@ -1,10 +1,10 @@
|
|
|
|
|
---
|
|
|
|
|
# Calico Version v3.26.4
|
|
|
|
|
# Calico Version v3.28.0
|
|
|
|
|
# Based off:
|
|
|
|
|
# https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/calico.yaml
|
|
|
|
|
# https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml
|
|
|
|
|
#
|
|
|
|
|
# This file is licensed under Apache 2.0. You can obtain a copy of the license at:
|
|
|
|
|
# https://github.com/projectcalico/calico/blob/v3.26.4/calico/LICENSE
|
|
|
|
|
# https://github.com/projectcalico/calico/blob/v3.28.0/calico/LICENSE
|
|
|
|
|
#
|
|
|
|
|
# The following modifications have been made:
|
|
|
|
|
#
|
|
|
|
@ -35,7 +35,7 @@
|
|
|
|
|
# health and status
|
|
|
|
|
#
|
|
|
|
|
# curl -o calicoctl -L https://github.com/projectcalico/calico/releases/download/
|
|
|
|
|
# v3.25.0/calicoctl-linux-amd64
|
|
|
|
|
# v3.28.0/calicoctl-linux-amd64
|
|
|
|
|
# chmod +x calicoctl
|
|
|
|
|
# sudo mv calicoctl /usr/local/bin
|
|
|
|
|
# export DATASTORE_TYPE=kubernetes
|
|
|
|
@ -369,12 +369,14 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
cidr:
|
|
|
|
|
type: string
|
|
|
|
|
interface:
|
|
|
|
|
type: string
|
|
|
|
|
matchOperator:
|
|
|
|
|
type: string
|
|
|
|
|
source:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- action
|
|
|
|
|
- cidr
|
|
|
|
|
- matchOperator
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
exportV6:
|
|
|
|
@ -388,12 +390,14 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
cidr:
|
|
|
|
|
type: string
|
|
|
|
|
interface:
|
|
|
|
|
type: string
|
|
|
|
|
matchOperator:
|
|
|
|
|
type: string
|
|
|
|
|
source:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- action
|
|
|
|
|
- cidr
|
|
|
|
|
- matchOperator
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
importV4:
|
|
|
|
@ -407,12 +411,14 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
cidr:
|
|
|
|
|
type: string
|
|
|
|
|
interface:
|
|
|
|
|
type: string
|
|
|
|
|
matchOperator:
|
|
|
|
|
type: string
|
|
|
|
|
source:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- action
|
|
|
|
|
- cidr
|
|
|
|
|
- matchOperator
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
importV6:
|
|
|
|
@ -426,12 +432,14 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
cidr:
|
|
|
|
|
type: string
|
|
|
|
|
interface:
|
|
|
|
|
type: string
|
|
|
|
|
matchOperator:
|
|
|
|
|
type: string
|
|
|
|
|
source:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- action
|
|
|
|
|
- cidr
|
|
|
|
|
- matchOperator
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
type: object
|
|
|
|
@ -511,7 +519,7 @@ spec:
|
|
|
|
|
numAllowedLocalASNumbers:
|
|
|
|
|
description: Maximum number of local AS numbers that are allowed in
|
|
|
|
|
the AS path for received routes. This removes BGP loop prevention
|
|
|
|
|
and should only be used if absolutely necesssary.
|
|
|
|
|
and should only be used if absolutely necessary.
|
|
|
|
|
format: int32
|
|
|
|
|
type: integer
|
|
|
|
|
password:
|
|
|
|
@ -1026,12 +1034,32 @@ spec:
|
|
|
|
|
- Enable
|
|
|
|
|
- Disable
|
|
|
|
|
type: string
|
|
|
|
|
bpfCTLBLogFilter:
|
|
|
|
|
description: 'BPFCTLBLogFilter specifies, what is logged by connect
|
|
|
|
|
time load balancer when BPFLogLevel is debug. Currently has to be
|
|
|
|
|
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
|
|
|
|
|
[Default: unset - means logs are emitted when BPFLogLevel id debug
|
|
|
|
|
and BPFLogFilters not set.]'
