cilium:
  enabled: true
  # WireGuard cannot be used during migration -- Flannel nodes have no WireGuard
  # keys so encrypted traffic is unreadable by them.
  # TODO: re-enable after migration
  encryption:
    enabled: false
  envoy:
    enabled: true
  # kube-proxy stays running during migration; disable replacement until done.
  # TODO: set to true after migration
  kubeProxyReplacement: false
  # Direct apiserver connection -- do not rely on the kubernetes service IP
  # during migration since we are touching the CNI layer.
  # TODO: remove k8sServiceHost / k8sServicePort (or keep pointing at apiserver localhost)
  k8sServiceHost: 10.255.241.99
  k8sServicePort: 6443
  policyAuditMode: true
  upgradeCompatability: 1.18