2 # Source: calico/templates/calico-kube-controllers.yaml
3 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
6 kind: PodDisruptionBudget
8 name: calico-kube-controllers
11 k8s-app: calico-kube-controllers
16 k8s-app: calico-kube-controllers
18 # Source: calico/templates/calico-kube-controllers.yaml
22 name: calico-kube-controllers
23 namespace: kube-system
25 # Source: calico/templates/calico-node.yaml
30 namespace: kube-system
32 # Source: calico/templates/calico-config.yaml
33 # This ConfigMap is used to configure a self-hosted Calico installation.
38 namespace: kube-system
41 typha_service_name: "none"
42 # Configure the backend to use.
43 calico_backend: "bird"
45 # Configure the MTU to use for workload interfaces and tunnels.
46 # By default, MTU is auto-detected, and explicitly setting this field should not be required.
47 # You can override auto-detection by providing a non-zero value.
50 # The CNI network configuration to install on each node. The special
51 # values in this config will be automatically populated.
52 cni_network_config: |-
54 "name": "k8s-pod-network",
55 "cniVersion": "0.3.1",
60 "log_file_path": "/var/log/calico/cni/cni.log",
61 "datastore_type": "kubernetes",
62 "nodename": "__KUBERNETES_NODE_NAME__",
71 "kubeconfig": "__KUBECONFIG_FILEPATH__"
77 "capabilities": {"portMappings": true}
81 "capabilities": {"bandwidth": true}
86 # Source: calico/templates/kdd-crds.yaml
87 apiVersion: apiextensions.k8s.io/v1
88 kind: CustomResourceDefinition
90 name: bgpconfigurations.crd.projectcalico.org
92 group: crd.projectcalico.org
94 kind: BGPConfiguration
95 listKind: BGPConfigurationList
96 plural: bgpconfigurations
97 singular: bgpconfiguration
98 preserveUnknownFields: false
104 description: BGPConfiguration contains the configuration for any BGP routing.
107 description: 'APIVersion defines the versioned schema of this representation
108 of an object. Servers should convert recognized schemas to the latest
109 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
112 description: 'Kind is a string value representing the REST resource this
113 object represents. Servers may infer this from the endpoint the client
114 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
119 description: BGPConfigurationSpec contains the values of the BGP configuration.
122 description: 'ASNumber is the default AS number used by a node. [Default:
127 description: BindMode indicates whether to listen for BGP connections
128 on all addresses (None) or only on the node's canonical IP address
129 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
130 for BGP connections on all addresses.
133 description: Communities is a list of BGP community values and their
134 arbitrary names for tagging routes.
136 description: Community contains standard or large community value
140 description: Name given to community value.
143 description: Value must be of format `aa:nn` or `aa:nn:mm`.
144 For standard community use `aa:nn` format, where `aa` and
145 `nn` are 16 bit number. For large community use `aa:nn:mm`
146 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
147 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
148 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
153 description: ListenPort is the port where BGP protocol should listen.
159 description: 'LogSeverityScreen is the log severity above which logs
160 are sent to the stdout. [Default: INFO]'
162 nodeMeshMaxRestartTime:
163 description: Time to allow for software restart for node-to-mesh peerings. When
164 specified, this is configured as the graceful restart timeout. When
165 not specified, the BIRD default of 120s is used. This field can
166 only be set on the default BGPConfiguration instance and requires
167 that NodeMesh is enabled
170 description: Optional BGP password for full node-to-mesh peerings.
171 This field can only be set on the default BGPConfiguration instance
172 and requires that NodeMesh is enabled
175 description: Selects a key of a secret in the node pod's namespace.
178 description: The key of the secret to select from. Must be
182 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
183 TODO: Add other useful fields. apiVersion, kind, uid?'
186 description: Specify whether the Secret or its key must be
193 nodeToNodeMeshEnabled:
194 description: 'NodeToNodeMeshEnabled sets whether full node to node
195 BGP mesh is enabled. [Default: true]'
197 prefixAdvertisements:
198 description: PrefixAdvertisements contains per-prefix advertisement
201 description: PrefixAdvertisement configures advertisement properties
202 for the specified CIDR.
205 description: CIDR for which properties should be advertised.
208 description: Communities can be list of either community names
209 already defined in `Specs.Communities` or community value
210 of format `aa:nn` or `aa:nn:mm`. For standard community use
211 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
212 large community use `aa:nn:mm` format, where `aa`, `nn` and
213 `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and
214 `mm` are per-AS identifier.
221 description: ServiceClusterIPs are the CIDR blocks from which service
222 cluster IPs are allocated. If specified, Calico will advertise these
223 blocks, as well as any cluster IPs within them.
225 description: ServiceClusterIPBlock represents a single allowed ClusterIP
233 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
234 Service External IPs. Kubernetes Service ExternalIPs will only be
235 advertised if they are within one of these blocks.
237 description: ServiceExternalIPBlock represents a single allowed
238 External IP CIDR block.
244 serviceLoadBalancerIPs:
245 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
246 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
247 IPs will only be advertised if they are within one of these blocks.
249 description: ServiceLoadBalancerIPBlock represents a single allowed
250 LoadBalancer IP CIDR block.
267 # Source: calico/templates/kdd-crds.yaml
268 apiVersion: apiextensions.k8s.io/v1
269 kind: CustomResourceDefinition
271 name: bgppeers.crd.projectcalico.org
273 group: crd.projectcalico.org
276 listKind: BGPPeerList
279 preserveUnknownFields: false
287 description: 'APIVersion defines the versioned schema of this representation
288 of an object. Servers should convert recognized schemas to the latest
289 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
292 description: 'Kind is a string value representing the REST resource this
293 object represents. Servers may infer this from the endpoint the client
294 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
299 description: BGPPeerSpec contains the specification for a BGPPeer resource.
302 description: The AS Number of the peer.
306 description: Option to keep the original nexthop field when routes
307 are sent to a BGP Peer. Setting "true" configures the selected BGP
308 Peers node to use the "next hop keep;" instead of "next hop self;" (default)
309 in the specific branch of the Node on "bird.cfg".
312 description: Time to allow for software restart. When specified,
313 this is configured as the graceful restart timeout. When not specified,
314 the BIRD default of 120s is used.
317 description: The node name identifying the Calico node instance that
318 is targeted by this peer. If this is not set, and no nodeSelector
319 is specified, then this BGP peer selects all nodes in the cluster.
322 description: Selector for the nodes that should have this peering. When
323 this is set, the Node field must be empty.
325 numAllowedLocalASNumbers:
326 description: Maximum number of local AS numbers that are allowed in
327 the AS path for received routes. This removes BGP loop prevention
328 and should only be used if absolutely necessary.
332 description: Optional BGP password for the peerings generated by this
336 description: Selects a key of a secret in the node pod's namespace.
339 description: The key of the secret to select from. Must be
343 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
344 TODO: Add other useful fields. apiVersion, kind, uid?'
347 description: Specify whether the Secret or its key must be
355 description: The IP address of the peer followed by an optional port
356 number to peer with. If port number is given, format should be `[<IPv6>]:port`
357 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
358 and this peer IP and ASNumber belongs to a calico/node with ListenPort
359 set in BGPConfiguration, then we use that port to peer.
362 description: Selector for the remote nodes to peer with. When this
363 is set, the PeerIP and ASNumber fields must be empty. For each
364 peering between the local node and selected remote nodes, we configure
365 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
366 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
367 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
368 or the global default if that is not set.
371 description: Specifies whether and how to configure a source address
372 for the peerings generated by this BGPPeer resource. Default value
373 "UseNodeIP" means to configure the node IP as the source address. "None"
374 means not to configure a source address.
387 # Source: calico/templates/kdd-crds.yaml
388 apiVersion: apiextensions.k8s.io/v1
389 kind: CustomResourceDefinition
391 name: blockaffinities.crd.projectcalico.org
393 group: crd.projectcalico.org
396 listKind: BlockAffinityList
397 plural: blockaffinities
398 singular: blockaffinity
399 preserveUnknownFields: false
407 description: 'APIVersion defines the versioned schema of this representation
408 of an object. Servers should convert recognized schemas to the latest
409 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
412 description: 'Kind is a string value representing the REST resource this
413 object represents. Servers may infer this from the endpoint the client
414 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
419 description: BlockAffinitySpec contains the specification for a BlockAffinity
425 description: Deleted indicates that this block affinity is being deleted.
426 This field is a string for compatibility with older releases that
427 mistakenly treat this field as a string.
449 # Source: calico/templates/kdd-crds.yaml
450 apiVersion: apiextensions.k8s.io/v1
451 kind: CustomResourceDefinition
454 controller-gen.kubebuilder.io/version: (devel)
455 creationTimestamp: null
456 name: caliconodestatuses.crd.projectcalico.org
458 group: crd.projectcalico.org
460 kind: CalicoNodeStatus
461 listKind: CalicoNodeStatusList
462 plural: caliconodestatuses
463 singular: caliconodestatus
464 preserveUnknownFields: false
472 description: 'APIVersion defines the versioned schema of this representation
473 of an object. Servers should convert recognized schemas to the latest
474 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
477 description: 'Kind is a string value representing the REST resource this
478 object represents. Servers may infer this from the endpoint the client
479 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
484 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
488 description: Classes declares the types of information to monitor
489 for this calico/node, and allows for selective status reporting
490 about certain subsets of information.
495 description: The node name identifies the Calico node instance for
499 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
500 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
501 Maximum update period is one day.
506 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
507 No validation needed for status since it is updated by Calico.
510 description: Agent holds agent status on the node.
513 description: BIRDV4 represents the latest observed status of bird4.
516 description: LastBootTime holds the value of lastBootTime
517 from bird.ctl output.
519 lastReconfigurationTime:
520 description: LastReconfigurationTime holds the value of lastReconfigTime
521 from bird.ctl output.
524 description: Router ID used by bird.
527 description: The state of the BGP Daemon.
530 description: Version of the BGP daemon
534 description: BIRDV6 represents the latest observed status of bird6.
537 description: LastBootTime holds the value of lastBootTime
538 from bird.ctl output.
540 lastReconfigurationTime:
541 description: LastReconfigurationTime holds the value of lastReconfigTime
542 from bird.ctl output.
545 description: Router ID used by bird.
548 description: The state of the BGP Daemon.
551 description: Version of the BGP daemon
556 description: BGP holds node BGP status.
559 description: The total number of IPv4 established bgp sessions.
562 description: The total number of IPv6 established bgp sessions.
564 numberNotEstablishedV4:
565 description: The total number of IPv4 non-established bgp sessions.
567 numberNotEstablishedV6:
568 description: The total number of IPv6 non-established bgp sessions.
571 description: PeersV4 represents IPv4 BGP peers status on the node.
573 description: CalicoNodePeer contains the status of BGP peers
577 description: IP address of the peer whose condition we are
581 description: Since the state or reason last changed.
584 description: State is the BGP session state.
587 description: Type indicates whether this peer is configured
588 via the node-to-node mesh, or via an explicit global or
589 per-node BGPPeer object.
594 description: PeersV6 represents IPv6 BGP peers status on the node.
596 description: CalicoNodePeer contains the status of BGP peers
600 description: IP address of the peer whose condition we are
604 description: Since the state or reason last changed.
607 description: State is the BGP session state.
610 description: Type indicates whether this peer is configured
611 via the node-to-node mesh, or via an explicit global or
612 per-node BGPPeer object.
617 - numberEstablishedV4
618 - numberEstablishedV6
619 - numberNotEstablishedV4
620 - numberNotEstablishedV6
623 description: LastUpdated is a timestamp representing the server time
624 when the CalicoNodeStatus object was last updated. It is represented in
625 RFC3339 form and is in UTC.
630 description: Routes reports routes known to the Calico BGP daemon
634 description: RoutesV4 represents IPv4 routes on the node.
636 description: CalicoNodeRoute contains the status of BGP routes
640 description: Destination of the route.
643 description: Gateway for the destination.
646 description: Interface for the destination
649 description: LearnedFrom contains information regarding
650 where this route originated.
653 description: If sourceType is NodeMesh or BGPPeer, IP
654 address of the router that sent us this route.
657 description: Type of the source where a route is learned
662 description: Type indicates if the route is being used for
668 description: RoutesV6 represents IPv6 routes on the node.
670 description: CalicoNodeRoute contains the status of BGP routes
674 description: Destination of the route.
677 description: Gateway for the destination.
680 description: Interface for the destination
683 description: LearnedFrom contains information regarding
684 where this route originated.
687 description: If sourceType is NodeMesh or BGPPeer, IP
688 address of the router that sent us this route.
691 description: Type of the source where a route is learned
696 description: Type indicates if the route is being used for
713 # Source: calico/templates/kdd-crds.yaml
714 apiVersion: apiextensions.k8s.io/v1
715 kind: CustomResourceDefinition
717 name: clusterinformations.crd.projectcalico.org
719 group: crd.projectcalico.org
721 kind: ClusterInformation
722 listKind: ClusterInformationList
723 plural: clusterinformations
724 singular: clusterinformation
725 preserveUnknownFields: false
731 description: ClusterInformation contains the cluster specific information.
734 description: 'APIVersion defines the versioned schema of this representation
735 of an object. Servers should convert recognized schemas to the latest
736 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
739 description: 'Kind is a string value representing the REST resource this
740 object represents. Servers may infer this from the endpoint the client
741 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
746 description: ClusterInformationSpec contains the values of describing
750 description: CalicoVersion is the version of Calico that the cluster
754 description: ClusterGUID is the GUID of the cluster
757 description: ClusterType describes the type of the cluster
760 description: DatastoreReady is used during significant datastore migrations
761 to signal to components such as Felix that it should wait before
762 accessing the datastore.
765 description: Variant declares which variant of Calico should be active.
778 # Source: calico/templates/kdd-crds.yaml
779 apiVersion: apiextensions.k8s.io/v1
780 kind: CustomResourceDefinition
782 name: felixconfigurations.crd.projectcalico.org
784 group: crd.projectcalico.org
786 kind: FelixConfiguration
787 listKind: FelixConfigurationList
788 plural: felixconfigurations
789 singular: felixconfiguration
790 preserveUnknownFields: false
796 description: Felix Configuration contains the configuration for Felix.
799 description: 'APIVersion defines the versioned schema of this representation
800 of an object. Servers should convert recognized schemas to the latest
801 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
804 description: 'Kind is a string value representing the REST resource this
805 object represents. Servers may infer this from the endpoint the client
806 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
811 description: FelixConfigurationSpec contains the values of the Felix configuration.