|
|
|
|
|
type: string
|
|
|
|
|
bpfConnectTimeLoadBalancing:
|
|
|
|
|
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
|
|
|
|
|
whether Felix installs the connect-time load balancer. The connect-time
|
|
|
|
|
load balancer is required for the host to be able to reach Kubernetes
|
|
|
|
|
services and it improves the performance of pod-to-service connections.When
|
|
|
|
|
set to TCP, connect time load balancing is available only for services
|
|
|
|
|
with TCP ports. [Default: TCP]'
|
|
|
|
|
enum:
|
|
|
|
|
- TCP
|
|
|
|
|
- Enabled
|
|
|
|
|
- Disabled
|
|
|
|
|
type: string
|
|
|
|
|
bpfConnectTimeLoadBalancingEnabled:
|
|
|
|
|
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
|
|
|
|
|
controls whether Felix installs the connection-time load balancer. The
|
|
|
|
|
connect-time load balancer is required for the host to be able to
|
|
|
|
|
reach Kubernetes services and it improves the performance of pod-to-service
|
|
|
|
|
connections. The only reason to disable it is for debugging purposes. [Default:
|
|
|
|
|
connections. The only reason to disable it is for debugging purposes.
|
|
|
|
|
This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
|
|
|
|
|
true]'
|
|
|
|
|
type: boolean
|
|
|
|
|
bpfDSROptoutCIDRs:
|
|
|
|
@ -1050,6 +1078,12 @@ spec:
|
|
|
|
|
the cluster. It should not match the workload interfaces (usually
|
|
|
|
|
named cali...).
|
|
|
|
|
type: string
|
|
|
|
|
bpfDisableGROForIfaces:
|
|
|
|
|
description: BPFDisableGROForIfaces is a regular expression that controls
|
|
|
|
|
which interfaces Felix should disable the Generic Receive Offload
|
|
|
|
|
[GRO] option. It should not match the workload interfaces (usually
|
|
|
|
|
named cali...).
|
|
|
|
|
type: string
|
|
|
|
|
bpfDisableUnprivileged:
|
|
|
|
|
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
|
|
|
|
|
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
|
|
|
|
@ -1065,7 +1099,15 @@ spec:
|
|
|
|
|
with BPF programs regardless of what is the per-interfaces or global
|
|
|
|
|
setting. Possible values are Disabled, Strict or Loose. [Default:
|
|
|
|
|
Loose]'
|
|
|
|
|
pattern: ^(?i)(Disabled|Strict|Loose)?$
|
|
|
|
|
type: string
|
|
|
|
|
bpfExcludeCIDRsFromNAT:
|
|
|
|
|
description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
|
|
|
|
|
be excluded from NAT resolution so that host can handle them. A
|
|
|
|
|
typical usecase is node local DNS cache.
|
|
|
|
|
items:
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
bpfExtToServiceConnmark:
|
|
|
|
|
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
|
|
|
|
|
mark that is set on connections from an external client to a local
|
|
|
|
@ -1082,15 +1124,35 @@ spec:
|
|
|
|
|
is sent directly from the remote node. In "DSR" mode, the remote
|
|
|
|
|
node appears to use the IP of the ingress node; this requires a
|
|
|
|
|
permissive L2 network. [Default: Tunnel]'
|
|
|
|
|
pattern: ^(?i)(Tunnel|DSR)?$
|
|
|
|
|
type: string
|
|
|
|
|
bpfForceTrackPacketsFromIfaces:
|
|
|
|
|
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
|
|
|
|
|
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
|
|
|
|
|
traffic from those interfaces to be tracked by Linux conntrack. Should
|
|
|
|
|
only be used for interfaces that are not used for the Calico fabric. For
|
|
|
|
|
example, a docker bridge device for non-Calico-networked containers.
|
|
|
|
|
[Default: docker+]'
|
|
|
|
|
items:
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
bpfHostConntrackBypass:
|
|
|
|
|
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
|
|
|
|
|
conntrack in BPF mode for workloads and services. [Default: true
|
|
|
|
|
- bypass Linux conntrack]'
|
|
|
|
|
type: boolean
|
|
|
|
|
bpfHostNetworkedNATWithoutCTLB:
|
|
|
|
|
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
|
|
|
|
|
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
|
|
|
|
|
determines the CTLB behavior. [Default: Enabled]'
|
|
|
|
|
enum:
|
|
|
|
|
- Enabled
|
|
|
|
|
- Disabled
|
|
|
|
|
type: string
|
|
|
|
|
bpfKubeProxyEndpointSlicesEnabled:
|
|
|
|
|
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
|
|
|
|
|
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
|
|
|
|
|
description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
|
|
|
|
|
no effect. BPF kube-proxy always accepts endpoint slices. This option
|
|
|
|
|
will be removed in the next release.
