Cilium 1.12 Upgrade (#9225)

* Drop support for Cilium < 1.10 Signed-off-by: necatican <necaticanyildirim@gmail.com> * Synchronize Cilium templates for 1.11.7 Signed-off-by: necatican <contact@necatican.com> * Set Cilium v1.12.1 as the default version Signed-off-by: necatican <contact@necatican.com> Signed-off-by: necatican <necaticanyildirim@gmail.com> Signed-off-by: necatican <contact@necatican.com>
2026-03-10 20:29:18 +03:00 · 2022-09-19 12:14:31 +03:00
parent 680293e79c
commit 7da3dbcb39
12 changed files with 291 additions and 374 deletions
--- a/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
@@ -7,9 +7,6 @@ rules:
 - apiGroups:
  - networking.k8s.io
  resources:
-{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
-  - ingresses
-{% endif %}
  - networkpolicies
  verbs:
  - get
@@ -28,34 +25,25 @@ rules:
  resources:
  - namespaces
  - services
-  - nodes
+  - pods
  - endpoints
-{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
-  - componentstatuses
-{% endif %}
+  - nodes
  verbs:
  - get
  - list
  - watch
-{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- apiGroups:
-  - extensions
-  resources:
-  - ingresses
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-{% endif %}
-{% if cilium_version | regex_replace('v') is version('1.7', '>') %}
+{% if cilium_version | regex_replace('v') is version('1.12', '<') %}
 - apiGroups:
  - ""
  resources:
+  - pods
  - pods/finalizers
  verbs:
+  - get
+  - list
+  - watch
  - update
-{% endif %}
+  - delete
 - apiGroups:
  - ""
  resources:
@@ -66,6 +54,7 @@ rules:
  - list
  - watch
  - update
+{% endif %}
 - apiGroups:
  - ""
  resources:
@@ -78,47 +67,45 @@ rules:
  resources:
  - customresourcedefinitions
  verbs:
+  # Deprecated for removal in v1.10
  - create
-  - get
  - list
  - watch
  - update
+
+  # This is used when validating policies in preflight. This will need to stay
+  # until we figure out how to avoid "get" inside the preflight, and then
+  # should be removed ideally.
+  - get
 - apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
-{% if cilium_version | regex_replace('v') is version('1.7', '>=') %}
  - ciliumclusterwidenetworkpolicies
  - ciliumclusterwidenetworkpolicies/status
-{% endif %}
  - ciliumendpoints
  - ciliumendpoints/status
-{% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
  - ciliumnodes
  - ciliumnodes/status
  - ciliumidentities
-  - ciliumidentities/status
-{% endif %}
-{% if cilium_version | regex_replace('v') is version('1.9', '>=') %}
-  - ciliumnetworkpolicies/finalizers
-  - ciliumclusterwidenetworkpolicies/finalizers
-  - ciliumendpoints/finalizers
-  - ciliumnodes/finalizers
-  - ciliumidentities/finalizers
  - ciliumlocalredirectpolicies
  - ciliumlocalredirectpolicies/status
-  - ciliumlocalredirectpolicies/finalizers
-{% endif %}
-{% if cilium_version | regex_replace('v') is version('1.10', '>=') %}
  - ciliumegressnatpolicies
-{% endif %}
 {% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
  - ciliumendpointslices
 {% endif %}
 {% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
  - ciliumbgploadbalancerippools
  - ciliumbgppeeringpolicies
+{% endif %}
+{% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
+  - ciliumnetworkpolicies/finalizers
+  - ciliumclusterwidenetworkpolicies/finalizers
+  - ciliumendpoints/finalizers
+  - ciliumnodes/finalizers
+  - ciliumidentities/finalizers
+  - ciliumlocalredirectpolicies/finalizers
 {% endif %}
  verbs:
  - '*'
@@ -128,6 +115,7 @@ rules:
  resources:
  - ciliumclusterwideenvoyconfigs
  - ciliumenvoyconfigs
+  - ciliumegressgatewaypolicies
  verbs:
  - list
  - watch