apiVersion: v1 items: - apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/config: unconfined container.apparmor.security.beta.kubernetes.io/install-cni-binaries: unconfined container.apparmor.security.beta.kubernetes.io/mount-bpf-fs: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: "2025-11-02T23:42:16Z" generateName: cilium- labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium controller-revision-hash: 957c85bbd k8s-app: cilium pod-template-generation: "2" name: cilium-dz5tb namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: cilium uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 resourceVersion: "2119659" uid: e6aa5803-1ff8-4fc7-adc0-2b2d876883e2 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node3 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true nodeName: k8s-node3 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists - effect: NoSchedule key: node.kubernetes.io/network-unavailable operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true - name: kube-api-access-w8z2h projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:35Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:42:52Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:27Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:27Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:42:16Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://e2e2831eeb015c7b2680d8ac3e6b8150d599c5ed336e1c68f0529444a90f6900 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: terminated: containerID: containerd://80d9e3dc9712c6f026ef6beb4e3bb5d4a728998fae8407b24afd9840e6e8bd6c exitCode: 255 finishedAt: "2025-11-11T23:56:16Z" message: |- -11T21:50:34Z level=info msg="agent.datapath.agent-liveness-updater.timer-job-agent-liveness-updater (rev=131303)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-ipset-init-finalizer (rev=23)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-reconcile (rev=131335)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-refresh (rev=131336)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.job-iptables-reconciliation-loop (rev=131330)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.l2-responder.job-l2-responder-reconciler (rev=131302)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.maps.bwmap.timer-job-pressure-metric-throttle (rev=131304)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.mtu.job-mtu-updater (rev=131326)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.node-address.job-node-address-update (rev=131333)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.orchestrator.job-reinitialize (rev=131324)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=131339)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-refresh (rev=131338)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=7)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.job-collect (rev=131320)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.timer-job-cleanup (rev=131319)" module=health time=2025-11-11T21:50:3 reason: Unknown startedAt: "2025-11-10T20:51:18Z" name: cilium-agent ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:08Z" volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true recursiveReadOnly: Disabled - mountPath: /lib/modules name: lib-modules readOnly: true recursiveReadOnly: Disabled - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.13 hostIPs: - ip: 192.168.50.13 - ip: 2404:4400:4181:9200:5054:ff:fe2a:4db1 initContainerStatuses: - containerID: containerd://b4a4bee558788a4b4370ffb735731a4c8e33a4230cccaada59feb1927d87a3c1 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: config ready: true restartCount: 3 started: false state: terminated: containerID: containerd://b4a4bee558788a4b4370ffb735731a4c8e33a4230cccaada59feb1927d87a3c1 exitCode: 0 finishedAt: "2025-11-11T23:56:52Z" reason: Completed startedAt: "2025-11-11T23:56:34Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled - containerID: containerd://0e3684fa418d2194ff9d387b74f740ec05c61cac24af63d6aeaa611de1b1e0b0 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-cgroup ready: true restartCount: 0 started: false state: terminated: containerID: containerd://0e3684fa418d2194ff9d387b74f740ec05c61cac24af63d6aeaa611de1b1e0b0 exitCode: 0 finishedAt: "2025-11-11T23:56:56Z" reason: Completed startedAt: "2025-11-11T23:56:53Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled - containerID: containerd://43a7019fe515c755549e92890f55d934c8773d872d7eaae888294ff952d32beb image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: apply-sysctl-overwrites ready: true restartCount: 0 started: false state: terminated: containerID: containerd://43a7019fe515c755549e92890f55d934c8773d872d7eaae888294ff952d32beb exitCode: 0 finishedAt: "2025-11-11T23:56:57Z" reason: Completed startedAt: "2025-11-11T23:56:57Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled - containerID: containerd://9dbe3a352a76b01cbd1ecc1549e580dec420f8f438fb4fc3004fd139da1ce275 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-bpf-fs ready: true restartCount: 0 started: false state: terminated: containerID: containerd://9dbe3a352a76b01cbd1ecc1549e580dec420f8f438fb4fc3004fd139da1ce275 exitCode: 0 finishedAt: "2025-11-11T23:56:59Z" reason: Completed startedAt: "2025-11-11T23:56:58Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled - containerID: containerd://a89642a78574c3e7a48a3c1925aaf638ee938f3fa8e16876b36a839c09515616 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: clean-cilium-state ready: true restartCount: 0 started: false state: terminated: containerID: containerd://a89642a78574c3e7a48a3c1925aaf638ee938f3fa8e16876b36a839c09515616 exitCode: 0 finishedAt: "2025-11-11T23:57:00Z" reason: Completed startedAt: "2025-11-11T23:57:00Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled - containerID: containerd://1d7b3e0d8f6eae8e750966189b760175a79514039881e5fc02548be35de5879e image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: install-cni-binaries ready: true restartCount: 0 started: false state: terminated: containerID: containerd://1d7b3e0d8f6eae8e750966189b760175a79514039881e5fc02548be35de5879e exitCode: 0 finishedAt: "2025-11-11T23:57:07Z" reason: Completed startedAt: "2025-11-11T23:57:01Z" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-w8z2h readOnly: true recursiveReadOnly: Disabled phase: Running podIP: 192.168.50.13 podIPs: - ip: 192.168.50.13 - ip: 2404:4400:4181:9200:5054:ff:fe2a:4db1 qosClass: Burstable startTime: "2025-11-02T23:42:17Z" - apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/config: unconfined container.apparmor.security.beta.kubernetes.io/install-cni-binaries: unconfined container.apparmor.security.beta.kubernetes.io/mount-bpf-fs: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: "2025-11-02T23:26:28Z" generateName: cilium- labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium controller-revision-hash: 957c85bbd k8s-app: cilium pod-template-generation: "2" name: cilium-f4jnc namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: cilium uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 resourceVersion: "2119508" uid: 86f05ab3-3e61-4dd9-9578-7baf9a5030e1 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node1 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true nodeName: k8s-node1 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists - effect: NoSchedule key: node.kubernetes.io/network-unavailable operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true - name: kube-api-access-dfgg9 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:55:21Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:35Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:06Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:06Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:28Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://254b67269c40bcb7082c0bcfa422ae7c85c970858f07136f061f5fe75982de07 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: terminated: containerID: containerd://68bb7731aab67ca572b79ba2b7918835d5ee597721db18210a88ead89add2a09 exitCode: 255 finishedAt: "2025-11-11T23:54:41Z" message: |- l=info msg="agent.controlplane.stale-endpoint-cleanup.job-endpoint-cleanup (rev=112)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.agent-liveness-updater.timer-job-agent-liveness-updater (rev=159335)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-ipset-init-finalizer (rev=30)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-reconcile (rev=159368)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-refresh (rev=159369)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.job-iptables-reconciliation-loop (rev=159363)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.l2-responder.job-l2-responder-reconciler (rev=159334)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.maps.bwmap.timer-job-pressure-metric-throttle (rev=159336)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.mtu.job-mtu-updater (rev=159358)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.node-address.job-node-address-update (rev=159366)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.orchestrator.job-reinitialize (rev=159356)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=159372)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-refresh (rev=159371)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=7)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.job-collect (rev=159352)" module=health time=2025-11-11T21: reason: Unknown startedAt: "2025-11-10T20:51:21Z" name: cilium-agent ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:56:17Z" volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true recursiveReadOnly: Disabled - mountPath: /lib/modules name: lib-modules readOnly: true recursiveReadOnly: Disabled - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 initContainerStatuses: - containerID: containerd://8e9ec097d12cd404bcacf3574447ae003fe57db27670b9894c00f42c98025a15 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: config ready: true restartCount: 3 started: false state: terminated: containerID: containerd://8e9ec097d12cd404bcacf3574447ae003fe57db27670b9894c00f42c98025a15 exitCode: 0 finishedAt: "2025-11-11T23:55:55Z" reason: Completed startedAt: "2025-11-11T23:55:20Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://6be98d33b982de482f785e8c1a5a3431c0d1467305da3d7d80d9677d90c0dcc3 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-cgroup ready: true restartCount: 0 started: false state: terminated: containerID: containerd://6be98d33b982de482f785e8c1a5a3431c0d1467305da3d7d80d9677d90c0dcc3 exitCode: 0 finishedAt: "2025-11-11T23:55:58Z" reason: Completed startedAt: "2025-11-11T23:55:56Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://ebd10ea799bcd40ab75dd7f5b0c3fad0b26037214f19d259b26967b8d2e9750e image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: apply-sysctl-overwrites ready: true restartCount: 0 started: false state: terminated: containerID: containerd://ebd10ea799bcd40ab75dd7f5b0c3fad0b26037214f19d259b26967b8d2e9750e exitCode: 0 finishedAt: "2025-11-11T23:55:59Z" reason: Completed startedAt: "2025-11-11T23:55:59Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://154553b5685a9235804ed8b662c3c6283e25ccb3fac0afe62522a0b05d0f43b7 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-bpf-fs ready: true restartCount: 0 started: false state: terminated: containerID: containerd://154553b5685a9235804ed8b662c3c6283e25ccb3fac0afe62522a0b05d0f43b7 exitCode: 0 finishedAt: "2025-11-11T23:56:04Z" reason: Completed startedAt: "2025-11-11T23:56:00Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://3d88bd56884d4c1b52e0d90928856708f3567ca9c5a314e9704a5a8d1cc1a9b9 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: clean-cilium-state ready: true restartCount: 0 started: false state: terminated: containerID: containerd://3d88bd56884d4c1b52e0d90928856708f3567ca9c5a314e9704a5a8d1cc1a9b9 exitCode: 0 finishedAt: "2025-11-11T23:56:06Z" reason: Completed startedAt: "2025-11-11T23:56:05Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://080a1a943869e1e62da7db6654f2874a95208b56804efc0936c93cf79db1c4af image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: install-cni-binaries ready: true restartCount: 0 started: false state: terminated: containerID: containerd://080a1a943869e1e62da7db6654f2874a95208b56804efc0936c93cf79db1c4af exitCode: 0 finishedAt: "2025-11-11T23:56:16Z" reason: Completed startedAt: "2025-11-11T23:56:06Z" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-dfgg9 readOnly: true recursiveReadOnly: Disabled phase: Running podIP: 192.168.50.11 podIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 qosClass: Burstable startTime: "2025-11-02T23:26:28Z" - apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/config: unconfined container.apparmor.security.beta.kubernetes.io/install-cni-binaries: unconfined container.apparmor.security.beta.kubernetes.io/mount-bpf-fs: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: "2025-11-04T02:46:15Z" generateName: cilium- labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium controller-revision-hash: 957c85bbd k8s-app: cilium pod-template-generation: "2" name: cilium-kw7r6 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: cilium uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 resourceVersion: "2119741" uid: 418263eb-6022-4c52-b317-822c2a0cfd99 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node5 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true nodeName: k8s-node5 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists - effect: NoSchedule key: node.kubernetes.io/network-unavailable operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true - name: kube-api-access-qnp6w projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:26Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-04T02:46:47Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:36Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:36Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-04T02:46:15Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://5a8639fc948b11edaf9d351493ae99d8ceba4b0be83a00701ff28ac79b129da1 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: terminated: containerID: containerd://425470344e26736531f1e35d3872a430a13c48ee34739d0c9a17e12ec46b0ced exitCode: 255 finishedAt: "2025-11-11T23:56:04Z" message: |- econciler (rev=116210)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.maps.bwmap.timer-job-pressure-metric-throttle (rev=116212)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.mtu.job-mtu-updater (rev=116234)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.node-address.job-node-address-update (rev=116241)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.orchestrator.job-reinitialize (rev=116232)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=116247)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-refresh (rev=116246)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=7)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.job-collect (rev=116228)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.timer-job-cleanup (rev=116227)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.shell.job-listener (rev=116226)" module=health time=2025-11-11T21:50:34Z level=info msg="health.job-module-status-metrics (rev=116209)" module=health time="2025-11-11T21:50:34.49600263Z" level=info msg="Removed endpoint" ciliumEndpointName=/ containerID= containerInterface= datapathPolicyRevision=1 desiredPolicyRevision=1 endpointID=164 identity=4 ipv4=10.1.4.94 ipv6= k8sPodName=/ subsys=endpoint time="2025-11-11T21:50:34.502098866Z" level=info msg="Stopping fswatcher" config=tls-server subsys=hubble time="2025-11-11T21:50:34.5089139Z" level=info msg="Datapath signal listener exiting" subsys=signal time="2025-11-11T21:50:34.508982532Z" level=info msg=" reason: Unknown startedAt: "2025-11-10T23:40:12Z" name: cilium-agent ready: true restartCount: 4 started: true state: running: startedAt: "2025-11-11T23:57:06Z" volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true recursiveReadOnly: Disabled - mountPath: /lib/modules name: lib-modules readOnly: true recursiveReadOnly: Disabled - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.15 hostIPs: - ip: 192.168.50.15 - ip: 2404:4400:4181:9200:5054:ff:fe9a:4a4d initContainerStatuses: - containerID: containerd://95c856ecd163b849b0c1dedb7ed012a2594d2338561bfa123364d56536733530 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: config ready: true restartCount: 4 started: false state: terminated: containerID: containerd://95c856ecd163b849b0c1dedb7ed012a2594d2338561bfa123364d56536733530 exitCode: 0 finishedAt: "2025-11-11T23:56:52Z" reason: Completed startedAt: "2025-11-11T23:56:25Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled - containerID: containerd://1934842e1f673e17242d63ea68307d53bc789d3cd4361ecb108e6ad9fce4e0f8 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-cgroup ready: true restartCount: 0 started: false state: terminated: containerID: containerd://1934842e1f673e17242d63ea68307d53bc789d3cd4361ecb108e6ad9fce4e0f8 exitCode: 0 finishedAt: "2025-11-11T23:56:56Z" reason: Completed startedAt: "2025-11-11T23:56:53Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled - containerID: containerd://7a1ace36d237e687b587baab31ea5f8a93ba159200119924246e501448b9f69b image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: apply-sysctl-overwrites ready: true restartCount: 0 started: false state: terminated: containerID: containerd://7a1ace36d237e687b587baab31ea5f8a93ba159200119924246e501448b9f69b exitCode: 0 finishedAt: "2025-11-11T23:56:56Z" reason: Completed startedAt: "2025-11-11T23:56:56Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled - containerID: containerd://974d9257f1fb98e481aa757c5aa8c2cc5af7760d4de4ba14801fdef3b32fd5c6 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-bpf-fs ready: true restartCount: 0 started: false state: terminated: containerID: containerd://974d9257f1fb98e481aa757c5aa8c2cc5af7760d4de4ba14801fdef3b32fd5c6 exitCode: 0 finishedAt: "2025-11-11T23:56:58Z" reason: Completed startedAt: "2025-11-11T23:56:57Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled - containerID: containerd://cf9cecf868e5c827c7eb3abc590cd8d43d11d522a7a35dde15f0117e38ef3860 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: clean-cilium-state ready: true restartCount: 0 started: false state: terminated: containerID: containerd://cf9cecf868e5c827c7eb3abc590cd8d43d11d522a7a35dde15f0117e38ef3860 exitCode: 0 finishedAt: "2025-11-11T23:56:59Z" reason: Completed startedAt: "2025-11-11T23:56:59Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled - containerID: containerd://853b7ccf0d7abb99213eb689b778c3406a4fdb469e6d3ea8fea96fd86c7b6734 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: install-cni-binaries ready: true restartCount: 0 started: false state: terminated: containerID: containerd://853b7ccf0d7abb99213eb689b778c3406a4fdb469e6d3ea8fea96fd86c7b6734 exitCode: 0 finishedAt: "2025-11-11T23:57:05Z" reason: Completed startedAt: "2025-11-11T23:57:00Z" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qnp6w readOnly: true recursiveReadOnly: Disabled phase: Running podIP: 192.168.50.15 podIPs: - ip: 192.168.50.15 - ip: 2404:4400:4181:9200:5054:ff:fe9a:4a4d qosClass: Burstable startTime: "2025-11-04T02:46:16Z" - apiVersion: v1 kind: Pod metadata: annotations: kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" prometheus.io/port: "9963" prometheus.io/scrape: "true" creationTimestamp: "2025-11-02T23:26:02Z" generateName: cilium-operator-678d7868c8- labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator pod-template-hash: 678d7868c8 name: cilium-operator-678d7868c8-2rn65 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: cilium-operator-678d7868c8 uid: 54d5cbf9-63e4-45f6-a6be-22fcac89aae5 resourceVersion: "2119150" uid: 3f425f4e-da91-4e2d-9a54-5cb54c30ae6a spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: io.cilium/app: operator topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) command: - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: key: debug name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium-operator-generic:1.17.1-ck2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 3 name: cilium-operator ports: - containerPort: 9963 hostPort: 9963 name: prometheus protocol: TCP readinessProbe: failureThreshold: 5 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-22lnl readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true nodeName: k8s-node1 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: cilium-operator serviceAccountName: cilium-operator terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - configMap: defaultMode: 420 name: cilium-config name: cilium-config-path - name: kube-api-access-22lnl projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:55:21Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:13Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:03Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:03Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:13Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://6db5adddca627179cf41860c5883ff27df56c1608c7211a0ad0225100e58b197 image: ghcr.io/canonical/cilium-operator-generic:1.17.1-ck2 imageID: ghcr.io/canonical/cilium-operator-generic@sha256:d584588048b6ae94c1810eaa5ebc9073e3063a019477a03bf3ec23445998e6e5 lastState: terminated: containerID: containerd://55605c9d5753491b368ed971b3d0c971df68106377ee060a595df41f7b6de940 exitCode: 255 finishedAt: "2025-11-11T23:54:41Z" message: | tus tree" module=health error="provider is stopped, no more updates will take place" time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*job.group.Stop duration=84.292589ms time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2.CiliumNode].Stop duration=832.704µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1.CiliumBGPPeerConfig].Stop duration=269.997µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1.CiliumBGPNodeConfig].Stop duration=12.698µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1.CiliumBGPNodeConfigOverride].Stop duration=33.624µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1.CiliumBGPClusterConfig].Stop duration=13.212µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*job.group.Stop duration=193.719µs time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*resource.resource[*github.com/cilium/cilium/pkg/k8s/slim/k8s/api/core/v1.Service].Stop duration=864.496µs time=2025-11-11T21:50:34Z level=error msg="failed to delete reporter status tree" module=health error="provider is stopped, no more updates will take place" time=2025-11-11T21:50:34Z level=info msg="Stop hook executed" module=operator.operator-controlplane function=*job.group.Stop duration=121.359µs reason: Unknown startedAt: "2025-11-10T20:50:42Z" name: cilium-operator ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:55:20Z" volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true recursiveReadOnly: Disabled - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-22lnl readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 phase: Running podIP: 192.168.50.11 podIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 qosClass: BestEffort startTime: "2025-11-02T23:26:13Z" - apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/config: unconfined container.apparmor.security.beta.kubernetes.io/install-cni-binaries: unconfined container.apparmor.security.beta.kubernetes.io/mount-bpf-fs: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: "2025-11-04T02:41:48Z" generateName: cilium- labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium controller-revision-hash: 957c85bbd k8s-app: cilium pod-template-generation: "2" name: cilium-t8dkh namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: cilium uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 resourceVersion: "2119825" uid: 35b69926-c49a-4e61-b1bd-a1137f36dddd spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node4 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true nodeName: k8s-node4 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists - effect: NoSchedule key: node.kubernetes.io/network-unavailable operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true - name: kube-api-access-5nqv2 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:38Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-04T02:46:44Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:51Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:51Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-04T02:41:48Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://db2da04ca78515ca4473f942f4885f89208ea331316214f60ac902ecae09aac7 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: terminated: containerID: containerd://2aa34d5ab71180e5aca2012ea875cdf8c0f3ace7fdbc9f1b2f72ca6260d4a6be exitCode: 255 finishedAt: "2025-11-11T23:56:20Z" message: |- 025-11-11T21:50:34Z level=info msg="agent.datapath.mtu.job-mtu-updater (rev=131015)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.node-address.job-node-address-update (rev=131022)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.orchestrator.job-reinitialize (rev=131013)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=131028)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-refresh (rev=131027)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=8)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.job-collect (rev=131009)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.timer-job-cleanup (rev=131008)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.shell.job-listener (rev=131007)" module=health time=2025-11-11T21:50:34Z level=info msg="health.job-module-status-metrics (rev=130990)" module=health time="2025-11-11T21:50:34.487300853Z" level=info msg="Removed endpoint" ciliumEndpointName=/ containerID= containerInterface= datapathPolicyRevision=1 desiredPolicyRevision=1 endpointID=79 identity=4 ipv4=10.1.3.141 ipv6= k8sPodName=/ subsys=endpoint time="2025-11-11T21:50:34.489107118Z" level=info msg="Stopping fswatcher" config=tls-server subsys=hubble time="2025-11-11T21:50:34.494710404Z" level=info msg="Datapath signal listener exiting" subsys=signal time="2025-11-11T21:50:34.494805615Z" level=info msg="Datapath signal listener done" subsys=signal time="2025-11-11T21:50:34.494858625Z" level=info msg="Signal handler closed. Stopping conntrack garbage collector" subsys=ct-na reason: Unknown startedAt: "2025-11-10T20:51:38Z" name: cilium-agent ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:20Z" volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true recursiveReadOnly: Disabled - mountPath: /lib/modules name: lib-modules readOnly: true recursiveReadOnly: Disabled - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.14 hostIPs: - ip: 192.168.50.14 - ip: 2404:4400:4181:9200:5054:ff:fe3a:84fd initContainerStatuses: - containerID: containerd://750bf14f07ee1c2b4c21ceb9ad7bbdf3e51ec8eb171c01507d38a1873f2a8974 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: config ready: true restartCount: 3 started: false state: terminated: containerID: containerd://750bf14f07ee1c2b4c21ceb9ad7bbdf3e51ec8eb171c01507d38a1873f2a8974 exitCode: 0 finishedAt: "2025-11-11T23:57:06Z" reason: Completed startedAt: "2025-11-11T23:56:37Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://f7d02d586ca180f2642fdd4a66945f427f88886eb50b452aa4b8d6d6ff4e0d25 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-cgroup ready: true restartCount: 0 started: false state: terminated: containerID: containerd://f7d02d586ca180f2642fdd4a66945f427f88886eb50b452aa4b8d6d6ff4e0d25 exitCode: 0 finishedAt: "2025-11-11T23:57:09Z" reason: Completed startedAt: "2025-11-11T23:57:07Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://7b86ca82da7e3efc052da212a996c083e4bfd34c8ad44379df41c45240df328f image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: apply-sysctl-overwrites ready: true restartCount: 0 started: false state: terminated: containerID: containerd://7b86ca82da7e3efc052da212a996c083e4bfd34c8ad44379df41c45240df328f exitCode: 0 finishedAt: "2025-11-11T23:57:10Z" reason: Completed startedAt: "2025-11-11T23:57:10Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://d90c6c06ceb7ad7f24cb92973121ac0e287abbb7355127da87ce64bb62087953 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-bpf-fs ready: true restartCount: 0 started: false state: terminated: containerID: containerd://d90c6c06ceb7ad7f24cb92973121ac0e287abbb7355127da87ce64bb62087953 exitCode: 0 finishedAt: "2025-11-11T23:57:12Z" reason: Completed startedAt: "2025-11-11T23:57:11Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://1543205d77323dff8ef2d4fd85927d1945d84f9bb5ee3eb363376bb2409bb8d5 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: clean-cilium-state ready: true restartCount: 0 started: false state: terminated: containerID: containerd://1543205d77323dff8ef2d4fd85927d1945d84f9bb5ee3eb363376bb2409bb8d5 exitCode: 0 finishedAt: "2025-11-11T23:57:13Z" reason: Completed startedAt: "2025-11-11T23:57:13Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://40a5f66cb3f8d9015aac388cadc0bd97a852dd0ce87a2389cf96650d427a2bcb image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: install-cni-binaries ready: true restartCount: 0 started: false state: terminated: containerID: containerd://40a5f66cb3f8d9015aac388cadc0bd97a852dd0ce87a2389cf96650d427a2bcb exitCode: 0 finishedAt: "2025-11-11T23:57:19Z" reason: Completed startedAt: "2025-11-11T23:57:14Z" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5nqv2 readOnly: true recursiveReadOnly: Disabled phase: Running podIP: 192.168.50.14 podIPs: - ip: 192.168.50.14 - ip: 2404:4400:4181:9200:5054:ff:fe3a:84fd qosClass: Burstable startTime: "2025-11-04T02:41:49Z" - apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined container.apparmor.security.beta.kubernetes.io/config: unconfined container.apparmor.security.beta.kubernetes.io/install-cni-binaries: unconfined container.apparmor.security.beta.kubernetes.io/mount-bpf-fs: unconfined container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: "2025-11-02T23:41:26Z" generateName: cilium- labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium controller-revision-hash: 957c85bbd k8s-app: cilium pod-template-generation: "2" name: cilium-tkb27 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: cilium uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 resourceVersion: "2119638" uid: 2617c977-03c5-43d3-8852-fdc002bf7b62 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node2 podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true nodeName: k8s-node2 nodeSelector: kubernetes.io/os: linux preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists - effect: NoSchedule key: node.kubernetes.io/network-unavailable operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true - name: kube-api-access-hqj7c projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:56:10Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:46:51Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:24Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:24Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:41:26Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://36b8463c78f62196e9106bb9bdc1a911e7b7a8c8ffd03b55b2283cdb5a861735 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: terminated: containerID: containerd://7a7d32498b5f1fd1d4fb557a40b55dfcf9c3be7b8cd0936744a61baa0cca36e2 exitCode: 255 finishedAt: "2025-11-11T23:55:50Z" message: |- l=info msg="agent.controlplane.stale-endpoint-cleanup.job-endpoint-cleanup (rev=100)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.agent-liveness-updater.timer-job-agent-liveness-updater (rev=130756)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-ipset-init-finalizer (rev=29)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-reconcile (rev=130789)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.ipset.job-refresh (rev=130788)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.iptables.job-iptables-reconciliation-loop (rev=130783)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.l2-responder.job-l2-responder-reconciler (rev=130755)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.maps.bwmap.timer-job-pressure-metric-throttle (rev=130757)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.mtu.job-mtu-updater (rev=130779)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.node-address.job-node-address-update (rev=130786)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.orchestrator.job-reinitialize (rev=130777)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-reconcile (rev=130792)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.datapath.sysctl.job-refresh (rev=130791)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.k8s-synced-crdsync.job-sync-crds (rev=7)" module=health time=2025-11-11T21:50:34Z level=info msg="agent.infra.metrics.job-collect (rev=130773)" module=health time=2025-11-11T21: reason: Unknown startedAt: "2025-11-10T20:51:21Z" name: cilium-agent ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:00Z" volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true recursiveReadOnly: Disabled - mountPath: /lib/modules name: lib-modules readOnly: true recursiveReadOnly: Disabled - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true recursiveReadOnly: Disabled - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.12 hostIPs: - ip: 192.168.50.12 - ip: 2404:4400:4181:9200:5054:ff:fe26:38b3 initContainerStatuses: - containerID: containerd://8fd59b3a5cd8c595b3b805788b169fc71b7e8b57e4a43003c49ef9c951fc6e6c image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: config ready: true restartCount: 3 started: false state: terminated: containerID: containerd://8fd59b3a5cd8c595b3b805788b169fc71b7e8b57e4a43003c49ef9c951fc6e6c exitCode: 0 finishedAt: "2025-11-11T23:56:45Z" reason: Completed startedAt: "2025-11-11T23:56:09Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled - containerID: containerd://c1b42a1573966c8bee69384710b533863d646bd4e1844d4ec4aa5cda00e91286 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-cgroup ready: true restartCount: 0 started: false state: terminated: containerID: containerd://c1b42a1573966c8bee69384710b533863d646bd4e1844d4ec4aa5cda00e91286 exitCode: 0 finishedAt: "2025-11-11T23:56:47Z" reason: Completed startedAt: "2025-11-11T23:56:46Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled - containerID: containerd://6266ef449fbac4bbf8a1634e814c1088495cf10936bdc80ccfcd665e0d8293bc image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: apply-sysctl-overwrites ready: true restartCount: 0 started: false state: terminated: containerID: containerd://6266ef449fbac4bbf8a1634e814c1088495cf10936bdc80ccfcd665e0d8293bc exitCode: 0 finishedAt: "2025-11-11T23:56:48Z" reason: Completed startedAt: "2025-11-11T23:56:48Z" volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled - containerID: containerd://7d4794ee63fd693e8afa68665cabab085655bab126603bb95c8cf2795b290d9c image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: mount-bpf-fs ready: true restartCount: 0 started: false state: terminated: containerID: containerd://7d4794ee63fd693e8afa68665cabab085655bab126603bb95c8cf2795b290d9c exitCode: 0 finishedAt: "2025-11-11T23:56:50Z" reason: Completed startedAt: "2025-11-11T23:56:49Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled - containerID: containerd://80f89ffea7743e7a8195b6aacb8b2251ab99f44ddfdf4ea57870a87208b36ae1 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: clean-cilium-state