|
|
|
|
|
type: boolean
|
|
|
|
|
bpfKubeProxyIptablesCleanupEnabled:
|
|
|
|
|
description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
|
|
|
|
@ -1103,6 +1165,7 @@ spec:
|
|
|
|
|
minimum time between updates to the dataplane for Felix''s embedded
|
|
|
|
|
kube-proxy. Lower values give reduced set-up latency. Higher values
|
|
|
|
|
reduce Felix CPU usage by batching up more work. [Default: 1s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
bpfL3IfacePattern:
|
|
|
|
|
description: BPFL3IfacePattern is a regular expression that allows
|
|
|
|
@ -1112,11 +1175,22 @@ spec:
|
|
|
|
|
as any interfaces that handle incoming traffic to nodeports and
|
|
|
|
|
services from outside the cluster.
|
|
|
|
|
type: string
|
|
|
|
|
bpfLogFilters:
|
|
|
|
|
additionalProperties:
|
|
|
|
|
type: string
|
|
|
|
|
description: "BPFLogFilters is a map of key=values where the value
|
|
|
|
|
is a pcap filter expression and the key is an interface name with
|
|
|
|
|
'all' denoting all interfaces, 'weps' all workload endpoints and
|
|
|
|
|
'heps' all host endpoints. \n When specified as an env var, it accepts
|
|
|
|
|
a comma-separated list of key=values. [Default: unset - means all
|
|
|
|
|
debug logs are emitted]"
|
|
|
|
|
type: object
|
|
|
|
|
bpfLogLevel:
|
|
|
|
|
description: 'BPFLogLevel controls the log level of the BPF programs
|
|
|
|
|
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
|
|
|
|
|
logs are emitted to the BPF trace pipe, accessible with the command
|
|
|
|
|
`tc exec bpf debug`. [Default: Off].'
|
|
|
|
|
pattern: ^(?i)(Off|Info|Debug)?$
|
|
|
|
|
type: string
|
|
|
|
|
bpfMapSizeConntrack:
|
|
|
|
|
description: 'BPFMapSizeConntrack sets the size for the conntrack
|
|
|
|
@ -1181,6 +1255,7 @@ spec:
|
|
|
|
|
to append mode, be sure that the other rules in the chains signal
|
|
|
|
|
acceptance by falling through to the Calico rules, otherwise the
|
|
|
|
|
Calico policy will be bypassed. [Default: insert]'
|
|
|
|
|
pattern: ^(?i)(insert|append)?$
|
|
|
|
|
type: string
|
|
|
|
|
dataplaneDriver:
|
|
|
|
|
description: DataplaneDriver filename of the external dataplane driver
|
|
|
|
@ -1196,11 +1271,25 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
debugDisableLogDropping:
|
|
|
|
|
type: boolean
|
|
|
|
|
debugHost:
|
|
|
|
|
description: DebugHost is the host IP or hostname to bind the debug
|
|
|
|
|
port to. Only used if DebugPort is set. [Default:localhost]
|
|
|
|
|
type: string
|
|
|
|
|
debugMemoryProfilePath:
|
|
|
|
|
type: string
|
|
|
|
|
debugPort:
|
|
|
|
|
description: DebugPort if set, enables Felix's debug HTTP port, which
|
|
|
|
|
allows memory and CPU profiles to be retrieved. The debug port
|
|
|
|
|
is not secure, it should not be exposed to the internet.
|
|
|
|
|
type: integer
|
|
|
|
|
debugSimulateCalcGraphHangAfter:
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
debugSimulateDataplaneApplyDelay:
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
debugSimulateDataplaneHangAfter:
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
defaultEndpointToHostAction:
|
|
|
|
|
description: 'DefaultEndpointToHostAction controls what happens to
|
|
|
|
@ -1215,6 +1304,7 @@ spec:
|
|
|
|
|
endpoint egress policy. Use ACCEPT to unconditionally accept packets
|
|
|
|
|
from workloads after processing workload endpoint egress policy.
