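├── README.md
├── cilium-minikube.yaml
├── create-minikube.sh
├── deathstar.yaml
├── examples
│   ├── delay-response.yaml
│   └── service_failure.yaml
└── falcon.yaml
/README.md:
--------------------------------------------------------------------------------
> [!IMPORTANT]
> This repository is archived and unmaintained.
--------------------------------------------------------------------------------
/cilium-minikube.yaml:
--------------------------------------------------------------------------------
---
# Cilium agent install for a single-node minikube cluster: agent ConfigMap,
# DaemonSet, RBAC and ServiceAccount. Reads etcd directly on the node
# (127.0.0.1:2379 via hostNetwork) using the minikube certificates.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  # This etcd-config contains the etcd endpoints of your cluster. If you use
  # TLS please make sure you follow the tutorial in https://cilium.link/etcd-config
  #
  # NOTE: the comments inside the config below still say "uncomment", but the
  # 'ca-file', 'key-file' and 'cert-file' entries are already enabled in this
  # copy. They resolve under /var/lib/etcd-secrets, which the DaemonSet mounts
  # read-only from the host directory /var/lib/minikube/certs/ (volume
  # 'etcd-secrets'); the endpoint is node-local because the agent runs with
  # hostNetwork.
  etcd-config: |-
    ---
    endpoints:
      - https://127.0.0.1:2379
    #
    # In case you want to use TLS in etcd, uncomment the 'ca-file' line
    # and create a kubernetes secret by following the tutorial in
    # https://cilium.link/etcd-config
    ca-file: '/var/lib/etcd-secrets/etcd/ca.crt'
    #
    # In case you want client to server authentication, uncomment the following
    # lines and create a kubernetes secret by following the tutorial in
    # https://cilium.link/etcd-config
    key-file: '/var/lib/etcd-secrets/apiserver-etcd-client.key'
    cert-file: '/var/lib/etcd-secrets/apiserver-etcd-client.crt'

  # If you want to run cilium in debug mode change this value to true
  debug: "false"

  # If you want metrics enabled in all of your Cilium agents, set the port for
  # which the Cilium agents will have their metrics exposed.
  # This option deprecates the "prometheus-serve-addr" in the
  # "cilium-metrics-config" ConfigMap
  # NOTE that this will open the port on ALL nodes where Cilium pods are
  # scheduled.
  # prometheus-serve-addr: ":9090"

  # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4
  # address.
  enable-ipv4: "true"

  # Enable IPv6 addressing. If enabled, all endpoints are allocated an IPv6
  # address.
  enable-ipv6: "false"

  # If a serious issue occurs during Cilium startup, this
  # invasive option may be set to true to remove all persistent
  # state. Endpoints will not be restored using knowledge from a
  # prior Cilium run, so they may receive new IP addresses upon
  # restart. This also triggers clean-cilium-bpf-state.
  clean-cilium-state: "false"
  # If you want to clean cilium BPF state, set this to true;
  # Removes all BPF maps from the filesystem. Upon restart,
  # endpoints are restored with the same IP addresses, however
  # any ongoing connections may be disrupted briefly.
  # Loadbalancing decisions will be reset, so any ongoing
  # connections via a service may be loadbalanced to a different
  # backend after restart.
  clean-cilium-bpf-state: "false"

  # Users who wish to specify their own custom CNI configuration file must set
  # custom-cni-conf to "true", otherwise Cilium may overwrite the configuration.
  custom-cni-conf: "false"

  # If you want cilium monitor to aggregate tracing for packets, set this level
  # to "low", "medium", or "maximum". The higher the level, the fewer packets
  # will be seen in monitor output.
  monitor-aggregation: "none"

  # ct-global-max-entries-* specifies the maximum number of connections
  # supported across all endpoints, split by protocol: tcp or other. One pair
  # of maps uses these values for IPv4 connections, and another pair of maps
  # use these values for IPv6 connections.
  #
  # If these values are modified, then during the next Cilium startup the
  # tracking of ongoing connections may be disrupted. This may lead to brief
  # policy drops or a change in loadbalancing decisions for a connection.
  #
  # For users upgrading from Cilium 1.2 or earlier, to minimize disruption
  # during the upgrade process, comment out these options.
  bpf-ct-global-tcp-max: "524288"
  bpf-ct-global-any-max: "262144"

  # Pre-allocation of map entries allows per-packet latency to be reduced, at
  # the expense of up-front memory allocation for the entries in the maps. The
  # default value below will minimize memory usage in the default installation;
  # users who are sensitive to latency may consider setting this to "true".
  #
  # This option was introduced in Cilium 1.4. Cilium 1.3 and earlier ignore
  # this option and behave as though it is set to "true".
  #
  # If this value is modified, then during the next Cilium startup the restore
  # of existing endpoints and tracking of ongoing connections may be disrupted.
  # This may lead to policy drops or a change in loadbalancing decisions for a
  # connection for some time. Endpoints may need to be recreated to restore
  # connectivity.
  #
  # If this option is set to "false" during an upgrade from 1.3 or earlier to
  # 1.4 or later, then it may cause one-time disruptions during the upgrade.
  preallocate-bpf-maps: "false"

  # Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecar-istio-proxy-image: "cilium/istio_proxy"

  # Encapsulation mode for communication between nodes
  # Possible values:
  #   - disabled
  #   - vxlan (default)
  #   - geneve
  tunnel: "vxlan"

  # Name of the cluster. Only relevant when building a mesh of clusters.
  cluster-name: default

  # Unique ID of the cluster. Must be unique across all connected clusters and
  # in the range of 1 and 255. Only relevant when building a mesh of clusters.
  # cluster-id: 1

  # Interface to be used when running Cilium on top of a CNI plugin.
  # For flannel, use "cni0"
  flannel-master-device: ""
  # When running Cilium with policy enforcement enabled on top of a CNI plugin
  # the BPF programs will be installed on the network interface specified in
  # 'flannel-master-device' and on all network interfaces belonging to
  # a container. When the Cilium DaemonSet is removed, the BPF programs will
  # be kept in the interfaces unless this option is set to "true".
  flannel-uninstall-on-exit: "false"
  # Installs a BPF program to allow for policy enforcement in already running
  # containers managed by Flannel.
  # NOTE: This requires Cilium DaemonSet to be running in the hostPID.
  # To run in this mode in Kubernetes change the value of the hostPID from
  # false to true. Can be found under the path `spec.spec.hostPID`
  flannel-manage-existing-containers: "false"

  # DNS Polling periodically issues a DNS lookup for each `matchName` from
  # cilium-agent. The result is used to regenerate endpoint policy.
  # DNS lookups are repeated with an interval of 5 seconds, and are made for
  # A(IPv4) and AAAA(IPv6) addresses. Should a lookup fail, the most recent IP
  # data is used instead. An IP change will trigger a regeneration of the Cilium
  # policy for each endpoint and increment the per cilium-agent policy
  # repository revision.
  #
  # This option is disabled by default starting from version 1.4.x in favor
  # of a more powerful DNS proxy-based implementation, see [0] for details.
  # Enable this option if you want to use FQDN policies but do not want to use
  # the DNS proxy.
  #
  # To ease upgrade, users may opt to set this option to "true".
  # Otherwise please refer to the Upgrade Guide [1] which explains how to
  # prepare policy rules for upgrade.
  #
  # [0] http://docs.cilium.io/en/stable/policy/language/#dns-based
  # [1] http://docs.cilium.io/en/stable/install/upgrade/#changes-that-may-require-action
  tofqdns-enable-poller: "false"

  # wait-bpf-mount makes init container wait until bpf filesystem is mounted
  wait-bpf-mount: "false"

  # Enable legacy services (prior v1.5) to prevent from terminating existing
  # connections with services when upgrading Cilium from < v1.5 to v1.5.
  enable-legacy-services: "false"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: cilium
    kubernetes.io/cluster-service: "true"
  name: cilium
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: cilium
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      annotations:
        prometheus.io/port: "9090"
        prometheus.io/scrape: "true"
        # This annotation plus the CriticalAddonsOnly toleration makes
        # cilium a critical pod in the cluster, which ensures cilium
        # gets priority scheduling.
        # https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
        scheduler.alpha.kubernetes.io/critical-pod: ""
        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"dedicated","operator":"Equal","value":"master","effect":"NoSchedule"}]'
      labels:
        k8s-app: cilium
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
        - args:
            - --kvstore=etcd
            - --kvstore-opt=etcd.config=/var/lib/etcd-config/etcd.config
            - --config-dir=/tmp/cilium/config-map
          command:
            - cilium-agent
          env:
            - name: K8S_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: CILIUM_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: CILIUM_FLANNEL_MASTER_DEVICE
              valueFrom:
                configMapKeyRef:
                  key: flannel-master-device
                  name: cilium-config
                  optional: true
            - name: CILIUM_FLANNEL_UNINSTALL_ON_EXIT
              valueFrom:
                configMapKeyRef:
                  key: flannel-uninstall-on-exit
                  name: cilium-config
                  optional: true
            # To be removed in Cilium 1.6, use prometheus-serve-addr in the
            # cilium-config ConfigMap
            - name: CILIUM_PROMETHEUS_SERVE_ADDR
              valueFrom:
                configMapKeyRef:
                  key: prometheus-serve-addr
                  name: cilium-metrics-config
                  optional: true
            - name: CILIUM_CLUSTERMESH_CONFIG
              value: /var/lib/cilium/clustermesh/
          # Mutable development tag, not pinned by digest: what this pulls can
          # change between installs. For a reproducible install pin a digest,
          # e.g. image: docker.io/cilium/cilium-dev@sha256:<digest>
          image: docker.io/cilium/cilium-dev:chaos-testing
          imagePullPolicy: IfNotPresent
          lifecycle:
            postStart:
              exec:
                command:
                  - /cni-install.sh
            preStop:
              exec:
                command:
                  - /cni-uninstall.sh
          livenessProbe:
            exec:
              command:
                - cilium
                - status
                - --brief
            failureThreshold: 10
            # The initial delay for the liveness probe is intentionally large to
            # avoid an endless kill & restart cycle in the event that the initial
            # bootstrapping takes longer than expected.
            initialDelaySeconds: 120
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: cilium-agent
          ports:
            # Exposed on the node itself (hostNetwork + hostPort); see the
            # prometheus-serve-addr note in the ConfigMap.
            - containerPort: 9090
              hostPort: 9090
              name: prometheus
              protocol: TCP
          readinessProbe:
            exec:
              command:
                - cilium
                - status
                - --brief
            failureThreshold: 3
            initialDelaySeconds: 5
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
            privileged: true
          volumeMounts:
            - mountPath: /sys/fs/bpf
              name: bpf-maps
            - mountPath: /var/run/cilium
              name: cilium-run
            - mountPath: /host/opt/cni/bin
              name: cni-path
            - mountPath: /host/etc/cni/net.d
              name: etc-cni-netd
            # readOnly applies to the bind mount, not to the Docker API served
            # over the socket; the container is privileged regardless.
            - mountPath: /var/run/docker.sock
              name: docker-socket
              readOnly: true
            - mountPath: /var/lib/etcd-config
              name: etcd-config-path
              readOnly: true
            - mountPath: /var/lib/etcd-secrets
              name: etcd-secrets
              readOnly: true
            - mountPath: /var/lib/cilium/clustermesh
              name: clustermesh-secrets
              readOnly: true
            - mountPath: /tmp/cilium/config-map
              name: cilium-config-path
              readOnly: true
            # Needed to be able to load kernel modules
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      hostPID: false
      initContainers:
        - command:
            - /init-container.sh
          env:
            - name: CLEAN_CILIUM_STATE
              valueFrom:
                configMapKeyRef:
                  key: clean-cilium-state
                  name: cilium-config
                  optional: true
            - name: CLEAN_CILIUM_BPF_STATE
              valueFrom:
                configMapKeyRef:
                  key: clean-cilium-bpf-state
                  name: cilium-config
                  optional: true
          image: docker.io/cilium/cilium-init:2019-04-05
          imagePullPolicy: IfNotPresent
          name: clean-cilium-state
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
            privileged: true
          volumeMounts:
            - mountPath: /sys/fs/bpf
              name: bpf-maps
            - mountPath: /var/run/cilium
              name: cilium-run
      priorityClassName: system-node-critical
      restartPolicy: Always
      serviceAccount: cilium
      serviceAccountName: cilium
      terminationGracePeriodSeconds: 1
      tolerations:
        - operator: Exists
      volumes:
        # To keep state between restarts / upgrades
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
        # To keep state between restarts / upgrades for bpf maps
        - hostPath:
            path: /sys/fs/bpf
            type: DirectoryOrCreate
          name: bpf-maps
        # To read docker events from the node
        - hostPath:
            path: /var/run/docker.sock
            type: Socket
          name: docker-socket
        # To install cilium cni plugin in the host
        - hostPath:
            path: /opt/cni/bin
            type: DirectoryOrCreate
          name: cni-path
        # To install cilium cni configuration in the host
        - hostPath:
            path: /etc/cni/net.d
            type: DirectoryOrCreate
          name: etc-cni-netd
        # To be able to load kernel modules
        - hostPath:
            path: /lib/modules
          name: lib-modules
        # To read the etcd config stored in config maps
        - configMap:
            defaultMode: 420
            items:
              - key: etcd-config
                path: etcd.config
            name: cilium-config
          name: etcd-config-path
        # To read the k8s etcd secrets in case the user might want to use TLS.
        # NOTE: this hands the agent the whole minikube certificate directory
        # (read-only), not only the three files referenced by etcd-config.
        - name: etcd-secrets
          hostPath:
            path: /var/lib/minikube/certs/
            type: DirectoryOrCreate
        # To read the clustermesh configuration
        - name: clustermesh-secrets
          secret:
            defaultMode: 420
            optional: true
            secretName: cilium-clustermesh
        # To read the configuration from the config map
        - configMap:
            name: cilium-config
          name: cilium-config-path
  updateStrategy:
    rollingUpdate:
      # Specifies the maximum number of Pods that can be unavailable during the update process.
      maxUnavailable: 2
    type: RollingUpdate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cilium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cilium
subjects:
  - kind: ServiceAccount
    name: cilium
    namespace: kube-system
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
      - services
      - nodes
      - endpoints
      - componentstatuses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - create
      - get
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - get
      - list
      - watch
      - update
  - apiGroups:
      - cilium.io
    resources:
      - ciliumnetworkpolicies
      - ciliumnetworkpolicies/status
      - ciliumendpoints
      - ciliumendpoints/status
    verbs:
      - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cilium
  namespace: kube-system
--------------------------------------------------------------------------------
/create-minikube.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Start a minikube cluster with CNI networking so that cilium-minikube.yaml
# can be applied on top of it.
set -eu
minikube start --network-plugin=cni --memory=4096
--------------------------------------------------------------------------------
/deathstar.yaml:
--------------------------------------------------------------------------------
# Target workload for the chaos policies in examples/: an httpbin Service
# selected by app=deathstar on port 80.
apiVersion: v1
kind: Service
metadata:
  name: deathstar
  labels:
    app: deathstar
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: deathstar
---
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16) and
# requires an explicit spec.selector matching the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deathstar
spec:
  replicas: 1
  selector:
    matchLabels:
      app: deathstar
  template:
    metadata:
      labels:
        app: deathstar
        version: v1
    spec:
      containers:
        # No tag means :latest; pin a tag or digest for a reproducible demo.
        - image: docker.io/kennethreitz/httpbin
          imagePullPolicy: IfNotPresent
          name: deathstar
--------------------------------------------------------------------------------
/examples/delay-response.yaml:
--------------------------------------------------------------------------------
# Chaos L7 rule: for half of the HTTP requests reaching deathstar on port 80,
# delay the request by 1s. Requires a Cilium build that provides the
# "chaos" L7 proxy (see the cilium-dev:chaos-testing image).
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "chaos-delay-request"
specs:
  - endpointSelector:
      matchLabels:
        app: deathstar
    ingress:
      - toPorts:
          - ports:
              - port: "80"
                protocol: TCP
            rules:
              l7proto: chaos
              l7:
                - probability: "0.5"
                  delay-request: 1s
--------------------------------------------------------------------------------
/examples/service_failure.yaml:
--------------------------------------------------------------------------------
# Chaos L7 rule: for 80% of the HTTP requests reaching deathstar on port 80,
# replace the response status with "504 Application Error". Requires a
# Cilium build that provides the "chaos" L7 proxy.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "chaos-rewrite-status"
specs:
  - endpointSelector:
      matchLabels:
        app: deathstar
    ingress:
      - toPorts:
          - ports:
              - port: "80"
                protocol: TCP
            rules:
              l7proto: chaos
              l7:
                - probability: "0.8"
                  # Quoted so the value is unambiguously one string.
                  rewrite-status: "504 Application Error"
--------------------------------------------------------------------------------
/falcon.yaml:
--------------------------------------------------------------------------------
# Client pod used to send requests to the deathstar service; it just sleeps
# so you can exec into it and run curl.
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16) and
# requires an explicit spec.selector matching the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: falcon
spec:
  replicas: 1
  selector:
    matchLabels:
      app: curl
  template:
    metadata:
      labels:
        app: curl
    spec:
      containers:
        # No tag means :latest; pin a tag or digest for a reproducible demo.
        - image: docker.io/tutum/curl
          imagePullPolicy: IfNotPresent
          name: curl
          command: ["sleep"]
          args:
            - 1000h
--------------------------------------------------------------------------------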