From a340d24985219baee767d1ddab82fc80ccd6c02c Mon Sep 17 00:00:00 2001 From: serge Hartmann Date: Thu, 23 May 2024 14:27:00 +0200 Subject: [PATCH] variables cilium_enable_host_firewall and cilium_policy_audit_mode for configmap/cilium-config capitalise values for Host Firewall and Policy Audit Mode fix missing quotes --- docs/CNI/cilium.md | 24 +++++++++++++++++-- .../group_vars/k8s_cluster/k8s-net-cilium.yml | 4 ++++ roles/network_plugin/cilium/defaults/main.yml | 2 ++ .../cilium/templates/cilium/config.yml.j2 | 6 ++++- 4 files changed, 33 insertions(+), 3 deletions(-) diff --git a/docs/CNI/cilium.md b/docs/CNI/cilium.md index e0a23006265..ad42f88bf85 100644 --- a/docs/CNI/cilium.md +++ b/docs/CNI/cilium.md @@ -170,14 +170,14 @@ Kubespray currently supports Linux distributions with Wireguard Kernel mode on L ## Bandwidth Manager -Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. +Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies. In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods. Bandwidth Manager requires a v5.1.x or more recent Linux kernel. -For further information, make sure to check the official [Cilium documentation.](https://docs.cilium.io/en/v1.12/gettingstarted/bandwidth-manager/) +For further information, make sure to check the official [Cilium documentation](https://docs.cilium.io/en/latest/network/kubernetes/bandwidth-manager/) To use this function, set the following parameters 
@@ -185,6 +185,26 @@ To use this function, set the following parameters cilium_enable_bandwidth_manager: true ``` +## Host Firewall + +Host Firewall enforces security policies for Kubernetes nodes. It is disable by default, since it can break the cluster connectivity. + +```yaml +cilium_enable_host_firewall: true +``` + +For further information, check [host firewall documentation](https://docs.cilium.io/en/latest/security/host-firewall/) + +## Policy Audit Mode + +When _Policy Audit Mode_ is enabled, no network policy is enforced. This feature helps to validate the impact of host policies before enforcing them. + +```yaml +cilium_policy_audit_mode: true +``` + +It is disable by default, and should not be enabled in production. + ## Install Cilium Hubble k8s-net-cilium.yml: diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml index a583540bad2..da56c46e3ee 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml @@ -145,6 +145,10 @@ cilium_l2announcements: false ### A time interval at which the agent attempts to reload config from disk # cilium_ip_masq_resync_interval: 60s +### Host Firewall and Policy Audit Mode +# cilium_enable_host_firewall: false +# cilium_policy_audit_mode: false + # Hubble ### Enable Hubble without install # cilium_enable_hubble: false diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index 7e65e7faf7a..fae0ceeae56 100644 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml @@ -322,3 +322,5 @@ cilium_certgen_args: # resourceNames: # - toto cilium_clusterrole_rules_operator_extra_vars: [] +cilium_enable_host_firewall: false +cilium_policy_audit_mode: false 
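Review bot: The two new defaults appended to roles/network_plugin/cilium/defaults/main.yml, `cilium_enable_host_firewall: false` and `cilium_policy_audit_mode: false`, arrive without any comment, although the docs hunk in this same commit states that with policy audit mode enabled "no network policy is enforced" and that the host firewall "can break the cluster connectivity". Someone reading the defaults file (or the sample inventory, which only says `### Host Firewall and Policy Audit Mode`) has no hint that flipping the second switch silently turns every CiliumNetworkPolicy into log-only. I would put that warning where the variable is defined, e.g. `# Policy audit mode stops enforcement of all network policies (they are only logged); keep false in production` above `cilium_policy_audit_mode`, and `# Host firewall enforces policies on the nodes themselves and can break cluster connectivity if enabled without matching host policies` above `cilium_enable_host_firewall`, mirroring the prose in docs/CNI/cilium.md.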
diff --git a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 b/roles/network_plugin/cilium/templates/cilium/config.yml.j2 index ed37f122f27..38f3baede29 100644 --- a/roles/network_plugin/cilium/templates/cilium/config.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium/config.yml.j2 @@ -138,7 +138,7 @@ data: enable-l2-announcements: "{{ cilium_l2announcements }}" # Enable Bandwidth Manager - # Cilium’s bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. + # Cilium's bandwidth manager supports the kubernetes.io/egress-bandwidth Pod annotation. # Bandwidth enforcement currently does not work in combination with L7 Cilium Network Policies. # In case they select the Pod at egress, then the bandwidth enforcement will be disabled for those Pods. # Bandwidth Manager requires a v5.1.x or more recent Linux kernel. @@ -146,6 +146,10 @@ data: enable-bandwidth-manager: "true" {% endif %} + # Host Firewall and Policy Audit Mode + enable-host-firewall: "{{ cilium_enable_host_firewall | capitalize }}" + policy-audit-mode: "{{ cilium_policy_audit_mode | capitalize }}" + # Name of the cluster. Only relevant when building a mesh of clusters. cluster-name: "{{ cilium_cluster_name }}"
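Review bot: The `| capitalize` filter on the two new ConfigMap keys does not validate anything: a non-boolean inventory value such as `"yes"` or `"enabled"` is forwarded to cilium-config with only its first letter changed, and the agent has to make sense of it, while for genuine booleans the filter is redundant because Ansible already renders them as `True`/`False` (see `enable-l2-announcements: "{{ cilium_l2announcements }}"` in the same hunk). It also introduces a second boolean spelling next to the literal `enable-bandwidth-manager: "true"` a few lines above; Cilium's config loader presumably accepts both, but the role should not depend on that. I would write `enable-host-firewall: "{{ cilium_enable_host_firewall | bool | lower }}"` and `policy-audit-mode: "{{ cilium_policy_audit_mode | bool | lower }}"`, which normalises the accepted truthy/falsy spellings to the lowercase form already used in this template. Since `policy-audit-mode: "true"` makes the agent stop enforcing every network policy (as the docs added by this commit say), a one-line warning above the key would also help, e.g. `# policy-audit-mode "true" disables enforcement of all network policies (log only); never leave it on in production`. The surrounding `data:` mapping starts before this hunk and continues after it.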