|
|
|
|
|
[Default: Drop]'
|
|
|
|
|
pattern: ^(?i)(Drop|Accept|Return)?$
|
|
|
|
|
type: string
|
|
|
|
|
deviceRouteProtocol:
|
|
|
|
|
description: This defines the route protocol added to programmed device
|
|
|
|
@ -1233,9 +1323,16 @@ spec:
|
|
|
|
|
disableConntrackInvalidCheck:
|
|
|
|
|
type: boolean
|
|
|
|
|
endpointReportingDelay:
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
endpointReportingEnabled:
|
|
|
|
|
type: boolean
|
|
|
|
|
endpointStatusPathPrefix:
|
|
|
|
|
description: "EndpointStatusPathPrefix is the path to the directory
|
|
|
|
|
where endpoint status will be written. Endpoint status file reporting
|
|
|
|
|
is disabled if field is left empty. \n Chosen directory should match
|
|
|
|
|
the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
|
|
|
|
|
type: string
|
|
|
|
|
externalNodesList:
|
|
|
|
|
description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
|
|
|
|
|
which may source tunnel traffic and have the tunneled traffic be
|
|
|
|
@ -1300,12 +1397,14 @@ spec:
|
|
|
|
|
based on auto-detected platform capabilities. Values are specified
|
|
|
|
|
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
|
|
|
|
|
or "false" will force the feature, empty or omitted values are auto-detected.
|
|
|
|
|
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
|
|
|
|
|
type: string
|
|
|
|
|
featureGates:
|
|
|
|
|
description: FeatureGates is used to enable or disable tech-preview
|
|
|
|
|
Calico features. Values are specified in a comma separated list
|
|
|
|
|
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
|
|
|
|
|
This is used to enable features that are not fully production ready.
|
|
|
|
|
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
|
|
|
|
|
type: string
|
|
|
|
|
floatingIPs:
|
|
|
|
|
description: FloatingIPs configures whether or not Felix will program
|
|
|
|
@ -1367,6 +1466,7 @@ spec:
|
|
|
|
|
description: InterfaceRefreshInterval is the period at which Felix
|
|
|
|
|
rescans local interfaces to verify their state. The rescan can be
|
|
|
|
|
disabled by setting the interval to 0.
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
ipipEnabled:
|
|
|
|
|
description: 'IPIPEnabled overrides whether Felix should configure
|
|
|
|
@ -1382,18 +1482,22 @@ spec:
|
|
|
|
|
all iptables state to ensure that no other process has accidentally
|
|
|
|
|
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
|
|
|
|
|
90s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesBackend:
|
|
|
|
|
description: IptablesBackend specifies which backend of iptables will
|
|
|
|
|
be used. The default is Auto.
|
|
|
|
|
pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesFilterAllowAction:
|
|
|
|
|
pattern: ^(?i)(Accept|Return)?$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesFilterDenyAction:
|
|
|
|
|
description: IptablesFilterDenyAction controls what happens to traffic
|
|
|
|
|
that is denied by network policy. By default Calico blocks traffic
|
|
|
|
|
with an iptables "DROP" action. If you want to use "REJECT" action
|
|
|
|
|
instead you can configure it in here.
|
|
|
|
|
pattern: ^(?i)(Drop|Reject)?$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesLockFilePath:
|
|
|
|
|
description: 'IptablesLockFilePath is the location of the iptables
|
|
|
|
@ -1406,6 +1510,7 @@ spec:
|
|
|
|
|
wait between attempts to acquire the iptables lock if it is not
|
|
|
|
|
available. Lower values make Felix more responsive when the lock
|
|
|
|
|
is contended, but use more CPU. [Default: 50ms]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesLockTimeout:
|
|
|
|
|
description: 'IptablesLockTimeout is the time that Felix will wait
|
|
|
|
@ -1414,8 +1519,10 @@ spec:
|
|
|
|
|
also take the lock. When running Felix inside a container, this
|
|
|
|
|
requires the /run directory of the host to be mounted into the calico/node
|
|
|
|
|
or calico/felix container. [Default: 0s disabled]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesMangleAllowAction:
|
|
|
|
|
pattern: ^(?i)(Accept|Return)?$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesMarkMask:
|
|
|
|
|
description: 'IptablesMarkMask is the mask that Felix selects its
|
|
|
|
@ -1432,6 +1539,7 @@ spec:
|
|
|
|
|
back in order to check the write was not clobbered by another process.
