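---
# Optional phase 2: kube-proxy replacement via Cilium + KubePrism.
# KubePrism is Talos's node-local API server proxy: it listens on
# localhost:7445 and forwards to the control-plane API servers on :6443.
#
# Prerequisites:
#   1. Phase 1 Cilium installed and healthy; nodes Ready.
#   2. Add to Talos machine config on ALL nodes:
#        cluster:
#          proxy:
#            disabled: true
#      (keep cluster.network.cni.name: none). Regenerate, apply-config,
#      reboot as needed.
#   3. Remove legacy kube-proxy objects if still present:
#        kubectl delete ds -n kube-system kube-proxy --ignore-not-found
#        kubectl delete cm -n kube-system kube-proxy --ignore-not-found
#   4. helm upgrade cilium ... -f values-kpr.yaml
#
# NOTE(review): k8sServiceHost/k8sServicePort below only work if KubePrism
# is enabled on every node (machine.features.kubePrism in the Talos machine
# config; believed to be on by default in recent Talos releases - confirm
# for the version in use before disabling kube-proxy).
# NOTE(review): Service traffic is presumably unserved between removing
# kube-proxy (steps 2-3) and the upgrade in step 4 finishing - plan the
# change window accordingly.
#
# Ref: https://www.talos.dev/latest/kubernetes-guides/network/deploying-cilium/

ipam:
  mode: kubernetes

# Cilium takes over Service handling from kube-proxy.
kubeProxyReplacement: "true"

# Reach the API server through KubePrism on the node itself instead of the
# in-cluster Service IP, which is not usable until Cilium is programming
# Services.
k8sServiceHost: localhost
k8sServicePort: "7445"

# Explicit capability lists rather than a fully privileged container.
# This is the set given in the Talos guide referenced above; SYS_MODULE is
# intentionally absent because Talos does not let workloads load kernel
# modules. Review any addition to these lists as a privilege change:
# SYS_ADMIN and NET_ADMIN already give the agent broad control of the host.
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE

# Use the cgroup v2 hierarchy the host already provides at hostRoot instead
# of letting Cilium mount its own.
cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup

# eBPF-based masquerading stays disabled in this phase.
bpf:
  masquerade: false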