1 # yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length rule:comments rule:comments-indentation
3 # Source: calico/templates/calico-config.yaml
4 # This ConfigMap is used to configure a self-hosted Calico installation.
12 typha_service_name: "none"
13 # Configure the backend to use.
14 calico_backend: "bird"
16 # Configure the MTU to use for workload interfaces and tunnels.
17 # By default, MTU is auto-detected, and explicitly setting this field should not be required.
18 # You can override auto-detection by providing a non-zero value.
21 # The CNI network configuration to install on each node. The special
22 # values in this config will be automatically populated.
23 cni_network_config: |-
25 "name": "k8s-pod-network",
26 "cniVersion": "0.3.1",
31 "log_file_path": "/var/log/calico/cni/cni.log",
32 "datastore_type": "kubernetes",
33 "nodename": "__KUBERNETES_NODE_NAME__",
42 "kubeconfig": "__KUBECONFIG_FILEPATH__"
48 "capabilities": {"portMappings": true}
52 "capabilities": {"bandwidth": true}
58 # Source: calico/templates/kdd-crds.yaml
60 apiVersion: apiextensions.k8s.io/v1
61 kind: CustomResourceDefinition
63 name: bgpconfigurations.crd.projectcalico.org
65 group: crd.projectcalico.org
67 kind: BGPConfiguration
68 listKind: BGPConfigurationList
69 plural: bgpconfigurations
70 singular: bgpconfiguration
76 description: BGPConfiguration contains the configuration for any BGP routing.
79 description: 'APIVersion defines the versioned schema of this representation
80 of an object. Servers should convert recognized schemas to the latest
81 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
84 description: 'Kind is a string value representing the REST resource this
85 object represents. Servers may infer this from the endpoint the client
86 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
91 description: BGPConfigurationSpec contains the values of the BGP configuration.
94 description: 'ASNumber is the default AS number used by a node. [Default:
99 description: Communities is a list of BGP community values and their
100 arbitrary names for tagging routes.
102 description: Community contains standard or large community value
106 description: Name given to community value.
109 description: Value must be of format `aa:nn` or `aa:nn:mm`.
110 For standard community use `aa:nn` format, where `aa` and
111 `nn` are 16-bit numbers. For large community use `aa:nn:mm`
112 format, where `aa`, `nn` and `mm` are 32-bit numbers, and where
113 `aa` is an AS Number and `nn` and `mm` are per-AS identifiers.
114 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
119 description: ListenPort is the port where BGP protocol should listen.
125 description: 'LogSeverityScreen is the log severity above which logs
126 are sent to the stdout. [Default: INFO]'
128 nodeToNodeMeshEnabled:
129 description: 'NodeToNodeMeshEnabled sets whether full node to node
130 BGP mesh is enabled. [Default: true]'
132 prefixAdvertisements:
133 description: PrefixAdvertisements contains per-prefix advertisement
136 description: PrefixAdvertisement configures advertisement properties
137 for the specified CIDR.
140 description: CIDR for which properties should be advertised.
143 description: Communities can be a list of either community names
144 already defined in `Specs.Communities` or community values
145 of format `aa:nn` or `aa:nn:mm`. For standard community use
146 `aa:nn` format, where `aa` and `nn` are 16-bit numbers. For
147 large community use `aa:nn:mm` format, where `aa`, `nn` and
148 `mm` are 32-bit numbers, and where `aa` is an AS Number and `nn` and
149 `mm` are per-AS identifiers.
156 description: ServiceClusterIPs are the CIDR blocks from which service
157 cluster IPs are allocated. If specified, Calico will advertise these
158 blocks, as well as any cluster IPs within them.
160 description: ServiceClusterIPBlock represents a single allowed ClusterIP
168 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
169 Service External IPs. Kubernetes Service ExternalIPs will only be
170 advertised if they are within one of these blocks.
172 description: ServiceExternalIPBlock represents a single allowed
173 External IP CIDR block.
179 serviceLoadBalancerIPs:
180 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
181 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
182 IPs will only be advertised if they are within one of these blocks.
184 description: ServiceLoadBalancerIPBlock represents a single allowed
185 LoadBalancer IP CIDR block.
203 apiVersion: apiextensions.k8s.io/v1
204 kind: CustomResourceDefinition
206 name: bgppeers.crd.projectcalico.org
208 group: crd.projectcalico.org
211 listKind: BGPPeerList
221 description: 'APIVersion defines the versioned schema of this representation
222 of an object. Servers should convert recognized schemas to the latest
223 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
226 description: 'Kind is a string value representing the REST resource this
227 object represents. Servers may infer this from the endpoint the client
228 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
233 description: BGPPeerSpec contains the specification for a BGPPeer resource.
236 description: The AS Number of the peer.
240 description: Option to keep the original nexthop field when routes
241 are sent to a BGP Peer. Setting "true" configures the selected BGP
242 peer's node to use "next hop keep;" instead of the default "next hop self;"
243 in the specific branch of that node's "bird.cfg".
246 description: The node name identifying the Calico node instance that
247 is targeted by this peer. If this is not set, and no nodeSelector
248 is specified, then this BGP peer selects all nodes in the cluster.
251 description: Selector for the nodes that should have this peering. When
252 this is set, the Node field must be empty.
255 description: Optional BGP password for the peerings generated by this
259 description: Selects a key of a secret in the node pod's namespace.
262 description: The key of the secret to select from. Must be
266 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
267 TODO: Add other useful fields. apiVersion, kind, uid?'
270 description: Specify whether the Secret or its key must be
278 description: The IP address of the peer followed by an optional port
279 number to peer with. If a port number is given, the format should be `[<IPv6>]:<port>`
280 for IPv6 or `<IPv4>:<port>` for IPv4. If the optional port number is not set,
281 and this peer IP and ASNumber belong to a calico/node with ListenPort
282 set in BGPConfiguration, then we use that port to peer.
285 description: Selector for the remote nodes to peer with. When this
286 is set, the PeerIP and ASNumber fields must be empty. For each
287 peering between the local node and selected remote nodes, we configure
288 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
289 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
290 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
291 or the global default if that is not set.
294 description: Specifies whether and how to configure a source address
295 for the peerings generated by this BGPPeer resource. Default value
296 "UseNodeIP" means to configure the node IP as the source address. "None"
297 means not to configure a source address.
311 apiVersion: apiextensions.k8s.io/v1
312 kind: CustomResourceDefinition
314 name: blockaffinities.crd.projectcalico.org
316 group: crd.projectcalico.org
319 listKind: BlockAffinityList
320 plural: blockaffinities
321 singular: blockaffinity
329 description: 'APIVersion defines the versioned schema of this representation
330 of an object. Servers should convert recognized schemas to the latest
331 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
334 description: 'Kind is a string value representing the REST resource this
335 object represents. Servers may infer this from the endpoint the client
336 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
341 description: BlockAffinitySpec contains the specification for a BlockAffinity
347 description: Deleted indicates that this block affinity is being deleted.
348 This field is a string for compatibility with older releases that
349 mistakenly treat this field as a string.
372 apiVersion: apiextensions.k8s.io/v1
373 kind: CustomResourceDefinition
375 name: clusterinformations.crd.projectcalico.org
377 group: crd.projectcalico.org
379 kind: ClusterInformation
380 listKind: ClusterInformationList
381 plural: clusterinformations
382 singular: clusterinformation
388 description: ClusterInformation contains the cluster specific information.
391 description: 'APIVersion defines the versioned schema of this representation
392 of an object. Servers should convert recognized schemas to the latest
393 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
396 description: 'Kind is a string value representing the REST resource this
397 object represents. Servers may infer this from the endpoint the client
398 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
403 description: ClusterInformationSpec contains the values of describing
407 description: CalicoVersion is the version of Calico that the cluster
411 description: ClusterGUID is the GUID of the cluster
414 description: ClusterType describes the type of the cluster
417 description: DatastoreReady is used during significant datastore migrations
418 to signal to components such as Felix that it should wait before
419 accessing the datastore.
422 description: Variant declares which variant of Calico should be active.
436 apiVersion: apiextensions.k8s.io/v1
437 kind: CustomResourceDefinition
439 name: felixconfigurations.crd.projectcalico.org
441 group: crd.projectcalico.org
443 kind: FelixConfiguration
444 listKind: FelixConfigurationList
445 plural: felixconfigurations
446 singular: felixconfiguration
452 description: Felix Configuration contains the configuration for Felix.
455 description: 'APIVersion defines the versioned schema of this representation
456 of an object. Servers should convert recognized schemas to the latest
457 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
460 description: 'Kind is a string value representing the REST resource this
461 object represents. Servers may infer this from the endpoint the client
462 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
467 description: FelixConfigurationSpec contains the values of the Felix configuration.
469 allowIPIPPacketsFromWorkloads:
470 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
471 will add a rule to drop IPIP encapsulated traffic from workloads
474 allowVXLANPacketsFromWorkloads:
475 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
476 will add a rule to drop VXLAN encapsulated traffic from workloads
480 description: 'Set source-destination-check on AWS EC2 instances. Accepted
481 value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
488 bpfConnectTimeLoadBalancingEnabled:
489 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
490 controls whether Felix installs the connection-time load balancer. The
491 connect-time load balancer is required for the host to be able to
492 reach Kubernetes services and it improves the performance of pod-to-service
493 connections. The only reason to disable it is for debugging purposes. [Default:
497 description: BPFDataIfacePattern is a regular expression that controls
498 which interfaces Felix should attach BPF programs to in order to
499 catch traffic to/from the network. This needs to match the interfaces
500 that Calico workload traffic flows over as well as any interfaces
501 that handle incoming traffic to nodeports and services from outside
502 the cluster. It should not match the workload interfaces (usually
505 bpfDisableUnprivileged:
506 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
507 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
508 users cannot access Calico''s BPF maps and cannot insert their own
509 BPF programs to interfere with Calico''s. [Default: true]'
512 description: 'BPFEnabled, if enabled, Felix will use the BPF dataplane.
515 bpfExternalServiceMode:
516 description: 'BPFExternalServiceMode in BPF mode, controls how connections
517 from outside the cluster to services (node ports and cluster IPs)
518 are forwarded to remote workloads. If set to "Tunnel" then both
519 request and response traffic is tunneled to the remote node. If
520 set to "DSR", the request traffic is tunneled but the response traffic
521 is sent directly from the remote node. In "DSR" mode, the remote
522 node appears to use the IP of the ingress node; this requires a
523 permissive L2 network. [Default: Tunnel]'
525 bpfKubeProxyEndpointSlicesEnabled:
526 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
527 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
529 bpfKubeProxyIptablesCleanupEnabled:
530 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
531 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
532 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
535 bpfKubeProxyMinSyncPeriod:
536 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
537 minimum time between updates to the dataplane for Felix''s embedded
538 kube-proxy. Lower values give reduced set-up latency. Higher values
539 reduce Felix CPU usage by batching up more work. [Default: 1s]'
542 description: 'BPFLogLevel controls the log level of the BPF programs
543 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
544 logs are emitted to the BPF trace pipe, accessible with the command
545 `tc exec bpf debug`. [Default: Off].'
