1 {{- if eq .Values.cni "calico" }}
2 {{- if eq .Values.ipam "ipv4" }}
7 apiVersion: apiextensions.k8s.io/v1
8 kind: CustomResourceDefinition
10 name: bgpconfigurations.crd.projectcalico.org
12 group: crd.projectcalico.org
14 kind: BGPConfiguration
15 listKind: BGPConfigurationList
16 plural: bgpconfigurations
17 singular: bgpconfiguration
23 description: BGPConfiguration contains the configuration for any BGP routing.
26 description: 'APIVersion defines the versioned schema of this representation
27 of an object. Servers should convert recognized schemas to the latest
28 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
31 description: 'Kind is a string value representing the REST resource this
32 object represents. Servers may infer this from the endpoint the client
33 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
38 description: BGPConfigurationSpec contains the values of the BGP configuration.
41 description: 'ASNumber is the default AS number used by a node. [Default:
46 description: Communities is a list of BGP community values and their
47 arbitrary names for tagging routes.
49 description: Community contains standard or large community value
53 description: Name given to community value.
56 description: Value must be of format `aa:nn` or `aa:nn:mm`.
57 For standard community use `aa:nn` format, where `aa` and
58 `nn` are 16 bit number. For large community use `aa:nn:mm`
59 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
60 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
61 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
66 description: ListenPort is the port where BGP protocol should listen.
72 description: 'LogSeverityScreen is the log severity above which logs
73 are sent to the stdout. [Default: INFO]'
75 nodeToNodeMeshEnabled:
76 description: 'NodeToNodeMeshEnabled sets whether full node to node
77 BGP mesh is enabled. [Default: true]'
80 description: PrefixAdvertisements contains per-prefix advertisement
83 description: PrefixAdvertisement configures advertisement properties
84 for the specified CIDR.
87 description: CIDR for which properties should be advertised.
90 description: Communities can be list of either community names
91 already defined in `Specs.Communities` or community value
92 of format `aa:nn` or `aa:nn:mm`. For standard community use
93 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
94 large community use `aa:nn:mm` format, where `aa`, `nn` and
95 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
96 `mm` are per-AS identifier.
103 description: ServiceClusterIPs are the CIDR blocks from which service
104 cluster IPs are allocated. If specified, Calico will advertise these
105 blocks, as well as any cluster IPs within them.
107 description: ServiceClusterIPBlock represents a single allowed ClusterIP
115 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
116 Service External IPs. Kubernetes Service ExternalIPs will only be
117 advertised if they are within one of these blocks.
119 description: ServiceExternalIPBlock represents a single allowed
120 External IP CIDR block.
126 serviceLoadBalancerIPs:
127 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
128 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
129 IPs will only be advertised if they are within one of these blocks.
131 description: ServiceLoadBalancerIPBlock represents a single allowed
132 LoadBalancer IP CIDR block.
149 apiVersion: apiextensions.k8s.io/v1
150 kind: CustomResourceDefinition
152 name: bgppeers.crd.projectcalico.org
154 group: crd.projectcalico.org
157 listKind: BGPPeerList
167 description: 'APIVersion defines the versioned schema of this representation
168 of an object. Servers should convert recognized schemas to the latest
169 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
172 description: 'Kind is a string value representing the REST resource this
173 object represents. Servers may infer this from the endpoint the client
174 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
179 description: BGPPeerSpec contains the specification for a BGPPeer resource.
182 description: The AS Number of the peer.
186 description: Option to keep the original nexthop field when routes
187 are sent to a BGP Peer. Setting "true" configures the selected BGP
188 Peers node to use the "next hop keep;" instead of "next hop self;"(default)
189 in the specific branch of the Node on "bird.cfg".
192 description: Time to allow for software restart. When specified,
193 this is configured as the graceful restart timeout. When not specified,
194 the BIRD default of 120s is used.
197 description: The node name identifying the Calico node instance that
198 is targeted by this peer. If this is not set, and no nodeSelector
199 is specified, then this BGP peer selects all nodes in the cluster.
202 description: Selector for the nodes that should have this peering. When
203 this is set, the Node field must be empty.
206 description: Optional BGP password for the peerings generated by this
210 description: Selects a key of a secret in the node pod's namespace.
213 description: The key of the secret to select from. Must be
217 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
218 TODO: Add other useful fields. apiVersion, kind, uid?'
221 description: Specify whether the Secret or its key must be
229 description: The IP address of the peer followed by an optional port
230 number to peer with. If port number is given, format should be `[<IPv6>]:port`
231 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
232 and this peer IP and ASNumber belongs to a calico/node with ListenPort
233 set in BGPConfiguration, then we use that port to peer.
236 description: Selector for the remote nodes to peer with. When this
237 is set, the PeerIP and ASNumber fields must be empty. For each
238 peering between the local node and selected remote nodes, we configure
239 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
240 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
241 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
242 or the global default if that is not set.
245 description: Specifies whether and how to configure a source address
246 for the peerings generated by this BGPPeer resource. Default value
247 "UseNodeIP" means to configure the node IP as the source address. "None"
248 means not to configure a source address.
261 apiVersion: apiextensions.k8s.io/v1
262 kind: CustomResourceDefinition
264 name: blockaffinities.crd.projectcalico.org
266 group: crd.projectcalico.org
269 listKind: BlockAffinityList
270 plural: blockaffinities
271 singular: blockaffinity
279 description: 'APIVersion defines the versioned schema of this representation
280 of an object. Servers should convert recognized schemas to the latest
281 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
284 description: 'Kind is a string value representing the REST resource this
285 object represents. Servers may infer this from the endpoint the client
286 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
291 description: BlockAffinitySpec contains the specification for a BlockAffinity
297 description: Deleted indicates that this block affinity is being deleted.
298 This field is a string for compatibility with older releases that
299 mistakenly treat this field as a string.
321 apiVersion: apiextensions.k8s.io/v1
322 kind: CustomResourceDefinition
325 controller-gen.kubebuilder.io/version: (devel)
326 creationTimestamp: null
327 name: caliconodestatuses.crd.projectcalico.org
329 group: crd.projectcalico.org
331 kind: CalicoNodeStatus
332 listKind: CalicoNodeStatusList
333 plural: caliconodestatuses
334 singular: caliconodestatus
342 description: 'APIVersion defines the versioned schema of this representation
343 of an object. Servers should convert recognized schemas to the latest
344 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
347 description: 'Kind is a string value representing the REST resource this
348 object represents. Servers may infer this from the endpoint the client
349 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
354 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
358 description: Classes declares the types of information to monitor
359 for this calico/node, and allows for selective status reporting
360 about certain subsets of information.
365 description: The node name identifies the Calico node instance for
369 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
370 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
371 Maximum update period is one day.
376 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
377 No validation needed for status since it is updated by Calico.
380 description: Agent holds agent status on the node.
383 description: BIRDV4 represents the latest observed status of bird4.
386 description: LastBootTime holds the value of lastBootTime
387 from bird.ctl output.
389 lastReconfigurationTime:
390 description: LastReconfigurationTime holds the value of lastReconfigTime
391 from bird.ctl output.
394 description: Router ID used by bird.
397 description: The state of the BGP Daemon.
400 description: Version of the BGP daemon
404 description: BIRDV6 represents the latest observed status of bird6.
407 description: LastBootTime holds the value of lastBootTime
408 from bird.ctl output.
410 lastReconfigurationTime:
411 description: LastReconfigurationTime holds the value of lastReconfigTime
412 from bird.ctl output.
415 description: Router ID used by bird.
418 description: The state of the BGP Daemon.
421 description: Version of the BGP daemon
426 description: BGP holds node BGP status.
429 description: The total number of IPv4 established bgp sessions.
432 description: The total number of IPv6 established bgp sessions.
434 numberNotEstablishedV4:
435 description: The total number of IPv4 non-established bgp sessions.
437 numberNotEstablishedV6:
438 description: The total number of IPv6 non-established bgp sessions.
441 description: PeersV4 represents IPv4 BGP peers status on the node.
443 description: CalicoNodePeer contains the status of BGP peers
447 description: IP address of the peer whose condition we are
451 description: Since the state or reason last changed.
454 description: State is the BGP session state.
457 description: Type indicates whether this peer is configured
458 via the node-to-node mesh, or via en explicit global or
459 per-node BGPPeer object.
464 description: PeersV6 represents IPv6 BGP peers status on the node.
466 description: CalicoNodePeer contains the status of BGP peers
470 description: IP address of the peer whose condition we are
474 description: Since the state or reason last changed.
477 description: State is the BGP session state.
480 description: Type indicates whether this peer is configured
481 via the node-to-node mesh, or via en explicit global or
482 per-node BGPPeer object.
487 - numberEstablishedV4
488 - numberEstablishedV6
489 - numberNotEstablishedV4
490 - numberNotEstablishedV6
493 description: LastUpdated is a timestamp representing the server time
494 when CalicoNodeStatus object last updated. It is represented in
495 RFC3339 form and is in UTC.
500 description: Routes reports routes known to the Calico BGP daemon
504 description: RoutesV4 represents IPv4 routes on the node.
506 description: CalicoNodeRoute contains the status of BGP routes
510 description: Destination of the route.
513 description: Gateway for the destination.
516 description: Interface for the destination
519 description: LearnedFrom contains information regarding
520 where this route originated.
523 description: If sourceType is NodeMesh or BGPPeer, IP
524 address of the router that sent us this route.
527 description: Type of the source where a route is learned
532 description: Type indicates if the route is being used for
538 description: RoutesV6 represents IPv6 routes on the node.
540 description: CalicoNodeRoute contains the status of BGP routes
544 description: Destination of the route.
547 description: Gateway for the destination.
550 description: Interface for the destination
553 description: LearnedFrom contains information regarding
554 where this route originated.
557 description: If sourceType is NodeMesh or BGPPeer, IP
558 address of the router that sent us this route.
561 description: Type of the source where a route is learned
566 description: Type indicates if the route is being used for
583 apiVersion: apiextensions.k8s.io/v1
584 kind: CustomResourceDefinition
586 name: clusterinformations.crd.projectcalico.org
588 group: crd.projectcalico.org
590 kind: ClusterInformation
591 listKind: ClusterInformationList
592 plural: clusterinformations
593 singular: clusterinformation
599 description: ClusterInformation contains the cluster specific information.
602 description: 'APIVersion defines the versioned schema of this representation
603 of an object. Servers should convert recognized schemas to the latest
604 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
607 description: 'Kind is a string value representing the REST resource this
608 object represents. Servers may infer this from the endpoint the client
609 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
614 description: ClusterInformationSpec contains the values of describing
618 description: CalicoVersion is the version of Calico that the cluster
622 description: ClusterGUID is the GUID of the cluster
625 description: ClusterType describes the type of the cluster
628 description: DatastoreReady is used during significant datastore migrations
629 to signal to components such as Felix that it should wait before
630 accessing the datastore.
633 description: Variant declares which variant of Calico should be active.
646 apiVersion: apiextensions.k8s.io/v1
647 kind: CustomResourceDefinition
649 name: felixconfigurations.crd.projectcalico.org
651 group: crd.projectcalico.org
653 kind: FelixConfiguration
654 listKind: FelixConfigurationList
655 plural: felixconfigurations
656 singular: felixconfiguration
662 description: Felix Configuration contains the configuration for Felix.
665 description: 'APIVersion defines the versioned schema of this representation
666 of an object. Servers should convert recognized schemas to the latest
667 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
670 description: 'Kind is a string value representing the REST resource this
671 object represents. Servers may infer this from the endpoint the client
672 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
677 description: FelixConfigurationSpec contains the values of the Felix configuration.
679 allowIPIPPacketsFromWorkloads:
680 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
681 will add a rule to drop IPIP encapsulated traffic from workloads
684 allowVXLANPacketsFromWorkloads:
685 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
686 will add a rule to drop VXLAN encapsulated traffic from workloads
690 description: 'Set source-destination-check on AWS EC2 instances. Accepted
691 value must be one of "DoNothing", "Enable" or "Disable". [Default:
698 bpfConnectTimeLoadBalancingEnabled:
699 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
700 controls whether Felix installs the connection-time load balancer. The
701 connect-time load balancer is required for the host to be able to
702 reach Kubernetes services and it improves the performance of pod-to-service
703 connections. The only reason to disable it is for debugging purposes. [Default:
707 description: BPFDataIfacePattern is a regular expression that controls
708 which interfaces Felix should attach BPF programs to in order to
709 catch traffic to/from the network. This needs to match the interfaces
710 that Calico workload traffic flows over as well as any interfaces
711 that handle incoming traffic to nodeports and services from outside
712 the cluster. It should not match the workload interfaces (usually
715 bpfDisableUnprivileged:
716 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
717 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
718 users cannot access Calico''s BPF maps and cannot insert their own
719 BPF programs to interfere with Calico''s. [Default: true]'
722 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
725 bpfExtToServiceConnmark:
726 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
727 mark that is set on connections from an external client to a local
728 service. This mark allows us to control how packets of that connection
729 are routed within the host and how is routing intepreted by RPF
732 bpfExternalServiceMode:
733 description: 'BPFExternalServiceMode in BPF mode, controls how connections
734 from outside the cluster to services (node ports and cluster IPs)
735 are forwarded to remote workloads. If set to "Tunnel" then both
736 request and response traffic is tunneled to the remote node. If
737 set to "DSR", the request traffic is tunneled but the response traffic
738 is sent directly from the remote node. In "DSR" mode, the remote
739 node appears to use the IP of the ingress node; this requires a
740 permissive L2 network. [Default: Tunnel]'
742 bpfKubeProxyEndpointSlicesEnabled:
743 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
744 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
746 bpfKubeProxyIptablesCleanupEnabled:
747 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
748 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
749 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
752 bpfKubeProxyMinSyncPeriod:
753 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
754 minimum time between updates to the dataplane for Felix''s embedded
755 kube-proxy. Lower values give reduced set-up latency. Higher values
756 reduce Felix CPU usage by batching up more work. [Default: 1s]'
759 description: 'BPFLogLevel controls the log level of the BPF programs
760 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
761 logs are emitted to the BPF trace pipe, accessible with the command
762 `tc exec bpf debug`. [Default: Off].'
765 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
766 top-level iptables chains by inserting a rule at the top of the
767 chain or by appending a rule at the bottom. insert is the safe default
768 since it prevents Calico''s rules from being bypassed. If you switch
769 to append mode, be sure that the other rules in the chains signal
770 acceptance by falling through to the Calico rules, otherwise the
771 Calico policy will be bypassed. [Default: insert]'
775 debugDisableLogDropping:
777 debugMemoryProfilePath:
779 debugSimulateCalcGraphHangAfter:
781 debugSimulateDataplaneHangAfter:
783 defaultEndpointToHostAction:
784 description: 'DefaultEndpointToHostAction controls what happens to
785 traffic that goes from a workload endpoint to the host itself (after
786 the traffic hits the endpoint egress policy). By default Calico
787 blocks traffic from workload endpoints to the host itself with an
788 iptables "DROP" action. If you want to allow some or all traffic
789 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
790 RETURN if you have your own rules in the iptables "INPUT" chain;
791 Calico will insert its rules at the top of that chain, then "RETURN"
792 packets to the "INPUT" chain once it has completed processing workload
793 endpoint egress policy. Use ACCEPT to unconditionally accept packets
794 from workloads after processing workload endpoint egress policy.
798 description: This defines the route protocol added to programmed device
799 routes, by default this will be RTPROT_BOOT when left blank.
801 deviceRouteSourceAddress:
802 description: This is the source address to use on programmed device
803 routes. By default the source address is left blank, leaving the
804 kernel to choose the source address used.
806 disableConntrackInvalidCheck:
808 endpointReportingDelay:
810 endpointReportingEnabled:
813 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
814 which may source tunnel traffic and have the tunneled traffic be
815 accepted at calico nodes.
819 failsafeInboundHostPorts:
820 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
821 and CIDRs that Felix will allow incoming traffic to host endpoints
822 on irrespective of the security policy. This is useful to avoid
823 accidentally cutting off a host with incorrect configuration. For
824 back-compatibility, if the protocol is not specified, it defaults
825 to "tcp". If a CIDR is not specified, it will allow traffic from
826 all addresses. To disable all inbound host ports, use the value
827 none. The default value allows ssh access and DHCP. [Default: tcp:22,
828 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
830 description: ProtoPort is combination of protocol, port, and CIDR.
831 Protocol and port must be specified.
844 failsafeOutboundHostPorts:
845 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
846 and CIDRs that Felix will allow outgoing traffic from host endpoints
847 to irrespective of the security policy. This is useful to avoid
848 accidentally cutting off a host with incorrect configuration. For
849 back-compatibility, if the protocol is not specified, it defaults
850 to "tcp". If a CIDR is not specified, it will allow traffic from
851 all addresses. To disable all outbound host ports, use the value
852 none. The default value opens etcd''s standard ports to ensure that
853 Felix does not get cut off from etcd as well as allowing DHCP and
854 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
855 tcp:6667, udp:53, udp:67]'
857 description: ProtoPort is combination of protocol, port, and CIDR.
858 Protocol and port must be specified.
871 featureDetectOverride:
872 description: FeatureDetectOverride is used to override the feature
873 detection. Values are specified in a comma separated list with no
874 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
875 "true" or "false" will force the feature, empty or omitted values
879 description: 'GenericXDPEnabled enables Generic XDP so network cards
880 that don''t support XDP offload or driver modes can use XDP. This
881 is not recommended since it doesn''t provide better performance
882 than iptables. [Default: false]'
891 description: 'InterfaceExclude is a comma-separated list of interfaces
892 that Felix should exclude when monitoring for host endpoints. The
893 default value ensures that Felix ignores Kubernetes'' IPVS dummy
894 interface, which is used internally by kube-proxy. If you want to
895 exclude multiple interface names using a single value, the list
896 supports regular expressions. For regular expressions you must wrap
897 the value with ''/''. For example having values ''/^kube/,veth1''
898 will exclude all interfaces that begin with ''kube'' and also the
899 interface ''veth1''. [Default: kube-ipvs0]'
902 description: 'InterfacePrefix is the interface name prefix that identifies
903 workload endpoints and so distinguishes them from host endpoint
904 interfaces. Note: in environments other than bare metal, the orchestrators
905 configure this appropriately. For example our Kubernetes and Docker
906 integrations set the ''cali'' value, and our OpenStack integration
907 sets the ''tap'' value. [Default: cali]'
909 interfaceRefreshInterval:
910 description: InterfaceRefreshInterval is the period at which Felix
911 rescans local interfaces to verify their state. The rescan can be
912 disabled by setting the interval to 0.
917 description: 'IPIPMTU is the MTU to set on the tunnel device. See
918 Configuring MTU [Default: 1440]'
920 ipsetsRefreshInterval:
921 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
922 all iptables state to ensure that no other process has accidentally
923 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
927 description: IptablesBackend specifies which backend of iptables will
928 be used. The default is legacy.
930 iptablesFilterAllowAction:
932 iptablesLockFilePath:
933 description: 'IptablesLockFilePath is the location of the iptables
934 lock file. You may need to change this if the lock file is not in
935 its standard location (for example if you have mapped it into Felix''s
936 container at a different path). [Default: /run/xtables.lock]'
938 iptablesLockProbeInterval:
939 description: 'IptablesLockProbeInterval is the time that Felix will
940 wait between attempts to acquire the iptables lock if it is not
941 available. Lower values make Felix more responsive when the lock
942 is contended, but use more CPU. [Default: 50ms]'
945 description: 'IptablesLockTimeout is the time that Felix will wait
946 for the iptables lock, or 0, to disable. To use this feature, Felix
947 must share the iptables lock file with all other processes that
948 also take the lock. When running Felix inside a container, this
949 requires the /run directory of the host to be mounted into the calico/node
950 or calico/felix container. [Default: 0s disabled]'
952 iptablesMangleAllowAction:
955 description: 'IptablesMarkMask is the mask that Felix selects its
956 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
957 at least 8 bits set, none of which clash with any other mark bits
958 in use on the system. [Default: 0xff000000]'
961 iptablesNATOutgoingInterfaceFilter:
963 iptablesPostWriteCheckInterval:
964 description: 'IptablesPostWriteCheckInterval is the period after Felix
965 has done a write to the dataplane that it schedules an extra read
966 back in order to check the write was not clobbered by another process.
967 This should only occur if another application on the system doesn''t
968 respect the iptables lock. [Default: 1s]'
970 iptablesRefreshInterval:
971 description: 'IptablesRefreshInterval is the period at which Felix
972 re-checks the IP sets in the dataplane to ensure that no other process
973 has accidentally broken Calico''s rules. Set to 0 to disable IP
974 sets refresh. Note: the default for this value is lower than the
975 other refresh intervals as a workaround for a Linux kernel bug that
976 was fixed in kernel version 4.11. If you are using v4.11 or greater
977 you may want to set this to, a higher value to reduce Felix CPU
978 usage. [Default: 10s]'
983 description: 'KubeNodePortRanges holds list of port ranges used for
984 service node ports. Only used if felix detects kube-proxy running
985 in ipvs mode. Felix uses these ranges to separate host and workload
986 traffic. [Default: 30000:32767].'
992 x-kubernetes-int-or-string: true
995 description: 'LogFilePath is the full path to the Felix log. Set to
996 none to disable file logging. [Default: /var/log/calico/felix.log]'
999 description: 'LogPrefix is the log prefix that Felix uses when rendering
1000 LOG rules. [Default: calico-packet]'
1003 description: 'LogSeverityFile is the log severity above which logs
1004 are sent to the log file. [Default: Info]'
1007 description: 'LogSeverityScreen is the log severity above which logs
1008 are sent to the stdout. [Default: Info]'
1011 description: 'LogSeveritySys is the log severity above which logs
1012 are sent to the syslog. Set to None for no logging to syslog. [Default:
1018 description: 'MetadataAddr is the IP address or domain name of the
1019 server that can answer VM queries for cloud-init metadata. In OpenStack,
1020 this corresponds to the machine running nova-api (or in Ubuntu,
1021 nova-api-metadata). A value of none (case insensitive) means that
1022 Felix should not set up any NAT rule for the metadata path. [Default:
1026 description: 'MetadataPort is the port of the metadata server. This,
1027 combined with global.MetadataAddr (if not ''None''), is used to
1028 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
1029 In most cases this should not need to be changed [Default: 8775].'
1032 description: MTUIfacePattern is a regular expression that controls
1033 which interfaces Felix should scan in order to calculate the host's
1034 MTU. This should not match workload interfaces (usually named cali...).
1037 description: NATOutgoingAddress specifies an address to use when performing
1038 source NAT for traffic in a natOutgoing pool that is leaving the
1039 network. By default the address used is an address on the interface
1040 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
1046 description: NATPortRange specifies the range of ports that is used
1047 for port mapping when doing outgoing NAT. When unset the default
1048 behavior of the network stack is used.
1050 x-kubernetes-int-or-string: true
1054 description: 'OpenstackRegion is the name of the region that a particular
1055 Felix belongs to. In a multi-region Calico/OpenStack deployment,
1056 this must be configured somehow for each Felix (here in the datamodel,
1057 or in felix.cfg or the environment on each compute node), and must
1058 match the [calico] openstack_region value configured in neutron.conf
1059 on each node. [Default: Empty]'
1061 policySyncPathPrefix:
1062 description: 'PolicySyncPathPrefix is used to by Felix to communicate
1063 policy changes to external services, like Application layer policy.
1066 prometheusGoMetricsEnabled:
1067 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
1068 collection, which the Prometheus client does by default, when set
1069 to false. This reduces the number of metrics reported, reducing
1070 Prometheus load. [Default: true]'
1072 prometheusMetricsEnabled:
1073 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
1074 server in Felix if set to true. [Default: false]'
1076 prometheusMetricsHost:
1077 description: 'PrometheusMetricsHost is the host that the Prometheus
1078 metrics server should bind to. [Default: empty]'
1080 prometheusMetricsPort:
1081 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
1082 metrics server should bind to. [Default: 9091]'
1084 prometheusProcessMetricsEnabled:
1085 description: 'PrometheusProcessMetricsEnabled disables process metrics
1086 collection, which the Prometheus client does by default, when set
1087 to false. This reduces the number of metrics reported, reducing
1088 Prometheus load. [Default: true]'
1090 prometheusWireGuardMetricsEnabled:
1091 description: 'PrometheusWireGuardMetricsEnabled disables wireguard
1092 metrics collection, which the Prometheus client does by default,
1093 when set to false. This reduces the number of metrics reported,
1094 reducing Prometheus load. [Default: true]'
1096 removeExternalRoutes:
1097 description: Whether or not to remove device routes that have not
1098 been programmed by Felix. Disabling this will allow external applications
1099 to also add device routes. This is enabled by default which means
1100 we will remove externally added routes.
1103 description: 'ReportingInterval is the interval at which Felix reports
1104 its status into the datastore or 0 to disable. Must be non-zero
1105 in OpenStack deployments. [Default: 30s]'
1108 description: 'ReportingTTL is the time-to-live setting for process-wide
1109 status reports. [Default: 90s]'
1111 routeRefreshInterval:
1112 description: 'RouteRefreshInterval is the period at which Felix re-checks
1113 the routes in the dataplane to ensure that no other process has
1114 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
1118 description: 'RouteSource configures where Felix gets its routing
1119 information. - WorkloadIPs: use workload endpoints to construct
1120 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
1123 description: Calico programs additional Linux route tables for various
1124 purposes. RouteTableRange specifies the indices of the route tables
1125 that Calico should use.
1135 serviceLoopPrevention:
1136 description: 'When service IP advertisement is enabled, prevent routing
1137 loops to service IPs that are not in use, by dropping or rejecting
1138 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
1139 in which case such routing loops continue to be allowed. [Default:
1142 sidecarAccelerationEnabled:
1143 description: 'SidecarAccelerationEnabled enables experimental sidecar
1144 acceleration [Default: false]'
1146 usageReportingEnabled:
1147 description: 'UsageReportingEnabled reports anonymous Calico version
1148 number and cluster size to projectcalico.org. Logs warnings returned
1149 by the usage server. For example, if a significant security vulnerability
1150 has been discovered in the version of Calico being used. [Default:
1153 usageReportingInitialDelay:
1154 description: 'UsageReportingInitialDelay controls the minimum delay
1155 before Felix makes a report. [Default: 300s]'
1157 usageReportingInterval:
1158 description: 'UsageReportingInterval controls the interval at which
1159 Felix makes reports. [Default: 86400s]'
1161 useInternalDataplaneDriver:
1166 description: 'VXLANMTU is the MTU to set on the tunnel device. See
1167 Configuring MTU [Default: 1440]'
1174 description: 'WireguardEnabled controls whether Wireguard is enabled.
1177 wireguardHostEncryptionEnabled:
1178 description: 'WireguardHostEncryptionEnabled controls whether Wireguard
1179 host-to-host encryption is enabled. [Default: false]'
1181 wireguardInterfaceName:
1182 description: 'WireguardInterfaceName specifies the name to use for
1183 the Wireguard interface. [Default: wg.calico]'
1185 wireguardListeningPort:
1186 description: 'WireguardListeningPort controls the listening port used
1187 by Wireguard. [Default: 51820]'
1190 description: 'WireguardMTU controls the MTU on the Wireguard interface.
1191 See Configuring MTU [Default: 1420]'
1193 wireguardRoutingRulePriority:
1194 description: 'WireguardRoutingRulePriority controls the priority value
1195 to use for the Wireguard routing rule. [Default: 99]'
1198 description: 'XDPEnabled enables XDP acceleration for suitable untracked
1199 incoming deny rules. [Default: true]'
1202 description: 'XDPRefreshInterval is the period at which Felix re-checks
1203 all XDP state to ensure that no other process has accidentally broken
1204 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
1205 refresh. [Default: 90s]'
1218 apiVersion: apiextensions.k8s.io/v1
1219 kind: CustomResourceDefinition
1221 name: globalnetworkpolicies.crd.projectcalico.org
1223 group: crd.projectcalico.org
1225 kind: GlobalNetworkPolicy
1226 listKind: GlobalNetworkPolicyList
1227 plural: globalnetworkpolicies
1228 singular: globalnetworkpolicy
1236 description: 'APIVersion defines the versioned schema of this representation
1237 of an object. Servers should convert recognized schemas to the latest
1238 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1241 description: 'Kind is a string value representing the REST resource this
1242 object represents. Servers may infer this from the endpoint the client
1243 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1250 description: ApplyOnForward indicates to apply the rules in this policy
1254 description: DoNotTrack indicates whether packets matched by the rules
1255 in this policy should go through the data plane's connection tracking,
1256 such as Linux conntrack. If True, the rules in this policy are
1257 applied before any data plane connection tracking, and packets allowed
1258 by this policy are marked as not to be tracked.
1261 description: The ordered set of egress rules. Each rule contains
1262 a set of packet match criteria and a corresponding action to apply.
1264 description: "A Rule encapsulates a set of match criteria and an
1265 action. Both selector-based security Policy and security Profiles
1266 reference rules - separated out as a list of rules for both ingress
1267 and egress packet matching. \n Each positive match criteria has
1268 a negated version, prefixed with \"Not\". All the match criteria
1269 within a rule must be satisfied for a packet to match. A single
1270 rule can contain the positive and negative version of a match
1271 and both must be satisfied for the rule to match."
1276 description: Destination contains the match criteria that apply
1277 to destination entity.
1280 description: "NamespaceSelector is an optional field that
1281 contains a selector expression. Only traffic that originates
1282 from (or terminates at) endpoints within the selected
1283 namespaces will be matched. When both NamespaceSelector
1284 and another selector are defined on the same rule, then
1285 only workload endpoints that are matched by both selectors
1286 will be selected by the rule. \n For NetworkPolicy, an
1287 empty NamespaceSelector implies that the Selector is limited
1288 to selecting only workload endpoints in the same namespace
1289 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1290 NamespaceSelector implies that the Selector is limited
1291 to selecting only GlobalNetworkSet or HostEndpoint. \n
1292 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1293 the Selector applies to workload endpoints across all
1297 description: Nets is an optional field that restricts the
1298 rule to only apply to traffic that originates from (or
1299 terminates at) IP addresses in any of the given subnets.
1304 description: NotNets is the negated version of the Nets
1310 description: NotPorts is the negated version of the Ports
1311 field. Since only some protocols have ports, if any ports
1312 are specified it requires the Protocol match in the Rule
1313 to be set to "TCP" or "UDP".
1319 x-kubernetes-int-or-string: true
1322 description: NotSelector is the negated version of the Selector
1323 field. See Selector field for subtleties with negated
1327 description: "Ports is an optional field that restricts
1328 the rule to only apply to traffic that has a source (destination)
1329 port that matches one of these ranges/values. This value
1330 is a list of integers or strings that represent ranges
1331 of ports. \n Since only some protocols have ports, if
1332 any ports are specified it requires the Protocol match
1333 in the Rule to be set to \"TCP\" or \"UDP\"."
1339 x-kubernetes-int-or-string: true
1342 description: "Selector is an optional field that contains
1343 a selector expression (see Policy for sample syntax).
1344 \ Only traffic that originates from (terminates at) endpoints
1345 matching the selector will be matched. \n Note that: in
1346 addition to the negated version of the Selector (see NotSelector
1347 below), the selector expression syntax itself supports
1348 negation. The two types of negation are subtly different.
1349 One negates the set of matched endpoints, the other negates
1350 the whole match: \n \tSelector = \"!has(my_label)\" matches
1351 packets that are from other Calico-controlled \tendpoints
1352 that do not have the label \"my_label\". \n \tNotSelector
1353 = \"has(my_label)\" matches packets that are not from
1354 Calico-controlled \tendpoints that do have the label \"my_label\".
1355 \n The effect is that the latter will accept packets from
1356 non-Calico sources whereas the former is limited to packets
1357 from Calico-controlled endpoints."
1360 description: ServiceAccounts is an optional field that restricts
1361 the rule to only apply to traffic that originates from
1362 (or terminates at) a pod running as a matching service
1366 description: Names is an optional field that restricts
1367 the rule to only apply to traffic that originates
1368 from (or terminates at) a pod running as a service
1369 account whose name is in the list.
1374 description: Selector is an optional field that restricts
1375 the rule to only apply to traffic that originates
1376 from (or terminates at) a pod running as a service
1377 account that matches the given label selector. If
1378 both Names and Selector are specified then they are
1383 description: "Services is an optional field that contains
1384 options for matching Kubernetes Services. If specified,
1385 only traffic that originates from or terminates at endpoints
1386 within the selected service(s) will be matched, and only
1387 to/from each endpoint's port. \n Services cannot be specified
1388 on the same rule as Selector, NotSelector, NamespaceSelector,
1389 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1390 can only be specified with Services on ingress rules."
1393 description: Name specifies the name of a Kubernetes
1397 description: Namespace specifies the namespace of the
1398 given Service. If left empty, the rule will match
1399 within this policy's namespace.
1404 description: HTTP contains match criteria that apply to HTTP
1408 description: Methods is an optional field that restricts
1409 the rule to apply only to HTTP requests that use one of
1410 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1411 methods are OR'd together.
1416 description: 'Paths is an optional field that restricts
1417 the rule to apply to HTTP requests that use one of the
1418 listed HTTP Paths. Multiple paths are OR''d together.
1419 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1420 ONLY specify either a `exact` or a `prefix` match. The
1421 validator will check for it.'
1423 description: 'HTTPPath specifies an HTTP path to match.
1424 It may be either of the form: exact: <path>: which matches
1425 the path exactly or prefix: <path-prefix>: which matches
1436 description: ICMP is an optional field that restricts the rule
1437 to apply to a specific type and code of ICMP traffic. This
1438 should only be specified if the Protocol field is set to "ICMP"
1442 description: Match on a specific ICMP code. If specified,
1443 the Type value must also be specified. This is a technical
1444 limitation imposed by the kernel's iptables firewall,
1445 which Calico uses to enforce the rule.
1448 description: Match on a specific ICMP type. For example
1449 a value of 8 refers to ICMP Echo Request (i.e. pings).
1453 description: IPVersion is an optional field that restricts the
1454 rule to only match a specific IP version.
1457 description: Metadata contains additional information for this
1461 additionalProperties:
1463 description: Annotations is a set of key value pairs that
1464 give extra information about the rule
1468 description: NotICMP is the negated version of the ICMP field.
1471 description: Match on a specific ICMP code. If specified,
1472 the Type value must also be specified. This is a technical
1473 limitation imposed by the kernel's iptables firewall,
1474 which Calico uses to enforce the rule.
1477 description: Match on a specific ICMP type. For example
1478 a value of 8 refers to ICMP Echo Request (i.e. pings).
1485 description: NotProtocol is the negated version of the Protocol
1488 x-kubernetes-int-or-string: true
1493 description: "Protocol is an optional field that restricts the
1494 rule to only apply to traffic of a specific IP protocol. Required
1495 if any of the EntityRules contain Ports (because ports only
1496 apply to certain protocols). \n Must be one of these string
1497 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1498 \"UDPLite\" or an integer in the range 1-255."
1500 x-kubernetes-int-or-string: true
1502 description: Source contains the match criteria that apply to
1506 description: "NamespaceSelector is an optional field that
1507 contains a selector expression. Only traffic that originates
1508 from (or terminates at) endpoints within the selected
1509 namespaces will be matched. When both NamespaceSelector
1510 and another selector are defined on the same rule, then
1511 only workload endpoints that are matched by both selectors
1512 will be selected by the rule. \n For NetworkPolicy, an
1513 empty NamespaceSelector implies that the Selector is limited
1514 to selecting only workload endpoints in the same namespace
1515 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1516 NamespaceSelector implies that the Selector is limited
1517 to selecting only GlobalNetworkSet or HostEndpoint. \n
1518 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1519 the Selector applies to workload endpoints across all
1523 description: Nets is an optional field that restricts the
1524 rule to only apply to traffic that originates from (or
1525 terminates at) IP addresses in any of the given subnets.
1530 description: NotNets is the negated version of the Nets
1536 description: NotPorts is the negated version of the Ports
1537 field. Since only some protocols have ports, if any ports
1538 are specified it requires the Protocol match in the Rule
1539 to be set to "TCP" or "UDP".
1545 x-kubernetes-int-or-string: true
1548 description: NotSelector is the negated version of the Selector
1549 field. See Selector field for subtleties with negated
1553 description: "Ports is an optional field that restricts
1554 the rule to only apply to traffic that has a source (destination)
1555 port that matches one of these ranges/values. This value
1556 is a list of integers or strings that represent ranges
1557 of ports. \n Since only some protocols have ports, if
1558 any ports are specified it requires the Protocol match
1559 in the Rule to be set to \"TCP\" or \"UDP\"."
1565 x-kubernetes-int-or-string: true
1568 description: "Selector is an optional field that contains
1569 a selector expression (see Policy for sample syntax).
1570 \ Only traffic that originates from (terminates at) endpoints
1571 matching the selector will be matched. \n Note that: in
1572 addition to the negated version of the Selector (see NotSelector
1573 below), the selector expression syntax itself supports
1574 negation. The two types of negation are subtly different.
1575 One negates the set of matched endpoints, the other negates
1576 the whole match: \n \tSelector = \"!has(my_label)\" matches
1577 packets that are from other Calico-controlled \tendpoints
1578 that do not have the label \"my_label\". \n \tNotSelector
1579 = \"has(my_label)\" matches packets that are not from
1580 Calico-controlled \tendpoints that do have the label \"my_label\".
1581 \n The effect is that the latter will accept packets from
1582 non-Calico sources whereas the former is limited to packets
1583 from Calico-controlled endpoints."
1586 description: ServiceAccounts is an optional field that restricts
1587 the rule to only apply to traffic that originates from
1588 (or terminates at) a pod running as a matching service
1592 description: Names is an optional field that restricts
1593 the rule to only apply to traffic that originates
1594 from (or terminates at) a pod running as a service
1595 account whose name is in the list.
1600 description: Selector is an optional field that restricts
1601 the rule to only apply to traffic that originates
1602 from (or terminates at) a pod running as a service
1603 account that matches the given label selector. If
1604 both Names and Selector are specified then they are
1609 description: "Services is an optional field that contains
1610 options for matching Kubernetes Services. If specified,
1611 only traffic that originates from or terminates at endpoints
1612 within the selected service(s) will be matched, and only
1613 to/from each endpoint's port. \n Services cannot be specified
1614 on the same rule as Selector, NotSelector, NamespaceSelector,
1615 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1616 can only be specified with Services on ingress rules."
1619 description: Name specifies the name of a Kubernetes
1623 description: Namespace specifies the namespace of the
1624 given Service. If left empty, the rule will match
1625 within this policy's namespace.
1634 description: The ordered set of ingress rules. Each rule contains
1635 a set of packet match criteria and a corresponding action to apply.
1637 description: "A Rule encapsulates a set of match criteria and an
1638 action. Both selector-based security Policy and security Profiles
1639 reference rules - separated out as a list of rules for both ingress
1640 and egress packet matching. \n Each positive match criteria has
1641 a negated version, prefixed with \"Not\". All the match criteria
1642 within a rule must be satisfied for a packet to match. A single
1643 rule can contain the positive and negative version of a match
1644 and both must be satisfied for the rule to match."
1649 description: Destination contains the match criteria that apply
1650 to destination entity.
1653 description: "NamespaceSelector is an optional field that
1654 contains a selector expression. Only traffic that originates
1655 from (or terminates at) endpoints within the selected
1656 namespaces will be matched. When both NamespaceSelector
1657 and another selector are defined on the same rule, then
1658 only workload endpoints that are matched by both selectors
1659 will be selected by the rule. \n For NetworkPolicy, an
1660 empty NamespaceSelector implies that the Selector is limited
1661 to selecting only workload endpoints in the same namespace
1662 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1663 NamespaceSelector implies that the Selector is limited
1664 to selecting only GlobalNetworkSet or HostEndpoint. \n
1665 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1666 the Selector applies to workload endpoints across all
1670 description: Nets is an optional field that restricts the
1671 rule to only apply to traffic that originates from (or
1672 terminates at) IP addresses in any of the given subnets.
1677 description: NotNets is the negated version of the Nets
1683 description: NotPorts is the negated version of the Ports
1684 field. Since only some protocols have ports, if any ports
1685 are specified it requires the Protocol match in the Rule
1686 to be set to "TCP" or "UDP".
1692 x-kubernetes-int-or-string: true
1695 description: NotSelector is the negated version of the Selector
1696 field. See Selector field for subtleties with negated
1700 description: "Ports is an optional field that restricts
1701 the rule to only apply to traffic that has a source (destination)
1702 port that matches one of these ranges/values. This value
1703 is a list of integers or strings that represent ranges
1704 of ports. \n Since only some protocols have ports, if
1705 any ports are specified it requires the Protocol match
1706 in the Rule to be set to \"TCP\" or \"UDP\"."
1712 x-kubernetes-int-or-string: true
1715 description: "Selector is an optional field that contains
1716 a selector expression (see Policy for sample syntax).
1717 \ Only traffic that originates from (terminates at) endpoints
1718 matching the selector will be matched. \n Note that: in
1719 addition to the negated version of the Selector (see NotSelector
1720 below), the selector expression syntax itself supports
1721 negation. The two types of negation are subtly different.
1722 One negates the set of matched endpoints, the other negates
1723 the whole match: \n \tSelector = \"!has(my_label)\" matches
1724 packets that are from other Calico-controlled \tendpoints
1725 that do not have the label \"my_label\". \n \tNotSelector
1726 = \"has(my_label)\" matches packets that are not from
1727 Calico-controlled \tendpoints that do have the label \"my_label\".
1728 \n The effect is that the latter will accept packets from
1729 non-Calico sources whereas the former is limited to packets
1730 from Calico-controlled endpoints."
1733 description: ServiceAccounts is an optional field that restricts
1734 the rule to only apply to traffic that originates from
1735 (or terminates at) a pod running as a matching service
1739 description: Names is an optional field that restricts
1740 the rule to only apply to traffic that originates
1741 from (or terminates at) a pod running as a service
1742 account whose name is in the list.
1747 description: Selector is an optional field that restricts
1748 the rule to only apply to traffic that originates
1749 from (or terminates at) a pod running as a service
1750 account that matches the given label selector. If
1751 both Names and Selector are specified then they are
1756 description: "Services is an optional field that contains
1757 options for matching Kubernetes Services. If specified,
1758 only traffic that originates from or terminates at endpoints
1759 within the selected service(s) will be matched, and only
1760 to/from each endpoint's port. \n Services cannot be specified
1761 on the same rule as Selector, NotSelector, NamespaceSelector,
1762 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1763 can only be specified with Services on ingress rules."
1766 description: Name specifies the name of a Kubernetes
1770 description: Namespace specifies the namespace of the
1771 given Service. If left empty, the rule will match
1772 within this policy's namespace.
1777 description: HTTP contains match criteria that apply to HTTP
1781 description: Methods is an optional field that restricts
1782 the rule to apply only to HTTP requests that use one of
1783 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1784 methods are OR'd together.
1789 description: 'Paths is an optional field that restricts
1790 the rule to apply to HTTP requests that use one of the
1791 listed HTTP Paths. Multiple paths are OR''d together.
1792 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1793 ONLY specify either a `exact` or a `prefix` match. The
1794 validator will check for it.'
1796 description: 'HTTPPath specifies an HTTP path to match.
1797 It may be either of the form: exact: <path>: which matches
1798 the path exactly or prefix: <path-prefix>: which matches
1809 description: ICMP is an optional field that restricts the rule
1810 to apply to a specific type and code of ICMP traffic. This
1811 should only be specified if the Protocol field is set to "ICMP"
1815 description: Match on a specific ICMP code. If specified,
1816 the Type value must also be specified. This is a technical
1817 limitation imposed by the kernel's iptables firewall,
1818 which Calico uses to enforce the rule.
1821 description: Match on a specific ICMP type. For example
1822 a value of 8 refers to ICMP Echo Request (i.e. pings).
1826 description: IPVersion is an optional field that restricts the
1827 rule to only match a specific IP version.
1830 description: Metadata contains additional information for this
1834 additionalProperties:
1836 description: Annotations is a set of key value pairs that
1837 give extra information about the rule
1841 description: NotICMP is the negated version of the ICMP field.
1844 description: Match on a specific ICMP code. If specified,
1845 the Type value must also be specified. This is a technical
1846 limitation imposed by the kernel's iptables firewall,
1847 which Calico uses to enforce the rule.
1850 description: Match on a specific ICMP type. For example
1851 a value of 8 refers to ICMP Echo Request (i.e. pings).
1858 description: NotProtocol is the negated version of the Protocol
1861 x-kubernetes-int-or-string: true
1866 description: "Protocol is an optional field that restricts the
1867 rule to only apply to traffic of a specific IP protocol. Required
1868 if any of the EntityRules contain Ports (because ports only
1869 apply to certain protocols). \n Must be one of these string
1870 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1871 \"UDPLite\" or an integer in the range 1-255."
1873 x-kubernetes-int-or-string: true
1875 description: Source contains the match criteria that apply to
1879 description: "NamespaceSelector is an optional field that
1880 contains a selector expression. Only traffic that originates
1881 from (or terminates at) endpoints within the selected
1882 namespaces will be matched. When both NamespaceSelector
1883 and another selector are defined on the same rule, then
1884 only workload endpoints that are matched by both selectors
1885 will be selected by the rule. \n For NetworkPolicy, an
1886 empty NamespaceSelector implies that the Selector is limited
1887 to selecting only workload endpoints in the same namespace
1888 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1889 NamespaceSelector implies that the Selector is limited
1890 to selecting only GlobalNetworkSet or HostEndpoint. \n
1891 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1892 the Selector applies to workload endpoints across all
1896 description: Nets is an optional field that restricts the
1897 rule to only apply to traffic that originates from (or
1898 terminates at) IP addresses in any of the given subnets.
1903 description: NotNets is the negated version of the Nets
1909 description: NotPorts is the negated version of the Ports
1910 field. Since only some protocols have ports, if any ports
1911 are specified it requires the Protocol match in the Rule
1912 to be set to "TCP" or "UDP".
1918 x-kubernetes-int-or-string: true
1921 description: NotSelector is the negated version of the Selector
1922 field. See Selector field for subtleties with negated
1926 description: "Ports is an optional field that restricts
1927 the rule to only apply to traffic that has a source (destination)
1928 port that matches one of these ranges/values. This value
1929 is a list of integers or strings that represent ranges
1930 of ports. \n Since only some protocols have ports, if
1931 any ports are specified it requires the Protocol match
1932 in the Rule to be set to \"TCP\" or \"UDP\"."
1938 x-kubernetes-int-or-string: true
1941 description: "Selector is an optional field that contains
1942 a selector expression (see Policy for sample syntax).
1943 \ Only traffic that originates from (terminates at) endpoints
1944 matching the selector will be matched. \n Note that: in
1945 addition to the negated version of the Selector (see NotSelector
1946 below), the selector expression syntax itself supports
1947 negation. The two types of negation are subtly different.
1948 One negates the set of matched endpoints, the other negates
1949 the whole match: \n \tSelector = \"!has(my_label)\" matches
1950 packets that are from other Calico-controlled \tendpoints
1951 that do not have the label \"my_label\". \n \tNotSelector
1952 = \"has(my_label)\" matches packets that are not from
1953 Calico-controlled \tendpoints that do have the label \"my_label\".
1954 \n The effect is that the latter will accept packets from
1955 non-Calico sources whereas the former is limited to packets
1956 from Calico-controlled endpoints."
1959 description: ServiceAccounts is an optional field that restricts
1960 the rule to only apply to traffic that originates from
1961 (or terminates at) a pod running as a matching service
1965 description: Names is an optional field that restricts
1966 the rule to only apply to traffic that originates
1967 from (or terminates at) a pod running as a service
1968 account whose name is in the list.
1973 description: Selector is an optional field that restricts
1974 the rule to only apply to traffic that originates
1975 from (or terminates at) a pod running as a service
1976 account that matches the given label selector. If
1977 both Names and Selector are specified then they are
1982 description: "Services is an optional field that contains
1983 options for matching Kubernetes Services. If specified,
1984 only traffic that originates from or terminates at endpoints
1985 within the selected service(s) will be matched, and only
1986 to/from each endpoint's port. \n Services cannot be specified
1987 on the same rule as Selector, NotSelector, NamespaceSelector,
1988 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1989 can only be specified with Services on ingress rules."
1992 description: Name specifies the name of a Kubernetes
1996 description: Namespace specifies the namespace of the
1997 given Service. If left empty, the rule will match
1998 within this policy's namespace.
2007 description: NamespaceSelector is an optional field for an expression
2008 used to select a pod based on namespaces.
2011 description: Order is an optional field that specifies the order in
2012 which the policy is applied. Policies with higher "order" are applied
2013 after those with lower order. If the order is omitted, it may be
2014 considered to be "infinite" - i.e. the policy will be applied last. Policies
2015 with identical order will be applied in alphanumerical order based
2016 on the Policy "Name".
2019 description: PreDNAT indicates to apply the rules in this policy before
2023 description: "The selector is an expression used to pick pick out
2024 the endpoints that the policy should be applied to. \n Selector
2025 expressions follow this syntax: \n \tlabel == \"string_literal\"
2026 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
2027 \ -> not equal; also matches if label is not present \tlabel in
2028 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
2029 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
2030 ... } -> true if the value of label X is not one of \"a\", \"b\",
2031 \"c\" \thas(label_name) -> True if that label is present \t! expr
2032 -> negation of expr \texpr && expr -> Short-circuit and \texpr
2033 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
2034 or the empty selector -> matches all endpoints. \n Label names are
2035 allowed to contain alphanumerics, -, _ and /. String literals are
2036 more permissive but they do not support escape characters. \n Examples
2037 (with made-up labels): \n \ttype == \"webserver\" && deployment
2038 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
2039 \"dev\" \t! has(label_name)"
2041 serviceAccountSelector:
2042 description: ServiceAccountSelector is an optional field for an expression
2043 used to select a pod based on service accounts.
2046 description: "Types indicates whether this policy applies to ingress,
2047 or to egress, or to both. When not explicitly specified (and so
2048 the value on creation is empty or nil), Calico defaults Types according
2049 to what Ingress and Egress rules are present in the policy. The
2050 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
2051 (including the case where there are also no Ingress rules) \n
2052 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
2053 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
2054 both Ingress and Egress rules. \n When the policy is read back again,
2055 Types will always be one of these values, never empty or nil."
2057 description: PolicyType enumerates the possible values of the PolicySpec
2072 apiVersion: apiextensions.k8s.io/v1
2073 kind: CustomResourceDefinition
2075 name: globalnetworksets.crd.projectcalico.org
2077 group: crd.projectcalico.org
2079 kind: GlobalNetworkSet
2080 listKind: GlobalNetworkSetList
2081 plural: globalnetworksets
2082 singular: globalnetworkset
2088 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
2089 that share labels to allow rules to refer to them via selectors. The labels
2090 of GlobalNetworkSet are not namespaced.
2093 description: 'APIVersion defines the versioned schema of this representation
2094 of an object. Servers should convert recognized schemas to the latest
2095 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2098 description: 'Kind is a string value representing the REST resource this
2099 object represents. Servers may infer this from the endpoint the client
2100 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2105 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
2109 description: The list of IP networks that belong to this set.
2124 apiVersion: apiextensions.k8s.io/v1
2125 kind: CustomResourceDefinition
2127 name: hostendpoints.crd.projectcalico.org
2129 group: crd.projectcalico.org
2132 listKind: HostEndpointList
2133 plural: hostendpoints
2134 singular: hostendpoint
2142 description: 'APIVersion defines the versioned schema of this representation
2143 of an object. Servers should convert recognized schemas to the latest
2144 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2147 description: 'Kind is a string value representing the REST resource this
2148 object represents. Servers may infer this from the endpoint the client
2149 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2154 description: HostEndpointSpec contains the specification for a HostEndpoint
2158 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
2159 If \"InterfaceName\" is not present, Calico will look for an interface
2160 matching any of the IPs in the list and apply policy to that. Note:
2161 \tWhen using the selector match criteria in an ingress or egress
2162 security Policy \tor Profile, Calico converts the selector into
2163 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
2164 is used for that purpose. (If only the interface \tname is specified,
2165 Calico does not learn the IPs of the interface for use in match
2171 description: "Either \"*\", or the name of a specific Linux interface
2172 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
2173 governs all traffic to, from or through the default network namespace
2174 of the host named by the \"Node\" field; entering and leaving that
2175 namespace via any interface, including those from/to non-host-networked
2176 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
2177 only governs traffic that enters or leaves the host through the
2178 specific interface named by InterfaceName, or - when InterfaceName
2179 is empty - through the specific interface that has one of the IPs
2180 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
2181 one expected IP must be specified. Only external interfaces (such
2182 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
2183 to protect traffic through a specific local workload interface.
2184 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
2185 initially just pre-DNAT policy. Please check Calico documentation
2186 for the latest position."
2189 description: The node name identifying the Calico node instance.
2192 description: Ports contains the endpoint's named ports, which may
2193 be referenced in security policy rules.
2205 x-kubernetes-int-or-string: true
2213 description: A list of identifiers of security Profile objects that
2214 apply to this endpoint. Each profile is applied in the order that
2215 they appear in this list. Profile rules are applied after the selector-based
2231 apiVersion: apiextensions.k8s.io/v1
2232 kind: CustomResourceDefinition
2234 name: ipamblocks.crd.projectcalico.org
2236 group: crd.projectcalico.org
2239 listKind: IPAMBlockList
2249 description: 'APIVersion defines the versioned schema of this representation
2250 of an object. Servers should convert recognized schemas to the latest
2251 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2254 description: 'Kind is a string value representing the REST resource this
2255 object represents. Servers may infer this from the endpoint the client
2256 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2261 description: IPAMBlockSpec contains the specification for an IPAMBlock
2277 additionalProperties:
2309 apiVersion: apiextensions.k8s.io/v1
2310 kind: CustomResourceDefinition
2312 name: ipamconfigs.crd.projectcalico.org
2314 group: crd.projectcalico.org
2317 listKind: IPAMConfigList
2319 singular: ipamconfig
2327 description: 'APIVersion defines the versioned schema of this representation
2328 of an object. Servers should convert recognized schemas to the latest
2329 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2332 description: 'Kind is a string value representing the REST resource this
2333 object represents. Servers may infer this from the endpoint the client
2334 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2339 description: IPAMConfigSpec contains the specification for an IPAMConfig
2345 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2346 that can be affine to each host.
2351 - autoAllocateBlocks
2364 apiVersion: apiextensions.k8s.io/v1
2365 kind: CustomResourceDefinition
2367 name: ipamhandles.crd.projectcalico.org
2369 group: crd.projectcalico.org
2372 listKind: IPAMHandleList
2374 singular: ipamhandle
2382 description: 'APIVersion defines the versioned schema of this representation
2383 of an object. Servers should convert recognized schemas to the latest
2384 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2387 description: 'Kind is a string value representing the REST resource this
2388 object represents. Servers may infer this from the endpoint the client
2389 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2394 description: IPAMHandleSpec contains the specification for an IPAMHandle
2398 additionalProperties:
2419 apiVersion: apiextensions.k8s.io/v1
2420 kind: CustomResourceDefinition
2422 name: ippools.crd.projectcalico.org
2424 group: crd.projectcalico.org
2427 listKind: IPPoolList
2437 description: 'APIVersion defines the versioned schema of this representation
2438 of an object. Servers should convert recognized schemas to the latest
2439 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2442 description: 'Kind is a string value representing the REST resource this
2443 object represents. Servers may infer this from the endpoint the client
2444 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2449 description: IPPoolSpec contains the specification for an IPPool resource.
2452 description: AllowedUse controls what the IP pool will be used for. If
2453 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
2458 description: The block size to use for IP address assignments from
2459 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2462 description: The pool CIDR.
2465 description: 'Disable exporting routes from this IP Pool''s CIDR over
2466 BGP. [Default: false]'
2469 description: When disabled is true, Calico IPAM will not assign addresses
2473 description: 'Deprecated: this field is only used for APIv1 backwards
2474 compatibility. Setting this field is not allowed, this field is
2475 for internal use only.'
2478 description: When enabled is true, ipip tunneling will be used
2479 to deliver packets to destinations within this pool.
2482 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2483 mode of "always" will also use IPIP tunneling for routing to
2484 destination IP addresses within this pool. A mode of "cross-subnet"
2485 will only use IPIP tunneling when the destination node is on
2486 a different subnet to the originating node. The default value
2487 (if not specified) is "always".
2491 description: Contains configuration for IPIP tunneling for this pool.
2492 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2496 description: 'Deprecated: this field is only used for APIv1 backwards
2497 compatibility. Setting this field is not allowed, this field is
2498 for internal use only.'
2501 description: When nat-outgoing is true, packets sent from Calico networked
2502 containers in this pool to destinations outside of this pool will
2506 description: Allows IPPool to allocate for a specific node by label
2510 description: Contains configuration for VXLAN tunneling for this pool.
2511 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2512 tunneling is disabled).
2527 apiVersion: apiextensions.k8s.io/v1
2528 kind: CustomResourceDefinition
2530 name: ipreservations.crd.projectcalico.org
2532 group: crd.projectcalico.org
2535 listKind: IPReservationList
2536 plural: ipreservations
2537 singular: ipreservation
2545 description: 'APIVersion defines the versioned schema of this representation
2546 of an object. Servers should convert recognized schemas to the latest
2547 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2550 description: 'Kind is a string value representing the REST resource this
2551 object represents. Servers may infer this from the endpoint the client
2552 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2557 description: IPReservationSpec contains the specification for an IPReservation
2561 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
2562 that Calico IPAM will exclude from new allocations.
2577 apiVersion: apiextensions.k8s.io/v1
2578 kind: CustomResourceDefinition
2580 name: kubecontrollersconfigurations.crd.projectcalico.org
2582 group: crd.projectcalico.org
2584 kind: KubeControllersConfiguration
2585 listKind: KubeControllersConfigurationList
2586 plural: kubecontrollersconfigurations
2587 singular: kubecontrollersconfiguration
2595 description: 'APIVersion defines the versioned schema of this representation
2596 of an object. Servers should convert recognized schemas to the latest
2597 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2600 description: 'Kind is a string value representing the REST resource this
2601 object represents. Servers may infer this from the endpoint the client
2602 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2607 description: KubeControllersConfigurationSpec contains the values of the
2608 Kubernetes controllers configuration.
2611 description: Controllers enables and configures individual Kubernetes
2615 description: Namespace enables and configures the namespace controller.
2616 Enabled by default, set to nil to disable.
2619 description: 'ReconcilerPeriod is the period to perform reconciliation
2620 with the Calico datastore. [Default: 5m]'
2624 description: Node enables and configures the node controller.
2625 Enabled by default, set to nil to disable.
2628 description: HostEndpoint controls syncing nodes to host endpoints.
2629 Disabled by default, set to nil to disable.
2632 description: 'AutoCreate enables automatic creation of
2633 host endpoints for every node. [Default: Disabled]'
2637 description: 'LeakGracePeriod is the period used by the controller
2638 to determine if an IP address has been leaked. Set to 0
2639 to disable IP garbage collection. [Default: 15m]'
2642 description: 'ReconcilerPeriod is the period to perform reconciliation
2643 with the Calico datastore. [Default: 5m]'
2646 description: 'SyncLabels controls whether to copy Kubernetes
2647 node labels to Calico nodes. [Default: Enabled]'
2651 description: Policy enables and configures the policy controller.
2652 Enabled by default, set to nil to disable.
2655 description: 'ReconcilerPeriod is the period to perform reconciliation
2656 with the Calico datastore. [Default: 5m]'
2660 description: ServiceAccount enables and configures the service
2661 account controller. Enabled by default, set to nil to disable.
2664 description: 'ReconcilerPeriod is the period to perform reconciliation
2665 with the Calico datastore. [Default: 5m]'
2669 description: WorkloadEndpoint enables and configures the workload
2670 endpoint controller. Enabled by default, set to nil to disable.
2673 description: 'ReconcilerPeriod is the period to perform reconciliation
2674 with the Calico datastore. [Default: 5m]'
2678 etcdV3CompactionPeriod:
2679 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2680 compaction requests. Set to 0 to disable. [Default: 10m]'
2683 description: 'HealthChecks enables or disables support for health
2684 checks [Default: Enabled]'
2687 description: 'LogSeverityScreen is the log severity above which logs
2688 are sent to the stdout. [Default: Info]'
2690 prometheusMetricsPort:
2691 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2692 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
2698 description: KubeControllersConfigurationStatus represents the status
2699 of the configuration. It's useful for admins to be able to see the actual
2700 config that was applied, which can be modified by environment variables
2701 on the kube-controllers process.
2704 additionalProperties:
2706 description: EnvironmentVars contains the environment variables on
2707 the kube-controllers that influenced the RunningConfig.
2710 description: RunningConfig contains the effective config that is running
2711 in the kube-controllers pod, after merging the API resource with
2712 any environment variables.
2715 description: Controllers enables and configures individual Kubernetes
2719 description: Namespace enables and configures the namespace
2720 controller. Enabled by default, set to nil to disable.
2723 description: 'ReconcilerPeriod is the period to perform
2724 reconciliation with the Calico datastore. [Default:
2729 description: Node enables and configures the node controller.
2730 Enabled by default, set to nil to disable.
2733 description: HostEndpoint controls syncing nodes to host
2734 endpoints. Disabled by default, set to nil to disable.
2737 description: 'AutoCreate enables automatic creation
2738 of host endpoints for every node. [Default: Disabled]'
2742 description: 'LeakGracePeriod is the period used by the
2743 controller to determine if an IP address has been leaked.
2744 Set to 0 to disable IP garbage collection. [Default:
2748 description: 'ReconcilerPeriod is the period to perform
2749 reconciliation with the Calico datastore. [Default:
2753 description: 'SyncLabels controls whether to copy Kubernetes
2754 node labels to Calico nodes. [Default: Enabled]'
2758 description: Policy enables and configures the policy controller.
2759 Enabled by default, set to nil to disable.
2762 description: 'ReconcilerPeriod is the period to perform
2763 reconciliation with the Calico datastore. [Default:
2768 description: ServiceAccount enables and configures the service
2769 account controller. Enabled by default, set to nil to disable.
2772 description: 'ReconcilerPeriod is the period to perform
2773 reconciliation with the Calico datastore. [Default:
2778 description: WorkloadEndpoint enables and configures the workload
2779 endpoint controller. Enabled by default, set to nil to disable.
2782 description: 'ReconcilerPeriod is the period to perform
2783 reconciliation with the Calico datastore. [Default:
2788 etcdV3CompactionPeriod:
2789 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2790 compaction requests. Set to 0 to disable. [Default: 10m]'
2793 description: 'HealthChecks enables or disables support for health
2794 checks [Default: Enabled]'
2797 description: 'LogSeverityScreen is the log severity above which
2798 logs are sent to the stdout. [Default: Info]'
2800 prometheusMetricsPort:
2801 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2802 metrics server should bind to. Set to 0 to disable. [Default:
2819 apiVersion: apiextensions.k8s.io/v1
2820 kind: CustomResourceDefinition
2822 name: networkpolicies.crd.projectcalico.org
2824 group: crd.projectcalico.org
2827 listKind: NetworkPolicyList
2828 plural: networkpolicies
2829 singular: networkpolicy
2837 description: 'APIVersion defines the versioned schema of this representation
2838 of an object. Servers should convert recognized schemas to the latest
2839 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2842 description: 'Kind is a string value representing the REST resource this
2843 object represents. Servers may infer this from the endpoint the client
2844 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2851 description: The ordered set of egress rules. Each rule contains
2852 a set of packet match criteria and a corresponding action to apply.
2854 description: "A Rule encapsulates a set of match criteria and an
2855 action. Both selector-based security Policy and security Profiles
2856 reference rules - separated out as a list of rules for both ingress
2857 and egress packet matching. \n Each positive match criteria has
2858 a negated version, prefixed with \"Not\". All the match criteria
2859 within a rule must be satisfied for a packet to match. A single
2860 rule can contain the positive and negative version of a match
2861 and both must be satisfied for the rule to match."
2866 description: Destination contains the match criteria that apply
2867 to destination entity.
2870 description: "NamespaceSelector is an optional field that
2871 contains a selector expression. Only traffic that originates
2872 from (or terminates at) endpoints within the selected
2873 namespaces will be matched. When both NamespaceSelector
2874 and another selector are defined on the same rule, then
2875 only workload endpoints that are matched by both selectors
2876 will be selected by the rule. \n For NetworkPolicy, an
2877 empty NamespaceSelector implies that the Selector is limited
2878 to selecting only workload endpoints in the same namespace
2879 as the NetworkPolicy. \n For NetworkPolicy, `global()`
2880 NamespaceSelector implies that the Selector is limited
2881 to selecting only GlobalNetworkSet or HostEndpoint. \n
2882 For GlobalNetworkPolicy, an empty NamespaceSelector implies
2883 the Selector applies to workload endpoints across all
2887 description: Nets is an optional field that restricts the
2888 rule to only apply to traffic that originates from (or
2889 terminates at) IP addresses in any of the given subnets.
2894 description: NotNets is the negated version of the Nets
2900 description: NotPorts is the negated version of the Ports
2901 field. Since only some protocols have ports, if any ports
2902 are specified it requires the Protocol match in the Rule
2903 to be set to "TCP" or "UDP".
2909 x-kubernetes-int-or-string: true
2912 description: NotSelector is the negated version of the Selector
2913 field. See Selector field for subtleties with negated
2917 description: "Ports is an optional field that restricts
2918 the rule to only apply to traffic that has a source (destination)
2919 port that matches one of these ranges/values. This value
2920 is a list of integers or strings that represent ranges
2921 of ports. \n Since only some protocols have ports, if
2922 any ports are specified it requires the Protocol match
2923 in the Rule to be set to \"TCP\" or \"UDP\"."
2929 x-kubernetes-int-or-string: true
2932 description: "Selector is an optional field that contains
2933 a selector expression (see Policy for sample syntax).
2934 \ Only traffic that originates from (terminates at) endpoints
2935 matching the selector will be matched. \n Note that: in
2936 addition to the negated version of the Selector (see NotSelector
2937 below), the selector expression syntax itself supports
2938 negation. The two types of negation are subtly different.
2939 One negates the set of matched endpoints, the other negates
2940 the whole match: \n \tSelector = \"!has(my_label)\" matches
2941 packets that are from other Calico-controlled \tendpoints
2942 that do not have the label \"my_label\". \n \tNotSelector
2943 = \"has(my_label)\" matches packets that are not from
2944 Calico-controlled \tendpoints that do have the label \"my_label\".
2945 \n The effect is that the latter will accept packets from
2946 non-Calico sources whereas the former is limited to packets
2947 from Calico-controlled endpoints."
2950 description: ServiceAccounts is an optional field that restricts
2951 the rule to only apply to traffic that originates from
2952 (or terminates at) a pod running as a matching service
2956 description: Names is an optional field that restricts
2957 the rule to only apply to traffic that originates
2958 from (or terminates at) a pod running as a service
2959 account whose name is in the list.
2964 description: Selector is an optional field that restricts
2965 the rule to only apply to traffic that originates
2966 from (or terminates at) a pod running as a service
2967 account that matches the given label selector. If
2968 both Names and Selector are specified then they are
2973 description: "Services is an optional field that contains
2974 options for matching Kubernetes Services. If specified,
2975 only traffic that originates from or terminates at endpoints
2976 within the selected service(s) will be matched, and only
2977 to/from each endpoint's port. \n Services cannot be specified
2978 on the same rule as Selector, NotSelector, NamespaceSelector,
2979 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2980 can only be specified with Services on ingress rules."
2983 description: Name specifies the name of a Kubernetes
2987 description: Namespace specifies the namespace of the
2988 given Service. If left empty, the rule will match
2989 within this policy's namespace.
2994 description: HTTP contains match criteria that apply to HTTP
2998 description: Methods is an optional field that restricts
2999 the rule to apply only to HTTP requests that use one of
3000 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3001 methods are OR'd together.
3006 description: 'Paths is an optional field that restricts
3007 the rule to apply to HTTP requests that use one of the
3008 listed HTTP Paths. Multiple paths are OR''d together.
3009 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3010 ONLY specify either a `exact` or a `prefix` match. The
3011 validator will check for it.'
3013 description: 'HTTPPath specifies an HTTP path to match.
3014 It may be either of the form: exact: <path>: which matches
3015 the path exactly or prefix: <path-prefix>: which matches
3026 description: ICMP is an optional field that restricts the rule
3027 to apply to a specific type and code of ICMP traffic. This
3028 should only be specified if the Protocol field is set to "ICMP"
3032 description: Match on a specific ICMP code. If specified,
3033 the Type value must also be specified. This is a technical
3034 limitation imposed by the kernel's iptables firewall,
3035 which Calico uses to enforce the rule.
3038 description: Match on a specific ICMP type. For example
3039 a value of 8 refers to ICMP Echo Request (i.e. pings).
3043 description: IPVersion is an optional field that restricts the
3044 rule to only match a specific IP version.
3047 description: Metadata contains additional information for this
3051 additionalProperties:
3053 description: Annotations is a set of key value pairs that
3054 give extra information about the rule
3058 description: NotICMP is the negated version of the ICMP field.
3061 description: Match on a specific ICMP code. If specified,
3062 the Type value must also be specified. This is a technical
3063 limitation imposed by the kernel's iptables firewall,
3064 which Calico uses to enforce the rule.
3067 description: Match on a specific ICMP type. For example
3068 a value of 8 refers to ICMP Echo Request (i.e. pings).
3075 description: NotProtocol is the negated version of the Protocol
3078 x-kubernetes-int-or-string: true
3083 description: "Protocol is an optional field that restricts the
3084 rule to only apply to traffic of a specific IP protocol. Required
3085 if any of the EntityRules contain Ports (because ports only
3086 apply to certain protocols). \n Must be one of these string
3087 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3088 \"UDPLite\" or an integer in the range 1-255."
3090 x-kubernetes-int-or-string: true
3092 description: Source contains the match criteria that apply to
3096 description: "NamespaceSelector is an optional field that
3097 contains a selector expression. Only traffic that originates
3098 from (or terminates at) endpoints within the selected
3099 namespaces will be matched. When both NamespaceSelector
3100 and another selector are defined on the same rule, then
3101 only workload endpoints that are matched by both selectors
3102 will be selected by the rule. \n For NetworkPolicy, an
3103 empty NamespaceSelector implies that the Selector is limited
3104 to selecting only workload endpoints in the same namespace
3105 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3106 NamespaceSelector implies that the Selector is limited
3107 to selecting only GlobalNetworkSet or HostEndpoint. \n
3108 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3109 the Selector applies to workload endpoints across all
3113 description: Nets is an optional field that restricts the
3114 rule to only apply to traffic that originates from (or
3115 terminates at) IP addresses in any of the given subnets.
3120 description: NotNets is the negated version of the Nets
3126 description: NotPorts is the negated version of the Ports
3127 field. Since only some protocols have ports, if any ports
3128 are specified it requires the Protocol match in the Rule
3129 to be set to "TCP" or "UDP".
3135 x-kubernetes-int-or-string: true
3138 description: NotSelector is the negated version of the Selector
3139 field. See Selector field for subtleties with negated
3143 description: "Ports is an optional field that restricts
3144 the rule to only apply to traffic that has a source (destination)
3145 port that matches one of these ranges/values. This value
3146 is a list of integers or strings that represent ranges
3147 of ports. \n Since only some protocols have ports, if
3148 any ports are specified it requires the Protocol match
3149 in the Rule to be set to \"TCP\" or \"UDP\"."
3155 x-kubernetes-int-or-string: true
3158 description: "Selector is an optional field that contains
3159 a selector expression (see Policy for sample syntax).
3160 \ Only traffic that originates from (terminates at) endpoints
3161 matching the selector will be matched. \n Note that: in
3162 addition to the negated version of the Selector (see NotSelector
3163 below), the selector expression syntax itself supports
3164 negation. The two types of negation are subtly different.
3165 One negates the set of matched endpoints, the other negates
3166 the whole match: \n \tSelector = \"!has(my_label)\" matches
3167 packets that are from other Calico-controlled \tendpoints
3168 that do not have the label \"my_label\". \n \tNotSelector
3169 = \"has(my_label)\" matches packets that are not from
3170 Calico-controlled \tendpoints that do have the label \"my_label\".
3171 \n The effect is that the latter will accept packets from
3172 non-Calico sources whereas the former is limited to packets
3173 from Calico-controlled endpoints."
3176 description: ServiceAccounts is an optional field that restricts
3177 the rule to only apply to traffic that originates from
3178 (or terminates at) a pod running as a matching service
3182 description: Names is an optional field that restricts
3183 the rule to only apply to traffic that originates
3184 from (or terminates at) a pod running as a service
3185 account whose name is in the list.
3190 description: Selector is an optional field that restricts
3191 the rule to only apply to traffic that originates
3192 from (or terminates at) a pod running as a service
3193 account that matches the given label selector. If
3194 both Names and Selector are specified then they are
3199 description: "Services is an optional field that contains
3200 options for matching Kubernetes Services. If specified,
3201 only traffic that originates from or terminates at endpoints
3202 within the selected service(s) will be matched, and only
3203 to/from each endpoint's port. \n Services cannot be specified
3204 on the same rule as Selector, NotSelector, NamespaceSelector,
3205 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3206 can only be specified with Services on ingress rules."
3209 description: Name specifies the name of a Kubernetes
3213 description: Namespace specifies the namespace of the
3214 given Service. If left empty, the rule will match
3215 within this policy's namespace.
3224 description: The ordered set of ingress rules. Each rule contains
3225 a set of packet match criteria and a corresponding action to apply.
3227 description: "A Rule encapsulates a set of match criteria and an
3228 action. Both selector-based security Policy and security Profiles
3229 reference rules - separated out as a list of rules for both ingress
3230 and egress packet matching. \n Each positive match criteria has
3231 a negated version, prefixed with \"Not\". All the match criteria
3232 within a rule must be satisfied for a packet to match. A single
3233 rule can contain the positive and negative version of a match
3234 and both must be satisfied for the rule to match."
3239 description: Destination contains the match criteria that apply
3240 to destination entity.
3243 description: "NamespaceSelector is an optional field that
3244 contains a selector expression. Only traffic that originates
3245 from (or terminates at) endpoints within the selected
3246 namespaces will be matched. When both NamespaceSelector
3247 and another selector are defined on the same rule, then
3248 only workload endpoints that are matched by both selectors
3249 will be selected by the rule. \n For NetworkPolicy, an
3250 empty NamespaceSelector implies that the Selector is limited
3251 to selecting only workload endpoints in the same namespace
3252 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3253 NamespaceSelector implies that the Selector is limited
3254 to selecting only GlobalNetworkSet or HostEndpoint. \n
3255 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3256 the Selector applies to workload endpoints across all
3260 description: Nets is an optional field that restricts the
3261 rule to only apply to traffic that originates from (or
3262 terminates at) IP addresses in any of the given subnets.
3267 description: NotNets is the negated version of the Nets
3273 description: NotPorts is the negated version of the Ports
3274 field. Since only some protocols have ports, if any ports
3275 are specified it requires the Protocol match in the Rule
3276 to be set to "TCP" or "UDP".
3282 x-kubernetes-int-or-string: true
3285 description: NotSelector is the negated version of the Selector
3286 field. See Selector field for subtleties with negated
3290 description: "Ports is an optional field that restricts
3291 the rule to only apply to traffic that has a source (destination)
3292 port that matches one of these ranges/values. This value
3293 is a list of integers or strings that represent ranges
3294 of ports. \n Since only some protocols have ports, if
3295 any ports are specified it requires the Protocol match
3296 in the Rule to be set to \"TCP\" or \"UDP\"."
3302 x-kubernetes-int-or-string: true
3305 description: "Selector is an optional field that contains
3306 a selector expression (see Policy for sample syntax).
3307 \ Only traffic that originates from (terminates at) endpoints
3308 matching the selector will be matched. \n Note that: in
3309 addition to the negated version of the Selector (see NotSelector
3310 below), the selector expression syntax itself supports
3311 negation. The two types of negation are subtly different.
3312 One negates the set of matched endpoints, the other negates
3313 the whole match: \n \tSelector = \"!has(my_label)\" matches
3314 packets that are from other Calico-controlled \tendpoints
3315 that do not have the label \"my_label\". \n \tNotSelector
3316 = \"has(my_label)\" matches packets that are not from
3317 Calico-controlled \tendpoints that do have the label \"my_label\".
3318 \n The effect is that the latter will accept packets from
3319 non-Calico sources whereas the former is limited to packets
3320 from Calico-controlled endpoints."
3323 description: ServiceAccounts is an optional field that restricts
3324 the rule to only apply to traffic that originates from
3325 (or terminates at) a pod running as a matching service
3329 description: Names is an optional field that restricts
3330 the rule to only apply to traffic that originates
3331 from (or terminates at) a pod running as a service
3332 account whose name is in the list.
3337 description: Selector is an optional field that restricts
3338 the rule to only apply to traffic that originates
3339 from (or terminates at) a pod running as a service
3340 account that matches the given label selector. If
3341 both Names and Selector are specified then they are
3346 description: "Services is an optional field that contains
3347 options for matching Kubernetes Services. If specified,
3348 only traffic that originates from or terminates at endpoints
3349 within the selected service(s) will be matched, and only
3350 to/from each endpoint's port. \n Services cannot be specified
3351 on the same rule as Selector, NotSelector, NamespaceSelector,
3352 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3353 can only be specified with Services on ingress rules."
3356 description: Name specifies the name of a Kubernetes
3360 description: Namespace specifies the namespace of the
3361 given Service. If left empty, the rule will match
3362 within this policy's namespace.
3367 description: HTTP contains match criteria that apply to HTTP
3371 description: Methods is an optional field that restricts
3372 the rule to apply only to HTTP requests that use one of
3373 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3374 methods are OR'd together.
3379 description: 'Paths is an optional field that restricts
3380 the rule to apply to HTTP requests that use one of the
3381 listed HTTP Paths. Multiple paths are OR''d together.
3382 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3383 ONLY specify either a `exact` or a `prefix` match. The
3384 validator will check for it.'
3386 description: 'HTTPPath specifies an HTTP path to match.
3387 It may be either of the form: exact: <path>: which matches
3388 the path exactly or prefix: <path-prefix>: which matches
3399 description: ICMP is an optional field that restricts the rule
3400 to apply to a specific type and code of ICMP traffic. This
3401 should only be specified if the Protocol field is set to "ICMP"
3405 description: Match on a specific ICMP code. If specified,
3406 the Type value must also be specified. This is a technical
3407 limitation imposed by the kernel's iptables firewall,
3408 which Calico uses to enforce the rule.
3411 description: Match on a specific ICMP type. For example
3412 a value of 8 refers to ICMP Echo Request (i.e. pings).
3416 description: IPVersion is an optional field that restricts the
3417 rule to only match a specific IP version.
3420 description: Metadata contains additional information for this
3424 additionalProperties:
3426 description: Annotations is a set of key value pairs that
3427 give extra information about the rule
3431 description: NotICMP is the negated version of the ICMP field.
3434 description: Match on a specific ICMP code. If specified,
3435 the Type value must also be specified. This is a technical
3436 limitation imposed by the kernel's iptables firewall,
3437 which Calico uses to enforce the rule.
3440 description: Match on a specific ICMP type. For example
3441 a value of 8 refers to ICMP Echo Request (i.e. pings).
3448 description: NotProtocol is the negated version of the Protocol
3451 x-kubernetes-int-or-string: true
3456 description: "Protocol is an optional field that restricts the
3457 rule to only apply to traffic of a specific IP protocol. Required
3458 if any of the EntityRules contain Ports (because ports only
3459 apply to certain protocols). \n Must be one of these string
3460 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3461 \"UDPLite\" or an integer in the range 1-255."
3463 x-kubernetes-int-or-string: true
3465 description: Source contains the match criteria that apply to
3469 description: "NamespaceSelector is an optional field that
3470 contains a selector expression. Only traffic that originates
3471 from (or terminates at) endpoints within the selected
3472 namespaces will be matched. When both NamespaceSelector
3473 and another selector are defined on the same rule, then
3474 only workload endpoints that are matched by both selectors
3475 will be selected by the rule. \n For NetworkPolicy, an
3476 empty NamespaceSelector implies that the Selector is limited
3477 to selecting only workload endpoints in the same namespace
3478 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3479 NamespaceSelector implies that the Selector is limited
3480 to selecting only GlobalNetworkSet or HostEndpoint. \n
3481 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3482 the Selector applies to workload endpoints across all
3486 description: Nets is an optional field that restricts the
3487 rule to only apply to traffic that originates from (or
3488 terminates at) IP addresses in any of the given subnets.
3493 description: NotNets is the negated version of the Nets
3499 description: NotPorts is the negated version of the Ports
3500 field. Since only some protocols have ports, if any ports
3501 are specified it requires the Protocol match in the Rule
3502 to be set to "TCP" or "UDP".
3508 x-kubernetes-int-or-string: true
3511 description: NotSelector is the negated version of the Selector
3512 field. See Selector field for subtleties with negated
3516 description: "Ports is an optional field that restricts
3517 the rule to only apply to traffic that has a source (destination)
3518 port that matches one of these ranges/values. This value
3519 is a list of integers or strings that represent ranges
3520 of ports. \n Since only some protocols have ports, if
3521 any ports are specified it requires the Protocol match
3522 in the Rule to be set to \"TCP\" or \"UDP\"."
3528 x-kubernetes-int-or-string: true
3531 description: "Selector is an optional field that contains
3532 a selector expression (see Policy for sample syntax).
3533 \ Only traffic that originates from (terminates at) endpoints
3534 matching the selector will be matched. \n Note that: in
3535 addition to the negated version of the Selector (see NotSelector
3536 below), the selector expression syntax itself supports
3537 negation. The two types of negation are subtly different.
3538 One negates the set of matched endpoints, the other negates
3539 the whole match: \n \tSelector = \"!has(my_label)\" matches
3540 packets that are from other Calico-controlled \tendpoints
3541 that do not have the label \"my_label\". \n \tNotSelector
3542 = \"has(my_label)\" matches packets that are not from
3543 Calico-controlled \tendpoints that do have the label \"my_label\".
3544 \n The effect is that the latter will accept packets from
3545 non-Calico sources whereas the former is limited to packets
3546 from Calico-controlled endpoints."
3549 description: ServiceAccounts is an optional field that restricts
3550 the rule to only apply to traffic that originates from
3551 (or terminates at) a pod running as a matching service
3555 description: Names is an optional field that restricts
3556 the rule to only apply to traffic that originates
3557 from (or terminates at) a pod running as a service
3558 account whose name is in the list.
3563 description: Selector is an optional field that restricts
3564 the rule to only apply to traffic that originates
3565 from (or terminates at) a pod running as a service
3566 account that matches the given label selector. If
3567 both Names and Selector are specified then they are
3572 description: "Services is an optional field that contains
3573 options for matching Kubernetes Services. If specified,
3574 only traffic that originates from or terminates at endpoints
3575 within the selected service(s) will be matched, and only
3576 to/from each endpoint's port. \n Services cannot be specified
3577 on the same rule as Selector, NotSelector, NamespaceSelector,
3578 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3579 can only be specified with Services on ingress rules."
3582 description: Name specifies the name of a Kubernetes
3586 description: Namespace specifies the namespace of the
3587 given Service. If left empty, the rule will match
3588 within this policy's namespace.
3597 description: Order is an optional field that specifies the order in
3598 which the policy is applied. Policies with higher "order" are applied
3599 after those with lower order. If the order is omitted, it may be
3600 considered to be "infinite" - i.e. the policy will be applied last. Policies
3601 with identical order will be applied in alphanumerical order based
3602 on the Policy "Name".
3605 description: "The selector is an expression used to pick pick out
3606 the endpoints that the policy should be applied to. \n Selector
3607 expressions follow this syntax: \n \tlabel == \"string_literal\"
3608 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3609 \ -> not equal; also matches if label is not present \tlabel in
3610 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3611 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3612 ... } -> true if the value of label X is not one of \"a\", \"b\",
3613 \"c\" \thas(label_name) -> True if that label is present \t! expr
3614 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3615 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3616 or the empty selector -> matches all endpoints. \n Label names are
3617 allowed to contain alphanumerics, -, _ and /. String literals are
3618 more permissive but they do not support escape characters. \n Examples
3619 (with made-up labels): \n \ttype == \"webserver\" && deployment
3620 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3621 \"dev\" \t! has(label_name)"
3623 serviceAccountSelector:
3624 description: ServiceAccountSelector is an optional field for an expression
3625 used to select a pod based on service accounts.
3628 description: "Types indicates whether this policy applies to ingress,
3629 or to egress, or to both. When not explicitly specified (and so
3630 the value on creation is empty or nil), Calico defaults Types according
3631 to what Ingress and Egress are present in the policy. The default
3632 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3633 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3634 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3635 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3636 \n When the policy is read back again, Types will always be one
3637 of these values, never empty or nil."
3639 description: PolicyType enumerates the possible values of the PolicySpec
3654 apiVersion: apiextensions.k8s.io/v1
3655 kind: CustomResourceDefinition
3657 name: networksets.crd.projectcalico.org
3659 group: crd.projectcalico.org
3662 listKind: NetworkSetList
3664 singular: networkset
3670 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3673 description: 'APIVersion defines the versioned schema of this representation
3674 of an object. Servers should convert recognized schemas to the latest
3675 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3678 description: 'Kind is a string value representing the REST resource this
3679 object represents. Servers may infer this from the endpoint the client
3680 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3685 description: NetworkSetSpec contains the specification for a NetworkSet
3689 description: The list of IP networks that belong to this set.
3705 kind: ServiceAccount
3707 name: calico-kube-controllers
3708 namespace: kube-system
3711 kind: ServiceAccount
3714 namespace: kube-system
3716 apiVersion: rbac.authorization.k8s.io/v1
3719 name: calico-kube-controllers
3738 - crd.projectcalico.org
3745 - crd.projectcalico.org
3758 - crd.projectcalico.org
3768 - crd.projectcalico.org
3770 - clusterinformations
3776 - crd.projectcalico.org
3778 - kubecontrollersconfigurations
3785 apiVersion: rbac.authorization.k8s.io/v1
3850 - crd.projectcalico.org
3852 - globalfelixconfigs
3853 - felixconfigurations
3860 - globalnetworkpolicies
3864 - clusterinformations
3867 - caliconodestatuses
3873 - crd.projectcalico.org
3876 - felixconfigurations
3877 - clusterinformations
3882 - crd.projectcalico.org
3884 - caliconodestatuses
3896 - crd.projectcalico.org
3904 - crd.projectcalico.org
3916 - crd.projectcalico.org
3922 - crd.projectcalico.org
3934 apiVersion: rbac.authorization.k8s.io/v1
3935 kind: ClusterRoleBinding
3937 name: calico-kube-controllers
3939 apiGroup: rbac.authorization.k8s.io
3941 name: calico-kube-controllers
3943 - kind: ServiceAccount
3944 name: calico-kube-controllers
3945 namespace: kube-system
3947 apiVersion: rbac.authorization.k8s.io/v1
3948 kind: ClusterRoleBinding
3952 apiGroup: rbac.authorization.k8s.io
3956 - kind: ServiceAccount
3958 namespace: kube-system
3962 calico_backend: bird
3963 cni_network_config: |-
3965 "name": "k8s-pod-network",
3966 "cniVersion": "0.3.1",
3970 "log_level": "info",
3971 "log_file_path": "/var/log/calico/cni/cni.log",
3972 "datastore_type": "kubernetes",
3973 "nodename": "__KUBERNETES_NODE_NAME__",
3976 "type": "calico-ipam"
3982 "kubeconfig": "__KUBECONFIG_FILEPATH__"
3988 "capabilities": {"portMappings": true}
3991 "type": "bandwidth",
3992 "capabilities": {"bandwidth": true}
3996 typha_service_name: none
4001 namespace: kube-system
4007 k8s-app: calico-kube-controllers
4008 name: calico-kube-controllers
4009 namespace: kube-system
4014 k8s-app: calico-kube-controllers
4020 k8s-app: calico-kube-controllers
4021 name: calico-kube-controllers
4022 namespace: kube-system
4026 - name: ENABLED_CONTROLLERS
4028 - name: DATASTORE_TYPE
4030 image: docker.io/calico/kube-controllers:v3.22.1
4034 - /usr/bin/check-status
4037 initialDelaySeconds: 10
4040 name: calico-kube-controllers
4044 - /usr/bin/check-status
4048 kubernetes.io/os: linux
4049 priorityClassName: system-cluster-critical
4050 serviceAccountName: calico-kube-controllers
4052 - key: CriticalAddonsOnly
4054 - effect: NoSchedule
4055 key: node-role.kubernetes.io/master
4057 apiVersion: policy/v1beta1
4058 kind: PodDisruptionBudget
4061 k8s-app: calico-kube-controllers
4062 name: calico-kube-controllers
4063 namespace: kube-system
4068 k8s-app: calico-kube-controllers
4074 k8s-app: calico-node
4076 namespace: kube-system
4080 k8s-app: calico-node
4084 k8s-app: calico-node
4088 - name: IP_AUTODETECTION_METHOD
4089 value: can-reach=www.google.com
4090 - name: DATASTORE_TYPE
4092 - name: WAIT_FOR_DATASTORE
4097 fieldPath: spec.nodeName
4098 - name: CALICO_NETWORKING_BACKEND
4103 - name: CLUSTER_TYPE
4107 - name: CALICO_IPV4POOL_IPIP
4109 - name: CALICO_IPV4POOL_VXLAN
4111 - name: FELIX_IPINIPMTU
4116 - name: FELIX_VXLANMTU
4121 - name: FELIX_WIREGUARDMTU
4126 - name: CALICO_DISABLE_FILE_LOGGING
4128 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
4130 - name: FELIX_IPV6SUPPORT
4132 - name: FELIX_HEALTHENABLED
4136 name: kubernetes-services-endpoint
4138 image: docker.io/calico/node:v3.22.1
4152 initialDelaySeconds: 10
4170 - mountPath: /host/etc/cni/net.d
4173 - mountPath: /lib/modules
4176 - mountPath: /run/xtables.lock
4179 - mountPath: /var/run/calico
4180 name: var-run-calico
4182 - mountPath: /var/lib/calico
4183 name: var-lib-calico
4185 - mountPath: /var/run/nodeagent
4187 - mountPath: /sys/fs/
4188 mountPropagation: Bidirectional
4190 - mountPath: /var/log/calico/cni
4196 - /opt/cni/bin/calico-ipam
4199 - name: KUBERNETES_NODE_NAME
4202 fieldPath: spec.nodeName
4203 - name: CALICO_NETWORKING_BACKEND
4210 name: kubernetes-services-endpoint
4212 image: docker.io/calico/cni:v3.22.1
4217 - mountPath: /var/lib/cni/networks
4218 name: host-local-net-dir
4219 - mountPath: /host/opt/cni/bin
4222 - /opt/cni/bin/install
4224 - name: CNI_CONF_NAME
4225 value: 10-calico.conflist
4226 - name: CNI_NETWORK_CONFIG
4229 key: cni_network_config
4231 - name: KUBERNETES_NODE_NAME
4234 fieldPath: spec.nodeName
4244 name: kubernetes-services-endpoint
4246 image: docker.io/calico/cni:v3.22.1
4251 - mountPath: /host/opt/cni/bin
4253 - mountPath: /host/etc/cni/net.d
4255 - image: docker.io/calico/pod2daemon-flexvol:v3.22.1
4256 name: flexvol-driver
4260 - mountPath: /host/driver
4261 name: flexvol-driver-host
4263 kubernetes.io/os: linux
4264 priorityClassName: system-node-critical
4265 serviceAccountName: calico-node
4266 terminationGracePeriodSeconds: 0
4268 - effect: NoSchedule
4270 - key: CriticalAddonsOnly
4279 path: /var/run/calico
4280 name: var-run-calico
4282 path: /var/lib/calico
4283 name: var-lib-calico
4285 path: /run/xtables.lock
4290 type: DirectoryOrCreate
4296 path: /etc/cni/net.d
4299 path: /var/log/calico/cni
4302 path: /var/lib/cni/networks
4303 name: host-local-net-dir
4305 path: /var/run/nodeagent
4306 type: DirectoryOrCreate
4309 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
4310 type: DirectoryOrCreate
4311 name: flexvol-driver-host
4318 creationTimestamp: null
4319 name: {{ .Values.clusterName }}-calico-addon
4321 {{- if eq .Values.ipam "dualstack" }}
4326 apiVersion: apiextensions.k8s.io/v1
4327 kind: CustomResourceDefinition
4329 name: bgpconfigurations.crd.projectcalico.org
4331 group: crd.projectcalico.org
4333 kind: BGPConfiguration
4334 listKind: BGPConfigurationList
4335 plural: bgpconfigurations
4336 singular: bgpconfiguration
4342 description: BGPConfiguration contains the configuration for any BGP routing.
4345 description: 'APIVersion defines the versioned schema of this representation
4346 of an object. Servers should convert recognized schemas to the latest
4347 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4350 description: 'Kind is a string value representing the REST resource this
4351 object represents. Servers may infer this from the endpoint the client
4352 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4357 description: BGPConfigurationSpec contains the values of the BGP configuration.
4360 description: 'ASNumber is the default AS number used by a node. [Default:
4365 description: Communities is a list of BGP community values and their
4366 arbitrary names for tagging routes.
4368 description: Community contains standard or large community value
4372 description: Name given to community value.
4375 description: Value must be of format `aa:nn` or `aa:nn:mm`.
4376 For standard community use `aa:nn` format, where `aa` and
4377 `nn` are 16 bit number. For large community use `aa:nn:mm`
4378 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
4379 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
4380 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
4385 description: ListenPort is the port where BGP protocol should listen.
4391 description: 'LogSeverityScreen is the log severity above which logs
4392 are sent to the stdout. [Default: INFO]'
4394 nodeToNodeMeshEnabled:
4395 description: 'NodeToNodeMeshEnabled sets whether full node to node
4396 BGP mesh is enabled. [Default: true]'
4398 prefixAdvertisements:
4399 description: PrefixAdvertisements contains per-prefix advertisement
4402 description: PrefixAdvertisement configures advertisement properties
4403 for the specified CIDR.
4406 description: CIDR for which properties should be advertised.
4409 description: Communities can be list of either community names
4410 already defined in `Specs.Communities` or community value
4411 of format `aa:nn` or `aa:nn:mm`. For standard community use
4412 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
4413 large community use `aa:nn:mm` format, where `aa`, `nn` and
4414 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
4415 `mm` are per-AS identifier.
4422 description: ServiceClusterIPs are the CIDR blocks from which service
4423 cluster IPs are allocated. If specified, Calico will advertise these
4424 blocks, as well as any cluster IPs within them.
4426 description: ServiceClusterIPBlock represents a single allowed ClusterIP
4434 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
4435 Service External IPs. Kubernetes Service ExternalIPs will only be
4436 advertised if they are within one of these blocks.
4438 description: ServiceExternalIPBlock represents a single allowed
4439 External IP CIDR block.
4445 serviceLoadBalancerIPs:
4446 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
4447 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
4448 IPs will only be advertised if they are within one of these blocks.
4450 description: ServiceLoadBalancerIPBlock represents a single allowed
4451 LoadBalancer IP CIDR block.
4468 apiVersion: apiextensions.k8s.io/v1
4469 kind: CustomResourceDefinition
4471 name: bgppeers.crd.projectcalico.org
4473 group: crd.projectcalico.org
4476 listKind: BGPPeerList
4486 description: 'APIVersion defines the versioned schema of this representation
4487 of an object. Servers should convert recognized schemas to the latest
4488 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4491 description: 'Kind is a string value representing the REST resource this
4492 object represents. Servers may infer this from the endpoint the client
4493 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4498 description: BGPPeerSpec contains the specification for a BGPPeer resource.
4501 description: The AS Number of the peer.
4504 keepOriginalNextHop:
4505 description: Option to keep the original nexthop field when routes
4506 are sent to a BGP Peer. Setting "true" configures the selected BGP
4507 Peers node to use the "next hop keep;" instead of "next hop self;"(default)
4508 in the specific branch of the Node on "bird.cfg".
4511 description: Time to allow for software restart. When specified,
4512 this is configured as the graceful restart timeout. When not specified,
4513 the BIRD default of 120s is used.
4516 description: The node name identifying the Calico node instance that
4517 is targeted by this peer. If this is not set, and no nodeSelector
4518 is specified, then this BGP peer selects all nodes in the cluster.
4521 description: Selector for the nodes that should have this peering. When
4522 this is set, the Node field must be empty.
4525 description: Optional BGP password for the peerings generated by this
4529 description: Selects a key of a secret in the node pod's namespace.
4532 description: The key of the secret to select from. Must be
4536 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
4537 TODO: Add other useful fields. apiVersion, kind, uid?'
4540 description: Specify whether the Secret or its key must be
4548 description: The IP address of the peer followed by an optional port
4549 number to peer with. If port number is given, format should be `[<IPv6>]:port`
4550 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
4551 and this peer IP and ASNumber belongs to a calico/node with ListenPort
4552 set in BGPConfiguration, then we use that port to peer.
4555 description: Selector for the remote nodes to peer with. When this
4556 is set, the PeerIP and ASNumber fields must be empty. For each
4557 peering between the local node and selected remote nodes, we configure
4558 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
4559 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
4560 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
4561 or the global default if that is not set.
4564 description: Specifies whether and how to configure a source address
4565 for the peerings generated by this BGPPeer resource. Default value
4566 "UseNodeIP" means to configure the node IP as the source address. "None"
4567 means not to configure a source address.
4580 apiVersion: apiextensions.k8s.io/v1
4581 kind: CustomResourceDefinition
4583 name: blockaffinities.crd.projectcalico.org
4585 group: crd.projectcalico.org
4588 listKind: BlockAffinityList
4589 plural: blockaffinities
4590 singular: blockaffinity
4598 description: 'APIVersion defines the versioned schema of this representation
4599 of an object. Servers should convert recognized schemas to the latest
4600 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4603 description: 'Kind is a string value representing the REST resource this
4604 object represents. Servers may infer this from the endpoint the client
4605 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4610 description: BlockAffinitySpec contains the specification for a BlockAffinity
4616 description: Deleted indicates that this block affinity is being deleted.
4617 This field is a string for compatibility with older releases that
4618 mistakenly treat this field as a string.
4640 apiVersion: apiextensions.k8s.io/v1
4641 kind: CustomResourceDefinition
4644 controller-gen.kubebuilder.io/version: (devel)
4645 creationTimestamp: null
4646 name: caliconodestatuses.crd.projectcalico.org
4648 group: crd.projectcalico.org
4650 kind: CalicoNodeStatus
4651 listKind: CalicoNodeStatusList
4652 plural: caliconodestatuses
4653 singular: caliconodestatus
4661 description: 'APIVersion defines the versioned schema of this representation
4662 of an object. Servers should convert recognized schemas to the latest
4663 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4666 description: 'Kind is a string value representing the REST resource this
4667 object represents. Servers may infer this from the endpoint the client
4668 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4673 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
4677 description: Classes declares the types of information to monitor
4678 for this calico/node, and allows for selective status reporting
4679 about certain subsets of information.
4684 description: The node name identifies the Calico node instance for
4687 updatePeriodSeconds:
4688 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
4689 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
4690 Maximum update period is one day.
4695 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
4696 No validation needed for status since it is updated by Calico.
4699 description: Agent holds agent status on the node.
4702 description: BIRDV4 represents the latest observed status of bird4.
4705 description: LastBootTime holds the value of lastBootTime
4706 from bird.ctl output.
4708 lastReconfigurationTime:
4709 description: LastReconfigurationTime holds the value of lastReconfigTime
4710 from bird.ctl output.
4713 description: Router ID used by bird.
4716 description: The state of the BGP Daemon.
4719 description: Version of the BGP daemon
4723 description: BIRDV6 represents the latest observed status of bird6.
4726 description: LastBootTime holds the value of lastBootTime
4727 from bird.ctl output.
4729 lastReconfigurationTime:
4730 description: LastReconfigurationTime holds the value of lastReconfigTime
4731 from bird.ctl output.
4734 description: Router ID used by bird.
4737 description: The state of the BGP Daemon.
4740 description: Version of the BGP daemon
4745 description: BGP holds node BGP status.
4747 numberEstablishedV4:
4748 description: The total number of IPv4 established bgp sessions.
4750 numberEstablishedV6:
4751 description: The total number of IPv6 established bgp sessions.
4753 numberNotEstablishedV4:
4754 description: The total number of IPv4 non-established bgp sessions.
4756 numberNotEstablishedV6:
4757 description: The total number of IPv6 non-established bgp sessions.
4760 description: PeersV4 represents IPv4 BGP peers status on the node.
4762 description: CalicoNodePeer contains the status of BGP peers
4766 description: IP address of the peer whose condition we are
4770 description: Since the state or reason last changed.
4773 description: State is the BGP session state.
4776 description: Type indicates whether this peer is configured
4777 via the node-to-node mesh, or via en explicit global or
4778 per-node BGPPeer object.
4783 description: PeersV6 represents IPv6 BGP peers status on the node.
4785 description: CalicoNodePeer contains the status of BGP peers
4789 description: IP address of the peer whose condition we are
4793 description: Since the state or reason last changed.
4796 description: State is the BGP session state.
4799 description: Type indicates whether this peer is configured
4800 via the node-to-node mesh, or via en explicit global or
4801 per-node BGPPeer object.
4806 - numberEstablishedV4
4807 - numberEstablishedV6
4808 - numberNotEstablishedV4
4809 - numberNotEstablishedV6
4812 description: LastUpdated is a timestamp representing the server time
4813 when CalicoNodeStatus object last updated. It is represented in
4814 RFC3339 form and is in UTC.
4819 description: Routes reports routes known to the Calico BGP daemon
4823 description: RoutesV4 represents IPv4 routes on the node.
4825 description: CalicoNodeRoute contains the status of BGP routes
4829 description: Destination of the route.
4832 description: Gateway for the destination.
4835 description: Interface for the destination
4838 description: LearnedFrom contains information regarding
4839 where this route originated.
4842 description: If sourceType is NodeMesh or BGPPeer, IP
4843 address of the router that sent us this route.
4846 description: Type of the source where a route is learned
4851 description: Type indicates if the route is being used for
4857 description: RoutesV6 represents IPv6 routes on the node.
4859 description: CalicoNodeRoute contains the status of BGP routes
4863 description: Destination of the route.
4866 description: Gateway for the destination.
4869 description: Interface for the destination
4872 description: LearnedFrom contains information regarding
4873 where this route originated.
4876 description: If sourceType is NodeMesh or BGPPeer, IP
4877 address of the router that sent us this route.
4880 description: Type of the source where a route is learned
4885 description: Type indicates if the route is being used for
4902 apiVersion: apiextensions.k8s.io/v1
4903 kind: CustomResourceDefinition
4905 name: clusterinformations.crd.projectcalico.org
4907 group: crd.projectcalico.org
4909 kind: ClusterInformation
4910 listKind: ClusterInformationList
4911 plural: clusterinformations
4912 singular: clusterinformation
4918 description: ClusterInformation contains the cluster specific information.
4921 description: 'APIVersion defines the versioned schema of this representation
4922 of an object. Servers should convert recognized schemas to the latest
4923 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4926 description: 'Kind is a string value representing the REST resource this
4927 object represents. Servers may infer this from the endpoint the client
4928 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4933 description: ClusterInformationSpec contains the values of describing
4937 description: CalicoVersion is the version of Calico that the cluster
4941 description: ClusterGUID is the GUID of the cluster
4944 description: ClusterType describes the type of the cluster
4947 description: DatastoreReady is used during significant datastore migrations
4948 to signal to components such as Felix that it should wait before
4949 accessing the datastore.
4952 description: Variant declares which variant of Calico should be active.
4965 apiVersion: apiextensions.k8s.io/v1
4966 kind: CustomResourceDefinition
4968 name: felixconfigurations.crd.projectcalico.org
4970 group: crd.projectcalico.org
4972 kind: FelixConfiguration
4973 listKind: FelixConfigurationList
4974 plural: felixconfigurations
4975 singular: felixconfiguration
4981 description: Felix Configuration contains the configuration for Felix.
4984 description: 'APIVersion defines the versioned schema of this representation
4985 of an object. Servers should convert recognized schemas to the latest
4986 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
4989 description: 'Kind is a string value representing the REST resource this
4990 object represents. Servers may infer this from the endpoint the client
4991 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
4996 description: FelixConfigurationSpec contains the values of the Felix configuration.
4998 allowIPIPPacketsFromWorkloads:
4999 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
5000 will add a rule to drop IPIP encapsulated traffic from workloads
5003 allowVXLANPacketsFromWorkloads:
5004 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
5005 will add a rule to drop VXLAN encapsulated traffic from workloads
5009 description: 'Set source-destination-check on AWS EC2 instances. Accepted
5010 value must be one of "DoNothing", "Enable" or "Disable". [Default:
5017 bpfConnectTimeLoadBalancingEnabled:
5018 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
5019 controls whether Felix installs the connection-time load balancer. The
5020 connect-time load balancer is required for the host to be able to
5021 reach Kubernetes services and it improves the performance of pod-to-service
5022 connections. The only reason to disable it is for debugging purposes. [Default:
5025 bpfDataIfacePattern:
5026 description: BPFDataIfacePattern is a regular expression that controls
5027 which interfaces Felix should attach BPF programs to in order to
5028 catch traffic to/from the network. This needs to match the interfaces
5029 that Calico workload traffic flows over as well as any interfaces
5030 that handle incoming traffic to nodeports and services from outside
5031 the cluster. It should not match the workload interfaces (usually
5034 bpfDisableUnprivileged:
5035 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
5036 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
5037 users cannot access Calico''s BPF maps and cannot insert their own
5038 BPF programs to interfere with Calico''s. [Default: true]'
5041 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
5044 bpfExtToServiceConnmark:
5045 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
5046 mark that is set on connections from an external client to a local
5047 service. This mark allows us to control how packets of that connection
5048 are routed within the host and how is routing intepreted by RPF
5049 check. [Default: 0]'
5051 bpfExternalServiceMode:
5052 description: 'BPFExternalServiceMode in BPF mode, controls how connections
5053 from outside the cluster to services (node ports and cluster IPs)
5054 are forwarded to remote workloads. If set to "Tunnel" then both
5055 request and response traffic is tunneled to the remote node. If
5056 set to "DSR", the request traffic is tunneled but the response traffic
5057 is sent directly from the remote node. In "DSR" mode, the remote
5058 node appears to use the IP of the ingress node; this requires a
5059 permissive L2 network. [Default: Tunnel]'
5061 bpfKubeProxyEndpointSlicesEnabled:
5062 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
5063 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
5065 bpfKubeProxyIptablesCleanupEnabled:
5066 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
5067 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
5068 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
5071 bpfKubeProxyMinSyncPeriod:
5072 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
5073 minimum time between updates to the dataplane for Felix''s embedded
5074 kube-proxy. Lower values give reduced set-up latency. Higher values
5075 reduce Felix CPU usage by batching up more work. [Default: 1s]'
5078 description: 'BPFLogLevel controls the log level of the BPF programs
5079 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
5080 logs are emitted to the BPF trace pipe, accessible with the command
5081 `tc exec bpf debug`. [Default: Off].'
5084 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
5085 top-level iptables chains by inserting a rule at the top of the
5086 chain or by appending a rule at the bottom. insert is the safe default
5087 since it prevents Calico''s rules from being bypassed. If you switch
5088 to append mode, be sure that the other rules in the chains signal
5089 acceptance by falling through to the Calico rules, otherwise the
5090 Calico policy will be bypassed. [Default: insert]'
5094 debugDisableLogDropping:
5096 debugMemoryProfilePath:
5098 debugSimulateCalcGraphHangAfter:
5100 debugSimulateDataplaneHangAfter:
5102 defaultEndpointToHostAction:
5103 description: 'DefaultEndpointToHostAction controls what happens to
5104 traffic that goes from a workload endpoint to the host itself (after
5105 the traffic hits the endpoint egress policy). By default Calico
5106 blocks traffic from workload endpoints to the host itself with an
5107 iptables "DROP" action. If you want to allow some or all traffic
5108 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
5109 RETURN if you have your own rules in the iptables "INPUT" chain;
5110 Calico will insert its rules at the top of that chain, then "RETURN"
5111 packets to the "INPUT" chain once it has completed processing workload
5112 endpoint egress policy. Use ACCEPT to unconditionally accept packets
5113 from workloads after processing workload endpoint egress policy.
5116 deviceRouteProtocol:
5117 description: This defines the route protocol added to programmed device
5118 routes, by default this will be RTPROT_BOOT when left blank.
5120 deviceRouteSourceAddress:
5121 description: This is the source address to use on programmed device
5122 routes. By default the source address is left blank, leaving the
5123 kernel to choose the source address used.
5125 disableConntrackInvalidCheck:
5127 endpointReportingDelay:
5129 endpointReportingEnabled:
5132 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
5133 which may source tunnel traffic and have the tunneled traffic be
5134 accepted at calico nodes.
5138 failsafeInboundHostPorts:
5139 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
5140 and CIDRs that Felix will allow incoming traffic to host endpoints
5141 on irrespective of the security policy. This is useful to avoid
5142 accidentally cutting off a host with incorrect configuration. For
5143 back-compatibility, if the protocol is not specified, it defaults
5144 to "tcp". If a CIDR is not specified, it will allow traffic from
5145 all addresses. To disable all inbound host ports, use the value
5146 none. The default value allows ssh access and DHCP. [Default: tcp:22,
5147 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
5149 description: ProtoPort is combination of protocol, port, and CIDR.
5150 Protocol and port must be specified.
5163 failsafeOutboundHostPorts:
5164 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
5165 and CIDRs that Felix will allow outgoing traffic from host endpoints
5166 to irrespective of the security policy. This is useful to avoid
5167 accidentally cutting off a host with incorrect configuration. For
5168 back-compatibility, if the protocol is not specified, it defaults
5169 to "tcp". If a CIDR is not specified, it will allow traffic from
5170 all addresses. To disable all outbound host ports, use the value
5171 none. The default value opens etcd''s standard ports to ensure that
5172 Felix does not get cut off from etcd as well as allowing DHCP and
5173 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
5174 tcp:6667, udp:53, udp:67]'
5176 description: ProtoPort is combination of protocol, port, and CIDR.
5177 Protocol and port must be specified.
5190 featureDetectOverride:
5191 description: FeatureDetectOverride is used to override the feature
5192 detection. Values are specified in a comma separated list with no
5193 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
5194 "true" or "false" will force the feature, empty or omitted values
5198 description: 'GenericXDPEnabled enables Generic XDP so network cards
5199 that don''t support XDP offload or driver modes can use XDP. This
5200 is not recommended since it doesn''t provide better performance
5201 than iptables. [Default: false]'
5210 description: 'InterfaceExclude is a comma-separated list of interfaces
5211 that Felix should exclude when monitoring for host endpoints. The
5212 default value ensures that Felix ignores Kubernetes'' IPVS dummy
5213 interface, which is used internally by kube-proxy. If you want to
5214 exclude multiple interface names using a single value, the list
5215 supports regular expressions. For regular expressions you must wrap
5216 the value with ''/''. For example having values ''/^kube/,veth1''
5217 will exclude all interfaces that begin with ''kube'' and also the
5218 interface ''veth1''. [Default: kube-ipvs0]'
5221 description: 'InterfacePrefix is the interface name prefix that identifies
5222 workload endpoints and so distinguishes them from host endpoint
5223 interfaces. Note: in environments other than bare metal, the orchestrators
5224 configure this appropriately. For example our Kubernetes and Docker
5225 integrations set the ''cali'' value, and our OpenStack integration
5226 sets the ''tap'' value. [Default: cali]'
5228 interfaceRefreshInterval:
5229 description: InterfaceRefreshInterval is the period at which Felix
5230 rescans local interfaces to verify their state. The rescan can be
5231 disabled by setting the interval to 0.
5236 description: 'IPIPMTU is the MTU to set on the tunnel device. See
5237 Configuring MTU [Default: 1440]'
5239 ipsetsRefreshInterval:
5240 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
5241 all iptables state to ensure that no other process has accidentally
5242 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
5246 description: IptablesBackend specifies which backend of iptables will
5247 be used. The default is legacy.
5249 iptablesFilterAllowAction:
5251 iptablesLockFilePath:
5252 description: 'IptablesLockFilePath is the location of the iptables
5253 lock file. You may need to change this if the lock file is not in
5254 its standard location (for example if you have mapped it into Felix''s
5255 container at a different path). [Default: /run/xtables.lock]'
5257 iptablesLockProbeInterval:
5258 description: 'IptablesLockProbeInterval is the time that Felix will
5259 wait between attempts to acquire the iptables lock if it is not
5260 available. Lower values make Felix more responsive when the lock
5261 is contended, but use more CPU. [Default: 50ms]'
5263 iptablesLockTimeout:
5264 description: 'IptablesLockTimeout is the time that Felix will wait
5265 for the iptables lock, or 0, to disable. To use this feature, Felix
5266 must share the iptables lock file with all other processes that
5267 also take the lock. When running Felix inside a container, this
5268 requires the /run directory of the host to be mounted into the calico/node
5269 or calico/felix container. [Default: 0s disabled]'
5271 iptablesMangleAllowAction:
5274 description: 'IptablesMarkMask is the mask that Felix selects its
5275 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
5276 at least 8 bits set, none of which clash with any other mark bits
5277 in use on the system. [Default: 0xff000000]'
5280 iptablesNATOutgoingInterfaceFilter:
5282 iptablesPostWriteCheckInterval:
5283 description: 'IptablesPostWriteCheckInterval is the period after Felix
5284 has done a write to the dataplane that it schedules an extra read
5285 back in order to check the write was not clobbered by another process.
5286 This should only occur if another application on the system doesn''t
5287 respect the iptables lock. [Default: 1s]'
5289 iptablesRefreshInterval:
5290 description: 'IptablesRefreshInterval is the period at which Felix
5291 re-checks the IP sets in the dataplane to ensure that no other process
5292 has accidentally broken Calico''s rules. Set to 0 to disable IP
5293 sets refresh. Note: the default for this value is lower than the
5294 other refresh intervals as a workaround for a Linux kernel bug that
5295 was fixed in kernel version 4.11. If you are using v4.11 or greater
5296 you may want to set this to, a higher value to reduce Felix CPU
5297 usage. [Default: 10s]'
5302 description: 'KubeNodePortRanges holds list of port ranges used for
5303 service node ports. Only used if felix detects kube-proxy running
5304 in ipvs mode. Felix uses these ranges to separate host and workload
5305 traffic. [Default: 30000:32767].'
5311 x-kubernetes-int-or-string: true
5314 description: 'LogFilePath is the full path to the Felix log. Set to
5315 none to disable file logging. [Default: /var/log/calico/felix.log]'
5318 description: 'LogPrefix is the log prefix that Felix uses when rendering
5319 LOG rules. [Default: calico-packet]'
5322 description: 'LogSeverityFile is the log severity above which logs
5323 are sent to the log file. [Default: Info]'
5326 description: 'LogSeverityScreen is the log severity above which logs
5327 are sent to the stdout. [Default: Info]'
5330 description: 'LogSeveritySys is the log severity above which logs
5331 are sent to the syslog. Set to None for no logging to syslog. [Default:
5337 description: 'MetadataAddr is the IP address or domain name of the
5338 server that can answer VM queries for cloud-init metadata. In OpenStack,
5339 this corresponds to the machine running nova-api (or in Ubuntu,
5340 nova-api-metadata). A value of none (case insensitive) means that
5341 Felix should not set up any NAT rule for the metadata path. [Default:
5345 description: 'MetadataPort is the port of the metadata server. This,
5346 combined with global.MetadataAddr (if not ''None''), is used to
5347 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
5348 In most cases this should not need to be changed [Default: 8775].'
5351 description: MTUIfacePattern is a regular expression that controls
5352 which interfaces Felix should scan in order to calculate the host's
5353 MTU. This should not match workload interfaces (usually named cali...).
5356 description: NATOutgoingAddress specifies an address to use when performing
5357 source NAT for traffic in a natOutgoing pool that is leaving the
5358 network. By default the address used is an address on the interface
5359 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
5365 description: NATPortRange specifies the range of ports that is used
5366 for port mapping when doing outgoing NAT. When unset the default
5367 behavior of the network stack is used.
5369 x-kubernetes-int-or-string: true
5373 description: 'OpenstackRegion is the name of the region that a particular
5374 Felix belongs to. In a multi-region Calico/OpenStack deployment,
5375 this must be configured somehow for each Felix (here in the datamodel,
5376 or in felix.cfg or the environment on each compute node), and must
5377 match the [calico] openstack_region value configured in neutron.conf
5378 on each node. [Default: Empty]'
5380 policySyncPathPrefix:
5381 description: 'PolicySyncPathPrefix is used to by Felix to communicate
5382 policy changes to external services, like Application layer policy.
5385 prometheusGoMetricsEnabled:
5386 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
5387 collection, which the Prometheus client does by default, when set
5388 to false. This reduces the number of metrics reported, reducing
5389 Prometheus load. [Default: true]'
5391 prometheusMetricsEnabled:
5392 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
5393 server in Felix if set to true. [Default: false]'
5395 prometheusMetricsHost:
5396 description: 'PrometheusMetricsHost is the host that the Prometheus
5397 metrics server should bind to. [Default: empty]'
5399 prometheusMetricsPort:
5400 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
5401 metrics server should bind to. [Default: 9091]'
5403 prometheusProcessMetricsEnabled:
5404 description: 'PrometheusProcessMetricsEnabled disables process metrics
5405 collection, which the Prometheus client does by default, when set
5406 to false. This reduces the number of metrics reported, reducing
5407 Prometheus load. [Default: true]'
5409 prometheusWireGuardMetricsEnabled:
5410 description: 'PrometheusWireGuardMetricsEnabled disables wireguard
5411 metrics collection, which the Prometheus client does by default,
5412 when set to false. This reduces the number of metrics reported,
5413 reducing Prometheus load. [Default: true]'
5415 removeExternalRoutes:
5416 description: Whether or not to remove device routes that have not
5417 been programmed by Felix. Disabling this will allow external applications
5418 to also add device routes. This is enabled by default which means
5419 we will remove externally added routes.
5422 description: 'ReportingInterval is the interval at which Felix reports
5423 its status into the datastore or 0 to disable. Must be non-zero
5424 in OpenStack deployments. [Default: 30s]'
5427 description: 'ReportingTTL is the time-to-live setting for process-wide
5428 status reports. [Default: 90s]'
5430 routeRefreshInterval:
5431 description: 'RouteRefreshInterval is the period at which Felix re-checks
5432 the routes in the dataplane to ensure that no other process has
5433 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
5437 description: 'RouteSource configures where Felix gets its routing
5438 information. - WorkloadIPs: use workload endpoints to construct
5439 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
5442 description: Calico programs additional Linux route tables for various
5443 purposes. RouteTableRange specifies the indices of the route tables
5444 that Calico should use.
5454 serviceLoopPrevention:
5455 description: 'When service IP advertisement is enabled, prevent routing
5456 loops to service IPs that are not in use, by dropping or rejecting
5457 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
5458 in which case such routing loops continue to be allowed. [Default:
5461 sidecarAccelerationEnabled:
5462 description: 'SidecarAccelerationEnabled enables experimental sidecar
5463 acceleration [Default: false]'
5465 usageReportingEnabled:
5466 description: 'UsageReportingEnabled reports anonymous Calico version
5467 number and cluster size to projectcalico.org. Logs warnings returned
5468 by the usage server. For example, if a significant security vulnerability
5469 has been discovered in the version of Calico being used. [Default:
5472 usageReportingInitialDelay:
5473 description: 'UsageReportingInitialDelay controls the minimum delay
5474 before Felix makes a report. [Default: 300s]'
5476 usageReportingInterval:
5477 description: 'UsageReportingInterval controls the interval at which
5478 Felix makes reports. [Default: 86400s]'
5480 useInternalDataplaneDriver:
5485 description: 'VXLANMTU is the MTU to set on the tunnel device. See
5486 Configuring MTU [Default: 1440]'
5493 description: 'WireguardEnabled controls whether Wireguard is enabled.
5496 wireguardHostEncryptionEnabled:
5497 description: 'WireguardHostEncryptionEnabled controls whether Wireguard
5498 host-to-host encryption is enabled. [Default: false]'
5500 wireguardInterfaceName:
5501 description: 'WireguardInterfaceName specifies the name to use for
5502 the Wireguard interface. [Default: wg.calico]'
5504 wireguardListeningPort:
5505 description: 'WireguardListeningPort controls the listening port used
5506 by Wireguard. [Default: 51820]'
5509 description: 'WireguardMTU controls the MTU on the Wireguard interface.
5510 See Configuring MTU [Default: 1420]'
5512 wireguardRoutingRulePriority:
5513 description: 'WireguardRoutingRulePriority controls the priority value
5514 to use for the Wireguard routing rule. [Default: 99]'
5517 description: 'XDPEnabled enables XDP acceleration for suitable untracked
5518 incoming deny rules. [Default: true]'
5521 description: 'XDPRefreshInterval is the period at which Felix re-checks
5522 all XDP state to ensure that no other process has accidentally broken
5523 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
5524 refresh. [Default: 90s]'
5537 apiVersion: apiextensions.k8s.io/v1
5538 kind: CustomResourceDefinition
5540 name: globalnetworkpolicies.crd.projectcalico.org
5542 group: crd.projectcalico.org
5544 kind: GlobalNetworkPolicy
5545 listKind: GlobalNetworkPolicyList
5546 plural: globalnetworkpolicies
5547 singular: globalnetworkpolicy
5555 description: 'APIVersion defines the versioned schema of this representation
5556 of an object. Servers should convert recognized schemas to the latest
5557 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
5560 description: 'Kind is a string value representing the REST resource this
5561 object represents. Servers may infer this from the endpoint the client
5562 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
5569 description: ApplyOnForward indicates to apply the rules in this policy
5573 description: DoNotTrack indicates whether packets matched by the rules
5574 in this policy should go through the data plane's connection tracking,
5575 such as Linux conntrack. If True, the rules in this policy are
5576 applied before any data plane connection tracking, and packets allowed
5577 by this policy are marked as not to be tracked.
5580 description: The ordered set of egress rules. Each rule contains
5581 a set of packet match criteria and a corresponding action to apply.
5583 description: "A Rule encapsulates a set of match criteria and an
5584 action. Both selector-based security Policy and security Profiles
5585 reference rules - separated out as a list of rules for both ingress
5586 and egress packet matching. \n Each positive match criteria has
5587 a negated version, prefixed with \"Not\". All the match criteria
5588 within a rule must be satisfied for a packet to match. A single
5589 rule can contain the positive and negative version of a match
5590 and both must be satisfied for the rule to match."
5595 description: Destination contains the match criteria that apply
5596 to destination entity.
5599 description: "NamespaceSelector is an optional field that
5600 contains a selector expression. Only traffic that originates
5601 from (or terminates at) endpoints within the selected
5602 namespaces will be matched. When both NamespaceSelector
5603 and another selector are defined on the same rule, then
5604 only workload endpoints that are matched by both selectors
5605 will be selected by the rule. \n For NetworkPolicy, an
5606 empty NamespaceSelector implies that the Selector is limited
5607 to selecting only workload endpoints in the same namespace
5608 as the NetworkPolicy. \n For NetworkPolicy, `global()`
5609 NamespaceSelector implies that the Selector is limited
5610 to selecting only GlobalNetworkSet or HostEndpoint. \n
5611 For GlobalNetworkPolicy, an empty NamespaceSelector implies
5612 the Selector applies to workload endpoints across all
5616 description: Nets is an optional field that restricts the
5617 rule to only apply to traffic that originates from (or
5618 terminates at) IP addresses in any of the given subnets.
5623 description: NotNets is the negated version of the Nets
5629 description: NotPorts is the negated version of the Ports
5630 field. Since only some protocols have ports, if any ports
5631 are specified it requires the Protocol match in the Rule
5632 to be set to "TCP" or "UDP".
5638 x-kubernetes-int-or-string: true
5641 description: NotSelector is the negated version of the Selector
5642 field. See Selector field for subtleties with negated
5646 description: "Ports is an optional field that restricts
5647 the rule to only apply to traffic that has a source (destination)
5648 port that matches one of these ranges/values. This value
5649 is a list of integers or strings that represent ranges
5650 of ports. \n Since only some protocols have ports, if
5651 any ports are specified it requires the Protocol match
5652 in the Rule to be set to \"TCP\" or \"UDP\"."
5658 x-kubernetes-int-or-string: true
5661 description: "Selector is an optional field that contains
5662 a selector expression (see Policy for sample syntax).
5663 \ Only traffic that originates from (terminates at) endpoints
5664 matching the selector will be matched. \n Note that: in
5665 addition to the negated version of the Selector (see NotSelector
5666 below), the selector expression syntax itself supports
5667 negation. The two types of negation are subtly different.
5668 One negates the set of matched endpoints, the other negates
5669 the whole match: \n \tSelector = \"!has(my_label)\" matches
5670 packets that are from other Calico-controlled \tendpoints
5671 that do not have the label \"my_label\". \n \tNotSelector
5672 = \"has(my_label)\" matches packets that are not from
5673 Calico-controlled \tendpoints that do have the label \"my_label\".
5674 \n The effect is that the latter will accept packets from
5675 non-Calico sources whereas the former is limited to packets
5676 from Calico-controlled endpoints."
5679 description: ServiceAccounts is an optional field that restricts
5680 the rule to only apply to traffic that originates from
5681 (or terminates at) a pod running as a matching service
5685 description: Names is an optional field that restricts
5686 the rule to only apply to traffic that originates
5687 from (or terminates at) a pod running as a service
5688 account whose name is in the list.
5693 description: Selector is an optional field that restricts
5694 the rule to only apply to traffic that originates
5695 from (or terminates at) a pod running as a service
5696 account that matches the given label selector. If
5697 both Names and Selector are specified then they are
5702 description: "Services is an optional field that contains
5703 options for matching Kubernetes Services. If specified,
5704 only traffic that originates from or terminates at endpoints
5705 within the selected service(s) will be matched, and only
5706 to/from each endpoint's port. \n Services cannot be specified
5707 on the same rule as Selector, NotSelector, NamespaceSelector,
5708 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
5709 can only be specified with Services on ingress rules."
5712 description: Name specifies the name of a Kubernetes
5716 description: Namespace specifies the namespace of the
5717 given Service. If left empty, the rule will match
5718 within this policy's namespace.
5723 description: HTTP contains match criteria that apply to HTTP
5727 description: Methods is an optional field that restricts
5728 the rule to apply only to HTTP requests that use one of
5729 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
5730 methods are OR'd together.
5735 description: 'Paths is an optional field that restricts
5736 the rule to apply to HTTP requests that use one of the
5737 listed HTTP Paths. Multiple paths are OR''d together.
5738 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
5739 ONLY specify either a `exact` or a `prefix` match. The
5740 validator will check for it.'
5742 description: 'HTTPPath specifies an HTTP path to match.
5743 It may be either of the form: exact: <path>: which matches
5744 the path exactly or prefix: <path-prefix>: which matches
5755 description: ICMP is an optional field that restricts the rule
5756 to apply to a specific type and code of ICMP traffic. This
5757 should only be specified if the Protocol field is set to "ICMP"
5761 description: Match on a specific ICMP code. If specified,
5762 the Type value must also be specified. This is a technical
5763 limitation imposed by the kernel's iptables firewall,
5764 which Calico uses to enforce the rule.
5767 description: Match on a specific ICMP type. For example
5768 a value of 8 refers to ICMP Echo Request (i.e. pings).
5772 description: IPVersion is an optional field that restricts the
5773 rule to only match a specific IP version.
5776 description: Metadata contains additional information for this
5780 additionalProperties:
5782 description: Annotations is a set of key value pairs that
5783 give extra information about the rule
5787 description: NotICMP is the negated version of the ICMP field.
5790 description: Match on a specific ICMP code. If specified,
5791 the Type value must also be specified. This is a technical
5792 limitation imposed by the kernel's iptables firewall,
5793 which Calico uses to enforce the rule.
5796 description: Match on a specific ICMP type. For example
5797 a value of 8 refers to ICMP Echo Request (i.e. pings).
5804 description: NotProtocol is the negated version of the Protocol
5807 x-kubernetes-int-or-string: true
5812 description: "Protocol is an optional field that restricts the
5813 rule to only apply to traffic of a specific IP protocol. Required
5814 if any of the EntityRules contain Ports (because ports only
5815 apply to certain protocols). \n Must be one of these string
5816 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
5817 \"UDPLite\" or an integer in the range 1-255."
5819 x-kubernetes-int-or-string: true
5821 description: Source contains the match criteria that apply to
5825 description: "NamespaceSelector is an optional field that
5826 contains a selector expression. Only traffic that originates
5827 from (or terminates at) endpoints within the selected
5828 namespaces will be matched. When both NamespaceSelector
5829 and another selector are defined on the same rule, then
5830 only workload endpoints that are matched by both selectors
5831 will be selected by the rule. \n For NetworkPolicy, an
5832 empty NamespaceSelector implies that the Selector is limited
5833 to selecting only workload endpoints in the same namespace
5834 as the NetworkPolicy. \n For NetworkPolicy, `global()`
5835 NamespaceSelector implies that the Selector is limited
5836 to selecting only GlobalNetworkSet or HostEndpoint. \n
5837 For GlobalNetworkPolicy, an empty NamespaceSelector implies
5838 the Selector applies to workload endpoints across all
5842 description: Nets is an optional field that restricts the
5843 rule to only apply to traffic that originates from (or
5844 terminates at) IP addresses in any of the given subnets.
5849 description: NotNets is the negated version of the Nets
5855 description: NotPorts is the negated version of the Ports
5856 field. Since only some protocols have ports, if any ports
5857 are specified it requires the Protocol match in the Rule
5858 to be set to "TCP" or "UDP".
5864 x-kubernetes-int-or-string: true
5867 description: NotSelector is the negated version of the Selector
5868 field. See Selector field for subtleties with negated
5872 description: "Ports is an optional field that restricts
5873 the rule to only apply to traffic that has a source (destination)
5874 port that matches one of these ranges/values. This value
5875 is a list of integers or strings that represent ranges
5876 of ports. \n Since only some protocols have ports, if
5877 any ports are specified it requires the Protocol match
5878 in the Rule to be set to \"TCP\" or \"UDP\"."
5884 x-kubernetes-int-or-string: true
5887 description: "Selector is an optional field that contains
5888 a selector expression (see Policy for sample syntax).
5889 \ Only traffic that originates from (terminates at) endpoints
5890 matching the selector will be matched. \n Note that: in
5891 addition to the negated version of the Selector (see NotSelector
5892 below), the selector expression syntax itself supports
5893 negation. The two types of negation are subtly different.
5894 One negates the set of matched endpoints, the other negates
5895 the whole match: \n \tSelector = \"!has(my_label)\" matches
5896 packets that are from other Calico-controlled \tendpoints
5897 that do not have the label \"my_label\". \n \tNotSelector
5898 = \"has(my_label)\" matches packets that are not from
5899 Calico-controlled \tendpoints that do have the label \"my_label\".
5900 \n The effect is that the latter will accept packets from
5901 non-Calico sources whereas the former is limited to packets
5902 from Calico-controlled endpoints."
5905 description: ServiceAccounts is an optional field that restricts
5906 the rule to only apply to traffic that originates from
5907 (or terminates at) a pod running as a matching service
5911 description: Names is an optional field that restricts
5912 the rule to only apply to traffic that originates
5913 from (or terminates at) a pod running as a service
5914 account whose name is in the list.
5919 description: Selector is an optional field that restricts
5920 the rule to only apply to traffic that originates
5921 from (or terminates at) a pod running as a service
5922 account that matches the given label selector. If
5923 both Names and Selector are specified then they are
5928 description: "Services is an optional field that contains
5929 options for matching Kubernetes Services. If specified,
5930 only traffic that originates from or terminates at endpoints
5931 within the selected service(s) will be matched, and only
5932 to/from each endpoint's port. \n Services cannot be specified
5933 on the same rule as Selector, NotSelector, NamespaceSelector,
5934 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
5935 can only be specified with Services on ingress rules."
5938 description: Name specifies the name of a Kubernetes
5942 description: Namespace specifies the namespace of the
5943 given Service. If left empty, the rule will match
5944 within this policy's namespace.
5953 description: The ordered set of ingress rules. Each rule contains
5954 a set of packet match criteria and a corresponding action to apply.
5956 description: "A Rule encapsulates a set of match criteria and an
5957 action. Both selector-based security Policy and security Profiles
5958 reference rules - separated out as a list of rules for both ingress
5959 and egress packet matching. \n Each positive match criteria has
5960 a negated version, prefixed with \"Not\". All the match criteria
5961 within a rule must be satisfied for a packet to match. A single
5962 rule can contain the positive and negative version of a match
5963 and both must be satisfied for the rule to match."
5968 description: Destination contains the match criteria that apply
5969 to destination entity.
5972 description: "NamespaceSelector is an optional field that
5973 contains a selector expression. Only traffic that originates
5974 from (or terminates at) endpoints within the selected
5975 namespaces will be matched. When both NamespaceSelector
5976 and another selector are defined on the same rule, then
5977 only workload endpoints that are matched by both selectors
5978 will be selected by the rule. \n For NetworkPolicy, an
5979 empty NamespaceSelector implies that the Selector is limited
5980 to selecting only workload endpoints in the same namespace
5981 as the NetworkPolicy. \n For NetworkPolicy, `global()`
5982 NamespaceSelector implies that the Selector is limited
5983 to selecting only GlobalNetworkSet or HostEndpoint. \n
5984 For GlobalNetworkPolicy, an empty NamespaceSelector implies
5985 the Selector applies to workload endpoints across all
5989 description: Nets is an optional field that restricts the
5990 rule to only apply to traffic that originates from (or
5991 terminates at) IP addresses in any of the given subnets.
5996 description: NotNets is the negated version of the Nets
6002 description: NotPorts is the negated version of the Ports
6003 field. Since only some protocols have ports, if any ports
6004 are specified it requires the Protocol match in the Rule
6005 to be set to "TCP" or "UDP".
6011 x-kubernetes-int-or-string: true
6014 description: NotSelector is the negated version of the Selector
6015 field. See Selector field for subtleties with negated
6019 description: "Ports is an optional field that restricts
6020 the rule to only apply to traffic that has a source (destination)
6021 port that matches one of these ranges/values. This value
6022 is a list of integers or strings that represent ranges
6023 of ports. \n Since only some protocols have ports, if
6024 any ports are specified it requires the Protocol match
6025 in the Rule to be set to \"TCP\" or \"UDP\"."
6031 x-kubernetes-int-or-string: true
6034 description: "Selector is an optional field that contains
6035 a selector expression (see Policy for sample syntax).
6036 \ Only traffic that originates from (terminates at) endpoints
6037 matching the selector will be matched. \n Note that: in
6038 addition to the negated version of the Selector (see NotSelector
6039 below), the selector expression syntax itself supports
6040 negation. The two types of negation are subtly different.
6041 One negates the set of matched endpoints, the other negates
6042 the whole match: \n \tSelector = \"!has(my_label)\" matches
6043 packets that are from other Calico-controlled \tendpoints
6044 that do not have the label \"my_label\". \n \tNotSelector
6045 = \"has(my_label)\" matches packets that are not from
6046 Calico-controlled \tendpoints that do have the label \"my_label\".
6047 \n The effect is that the latter will accept packets from
6048 non-Calico sources whereas the former is limited to packets
6049 from Calico-controlled endpoints."
6052 description: ServiceAccounts is an optional field that restricts
6053 the rule to only apply to traffic that originates from
6054 (or terminates at) a pod running as a matching service
6058 description: Names is an optional field that restricts
6059 the rule to only apply to traffic that originates
6060 from (or terminates at) a pod running as a service
6061 account whose name is in the list.
6066 description: Selector is an optional field that restricts
6067 the rule to only apply to traffic that originates
6068 from (or terminates at) a pod running as a service
6069 account that matches the given label selector. If
6070 both Names and Selector are specified then they are
6075 description: "Services is an optional field that contains
6076 options for matching Kubernetes Services. If specified,
6077 only traffic that originates from or terminates at endpoints
6078 within the selected service(s) will be matched, and only
6079 to/from each endpoint's port. \n Services cannot be specified
6080 on the same rule as Selector, NotSelector, NamespaceSelector,
6081 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
6082 can only be specified with Services on ingress rules."
6085 description: Name specifies the name of a Kubernetes
6089 description: Namespace specifies the namespace of the
6090 given Service. If left empty, the rule will match
6091 within this policy's namespace.
6096 description: HTTP contains match criteria that apply to HTTP
6100 description: Methods is an optional field that restricts
6101 the rule to apply only to HTTP requests that use one of
6102 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
6103 methods are OR'd together.
6108 description: 'Paths is an optional field that restricts
6109 the rule to apply to HTTP requests that use one of the
6110 listed HTTP Paths. Multiple paths are OR''d together.
6111 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
6112 ONLY specify either a `exact` or a `prefix` match. The
6113 validator will check for it.'
6115 description: 'HTTPPath specifies an HTTP path to match.
6116 It may be either of the form: exact: <path>: which matches
6117 the path exactly or prefix: <path-prefix>: which matches
6128 description: ICMP is an optional field that restricts the rule
6129 to apply to a specific type and code of ICMP traffic. This
6130 should only be specified if the Protocol field is set to "ICMP"
6134 description: Match on a specific ICMP code. If specified,
6135 the Type value must also be specified. This is a technical
6136 limitation imposed by the kernel's iptables firewall,
6137 which Calico uses to enforce the rule.
6140 description: Match on a specific ICMP type. For example
6141 a value of 8 refers to ICMP Echo Request (i.e. pings).
6145 description: IPVersion is an optional field that restricts the
6146 rule to only match a specific IP version.
6149 description: Metadata contains additional information for this
6153 additionalProperties:
6155 description: Annotations is a set of key value pairs that
6156 give extra information about the rule
6160 description: NotICMP is the negated version of the ICMP field.
6163 description: Match on a specific ICMP code. If specified,
6164 the Type value must also be specified. This is a technical
6165 limitation imposed by the kernel's iptables firewall,
6166 which Calico uses to enforce the rule.
6169 description: Match on a specific ICMP type. For example
6170 a value of 8 refers to ICMP Echo Request (i.e. pings).
6177 description: NotProtocol is the negated version of the Protocol
6180 x-kubernetes-int-or-string: true
6185 description: "Protocol is an optional field that restricts the
6186 rule to only apply to traffic of a specific IP protocol. Required
6187 if any of the EntityRules contain Ports (because ports only
6188 apply to certain protocols). \n Must be one of these string
6189 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
6190 \"UDPLite\" or an integer in the range 1-255."
6192 x-kubernetes-int-or-string: true
6194 description: Source contains the match criteria that apply to
6198 description: "NamespaceSelector is an optional field that
6199 contains a selector expression. Only traffic that originates
6200 from (or terminates at) endpoints within the selected
6201 namespaces will be matched. When both NamespaceSelector
6202 and another selector are defined on the same rule, then
6203 only workload endpoints that are matched by both selectors
6204 will be selected by the rule. \n For NetworkPolicy, an
6205 empty NamespaceSelector implies that the Selector is limited
6206 to selecting only workload endpoints in the same namespace
6207 as the NetworkPolicy. \n For NetworkPolicy, `global()`
6208 NamespaceSelector implies that the Selector is limited
6209 to selecting only GlobalNetworkSet or HostEndpoint. \n
6210 For GlobalNetworkPolicy, an empty NamespaceSelector implies
6211 the Selector applies to workload endpoints across all
6215 description: Nets is an optional field that restricts the
6216 rule to only apply to traffic that originates from (or
6217 terminates at) IP addresses in any of the given subnets.
6222 description: NotNets is the negated version of the Nets
6228 description: NotPorts is the negated version of the Ports
6229 field. Since only some protocols have ports, if any ports
6230 are specified it requires the Protocol match in the Rule
6231 to be set to "TCP" or "UDP".
6237 x-kubernetes-int-or-string: true
6240 description: NotSelector is the negated version of the Selector
6241 field. See Selector field for subtleties with negated
6245 description: "Ports is an optional field that restricts
6246 the rule to only apply to traffic that has a source (destination)
6247 port that matches one of these ranges/values. This value
6248 is a list of integers or strings that represent ranges
6249 of ports. \n Since only some protocols have ports, if
6250 any ports are specified it requires the Protocol match
6251 in the Rule to be set to \"TCP\" or \"UDP\"."
6257 x-kubernetes-int-or-string: true
6260 description: "Selector is an optional field that contains
6261 a selector expression (see Policy for sample syntax).
6262 \ Only traffic that originates from (terminates at) endpoints
6263 matching the selector will be matched. \n Note that: in
6264 addition to the negated version of the Selector (see NotSelector
6265 below), the selector expression syntax itself supports
6266 negation. The two types of negation are subtly different.
6267 One negates the set of matched endpoints, the other negates
6268 the whole match: \n \tSelector = \"!has(my_label)\" matches
6269 packets that are from other Calico-controlled \tendpoints
6270 that do not have the label \"my_label\". \n \tNotSelector
6271 = \"has(my_label)\" matches packets that are not from
6272 Calico-controlled \tendpoints that do have the label \"my_label\".
6273 \n The effect is that the latter will accept packets from
6274 non-Calico sources whereas the former is limited to packets
6275 from Calico-controlled endpoints."
6278 description: ServiceAccounts is an optional field that restricts
6279 the rule to only apply to traffic that originates from
6280 (or terminates at) a pod running as a matching service
6284 description: Names is an optional field that restricts
6285 the rule to only apply to traffic that originates
6286 from (or terminates at) a pod running as a service
6287 account whose name is in the list.
6292 description: Selector is an optional field that restricts
6293 the rule to only apply to traffic that originates
6294 from (or terminates at) a pod running as a service
6295 account that matches the given label selector. If
6296 both Names and Selector are specified then they are
6301 description: "Services is an optional field that contains
6302 options for matching Kubernetes Services. If specified,
6303 only traffic that originates from or terminates at endpoints
6304 within the selected service(s) will be matched, and only
6305 to/from each endpoint's port. \n Services cannot be specified
6306 on the same rule as Selector, NotSelector, NamespaceSelector,
6307 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
6308 can only be specified with Services on ingress rules."
6311 description: Name specifies the name of a Kubernetes
6315 description: Namespace specifies the namespace of the
6316 given Service. If left empty, the rule will match
6317 within this policy's namespace.
6326 description: NamespaceSelector is an optional field for an expression
6327 used to select a pod based on namespaces.
6330 description: Order is an optional field that specifies the order in
6331 which the policy is applied. Policies with higher "order" are applied
6332 after those with lower order. If the order is omitted, it may be
6333 considered to be "infinite" - i.e. the policy will be applied last. Policies
6334 with identical order will be applied in alphanumerical order based
6335 on the Policy "Name".
6338 description: PreDNAT indicates to apply the rules in this policy before
6342 description: "The selector is an expression used to pick pick out
6343 the endpoints that the policy should be applied to. \n Selector
6344 expressions follow this syntax: \n \tlabel == \"string_literal\"
6345 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
6346 \ -> not equal; also matches if label is not present \tlabel in
6347 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
6348 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
6349 ... } -> true if the value of label X is not one of \"a\", \"b\",
6350 \"c\" \thas(label_name) -> True if that label is present \t! expr
6351 -> negation of expr \texpr && expr -> Short-circuit and \texpr
6352 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
6353 or the empty selector -> matches all endpoints. \n Label names are
6354 allowed to contain alphanumerics, -, _ and /. String literals are
6355 more permissive but they do not support escape characters. \n Examples
6356 (with made-up labels): \n \ttype == \"webserver\" && deployment
6357 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
6358 \"dev\" \t! has(label_name)"
6360 serviceAccountSelector:
6361 description: ServiceAccountSelector is an optional field for an expression
6362 used to select a pod based on service accounts.
6365 description: "Types indicates whether this policy applies to ingress,
6366 or to egress, or to both. When not explicitly specified (and so
6367 the value on creation is empty or nil), Calico defaults Types according
6368 to what Ingress and Egress rules are present in the policy. The
6369 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
6370 (including the case where there are also no Ingress rules) \n
6371 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
6372 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
6373 both Ingress and Egress rules. \n When the policy is read back again,
6374 Types will always be one of these values, never empty or nil."
6376 description: PolicyType enumerates the possible values of the PolicySpec
6391 apiVersion: apiextensions.k8s.io/v1
6392 kind: CustomResourceDefinition
6394 name: globalnetworksets.crd.projectcalico.org
6396 group: crd.projectcalico.org
6398 kind: GlobalNetworkSet
6399 listKind: GlobalNetworkSetList
6400 plural: globalnetworksets
6401 singular: globalnetworkset
6407 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
6408 that share labels to allow rules to refer to them via selectors. The labels
6409 of GlobalNetworkSet are not namespaced.
6412 description: 'APIVersion defines the versioned schema of this representation
6413 of an object. Servers should convert recognized schemas to the latest
6414 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6417 description: 'Kind is a string value representing the REST resource this
6418 object represents. Servers may infer this from the endpoint the client
6419 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6424 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
6428 description: The list of IP networks that belong to this set.
6443 apiVersion: apiextensions.k8s.io/v1
6444 kind: CustomResourceDefinition
6446 name: hostendpoints.crd.projectcalico.org
6448 group: crd.projectcalico.org
6451 listKind: HostEndpointList
6452 plural: hostendpoints
6453 singular: hostendpoint
6461 description: 'APIVersion defines the versioned schema of this representation
6462 of an object. Servers should convert recognized schemas to the latest
6463 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6466 description: 'Kind is a string value representing the REST resource this
6467 object represents. Servers may infer this from the endpoint the client
6468 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6473 description: HostEndpointSpec contains the specification for a HostEndpoint
6477 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
6478 If \"InterfaceName\" is not present, Calico will look for an interface
6479 matching any of the IPs in the list and apply policy to that. Note:
6480 \tWhen using the selector match criteria in an ingress or egress
6481 security Policy \tor Profile, Calico converts the selector into
6482 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
6483 is used for that purpose. (If only the interface \tname is specified,
6484 Calico does not learn the IPs of the interface for use in match
6490 description: "Either \"*\", or the name of a specific Linux interface
6491 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
6492 governs all traffic to, from or through the default network namespace
6493 of the host named by the \"Node\" field; entering and leaving that
6494 namespace via any interface, including those from/to non-host-networked
6495 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
6496 only governs traffic that enters or leaves the host through the
6497 specific interface named by InterfaceName, or - when InterfaceName
6498 is empty - through the specific interface that has one of the IPs
6499 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
6500 one expected IP must be specified. Only external interfaces (such
6501 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
6502 to protect traffic through a specific local workload interface.
6503 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
6504 initially just pre-DNAT policy. Please check Calico documentation
6505 for the latest position."
6508 description: The node name identifying the Calico node instance.
6511 description: Ports contains the endpoint's named ports, which may
6512 be referenced in security policy rules.
6524 x-kubernetes-int-or-string: true
6532 description: A list of identifiers of security Profile objects that
6533 apply to this endpoint. Each profile is applied in the order that
6534 they appear in this list. Profile rules are applied after the selector-based
6550 apiVersion: apiextensions.k8s.io/v1
6551 kind: CustomResourceDefinition
6553 name: ipamblocks.crd.projectcalico.org
6555 group: crd.projectcalico.org
6558 listKind: IPAMBlockList
6568 description: 'APIVersion defines the versioned schema of this representation
6569 of an object. Servers should convert recognized schemas to the latest
6570 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6573 description: 'Kind is a string value representing the REST resource this
6574 object represents. Servers may infer this from the endpoint the client
6575 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6580 description: IPAMBlockSpec contains the specification for an IPAMBlock
6596 additionalProperties:
6628 apiVersion: apiextensions.k8s.io/v1
6629 kind: CustomResourceDefinition
6631 name: ipamconfigs.crd.projectcalico.org
6633 group: crd.projectcalico.org
6636 listKind: IPAMConfigList
6638 singular: ipamconfig
6646 description: 'APIVersion defines the versioned schema of this representation
6647 of an object. Servers should convert recognized schemas to the latest
6648 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6651 description: 'Kind is a string value representing the REST resource this
6652 object represents. Servers may infer this from the endpoint the client
6653 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6658 description: IPAMConfigSpec contains the specification for an IPAMConfig
6664 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
6665 that can be affine to each host.
6670 - autoAllocateBlocks
6683 apiVersion: apiextensions.k8s.io/v1
6684 kind: CustomResourceDefinition
6686 name: ipamhandles.crd.projectcalico.org
6688 group: crd.projectcalico.org
6691 listKind: IPAMHandleList
6693 singular: ipamhandle
6701 description: 'APIVersion defines the versioned schema of this representation
6702 of an object. Servers should convert recognized schemas to the latest
6703 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6706 description: 'Kind is a string value representing the REST resource this
6707 object represents. Servers may infer this from the endpoint the client
6708 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6713 description: IPAMHandleSpec contains the specification for an IPAMHandle
6717 additionalProperties:
6738 apiVersion: apiextensions.k8s.io/v1
6739 kind: CustomResourceDefinition
6741 name: ippools.crd.projectcalico.org
6743 group: crd.projectcalico.org
6746 listKind: IPPoolList
6756 description: 'APIVersion defines the versioned schema of this representation
6757 of an object. Servers should convert recognized schemas to the latest
6758 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6761 description: 'Kind is a string value representing the REST resource this
6762 object represents. Servers may infer this from the endpoint the client
6763 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6768 description: IPPoolSpec contains the specification for an IPPool resource.
6771 description: AllowedUse controls what the IP pool will be used for. If
6772 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
6777 description: The block size to use for IP address assignments from
6778 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
6781 description: The pool CIDR.
6784 description: 'Disable exporting routes from this IP Pool''s CIDR over
6785 BGP. [Default: false]'
6788 description: When disabled is true, Calico IPAM will not assign addresses
6792 description: 'Deprecated: this field is only used for APIv1 backwards
6793 compatibility. Setting this field is not allowed, this field is
6794 for internal use only.'
6797 description: When enabled is true, ipip tunneling will be used
6798 to deliver packets to destinations within this pool.
6801 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
6802 mode of "always" will also use IPIP tunneling for routing to
6803 destination IP addresses within this pool. A mode of "cross-subnet"
6804 will only use IPIP tunneling when the destination node is on
6805 a different subnet to the originating node. The default value
6806 (if not specified) is "always".
6810 description: Contains configuration for IPIP tunneling for this pool.
6811 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
6815 description: 'Deprecated: this field is only used for APIv1 backwards
6816 compatibility. Setting this field is not allowed, this field is
6817 for internal use only.'
6820 description: When nat-outgoing is true, packets sent from Calico networked
6821 containers in this pool to destinations outside of this pool will
6825 description: Allows IPPool to allocate for a specific node by label
6829 description: Contains configuration for VXLAN tunneling for this pool.
6830 If not specified, then this is defaulted to "Never" (i.e. VXLAN
6831 tunneling is disabled).
6846 apiVersion: apiextensions.k8s.io/v1
6847 kind: CustomResourceDefinition
6849 name: ipreservations.crd.projectcalico.org
6851 group: crd.projectcalico.org
6854 listKind: IPReservationList
6855 plural: ipreservations
6856 singular: ipreservation
6864 description: 'APIVersion defines the versioned schema of this representation
6865 of an object. Servers should convert recognized schemas to the latest
6866 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6869 description: 'Kind is a string value representing the REST resource this
6870 object represents. Servers may infer this from the endpoint the client
6871 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6876 description: IPReservationSpec contains the specification for an IPReservation
6880 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
6881 that Calico IPAM will exclude from new allocations.
6896 apiVersion: apiextensions.k8s.io/v1
6897 kind: CustomResourceDefinition
6899 name: kubecontrollersconfigurations.crd.projectcalico.org
6901 group: crd.projectcalico.org
6903 kind: KubeControllersConfiguration
6904 listKind: KubeControllersConfigurationList
6905 plural: kubecontrollersconfigurations
6906 singular: kubecontrollersconfiguration
6914 description: 'APIVersion defines the versioned schema of this representation
6915 of an object. Servers should convert recognized schemas to the latest
6916 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
6919 description: 'Kind is a string value representing the REST resource this
6920 object represents. Servers may infer this from the endpoint the client
6921 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
6926 description: KubeControllersConfigurationSpec contains the values of the
6927 Kubernetes controllers configuration.
6930 description: Controllers enables and configures individual Kubernetes
6934 description: Namespace enables and configures the namespace controller.
6935 Enabled by default, set to nil to disable.
6938 description: 'ReconcilerPeriod is the period to perform reconciliation
6939 with the Calico datastore. [Default: 5m]'
6943 description: Node enables and configures the node controller.
6944 Enabled by default, set to nil to disable.
6947 description: HostEndpoint controls syncing nodes to host endpoints.
6948 Disabled by default, set to nil to disable.
6951 description: 'AutoCreate enables automatic creation of
6952 host endpoints for every node. [Default: Disabled]'
6956 description: 'LeakGracePeriod is the period used by the controller
6957 to determine if an IP address has been leaked. Set to 0
6958 to disable IP garbage collection. [Default: 15m]'
6961 description: 'ReconcilerPeriod is the period to perform reconciliation
6962 with the Calico datastore. [Default: 5m]'
6965 description: 'SyncLabels controls whether to copy Kubernetes
6966 node labels to Calico nodes. [Default: Enabled]'
6970 description: Policy enables and configures the policy controller.
6971 Enabled by default, set to nil to disable.
6974 description: 'ReconcilerPeriod is the period to perform reconciliation
6975 with the Calico datastore. [Default: 5m]'
6979 description: ServiceAccount enables and configures the service
6980 account controller. Enabled by default, set to nil to disable.
6983 description: 'ReconcilerPeriod is the period to perform reconciliation
6984 with the Calico datastore. [Default: 5m]'
6988 description: WorkloadEndpoint enables and configures the workload
6989 endpoint controller. Enabled by default, set to nil to disable.
6992 description: 'ReconcilerPeriod is the period to perform reconciliation
6993 with the Calico datastore. [Default: 5m]'
6997 etcdV3CompactionPeriod:
6998 description: 'EtcdV3CompactionPeriod is the period between etcdv3
6999 compaction requests. Set to 0 to disable. [Default: 10m]'
7002 description: 'HealthChecks enables or disables support for health
7003 checks [Default: Enabled]'
7006 description: 'LogSeverityScreen is the log severity above which logs
7007 are sent to the stdout. [Default: Info]'
7009 prometheusMetricsPort:
7010 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
7011 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
7017 description: KubeControllersConfigurationStatus represents the status
7018 of the configuration. It's useful for admins to be able to see the actual
7019 config that was applied, which can be modified by environment variables
7020 on the kube-controllers process.
7023 additionalProperties:
7025 description: EnvironmentVars contains the environment variables on
7026 the kube-controllers that influenced the RunningConfig.
7029 description: RunningConfig contains the effective config that is running
7030 in the kube-controllers pod, after merging the API resource with
7031 any environment variables.
7034 description: Controllers enables and configures individual Kubernetes
7038 description: Namespace enables and configures the namespace
7039 controller. Enabled by default, set to nil to disable.
7042 description: 'ReconcilerPeriod is the period to perform
7043 reconciliation with the Calico datastore. [Default:
7048 description: Node enables and configures the node controller.
7049 Enabled by default, set to nil to disable.
7052 description: HostEndpoint controls syncing nodes to host
7053 endpoints. Disabled by default, set to nil to disable.
7056 description: 'AutoCreate enables automatic creation
7057 of host endpoints for every node. [Default: Disabled]'
7061 description: 'LeakGracePeriod is the period used by the
7062 controller to determine if an IP address has been leaked.
7063 Set to 0 to disable IP garbage collection. [Default:
7067 description: 'ReconcilerPeriod is the period to perform
7068 reconciliation with the Calico datastore. [Default:
7072 description: 'SyncLabels controls whether to copy Kubernetes
7073 node labels to Calico nodes. [Default: Enabled]'
7077 description: Policy enables and configures the policy controller.
7078 Enabled by default, set to nil to disable.
7081 description: 'ReconcilerPeriod is the period to perform
7082 reconciliation with the Calico datastore. [Default:
7087 description: ServiceAccount enables and configures the service
7088 account controller. Enabled by default, set to nil to disable.
7091 description: 'ReconcilerPeriod is the period to perform
7092 reconciliation with the Calico datastore. [Default:
7097 description: WorkloadEndpoint enables and configures the workload
7098 endpoint controller. Enabled by default, set to nil to disable.
7101 description: 'ReconcilerPeriod is the period to perform
7102 reconciliation with the Calico datastore. [Default:
7107 etcdV3CompactionPeriod:
7108 description: 'EtcdV3CompactionPeriod is the period between etcdv3
7109 compaction requests. Set to 0 to disable. [Default: 10m]'
7112 description: 'HealthChecks enables or disables support for health
7113 checks [Default: Enabled]'
7116 description: 'LogSeverityScreen is the log severity above which
7117 logs are sent to the stdout. [Default: Info]'
7119 prometheusMetricsPort:
7120 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
7121 metrics server should bind to. Set to 0 to disable. [Default:
7138 apiVersion: apiextensions.k8s.io/v1
7139 kind: CustomResourceDefinition
7141 name: networkpolicies.crd.projectcalico.org
7143 group: crd.projectcalico.org
7146 listKind: NetworkPolicyList
7147 plural: networkpolicies
7148 singular: networkpolicy
7156 description: 'APIVersion defines the versioned schema of this representation
7157 of an object. Servers should convert recognized schemas to the latest
7158 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7161 description: 'Kind is a string value representing the REST resource this
7162 object represents. Servers may infer this from the endpoint the client
7163 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
7170 description: The ordered set of egress rules. Each rule contains
7171 a set of packet match criteria and a corresponding action to apply.
7173 description: "A Rule encapsulates a set of match criteria and an
7174 action. Both selector-based security Policy and security Profiles
7175 reference rules - separated out as a list of rules for both ingress
7176 and egress packet matching. \n Each positive match criteria has
7177 a negated version, prefixed with \"Not\". All the match criteria
7178 within a rule must be satisfied for a packet to match. A single
7179 rule can contain the positive and negative version of a match
7180 and both must be satisfied for the rule to match."
7185 description: Destination contains the match criteria that apply
7186 to destination entity.
7189 description: "NamespaceSelector is an optional field that
7190 contains a selector expression. Only traffic that originates
7191 from (or terminates at) endpoints within the selected
7192 namespaces will be matched. When both NamespaceSelector
7193 and another selector are defined on the same rule, then
7194 only workload endpoints that are matched by both selectors
7195 will be selected by the rule. \n For NetworkPolicy, an
7196 empty NamespaceSelector implies that the Selector is limited
7197 to selecting only workload endpoints in the same namespace
7198 as the NetworkPolicy. \n For NetworkPolicy, `global()`
7199 NamespaceSelector implies that the Selector is limited
7200 to selecting only GlobalNetworkSet or HostEndpoint. \n
7201 For GlobalNetworkPolicy, an empty NamespaceSelector implies
7202 the Selector applies to workload endpoints across all
7206 description: Nets is an optional field that restricts the
7207 rule to only apply to traffic that originates from (or
7208 terminates at) IP addresses in any of the given subnets.
7213 description: NotNets is the negated version of the Nets
7219 description: NotPorts is the negated version of the Ports
7220 field. Since only some protocols have ports, if any ports
7221 are specified it requires the Protocol match in the Rule
7222 to be set to "TCP" or "UDP".
7228 x-kubernetes-int-or-string: true
7231 description: NotSelector is the negated version of the Selector
7232 field. See Selector field for subtleties with negated
7236 description: "Ports is an optional field that restricts
7237 the rule to only apply to traffic that has a source (destination)
7238 port that matches one of these ranges/values. This value
7239 is a list of integers or strings that represent ranges
7240 of ports. \n Since only some protocols have ports, if
7241 any ports are specified it requires the Protocol match
7242 in the Rule to be set to \"TCP\" or \"UDP\"."
7248 x-kubernetes-int-or-string: true
7251 description: "Selector is an optional field that contains
7252 a selector expression (see Policy for sample syntax).
7253 \ Only traffic that originates from (terminates at) endpoints
7254 matching the selector will be matched. \n Note that: in
7255 addition to the negated version of the Selector (see NotSelector
7256 below), the selector expression syntax itself supports
7257 negation. The two types of negation are subtly different.
7258 One negates the set of matched endpoints, the other negates
7259 the whole match: \n \tSelector = \"!has(my_label)\" matches
7260 packets that are from other Calico-controlled \tendpoints
7261 that do not have the label \"my_label\". \n \tNotSelector
7262 = \"has(my_label)\" matches packets that are not from
7263 Calico-controlled \tendpoints that do have the label \"my_label\".
7264 \n The effect is that the latter will accept packets from
7265 non-Calico sources whereas the former is limited to packets
7266 from Calico-controlled endpoints."
7269 description: ServiceAccounts is an optional field that restricts
7270 the rule to only apply to traffic that originates from
7271 (or terminates at) a pod running as a matching service
7275 description: Names is an optional field that restricts
7276 the rule to only apply to traffic that originates
7277 from (or terminates at) a pod running as a service
7278 account whose name is in the list.
7283 description: Selector is an optional field that restricts
7284 the rule to only apply to traffic that originates
7285 from (or terminates at) a pod running as a service
7286 account that matches the given label selector. If
7287 both Names and Selector are specified then they are
7292 description: "Services is an optional field that contains
7293 options for matching Kubernetes Services. If specified,
7294 only traffic that originates from or terminates at endpoints
7295 within the selected service(s) will be matched, and only
7296 to/from each endpoint's port. \n Services cannot be specified
7297 on the same rule as Selector, NotSelector, NamespaceSelector,
7298 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
7299 can only be specified with Services on ingress rules."
7302 description: Name specifies the name of a Kubernetes
7306 description: Namespace specifies the namespace of the
7307 given Service. If left empty, the rule will match
7308 within this policy's namespace.
7313 description: HTTP contains match criteria that apply to HTTP
7317 description: Methods is an optional field that restricts
7318 the rule to apply only to HTTP requests that use one of
7319 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
7320 methods are OR'd together.
7325 description: 'Paths is an optional field that restricts
7326 the rule to apply to HTTP requests that use one of the
7327 listed HTTP Paths. Multiple paths are OR''d together.
7328 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
7329 ONLY specify either a `exact` or a `prefix` match. The
7330 validator will check for it.'
7332 description: 'HTTPPath specifies an HTTP path to match.
7333 It may be either of the form: exact: <path>: which matches
7334 the path exactly or prefix: <path-prefix>: which matches
7345 description: ICMP is an optional field that restricts the rule
7346 to apply to a specific type and code of ICMP traffic. This
7347 should only be specified if the Protocol field is set to "ICMP"
7351 description: Match on a specific ICMP code. If specified,
7352 the Type value must also be specified. This is a technical
7353 limitation imposed by the kernel's iptables firewall,
7354 which Calico uses to enforce the rule.
7357 description: Match on a specific ICMP type. For example
7358 a value of 8 refers to ICMP Echo Request (i.e. pings).
7362 description: IPVersion is an optional field that restricts the
7363 rule to only match a specific IP version.
7366 description: Metadata contains additional information for this
7370 additionalProperties:
7372 description: Annotations is a set of key value pairs that
7373 give extra information about the rule
7377 description: NotICMP is the negated version of the ICMP field.
7380 description: Match on a specific ICMP code. If specified,
7381 the Type value must also be specified. This is a technical
7382 limitation imposed by the kernel's iptables firewall,
7383 which Calico uses to enforce the rule.
7386 description: Match on a specific ICMP type. For example
7387 a value of 8 refers to ICMP Echo Request (i.e. pings).
7394 description: NotProtocol is the negated version of the Protocol
7397 x-kubernetes-int-or-string: true
7402 description: "Protocol is an optional field that restricts the
7403 rule to only apply to traffic of a specific IP protocol. Required
7404 if any of the EntityRules contain Ports (because ports only
7405 apply to certain protocols). \n Must be one of these string
7406 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
7407 \"UDPLite\" or an integer in the range 1-255."
7409 x-kubernetes-int-or-string: true
7411 description: Source contains the match criteria that apply to
7415 description: "NamespaceSelector is an optional field that
7416 contains a selector expression. Only traffic that originates
7417 from (or terminates at) endpoints within the selected
7418 namespaces will be matched. When both NamespaceSelector
7419 and another selector are defined on the same rule, then
7420 only workload endpoints that are matched by both selectors
7421 will be selected by the rule. \n For NetworkPolicy, an
7422 empty NamespaceSelector implies that the Selector is limited
7423 to selecting only workload endpoints in the same namespace
7424 as the NetworkPolicy. \n For NetworkPolicy, `global()`
7425 NamespaceSelector implies that the Selector is limited
7426 to selecting only GlobalNetworkSet or HostEndpoint. \n
7427 For GlobalNetworkPolicy, an empty NamespaceSelector implies
7428 the Selector applies to workload endpoints across all
7432 description: Nets is an optional field that restricts the
7433 rule to only apply to traffic that originates from (or
7434 terminates at) IP addresses in any of the given subnets.
7439 description: NotNets is the negated version of the Nets
7445 description: NotPorts is the negated version of the Ports
7446 field. Since only some protocols have ports, if any ports
7447 are specified it requires the Protocol match in the Rule
7448 to be set to "TCP" or "UDP".
7454 x-kubernetes-int-or-string: true
7457 description: NotSelector is the negated version of the Selector
7458 field. See Selector field for subtleties with negated
7462 description: "Ports is an optional field that restricts
7463 the rule to only apply to traffic that has a source (destination)
7464 port that matches one of these ranges/values. This value
7465 is a list of integers or strings that represent ranges
7466 of ports. \n Since only some protocols have ports, if
7467 any ports are specified it requires the Protocol match
7468 in the Rule to be set to \"TCP\" or \"UDP\"."
7474 x-kubernetes-int-or-string: true
7477 description: "Selector is an optional field that contains
7478 a selector expression (see Policy for sample syntax).
7479 \ Only traffic that originates from (terminates at) endpoints
7480 matching the selector will be matched. \n Note that: in
7481 addition to the negated version of the Selector (see NotSelector
7482 below), the selector expression syntax itself supports
7483 negation. The two types of negation are subtly different.
7484 One negates the set of matched endpoints, the other negates
7485 the whole match: \n \tSelector = \"!has(my_label)\" matches
7486 packets that are from other Calico-controlled \tendpoints
7487 that do not have the label \"my_label\". \n \tNotSelector
7488 = \"has(my_label)\" matches packets that are not from
7489 Calico-controlled \tendpoints that do have the label \"my_label\".
7490 \n The effect is that the latter will accept packets from
7491 non-Calico sources whereas the former is limited to packets
7492 from Calico-controlled endpoints."
7495 description: ServiceAccounts is an optional field that restricts
7496 the rule to only apply to traffic that originates from
7497 (or terminates at) a pod running as a matching service
7501 description: Names is an optional field that restricts
7502 the rule to only apply to traffic that originates
7503 from (or terminates at) a pod running as a service
7504 account whose name is in the list.
7509 description: Selector is an optional field that restricts
7510 the rule to only apply to traffic that originates
7511 from (or terminates at) a pod running as a service
7512 account that matches the given label selector. If
7513 both Names and Selector are specified then they are
7518 description: "Services is an optional field that contains
7519 options for matching Kubernetes Services. If specified,
7520 only traffic that originates from or terminates at endpoints
7521 within the selected service(s) will be matched, and only
7522 to/from each endpoint's port. \n Services cannot be specified
7523 on the same rule as Selector, NotSelector, NamespaceSelector,
7524 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
7525 can only be specified with Services on ingress rules."
7528 description: Name specifies the name of a Kubernetes
7532 description: Namespace specifies the namespace of the
7533 given Service. If left empty, the rule will match
7534 within this policy's namespace.
7543 description: The ordered set of ingress rules. Each rule contains
7544 a set of packet match criteria and a corresponding action to apply.
7546 description: "A Rule encapsulates a set of match criteria and an
7547 action. Both selector-based security Policy and security Profiles
7548 reference rules - separated out as a list of rules for both ingress
7549 and egress packet matching. \n Each positive match criteria has
7550 a negated version, prefixed with \"Not\". All the match criteria
7551 within a rule must be satisfied for a packet to match. A single
7552 rule can contain the positive and negative version of a match
7553 and both must be satisfied for the rule to match."
7558 description: Destination contains the match criteria that apply
7559 to destination entity.
7562 description: "NamespaceSelector is an optional field that
7563 contains a selector expression. Only traffic that originates
7564 from (or terminates at) endpoints within the selected
7565 namespaces will be matched. When both NamespaceSelector
7566 and another selector are defined on the same rule, then
7567 only workload endpoints that are matched by both selectors
7568 will be selected by the rule. \n For NetworkPolicy, an
7569 empty NamespaceSelector implies that the Selector is limited
7570 to selecting only workload endpoints in the same namespace
7571 as the NetworkPolicy. \n For NetworkPolicy, `global()`
7572 NamespaceSelector implies that the Selector is limited
7573 to selecting only GlobalNetworkSet or HostEndpoint. \n
7574 For GlobalNetworkPolicy, an empty NamespaceSelector implies
7575 the Selector applies to workload endpoints across all
7579 description: Nets is an optional field that restricts the
7580 rule to only apply to traffic that originates from (or
7581 terminates at) IP addresses in any of the given subnets.
7586 description: NotNets is the negated version of the Nets
7592 description: NotPorts is the negated version of the Ports
7593 field. Since only some protocols have ports, if any ports
7594 are specified it requires the Protocol match in the Rule
7595 to be set to "TCP" or "UDP".
7601 x-kubernetes-int-or-string: true
7604 description: NotSelector is the negated version of the Selector
7605 field. See Selector field for subtleties with negated
7609 description: "Ports is an optional field that restricts
7610 the rule to only apply to traffic that has a source (destination)
7611 port that matches one of these ranges/values. This value
7612 is a list of integers or strings that represent ranges
7613 of ports. \n Since only some protocols have ports, if
7614 any ports are specified it requires the Protocol match
7615 in the Rule to be set to \"TCP\" or \"UDP\"."
7621 x-kubernetes-int-or-string: true
7624 description: "Selector is an optional field that contains
7625 a selector expression (see Policy for sample syntax).
7626 \ Only traffic that originates from (terminates at) endpoints
7627 matching the selector will be matched. \n Note that: in
7628 addition to the negated version of the Selector (see NotSelector
7629 below), the selector expression syntax itself supports
7630 negation. The two types of negation are subtly different.
7631 One negates the set of matched endpoints, the other negates
7632 the whole match: \n \tSelector = \"!has(my_label)\" matches
7633 packets that are from other Calico-controlled \tendpoints
7634 that do not have the label \"my_label\". \n \tNotSelector
7635 = \"has(my_label)\" matches packets that are not from
7636 Calico-controlled \tendpoints that do have the label \"my_label\".
7637 \n The effect is that the latter will accept packets from
7638 non-Calico sources whereas the former is limited to packets
7639 from Calico-controlled endpoints."
7642 description: ServiceAccounts is an optional field that restricts
7643 the rule to only apply to traffic that originates from
7644 (or terminates at) a pod running as a matching service
7648 description: Names is an optional field that restricts
7649 the rule to only apply to traffic that originates
7650 from (or terminates at) a pod running as a service
7651 account whose name is in the list.
7656 description: Selector is an optional field that restricts
7657 the rule to only apply to traffic that originates
7658 from (or terminates at) a pod running as a service
7659 account that matches the given label selector. If
7660 both Names and Selector are specified then they are
7665 description: "Services is an optional field that contains
7666 options for matching Kubernetes Services. If specified,
7667 only traffic that originates from or terminates at endpoints
7668 within the selected service(s) will be matched, and only
7669 to/from each endpoint's port. \n Services cannot be specified
7670 on the same rule as Selector, NotSelector, NamespaceSelector,
7671 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
7672 can only be specified with Services on ingress rules."
7675 description: Name specifies the name of a Kubernetes
7679 description: Namespace specifies the namespace of the
7680 given Service. If left empty, the rule will match
7681 within this policy's namespace.
7686 description: HTTP contains match criteria that apply to HTTP
7690 description: Methods is an optional field that restricts
7691 the rule to apply only to HTTP requests that use one of
7692 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
7693 methods are OR'd together.
7698 description: 'Paths is an optional field that restricts
7699 the rule to apply to HTTP requests that use one of the
7700 listed HTTP Paths. Multiple paths are OR''d together.
7701 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
7702 ONLY specify either a `exact` or a `prefix` match. The
7703 validator will check for it.'
7705 description: 'HTTPPath specifies an HTTP path to match.
7706 It may be either of the form: exact: <path>: which matches
7707 the path exactly or prefix: <path-prefix>: which matches
7718 description: ICMP is an optional field that restricts the rule
7719 to apply to a specific type and code of ICMP traffic. This
7720 should only be specified if the Protocol field is set to "ICMP"
7724 description: Match on a specific ICMP code. If specified,
7725 the Type value must also be specified. This is a technical
7726 limitation imposed by the kernel's iptables firewall,
7727 which Calico uses to enforce the rule.
7730 description: Match on a specific ICMP type. For example
7731 a value of 8 refers to ICMP Echo Request (i.e. pings).
7735 description: IPVersion is an optional field that restricts the
7736 rule to only match a specific IP version.
7739 description: Metadata contains additional information for this
7743 additionalProperties:
7745 description: Annotations is a set of key value pairs that
7746 give extra information about the rule
7750 description: NotICMP is the negated version of the ICMP field.
7753 description: Match on a specific ICMP code. If specified,
7754 the Type value must also be specified. This is a technical
7755 limitation imposed by the kernel's iptables firewall,
7756 which Calico uses to enforce the rule.
7759 description: Match on a specific ICMP type. For example
7760 a value of 8 refers to ICMP Echo Request (i.e. pings).
7767 description: NotProtocol is the negated version of the Protocol
7770 x-kubernetes-int-or-string: true
7775 description: "Protocol is an optional field that restricts the
7776 rule to only apply to traffic of a specific IP protocol. Required
7777 if any of the EntityRules contain Ports (because ports only
7778 apply to certain protocols). \n Must be one of these string
7779 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
7780 \"UDPLite\" or an integer in the range 1-255."
7782 x-kubernetes-int-or-string: true
7784 description: Source contains the match criteria that apply to
7788 description: "NamespaceSelector is an optional field that
7789 contains a selector expression. Only traffic that originates
7790 from (or terminates at) endpoints within the selected
7791 namespaces will be matched. When both NamespaceSelector
7792 and another selector are defined on the same rule, then
7793 only workload endpoints that are matched by both selectors
7794 will be selected by the rule. \n For NetworkPolicy, an
7795 empty NamespaceSelector implies that the Selector is limited
7796 to selecting only workload endpoints in the same namespace
7797 as the NetworkPolicy. \n For NetworkPolicy, `global()`
7798 NamespaceSelector implies that the Selector is limited
7799 to selecting only GlobalNetworkSet or HostEndpoint. \n
7800 For GlobalNetworkPolicy, an empty NamespaceSelector implies
7801 the Selector applies to workload endpoints across all
7805 description: Nets is an optional field that restricts the
7806 rule to only apply to traffic that originates from (or
7807 terminates at) IP addresses in any of the given subnets.
7812 description: NotNets is the negated version of the Nets
7818 description: NotPorts is the negated version of the Ports
7819 field. Since only some protocols have ports, if any ports
7820 are specified it requires the Protocol match in the Rule
7821 to be set to "TCP" or "UDP".
7827 x-kubernetes-int-or-string: true
7830 description: NotSelector is the negated version of the Selector
7831 field. See Selector field for subtleties with negated
7835 description: "Ports is an optional field that restricts
7836 the rule to only apply to traffic that has a source (destination)
7837 port that matches one of these ranges/values. This value
7838 is a list of integers or strings that represent ranges
7839 of ports. \n Since only some protocols have ports, if
7840 any ports are specified it requires the Protocol match
7841 in the Rule to be set to \"TCP\" or \"UDP\"."
7847 x-kubernetes-int-or-string: true
7850 description: "Selector is an optional field that contains
7851 a selector expression (see Policy for sample syntax).
7852 \ Only traffic that originates from (terminates at) endpoints
7853 matching the selector will be matched. \n Note that: in
7854 addition to the negated version of the Selector (see NotSelector
7855 below), the selector expression syntax itself supports
7856 negation. The two types of negation are subtly different.
7857 One negates the set of matched endpoints, the other negates
7858 the whole match: \n \tSelector = \"!has(my_label)\" matches
7859 packets that are from other Calico-controlled \tendpoints
7860 that do not have the label \"my_label\". \n \tNotSelector
7861 = \"has(my_label)\" matches packets that are not from
7862 Calico-controlled \tendpoints that do have the label \"my_label\".
7863 \n The effect is that the latter will accept packets from
7864 non-Calico sources whereas the former is limited to packets
7865 from Calico-controlled endpoints."
7868 description: ServiceAccounts is an optional field that restricts
7869 the rule to only apply to traffic that originates from
7870 (or terminates at) a pod running as a matching service
7874 description: Names is an optional field that restricts
7875 the rule to only apply to traffic that originates
7876 from (or terminates at) a pod running as a service
7877 account whose name is in the list.
7882 description: Selector is an optional field that restricts
7883 the rule to only apply to traffic that originates
7884 from (or terminates at) a pod running as a service
7885 account that matches the given label selector. If
7886 both Names and Selector are specified then they are
7891 description: "Services is an optional field that contains
7892 options for matching Kubernetes Services. If specified,
7893 only traffic that originates from or terminates at endpoints
7894 within the selected service(s) will be matched, and only
7895 to/from each endpoint's port. \n Services cannot be specified
7896 on the same rule as Selector, NotSelector, NamespaceSelector,
7897 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
7898 can only be specified with Services on ingress rules."
7901 description: Name specifies the name of a Kubernetes
7905 description: Namespace specifies the namespace of the
7906 given Service. If left empty, the rule will match
7907 within this policy's namespace.
7916 description: Order is an optional field that specifies the order in
7917 which the policy is applied. Policies with higher "order" are applied
7918 after those with lower order. If the order is omitted, it may be
7919 considered to be "infinite" - i.e. the policy will be applied last. Policies
7920 with identical order will be applied in alphanumerical order based
7921 on the Policy "Name".
7924 description: "The selector is an expression used to pick pick out
7925 the endpoints that the policy should be applied to. \n Selector
7926 expressions follow this syntax: \n \tlabel == \"string_literal\"
7927 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
7928 \ -> not equal; also matches if label is not present \tlabel in
7929 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
7930 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
7931 ... } -> true if the value of label X is not one of \"a\", \"b\",
7932 \"c\" \thas(label_name) -> True if that label is present \t! expr
7933 -> negation of expr \texpr && expr -> Short-circuit and \texpr
7934 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
7935 or the empty selector -> matches all endpoints. \n Label names are
7936 allowed to contain alphanumerics, -, _ and /. String literals are
7937 more permissive but they do not support escape characters. \n Examples
7938 (with made-up labels): \n \ttype == \"webserver\" && deployment
7939 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
7940 \"dev\" \t! has(label_name)"
7942 serviceAccountSelector:
7943 description: ServiceAccountSelector is an optional field for an expression
7944 used to select a pod based on service accounts.
7947 description: "Types indicates whether this policy applies to ingress,
7948 or to egress, or to both. When not explicitly specified (and so
7949 the value on creation is empty or nil), Calico defaults Types according
7950 to what Ingress and Egress are present in the policy. The default
7951 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
7952 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
7953 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
7954 PolicyTypeEgress ], if there are both Ingress and Egress rules.
7955 \n When the policy is read back again, Types will always be one
7956 of these values, never empty or nil."
7958 description: PolicyType enumerates the possible values of the PolicySpec
7973 apiVersion: apiextensions.k8s.io/v1
7974 kind: CustomResourceDefinition
7976 name: networksets.crd.projectcalico.org
7978 group: crd.projectcalico.org
7981 listKind: NetworkSetList
7983 singular: networkset
7989 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
7992 description: 'APIVersion defines the versioned schema of this representation
7993 of an object. Servers should convert recognized schemas to the latest
7994 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
7997 description: 'Kind is a string value representing the REST resource this
7998 object represents. Servers may infer this from the endpoint the client
7999 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8004 description: NetworkSetSpec contains the specification for a NetworkSet
8008 description: The list of IP networks that belong to this set.
8024 kind: ServiceAccount
8026 name: calico-kube-controllers
8027 namespace: kube-system
8030 kind: ServiceAccount
8033 namespace: kube-system
8035 apiVersion: rbac.authorization.k8s.io/v1
8038 name: calico-kube-controllers
8057 - crd.projectcalico.org
8064 - crd.projectcalico.org
8077 - crd.projectcalico.org
8087 - crd.projectcalico.org
8089 - clusterinformations
8095 - crd.projectcalico.org
8097 - kubecontrollersconfigurations
8104 apiVersion: rbac.authorization.k8s.io/v1
8169 - crd.projectcalico.org
8171 - globalfelixconfigs
8172 - felixconfigurations
8179 - globalnetworkpolicies
8183 - clusterinformations
8186 - caliconodestatuses
8192 - crd.projectcalico.org
8195 - felixconfigurations
8196 - clusterinformations
8201 - crd.projectcalico.org
8203 - caliconodestatuses
8215 - crd.projectcalico.org
8223 - crd.projectcalico.org
8235 - crd.projectcalico.org
8241 - crd.projectcalico.org
8253 apiVersion: rbac.authorization.k8s.io/v1
8254 kind: ClusterRoleBinding
8256 name: calico-kube-controllers
8258 apiGroup: rbac.authorization.k8s.io
8260 name: calico-kube-controllers
8262 - kind: ServiceAccount
8263 name: calico-kube-controllers
8264 namespace: kube-system
8266 apiVersion: rbac.authorization.k8s.io/v1
8267 kind: ClusterRoleBinding
8271 apiGroup: rbac.authorization.k8s.io
8275 - kind: ServiceAccount
8277 namespace: kube-system
8281 calico_backend: bird
8282 cni_network_config: |-
8284 "name": "k8s-pod-network",
8285 "cniVersion": "0.3.1",
8289 "log_level": "info",
8290 "log_file_path": "/var/log/calico/cni/cni.log",
8291 "datastore_type": "kubernetes",
8292 "nodename": "__KUBERNETES_NODE_NAME__",
8295 "type": "calico-ipam",
8296 "assign_ipv4": "true",
8297 "assign_ipv6": "true"
8303 "kubeconfig": "__KUBECONFIG_FILEPATH__"
8309 "capabilities": {"portMappings": true}
8312 "type": "bandwidth",
8313 "capabilities": {"bandwidth": true}
8317 typha_service_name: none
8322 namespace: kube-system
8328 k8s-app: calico-kube-controllers
8329 name: calico-kube-controllers
8330 namespace: kube-system
8335 k8s-app: calico-kube-controllers
8341 k8s-app: calico-kube-controllers
8342 name: calico-kube-controllers
8343 namespace: kube-system
8347 - name: ENABLED_CONTROLLERS
8349 - name: DATASTORE_TYPE
8351 image: docker.io/calico/kube-controllers:v3.22.1
8355 - /usr/bin/check-status
8358 initialDelaySeconds: 10
8361 name: calico-kube-controllers
8365 - /usr/bin/check-status
8369 kubernetes.io/os: linux
8370 priorityClassName: system-cluster-critical
8371 serviceAccountName: calico-kube-controllers
8373 - key: CriticalAddonsOnly
8375 - effect: NoSchedule
8376 key: node-role.kubernetes.io/master
8378 apiVersion: policy/v1beta1
8379 kind: PodDisruptionBudget
8382 k8s-app: calico-kube-controllers
8383 name: calico-kube-controllers
8384 namespace: kube-system
8389 k8s-app: calico-kube-controllers
8395 k8s-app: calico-node
8397 namespace: kube-system
8401 k8s-app: calico-node
8405 k8s-app: calico-node
8409 - name: IP_AUTODETECTION_METHOD
8410 value: can-reach=www.google.com
8411 - name: IP6_AUTODETECTION_METHOD
8412 value: can-reach=www.google.com
8415 - name: FELIX_IPV6SUPPORT
8417 - name: DATASTORE_TYPE
8419 - name: WAIT_FOR_DATASTORE
8424 fieldPath: spec.nodeName
8425 - name: CALICO_NETWORKING_BACKEND
8430 - name: CLUSTER_TYPE
8434 - name: CALICO_IPV4POOL_IPIP
8436 - name: CALICO_IPV4POOL_VXLAN
8438 - name: FELIX_IPINIPMTU
8443 - name: FELIX_VXLANMTU
8448 - name: FELIX_WIREGUARDMTU
8453 - name: CALICO_DISABLE_FILE_LOGGING
8455 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
8457 - name: FELIX_HEALTHENABLED
8461 name: kubernetes-services-endpoint
8463 image: docker.io/calico/node:v3.22.1
8477 initialDelaySeconds: 10
8495 - mountPath: /host/etc/cni/net.d
8498 - mountPath: /lib/modules
8501 - mountPath: /run/xtables.lock
8504 - mountPath: /var/run/calico
8505 name: var-run-calico
8507 - mountPath: /var/lib/calico
8508 name: var-lib-calico
8510 - mountPath: /var/run/nodeagent
8512 - mountPath: /sys/fs/
8513 mountPropagation: Bidirectional
8515 - mountPath: /var/log/calico/cni
8521 - /opt/cni/bin/calico-ipam
8524 - name: KUBERNETES_NODE_NAME
8527 fieldPath: spec.nodeName
8528 - name: CALICO_NETWORKING_BACKEND
8535 name: kubernetes-services-endpoint
8537 image: docker.io/calico/cni:v3.22.1
8542 - mountPath: /var/lib/cni/networks
8543 name: host-local-net-dir
8544 - mountPath: /host/opt/cni/bin
8547 - /opt/cni/bin/install
8549 - name: CNI_CONF_NAME
8550 value: 10-calico.conflist
8551 - name: CNI_NETWORK_CONFIG
8554 key: cni_network_config
8556 - name: KUBERNETES_NODE_NAME
8559 fieldPath: spec.nodeName
8569 name: kubernetes-services-endpoint
8571 image: docker.io/calico/cni:v3.22.1
8576 - mountPath: /host/opt/cni/bin
8578 - mountPath: /host/etc/cni/net.d
8580 - image: docker.io/calico/pod2daemon-flexvol:v3.22.1
8581 name: flexvol-driver
8585 - mountPath: /host/driver
8586 name: flexvol-driver-host
8588 kubernetes.io/os: linux
8589 priorityClassName: system-node-critical
8590 serviceAccountName: calico-node
8591 terminationGracePeriodSeconds: 0
8593 - effect: NoSchedule
8595 - key: CriticalAddonsOnly
8604 path: /var/run/calico
8605 name: var-run-calico
8607 path: /var/lib/calico
8608 name: var-lib-calico
8610 path: /run/xtables.lock
8615 type: DirectoryOrCreate
8621 path: /etc/cni/net.d
8624 path: /var/log/calico/cni
8627 path: /var/lib/cni/networks
8628 name: host-local-net-dir
8630 path: /var/run/nodeagent
8631 type: DirectoryOrCreate
8634 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
8635 type: DirectoryOrCreate
8636 name: flexvol-driver-host
8643 creationTimestamp: null
8644 name: {{ .Values.clusterName }}-calico-addon
8646 {{- if eq .Values.ipam "ipv6" }}
8651 apiVersion: apiextensions.k8s.io/v1
8652 kind: CustomResourceDefinition
8654 name: bgpconfigurations.crd.projectcalico.org
8656 group: crd.projectcalico.org
8658 kind: BGPConfiguration
8659 listKind: BGPConfigurationList
8660 plural: bgpconfigurations
8661 singular: bgpconfiguration
8667 description: BGPConfiguration contains the configuration for any BGP routing.
8670 description: 'APIVersion defines the versioned schema of this representation
8671 of an object. Servers should convert recognized schemas to the latest
8672 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8675 description: 'Kind is a string value representing the REST resource this
8676 object represents. Servers may infer this from the endpoint the client
8677 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8682 description: BGPConfigurationSpec contains the values of the BGP configuration.
8685 description: 'ASNumber is the default AS number used by a node. [Default:
8690 description: Communities is a list of BGP community values and their
8691 arbitrary names for tagging routes.
8693 description: Community contains standard or large community value
8697 description: Name given to community value.
8700 description: Value must be of format `aa:nn` or `aa:nn:mm`.
8701 For standard community use `aa:nn` format, where `aa` and
8702 `nn` are 16 bit number. For large community use `aa:nn:mm`
8703 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
8704 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
8705 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
8710 description: ListenPort is the port where BGP protocol should listen.
8716 description: 'LogSeverityScreen is the log severity above which logs
8717 are sent to the stdout. [Default: INFO]'
8719 nodeToNodeMeshEnabled:
8720 description: 'NodeToNodeMeshEnabled sets whether full node to node
8721 BGP mesh is enabled. [Default: true]'
8723 prefixAdvertisements:
8724 description: PrefixAdvertisements contains per-prefix advertisement
8727 description: PrefixAdvertisement configures advertisement properties
8728 for the specified CIDR.
8731 description: CIDR for which properties should be advertised.
8734 description: Communities can be list of either community names
8735 already defined in `Specs.Communities` or community value
8736 of format `aa:nn` or `aa:nn:mm`. For standard community use
8737 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
8738 large community use `aa:nn:mm` format, where `aa`, `nn` and
8739 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
8740 `mm` are per-AS identifier.
8747 description: ServiceClusterIPs are the CIDR blocks from which service
8748 cluster IPs are allocated. If specified, Calico will advertise these
8749 blocks, as well as any cluster IPs within them.
8751 description: ServiceClusterIPBlock represents a single allowed ClusterIP
8759 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
8760 Service External IPs. Kubernetes Service ExternalIPs will only be
8761 advertised if they are within one of these blocks.
8763 description: ServiceExternalIPBlock represents a single allowed
8764 External IP CIDR block.
8770 serviceLoadBalancerIPs:
8771 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
8772 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
8773 IPs will only be advertised if they are within one of these blocks.
8775 description: ServiceLoadBalancerIPBlock represents a single allowed
8776 LoadBalancer IP CIDR block.
8793 apiVersion: apiextensions.k8s.io/v1
8794 kind: CustomResourceDefinition
8796 name: bgppeers.crd.projectcalico.org
8798 group: crd.projectcalico.org
8801 listKind: BGPPeerList
8811 description: 'APIVersion defines the versioned schema of this representation
8812 of an object. Servers should convert recognized schemas to the latest
8813 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8816 description: 'Kind is a string value representing the REST resource this
8817 object represents. Servers may infer this from the endpoint the client
8818 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8823 description: BGPPeerSpec contains the specification for a BGPPeer resource.
8826 description: The AS Number of the peer.
8829 keepOriginalNextHop:
8830 description: Option to keep the original nexthop field when routes
8831 are sent to a BGP Peer. Setting "true" configures the selected BGP
8832 Peers node to use the "next hop keep;" instead of "next hop self;"(default)
8833 in the specific branch of the Node on "bird.cfg".
8836 description: Time to allow for software restart. When specified,
8837 this is configured as the graceful restart timeout. When not specified,
8838 the BIRD default of 120s is used.
8841 description: The node name identifying the Calico node instance that
8842 is targeted by this peer. If this is not set, and no nodeSelector
8843 is specified, then this BGP peer selects all nodes in the cluster.
8846 description: Selector for the nodes that should have this peering. When
8847 this is set, the Node field must be empty.
8850 description: Optional BGP password for the peerings generated by this
8854 description: Selects a key of a secret in the node pod's namespace.
8857 description: The key of the secret to select from. Must be
8861 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
8862 TODO: Add other useful fields. apiVersion, kind, uid?'
8865 description: Specify whether the Secret or its key must be
8873 description: The IP address of the peer followed by an optional port
8874 number to peer with. If port number is given, format should be `[<IPv6>]:port`
8875 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
8876 and this peer IP and ASNumber belongs to a calico/node with ListenPort
8877 set in BGPConfiguration, then we use that port to peer.
8880 description: Selector for the remote nodes to peer with. When this
8881 is set, the PeerIP and ASNumber fields must be empty. For each
8882 peering between the local node and selected remote nodes, we configure
8883 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
8884 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
8885 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
8886 or the global default if that is not set.
8889 description: Specifies whether and how to configure a source address
8890 for the peerings generated by this BGPPeer resource. Default value
8891 "UseNodeIP" means to configure the node IP as the source address. "None"
8892 means not to configure a source address.
8905 apiVersion: apiextensions.k8s.io/v1
8906 kind: CustomResourceDefinition
8908 name: blockaffinities.crd.projectcalico.org
8910 group: crd.projectcalico.org
8913 listKind: BlockAffinityList
8914 plural: blockaffinities
8915 singular: blockaffinity
8923 description: 'APIVersion defines the versioned schema of this representation
8924 of an object. Servers should convert recognized schemas to the latest
8925 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8928 description: 'Kind is a string value representing the REST resource this
8929 object represents. Servers may infer this from the endpoint the client
8930 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8935 description: BlockAffinitySpec contains the specification for a BlockAffinity
8941 description: Deleted indicates that this block affinity is being deleted.
8942 This field is a string for compatibility with older releases that
8943 mistakenly treat this field as a string.
8965 apiVersion: apiextensions.k8s.io/v1
8966 kind: CustomResourceDefinition
8969 controller-gen.kubebuilder.io/version: (devel)
8970 creationTimestamp: null
8971 name: caliconodestatuses.crd.projectcalico.org
8973 group: crd.projectcalico.org
8975 kind: CalicoNodeStatus
8976 listKind: CalicoNodeStatusList
8977 plural: caliconodestatuses
8978 singular: caliconodestatus
8986 description: 'APIVersion defines the versioned schema of this representation
8987 of an object. Servers should convert recognized schemas to the latest
8988 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
8991 description: 'Kind is a string value representing the REST resource this
8992 object represents. Servers may infer this from the endpoint the client
8993 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
8998 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
9002 description: Classes declares the types of information to monitor
9003 for this calico/node, and allows for selective status reporting
9004 about certain subsets of information.
9009 description: The node name identifies the Calico node instance for
9012 updatePeriodSeconds:
9013 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
9014 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
9015 Maximum update period is one day.
9020 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
9021 No validation needed for status since it is updated by Calico.
9024 description: Agent holds agent status on the node.
9027 description: BIRDV4 represents the latest observed status of bird4.
9030 description: LastBootTime holds the value of lastBootTime
9031 from bird.ctl output.
9033 lastReconfigurationTime:
9034 description: LastReconfigurationTime holds the value of lastReconfigTime
9035 from bird.ctl output.
9038 description: Router ID used by bird.
9041 description: The state of the BGP Daemon.
9044 description: Version of the BGP daemon
9048 description: BIRDV6 represents the latest observed status of bird6.
9051 description: LastBootTime holds the value of lastBootTime
9052 from bird.ctl output.
9054 lastReconfigurationTime:
9055 description: LastReconfigurationTime holds the value of lastReconfigTime
9056 from bird.ctl output.
9059 description: Router ID used by bird.
9062 description: The state of the BGP Daemon.
9065 description: Version of the BGP daemon
9070 description: BGP holds node BGP status.
9072 numberEstablishedV4:
9073 description: The total number of IPv4 established bgp sessions.
9075 numberEstablishedV6:
9076 description: The total number of IPv6 established bgp sessions.
9078 numberNotEstablishedV4:
9079 description: The total number of IPv4 non-established bgp sessions.
9081 numberNotEstablishedV6:
9082 description: The total number of IPv6 non-established bgp sessions.
9085 description: PeersV4 represents IPv4 BGP peers status on the node.
9087 description: CalicoNodePeer contains the status of BGP peers
9091 description: IP address of the peer whose condition we are
9095 description: Since the state or reason last changed.
9098 description: State is the BGP session state.
9101 description: Type indicates whether this peer is configured
9102 via the node-to-node mesh, or via en explicit global or
9103 per-node BGPPeer object.
9108 description: PeersV6 represents IPv6 BGP peers status on the node.
9110 description: CalicoNodePeer contains the status of BGP peers
9114 description: IP address of the peer whose condition we are
9118 description: Since the state or reason last changed.
9121 description: State is the BGP session state.
9124 description: Type indicates whether this peer is configured
9125 via the node-to-node mesh, or via en explicit global or
9126 per-node BGPPeer object.
9131 - numberEstablishedV4
9132 - numberEstablishedV6
9133 - numberNotEstablishedV4
9134 - numberNotEstablishedV6
9137 description: LastUpdated is a timestamp representing the server time
9138 when CalicoNodeStatus object last updated. It is represented in
9139 RFC3339 form and is in UTC.
9144 description: Routes reports routes known to the Calico BGP daemon
9148 description: RoutesV4 represents IPv4 routes on the node.
9150 description: CalicoNodeRoute contains the status of BGP routes
9154 description: Destination of the route.
9157 description: Gateway for the destination.
9160 description: Interface for the destination
9163 description: LearnedFrom contains information regarding
9164 where this route originated.
9167 description: If sourceType is NodeMesh or BGPPeer, IP
9168 address of the router that sent us this route.
9171 description: Type of the source where a route is learned
9176 description: Type indicates if the route is being used for
9182 description: RoutesV6 represents IPv6 routes on the node.
9184 description: CalicoNodeRoute contains the status of BGP routes
9188 description: Destination of the route.
9191 description: Gateway for the destination.
9194 description: Interface for the destination
9197 description: LearnedFrom contains information regarding
9198 where this route originated.
9201 description: If sourceType is NodeMesh or BGPPeer, IP
9202 address of the router that sent us this route.
9205 description: Type of the source where a route is learned
9210 description: Type indicates if the route is being used for
9227 apiVersion: apiextensions.k8s.io/v1
9228 kind: CustomResourceDefinition
9230 name: clusterinformations.crd.projectcalico.org
9232 group: crd.projectcalico.org
9234 kind: ClusterInformation
9235 listKind: ClusterInformationList
9236 plural: clusterinformations
9237 singular: clusterinformation
9243 description: ClusterInformation contains the cluster specific information.
9246 description: 'APIVersion defines the versioned schema of this representation
9247 of an object. Servers should convert recognized schemas to the latest
9248 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9251 description: 'Kind is a string value representing the REST resource this
9252 object represents. Servers may infer this from the endpoint the client
9253 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9258 description: ClusterInformationSpec contains the values of describing
9262 description: CalicoVersion is the version of Calico that the cluster
9266 description: ClusterGUID is the GUID of the cluster
9269 description: ClusterType describes the type of the cluster
9272 description: DatastoreReady is used during significant datastore migrations
9273 to signal to components such as Felix that it should wait before
9274 accessing the datastore.
9277 description: Variant declares which variant of Calico should be active.
9290 apiVersion: apiextensions.k8s.io/v1
9291 kind: CustomResourceDefinition
9293 name: felixconfigurations.crd.projectcalico.org
9295 group: crd.projectcalico.org
9297 kind: FelixConfiguration
9298 listKind: FelixConfigurationList
9299 plural: felixconfigurations
9300 singular: felixconfiguration
9306 description: Felix Configuration contains the configuration for Felix.
9309 description: 'APIVersion defines the versioned schema of this representation
9310 of an object. Servers should convert recognized schemas to the latest
9311 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9314 description: 'Kind is a string value representing the REST resource this
9315 object represents. Servers may infer this from the endpoint the client
9316 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9321 description: FelixConfigurationSpec contains the values of the Felix configuration.
9323 allowIPIPPacketsFromWorkloads:
9324 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
9325 will add a rule to drop IPIP encapsulated traffic from workloads
9328 allowVXLANPacketsFromWorkloads:
9329 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
9330 will add a rule to drop VXLAN encapsulated traffic from workloads
9334 description: 'Set source-destination-check on AWS EC2 instances. Accepted
9335 value must be one of "DoNothing", "Enable" or "Disable". [Default:
9342 bpfConnectTimeLoadBalancingEnabled:
9343 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
9344 controls whether Felix installs the connection-time load balancer. The
9345 connect-time load balancer is required for the host to be able to
9346 reach Kubernetes services and it improves the performance of pod-to-service
9347 connections. The only reason to disable it is for debugging purposes. [Default:
9350 bpfDataIfacePattern:
9351 description: BPFDataIfacePattern is a regular expression that controls
9352 which interfaces Felix should attach BPF programs to in order to
9353 catch traffic to/from the network. This needs to match the interfaces
9354 that Calico workload traffic flows over as well as any interfaces
9355 that handle incoming traffic to nodeports and services from outside
9356 the cluster. It should not match the workload interfaces (usually
9359 bpfDisableUnprivileged:
9360 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
9361 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
9362 users cannot access Calico''s BPF maps and cannot insert their own
9363 BPF programs to interfere with Calico''s. [Default: true]'
9366 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
9369 bpfExtToServiceConnmark:
9370 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
9371 mark that is set on connections from an external client to a local
9372 service. This mark allows us to control how packets of that connection
9373 are routed within the host and how is routing intepreted by RPF
9374 check. [Default: 0]'
9376 bpfExternalServiceMode:
9377 description: 'BPFExternalServiceMode in BPF mode, controls how connections
9378 from outside the cluster to services (node ports and cluster IPs)
9379 are forwarded to remote workloads. If set to "Tunnel" then both
9380 request and response traffic is tunneled to the remote node. If
9381 set to "DSR", the request traffic is tunneled but the response traffic
9382 is sent directly from the remote node. In "DSR" mode, the remote
9383 node appears to use the IP of the ingress node; this requires a
9384 permissive L2 network. [Default: Tunnel]'
9386 bpfKubeProxyEndpointSlicesEnabled:
9387 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
9388 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
9390 bpfKubeProxyIptablesCleanupEnabled:
9391 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
9392 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
9393 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
9396 bpfKubeProxyMinSyncPeriod:
9397 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
9398 minimum time between updates to the dataplane for Felix''s embedded
9399 kube-proxy. Lower values give reduced set-up latency. Higher values
9400 reduce Felix CPU usage by batching up more work. [Default: 1s]'
9403 description: 'BPFLogLevel controls the log level of the BPF programs
9404 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
9405 logs are emitted to the BPF trace pipe, accessible with the command
9406 `tc exec bpf debug`. [Default: Off].'
9409 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
9410 top-level iptables chains by inserting a rule at the top of the
9411 chain or by appending a rule at the bottom. insert is the safe default
9412 since it prevents Calico''s rules from being bypassed. If you switch
9413 to append mode, be sure that the other rules in the chains signal
9414 acceptance by falling through to the Calico rules, otherwise the
9415 Calico policy will be bypassed. [Default: insert]'
9419 debugDisableLogDropping:
9421 debugMemoryProfilePath:
9423 debugSimulateCalcGraphHangAfter:
9425 debugSimulateDataplaneHangAfter:
9427 defaultEndpointToHostAction:
9428 description: 'DefaultEndpointToHostAction controls what happens to
9429 traffic that goes from a workload endpoint to the host itself (after
9430 the traffic hits the endpoint egress policy). By default Calico
9431 blocks traffic from workload endpoints to the host itself with an
9432 iptables "DROP" action. If you want to allow some or all traffic
9433 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
9434 RETURN if you have your own rules in the iptables "INPUT" chain;
9435 Calico will insert its rules at the top of that chain, then "RETURN"
9436 packets to the "INPUT" chain once it has completed processing workload
9437 endpoint egress policy. Use ACCEPT to unconditionally accept packets
9438 from workloads after processing workload endpoint egress policy.
9441 deviceRouteProtocol:
9442 description: This defines the route protocol added to programmed device
9443 routes, by default this will be RTPROT_BOOT when left blank.
9445 deviceRouteSourceAddress:
9446 description: This is the source address to use on programmed device
9447 routes. By default the source address is left blank, leaving the
9448 kernel to choose the source address used.
9450 disableConntrackInvalidCheck:
9452 endpointReportingDelay:
9454 endpointReportingEnabled:
9457 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
9458 which may source tunnel traffic and have the tunneled traffic be
9459 accepted at calico nodes.
9463 failsafeInboundHostPorts:
9464 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
9465 and CIDRs that Felix will allow incoming traffic to host endpoints
9466 on irrespective of the security policy. This is useful to avoid
9467 accidentally cutting off a host with incorrect configuration. For
9468 back-compatibility, if the protocol is not specified, it defaults
9469 to "tcp". If a CIDR is not specified, it will allow traffic from
9470 all addresses. To disable all inbound host ports, use the value
9471 none. The default value allows ssh access and DHCP. [Default: tcp:22,
9472 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
9474 description: ProtoPort is combination of protocol, port, and CIDR.
9475 Protocol and port must be specified.
9488 failsafeOutboundHostPorts:
9489 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
9490 and CIDRs that Felix will allow outgoing traffic from host endpoints
9491 to irrespective of the security policy. This is useful to avoid
9492 accidentally cutting off a host with incorrect configuration. For
9493 back-compatibility, if the protocol is not specified, it defaults
9494 to "tcp". If a CIDR is not specified, it will allow traffic from
9495 all addresses. To disable all outbound host ports, use the value
9496 none. The default value opens etcd''s standard ports to ensure that
9497 Felix does not get cut off from etcd as well as allowing DHCP and
9498 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
9499 tcp:6667, udp:53, udp:67]'
9501 description: ProtoPort is combination of protocol, port, and CIDR.
9502 Protocol and port must be specified.
9515 featureDetectOverride:
9516 description: FeatureDetectOverride is used to override the feature
9517 detection. Values are specified in a comma separated list with no
9518 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
9519 "true" or "false" will force the feature, empty or omitted values
9523 description: 'GenericXDPEnabled enables Generic XDP so network cards
9524 that don''t support XDP offload or driver modes can use XDP. This
9525 is not recommended since it doesn''t provide better performance
9526 than iptables. [Default: false]'
9535 description: 'InterfaceExclude is a comma-separated list of interfaces
9536 that Felix should exclude when monitoring for host endpoints. The
9537 default value ensures that Felix ignores Kubernetes'' IPVS dummy
9538 interface, which is used internally by kube-proxy. If you want to
9539 exclude multiple interface names using a single value, the list
9540 supports regular expressions. For regular expressions you must wrap
9541 the value with ''/''. For example having values ''/^kube/,veth1''
9542 will exclude all interfaces that begin with ''kube'' and also the
9543 interface ''veth1''. [Default: kube-ipvs0]'
9546 description: 'InterfacePrefix is the interface name prefix that identifies
9547 workload endpoints and so distinguishes them from host endpoint
9548 interfaces. Note: in environments other than bare metal, the orchestrators
9549 configure this appropriately. For example our Kubernetes and Docker
9550 integrations set the ''cali'' value, and our OpenStack integration
9551 sets the ''tap'' value. [Default: cali]'
9553 interfaceRefreshInterval:
9554 description: InterfaceRefreshInterval is the period at which Felix
9555 rescans local interfaces to verify their state. The rescan can be
9556 disabled by setting the interval to 0.
9561 description: 'IPIPMTU is the MTU to set on the tunnel device. See
9562 Configuring MTU [Default: 1440]'
9564 ipsetsRefreshInterval:
9565 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
9566 all iptables state to ensure that no other process has accidentally
9567 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
9571 description: IptablesBackend specifies which backend of iptables will
9572 be used. The default is legacy.
9574 iptablesFilterAllowAction:
9576 iptablesLockFilePath:
9577 description: 'IptablesLockFilePath is the location of the iptables
9578 lock file. You may need to change this if the lock file is not in
9579 its standard location (for example if you have mapped it into Felix''s
9580 container at a different path). [Default: /run/xtables.lock]'
9582 iptablesLockProbeInterval:
9583 description: 'IptablesLockProbeInterval is the time that Felix will
9584 wait between attempts to acquire the iptables lock if it is not
9585 available. Lower values make Felix more responsive when the lock
9586 is contended, but use more CPU. [Default: 50ms]'
9588 iptablesLockTimeout:
9589 description: 'IptablesLockTimeout is the time that Felix will wait
9590 for the iptables lock, or 0, to disable. To use this feature, Felix
9591 must share the iptables lock file with all other processes that
9592 also take the lock. When running Felix inside a container, this
9593 requires the /run directory of the host to be mounted into the calico/node
9594 or calico/felix container. [Default: 0s disabled]'
9596 iptablesMangleAllowAction:
9599 description: 'IptablesMarkMask is the mask that Felix selects its
9600 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
9601 at least 8 bits set, none of which clash with any other mark bits
9602 in use on the system. [Default: 0xff000000]'
9605 iptablesNATOutgoingInterfaceFilter:
9607 iptablesPostWriteCheckInterval:
9608 description: 'IptablesPostWriteCheckInterval is the period after Felix
9609 has done a write to the dataplane that it schedules an extra read
9610 back in order to check the write was not clobbered by another process.
9611 This should only occur if another application on the system doesn''t
9612 respect the iptables lock. [Default: 1s]'
9614 iptablesRefreshInterval:
9615 description: 'IptablesRefreshInterval is the period at which Felix
9616 re-checks the IP sets in the dataplane to ensure that no other process
9617 has accidentally broken Calico''s rules. Set to 0 to disable IP
9618 sets refresh. Note: the default for this value is lower than the
9619 other refresh intervals as a workaround for a Linux kernel bug that
9620 was fixed in kernel version 4.11. If you are using v4.11 or greater
9621 you may want to set this to, a higher value to reduce Felix CPU
9622 usage. [Default: 10s]'
9627 description: 'KubeNodePortRanges holds list of port ranges used for
9628 service node ports. Only used if felix detects kube-proxy running
9629 in ipvs mode. Felix uses these ranges to separate host and workload
9630 traffic. [Default: 30000:32767].'
9636 x-kubernetes-int-or-string: true
9639 description: 'LogFilePath is the full path to the Felix log. Set to
9640 none to disable file logging. [Default: /var/log/calico/felix.log]'
9643 description: 'LogPrefix is the log prefix that Felix uses when rendering
9644 LOG rules. [Default: calico-packet]'
9647 description: 'LogSeverityFile is the log severity above which logs
9648 are sent to the log file. [Default: Info]'
9651 description: 'LogSeverityScreen is the log severity above which logs
9652 are sent to the stdout. [Default: Info]'
9655 description: 'LogSeveritySys is the log severity above which logs
9656 are sent to the syslog. Set to None for no logging to syslog. [Default:
9662 description: 'MetadataAddr is the IP address or domain name of the
9663 server that can answer VM queries for cloud-init metadata. In OpenStack,
9664 this corresponds to the machine running nova-api (or in Ubuntu,
9665 nova-api-metadata). A value of none (case insensitive) means that
9666 Felix should not set up any NAT rule for the metadata path. [Default:
9670 description: 'MetadataPort is the port of the metadata server. This,
9671 combined with global.MetadataAddr (if not ''None''), is used to
9672 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
9673 In most cases this should not need to be changed [Default: 8775].'
9676 description: MTUIfacePattern is a regular expression that controls
9677 which interfaces Felix should scan in order to calculate the host's
9678 MTU. This should not match workload interfaces (usually named cali...).
9681 description: NATOutgoingAddress specifies an address to use when performing
9682 source NAT for traffic in a natOutgoing pool that is leaving the
9683 network. By default the address used is an address on the interface
9684 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
9690 description: NATPortRange specifies the range of ports that is used
9691 for port mapping when doing outgoing NAT. When unset the default
9692 behavior of the network stack is used.
9694 x-kubernetes-int-or-string: true
9698 description: 'OpenstackRegion is the name of the region that a particular
9699 Felix belongs to. In a multi-region Calico/OpenStack deployment,
9700 this must be configured somehow for each Felix (here in the datamodel,
9701 or in felix.cfg or the environment on each compute node), and must
9702 match the [calico] openstack_region value configured in neutron.conf
9703 on each node. [Default: Empty]'
9705 policySyncPathPrefix:
9706 description: 'PolicySyncPathPrefix is used to by Felix to communicate
9707 policy changes to external services, like Application layer policy.
9710 prometheusGoMetricsEnabled:
9711 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
9712 collection, which the Prometheus client does by default, when set
9713 to false. This reduces the number of metrics reported, reducing
9714 Prometheus load. [Default: true]'
9716 prometheusMetricsEnabled:
9717 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
9718 server in Felix if set to true. [Default: false]'
9720 prometheusMetricsHost:
9721 description: 'PrometheusMetricsHost is the host that the Prometheus
9722 metrics server should bind to. [Default: empty]'
9724 prometheusMetricsPort:
9725 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
9726 metrics server should bind to. [Default: 9091]'
9728 prometheusProcessMetricsEnabled:
9729 description: 'PrometheusProcessMetricsEnabled disables process metrics
9730 collection, which the Prometheus client does by default, when set
9731 to false. This reduces the number of metrics reported, reducing
9732 Prometheus load. [Default: true]'
9734 prometheusWireGuardMetricsEnabled:
9735 description: 'PrometheusWireGuardMetricsEnabled disables wireguard
9736 metrics collection, which the Prometheus client does by default,
9737 when set to false. This reduces the number of metrics reported,
9738 reducing Prometheus load. [Default: true]'
9740 removeExternalRoutes:
9741 description: Whether or not to remove device routes that have not
9742 been programmed by Felix. Disabling this will allow external applications
9743 to also add device routes. This is enabled by default which means
9744 we will remove externally added routes.
9747 description: 'ReportingInterval is the interval at which Felix reports
9748 its status into the datastore or 0 to disable. Must be non-zero
9749 in OpenStack deployments. [Default: 30s]'
9752 description: 'ReportingTTL is the time-to-live setting for process-wide
9753 status reports. [Default: 90s]'
9755 routeRefreshInterval:
9756 description: 'RouteRefreshInterval is the period at which Felix re-checks
9757 the routes in the dataplane to ensure that no other process has
9758 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
9762 description: 'RouteSource configures where Felix gets its routing
9763 information. - WorkloadIPs: use workload endpoints to construct
9764 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
9767 description: Calico programs additional Linux route tables for various
9768 purposes. RouteTableRange specifies the indices of the route tables
9769 that Calico should use.
9779 serviceLoopPrevention:
9780 description: 'When service IP advertisement is enabled, prevent routing
9781 loops to service IPs that are not in use, by dropping or rejecting
9782 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
9783 in which case such routing loops continue to be allowed. [Default:
9786 sidecarAccelerationEnabled:
9787 description: 'SidecarAccelerationEnabled enables experimental sidecar
9788 acceleration [Default: false]'
9790 usageReportingEnabled:
9791 description: 'UsageReportingEnabled reports anonymous Calico version
9792 number and cluster size to projectcalico.org. Logs warnings returned
9793 by the usage server. For example, if a significant security vulnerability
9794 has been discovered in the version of Calico being used. [Default:
9797 usageReportingInitialDelay:
9798 description: 'UsageReportingInitialDelay controls the minimum delay
9799 before Felix makes a report. [Default: 300s]'
9801 usageReportingInterval:
9802 description: 'UsageReportingInterval controls the interval at which
9803 Felix makes reports. [Default: 86400s]'
9805 useInternalDataplaneDriver:
9810 description: 'VXLANMTU is the MTU to set on the tunnel device. See
9811 Configuring MTU [Default: 1440]'
9818 description: 'WireguardEnabled controls whether Wireguard is enabled.
9821 wireguardHostEncryptionEnabled:
9822 description: 'WireguardHostEncryptionEnabled controls whether Wireguard
9823 host-to-host encryption is enabled. [Default: false]'
9825 wireguardInterfaceName:
9826 description: 'WireguardInterfaceName specifies the name to use for
9827 the Wireguard interface. [Default: wg.calico]'
9829 wireguardListeningPort:
9830 description: 'WireguardListeningPort controls the listening port used
9831 by Wireguard. [Default: 51820]'
9834 description: 'WireguardMTU controls the MTU on the Wireguard interface.
9835 See Configuring MTU [Default: 1420]'
9837 wireguardRoutingRulePriority:
9838 description: 'WireguardRoutingRulePriority controls the priority value
9839 to use for the Wireguard routing rule. [Default: 99]'
9842 description: 'XDPEnabled enables XDP acceleration for suitable untracked
9843 incoming deny rules. [Default: true]'
9846 description: 'XDPRefreshInterval is the period at which Felix re-checks
9847 all XDP state to ensure that no other process has accidentally broken
9848 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
9849 refresh. [Default: 90s]'
9862 apiVersion: apiextensions.k8s.io/v1
9863 kind: CustomResourceDefinition
9865 name: globalnetworkpolicies.crd.projectcalico.org
9867 group: crd.projectcalico.org
9869 kind: GlobalNetworkPolicy
9870 listKind: GlobalNetworkPolicyList
9871 plural: globalnetworkpolicies
9872 singular: globalnetworkpolicy
9880 description: 'APIVersion defines the versioned schema of this representation
9881 of an object. Servers should convert recognized schemas to the latest
9882 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
9885 description: 'Kind is a string value representing the REST resource this
9886 object represents. Servers may infer this from the endpoint the client
9887 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
9894 description: ApplyOnForward indicates to apply the rules in this policy
9898 description: DoNotTrack indicates whether packets matched by the rules
9899 in this policy should go through the data plane's connection tracking,
9900 such as Linux conntrack. If True, the rules in this policy are
9901 applied before any data plane connection tracking, and packets allowed
9902 by this policy are marked as not to be tracked.
9905 description: The ordered set of egress rules. Each rule contains
9906 a set of packet match criteria and a corresponding action to apply.
9908 description: "A Rule encapsulates a set of match criteria and an
9909 action. Both selector-based security Policy and security Profiles
9910 reference rules - separated out as a list of rules for both ingress
9911 and egress packet matching. \n Each positive match criteria has
9912 a negated version, prefixed with \"Not\". All the match criteria
9913 within a rule must be satisfied for a packet to match. A single
9914 rule can contain the positive and negative version of a match
9915 and both must be satisfied for the rule to match."
9920 description: Destination contains the match criteria that apply
9921 to destination entity.
9924 description: "NamespaceSelector is an optional field that
9925 contains a selector expression. Only traffic that originates
9926 from (or terminates at) endpoints within the selected
9927 namespaces will be matched. When both NamespaceSelector
9928 and another selector are defined on the same rule, then
9929 only workload endpoints that are matched by both selectors
9930 will be selected by the rule. \n For NetworkPolicy, an
9931 empty NamespaceSelector implies that the Selector is limited
9932 to selecting only workload endpoints in the same namespace
9933 as the NetworkPolicy. \n For NetworkPolicy, `global()`
9934 NamespaceSelector implies that the Selector is limited
9935 to selecting only GlobalNetworkSet or HostEndpoint. \n
9936 For GlobalNetworkPolicy, an empty NamespaceSelector implies
9937 the Selector applies to workload endpoints across all
9941 description: Nets is an optional field that restricts the
9942 rule to only apply to traffic that originates from (or
9943 terminates at) IP addresses in any of the given subnets.
9948 description: NotNets is the negated version of the Nets
9954 description: NotPorts is the negated version of the Ports
9955 field. Since only some protocols have ports, if any ports
9956 are specified it requires the Protocol match in the Rule
9957 to be set to "TCP" or "UDP".
9963 x-kubernetes-int-or-string: true
9966 description: NotSelector is the negated version of the Selector
9967 field. See Selector field for subtleties with negated
9971 description: "Ports is an optional field that restricts
9972 the rule to only apply to traffic that has a source (destination)
9973 port that matches one of these ranges/values. This value
9974 is a list of integers or strings that represent ranges
9975 of ports. \n Since only some protocols have ports, if
9976 any ports are specified it requires the Protocol match
9977 in the Rule to be set to \"TCP\" or \"UDP\"."
9983 x-kubernetes-int-or-string: true
9986 description: "Selector is an optional field that contains
9987 a selector expression (see Policy for sample syntax).
9988 \ Only traffic that originates from (terminates at) endpoints
9989 matching the selector will be matched. \n Note that: in
9990 addition to the negated version of the Selector (see NotSelector
9991 below), the selector expression syntax itself supports
9992 negation. The two types of negation are subtly different.
9993 One negates the set of matched endpoints, the other negates
9994 the whole match: \n \tSelector = \"!has(my_label)\" matches
9995 packets that are from other Calico-controlled \tendpoints
9996 that do not have the label \"my_label\". \n \tNotSelector
9997 = \"has(my_label)\" matches packets that are not from
9998 Calico-controlled \tendpoints that do have the label \"my_label\".
9999 \n The effect is that the latter will accept packets from
10000 non-Calico sources whereas the former is limited to packets
10001 from Calico-controlled endpoints."
10004 description: ServiceAccounts is an optional field that restricts
10005 the rule to only apply to traffic that originates from
10006 (or terminates at) a pod running as a matching service
10010 description: Names is an optional field that restricts
10011 the rule to only apply to traffic that originates
10012 from (or terminates at) a pod running as a service
10013 account whose name is in the list.
10018 description: Selector is an optional field that restricts
10019 the rule to only apply to traffic that originates
10020 from (or terminates at) a pod running as a service
10021 account that matches the given label selector. If
10022 both Names and Selector are specified then they are
10027 description: "Services is an optional field that contains
10028 options for matching Kubernetes Services. If specified,
10029 only traffic that originates from or terminates at endpoints
10030 within the selected service(s) will be matched, and only
10031 to/from each endpoint's port. \n Services cannot be specified
10032 on the same rule as Selector, NotSelector, NamespaceSelector,
10033 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
10034 can only be specified with Services on ingress rules."
10037 description: Name specifies the name of a Kubernetes
10041 description: Namespace specifies the namespace of the
10042 given Service. If left empty, the rule will match
10043 within this policy's namespace.
10048 description: HTTP contains match criteria that apply to HTTP
10052 description: Methods is an optional field that restricts
10053 the rule to apply only to HTTP requests that use one of
10054 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
10055 methods are OR'd together.
10060 description: 'Paths is an optional field that restricts
10061 the rule to apply to HTTP requests that use one of the
10062 listed HTTP Paths. Multiple paths are OR''d together.
10063 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
10064 ONLY specify either a `exact` or a `prefix` match. The
10065 validator will check for it.'
10067 description: 'HTTPPath specifies an HTTP path to match.
10068 It may be either of the form: exact: <path>: which matches
10069 the path exactly or prefix: <path-prefix>: which matches
10080 description: ICMP is an optional field that restricts the rule
10081 to apply to a specific type and code of ICMP traffic. This
10082 should only be specified if the Protocol field is set to "ICMP"
10086 description: Match on a specific ICMP code. If specified,
10087 the Type value must also be specified. This is a technical
10088 limitation imposed by the kernel's iptables firewall,
10089 which Calico uses to enforce the rule.
10092 description: Match on a specific ICMP type. For example
10093 a value of 8 refers to ICMP Echo Request (i.e. pings).
10097 description: IPVersion is an optional field that restricts the
10098 rule to only match a specific IP version.
10101 description: Metadata contains additional information for this
10105 additionalProperties:
10107 description: Annotations is a set of key value pairs that
10108 give extra information about the rule
10112 description: NotICMP is the negated version of the ICMP field.
10115 description: Match on a specific ICMP code. If specified,
10116 the Type value must also be specified. This is a technical
10117 limitation imposed by the kernel's iptables firewall,
10118 which Calico uses to enforce the rule.
10121 description: Match on a specific ICMP type. For example
10122 a value of 8 refers to ICMP Echo Request (i.e. pings).
10129 description: NotProtocol is the negated version of the Protocol
10132 x-kubernetes-int-or-string: true
10137 description: "Protocol is an optional field that restricts the
10138 rule to only apply to traffic of a specific IP protocol. Required
10139 if any of the EntityRules contain Ports (because ports only
10140 apply to certain protocols). \n Must be one of these string
10141 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
10142 \"UDPLite\" or an integer in the range 1-255."
10144 x-kubernetes-int-or-string: true
10146 description: Source contains the match criteria that apply to
10150 description: "NamespaceSelector is an optional field that
10151 contains a selector expression. Only traffic that originates
10152 from (or terminates at) endpoints within the selected
10153 namespaces will be matched. When both NamespaceSelector
10154 and another selector are defined on the same rule, then
10155 only workload endpoints that are matched by both selectors
10156 will be selected by the rule. \n For NetworkPolicy, an
10157 empty NamespaceSelector implies that the Selector is limited
10158 to selecting only workload endpoints in the same namespace
10159 as the NetworkPolicy. \n For NetworkPolicy, `global()`
10160 NamespaceSelector implies that the Selector is limited
10161 to selecting only GlobalNetworkSet or HostEndpoint. \n
10162 For GlobalNetworkPolicy, an empty NamespaceSelector implies
10163 the Selector applies to workload endpoints across all
10167 description: Nets is an optional field that restricts the
10168 rule to only apply to traffic that originates from (or
10169 terminates at) IP addresses in any of the given subnets.
10174 description: NotNets is the negated version of the Nets
10180 description: NotPorts is the negated version of the Ports
10181 field. Since only some protocols have ports, if any ports
10182 are specified it requires the Protocol match in the Rule
10183 to be set to "TCP" or "UDP".
10189 x-kubernetes-int-or-string: true
10192 description: NotSelector is the negated version of the Selector
10193 field. See Selector field for subtleties with negated
10197 description: "Ports is an optional field that restricts
10198 the rule to only apply to traffic that has a source (destination)
10199 port that matches one of these ranges/values. This value
10200 is a list of integers or strings that represent ranges
10201 of ports. \n Since only some protocols have ports, if
10202 any ports are specified it requires the Protocol match
10203 in the Rule to be set to \"TCP\" or \"UDP\"."
10209 x-kubernetes-int-or-string: true
10212 description: "Selector is an optional field that contains
10213 a selector expression (see Policy for sample syntax).
10214 \ Only traffic that originates from (terminates at) endpoints
10215 matching the selector will be matched. \n Note that: in
10216 addition to the negated version of the Selector (see NotSelector
10217 below), the selector expression syntax itself supports
10218 negation. The two types of negation are subtly different.
10219 One negates the set of matched endpoints, the other negates
10220 the whole match: \n \tSelector = \"!has(my_label)\" matches
10221 packets that are from other Calico-controlled \tendpoints
10222 that do not have the label \"my_label\". \n \tNotSelector
10223 = \"has(my_label)\" matches packets that are not from
10224 Calico-controlled \tendpoints that do have the label \"my_label\".
10225 \n The effect is that the latter will accept packets from
10226 non-Calico sources whereas the former is limited to packets
10227 from Calico-controlled endpoints."
10230 description: ServiceAccounts is an optional field that restricts
10231 the rule to only apply to traffic that originates from
10232 (or terminates at) a pod running as a matching service
10236 description: Names is an optional field that restricts
10237 the rule to only apply to traffic that originates
10238 from (or terminates at) a pod running as a service
10239 account whose name is in the list.
10244 description: Selector is an optional field that restricts
10245 the rule to only apply to traffic that originates
10246 from (or terminates at) a pod running as a service
10247 account that matches the given label selector. If
10248 both Names and Selector are specified then they are
10253 description: "Services is an optional field that contains
10254 options for matching Kubernetes Services. If specified,
10255 only traffic that originates from or terminates at endpoints
10256 within the selected service(s) will be matched, and only
10257 to/from each endpoint's port. \n Services cannot be specified
10258 on the same rule as Selector, NotSelector, NamespaceSelector,
10259 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
10260 can only be specified with Services on ingress rules."
10263 description: Name specifies the name of a Kubernetes
10267 description: Namespace specifies the namespace of the
10268 given Service. If left empty, the rule will match
10269 within this policy's namespace.
10278 description: The ordered set of ingress rules. Each rule contains
10279 a set of packet match criteria and a corresponding action to apply.
10281 description: "A Rule encapsulates a set of match criteria and an
10282 action. Both selector-based security Policy and security Profiles
10283 reference rules - separated out as a list of rules for both ingress
10284 and egress packet matching. \n Each positive match criteria has
10285 a negated version, prefixed with \"Not\". All the match criteria
10286 within a rule must be satisfied for a packet to match. A single
10287 rule can contain the positive and negative version of a match
10288 and both must be satisfied for the rule to match."
10293 description: Destination contains the match criteria that apply
10294 to destination entity.
10297 description: "NamespaceSelector is an optional field that
10298 contains a selector expression. Only traffic that originates
10299 from (or terminates at) endpoints within the selected
10300 namespaces will be matched. When both NamespaceSelector
10301 and another selector are defined on the same rule, then
10302 only workload endpoints that are matched by both selectors
10303 will be selected by the rule. \n For NetworkPolicy, an
10304 empty NamespaceSelector implies that the Selector is limited
10305 to selecting only workload endpoints in the same namespace
10306 as the NetworkPolicy. \n For NetworkPolicy, `global()`
10307 NamespaceSelector implies that the Selector is limited
10308 to selecting only GlobalNetworkSet or HostEndpoint. \n
10309 For GlobalNetworkPolicy, an empty NamespaceSelector implies
10310 the Selector applies to workload endpoints across all
10314 description: Nets is an optional field that restricts the
10315 rule to only apply to traffic that originates from (or
10316 terminates at) IP addresses in any of the given subnets.
10321 description: NotNets is the negated version of the Nets
10327 description: NotPorts is the negated version of the Ports
10328 field. Since only some protocols have ports, if any ports
10329 are specified it requires the Protocol match in the Rule
10330 to be set to "TCP" or "UDP".
10336 x-kubernetes-int-or-string: true
10339 description: NotSelector is the negated version of the Selector
10340 field. See Selector field for subtleties with negated
10344 description: "Ports is an optional field that restricts
10345 the rule to only apply to traffic that has a source (destination)
10346 port that matches one of these ranges/values. This value
10347 is a list of integers or strings that represent ranges
10348 of ports. \n Since only some protocols have ports, if
10349 any ports are specified it requires the Protocol match
10350 in the Rule to be set to \"TCP\" or \"UDP\"."
10356 x-kubernetes-int-or-string: true
10359 description: "Selector is an optional field that contains
10360 a selector expression (see Policy for sample syntax).
10361 \ Only traffic that originates from (terminates at) endpoints
10362 matching the selector will be matched. \n Note that: in
10363 addition to the negated version of the Selector (see NotSelector
10364 below), the selector expression syntax itself supports
10365 negation. The two types of negation are subtly different.
10366 One negates the set of matched endpoints, the other negates
10367 the whole match: \n \tSelector = \"!has(my_label)\" matches
10368 packets that are from other Calico-controlled \tendpoints
10369 that do not have the label \"my_label\". \n \tNotSelector
10370 = \"has(my_label)\" matches packets that are not from
10371 Calico-controlled \tendpoints that do have the label \"my_label\".
10372 \n The effect is that the latter will accept packets from
10373 non-Calico sources whereas the former is limited to packets
10374 from Calico-controlled endpoints."
10377 description: ServiceAccounts is an optional field that restricts
10378 the rule to only apply to traffic that originates from
10379 (or terminates at) a pod running as a matching service
10383 description: Names is an optional field that restricts
10384 the rule to only apply to traffic that originates
10385 from (or terminates at) a pod running as a service
10386 account whose name is in the list.
10391 description: Selector is an optional field that restricts
10392 the rule to only apply to traffic that originates
10393 from (or terminates at) a pod running as a service
10394 account that matches the given label selector. If
10395 both Names and Selector are specified then they are
10400 description: "Services is an optional field that contains
10401 options for matching Kubernetes Services. If specified,
10402 only traffic that originates from or terminates at endpoints
10403 within the selected service(s) will be matched, and only
10404 to/from each endpoint's port. \n Services cannot be specified
10405 on the same rule as Selector, NotSelector, NamespaceSelector,
10406 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
10407 can only be specified with Services on ingress rules."
10410 description: Name specifies the name of a Kubernetes
10414 description: Namespace specifies the namespace of the
10415 given Service. If left empty, the rule will match
10416 within this policy's namespace.
10421 description: HTTP contains match criteria that apply to HTTP
10425 description: Methods is an optional field that restricts
10426 the rule to apply only to HTTP requests that use one of
10427 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
10428 methods are OR'd together.
10433 description: 'Paths is an optional field that restricts
10434 the rule to apply to HTTP requests that use one of the
10435 listed HTTP Paths. Multiple paths are OR''d together.
10436 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
10437 ONLY specify either a `exact` or a `prefix` match. The
10438 validator will check for it.'
10440 description: 'HTTPPath specifies an HTTP path to match.
10441 It may be either of the form: exact: <path>: which matches
10442 the path exactly or prefix: <path-prefix>: which matches
10453 description: ICMP is an optional field that restricts the rule
10454 to apply to a specific type and code of ICMP traffic. This
10455 should only be specified if the Protocol field is set to "ICMP"
10459 description: Match on a specific ICMP code. If specified,
10460 the Type value must also be specified. This is a technical
10461 limitation imposed by the kernel's iptables firewall,
10462 which Calico uses to enforce the rule.
10465 description: Match on a specific ICMP type. For example
10466 a value of 8 refers to ICMP Echo Request (i.e. pings).
10470 description: IPVersion is an optional field that restricts the
10471 rule to only match a specific IP version.
10474 description: Metadata contains additional information for this
10478 additionalProperties:
10480 description: Annotations is a set of key value pairs that
10481 give extra information about the rule
10485 description: NotICMP is the negated version of the ICMP field.
10488 description: Match on a specific ICMP code. If specified,
10489 the Type value must also be specified. This is a technical
10490 limitation imposed by the kernel's iptables firewall,
10491 which Calico uses to enforce the rule.
10494 description: Match on a specific ICMP type. For example
10495 a value of 8 refers to ICMP Echo Request (i.e. pings).
10502 description: NotProtocol is the negated version of the Protocol
10505 x-kubernetes-int-or-string: true
10510 description: "Protocol is an optional field that restricts the
10511 rule to only apply to traffic of a specific IP protocol. Required
10512 if any of the EntityRules contain Ports (because ports only
10513 apply to certain protocols). \n Must be one of these string
10514 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
10515 \"UDPLite\" or an integer in the range 1-255."
10517 x-kubernetes-int-or-string: true
10519 description: Source contains the match criteria that apply to
10523 description: "NamespaceSelector is an optional field that
10524 contains a selector expression. Only traffic that originates
10525 from (or terminates at) endpoints within the selected
10526 namespaces will be matched. When both NamespaceSelector
10527 and another selector are defined on the same rule, then
10528 only workload endpoints that are matched by both selectors
10529 will be selected by the rule. \n For NetworkPolicy, an
10530 empty NamespaceSelector implies that the Selector is limited
10531 to selecting only workload endpoints in the same namespace
10532 as the NetworkPolicy. \n For NetworkPolicy, `global()`
10533 NamespaceSelector implies that the Selector is limited
10534 to selecting only GlobalNetworkSet or HostEndpoint. \n
10535 For GlobalNetworkPolicy, an empty NamespaceSelector implies
10536 the Selector applies to workload endpoints across all
10540 description: Nets is an optional field that restricts the
10541 rule to only apply to traffic that originates from (or
10542 terminates at) IP addresses in any of the given subnets.
10547 description: NotNets is the negated version of the Nets
10553 description: NotPorts is the negated version of the Ports
10554 field. Since only some protocols have ports, if any ports
10555 are specified it requires the Protocol match in the Rule
10556 to be set to "TCP" or "UDP".
10562 x-kubernetes-int-or-string: true
10565 description: NotSelector is the negated version of the Selector
10566 field. See Selector field for subtleties with negated
10570 description: "Ports is an optional field that restricts
10571 the rule to only apply to traffic that has a source (destination)
10572 port that matches one of these ranges/values. This value
10573 is a list of integers or strings that represent ranges
10574 of ports. \n Since only some protocols have ports, if
10575 any ports are specified it requires the Protocol match
10576 in the Rule to be set to \"TCP\" or \"UDP\"."
10582 x-kubernetes-int-or-string: true
10585 description: "Selector is an optional field that contains
10586 a selector expression (see Policy for sample syntax).
10587 \ Only traffic that originates from (terminates at) endpoints
10588 matching the selector will be matched. \n Note that: in
10589 addition to the negated version of the Selector (see NotSelector
10590 below), the selector expression syntax itself supports
10591 negation. The two types of negation are subtly different.
10592 One negates the set of matched endpoints, the other negates
10593 the whole match: \n \tSelector = \"!has(my_label)\" matches
10594 packets that are from other Calico-controlled \tendpoints
10595 that do not have the label \"my_label\". \n \tNotSelector
10596 = \"has(my_label)\" matches packets that are not from
10597 Calico-controlled \tendpoints that do have the label \"my_label\".
10598 \n The effect is that the latter will accept packets from
10599 non-Calico sources whereas the former is limited to packets
10600 from Calico-controlled endpoints."
10603 description: ServiceAccounts is an optional field that restricts
10604 the rule to only apply to traffic that originates from
10605 (or terminates at) a pod running as a matching service
10609 description: Names is an optional field that restricts
10610 the rule to only apply to traffic that originates
10611 from (or terminates at) a pod running as a service
10612 account whose name is in the list.
10617 description: Selector is an optional field that restricts
10618 the rule to only apply to traffic that originates
10619 from (or terminates at) a pod running as a service
10620 account that matches the given label selector. If
10621 both Names and Selector are specified then they are
10626 description: "Services is an optional field that contains
10627 options for matching Kubernetes Services. If specified,
10628 only traffic that originates from or terminates at endpoints
10629 within the selected service(s) will be matched, and only
10630 to/from each endpoint's port. \n Services cannot be specified
10631 on the same rule as Selector, NotSelector, NamespaceSelector,
10632 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
10633 can only be specified with Services on ingress rules."
10636 description: Name specifies the name of a Kubernetes
10640 description: Namespace specifies the namespace of the
10641 given Service. If left empty, the rule will match
10642 within this policy's namespace.
10651 description: NamespaceSelector is an optional field for an expression
10652 used to select a pod based on namespaces.
10655 description: Order is an optional field that specifies the order in
10656 which the policy is applied. Policies with higher "order" are applied
10657 after those with lower order. If the order is omitted, it may be
10658 considered to be "infinite" - i.e. the policy will be applied last. Policies
10659 with identical order will be applied in alphanumerical order based
10660 on the Policy "Name".
10663 description: PreDNAT indicates to apply the rules in this policy before
10667 description: "The selector is an expression used to pick pick out
10668 the endpoints that the policy should be applied to. \n Selector
10669 expressions follow this syntax: \n \tlabel == \"string_literal\"
10670 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
10671 \ -> not equal; also matches if label is not present \tlabel in
10672 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
10673 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
10674 ... } -> true if the value of label X is not one of \"a\", \"b\",
10675 \"c\" \thas(label_name) -> True if that label is present \t! expr
10676 -> negation of expr \texpr && expr -> Short-circuit and \texpr
10677 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
10678 or the empty selector -> matches all endpoints. \n Label names are
10679 allowed to contain alphanumerics, -, _ and /. String literals are
10680 more permissive but they do not support escape characters. \n Examples
10681 (with made-up labels): \n \ttype == \"webserver\" && deployment
10682 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
10683 \"dev\" \t! has(label_name)"
10685 serviceAccountSelector:
10686 description: ServiceAccountSelector is an optional field for an expression
10687 used to select a pod based on service accounts.
10690 description: "Types indicates whether this policy applies to ingress,
10691 or to egress, or to both. When not explicitly specified (and so
10692 the value on creation is empty or nil), Calico defaults Types according
10693 to what Ingress and Egress rules are present in the policy. The
10694 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
10695 (including the case where there are also no Ingress rules) \n
10696 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
10697 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
10698 both Ingress and Egress rules. \n When the policy is read back again,
10699 Types will always be one of these values, never empty or nil."
10701 description: PolicyType enumerates the possible values of the PolicySpec
10716 apiVersion: apiextensions.k8s.io/v1
10717 kind: CustomResourceDefinition
10719 name: globalnetworksets.crd.projectcalico.org
10721 group: crd.projectcalico.org
10723 kind: GlobalNetworkSet
10724 listKind: GlobalNetworkSetList
10725 plural: globalnetworksets
10726 singular: globalnetworkset
10732 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
10733 that share labels to allow rules to refer to them via selectors. The labels
10734 of GlobalNetworkSet are not namespaced.
10737 description: 'APIVersion defines the versioned schema of this representation
10738 of an object. Servers should convert recognized schemas to the latest
10739 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10742 description: 'Kind is a string value representing the REST resource this
10743 object represents. Servers may infer this from the endpoint the client
10744 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10749 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
10753 description: The list of IP networks that belong to this set.
10768 apiVersion: apiextensions.k8s.io/v1
10769 kind: CustomResourceDefinition
10771 name: hostendpoints.crd.projectcalico.org
10773 group: crd.projectcalico.org
10776 listKind: HostEndpointList
10777 plural: hostendpoints
10778 singular: hostendpoint
10786 description: 'APIVersion defines the versioned schema of this representation
10787 of an object. Servers should convert recognized schemas to the latest
10788 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10791 description: 'Kind is a string value representing the REST resource this
10792 object represents. Servers may infer this from the endpoint the client
10793 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10798 description: HostEndpointSpec contains the specification for a HostEndpoint
10802 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
10803 If \"InterfaceName\" is not present, Calico will look for an interface
10804 matching any of the IPs in the list and apply policy to that. Note:
10805 \tWhen using the selector match criteria in an ingress or egress
10806 security Policy \tor Profile, Calico converts the selector into
10807 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
10808 is used for that purpose. (If only the interface \tname is specified,
10809 Calico does not learn the IPs of the interface for use in match
10815 description: "Either \"*\", or the name of a specific Linux interface
10816 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
10817 governs all traffic to, from or through the default network namespace
10818 of the host named by the \"Node\" field; entering and leaving that
10819 namespace via any interface, including those from/to non-host-networked
10820 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
10821 only governs traffic that enters or leaves the host through the
10822 specific interface named by InterfaceName, or - when InterfaceName
10823 is empty - through the specific interface that has one of the IPs
10824 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
10825 one expected IP must be specified. Only external interfaces (such
10826 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
10827 to protect traffic through a specific local workload interface.
10828 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
10829 initially just pre-DNAT policy. Please check Calico documentation
10830 for the latest position."
10833 description: The node name identifying the Calico node instance.
10836 description: Ports contains the endpoint's named ports, which may
10837 be referenced in security policy rules.
10849 x-kubernetes-int-or-string: true
10857 description: A list of identifiers of security Profile objects that
10858 apply to this endpoint. Each profile is applied in the order that
10859 they appear in this list. Profile rules are applied after the selector-based
10875 apiVersion: apiextensions.k8s.io/v1
10876 kind: CustomResourceDefinition
10878 name: ipamblocks.crd.projectcalico.org
10880 group: crd.projectcalico.org
10883 listKind: IPAMBlockList
10885 singular: ipamblock
10893 description: 'APIVersion defines the versioned schema of this representation
10894 of an object. Servers should convert recognized schemas to the latest
10895 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10898 description: 'Kind is a string value representing the REST resource this
10899 object represents. Servers may infer this from the endpoint the client
10900 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10905 description: IPAMBlockSpec contains the specification for an IPAMBlock
10921 additionalProperties:
10953 apiVersion: apiextensions.k8s.io/v1
10954 kind: CustomResourceDefinition
10956 name: ipamconfigs.crd.projectcalico.org
10958 group: crd.projectcalico.org
10961 listKind: IPAMConfigList
10962 plural: ipamconfigs
10963 singular: ipamconfig
10971 description: 'APIVersion defines the versioned schema of this representation
10972 of an object. Servers should convert recognized schemas to the latest
10973 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
10976 description: 'Kind is a string value representing the REST resource this
10977 object represents. Servers may infer this from the endpoint the client
10978 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
10983 description: IPAMConfigSpec contains the specification for an IPAMConfig
10986 autoAllocateBlocks:
10989 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
10990 that can be affine to each host.
10995 - autoAllocateBlocks
11008 apiVersion: apiextensions.k8s.io/v1
11009 kind: CustomResourceDefinition
11011 name: ipamhandles.crd.projectcalico.org
11013 group: crd.projectcalico.org
11016 listKind: IPAMHandleList
11017 plural: ipamhandles
11018 singular: ipamhandle
11026 description: 'APIVersion defines the versioned schema of this representation
11027 of an object. Servers should convert recognized schemas to the latest
11028 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11031 description: 'Kind is a string value representing the REST resource this
11032 object represents. Servers may infer this from the endpoint the client
11033 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11038 description: IPAMHandleSpec contains the specification for an IPAMHandle
11042 additionalProperties:
11063 apiVersion: apiextensions.k8s.io/v1
11064 kind: CustomResourceDefinition
11066 name: ippools.crd.projectcalico.org
11068 group: crd.projectcalico.org
11071 listKind: IPPoolList
11081 description: 'APIVersion defines the versioned schema of this representation
11082 of an object. Servers should convert recognized schemas to the latest
11083 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11086 description: 'Kind is a string value representing the REST resource this
11087 object represents. Servers may infer this from the endpoint the client
11088 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11093 description: IPPoolSpec contains the specification for an IPPool resource.
11096 description: AllowedUse controls what the IP pool will be used for. If
11097 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
11102 description: The block size to use for IP address assignments from
11103 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
11106 description: The pool CIDR.
11109 description: 'Disable exporting routes from this IP Pool''s CIDR over
11110 BGP. [Default: false]'
11113 description: When disabled is true, Calico IPAM will not assign addresses
11117 description: 'Deprecated: this field is only used for APIv1 backwards
11118 compatibility. Setting this field is not allowed, this field is
11119 for internal use only.'
11122 description: When enabled is true, ipip tunneling will be used
11123 to deliver packets to destinations within this pool.
11126 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
11127 mode of "always" will also use IPIP tunneling for routing to
11128 destination IP addresses within this pool. A mode of "cross-subnet"
11129 will only use IPIP tunneling when the destination node is on
11130 a different subnet to the originating node. The default value
11131 (if not specified) is "always".
11135 description: Contains configuration for IPIP tunneling for this pool.
11136 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
11140 description: 'Deprecated: this field is only used for APIv1 backwards
11141 compatibility. Setting this field is not allowed, this field is
11142 for internal use only.'
11145 description: When nat-outgoing is true, packets sent from Calico networked
11146 containers in this pool to destinations outside of this pool will
11150 description: Allows IPPool to allocate for a specific node by label
11154 description: Contains configuration for VXLAN tunneling for this pool.
11155 If not specified, then this is defaulted to "Never" (i.e. VXLAN
11156 tunneling is disabled).
11171 apiVersion: apiextensions.k8s.io/v1
11172 kind: CustomResourceDefinition
11174 name: ipreservations.crd.projectcalico.org
11176 group: crd.projectcalico.org
11178 kind: IPReservation
11179 listKind: IPReservationList
11180 plural: ipreservations
11181 singular: ipreservation
11189 description: 'APIVersion defines the versioned schema of this representation
11190 of an object. Servers should convert recognized schemas to the latest
11191 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11194 description: 'Kind is a string value representing the REST resource this
11195 object represents. Servers may infer this from the endpoint the client
11196 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11201 description: IPReservationSpec contains the specification for an IPReservation
11205 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
11206 that Calico IPAM will exclude from new allocations.
11221 apiVersion: apiextensions.k8s.io/v1
11222 kind: CustomResourceDefinition
11224 name: kubecontrollersconfigurations.crd.projectcalico.org
11226 group: crd.projectcalico.org
11228 kind: KubeControllersConfiguration
11229 listKind: KubeControllersConfigurationList
11230 plural: kubecontrollersconfigurations
11231 singular: kubecontrollersconfiguration
11239 description: 'APIVersion defines the versioned schema of this representation
11240 of an object. Servers should convert recognized schemas to the latest
11241 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11244 description: 'Kind is a string value representing the REST resource this
11245 object represents. Servers may infer this from the endpoint the client
11246 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11251 description: KubeControllersConfigurationSpec contains the values of the
11252 Kubernetes controllers configuration.
11255 description: Controllers enables and configures individual Kubernetes
11259 description: Namespace enables and configures the namespace controller.
11260 Enabled by default, set to nil to disable.
11263 description: 'ReconcilerPeriod is the period to perform reconciliation
11264 with the Calico datastore. [Default: 5m]'
11268 description: Node enables and configures the node controller.
11269 Enabled by default, set to nil to disable.
11272 description: HostEndpoint controls syncing nodes to host endpoints.
11273 Disabled by default, set to nil to disable.
11276 description: 'AutoCreate enables automatic creation of
11277 host endpoints for every node. [Default: Disabled]'
11281 description: 'LeakGracePeriod is the period used by the controller
11282 to determine if an IP address has been leaked. Set to 0
11283 to disable IP garbage collection. [Default: 15m]'
11286 description: 'ReconcilerPeriod is the period to perform reconciliation
11287 with the Calico datastore. [Default: 5m]'
11290 description: 'SyncLabels controls whether to copy Kubernetes
11291 node labels to Calico nodes. [Default: Enabled]'
11295 description: Policy enables and configures the policy controller.
11296 Enabled by default, set to nil to disable.
11299 description: 'ReconcilerPeriod is the period to perform reconciliation
11300 with the Calico datastore. [Default: 5m]'
11304 description: ServiceAccount enables and configures the service
11305 account controller. Enabled by default, set to nil to disable.
11308 description: 'ReconcilerPeriod is the period to perform reconciliation
11309 with the Calico datastore. [Default: 5m]'
11313 description: WorkloadEndpoint enables and configures the workload
11314 endpoint controller. Enabled by default, set to nil to disable.
11317 description: 'ReconcilerPeriod is the period to perform reconciliation
11318 with the Calico datastore. [Default: 5m]'
11322 etcdV3CompactionPeriod:
11323 description: 'EtcdV3CompactionPeriod is the period between etcdv3
11324 compaction requests. Set to 0 to disable. [Default: 10m]'
11327 description: 'HealthChecks enables or disables support for health
11328 checks [Default: Enabled]'
11331 description: 'LogSeverityScreen is the log severity above which logs
11332 are sent to the stdout. [Default: Info]'
11334 prometheusMetricsPort:
11335 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
11336 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
11342 description: KubeControllersConfigurationStatus represents the status
11343 of the configuration. It's useful for admins to be able to see the actual
11344 config that was applied, which can be modified by environment variables
11345 on the kube-controllers process.
11348 additionalProperties:
11350 description: EnvironmentVars contains the environment variables on
11351 the kube-controllers that influenced the RunningConfig.
11354 description: RunningConfig contains the effective config that is running
11355 in the kube-controllers pod, after merging the API resource with
11356 any environment variables.
11359 description: Controllers enables and configures individual Kubernetes
11363 description: Namespace enables and configures the namespace
11364 controller. Enabled by default, set to nil to disable.
11367 description: 'ReconcilerPeriod is the period to perform
11368 reconciliation with the Calico datastore. [Default:
11373 description: Node enables and configures the node controller.
11374 Enabled by default, set to nil to disable.
11377 description: HostEndpoint controls syncing nodes to host
11378 endpoints. Disabled by default, set to nil to disable.
11381 description: 'AutoCreate enables automatic creation
11382 of host endpoints for every node. [Default: Disabled]'
11386 description: 'LeakGracePeriod is the period used by the
11387 controller to determine if an IP address has been leaked.
11388 Set to 0 to disable IP garbage collection. [Default:
11392 description: 'ReconcilerPeriod is the period to perform
11393 reconciliation with the Calico datastore. [Default:
11397 description: 'SyncLabels controls whether to copy Kubernetes
11398 node labels to Calico nodes. [Default: Enabled]'
11402 description: Policy enables and configures the policy controller.
11403 Enabled by default, set to nil to disable.
11406 description: 'ReconcilerPeriod is the period to perform
11407 reconciliation with the Calico datastore. [Default:
11412 description: ServiceAccount enables and configures the service
11413 account controller. Enabled by default, set to nil to disable.
11416 description: 'ReconcilerPeriod is the period to perform
11417 reconciliation with the Calico datastore. [Default:
11422 description: WorkloadEndpoint enables and configures the workload
11423 endpoint controller. Enabled by default, set to nil to disable.
11426 description: 'ReconcilerPeriod is the period to perform
11427 reconciliation with the Calico datastore. [Default:
11432 etcdV3CompactionPeriod:
11433 description: 'EtcdV3CompactionPeriod is the period between etcdv3
11434 compaction requests. Set to 0 to disable. [Default: 10m]'
11437 description: 'HealthChecks enables or disables support for health
11438 checks [Default: Enabled]'
11441 description: 'LogSeverityScreen is the log severity above which
11442 logs are sent to the stdout. [Default: Info]'
11444 prometheusMetricsPort:
11445 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
11446 metrics server should bind to. Set to 0 to disable. [Default:
11463 apiVersion: apiextensions.k8s.io/v1
11464 kind: CustomResourceDefinition
11466 name: networkpolicies.crd.projectcalico.org
11468 group: crd.projectcalico.org
11470 kind: NetworkPolicy
11471 listKind: NetworkPolicyList
11472 plural: networkpolicies
11473 singular: networkpolicy
11481 description: 'APIVersion defines the versioned schema of this representation
11482 of an object. Servers should convert recognized schemas to the latest
11483 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
11486 description: 'Kind is a string value representing the REST resource this
11487 object represents. Servers may infer this from the endpoint the client
11488 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
11495 description: The ordered set of egress rules. Each rule contains
11496 a set of packet match criteria and a corresponding action to apply.
11498 description: "A Rule encapsulates a set of match criteria and an
11499 action. Both selector-based security Policy and security Profiles
11500 reference rules - separated out as a list of rules for both ingress
11501 and egress packet matching. \n Each positive match criteria has
11502 a negated version, prefixed with \"Not\". All the match criteria
11503 within a rule must be satisfied for a packet to match. A single
11504 rule can contain the positive and negative version of a match
11505 and both must be satisfied for the rule to match."
11510 description: Destination contains the match criteria that apply
11511 to destination entity.
11514 description: "NamespaceSelector is an optional field that
11515 contains a selector expression. Only traffic that originates
11516 from (or terminates at) endpoints within the selected
11517 namespaces will be matched. When both NamespaceSelector
11518 and another selector are defined on the same rule, then
11519 only workload endpoints that are matched by both selectors
11520 will be selected by the rule. \n For NetworkPolicy, an
11521 empty NamespaceSelector implies that the Selector is limited
11522 to selecting only workload endpoints in the same namespace
11523 as the NetworkPolicy. \n For NetworkPolicy, `global()`
11524 NamespaceSelector implies that the Selector is limited
11525 to selecting only GlobalNetworkSet or HostEndpoint. \n
11526 For GlobalNetworkPolicy, an empty NamespaceSelector implies
11527 the Selector applies to workload endpoints across all
11531 description: Nets is an optional field that restricts the
11532 rule to only apply to traffic that originates from (or
11533 terminates at) IP addresses in any of the given subnets.
11538 description: NotNets is the negated version of the Nets
11544 description: NotPorts is the negated version of the Ports
11545 field. Since only some protocols have ports, if any ports
11546 are specified it requires the Protocol match in the Rule
11547 to be set to "TCP" or "UDP".
11553 x-kubernetes-int-or-string: true
11556 description: NotSelector is the negated version of the Selector
11557 field. See Selector field for subtleties with negated
11561 description: "Ports is an optional field that restricts
11562 the rule to only apply to traffic that has a source (destination)
11563 port that matches one of these ranges/values. This value
11564 is a list of integers or strings that represent ranges
11565 of ports. \n Since only some protocols have ports, if
11566 any ports are specified it requires the Protocol match
11567 in the Rule to be set to \"TCP\" or \"UDP\"."
11573 x-kubernetes-int-or-string: true
11576 description: "Selector is an optional field that contains
11577 a selector expression (see Policy for sample syntax).
11578 \ Only traffic that originates from (terminates at) endpoints
11579 matching the selector will be matched. \n Note that: in
11580 addition to the negated version of the Selector (see NotSelector
11581 below), the selector expression syntax itself supports
11582 negation. The two types of negation are subtly different.
11583 One negates the set of matched endpoints, the other negates
11584 the whole match: \n \tSelector = \"!has(my_label)\" matches
11585 packets that are from other Calico-controlled \tendpoints
11586 that do not have the label \"my_label\". \n \tNotSelector
11587 = \"has(my_label)\" matches packets that are not from
11588 Calico-controlled \tendpoints that do have the label \"my_label\".
11589 \n The effect is that the latter will accept packets from
11590 non-Calico sources whereas the former is limited to packets
11591 from Calico-controlled endpoints."
11594 description: ServiceAccounts is an optional field that restricts
11595 the rule to only apply to traffic that originates from
11596 (or terminates at) a pod running as a matching service
11600 description: Names is an optional field that restricts
11601 the rule to only apply to traffic that originates
11602 from (or terminates at) a pod running as a service
11603 account whose name is in the list.
11608 description: Selector is an optional field that restricts
11609 the rule to only apply to traffic that originates
11610 from (or terminates at) a pod running as a service
11611 account that matches the given label selector. If
11612 both Names and Selector are specified then they are
11617 description: "Services is an optional field that contains
11618 options for matching Kubernetes Services. If specified,
11619 only traffic that originates from or terminates at endpoints
11620 within the selected service(s) will be matched, and only
11621 to/from each endpoint's port. \n Services cannot be specified
11622 on the same rule as Selector, NotSelector, NamespaceSelector,
11623 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
11624 can only be specified with Services on ingress rules."
11627 description: Name specifies the name of a Kubernetes
11631 description: Namespace specifies the namespace of the
11632 given Service. If left empty, the rule will match
11633 within this policy's namespace.
11638 description: HTTP contains match criteria that apply to HTTP
11642 description: Methods is an optional field that restricts
11643 the rule to apply only to HTTP requests that use one of
11644 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
11645 methods are OR'd together.
11650 description: 'Paths is an optional field that restricts
11651 the rule to apply to HTTP requests that use one of the
11652 listed HTTP Paths. Multiple paths are OR''d together.
11653 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
11654 ONLY specify either a `exact` or a `prefix` match. The
11655 validator will check for it.'
11657 description: 'HTTPPath specifies an HTTP path to match.
11658 It may be either of the form: exact: <path>: which matches
11659 the path exactly or prefix: <path-prefix>: which matches
11670 description: ICMP is an optional field that restricts the rule
11671 to apply to a specific type and code of ICMP traffic. This
11672 should only be specified if the Protocol field is set to "ICMP"
11676 description: Match on a specific ICMP code. If specified,
11677 the Type value must also be specified. This is a technical
11678 limitation imposed by the kernel's iptables firewall,
11679 which Calico uses to enforce the rule.
11682 description: Match on a specific ICMP type. For example
11683 a value of 8 refers to ICMP Echo Request (i.e. pings).
11687 description: IPVersion is an optional field that restricts the
11688 rule to only match a specific IP version.
11691 description: Metadata contains additional information for this
11695 additionalProperties:
11697 description: Annotations is a set of key value pairs that
11698 give extra information about the rule
11702 description: NotICMP is the negated version of the ICMP field.
11705 description: Match on a specific ICMP code. If specified,
11706 the Type value must also be specified. This is a technical
11707 limitation imposed by the kernel's iptables firewall,
11708 which Calico uses to enforce the rule.
11711 description: Match on a specific ICMP type. For example
11712 a value of 8 refers to ICMP Echo Request (i.e. pings).
11719 description: NotProtocol is the negated version of the Protocol
11722 x-kubernetes-int-or-string: true
11727 description: "Protocol is an optional field that restricts the
11728 rule to only apply to traffic of a specific IP protocol. Required
11729 if any of the EntityRules contain Ports (because ports only
11730 apply to certain protocols). \n Must be one of these string
11731 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
11732 \"UDPLite\" or an integer in the range 1-255."
11734 x-kubernetes-int-or-string: true
11736 description: Source contains the match criteria that apply to
11740 description: "NamespaceSelector is an optional field that
11741 contains a selector expression. Only traffic that originates
11742 from (or terminates at) endpoints within the selected
11743 namespaces will be matched. When both NamespaceSelector
11744 and another selector are defined on the same rule, then
11745 only workload endpoints that are matched by both selectors
11746 will be selected by the rule. \n For NetworkPolicy, an
11747 empty NamespaceSelector implies that the Selector is limited
11748 to selecting only workload endpoints in the same namespace
11749 as the NetworkPolicy. \n For NetworkPolicy, `global()`
11750 NamespaceSelector implies that the Selector is limited
11751 to selecting only GlobalNetworkSet or HostEndpoint. \n
11752 For GlobalNetworkPolicy, an empty NamespaceSelector implies
11753 the Selector applies to workload endpoints across all
11757 description: Nets is an optional field that restricts the
11758 rule to only apply to traffic that originates from (or
11759 terminates at) IP addresses in any of the given subnets.
11764 description: NotNets is the negated version of the Nets
11770 description: NotPorts is the negated version of the Ports
11771 field. Since only some protocols have ports, if any ports
11772 are specified it requires the Protocol match in the Rule
11773 to be set to "TCP" or "UDP".
11779 x-kubernetes-int-or-string: true
11782 description: NotSelector is the negated version of the Selector
11783 field. See Selector field for subtleties with negated
11787 description: "Ports is an optional field that restricts
11788 the rule to only apply to traffic that has a source (destination)
11789 port that matches one of these ranges/values. This value
11790 is a list of integers or strings that represent ranges
11791 of ports. \n Since only some protocols have ports, if
11792 any ports are specified it requires the Protocol match
11793 in the Rule to be set to \"TCP\" or \"UDP\"."
11799 x-kubernetes-int-or-string: true
11802 description: "Selector is an optional field that contains
11803 a selector expression (see Policy for sample syntax).
11804 \ Only traffic that originates from (terminates at) endpoints
11805 matching the selector will be matched. \n Note that: in
11806 addition to the negated version of the Selector (see NotSelector
11807 below), the selector expression syntax itself supports
11808 negation. The two types of negation are subtly different.
11809 One negates the set of matched endpoints, the other negates
11810 the whole match: \n \tSelector = \"!has(my_label)\" matches
11811 packets that are from other Calico-controlled \tendpoints
11812 that do not have the label \"my_label\". \n \tNotSelector
11813 = \"has(my_label)\" matches packets that are not from
11814 Calico-controlled \tendpoints that do have the label \"my_label\".
11815 \n The effect is that the latter will accept packets from
11816 non-Calico sources whereas the former is limited to packets
11817 from Calico-controlled endpoints."
11820 description: ServiceAccounts is an optional field that restricts
11821 the rule to only apply to traffic that originates from
11822 (or terminates at) a pod running as a matching service
11826 description: Names is an optional field that restricts
11827 the rule to only apply to traffic that originates
11828 from (or terminates at) a pod running as a service
11829 account whose name is in the list.
11834 description: Selector is an optional field that restricts
11835 the rule to only apply to traffic that originates
11836 from (or terminates at) a pod running as a service
11837 account that matches the given label selector. If
11838 both Names and Selector are specified then they are
11843 description: "Services is an optional field that contains
11844 options for matching Kubernetes Services. If specified,
11845 only traffic that originates from or terminates at endpoints
11846 within the selected service(s) will be matched, and only
11847 to/from each endpoint's port. \n Services cannot be specified
11848 on the same rule as Selector, NotSelector, NamespaceSelector,
11849 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
11850 can only be specified with Services on ingress rules."
11853 description: Name specifies the name of a Kubernetes
11857 description: Namespace specifies the namespace of the
11858 given Service. If left empty, the rule will match
11859 within this policy's namespace.
11868 description: The ordered set of ingress rules. Each rule contains
11869 a set of packet match criteria and a corresponding action to apply.
11871 description: "A Rule encapsulates a set of match criteria and an
11872 action. Both selector-based security Policy and security Profiles
11873 reference rules - separated out as a list of rules for both ingress
11874 and egress packet matching. \n Each positive match criteria has
11875 a negated version, prefixed with \"Not\". All the match criteria
11876 within a rule must be satisfied for a packet to match. A single
11877 rule can contain the positive and negative version of a match
11878 and both must be satisfied for the rule to match."
11883 description: Destination contains the match criteria that apply
11884 to destination entity.
11887 description: "NamespaceSelector is an optional field that
11888 contains a selector expression. Only traffic that originates
11889 from (or terminates at) endpoints within the selected
11890 namespaces will be matched. When both NamespaceSelector
11891 and another selector are defined on the same rule, then
11892 only workload endpoints that are matched by both selectors
11893 will be selected by the rule. \n For NetworkPolicy, an
11894 empty NamespaceSelector implies that the Selector is limited
11895 to selecting only workload endpoints in the same namespace
11896 as the NetworkPolicy. \n For NetworkPolicy, `global()`
11897 NamespaceSelector implies that the Selector is limited
11898 to selecting only GlobalNetworkSet or HostEndpoint. \n
11899 For GlobalNetworkPolicy, an empty NamespaceSelector implies
11900 the Selector applies to workload endpoints across all
11904 description: Nets is an optional field that restricts the
11905 rule to only apply to traffic that originates from (or
11906 terminates at) IP addresses in any of the given subnets.
11911 description: NotNets is the negated version of the Nets
11917 description: NotPorts is the negated version of the Ports
11918 field. Since only some protocols have ports, if any ports
11919 are specified it requires the Protocol match in the Rule
11920 to be set to "TCP" or "UDP".
11926 x-kubernetes-int-or-string: true
11929 description: NotSelector is the negated version of the Selector
11930 field. See Selector field for subtleties with negated
11934 description: "Ports is an optional field that restricts
11935 the rule to only apply to traffic that has a source (destination)
11936 port that matches one of these ranges/values. This value
11937 is a list of integers or strings that represent ranges
11938 of ports. \n Since only some protocols have ports, if
11939 any ports are specified it requires the Protocol match
11940 in the Rule to be set to \"TCP\" or \"UDP\"."
11946 x-kubernetes-int-or-string: true
11949 description: "Selector is an optional field that contains
11950 a selector expression (see Policy for sample syntax).
11951 \ Only traffic that originates from (terminates at) endpoints
11952 matching the selector will be matched. \n Note that: in
11953 addition to the negated version of the Selector (see NotSelector
11954 below), the selector expression syntax itself supports
11955 negation. The two types of negation are subtly different.
11956 One negates the set of matched endpoints, the other negates
11957 the whole match: \n \tSelector = \"!has(my_label)\" matches
11958 packets that are from other Calico-controlled \tendpoints
11959 that do not have the label \"my_label\". \n \tNotSelector
11960 = \"has(my_label)\" matches packets that are not from
11961 Calico-controlled \tendpoints that do have the label \"my_label\".
11962 \n The effect is that the latter will accept packets from
11963 non-Calico sources whereas the former is limited to packets
11964 from Calico-controlled endpoints."
11967 description: ServiceAccounts is an optional field that restricts
11968 the rule to only apply to traffic that originates from
11969 (or terminates at) a pod running as a matching service
11973 description: Names is an optional field that restricts
11974 the rule to only apply to traffic that originates
11975 from (or terminates at) a pod running as a service
11976 account whose name is in the list.
11981 description: Selector is an optional field that restricts
11982 the rule to only apply to traffic that originates
11983 from (or terminates at) a pod running as a service
11984 account that matches the given label selector. If
11985 both Names and Selector are specified then they are
11990 description: "Services is an optional field that contains
11991 options for matching Kubernetes Services. If specified,
11992 only traffic that originates from or terminates at endpoints
11993 within the selected service(s) will be matched, and only
11994 to/from each endpoint's port. \n Services cannot be specified
11995 on the same rule as Selector, NotSelector, NamespaceSelector,
11996 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
11997 can only be specified with Services on ingress rules."
12000 description: Name specifies the name of a Kubernetes
12004 description: Namespace specifies the namespace of the
12005 given Service. If left empty, the rule will match
12006 within this policy's namespace.
12011 description: HTTP contains match criteria that apply to HTTP
12015 description: Methods is an optional field that restricts
12016 the rule to apply only to HTTP requests that use one of
12017 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
12018 methods are OR'd together.
12023 description: 'Paths is an optional field that restricts
12024 the rule to apply to HTTP requests that use one of the
12025 listed HTTP Paths. Multiple paths are OR''d together.
12026 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
12027 ONLY specify either a `exact` or a `prefix` match. The
12028 validator will check for it.'
12030 description: 'HTTPPath specifies an HTTP path to match.
12031 It may be either of the form: exact: <path>: which matches
12032 the path exactly or prefix: <path-prefix>: which matches
12043 description: ICMP is an optional field that restricts the rule
12044 to apply to a specific type and code of ICMP traffic. This
12045 should only be specified if the Protocol field is set to "ICMP"
12049 description: Match on a specific ICMP code. If specified,
12050 the Type value must also be specified. This is a technical
12051 limitation imposed by the kernel's iptables firewall,
12052 which Calico uses to enforce the rule.
12055 description: Match on a specific ICMP type. For example
12056 a value of 8 refers to ICMP Echo Request (i.e. pings).
12060 description: IPVersion is an optional field that restricts the
12061 rule to only match a specific IP version.
12064 description: Metadata contains additional information for this
12068 additionalProperties:
12070 description: Annotations is a set of key value pairs that
12071 give extra information about the rule
12075 description: NotICMP is the negated version of the ICMP field.
12078 description: Match on a specific ICMP code. If specified,
12079 the Type value must also be specified. This is a technical
12080 limitation imposed by the kernel's iptables firewall,
12081 which Calico uses to enforce the rule.
12084 description: Match on a specific ICMP type. For example
12085 a value of 8 refers to ICMP Echo Request (i.e. pings).
12092 description: NotProtocol is the negated version of the Protocol
12095 x-kubernetes-int-or-string: true
12100 description: "Protocol is an optional field that restricts the
12101 rule to only apply to traffic of a specific IP protocol. Required
12102 if any of the EntityRules contain Ports (because ports only
12103 apply to certain protocols). \n Must be one of these string
12104 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
12105 \"UDPLite\" or an integer in the range 1-255."
12107 x-kubernetes-int-or-string: true
12109 description: Source contains the match criteria that apply to
12113 description: "NamespaceSelector is an optional field that
12114 contains a selector expression. Only traffic that originates
12115 from (or terminates at) endpoints within the selected
12116 namespaces will be matched. When both NamespaceSelector
12117 and another selector are defined on the same rule, then
12118 only workload endpoints that are matched by both selectors
12119 will be selected by the rule. \n For NetworkPolicy, an
12120 empty NamespaceSelector implies that the Selector is limited
12121 to selecting only workload endpoints in the same namespace
12122 as the NetworkPolicy. \n For NetworkPolicy, `global()`
12123 NamespaceSelector implies that the Selector is limited
12124 to selecting only GlobalNetworkSet or HostEndpoint. \n
12125 For GlobalNetworkPolicy, an empty NamespaceSelector implies
12126 the Selector applies to workload endpoints across all
12130 description: Nets is an optional field that restricts the
12131 rule to only apply to traffic that originates from (or
12132 terminates at) IP addresses in any of the given subnets.
12137 description: NotNets is the negated version of the Nets
12143 description: NotPorts is the negated version of the Ports
12144 field. Since only some protocols have ports, if any ports
12145 are specified it requires the Protocol match in the Rule
12146 to be set to "TCP" or "UDP".
12152 x-kubernetes-int-or-string: true
12155 description: NotSelector is the negated version of the Selector
12156 field. See Selector field for subtleties with negated
12160 description: "Ports is an optional field that restricts
12161 the rule to only apply to traffic that has a source (destination)
12162 port that matches one of these ranges/values. This value
12163 is a list of integers or strings that represent ranges
12164 of ports. \n Since only some protocols have ports, if
12165 any ports are specified it requires the Protocol match
12166 in the Rule to be set to \"TCP\" or \"UDP\"."
12172 x-kubernetes-int-or-string: true
12175 description: "Selector is an optional field that contains
12176 a selector expression (see Policy for sample syntax).
12177 \ Only traffic that originates from (terminates at) endpoints
12178 matching the selector will be matched. \n Note that: in
12179 addition to the negated version of the Selector (see NotSelector
12180 below), the selector expression syntax itself supports
12181 negation. The two types of negation are subtly different.
12182 One negates the set of matched endpoints, the other negates
12183 the whole match: \n \tSelector = \"!has(my_label)\" matches
12184 packets that are from other Calico-controlled \tendpoints
12185 that do not have the label \"my_label\". \n \tNotSelector
12186 = \"has(my_label)\" matches packets that are not from
12187 Calico-controlled \tendpoints that do have the label \"my_label\".
12188 \n The effect is that the latter will accept packets from
12189 non-Calico sources whereas the former is limited to packets
12190 from Calico-controlled endpoints."
12193 description: ServiceAccounts is an optional field that restricts
12194 the rule to only apply to traffic that originates from
12195 (or terminates at) a pod running as a matching service
12199 description: Names is an optional field that restricts
12200 the rule to only apply to traffic that originates
12201 from (or terminates at) a pod running as a service
12202 account whose name is in the list.
12207 description: Selector is an optional field that restricts
12208 the rule to only apply to traffic that originates
12209 from (or terminates at) a pod running as a service
12210 account that matches the given label selector. If
12211 both Names and Selector are specified then they are
12216 description: "Services is an optional field that contains
12217 options for matching Kubernetes Services. If specified,
12218 only traffic that originates from or terminates at endpoints
12219 within the selected service(s) will be matched, and only
12220 to/from each endpoint's port. \n Services cannot be specified
12221 on the same rule as Selector, NotSelector, NamespaceSelector,
12222 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
12223 can only be specified with Services on ingress rules."
12226 description: Name specifies the name of a Kubernetes
12230 description: Namespace specifies the namespace of the
12231 given Service. If left empty, the rule will match
12232 within this policy's namespace.
12241 description: Order is an optional field that specifies the order in
12242 which the policy is applied. Policies with higher "order" are applied
12243 after those with lower order. If the order is omitted, it may be
12244 considered to be "infinite" - i.e. the policy will be applied last. Policies
12245 with identical order will be applied in alphanumerical order based
12246 on the Policy "Name".
12249 description: "The selector is an expression used to pick pick out
12250 the endpoints that the policy should be applied to. \n Selector
12251 expressions follow this syntax: \n \tlabel == \"string_literal\"
12252 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
12253 \ -> not equal; also matches if label is not present \tlabel in
12254 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
12255 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
12256 ... } -> true if the value of label X is not one of \"a\", \"b\",
12257 \"c\" \thas(label_name) -> True if that label is present \t! expr
12258 -> negation of expr \texpr && expr -> Short-circuit and \texpr
12259 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
12260 or the empty selector -> matches all endpoints. \n Label names are
12261 allowed to contain alphanumerics, -, _ and /. String literals are
12262 more permissive but they do not support escape characters. \n Examples
12263 (with made-up labels): \n \ttype == \"webserver\" && deployment
12264 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
12265 \"dev\" \t! has(label_name)"
12267 serviceAccountSelector:
12268 description: ServiceAccountSelector is an optional field for an expression
12269 used to select a pod based on service accounts.
12272 description: "Types indicates whether this policy applies to ingress,
12273 or to egress, or to both. When not explicitly specified (and so
12274 the value on creation is empty or nil), Calico defaults Types according
12275 to what Ingress and Egress are present in the policy. The default
12276 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
12277 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
12278 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
12279 PolicyTypeEgress ], if there are both Ingress and Egress rules.
12280 \n When the policy is read back again, Types will always be one
12281 of these values, never empty or nil."
12283 description: PolicyType enumerates the possible values of the PolicySpec
12298 apiVersion: apiextensions.k8s.io/v1
12299 kind: CustomResourceDefinition
12301 name: networksets.crd.projectcalico.org
12303 group: crd.projectcalico.org
12306 listKind: NetworkSetList
12307 plural: networksets
12308 singular: networkset
12314 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
12317 description: 'APIVersion defines the versioned schema of this representation
12318 of an object. Servers should convert recognized schemas to the latest
12319 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
12322 description: 'Kind is a string value representing the REST resource this
12323 object represents. Servers may infer this from the endpoint the client
12324 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
12329 description: NetworkSetSpec contains the specification for a NetworkSet
12333 description: The list of IP networks that belong to this set.
12349 kind: ServiceAccount
12351 name: calico-kube-controllers
12352 namespace: kube-system
12355 kind: ServiceAccount
12358 namespace: kube-system
12360 apiVersion: rbac.authorization.k8s.io/v1
12363 name: calico-kube-controllers
12382 - crd.projectcalico.org
12389 - crd.projectcalico.org
12402 - crd.projectcalico.org
12412 - crd.projectcalico.org
12414 - clusterinformations
12420 - crd.projectcalico.org
12422 - kubecontrollersconfigurations
12429 apiVersion: rbac.authorization.k8s.io/v1
12472 - networking.k8s.io
12494 - crd.projectcalico.org
12496 - globalfelixconfigs
12497 - felixconfigurations
12500 - bgpconfigurations
12504 - globalnetworkpolicies
12505 - globalnetworksets
12508 - clusterinformations
12511 - caliconodestatuses
12517 - crd.projectcalico.org
12520 - felixconfigurations
12521 - clusterinformations
12526 - crd.projectcalico.org
12528 - caliconodestatuses
12540 - crd.projectcalico.org
12542 - bgpconfigurations
12548 - crd.projectcalico.org
12560 - crd.projectcalico.org
12566 - crd.projectcalico.org
12578 apiVersion: rbac.authorization.k8s.io/v1
12579 kind: ClusterRoleBinding
12581 name: calico-kube-controllers
12583 apiGroup: rbac.authorization.k8s.io
12585 name: calico-kube-controllers
12587 - kind: ServiceAccount
12588 name: calico-kube-controllers
12589 namespace: kube-system
12591 apiVersion: rbac.authorization.k8s.io/v1
12592 kind: ClusterRoleBinding
12596 apiGroup: rbac.authorization.k8s.io
12600 - kind: ServiceAccount
12602 namespace: kube-system
12606 calico_backend: bird
12607 cni_network_config: |-
12609 "name": "k8s-pod-network",
12610 "cniVersion": "0.3.1",
12614 "log_level": "info",
12615 "log_file_path": "/var/log/calico/cni/cni.log",
12616 "datastore_type": "kubernetes",
12617 "nodename": "__KUBERNETES_NODE_NAME__",
12618 "mtu": __CNI_MTU__,
12620 "type": "calico-ipam",
12621 "assign_ipv4": "false",
12622 "assign_ipv6": "true"
12628 "kubeconfig": "__KUBECONFIG_FILEPATH__"
12634 "capabilities": {"portMappings": true}
12637 "type": "bandwidth",
12638 "capabilities": {"bandwidth": true}
12642 typha_service_name: none
12646 name: calico-config
12647 namespace: kube-system
12649 apiVersion: apps/v1
12653 k8s-app: calico-kube-controllers
12654 name: calico-kube-controllers
12655 namespace: kube-system
12660 k8s-app: calico-kube-controllers
12666 k8s-app: calico-kube-controllers
12667 name: calico-kube-controllers
12668 namespace: kube-system
12672 - name: ENABLED_CONTROLLERS
12674 - name: DATASTORE_TYPE
12676 image: docker.io/calico/kube-controllers:v3.22.1
12680 - /usr/bin/check-status
12682 failureThreshold: 6
12683 initialDelaySeconds: 10
12686 name: calico-kube-controllers
12690 - /usr/bin/check-status
12694 kubernetes.io/os: linux
12695 priorityClassName: system-cluster-critical
12696 serviceAccountName: calico-kube-controllers
12698 - key: CriticalAddonsOnly
12700 - effect: NoSchedule
12701 key: node-role.kubernetes.io/master
12703 apiVersion: policy/v1beta1
12704 kind: PodDisruptionBudget
12707 k8s-app: calico-kube-controllers
12708 name: calico-kube-controllers
12709 namespace: kube-system
12714 k8s-app: calico-kube-controllers
12716 apiVersion: apps/v1
12720 k8s-app: calico-node
12722 namespace: kube-system
12726 k8s-app: calico-node
12730 k8s-app: calico-node
12734 - name: IP6_AUTODETECTION_METHOD
12735 value: can-reach=www.google.com
12738 - name: FELIX_IPV6SUPPORT
12742 - name: CALICO_ROUTER_ID
12744 - name: DATASTORE_TYPE
12746 - name: WAIT_FOR_DATASTORE
12751 fieldPath: spec.nodeName
12752 - name: CALICO_NETWORKING_BACKEND
12755 key: calico_backend
12756 name: calico-config
12757 - name: CLUSTER_TYPE
12759 - name: CALICO_IPV4POOL_IPIP
12761 - name: CALICO_IPV4POOL_VXLAN
12763 - name: FELIX_IPINIPMTU
12767 name: calico-config
12768 - name: FELIX_VXLANMTU
12772 name: calico-config
12773 - name: FELIX_WIREGUARDMTU
12777 name: calico-config
12778 - name: CALICO_DISABLE_FILE_LOGGING
12780 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
12782 - name: FELIX_HEALTHENABLED
12786 name: kubernetes-services-endpoint
12788 image: docker.io/calico/node:v3.22.1
12801 failureThreshold: 6
12802 initialDelaySeconds: 10
12820 - mountPath: /host/etc/cni/net.d
12823 - mountPath: /lib/modules
12826 - mountPath: /run/xtables.lock
12829 - mountPath: /var/run/calico
12830 name: var-run-calico
12832 - mountPath: /var/lib/calico
12833 name: var-lib-calico
12835 - mountPath: /var/run/nodeagent
12837 - mountPath: /sys/fs/
12838 mountPropagation: Bidirectional
12840 - mountPath: /var/log/calico/cni
12846 - /opt/cni/bin/calico-ipam
12849 - name: KUBERNETES_NODE_NAME
12852 fieldPath: spec.nodeName
12853 - name: CALICO_NETWORKING_BACKEND
12856 key: calico_backend
12857 name: calico-config
12860 name: kubernetes-services-endpoint
12862 image: docker.io/calico/cni:v3.22.1
12867 - mountPath: /var/lib/cni/networks
12868 name: host-local-net-dir
12869 - mountPath: /host/opt/cni/bin
12872 - /opt/cni/bin/install
12874 - name: CNI_CONF_NAME
12875 value: 10-calico.conflist
12876 - name: CNI_NETWORK_CONFIG
12879 key: cni_network_config
12880 name: calico-config
12881 - name: KUBERNETES_NODE_NAME
12884 fieldPath: spec.nodeName
12889 name: calico-config
12894 name: kubernetes-services-endpoint
12896 image: docker.io/calico/cni:v3.22.1
12901 - mountPath: /host/opt/cni/bin
12903 - mountPath: /host/etc/cni/net.d
12905 - image: docker.io/calico/pod2daemon-flexvol:v3.22.1
12906 name: flexvol-driver
12910 - mountPath: /host/driver
12911 name: flexvol-driver-host
12913 kubernetes.io/os: linux
12914 priorityClassName: system-node-critical
12915 serviceAccountName: calico-node
12916 terminationGracePeriodSeconds: 0
12918 - effect: NoSchedule
12920 - key: CriticalAddonsOnly
12922 - effect: NoExecute
12929 path: /var/run/calico
12930 name: var-run-calico
12932 path: /var/lib/calico
12933 name: var-lib-calico
12935 path: /run/xtables.lock
12940 type: DirectoryOrCreate
12946 path: /etc/cni/net.d
12949 path: /var/log/calico/cni
12952 path: /var/lib/cni/networks
12953 name: host-local-net-dir
12955 path: /var/run/nodeagent
12956 type: DirectoryOrCreate
12959 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
12960 type: DirectoryOrCreate
12961 name: flexvol-driver-host
12965 type: RollingUpdate
12968 creationTimestamp: null
12969 name: {{ .Values.clusterName }}-calico-addon