ready: true restartCount: 0 started: false state: terminated: containerID: containerd://80f89ffea7743e7a8195b6aacb8b2251ab99f44ddfdf4ea57870a87208b36ae1 exitCode: 0 finishedAt: "2025-11-11T23:56:51Z" reason: Completed startedAt: "2025-11-11T23:56:51Z" volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled - containerID: containerd://fcae7494936109a46a6d61ed8435171920929dafafbc6c77c305557f8647a006 image: ghcr.io/canonical/cilium:1.17.1-ck2 imageID: ghcr.io/canonical/cilium@sha256:5291fb13d024f015d48b84bb09089032e3ff9deedbe1444a389c9a4f00adc9e3 lastState: {} name: install-cni-binaries ready: true restartCount: 0 started: false state: terminated: containerID: containerd://fcae7494936109a46a6d61ed8435171920929dafafbc6c77c305557f8647a006 exitCode: 0 finishedAt: "2025-11-11T23:56:59Z" reason: Completed startedAt: "2025-11-11T23:56:52Z" volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-hqj7c readOnly: true recursiveReadOnly: Disabled phase: Running podIP: 192.168.50.12 podIPs: - ip: 192.168.50.12 - ip: 2404:4400:4181:9200:5054:ff:fe26:38b3 qosClass: Burstable startTime: "2025-11-02T23:41:26Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-02T23:25:53Z" generateName: ck-storage-rawfile-csi-controller- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi apps.kubernetes.io/pod-index: "0" component: controller controller-revision-hash: ck-storage-rawfile-csi-controller-6ddc646dbb statefulset.kubernetes.io/pod-name: ck-storage-rawfile-csi-controller-0 name: ck-storage-rawfile-csi-controller-0 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: StatefulSet name: ck-storage-rawfile-csi-controller uid: 80bd7171-7f66-4fac-b489-836a98e06d72 resourceVersion: "2119698" uid: c18a3ca0-3b8d-4963-8db7-238605d0d717 spec: containers: - args: - --args - rawfile - csi-driver - --disable-metrics env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-mk8h9 readOnly: true - args: - --csi-address=$(ADDRESS) - --handle-volume-inuse-error=false env: - name: ADDRESS value: /csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-resizer:v1.11.2 imagePullPolicy: IfNotPresent name: external-resizer resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-mk8h9 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true hostname: ck-storage-rawfile-csi-controller-0 nodeName: k8s-node1 preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver subdomain: ck-storage-rawfile-csi terminationGracePeriodSeconds: 30 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Equal value: "true" - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Equal value: "true" - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - emptyDir: {} name: socket-dir - name: kube-api-access-mk8h9 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:29Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:29Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:29Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://731a565272b6d3c9f875c4afa6f39494228b1ced1d24a0a755b7aec3bbb133b5 image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://7c853c66349b22e7f88845aa87a899d9267c131ffe4d9ba051d3a07967543905 exitCode: 255 finishedAt: "2025-11-11T23:54:42Z" reason: Unknown startedAt: "2025-11-10T20:52:26Z" name: csi-driver ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-mk8h9 readOnly: true recursiveReadOnly: Disabled - containerID: containerd://5d90fd45eb0a010ffd92beaaa6f4f6ea539386e2f969b3e05ee57f0d30c0f8a8 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-resizer:v1.11.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-resizer@sha256:be6a7de1d43dba90710b61bd3d0d8f568654a6adadaeea9188cf4cd3554cbb87 lastState: terminated: containerID: containerd://0f457dd211e021b3c84af1a8aaaa7a49a523959c45eb088e7df9e35bca0a7532 exitCode: 255 finishedAt: "2025-11-11T23:54:40Z" reason: Unknown startedAt: "2025-11-10T20:52:27Z" name: external-resizer ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-mk8h9 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 phase: Running podIP: 10.1.0.182 podIPs: - ip: 10.1.0.182 qosClass: Burstable startTime: "2025-11-02T23:26:40Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-04T02:41:48Z" generateName: ck-storage-rawfile-csi-node- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node controller-revision-hash: 5df7f564fd pod-template-generation: "1" name: ck-storage-rawfile-csi-node-dwfr2 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: ck-storage-rawfile-csi-node uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 resourceVersion: "2119936" uid: eefc14d6-b0ea-47aa-a337-a072507f8390 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node4 containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node4 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir - name: kube-api-access-26r9b projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:11Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-04T02:41:49Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:11Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:11Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-04T02:41:48Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://dcf4a0d556a5330fff422ec5ca95900b090e93a5465cc079b245cf522201e008 image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://6f38a60340dec104473aedb9de53ec18e0d86fe982b3d5463c68e9a6f8503206 exitCode: 255 finishedAt: "2025-11-11T23:56:21Z" reason: Unknown startedAt: "2025-11-10T20:52:31Z" name: csi-driver ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:58:09Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true recursiveReadOnly: Disabled - containerID: containerd://94cd336f81ba0dfc931ada1cab0510f0c1baba53dc993bfcd3131dc9d77c69b8 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner@sha256:7b9cdb5830d01bda96111b4f138dbddcc01eed2f95aa980a404c45a042d60a10 lastState: terminated: containerID: containerd://1dd107616588d7aa1f225815df9df1f9464fab4cd93554dc05591649b8048733 exitCode: 255 finishedAt: "2025-11-11T23:56:19Z" reason: Unknown startedAt: "2025-11-10T20:52:33Z" name: external-provisioner ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:58:10Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true recursiveReadOnly: Disabled - containerID: containerd://d069cdd97e091286ae9ac5465497b1176775008f7da94989dab4ed8b62d2acc0 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter@sha256:5f051159c95fd13b0b518436cb20808862d2f7f95f45e036da4242f3416befe4 lastState: terminated: containerID: containerd://57e072e1b589deb8e390b289fd12987aa6047a367197551333866639acfe9ff1 exitCode: 255 finishedAt: "2025-11-11T23:56:21Z" reason: Unknown startedAt: "2025-11-10T20:52:33Z" name: external-snapshotter ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:58:10Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true recursiveReadOnly: Disabled - containerID: containerd://1a0deac2cdb8469d4bc78644a497bc0882e83465b380c6490f3764c8db8fae05 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar@sha256:f25af73ee708ff9c82595ae99493cdef9295bd96953366cddf36305f82555dac lastState: terminated: containerID: containerd://4932d2a68fa6e420d903e58d38bd146d62e0ac67f6996f32e393699fe53eb89a exitCode: 255 finishedAt: "2025-11-11T23:56:20Z" reason: Unknown startedAt: "2025-11-10T20:52:32Z" name: node-driver-registrar ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:58:10Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-26r9b readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.14 hostIPs: - ip: 192.168.50.14 - ip: 2404:4400:4181:9200:5054:ff:fe3a:84fd phase: Running podIP: 10.1.3.126 podIPs: - ip: 10.1.3.126 qosClass: Burstable startTime: "2025-11-04T02:41:49Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-04T02:46:15Z" generateName: ck-storage-rawfile-csi-node- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node controller-revision-hash: 5df7f564fd pod-template-generation: "1" name: ck-storage-rawfile-csi-node-hgmmc namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: ck-storage-rawfile-csi-node uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 resourceVersion: "2119882" uid: 733eb6e2-6846-4cea-b64a-fa0118f9e0d8 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node5 containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node5 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir - name: kube-api-access-f46jr projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:00Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-04T02:46:16Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:00Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:00Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-04T02:46:15Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://c092afad77e20e70637b3ca56b8d12070b7495d6a60bd1c163943c52d860e7a5 image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://f7497da39e149c16d30fa47bd0cb6582acdf5fc448847ff1a029d852b1616d41 exitCode: 255 finishedAt: "2025-11-11T23:56:06Z" reason: Unknown startedAt: "2025-11-10T23:40:23Z" name: csi-driver ready: true restartCount: 4 started: true state: running: startedAt: "2025-11-11T23:57:59Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true recursiveReadOnly: Disabled - containerID: containerd://9b91ffc3fab25f8c475c1117d886f261cc087bc7b295bbd2c6a90fb57398dee4 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner@sha256:7b9cdb5830d01bda96111b4f138dbddcc01eed2f95aa980a404c45a042d60a10 lastState: terminated: containerID: containerd://bbc38125e8faf0f9ab6af96b52ff029c34181815ea38210d310c9eeb5010490f exitCode: 255 finishedAt: "2025-11-11T23:56:06Z" reason: Unknown startedAt: "2025-11-10T23:40:23Z" name: external-provisioner ready: true restartCount: 4 started: true state: running: startedAt: "2025-11-11T23:57:59Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true recursiveReadOnly: Disabled - containerID: containerd://f0a0c0d7d8e5105be61d1f955b62319d33d5bdad5e01ba0c9c2b1f19aad171cd image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter@sha256:5f051159c95fd13b0b518436cb20808862d2f7f95f45e036da4242f3416befe4 lastState: terminated: containerID: containerd://6f7828caf9b3d6678cc73668c56405b41041da6f7dd339cc5a539cf01bbe2436 exitCode: 255 finishedAt: "2025-11-11T23:56:05Z" reason: Unknown startedAt: "2025-11-10T23:40:23Z" name: external-snapshotter ready: true restartCount: 4 started: true state: running: startedAt: "2025-11-11T23:58:00Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true recursiveReadOnly: Disabled - containerID: containerd://fd888368ddbaf9ba3f95ef55ae558054b351d77855077942fd681fcba82f475d image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar@sha256:f25af73ee708ff9c82595ae99493cdef9295bd96953366cddf36305f82555dac lastState: terminated: containerID: containerd://7e096fdf9a2d9222d39c10d30bb38307229efa28f0ac53731891d8a1847ab8a9 exitCode: 255 finishedAt: "2025-11-11T23:56:05Z" reason: Unknown startedAt: "2025-11-10T23:40:23Z" name: node-driver-registrar ready: true restartCount: 4 started: true state: running: startedAt: "2025-11-11T23:57:59Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-f46jr readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.15 hostIPs: - ip: 192.168.50.15 - ip: 2404:4400:4181:9200:5054:ff:fe9a:4a4d phase: Running podIP: 10.1.4.226 podIPs: - ip: 10.1.4.226 qosClass: Burstable startTime: "2025-11-04T02:46:16Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-02T23:42:16Z" generateName: ck-storage-rawfile-csi-node- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node controller-revision-hash: 5df7f564fd pod-template-generation: "1" name: ck-storage-rawfile-csi-node-q5x5n namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: ck-storage-rawfile-csi-node uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 resourceVersion: "2119847" uid: eecd3fd8-2a54-470b-8651-aeb98645a6d4 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node3 containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node3 