fix(cilium): tune cilium

- disable envoy - enable bpf.preallocateMaps - increase operator replica to 2 - add missing linux caps - remove unnecessary post render
jfroy · Jan 8, 2025 · bee3df8 · bee3df8
1 parent ce245e9
commit bee3df8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 25 deletions.
diff --git a/kubernetes/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml
@@ -1,13 +1,14 @@
 ---
 autoDirectNodeRoutes: true
-bgpControlPlane:
-  enabled: true
 bandwidthManager:
   enabled: true
   bbr: true
+bgpControlPlane:
+  enabled: true
 bpf:
   datapathMode: netkit
   masquerade: true # See https://github.com/siderolabs/talos/issues/8836 (forwardKubeDNSToHost)
+  preallocateMaps: true
   tproxy: true
 cgroup:
   automount:
@@ -24,6 +25,8 @@ enableIPv6BIGTCP: true
 enableIPv6Masquerade: false
 endpointRoutes:
   enabled: true
+envoy:
+  enabled: false
 hubble:
   enabled: false
 ipam:
@@ -45,24 +48,26 @@ loadBalancer:
   mode: dsr
 localRedirectPolicy: true
 operator:
-  replicas: 1
+  replicas: 2
   rollOutPods: true
 rollOutCiliumPods: true
 routingMode: native
 securityContext:
   capabilities:
     ciliumAgent:
+      - BPF
       - CHOWN
+      - DAC_OVERRIDE
+      - FOWNER
+      - IPC_LOCK
       - KILL
       - NET_ADMIN
       - NET_RAW
-      - IPC_LOCK
-      - SYS_ADMIN
-      - SYS_RESOURCE
-      - DAC_OVERRIDE
-      - FOWNER
+      - PERFMON
       - SETGID
       - SETUID
+      - SYS_ADMIN
+      - SYS_RESOURCE
     cleanCiliumState:
       - NET_ADMIN
       - SYS_ADMIN

diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
@@ -67,9 +67,6 @@ spec:
           enabled: true
           className: internal
           hosts: ["hubble.${PUBLIC_DOMAIN0}"]
-    loadBalancer:
-      l7:
-        backend: envoy
     operator:
       prometheus:
         enabled: true
@@ -98,17 +95,3 @@ spec:
       enabled: true
       annotations:
         grafana_folder: Cilium
-  postRenderers:
-    - kustomize:
-        patches:
-          # hubble-ui backend container file permissions issue on loading client cert for hubble-relay
-          # https://github.com/cilium/cilium/issues/18816
-          - target:
-              group: apps
-              version: v1
-              kind: Deployment
-              name: hubble-ui
-            patch: |
-              - op: replace
-                path: /spec/template/spec/volumes/2/projected/defaultMode
-                value: 0404