cilium:
  enabled: true
  clustermesh:
    enabled: false
    clusterId: 2
    # NodePort until L2LB is available (kubeproxyless)
    apiserverServiceType: NodePort
  # TODO: WireGuard blocks all traffic on ekman -- disable until root cause is found.
  encryption:
    enabled: false
  envoy:
    enabled: true
  # kube-proxy stays running during migration; disable replacement until done.
  # TODO: set to true after migration
  kubeProxyReplacement: true
  # Direct apiserver connection -- do not rely on the kubernetes service IP
  # during migration since we are touching the CNI layer.
  # TODO: remove k8sServiceHost / k8sServicePort (or keep pointing at apiserver localhost)
  k8sServiceHost: 10.255.241.99
  k8sServicePort: 6443
  policyAuditMode: true
  upgradeCompatability: 1.18