548 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
549 top-level iptables chains by inserting a rule at the top of the
550 chain or by appending a rule at the bottom. insert is the safe default
551 since it prevents Calico''s rules from being bypassed. If you switch
552 to append mode, be sure that the other rules in the chains signal
553 acceptance by falling through to the Calico rules, otherwise the
554 Calico policy will be bypassed. [Default: insert]'
558 debugDisableLogDropping:
560 debugMemoryProfilePath:
562 debugSimulateCalcGraphHangAfter:
564 debugSimulateDataplaneHangAfter:
566 defaultEndpointToHostAction:
567 description: 'DefaultEndpointToHostAction controls what happens to
568 traffic that goes from a workload endpoint to the host itself (after
569 the traffic hits the endpoint egress policy). By default Calico
570 blocks traffic from workload endpoints to the host itself with an
571 iptables "DROP" action. If you want to allow some or all traffic
572 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
573 RETURN if you have your own rules in the iptables "INPUT" chain;
574 Calico will insert its rules at the top of that chain, then "RETURN"
575 packets to the "INPUT" chain once it has completed processing workload
576 endpoint egress policy. Use ACCEPT to unconditionally accept packets
577 from workloads after processing workload endpoint egress policy.
581 description: This defines the route protocol added to programmed device
582 routes; by default this will be RTPROT_BOOT when left blank.
584 deviceRouteSourceAddress:
585 description: This is the source address to use on programmed device
586 routes. By default the source address is left blank, leaving the
587 kernel to choose the source address used.
589 disableConntrackInvalidCheck:
591 endpointReportingDelay:
593 endpointReportingEnabled:
596 description: ExternalNodesCIDRList is a list of CIDRs of external non-Calico nodes
597 which may source tunnel traffic and have the tunneled traffic be
598 accepted at Calico nodes.
602 failsafeInboundHostPorts:
603 description: 'FailsafeInboundHostPorts is a comma-delimited list of
604 UDP/TCP ports that Felix will allow incoming traffic to host endpoints
605 on irrespective of the security policy. This is useful to avoid
606 accidentally cutting off a host with incorrect configuration. Each
607 port should be specified as tcp:<port-number> or udp:<port-number>.
608 For back-compatibility, if the protocol is not specified, it defaults
609 to "tcp". To disable all inbound host ports, use the value none.
610 The default value allows ssh access and DHCP. [Default: tcp:22,
611 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
613 description: ProtoPort is a combination of protocol and port, both
625 failsafeOutboundHostPorts:
626 description: 'FailsafeOutboundHostPorts is a comma-delimited list
627 of UDP/TCP ports that Felix will allow outgoing traffic from host
628 endpoints to irrespective of the security policy. This is useful
629 to avoid accidentally cutting off a host with incorrect configuration.
630 Each port should be specified as tcp:<port-number> or udp:<port-number>.
631 For back-compatibility, if the protocol is not specified, it defaults
632 to "tcp". To disable all outbound host ports, use the value none.
633 The default value opens etcd''s standard ports to ensure that Felix
634 does not get cut off from etcd as well as allowing DHCP and DNS.
635 [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
638 description: ProtoPort is a combination of protocol and port, both
650 featureDetectOverride:
651 description: FeatureDetectOverride is used to override the feature
652 detection. Values are specified in a comma-separated list with no
653 spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
654 "true" or "false" will force the feature, empty or omitted values
658 description: 'GenericXDPEnabled enables Generic XDP so network cards
659 that don''t support XDP offload or driver modes can use XDP. This
660 is not recommended since it doesn''t provide better performance
661 than iptables. [Default: false]'
670 description: 'InterfaceExclude is a comma-separated list of interfaces
671 that Felix should exclude when monitoring for host endpoints. The
672 default value ensures that Felix ignores Kubernetes'' IPVS dummy
673 interface, which is used internally by kube-proxy. If you want to
674 exclude multiple interface names using a single value, the list
675 supports regular expressions. For regular expressions you must wrap
676 the value with ''/''. For example having values ''/^kube/,veth1''
677 will exclude all interfaces that begin with ''kube'' and also the
678 interface ''veth1''. [Default: kube-ipvs0]'
681 description: 'InterfacePrefix is the interface name prefix that identifies
682 workload endpoints and so distinguishes them from host endpoint
683 interfaces. Note: in environments other than bare metal, the orchestrators
684 configure this appropriately. For example our Kubernetes and Docker
685 integrations set the ''cali'' value, and our OpenStack integration
686 sets the ''tap'' value. [Default: cali]'
688 interfaceRefreshInterval:
689 description: InterfaceRefreshInterval is the period at which Felix
690 rescans local interfaces to verify their state. The rescan can be
691 disabled by setting the interval to 0.
696 description: 'IPIPMTU is the MTU to set on the tunnel device. See
697 Configuring MTU [Default: 1440]'
699 ipsetsRefreshInterval:
700 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
701 all iptables state to ensure that no other process has accidentally
702 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
706 description: IptablesBackend specifies which backend of iptables will
707 be used. The default is legacy.
709 iptablesFilterAllowAction:
711 iptablesLockFilePath:
712 description: 'IptablesLockFilePath is the location of the iptables
713 lock file. You may need to change this if the lock file is not in
714 its standard location (for example if you have mapped it into Felix''s
715 container at a different path). [Default: /run/xtables.lock]'
717 iptablesLockProbeInterval:
718 description: 'IptablesLockProbeInterval is the time that Felix will
719 wait between attempts to acquire the iptables lock if it is not
720 available. Lower values make Felix more responsive when the lock
721 is contended, but use more CPU. [Default: 50ms]'
724 description: 'IptablesLockTimeout is the time that Felix will wait
725 for the iptables lock, or 0, to disable. To use this feature, Felix
726 must share the iptables lock file with all other processes that
727 also take the lock. When running Felix inside a container, this
728 requires the /run directory of the host to be mounted into the calico/node
729 or calico/felix container. [Default: 0s disabled]'
731 iptablesMangleAllowAction:
734 description: 'IptablesMarkMask is the mask that Felix selects its
735 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
736 at least 8 bits set, none of which clash with any other mark bits
737 in use on the system. [Default: 0xff000000]'
740 iptablesNATOutgoingInterfaceFilter:
742 iptablesPostWriteCheckInterval:
743 description: 'IptablesPostWriteCheckInterval is the period after Felix
744 has done a write to the dataplane that it schedules an extra read
745 back in order to check the write was not clobbered by another process.
746 This should only occur if another application on the system doesn''t
747 respect the iptables lock. [Default: 1s]'
749 iptablesRefreshInterval:
750 description: 'IptablesRefreshInterval is the period at which Felix
751 re-checks the IP sets in the dataplane to ensure that no other process
752 has accidentally broken Calico''s rules. Set to 0 to disable IP
753 sets refresh. Note: the default for this value is lower than the
754 other refresh intervals as a workaround for a Linux kernel bug that
755 was fixed in kernel version 4.11. If you are using v4.11 or greater
756 you may want to set this to a higher value to reduce Felix CPU
757 usage. [Default: 10s]'
762 description: 'KubeNodePortRanges holds list of port ranges used for
763 service node ports. Only used if felix detects kube-proxy running
764 in ipvs mode. Felix uses these ranges to separate host and workload
765 traffic. [Default: 30000:32767].'
771 x-kubernetes-int-or-string: true
774 description: 'LogFilePath is the full path to the Felix log. Set to
775 none to disable file logging. [Default: /var/log/calico/felix.log]'
778 description: 'LogPrefix is the log prefix that Felix uses when rendering
779 LOG rules. [Default: calico-packet]'
782 description: 'LogSeverityFile is the log severity above which logs
783 are sent to the log file. [Default: Info]'
786 description: 'LogSeverityScreen is the log severity above which logs
787 are sent to the stdout. [Default: Info]'
790 description: 'LogSeveritySys is the log severity above which logs
791 are sent to the syslog. Set to None for no logging to syslog. [Default:
797 description: 'MetadataAddr is the IP address or domain name of the
798 server that can answer VM queries for cloud-init metadata. In OpenStack,
799 this corresponds to the machine running nova-api (or in Ubuntu,
800 nova-api-metadata). A value of none (case insensitive) means that
801 Felix should not set up any NAT rule for the metadata path. [Default:
805 description: 'MetadataPort is the port of the metadata server. This,
806 combined with global.MetadataAddr (if not ''None''), is used to
807 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
808 In most cases this should not need to be changed. [Default: 8775].'
811 description: MTUIfacePattern is a regular expression that controls
812 which interfaces Felix should scan in order to calculate the host's
813 MTU. This should not match workload interfaces (usually named cali...).
816 description: NATOutgoingAddress specifies an address to use when performing
817 source NAT for traffic in a natOutgoing pool that is leaving the
818 network. By default the address used is an address on the interface
819 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
825 description: NATPortRange specifies the range of ports that is used
826 for port mapping when doing outgoing NAT. When unset the default
827 behavior of the network stack is used.
829 x-kubernetes-int-or-string: true
833 description: 'OpenstackRegion is the name of the region that a particular
834 Felix belongs to. In a multi-region Calico/OpenStack deployment,
835 this must be configured somehow for each Felix (here in the datamodel,
836 or in felix.cfg or the environment on each compute node), and must
837 match the [calico] openstack_region value configured in neutron.conf
838 on each node. [Default: Empty]'
840 policySyncPathPrefix:
841 description: 'PolicySyncPathPrefix is used by Felix to communicate
842 policy changes to external services, like Application layer policy.
845 prometheusGoMetricsEnabled:
846 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
847 collection, which the Prometheus client does by default, when set
848 to false. This reduces the number of metrics reported, reducing
849 Prometheus load. [Default: true]'
851 prometheusMetricsEnabled:
852 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
853 server in Felix if set to true. [Default: false]'
855 prometheusMetricsHost:
856 description: 'PrometheusMetricsHost is the host that the Prometheus
857 metrics server should bind to. [Default: empty]'
859 prometheusMetricsPort:
860 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
861 metrics server should bind to. [Default: 9091]'
863 prometheusProcessMetricsEnabled:
864 description: 'PrometheusProcessMetricsEnabled disables process metrics
865 collection, which the Prometheus client does by default, when set
866 to false. This reduces the number of metrics reported, reducing
867 Prometheus load. [Default: true]'
869 removeExternalRoutes:
870 description: Whether or not to remove device routes that have not
871 been programmed by Felix. Disabling this will allow external applications
872 to also add device routes. This is enabled by default which means
873 we will remove externally added routes.
876 description: 'ReportingInterval is the interval at which Felix reports
877 its status into the datastore or 0 to disable. Must be non-zero
878 in OpenStack deployments. [Default: 30s]'
881 description: 'ReportingTTL is the time-to-live setting for process-wide
882 status reports. [Default: 90s]'
884 routeRefreshInterval:
885 description: 'RouteRefreshInterval is the period at which Felix re-checks
886 the routes in the dataplane to ensure that no other process has
887 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
891 description: 'RouteSource configures where Felix gets its routing
892 information. - WorkloadIPs: use workload endpoints to construct
893 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
896 description: Calico programs additional Linux route tables for various
897 purposes. RouteTableRange specifies the indices of the route tables
898 that Calico should use.
