Cilium

cilium is a Commodore component to manage the Cilium network plugin.

See the parameters reference for further details on how to use the component to configure and deploy Cilium.

Metrics scraping

By default, the component enables the metrics endpoint for the Cilium agent. The component assumes that prometheus-operator will be present on the target cluster, and creates a ServiceMonitor resource for the agent metrics endpoint.

See the Cilium docs for available agent metrics.

Enabled features recording rule

When component parameter release is set to enterprise, the component renders a PrometheusRule named cilium-features. This PrometheusRule emits one time series for each managed feature via the feature label. The component currently knows features clustermesh, egress-gateway, and transparent-encryption. Each feature time series has value 1 when the feature is enabled and 0 otherwise, which makes it easy to use in alerts and/or dashboards.
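The following manifest is an added illustration of what such a PrometheusRule looks like, not the component's own rendered output. The metric name syn_cilium_feature_enabled, the namespace, the alert name and the specific enabled/disabled values are assumptions chosen for the example; the PrometheusRule name and the three feature labels are the ones the text describes. Because each rule uses a constant `vector(0)` or `vector(1)` expression, the recording rule always emits exactly one series per feature, which is what makes it usable as a stable dashboard indicator or as an alert condition:

```yaml
# Added example (assumed rendering, not the component's own output).
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cilium-features            # name stated on the page
  namespace: cilium                # assumption
  labels:
    prometheus: k8s                # assumption: selector used by the operator
spec:
  groups:
    - name: cilium-features
      rules:
        # One constant series per managed feature; the `labels` block is what
        # attaches the `feature` label to the otherwise label-less vector().
        - record: syn_cilium_feature_enabled   # assumed metric name
          labels:
            feature: clustermesh
          expr: vector(0)                      # assumed: clustermesh disabled
        - record: syn_cilium_feature_enabled
          labels:
            feature: egress-gateway
          expr: vector(1)                      # assumed: egress gateway enabled
        - record: syn_cilium_feature_enabled
          labels:
            feature: transparent-encryption
          expr: vector(1)                      # assumed: encryption enabled
        # Example consumer: alert when a feature that is expected to stay
        # enabled reports 0, or when the series disappears entirely (absent()).
        - alert: CiliumTransparentEncryptionDisabled   # assumed alert name
          expr: |
            syn_cilium_feature_enabled{feature="transparent-encryption"} == 0
            or absent(syn_cilium_feature_enabled{feature="transparent-encryption"})
          for: 15m
          labels:
            severity: warning
          annotations:
            summary: "Cilium transparent encryption is reported as disabled"
```

The `absent()` branch matters in practice: if the component ever stops rendering the rule (for example because `release` is no longer `enterprise`), a plain `== 0` comparison would silently stop firing, whereas `absent()` still alerts on the missing series.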

Aggregated permissions

The component creates the following ClusterRoles which are aggregated to the cluster’s default ClusterRoles:

Name                        Resources                          Aggregated to
syn-cilium-view             ciliumnetworkpolicies.cilium.io,   view, edit, admin
                            ciliumendpoints.cilium.io
syn-cilium-edit             ciliumnetworkpolicies.cilium.io    edit, admin
syn-cilium-cluster-reader   All resources in cilium.io         cluster-reader

This enables users to view[1] ciliumnetworkpolicy and ciliumendpoint resources in their namespaces. Users who have edit or admin permissions in a namespace can additionally create, modify, and delete ciliumnetworkpolicy resources in that namespace. Finally, users who have cluster-reader permissions can view[1] all resources in cilium.io in all namespaces.


1. View permission grants the RBAC verbs get, list and watch.
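The three aggregated ClusterRoles, written out as an added example rather than the component's own rendered manifests. Kubernetes aggregates a ClusterRole into the built-in view, edit and admin roles through the `rbac.authorization.k8s.io/aggregate-to-<role>` labels, and OpenShift uses the same mechanism with an `aggregate-to-cluster-reader` label; the labels below follow that convention. The exact verb list for the edit role is an assumption (the page says "create, modify, and delete"; modify is rendered here as update and patch), and resource names are the cilium.io CRDs named in the table:

```yaml
# Added example: aggregated ClusterRoles matching the table above.
# Read-only access to Cilium policies and endpoints, folded into view/edit/admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["ciliumnetworkpolicies", "ciliumendpoints"]
    verbs: ["get", "list", "watch"]        # "view" = get, list, watch (footnote 1)
---
# Write access to Cilium network policies only; ciliumendpoints stay read-only
# because they are managed by the agent, not by users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["ciliumnetworkpolicies"]
    verbs: ["create", "update", "patch", "delete"]   # assumed verb set
---
# Cluster-wide read access to everything in the cilium.io API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-cluster-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
```

Two points worth checking after the component has been applied. First, aggregation is performed by the controller-manager, so the rules only show up in `kubectl get clusterrole view -o yaml` a moment after the labelled ClusterRoles exist; an empty `rules:` list on the aggregated role means the labels did not match. Second, the effective permissions are easiest to confirm with impersonation, for example `kubectl auth can-i create ciliumnetworkpolicies.cilium.io -n <namespace> --as=<user>` should answer yes for a user bound to edit in that namespace and no for a user bound only to view, while `kubectl auth can-i create ciliumendpoints.cilium.io -n <namespace> --as=<user>` should answer no for both, because the edit ClusterRole deliberately omits ciliumendpoints.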