813 allowIPIPPacketsFromWorkloads:
814 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
815 will add a rule to drop IPIP encapsulated traffic from workloads
818 allowVXLANPacketsFromWorkloads:
819 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
820 will add a rule to drop VXLAN encapsulated traffic from workloads
824 description: 'Set source-destination-check on AWS EC2 instances. Accepted
825 value must be one of "DoNothing", "Enable" or "Disable". [Default:
832 bpfConnectTimeLoadBalancingEnabled:
833 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
834 controls whether Felix installs the connection-time load balancer. The
835 connect-time load balancer is required for the host to be able to
836 reach Kubernetes services and it improves the performance of pod-to-service
837 connections. The only reason to disable it is for debugging purposes. [Default:
841 description: BPFDataIfacePattern is a regular expression that controls
842 which interfaces Felix should attach BPF programs to in order to
843 catch traffic to/from the network. This needs to match the interfaces
844 that Calico workload traffic flows over as well as any interfaces
845 that handle incoming traffic to nodeports and services from outside
846 the cluster. It should not match the workload interfaces (usually
849 bpfDisableUnprivileged:
850 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
851 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
852 users cannot access Calico''s BPF maps and cannot insert their own
853 BPF programs to interfere with Calico''s. [Default: true]'
856 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
860 description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
861 BPF programs regardless of what is the per-interfaces or global
862 setting. Possible values are Disabled or Strict. [Default: Strict]'
864 bpfExtToServiceConnmark:
865 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
866 mark that is set on connections from an external client to a local
867 service. This mark allows us to control how packets of that connection
868 are routed within the host and how routing is interpreted by RPF
871 bpfExternalServiceMode:
872 description: 'BPFExternalServiceMode in BPF mode, controls how connections
873 from outside the cluster to services (node ports and cluster IPs)
874 are forwarded to remote workloads. If set to "Tunnel" then both
875 request and response traffic is tunneled to the remote node. If
876 set to "DSR", the request traffic is tunneled but the response traffic
877 is sent directly from the remote node. In "DSR" mode, the remote
878 node appears to use the IP of the ingress node; this requires a
879 permissive L2 network. [Default: Tunnel]'
881 bpfHostConntrackBypass:
882 description: 'BPFHostConntrackBypass Controls whether to bypass Linux
883 conntrack in BPF mode for workloads and services. [Default: true
884 - bypass Linux conntrack]'
886 bpfKubeProxyEndpointSlicesEnabled:
887 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
888 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
890 bpfKubeProxyIptablesCleanupEnabled:
891 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
892 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
893 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
896 bpfKubeProxyMinSyncPeriod:
897 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
898 minimum time between updates to the dataplane for Felix''s embedded
899 kube-proxy. Lower values give reduced set-up latency. Higher values
900 reduce Felix CPU usage by batching up more work. [Default: 1s]'
903 description: 'BPFLogLevel controls the log level of the BPF programs
904 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
905 logs are emitted to the BPF trace pipe, accessible with the command
906 `tc exec bpf debug`. [Default: Off].'
909 description: 'BPFMapSizeConntrack sets the size for the conntrack
910 map. This map must be large enough to hold an entry for each active
911 connection. Warning: changing the size of the conntrack map can
915 description: BPFMapSizeIPSets sets the size for ipsets map. The IP
916 sets map must be large enough to hold an entry for each endpoint
917 matched by every selector in the source/destination matches in network
918 policy. Selectors such as "all()" can result in large numbers of
919 entries (one entry per endpoint in that case).
922 description: BPFMapSizeIfState sets the size for ifstate map. The
923 ifstate map must be large enough to hold an entry for each device
924 (host + workloads) on a host.
926 bpfMapSizeNATAffinity:
928 bpfMapSizeNATBackend:
929 description: BPFMapSizeNATBackend sets the size for nat back end map.
930 This is the total number of endpoints. This is typically larger than
931 the number of services.
933 bpfMapSizeNATFrontend:
934 description: BPFMapSizeNATFrontend sets the size for nat front end
935 map. FrontendMap should be large enough to hold an entry for each
936 nodeport, external IP and each port in each service.
939 description: BPFMapSizeRoute sets the size for the routes map. The
940 routes map should be large enough to hold one entry per workload
941 and a handful of entries per host (enough to cover its own IPs and
948 description: 'BPFPSNATPorts sets the range from which we randomly
949 pick a port if there is a source port collision. This should be
950 within the ephemeral range as defined by RFC 6056 (1024–65535) and
951 preferably outside the ephemeral ranges used by common operating
952 systems. Linux uses 32768–60999, while others mostly use the IANA
953 defined range 49152–65535. It is not necessarily a problem if this
954 range overlaps with the operating systems. Both ends of the range
955 are inclusive. [Default: 20000:29999]'
957 x-kubernetes-int-or-string: true
958 bpfPolicyDebugEnabled:
959 description: BPFPolicyDebugEnabled when true, Felix records detailed
960 information about the BPF policy programs, which can be examined
961 with the calico-bpf command-line tool.
964 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
965 top-level iptables chains by inserting a rule at the top of the
966 chain or by appending a rule at the bottom. insert is the safe default
967 since it prevents Calico''s rules from being bypassed. If you switch
968 to append mode, be sure that the other rules in the chains signal
969 acceptance by falling through to the Calico rules, otherwise the
970 Calico policy will be bypassed. [Default: insert]'
973 description: DataplaneDriver filename of the external dataplane driver
974 to use. Only used if UseInternalDataplaneDriver is set to false.
976 dataplaneWatchdogTimeout:
977 description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
978 used for Felix''s (internal) dataplane driver. Increase this value
979 if you experience spurious non-ready or non-live events when Felix
980 is under heavy load. Decrease the value to get felix to report non-live
981 or non-ready more quickly. [Default: 90s]'
983 debugDisableLogDropping:
985 debugMemoryProfilePath:
987 debugSimulateCalcGraphHangAfter:
989 debugSimulateDataplaneHangAfter:
991 defaultEndpointToHostAction:
992 description: 'DefaultEndpointToHostAction controls what happens to
993 traffic that goes from a workload endpoint to the host itself (after
994 the traffic hits the endpoint egress policy). By default Calico
995 blocks traffic from workload endpoints to the host itself with an
996 iptables "DROP" action. If you want to allow some or all traffic
997 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
998 RETURN if you have your own rules in the iptables "INPUT" chain;
999 Calico will insert its rules at the top of that chain, then "RETURN"
1000 packets to the "INPUT" chain once it has completed processing workload
1001 endpoint egress policy. Use ACCEPT to unconditionally accept packets
1002 from workloads after processing workload endpoint egress policy.
1005 deviceRouteProtocol:
1006 description: This defines the route protocol added to programmed device
1007 routes, by default this will be RTPROT_BOOT when left blank.
1009 deviceRouteSourceAddress:
1010 description: This is the IPv4 source address to use on programmed
1011 device routes. By default the source address is left blank, leaving
1012 the kernel to choose the source address used.
1014 deviceRouteSourceAddressIPv6:
1015 description: This is the IPv6 source address to use on programmed
1016 device routes. By default the source address is left blank, leaving
1017 the kernel to choose the source address used.
1019 disableConntrackInvalidCheck:
1021 endpointReportingDelay:
1023 endpointReportingEnabled:
1026 description: ExternalNodesCIDRList is a list of CIDRs of external-non-calico-nodes
1027 which may source tunnel traffic and have the tunneled traffic be
1028 accepted at calico nodes.
1032 failsafeInboundHostPorts:
1033 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
1034 and CIDRs that Felix will allow incoming traffic to host endpoints
1035 on irrespective of the security policy. This is useful to avoid
1036 accidentally cutting off a host with incorrect configuration. For
1037 back-compatibility, if the protocol is not specified, it defaults
1038 to "tcp". If a CIDR is not specified, it will allow traffic from
1039 all addresses. To disable all inbound host ports, use the value
1040 none. The default value allows ssh access and DHCP. [Default: tcp:22,
1041 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
1043 description: ProtoPort is combination of protocol, port, and CIDR.
1044 Protocol and port must be specified.
1057 failsafeOutboundHostPorts:
1058 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
1059 and CIDRs that Felix will allow outgoing traffic from host endpoints
1060 to irrespective of the security policy. This is useful to avoid
1061 accidentally cutting off a host with incorrect configuration. For
1062 back-compatibility, if the protocol is not specified, it defaults
1063 to "tcp". If a CIDR is not specified, it will allow traffic from
1064 all addresses. To disable all outbound host ports, use the value
1065 none. The default value opens etcd''s standard ports to ensure that
1066 Felix does not get cut off from etcd as well as allowing DHCP and
1067 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
1068 tcp:6667, udp:53, udp:67]'
1070 description: ProtoPort is combination of protocol, port, and CIDR.
1071 Protocol and port must be specified.
1084 featureDetectOverride:
1085 description: FeatureDetectOverride is used to override the feature
1086 detection. Values are specified in a comma separated list with no
1087 spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
1088 "true" or "false" will force the feature, empty or omitted values
1092 description: FloatingIPs configures whether or not Felix will program
1093 floating IP addresses.
1099 description: 'GenericXDPEnabled enables Generic XDP so network cards
1100 that don''t support XDP offload or driver modes can use XDP. This
1101 is not recommended since it doesn''t provide better performance
1102 than iptables. [Default: false]'
1111 description: 'InterfaceExclude is a comma-separated list of interfaces
1112 that Felix should exclude when monitoring for host endpoints. The
1113 default value ensures that Felix ignores Kubernetes'' IPVS dummy
1114 interface, which is used internally by kube-proxy. If you want to
1115 exclude multiple interface names using a single value, the list
1116 supports regular expressions. For regular expressions you must wrap
1117 the value with ''/''. For example having values ''/^kube/,veth1''
1118 will exclude all interfaces that begin with ''kube'' and also the
1119 interface ''veth1''. [Default: kube-ipvs0]'
1122 description: 'InterfacePrefix is the interface name prefix that identifies
1123 workload endpoints and so distinguishes them from host endpoint
1124 interfaces. Note: in environments other than bare metal, the orchestrators
1125 configure this appropriately. For example our Kubernetes and Docker
1126 integrations set the ''cali'' value, and our OpenStack integration
1127 sets the ''tap'' value. [Default: cali]'
1129 interfaceRefreshInterval:
1130 description: InterfaceRefreshInterval is the period at which Felix
1131 rescans local interfaces to verify their state. The rescan can be
1132 disabled by setting the interval to 0.
1135 description: 'IPIPEnabled overrides whether Felix should configure
1136 an IPIP interface on the host. Optional as Felix determines this
1137 based on the existing IP pools. [Default: nil (unset)]'
1140 description: 'IPIPMTU is the MTU to set on the tunnel device. See
1141 Configuring MTU [Default: 1440]'
1143 ipsetsRefreshInterval:
1144 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
1145 all iptables state to ensure that no other process has accidentally
1146 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
1150 description: IptablesBackend specifies which backend of iptables will
1151 be used. The default is legacy.
1153 iptablesFilterAllowAction:
1155 iptablesLockFilePath:
1156 description: 'IptablesLockFilePath is the location of the iptables
1157 lock file. You may need to change this if the lock file is not in
1158 its standard location (for example if you have mapped it into Felix''s
1159 container at a different path). [Default: /run/xtables.lock]'
1161 iptablesLockProbeInterval:
1162 description: 'IptablesLockProbeInterval is the time that Felix will
1163 wait between attempts to acquire the iptables lock if it is not
1164 available. Lower values make Felix more responsive when the lock
1165 is contended, but use more CPU. [Default: 50ms]'
1167 iptablesLockTimeout:
1168 description: 'IptablesLockTimeout is the time that Felix will wait
1169 for the iptables lock, or 0, to disable. To use this feature, Felix
1170 must share the iptables lock file with all other processes that
1171 also take the lock. When running Felix inside a container, this
1172 requires the /run directory of the host to be mounted into the calico/node
1173 or calico/felix container. [Default: 0s disabled]'
1175 iptablesMangleAllowAction:
1178 description: 'IptablesMarkMask is the mask that Felix selects its
1179 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
1180 at least 8 bits set, none of which clash with any other mark bits
1181 in use on the system. [Default: 0xff000000]'
1184 iptablesNATOutgoingInterfaceFilter:
1186 iptablesPostWriteCheckInterval:
1187 description: 'IptablesPostWriteCheckInterval is the period after Felix
1188 has done a write to the dataplane that it schedules an extra read
1189 back in order to check the write was not clobbered by another process.
1190 This should only occur if another application on the system doesn''t
1191 respect the iptables lock. [Default: 1s]'
1193 iptablesRefreshInterval:
1194 description: 'IptablesRefreshInterval is the period at which Felix
1195 re-checks the IP sets in the dataplane to ensure that no other process
1196 has accidentally broken Calico''s rules. Set to 0 to disable IP
1197 sets refresh. Note: the default for this value is lower than the
1198 other refresh intervals as a workaround for a Linux kernel bug that
1199 was fixed in kernel version 4.11. If you are using v4.11 or greater
1200 you may want to set this to a higher value to reduce Felix CPU
1201 usage. [Default: 10s]'
1204 description: IPv6Support controls whether Felix enables support for
1205 IPv6 (if supported by the in-use dataplane).
1208 description: 'KubeNodePortRanges holds the list of port ranges used for
1209 service node ports. Only used if Felix detects kube-proxy running
1210 in ipvs mode. Felix uses these ranges to separate host and workload
1211 traffic. [Default: 30000:32767].'
1217 x-kubernetes-int-or-string: true
1219 logDebugFilenameRegex:
1220 description: LogDebugFilenameRegex controls which source code files
1221 have their Debug log output included in the logs. Only logs from
1222 files with names that match the given regular expression are included. The
1223 filter only applies to Debug level logs.
