# Rendered Cilium Helm output for the "pre-flight" check workloads
# (ServiceAccount, ClusterRole, ClusterRoleBinding, DaemonSet, Deployment).
# All five documents share the single ServiceAccount defined first.
---
# Source: cilium/templates/cilium-preflight/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "cilium-pre-flight"
  namespace: kube-system
---
# Source: cilium/templates/cilium-preflight/clusterrole.yaml
# Cluster-wide permissions for the pre-flight pods. Everything below is
# read-only except the cilium.io create/update/delete/patch rules near the end.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-pre-flight
  labels:
    app.kubernetes.io/part-of: cilium
rules:
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - services
      - pods
      - endpoints
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - watch
      # This is used when validating policies in preflight. This will need to stay
      # until we figure out how to avoid "get" inside the preflight, and then
      # should be removed ideally.
      - get
  # NOTE(review): this grants "get" on every Secret in every namespace to a
  # pod that runs with hostNetwork and an auto-mounted token. Nothing in the
  # rendered workloads below shows which Secrets the validator reads; confirm
  # it is needed and, if only specific namespaces are involved, consider
  # scoping it down in the chart rather than here.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - cilium.io
    resources:
      - ciliumloadbalancerippools
      - ciliumbgppeeringpolicies
      - ciliumbgpnodeconfigs
      - ciliumbgpadvertisements
      - ciliumbgppeerconfigs
      - ciliumclusterwideenvoyconfigs
      - ciliumclusterwidenetworkpolicies
      - ciliumegressgatewaypolicies
      - ciliumendpoints
      - ciliumendpointslices
      - ciliumenvoyconfigs
      - ciliumidentities
      - ciliumlocalredirectpolicies
      - ciliumnetworkpolicies
      - ciliumnodes
      - ciliumnodeconfigs
      - ciliumcidrgroups
      - ciliuml2announcementpolicies
      - ciliumpodippools
    verbs:
      - list
      - watch
  # Write access starts here; it is limited to Cilium's own CRDs.
  - apiGroups:
      - cilium.io
    resources:
      - ciliumidentities
      - ciliumendpoints
      - ciliumnodes
    verbs:
      - create
  - apiGroups:
      - cilium.io
    # To synchronize garbage collection of such resources
    resources:
      - ciliumidentities
    verbs:
      - update
  - apiGroups:
      - cilium.io
    resources:
      - ciliumendpoints
    verbs:
      - delete
      - get
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnodes
      - ciliumnodes/status
    verbs:
      - get
      - update
  - apiGroups:
      - cilium.io
    resources:
      - ciliumendpoints/status
      - ciliumendpoints
      - ciliuml2announcementpolicies/status
      - ciliumbgpnodeconfigs/status
    verbs:
      - patch
---
# Source: cilium/templates/cilium-preflight/clusterrolebinding.yaml
# Binds the ClusterRole above to the single pre-flight ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium-pre-flight
  labels:
    app.kubernetes.io/part-of: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium-pre-flight
subjects:
  - kind: ServiceAccount
    name: "cilium-pre-flight"
    namespace: kube-system
---
# Source: cilium/templates/cilium-preflight/daemonset.yaml
# One pod per node that already runs a Cilium agent (see podAffinity). The
# container itself runs no validation: it only creates /tmp/ready and sleeps,
# so a Ready pod means "the image could be pulled and started on this node".
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cilium-pre-flight-check
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: cilium-pre-flight-check
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        app.kubernetes.io/part-of: cilium
        k8s-app: cilium-pre-flight-check
        app.kubernetes.io/name: cilium-pre-flight-check
        kubernetes.io/cluster-service: "true"
    spec:
      affinity:
        podAffinity:
          # Only schedule on nodes that have a pod labelled k8s-app=cilium.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium
              topologyKey: kubernetes.io/hostname
      initContainers:
        # Despite its name this init container is a no-op: it only echoes
        # "hello". No host state under /var/run/cilium is touched here.
        - name: clean-cilium-state
          # Image is pinned by digest as well as tag, so the tag cannot be
          # silently re-pointed at different content.
          image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636"
          imagePullPolicy: IfNotPresent
          command: ["/bin/echo"]
          args:
            - "hello"
          terminationMessagePolicy: FallbackToLogsOnError
      containers:
        - name: cilium-pre-flight-check
          image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636"
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh"]
          args:
            - -c
            - "touch /tmp/ready; sleep 1h"
          # Both probes only check that the marker file exists.
          livenessProbe:
            exec:
              command:
                - cat
                - /tmp/ready
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            exec:
              command:
                - cat
                - /tmp/ready
            initialDelaySeconds: 5
            periodSeconds: 5
          env:
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          # Only cilium-run is mounted; the bpf-maps volume declared below is
          # not referenced by any container in this pod.
          volumeMounts:
            - name: cilium-run
              mountPath: /var/run/cilium
          terminationMessagePolicy: FallbackToLogsOnError
      # Shares the node's network namespace; combined with the auto-mounted
      # token this pod holds the cluster-wide read rights of the ClusterRole.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      restartPolicy: Always
      priorityClassName: system-node-critical
      serviceAccountName: "cilium-pre-flight"
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: 1
      nodeSelector:
        kubernetes.io/os: linux
      # "Exists" with no key tolerates every taint, so the check also lands on
      # control-plane and otherwise cordoned-by-taint nodes.
      tolerations:
        - operator: Exists
      volumes:
        # To keep state between restarts / upgrades
        - name: cilium-run
          hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
        # NOTE(review): unused by this pod (no matching volumeMount). A
        # hostPath that nothing mounts is dead configuration; worth dropping
        # in the chart so the pod spec declares only what it needs.
        - name: bpf-maps
          hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
---
# Source: cilium/templates/cilium-preflight/deployment.yaml
# Single validator that runs `cilium-dbg preflight validate-cnp` once, then
# marks itself ready and idles. With `sh -ec`, a non-zero exit from the
# validator stops the script before the marker file is created, so the pod
# never becomes Ready and the failure is visible in its logs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cilium-pre-flight-check
  namespace: kube-system
  labels:
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: cilium-pre-flight-check
spec:
  selector:
    matchLabels:
      k8s-app: cilium-pre-flight-check-deployment
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        app.kubernetes.io/part-of: cilium
        k8s-app: cilium-pre-flight-check-deployment
        kubernetes.io/cluster-service: "true"
        app.kubernetes.io/name: cilium-pre-flight-check
    spec:
      containers:
        - name: cnp-validator
          image: "quay.io/cilium/cilium:v1.17.8@sha256:6d7ea72ed311eeca4c75a1f17617a3d596fb6038d30d00799090679f82a01636"
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh"]
          args:
            - -ec
            - |
              cilium-dbg preflight validate-cnp;
              touch /tmp/ready-validate-cnp;
              sleep 1h;
          readinessProbe:
            exec:
              command:
                - cat
                - /tmp/ready-validate-cnp
            initialDelaySeconds: 5
            periodSeconds: 5
          # NOTE(review): the API client is pointed at localhost:7445. Because
          # the pod runs with hostNetwork, "localhost" is the node itself, so
          # this presumes a node-local API-server endpoint on that port on
          # every eligible node — confirm that matches the cluster, otherwise
          # validate-cnp cannot reach the API and the pod never becomes Ready.
          env:
            - name: KUBERNETES_SERVICE_HOST
              value: "localhost"
            - name: KUBERNETES_SERVICE_PORT
              value: "7445"
          terminationMessagePolicy: FallbackToLogsOnError
      hostNetwork: true
      restartPolicy: Always
      priorityClassName: system-cluster-critical
      serviceAccountName: "cilium-pre-flight"
      automountServiceAccountToken: true
      terminationGracePeriodSeconds: 1
      affinity:
        podAffinity:
          # Co-locate with a running Cilium agent pod.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium
              topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        - operator: Exists