908 serviceLoopPrevention:
909 description: 'When service IP advertisement is enabled, prevent routing
910 loops to service IPs that are not in use, by dropping or rejecting
911 packets that do not get DNAT''d by kube-proxy, unless set to "Disabled",
912 in which case such routing loops continue to be allowed. [Default:
915 sidecarAccelerationEnabled:
916 description: 'SidecarAccelerationEnabled enables experimental sidecar
917 acceleration [Default: false]'
919 usageReportingEnabled:
920 description: 'UsageReportingEnabled reports anonymous Calico version
921 number and cluster size to projectcalico.org. Logs warnings returned
922 by the usage server. For example, if a significant security vulnerability
923 has been discovered in the version of Calico being used. [Default:
926 usageReportingInitialDelay:
927 description: 'UsageReportingInitialDelay controls the minimum delay
928 before Felix makes a report. [Default: 300s]'
930 usageReportingInterval:
931 description: 'UsageReportingInterval controls the interval at which
932 Felix makes reports. [Default: 86400s]'
934 useInternalDataplaneDriver:
939 description: 'VXLANMTU is the MTU to set on the tunnel device. See
940 Configuring MTU [Default: 1440]'
947 description: 'WireguardEnabled controls whether Wireguard is enabled.
950 wireguardInterfaceName:
951 description: 'WireguardInterfaceName specifies the name to use for
952 the Wireguard interface. [Default: wg.calico]'
954 wireguardListeningPort:
955 description: 'WireguardListeningPort controls the listening port used
956 by Wireguard. [Default: 51820]'
959 description: 'WireguardMTU controls the MTU on the Wireguard interface.
960 See Configuring MTU [Default: 1420]'
962 wireguardRoutingRulePriority:
963 description: 'WireguardRoutingRulePriority controls the priority value
964 to use for the Wireguard routing rule. [Default: 99]'
967 description: 'XDPEnabled enables XDP acceleration for suitable untracked
968 incoming deny rules. [Default: true]'
971 description: 'XDPRefreshInterval is the period at which Felix re-checks
972 all XDP state to ensure that no other process has accidentally broken
973 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
974 refresh. [Default: 90s]'
988 apiVersion: apiextensions.k8s.io/v1
989 kind: CustomResourceDefinition
991 name: globalnetworkpolicies.crd.projectcalico.org
993 group: crd.projectcalico.org
995 kind: GlobalNetworkPolicy
996 listKind: GlobalNetworkPolicyList
997 plural: globalnetworkpolicies
998 singular: globalnetworkpolicy
1006 description: 'APIVersion defines the versioned schema of this representation
1007 of an object. Servers should convert recognized schemas to the latest
1008 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1011 description: 'Kind is a string value representing the REST resource this
1012 object represents. Servers may infer this from the endpoint the client
1013 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1020 description: ApplyOnForward indicates to apply the rules in this policy
1024 description: DoNotTrack indicates whether packets matched by the rules
1025 in this policy should go through the data plane's connection tracking,
1026 such as Linux conntrack. If True, the rules in this policy are
1027 applied before any data plane connection tracking, and packets allowed
1028 by this policy are marked as not to be tracked.
1031 description: The ordered set of egress rules. Each rule contains
1032 a set of packet match criteria and a corresponding action to apply.
1034 description: "A Rule encapsulates a set of match criteria and an
1035 action. Both selector-based security Policy and security Profiles
1036 reference rules - separated out as a list of rules for both ingress
1037 and egress packet matching. \n Each positive match criterion has
1038 a negated version, prefixed with \"Not\". All the match criteria
1039 within a rule must be satisfied for a packet to match. A single
1040 rule can contain the positive and negative version of a match
1041 and both must be satisfied for the rule to match."
1046 description: Destination contains the match criteria that apply
1047 to destination entity.
1050 description: "NamespaceSelector is an optional field that
1051 contains a selector expression. Only traffic that originates
1052 from (or terminates at) endpoints within the selected
1053 namespaces will be matched. When both NamespaceSelector
1054 and Selector are defined on the same rule, then only workload
1055 endpoints that are matched by both selectors will be selected
1056 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1057 implies that the Selector is limited to selecting only
1058 workload endpoints in the same namespace as the NetworkPolicy.
1059 \n For NetworkPolicy, `global()` NamespaceSelector implies
1060 that the Selector is limited to selecting only GlobalNetworkSet
1061 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1062 NamespaceSelector implies the Selector applies to workload
1063 endpoints across all namespaces."
1066 description: Nets is an optional field that restricts the
1067 rule to only apply to traffic that originates from (or
1068 terminates at) IP addresses in any of the given subnets.
1073 description: NotNets is the negated version of the Nets
1079 description: NotPorts is the negated version of the Ports
1080 field. Since only some protocols have ports, if any ports
1081 are specified it requires the Protocol match in the Rule
1082 to be set to "TCP" or "UDP".
1088 x-kubernetes-int-or-string: true
1091 description: NotSelector is the negated version of the Selector
1092 field. See Selector field for subtleties with negated
1096 description: "Ports is an optional field that restricts
1097 the rule to only apply to traffic that has a source (destination)
1098 port that matches one of these ranges/values. This value
1099 is a list of integers or strings that represent ranges
1100 of ports. \n Since only some protocols have ports, if
1101 any ports are specified it requires the Protocol match
1102 in the Rule to be set to \"TCP\" or \"UDP\"."
1108 x-kubernetes-int-or-string: true
1111 description: "Selector is an optional field that contains
1112 a selector expression (see Policy for sample syntax).
1113 \ Only traffic that originates from (terminates at) endpoints
1114 matching the selector will be matched. \n Note that: in
1115 addition to the negated version of the Selector (see NotSelector
1116 below), the selector expression syntax itself supports
1117 negation. The two types of negation are subtly different.
1118 One negates the set of matched endpoints, the other negates
1119 the whole match: \n \tSelector = \"!has(my_label)\" matches
1120 packets that are from other Calico-controlled \tendpoints
1121 that do not have the label \"my_label\". \n \tNotSelector
1122 = \"has(my_label)\" matches packets that are not from
1123 Calico-controlled \tendpoints that do have the label \"my_label\".
1124 \n The effect is that the latter will accept packets from
1125 non-Calico sources whereas the former is limited to packets
1126 from Calico-controlled endpoints."
1129 description: ServiceAccounts is an optional field that restricts
1130 the rule to only apply to traffic that originates from
1131 (or terminates at) a pod running as a matching service
1135 description: Names is an optional field that restricts
1136 the rule to only apply to traffic that originates
1137 from (or terminates at) a pod running as a service
1138 account whose name is in the list.
1143 description: Selector is an optional field that restricts
1144 the rule to only apply to traffic that originates
1145 from (or terminates at) a pod running as a service
1146 account that matches the given label selector. If
1147 both Names and Selector are specified then they are
1153 description: HTTP contains match criteria that apply to HTTP
1157 description: Methods is an optional field that restricts
1158 the rule to apply only to HTTP requests that use one of
1159 the listed HTTP Methods (e.g. GET, PUT, etc.). Multiple
1160 methods are OR'd together.
1165 description: 'Paths is an optional field that restricts
1166 the rule to apply to HTTP requests that use one of the
1167 listed HTTP Paths. Multiple paths are OR''d together.
1168 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1169 ONLY specify either an `exact` or a `prefix` match. The
1170 validator will check for it.'
1172 description: 'HTTPPath specifies an HTTP path to match.
1173 It may be either of the form: exact: <path>: which matches
1174 the path exactly or prefix: <path-prefix>: which matches
1185 description: ICMP is an optional field that restricts the rule
1186 to apply to a specific type and code of ICMP traffic. This
1187 should only be specified if the Protocol field is set to "ICMP"
1191 description: Match on a specific ICMP code. If specified,
1192 the Type value must also be specified. This is a technical
1193 limitation imposed by the kernel's iptables firewall,
1194 which Calico uses to enforce the rule.
1197 description: Match on a specific ICMP type. For example
1198 a value of 8 refers to ICMP Echo Request (i.e. pings).
1202 description: IPVersion is an optional field that restricts the
1203 rule to only match a specific IP version.
1206 description: Metadata contains additional information for this
1210 additionalProperties:
1212 description: Annotations is a set of key value pairs that
1213 give extra information about the rule
1217 description: NotICMP is the negated version of the ICMP field.
1220 description: Match on a specific ICMP code. If specified,
1221 the Type value must also be specified. This is a technical
1222 limitation imposed by the kernel's iptables firewall,
1223 which Calico uses to enforce the rule.
1226 description: Match on a specific ICMP type. For example
1227 a value of 8 refers to ICMP Echo Request (i.e. pings).
1234 description: NotProtocol is the negated version of the Protocol
1237 x-kubernetes-int-or-string: true
1242 description: "Protocol is an optional field that restricts the
1243 rule to only apply to traffic of a specific IP protocol. Required
1244 if any of the EntityRules contain Ports (because ports only
1245 apply to certain protocols). \n Must be one of these string
1246 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1247 \"UDPLite\" or an integer in the range 1-255."
1249 x-kubernetes-int-or-string: true
1251 description: Source contains the match criteria that apply to
1255 description: "NamespaceSelector is an optional field that
1256 contains a selector expression. Only traffic that originates
1257 from (or terminates at) endpoints within the selected
1258 namespaces will be matched. When both NamespaceSelector
1259 and Selector are defined on the same rule, then only workload
1260 endpoints that are matched by both selectors will be selected
1261 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1262 implies that the Selector is limited to selecting only
1263 workload endpoints in the same namespace as the NetworkPolicy.
1264 \n For NetworkPolicy, `global()` NamespaceSelector implies
1265 that the Selector is limited to selecting only GlobalNetworkSet
1266 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1267 NamespaceSelector implies the Selector applies to workload
1268 endpoints across all namespaces."
1271 description: Nets is an optional field that restricts the
1272 rule to only apply to traffic that originates from (or
1273 terminates at) IP addresses in any of the given subnets.
1278 description: NotNets is the negated version of the Nets
1284 description: NotPorts is the negated version of the Ports
1285 field. Since only some protocols have ports, if any ports
1286 are specified it requires the Protocol match in the Rule
1287 to be set to "TCP" or "UDP".
1293 x-kubernetes-int-or-string: true
1296 description: NotSelector is the negated version of the Selector
1297 field. See Selector field for subtleties with negated
1301 description: "Ports is an optional field that restricts
1302 the rule to only apply to traffic that has a source (destination)
1303 port that matches one of these ranges/values. This value
1304 is a list of integers or strings that represent ranges
1305 of ports. \n Since only some protocols have ports, if
1306 any ports are specified it requires the Protocol match
1307 in the Rule to be set to \"TCP\" or \"UDP\"."
1313 x-kubernetes-int-or-string: true
1316 description: "Selector is an optional field that contains
1317 a selector expression (see Policy for sample syntax).
1318 \ Only traffic that originates from (terminates at) endpoints
1319 matching the selector will be matched. \n Note that: in
1320 addition to the negated version of the Selector (see NotSelector
1321 below), the selector expression syntax itself supports
1322 negation. The two types of negation are subtly different.
1323 One negates the set of matched endpoints, the other negates
1324 the whole match: \n \tSelector = \"!has(my_label)\" matches
1325 packets that are from other Calico-controlled \tendpoints
1326 that do not have the label \"my_label\". \n \tNotSelector
1327 = \"has(my_label)\" matches packets that are not from
1328 Calico-controlled \tendpoints that do have the label \"my_label\".
1329 \n The effect is that the latter will accept packets from
1330 non-Calico sources whereas the former is limited to packets
1331 from Calico-controlled endpoints."