|
|
|
|
|
This should only occur if another application on the system doesn''t
|
|
|
|
|
respect the iptables lock. [Default: 1s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
iptablesRefreshInterval:
|
|
|
|
|
description: 'IptablesRefreshInterval is the period at which Felix
|
|
|
|
@ -1442,6 +1550,7 @@ spec:
|
|
|
|
|
was fixed in kernel version 4.11. If you are using v4.11 or greater
|
|
|
|
|
you may want to set this to, a higher value to reduce Felix CPU
|
|
|
|
|
usage. [Default: 10s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
ipv6Support:
|
|
|
|
|
description: IPv6Support controls whether Felix enables support for
|
|
|
|
@ -1476,15 +1585,18 @@ spec:
|
|
|
|
|
logSeverityFile:
|
|
|
|
|
description: 'LogSeverityFile is the log severity above which logs
|
|
|
|
|
are sent to the log file. [Default: Info]'
|
|
|
|
|
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
|
|
|
|
|
type: string
|
|
|
|
|
logSeverityScreen:
|
|
|
|
|
description: 'LogSeverityScreen is the log severity above which logs
|
|
|
|
|
are sent to the stdout. [Default: Info]'
|
|
|
|
|
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
|
|
|
|
|
type: string
|
|
|
|
|
logSeveritySys:
|
|
|
|
|
description: 'LogSeveritySys is the log severity above which logs
|
|
|
|
|
are sent to the syslog. Set to None for no logging to syslog. [Default:
|
|
|
|
|
Info]'
|
|
|
|
|
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
|
|
|
|
|
type: string
|
|
|
|
|
maxIpsetSize:
|
|
|
|
|
type: integer
|
|
|
|
@ -1492,7 +1604,7 @@ spec:
|
|
|
|
|
description: 'MetadataAddr is the IP address or domain name of the
|
|
|
|
|
server that can answer VM queries for cloud-init metadata. In OpenStack,
|
|
|
|
|
this corresponds to the machine running nova-api (or in Ubuntu,
|
|
|
|
|
nova-api-metadata). A value of none (case insensitive) means that
|
|
|
|
|
nova-api-metadata). A value of none (case-insensitive) means that
|
|
|
|
|
Felix should not set up any NAT rule for the metadata path. [Default:
|
|
|
|
|
127.0.0.1]'
|
|
|
|
|
type: string
|
|
|
|
@ -1523,6 +1635,7 @@ spec:
|
|
|
|
|
pattern: ^.*
|
|
|
|
|
x-kubernetes-int-or-string: true
|
|
|
|
|
netlinkTimeout:
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
openstackRegion:
|
|
|
|
|
description: 'OpenstackRegion is the name of the region that a particular
|
|
|
|
@ -1577,21 +1690,25 @@ spec:
|
|
|
|
|
description: 'ReportingInterval is the interval at which Felix reports
|
|
|
|
|
its status into the datastore or 0 to disable. Must be non-zero
|
|
|
|
|
in OpenStack deployments. [Default: 30s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
reportingTTL:
|
|
|
|
|
description: 'ReportingTTL is the time-to-live setting for process-wide
|
|
|
|
|
status reports. [Default: 90s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
routeRefreshInterval:
|
|
|
|
|
description: 'RouteRefreshInterval is the period at which Felix re-checks
|
|
|
|
|
the routes in the dataplane to ensure that no other process has
|
|
|
|
|
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
|
|
|
|
|
[Default: 90s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
routeSource:
|
|
|
|
|
description: 'RouteSource configures where Felix gets its routing
|
|
|
|
|
information. - WorkloadIPs: use workload endpoints to construct
|
|
|
|
|
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
|
|
|
|
|
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
|
|
|
|
|
type: string
|
|
|
|
|
routeSyncDisabled:
|
|
|
|
|
description: RouteSyncDisabled will disable all operations performed
|
|
|
|
@ -1631,6 +1748,7 @@ spec:
|
|
|
|
|
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