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir - name: kube-api-access-82cjb projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:53Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:42:17Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:53Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:53Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:42:16Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://60f90eb21267906242031ba6cd5143b73dcfb4abe23da45f550b0dec6c06c55b image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://a506401c559a9723fe0766de0eb7d2c479510fa93b8735a2610f3d0180d9318a exitCode: 255 finishedAt: "2025-11-11T23:56:16Z" reason: Unknown startedAt: "2025-11-10T20:52:09Z" name: csi-driver ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:51Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true recursiveReadOnly: Disabled - containerID: containerd://f00972b688221e237144c3c061b6018409808fc6e399e9e3c74a6ffafe7574f4 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner@sha256:7b9cdb5830d01bda96111b4f138dbddcc01eed2f95aa980a404c45a042d60a10 lastState: terminated: containerID: containerd://f25150ad92915b2093cfec7b13a6804ab5532c7a8cdf7397ac822beae6f5512d exitCode: 255 finishedAt: "2025-11-11T23:56:17Z" reason: Unknown startedAt: "2025-11-10T20:52:10Z" name: external-provisioner ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:52Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true recursiveReadOnly: Disabled - containerID: containerd://a43e6eeadc56336091f22ab573a0e93dda2a2d82f6d26d707fb9f84309f08cc6 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter@sha256:5f051159c95fd13b0b518436cb20808862d2f7f95f45e036da4242f3416befe4 lastState: terminated: containerID: containerd://586011d9d37aef716957d9bb3ae9f392e4e5ffbefac32945c7e0d2520c39711d exitCode: 255 finishedAt: "2025-11-11T23:56:16Z" reason: Unknown startedAt: "2025-11-10T20:52:11Z" name: external-snapshotter ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:52Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true recursiveReadOnly: Disabled - containerID: containerd://6bc9a3374cc2c54d19492804160a97aeb1cbae2ad04d6849ed94dc6710c556a0 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar@sha256:f25af73ee708ff9c82595ae99493cdef9295bd96953366cddf36305f82555dac lastState: terminated: containerID: containerd://28b8697d30b7e802b735af9ed792489c575b4e1e09c133a8e09754c07a44f0f3 exitCode: 255 finishedAt: "2025-11-11T23:56:14Z" reason: Unknown startedAt: "2025-11-10T20:52:10Z" name: node-driver-registrar ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:52Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-82cjb readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.13 hostIPs: - ip: 192.168.50.13 - ip: 2404:4400:4181:9200:5054:ff:fe2a:4db1 phase: Running podIP: 10.1.1.209 podIPs: - ip: 10.1.1.209 qosClass: Burstable startTime: "2025-11-02T23:42:17Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-02T23:25:53Z" generateName: ck-storage-rawfile-csi-node- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node controller-revision-hash: 5df7f564fd pod-template-generation: "1" name: ck-storage-rawfile-csi-node-sthbh namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: ck-storage-rawfile-csi-node uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 resourceVersion: "2119710" uid: ba253f45-ad78-481f-8777-f22b7577acb5 spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node1 containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node1 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir - name: kube-api-access-qfdmv projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:30Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:25:53Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:30Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:30Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:25:53Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://7697f0796298e083d617fa6249e49c8eb51236bb6ec2eec1f450ebf4ee308936 image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://2eeb2c021a97284b92aafde0c5c0112712db4d5dee6fa9aa91eca060cc20e800 exitCode: 255 finishedAt: "2025-11-11T23:54:40Z" reason: Unknown startedAt: "2025-11-10T20:52:26Z" name: csi-driver ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true recursiveReadOnly: Disabled - containerID: containerd://f77bc021c6cc78280e3e876a92bd272b371efb9fd7204220ec7cec309ed06230 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner@sha256:7b9cdb5830d01bda96111b4f138dbddcc01eed2f95aa980a404c45a042d60a10 lastState: terminated: containerID: containerd://0ffbf5eee2f00da9324e04e4240b2188c2f0101a146073602f1a840bf8fafcbf exitCode: 255 finishedAt: "2025-11-11T23:54:40Z" reason: Unknown startedAt: "2025-11-10T20:52:27Z" name: external-provisioner ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true recursiveReadOnly: Disabled - containerID: containerd://995951fdd4e62fa447e95294a578b6569caf81ef062cf1aaf38dc28d31204412 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter@sha256:5f051159c95fd13b0b518436cb20808862d2f7f95f45e036da4242f3416befe4 lastState: terminated: containerID: containerd://e41f0ca9e78ed82fb937f6e66a96ba08942490e204e7bed1d4598265e4150aee exitCode: 255 finishedAt: "2025-11-11T23:54:42Z" reason: Unknown startedAt: "2025-11-10T20:52:28Z" name: external-snapshotter ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:29Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true recursiveReadOnly: Disabled - containerID: containerd://1de14485d5de30e8453800858bd6012aaeb4c04b17e2ac4623614016615f94e6 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar@sha256:f25af73ee708ff9c82595ae99493cdef9295bd96953366cddf36305f82555dac lastState: terminated: containerID: containerd://1e4f9ad75c3d75f8aba4a0e008f607ceeaa27acfd4dee2c133f0552b2df3ed56 exitCode: 255 finishedAt: "2025-11-11T23:54:40Z" reason: Unknown startedAt: "2025-11-10T20:52:27Z" name: node-driver-registrar ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qfdmv readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 phase: Running podIP: 10.1.0.137 podIPs: - ip: 10.1.0.137 qosClass: Burstable startTime: "2025-11-02T23:25:53Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-02T23:41:26Z" generateName: ck-storage-rawfile-csi-node- labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node controller-revision-hash: 5df7f564fd pod-template-generation: "1" name: ck-storage-rawfile-csi-node-vs45x namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: DaemonSet name: ck-storage-rawfile-csi-node uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 resourceVersion: "2119785" uid: def26a78-bfc9-4196-9d8c-5cb3bb0744bc spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchFields: - key: metadata.name operator: In values: - k8s-node2 containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node2 preemptionPolicy: PreemptLowerPriority priority: 2000001000 priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists - effect: NoSchedule key: node.kubernetes.io/disk-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/memory-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/pid-pressure operator: Exists - effect: NoSchedule key: node.kubernetes.io/unschedulable operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir - name: kube-api-access-4hzkm projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:44Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:41:26Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:44Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:44Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:41:26Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://65002b32f9e1397cb3054fdf9f4a7d3b96b1fc0bbb9d1e780983c3bfdcb1dc98 image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imageID: ghcr.io/canonical/rawfile-localpv@sha256:f31db8b52a8399a80e892dea4edeead75ac138c83ba733dfa05b265e7c9ab02f lastState: terminated: containerID: containerd://1b69db907ed37a0d8f147105f18cfdb4ee31797bce5c6efe7d097b35ae68f433 exitCode: 255 finishedAt: "2025-11-11T23:55:48Z" reason: Unknown startedAt: "2025-11-10T20:52:06Z" name: csi-driver ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:42Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet name: mountpoint-dir - mountPath: /data name: data-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true recursiveReadOnly: Disabled - containerID: containerd://257908701aaeecaceb187207eb0533cfd2e386f62bfdb27509dcfefb627455c4 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner@sha256:7b9cdb5830d01bda96111b4f138dbddcc01eed2f95aa980a404c45a042d60a10 lastState: terminated: containerID: containerd://dc6e331f167ed86022799006976ff2b5e52795e7faa35205bffcafb90c1d8c49 exitCode: 255 finishedAt: "2025-11-11T23:55:53Z" reason: Unknown startedAt: "2025-11-10T20:52:07Z" name: external-provisioner ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:43Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true recursiveReadOnly: Disabled - containerID: containerd://cdec1c79f57c8afae44628b7d572390dcac3bdde4e8138a5eb8e90592527a2da image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter@sha256:5f051159c95fd13b0b518436cb20808862d2f7f95f45e036da4242f3416befe4 lastState: terminated: containerID: containerd://a185be7c6156db8aaad69e06ae72e5ac065db53382fdb2b64581157ec993eb71 exitCode: 255 finishedAt: "2025-11-11T23:55:51Z" reason: Unknown startedAt: "2025-11-10T20:52:08Z" name: external-snapshotter ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:44Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true recursiveReadOnly: Disabled - containerID: containerd://23baa53a6de97dc5148518224f30a84403442f01d289a4a3bec2a1b746efc3e4 image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imageID: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar@sha256:f25af73ee708ff9c82595ae99493cdef9295bd96953366cddf36305f82555dac lastState: terminated: containerID: containerd://c08528ed8c29f3b9aaf2f8595c0c92046e3cca7c5eba3ac10043bc0214a16296 exitCode: 255 finishedAt: "2025-11-11T23:55:52Z" reason: Unknown startedAt: "2025-11-10T20:52:07Z" name: node-driver-registrar ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:43Z" volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-4hzkm readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.12 hostIPs: - ip: 192.168.50.12 - ip: 2404:4400:4181:9200:5054:ff:fe26:38b3 phase: Running podIP: 10.1.2.211 podIPs: - ip: 10.1.2.211 qosClass: Burstable startTime: "2025-11-02T23:41:26Z" - apiVersion: v1 kind: Pod metadata: annotations: checksum/config: fc4c9b56cf9b744229b59b8dd4ae4d31d7bb5b8a21d2589279812d3ddb6e384f scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' creationTimestamp: "2025-11-02T23:25:53Z" generateName: coredns-fc9c778db- labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns pod-template-hash: fc9c778db name: coredns-fc9c778db-h9jfc namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: coredns-fc9c778db uid: 257997c2-8382-443c-81ee-393aabecc552 resourceVersion: "2119886" uid: 483da0a2-e6fd-4073-bcec-90b0ae16b405 spec: containers: - args: - -conf - /etc/coredns/Corefile image: ghcr.io/canonical/coredns:1.12.0-ck1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 httpGet: path: /health port: 8080 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: coredns ports: - containerPort: 53 name: udp-53 protocol: UDP - containerPort: 53 name: tcp-53 protocol: TCP - containerPort: 9153 name: tcp-9153 protocol: TCP readinessProbe: failureThreshold: 1 httpGet: path: /ready port: 8181 scheme: HTTP initialDelaySeconds: 30 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: true capabilities: add: - NET_BIND_SERVICE readOnlyRootFilesystem: false terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/coredns name: config-volume - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-p9bd7 readOnly: true