diff --git a/charts/cni/cni/Chart.yaml b/charts/cni/cni/Chart.yaml index e7c2b8a4d..63e4c23a4 100644 --- a/charts/cni/cni/Chart.yaml +++ b/charts/cni/cni/Chart.yaml @@ -1,5 +1,5 @@ -apiVersion: v1 -appVersion: 1.17.1 +apiVersion: v2 +appVersion: 1.23.3 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,9 +7,9 @@ keywords: - istio name: cni sources: - - https://github.com/istio/istio/tree/master/cni -version: 1.17.1 + - https://github.com/istio/istio +version: 1.23.3 dependencies: - name: cni - version: "1.17.1" + version: "1.23.3" repository: "https://istio-release.storage.googleapis.com/charts" diff --git a/charts/cni/cni/README.md b/charts/cni/cni/README.md index b7fbc5d52..a8b78d5bd 100644 --- a/charts/cni/cni/README.md +++ b/charts/cni/cni/README.md 
@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system ``` Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. 
+ +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/charts/cni/cni/charts/cni/Chart.yaml b/charts/cni/cni/charts/cni/Chart.yaml index 5b366889b..ec1870bdb 100644 --- a/charts/cni/cni/charts/cni/Chart.yaml +++ b/charts/cni/cni/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ -apiVersion: v1 -appVersion: 1.17.1 +apiVersion: v2 +appVersion: 1.23.3 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,5 +7,5 @@ keywords: - istio name: cni sources: -- https://github.com/istio/istio/tree/master/cni -version: 1.17.1 +- https://github.com/istio/istio +version: 1.23.3 diff --git a/charts/cni/cni/charts/cni/README.md b/charts/cni/cni/charts/cni/README.md index b7fbc5d52..a8b78d5bd 100644 --- a/charts/cni/cni/charts/cni/README.md +++ b/charts/cni/cni/charts/cni/README.md 
@@ -21,4 +21,45 @@ helm install istio-cni istio/cni -n kube-system ``` Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. 
+ +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/charts/cni/cni/charts/cni/files/profile-ambient.yaml b/charts/cni/cni/charts/cni/files/profile-ambient.yaml new file mode 100644 index 000000000..22db03309 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true + +# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel +variant: distroless diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.20.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.20.yaml new file mode 100644 index 000000000..72fdd5b3c --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.20.yaml 
@@ -0,0 +1,26 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.21 behavioral changes + ENABLE_EXTERNAL_NAME_ALIAS: "false" + PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" + VERIFY_CERTIFICATE_AT_CLIENT: "false" + ENABLE_AUTO_SNI: "false" + + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..d11c242b5 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -0,0 +1,23 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.22 behavioral changes + ENABLE_ENHANCED_RESOURCE_SCOPING: "false" + ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + # 1.22 behavioral changes + defaultConfig: + proxyMetadata: + ISTIO_DELTA_XDS: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + tracing: + zipkin: + address: zipkin.istio-system:9411 
diff --git a/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml new file mode 100644 index 000000000..b091e2b94 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-compatibility-version-1.22.yaml @@ -0,0 +1,16 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.22 behavioral changes + ENABLE_DEFERRED_CLUSTER_CREATION: "false" + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/charts/cni/cni/charts/cni/files/profile-demo.yaml b/charts/cni/cni/charts/cni/files/profile-demo.yaml new file mode 100644 index 000000000..83b9d6b66 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-demo.yaml 
@@ -0,0 +1,73 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. 
https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/charts/cni/cni/charts/cni/files/profile-openshift-ambient.yaml b/charts/cni/cni/charts/cni/files/profile-openshift-ambient.yaml new file mode 100644 index 000000000..df4532d11 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-openshift-ambient.yaml @@ -0,0 +1,33 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + platform: openshift +cni: + ambient: + enabled: true + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" + variant: distroless + env: + PILOT_ENABLE_AMBIENT: "true" + # Allow sidecars/ingress to send/receive HBONE. This is required for interop. + PILOT_ENABLE_SENDING_HBONE: "true" + PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" +platform: openshift +variant: distroless +seLinuxOptions: + type: spc_t diff --git a/charts/cni/cni/charts/cni/files/profile-openshift.yaml b/charts/cni/cni/charts/cni/files/profile-openshift.yaml new file mode 100644 index 000000000..18f61b88f --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-openshift.yaml 
@@ -0,0 +1,20 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +# CNI must be installed. +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + logLevel: info + provider: "multus" +global: + platform: openshift +pilot: + cni: + enabled: true + provider: "multus" +platform: openshift diff --git a/charts/cni/cni/charts/cni/files/profile-preview.yaml b/charts/cni/cni/charts/cni/files/profile-preview.yaml new file mode 100644 index 000000000..181d7bda2 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/charts/cni/cni/charts/cni/files/profile-stable.yaml b/charts/cni/cni/charts/cni/files/profile-stable.yaml new file mode 100644 index 000000000..358282e69 --- /dev/null +++ b/charts/cni/cni/charts/cni/files/profile-stable.yaml 
@@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/charts/cni/cni/charts/cni/templates/NOTES.txt b/charts/cni/cni/charts/cni/templates/NOTES.txt index 994628240..fb35525b9 100644 --- a/charts/cni/cni/charts/cni/templates/NOTES.txt +++ b/charts/cni/cni/charts/cni/templates/NOTES.txt @@ -1,5 +1,5 @@ "{{ .Release.Name }}" successfully installed! To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/charts/cni/cni/charts/cni/templates/_helpers.tpl b/charts/cni/cni/charts/cni/templates/_helpers.tpl new file mode 100644 index 000000000..fe5786580 --- /dev/null +++ b/charts/cni/cni/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/charts/cni/cni/charts/cni/templates/clusterrole.yaml b/charts/cni/cni/charts/cni/templates/clusterrole.yaml index 7f7030de3..453557f38 100644 --- a/charts/cni/cni/charts/cni/templates/clusterrole.yaml +++ b/charts/cni/cni/charts/cni/templates/clusterrole.yaml 
@@ -1,63 +1,70 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni + name: {{ template "name" . }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" rules: - apiGroups: [""] - resources: - - pods - - nodes - verbs: - - get + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq .Values.platform "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} --- {{- if .Values.cni.repair.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni-repair-role + name: {{ template "name" . }}-repair-role labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "delete", "patch", "update" ] -- apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.cni.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.cni.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.cni.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. 
So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} {{- end }} --- - {{- if .Values.cni.taint.enabled }} +{{- if .Values.cni.ambient.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: istio-cni-taint-role + name: {{ template "name" . }}-ambient labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "list"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update"] - {{- end }} +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} diff --git a/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml b/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml index deabd5238..dba1238de 100644 --- a/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml +++ b/charts/cni/cni/charts/cni/templates/clusterrolebinding.yaml @@ -1,9 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni + name: {{ template "name" . }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 
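Review bot: In the `-repair-role` rules the `if repairPods` / `else if deletePods` / `else if labelPods` chain grants API verbs for only the first enabled mode, while the configmap in this same change hands all three `REPAIR_*_PODS` flags to the agent independently, so a values file that enables two modes would presumably have the second one refused by the API server at runtime rather than rejected at install time. Keeping the grant exclusive is the right least-privilege choice, but the precedence should be stated where the rules live, e.g. `{{- /* RBAC is granted for exactly one repair mode, precedence repairPods > deletePods > labelPods; enabling several does not widen the grant */}}`, or enforced with `{{ fail "cni.repair: enable only one of repairPods, deletePods, labelPods" }}` when more than one is true. Separately, the base `istio-cni` role widens from `get` on pods/nodes to `get/list/watch` on pods, nodes and namespaces cluster-wide; that matches a watch-based agent but is a real privilege increase for the node DaemonSet's ServiceAccount and deserves a line in the chart's release notes.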
@@ -11,68 +11,50 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni + name: {{ template "name" . }} subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace }} --- {{- if .Values.cni.repair.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni-repair-rolebinding + name: {{ template "name" . }}-repair-rolebinding labels: - k8s-app: istio-cni-repair + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace}} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni-repair-role + name: {{ template "name" . }}-repair-role {{- end }} --- -{{- if ne .Values.cni.psp_cluster_role "" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istio-cni-psp - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.cni.psp_cluster_role }} -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} -{{- end }} ---- -{{- if .Values.cni.taint.enabled }} +{{- if .Values.cni.ambient.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: istio-cni-taint-rolebinding + name: {{ template "name" . }}-ambient labels: - k8s-app: istio-cni-taint + k8s-app: {{ template "name" . 
}}-repair + release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" subjects: - kind: ServiceAccount - name: istio-cni + name: {{ template "name" . }} namespace: {{ .Release.Namespace}} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: istio-cni-taint-role + name: {{ template "name" . }}-ambient {{- end }} diff --git a/charts/cni/cni/charts/cni/templates/configmap-cni.yaml b/charts/cni/cni/charts/cni/templates/configmap-cni.yaml index b18a30d47..131c09a1a 100644 --- a/charts/cni/cni/charts/cni/templates/configmap-cni.yaml +++ b/charts/cni/cni/charts/cni/templates/configmap-cni.yaml 
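Review bot: The new `-ambient` ClusterRoleBinding carries the label `k8s-app: {{ template "name" . }}-repair`, copied from the repair binding above it, so label-based tooling and anyone auditing which binding grants the cluster-wide `pods/status` patch will misattribute it; it should read `k8s-app: {{ template "name" . }}-ambient`. The PSP RoleBinding keyed on `cni.psp_cluster_role` is dropped without a guard, so an existing values file that still sets that key is silently ignored rather than flagged; a `{{- if .Values.cni.psp_cluster_role }}{{ fail "cni.psp_cluster_role is no longer supported" }}{{- end }}` would make the removal explicit to operators who believed that binding was still in force.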
@@ -1,51 +1,29 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} kind: ConfigMap apiVersion: v1 metadata: - name: istio-cni-config + name: {{ template "name" . }}-config namespace: {{ .Release.Namespace }} labels: - app: istio-cni + app: {{ template "name" . }} release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "Cni" data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } ---- - {{- if .Values.cni.taint.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: "istio-cni-taint-configmap" - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - config: | - - name: istio-cni - selector: k8s-app=istio-cni-node - namespace: {{ .Release.Namespace }} + CURRENT_AGENT_VERSION: {{ .Values.cni.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.cni.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.cni.ambient.dnsCapture | default "false" | quote }} + AMBIENT_IPV6: {{ .Values.cni.ambient.ipv6 | default "false" | 
quote }} + {{- if .Values.cni.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cni.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. {{- end }} + CNI_NET_DIR: {{ .Values.cni.cniConfDir | default "/etc/cni/net.d" }} # Directory where the CNI config file is going to be created. + CHAINED_CNI_PLUGIN: {{ .Values.cni.chained | quote }} + EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.cni.chained | quote }} + REPAIR_LABEL_PODS: {{ .Values.cni.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.cni.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.cni.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.cni.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.cni.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.cni.repair.brokenPodLabelValue | quote }} diff --git a/charts/cni/cni/charts/cni/templates/daemonset.yaml b/charts/cni/cni/charts/cni/templates/daemonset.yaml index 7ebd7c239..cf0dab5ca 100644 --- a/charts/cni/cni/charts/cni/templates/daemonset.yaml +++ b/charts/cni/cni/charts/cni/templates/daemonset.yaml @@ -9,10 +9,10 @@ kind: DaemonSet apiVersion: apps/v1 metadata: - name: istio-cni-node + name: {{ template "name" . }}-node namespace: {{ .Release.Namespace }} labels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node release: {{ .Release.Name }} istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} 
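Review bot: `REPAIR_ENABLED` is rendered from `.Values.cni.chained` instead of `.Values.cni.repair.enabled`, so the flag handed to the agent and the RBAC gated on `cni.repair.enabled` in clusterrole.yaml can disagree: a chained install with repair turned off tells the agent repair is on while its ServiceAccount has no repair role, and the non-chained OpenShift/Multus profiles added in this change turn repair off regardless of what the user set. The line should be `REPAIR_ENABLED: {{ .Values.cni.repair.enabled | quote }}`. `CNI_CONF_NAME` and `CNI_NET_DIR` are also the only two values here rendered without `| quote`; quoting them matches the surrounding keys and keeps a path containing YAML-significant characters from being re-typed when the ConfigMap is rendered.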
@@ -20,16 +20,17 @@ metadata: spec: selector: matchLabels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node updateStrategy: type: RollingUpdate rollingUpdate: - maxUnavailable: 1 + maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} template: metadata: labels: - k8s-app: istio-cni-node + k8s-app: {{ template "name" . }}-node sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none annotations: sidecar.istio.io/inject: "false" # Add Prometheus Scrape annotations @@ -41,8 +42,14 @@ spec: {{ toYaml .Values.cni.podAnnotations | indent 8 }} {{- end }} spec: + {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} nodeSelector: kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.cni.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} tolerations: # Make sure istio-cni-node gets scheduled on all nodes. - effect: NoSchedule @@ -53,7 +60,7 @@ spec: - effect: NoExecute operator: Exists priorityClassName: system-node-critical - serviceAccountName: istio-cni + serviceAccountName: {{ template "name" . }} # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 5 
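Review bot: `hostNetwork: true` (gated on `cni.ambient.enabled`) puts every listener in this pod on the node's network namespace, and Kubernetes NetworkPolicy does not apply to hostNetwork pods, so the readiness endpoint on port 8000 and the metrics port 15014 declared in the following hunk become reachable by anything that can reach the node, not only the kubelet and the in-cluster scraper. That is inherent to how ambient is wired, but it belongs in a comment on the line, e.g. `# ambient runs on the host network; NetworkPolicy does not cover hostNetwork pods, so the probe/metrics ports (8000, 15014) must be protected by node-level firewalling`, and in the README's Ambient section. Relatedly, the securityContext in the next hunk pairs `privileged: true` with a drop-ALL/add list and an optional `seccompProfile`; as far as I recall containerd's CRI applies neither `capabilities` nor a seccomp profile to privileged containers, so that list records intent rather than reducing privilege and is worth verifying on the target runtime, though that hunk continues past this page. The pod template this hunk belongs to also starts and ends outside the hunk.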
@@ -64,119 +71,138 @@ spec: {{- if contains "/" .Values.cni.image }} image: "{{ .Values.cni.image }}" {{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ template "istio-tag" . }}" {{- end }} {{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} {{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz port: 8000 securityContext: + privileged: true # always requires privilege to be useful (install node plugin, etc) runAsGroup: 0 runAsUser: 0 runAsNonRoot: false - privileged: {{ .Values.cni.privileged }} + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature. + # privileged is redundant with CAP_SYS_ADMIN + # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular + # capabilities we actually require + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces. + # There does not appear to be a more granular capability for this. 
+ - SYS_ADMIN {{- if .Values.cni.seccompProfile }} seccompProfile: {{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} {{- end }} command: ["install-cni"] args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} + {{- if or .Values.cni.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.cni.logging.level .Values.global.logging.level }} {{- end}} {{- if .Values.global.logAsJson }} - --log_as_json {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? 
- - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" - name: REPAIR_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - name: REPAIR_RUN_AS_DAEMON value: "true" - name: REPAIR_SIDECAR_ANNOTATION value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir + {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} - mountPath: /host/etc/cni/net.d name: cni-net-dir - mountPath: /var/run/istio-cni - name: cni-log-dir + name: cni-socket-dir + {{- if .Values.cni.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} resources: {{- if .Values.cni.resources }} {{ toYaml .Values.cni.resources | trim | indent 12 }} {{- else }} {{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} -{{- if .Values.cni.taint.enabled }} - - name: taint-controller -{{- if contains "/" 
.Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - command: ["/opt/local/bin/istio-cni-taint"] - securityContext: - runAsUser: 1337 - runAsGroup: 1337 - runAsNonRoot: true -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - env: - - name: "TAINT_RUN-AS-DAEMON" - value: "true" - - name: "TAINT_CONFIGMAP-NAME" - value: "istio-cni-taint-configmap" - - name: "TAINT_CONFIGMAP-NAMESPACE" - value: {{ .Release.Namespace | quote }} {{- end }} volumes: # Used to install CNI. - name: cni-bin-dir hostPath: path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} + {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.cni.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} - name: cni-net-dir hostPath: path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS log - - name: cni-log-dir + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir hostPath: path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork 
pod.
+ # Once the CNI does mount this, it will get populated and we're good.
diff --git a/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml b/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml
new file mode 100644
index 000000000..6c85d0ae7
--- /dev/null
+++ b/charts/cni/cni/charts/cni/templates/network-attachment-definition.yaml
@@ -0,0 +1,9 @@
+{{- if eq .Values.cni.provider "multus" }}
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+ name: {{ template "name" . }}
+ namespace: default
+ labels:
+ operator.istio.io/component: "Cni"
+{{- end }}
diff --git a/charts/cni/cni/charts/cni/templates/resourcequota.yaml b/charts/cni/cni/charts/cni/templates/resourcequota.yaml
index 15946ae72..90c16af5f 100644
--- a/charts/cni/cni/charts/cni/templates/resourcequota.yaml
+++ b/charts/cni/cni/charts/cni/templates/resourcequota.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ResourceQuota
 metadata:
- name: istio-cni-resource-quota
+ name: {{ template "name" . }}-resource-quota
 namespace: {{ .Release.Namespace }}
 spec:
 hard:
diff --git a/charts/cni/cni/charts/cni/templates/serviceaccount.yaml b/charts/cni/cni/charts/cni/templates/serviceaccount.yaml
index 4645db63a..a4798f214 100644
--- a/charts/cni/cni/charts/cni/templates/serviceaccount.yaml
+++ b/charts/cni/cni/charts/cni/templates/serviceaccount.yaml
@@ -7,10 +7,10 @@ imagePullSecrets:
 {{- end }}
 {{- end }}
 metadata:
- name: istio-cni
+ name: {{ template "name" . }}
 namespace: {{ .Release.Namespace }}
 labels:
- app: istio-cni
+ app: {{ template "name" . }}
 release: {{ .Release.Name }}
 istio.io/rev: {{ .Values.revision | default "default" }}
 install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
diff --git a/charts/cni/cni/charts/cni/templates/zzz_profile.yaml b/charts/cni/cni/charts/cni/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
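Review bot: `privileged: true` is now hardcoded in the install-cni container's securityContext, and the comment calling it "redundant with CAP_SYS_ADMIN" understates it: a privileged container additionally gets the host's device nodes and unmasked `/proc` and `/sys`, and on common runtimes the default seccomp and AppArmor profiles are switched off for it, so the `cni.seccompProfile` value rendered just below may have no effect. Whether `capabilities.drop: [ALL]` is honoured at all on a privileged container is also runtime-specific, so the narrowing this block advertises should be confirmed by inspecting the running process's capability set rather than assumed from the manifest. Because the `cni.privileged` toggle was removed in the same change, there is no longer a way to run an install with neither ambient nor `repair.repairPods` unprivileged; if that mode is still meant to work, consider gating it on `or .Values.cni.ambient.enabled .Values.cni.repair.repairPods`, and otherwise document the always-privileged posture in values. At minimum the comment should read `# privileged grants more than CAP_SYS_ADMIN (host devices, unmasked /proc and /sys, seccomp/AppArmor usually unconfined); the drop/add list narrows capabilities only on runtimes that apply it to privileged containers`.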
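Review bot: `namespace: default` is hardcoded in the NetworkAttachmentDefinition while every other resource in this chart is placed in `{{ .Release.Namespace }}`, so the object lands in `default` regardless of where the release is installed. If that is deliberate — presumably because the network annotation injected into workload pods names the NAD with an explicit `default/` prefix — a comment saying so would stop the next maintainer from "fixing" it; if not, it should be `namespace: {{ .Release.Namespace }}`. The resource also carries no `spec`, so a one-line note on where Multus is expected to find the matching plugin configuration would help.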
+++ b/charts/cni/cni/charts/cni/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/charts/cni/cni/charts/cni/values.yaml b/charts/cni/cni/charts/cni/values.yaml
index 9c3a6ef5a..ba959c95e 100644
--- a/charts/cni/cni/charts/cni/values.yaml
+++ b/charts/cni/cni/charts/cni/values.yaml 
@@ -1,114 +1,144 @@ -cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - - excludeNamespaces: - - istio-system - - kube-system - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # If this value is set a RoleBinding will be created - # in the same namespace as the istio-cni DaemonSet is created. - # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount - # e.g. if you use PodSecurityPolicies - psp_cluster_role: "" - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) - privileged: false - - repair: - enabled: true +# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. +defaults: + cni: hub: "" tag: "" - - labelPods: true - deletePods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. 
- seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - # Experimental taint controller for further race condition mitigation - taint: - enabled: false - - resourceQuotas: - enabled: false - pods: 5000 - -# Revision is set as 'version' label and part of the resource names when installing multiple control planes. -revision: "" - -# For Helm compatibility. -ownerName: "" - -global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.17.1 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. 
- imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI bin and conf dir override settings + # defaults: + cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + # This directory must exist on the node, if it does not, consult your container runtime + # documentation for the appropriate path. + cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: false + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. 
+ # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. 
+ # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.23.3 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi diff --git a/charts/cni/cni/values.schema.json b/charts/cni/cni/values.schema.json index 3b68ce69c..952747cc4 100644 --- a/charts/cni/cni/values.schema.json +++ b/charts/cni/cni/values.schema.json 
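Review bot: The `labelPods` description in the `repair` block reads `labelPods will label all pods with =.` — the key and value placeholders have evidently been lost (most likely angle brackets stripped), leaving the sentence meaningless; suggest `# labelPods will label all broken pods with <brokenPodLabelKey>=<brokenPodLabelValue>.`. In the same hunk `istio-system` is dropped from the `excludeNamespaces` default so only `kube-system` remains; if that is intentional, a one-line comment on why the control-plane namespace no longer needs excluding would keep operators from reflexively adding it back, and if not, it presumably changes which pods the plugin configures. `seccompProfile: {}` remains the default, and since the DaemonSet in this diff is now always privileged, the comment should say whether a `RuntimeDefault` profile is even expected to take effect there.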
@@ -5,175 +5,203 @@ "cni": { "type": "object", "properties": { - "cni": { + "defaults": { "type": "object", "properties": { - "chained": { - "type": "boolean" - }, - "cniBinDir": { - "type": "string" - }, - "cniConfDir": { - "type": "string" - }, - "cniConfFileName": { - "type": "string" - }, - "excludeNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "hub": { - "type": "string" - }, - "image": { - "type": "string" - }, - "logLevel": { - "type": "string" - }, - "podAnnotations": { - "type": "object" - }, - "privileged": { - "type": "boolean" - }, - "psp_cluster_role": { - "type": "string" - }, - "pullPolicy": { - "type": "string" - }, - "repair": { + "cni": { "type": "object", "properties": { - "brokenPodLabelKey": { + "affinity": { + "type": "object" + }, + "ambient": { + "type": "object", + "properties": { + "configDir": { + "type": "string" + }, + "dnsCapture": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "ipv6": { + "type": "boolean" + } + } + }, + "chained": { + "type": "boolean" + }, + "cniBinDir": { "type": "string" }, - "brokenPodLabelValue": { + "cniConfDir": { "type": "string" }, - "deletePods": { - "type": "boolean" + "cniConfFileName": { + "type": "string" }, - "enabled": { - "type": "boolean" + "cniNetnsDir": { + "type": "null" + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } }, "hub": { "type": "string" }, - "initContainerName": { + "image": { "type": "string" }, - "labelPods": { - "type": "boolean" + "logging": { + "type": "object", + "properties": { + "level": { + "type": "string" + } + } }, - "tag": { + "podAnnotations": { + "type": "object" + }, + "provider": { "type": "string" - } - } - }, - "resourceQuotas": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" }, - "pods": { - "type": "integer" - } - } - }, - "resources": { - "type": "object", - "properties": { - "requests": { + "pullPolicy": { + "type": "string" + }, + "repair": { 
"type": "object", "properties": { - "cpu": { + "brokenPodLabelKey": { + "type": "string" + }, + "brokenPodLabelValue": { + "type": "string" + }, + "deletePods": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "hub": { "type": "string" }, - "memory": { + "initContainerName": { + "type": "string" + }, + "labelPods": { + "type": "boolean" + }, + "repairPods": { + "type": "boolean" + }, + "tag": { "type": "string" } } + }, + "resourceQuotas": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "pods": { + "type": "integer" + } + } + }, + "resources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "rollingMaxUnavailable": { + "type": "integer" + }, + "seccompProfile": { + "type": "object" + }, + "tag": { + "type": "string" + }, + "variant": { + "type": "string" } } }, - "seccompProfile": { - "type": "object" - }, - "tag": { - "type": "string" - }, - "taint": { + "global": { "type": "object", "properties": { - "enabled": { + "defaultResources": { + "type": "object", + "properties": { + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "hub": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "logAsJson": { "type": "boolean" - } - } - }, - "variant": { - "type": "string" - } - } - }, - "global": { - "type": "object", - "properties": { - "defaultResources": { - "type": "object", - "properties": { - "requests": { + }, + "logging": { "type": "object", "properties": { - "cpu": { - "type": "string" - }, - "memory": { + "level": { "type": "string" } } - } - } - }, - "hub": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string" - }, - "imagePullSecrets": { - "type": "array" - }, - "logAsJson": { - "type": "boolean" - }, 
- "logging": { - "type": "object", - "properties": { - "level": { + }, + "tag": { + "type": "string" + }, + "variant": { "type": "string" } } }, - "tag": { + "ownerName": { "type": "string" }, - "variant": { + "revision": { "type": "string" } } - }, - "ownerName": { - "type": "string" - }, - "revision": { - "type": "string" } } } diff --git a/charts/cni/cni/values.yaml b/charts/cni/cni/values.yaml index 4add5a60f..c0e5a5779 100644 --- a/charts/cni/cni/values.yaml +++ b/charts/cni/cni/values.yaml 
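Review bot: `"cniNetnsDir": {"type": "null"}` makes the only meaningful value of that field — a string path, which the values file documents as an override for Docker/minikube layouts — a schema violation for anyone who sets it under `defaults`; it should be `{"type": ["string", "null"]}`. `"rollingMaxUnavailable": {"type": "integer"}` has the mirror-image problem, since the values comment explicitly allows a percentage such as `"10%"`, so `{"type": ["integer", "string"]}` matches the documented contract. Both look like artifacts of regenerating the schema from the default values, where a null default and an integer default lose the intended type.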
@@ -1,51 +1,125 @@ # child values cni: - cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - excludeNamespaces: - - istio-system - - kube-system - # Custom annotations on pod level, if you need them - podAnnotations: {} - # If this value is set a RoleBinding will be created - # in the same namespace as the istio-cni DaemonSet is created. - # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount - # e.g. if you use PodSecurityPolicies - psp_cluster_role: "" - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) - privileged: false - repair: - enabled: true + # "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. + # For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. + defaults: + cni: hub: "" tag: "" - labelPods: true - deletePods: true - initContainerName: "istio-validation" - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - # Set to `type: RuntimeDefault` to use the default profile if available. 
- seccompProfile: {} + variant: "" + image: install-cni + pullPolicy: "" + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI bin and conf dir override settings + # defaults: + cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + # This directory must exist on the node, if it does not, consult your container runtime + # documentation for the appropriate path. + cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + excludeNamespaces: + - kube-system + # Allows user to set custom affinity for the DaemonSet + affinity: {} + # Custom annotations on pod level, if you need them + podAnnotations: {} + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: false + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + repair: + enabled: true + hub: "" + tag: "" + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. 
+ # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + initContainerName: "istio-validation" + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + resources: + requests: + cpu: 100m + memory: 100Mi + resourceQuotas: + enabled: false + pods: 5000 + # The number of pods that can be unavailable during rolling update (see + # `updateStrategy.rollingUpdate.maxUnavailable` here: + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + # May be specified as a number of pods or as a percent of the total number + # of pods at the start of the update. + rollingMaxUnavailable: 1 + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + # For Helm compatibility. + ownerName: "" + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.23.3 + # Variant of the image to use. 
+ # Currently supported are: [debug, distroless] + variant: "" + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + logAsJson: false + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + global: + hub: docker.m.daocloud.io/istio + cni: resources: requests: cpu: 10m 
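Review bot: `global.hub` is overridden to `docker.m.daocloud.io/istio` while the image reference is still built from the mutable tag `1.23.3`, so every node pulls the privileged CNI image from a third-party mirror with nothing pinning its content to the upstream release. If the mirror is a hard requirement, record why next to the override and pin or verify the image — by digest, which would need a template change since the daemonset in this diff renders `hub/image:tag`, or by comparing the mirrored image's digest against upstream in CI before the chart is published. The `labelPods will label all pods with =.` comment is duplicated from the subchart values here as well, so the placeholder fix should land in both copies.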
@@ -53,43 +127,3 @@ cni: limits: cpu: 100m memory: 200Mi - # Experimental taint controller for further race condition mitigation - taint: - enabled: false - resourceQuotas: - enabled: false - pods: 5000 - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - # For Helm compatibility. - ownerName: "" - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.m.daocloud.io/istio - # Default tag for Istio images. - tag: 1.17.1 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - logAsJson: false - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi diff --git a/charts/cni/config b/charts/cni/config index 5514c928b..064c6fc8d 100644 --- a/charts/cni/config +++ b/charts/cni/config @@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://istio-release.storage.googleapis.com/charts export REPO_NAME=istio export CHART_NAME=cni -export VERSION=1.17.1 +export VERSION=1.23.3 # pr, issue, none export UPGRADE_METHOD=pr