1334 description: ServiceAccounts is an optional field that restricts
1335 the rule to only apply to traffic that originates from
1336 (or terminates at) a pod running as a matching service
1340 description: Names is an optional field that restricts
1341 the rule to only apply to traffic that originates
1342 from (or terminates at) a pod running as a service
1343 account whose name is in the list.
1348 description: Selector is an optional field that restricts
1349 the rule to only apply to traffic that originates
1350 from (or terminates at) a pod running as a service
1351 account that matches the given label selector. If
1352 both Names and Selector are specified then they are
1362 description: The ordered set of ingress rules. Each rule contains
1363 a set of packet match criteria and a corresponding action to apply.
1365 description: "A Rule encapsulates a set of match criteria and an
1366 action. Both selector-based security Policy and security Profiles
1367 reference rules - separated out as a list of rules for both ingress
1368 and egress packet matching. \n Each positive match criterion has
1369 a negated version, prefixed with \"Not\". All the match criteria
1370 within a rule must be satisfied for a packet to match. A single
1371 rule can contain the positive and negative version of a match
1372 and both must be satisfied for the rule to match."
1377 description: Destination contains the match criteria that apply
1378 to destination entity.
1381 description: "NamespaceSelector is an optional field that
1382 contains a selector expression. Only traffic that originates
1383 from (or terminates at) endpoints within the selected
1384 namespaces will be matched. When both NamespaceSelector
1385 and Selector are defined on the same rule, then only workload
1386 endpoints that are matched by both selectors will be selected
1387 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1388 implies that the Selector is limited to selecting only
1389 workload endpoints in the same namespace as the NetworkPolicy.
1390 \n For NetworkPolicy, `global()` NamespaceSelector implies
1391 that the Selector is limited to selecting only GlobalNetworkSet
1392 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1393 NamespaceSelector implies the Selector applies to workload
1394 endpoints across all namespaces."
1397 description: Nets is an optional field that restricts the
1398 rule to only apply to traffic that originates from (or
1399 terminates at) IP addresses in any of the given subnets.
1404 description: NotNets is the negated version of the Nets
1410 description: NotPorts is the negated version of the Ports
1411 field. Since only some protocols have ports, if any ports
1412 are specified it requires the Protocol match in the Rule
1413 to be set to "TCP" or "UDP".
1419 x-kubernetes-int-or-string: true
1422 description: NotSelector is the negated version of the Selector
1423 field. See Selector field for subtleties with negated
1427 description: "Ports is an optional field that restricts
1428 the rule to only apply to traffic that has a source (destination)
1429 port that matches one of these ranges/values. This value
1430 is a list of integers or strings that represent ranges
1431 of ports. \n Since only some protocols have ports, if
1432 any ports are specified it requires the Protocol match
1433 in the Rule to be set to \"TCP\" or \"UDP\"."
1439 x-kubernetes-int-or-string: true
1442 description: "Selector is an optional field that contains
1443 a selector expression (see Policy for sample syntax).
1444 \ Only traffic that originates from (terminates at) endpoints
1445 matching the selector will be matched. \n Note that: in
1446 addition to the negated version of the Selector (see NotSelector
1447 below), the selector expression syntax itself supports
1448 negation. The two types of negation are subtly different.
1449 One negates the set of matched endpoints, the other negates
1450 the whole match: \n \tSelector = \"!has(my_label)\" matches
1451 packets that are from other Calico-controlled \tendpoints
1452 that do not have the label \"my_label\". \n \tNotSelector
1453 = \"has(my_label)\" matches packets that are not from
1454 Calico-controlled \tendpoints that do have the label \"my_label\".
1455 \n The effect is that the latter will accept packets from
1456 non-Calico sources whereas the former is limited to packets
1457 from Calico-controlled endpoints."
1460 description: ServiceAccounts is an optional field that restricts
1461 the rule to only apply to traffic that originates from
1462 (or terminates at) a pod running as a matching service
1466 description: Names is an optional field that restricts
1467 the rule to only apply to traffic that originates
1468 from (or terminates at) a pod running as a service
1469 account whose name is in the list.
1474 description: Selector is an optional field that restricts
1475 the rule to only apply to traffic that originates
1476 from (or terminates at) a pod running as a service
1477 account that matches the given label selector. If
1478 both Names and Selector are specified then they are
1484 description: HTTP contains match criteria that apply to HTTP
1488 description: Methods is an optional field that restricts
1489 the rule to apply only to HTTP requests that use one of
1490 the listed HTTP Methods (e.g. GET, PUT, etc.). Multiple
1491 methods are OR'd together.
1496 description: 'Paths is an optional field that restricts
1497 the rule to apply to HTTP requests that use one of the
1498 listed HTTP Paths. Multiple paths are OR''d together.
1499 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1500 ONLY specify either an `exact` or a `prefix` match. The
1501 validator will check for it.'
1503 description: 'HTTPPath specifies an HTTP path to match.
1504 It may be either of the form: exact: <path>: which matches
1505 the path exactly or prefix: <path-prefix>: which matches
1516 description: ICMP is an optional field that restricts the rule
1517 to apply to a specific type and code of ICMP traffic. This
1518 should only be specified if the Protocol field is set to "ICMP"
1522 description: Match on a specific ICMP code. If specified,
1523 the Type value must also be specified. This is a technical
1524 limitation imposed by the kernel's iptables firewall,
1525 which Calico uses to enforce the rule.
1528 description: Match on a specific ICMP type. For example
1529 a value of 8 refers to ICMP Echo Request (i.e. pings).
1533 description: IPVersion is an optional field that restricts the
1534 rule to only match a specific IP version.
1537 description: Metadata contains additional information for this
1541 additionalProperties:
1543 description: Annotations is a set of key value pairs that
1544 give extra information about the rule
1548 description: NotICMP is the negated version of the ICMP field.
1551 description: Match on a specific ICMP code. If specified,
1552 the Type value must also be specified. This is a technical
1553 limitation imposed by the kernel's iptables firewall,
1554 which Calico uses to enforce the rule.
1557 description: Match on a specific ICMP type. For example
1558 a value of 8 refers to ICMP Echo Request (i.e. pings).
1565 description: NotProtocol is the negated version of the Protocol
1568 x-kubernetes-int-or-string: true
1573 description: "Protocol is an optional field that restricts the
1574 rule to only apply to traffic of a specific IP protocol. Required
1575 if any of the EntityRules contain Ports (because ports only
1576 apply to certain protocols). \n Must be one of these string
1577 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1578 \"UDPLite\" or an integer in the range 1-255."
1580 x-kubernetes-int-or-string: true
1582 description: Source contains the match criteria that apply to
1586 description: "NamespaceSelector is an optional field that
1587 contains a selector expression. Only traffic that originates
1588 from (or terminates at) endpoints within the selected
1589 namespaces will be matched. When both NamespaceSelector
1590 and Selector are defined on the same rule, then only workload
1591 endpoints that are matched by both selectors will be selected
1592 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1593 implies that the Selector is limited to selecting only
1594 workload endpoints in the same namespace as the NetworkPolicy.
1595 \n For NetworkPolicy, `global()` NamespaceSelector implies
1596 that the Selector is limited to selecting only GlobalNetworkSet
1597 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1598 NamespaceSelector implies the Selector applies to workload
1599 endpoints across all namespaces."
1602 description: Nets is an optional field that restricts the
1603 rule to only apply to traffic that originates from (or
1604 terminates at) IP addresses in any of the given subnets.
1609 description: NotNets is the negated version of the Nets
1615 description: NotPorts is the negated version of the Ports
1616 field. Since only some protocols have ports, if any ports
1617 are specified it requires the Protocol match in the Rule
1618 to be set to "TCP" or "UDP".
1624 x-kubernetes-int-or-string: true
1627 description: NotSelector is the negated version of the Selector
1628 field. See Selector field for subtleties with negated
1632 description: "Ports is an optional field that restricts
1633 the rule to only apply to traffic that has a source (destination)
1634 port that matches one of these ranges/values. This value
1635 is a list of integers or strings that represent ranges
1636 of ports. \n Since only some protocols have ports, if
1637 any ports are specified it requires the Protocol match
1638 in the Rule to be set to \"TCP\" or \"UDP\"."
1644 x-kubernetes-int-or-string: true
1647 description: "Selector is an optional field that contains
1648 a selector expression (see Policy for sample syntax).
1649 \ Only traffic that originates from (terminates at) endpoints
1650 matching the selector will be matched. \n Note that: in
1651 addition to the negated version of the Selector (see NotSelector
1652 below), the selector expression syntax itself supports
1653 negation. The two types of negation are subtly different.
1654 One negates the set of matched endpoints, the other negates
1655 the whole match: \n \tSelector = \"!has(my_label)\" matches
1656 packets that are from other Calico-controlled \tendpoints
1657 that do not have the label \"my_label\". \n \tNotSelector
1658 = \"has(my_label)\" matches packets that are not from
1659 Calico-controlled \tendpoints that do have the label \"my_label\".
1660 \n The effect is that the latter will accept packets from
1661 non-Calico sources whereas the former is limited to packets
1662 from Calico-controlled endpoints."
1665 description: ServiceAccounts is an optional field that restricts
1666 the rule to only apply to traffic that originates from
1667 (or terminates at) a pod running as a matching service
1671 description: Names is an optional field that restricts
1672 the rule to only apply to traffic that originates
1673 from (or terminates at) a pod running as a service
1674 account whose name is in the list.
1679 description: Selector is an optional field that restricts
1680 the rule to only apply to traffic that originates
1681 from (or terminates at) a pod running as a service
1682 account that matches the given label selector. If
1683 both Names and Selector are specified then they are
1693 description: NamespaceSelector is an optional field for an expression
1694 used to select a pod based on namespaces.
1697 description: Order is an optional field that specifies the order in
1698 which the policy is applied. Policies with higher "order" are applied
1699 after those with lower order. If the order is omitted, it may be
1700 considered to be "infinite" - i.e. the policy will be applied last. Policies
1701 with identical order will be applied in alphanumerical order based
1702 on the Policy "Name".
1705 description: PreDNAT indicates to apply the rules in this policy before
1709 description: "The selector is an expression used to pick out
1710 the endpoints that the policy should be applied to. \n Selector
1711 expressions follow this syntax: \n \tlabel == \"string_literal\"
1712 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
1713 \ -> not equal; also matches if label is not present \tlabel in
1714 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
1715 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
1716 ... } -> true if the value of label X is not one of \"a\", \"b\",
1717 \"c\" \thas(label_name) -> True if that label is present \t! expr
1718 -> negation of expr \texpr && expr -> Short-circuit and \texpr
1719 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
1720 or the empty selector -> matches all endpoints. \n Label names are
1721 allowed to contain alphanumerics, -, _ and /. String literals are
1722 more permissive but they do not support escape characters. \n Examples
1723 (with made-up labels): \n \ttype == \"webserver\" && deployment
1724 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
1725 \"dev\" \t! has(label_name)"
1727 serviceAccountSelector:
1728 description: ServiceAccountSelector is an optional field for an expression
1729 used to select a pod based on service accounts.