|
|
|
|
|
in which case such routing loops continue to be allowed. [Default:
|
|
|
|
|
Drop]'
|
|
|
|
|
pattern: ^(?i)(Drop|Reject|Disabled)?$
|
|
|
|
|
type: string
|
|
|
|
|
sidecarAccelerationEnabled:
|
|
|
|
|
description: 'SidecarAccelerationEnabled enables experimental sidecar
|
|
|
|
@ -1646,10 +1764,12 @@ spec:
|
|
|
|
|
usageReportingInitialDelay:
|
|
|
|
|
description: 'UsageReportingInitialDelay controls the minimum delay
|
|
|
|
|
before Felix makes a report. [Default: 300s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
usageReportingInterval:
|
|
|
|
|
description: 'UsageReportingInterval controls the interval at which
|
|
|
|
|
Felix makes reports. [Default: 86400s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
useInternalDataplaneDriver:
|
|
|
|
|
description: UseInternalDataplaneDriver, if true, Felix will use its
|
|
|
|
@ -1673,6 +1793,14 @@ spec:
|
|
|
|
|
type: integer
|
|
|
|
|
vxlanVNI:
|
|
|
|
|
type: integer
|
|
|
|
|
windowsManageFirewallRules:
|
|
|
|
|
description: 'WindowsManageFirewallRules configures whether or not
|
|
|
|
|
Felix will program Windows Firewall rules. (to allow inbound access
|
|
|
|
|
to its own metrics ports) [Default: Disabled]'
|
|
|
|
|
enum:
|
|
|
|
|
- Enabled
|
|
|
|
|
- Disabled
|
|
|
|
|
type: string
|
|
|
|
|
wireguardEnabled:
|
|
|
|
|
description: 'WireguardEnabled controls whether Wireguard is enabled
|
|
|
|
|
for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
|
|
|
|
@ -1698,6 +1826,7 @@ spec:
|
|
|
|
|
wireguardKeepAlive:
|
|
|
|
|
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
|
|
|
|
|
option. Set 0 to disable. [Default: 0]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
wireguardListeningPort:
|
|
|
|
|
description: 'WireguardListeningPort controls the listening port used
|
|
|
|
@ -1724,6 +1853,7 @@ spec:
|
|
|
|
|
the allowedSourcePrefixes annotation to send traffic with a source
|
|
|
|
|
IP address that is not theirs. This is disabled by default. When
|
|
|
|
|
set to "Any", pods can request any prefix.
|
|
|
|
|
pattern: ^(?i)(Disabled|Any)?$
|
|
|
|
|
type: string
|
|
|
|
|
xdpEnabled:
|
|
|
|
|
description: 'XDPEnabled enables XDP acceleration for suitable untracked
|
|
|
|
@ -1734,6 +1864,7 @@ spec:
|
|
|
|
|
all XDP state to ensure that no other process has accidentally broken
|
|
|
|
|
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
|
|
|
|
|
refresh. [Default: 90s]'
|
|
|
|
|
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
|
|
|
|
|
type: string
|
|
|
|
|
type: object
|
|
|
|
|
type: object
|
|
|
|
@ -2548,22 +2679,35 @@ spec:
|
|
|
|
|
with identical order will be applied in alphanumerical order based
|
|
|
|
|
on the Policy "Name".
|
|
|
|
|
type: number
|
|
|
|
|
performanceHints:
|
|
|
|
|
description: "PerformanceHints contains a list of hints to Calico's
|
|
|
|
|
policy engine to help process the policy more efficiently. Hints
|
|
|
|
|
never change the enforcement behaviour of the policy. \n Currently,
|
|
|
|
|
the only available hint is \"AssumeNeededOnEveryNode\". When that
|
|
|
|
|
hint is set on a policy, Felix will act as if the policy matches
|
|
|
|
|
a local endpoint even if it does not. This is useful for \"preloading\"
|
|
|
|
|
any large static policies that are known to be used on every node.
|
|
|
|
|
If the policy is _not_ used on a particular node then the work done
|
|
|
|
|
to preload the policy (and to maintain it) is wasted."
|
|
|
|
|
items:
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
preDNAT:
|
|
|
|
|
description: PreDNAT indicates to apply the rules in this policy before
|
|
|
|
|
any DNAT.
