container.sh
        env:
-        - name: CLEAN_CILIUM_STATE
+        - name: CILIUM_ALL_STATE
          valueFrom:
            configMapKeyRef:
              key: clean-cilium-state
@@ -214,6 +222,11 @@ spec:
      - hostPath:
          path: /lib/modules
        name: lib-modules
+        # To access iptables concurrently with other processes (e.g. kube-proxy)
+      - hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+        name: xtables-lock
        # To read the etcd config stored in config maps
      - configMap:
          defaultMode: 420