Pod Details
Containers
Init Containers
Metadata
Creation Time: 2024-10-24T22:00:27Z
Labels:
- app.kubernetes.io/name: cilium-agent...
- app.kubernetes.io/part-of: cilium...
- controller-revision-hash: 6bdc6b847f...
- doks.digitalocean.com/managed: true...
- k8s-app: cilium
- kubernetes.io/cluster-service: true...
- pod-template-generation: 4...
Annotations:
- clusterlint.digitalocean.com/disabled-checks: privileged-container...
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined...
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined...
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined...
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined...
- kubectl.kubernetes.io/default-container: cilium-agent...
- prometheus.io/port: 9090...
- prometheus.io/scrape: true...
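# Pod metadata for cilium-rmgzn in kube-system, restored to one key per line
# (the page render had fused every key onto the preceding value).
name: cilium-rmgzn
generateName: cilium-
namespace: kube-system
uid: dd9e26bd-92b5-4eab-a39c-cf5916135cc1
resourceVersion: '36451753'
creationTimestamp: '2024-10-24T22:00:27Z'
labels:
  app.kubernetes.io/name: cilium-agent
  app.kubernetes.io/part-of: cilium
  controller-revision-hash: 6bdc6b847f
  # Marks the pod as provider-managed; values are strings, hence the quotes.
  doks.digitalocean.com/managed: 'true'
  k8s-app: cilium
  kubernetes.io/cluster-service: 'true'
  pod-template-generation: '4'
annotations:
  # Suppresses four clusterlint checks for this pod. The exemption hides
  # exactly the properties a reviewer cares about (privileged containers,
  # root user, hostPath volumes), so audit the spec directly rather than
  # relying on a clean lint report.
  clusterlint.digitalocean.com/disabled-checks: privileged-containers,non-root-user,resource-requirements,hostpath-volume
  # Four containers run with no AppArmor profile ("unconfined"). These are
  # the beta per-container annotations; newer Kubernetes releases express
  # the same setting through securityContext.appArmorProfile.
  container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
  container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
  container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
  container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
  kubectl.kubernetes.io/default-container: cilium-agent
  # Advertises a metrics endpoint on port 9090 to Prometheus-style scrapers.
  # NOTE(review): confirm who can reach that port on the node network.
  prometheus.io/port: '9090'
  prometheus.io/scrape: 'true'
ownerReferences:
  # Owned and recreated by the "cilium" DaemonSet; edits to the pod itself
  # do not persist.
  - apiVersion: apps/v1
    kind: DaemonSet
    name: cilium
    uid: f644a837-ae29-48a0-89c7-2d886e50903e
    controller: true
    blockOwnerDeletion: true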
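# Container spec of the long-running Cilium agent, restored to one key per
# line (the page render had fused every key onto the preceding value).
- name: cilium-agent
  # Referenced by a mutable tag, and IfNotPresent (below) means a node keeps
  # whatever it first pulled under that tag. Pinning by digest makes the
  # running code auditable.
  image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
  command:
    - cilium-agent
  args:
    - '--config-dir=/tmp/cilium/config-map'
    - >-
      --k8s-api-server=https://f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
    - '--ipv4-native-routing-cidr=10.244.0.0/16'
  ports:
    # hostPort binds these on the node itself, so they are reachable at the
    # node's address; restrict them with node-level firewalling if needed.
    - name: peer-service
      hostPort: 4244
      containerPort: 4244
      protocol: TCP
    - name: prometheus
      hostPort: 9090
      containerPort: 9090
      protocol: TCP
  env:
    - name: K8S_NODE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: spec.nodeName
    - name: CILIUM_K8S_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: CILIUM_CLUSTERMESH_CONFIG
      value: /var/lib/cilium/clustermesh/
    # The agent is pointed at the API server by name rather than through the
    # in-cluster Service address.
    - name: KUBERNETES_SERVICE_HOST
      value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
    - name: KUBERNETES_SERVICE_PORT
      value: '443'
  resources:
    # Requests only, no limits.
    requests:
      cpu: 300m
      memory: 300Mi
  volumeMounts:
    # No readOnly on the two /proc/sys mounts: the container can change the
    # node's network and kernel sysctls.
    - name: host-proc-sys-net
      mountPath: /host/proc/sys/net
    - name: host-proc-sys-kernel
      mountPath: /host/proc/sys/kernel
    - name: bpf-maps
      mountPath: /sys/fs/bpf
      mountPropagation: HostToContainer
    - name: cilium-run
      mountPath: /var/run/cilium
    # Writable mount of the node's CNI configuration directory.
    - name: etc-cni-netd
      mountPath: /host/etc/cni/net.d
    - name: clustermesh-secrets
      readOnly: true
      mountPath: /var/lib/cilium/clustermesh
    - name: lib-modules
      readOnly: true
      mountPath: /lib/modules
    - name: xtables-lock
      mountPath: /run/xtables.lock
    - name: hubble-tls
      readOnly: true
      mountPath: /var/lib/cilium/tls/hubble
    - name: tmp
      mountPath: /tmp
    - name: kube-api-access-xwk5p
      readOnly: true
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  # All three probes use plain HTTP against the loopback address only.
  livenessProbe:
    httpGet:
      path: /healthz
      port: 9879
      host: 127.0.0.1
      scheme: HTTP
      httpHeaders:
        - name: brief
          value: 'true'
    initialDelaySeconds: 120
    timeoutSeconds: 5
    periodSeconds: 30
    successThreshold: 1
    failureThreshold: 10
  readinessProbe:
    httpGet:
      path: /healthz
      port: 9879
      host: 127.0.0.1
      scheme: HTTP
      httpHeaders:
        - name: brief
          value: 'true'
    timeoutSeconds: 5
    periodSeconds: 30
    successThreshold: 1
    failureThreshold: 3
  startupProbe:
    httpGet:
      path: /healthz
      port: 9879
      host: 127.0.0.1
      scheme: HTTP
      httpHeaders:
        - name: brief
          value: 'true'
    timeoutSeconds: 1
    periodSeconds: 2
    successThreshold: 1
    failureThreshold: 105
  lifecycle:
    postStart:
      exec:
        command:
          - bash
          - '-c'
          # The hook rewrites the node's iptables rule set on every start.
          # NOTE(review): line breaks and indentation inside this script were
          # lost in the page render and are restored here at statement
          # boundaries; written as a literal block so the newlines survive.
          - |
            set -o errexit
            set -o pipefail
            set -o nounset
            # When running in AWS ENI mode, it's likely that 'aws-node' has
            # had a chance to install SNAT iptables rules. These can result
            # in dropped traffic, so we should attempt to remove them.
            # We do it using a 'postStart' hook since this may need to run
            # for nodes which might have already been init'ed but may still
            # have dangling rules. This is safe because there are no
            # dependencies on anything that is part of the startup script
            # itself, and can be safely run multiple times per node (e.g. in
            # case of a restart).
            if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
            then
                echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
                iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
            fi
            echo 'Done!'
    preStop:
      exec:
        command:
          - /cni-uninstall.sh
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: FallbackToLogsOnError
  imagePullPolicy: IfNotPresent
  securityContext:
    capabilities:
      # "drop: ALL" followed by twelve re-added capabilities. SYS_ADMIN,
      # SYS_MODULE, NET_ADMIN and DAC_OVERRIDE together amount to
      # administrative control of the node, so exec/attach rights on this
      # pod should be granted as carefully as node access.
      add:
        - CHOWN
        - KILL
        - NET_ADMIN
        - NET_RAW
        - IPC_LOCK
        - SYS_MODULE
        - SYS_ADMIN
        - SYS_RESOURCE
        - DAC_OVERRIDE
        - FOWNER
        - SETGID
        - SETUID
      drop:
        - ALL
    seLinuxOptions:
      # spc_t is the SELinux "super privileged container" type, which is
      # largely exempt from container confinement policy.
      type: spc_t
      level: s0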
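# PodSpec of the Cilium agent pod, restored to one key per line (the page
# render had fused every key onto the preceding value). Review comments mark
# the settings that give this pod node-level privileges.
volumes:
  # The node's own kubectl binary is mounted into an init container, so that
  # container executes code supplied by the node rather than by the image.
  - name: host-kubectl
    hostPath:
      path: /usr/bin/kubectl
      type: File
  - name: tmp
    emptyDir: {}
  - name: cilium-run
    hostPath:
      path: /var/run/cilium
      type: DirectoryOrCreate
  - name: bpf-maps
    hostPath:
      path: /sys/fs/bpf
      type: DirectoryOrCreate
  # The whole host /proc, used by the nsenter init containers below.
  - name: hostproc
    hostPath:
      path: /proc
      type: Directory
  - name: cilium-cgroup
    hostPath:
      path: /run/cilium/cgroupv2
      type: DirectoryOrCreate
  # Node directories holding CNI plugin binaries and CNI configuration;
  # write access here controls what the kubelet runs for pod networking.
  - name: cni-path
    hostPath:
      path: /opt/cni/bin
      type: DirectoryOrCreate
  - name: etc-cni-netd
    hostPath:
      path: /etc/cni/net.d
      type: DirectoryOrCreate
  # Empty type: no existence or kind check is made before mounting.
  - name: lib-modules
    hostPath:
      path: /lib/modules
      type: ''
  - name: xtables-lock
    hostPath:
      path: /run/xtables.lock
      type: FileOrCreate
  - name: clustermesh-secrets
    projected:
      sources:
        - secret:
            name: cilium-clustermesh
            optional: true
        - secret:
            name: clustermesh-apiserver-remote-cert
            items:
              - key: tls.key
                path: common-etcd-client.key
              - key: tls.crt
                path: common-etcd-client.crt
              - key: ca.crt
                path: common-etcd-client-ca.crt
            optional: true
      # Decimal 256 is octal 0400 (owner read-only), appropriate for keys.
      defaultMode: 256
  - name: host-proc-sys-net
    hostPath:
      path: /proc/sys/net
      type: Directory
  - name: host-proc-sys-kernel
    hostPath:
      path: /proc/sys/kernel
      type: Directory
  - name: hubble-tls
    projected:
      sources:
        - secret:
            name: hubble-server-certs
            items:
              - key: tls.crt
                path: server.crt
              - key: tls.key
                path: server.key
              - key: ca.crt
                path: client-ca.crt
            optional: true
      # Decimal 256 is octal 0400.
      defaultMode: 256
  # Bound service-account token, mounted into every container below.
  - name: kube-api-access-xwk5p
    projected:
      sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            name: kube-root-ca.crt
            items:
              - key: ca.crt
                path: ca.crt
        - downwardAPI:
            items:
              - path: namespace
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
      # Decimal 420 is octal 0644.
      defaultMode: 420
initContainers:
  # Every container uses the same image by mutable tag with IfNotPresent;
  # status.imageID on this page records the digest that was actually run.
  - name: delay-cilium-for-ccm
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - bash
      - '-e'
      - '-c'
      # NOTE(review): line breaks inside this script were lost in the page
      # render and are restored here; the "until" loop is a single line.
      - |
        # This will get the node object for the local node and search through
        # the assigned addresses in the object in order to check whether CCM
        # already set the internal AND external IP since cilium needs both
        # for a clean startup.
        # The grep matches regardless of the order of IPs.
        until /host/usr/bin/kubectl get node ${HOSTNAME} -ojsonpath="{.status.addresses[*].type}" | grep -E "InternalIP.*ExternalIP|ExternalIP.*InternalIP"; do echo "waiting for CCM to store internal and external IP addresses in node object: ${HOSTNAME}" && sleep 3; done;
    env:
      - name: KUBERNETES_SERVICE_HOST
        value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
      - name: KUBERNETES_SERVICE_PORT
        value: '443'
    resources:
      requests:
        cpu: 100m
        memory: 100Mi
    volumeMounts:
      - name: host-kubectl
        mountPath: /host/usr/bin/kubectl
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    imagePullPolicy: IfNotPresent
    # No securityContext is set on this container or on "config" below.
  - name: config
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - cilium
      - build-config
      - '--source=config-map:cilium-config'
    env:
      - name: K8S_NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: CILIUM_K8S_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      - name: KUBERNETES_SERVICE_HOST
        value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
      - name: KUBERNETES_SERVICE_PORT
        value: '443'
    resources: {}
    volumeMounts:
      - name: tmp
        mountPath: /tmp
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
  # mount-cgroup and apply-sysctl-overwrites copy a helper from the image
  # into the node's CNI bin directory and run it inside the host's
  # namespaces via nsenter, so the image's integrity is node-critical.
  - name: mount-cgroup
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - sh
      - '-ec'
      # NOTE(review): line breaks restored from the collapsed page render.
      - |
        cp /usr/bin/cilium-mount /hostbin/cilium-mount;
        nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
        rm /hostbin/cilium-mount
    env:
      - name: CGROUP_ROOT
        value: /run/cilium/cgroupv2
      - name: BIN_PATH
        value: /opt/cni/bin
    resources: {}
    volumeMounts:
      - name: hostproc
        mountPath: /hostproc
      - name: cni-path
        mountPath: /hostbin
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        # Presumably the minimum nsenter needs to join PID 1's namespaces.
        add:
          - SYS_ADMIN
          - SYS_CHROOT
          - SYS_PTRACE
        drop:
          - ALL
      seLinuxOptions:
        # SELinux "super privileged container" type.
        type: spc_t
        level: s0
  - name: apply-sysctl-overwrites
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - sh
      - '-ec'
      # NOTE(review): line breaks restored from the collapsed page render.
      - |
        cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
        nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
        rm /hostbin/cilium-sysctlfix
    env:
      - name: BIN_PATH
        value: /opt/cni/bin
    resources: {}
    volumeMounts:
      - name: hostproc
        mountPath: /hostproc
      - name: cni-path
        mountPath: /hostbin
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
          - SYS_ADMIN
          - SYS_CHROOT
          - SYS_PTRACE
        drop:
          - ALL
      seLinuxOptions:
        type: spc_t
        level: s0
  - name: mount-bpf-fs
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - /bin/bash
      - '-c'
      - '--'
    args:
      - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
    resources: {}
    volumeMounts:
      - name: bpf-maps
        mountPath: /sys/fs/bpf
        # Bidirectional propagation pushes mounts made here back to the
        # node; Kubernetes only allows it for privileged containers.
        mountPropagation: Bidirectional
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      # The only fully privileged container in the pod: no capability,
      # device or seccomp restriction applies to it.
      privileged: true
  - name: clean-cilium-state
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - /init-container.sh
    env:
      - name: CILIUM_ALL_STATE
        valueFrom:
          configMapKeyRef:
            name: cilium-config
            key: clean-cilium-state
            optional: true
      - name: CILIUM_BPF_STATE
        valueFrom:
          configMapKeyRef:
            name: cilium-config
            key: clean-cilium-bpf-state
            optional: true
      - name: KUBERNETES_SERVICE_HOST
        value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
      - name: KUBERNETES_SERVICE_PORT
        value: '443'
    resources: {}
    volumeMounts:
      - name: bpf-maps
        mountPath: /sys/fs/bpf
      - name: cilium-cgroup
        mountPath: /run/cilium/cgroupv2
        mountPropagation: HostToContainer
      - name: cilium-run
        mountPath: /var/run/cilium
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
          - SYS_MODULE
          - SYS_ADMIN
          - SYS_RESOURCE
        drop:
          - ALL
      seLinuxOptions:
        type: spc_t
        level: s0
  - name: install-cni-binaries
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - /install-plugin.sh
    resources:
      requests:
        cpu: 100m
        memory: 10Mi
    volumeMounts:
      # Writable mount of the node's CNI plugin directory.
      - name: cni-path
        mountPath: /host/opt/cni/bin
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      # No capabilities at all, but still the spc_t SELinux type.
      capabilities:
        drop:
          - ALL
      seLinuxOptions:
        type: spc_t
        level: s0
containers:
  - name: cilium-agent
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    command:
      - cilium-agent
    args:
      - '--config-dir=/tmp/cilium/config-map'
      - >-
        --k8s-api-server=https://f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
      - '--ipv4-native-routing-cidr=10.244.0.0/16'
    ports:
      # With hostNetwork (below) and hostPort these listen on the node's
      # own address.
      - name: peer-service
        hostPort: 4244
        containerPort: 4244
        protocol: TCP
      - name: prometheus
        hostPort: 9090
        containerPort: 9090
        protocol: TCP
    env:
      - name: K8S_NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: CILIUM_K8S_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      - name: CILIUM_CLUSTERMESH_CONFIG
        value: /var/lib/cilium/clustermesh/
      - name: KUBERNETES_SERVICE_HOST
        value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
      - name: KUBERNETES_SERVICE_PORT
        value: '443'
    resources:
      requests:
        cpu: 300m
        memory: 300Mi
    volumeMounts:
      # The two /proc/sys mounts are writable: the agent can change the
      # node's network and kernel sysctls.
      - name: host-proc-sys-net
        mountPath: /host/proc/sys/net
      - name: host-proc-sys-kernel
        mountPath: /host/proc/sys/kernel
      - name: bpf-maps
        mountPath: /sys/fs/bpf
        mountPropagation: HostToContainer
      - name: cilium-run
        mountPath: /var/run/cilium
      - name: etc-cni-netd
        mountPath: /host/etc/cni/net.d
      - name: clustermesh-secrets
        readOnly: true
        mountPath: /var/lib/cilium/clustermesh
      - name: lib-modules
        readOnly: true
        mountPath: /lib/modules
      - name: xtables-lock
        mountPath: /run/xtables.lock
      - name: hubble-tls
        readOnly: true
        mountPath: /var/lib/cilium/tls/hubble
      - name: tmp
        mountPath: /tmp
      - name: kube-api-access-xwk5p
        readOnly: true
        mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    # All three probes use plain HTTP against the loopback address only.
    livenessProbe:
      httpGet:
        path: /healthz
        port: 9879
        host: 127.0.0.1
        scheme: HTTP
        httpHeaders:
          - name: brief
            value: 'true'
      initialDelaySeconds: 120
      timeoutSeconds: 5
      periodSeconds: 30
      successThreshold: 1
      failureThreshold: 10
    readinessProbe:
      httpGet:
        path: /healthz
        port: 9879
        host: 127.0.0.1
        scheme: HTTP
        httpHeaders:
          - name: brief
            value: 'true'
      timeoutSeconds: 5
      periodSeconds: 30
      successThreshold: 1
      failureThreshold: 3
    startupProbe:
      httpGet:
        path: /healthz
        port: 9879
        host: 127.0.0.1
        scheme: HTTP
        httpHeaders:
          - name: brief
            value: 'true'
      timeoutSeconds: 1
      periodSeconds: 2
      successThreshold: 1
      failureThreshold: 105
    lifecycle:
      postStart:
        exec:
          command:
            - bash
            - '-c'
            # The hook rewrites the node's iptables rule set on every start.
            # NOTE(review): line breaks and indentation inside this script
            # were lost in the page render and are restored here.
            - |
              set -o errexit
              set -o pipefail
              set -o nounset
              # When running in AWS ENI mode, it's likely that 'aws-node' has
              # had a chance to install SNAT iptables rules. These can result
              # in dropped traffic, so we should attempt to remove them.
              # We do it using a 'postStart' hook since this may need to run
              # for nodes which might have already been init'ed but may still
              # have dangling rules. This is safe because there are no
              # dependencies on anything that is part of the startup script
              # itself, and can be safely run multiple times per node (e.g. in
              # case of a restart).
              if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
              then
                  echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
                  iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
              fi
              echo 'Done!'
      preStop:
        exec:
          command:
            - /cni-uninstall.sh
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        # "drop: ALL" followed by twelve re-added capabilities. SYS_ADMIN,
        # SYS_MODULE, NET_ADMIN and DAC_OVERRIDE together amount to
        # administrative control of the node, so exec/attach rights on this
        # pod should be granted as carefully as node access.
        add:
          - CHOWN
          - KILL
          - NET_ADMIN
          - NET_RAW
          - IPC_LOCK
          - SYS_MODULE
          - SYS_ADMIN
          - SYS_RESOURCE
          - DAC_OVERRIDE
          - FOWNER
          - SETGID
          - SETUID
        drop:
          - ALL
      seLinuxOptions:
        type: spc_t
        level: s0
restartPolicy: Always
terminationGracePeriodSeconds: 1
# With hostNetwork: true, ClusterFirst falls back to the node's resolver
# configuration; ClusterFirstWithHostNet would be needed for cluster DNS.
dnsPolicy: ClusterFirst
nodeSelector:
  kubernetes.io/os: linux
# serviceAccount is the deprecated alias of serviceAccountName. The RBAC
# bound to "cilium" is part of this pod's effective privilege and is not
# visible on this page.
serviceAccountName: cilium
serviceAccount: cilium
automountServiceAccountToken: true
nodeName: system-0-bf7s0
# The pod shares the node's network namespace.
hostNetwork: true
# Empty pod-level securityContext: no runAsNonRoot, seccompProfile or
# fsGroup is set here, so everything depends on the per-container settings.
securityContext: {}
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchFields:
            - key: metadata.name
              operator: In
              values:
                - system-0-bf7s0
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            k8s-app: cilium
        topologyKey: kubernetes.io/hostname
schedulerName: default-scheduler
tolerations:
  # A keyless "Exists" toleration matches every taint, which makes the
  # specific entries after it redundant.
  - operator: Exists
  - key: node.kubernetes.io/not-ready
    operator: Exists
    effect: NoExecute
  - key: node.kubernetes.io/unreachable
    operator: Exists
    effect: NoExecute
  - key: node.kubernetes.io/disk-pressure
    operator: Exists
    effect: NoSchedule
  - key: node.kubernetes.io/memory-pressure
    operator: Exists
    effect: NoSchedule
  - key: node.kubernetes.io/pid-pressure
    operator: Exists
    effect: NoSchedule
  - key: node.kubernetes.io/unschedulable
    operator: Exists
    effect: NoSchedule
  - key: node.kubernetes.io/network-unavailable
    operator: Exists
    effect: NoSchedule
priorityClassName: system-node-critical
priority: 2000001000
enableServiceLinks: true
preemptionPolicy: PreemptLowerPriority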
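# Pod status as reported by the kubelet, restored to one key per line (the
# page render had fused every key onto the preceding value).
phase: Running
conditions:
  - type: Initialized
    status: 'True'
    lastProbeTime: null
    lastTransitionTime: '2024-10-24T22:00:44Z'
  - type: Ready
    status: 'True'
    lastProbeTime: null
    lastTransitionTime: '2024-10-24T22:00:49Z'
  - type: ContainersReady
    status: 'True'
    lastProbeTime: null
    lastTransitionTime: '2024-10-24T22:00:49Z'
  - type: PodScheduled
    status: 'True'
    lastProbeTime: null
    lastTransitionTime: '2024-10-24T22:00:27Z'
# podIP equals hostIP, as expected for a pod on the host network.
hostIP: 10.108.0.2
podIP: 10.108.0.2
podIPs:
  - ip: 10.108.0.2
startTime: '2024-10-24T22:00:27Z'
# Seven init containers ran in sequence and exited 0. imageID is the digest
# the runtime resolved for the image tag; all eight containers report the
# same digest, which is the value to compare against a trusted release and
# to correlate with runtime logs through containerID.
initContainerStatuses:
  - name: delay-cilium-for-ccm
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:36Z'
        finishedAt: '2024-10-24T22:00:37Z'
        containerID: >-
          containerd://d5c26781d0d174d24f6dede8f1f18a68bf85b0d767f4d291b8647106630a69a1
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://d5c26781d0d174d24f6dede8f1f18a68bf85b0d767f4d291b8647106630a69a1
    started: false
  - name: config
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:38Z'
        finishedAt: '2024-10-24T22:00:38Z'
        containerID: >-
          containerd://ac368fcdbf90e7833146fed9bd68cd33d07d60e6cb7e59288c53136acd05438c
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://ac368fcdbf90e7833146fed9bd68cd33d07d60e6cb7e59288c53136acd05438c
    started: false
  - name: mount-cgroup
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:39Z'
        finishedAt: '2024-10-24T22:00:39Z'
        containerID: >-
          containerd://7163abdb598560747529831b716a20bd44f2e1c3af0b7ca15283379b0a1d3a5f
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://7163abdb598560747529831b716a20bd44f2e1c3af0b7ca15283379b0a1d3a5f
    started: false
  - name: apply-sysctl-overwrites
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:40Z'
        finishedAt: '2024-10-24T22:00:40Z'
        containerID: >-
          containerd://0010760fed7e508fb0773c6c9378a7167a593bc3a6a3e8ff4515465195a433a9
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://0010760fed7e508fb0773c6c9378a7167a593bc3a6a3e8ff4515465195a433a9
    started: false
  - name: mount-bpf-fs
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:41Z'
        finishedAt: '2024-10-24T22:00:41Z'
        containerID: >-
          containerd://62f891424c885906eb258b87a0695979e80678b2bbf81319c1735333c71ab81b
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://62f891424c885906eb258b87a0695979e80678b2bbf81319c1735333c71ab81b
    started: false
  - name: clean-cilium-state
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:42Z'
        finishedAt: '2024-10-24T22:00:42Z'
        containerID: >-
          containerd://6b713e3fdaf2543198f9eefeed7bd2002ac830e1659b0295795f2dd85f48d587
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://6b713e3fdaf2543198f9eefeed7bd2002ac830e1659b0295795f2dd85f48d587
    started: false
  - name: install-cni-binaries
    state:
      terminated:
        exitCode: 0
        reason: Completed
        startedAt: '2024-10-24T22:00:43Z'
        finishedAt: '2024-10-24T22:00:43Z'
        containerID: >-
          containerd://50837fc6dad9e48b58beb0985a1d6728d364c12967323acc649b82552233d5aa
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://50837fc6dad9e48b58beb0985a1d6728d364c12967323acc649b82552233d5aa
    started: false
containerStatuses:
  # restartCount 0 since 22:00:44Z; an unexpected restart of this agent is
  # worth alerting on.
  - name: cilium-agent
    state:
      running:
        startedAt: '2024-10-24T22:00:44Z'
    lastState: {}
    ready: true
    restartCount: 0
    image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
    imageID: >-
      docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
    containerID: >-
      containerd://ef038c148707991bd0f24c9768aa77452529fab66d4977fa6498c2b2882ebec7
    started: true
# Burstable: at least one container sets requests, and none sets limits
# equal to them.
qosClass: Burstable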
metadata:name: cilium-rmgzngenerateName: cilium-namespace: kube-systemuid: dd9e26bd-92b5-4eab-a39c-cf5916135cc1resourceVersion: '36451753'creationTimestamp: '2024-10-24T22:00:27Z'labels:app.kubernetes.io/name: cilium-agentapp.kubernetes.io/part-of: ciliumcontroller-revision-hash: 6bdc6b847fdoks.digitalocean.com/managed: 'true'k8s-app: ciliumkubernetes.io/cluster-service: 'true'pod-template-generation: '4'annotations:clusterlint.digitalocean.com/disabled-checks: privileged-containers,non-root-user,resource-requirements,hostpath-volumecontainer.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfinedcontainer.apparmor.security.beta.kubernetes.io/cilium-agent: unconfinedcontainer.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfinedcontainer.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfinedkubectl.kubernetes.io/default-container: cilium-agentprometheus.io/port: '9090'prometheus.io/scrape: 'true'ownerReferences:- apiVersion: apps/v1kind: DaemonSetname: ciliumuid: f644a837-ae29-48a0-89c7-2d886e50903econtroller: trueblockOwnerDeletion: truespec:volumes:- name: host-kubectlhostPath:path: /usr/bin/kubectltype: File- name: tmpemptyDir: {}- name: cilium-runhostPath:path: /var/run/ciliumtype: DirectoryOrCreate- name: bpf-mapshostPath:path: /sys/fs/bpftype: DirectoryOrCreate- name: hostprochostPath:path: /proctype: Directory- name: cilium-cgrouphostPath:path: /run/cilium/cgroupv2type: DirectoryOrCreate- name: cni-pathhostPath:path: /opt/cni/bintype: DirectoryOrCreate- name: etc-cni-netdhostPath:path: /etc/cni/net.dtype: DirectoryOrCreate- name: lib-moduleshostPath:path: /lib/modulestype: ''- name: xtables-lockhostPath:path: /run/xtables.locktype: FileOrCreate- name: clustermesh-secretsprojected:sources:- secret:name: cilium-clustermeshoptional: true- secret:name: clustermesh-apiserver-remote-certitems:- key: tls.keypath: common-etcd-client.key- key: tls.crtpath: common-etcd-client.crt- key: ca.crtpath: 
common-etcd-client-ca.crtoptional: truedefaultMode: 256- name: host-proc-sys-nethostPath:path: /proc/sys/nettype: Directory- name: host-proc-sys-kernelhostPath:path: /proc/sys/kerneltype: Directory- name: hubble-tlsprojected:sources:- secret:name: hubble-server-certsitems:- key: tls.crtpath: server.crt- key: tls.keypath: server.key- key: ca.crtpath: client-ca.crtoptional: truedefaultMode: 256- name: kube-api-access-xwk5pprojected:sources:- serviceAccountToken:expirationSeconds: 3607path: token- configMap:name: kube-root-ca.crtitems:- key: ca.crtpath: ca.crt- downwardAPI:items:- path: namespacefieldRef:apiVersion: v1fieldPath: metadata.namespacedefaultMode: 420initContainers:- name: delay-cilium-for-ccmimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- bash- '-e'- '-c'- ># This will get the node object for the local node and search through# the assigned addresses in the object in order to check whether CCM# already set the internal AND external IP since cilium needs both# for a clean startup.# The grep matches regardless of the order of IPs.until /host/usr/bin/kubectl get node ${HOSTNAME} -ojsonpath="{.status.addresses[*].type}" | grep -E"InternalIP.*ExternalIP|ExternalIP.*InternalIP"; do echo "waiting forCCM to store internal and external IP addresses in node object:${HOSTNAME}" && sleep 3; done;env:- name: KUBERNETES_SERVICE_HOSTvalue: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com- name: KUBERNETES_SERVICE_PORTvalue: '443'resources:requests:cpu: 100mmemory: 100MivolumeMounts:- name: host-kubectlmountPath: /host/usr/bin/kubectl- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FileimagePullPolicy: IfNotPresent- name: configimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- cilium- build-config- '--source=config-map:cilium-config'env:- name: K8S_NODE_NAMEvalueFrom:fieldRef:apiVersion: v1fieldPath: 
spec.nodeName- name: CILIUM_K8S_NAMESPACEvalueFrom:fieldRef:apiVersion: v1fieldPath: metadata.namespace- name: KUBERNETES_SERVICE_HOSTvalue: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com- name: KUBERNETES_SERVICE_PORTvalue: '443'resources: {}volumeMounts:- name: tmpmountPath: /tmp- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FallbackToLogsOnErrorimagePullPolicy: IfNotPresent- name: mount-cgroupimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- sh- '-ec'- >cp /usr/bin/cilium-mount /hostbin/cilium-mount;nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt"${BIN_PATH}/cilium-mount" $CGROUP_ROOT;rm /hostbin/cilium-mountenv:- name: CGROUP_ROOTvalue: /run/cilium/cgroupv2- name: BIN_PATHvalue: /opt/cni/binresources: {}volumeMounts:- name: hostprocmountPath: /hostproc- name: cni-pathmountPath: /hostbin- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FallbackToLogsOnErrorimagePullPolicy: IfNotPresentsecurityContext:capabilities:add:- SYS_ADMIN- SYS_CHROOT- SYS_PTRACEdrop:- ALLseLinuxOptions:type: spc_tlevel: s0- name: apply-sysctl-overwritesimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- sh- '-ec'- |cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";rm /hostbin/cilium-sysctlfixenv:- name: BIN_PATHvalue: /opt/cni/binresources: {}volumeMounts:- name: hostprocmountPath: /hostproc- name: cni-pathmountPath: /hostbin- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FallbackToLogsOnErrorimagePullPolicy: IfNotPresentsecurityContext:capabilities:add:- SYS_ADMIN- SYS_CHROOT- SYS_PTRACEdrop:- 
ALLseLinuxOptions:type: spc_tlevel: s0- name: mount-bpf-fsimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- /bin/bash- '-c'- '--'args:- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpfresources: {}volumeMounts:- name: bpf-mapsmountPath: /sys/fs/bpfmountPropagation: Bidirectional- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FallbackToLogsOnErrorimagePullPolicy: IfNotPresentsecurityContext:privileged: true- name: clean-cilium-stateimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- /init-container.shenv:- name: CILIUM_ALL_STATEvalueFrom:configMapKeyRef:name: cilium-configkey: clean-cilium-stateoptional: true- name: CILIUM_BPF_STATEvalueFrom:configMapKeyRef:name: cilium-configkey: clean-cilium-bpf-stateoptional: true- name: KUBERNETES_SERVICE_HOSTvalue: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com- name: KUBERNETES_SERVICE_PORTvalue: '443'resources: {}volumeMounts:- name: bpf-mapsmountPath: /sys/fs/bpf- name: cilium-cgroupmountPath: /run/cilium/cgroupv2mountPropagation: HostToContainer- name: cilium-runmountPath: /var/run/cilium- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: FallbackToLogsOnErrorimagePullPolicy: IfNotPresentsecurityContext:capabilities:add:- NET_ADMIN- SYS_MODULE- SYS_ADMIN- SYS_RESOURCEdrop:- ALLseLinuxOptions:type: spc_tlevel: s0- name: install-cni-binariesimage: docker.io/digitalocean/cilium:v1.14.14-conformance-fixcommand:- /install-plugin.shresources:requests:cpu: 100mmemory: 10MivolumeMounts:- name: cni-pathmountPath: /host/opt/cni/bin- name: kube-api-access-xwk5preadOnly: truemountPath: /var/run/secrets/kubernetes.io/serviceaccountterminationMessagePath: /dev/termination-logterminationMessagePolicy: 
FallbackToLogsOnError
      # Excerpt of the live Pod object for the Cilium agent: the tail of one
      # init container, the cilium-agent container, pod-level scheduling and
      # security fields, then the observed status.
      # NOTE(review): the page collapsed this YAML onto a few long lines. Line
      # breaks and indentation are restored here from the Pod schema; nesting
      # under a `spec:` key that lies before this excerpt is assumed.
      # The fields down to `containers:` close an init-container entry whose
      # name is before this excerpt.
      imagePullPolicy: IfNotPresent
      # All capabilities are dropped and none is added back, but the SELinux
      # type is spc_t ("super privileged container"), which SELinux policy
      # treats as unconfined, so SELinux adds no confinement here.
      securityContext:
        capabilities:
          drop:
            - ALL
        seLinuxOptions:
          type: spc_t
          level: s0
  containers:
    - name: cilium-agent
      # Referenced by tag, not digest. The digest that actually ran is in
      # status.containerStatuses[].imageID below; with IfNotPresent (set
      # further down) a node keeps whatever it first pulled for this tag.
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      command:
        - cilium-agent
      args:
        - '--config-dir=/tmp/cilium/config-map'
        # Cluster-identifying value (API server endpoint); it recurs in
        # KUBERNETES_SERVICE_HOST below. Worth redacting in shared dumps.
        - >-
          --k8s-api-server=https://f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
        - '--ipv4-native-routing-cidr=10.244.0.0/16'
      # hostPort plus hostNetwork: true (pod level, below) puts both listeners
      # on the node's own addresses. Whether 4244 and 9090 are reachable from
      # outside the node depends on firewalling that is not shown here.
      ports:
        - name: peer-service
          hostPort: 4244
          containerPort: 4244
          protocol: TCP
        - name: prometheus
          hostPort: 9090
          containerPort: 9090
          protocol: TCP
      env:
        - name: K8S_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CILIUM_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CILIUM_CLUSTERMESH_CONFIG
          value: /var/lib/cilium/clustermesh/
        # Same endpoint as --k8s-api-server above: the agent talks to the API
        # server by hostname rather than through the in-cluster service IP.
        - name: KUBERNETES_SERVICE_HOST
          value: f6ce2907-8531-4ab3-861e-4e2affa620b1.k8s.ondigitalocean.com
        - name: KUBERNETES_SERVICE_PORT
          value: '443'
      # Requests only, no limits: this is what yields qosClass Burstable in
      # the status section, and nothing caps the agent's CPU or memory use.
      resources:
        requests:
          cpu: 300m
          memory: 300Mi
      # The volume definitions are before this excerpt. The mount paths
      # suggest host directories (/proc/sys, /sys/fs/bpf, /lib/modules, CNI
      # config) - TODO confirm against spec.volumes.
      # Only four mounts are readOnly (clustermesh-secrets, lib-modules,
      # hubble-tls, the service-account token); the others are writable.
      volumeMounts:
        - name: host-proc-sys-net
          mountPath: /host/proc/sys/net
        - name: host-proc-sys-kernel
          mountPath: /host/proc/sys/kernel
        - name: bpf-maps
          mountPath: /sys/fs/bpf
          mountPropagation: HostToContainer
        - name: cilium-run
          mountPath: /var/run/cilium
        - name: etc-cni-netd
          mountPath: /host/etc/cni/net.d
        - name: clustermesh-secrets
          readOnly: true
          mountPath: /var/lib/cilium/clustermesh
        - name: lib-modules
          readOnly: true
          mountPath: /lib/modules
        - name: xtables-lock
          mountPath: /run/xtables.lock
        - name: hubble-tls
          readOnly: true
          mountPath: /var/lib/cilium/tls/hubble
        - name: tmp
          mountPath: /tmp
        - name: kube-api-access-xwk5p
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      # All three probes use plain HTTP against 127.0.0.1:9879. Because the
      # pod runs with hostNetwork: true, that is the node's loopback.
      # Liveness: first check after 120 s, restart after 10 failures at 30 s
      # intervals.
      livenessProbe:
        httpGet:
          path: /healthz
          port: 9879
          host: 127.0.0.1
          scheme: HTTP
          httpHeaders:
            - name: brief
              value: 'true'
        initialDelaySeconds: 120
        timeoutSeconds: 5
        periodSeconds: 30
        successThreshold: 1
        failureThreshold: 10
      readinessProbe:
        httpGet:
          path: /healthz
          port: 9879
          host: 127.0.0.1
          scheme: HTTP
          httpHeaders:
            - name: brief
              value: 'true'
        timeoutSeconds: 5
        periodSeconds: 30
        successThreshold: 1
        failureThreshold: 3
      # Startup budget: 105 failures x 2 s = 210 s before the container is
      # restarted.
      startupProbe:
        httpGet:
          path: /healthz
          port: 9879
          host: 127.0.0.1
          scheme: HTTP
          httpHeaders:
            - name: brief
              value: 'true'
        timeoutSeconds: 1
        periodSeconds: 2
        successThreshold: 1
        failureThreshold: 105
      lifecycle:
        # The hook runs on every container start. It rewrites the node's
        # iptables rule set (iptables-save | grep -v | iptables-restore), but
        # only when rules naming the AWS CNI chains are present.
        postStart:
          exec:
            command:
              - bash
              - '-c'
              # NOTE(review): the page dropped the blank lines that a folded
              # scalar (`>`) needs to keep newlines. They are restored here,
              # one per script line. Any leading indentation the script lines
              # had is not recoverable from the page. The break after `-c` is
              # an ordinary fold and joins with a single space.
              - >
                set -o errexit

                set -o pipefail

                set -o nounset

                # When running in AWS ENI mode, it's likely that 'aws-node' has

                # had a chance to install SNAT iptables rules. These can result

                # in dropped traffic, so we should attempt to remove them.

                # We do it using a 'postStart' hook since this may need to run

                # for nodes which might have already been init'ed but may still

                # have dangling rules. This is safe because there are no

                # dependencies on anything that is part of the startup script

                # itself, and can be safely run multiple times per node (e.g. in

                # case of a restart).

                if [[ "$(iptables-save | grep -E -c
                'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];

                then

                echo 'Deleting iptables rules created by the AWS CNI VPC plugin'

                iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore

                fi

                echo 'Done!'
        preStop:
          exec:
            command:
              - /cni-uninstall.sh
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: FallbackToLogsOnError
      imagePullPolicy: IfNotPresent
      # `privileged: true` is not set, but twelve capabilities are added back
      # after the drop, among them SYS_ADMIN, SYS_MODULE (kernel module
      # loading), NET_ADMIN, NET_RAW and DAC_OVERRIDE. With spc_t, hostNetwork
      # and the host mounts above, a compromise of this container should be
      # treated as a compromise of the node.
      # No runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem or
      # seccompProfile is set here, so image and runtime defaults apply.
      securityContext:
        capabilities:
          add:
            - CHOWN
            - KILL
            - NET_ADMIN
            - NET_RAW
            - IPC_LOCK
            - SYS_MODULE
            - SYS_ADMIN
            - SYS_RESOURCE
            - DAC_OVERRIDE
            - FOWNER
            - SETGID
            - SETUID
          drop:
            - ALL
        seLinuxOptions:
          type: spc_t
          level: s0
  restartPolicy: Always
  # One second of grace; the preStop hook above has to fit into that budget.
  terminationGracePeriodSeconds: 1
  # With hostNetwork: true, ClusterFirst falls back to the node's resolver
  # configuration (ClusterFirstWithHostNet would be needed for cluster DNS).
  dnsPolicy: ClusterFirst
  nodeSelector:
    kubernetes.io/os: linux
  serviceAccountName: cilium
  # Deprecated alias of serviceAccountName; the API server fills it in.
  serviceAccount: cilium
  # The token is mounted into the container (kube-api-access-xwk5p above).
  # The RBAC bound to the `cilium` service account is not shown here and
  # defines what that token can do.
  automountServiceAccountToken: true
  nodeName: system-0-bf7s0
  # The pod shares the node's network namespace: node interfaces, loopback
  # and listening ports are all visible to it.
  hostNetwork: true
  # Empty pod-level context: no runAsNonRoot or seccompProfile is set at pod
  # level, and the container-level context above sets neither.
  securityContext: {}
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchFields:
              - key: metadata.name
                operator: In
                values:
                  - system-0-bf7s0
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              k8s-app: cilium
          topologyKey: kubernetes.io/hostname
  schedulerName: default-scheduler
  # The first entry has no key and no effect, so it tolerates every taint.
  # The keyed entries after it add nothing further (presumably injected by
  # the DaemonSet controller).
  tolerations:
    - operator: Exists
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
    - key: node.kubernetes.io/disk-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/memory-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/pid-pressure
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/unschedulable
      operator: Exists
      effect: NoSchedule
    - key: node.kubernetes.io/network-unavailable
      operator: Exists
      effect: NoSchedule
  # Node-critical priority with preemption: lower-priority pods can be
  # evicted to make room for this one.
  priorityClassName: system-node-critical
  priority: 2000001000
  enableServiceLinks: true
  preemptionPolicy: PreemptLowerPriority
# Observed state reported by the kubelet; nothing below is configuration.
status:
  phase: Running
  conditions:
    - type: Initialized
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2024-10-24T22:00:44Z'
    - type: Ready
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2024-10-24T22:00:49Z'
    - type: ContainersReady
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2024-10-24T22:00:49Z'
    - type: PodScheduled
      status: 'True'
      lastProbeTime: null
      lastTransitionTime: '2024-10-24T22:00:27Z'
  # hostIP and podIP are identical, as expected with hostNetwork: true.
  hostIP: 10.108.0.2
  podIP: 10.108.0.2
  podIPs:
    - ip: 10.108.0.2
  startTime: '2024-10-24T22:00:27Z'
  # Seven init containers, each terminated with exit code 0. Every imageID
  # below, including the agent's, is the same sha256 digest, so all
  # containers ran from one image. That digest is the value to compare
  # against a trusted reference for the v1.14.14-conformance-fix tag.
  initContainerStatuses:
    - name: delay-cilium-for-ccm
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:36Z'
          finishedAt: '2024-10-24T22:00:37Z'
          containerID: >-
            containerd://d5c26781d0d174d24f6dede8f1f18a68bf85b0d767f4d291b8647106630a69a1
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://d5c26781d0d174d24f6dede8f1f18a68bf85b0d767f4d291b8647106630a69a1
      started: false
    - name: config
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:38Z'
          finishedAt: '2024-10-24T22:00:38Z'
          containerID: >-
            containerd://ac368fcdbf90e7833146fed9bd68cd33d07d60e6cb7e59288c53136acd05438c
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://ac368fcdbf90e7833146fed9bd68cd33d07d60e6cb7e59288c53136acd05438c
      started: false
    - name: mount-cgroup
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:39Z'
          finishedAt: '2024-10-24T22:00:39Z'
          containerID: >-
            containerd://7163abdb598560747529831b716a20bd44f2e1c3af0b7ca15283379b0a1d3a5f
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://7163abdb598560747529831b716a20bd44f2e1c3af0b7ca15283379b0a1d3a5f
      started: false
    - name: apply-sysctl-overwrites
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:40Z'
          finishedAt: '2024-10-24T22:00:40Z'
          containerID: >-
            containerd://0010760fed7e508fb0773c6c9378a7167a593bc3a6a3e8ff4515465195a433a9
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://0010760fed7e508fb0773c6c9378a7167a593bc3a6a3e8ff4515465195a433a9
      started: false
    - name: mount-bpf-fs
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:41Z'
          finishedAt: '2024-10-24T22:00:41Z'
          containerID: >-
            containerd://62f891424c885906eb258b87a0695979e80678b2bbf81319c1735333c71ab81b
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://62f891424c885906eb258b87a0695979e80678b2bbf81319c1735333c71ab81b
      started: false
    - name: clean-cilium-state
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:42Z'
          finishedAt: '2024-10-24T22:00:42Z'
          containerID: >-
            containerd://6b713e3fdaf2543198f9eefeed7bd2002ac830e1659b0295795f2dd85f48d587
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://6b713e3fdaf2543198f9eefeed7bd2002ac830e1659b0295795f2dd85f48d587
      started: false
    - name: install-cni-binaries
      state:
        terminated:
          exitCode: 0
          reason: Completed
          startedAt: '2024-10-24T22:00:43Z'
          finishedAt: '2024-10-24T22:00:43Z'
          containerID: >-
            containerd://50837fc6dad9e48b58beb0985a1d6728d364c12967323acc649b82552233d5aa
      lastState: {}
      ready: true
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://50837fc6dad9e48b58beb0985a1d6728d364c12967323acc649b82552233d5aa
      started: false
  containerStatuses:
    - name: cilium-agent
      state:
        running:
          startedAt: '2024-10-24T22:00:44Z'
      lastState: {}
      ready: true
      # Zero restarts and an empty lastState: no earlier crash is recorded
      # for this pod instance.
      restartCount: 0
      image: docker.io/digitalocean/cilium:v1.14.14-conformance-fix
      imageID: >-
        docker.io/digitalocean/cilium@sha256:241e51bbd436c0d3b6c9b438e26bbf6808e91e25559f04ceb3638f83c3d73549
      containerID: >-
        containerd://ef038c148707991bd0f24c9768aa77452529fab66d4977fa6498c2b2882ebec7
      started: true
  qosClass: Burstable