siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

website - Incorrect instruction for installation of cilium plugin #8305

Open gecube opened 7 months ago

gecube commented 7 months ago

Good day!

The instructions here https://www.talos.dev/v1.6/kubernetes-guides/network/deploying-cilium/ tell us that we need to use the next Cilium CLI command for the installation of this CNI:

cilium install \
    --helm-set=ipam.mode=kubernetes \
    --helm-set=kubeProxyReplacement=true \
    --helm-set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --helm-set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --helm-set=cgroup.autoMount.enabled=false \
    --helm-set=cgroup.hostRoot=/sys/fs/cgroup \
    --helm-set=k8sServiceHost=localhost \
    --helm-set=k8sServicePort=7445

This command is not working with the next cilium cli:

cilium version
cilium-cli: v0.12.0 compiled with go1.18.4 on darwin/amd64
cilium image (default): v1.12.0
cilium image (stable): v1.14.6
cilium image (running): v1.14.0

I strongly believe that the arguments should be changed and I will investigate what is the proper command. Right now it returns such an error:

cilium install \
    --helm-set=ipam.mode=kubernetes \
    --helm-set=kubeProxyReplacement=true \
    --helm-set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --helm-set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --helm-set=cgroup.autoMount.enabled=false \
    --helm-set=cgroup.hostRoot=/sys/fs/cgroup \
    --helm-set=k8sServiceHost=localhost \
    --helm-set=k8sServicePort=7445
ℹ️  Using Cilium version 1.12.0
🔮 Auto-detected cluster name: talos-k8s
🔮 Auto-detected datapath mode: tunnel
ℹ️  helm template --namespace kube-system cilium cilium/cilium --version 1.12.0 --set ,,cgroup.autoMount.enabled=false,cgroup.hostRoot=/sys/fs/cgroup,cluster.id=0,cluster.name=talos-k8s,encryption.nodeEncryption=false,ipam.mode=kubernetes,k8sServiceHost=localhost,k8sServicePort=7445,kubeProxyReplacement=true,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
↩️ Rolling back installation...

Error: Unable to install Cilium: template: cilium/templates/cilium-configmap.yaml:572:7: executing "cilium/templates/cilium-configmap.yaml" at <ne $kubeProxyReplacement "disabled">: error calling ne: incompatible types for comparison

At the same time installation with helm works flawlessly:

helm install \
    cilium \
    cilium/cilium \
    --version 1.14.0 \
    --namespace kube-system \
    --set ipam.mode=kubernetes \
    --set=kubeProxyReplacement=true \
    --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --set=cgroup.autoMount.enabled=false \
    --set=cgroup.hostRoot=/sys/fs/cgroup \
    --set=k8sServiceHost=localhost \
    --set=k8sServicePort=7445
NAME: cilium
LAST DEPLOYED: Sun Feb 11 18:34:24 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.

Your release version is 1.14.0.

For any further help, visit https://docs.cilium.io/en/v1.14/gettinghelp

gecube commented 7 months ago

I was able to move forward with the next command:

cilium install --helm-set-string ipam.mode=kubernetes --helm-set-string kubeProxyReplacement=true --helm-set-string securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"  --helm-set-string securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" --helm-set cgroup.autoMount.enabled=false --helm-set-string cgroup.hostRoot=/sys/fs/cgroup --helm-set-string k8sServiceHost=localhost --helm-set-string k8sServicePort=7445
ℹ️  Using Cilium version 1.12.0
🔮 Auto-detected cluster name: production
🔮 Auto-detected datapath mode: tunnel
ℹ️  helm template --namespace kube-system cilium cilium/cilium --version 1.12.0 --set ,,cgroup.autoMount.enabled=false,cgroup.hostRoot=/sys/fs/cgroup,cluster.id=0,cluster.name=production,encryption.nodeEncryption=false,ipam.mode=kubernetes,k8sServiceHost=localhost,k8sServicePort=7445,kubeProxyReplacement=true,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
ℹ️  Storing helm values file in kube-system/cilium-cli-helm-values Secret
🔑 Created CA in secret cilium-ca
🔑 Generating certificates for Hubble...
🚀 Creating Service accounts...
🚀 Creating Cluster roles...
🚀 Creating ConfigMap for Cilium version 1.12.0...
🚀 Creating Agent DaemonSet...
↩️ Rolling back installation...

Error: Unable to install Cilium: DaemonSet.apps "cilium" is invalid: [spec.template.annotations[container.apparmor.security.beta.kubernetes.io/mount-cgroup]: Invalid value: "mount-cgroup": container not found, spec.template.spec.initContainers[0].volumeMounts[0].name: Not found: "hostproc"]

I am debugging further

gecube commented 7 months ago

If I use the next command:

cilium install --helm-set-string ipam.mode=kubernetes \
  --helm-set-string kubeProxyReplacement=true \
  --helm-set-string securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"  \
  --helm-set-string securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
  --helm-set-string cgroup.autoMount.enabled=false \
  --helm-set-string cgroup.hostRoot=/sys/fs/cgroup \
  --helm-set-string k8sServiceHost=localhost \
  --helm-set-string k8sServicePort=7445
ℹ️  Using Cilium version 1.12.0
🔮 Auto-detected cluster name: production
🔮 Auto-detected datapath mode: tunnel
ℹ️  helm template --namespace kube-system cilium cilium/cilium --version 1.12.0 --set ,,cgroup.autoMount.enabled=false,cgroup.hostRoot=/sys/fs/cgroup,cluster.id=0,cluster.name=production,encryption.nodeEncryption=false,ipam.mode=kubernetes,k8sServiceHost=localhost,k8sServicePort=7445,kubeProxyReplacement=true,operator.replicas=1,serviceAccounts.cilium.name=cilium,serviceAccounts.operator.name=cilium-operator,tunnel=vxlan
ℹ️  Storing helm values file in kube-system/cilium-cli-helm-values Secret
🔑 Found CA in secret cilium-ca
🔑 Generating certificates for Hubble...
🚀 Creating Service accounts...
🚀 Creating Cluster roles...
🚀 Creating ConfigMap for Cilium version 1.12.0...
🚀 Creating Agent DaemonSet...
🚀 Creating Operator Deployment...
⌛ Waiting for Cilium to be installed and ready...

The process hangs.

kubectl get pods -n kube-system 
NAME                                            READY   STATUS                   RESTARTS        AGE
cilium-g5ql8                                    0/1     Init:RunContainerError   3 (9s ago)      62s
cilium-hxjkw                                    0/1     Init:RunContainerError   3 (7s ago)      62s
cilium-m2ph7                                    0/1     Init:CrashLoopBackOff    3 (14s ago)     62s
cilium-operator-8447cd5bb-656c5                 1/1     Running                  0               62s
cilium-ps6zg                                    0/1     Init:RunContainerError   3 (10s ago)     62s
cilium-rxrrc                                    0/1     Init:RunContainerError   3 (10s ago)     62s
coredns-85b955d87b-tm47c                        0/1     Pending                  0               6m13s
coredns-85b955d87b-vx9zg                        0/1     Pending                  0               6m13s
kube-apiserver-talos-control-plane-1            1/1     Running                  0               5m58s
kube-apiserver-talos-control-plane-2            1/1     Running                  0               5m15s
kube-apiserver-talos-control-plane-3            1/1     Running                  0               5m35s
kube-controller-manager-talos-control-plane-1   1/1     Running                  2 (6m52s ago)   5m12s
kube-controller-manager-talos-control-plane-2   1/1     Running                  0               4m58s
kube-controller-manager-talos-control-plane-3   1/1     Running                  1 (6m38s ago)   5m4s
kube-scheduler-talos-control-plane-1            1/1     Running                  2 (6m52s ago)   5m13s
kube-scheduler-talos-control-plane-2            1/1     Running                  0               5m14s
kube-scheduler-talos-control-plane-3            1/1     Running                  1 (6m39s ago)   5m8s

kubectl describe pod -n kube-system cilium-g5ql8
Name:                 cilium-g5ql8
Namespace:            kube-system
Priority:             2000001000
Priority Class Name:  system-node-critical
Service Account:      cilium
Node:                 talos-worker-1/65.108.90.3
Start Time:           Sun, 18 Feb 2024 09:36:59 +0100
Labels:               controller-revision-hash=fbbf5bb5d
                      k8s-app=cilium
                      pod-template-generation=1
Annotations:          container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
                      container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
                      container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
                      container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
Status:               Pending
IP:                   65.108.90.3
IPs:
  IP:           65.108.90.3
Controlled By:  DaemonSet/cilium
Init Containers:
  mount-cgroup:
    Container ID:  containerd://ca0bd623235a2de20f7cd14b18636b315612337508bde265a1d3705c97087ced
    Image:         quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Image ID:      quay.io/cilium/cilium@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -ec
      cp /usr/bin/cilium-mount /hostbin/cilium-mount;
      nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT;
      rm /hostbin/cilium-mount

    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sun, 18 Feb 2024 09:37:06 +0100
      Finished:     Sun, 18 Feb 2024 09:37:06 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      CGROUP_ROOT:  /sys/fs/cgroup
      BIN_PATH:     /opt/cni/bin
    Mounts:
      /hostbin from cni-path (rw)
      /hostproc from hostproc (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-szbmp (ro)
  apply-sysctl-overwrites:
    Container ID:  containerd://3c562a30fa23f655908ad8b45b5813213b21e8f6197f86f2e955e6032b3c2695
    Image:         quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Image ID:      quay.io/cilium/cilium@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -ec
      cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix;
      nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix";
      rm /hostbin/cilium-sysctlfix

    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sun, 18 Feb 2024 09:37:06 +0100
      Finished:     Sun, 18 Feb 2024 09:37:06 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      BIN_PATH:  /opt/cni/bin
    Mounts:
      /hostbin from cni-path (rw)
      /hostproc from hostproc (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-szbmp (ro)
  mount-bpf-fs:
    Container ID:  containerd://bd749fa83d068cb51544f11f466cc7c7f8c754000f025d3e89f5ea7face8366c
    Image:         quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Image ID:      quay.io/cilium/cilium@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/bash
      -c
      --
    Args:
      mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Sun, 18 Feb 2024 09:37:07 +0100
      Finished:     Sun, 18 Feb 2024 09:37:07 +0100
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /sys/fs/bpf from bpf-maps (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-szbmp (ro)
  clean-cilium-state:
    Container ID:  containerd://96dd132a85d773705cb3c8cc9a6d9b81d83915cb64d1ebdc18fa75947639a8ff
    Image:         quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Image ID:      quay.io/cilium/cilium@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Port:          <none>
    Host Port:     <none>
    Command:
      /init-container.sh
    State:          Waiting
      Reason:       RunContainerError
    Last State:     Terminated
      Reason:       StartError
      Message:      failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply caps: operation not permitted: unknown
      Exit Code:    128
      Started:      Thu, 01 Jan 1970 01:00:00 +0100
      Finished:     Sun, 18 Feb 2024 09:38:45 +0100
    Ready:          False
    Restart Count:  4
    Requests:
      cpu:     100m
      memory:  100Mi
    Environment:
      CILIUM_ALL_STATE:         <set to the key 'clean-cilium-state' of config map 'cilium-config'>      Optional: true
      CILIUM_BPF_STATE:         <set to the key 'clean-cilium-bpf-state' of config map 'cilium-config'>  Optional: true
      KUBERNETES_SERVICE_HOST:  localhost
      KUBERNETES_SERVICE_PORT:  7445
    Mounts:
      /sys/fs/bpf from bpf-maps (rw)
      /sys/fs/cgroup from cilium-cgroup (rw)
      /var/run/cilium from cilium-run (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-szbmp (ro)
Containers:
  cilium-agent:
    Container ID:  
    Image:         quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade
    Image ID:      
    Port:          <none>
    Host Port:     <none>
    Command:
      cilium-agent
    Args:
      --config-dir=/tmp/cilium/config-map
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Liveness:       http-get http://127.0.0.1:9879/healthz delay=0s timeout=5s period=30s #success=1 #failure=10
    Readiness:      http-get http://127.0.0.1:9879/healthz delay=0s timeout=5s period=30s #success=1 #failure=3
    Startup:        http-get http://127.0.0.1:9879/healthz delay=0s timeout=1s period=2s #success=1 #failure=105
    Environment:
      K8S_NODE_NAME:               (v1:spec.nodeName)
      CILIUM_K8S_NAMESPACE:       kube-system (v1:metadata.namespace)
      CILIUM_CLUSTERMESH_CONFIG:  /var/lib/cilium/clustermesh/
      CILIUM_CNI_CHAINING_MODE:   <set to the key 'cni-chaining-mode' of config map 'cilium-config'>  Optional: true
      CILIUM_CUSTOM_CNI_CONF:     <set to the key 'custom-cni-conf' of config map 'cilium-config'>    Optional: true
      KUBERNETES_SERVICE_HOST:    localhost
      KUBERNETES_SERVICE_PORT:    7445
    Mounts:
      /host/etc/cni/net.d from etc-cni-netd (rw)
      /host/opt/cni/bin from cni-path (rw)
      /host/proc/sys/kernel from host-proc-sys-kernel (rw)
      /host/proc/sys/net from host-proc-sys-net (rw)
      /lib/modules from lib-modules (ro)
      /run/xtables.lock from xtables-lock (rw)
      /sys/fs/bpf from bpf-maps (rw)
      /sys/fs/cgroup from cilium-cgroup (rw)
      /tmp/cilium/config-map from cilium-config-path (ro)
      /var/lib/cilium/clustermesh from clustermesh-secrets (ro)
      /var/lib/cilium/tls/hubble from hubble-tls (ro)
      /var/run/cilium from cilium-run (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-szbmp (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 False 
  Ready                       False 
  ContainersReady             False 
  PodScheduled                True 
Volumes:
  cilium-run:
    Type:          HostPath (bare host directory volume)
    Path:          /var/run/cilium
    HostPathType:  DirectoryOrCreate
  bpf-maps:
    Type:          HostPath (bare host directory volume)
    Path:          /sys/fs/bpf
    HostPathType:  DirectoryOrCreate
  hostproc:
    Type:          HostPath (bare host directory volume)
    Path:          /proc
    HostPathType:  Directory
  cilium-cgroup:
    Type:          HostPath (bare host directory volume)
    Path:          /sys/fs/cgroup
    HostPathType:  DirectoryOrCreate
  cni-path:
    Type:          HostPath (bare host directory volume)
    Path:          /opt/cni/bin
    HostPathType:  DirectoryOrCreate
  etc-cni-netd:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/cni/net.d
    HostPathType:  DirectoryOrCreate
  lib-modules:
    Type:          HostPath (bare host directory volume)
    Path:          /lib/modules
    HostPathType:  
  xtables-lock:
    Type:          HostPath (bare host directory volume)
    Path:          /run/xtables.lock
    HostPathType:  FileOrCreate
  clustermesh-secrets:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  cilium-clustermesh
    Optional:    true
  cilium-config-path:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      cilium-config
    Optional:  false
  host-proc-sys-net:
    Type:          HostPath (bare host directory volume)
    Path:          /proc/sys/net
    HostPathType:  Directory
  host-proc-sys-kernel:
    Type:          HostPath (bare host directory volume)
    Path:          /proc/sys/kernel
    HostPathType:  Directory
  hubble-tls:
    Type:                Projected (a volume that contains injected data from multiple sources)
    SecretName:          hubble-server-certs
    SecretOptionalName:  0xc0005655ea
  kube-api-access-szbmp:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              kubernetes.io/os=linux
Tolerations:                 op=Exists
                             node.kubernetes.io/disk-pressure:NoSchedule op=Exists
                             node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/network-unavailable:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists
                             node.kubernetes.io/pid-pressure:NoSchedule op=Exists
                             node.kubernetes.io/unreachable:NoExecute op=Exists
                             node.kubernetes.io/unschedulable:NoSchedule op=Exists
Events:
  Type     Reason     Age                 From               Message
  ----     ------     ----                ----               -------
  Normal   Scheduled  110s                default-scheduler  Successfully assigned kube-system/cilium-g5ql8 to talos-worker-1
  Normal   Pulling    109s                kubelet            Pulling image "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade"
  Normal   Created    103s                kubelet            Created container apply-sysctl-overwrites
  Normal   Created    103s                kubelet            Created container mount-cgroup
  Normal   Started    103s                kubelet            Started container mount-cgroup
  Normal   Pulled     103s                kubelet            Container image "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" already present on machine
  Normal   Pulled     103s                kubelet            Successfully pulled image "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" in 5.387s (5.387s including waiting)
  Normal   Started    103s                kubelet            Started container apply-sysctl-overwrites
  Normal   Pulled     102s                kubelet            Container image "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" already present on machine
  Normal   Created    102s                kubelet            Created container mount-bpf-fs
  Normal   Started    102s                kubelet            Started container mount-bpf-fs
  Warning  Failed     84s (x3 over 101s)  kubelet            Error: failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply caps: operation not permitted: unknown
  Warning  BackOff    70s (x4 over 99s)   kubelet            Back-off restarting failed container clean-cilium-state in pod cilium-g5ql8_kube-system(13bbb123-2e09-4b54-9478-bc2f09a76aba)
  Normal   Pulled     57s (x4 over 101s)  kubelet            Container image "quay.io/cilium/cilium:v1.12.0@sha256:079baa4fa1b9fe638f96084f4e0297c84dd4fb215d29d2321dcbe54273f63ade" already present on machine
  Normal   Created    57s (x4 over 101s)  kubelet            Created container clean-cilium-state

pavanrsalibindla commented 7 months ago

cilium install \
    --helm-set=ipam.mode=kubernetes \
    --helm-set hubble.ui.enabled=true \
    --helm-set=kubeProxyReplacement=strict \
    --helm-set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --helm-set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --helm-set=cgroup.autoMount.enabled=false \
    --helm-set=cgroup.hostRoot=/sys/fs/cgroup \
    --helm-set=k8sServiceHost=192.168.5.175 \
    --helm-set=k8sServicePort=6443

--> changed from 7445 to 6443 worked.

stevefan1999-personal commented 6 months ago

Try using kubeProxyReplacement="true"

Also I noticed you are using a pretty old version of Cilium CLI. Here's mine:

cilium-cli: v0.15.17 compiled with go1.21.4 on windows/amd64
cilium image (default): v1.14.4
cilium image (stable): v1.15.1
cilium image (running): 1.16.0-dev
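
The `error calling ne: incompatible types for comparison` failure in the opening post and the quoted-string suggestion above both turn on how the value is typed before Go's `text/template` compares it with `"disabled"`. The following is an added example, not code from Talos, Cilium or Helm: `coerce` is a simplified model of `--set`-style value typing (an assumption), and `tmplSrc` is a constructed stand-in that reuses only the `ne $kubeProxyReplacement "disabled"` expression from the error message.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed stand-in for the chart's configmap check. Only the expression
// `ne $kubeProxyReplacement "disabled"` is taken from the error in the issue.
const tmplSrc = `{{- $kubeProxyReplacement := .Values.kubeProxyReplacement -}}
{{- if ne $kubeProxyReplacement "disabled" }}kube-proxy-replacement: {{ $kubeProxyReplacement }}{{ end }}`

// coerce is a simplified model (an assumption, not Helm's source) of how a
// --set style flag types a value: true/false become bool, integers become
// int64, anything else stays a string. asString models --set-string.
func coerce(raw string, asString bool) interface{} {
	if asString {
		return raw
	}
	if strings.EqualFold(raw, "true") {
		return true
	}
	if strings.EqualFold(raw, "false") {
		return false
	}
	if n, err := strconv.ParseInt(raw, 10, 64); err == nil {
		return n
	}
	return raw
}

// render executes the stand-in template with kubeProxyReplacement typed the
// way the chosen flag style would type it; it returns the text or the error.
func render(raw string, asString bool) (string, error) {
	t, err := template.New("cilium-configmap.yaml").Parse(tmplSrc)
	if err != nil {
		return "", err
	}
	values := map[string]interface{}{"kubeProxyReplacement": coerce(raw, asString)}
	var out strings.Builder
	if err := t.Execute(&out, map[string]interface{}{"Values": values}); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	cases := []struct {
		raw      string
		asString bool
	}{
		{"true", false},   // --helm-set=kubeProxyReplacement=true
		{"true", true},    // --helm-set-string kubeProxyReplacement=true
		{"strict", false}, // --helm-set=kubeProxyReplacement=strict
	}
	for _, c := range cases {
		out, err := render(c.raw, c.asString)
		fmt.Printf("raw=%q asString=%v type=%T\n  out=%q\n  err=%v\n",
			c.raw, c.asString, coerce(c.raw, c.asString), out, err)
	}
}
```

A bool compared with a string is rejected by `ne`, while the same literal kept as a string, or a value such as `strict` that never looks like a bool, passes the comparison.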

gecube commented 6 months ago

@stevefan1999-personal Hi! Thanks for the suggestions. Looks like there are different cilium CLIs with different semantics of command line arguments.

gecube commented 6 months ago

BTW, the current version is:

% brew install cilium-cli
...
% cilium version
cilium-cli: v0.15.23 compiled with go1.22.0 on darwin/amd64
cilium image (default): v1.15.0
cilium image (stable): v1.15.1