dnsPolicy: Default enableServiceLinks: true nodeName: k8s-node1 preemptionPolicy: PreemptLowerPriority priority: 0 restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: coredns serviceAccountName: coredns terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - configMap: defaultMode: 420 items: - key: Corefile path: Corefile name: ck-dns-coredns name: config-volume - name: kube-api-access-p9bd7 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:29Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:01Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:58:01Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://60d3e5bf55b2b24e7b4c3659181b31c7cb74f7b47d3fb5e94de93dceb4ee8446 image: ghcr.io/canonical/coredns:1.12.0-ck1 imageID: ghcr.io/canonical/coredns@sha256:2a580516c873cfbe2b32682ab3613adaf380769f9020d7e11e30055dba8a993a lastState: terminated: containerID: containerd://990c8eb9da243f60490603730964a6142d1f55b711016197a1618cb9c6c2753d exitCode: 255 finishedAt: "2025-11-11T23:54:42Z" reason: Unknown startedAt: "2025-11-10T20:52:27Z" name: coredns ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /etc/coredns name: config-volume - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-p9bd7 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 phase: Running podIP: 10.1.0.223 podIPs: - ip: 10.1.0.223 qosClass: Guaranteed startTime: "2025-11-02T23:26:40Z" - apiVersion: v1 kind: Pod metadata: creationTimestamp: "2025-11-02T23:25:53Z" generateName: metrics-server-8694c96fb7- labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server pod-template-hash: 8694c96fb7 name: metrics-server-8694c96fb7-rsdhj namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: ReplicaSet name: metrics-server-8694c96fb7 uid: d07039d9-15e5-41cf-af16-2d4e1122b29a resourceVersion: "2119808" uid: 99ddd704-8ce8-40d5-8b81-66bad99c391d spec: containers: - args: - --secure-port=10250 - --cert-dir=/tmp - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s image: ghcr.io/canonical/metrics-server:0.7.2-ck0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /livez port: https scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: metrics-server ports: - containerPort: 10250 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: https scheme: HTTPS initialDelaySeconds: 20 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 200Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5gnb6 readOnly: true dnsPolicy: ClusterFirst enableServiceLinks: true nodeName: k8s-node1 preemptionPolicy: PreemptLowerPriority priority: 2000000000 priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: metrics-server serviceAccountName: metrics-server terminationGracePeriodSeconds: 30 tolerations: - effect: NoExecute key: node.kubernetes.io/not-ready operator: Exists tolerationSeconds: 300 - effect: NoExecute key: node.kubernetes.io/unreachable operator: Exists tolerationSeconds: 300 volumes: - emptyDir: {} name: tmp - name: kube-api-access-5gnb6 projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 3607 path: token - configMap: items: - key: ca.crt path: ca.crt name: kube-root-ca.crt - downwardAPI: items: - fieldRef: apiVersion: v1 fieldPath: metadata.namespace path: namespace status: conditions: - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:29Z" status: "True" type: PodReadyToStartContainers - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: Initialized - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:50Z" status: "True" type: Ready - lastProbeTime: null lastTransitionTime: "2025-11-11T23:57:50Z" status: "True" type: ContainersReady - lastProbeTime: null lastTransitionTime: "2025-11-02T23:26:40Z" status: "True" type: PodScheduled containerStatuses: - containerID: containerd://5d9414633648316d9db5eb61ef868297098941eed4bc3b6d73e194297341e1fe image: ghcr.io/canonical/metrics-server:0.7.2-ck0 imageID: ghcr.io/canonical/metrics-server@sha256:2b94444cf67479f2fe77e353f64d04aab98a222c057cd40b2000aff9a2fb1682 lastState: terminated: containerID: containerd://31f1de01bb292bf14d6ba18405383c4271ef0ae60b4fa4df91e0eb8950c8d9ea exitCode: 255 finishedAt: "2025-11-11T23:54:41Z" reason: Unknown startedAt: "2025-11-10T20:52:26Z" name: metrics-server ready: true restartCount: 3 started: true state: running: startedAt: "2025-11-11T23:57:28Z" volumeMounts: - mountPath: /tmp name: tmp - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-5gnb6 readOnly: true recursiveReadOnly: Disabled hostIP: 192.168.50.11 hostIPs: - ip: 192.168.50.11 - ip: 2404:4400:4181:9200:5054:ff:fe3f:dcd9 phase: Running podIP: 10.1.0.74 podIPs: - ip: 10.1.0.74 qosClass: Burstable startTime: "2025-11-02T23:26:40Z" - apiVersion: v1 kind: Service metadata: creationTimestamp: "2025-11-10T05:51:26Z" labels: component: apiserver provider: kubernetes name: kubernetes namespace: default resourceVersion: "1720322" uid: 30330406-18a8-4dcb-9f40-cd5e6ab4aac1 spec: clusterIP: 10.152.183.1 clusterIPs: - 10.152.183.1 internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: https port: 443 protocol: TCP targetPort: 6443 sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: Service metadata: annotations: meta.helm.sh/release-name: ck-storage meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:49Z" labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: rawfile-csi app.kubernetes.io/version: 0.8.2 component: controller helm.sh/chart: rawfile-csi-0.9.1 name: ck-storage-rawfile-csi-controller namespace: kube-system resourceVersion: "309" uid: d9016323-802b-404c-94e3-01192745d966 spec: clusterIP: None clusterIPs: - None internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack selector: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: controller sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: Service metadata: annotations: meta.helm.sh/release-name: ck-storage meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:49Z" labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: rawfile-csi app.kubernetes.io/version: 0.8.2 component: node helm.sh/chart: rawfile-csi-0.9.1 name: ck-storage-rawfile-csi-node namespace: kube-system resourceVersion: "312" uid: 5e525e2d-7f3d-476a-9a37-45fec8af017e spec: clusterIP: 10.152.183.72 clusterIPs: - 10.152.183.72 internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: metrics port: 9100 protocol: TCP targetPort: metrics selector: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: Service metadata: annotations: meta.helm.sh/release-name: ck-dns meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:48Z" labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: coredns helm.sh/chart: coredns-1.39.2 k8s-app: coredns kubernetes.io/cluster-service: "true" kubernetes.io/name: CoreDNS name: coredns namespace: kube-system resourceVersion: "241" uid: 8c67b081-1fce-48a8-acdf-3036396877bd spec: clusterIP: 10.152.183.178 clusterIPs: - 10.152.183.178 internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: udp-53 port: 53 protocol: UDP targetPort: 53 - name: tcp-53 port: 53 protocol: TCP targetPort: 53 selector: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: Service metadata: annotations: meta.helm.sh/release-name: ck-network meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:54Z" labels: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: hubble-peer app.kubernetes.io/part-of: cilium k8s-app: cilium name: hubble-peer namespace: kube-system resourceVersion: "431" uid: b65f55a0-2b4e-45f5-9859-8fc96b0388f2 spec: clusterIP: 10.152.183.76 clusterIPs: - 10.152.183.76 internalTrafficPolicy: Local ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: peer-service port: 443 protocol: TCP targetPort: 4244 selector: k8s-app: cilium sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: v1 kind: Service metadata: annotations: meta.helm.sh/release-name: metrics-server meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:48Z" labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: metrics-server app.kubernetes.io/version: 0.7.2 helm.sh/chart: metrics-server-3.12.2 name: metrics-server namespace: kube-system resourceVersion: "272" uid: 0ae8c5d5-90ea-49f6-8241-6d8b7a867696 spec: clusterIP: 10.152.183.69 clusterIPs: - 10.152.183.69 internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - appProtocol: https name: https port: 443 protocol: TCP targetPort: https selector: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server sessionAffinity: None type: ClusterIP status: loadBalancer: {} - apiVersion: apps/v1 kind: DaemonSet metadata: annotations: deprecated.daemonset.template.generation: "2" meta.helm.sh/release-name: ck-network meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:54Z" generation: 2 labels: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium name: cilium namespace: kube-system resourceVersion: "2119829" uid: 0f5033cb-a382-446b-8b7d-ead01e3cdc64 spec: revisionHistoryLimit: 10 selector: matchLabels: k8s-app: cilium template: metadata: annotations: kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" creationTimestamp: null labels: app.kubernetes.io/name: cilium-agent app.kubernetes.io/part-of: cilium k8s-app: cilium spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: k8s-app: cilium topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map command: - cilium-agent env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: GOMEMLIMIT valueFrom: resourceFieldRef: divisor: "1" resource: limits.memory - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent lifecycle: postStart: exec: command: - bash - -c - | set -o errexit set -o pipefail set -o nounset # When running in AWS ENI mode, it's likely that 'aws-node' has # had a chance to install SNAT iptables rules. These can result # in dropped traffic, so we should attempt to remove them. # We do it using a 'postStart' hook since this may need to run # for nodes which might have already been init'ed but may still # have dangling rules. This is safe because there are no # dependencies on anything that is part of the startup script # itself, and can be safely run multiple times per node (e.g. in # case of a restart). if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; then echo 'Deleting iptables rules created by the AWS CNI VPC plugin' iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore fi echo 'Done!' preStop: exec: command: - /cni-uninstall.sh livenessProbe: failureThreshold: 10 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 name: cilium-agent readinessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 resources: {} securityContext: capabilities: add: - CHOWN - KILL - NET_ADMIN - NET_RAW - IPC_LOCK - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE - DAC_OVERRIDE - FOWNER - SETGID - SETUID drop: - ALL seLinuxOptions: level: s0 type: spc_t startupProbe: failureThreshold: 105 httpGet: host: 127.0.0.1 httpHeaders: - name: brief value: "true" path: /healthz port: 9879 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 2 successThreshold: 1 timeoutSeconds: 1 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/proc/sys/net name: host-proc-sys-net - mountPath: /host/proc/sys/kernel name: host-proc-sys-kernel - mountPath: /sys/fs/bpf mountPropagation: HostToContainer name: bpf-maps - mountPath: /var/run/cilium name: cilium-run - mountPath: /var/run/cilium/netns mountPropagation: HostToContainer name: cilium-netns - mountPath: /host/etc/cni/net.d name: etc-cni-netd - mountPath: /var/lib/cilium/clustermesh name: clustermesh-secrets readOnly: true - mountPath: /lib/modules name: lib-modules readOnly: true - mountPath: /run/xtables.lock name: xtables-lock - mountPath: /var/lib/cilium/tls/hubble name: hubble-tls readOnly: true - mountPath: /tmp name: tmp dnsPolicy: ClusterFirst hostNetwork: true initContainers: - command: - cilium-dbg - build-config env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: config resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp name: tmp - command: - sh - -ec - | cp /usr/bin/cilium-mount /hostbin/cilium-mount; nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; rm /hostbin/cilium-mount env: - name: CGROUP_ROOT value: /run/cilium/cgroupv2 - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-cgroup resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - command: - sh - -ec - | cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; rm /hostbin/cilium-sysctlfix env: - name: BIN_PATH value: /opt/cni/bin image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: apply-sysctl-overwrites resources: {} securityContext: capabilities: add: - SYS_ADMIN - SYS_CHROOT - SYS_PTRACE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /hostproc name: hostproc - mountPath: /hostbin name: cni-path - args: - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf command: - /bin/bash - -c - -- image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: mount-bpf-fs resources: {} securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf mountPropagation: Bidirectional name: bpf-maps - command: - /init-container.sh env: - name: CILIUM_ALL_STATE valueFrom: configMapKeyRef: key: clean-cilium-state name: cilium-config optional: true - name: CILIUM_BPF_STATE valueFrom: configMapKeyRef: key: clean-cilium-bpf-state name: cilium-config optional: true - name: WRITE_CNI_CONF_WHEN_READY valueFrom: configMapKeyRef: key: write-cni-conf-when-ready name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: clean-cilium-state resources: {} securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - SYS_ADMIN - SYS_RESOURCE drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /sys/fs/bpf name: bpf-maps - mountPath: /run/cilium/cgroupv2 mountPropagation: HostToContainer name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - command: - /install-plugin.sh image: ghcr.io/canonical/cilium:1.17.1-ck2 imagePullPolicy: IfNotPresent name: install-cni-binaries resources: requests: cpu: 100m memory: 10Mi securityContext: capabilities: drop: - ALL seLinuxOptions: level: s0 type: spc_t terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /host/opt/cni/bin name: cni-path nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: appArmorProfile: type: Unconfined serviceAccount: cilium serviceAccountName: cilium terminationGracePeriodSeconds: 1 tolerations: - operator: Exists volumes: - emptyDir: {} name: tmp - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run - hostPath: path: /var/run/netns type: DirectoryOrCreate name: cilium-netns - hostPath: path: /sys/fs/bpf type: DirectoryOrCreate name: bpf-maps - hostPath: path: /proc type: Directory name: hostproc - hostPath: path: /run/cilium/cgroupv2 type: DirectoryOrCreate name: cilium-cgroup - hostPath: path: /opt/cni/bin type: DirectoryOrCreate name: cni-path - hostPath: path: /etc/cni/net.d type: DirectoryOrCreate name: etc-cni-netd - hostPath: path: /lib/modules type: "" name: lib-modules - hostPath: path: /run/xtables.lock type: FileOrCreate name: xtables-lock - name: clustermesh-secrets projected: defaultMode: 256 sources: - secret: name: cilium-clustermesh optional: true - secret: items: - key: tls.key path: common-etcd-client.key - key: tls.crt path: common-etcd-client.crt - key: ca.crt path: common-etcd-client-ca.crt name: clustermesh-apiserver-remote-cert optional: true - secret: items: - key: tls.key path: local-etcd-client.key - key: tls.crt path: local-etcd-client.crt - key: ca.crt path: local-etcd-client-ca.crt name: clustermesh-apiserver-local-cert optional: true - hostPath: path: /proc/sys/net type: Directory name: host-proc-sys-net - hostPath: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel - name: hubble-tls projected: defaultMode: 256 sources: - secret: items: - key: tls.crt path: server.crt - key: tls.key path: server.key - key: ca.crt path: client-ca.crt name: hubble-server-certs optional: true updateStrategy: rollingUpdate: maxSurge: 0 maxUnavailable: 2 type: RollingUpdate status: currentNumberScheduled: 5 desiredNumberScheduled: 5 numberAvailable: 5 numberMisscheduled: 0 numberReady: 5 observedGeneration: 2 updatedNumberScheduled: 5 - apiVersion: apps/v1 kind: DaemonSet metadata: annotations: deprecated.daemonset.template.generation: "1" meta.helm.sh/release-name: ck-storage meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:49Z" generation: 1 labels: app.kubernetes.io/managed-by: Helm name: ck-storage-rawfile-csi-node namespace: kube-system resourceVersion: "2119939" uid: 4c2066cc-c4f6-46de-add3-6bb4e3184995 spec: revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node template: metadata: creationTimestamp: null labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: node spec: containers: - env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv - name: NODE_ID valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9100 name: metrics protocol: TCP - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi securityContext: privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: mountpoint-dir - mountPath: /data name: data-dir - args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - --health-port=9809 env: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH value: /var/lib/kubelet/plugins/rawfile-csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-node-driver-registrar:v2.10.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: healthz scheme: HTTP initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: node-driver-registrar ports: - containerPort: 9809 name: healthz protocol: TCP resources: limits: cpu: 500m memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - mountPath: /registration name: registration-dir - args: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --strict-topology - --immediate-topology=false - --timeout=120s - --enable-capacity=true - --capacity-ownerref-level=1 - --node-deployment=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name image: ghcr.io/canonical/k8s-snap/sig-storage/csi-provisioner:v5.0.2 imagePullPolicy: IfNotPresent name: external-provisioner resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - args: - --csi-address=$(ADDRESS) - --node-deployment=true - --extra-create-metadata=true env: - name: ADDRESS value: /csi/csi.sock - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName image: ghcr.io/canonical/k8s-snap/sig-storage/csi-snapshotter:v8.0.2 imagePullPolicy: IfNotPresent name: external-snapshotter resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir dnsPolicy: ClusterFirst priorityClassName: system-node-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins_registry type: Directory name: registration-dir - hostPath: path: /var/lib/kubelet/plugins/rawfile-csi type: DirectoryOrCreate name: socket-dir - hostPath: path: /var/lib/kubelet type: DirectoryOrCreate name: mountpoint-dir - hostPath: path: /var/snap/k8s/common/rawfile-storage type: DirectoryOrCreate name: data-dir updateStrategy: rollingUpdate: maxSurge: 0 maxUnavailable: 100% type: RollingUpdate status: currentNumberScheduled: 5 desiredNumberScheduled: 5 numberAvailable: 5 numberMisscheduled: 0 numberReady: 5 observedGeneration: 1 updatedNumberScheduled: 5 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "2" meta.helm.sh/release-name: ck-network meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:54Z" generation: 2 labels: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator name: cilium-operator namespace: kube-system resourceVersion: "2119152" uid: efe28031-7016-437c-896d-7c183a96b85b spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: io.cilium/app: operator name: cilium-operator strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 100% type: RollingUpdate template: metadata: annotations: kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" prometheus.io/port: "9963" prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: io.cilium/app: operator topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) command: - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: key: debug name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium-operator-generic:1.17.1-ck2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 3 name: cilium-operator ports: - containerPort: 9963 hostPort: 9963 name: prometheus protocol: TCP readinessProbe: failureThreshold: 5 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true dnsPolicy: ClusterFirst hostNetwork: true nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: cilium-operator serviceAccountName: cilium-operator terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - configMap: defaultMode: 420 name: cilium-config name: cilium-config-path status: availableReplicas: 1 conditions: - lastTransitionTime: "2025-11-02T23:25:55Z" lastUpdateTime: "2025-11-02T23:25:55Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2025-11-02T23:25:54Z" lastUpdateTime: "2025-11-02T23:26:14Z" message: ReplicaSet "cilium-operator-678d7868c8" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 2 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: ck-dns meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:48Z" generation: 1 labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: coredns app.kubernetes.io/version: 1.12.0-ck1 helm.sh/chart: coredns-1.39.2 k8s-app: coredns kubernetes.io/cluster-service: "true" kubernetes.io/name: CoreDNS name: coredns namespace: kube-system resourceVersion: "2119890" uid: 38a62248-26ac-48f7-8c4d-adb99f162968 spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 1 type: RollingUpdate template: metadata: annotations: checksum/config: fc4c9b56cf9b744229b59b8dd4ae4d31d7bb5b8a21d2589279812d3ddb6e384f scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' creationTimestamp: null labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns spec: containers: - args: - -conf - /etc/coredns/Corefile image: ghcr.io/canonical/coredns:1.12.0-ck1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 httpGet: path: /health port: 8080 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: coredns ports: - containerPort: 53 name: udp-53 protocol: UDP - containerPort: 53 name: tcp-53 protocol: TCP - containerPort: 9153 name: tcp-9153 protocol: TCP readinessProbe: failureThreshold: 1 httpGet: path: /ready port: 8181 scheme: HTTP initialDelaySeconds: 30 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: true capabilities: add: - NET_BIND_SERVICE readOnlyRootFilesystem: false terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/coredns name: config-volume dnsPolicy: Default restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: coredns serviceAccountName: coredns terminationGracePeriodSeconds: 30 volumes: - configMap: defaultMode: 420 items: - key: Corefile path: Corefile name: ck-dns-coredns name: config-volume status: availableReplicas: 1 conditions: - lastTransitionTime: "2025-11-02T23:25:53Z" lastUpdateTime: "2025-11-02T23:25:53Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available - lastTransitionTime: "2025-11-02T23:25:53Z" lastUpdateTime: "2025-11-02T23:27:25Z" message: ReplicaSet "coredns-fc9c778db" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: metrics-server meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:49Z" generation: 1 labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: metrics-server app.kubernetes.io/version: 0.7.2 helm.sh/chart: metrics-server-3.12.2 name: metrics-server namespace: kube-system resourceVersion: "2119812" uid: 8bc2f677-b2a7-4729-85d1-0a8926b847a6 spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 25% type: RollingUpdate template: metadata: creationTimestamp: null labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server spec: containers: - args: - --secure-port=10250 - --cert-dir=/tmp - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s image: ghcr.io/canonical/metrics-server:0.7.2-ck0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /livez port: https scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: metrics-server ports: - containerPort: 10250 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: https scheme: HTTPS initialDelaySeconds: 20 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 200Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /tmp name: tmp dnsPolicy: ClusterFirst priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: metrics-server serviceAccountName: metrics-server terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: tmp status: availableReplicas: 1 conditions: - lastTransitionTime: "2025-11-02T23:25:53Z" lastUpdateTime: "2025-11-02T23:27:15Z" message: ReplicaSet "metrics-server-8694c96fb7" has successfully progressed. reason: NewReplicaSetAvailable status: "True" type: Progressing - lastTransitionTime: "2025-11-11T23:57:50Z" lastUpdateTime: "2025-11-11T23:57:50Z" message: Deployment has minimum availability. reason: MinimumReplicasAvailable status: "True" type: Available observedGeneration: 1 readyReplicas: 1 replicas: 1 updatedReplicas: 1 - apiVersion: apps/v1 kind: ReplicaSet metadata: annotations: deployment.kubernetes.io/desired-replicas: "1" deployment.kubernetes.io/max-replicas: "2" deployment.kubernetes.io/revision: "2" meta.helm.sh/release-name: ck-network meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:26:02Z" generation: 1 labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator pod-template-hash: 678d7868c8 name: cilium-operator-678d7868c8 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: Deployment name: cilium-operator uid: efe28031-7016-437c-896d-7c183a96b85b resourceVersion: "2119151" uid: 54d5cbf9-63e4-45f6-a6be-22fcac89aae5 spec: replicas: 1 selector: matchLabels: io.cilium/app: operator name: cilium-operator pod-template-hash: 678d7868c8 template: metadata: annotations: kubectl.kubernetes.io/restartedAt: "2025-11-02T23:26:02Z" prometheus.io/port: "9963" prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator pod-template-hash: 678d7868c8 spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: io.cilium/app: operator topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) command: - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: key: debug name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium-operator-generic:1.17.1-ck2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 3 name: cilium-operator ports: - containerPort: 9963 hostPort: 9963 name: prometheus protocol: TCP readinessProbe: failureThreshold: 5 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true dnsPolicy: ClusterFirst hostNetwork: true nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: cilium-operator serviceAccountName: cilium-operator terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - configMap: defaultMode: 420 name: cilium-config name: cilium-config-path status: availableReplicas: 1 fullyLabeledReplicas: 1 observedGeneration: 1 readyReplicas: 1 replicas: 1 - apiVersion: apps/v1 kind: ReplicaSet metadata: annotations: deployment.kubernetes.io/desired-replicas: "1" deployment.kubernetes.io/max-replicas: "2" deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: ck-network meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:54Z" generation: 2 labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator pod-template-hash: c9487b6f6 name: cilium-operator-c9487b6f6 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: Deployment name: cilium-operator uid: efe28031-7016-437c-896d-7c183a96b85b resourceVersion: "517" uid: 366e504f-4280-4870-a59a-2268b2f0617e spec: replicas: 0 selector: matchLabels: io.cilium/app: operator name: cilium-operator pod-template-hash: c9487b6f6 template: metadata: annotations: prometheus.io/port: "9963" prometheus.io/scrape: "true" creationTimestamp: null labels: app.kubernetes.io/name: cilium-operator app.kubernetes.io/part-of: cilium io.cilium/app: operator name: cilium-operator pod-template-hash: c9487b6f6 spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchLabels: io.cilium/app: operator topologyKey: kubernetes.io/hostname automountServiceAccountToken: true containers: - args: - --config-dir=/tmp/cilium/config-map - --debug=$(CILIUM_DEBUG) command: - cilium-operator-generic env: - name: K8S_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: CILIUM_K8S_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: key: debug name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST value: 127.0.0.1 - name: KUBERNETES_SERVICE_PORT value: "6443" image: ghcr.io/canonical/cilium-operator-generic:1.17.1-ck2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 3 name: cilium-operator ports: - containerPort: 9963 hostPort: 9963 name: prometheus protocol: TCP readinessProbe: failureThreshold: 5 httpGet: host: 127.0.0.1 path: /healthz port: 9234 scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /tmp/cilium/config-map name: cilium-config-path readOnly: true dnsPolicy: ClusterFirst hostNetwork: true nodeSelector: kubernetes.io/os: linux priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: cilium-operator serviceAccountName: cilium-operator terminationGracePeriodSeconds: 30 tolerations: - operator: Exists volumes: - configMap: defaultMode: 420 name: cilium-config name: cilium-config-path status: observedGeneration: 2 replicas: 0 - apiVersion: apps/v1 kind: ReplicaSet metadata: annotations: deployment.kubernetes.io/desired-replicas: "1" deployment.kubernetes.io/max-replicas: "2" deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: ck-dns meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:53Z" generation: 1 labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns pod-template-hash: fc9c778db name: coredns-fc9c778db namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: Deployment name: coredns uid: 38a62248-26ac-48f7-8c4d-adb99f162968 resourceVersion: "2119889" uid: 257997c2-8382-443c-81ee-393aabecc552 spec: replicas: 1 selector: matchLabels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns pod-template-hash: fc9c778db template: metadata: annotations: checksum/config: fc4c9b56cf9b744229b59b8dd4ae4d31d7bb5b8a21d2589279812d3ddb6e384f scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' creationTimestamp: null labels: app.kubernetes.io/instance: ck-dns app.kubernetes.io/name: coredns k8s-app: coredns pod-template-hash: fc9c778db spec: containers: - args: - -conf - /etc/coredns/Corefile image: ghcr.io/canonical/coredns:1.12.0-ck1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 5 httpGet: path: /health port: 8080 scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: coredns ports: - containerPort: 53 name: udp-53 protocol: UDP - containerPort: 53 name: tcp-53 protocol: TCP - containerPort: 9153 name: tcp-9153 protocol: TCP readinessProbe: failureThreshold: 1 httpGet: path: /ready port: 8181 scheme: HTTP initialDelaySeconds: 30 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 100m memory: 128Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: true capabilities: add: - NET_BIND_SERVICE readOnlyRootFilesystem: false terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/coredns name: config-volume dnsPolicy: Default restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: coredns serviceAccountName: coredns terminationGracePeriodSeconds: 30 volumes: - configMap: defaultMode: 420 items: - key: Corefile path: Corefile name: ck-dns-coredns name: config-volume status: availableReplicas: 1 fullyLabeledReplicas: 1 observedGeneration: 1 readyReplicas: 1 replicas: 1 - apiVersion: apps/v1 kind: ReplicaSet metadata: annotations: deployment.kubernetes.io/desired-replicas: "1" deployment.kubernetes.io/max-replicas: "2" deployment.kubernetes.io/revision: "1" meta.helm.sh/release-name: metrics-server meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:53Z" generation: 1 labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server pod-template-hash: 8694c96fb7 name: metrics-server-8694c96fb7 namespace: kube-system ownerReferences: - apiVersion: apps/v1 blockOwnerDeletion: true controller: true kind: Deployment name: metrics-server uid: 8bc2f677-b2a7-4729-85d1-0a8926b847a6 resourceVersion: "2119810" uid: d07039d9-15e5-41cf-af16-2d4e1122b29a spec: replicas: 1 selector: matchLabels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server pod-template-hash: 8694c96fb7 template: metadata: creationTimestamp: null labels: app.kubernetes.io/instance: metrics-server app.kubernetes.io/name: metrics-server pod-template-hash: 8694c96fb7 spec: containers: - args: - --secure-port=10250 - --cert-dir=/tmp - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --kubelet-use-node-status-port - --metric-resolution=15s image: ghcr.io/canonical/metrics-server:0.7.2-ck0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /livez port: https scheme: HTTPS periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: metrics-server ports: - containerPort: 10250 name: https protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /readyz port: https scheme: HTTPS initialDelaySeconds: 20 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 resources: requests: cpu: 100m memory: 200Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /tmp name: tmp dnsPolicy: ClusterFirst priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: metrics-server serviceAccountName: metrics-server terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: tmp status: availableReplicas: 1 fullyLabeledReplicas: 1 observedGeneration: 1 readyReplicas: 1 replicas: 1 - apiVersion: apps/v1 kind: StatefulSet metadata: annotations: meta.helm.sh/release-name: ck-storage meta.helm.sh/release-namespace: kube-system creationTimestamp: "2025-11-02T23:25:50Z" generation: 1 labels: app.kubernetes.io/managed-by: Helm name: ck-storage-rawfile-csi-controller namespace: kube-system resourceVersion: "2119701" uid: 80bd7171-7f66-4fac-b489-836a98e06d72 spec: persistentVolumeClaimRetentionPolicy: whenDeleted: Retain whenScaled: Retain podManagementPolicy: OrderedReady replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: controller serviceName: ck-storage-rawfile-csi template: metadata: creationTimestamp: null labels: app.kubernetes.io/instance: ck-storage app.kubernetes.io/name: rawfile-csi component: controller spec: containers: - args: - --args - rawfile - csi-driver - --disable-metrics env: - name: PROVISIONER_NAME value: rawfile.csi.openebs.io - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: IMAGE_REPOSITORY value: ghcr.io/canonical/rawfile-localpv image: ghcr.io/canonical/rawfile-localpv:0.8.2-ck1 imagePullPolicy: IfNotPresent name: csi-driver ports: - containerPort: 9808 name: csi-probe protocol: TCP resources: limits: cpu: "1" memory: 100Mi requests: cpu: 10m memory: 100Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir - args: - --csi-address=$(ADDRESS) - --handle-volume-inuse-error=false env: - name: ADDRESS value: /csi/csi.sock image: ghcr.io/canonical/k8s-snap/sig-storage/csi-resizer:v1.11.2 imagePullPolicy: IfNotPresent name: external-resizer resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /csi name: socket-dir dnsPolicy: ClusterFirst priorityClassName: system-cluster-critical restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: ck-storage-rawfile-csi-driver serviceAccountName: ck-storage-rawfile-csi-driver terminationGracePeriodSeconds: 30 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master operator: Equal value: "true" - effect: NoSchedule key: node-role.kubernetes.io/control-plane operator: Equal value: "true" volumes: - emptyDir: {} name: socket-dir updateStrategy: rollingUpdate: partition: 0 type: RollingUpdate status: availableReplicas: 1 collisionCount: 0 currentReplicas: 1 currentRevision: ck-storage-rawfile-csi-controller-6ddc646dbb observedGeneration: 1 readyReplicas: 1 replicas: 1 updateRevision: ck-storage-rawfile-csi-controller-6ddc646dbb updatedReplicas: 1 kind: List metadata: resourceVersion: ""