diff --git a/bastion/src/modules/modules/k3s/src/operations/cilium.ts b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
index 621c146..6c319cb 100644
--- a/bastion/src/modules/modules/k3s/src/operations/cilium.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/cilium.ts
@@ -35,21 +35,15 @@ export const installCilium: Operation = async (ctx): Promise =>
 }
 details.push(`Installed cilium CLI ${version} (${cliArch})`);
- // Detect default network device (avoid tailscale/wireguard)
- const devResult = await ctx.ssh.exec(
- "ip -4 route show default | awk '{print $5}' | head -1",
- sshOpts(ctx),
- );
- const defaultDev = devResult.stdout.trim();
- details.push(`Network device: ${defaultDev}`);
- // Install Cilium
+ // - No hardcoded devices: Cilium auto-detects per node (heterogeneous NICs like eno1 vs enP7s7)
+ // - k8sServiceHost/Port: k3s agents proxy the API on 127.0.0.1:6444 (not 6443)
 const installResult = await ctx.ssh.exec(
 `KUBECONFIG=/etc/rancher/k3s/k3s.yaml cilium install \
 --set kubeProxyReplacement=true \
 --set ipam.mode=kubernetes \
- --set devices="${defaultDev}" \
- --set nodePort.directRoutingDevice="${defaultDev}"`,
+ --set k8sServiceHost=127.0.0.1 \
+ --set k8sServicePort=6444`,
 { timeoutMs: 300_000 },
 );
 if (installResult.exitCode !== 0) {
diff --git a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
index 542dd7e..0c749a6 100644
--- a/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
+++ b/bastion/src/modules/modules/k3s/src/operations/k3s-config.ts
@@ -42,6 +42,8 @@ ${tlsSans.map((s) => ` - "${s}"`).join("\n")}
 function generateAgentConfig(): string {
 return `protect-kernel-defaults: true
+node-label:
+ - "node-role.kubernetes.io/worker=true"
 kubelet-arg:
 - "protect-kernel-defaults=true"
 - "streaming-connection-idle-timeout=5m"
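Review bot: Dropping `--set devices` also drops the intent recorded in the removed comment (`avoid tailscale/wireguard`), and nothing in the new `cilium install` command replaces it: with `kubeProxyReplacement=true` and no device list, Cilium's auto-detection decides which interfaces receive NodePort and host datapath programs, and an overlay interface carrying a routable address may be selected, which would expose NodePort services on the tailnet. If the motivation is only heterogeneous NIC names, the `devices` value accepts `+` wildcards, so `--set devices='{eno+,enP+}' \` keeps an explicit allow-list without hardcoding a single name; if auto-detection is genuinely wanted, record the trade-off next to the new comment lines, e.g. `// NOTE: no devices= filter — confirm with 'cilium status --verbose' that tailscale/wireguard interfaces are not selected`. Separately, the removed exec passed `sshOpts(ctx)` while the surviving install exec passes only `{ timeoutMs: 300_000 }`; if sshOpts carries host-key or auth settings, that call is now the only exec in this hunk running without them. installCilium starts and ends outside the hunk.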
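Review bot: The added `node-role.kubernetes.io/worker=true` entry under `node-label:` asks the agent to assign itself a role label, but upstream kubelet validation rejects `--node-labels` keys in the `kubernetes.io` namespace outside the `kubelet.kubernetes.io` / `node.kubernetes.io` prefixes, and k3s is believed to pass `node-label` straight through to the kubelet — so this may prevent a fresh agent from registering rather than label it; please confirm an agent actually comes up with this config. That restriction is deliberate: role labels are meant to be granted by the control plane, not claimed by a node, so even if k3s accepts it the trust direction is wrong. If the label is only cosmetic (for `kubectl get nodes`), apply it server-side after registration with `kubectl label node <name> node-role.kubernetes.io/worker=true`; if anything schedules or authorizes on it, use a project-owned key outside `kubernetes.io` instead. generateAgentConfig's template literal continues past the end of the hunk.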