Skip to content

Commit

Permalink
docs: update cilium instructions
Browse files Browse the repository at this point in the history 
Update cilium instructions to skip mounting `bpffs`.

Also fix the TPM example in release notes.

Signed-off-by: Noel Georgi <git@frezbo.dev>
  • Loading branch information
@frezbo
frezbo committed Aug 3, 2023
1 parent 87fe8f1 commit 76fa45a
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 7 deletions.
3 changes: 2 additions & 1 deletion hack/release.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,10 +133,12 @@ Example machine config:
```
systemDiskEncryption:
ephemeral:
provider: luks2
keys:
- slot: 0
tpm: {}
state:
provider: luks2
keys:
- slot: 0
tpm: {}
Expand All @@ -163,7 +165,6 @@ Both new commands accept `--namespace` flag with two possible values:
* `cri` (default): images managed by the CRI (Kubernetes workloads)
* `system`: images managed by Talos (`etcd` and `kubelet`)
```
"""

[notes.upgrade-k8s]
Expand Down
17 changes: 11 additions & 6 deletions website/content/v1.5/kubernetes-guides/network/deploying-cilium.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ aliases:

> Cilium can be installed either via the `cilium` cli or using `helm`.
This documentation will outline installing Cilium CNI v1.13.0 on Talos in six different ways.
Adhering to Talos principles we'll deploy Cilium with IPAM mode set to Kubernetes, and using the `cgroupv2` mount that talos already provides.
This documentation will outline installing Cilium CNI v1.14.0 on Talos in six different ways.
Adhering to Talos principles we'll deploy Cilium with IPAM mode set to Kubernetes, and using the `cgroupv2` and `bpffs` mount that talos already provides.
As Talos does not allow loading kernel modules by Kubernetes workloads, `SYS_MODULE` capability needs to be dropped from the Cilium default set of values, this override can be seen in the helm/cilium cli install commands.
Each method can either install Cilium using kube proxy (default) or without: [Kubernetes Without kube-proxy](https://docs.cilium.io/en/v1.13/network/kubernetes/kubeproxy-free/)

Expand Down Expand Up @@ -90,6 +90,7 @@ cilium install \
--helm-set=kubeProxyReplacement=strict \
--helm-set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--helm-set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--helm-set=bpf.autoMount.enabled=false \
--helm-set=cgroup.autoMount.enabled=false \
--helm-set=cgroup.hostRoot=/sys/fs/cgroup \
--helm-set=k8sServiceHost=localhost \
Expand Down Expand Up @@ -119,12 +120,13 @@ During this window you can install Cilium manually by running the following:
helm install \
cilium \
cilium/cilium \
--version 1.13.0 \
--version 1.14.0 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set=kubeProxyReplacement=disabled \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=bpf.autoMount.enabled=false \
--set=cgroup.autoMount.enabled=false \
--set=cgroup.hostRoot=/sys/fs/cgroup
```
Expand All @@ -135,12 +137,13 @@ Or if you want to deploy Cilium in strict mode without kube-proxy, also set some
helm install \
cilium \
cilium/cilium \
--version 1.13.0 \
--version 1.14.0 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set=kubeProxyReplacement=strict \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=bpf.autoMount.enabled=false \
--set=cgroup.autoMount.enabled=false \
--set=cgroup.hostRoot=/sys/fs/cgroup \
--set=k8sServiceHost=localhost \
Expand All @@ -157,12 +160,13 @@ Instead of directly installing Cilium you can instead first generate the manifes
helm template \
cilium \
cilium/cilium \
--version 1.13.0 \
--version 1.14.0 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set=kubeProxyReplacement=disabled \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=bpf.autoMount.enabled=false \
--set=cgroup.autoMount.enabled=false \
--set=cgroup.hostRoot=/sys/fs/cgroup > cilium.yaml

Expand All @@ -178,12 +182,13 @@ export KUBERNETES_API_SERVER_PORT=6443
helm template \
cilium \
cilium/cilium \
--version 1.13.0 \
--version 1.14.0 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set=kubeProxyReplacement=strict \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=bpf.autoMount.enabled=false \
--set=cgroup.autoMount.enabled=false \
--set=cgroup.hostRoot=/sys/fs/cgroup \
--set=k8sServiceHost=localhost \
Expand Down

0 comments on commit 76fa45a

Please sign in to comment.