1732 description: "Types indicates whether this policy applies to ingress,
1733 or to egress, or to both. When not explicitly specified (and so
1734 the value on creation is empty or nil), Calico defaults Types according
1735 to what Ingress and Egress rules are present in the policy. The
1736 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
1737 (including the case where there are also no Ingress rules) \n
1738 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
1739 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
1740 both Ingress and Egress rules. \n When the policy is read back again,
1741 Types will always be one of these values, never empty or nil."
1743 description: PolicyType enumerates the possible values of the PolicySpec
1759 apiVersion: apiextensions.k8s.io/v1
1760 kind: CustomResourceDefinition
1762 name: globalnetworksets.crd.projectcalico.org
1764 group: crd.projectcalico.org
1766 kind: GlobalNetworkSet
1767 listKind: GlobalNetworkSetList
1768 plural: globalnetworksets
1769 singular: globalnetworkset
1775 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
1776 that share labels to allow rules to refer to them via selectors. The labels
1777 of GlobalNetworkSet are not namespaced.
1780 description: 'APIVersion defines the versioned schema of this representation
1781 of an object. Servers should convert recognized schemas to the latest
1782 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1785 description: 'Kind is a string value representing the REST resource this
1786 object represents. Servers may infer this from the endpoint the client
1787 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1792 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
1796 description: The list of IP networks that belong to this set.
1812 apiVersion: apiextensions.k8s.io/v1
1813 kind: CustomResourceDefinition
1815 name: hostendpoints.crd.projectcalico.org
1817 group: crd.projectcalico.org
1820 listKind: HostEndpointList
1821 plural: hostendpoints
1822 singular: hostendpoint
1830 description: 'APIVersion defines the versioned schema of this representation
1831 of an object. Servers should convert recognized schemas to the latest
1832 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1835 description: 'Kind is a string value representing the REST resource this
1836 object represents. Servers may infer this from the endpoint the client
1837 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1842 description: HostEndpointSpec contains the specification for a HostEndpoint
1846 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
1847 If \"InterfaceName\" is not present, Calico will look for an interface
1848 matching any of the IPs in the list and apply policy to that. Note:
1849 \tWhen using the selector match criteria in an ingress or egress
1850 security Policy \tor Profile, Calico converts the selector into
1851 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
1852 is used for that purpose. (If only the interface \tname is specified,
1853 Calico does not learn the IPs of the interface for use in match
1859 description: "Either \"*\", or the name of a specific Linux interface
1860 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
1861 governs all traffic to, from or through the default network namespace
1862 of the host named by the \"Node\" field; entering and leaving that
1863 namespace via any interface, including those from/to non-host-networked
1864 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
1865 only governs traffic that enters or leaves the host through the
1866 specific interface named by InterfaceName, or - when InterfaceName
1867 is empty - through the specific interface that has one of the IPs
1868 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
1869 one expected IP must be specified. Only external interfaces (such
1870 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
1871 to protect traffic through a specific local workload interface.
1872 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
1873 initially just pre-DNAT policy. Please check Calico documentation
1874 for the latest position."
1877 description: The node name identifying the Calico node instance.
1880 description: Ports contains the endpoint's named ports, which may
1881 be referenced in security policy rules.
1893 x-kubernetes-int-or-string: true
1901 description: A list of identifiers of security Profile objects that
1902 apply to this endpoint. Each profile is applied in the order that
1903 they appear in this list. Profile rules are applied after the selector-based
1920 apiVersion: apiextensions.k8s.io/v1
1921 kind: CustomResourceDefinition
1923 name: ipamblocks.crd.projectcalico.org
1925 group: crd.projectcalico.org
1928 listKind: IPAMBlockList
1938 description: 'APIVersion defines the versioned schema of this representation
1939 of an object. Servers should convert recognized schemas to the latest
1940 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1943 description: 'Kind is a string value representing the REST resource this
1944 object represents. Servers may infer this from the endpoint the client
1945 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1950 description: IPAMBlockSpec contains the specification for an IPAMBlock
1958 # TODO: This nullable is manually added in. We should update controller-gen
1959 # to handle []*int properly itself.
1968 additionalProperties:
2001 apiVersion: apiextensions.k8s.io/v1
2002 kind: CustomResourceDefinition
2004 name: ipamconfigs.crd.projectcalico.org
2006 group: crd.projectcalico.org
2009 listKind: IPAMConfigList
2011 singular: ipamconfig
2019 description: 'APIVersion defines the versioned schema of this representation
2020 of an object. Servers should convert recognized schemas to the latest
2021 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2024 description: 'Kind is a string value representing the REST resource this
2025 object represents. Servers may infer this from the endpoint the client
2026 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2031 description: IPAMConfigSpec contains the specification for an IPAMConfig
2037 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2038 that can be affine to each host.
2043 - autoAllocateBlocks
2057 apiVersion: apiextensions.k8s.io/v1
2058 kind: CustomResourceDefinition
2060 name: ipamhandles.crd.projectcalico.org
2062 group: crd.projectcalico.org
2065 listKind: IPAMHandleList
2067 singular: ipamhandle
2075 description: 'APIVersion defines the versioned schema of this representation
2076 of an object. Servers should convert recognized schemas to the latest
2077 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2080 description: 'Kind is a string value representing the REST resource this
2081 object represents. Servers may infer this from the endpoint the client
2082 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2087 description: IPAMHandleSpec contains the specification for an IPAMHandle
2091 additionalProperties:
2113 apiVersion: apiextensions.k8s.io/v1
2114 kind: CustomResourceDefinition
2116 name: ippools.crd.projectcalico.org
2118 group: crd.projectcalico.org
2121 listKind: IPPoolList
2131 description: 'APIVersion defines the versioned schema of this representation
2132 of an object. Servers should convert recognized schemas to the latest
2133 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2136 description: 'Kind is a string value representing the REST resource this
2137 object represents. Servers may infer this from the endpoint the client
2138 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2143 description: IPPoolSpec contains the specification for an IPPool resource.
2146 description: The block size to use for IP address assignments from
2147 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2150 description: The pool CIDR.
2153 description: When disabled is true, Calico IPAM will not assign addresses
2157 description: 'Deprecated: this field is only used for APIv1 backwards
2158 compatibility. Setting this field is not allowed, this field is
2159 for internal use only.'
2162 description: When enabled is true, ipip tunneling will be used
2163 to deliver packets to destinations within this pool.
2166 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2167 mode of "always" will also use IPIP tunneling for routing to
2168 destination IP addresses within this pool. A mode of "cross-subnet"
2169 will only use IPIP tunneling when the destination node is on
2170 a different subnet to the originating node. The default value
2171 (if not specified) is "always".
2175 description: Contains configuration for IPIP tunneling for this pool.
2176 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2180 description: 'Deprecated: this field is only used for APIv1 backwards
2181 compatibility. Setting this field is not allowed, this field is
2182 for internal use only.'
2185 description: When nat-outgoing is true, packets sent from Calico networked
2186 containers in this pool to destinations outside of this pool will
2190 description: Allows IPPool to allocate for a specific node by label
2194 description: Contains configuration for VXLAN tunneling for this pool.
2195 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2196 tunneling is disabled).
2212 apiVersion: apiextensions.k8s.io/v1
2213 kind: CustomResourceDefinition
2215 name: kubecontrollersconfigurations.crd.projectcalico.org
2217 group: crd.projectcalico.org
2219 kind: KubeControllersConfiguration
2220 listKind: KubeControllersConfigurationList
2221 plural: kubecontrollersconfigurations
2222 singular: kubecontrollersconfiguration
2230 description: 'APIVersion defines the versioned schema of this representation
2231 of an object. Servers should convert recognized schemas to the latest
2232 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2235 description: 'Kind is a string value representing the REST resource this
2236 object represents. Servers may infer this from the endpoint the client
2237 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2242 description: KubeControllersConfigurationSpec contains the values of the
2243 Kubernetes controllers configuration.
2246 description: Controllers enables and configures individual Kubernetes
2250 description: Namespace enables and configures the namespace controller.
2251 Enabled by default, set to nil to disable.
2254 description: 'ReconcilerPeriod is the period to perform reconciliation
2255 with the Calico datastore. [Default: 5m]'
2259 description: Node enables and configures the node controller.
2260 Enabled by default, set to nil to disable.
2263 description: HostEndpoint controls syncing nodes to host endpoints.
2264 Disabled by default, set to nil to disable.
2267 description: 'AutoCreate enables automatic creation of
2268 host endpoints for every node. [Default: Disabled]'
2272 description: 'ReconcilerPeriod is the period to perform reconciliation
2273 with the Calico datastore. [Default: 5m]'
2276 description: 'SyncLabels controls whether to copy Kubernetes
2277 node labels to Calico nodes. [Default: Enabled]'
2281 description: Policy enables and configures the policy controller.
2282 Enabled by default, set to nil to disable.
2285 description: 'ReconcilerPeriod is the period to perform reconciliation
2286 with the Calico datastore. [Default: 5m]'
2290 description: ServiceAccount enables and configures the service
2291 account controller. Enabled by default, set to nil to disable.
2294 description: 'ReconcilerPeriod is the period to perform reconciliation
2295 with the Calico datastore. [Default: 5m]'
2299 description: WorkloadEndpoint enables and configures the workload
2300 endpoint controller. Enabled by default, set to nil to disable.
2303 description: 'ReconcilerPeriod is the period to perform reconciliation
2304 with the Calico datastore. [Default: 5m]'
2308 etcdV3CompactionPeriod:
2309 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2310 compaction requests. Set to 0 to disable. [Default: 10m]'
2313 description: 'HealthChecks enables or disables support for health
2314 checks [Default: Enabled]'
2317 description: 'LogSeverityScreen is the log severity above which logs
2318 are sent to the stdout. [Default: Info]'
2320 prometheusMetricsPort:
2321 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2322 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
2328 description: KubeControllersConfigurationStatus represents the status
2329 of the configuration. It's useful for admins to be able to see the actual
2330 config that was applied, which can be modified by environment variables
2331 on the kube-controllers process.
2334 additionalProperties:
2336 description: EnvironmentVars contains the environment variables on
2337 the kube-controllers that influenced the RunningConfig.
2340 description: RunningConfig contains the effective config that is running
2341 in the kube-controllers pod, after merging the API resource with
2342 any environment variables.
2345 description: Controllers enables and configures individual Kubernetes
2349 description: Namespace enables and configures the namespace
2350 controller. Enabled by default, set to nil to disable.
2353 description: 'ReconcilerPeriod is the period to perform
2354 reconciliation with the Calico datastore. [Default:
2359 description: Node enables and configures the node controller.
2360 Enabled by default, set to nil to disable.
2363 description: HostEndpoint controls syncing nodes to host
2364 endpoints. Disabled by default, set to nil to disable.
2367 description: 'AutoCreate enables automatic creation
2368 of host endpoints for every node. [Default: Disabled]'
2372 description: 'ReconcilerPeriod is the period to perform
2373 reconciliation with the Calico datastore. [Default:
2377 description: 'SyncLabels controls whether to copy Kubernetes
2378 node labels to Calico nodes. [Default: Enabled]'
2382 description: Policy enables and configures the policy controller.
2383 Enabled by default, set to nil to disable.
2386 description: 'ReconcilerPeriod is the period to perform
2387 reconciliation with the Calico datastore. [Default:
2392 description: ServiceAccount enables and configures the service
2393 account controller. Enabled by default, set to nil to disable.
2396 description: 'ReconcilerPeriod is the period to perform
2397 reconciliation with the Calico datastore. [Default:
2402 description: WorkloadEndpoint enables and configures the workload
2403 endpoint controller. Enabled by default, set to nil to disable.
