Enable hubble.

This commit is contained in:
Tom Alexander 2026-01-04 12:13:58 -05:00 committed by Tom Alexander
parent 44863a1669
commit 1bbaa2689a
Signed by: talexander
GPG Key ID: 36C99E8B3C39D85F
3 changed files with 26 additions and 0 deletions


@ -246,6 +246,15 @@ makeScope newScope (
"ipv4NativeRoutingCIDR" = "10.200.0.0/16"; "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
"ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80"; "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
"hubble" = {
"relay" = {
"enabled" = true;
};
"ui" = {
"enabled" = true;
};
};
# TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/ # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
# --set hostFirewall.enabled=true # --set hostFirewall.enabled=true
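Review bot: Enabling `hubble.ui` publishes cluster-wide flow data (every pod's peers, ports and resolved DNS names) through a web UI that has no built-in authentication, and the hunk sets neither `hubble.ui.ingress` nor any auth front-end, so anyone who can reach the UI's service can read it. If the intent is to keep it cluster-internal and reach it only via port-forward, a comment next to `"ui" = { "enabled" = true; };` would stop a later ingress or LoadBalancer change from exposing it silently: `# hubble.ui has no auth of its own; reach it via kubectl port-forward, never an ingress`. Relay-to-agent traffic is protected by Hubble's client mTLS only while `hubble.tls.enabled` keeps its default; the values shown do not set it, so that is worth confirming rather than assuming. The enclosing attribute set (`makeScope newScope (` …) begins before and continues after this hunk, and the header counts 9 added lines while 8 are visible, so one line of this section may be missing from the rendering.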


@ -71,6 +71,15 @@ set node-to-node-ports {
} }
} }
set pod-to-node-ports {
# Ports open for nodes sending packets to nodes
type inet_proto . inet_service
flags constant, interval
elements = {
tcp . 4244 # hubble ui
}
}
chain rpfilter { chain rpfilter {
type filter hook prerouting priority mangle + 10; policy drop; type filter hook prerouting priority mangle + 10; policy drop;
meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server" meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
@ -114,6 +123,10 @@ chain input-allow {
# Allow node to node # Allow node to node
ip saddr @node-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @node-to-node-ports accept ip saddr @node-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @node-to-node-ports accept
ip6 saddr @node-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @node-to-node-ports accept ip6 saddr @node-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @node-to-node-ports accept
# Allow pod to node
ip saddr @pod-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @pod-to-node-ports accept
ip6 saddr @pod-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @pod-to-node-ports accept
} }
chain forward { chain forward {
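Review bot: Both comments in the new `pod-to-node-ports` set are wrong and will mislead the next firewall edit: the set description `# Ports open for nodes sending packets to nodes` is copied from `node-to-node-ports` and should read `# Ports open for pods sending packets to nodes`, and `tcp . 4244 # hubble ui` mislabels the port — 4244 is the per-node Hubble observer gRPC endpoint the agent serves on the host, which the hubble-relay pod dials; the UI is a pod that talks to relay and needs no host port. Suggest `tcp . 4244 # hubble observer API on the agent, dialled by hubble-relay pods`. Note that the second hunk's two rules let every address in `@pod-cidr-ipv4`/`@pod-cidr-ipv6` reach that endpoint on every node, not just relay, since nftables cannot single out relay's pod IP here; the effective access control is therefore Hubble's client-certificate check on the Cilium side, and a comment on the rule saying so (`# any pod may reach 4244; Hubble mTLS is the real gate`) would record that dependency. `chain input-allow` continues past the hunk.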


@ -0,0 +1,4 @@
search svc.cluster.local cluster.local
nameserver 10.197.0.10
nameserver fd00:3e42:e349::10
options ndots:5
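Review bot: Nothing in the new file says which process it is handed to, and that decides whether it is correct: `nameserver 10.197.0.10` / `nameserver fd00:3e42:e349::10` look like a cluster DNS service address (inferred from the search list, not shown), which a host daemon can only reach if the node routes to service IPs, and `options ndots:5` with two search domains means any name with fewer than five dots (e.g. `example.com`) is first queried as `example.com.svc.cluster.local` and `example.com.cluster.local` before the absolute name — the kubelet default for pods, but two extra NXDOMAIN round trips per lookup if applied to host processes. A header comment would settle it: `# resolv.conf for <consumer>: resolves through the cluster DNS service; ndots:5 mirrors the kubelet pod default`. If the consumer is a host-side Hubble component, the pod-to-node firewall rules in this commit do not cover host-to-service DNS, so confirm that path separately.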