1226 description: 'LogFilePath is the full path to the Felix log. Set to
1227 none to disable file logging. [Default: /var/log/calico/felix.log]'
1230 description: 'LogPrefix is the log prefix that Felix uses when rendering
1231 LOG rules. [Default: calico-packet]'
1234 description: 'LogSeverityFile is the log severity above which logs
1235 are sent to the log file. [Default: Info]'
1238 description: 'LogSeverityScreen is the log severity above which logs
1239 are sent to stdout. [Default: Info]'
1242 description: 'LogSeveritySys is the log severity above which logs
1243 are sent to the syslog. Set to None for no logging to syslog. [Default:
1249 description: 'MetadataAddr is the IP address or domain name of the
1250 server that can answer VM queries for cloud-init metadata. In OpenStack,
1251 this corresponds to the machine running nova-api (or in Ubuntu,
1252 nova-api-metadata). A value of none (case insensitive) means that
1253 Felix should not set up any NAT rule for the metadata path. [Default:
1257 description: 'MetadataPort is the port of the metadata server. This,
1258 combined with global.MetadataAddr (if not ''None''), is used to
1259 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
1260 In most cases this should not need to be changed [Default: 8775].'
1263 description: MTUIfacePattern is a regular expression that controls
1264 which interfaces Felix should scan in order to calculate the host's
1265 MTU. This should not match workload interfaces (usually named cali...).
1268 description: NATOutgoingAddress specifies an address to use when performing
1269 source NAT for traffic in a natOutgoing pool that is leaving the
1270 network. By default the address used is an address on the interface
1271 the traffic is leaving on (i.e. it uses the iptables MASQUERADE target)
1277 description: NATPortRange specifies the range of ports that is used
1278 for port mapping when doing outgoing NAT. When unset the default
1279 behavior of the network stack is used.
1281 x-kubernetes-int-or-string: true
1285 description: 'OpenstackRegion is the name of the region that a particular
1286 Felix belongs to. In a multi-region Calico/OpenStack deployment,
1287 this must be configured somehow for each Felix (here in the datamodel,
1288 or in felix.cfg or the environment on each compute node), and must
1289 match the [calico] openstack_region value configured in neutron.conf
1290 on each node. [Default: Empty]'
1292 policySyncPathPrefix:
1293 description: 'PolicySyncPathPrefix is used by Felix to communicate
1294 policy changes to external services, like Application layer policy.
1297 prometheusGoMetricsEnabled:
1298 description: 'PrometheusGoMetricsEnabled, when set to false, disables
1299 Go runtime metrics collection, which the Prometheus client performs
1300 by default. This reduces the number of metrics reported, reducing
1301 Prometheus load. [Default: true]'
1303 prometheusMetricsEnabled:
1304 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
1305 server in Felix if set to true. [Default: false]'
1307 prometheusMetricsHost:
1308 description: 'PrometheusMetricsHost is the host that the Prometheus
1309 metrics server should bind to. [Default: empty]'
1311 prometheusMetricsPort:
1312 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
1313 metrics server should bind to. [Default: 9091]'
1315 prometheusProcessMetricsEnabled:
1316 description: 'PrometheusProcessMetricsEnabled, when set to false, disables
1317 process metrics collection, which the Prometheus client performs
1318 by default. This reduces the number of metrics reported, reducing
1319 Prometheus load. [Default: true]'
1321 prometheusWireGuardMetricsEnabled:
1322 description: 'PrometheusWireGuardMetricsEnabled, when set to false,
1323 disables wireguard metrics collection, which the Prometheus client
1324 performs by default. This reduces the number of metrics reported,
1325 reducing Prometheus load. [Default: true]'
1327 removeExternalRoutes:
1328 description: Whether or not to remove device routes that have not
1329 been programmed by Felix. Disabling this will allow external applications
1330 to also add device routes. This is enabled by default, which means
1331 we will remove externally added routes.
1334 description: 'ReportingInterval is the interval at which Felix reports
1335 its status into the datastore or 0 to disable. Must be non-zero
1336 in OpenStack deployments. [Default: 30s]'
1339 description: 'ReportingTTL is the time-to-live setting for process-wide
1340 status reports. [Default: 90s]'
1342 routeRefreshInterval:
1343 description: 'RouteRefreshInterval is the period at which Felix re-checks
1344 the routes in the dataplane to ensure that no other process has
1345 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
1349 description: 'RouteSource configures where Felix gets its routing
1350 information. - WorkloadIPs: use workload endpoints to construct
1351 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
1354 description: RouteSyncDisabled will disable all operations performed
1355 on the route table. Set to true to run in network-policy mode only.
1358 description: Deprecated in favor of RouteTableRanges. Calico programs
1359 additional Linux route tables for various purposes. RouteTableRange
1360 specifies the indices of the route tables that Calico should use.
1371 description: Calico programs additional Linux route tables for various
1372 purposes. RouteTableRanges specifies a set of table index ranges
1373 that Calico should use. Deprecates `RouteTableRange` and overrides `RouteTableRange`.
1385 serviceLoopPrevention:
1386 description: 'When service IP advertisement is enabled, prevent routing
1387 loops to service IPs that are not in use, by dropping or rejecting
1388 packets that do not get DNAT''d by kube-proxy, unless set to "Disabled",
1389 in which case such routing loops continue to be allowed. [Default:
1392 sidecarAccelerationEnabled:
1393 description: 'SidecarAccelerationEnabled enables experimental sidecar
1394 acceleration [Default: false]'
1396 usageReportingEnabled:
1397 description: 'UsageReportingEnabled reports anonymous Calico version
1398 number and cluster size to projectcalico.org. Logs warnings returned
1399 by the usage server. For example, if a significant security vulnerability
1400 has been discovered in the version of Calico being used. [Default:
1403 usageReportingInitialDelay:
1404 description: 'UsageReportingInitialDelay controls the minimum delay
1405 before Felix makes a report. [Default: 300s]'
1407 usageReportingInterval:
1408 description: 'UsageReportingInterval controls the interval at which
1409 Felix makes reports. [Default: 86400s]'
1411 useInternalDataplaneDriver:
1412 description: If UseInternalDataplaneDriver is true, Felix will use its
1413 internal dataplane programming logic. If false, it will launch
1414 an external dataplane driver and communicate with it over protobuf.
1417 description: 'VXLANEnabled overrides whether Felix should create the
1418 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
1419 determines this based on the existing IP pools. [Default: nil (unset)]'
1422 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
1423 device. See Configuring MTU [Default: 1410]'
1426 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
1427 device. See Configuring MTU [Default: 1390]'
1434 description: 'WireguardEnabled controls whether Wireguard is enabled
1435 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
1439 description: 'WireguardEnabledV6 controls whether Wireguard is enabled
1440 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
1443 wireguardHostEncryptionEnabled:
1444 description: 'WireguardHostEncryptionEnabled controls whether Wireguard
1445 host-to-host encryption is enabled. [Default: false]'
1447 wireguardInterfaceName:
1448 description: 'WireguardInterfaceName specifies the name to use for
1449 the IPv4 Wireguard interface. [Default: wireguard.cali]'
1451 wireguardInterfaceNameV6:
1452 description: 'WireguardInterfaceNameV6 specifies the name to use for
1453 the IPv6 Wireguard interface. [Default: wg-v6.cali]'
1456 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
1457 option. Set 0 to disable. [Default: 0]'
1459 wireguardListeningPort:
1460 description: 'WireguardListeningPort controls the listening port used
1461 by IPv4 Wireguard. [Default: 51820]'
1463 wireguardListeningPortV6:
1464 description: 'WireguardListeningPortV6 controls the listening port
1465 used by IPv6 Wireguard. [Default: 51821]'
1468 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
1469 interface. See Configuring MTU [Default: 1440]'
1472 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
1473 interface. See Configuring MTU [Default: 1420]'
1475 wireguardRoutingRulePriority:
1476 description: 'WireguardRoutingRulePriority controls the priority value
1477 to use for the Wireguard routing rule. [Default: 99]'
1479 workloadSourceSpoofing:
1480 description: WorkloadSourceSpoofing controls whether pods can use
1481 the allowedSourcePrefixes annotation to send traffic with a source
1482 IP address that is not theirs. This is disabled by default. When
1483 set to "Any", pods can request any prefix.
1486 description: 'XDPEnabled enables XDP acceleration for suitable untracked
1487 incoming deny rules. [Default: true]'
1490 description: 'XDPRefreshInterval is the period at which Felix re-checks
1491 all XDP state to ensure that no other process has accidentally broken
1492 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
1493 refresh. [Default: 90s]'
1506 # Source: calico/templates/kdd-crds.yaml
1507 apiVersion: apiextensions.k8s.io/v1
1508 kind: CustomResourceDefinition
1510 name: globalnetworkpolicies.crd.projectcalico.org
1512 group: crd.projectcalico.org
1514 kind: GlobalNetworkPolicy
1515 listKind: GlobalNetworkPolicyList
1516 plural: globalnetworkpolicies
1517 singular: globalnetworkpolicy
1518 preserveUnknownFields: false
1526 description: 'APIVersion defines the versioned schema of this representation
1527 of an object. Servers should convert recognized schemas to the latest
1528 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1531 description: 'Kind is a string value representing the REST resource this
1532 object represents. Servers may infer this from the endpoint the client
1533 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1540 description: ApplyOnForward indicates to apply the rules in this policy
1544 description: DoNotTrack indicates whether packets matched by the rules
1545 in this policy should go through the data plane's connection tracking,
1546 such as Linux conntrack. If True, the rules in this policy are
1547 applied before any data plane connection tracking, and packets allowed
1548 by this policy are marked as not to be tracked.
1551 description: The ordered set of egress rules. Each rule contains
1552 a set of packet match criteria and a corresponding action to apply.
1554 description: "A Rule encapsulates a set of match criteria and an
1555 action. Both selector-based security Policy and security Profiles
1556 reference rules - separated out as a list of rules for both ingress
1557 and egress packet matching. \n Each positive match criteria has
1558 a negated version, prefixed with \"Not\". All the match criteria
1559 within a rule must be satisfied for a packet to match. A single
1560 rule can contain the positive and negative version of a match
1561 and both must be satisfied for the rule to match."
1566 description: Destination contains the match criteria that apply
1567 to destination entity.
1570 description: "NamespaceSelector is an optional field that
1571 contains a selector expression. Only traffic that originates
1572 from (or terminates at) endpoints within the selected
1573 namespaces will be matched. When both NamespaceSelector
1574 and another selector are defined on the same rule, then
1575 only workload endpoints that are matched by both selectors
1576 will be selected by the rule. \n For NetworkPolicy, an
1577 empty NamespaceSelector implies that the Selector is limited
1578 to selecting only workload endpoints in the same namespace
1579 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1580 NamespaceSelector implies that the Selector is limited
1581 to selecting only GlobalNetworkSet or HostEndpoint. \n
1582 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1583 the Selector applies to workload endpoints across all
1587 description: Nets is an optional field that restricts the
1588 rule to only apply to traffic that originates from (or
1589 terminates at) IP addresses in any of the given subnets.
1594 description: NotNets is the negated version of the Nets
1600 description: NotPorts is the negated version of the Ports
1601 field. Since only some protocols have ports, if any ports
1602 are specified it requires the Protocol match in the Rule
1603 to be set to "TCP" or "UDP".
1609 x-kubernetes-int-or-string: true
1612 description: NotSelector is the negated version of the Selector
1613 field. See Selector field for subtleties with negated
1617 description: "Ports is an optional field that restricts
1618 the rule to only apply to traffic that has a source (destination)
1619 port that matches one of these ranges/values. This value
1620 is a list of integers or strings that represent ranges
1621 of ports. \n Since only some protocols have ports, if
1622 any ports are specified it requires the Protocol match
1623 in the Rule to be set to \"TCP\" or \"UDP\"."
1629 x-kubernetes-int-or-string: true
1632 description: "Selector is an optional field that contains
1633 a selector expression (see Policy for sample syntax).
1634 \ Only traffic that originates from (terminates at) endpoints
1635 matching the selector will be matched. \n Note that: in
1636 addition to the negated version of the Selector (see NotSelector
1637 below), the selector expression syntax itself supports
1638 negation. The two types of negation are subtly different.
1639 One negates the set of matched endpoints, the other negates
1640 the whole match: \n \tSelector = \"!has(my_label)\" matches
1641 packets that are from other Calico-controlled \tendpoints
1642 that do not have the label \"my_label\". \n \tNotSelector
1643 = \"has(my_label)\" matches packets that are not from
1644 Calico-controlled \tendpoints that do have the label \"my_label\".
1645 \n The effect is that the latter will accept packets from
1646 non-Calico sources whereas the former is limited to packets
1647 from Calico-controlled endpoints."
1650 description: ServiceAccounts is an optional field that restricts
1651 the rule to only apply to traffic that originates from
1652 (or terminates at) a pod running as a matching service
1656 description: Names is an optional field that restricts
1657 the rule to only apply to traffic that originates
1658 from (or terminates at) a pod running as a service
1659 account whose name is in the list.
1664 description: Selector is an optional field that restricts
1665 the rule to only apply to traffic that originates
1666 from (or terminates at) a pod running as a service
1667 account that matches the given label selector. If
1668 both Names and Selector are specified then they are
1673 description: "Services is an optional field that contains
1674 options for matching Kubernetes Services. If specified,
1675 only traffic that originates from or terminates at endpoints
1676 within the selected service(s) will be matched, and only
1677 to/from each endpoint's port. \n Services cannot be specified
1678 on the same rule as Selector, NotSelector, NamespaceSelector,
1679 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1680 can only be specified with Services on ingress rules."
1683 description: Name specifies the name of a Kubernetes
1687 description: Namespace specifies the namespace of the
1688 given Service. If left empty, the rule will match
1689 within this policy's namespace.
1694 description: HTTP contains match criteria that apply to HTTP
1698 description: Methods is an optional field that restricts
1699 the rule to apply only to HTTP requests that use one of
1700 the listed HTTP Methods (e.g. GET, PUT, etc.). Multiple
1701 methods are OR'd together.
1706 description: 'Paths is an optional field that restricts
1707 the rule to apply to HTTP requests that use one of the
1708 listed HTTP Paths. Multiple paths are OR''d together.
1709 e.g.: - exact: /foo - prefix: /bar NOTE: Each entry may
1710 ONLY specify either an `exact` or a `prefix` match. The
1711 validator will check for it.'
1713 description: 'HTTPPath specifies an HTTP path to match.
1714 It may be either of the form: exact: <path>: which matches
1715 the path exactly or prefix: <path-prefix>: which matches
1726 description: ICMP is an optional field that restricts the rule
1727 to apply to a specific type and code of ICMP traffic. This
1728 should only be specified if the Protocol field is set to "ICMP"
1732 description: Match on a specific ICMP code. If specified,
1733 the Type value must also be specified. This is a technical
1734 limitation imposed by the kernel's iptables firewall,
1735 which Calico uses to enforce the rule.
1738 description: Match on a specific ICMP type. For example
1739 a value of 8 refers to ICMP Echo Request (i.e. pings).
1743 description: IPVersion is an optional field that restricts the
1744 rule to only match a specific IP version.
1747 description: Metadata contains additional information for this
1751 additionalProperties:
1753 description: Annotations is a set of key value pairs that
1754 give extra information about the rule
1758 description: NotICMP is the negated version of the ICMP field.
1761 description: Match on a specific ICMP code. If specified,
1762 the Type value must also be specified. This is a technical
1763 limitation imposed by the kernel's iptables firewall,
1764 which Calico uses to enforce the rule.
1767 description: Match on a specific ICMP type. For example
1768 a value of 8 refers to ICMP Echo Request (i.e. pings).
1775 description: NotProtocol is the negated version of the Protocol
1778 x-kubernetes-int-or-string: true
1783 description: "Protocol is an optional field that restricts the
1784 rule to only apply to traffic of a specific IP protocol. Required
1785 if any of the EntityRules contain Ports (because ports only
1786 apply to certain protocols). \n Must be one of these string
1787 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1788 \"UDPLite\" or an integer in the range 1-255."
1790 x-kubernetes-int-or-string: true
1792 description: Source contains the match criteria that apply to
1796 description: "NamespaceSelector is an optional field that
1797 contains a selector expression. Only traffic that originates
1798 from (or terminates at) endpoints within the selected
1799 namespaces will be matched. When both NamespaceSelector
1800 and another selector are defined on the same rule, then
1801 only workload endpoints that are matched by both selectors
1802 will be selected by the rule. \n For NetworkPolicy, an
1803 empty NamespaceSelector implies that the Selector is limited
1804 to selecting only workload endpoints in the same namespace
1805 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1806 NamespaceSelector implies that the Selector is limited
1807 to selecting only GlobalNetworkSet or HostEndpoint. \n
1808 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1809 the Selector applies to workload endpoints across all
1813 description: Nets is an optional field that restricts the
1814 rule to only apply to traffic that originates from (or
1815 terminates at) IP addresses in any of the given subnets.
1820 description: NotNets is the negated version of the Nets
1826 description: NotPorts is the negated version of the Ports
1827 field. Since only some protocols have ports, if any ports
1828 are specified it requires the Protocol match in the Rule
1829 to be set to "TCP" or "UDP".
1835 x-kubernetes-int-or-string: true
1838 description: NotSelector is the negated version of the Selector
1839 field. See Selector field for subtleties with negated
1843 description: "Ports is an optional field that restricts
1844 the rule to only apply to traffic that has a source (destination)
1845 port that matches one of these ranges/values. This value
1846 is a list of integers or strings that represent ranges
1847 of ports. \n Since only some protocols have ports, if
1848 any ports are specified it requires the Protocol match
1849 in the Rule to be set to \"TCP\" or \"UDP\"."
1855 x-kubernetes-int-or-string: true
1858 description: "Selector is an optional field that contains
1859 a selector expression (see Policy for sample syntax).
1860 \ Only traffic that originates from (terminates at) endpoints
1861 matching the selector will be matched. \n Note that: in
1862 addition to the negated version of the Selector (see NotSelector
1863 below), the selector expression syntax itself supports
1864 negation. The two types of negation are subtly different.
1865 One negates the set of matched endpoints, the other negates
1866 the whole match: \n \tSelector = \"!has(my_label)\" matches
1867 packets that are from other Calico-controlled \tendpoints
1868 that do not have the label \"my_label\". \n \tNotSelector
1869 = \"has(my_label)\" matches packets that are not from
1870 Calico-controlled \tendpoints that do have the label \"my_label\".
1871 \n The effect is that the latter will accept packets from
1872 non-Calico sources whereas the former is limited to packets
1873 from Calico-controlled endpoints."
1876 description: ServiceAccounts is an optional field that restricts
1877 the rule to only apply to traffic that originates from
1878 (or terminates at) a pod running as a matching service
1882 description: Names is an optional field that restricts
1883 the rule to only apply to traffic that originates
1884 from (or terminates at) a pod running as a service
1885 account whose name is in the list.
1890 description: Selector is an optional field that restricts
1891 the rule to only apply to traffic that originates
1892 from (or terminates at) a pod running as a service
1893 account that matches the given label selector. If
1894 both Names and Selector are specified then they are
1899 description: "Services is an optional field that contains
1900 options for matching Kubernetes Services. If specified,
1901 only traffic that originates from or terminates at endpoints
1902 within the selected service(s) will be matched, and only
1903 to/from each endpoint's port. \n Services cannot be specified
1904 on the same rule as Selector, NotSelector, NamespaceSelector,
1905 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1906 can only be specified with Services on ingress rules."
1909 description: Name specifies the name of a Kubernetes
1913 description: Namespace specifies the namespace of the
1914 given Service. If left empty, the rule will match
1915 within this policy's namespace.
1924 description: The ordered set of ingress rules. Each rule contains
1925 a set of packet match criteria and a corresponding action to apply.
1927 description: "A Rule encapsulates a set of match criteria and an
1928 action. Both selector-based security Policy and security Profiles
1929 reference rules - separated out as a list of rules for both ingress
1930 and egress packet matching. \n Each positive match criteria has
1931 a negated version, prefixed with \"Not\". All the match criteria
1932 within a rule must be satisfied for a packet to match. A single
1933 rule can contain the positive and negative version of a match
1934 and both must be satisfied for the rule to match."
1939 description: Destination contains the match criteria that apply
1940 to destination entity.
1943 description: "NamespaceSelector is an optional field that
1944 contains a selector expression. Only traffic that originates
1945 from (or terminates at) endpoints within the selected
1946 namespaces will be matched. When both NamespaceSelector
1947 and another selector are defined on the same rule, then
1948 only workload endpoints that are matched by both selectors
1949 will be selected by the rule. \n For NetworkPolicy, an
1950 empty NamespaceSelector implies that the Selector is limited
1951 to selecting only workload endpoints in the same namespace
1952 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1953 NamespaceSelector implies that the Selector is limited
1954 to selecting only GlobalNetworkSet or HostEndpoint. \n
1955 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1956 the Selector applies to workload endpoints across all
1960 description: Nets is an optional field that restricts the
1961 rule to only apply to traffic that originates from (or
1962 terminates at) IP addresses in any of the given subnets.
1967 description: NotNets is the negated version of the Nets
1973 description: NotPorts is the negated version of the Ports
1974 field. Since only some protocols have ports, if any ports
1975 are specified it requires the Protocol match in the Rule
1976 to be set to "TCP" or "UDP".
1982 x-kubernetes-int-or-string: true
1985 description: NotSelector is the negated version of the Selector
1986 field. See Selector field for subtleties with negated
1990 description: "Ports is an optional field that restricts
1991 the rule to only apply to traffic that has a source (destination)
1992 port that matches one of these ranges/values. This value
1993 is a list of integers or strings that represent ranges
1994 of ports. \n Since only some protocols have ports, if
1995 any ports are specified it requires the Protocol match
1996 in the Rule to be set to \"TCP\" or \"UDP\"."
2002 x-kubernetes-int-or-string: true
2005 description: "Selector is an optional field that contains
2006 a selector expression (see Policy for sample syntax).
2007 \ Only traffic that originates from (terminates at) endpoints
2008 matching the selector will be matched. \n Note that: in
2009 addition to the negated version of the Selector (see NotSelector
2010 below), the selector expression syntax itself supports
2011 negation. The two types of negation are subtly different.
2012 One negates the set of matched endpoints, the other negates
2013 the whole match: \n \tSelector = \"!has(my_label)\" matches
2014 packets that are from other Calico-controlled \tendpoints
2015 that do not have the label \"my_label\". \n \tNotSelector
2016 = \"has(my_label)\" matches packets that are not from
2017 Calico-controlled \tendpoints that do have the label \"my_label\".
2018 \n The effect is that the latter will accept packets from
2019 non-Calico sources whereas the former is limited to packets
2020 from Calico-controlled endpoints."
2023 description: ServiceAccounts is an optional field that restricts
2024 the rule to only apply to traffic that originates from
2025 (or terminates at) a pod running as a matching service
2029 description: Names is an optional field that restricts
2030 the rule to only apply to traffic that originates
2031 from (or terminates at) a pod running as a service
2032 account whose name is in the list.
2037 description: Selector is an optional field that restricts
2038 the rule to only apply to traffic that originates
2039 from (or terminates at) a pod running as a service
2040 account that matches the given label selector. If
2041 both Names and Selector are specified then they are
2046 description: "Services is an optional field that contains
2047 options for matching Kubernetes Services. If specified,
2048 only traffic that originates from or terminates at endpoints
2049 within the selected service(s) will be matched, and only
2050 to/from each endpoint's port. \n Services cannot be specified
2051 on the same rule as Selector, NotSelector, NamespaceSelector,
2052 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2053 can only be specified with Services on ingress rules."
2056 description: Name specifies the name of a Kubernetes
2060 description: Namespace specifies the namespace of the
2061 given Service. If left empty, the rule will match
2062 within this policy's namespace.
2067 description: HTTP contains match criteria that apply to HTTP
2071 description: Methods is an optional field that restricts
2072 the rule to apply only to HTTP requests that use one of
2073 the listed HTTP Methods (e.g. GET, PUT, etc.). Multiple
2074 methods are OR'd together.
2079 description: 'Paths is an optional field that restricts
2080 the rule to apply to HTTP requests that use one of the
2081 listed HTTP Paths. Multiple paths are OR''d together.
2082 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2083 ONLY specify either a `exact` or a `prefix` match. The
2084 validator will check for it.'
2086 description: 'HTTPPath specifies an HTTP path to match.
2087 It may be either of the form: exact: <path>: which matches
2088 the path exactly or prefix: <path-prefix>: which matches
2099 description: ICMP is an optional field that restricts the rule
2100 to apply to a specific type and code of ICMP traffic. This
2101 should only be specified if the Protocol field is set to "ICMP"
2105 description: Match on a specific ICMP code. If specified,
2106 the Type value must also be specified. This is a technical
2107 limitation imposed by the kernel's iptables firewall,
2108 which Calico uses to enforce the rule.
2111 description: Match on a specific ICMP type. For example
2112 a value of 8 refers to ICMP Echo Request (i.e. pings).
2116 description: IPVersion is an optional field that restricts the
2117 rule to only match a specific IP version.
2120 description: Metadata contains additional information for this
2124 additionalProperties:
2126 description: Annotations is a set of key value pairs that
2127 give extra information about the rule
2131 description: NotICMP is the negated version of the ICMP field.
2134 description: Match on a specific ICMP code. If specified,
2135 the Type value must also be specified. This is a technical
2136 limitation imposed by the kernel's iptables firewall,
2137 which Calico uses to enforce the rule.
2140 description: Match on a specific ICMP type. For example
2141 a value of 8 refers to ICMP Echo Request (i.e. pings).
2148 description: NotProtocol is the negated version of the Protocol
2151 x-kubernetes-int-or-string: true
2156 description: "Protocol is an optional field that restricts the
2157 rule to only apply to traffic of a specific IP protocol. Required
2158 if any of the EntityRules contain Ports (because ports only
2159 apply to certain protocols). \n Must be one of these string
2160 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2161 \"UDPLite\" or an integer in the range 1-255."
2163 x-kubernetes-int-or-string: true
2165 description: Source contains the match criteria that apply to
2169 description: "NamespaceSelector is an optional field that
2170 contains a selector expression. Only traffic that originates
2171 from (or terminates at) endpoints within the selected
2172 namespaces will be matched. When both NamespaceSelector
2173 and another selector are defined on the same rule, then
2174 only workload endpoints that are matched by both selectors
2175 will be selected by the rule. \n For NetworkPolicy, an
2176 empty NamespaceSelector implies that the Selector is limited
2177 to selecting only workload endpoints in the same namespace
2178 as the NetworkPolicy. \n For NetworkPolicy, `global()`
2179 NamespaceSelector implies that the Selector is limited
2180 to selecting only GlobalNetworkSet or HostEndpoint. \n
2181 For GlobalNetworkPolicy, an empty NamespaceSelector implies
2182 the Selector applies to workload endpoints across all
2186 description: Nets is an optional field that restricts the
2187 rule to only apply to traffic that originates from (or
2188 terminates at) IP addresses in any of the given subnets.
2193 description: NotNets is the negated version of the Nets
2199 description: NotPorts is the negated version of the Ports
2200 field. Since only some protocols have ports, if any ports
2201 are specified it requires the Protocol match in the Rule
2202 to be set to "TCP" or "UDP".
2208 x-kubernetes-int-or-string: true
2211 description: NotSelector is the negated version of the Selector
2212 field. See Selector field for subtleties with negated
2216 description: "Ports is an optional field that restricts
2217 the rule to only apply to traffic that has a source (destination)
2218 port that matches one of these ranges/values. This value
2219 is a list of integers or strings that represent ranges
2220 of ports. \n Since only some protocols have ports, if
2221 any ports are specified it requires the Protocol match
2222 in the Rule to be set to \"TCP\" or \"UDP\"."
2228 x-kubernetes-int-or-string: true
2231 description: "Selector is an optional field that contains
2232 a selector expression (see Policy for sample syntax).
2233 \ Only traffic that originates from (terminates at) endpoints
2234 matching the selector will be matched. \n Note that: in
2235 addition to the negated version of the Selector (see NotSelector
2236 below), the selector expression syntax itself supports
2237 negation. The two types of negation are subtly different.
2238 One negates the set of matched endpoints, the other negates
2239 the whole match: \n \tSelector = \"!has(my_label)\" matches
2240 packets that are from other Calico-controlled \tendpoints
2241 that do not have the label \"my_label\". \n \tNotSelector
2242 = \"has(my_label)\" matches packets that are not from
2243 Calico-controlled \tendpoints that do have the label \"my_label\".
2244 \n The effect is that the latter will accept packets from
2245 non-Calico sources whereas the former is limited to packets
2246 from Calico-controlled endpoints."
2249 description: ServiceAccounts is an optional field that restricts
2250 the rule to only apply to traffic that originates from
2251 (or terminates at) a pod running as a matching service
2255 description: Names is an optional field that restricts
2256 the rule to only apply to traffic that originates
2257 from (or terminates at) a pod running as a service
2258 account whose name is in the list.
2263 description: Selector is an optional field that restricts
2264 the rule to only apply to traffic that originates
2265 from (or terminates at) a pod running as a service
2266 account that matches the given label selector. If
2267 both Names and Selector are specified then they are
2272 description: "Services is an optional field that contains
2273 options for matching Kubernetes Services. If specified,
2274 only traffic that originates from or terminates at endpoints
2275 within the selected service(s) will be matched, and only
2276 to/from each endpoint's port. \n Services cannot be specified
2277 on the same rule as Selector, NotSelector, NamespaceSelector,
2278 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2279 can only be specified with Services on ingress rules."
