apiVersion: apps/v1 kind: DaemonSet metadata: annotations: deprecated.daemonset.template.generation: "1" meta.helm.sh/release-name: cilium meta.helm.sh/release-namespace: kube-system creationTimestamp: "2026-02-24T18:56:12Z" generation: 1 labels: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium name: cilium namespace: kube-system resourceVersion: "651" uid: 0d35beef-eb3d-440d-b039-a1ba118a570d spec: revisionHistoryLimit: 10 selector: matchLabels: k8s-app: cilium template: metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /tmp name: tmp dnsPolicy: ClusterFirst hostNetwork: true initContainers: - command: - cilium - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - command: - /install-plugin.sh image: quay.io/cilium/cilium:v1.14.8 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel updateStrategy: rollingUpdate: maxSurge: 0 maxUnavailable: 2 type: RollingUpdate status: currentNumberScheduled: 1 desiredNumberScheduled: 1 numberAvailable: 1 numberMisscheduled: 0 numberReady: 1 observedGeneration: 1 updatedNumberScheduled: 1