2406 description: 'ReconcilerPeriod is the period to perform
2407 reconciliation with the Calico datastore. [Default:
2412 etcdV3CompactionPeriod:
2413 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2414 compaction requests. Set to 0 to disable. [Default: 10m]'
2417 description: 'HealthChecks enables or disables support for health
2418 checks [Default: Enabled]'
2421 description: 'LogSeverityScreen is the log severity above which
2422 logs are sent to the stdout. [Default: Info]'
2424 prometheusMetricsPort:
2425 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2426 metrics server should bind to. Set to 0 to disable. [Default:
2444 apiVersion: apiextensions.k8s.io/v1
2445 kind: CustomResourceDefinition
2447 name: networkpolicies.crd.projectcalico.org
2449 group: crd.projectcalico.org
2452 listKind: NetworkPolicyList
2453 plural: networkpolicies
2454 singular: networkpolicy
2462 description: 'APIVersion defines the versioned schema of this representation
2463 of an object. Servers should convert recognized schemas to the latest
2464 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2467 description: 'Kind is a string value representing the REST resource this
2468 object represents. Servers may infer this from the endpoint the client
2469 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2476 description: The ordered set of egress rules. Each rule contains
2477 a set of packet match criteria and a corresponding action to apply.
2479 description: "A Rule encapsulates a set of match criteria and an
2480 action. Both selector-based security Policy and security Profiles
2481 reference rules - separated out as a list of rules for both ingress
2482 and egress packet matching. \n Each positive match criteria has
2483 a negated version, prefixed with \"Not\". All the match criteria
2484 within a rule must be satisfied for a packet to match. A single
2485 rule can contain the positive and negative version of a match
2486 and both must be satisfied for the rule to match."
2491 description: Destination contains the match criteria that apply
2492 to destination entity.
2495 description: "NamespaceSelector is an optional field that
2496 contains a selector expression. Only traffic that originates
2497 from (or terminates at) endpoints within the selected
2498 namespaces will be matched. When both NamespaceSelector
2499 and Selector are defined on the same rule, then only workload
2500 endpoints that are matched by both selectors will be selected
2501 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2502 implies that the Selector is limited to selecting only
2503 workload endpoints in the same namespace as the NetworkPolicy.
2504 \n For NetworkPolicy, `global()` NamespaceSelector implies
2505 that the Selector is limited to selecting only GlobalNetworkSet
2506 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2507 NamespaceSelector implies the Selector applies to workload
2508 endpoints across all namespaces."
2511 description: Nets is an optional field that restricts the
2512 rule to only apply to traffic that originates from (or
2513 terminates at) IP addresses in any of the given subnets.
2518 description: NotNets is the negated version of the Nets
2524 description: NotPorts is the negated version of the Ports
2525 field. Since only some protocols have ports, if any ports
2526 are specified it requires the Protocol match in the Rule
2527 to be set to "TCP" or "UDP".
2533 x-kubernetes-int-or-string: true
2536 description: NotSelector is the negated version of the Selector
2537 field. See Selector field for subtleties with negated
2541 description: "Ports is an optional field that restricts
2542 the rule to only apply to traffic that has a source (destination)
2543 port that matches one of these ranges/values. This value
2544 is a list of integers or strings that represent ranges
2545 of ports. \n Since only some protocols have ports, if
2546 any ports are specified it requires the Protocol match
2547 in the Rule to be set to \"TCP\" or \"UDP\"."
2553 x-kubernetes-int-or-string: true
2556 description: "Selector is an optional field that contains
2557 a selector expression (see Policy for sample syntax).
2558 \ Only traffic that originates from (terminates at) endpoints
2559 matching the selector will be matched. \n Note that: in
2560 addition to the negated version of the Selector (see NotSelector
2561 below), the selector expression syntax itself supports
2562 negation. The two types of negation are subtly different.
2563 One negates the set of matched endpoints, the other negates
2564 the whole match: \n \tSelector = \"!has(my_label)\" matches
2565 packets that are from other Calico-controlled \tendpoints
2566 that do not have the label \"my_label\". \n \tNotSelector
2567 = \"has(my_label)\" matches packets that are not from
2568 Calico-controlled \tendpoints that do have the label \"my_label\".
2569 \n The effect is that the latter will accept packets from
2570 non-Calico sources whereas the former is limited to packets
2571 from Calico-controlled endpoints."
2574 description: ServiceAccounts is an optional field that restricts
2575 the rule to only apply to traffic that originates from
2576 (or terminates at) a pod running as a matching service
2580 description: Names is an optional field that restricts
2581 the rule to only apply to traffic that originates
2582 from (or terminates at) a pod running as a service
2583 account whose name is in the list.
2588 description: Selector is an optional field that restricts
2589 the rule to only apply to traffic that originates
2590 from (or terminates at) a pod running as a service
2591 account that matches the given label selector. If
2592 both Names and Selector are specified then they are
2598 description: HTTP contains match criteria that apply to HTTP
2602 description: Methods is an optional field that restricts
2603 the rule to apply only to HTTP requests that use one of
2604 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2605 methods are OR'd together.
2610 description: 'Paths is an optional field that restricts
2611 the rule to apply to HTTP requests that use one of the
2612 listed HTTP Paths. Multiple paths are OR''d together.
2613 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2614 ONLY specify either an `exact` or a `prefix` match. The
2615 validator will check for it.'
2617 description: 'HTTPPath specifies an HTTP path to match.
2618 It may be either of the form: exact: <path>: which matches
2619 the path exactly or prefix: <path-prefix>: which matches
2630 description: ICMP is an optional field that restricts the rule
2631 to apply to a specific type and code of ICMP traffic. This
2632 should only be specified if the Protocol field is set to "ICMP"
2636 description: Match on a specific ICMP code. If specified,
2637 the Type value must also be specified. This is a technical
2638 limitation imposed by the kernel's iptables firewall,
2639 which Calico uses to enforce the rule.
2642 description: Match on a specific ICMP type. For example
2643 a value of 8 refers to ICMP Echo Request (i.e. pings).
2647 description: IPVersion is an optional field that restricts the
2648 rule to only match a specific IP version.
2651 description: Metadata contains additional information for this
2655 additionalProperties:
2657 description: Annotations is a set of key value pairs that
2658 give extra information about the rule
2662 description: NotICMP is the negated version of the ICMP field.
2665 description: Match on a specific ICMP code. If specified,
2666 the Type value must also be specified. This is a technical
2667 limitation imposed by the kernel's iptables firewall,
2668 which Calico uses to enforce the rule.
2671 description: Match on a specific ICMP type. For example
2672 a value of 8 refers to ICMP Echo Request (i.e. pings).
2679 description: NotProtocol is the negated version of the Protocol
2682 x-kubernetes-int-or-string: true
2687 description: "Protocol is an optional field that restricts the
2688 rule to only apply to traffic of a specific IP protocol. Required
2689 if any of the EntityRules contain Ports (because ports only
2690 apply to certain protocols). \n Must be one of these string
2691 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2692 \"UDPLite\" or an integer in the range 1-255."
2694 x-kubernetes-int-or-string: true
2696 description: Source contains the match criteria that apply to
2700 description: "NamespaceSelector is an optional field that
2701 contains a selector expression. Only traffic that originates
2702 from (or terminates at) endpoints within the selected
2703 namespaces will be matched. When both NamespaceSelector
2704 and Selector are defined on the same rule, then only workload
2705 endpoints that are matched by both selectors will be selected
2706 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2707 implies that the Selector is limited to selecting only
2708 workload endpoints in the same namespace as the NetworkPolicy.
2709 \n For NetworkPolicy, `global()` NamespaceSelector implies
2710 that the Selector is limited to selecting only GlobalNetworkSet
2711 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2712 NamespaceSelector implies the Selector applies to workload
2713 endpoints across all namespaces."
2716 description: Nets is an optional field that restricts the
2717 rule to only apply to traffic that originates from (or
2718 terminates at) IP addresses in any of the given subnets.
2723 description: NotNets is the negated version of the Nets
2729 description: NotPorts is the negated version of the Ports
2730 field. Since only some protocols have ports, if any ports
2731 are specified it requires the Protocol match in the Rule
2732 to be set to "TCP" or "UDP".
2738 x-kubernetes-int-or-string: true
2741 description: NotSelector is the negated version of the Selector
2742 field. See Selector field for subtleties with negated
2746 description: "Ports is an optional field that restricts
2747 the rule to only apply to traffic that has a source (destination)
2748 port that matches one of these ranges/values. This value
2749 is a list of integers or strings that represent ranges
2750 of ports. \n Since only some protocols have ports, if
2751 any ports are specified it requires the Protocol match
2752 in the Rule to be set to \"TCP\" or \"UDP\"."
2758 x-kubernetes-int-or-string: true
2761 description: "Selector is an optional field that contains
2762 a selector expression (see Policy for sample syntax).
2763 \ Only traffic that originates from (terminates at) endpoints
2764 matching the selector will be matched. \n Note that: in
2765 addition to the negated version of the Selector (see NotSelector
2766 below), the selector expression syntax itself supports
2767 negation. The two types of negation are subtly different.
2768 One negates the set of matched endpoints, the other negates
2769 the whole match: \n \tSelector = \"!has(my_label)\" matches
2770 packets that are from other Calico-controlled \tendpoints
2771 that do not have the label \"my_label\". \n \tNotSelector
2772 = \"has(my_label)\" matches packets that are not from
2773 Calico-controlled \tendpoints that do have the label \"my_label\".
2774 \n The effect is that the latter will accept packets from
2775 non-Calico sources whereas the former is limited to packets
2776 from Calico-controlled endpoints."
2779 description: ServiceAccounts is an optional field that restricts
2780 the rule to only apply to traffic that originates from
2781 (or terminates at) a pod running as a matching service
2785 description: Names is an optional field that restricts
2786 the rule to only apply to traffic that originates
2787 from (or terminates at) a pod running as a service
2788 account whose name is in the list.
2793 description: Selector is an optional field that restricts
2794 the rule to only apply to traffic that originates
2795 from (or terminates at) a pod running as a service
2796 account that matches the given label selector. If
2797 both Names and Selector are specified then they are
2807 description: The ordered set of ingress rules. Each rule contains
2808 a set of packet match criteria and a corresponding action to apply.
2810 description: "A Rule encapsulates a set of match criteria and an
2811 action. Both selector-based security Policy and security Profiles
2812 reference rules - separated out as a list of rules for both ingress
2813 and egress packet matching. \n Each positive match criteria has
2814 a negated version, prefixed with \"Not\". All the match criteria
2815 within a rule must be satisfied for a packet to match. A single
2816 rule can contain the positive and negative version of a match
2817 and both must be satisfied for the rule to match."
2822 description: Destination contains the match criteria that apply
2823 to destination entity.
2826 description: "NamespaceSelector is an optional field that
2827 contains a selector expression. Only traffic that originates
2828 from (or terminates at) endpoints within the selected
2829 namespaces will be matched. When both NamespaceSelector
2830 and Selector are defined on the same rule, then only workload
2831 endpoints that are matched by both selectors will be selected
2832 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2833 implies that the Selector is limited to selecting only
2834 workload endpoints in the same namespace as the NetworkPolicy.
