feat: replace kube-proxy with cni functionality

vexxhost · Mar 7, 2024 · 5edc615 · 5edc615
1 parent 5711e3c
commit 5edc615
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 0 deletions.
diff --git a/roles/cilium/defaults/main.yml b/roles/cilium/defaults/main.yml
@@ -7,3 +7,5 @@ cilium_helm_values: {}
 
 cilium_node_image: quay.io/cilium/cilium:v1.13.3@sha256:77176464a1e11ea7e89e984ac7db365e7af39851507e94f137dcf56c87746314
 cilium_operator_image: quay.io/cilium/operator-generic:v1.13.3@sha256:fa7003cbfdf8358cb71786afebc711b26e5e44a2ed99bd4944930bba915b8910
+
+cilium_replace_kube_proxy: false
diff --git a/roles/cilium/templates/values.yml.j2 b/roles/cilium/templates/values.yml.j2
@@ -20,3 +20,9 @@ operator:
 ipam:
   operator:
     clusterPoolIPv4PodCIDR: "{{ cilium_ipv4_cidr | default('10.0.0.0/8') }}"
+{% if cilium_replace_kube_proxy %}
+k8sServiceHost: "{{ kubernetes_hostname }}"
+k8sServicePort: 6443
+# NOTE(fitbeard): In a newer chart versions this value should be changed to 'true'.
+kubeProxyReplacement: "strict"
+{% endif %}
diff --git a/roles/kubernetes/defaults/main.yml b/roles/kubernetes/defaults/main.yml
@@ -43,3 +43,6 @@ kubernetes_coredns_node_selector:
 
 # Allow custom CA usage in the cluster
 kubernetes_allow_custom_ca: false
+
+# Do not use kube-proxy. Instead use/configure cni replacement.
+kubernetes_remove_kube_proxy: false
diff --git a/roles/kubernetes/tasks/bootstrap-cluster.yml b/roles/kubernetes/tasks/bootstrap-cluster.yml
@@ -102,6 +102,7 @@
   throttle: 1
   ansible.builtin.shell: |
     kubeadm init --config /etc/kubernetes/kubeadm.yaml --upload-certs \
+                 {% if kubernetes_remove_kube_proxy %}--skip-phases=addon/kube-proxy \{% endif %}
                  --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests{% if kubernetes_allow_unsafe_swap %},Swap{% endif %}
   args:
     creates: /etc/kubernetes/admin.conf

diff --git a/roles/kubernetes/tasks/control-plane.yml b/roles/kubernetes/tasks/control-plane.yml
@@ -55,6 +55,18 @@
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
 
+- name: Remove kube-proxy resources
+  kubernetes.core.k8s:
+    state: absent
+    api_version: v1
+    kind: "{{ item }}"
+    namespace: kube-system
+    name: kube-proxy
+  with_items:
+    - DaemonSet
+    - ConfigMap
+  when: kubernetes_remove_kube_proxy | bool
+
 - name: Upgrade if necessary
   when:
     - kubernetes_upgrade_check_upgrade_required is defined