2282 description: Name specifies the name of a Kubernetes
2286 description: Namespace specifies the namespace of the
2287 given Service. If left empty, the rule will match
2288 within this policy's namespace.
2297 description: NamespaceSelector is an optional field for an expression
2298 used to select a pod based on namespaces.
2301 description: Order is an optional field that specifies the order in
2302 which the policy is applied. Policies with higher "order" are applied
2303 after those with lower order. If the order is omitted, it may be
2304 considered to be "infinite" - i.e. the policy will be applied last. Policies
2305 with identical order will be applied in alphanumerical order based
2306 on the Policy "Name".
2309 description: PreDNAT indicates to apply the rules in this policy before
2313 description: "The selector is an expression used to pick out
2314 the endpoints that the policy should be applied to. \n Selector
2315 expressions follow this syntax: \n \tlabel == \"string_literal\"
2316 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
2317 \ -> not equal; also matches if label is not present \tlabel in
2318 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
2319 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
2320 ... } -> true if the value of label X is not one of \"a\", \"b\",
2321 \"c\" \thas(label_name) -> True if that label is present \t! expr
2322 -> negation of expr \texpr && expr -> Short-circuit and \texpr
2323 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
2324 or the empty selector -> matches all endpoints. \n Label names are
2325 allowed to contain alphanumerics, -, _ and /. String literals are
2326 more permissive but they do not support escape characters. \n Examples
2327 (with made-up labels): \n \ttype == \"webserver\" && deployment
2328 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
2329 \"dev\" \t! has(label_name)"
2331 serviceAccountSelector:
2332 description: ServiceAccountSelector is an optional field for an expression
2333 used to select a pod based on service accounts.
2336 description: "Types indicates whether this policy applies to ingress,
2337 or to egress, or to both. When not explicitly specified (and so
2338 the value on creation is empty or nil), Calico defaults Types according
2339 to what Ingress and Egress rules are present in the policy. The
2340 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
2341 (including the case where there are also no Ingress rules) \n
2342 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
2343 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
2344 both Ingress and Egress rules. \n When the policy is read back again,
2345 Types will always be one of these values, never empty or nil."
2347 description: PolicyType enumerates the possible values of the PolicySpec
2362 # Source: calico/templates/kdd-crds.yaml
# GlobalNetworkSet CRD. Per the description below, a set of CIDRs that policy
# rules reference via label selectors, and its labels are not namespaced.
# NOTE(review): write access to these objects indirectly widens what a
# selector-based rule matches; review RBAC on this resource accordingly.
2363 apiVersion: apiextensions.k8s.io/v1
2364 kind: CustomResourceDefinition
2366 name: globalnetworksets.crd.projectcalico.org
2368 group: crd.projectcalico.org
2370 kind: GlobalNetworkSet
2371 listKind: GlobalNetworkSetList
2372 plural: globalnetworksets
2373 singular: globalnetworkset
2374 preserveUnknownFields: false
2380 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
2381 that share labels to allow rules to refer to them via selectors. The labels
2382 of GlobalNetworkSet are not namespaced.
2385 description: 'APIVersion defines the versioned schema of this representation
2386 of an object. Servers should convert recognized schemas to the latest
2387 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2390 description: 'Kind is a string value representing the REST resource this
2391 object represents. Servers may infer this from the endpoint the client
2392 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2397 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
# The CIDR list (its key name is not visible in this excerpt) that selector
# matches against this set resolve to.
2401 description: The list of IP networks that belong to this set.
2416 # Source: calico/templates/kdd-crds.yaml
# HostEndpoint CRD: applies Calico policy to a host's own interfaces.
# (The `kind:` name line is not visible in this excerpt; listKind is HostEndpointList.)
2417 apiVersion: apiextensions.k8s.io/v1
2418 kind: CustomResourceDefinition
2420 name: hostendpoints.crd.projectcalico.org
2422 group: crd.projectcalico.org
2425 listKind: HostEndpointList
2426 plural: hostendpoints
2427 singular: hostendpoint
2428 preserveUnknownFields: false
2436 description: 'APIVersion defines the versioned schema of this representation
2437 of an object. Servers should convert recognized schemas to the latest
2438 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2441 description: 'Kind is a string value representing the REST resource this
2442 object represents. Servers may infer this from the endpoint the client
2443 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2448 description: HostEndpointSpec contains the specification for a HostEndpoint
# expectedIPs: selector matches against host endpoints resolve to this list;
# when no interface name is given, Calico picks the interface carrying one of
# these IPs. If only the interface name is given, the IPs are not learned.
2452 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
2453 If \"InterfaceName\" is not present, Calico will look for an interface
2454 matching any of the IPs in the list and apply policy to that. Note:
2455 \tWhen using the selector match criteria in an ingress or egress
2456 security Policy \tor Profile, Calico converts the selector into
2457 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
2458 is used for that purpose. (If only the interface \tname is specified,
2459 Calico does not learn the IPs of the interface for use in match
# interfaceName: "*" governs all traffic entering or leaving the host's default
# network namespace on any interface. Per the description, only pre-DNAT policy
# was initially implemented for "*" endpoints, so do not assume other policy
# types take effect there without checking current Calico documentation.
2465 description: "Either \"*\", or the name of a specific Linux interface
2466 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
2467 governs all traffic to, from or through the default network namespace
2468 of the host named by the \"Node\" field; entering and leaving that
2469 namespace via any interface, including those from/to non-host-networked
2470 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
2471 only governs traffic that enters or leaves the host through the
2472 specific interface named by InterfaceName, or - when InterfaceName
2473 is empty - through the specific interface that has one of the IPs
2474 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
2475 one expected IP must be specified. Only external interfaces (such
2476 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
2477 to protect traffic through a specific local workload interface.
2478 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
2479 initially just pre-DNAT policy. Please check Calico documentation
2480 for the latest position."
2483 description: The node name identifying the Calico node instance.
2486 description: Ports contains the endpoint's named ports, which may
2487 be referenced in security policy rules.
2499 x-kubernetes-int-or-string: true
# profiles: applied in list order, after selector-based policy (the sentence
# is truncated in this excerpt).
2507 description: A list of identifiers of security Profile objects that
2508 apply to this endpoint. Each profile is applied in the order that
2509 they appear in this list. Profile rules are applied after the selector-based
2525 # Source: calico/templates/kdd-crds.yaml
# IPAMBlock CRD: Calico IPAM's internal per-block state. The `deleted` and
# `sequenceNumber` fields below are described as internal bookkeeping, so
# these objects are not meant to be hand-edited.
2526 apiVersion: apiextensions.k8s.io/v1
2527 kind: CustomResourceDefinition
2529 name: ipamblocks.crd.projectcalico.org
2531 group: crd.projectcalico.org
2534 listKind: IPAMBlockList
2537 preserveUnknownFields: false
2545 description: 'APIVersion defines the versioned schema of this representation
2546 of an object. Servers should convert recognized schemas to the latest
2547 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2550 description: 'Kind is a string value representing the REST resource this
2551 object represents. Servers may infer this from the endpoint the client
2552 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2557 description: IPAMBlockSpec contains the specification for an IPAMBlock
# affinity: "host:<hostname>" when the block is affine to a host; unset otherwise.
2561 description: Affinity of the block, if this block has one. If set,
2562 it will be of the form "host:<hostname>". If not set, this block
2563 is not affine to a host.
# allocations: nil entry = free; non-nil value = index into `attributes`.
2566 description: Array of allocations in-use within this block. nil entries
2567 mean the allocation is free. For non-nil entries at index i, the
2568 index is the ordinal of the allocation within this block and the
2569 value is the index of the associated attributes in the Attributes
2573 # TODO: This nullable is manually added in. We should update controller-gen
2574 # to handle []*int properly itself.
2578 description: Attributes is an array of arbitrary metadata associated
2579 with allocations in the block. To find attributes for a given allocation,
2580 use the value of the allocation's entry in the Allocations array
2581 as the index of the element in this array.
2587 additionalProperties:
2593 description: The block's CIDR.
# deleted: internal flag; per the description it must not be set manually.
2596 description: Deleted is an internal boolean used to workaround a limitation
2597 in the Kubernetes API whereby deletion will not return a conflict
2598 error if the block has been updated. It should not be set manually.
# sequenceNumber: a release request carries the allocation's sequence number,
# so an IP that was released and re-allocated in the meantime is not
# clobbered (race protection, per the description).
2602 description: We store a sequence number that is updated each time
2603 the block is written. Each allocation will also store the sequence
2604 number of the block at the time of its creation. When releasing
2605 an IP, passing the sequence number associated with the allocation
2606 allows us to protect against a race condition and ensure the IP
2607 hasn't been released and re-allocated since the release request.
2610 sequenceNumberForAllocation:
2611 additionalProperties:
# Map keys are strings because Kubernetes does not allow numeric map keys.
2614 description: Map of allocated ordinal within the block to sequence
2615 number of the block at the time of allocation. Kubernetes does not
2616 allow numerical keys for maps, so the key is cast to a string.
# strictAffinity here is deprecated; the IPAMConfig field is authoritative.
2619 description: StrictAffinity on the IPAMBlock is deprecated and no
2620 longer used by the code. Use IPAMConfig StrictAffinity instead.
2623 description: Unallocated is an ordered list of allocations which are
2645 # Source: calico/templates/kdd-crds.yaml
# IPAMConfig CRD: cluster-level IPAM settings (the IPAMBlock CRD above defers
# its StrictAffinity handling to this resource).
2646 apiVersion: apiextensions.k8s.io/v1
2647 kind: CustomResourceDefinition
2649 name: ipamconfigs.crd.projectcalico.org
2651 group: crd.projectcalico.org
2654 listKind: IPAMConfigList
2656 singular: ipamconfig
2657 preserveUnknownFields: false
2665 description: 'APIVersion defines the versioned schema of this representation
2666 of an object. Servers should convert recognized schemas to the latest
2667 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2670 description: 'Kind is a string value representing the REST resource this
2671 object represents. Servers may infer this from the endpoint the client
2672 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2677 description: IPAMConfigSpec contains the specification for an IPAMConfig
# maxBlocksPerHost: zero means no cap; non-zero limits blocks affine to a host.
2683 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2684 that can be affine to each host.
# `autoAllocateBlocks` is listed as an entry here; presumably under a
# `required:` list whose key line is not visible in this excerpt.
2691 - autoAllocateBlocks
2704 # Source: calico/templates/kdd-crds.yaml
# IPAMHandle CRD. Only the schema header and an `additionalProperties` map
# of the spec are visible in this excerpt; the field definitions are cut.
2705 apiVersion: apiextensions.k8s.io/v1
2706 kind: CustomResourceDefinition
2708 name: ipamhandles.crd.projectcalico.org
2710 group: crd.projectcalico.org
2713 listKind: IPAMHandleList
2715 singular: ipamhandle
2716 preserveUnknownFields: false
2724 description: 'APIVersion defines the versioned schema of this representation
2725 of an object. Servers should convert recognized schemas to the latest
2726 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2729 description: 'Kind is a string value representing the REST resource this
2730 object represents. Servers may infer this from the endpoint the client
2731 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2736 description: IPAMHandleSpec contains the specification for an IPAMHandle
2740 additionalProperties:
2761 # Source: calico/templates/kdd-crds.yaml
# IPPool CRD: pool CIDR plus block size, tunnelling mode and NAT behaviour.
# Two fields below are explicitly deprecated APIv1 carry-overs that must not
# be set by users.
2762 apiVersion: apiextensions.k8s.io/v1
2763 kind: CustomResourceDefinition
2765 name: ippools.crd.projectcalico.org
2767 group: crd.projectcalico.org
2770 listKind: IPPoolList
2773 preserveUnknownFields: false
2781 description: 'APIVersion defines the versioned schema of this representation
2782 of an object. Servers should convert recognized schemas to the latest
2783 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2786 description: 'Kind is a string value representing the REST resource this
2787 object represents. Servers may infer this from the endpoint the client
2788 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2793 description: IPPoolSpec contains the specification for an IPPool resource.
# allowedUse: omitted or empty means ["Tunnel", "Workload"].
2796 description: AllowedUse controls what the IP pool will be used for. If
2797 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
# blockSize: prefix length of per-host blocks; defaults 26 (IPv4) / 122 (IPv6).
2802 description: The block size to use for IP address assignments from
2803 this pool. Defaults to 26 for IPv4 and 122 for IPv6.
2806 description: The pool CIDR.
2809 description: 'Disable exporting routes from this IP Pool''s CIDR over
2810 BGP. [Default: false]'
2813 description: When disabled is true, Calico IPAM will not assign addresses
# Deprecated APIv1 field: setting it is not allowed (internal use only).
2817 description: 'Deprecated: this field is only used for APIv1 backwards
2818 compatibility. Setting this field is not allowed, this field is
2819 for internal use only.'
# The next two descriptions (enabled / mode) and the one after them both
# describe IPIP tunnelling; the key names were dropped from this excerpt, so
# which one is the legacy form cannot be told from here.
2822 description: When enabled is true, ipip tunneling will be used
2823 to deliver packets to destinations within this pool.
2826 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2827 mode of "always" will also use IPIP tunneling for routing to
2828 destination IP addresses within this pool. A mode of "cross-subnet"
2829 will only use IPIP tunneling when the destination node is on
2830 a different subnet to the originating node. The default value
2831 (if not specified) is "always".
2835 description: Contains configuration for IPIP tunneling for this pool.
2836 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
# Deprecated APIv1 field: setting it is not allowed (internal use only).
2840 description: 'Deprecated: this field is only used for APIv1 backwards
2841 compatibility. Setting this field is not allowed, this field is
2842 for internal use only.'
# natOutgoing: changes handling of packets leaving the pool (sentence truncated here).
2845 description: When natOutgoing is true, packets sent from Calico networked
2846 containers in this pool to destinations outside of this pool will
2850 description: Allows IPPool to allocate for a specific node by label
# VXLAN mode defaults to "Never" (disabled) when not specified.
2854 description: Contains configuration for VXLAN tunneling for this pool.
2855 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2856 tunneling is disabled).
2871 # Source: calico/templates/kdd-crds.yaml
# IPReservation CRD: CIDRs/IPs that Calico IPAM excludes from new allocations.
2872 apiVersion: apiextensions.k8s.io/v1
2873 kind: CustomResourceDefinition
# Generated-manifest markers: a `(devel)` controller-gen version and a null
# creationTimestamp. These annotation lines are not visible for the other
# CRDs in this excerpt; whether they were dropped or absent cannot be told here.
2876 controller-gen.kubebuilder.io/version: (devel)
2877 creationTimestamp: null
2878 name: ipreservations.crd.projectcalico.org
2880 group: crd.projectcalico.org
2883 listKind: IPReservationList
2884 plural: ipreservations
2885 singular: ipreservation
2886 preserveUnknownFields: false
2894 description: 'APIVersion defines the versioned schema of this representation
2895 of an object. Servers should convert recognized schemas to the latest
2896 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2899 description: 'Kind is a string value representing the REST resource this
2900 object represents. Servers may infer this from the endpoint the client
2901 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2906 description: IPReservationSpec contains the specification for an IPReservation
# reservedCIDRs: addresses here are never handed out by IPAM.
2910 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
2911 that Calico IPAM will exclude from new allocations.
2926 # Source: calico/templates/kdd-crds.yaml
# KubeControllersConfiguration CRD. `spec` holds the requested config and
# `status.runningConfig` the effective config after env-var overrides, so the
# status is the place to audit what kube-controllers actually runs with.
2927 apiVersion: apiextensions.k8s.io/v1
2928 kind: CustomResourceDefinition
2930 name: kubecontrollersconfigurations.crd.projectcalico.org
2932 group: crd.projectcalico.org
2934 kind: KubeControllersConfiguration
2935 listKind: KubeControllersConfigurationList
2936 plural: kubecontrollersconfigurations
2937 singular: kubecontrollersconfiguration
2938 preserveUnknownFields: false
2946 description: 'APIVersion defines the versioned schema of this representation
2947 of an object. Servers should convert recognized schemas to the latest
2948 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2951 description: 'Kind is a string value representing the REST resource this
2952 object represents. Servers may infer this from the endpoint the client
2953 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2958 description: KubeControllersConfigurationSpec contains the values of the
2959 Kubernetes controllers configuration.
# controllers: each sub-controller below is enabled by default and disabled by
# setting it to nil (hostEndpoint is the exception: disabled by default).
2962 description: Controllers enables and configures individual Kubernetes
2966 description: Namespace enables and configures the namespace controller.
2967 Enabled by default, set to nil to disable.
2970 description: 'ReconcilerPeriod is the period to perform reconciliation
2971 with the Calico datastore. [Default: 5m]'
2975 description: Node enables and configures the node controller.
2976 Enabled by default, set to nil to disable.
2979 description: HostEndpoint controls syncing nodes to host endpoints.
2980 Disabled by default, set to nil to disable.
2983 description: 'AutoCreate enables automatic creation of
2984 host endpoints for every node. [Default: Disabled]'
# leakGracePeriod: 0 turns IP garbage collection off entirely.
2988 description: 'LeakGracePeriod is the period used by the controller
2989 to determine if an IP address has been leaked. Set to 0
2990 to disable IP garbage collection. [Default: 15m]'
2993 description: 'ReconcilerPeriod is the period to perform reconciliation
2994 with the Calico datastore. [Default: 5m]'
2997 description: 'SyncLabels controls whether to copy Kubernetes
2998 node labels to Calico nodes. [Default: Enabled]'
3002 description: Policy enables and configures the policy controller.
3003 Enabled by default, set to nil to disable.
3006 description: 'ReconcilerPeriod is the period to perform reconciliation
3007 with the Calico datastore. [Default: 5m]'
3011 description: ServiceAccount enables and configures the service
3012 account controller. Enabled by default, set to nil to disable.
3015 description: 'ReconcilerPeriod is the period to perform reconciliation
3016 with the Calico datastore. [Default: 5m]'
3020 description: WorkloadEndpoint enables and configures the workload
3021 endpoint controller. Enabled by default, set to nil to disable.
3024 description: 'ReconcilerPeriod is the period to perform reconciliation
3025 with the Calico datastore. [Default: 5m]'
# debugProfilePort: the profiling listener is off unless this is set; treat
# enabling it as a deliberate, reviewed change rather than a default.
3030 description: DebugProfilePort configures the port to serve memory
3031 and cpu profiles on. If not specified, profiling is disabled.
3034 etcdV3CompactionPeriod:
3035 description: 'EtcdV3CompactionPeriod is the period between etcdv3
3036 compaction requests. Set to 0 to disable. [Default: 10m]'
3039 description: 'HealthChecks enables or disables support for health
3040 checks [Default: Enabled]'
3043 description: 'LogSeverityScreen is the log severity above which logs
3044 are sent to the stdout. [Default: Info]'
# prometheusMetricsPort: metrics listener on TCP 9094 by default; 0 disables it.
3046 prometheusMetricsPort:
3047 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
3048 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
# status: environmentVars records which env vars influenced runningConfig;
# runningConfig mirrors the spec schema with the effective values.
3054 description: KubeControllersConfigurationStatus represents the status
3055 of the configuration. It's useful for admins to be able to see the actual
3056 config that was applied, which can be modified by environment variables
3057 on the kube-controllers process.
3060 additionalProperties:
3062 description: EnvironmentVars contains the environment variables on
3063 the kube-controllers that influenced the RunningConfig.
3066 description: RunningConfig contains the effective config that is running
3067 in the kube-controllers pod, after merging the API resource with
3068 any environment variables.
3071 description: Controllers enables and configures individual Kubernetes
3075 description: Namespace enables and configures the namespace
3076 controller. Enabled by default, set to nil to disable.
3079 description: 'ReconcilerPeriod is the period to perform
3080 reconciliation with the Calico datastore. [Default:
3085 description: Node enables and configures the node controller.
3086 Enabled by default, set to nil to disable.
3089 description: HostEndpoint controls syncing nodes to host
3090 endpoints. Disabled by default, set to nil to disable.
3093 description: 'AutoCreate enables automatic creation
3094 of host endpoints for every node. [Default: Disabled]'
3098 description: 'LeakGracePeriod is the period used by the
3099 controller to determine if an IP address has been leaked.
3100 Set to 0 to disable IP garbage collection. [Default:
3104 description: 'ReconcilerPeriod is the period to perform
3105 reconciliation with the Calico datastore. [Default:
3109 description: 'SyncLabels controls whether to copy Kubernetes
3110 node labels to Calico nodes. [Default: Enabled]'
3114 description: Policy enables and configures the policy controller.
3115 Enabled by default, set to nil to disable.
3118 description: 'ReconcilerPeriod is the period to perform
3119 reconciliation with the Calico datastore. [Default:
3124 description: ServiceAccount enables and configures the service
3125 account controller. Enabled by default, set to nil to disable.
3128 description: 'ReconcilerPeriod is the period to perform
3129 reconciliation with the Calico datastore. [Default:
3134 description: WorkloadEndpoint enables and configures the workload
3135 endpoint controller. Enabled by default, set to nil to disable.
3138 description: 'ReconcilerPeriod is the period to perform
3139 reconciliation with the Calico datastore. [Default:
3145 description: DebugProfilePort configures the port to serve memory
3146 and cpu profiles on. If not specified, profiling is disabled.
3149 etcdV3CompactionPeriod:
3150 description: 'EtcdV3CompactionPeriod is the period between etcdv3
3151 compaction requests. Set to 0 to disable. [Default: 10m]'
3154 description: 'HealthChecks enables or disables support for health
3155 checks [Default: Enabled]'
3158 description: 'LogSeverityScreen is the log severity above which
3159 logs are sent to the stdout. [Default: Info]'
3161 prometheusMetricsPort:
3162 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
3163 metrics server should bind to. Set to 0 to disable. [Default:
3180 # Source: calico/templates/kdd-crds.yaml
3181 apiVersion: apiextensions.k8s.io/v1
3182 kind: CustomResourceDefinition
3184 name: networkpolicies.crd.projectcalico.org
3186 group: crd.projectcalico.org
3189 listKind: NetworkPolicyList
3190 plural: networkpolicies
3191 singular: networkpolicy
3192 preserveUnknownFields: false
3200 description: 'APIVersion defines the versioned schema of this representation
3201 of an object. Servers should convert recognized schemas to the latest
3202 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3205 description: 'Kind is a string value representing the REST resource this
3206 object represents. Servers may infer this from the endpoint the client
3207 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3214 description: The ordered set of egress rules. Each rule contains
3215 a set of packet match criteria and a corresponding action to apply.
3217 description: "A Rule encapsulates a set of match criteria and an
3218 action. Both selector-based security Policy and security Profiles
3219 reference rules - separated out as a list of rules for both ingress
3220 and egress packet matching. \n Each positive match criteria has
3221 a negated version, prefixed with \"Not\". All the match criteria
3222 within a rule must be satisfied for a packet to match. A single
3223 rule can contain the positive and negative version of a match
3224 and both must be satisfied for the rule to match."
3229 description: Destination contains the match criteria that apply
3230 to destination entity.
3233 description: "NamespaceSelector is an optional field that
3234 contains a selector expression. Only traffic that originates
3235 from (or terminates at) endpoints within the selected
3236 namespaces will be matched. When both NamespaceSelector
3237 and another selector are defined on the same rule, then
3238 only workload endpoints that are matched by both selectors
3239 will be selected by the rule. \n For NetworkPolicy, an
3240 empty NamespaceSelector implies that the Selector is limited
3241 to selecting only workload endpoints in the same namespace
3242 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3243 NamespaceSelector implies that the Selector is limited
3244 to selecting only GlobalNetworkSet or HostEndpoint. \n
3245 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3246 the Selector applies to workload endpoints across all
3250 description: Nets is an optional field that restricts the
3251 rule to only apply to traffic that originates from (or
3252 terminates at) IP addresses in any of the given subnets.
3257 description: NotNets is the negated version of the Nets
3263 description: NotPorts is the negated version of the Ports
3264 field. Since only some protocols have ports, if any ports
3265 are specified it requires the Protocol match in the Rule
3266 to be set to "TCP" or "UDP".
3272 x-kubernetes-int-or-string: true
3275 description: NotSelector is the negated version of the Selector
3276 field. See Selector field for subtleties with negated
3280 description: "Ports is an optional field that restricts
3281 the rule to only apply to traffic that has a source (destination)
3282 port that matches one of these ranges/values. This value
3283 is a list of integers or strings that represent ranges
3284 of ports. \n Since only some protocols have ports, if
3285 any ports are specified it requires the Protocol match
3286 in the Rule to be set to \"TCP\" or \"UDP\"."
3292 x-kubernetes-int-or-string: true
3295 description: "Selector is an optional field that contains
3296 a selector expression (see Policy for sample syntax).
3297 \ Only traffic that originates from (terminates at) endpoints
3298 matching the selector will be matched. \n Note that: in
3299 addition to the negated version of the Selector (see NotSelector
3300 below), the selector expression syntax itself supports
3301 negation. The two types of negation are subtly different.
3302 One negates the set of matched endpoints, the other negates
3303 the whole match: \n \tSelector = \"!has(my_label)\" matches
3304 packets that are from other Calico-controlled \tendpoints
3305 that do not have the label \"my_label\". \n \tNotSelector
3306 = \"has(my_label)\" matches packets that are not from
3307 Calico-controlled \tendpoints that do have the label \"my_label\".
3308 \n The effect is that the latter will accept packets from
3309 non-Calico sources whereas the former is limited to packets
3310 from Calico-controlled endpoints."
3313 description: ServiceAccounts is an optional field that restricts
3314 the rule to only apply to traffic that originates from
3315 (or terminates at) a pod running as a matching service
3319 description: Names is an optional field that restricts
3320 the rule to only apply to traffic that originates
3321 from (or terminates at) a pod running as a service
3322 account whose name is in the list.
3327 description: Selector is an optional field that restricts
3328 the rule to only apply to traffic that originates
3329 from (or terminates at) a pod running as a service
3330 account that matches the given label selector. If
3331 both Names and Selector are specified then they are
3336 description: "Services is an optional field that contains
3337 options for matching Kubernetes Services. If specified,
3338 only traffic that originates from or terminates at endpoints
3339 within the selected service(s) will be matched, and only
3340 to/from each endpoint's port. \n Services cannot be specified
3341 on the same rule as Selector, NotSelector, NamespaceSelector,
3342 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3343 can only be specified with Services on ingress rules."
3346 description: Name specifies the name of a Kubernetes
3350 description: Namespace specifies the namespace of the
3351 given Service. If left empty, the rule will match
3352 within this policy's namespace.
3357 description: HTTP contains match criteria that apply to HTTP
3361 description: Methods is an optional field that restricts
3362 the rule to apply only to HTTP requests that use one of
3363 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3364 methods are OR'd together.
3369 description: 'Paths is an optional field that restricts
3370 the rule to apply to HTTP requests that use one of the
3371 listed HTTP Paths. Multiple paths are OR''d together.
3372 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3373 ONLY specify either an `exact` or a `prefix` match. The
3374 validator will check for it.'
3376 description: 'HTTPPath specifies an HTTP path to match.
3377 It may be either of the form: exact: <path>: which matches
3378 the path exactly or prefix: <path-prefix>: which matches
3389 description: ICMP is an optional field that restricts the rule
3390 to apply to a specific type and code of ICMP traffic. This
3391 should only be specified if the Protocol field is set to "ICMP"
3395 description: Match on a specific ICMP code. If specified,
3396 the Type value must also be specified. This is a technical
3397 limitation imposed by the kernel's iptables firewall,
3398 which Calico uses to enforce the rule.
3401 description: Match on a specific ICMP type. For example
3402 a value of 8 refers to ICMP Echo Request (i.e. pings).
3406 description: IPVersion is an optional field that restricts the
3407 rule to only match a specific IP version.
3410 description: Metadata contains additional information for this
3414 additionalProperties:
3416 description: Annotations is a set of key value pairs that
3417 give extra information about the rule
3421 description: NotICMP is the negated version of the ICMP field.
3424 description: Match on a specific ICMP code. If specified,
3425 the Type value must also be specified. This is a technical
3426 limitation imposed by the kernel's iptables firewall,
3427 which Calico uses to enforce the rule.
3430 description: Match on a specific ICMP type. For example
3431 a value of 8 refers to ICMP Echo Request (i.e. pings).
3438 description: NotProtocol is the negated version of the Protocol
3441 x-kubernetes-int-or-string: true
3446 description: "Protocol is an optional field that restricts the
3447 rule to only apply to traffic of a specific IP protocol. Required
3448 if any of the EntityRules contain Ports (because ports only
3449 apply to certain protocols). \n Must be one of these string
3450 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3451 \"UDPLite\" or an integer in the range 1-255."
3453 x-kubernetes-int-or-string: true
3455 description: Source contains the match criteria that apply to
3459 description: "NamespaceSelector is an optional field that
3460 contains a selector expression. Only traffic that originates
3461 from (or terminates at) endpoints within the selected
3462 namespaces will be matched. When both NamespaceSelector
3463 and another selector are defined on the same rule, then
3464 only workload endpoints that are matched by both selectors
3465 will be selected by the rule. \n For NetworkPolicy, an
3466 empty NamespaceSelector implies that the Selector is limited
3467 to selecting only workload endpoints in the same namespace
3468 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3469 NamespaceSelector implies that the Selector is limited
3470 to selecting only GlobalNetworkSet or HostEndpoint. \n
3471 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3472 the Selector applies to workload endpoints across all
3476 description: Nets is an optional field that restricts the
3477 rule to only apply to traffic that originates from (or
3478 terminates at) IP addresses in any of the given subnets.
3483 description: NotNets is the negated version of the Nets
3489 description: NotPorts is the negated version of the Ports
3490 field. Since only some protocols have ports, if any ports
3491 are specified it requires the Protocol match in the Rule
3492 to be set to "TCP" or "UDP".
3498 x-kubernetes-int-or-string: true
3501 description: NotSelector is the negated version of the Selector
3502 field. See Selector field for subtleties with negated
3506 description: "Ports is an optional field that restricts
3507 the rule to only apply to traffic that has a source (destination)
3508 port that matches one of these ranges/values. This value
3509 is a list of integers or strings that represent ranges
3510 of ports. \n Since only some protocols have ports, if
3511 any ports are specified it requires the Protocol match
3512 in the Rule to be set to \"TCP\" or \"UDP\"."
3518 x-kubernetes-int-or-string: true
3521 description: "Selector is an optional field that contains
3522 a selector expression (see Policy for sample syntax).
3523 \ Only traffic that originates from (terminates at) endpoints
3524 matching the selector will be matched. \n Note that: in
3525 addition to the negated version of the Selector (see NotSelector
3526 below), the selector expression syntax itself supports
3527 negation. The two types of negation are subtly different.
3528 One negates the set of matched endpoints, the other negates
3529 the whole match: \n \tSelector = \"!has(my_label)\" matches
3530 packets that are from other Calico-controlled \tendpoints
3531 that do not have the label \"my_label\". \n \tNotSelector
3532 = \"has(my_label)\" matches packets that are not from
3533 Calico-controlled \tendpoints that do have the label \"my_label\".
3534 \n The effect is that the latter will accept packets from
3535 non-Calico sources whereas the former is limited to packets
3536 from Calico-controlled endpoints."
3539 description: ServiceAccounts is an optional field that restricts
3540 the rule to only apply to traffic that originates from
3541 (or terminates at) a pod running as a matching service
3545 description: Names is an optional field that restricts
3546 the rule to only apply to traffic that originates
3547 from (or terminates at) a pod running as a service
3548 account whose name is in the list.
3553 description: Selector is an optional field that restricts
3554 the rule to only apply to traffic that originates
3555 from (or terminates at) a pod running as a service
3556 account that matches the given label selector. If
3557 both Names and Selector are specified then they are
3562 description: "Services is an optional field that contains
3563 options for matching Kubernetes Services. If specified,
3564 only traffic that originates from or terminates at endpoints
3565 within the selected service(s) will be matched, and only
3566 to/from each endpoint's port. \n Services cannot be specified
3567 on the same rule as Selector, NotSelector, NamespaceSelector,
3568 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3569 can only be specified with Services on ingress rules."
3572 description: Name specifies the name of a Kubernetes
3576 description: Namespace specifies the namespace of the
3577 given Service. If left empty, the rule will match
3578 within this policy's namespace.
3587 description: The ordered set of ingress rules. Each rule contains
3588 a set of packet match criteria and a corresponding action to apply.
3590 description: "A Rule encapsulates a set of match criteria and an
3591 action. Both selector-based security Policy and security Profiles
3592 reference rules - separated out as a list of rules for both ingress
3593 and egress packet matching. \n Each positive match criteria has
3594 a negated version, prefixed with \"Not\". All the match criteria
3595 within a rule must be satisfied for a packet to match. A single
3596 rule can contain the positive and negative version of a match
3597 and both must be satisfied for the rule to match."
3602 description: Destination contains the match criteria that apply
3603 to destination entity.
3606 description: "NamespaceSelector is an optional field that
3607 contains a selector expression. Only traffic that originates
3608 from (or terminates at) endpoints within the selected
3609 namespaces will be matched. When both NamespaceSelector
3610 and another selector are defined on the same rule, then
3611 only workload endpoints that are matched by both selectors
3612 will be selected by the rule. \n For NetworkPolicy, an
3613 empty NamespaceSelector implies that the Selector is limited
3614 to selecting only workload endpoints in the same namespace
3615 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3616 NamespaceSelector implies that the Selector is limited
3617 to selecting only GlobalNetworkSet or HostEndpoint. \n
3618 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3619 the Selector applies to workload endpoints across all
3623 description: Nets is an optional field that restricts the
3624 rule to only apply to traffic that originates from (or
3625 terminates at) IP addresses in any of the given subnets.
3630 description: NotNets is the negated version of the Nets
3636 description: NotPorts is the negated version of the Ports
3637 field. Since only some protocols have ports, if any ports
3638 are specified it requires the Protocol match in the Rule
3639 to be set to "TCP" or "UDP".
3645 x-kubernetes-int-or-string: true
3648 description: NotSelector is the negated version of the Selector
3649 field. See Selector field for subtleties with negated
3653 description: "Ports is an optional field that restricts
3654 the rule to only apply to traffic that has a source (destination)
3655 port that matches one of these ranges/values. This value
3656 is a list of integers or strings that represent ranges
3657 of ports. \n Since only some protocols have ports, if
3658 any ports are specified it requires the Protocol match
3659 in the Rule to be set to \"TCP\" or \"UDP\"."
3665 x-kubernetes-int-or-string: true
3668 description: "Selector is an optional field that contains
3669 a selector expression (see Policy for sample syntax).
3670 \ Only traffic that originates from (terminates at) endpoints
3671 matching the selector will be matched. \n Note that: in
3672 addition to the negated version of the Selector (see NotSelector
3673 below), the selector expression syntax itself supports
3674 negation. The two types of negation are subtly different.
3675 One negates the set of matched endpoints, the other negates
3676 the whole match: \n \tSelector = \"!has(my_label)\" matches
3677 packets that are from other Calico-controlled \tendpoints
3678 that do not have the label \"my_label\". \n \tNotSelector
3679 = \"has(my_label)\" matches packets that are not from
3680 Calico-controlled \tendpoints that do have the label \"my_label\".
3681 \n The effect is that the latter will accept packets from
3682 non-Calico sources whereas the former is limited to packets
3683 from Calico-controlled endpoints."
3686 description: ServiceAccounts is an optional field that restricts
3687 the rule to only apply to traffic that originates from
3688 (or terminates at) a pod running as a matching service
3692 description: Names is an optional field that restricts
3693 the rule to only apply to traffic that originates
3694 from (or terminates at) a pod running as a service
3695 account whose name is in the list.
3700 description: Selector is an optional field that restricts
3701 the rule to only apply to traffic that originates
3702 from (or terminates at) a pod running as a service
3703 account that matches the given label selector. If
3704 both Names and Selector are specified then they are
3709 description: "Services is an optional field that contains
3710 options for matching Kubernetes Services. If specified,
3711 only traffic that originates from or terminates at endpoints
3712 within the selected service(s) will be matched, and only
3713 to/from each endpoint's port. \n Services cannot be specified
3714 on the same rule as Selector, NotSelector, NamespaceSelector,
3715 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3716 can only be specified with Services on ingress rules."
3719 description: Name specifies the name of a Kubernetes
3723 description: Namespace specifies the namespace of the
3724 given Service. If left empty, the rule will match
3725 within this policy's namespace.
3730 description: HTTP contains match criteria that apply to HTTP
3734 description: Methods is an optional field that restricts
3735 the rule to apply only to HTTP requests that use one of
3736 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3737 methods are OR'd together.
3742 description: 'Paths is an optional field that restricts
3743 the rule to apply to HTTP requests that use one of the
3744 listed HTTP Paths. Multiple paths are OR''d together.
3745 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3746 ONLY specify either an `exact` or a `prefix` match. The
3747 validator will check for it.'
3749 description: 'HTTPPath specifies an HTTP path to match.
3750 It may be either of the form: exact: <path>: which matches
3751 the path exactly or prefix: <path-prefix>: which matches
3762 description: ICMP is an optional field that restricts the rule
3763 to apply to a specific type and code of ICMP traffic. This
3764 should only be specified if the Protocol field is set to "ICMP"
3768 description: Match on a specific ICMP code. If specified,
3769 the Type value must also be specified. This is a technical
3770 limitation imposed by the kernel's iptables firewall,
3771 which Calico uses to enforce the rule.
3774 description: Match on a specific ICMP type. For example
3775 a value of 8 refers to ICMP Echo Request (i.e. pings).
3779 description: IPVersion is an optional field that restricts the
3780 rule to only match a specific IP version.
3783 description: Metadata contains additional information for this
3787 additionalProperties:
3789 description: Annotations is a set of key value pairs that
3790 give extra information about the rule
3794 description: NotICMP is the negated version of the ICMP field.
3797 description: Match on a specific ICMP code. If specified,
3798 the Type value must also be specified. This is a technical
3799 limitation imposed by the kernel's iptables firewall,
3800 which Calico uses to enforce the rule.
3803 description: Match on a specific ICMP type. For example
3804 a value of 8 refers to ICMP Echo Request (i.e. pings).
3811 description: NotProtocol is the negated version of the Protocol
3814 x-kubernetes-int-or-string: true
3819 description: "Protocol is an optional field that restricts the
3820 rule to only apply to traffic of a specific IP protocol. Required
3821 if any of the EntityRules contain Ports (because ports only
3822 apply to certain protocols). \n Must be one of these string
3823 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3824 \"UDPLite\" or an integer in the range 1-255."
3826 x-kubernetes-int-or-string: true
3828 description: Source contains the match criteria that apply to
3832 description: "NamespaceSelector is an optional field that
3833 contains a selector expression. Only traffic that originates
3834 from (or terminates at) endpoints within the selected
3835 namespaces will be matched. When both NamespaceSelector
3836 and another selector are defined on the same rule, then
3837 only workload endpoints that are matched by both selectors
3838 will be selected by the rule. \n For NetworkPolicy, an
3839 empty NamespaceSelector implies that the Selector is limited
3840 to selecting only workload endpoints in the same namespace
3841 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3842 NamespaceSelector implies that the Selector is limited
3843 to selecting only GlobalNetworkSet or HostEndpoint. \n
3844 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3845 the Selector applies to workload endpoints across all
3849 description: Nets is an optional field that restricts the
3850 rule to only apply to traffic that originates from (or
3851 terminates at) IP addresses in any of the given subnets.
3856 description: NotNets is the negated version of the Nets
3862 description: NotPorts is the negated version of the Ports
3863 field. Since only some protocols have ports, if any ports
3864 are specified it requires the Protocol match in the Rule
3865 to be set to "TCP" or "UDP".
3871 x-kubernetes-int-or-string: true
3874 description: NotSelector is the negated version of the Selector
3875 field. See Selector field for subtleties with negated
3879 description: "Ports is an optional field that restricts
3880 the rule to only apply to traffic that has a source (destination)
3881 port that matches one of these ranges/values. This value
3882 is a list of integers or strings that represent ranges
3883 of ports. \n Since only some protocols have ports, if
3884 any ports are specified it requires the Protocol match
3885 in the Rule to be set to \"TCP\" or \"UDP\"."
3891 x-kubernetes-int-or-string: true
3894 description: "Selector is an optional field that contains
3895 a selector expression (see Policy for sample syntax).
3896 \ Only traffic that originates from (terminates at) endpoints
3897 matching the selector will be matched. \n Note that: in
3898 addition to the negated version of the Selector (see NotSelector
3899 below), the selector expression syntax itself supports
3900 negation. The two types of negation are subtly different.
3901 One negates the set of matched endpoints, the other negates
3902 the whole match: \n \tSelector = \"!has(my_label)\" matches
3903 packets that are from other Calico-controlled \tendpoints
3904 that do not have the label \"my_label\". \n \tNotSelector
3905 = \"has(my_label)\" matches packets that are not from
3906 Calico-controlled \tendpoints that do have the label \"my_label\".
3907 \n The effect is that the latter will accept packets from
3908 non-Calico sources whereas the former is limited to packets
3909 from Calico-controlled endpoints."
3912 description: ServiceAccounts is an optional field that restricts
3913 the rule to only apply to traffic that originates from
3914 (or terminates at) a pod running as a matching service
3918 description: Names is an optional field that restricts
3919 the rule to only apply to traffic that originates
3920 from (or terminates at) a pod running as a service
3921 account whose name is in the list.
3926 description: Selector is an optional field that restricts
3927 the rule to only apply to traffic that originates
3928 from (or terminates at) a pod running as a service
3929 account that matches the given label selector. If
3930 both Names and Selector are specified then they are
3935 description: "Services is an optional field that contains
3936 options for matching Kubernetes Services. If specified,
3937 only traffic that originates from or terminates at endpoints
3938 within the selected service(s) will be matched, and only
3939 to/from each endpoint's port. \n Services cannot be specified
3940 on the same rule as Selector, NotSelector, NamespaceSelector,
3941 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3942 can only be specified with Services on ingress rules."
3945 description: Name specifies the name of a Kubernetes
3949 description: Namespace specifies the namespace of the
3950 given Service. If left empty, the rule will match
3951 within this policy's namespace.
3960 description: Order is an optional field that specifies the order in
3961 which the policy is applied. Policies with higher "order" are applied
3962 after those with lower order. If the order is omitted, it may be
3963 considered to be "infinite" - i.e. the policy will be applied last. Policies
3964 with identical order will be applied in alphanumerical order based
3965 on the Policy "Name".
3968 description: "The selector is an expression used to pick out
3969 the endpoints that the policy should be applied to. \n Selector
3970 expressions follow this syntax: \n \tlabel == \"string_literal\"
3971 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3972 \ -> not equal; also matches if label is not present \tlabel in
3973 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3974 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3975 ... } -> true if the value of label X is not one of \"a\", \"b\",
3976 \"c\" \thas(label_name) -> True if that label is present \t! expr
3977 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3978 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3979 or the empty selector -> matches all endpoints. \n Label names are
3980 allowed to contain alphanumerics, -, _ and /. String literals are
3981 more permissive but they do not support escape characters. \n Examples
3982 (with made-up labels): \n \ttype == \"webserver\" && deployment
3983 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3984 \"dev\" \t! has(label_name)"
3986 serviceAccountSelector:
3987 description: ServiceAccountSelector is an optional field for an expression
3988 used to select a pod based on service accounts.
3991 description: "Types indicates whether this policy applies to ingress,
3992 or to egress, or to both. When not explicitly specified (and so
3993 the value on creation is empty or nil), Calico defaults Types according
3994 to what Ingress and Egress are present in the policy. The default
3995 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3996 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3997 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3998 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3999 \n When the policy is read back again, Types will always be one
4000 of these values, never empty or nil."
4002 description: PolicyType enumerates the possible values of the PolicySpec
4017 # Source: calico/templates/kdd-crds.yaml
4018 apiVersion: apiextensions.k8s.io/v1
4019 kind: CustomResourceDefinition
4021 name: networksets.crd.projectcalico.org
4023 group: crd.projectcalico.org
4026 listKind: NetworkSetList
4028 singular: networkset
4029 preserveUnknownFields: false
4035 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
4038 description: 'APIVersion defines the versioned schema of this representation
4039 of an object. Servers should convert recognized schemas to the latest
4040 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4043 description: 'Kind is a string value representing the REST resource this
4044 object represents. Servers may infer this from the endpoint the client
4045 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4050 description: NetworkSetSpec contains the specification for a NetworkSet
4054 description: The list of IP networks that belong to this set.
4069 # Source: calico/templates/calico-kube-controllers-rbac.yaml
4070 # Include a clusterrole for the kube-controllers component,
4071 # and bind it to the calico-kube-controllers serviceaccount.
4073 apiVersion: rbac.authorization.k8s.io/v1
4075 name: calico-kube-controllers
4077 # Nodes are watched to monitor for deletions.
4085 # Pods are watched to check for existence as part of IPAM controller.
4093 # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
4094 - apiGroups: ["crd.projectcalico.org"]
4099 - apiGroups: ["crd.projectcalico.org"]
4111 # Pools are watched to maintain a mapping of blocks to IP pools.
4112 - apiGroups: ["crd.projectcalico.org"]
4118 # kube-controllers manages hostendpoints.
4119 - apiGroups: ["crd.projectcalico.org"]
4128 # Needs access to update clusterinformations.
4129 - apiGroups: ["crd.projectcalico.org"]
4131 - clusterinformations
4138 # KubeControllersConfiguration is where it gets its config
4139 - apiGroups: ["crd.projectcalico.org"]
4141 - kubecontrollersconfigurations
4143 # read its own config
4145 # create a default if none exists
4152 # Source: calico/templates/calico-node-rbac.yaml
4153 # Include a clusterrole for the calico-node DaemonSet,
4154 # and bind it to the calico-node serviceaccount.
4156 apiVersion: rbac.authorization.k8s.io/v1
4160 # Used for creating service account tokens to be used by the CNI plugin
4163 - serviceaccounts/token
4168 # The CNI plugin needs to get pods, nodes, and namespaces.
4176 # EndpointSlices are used for Service-based network policy rule
4178 - apiGroups: ["discovery.k8s.io"]
4189 # Used to discover service IPs for advertisement.
4192 # Used to discover Typhas.
4194 # Pod CIDR auto-detection on kubeadm needs access to config maps.
4204 # Needed for clearing NodeNetworkUnavailable flag.
4206 # Calico stores some configuration information in node annotations.
4208 # Watch for changes to Kubernetes NetworkPolicies.
4209 - apiGroups: ["networking.k8s.io"]
4215 # Used by Calico for policy information.
4224 # The CNI plugin patches pods/status.
4230 # Calico monitors various CRDs for config.
4231 - apiGroups: ["crd.projectcalico.org"]
4233 - globalfelixconfigs
4234 - felixconfigurations
4241 - globalnetworkpolicies
4245 - clusterinformations
4248 - caliconodestatuses
4253 # Calico must create and update some CRDs on startup.
4254 - apiGroups: ["crd.projectcalico.org"]
4257 - felixconfigurations
4258 - clusterinformations
4262 # Calico must update some CRDs.
4263 - apiGroups: [ "crd.projectcalico.org" ]
4265 - caliconodestatuses
4268 # Calico stores some configuration information on the node.
4276 # These permissions are only required for upgrade from v2.6, and can
4277 # be removed after upgrade or on fresh installations.
4278 - apiGroups: ["crd.projectcalico.org"]
4285 # These permissions are required for Calico CNI to perform IPAM allocations.
4286 - apiGroups: ["crd.projectcalico.org"]
4297 # The CNI plugin and calico/node need to be able to create a default
4299 - apiGroups: ["crd.projectcalico.org"]
4305 # Block affinities must also be watchable by confd for route aggregation.
4306 - apiGroups: ["crd.projectcalico.org"]
4311 # The Calico IPAM migration needs to get daemonsets. These permissions can be
4312 # removed if not upgrading from an installation using host-local IPAM.
4313 - apiGroups: ["apps"]
4319 # Source: calico/templates/calico-kube-controllers-rbac.yaml
4320 kind: ClusterRoleBinding
4321 apiVersion: rbac.authorization.k8s.io/v1
4323 name: calico-kube-controllers
4325 apiGroup: rbac.authorization.k8s.io
4327 name: calico-kube-controllers
4329 - kind: ServiceAccount
4330 name: calico-kube-controllers
4331 namespace: kube-system
4333 # Source: calico/templates/calico-node-rbac.yaml
4334 apiVersion: rbac.authorization.k8s.io/v1
4335 kind: ClusterRoleBinding
4339 apiGroup: rbac.authorization.k8s.io
4343 - kind: ServiceAccount
4345 namespace: kube-system
4347 # Source: calico/templates/calico-node.yaml
4348 # This manifest installs the calico-node container, as well
4349 # as the CNI plugins and network config on
4350 # each master and worker node in a Kubernetes cluster. The images below are referenced by mutable tag with
4350 # imagePullPolicy IfNotPresent; pin by digest (image@sha256:...) if a re-tagged image or a stale cached copy on a node must not change what runs.
4355 namespace: kube-system
4357 k8s-app: calico-node
4361 k8s-app: calico-node
4369 k8s-app: calico-node
4372 kubernetes.io/os: linux
4375 # Make sure calico-node gets scheduled on all nodes.
4376 - effect: NoSchedule
4378 # Mark the pod as a critical add-on for rescheduling.
4379 - key: CriticalAddonsOnly
4383 serviceAccountName: calico-node
4384 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
4385 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
4386 terminationGracePeriodSeconds: 0
4387 priorityClassName: system-node-critical
4389 # This container performs upgrade from host-local IPAM to calico-ipam.
4390 # It can be deleted if this is a fresh installation, or if you have already
4391 # upgraded to use calico-ipam.
4392 - name: upgrade-ipam
4393 image: docker.io/calico/cni:v3.24.3
4394 imagePullPolicy: IfNotPresent
4395 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
4398 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4399 name: kubernetes-services-endpoint
4402 - name: KUBERNETES_NODE_NAME
4405 fieldPath: spec.nodeName
4406 - name: CALICO_NETWORKING_BACKEND
4412 - mountPath: /var/lib/cni/networks
4413 name: host-local-net-dir
4414 - mountPath: /host/opt/cni/bin
4418 # This container installs the CNI binaries
4419 # and CNI network config file on each node.
4421 image: docker.io/calico/cni:v3.24.3
4422 imagePullPolicy: IfNotPresent
4423 command: ["/opt/cni/bin/install"]
4426 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4427 name: kubernetes-services-endpoint
4430 # Name of the CNI config file to create.
4431 - name: CNI_CONF_NAME
4432 value: "10-calico.conflist"
4433 # The CNI network config to install on each node.
4434 - name: CNI_NETWORK_CONFIG
4438 key: cni_network_config
4439 # Set the hostname based on the k8s node name.
4440 - name: KUBERNETES_NODE_NAME
4443 fieldPath: spec.nodeName
4444 # CNI MTU Config variable
4450 # Prevents the container from sleeping forever.
4454 - mountPath: /host/opt/cni/bin
4456 - mountPath: /host/etc/cni/net.d
4460 # This init container mounts the necessary filesystems needed by the BPF data plane
4461 # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
4462 # in best-effort fashion, i.e. errors do not fail the init container, so pod creation is not disrupted in iptables mode.
4463 - name: "mount-bpffs"
4464 image: docker.io/calico/node:v3.24.3
4465 imagePullPolicy: IfNotPresent
4466 command: ["calico-node", "-init", "-best-effort"]
4468 - mountPath: /sys/fs
4470 # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
4471 # so that it outlives the init container. Kubernetes only permits Bidirectional propagation in privileged containers, so this init container must run privileged, and any mount it creates is visible host-wide.
4472 mountPropagation: Bidirectional
4473 - mountPath: /var/run/calico
4474 name: var-run-calico
4475 # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
4476 # so that it outlives the init container.
4477 mountPropagation: Bidirectional
4478 # Mount the host's /proc (PID 1 is normally the host init) at /nodeproc. The mountns binary run by calico-node needs it
4479 # to mount the root cgroup2 filesystem at /run/calico/cgroup so that CTLB programs attach correctly. Note this exposes all host processes to the init container.
4480 - mountPath: /nodeproc
4486 # Runs calico-node container on each Kubernetes node. This
4487 # container programs network policy and routes on each
4490 image: docker.io/calico/node:v3.24.3
4491 imagePullPolicy: IfNotPresent
4494 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4495 name: kubernetes-services-endpoint
4498 # Use Kubernetes API as the backing datastore.
4499 - name: DATASTORE_TYPE
4501 # Wait for the datastore.
4502 - name: WAIT_FOR_DATASTORE
4504 # Set based on the k8s node name.
4508 fieldPath: spec.nodeName
4509 # Choose the backend to use.
4510 - name: CALICO_NETWORKING_BACKEND
4515 # Cluster type to identify the deployment type
4516 - name: CLUSTER_TYPE
4518 # Auto-detect the BGP IP address. can-reach=8.8.8.8 selects the interface the host's routing table would use to reach 8.8.8.8; on multi-homed nodes verify this is the intended BGP/management interface, or use interface=<regex> or kubernetes-internal-ip for a deterministic choice.
4521 - name: IP_AUTODETECTION_METHOD
4522 value: "can-reach=8.8.8.8"
4524 - name: CALICO_IPV4POOL_IPIP
4526 # Enable or Disable VXLAN on the default IP pool.
4527 - name: CALICO_IPV4POOL_VXLAN
4529 # Enable or Disable VXLAN on the default IPv6 IP pool.
4530 - name: CALICO_IPV6POOL_VXLAN
4532 # Set MTU for tunnel device used if ipip is enabled
4533 - name: FELIX_IPINIPMTU
4538 # Set MTU for the VXLAN tunnel device.
4539 - name: FELIX_VXLANMTU
4544 # Set MTU for the Wireguard tunnel device.
4545 - name: FELIX_WIREGUARDMTU
4550 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
4551 # chosen from this range. Changing this value after installation will have
4552 # no effect. This should fall within `--cluster-cidr`.
4553 # - name: CALICO_IPV4POOL_CIDR
4554 # value: "192.168.0.0/16"
4555 # Disable file logging so `kubectl logs` works.
4556 - name: CALICO_DISABLE_FILE_LOGGING
4558 # Set Felix endpoint-to-host default action to ACCEPT: workload traffic addressed to the local host itself that matches no policy is accepted instead of the Felix default DROP, so host-bound services (e.g. kubelet) are reachable from pods unless host endpoint policy restricts them.
4559 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
4561 # Disable IPv6 on Kubernetes.
4562 - name: FELIX_IPV6SUPPORT
4564 - name: FELIX_HEALTHENABLED
4584 initialDelaySeconds: 10
4596 # For maintaining CNI plugin API credentials: calico-node writes the kubeconfig used by the CNI plugin into this host directory, so treat its contents as sensitive on the node.
4597 - mountPath: /host/etc/cni/net.d
4600 - mountPath: /lib/modules
4603 - mountPath: /run/xtables.lock
4606 - mountPath: /var/run/calico
4607 name: var-run-calico
4609 - mountPath: /var/lib/calico
4610 name: var-lib-calico
4613 mountPath: /var/run/nodeagent
4614 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
4617 mountPath: /sys/fs/bpf
4619 mountPath: /var/log/calico/cni
4622 # Used by calico-node.
4626 - name: var-run-calico
4628 path: /var/run/calico
4629 - name: var-lib-calico
4631 path: /var/lib/calico
4632 - name: xtables-lock
4634 path: /run/xtables.lock
4639 type: DirectoryOrCreate
4644 # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
4648 # Used to install CNI.
4654 path: /etc/cni/net.d
4655 # Used to access CNI logs.
4658 path: /var/log/calico/cni
4659 # Mount in the directory for host-local IPAM allocations. This is
4660 # used when upgrading from host-local to calico-ipam, and can be removed
4661 # if not using the upgrade-ipam init container.
4662 - name: host-local-net-dir
4664 path: /var/lib/cni/networks
4665 # Used to create per-pod Unix Domain Sockets
4668 type: DirectoryOrCreate
4669 path: /var/run/nodeagent
4671 # Source: calico/templates/calico-kube-controllers.yaml
4672 # See https://github.com/projectcalico/kube-controllers
4676 name: calico-kube-controllers
4677 namespace: kube-system
4679 k8s-app: calico-kube-controllers
4681 # The controllers can only have a single active instance.
4685 k8s-app: calico-kube-controllers
4690 name: calico-kube-controllers
4691 namespace: kube-system
4693 k8s-app: calico-kube-controllers
4696 kubernetes.io/os: linux
4698 # Mark the pod as a critical add-on for rescheduling.
4699 - key: CriticalAddonsOnly
4701 - key: node-role.kubernetes.io/master
4703 - key: node-role.kubernetes.io/control-plane
4705 serviceAccountName: calico-kube-controllers
4706 priorityClassName: system-cluster-critical
4708 - name: calico-kube-controllers
4709 image: docker.io/calico/kube-controllers:v3.24.3
4710 imagePullPolicy: IfNotPresent
4712 # Choose which controllers to run.
4713 - name: ENABLED_CONTROLLERS
4715 - name: DATASTORE_TYPE
4720 - /usr/bin/check-status
4723 initialDelaySeconds: 10
4729 - /usr/bin/check-status