Cilium

cilium is a Commodore component that manages the Cilium network plugin.

See the parameters reference for further details on how to use the component to configure and deploy Cilium.

Metrics scraping

By default, the component enables the metrics endpoint of the Cilium agent. The component assumes that prometheus-operator is present on the target cluster and creates a ServiceMonitor resource for the agent metrics endpoint, so no further scrape configuration is needed on the Prometheus side as long as the Prometheus instance selects that ServiceMonitor.

See the Cilium docs for available agent metrics.
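As an added illustration of what the component wires up (this is hand-written example YAML, not the resource the component itself generates), the following ServiceMonitor scrapes the agent metrics. The Service name, namespace, label `k8s-app: cilium`, the port name `metrics` and the `release: prometheus` selector label are assumptions and must be replaced with what your cluster actually uses:

```yaml
# Added example, not the component's generated manifest.
# Assumptions: the Cilium agent metrics are exposed by a Service in
# kube-system labelled k8s-app: cilium with a port named "metrics", and the
# prometheus-operator managed Prometheus selects ServiceMonitors carrying
# the label release: prometheus.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: cilium-agent
  namespace: kube-system
  labels:
    # Must match the serviceMonitorSelector of the Prometheus custom resource,
    # otherwise the ServiceMonitor is silently ignored.
    release: prometheus
spec:
  selector:
    matchLabels:
      k8s-app: cilium
  namespaceSelector:
    matchNames:
      - kube-system
  endpoints:
    - port: metrics
      path: /metrics
      interval: 30s
```

If the agent targets do not show up in Prometheus, compare the labels above with the `serviceMonitorSelector` and `serviceMonitorNamespaceSelector` of the Prometheus object before suspecting the endpoint. Keep in mind that the agent metrics endpoint serves plain, unauthenticated HTTP; since the Cilium agent runs in the host network namespace, the port is reachable from the node network, so restrict it with host firewalling or a host policy if the node network is not trusted.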

Aggregated permissions

The component creates the following ClusterRoles, which are aggregated into the cluster's default ClusterRoles:

Name                       Resources                         Aggregated to
syn-cilium-view            ciliumnetworkpolicies.cilium.io   view, edit, admin
                           ciliumendpoints.cilium.io
syn-cilium-edit            ciliumnetworkpolicies.cilium.io   edit, admin
syn-cilium-cluster-reader  All resources in cilium.io        cluster-reader

This enables users to view[1] ciliumnetworkpolicy and ciliumendpoint resources in their namespaces. Users who have edit or admin permissions in a namespace can additionally create, modify, and delete ciliumnetworkpolicy resources in that namespace. Finally, users who have cluster-reader permissions can view[1] all resources in cilium.io in all namespaces. Note that granting edit on ciliumnetworkpolicies means that anyone with edit or admin in a namespace can loosen or tighten that namespace's network policy.
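The following manifests are an added example of how this aggregation pattern is expressed in Kubernetes RBAC; they are not the component's own generated output. The ClusterRole names come from the table above, the aggregation labels are the standard `rbac.authorization.k8s.io/aggregate-to-*` labels that the default view/edit/admin ClusterRoles (and, on OpenShift, cluster-reader) select on, and the exact verb lists are assumptions derived from the description in the text:

```yaml
# Added example, not the component's generated manifests.
# Assumptions: verb lists follow the text (view = get/list/watch,
# edit additionally creates/modifies/deletes); cluster-reader exists on the
# target cluster (OpenShift) and aggregates on aggregate-to-cluster-reader.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-view
  labels:
    # The default view, edit and admin ClusterRoles carry an aggregationRule
    # that unions the rules of every ClusterRole with these labels.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["ciliumnetworkpolicies", "ciliumendpoints"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["ciliumnetworkpolicies"]
    # Read verbs are not repeated here: syn-cilium-view is aggregated into
    # edit and admin as well, so get/list/watch already come from there.
    verbs: ["create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: syn-cilium-cluster-reader
  labels:
    # OpenShift's cluster-reader ClusterRole aggregates on this label.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  - apiGroups: ["cilium.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
```

Because the rules are merged into the default ClusterRoles, the scope is decided by the binding, not by these manifests: a RoleBinding to edit in a namespace grants the ciliumnetworkpolicy write verbs in that namespace only, while a ClusterRoleBinding grants them cluster-wide. To confirm the aggregation took effect, inspect the merged rules with `kubectl get clusterrole edit -o yaml` and test a concrete subject with `kubectl auth can-i create ciliumnetworkpolicies.cilium.io -n <namespace> --as=<user>`.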


1. View permission grants the RBAC verbs get, list and watch.