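---
# Source: cilium/charts/cilium/templates/hubble-relay/deployment.yaml
#
# Rendered Helm output: a single-replica hubble-relay Deployment running as
# an unprivileged user with a read-only config and a read-only projected
# client-TLS bundle.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hubble-relay
  namespace: kube-system
  labels:
    k8s-app: hubble-relay
    app.kubernetes.io/name: hubble-relay
    app.kubernetes.io/part-of: cilium
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: hubble-relay
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      # This rendering sets no pod annotations; an explicit empty map is
      # used instead of a bare (null) value so linters and diff tooling do
      # not trip on it. Kubernetes treats both identically.
      annotations: {}
      labels:
        k8s-app: hubble-relay
        app.kubernetes.io/name: hubble-relay
        app.kubernetes.io/part-of: cilium
    spec:
      securityContext:
        # fsGroup is the same GID as the container's runAsGroup below;
        # presumably so the projected TLS files (defaultMode 0400 below)
        # end up group-readable by the non-root relay user — verify on a
        # live pod if the relay fails to load its certs.
        fsGroup: 65532
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: hubble-relay
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
              type: RuntimeDefault
            # NOTE(review): readOnlyRootFilesystem is not set. Both volume
            # mounts below are readOnly, so enabling it looks feasible, but
            # confirm relay writes nothing to its root filesystem first.
          # Pinned by digest: the tag is informational only, the sha256 is
          # what the kubelet pulls and verifies.
          image: "quay.io/cilium/hubble-relay:v1.18.4@sha256:6d350cb1c84b847adb152173debef1f774126c69de21a5921a1e6a23b8779723"
          imagePullPolicy: IfNotPresent
          command:
            - hubble-relay
          args:
            - serve
          ports:
            - name: grpc
              containerPort: 4245
          # All three probes target 4222 rather than the gRPC port 4245;
          # presumably relay's separate health listener — verify against
          # the hubble-relay-config ConfigMap if probes fail unexpectedly.
          readinessProbe:
            grpc:
              port: 4222
            timeoutSeconds: 3
          # livenessProbe will kill the pod, we should be very conservative
          # here on failures since killing the pod should be a last resort, and
          # we should provide enough time for relay to retry before killing it.
          livenessProbe:
            grpc:
              port: 4222
            timeoutSeconds: 10
            # Give relay time to establish connections and make a few retries
            # before starting livenessProbes.
            initialDelaySeconds: 10
            # 10 second * 12 failures = 2 minutes of failure.
            # If relay cannot become healthy after 2 minutes, then killing it
            # might resolve whatever issue is occurring.
            #
            # 10 seconds is a reasonable retry period so we can see if it's
            # failing regularly or only sporadically.
            periodSeconds: 10
            failureThreshold: 12
          startupProbe:
            grpc:
              port: 4222
            # Give relay time to get its certs and establish connections and
            # make a few retries before starting startupProbes.
            initialDelaySeconds: 10
            # 20 * 3 seconds = 1 minute of failure before we consider startup as failed.
            failureThreshold: 20
            # Retry more frequently at startup so that it can be considered started more quickly.
            periodSeconds: 3
          # Both mounts are read-only: the container can read config and
          # client TLS material but cannot modify it.
          volumeMounts:
            - name: config
              mountPath: /etc/hubble-relay
              readOnly: true
            - name: tls
              mountPath: /var/lib/hubble-relay/tls
              readOnly: true
          terminationMessagePolicy: FallbackToLogsOnError
      restartPolicy: Always
      # No priority class is assigned by this rendering. An empty string is
      # equivalent to unset for this field; written explicitly to avoid a
      # bare null value.
      priorityClassName: ""
      serviceAccountName: "hubble-relay"
      # No API token is projected into the pod; relay authenticates to
      # Hubble with the client certificate below, not with a service
      # account token.
      automountServiceAccountToken: false
      terminationGracePeriodSeconds: 1
      affinity:
        # Hard requirement: only schedule onto nodes that already run a
        # pod labelled k8s-app=cilium (the Cilium agent).
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  k8s-app: cilium
              topologyKey: kubernetes.io/hostname
      nodeSelector:
        kubernetes.io/os: linux
      volumes:
        - name: config
          configMap:
            name: hubble-relay-config
            items:
              - key: config.yaml
                path: config.yaml
        - name: tls
          projected:
            # note: the leading zero means this number is in octal representation: do not remove it.
            # This field is an integer in the Kubernetes API, so it must stay
            # unquoted; "0400" as a string would be rejected.
            defaultMode: 0400
            sources:
              - secret:
                  name: hubble-relay-client-certs
                  items:
                    - key: tls.crt
                      path: client.crt
                    - key: tls.key
                      path: client.key
                    - key: ca.crt
                      path: hubble-server-ca.crt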