|
|
|
|
|
type: boolean
|
|
|
|
|
selector:
|
|
|
|
|
description: "The selector is an expression used to pick pick out
|
|
|
|
|
the endpoints that the policy should be applied to. \n Selector
|
|
|
|
|
expressions follow this syntax: \n \tlabel == \"string_literal\"
|
|
|
|
|
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
|
|
|
|
|
\ -> not equal; also matches if label is not present \tlabel in
|
|
|
|
|
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
|
|
|
|
|
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
|
|
|
|
|
... } -> true if the value of label X is not one of \"a\", \"b\",
|
|
|
|
|
\"c\" \thas(label_name) -> True if that label is present \t! expr
|
|
|
|
|
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|
|
|
|
|
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
|
|
|
|
|
description: "The selector is an expression used to pick out the endpoints
|
|
|
|
|
that the policy should be applied to. \n Selector expressions follow
|
|
|
|
|
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
|
|
|
|
|
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
|
|
|
|
|
equal; also matches if label is not present \tlabel in { \"a\",
|
|
|
|
|
\"b\", \"c\", ... } -> true if the value of label X is one of
|
|
|
|
|
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
|
|
|
|
|
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
|
|
|
|
|
\thas(label_name) -> True if that label is present \t! expr ->
|
|
|
|
|
negation of expr \texpr && expr -> Short-circuit and \texpr ||
|
|
|
|
|
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
|
|
|
|
|
or the empty selector -> matches all endpoints. \n Label names are
|
|
|
|
|
allowed to contain alphanumerics, -, _ and /. String literals are
|
|
|
|
|
more permissive but they do not support escape characters. \n Examples
|
|
|
|
@ -4207,18 +4351,31 @@ spec:
|
|
|
|
|
with identical order will be applied in alphanumerical order based
|
|
|
|
|
on the Policy "Name".
|
|
|
|
|
type: number
|
|
|
|
|
performanceHints:
|
|
|
|
|
description: "PerformanceHints contains a list of hints to Calico's
|
|
|
|
|
policy engine to help process the policy more efficiently. Hints
|
|
|
|
|
never change the enforcement behaviour of the policy. \n Currently,
|
|
|
|
|
the only available hint is \"AssumeNeededOnEveryNode\". When that
|
|
|
|
|
hint is set on a policy, Felix will act as if the policy matches
|
|
|
|
|
a local endpoint even if it does not. This is useful for \"preloading\"
|
|
|
|
|
any large static policies that are known to be used on every node.
|
|
|
|
|
If the policy is _not_ used on a particular node then the work done
|
|
|
|
|
to preload the policy (and to maintain it) is wasted."
|
|
|
|
|
items:
|
|
|
|
|
type: string
|
|
|
|
|
type: array
|
|
|
|
|
selector:
|
|
|
|
|
description: "The selector is an expression used to pick pick out
|
|
|
|
|
the endpoints that the policy should be applied to. \n Selector
|
|
|
|
|
expressions follow this syntax: \n \tlabel == \"string_literal\"
|
|
|
|
|
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
|
|
|
|
|
\ -> not equal; also matches if label is not present \tlabel in
|
|
|
|
|
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
|
|
|
|
|
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
|
|
|
|
|
... } -> true if the value of label X is not one of \"a\", \"b\",
|
|
|
|
|
\"c\" \thas(label_name) -> True if that label is present \t! expr
|
|
|
|
|
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|
|
|
|
|
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
|
|
|
|
|
description: "The selector is an expression used to pick out the endpoints
|
|
|
|
|
that the policy should be applied to. \n Selector expressions follow
|
|
|
|
|
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
|
|
|
|
|
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
|
|
|
|
|
equal; also matches if label is not present \tlabel in { \"a\",
|
|
|
|
|
\"b\", \"c\", ... } -> true if the value of label X is one of
|
|
|
|
|
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
|
|
|
|
|
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
|
|
|
|
|
\thas(label_name) -> True if that label is present \t! expr ->
|
|
|
|
|
negation of expr \texpr && expr -> Short-circuit and \texpr ||
|
|
|
|
|
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
|
|
|
|
|
or the empty selector -> matches all endpoints. \n Label names are
|
|
|
|
|
allowed to contain alphanumerics, -, _ and /. String literals are
|
|
|
|
|
more permissive but they do not support escape characters. \n Examples
|
|
|
|
@ -4504,7 +4661,7 @@ rules:
|
|
|
|
|
- create
|
|
|
|
|
- update
|
|
|
|
|
# Calico must update some CRDs.
|
|
|
|
|
- apiGroups: [ "crd.projectcalico.org" ]
|
|
|
|
|
- apiGroups: ["crd.projectcalico.org"]
|
|
|
|
|
resources:
|
|
|
|
|
- caliconodestatuses
|
|
|
|
|
verbs: