Uprev CNI images for k8s v1.25-v1.29

This commit uprevs the container networking images as follows:

calico: v3.26.4 -> v3.28.0
multus: v3.9.3 -> unchanged
sriov-cni: v2.7.0 -> v2.8.0
sriov-device-plugin: v3.6.2 -> unchanged

The following changes have been made:
- create a new directory for k8s 1.29.2
- symlink k8s 1.25-1.28 directories to k8s v1.29.2
- Apply Starlingx custom changes on top of base

Testing:

- Ensure uprev'd images work on a fresh install with k8s 1.29.2
- Successful system deployment (AIO-SX, AIO-DX, DC)
- Perform several networking operations on k8s 1.29.2:
  - Calico:
    * pod -> pod connectivity
    * pod -> service connectivity
    * ingress connectivity
    * IPAM testing
  - Multus / SR-IOV verification:
    * Run the SR-IOV automated tests with a full pass
  - Test IPv4 and IPv6:
    * Ensure all pods come up under each environment
    * Test pod -> pod connectivity on both
  - Test manual upgrade from k8s 1.24 -> 1.29

Story: 2011124
Task: 50228

Change-Id: I0a00cf2ca0eed06c5d691ca9e09fe9f1f5665c77
Signed-off-by: Mohammad Issa <mohammad.issa@windriver.com>
This commit is contained in:
Mohammad Issa 2024-06-07 17:53:49 +00:00
parent baab9b9401
commit b891e64737
15 changed files with 215 additions and 60 deletions

View File

@ -1,10 +1,10 @@
---
# Calico Version v3.26.4
# Calico Version v3.28.0
# Based off:
# https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/calico.yaml
# https://raw.githubusercontent.com/projectcalico/calico/v3.28.0/manifests/calico.yaml
#
# This file is licensed under Apache 2.0. You can obtain a copy of the license at:
# https://github.com/projectcalico/calico/blob/v3.26.4/calico/LICENSE
# https://github.com/projectcalico/calico/blob/v3.28.0/calico/LICENSE
#
# The following modifications have been made:
#
@ -35,7 +35,7 @@
# health and status
#
# curl -o calicoctl -L https://github.com/projectcalico/calico/releases/download/
# v3.25.0/calicoctl-linux-amd64
# v3.28.0/calicoctl-linux-amd64
# chmod +x calicoctl
# sudo mv calicoctl /usr/local/bin
# export DATASTORE_TYPE=kubernetes
@ -369,12 +369,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
exportV6:
@ -388,12 +390,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
importV4:
@ -407,12 +411,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
importV6:
@ -426,12 +432,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
type: object
@ -511,7 +519,7 @@ spec:
numAllowedLocalASNumbers:
description: Maximum number of local AS numbers that are allowed in
the AS path for received routes. This removes BGP loop prevention
and should only be used if absolutely necesssary.
and should only be used if absolutely necessary.
format: int32
type: integer
password:
@ -1026,12 +1034,32 @@ spec:
- Enable
- Disable
type: string
bpfCTLBLogFilter:
description: 'BPFCTLBLogFilter specifies, what is logged by connect
time load balancer when BPFLogLevel is debug. Currently has to be
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
[Default: unset - means logs are emitted when BPFLogLevel id debug
and BPFLogFilters not set.]'
type: string
bpfConnectTimeLoadBalancing:
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
whether Felix installs the connect-time load balancer. The connect-time
load balancer is required for the host to be able to reach Kubernetes
services and it improves the performance of pod-to-service connections.When
set to TCP, connect time load balancing is available only for services
with TCP ports. [Default: TCP]'
enum:
- TCP
- Enabled
- Disabled
type: string
bpfConnectTimeLoadBalancingEnabled:
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
controls whether Felix installs the connection-time load balancer. The
connect-time load balancer is required for the host to be able to
reach Kubernetes services and it improves the performance of pod-to-service
connections. The only reason to disable it is for debugging purposes. [Default:
connections. The only reason to disable it is for debugging purposes.
This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
true]'
type: boolean
bpfDSROptoutCIDRs:
@ -1050,6 +1078,12 @@ spec:
the cluster. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableGROForIfaces:
description: BPFDisableGROForIfaces is a regular expression that controls
which interfaces Felix should disable the Generic Receive Offload
[GRO] option. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
@ -1065,7 +1099,15 @@ spec:
with BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Loose]'
pattern: ^(?i)(Disabled|Strict|Loose)?$
type: string
bpfExcludeCIDRsFromNAT:
description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
be excluded from NAT resolution so that host can handle them. A
typical usecase is node local DNS cache.
items:
type: string
type: array
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local
@ -1082,15 +1124,35 @@ spec:
is sent directly from the remote node. In "DSR" mode, the remote
node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]'
pattern: ^(?i)(Tunnel|DSR)?$
type: string
bpfForceTrackPacketsFromIfaces:
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
traffic from those interfaces to be tracked by Linux conntrack. Should
only be used for interfaces that are not used for the Calico fabric. For
example, a docker bridge device for non-Calico-networked containers.
[Default: docker+]'
items:
type: string
type: array
bpfHostConntrackBypass:
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
conntrack in BPF mode for workloads and services. [Default: true
- bypass Linux conntrack]'
type: boolean
bpfHostNetworkedNATWithoutCTLB:
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
determines the CTLB behavior. [Default: Enabled]'
enum:
- Enabled
- Disabled
type: string
bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
no effect. BPF kube-proxy always accepts endpoint slices. This option
will be removed in the next release.
type: boolean
bpfKubeProxyIptablesCleanupEnabled:
description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
@ -1103,6 +1165,7 @@ spec:
minimum time between updates to the dataplane for Felix''s embedded
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
@ -1112,11 +1175,22 @@ spec:
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogFilters:
additionalProperties:
type: string
description: "BPFLogFilters is a map of key=values where the value
is a pcap filter expression and the key is an interface name with
'all' denoting all interfaces, 'weps' all workload endpoints and
'heps' all host endpoints. \n When specified as an env var, it accepts
a comma-separated list of key=values. [Default: unset - means all
debug logs are emitted]"
type: object
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].'
pattern: ^(?i)(Off|Info|Debug)?$
type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
@ -1181,6 +1255,7 @@ spec:
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
pattern: ^(?i)(insert|append)?$
type: string
dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
@ -1196,11 +1271,25 @@ spec:
type: string
debugDisableLogDropping:
type: boolean
debugHost:
description: DebugHost is the host IP or hostname to bind the debug
port to. Only used if DebugPort is set. [Default:localhost]
type: string
debugMemoryProfilePath:
type: string
debugPort:
description: DebugPort if set, enables Felix's debug HTTP port, which
allows memory and CPU profiles to be retrieved. The debug port
is not secure, it should not be exposed to the internet.
type: integer
debugSimulateCalcGraphHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneApplyDelay:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
defaultEndpointToHostAction:
description: 'DefaultEndpointToHostAction controls what happens to
@ -1215,6 +1304,7 @@ spec:
endpoint egress policy. Use ACCEPT to unconditionally accept packets
from workloads after processing workload endpoint egress policy.
[Default: Drop]'
pattern: ^(?i)(Drop|Accept|Return)?$
type: string
deviceRouteProtocol:
description: This defines the route protocol added to programmed device
@ -1233,9 +1323,16 @@ spec:
disableConntrackInvalidCheck:
type: boolean
endpointReportingDelay:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
endpointReportingEnabled:
type: boolean
endpointStatusPathPrefix:
description: "EndpointStatusPathPrefix is the path to the directory
where endpoint status will be written. Endpoint status file reporting
is disabled if field is left empty. \n Chosen directory should match
the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
type: string
externalNodesList:
description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
which may source tunnel traffic and have the tunneled traffic be
@ -1300,12 +1397,14 @@ spec:
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
or "false" will force the feature, empty or omitted values are auto-detected.
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
@ -1367,6 +1466,7 @@ spec:
description: InterfaceRefreshInterval is the period at which Felix
rescans local interfaces to verify their state. The rescan can be
disabled by setting the interval to 0.
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
@ -1382,18 +1482,22 @@ spec:
all iptables state to ensure that no other process has accidentally
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesBackend:
description: IptablesBackend specifies which backend of iptables will
be used. The default is Auto.
pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
type: string
iptablesFilterAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesFilterDenyAction:
description: IptablesFilterDenyAction controls what happens to traffic
that is denied by network policy. By default Calico blocks traffic
with an iptables "DROP" action. If you want to use "REJECT" action
instead you can configure it in here.
pattern: ^(?i)(Drop|Reject)?$
type: string
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
@ -1406,6 +1510,7 @@ spec:
wait between attempts to acquire the iptables lock if it is not
available. Lower values make Felix more responsive when the lock
is contended, but use more CPU. [Default: 50ms]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesLockTimeout:
description: 'IptablesLockTimeout is the time that Felix will wait
@ -1414,8 +1519,10 @@ spec:
also take the lock. When running Felix inside a container, this
requires the /run directory of the host to be mounted into the calico/node
or calico/felix container. [Default: 0s disabled]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesMangleAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesMarkMask:
description: 'IptablesMarkMask is the mask that Felix selects its
@ -1432,6 +1539,7 @@ spec:
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
@ -1442,6 +1550,7 @@ spec:
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to, a higher value to reduce Felix CPU
usage. [Default: 10s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipv6Support:
description: IPv6Support controls whether Felix enables support for
@ -1476,15 +1585,18 @@ spec:
logSeverityFile:
description: 'LogSeverityFile is the log severity above which logs
are sent to the log file. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeverityScreen:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeveritySys:
description: 'LogSeveritySys is the log severity above which logs
are sent to the syslog. Set to None for no logging to syslog. [Default:
Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
maxIpsetSize:
type: integer
@ -1492,7 +1604,7 @@ spec:
description: 'MetadataAddr is the IP address or domain name of the
server that can answer VM queries for cloud-init metadata. In OpenStack,
this corresponds to the machine running nova-api (or in Ubuntu,
nova-api-metadata). A value of none (case insensitive) means that
nova-api-metadata). A value of none (case-insensitive) means that
Felix should not set up any NAT rule for the metadata path. [Default:
127.0.0.1]'
type: string
@ -1523,6 +1635,7 @@ spec:
pattern: ^.*
x-kubernetes-int-or-string: true
netlinkTimeout:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
openstackRegion:
description: 'OpenstackRegion is the name of the region that a particular
@ -1577,21 +1690,25 @@ spec:
description: 'ReportingInterval is the interval at which Felix reports
its status into the datastore or 0 to disable. Must be non-zero
in OpenStack deployments. [Default: 30s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
reportingTTL:
description: 'ReportingTTL is the time-to-live setting for process-wide
status reports. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeRefreshInterval:
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeSource:
description: 'RouteSource configures where Felix gets its routing
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
type: string
routeSyncDisabled:
description: RouteSyncDisabled will disable all operations performed
@ -1631,6 +1748,7 @@ spec:
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
pattern: ^(?i)(Drop|Reject|Disabled)?$
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
@ -1646,10 +1764,12 @@ spec:
usageReportingInitialDelay:
description: 'UsageReportingInitialDelay controls the minimum delay
before Felix makes a report. [Default: 300s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
usageReportingInterval:
description: 'UsageReportingInterval controls the interval at which
Felix makes reports. [Default: 86400s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, Felix will use its
@ -1673,6 +1793,14 @@ spec:
type: integer
vxlanVNI:
type: integer
windowsManageFirewallRules:
description: 'WindowsManageFirewallRules configures whether or not
Felix will program Windows Firewall rules. (to allow inbound access
to its own metrics ports) [Default: Disabled]'
enum:
- Enabled
- Disabled
type: string
wireguardEnabled:
description: 'WireguardEnabled controls whether Wireguard is enabled
for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
@ -1698,6 +1826,7 @@ spec:
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
option. Set 0 to disable. [Default: 0]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
@ -1724,6 +1853,7 @@ spec:
the allowedSourcePrefixes annotation to send traffic with a source
IP address that is not theirs. This is disabled by default. When
set to "Any", pods can request any prefix.
pattern: ^(?i)(Disabled|Any)?$
type: string
xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked
@ -1734,6 +1864,7 @@ spec:
all XDP state to ensure that no other process has accidentally broken
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
refresh. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
type: object
type: object
@ -2548,22 +2679,35 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
preDNAT:
description: PreDNAT indicates to apply the rules in this policy before
any DNAT.
type: boolean
selector:
description: "The selector is an expression used to pick pick out
the endpoints that the policy should be applied to. \n Selector
expressions follow this syntax: \n \tlabel == \"string_literal\"
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
\ -> not equal; also matches if label is not present \tlabel in
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
... } -> true if the value of label X is not one of \"a\", \"b\",
\"c\" \thas(label_name) -> True if that label is present \t! expr
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
description: "The selector is an expression used to pick out the endpoints
that the policy should be applied to. \n Selector expressions follow
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
equal; also matches if label is not present \tlabel in { \"a\",
\"b\", \"c\", ... } -> true if the value of label X is one of
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
\thas(label_name) -> True if that label is present \t! expr ->
negation of expr \texpr && expr -> Short-circuit and \texpr ||
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
or the empty selector -> matches all endpoints. \n Label names are
allowed to contain alphanumerics, -, _ and /. String literals are
more permissive but they do not support escape characters. \n Examples
@ -4207,18 +4351,31 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
selector:
description: "The selector is an expression used to pick pick out
the endpoints that the policy should be applied to. \n Selector
expressions follow this syntax: \n \tlabel == \"string_literal\"
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
\ -> not equal; also matches if label is not present \tlabel in
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
... } -> true if the value of label X is not one of \"a\", \"b\",
\"c\" \thas(label_name) -> True if that label is present \t! expr
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
description: "The selector is an expression used to pick out the endpoints
that the policy should be applied to. \n Selector expressions follow
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
equal; also matches if label is not present \tlabel in { \"a\",
\"b\", \"c\", ... } -> true if the value of label X is one of
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
\thas(label_name) -> True if that label is present \t! expr ->
negation of expr \texpr && expr -> Short-circuit and \texpr ||
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
or the empty selector -> matches all endpoints. \n Label names are
allowed to contain alphanumerics, -, _ and /. String literals are
more permissive but they do not support escape characters. \n Examples
@ -4504,7 +4661,7 @@ rules:
- create
- update
# Calico must update some CRDs.
- apiGroups: [ "crd.projectcalico.org" ]
- apiGroups: ["crd.projectcalico.org"]
resources:
- caliconodestatuses
verbs:

View File

@ -1,10 +1,10 @@
# SRIOV-CNI Version v2.7.0
# SRIOV-CNI Version v2.8.0
# Based on:
# https://raw.githubusercontent.com/k8snetworkplumbingwg/sriov-cni/v2.7.0/images/k8s-v1.16/
# https://raw.githubusercontent.com/k8snetworkplumbingwg/sriov-cni/v2.8.0/images/
# sriov-cni-daemonset.yaml
#
# This file is licensed under Apache 2.0. You can obtain a copy of the license at:
# https://github.com/k8snetworkplumbingwg/sriov-cni/blob/v2.7.0/LICENSE
# https://github.com/k8snetworkplumbingwg/sriov-cni/blob/v2.8.0/LICENSE
#
# The following modifications have been made:
#
@ -75,4 +75,3 @@ spec:
- name: cnibin
hostPath:
path: {{ kubelet_cni_bin_dir }}

View File

@ -2,11 +2,11 @@
# System images that are pre-pulled and pushed to local registry
n3000_opae_img: docker.io/starlingx/n3000-opae:stx.8.0-v1.0.2
kubernetes_entrypoint_img: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
calico_cni_img: quay.io/calico/cni:v3.26.4
calico_node_img: quay.io/calico/node:v3.26.4
calico_kube_controllers_img: quay.io/calico/kube-controllers:v3.26.4
calico_cni_img: quay.io/calico/cni:v3.28.0
calico_node_img: quay.io/calico/node:v3.28.0
calico_kube_controllers_img: quay.io/calico/kube-controllers:v3.28.0
multus_img: ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
sriov_cni_img: ghcr.io/k8snetworkplumbingwg/sriov-cni:v2.7.0
sriov_cni_img: ghcr.io/k8snetworkplumbingwg/sriov-cni:v2.8.0
sriov_network_device_img: ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.6.2
intel_qat_plugin_img: docker.io/intel/intel-qat-plugin:0.26.0
intel_gpu_plugin_img: docker.io/intel/intel-gpu-plugin:0.26.0

View File

@ -2,11 +2,11 @@
# System images that are pre-pulled and pushed to local registry
n3000_opae_img: docker.io/starlingx/n3000-opae:stx.8.0-v1.0.2
kubernetes_entrypoint_img: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
calico_cni_img: quay.io/calico/cni:v3.26.4
calico_node_img: quay.io/calico/node:v3.26.4
calico_kube_controllers_img: quay.io/calico/kube-controllers:v3.26.4
calico_cni_img: quay.io/calico/cni:v3.28.0
calico_node_img: quay.io/calico/node:v3.28.0
calico_kube_controllers_img: quay.io/calico/kube-controllers:v3.28.0
multus_img: ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
sriov_cni_img: ghcr.io/k8snetworkplumbingwg/sriov-cni:v2.7.0
sriov_cni_img: ghcr.io/k8snetworkplumbingwg/sriov-cni:v2.8.0
sriov_network_device_img: ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.6.2
intel_qat_plugin_img: docker.io/intel/intel-qat-plugin:0.26.0
intel_gpu_plugin_img: docker.io/intel/intel-gpu-plugin:0.26.0