2835 \n For NetworkPolicy, `global()` NamespaceSelector implies
2836 that the Selector is limited to selecting only GlobalNetworkSet
2837 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2838 NamespaceSelector implies the Selector applies to workload
2839 endpoints across all namespaces."
2842 description: Nets is an optional field that restricts the
2843 rule to only apply to traffic that originates from (or
2844 terminates at) IP addresses in any of the given subnets.
2849 description: NotNets is the negated version of the Nets
2855 description: NotPorts is the negated version of the Ports
2856 field. Since only some protocols have ports, if any ports
2857 are specified it requires the Protocol match in the Rule
2858 to be set to "TCP" or "UDP".
2864 x-kubernetes-int-or-string: true
2867 description: NotSelector is the negated version of the Selector
2868 field. See Selector field for subtleties with negated
2872 description: "Ports is an optional field that restricts
2873 the rule to only apply to traffic that has a source (destination)
2874 port that matches one of these ranges/values. This value
2875 is a list of integers or strings that represent ranges
2876 of ports. \n Since only some protocols have ports, if
2877 any ports are specified it requires the Protocol match
2878 in the Rule to be set to \"TCP\" or \"UDP\"."
2884 x-kubernetes-int-or-string: true
2887 description: "Selector is an optional field that contains
2888 a selector expression (see Policy for sample syntax).
2889 \ Only traffic that originates from (terminates at) endpoints
2890 matching the selector will be matched. \n Note that: in
2891 addition to the negated version of the Selector (see NotSelector
2892 below), the selector expression syntax itself supports
2893 negation. The two types of negation are subtly different.
2894 One negates the set of matched endpoints, the other negates
2895 the whole match: \n \tSelector = \"!has(my_label)\" matches
2896 packets that are from other Calico-controlled \tendpoints
2897 that do not have the label \"my_label\". \n \tNotSelector
2898 = \"has(my_label)\" matches packets that are not from
2899 Calico-controlled \tendpoints that do have the label \"my_label\".
2900 \n The effect is that the latter will accept packets from
2901 non-Calico sources whereas the former is limited to packets
2902 from Calico-controlled endpoints."
2905 description: ServiceAccounts is an optional field that restricts
2906 the rule to only apply to traffic that originates from
2907 (or terminates at) a pod running as a matching service
2911 description: Names is an optional field that restricts
2912 the rule to only apply to traffic that originates
2913 from (or terminates at) a pod running as a service
2914 account whose name is in the list.
2919 description: Selector is an optional field that restricts
2920 the rule to only apply to traffic that originates
2921 from (or terminates at) a pod running as a service
2922 account that matches the given label selector. If
2923 both Names and Selector are specified then they are
2929 description: HTTP contains match criteria that apply to HTTP
2933 description: Methods is an optional field that restricts
2934 the rule to apply only to HTTP requests that use one of
2935 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2936 methods are OR'd together.
2941 description: 'Paths is an optional field that restricts
2942 the rule to apply to HTTP requests that use one of the
2943 listed HTTP Paths. Multiple paths are OR''d together.
2944 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2945 ONLY specify either an `exact` or a `prefix` match. The
2946 validator will check for it.'
2948 description: 'HTTPPath specifies an HTTP path to match.
2949 It may be either of the form: exact: <path>: which matches
2950 the path exactly or prefix: <path-prefix>: which matches
2961 description: ICMP is an optional field that restricts the rule
2962 to apply to a specific type and code of ICMP traffic. This
2963 should only be specified if the Protocol field is set to "ICMP"
2967 description: Match on a specific ICMP code. If specified,
2968 the Type value must also be specified. This is a technical
2969 limitation imposed by the kernel's iptables firewall,
2970 which Calico uses to enforce the rule.
2973 description: Match on a specific ICMP type. For example
2974 a value of 8 refers to ICMP Echo Request (i.e. pings).
2978 description: IPVersion is an optional field that restricts the
2979 rule to only match a specific IP version.
2982 description: Metadata contains additional information for this
2986 additionalProperties:
2988 description: Annotations is a set of key value pairs that
2989 give extra information about the rule
2993 description: NotICMP is the negated version of the ICMP field.
2996 description: Match on a specific ICMP code. If specified,
2997 the Type value must also be specified. This is a technical
2998 limitation imposed by the kernel's iptables firewall,
2999 which Calico uses to enforce the rule.
3002 description: Match on a specific ICMP type. For example
3003 a value of 8 refers to ICMP Echo Request (i.e. pings).
3010 description: NotProtocol is the negated version of the Protocol
3013 x-kubernetes-int-or-string: true
3018 description: "Protocol is an optional field that restricts the
3019 rule to only apply to traffic of a specific IP protocol. Required
3020 if any of the EntityRules contain Ports (because ports only
3021 apply to certain protocols). \n Must be one of these string
3022 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3023 \"UDPLite\" or an integer in the range 1-255."
3025 x-kubernetes-int-or-string: true
3027 description: Source contains the match criteria that apply to
3031 description: "NamespaceSelector is an optional field that
3032 contains a selector expression. Only traffic that originates
3033 from (or terminates at) endpoints within the selected
3034 namespaces will be matched. When both NamespaceSelector
3035 and Selector are defined on the same rule, then only workload
3036 endpoints that are matched by both selectors will be selected
3037 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
3038 implies that the Selector is limited to selecting only
3039 workload endpoints in the same namespace as the NetworkPolicy.
3040 \n For NetworkPolicy, `global()` NamespaceSelector implies
3041 that the Selector is limited to selecting only GlobalNetworkSet
3042 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
3043 NamespaceSelector implies the Selector applies to workload
3044 endpoints across all namespaces."
3047 description: Nets is an optional field that restricts the
3048 rule to only apply to traffic that originates from (or
3049 terminates at) IP addresses in any of the given subnets.
3054 description: NotNets is the negated version of the Nets
3060 description: NotPorts is the negated version of the Ports
3061 field. Since only some protocols have ports, if any ports
3062 are specified it requires the Protocol match in the Rule
3063 to be set to "TCP" or "UDP".
3069 x-kubernetes-int-or-string: true
3072 description: NotSelector is the negated version of the Selector
3073 field. See Selector field for subtleties with negated
3077 description: "Ports is an optional field that restricts
3078 the rule to only apply to traffic that has a source (destination)
3079 port that matches one of these ranges/values. This value
3080 is a list of integers or strings that represent ranges
3081 of ports. \n Since only some protocols have ports, if
3082 any ports are specified it requires the Protocol match
3083 in the Rule to be set to \"TCP\" or \"UDP\"."
3089 x-kubernetes-int-or-string: true
3092 description: "Selector is an optional field that contains
3093 a selector expression (see Policy for sample syntax).
3094 \ Only traffic that originates from (terminates at) endpoints
3095 matching the selector will be matched. \n Note that: in
3096 addition to the negated version of the Selector (see NotSelector
3097 below), the selector expression syntax itself supports
3098 negation. The two types of negation are subtly different.
3099 One negates the set of matched endpoints, the other negates
3100 the whole match: \n \tSelector = \"!has(my_label)\" matches
3101 packets that are from other Calico-controlled \tendpoints
3102 that do not have the label \"my_label\". \n \tNotSelector
3103 = \"has(my_label)\" matches packets that are not from
3104 Calico-controlled \tendpoints that do have the label \"my_label\".
3105 \n The effect is that the latter will accept packets from
3106 non-Calico sources whereas the former is limited to packets
3107 from Calico-controlled endpoints."
3110 description: ServiceAccounts is an optional field that restricts
3111 the rule to only apply to traffic that originates from
3112 (or terminates at) a pod running as a matching service
3116 description: Names is an optional field that restricts
3117 the rule to only apply to traffic that originates
3118 from (or terminates at) a pod running as a service
3119 account whose name is in the list.
3124 description: Selector is an optional field that restricts
3125 the rule to only apply to traffic that originates
3126 from (or terminates at) a pod running as a service
3127 account that matches the given label selector. If
3128 both Names and Selector are specified then they are
3138 description: Order is an optional field that specifies the order in
3139 which the policy is applied. Policies with higher "order" are applied
3140 after those with lower order. If the order is omitted, it may be
3141 considered to be "infinite" - i.e. the policy will be applied last. Policies
3142 with identical order will be applied in alphanumerical order based
3143 on the Policy "Name".
3146 description: "The selector is an expression used to pick out
3147 the endpoints that the policy should be applied to. \n Selector
3148 expressions follow this syntax: \n \tlabel == \"string_literal\"
3149 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3150 \ -> not equal; also matches if label is not present \tlabel in
3151 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3152 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3153 ... } -> true if the value of label X is not one of \"a\", \"b\",
3154 \"c\" \thas(label_name) -> True if that label is present \t! expr
3155 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3156 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3157 or the empty selector -> matches all endpoints. \n Label names are
3158 allowed to contain alphanumerics, -, _ and /. String literals are
3159 more permissive but they do not support escape characters. \n Examples
3160 (with made-up labels): \n \ttype == \"webserver\" && deployment
3161 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3162 \"dev\" \t! has(label_name)"
3164 serviceAccountSelector:
3165 description: ServiceAccountSelector is an optional field for an expression
3166 used to select a pod based on service accounts.
3169 description: "Types indicates whether this policy applies to ingress,
3170 or to egress, or to both. When not explicitly specified (and so
3171 the value on creation is empty or nil), Calico defaults Types according
3172 to what Ingress and Egress are present in the policy. The default
3173 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3174 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3175 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3176 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3177 \n When the policy is read back again, Types will always be one
3178 of these values, never empty or nil."
3180 description: PolicyType enumerates the possible values of the PolicySpec
3196 apiVersion: apiextensions.k8s.io/v1
3197 kind: CustomResourceDefinition
3199 name: networksets.crd.projectcalico.org
3201 group: crd.projectcalico.org
3204 listKind: NetworkSetList
3206 singular: networkset
3212 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3215 description: 'APIVersion defines the versioned schema of this representation
3216 of an object. Servers should convert recognized schemas to the latest
3217 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3220 description: 'Kind is a string value representing the REST resource this
3221 object represents. Servers may infer this from the endpoint the client
3222 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3227 description: NetworkSetSpec contains the specification for a NetworkSet
3231 description: The list of IP networks that belong to this set.
3248 # Source: calico/templates/calico-kube-controllers-rbac.yaml
3250 # Include a clusterrole for the kube-controllers component,
3251 # and bind it to the calico-kube-controllers serviceaccount.
3253 apiVersion: rbac.authorization.k8s.io/v1
3255 name: calico-kube-controllers
3257 # Nodes are watched to monitor for deletions.
3265 # Pods are queried to check for existence.
3271 # IPAM resources are manipulated when nodes are deleted.
3272 - apiGroups: ["crd.projectcalico.org"]
3277 - apiGroups: ["crd.projectcalico.org"]
3289 # kube-controllers manages hostendpoints.
3290 - apiGroups: ["crd.projectcalico.org"]
3299 # Needs access to update clusterinformations.
3300 - apiGroups: ["crd.projectcalico.org"]
3302 - clusterinformations
3307 # KubeControllersConfiguration is where it gets its config
3308 - apiGroups: ["crd.projectcalico.org"]
3310 - kubecontrollersconfigurations
3312 # read its own config
3314 # create a default if none exists
3321 kind: ClusterRoleBinding
3322 apiVersion: rbac.authorization.k8s.io/v1
3324 name: calico-kube-controllers
3326 apiGroup: rbac.authorization.k8s.io
3328 name: calico-kube-controllers
3330 - kind: ServiceAccount
3331 name: calico-kube-controllers
3332 namespace: kube-system
3336 # Source: calico/templates/calico-node-rbac.yaml
3337 # Include a clusterrole for the calico-node DaemonSet,
3338 # and bind it to the calico-node serviceaccount.
3340 apiVersion: rbac.authorization.k8s.io/v1
3344 # The CNI plugin needs to get pods, nodes, and namespaces.
3357 # Used to discover service IPs for advertisement.
3360 # Used to discover Typhas.
3362 # Pod CIDR auto-detection on kubeadm needs access to config maps.
3372 # Needed for clearing NodeNetworkUnavailable flag.
3374 # Calico stores some configuration information in node annotations.
3376 # Watch for changes to Kubernetes NetworkPolicies.
3377 - apiGroups: ["networking.k8s.io"]
3383 # Used by Calico for policy information.
3392 # The CNI plugin patches pods/status.
3398 # Calico monitors various CRDs for config.
3399 - apiGroups: ["crd.projectcalico.org"]
3401 - globalfelixconfigs
3402 - felixconfigurations
3408 - globalnetworkpolicies
3412 - clusterinformations
3419 # Calico must create and update some CRDs on startup.
3420 - apiGroups: ["crd.projectcalico.org"]
3423 - felixconfigurations
3424 - clusterinformations
3428 # Calico stores some configuration information on the node.
3436 # These permissions are only required for upgrade from v2.6, and can
3437 # be removed after upgrade or on fresh installations. Remove this rule on a
# fresh install so the calico-node ClusterRole carries no access it does not use.
3438 - apiGroups: ["crd.projectcalico.org"]
3445 # These permissions are required for Calico CNI to perform IPAM allocations.
3446 - apiGroups: ["crd.projectcalico.org"]
3457 - apiGroups: ["crd.projectcalico.org"]
3462 # Block affinities must also be watchable by confd for route aggregation.
3463 - apiGroups: ["crd.projectcalico.org"]
3468 # The Calico IPAM migration needs to get daemonsets. These permissions can be
3469 # removed if not upgrading from an installation using host-local IPAM (and should be,
# to keep the ClusterRole minimal; they go together with the upgrade-ipam init container).
3470 - apiGroups: ["apps"]
3477 apiVersion: rbac.authorization.k8s.io/v1
3478 kind: ClusterRoleBinding
3482 apiGroup: rbac.authorization.k8s.io
3486 - kind: ServiceAccount
3488 namespace: kube-system
3491 # Source: calico/templates/calico-node.yaml
3492 # This manifest installs the calico-node container, as well
3493 # as the CNI plugins and network config on
3494 # each master and worker node in a Kubernetes cluster.
3499 namespace: kube-system
3501 k8s-app: calico-node
3505 k8s-app: calico-node
3513 k8s-app: calico-node
3516 kubernetes.io/os: linux
3519 # Make sure calico-node gets scheduled on all nodes.
3520 - effect: NoSchedule
3522 # Mark the pod as a critical add-on for rescheduling.
3523 - key: CriticalAddonsOnly
3527 serviceAccountName: calico-node
3528 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
3529 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
3530 terminationGracePeriodSeconds: 0
3531 priorityClassName: system-node-critical
3533 # This container performs upgrade from host-local IPAM to calico-ipam.
3534 # It can be deleted if this is a fresh installation, or if you have already
3535 # upgraded to use calico-ipam.
3536 - name: upgrade-ipam
3537 #image: docker.io/calico/cni:v3.18.1
3538 image: docker.io/calico/cni:release-v3.18
3539 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
3542 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3543 name: kubernetes-services-endpoint
3546 - name: KUBERNETES_NODE_NAME
3549 fieldPath: spec.nodeName
3550 - name: CALICO_NETWORKING_BACKEND
3556 - mountPath: /var/lib/cni/networks
3557 name: host-local-net-dir
3558 - mountPath: /host/opt/cni/bin
3562 # This container installs the CNI binaries
3563 # and CNI network config file on each node.
# NOTE: the image below uses the floating `release-v3.18` tag, which is mutable.
# Pin to an immutable release tag or an @sha256 digest so the binaries written
# to the host's CNI directory are reproducible and auditable.
3565 #image: docker.io/calico/cni:v3.18.1
3566 image: docker.io/calico/cni:release-v3.18
3567 command: ["/opt/cni/bin/install"]
3570 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3571 name: kubernetes-services-endpoint
3574 # Name of the CNI config file to create.
3575 - name: CNI_CONF_NAME
3576 value: "10-calico.conflist"
3577 # The CNI network config to install on each node.
3578 - name: CNI_NETWORK_CONFIG
3582 key: cni_network_config
3583 # Set the hostname based on the k8s node name.
3584 - name: KUBERNETES_NODE_NAME
3587 fieldPath: spec.nodeName
3588 # CNI MTU Config variable
3594 # Prevents the container from sleeping forever.
3598 - mountPath: /host/opt/cni/bin
3600 - mountPath: /host/etc/cni/net.d
3604 # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
3605 # to communicate with Felix over the Policy Sync API.
3606 - name: flexvol-driver
3607 #image: docker.io/calico/pod2daemon-flexvol:v3.18.1
3608 image: docker.io/calico/pod2daemon-flexvol:release-v3.18
3610 - name: flexvol-driver-host
3611 mountPath: /host/driver
3615 # Runs calico-node container on each Kubernetes node. This
3616 # container programs network policy and routes on each
3619 image: docker.io/calico/node:release-v3.18
3622 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3623 name: kubernetes-services-endpoint
3626 # Use Kubernetes API as the backing datastore.
3627 - name: DATASTORE_TYPE
3629 # Wait for the datastore.
3630 - name: WAIT_FOR_DATASTORE
3632 # Set based on the k8s node name.
3636 fieldPath: spec.nodeName
3637 # Choose the backend to use.
3638 - name: CALICO_NETWORKING_BACKEND
3643 # Cluster type to identify the deployment type
3644 - name: CLUSTER_TYPE
3646 # Auto-detect the BGP IP address.
3650 - name: CALICO_IPV4POOL_IPIP
3652 # Enable or Disable VXLAN on the default IP pool.
3653 - name: CALICO_IPV4POOL_VXLAN
3655 # Set MTU for tunnel device used if ipip is enabled
3656 - name: FELIX_IPINIPMTU
3661 # Set MTU for the VXLAN tunnel device.
3662 - name: FELIX_VXLANMTU
3667 # Set MTU for the Wireguard tunnel device.
3668 - name: FELIX_WIREGUARDMTU
3673 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
3674 # chosen from this range. Changing this value after installation will have
3675 # no effect. This should fall within `--cluster-cidr`.
3676 - name: CALICO_IPV4POOL_CIDR
3677 value: "192.168.0.0/16"
3678 # Disable file logging so `kubectl logs` works.
3679 - name: CALICO_DISABLE_FILE_LOGGING
3681 # Set Felix endpoint to host default action to ACCEPT. This allows traffic from a
# workload to its own host that matches no policy; Felix's built-in default is DROP,
# so this is a deliberate relaxation. Keep it only if host-bound workload traffic is
# governed elsewhere (HostEndpoint policy or a host firewall).
3682 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
3684 # Disable IPv6 on Kubernetes.
3685 - name: FELIX_IPV6SUPPORT
3687 # Set Felix logging to "info"
3688 - name: FELIX_LOGSEVERITYSCREEN
3690 - name: FELIX_HEALTHENABLED
3704 initialDelaySeconds: 10
3714 - mountPath: /lib/modules
3717 - mountPath: /run/xtables.lock
3720 - mountPath: /var/run/calico
3721 name: var-run-calico
3723 - mountPath: /var/lib/calico
3724 name: var-lib-calico
3727 mountPath: /var/run/nodeagent
3728 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
3732 # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
3733 # If the host is known to mount that filesystem already then Bidirectional can be omitted.
# Note that Kubernetes only permits Bidirectional mount propagation for privileged containers,
# so omitting it where possible removes one reason this container needs elevated privilege.
3734 mountPropagation: Bidirectional
3736 mountPath: /var/log/calico/cni
3739 # Used by calico-node.
3743 - name: var-run-calico
3745 path: /var/run/calico
3746 - name: var-lib-calico
3748 path: /var/lib/calico
3749 - name: xtables-lock
3751 path: /run/xtables.lock
3756 type: DirectoryOrCreate
3757 # Used to install CNI.
3763 path: /etc/cni/net.d
3764 # Used to access CNI logs.
3767 path: /var/log/calico/cni
3768 # Mount in the directory for host-local IPAM allocations. This is
3769 # used when upgrading from host-local to calico-ipam, and can be removed
3770 # if not using the upgrade-ipam init container.
3771 - name: host-local-net-dir
3773 path: /var/lib/cni/networks
3774 # Used to create per-pod Unix Domain Sockets
3777 type: DirectoryOrCreate
3778 path: /var/run/nodeagent
3779 # Used to install Flex Volume Driver
3780 - name: flexvol-driver-host
3782 type: DirectoryOrCreate
3783 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
3787 kind: ServiceAccount
3790 namespace: kube-system
3793 # Source: calico/templates/calico-kube-controllers.yaml
3794 # See https://github.com/projectcalico/kube-controllers
3798 name: calico-kube-controllers
3799 namespace: kube-system
3801 k8s-app: calico-kube-controllers
3803 # The controllers can only have a single active instance.
3807 k8s-app: calico-kube-controllers
3812 name: calico-kube-controllers
3813 namespace: kube-system
3815 k8s-app: calico-kube-controllers
3818 kubernetes.io/os: linux
3820 # Mark the pod as a critical add-on for rescheduling.
3821 - key: CriticalAddonsOnly
3823 - key: node-role.kubernetes.io/master
3825 serviceAccountName: calico-kube-controllers
3826 priorityClassName: system-cluster-critical
3828 - name: calico-kube-controllers
3829 #image: docker.io/calico/kube-controllers:v3.18.1
3830 #image: docker.io/calico/kube-controllers:release-v3.18
# NOTE: the active image below is a git-describe development build, while the other
# Calico components in this manifest use release-v3.18. Pin every component to the same
# released version (ideally by @sha256 digest) so the deployment is consistent and auditable.
3831 image: docker.io/calico/kube-controllers:v3.18.1-6-g4a6327b94a4a
3833 # Choose which controllers to run.
3834 - name: ENABLED_CONTROLLERS
3836 - name: DATASTORE_TYPE
3841 - /usr/bin/check-status
3847 kind: ServiceAccount
3849 name: calico-kube-controllers
3850 namespace: kube-system
# NOTE: policy/v1beta1 PodDisruptionBudget is removed in Kubernetes 1.25+; use policy/v1 on those clusters.
3854 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
3856 apiVersion: policy/v1beta1
3857 kind: PodDisruptionBudget
3859 name: calico-kube-controllers
3860 namespace: kube-system
3862 k8s-app: calico-kube-controllers
3867 k8s-app: calico-kube-controllers
3870 # Source: calico/templates/calico-etcd-secrets.yaml
3873 # Source: calico/templates/calico-typha.yaml
3876 # Source: calico/templates/configure-canal.yaml