1 {{- if eq .Values.cni "calico" }}
6 apiVersion: apiextensions.k8s.io/v1
7 kind: CustomResourceDefinition
9 name: bgpconfigurations.crd.projectcalico.org
11 group: crd.projectcalico.org
13 kind: BGPConfiguration
14 listKind: BGPConfigurationList
15 plural: bgpconfigurations
16 singular: bgpconfiguration
22 description: BGPConfiguration contains the configuration for any BGP routing.
25 description: 'APIVersion defines the versioned schema of this representation
26 of an object. Servers should convert recognized schemas to the latest
27 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
30 description: 'Kind is a string value representing the REST resource this
31 object represents. Servers may infer this from the endpoint the client
32 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
37 description: BGPConfigurationSpec contains the values of the BGP configuration.
40 description: 'ASNumber is the default AS number used by a node. [Default:
45 description: Communities is a list of BGP community values and their
46 arbitrary names for tagging routes.
48 description: Community contains standard or large community value
52 description: Name given to community value.
55 description: Value must be of format `aa:nn` or `aa:nn:mm`.
56 For standard community use `aa:nn` format, where `aa` and
57 `nn` are 16-bit numbers. For large community use `aa:nn:mm`
58 format, where `aa`, `nn` and `mm` are 32-bit numbers. Here,
59 `aa` is an AS number, and `nn` and `mm` are per-AS identifiers.
60 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
65 description: ListenPort is the port on which the BGP protocol should listen.
71 description: 'LogSeverityScreen is the log severity above which logs
72 are sent to the stdout. [Default: INFO]'
74 nodeToNodeMeshEnabled:
75 description: 'NodeToNodeMeshEnabled sets whether full node to node
76 BGP mesh is enabled. [Default: true]'
79 description: PrefixAdvertisements contains per-prefix advertisement
82 description: PrefixAdvertisement configures advertisement properties
83 for the specified CIDR.
86 description: CIDR for which properties should be advertised.
89 description: Communities can be list of either community names
90 already defined in `Specs.Communities` or community value
91 of format `aa:nn` or `aa:nn:mm`. For standard community use
92 `aa:nn` format, where `aa` and `nn` are 16-bit numbers. For
93 large community use `aa:nn:mm` format, where `aa`, `nn` and
94 `mm` are 32-bit numbers. Here, `aa` is an AS number, and `nn` and
95 `mm` are per-AS identifiers.
102 description: ServiceClusterIPs are the CIDR blocks from which service
103 cluster IPs are allocated. If specified, Calico will advertise these
104 blocks, as well as any cluster IPs within them.
106 description: ServiceClusterIPBlock represents a single allowed ClusterIP
114 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
115 Service External IPs. Kubernetes Service ExternalIPs will only be
116 advertised if they are within one of these blocks.
118 description: ServiceExternalIPBlock represents a single allowed
119 External IP CIDR block.
125 serviceLoadBalancerIPs:
126 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
127 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
128 IPs will only be advertised if they are within one of these blocks.
130 description: ServiceLoadBalancerIPBlock represents a single allowed
131 LoadBalancer IP CIDR block.
148 apiVersion: apiextensions.k8s.io/v1
149 kind: CustomResourceDefinition
151 name: bgppeers.crd.projectcalico.org
153 group: crd.projectcalico.org
156 listKind: BGPPeerList
166 description: 'APIVersion defines the versioned schema of this representation
167 of an object. Servers should convert recognized schemas to the latest
168 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
171 description: 'Kind is a string value representing the REST resource this
172 object represents. Servers may infer this from the endpoint the client
173 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
178 description: BGPPeerSpec contains the specification for a BGPPeer resource.
181 description: The AS Number of the peer.
185 description: Option to keep the original nexthop field when routes
186 are sent to a BGP Peer. Setting "true" configures the selected BGP
187 Peers node to use "next hop keep;" instead of "next hop self;" (default)
188 in the specific branch of the Node in "bird.cfg".
191 description: Time to allow for software restart. When specified,
192 this is configured as the graceful restart timeout. When not specified,
193 the BIRD default of 120s is used.
196 description: The node name identifying the Calico node instance that
197 is targeted by this peer. If this is not set, and no nodeSelector
198 is specified, then this BGP peer selects all nodes in the cluster.
201 description: Selector for the nodes that should have this peering. When
202 this is set, the Node field must be empty.
205 description: Optional BGP password for the peerings generated by this
209 description: Selects a key of a secret in the node pod's namespace.
212 description: The key of the secret to select from. Must be
216 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
217 TODO: Add other useful fields. apiVersion, kind, uid?'
220 description: Specify whether the Secret or its key must be
228 description: The IP address of the peer followed by an optional port
229 number to peer with. If a port number is given, the format should be `[<IPv6>]:<port>`
230 for IPv6 or `<IPv4>:<port>` for IPv4. If the optional port number is not set,
231 and this peer IP and ASNumber belongs to a calico/node with ListenPort
232 set in BGPConfiguration, then we use that port to peer.
235 description: Selector for the remote nodes to peer with. When this
236 is set, the PeerIP and ASNumber fields must be empty. For each
237 peering between the local node and selected remote nodes, we configure
238 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
239 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
240 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
241 or the global default if that is not set.
244 description: Specifies whether and how to configure a source address
245 for the peerings generated by this BGPPeer resource. Default value
246 "UseNodeIP" means to configure the node IP as the source address. "None"
247 means not to configure a source address.
260 apiVersion: apiextensions.k8s.io/v1
261 kind: CustomResourceDefinition
263 name: blockaffinities.crd.projectcalico.org
265 group: crd.projectcalico.org
268 listKind: BlockAffinityList
269 plural: blockaffinities
270 singular: blockaffinity
278 description: 'APIVersion defines the versioned schema of this representation
279 of an object. Servers should convert recognized schemas to the latest
280 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
283 description: 'Kind is a string value representing the REST resource this
284 object represents. Servers may infer this from the endpoint the client
285 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
290 description: BlockAffinitySpec contains the specification for a BlockAffinity
296 description: Deleted indicates that this block affinity is being deleted.
297 This field is a string for compatibility with older releases that
298 mistakenly treat this field as a string.
320 apiVersion: apiextensions.k8s.io/v1
321 kind: CustomResourceDefinition
324 controller-gen.kubebuilder.io/version: (devel)
325 creationTimestamp: null
326 name: caliconodestatuses.crd.projectcalico.org
328 group: crd.projectcalico.org
330 kind: CalicoNodeStatus
331 listKind: CalicoNodeStatusList
332 plural: caliconodestatuses
333 singular: caliconodestatus
341 description: 'APIVersion defines the versioned schema of this representation
342 of an object. Servers should convert recognized schemas to the latest
343 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
346 description: 'Kind is a string value representing the REST resource this
347 object represents. Servers may infer this from the endpoint the client
348 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
353 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
357 description: Classes declares the types of information to monitor
358 for this calico/node, and allows for selective status reporting
359 about certain subsets of information.
364 description: The node name identifies the Calico node instance for
368 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
369 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
370 Maximum update period is one day.
375 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
376 No validation needed for status since it is updated by Calico.
379 description: Agent holds agent status on the node.
382 description: BIRDV4 represents the latest observed status of bird4.
385 description: LastBootTime holds the value of lastBootTime
386 from bird.ctl output.
388 lastReconfigurationTime:
389 description: LastReconfigurationTime holds the value of lastReconfigTime
390 from bird.ctl output.
393 description: Router ID used by bird.
396 description: The state of the BGP Daemon.
399 description: Version of the BGP daemon
403 description: BIRDV6 represents the latest observed status of bird6.
406 description: LastBootTime holds the value of lastBootTime
407 from bird.ctl output.
409 lastReconfigurationTime:
410 description: LastReconfigurationTime holds the value of lastReconfigTime
411 from bird.ctl output.
414 description: Router ID used by bird.
417 description: The state of the BGP Daemon.
420 description: Version of the BGP daemon
425 description: BGP holds node BGP status.
428 description: The total number of IPv4 established bgp sessions.
431 description: The total number of IPv6 established bgp sessions.
433 numberNotEstablishedV4:
434 description: The total number of IPv4 non-established bgp sessions.
436 numberNotEstablishedV6:
437 description: The total number of IPv6 non-established bgp sessions.
440 description: PeersV4 represents IPv4 BGP peers status on the node.
442 description: CalicoNodePeer contains the status of BGP peers
446 description: IP address of the peer whose condition we are
450 description: Since the state or reason last changed.
453 description: State is the BGP session state.
456 description: Type indicates whether this peer is configured
457 via the node-to-node mesh, or via an explicit global or
458 per-node BGPPeer object.
463 description: PeersV6 represents IPv6 BGP peers status on the node.
465 description: CalicoNodePeer contains the status of BGP peers
469 description: IP address of the peer whose condition we are
473 description: Since the state or reason last changed.
476 description: State is the BGP session state.
479 description: Type indicates whether this peer is configured
480 via the node-to-node mesh, or via an explicit global or
481 per-node BGPPeer object.
486 - numberEstablishedV4
487 - numberEstablishedV6
488 - numberNotEstablishedV4
489 - numberNotEstablishedV6
492 description: LastUpdated is a timestamp representing the server time
493 when the CalicoNodeStatus object was last updated. It is represented in
494 RFC3339 form and is in UTC.
499 description: Routes reports routes known to the Calico BGP daemon
503 description: RoutesV4 represents IPv4 routes on the node.
505 description: CalicoNodeRoute contains the status of BGP routes
509 description: Destination of the route.
512 description: Gateway for the destination.
515 description: Interface for the destination
518 description: LearnedFrom contains information regarding
519 where this route originated.
522 description: If sourceType is NodeMesh or BGPPeer, IP
523 address of the router that sent us this route.
526 description: Type of the source where a route is learned
531 description: Type indicates if the route is being used for
537 description: RoutesV6 represents IPv6 routes on the node.
539 description: CalicoNodeRoute contains the status of BGP routes
543 description: Destination of the route.
546 description: Gateway for the destination.
549 description: Interface for the destination
552 description: LearnedFrom contains information regarding
553 where this route originated.
556 description: If sourceType is NodeMesh or BGPPeer, IP
557 address of the router that sent us this route.
560 description: Type of the source where a route is learned
565 description: Type indicates if the route is being used for
582 apiVersion: apiextensions.k8s.io/v1
583 kind: CustomResourceDefinition
585 name: clusterinformations.crd.projectcalico.org
587 group: crd.projectcalico.org
589 kind: ClusterInformation
590 listKind: ClusterInformationList
591 plural: clusterinformations
592 singular: clusterinformation
598 description: ClusterInformation contains the cluster specific information.
601 description: 'APIVersion defines the versioned schema of this representation
602 of an object. Servers should convert recognized schemas to the latest
603 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
606 description: 'Kind is a string value representing the REST resource this
607 object represents. Servers may infer this from the endpoint the client
608 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
613 description: ClusterInformationSpec contains the values of describing
617 description: CalicoVersion is the version of Calico that the cluster
621 description: ClusterGUID is the GUID of the cluster
624 description: ClusterType describes the type of the cluster
627 description: DatastoreReady is used during significant datastore migrations
628 to signal to components such as Felix that it should wait before
629 accessing the datastore.
632 description: Variant declares which variant of Calico should be active.
645 apiVersion: apiextensions.k8s.io/v1
646 kind: CustomResourceDefinition
648 name: felixconfigurations.crd.projectcalico.org
650 group: crd.projectcalico.org
652 kind: FelixConfiguration
653 listKind: FelixConfigurationList
654 plural: felixconfigurations
655 singular: felixconfiguration
661 description: Felix Configuration contains the configuration for Felix.
664 description: 'APIVersion defines the versioned schema of this representation
665 of an object. Servers should convert recognized schemas to the latest
666 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
669 description: 'Kind is a string value representing the REST resource this
670 object represents. Servers may infer this from the endpoint the client
671 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
676 description: FelixConfigurationSpec contains the values of the Felix configuration.
678 allowIPIPPacketsFromWorkloads:
679 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
680 will add a rule to drop IPIP encapsulated traffic from workloads
683 allowVXLANPacketsFromWorkloads:
684 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
685 will add a rule to drop VXLAN encapsulated traffic from workloads
689 description: 'Set source-destination-check on AWS EC2 instances. Accepted
690 value must be one of "DoNothing", "Enable" or "Disable". [Default:
697 bpfConnectTimeLoadBalancingEnabled:
698 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
699 controls whether Felix installs the connection-time load balancer. The
700 connect-time load balancer is required for the host to be able to
701 reach Kubernetes services and it improves the performance of pod-to-service
702 connections. The only reason to disable it is for debugging purposes. [Default:
706 description: BPFDataIfacePattern is a regular expression that controls
707 which interfaces Felix should attach BPF programs to in order to
708 catch traffic to/from the network. This needs to match the interfaces
709 that Calico workload traffic flows over as well as any interfaces
710 that handle incoming traffic to nodeports and services from outside
711 the cluster. It should not match the workload interfaces (usually
714 bpfDisableUnprivileged:
715 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
716 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
717 users cannot access Calico''s BPF maps and cannot insert their own
718 BPF programs to interfere with Calico''s. [Default: true]'
721 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
724 bpfExtToServiceConnmark:
725 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
726 mark that is set on connections from an external client to a local
727 service. This mark allows us to control how packets of that connection
728 are routed within the host and how routing is interpreted by RPF
731 bpfExternalServiceMode:
732 description: 'BPFExternalServiceMode in BPF mode, controls how connections
733 from outside the cluster to services (node ports and cluster IPs)
734 are forwarded to remote workloads. If set to "Tunnel" then both
735 request and response traffic is tunneled to the remote node. If
736 set to "DSR", the request traffic is tunneled but the response traffic
737 is sent directly from the remote node. In "DSR" mode, the remote
738 node appears to use the IP of the ingress node; this requires a
739 permissive L2 network. [Default: Tunnel]'
741 bpfKubeProxyEndpointSlicesEnabled:
742 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
743 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
745 bpfKubeProxyIptablesCleanupEnabled:
746 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
747 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
748 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
751 bpfKubeProxyMinSyncPeriod:
752 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
753 minimum time between updates to the dataplane for Felix''s embedded
754 kube-proxy. Lower values give reduced set-up latency. Higher values
755 reduce Felix CPU usage by batching up more work. [Default: 1s]'
758 description: 'BPFLogLevel controls the log level of the BPF programs
759 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
760 logs are emitted to the BPF trace pipe, accessible with the command
761 `tc exec bpf debug`. [Default: Off].'
764 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
765 top-level iptables chains by inserting a rule at the top of the
766 chain or by appending a rule at the bottom. insert is the safe default
767 since it prevents Calico''s rules from being bypassed. If you switch
768 to append mode, be sure that the other rules in the chains signal
769 acceptance by falling through to the Calico rules, otherwise the
770 Calico policy will be bypassed. [Default: insert]'
774 debugDisableLogDropping:
776 debugMemoryProfilePath:
778 debugSimulateCalcGraphHangAfter:
780 debugSimulateDataplaneHangAfter:
782 defaultEndpointToHostAction:
783 description: 'DefaultEndpointToHostAction controls what happens to
784 traffic that goes from a workload endpoint to the host itself (after
785 the traffic hits the endpoint egress policy). By default Calico
786 blocks traffic from workload endpoints to the host itself with an
787 iptables "DROP" action. If you want to allow some or all traffic
788 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
789 RETURN if you have your own rules in the iptables "INPUT" chain;
790 Calico will insert its rules at the top of that chain, then "RETURN"
791 packets to the "INPUT" chain once it has completed processing workload
792 endpoint egress policy. Use ACCEPT to unconditionally accept packets
793 from workloads after processing workload endpoint egress policy.
797 description: This defines the route protocol added to programmed device
798 routes, by default this will be RTPROT_BOOT when left blank.
800 deviceRouteSourceAddress:
801 description: This is the source address to use on programmed device
802 routes. By default the source address is left blank, leaving the
803 kernel to choose the source address used.
805 disableConntrackInvalidCheck:
807 endpointReportingDelay:
809 endpointReportingEnabled:
812 description: ExternalNodesCIDRList is a list of CIDRs of external non-Calico nodes
813 which may source tunnel traffic and have the tunneled traffic be
814 accepted at Calico nodes.
818 failsafeInboundHostPorts:
819 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
820 and CIDRs that Felix will allow incoming traffic to host endpoints
821 on irrespective of the security policy. This is useful to avoid
822 accidentally cutting off a host with incorrect configuration. For
823 back-compatibility, if the protocol is not specified, it defaults
824 to "tcp". If a CIDR is not specified, it will allow traffic from
825 all addresses. To disable all inbound host ports, use the value
826 none. The default value allows ssh access and DHCP. [Default: tcp:22,
827 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
829 description: ProtoPort is combination of protocol, port, and CIDR.
830 Protocol and port must be specified.
843 failsafeOutboundHostPorts:
844 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
845 and CIDRs that Felix will allow outgoing traffic from host endpoints
846 to irrespective of the security policy. This is useful to avoid
847 accidentally cutting off a host with incorrect configuration. For
848 back-compatibility, if the protocol is not specified, it defaults
849 to "tcp". If a CIDR is not specified, it will allow traffic from
850 all addresses. To disable all outbound host ports, use the value
851 none. The default value opens etcd''s standard ports to ensure that
852 Felix does not get cut off from etcd as well as allowing DHCP and
853 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
854 tcp:6667, udp:53, udp:67]'
856 description: ProtoPort is combination of protocol, port, and CIDR.
857 Protocol and port must be specified.
870 featureDetectOverride:
871 description: FeatureDetectOverride is used to override the feature
872 detection. Values are specified in a comma-separated list with no
873 spaces, for example: "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
874 "true" or "false" will force the feature, empty or omitted values
878 description: 'GenericXDPEnabled enables Generic XDP so network cards
879 that don''t support XDP offload or driver modes can use XDP. This
880 is not recommended since it doesn''t provide better performance
881 than iptables. [Default: false]'
890 description: 'InterfaceExclude is a comma-separated list of interfaces
891 that Felix should exclude when monitoring for host endpoints. The
892 default value ensures that Felix ignores Kubernetes'' IPVS dummy
893 interface, which is used internally by kube-proxy. If you want to
894 exclude multiple interface names using a single value, the list
895 supports regular expressions. For regular expressions you must wrap
896 the value with ''/''. For example having values ''/^kube/,veth1''
897 will exclude all interfaces that begin with ''kube'' and also the
898 interface ''veth1''. [Default: kube-ipvs0]'
901 description: 'InterfacePrefix is the interface name prefix that identifies
902 workload endpoints and so distinguishes them from host endpoint
903 interfaces. Note: in environments other than bare metal, the orchestrators
904 configure this appropriately. For example our Kubernetes and Docker
905 integrations set the ''cali'' value, and our OpenStack integration
906 sets the ''tap'' value. [Default: cali]'
908 interfaceRefreshInterval:
909 description: InterfaceRefreshInterval is the period at which Felix
910 rescans local interfaces to verify their state. The rescan can be
911 disabled by setting the interval to 0.
916 description: 'IPIPMTU is the MTU to set on the tunnel device. See
917 Configuring MTU [Default: 1440]'
919 ipsetsRefreshInterval:
920 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
921 all iptables state to ensure that no other process has accidentally
922 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
926 description: IptablesBackend specifies which backend of iptables will
927 be used. The default is legacy.
929 iptablesFilterAllowAction:
931 iptablesLockFilePath:
932 description: 'IptablesLockFilePath is the location of the iptables
933 lock file. You may need to change this if the lock file is not in
934 its standard location (for example if you have mapped it into Felix''s
935 container at a different path). [Default: /run/xtables.lock]'
937 iptablesLockProbeInterval:
938 description: 'IptablesLockProbeInterval is the time that Felix will
939 wait between attempts to acquire the iptables lock if it is not
940 available. Lower values make Felix more responsive when the lock
941 is contended, but use more CPU. [Default: 50ms]'
944 description: 'IptablesLockTimeout is the time that Felix will wait
945 for the iptables lock, or 0, to disable. To use this feature, Felix
946 must share the iptables lock file with all other processes that
947 also take the lock. When running Felix inside a container, this
948 requires the /run directory of the host to be mounted into the calico/node
949 or calico/felix container. [Default: 0s disabled]'
951 iptablesMangleAllowAction:
954 description: 'IptablesMarkMask is the mask that Felix selects its
955 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
956 at least 8 bits set, none of which clash with any other mark bits
957 in use on the system. [Default: 0xff000000]'
960 iptablesNATOutgoingInterfaceFilter:
962 iptablesPostWriteCheckInterval:
963 description: 'IptablesPostWriteCheckInterval is the period after Felix
964 has done a write to the dataplane that it schedules an extra read
965 back in order to check the write was not clobbered by another process.
966 This should only occur if another application on the system doesn''t
967 respect the iptables lock. [Default: 1s]'
969 iptablesRefreshInterval:
970 description: 'IptablesRefreshInterval is the period at which Felix
971 re-checks the IP sets in the dataplane to ensure that no other process
972 has accidentally broken Calico''s rules. Set to 0 to disable IP
973 sets refresh. Note: the default for this value is lower than the
974 other refresh intervals as a workaround for a Linux kernel bug that
975 was fixed in kernel version 4.11. If you are using v4.11 or greater
976 you may want to set this to a higher value to reduce Felix CPU
977 usage. [Default: 10s]'
982 description: 'KubeNodePortRanges holds list of port ranges used for
983 service node ports. Only used if felix detects kube-proxy running
984 in ipvs mode. Felix uses these ranges to separate host and workload
985 traffic. [Default: 30000:32767].'
991 x-kubernetes-int-or-string: true
994 description: 'LogFilePath is the full path to the Felix log. Set to
995 none to disable file logging. [Default: /var/log/calico/felix.log]'
998 description: 'LogPrefix is the log prefix that Felix uses when rendering
999 LOG rules. [Default: calico-packet]'
1002 description: 'LogSeverityFile is the log severity above which logs
1003 are sent to the log file. [Default: Info]'
1006 description: 'LogSeverityScreen is the log severity above which logs
1007 are sent to the stdout. [Default: Info]'
1010 description: 'LogSeveritySys is the log severity above which logs
1011 are sent to the syslog. Set to None for no logging to syslog. [Default:
1017 description: 'MetadataAddr is the IP address or domain name of the
1018 server that can answer VM queries for cloud-init metadata. In OpenStack,
1019 this corresponds to the machine running nova-api (or in Ubuntu,
1020 nova-api-metadata). A value of none (case insensitive) means that
1021 Felix should not set up any NAT rule for the metadata path. [Default:
1025 description: 'MetadataPort is the port of the metadata server. This,
1026 combined with global.MetadataAddr (if not ''None''), is used to
1027 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
1028 In most cases this should not need to be changed [Default: 8775].'
1031 description: MTUIfacePattern is a regular expression that controls
1032 which interfaces Felix should scan in order to calculate the host's
1033 MTU. This should not match workload interfaces (usually named cali...).
1036 description: NATOutgoingAddress specifies an address to use when performing
1037 source NAT for traffic in a natOutgoing pool that is leaving the
1038 network. By default the address used is an address on the interface
1039 the traffic is leaving on (i.e. it uses the iptables MASQUERADE target)
1045 description: NATPortRange specifies the range of ports that is used
1046 for port mapping when doing outgoing NAT. When unset the default
1047 behavior of the network stack is used.
1049 x-kubernetes-int-or-string: true
1053 description: 'OpenstackRegion is the name of the region that a particular
1054 Felix belongs to. In a multi-region Calico/OpenStack deployment,
1055 this must be configured somehow for each Felix (here in the datamodel,
1056 or in felix.cfg or the environment on each compute node), and must
1057 match the [calico] openstack_region value configured in neutron.conf
1058 on each node. [Default: Empty]'
1060 policySyncPathPrefix:
1061 description: 'PolicySyncPathPrefix is used to by Felix to communicate
1062 policy changes to external services, like Application layer policy.
prometheusGoMetricsEnabled:
description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
collection, which the Prometheus client does by default, when set
to false. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
prometheusMetricsEnabled:
description: 'PrometheusMetricsEnabled enables the Prometheus metrics
server in Felix if set to true. [Default: false]'
prometheusMetricsHost:
description: 'PrometheusMetricsHost is the host that the Prometheus
metrics server should bind to. [Default: empty]'
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
metrics server should bind to. [Default: 9091]'
prometheusProcessMetricsEnabled:
description: 'PrometheusProcessMetricsEnabled disables process metrics
collection, which the Prometheus client does by default, when set
to false. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
prometheusWireGuardMetricsEnabled:
description: 'PrometheusWireGuardMetricsEnabled disables wireguard
metrics collection, which the Prometheus client does by default,
when set to false. This reduces the number of metrics reported,
reducing Prometheus load. [Default: true]'
removeExternalRoutes:
description: Whether or not to remove device routes that have not
been programmed by Felix. Disabling this will allow external applications
to also add device routes. This is enabled by default which means
we will remove externally added routes.
description: 'ReportingInterval is the interval at which Felix reports
its status into the datastore or 0 to disable. Must be non-zero
in OpenStack deployments. [Default: 30s]'
description: 'ReportingTTL is the time-to-live setting for process-wide
status reports. [Default: 90s]'
routeRefreshInterval:
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
description: 'RouteSource configures where Felix gets its routing
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
description: Calico programs additional Linux route tables for various
purposes. RouteTableRange specifies the indices of the route tables
that Calico should use.
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
acceleration [Default: false]'
usageReportingEnabled:
description: 'UsageReportingEnabled reports anonymous Calico version
number and cluster size to projectcalico.org. Logs warnings returned
by the usage server. For example, if a significant security vulnerability
has been discovered in the version of Calico being used. [Default:
usageReportingInitialDelay:
description: 'UsageReportingInitialDelay controls the minimum delay
before Felix makes a report. [Default: 300s]'
usageReportingInterval:
description: 'UsageReportingInterval controls the interval at which
Felix makes reports. [Default: 86400s]'
useInternalDataplaneDriver:
description: 'VXLANMTU is the MTU to set on the tunnel device. See
Configuring MTU [Default: 1440]'
description: 'WireguardEnabled controls whether Wireguard is enabled.
wireguardHostEncryptionEnabled:
description: 'WireguardHostEncryptionEnabled controls whether Wireguard
host-to-host encryption is enabled. [Default: false]'
wireguardInterfaceName:
description: 'WireguardInterfaceName specifies the name to use for
the Wireguard interface. [Default: wg.calico]'
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
by Wireguard. [Default: 51820]'
description: 'WireguardMTU controls the MTU on the Wireguard interface.
See Configuring MTU [Default: 1420]'
wireguardRoutingRulePriority:
description: 'WireguardRoutingRulePriority controls the priority value
to use for the Wireguard routing rule. [Default: 99]'
description: 'XDPEnabled enables XDP acceleration for suitable untracked
incoming deny rules. [Default: true]'
description: 'XDPRefreshInterval is the period at which Felix re-checks
all XDP state to ensure that no other process has accidentally broken
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
refresh. [Default: 90s]'
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: globalnetworkpolicies.crd.projectcalico.org
group: crd.projectcalico.org
kind: GlobalNetworkPolicy
listKind: GlobalNetworkPolicyList
plural: globalnetworkpolicies
singular: globalnetworkpolicy
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: ApplyOnForward indicates to apply the rules in this policy
description: DoNotTrack indicates whether packets matched by the rules
in this policy should go through the data plane's connection tracking,
such as Linux conntrack. If True, the rules in this policy are
applied before any data plane connection tracking, and packets allowed
by this policy are marked as not to be tracked.
description: The ordered set of egress rules. Each rule contains
a set of packet match criteria and a corresponding action to apply.
description: "A Rule encapsulates a set of match criteria and an
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
description: Destination contains the match criteria that apply
to destination entity.
description: "NamespaceSelector is an optional field that
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
and another selector are defined on the same rule, then
only workload endpoints that are matched by both selectors
will be selected by the rule. \n For NetworkPolicy, an
empty NamespaceSelector implies that the Selector is limited
to selecting only workload endpoints in the same namespace
as the NetworkPolicy. \n For NetworkPolicy, `global()`
NamespaceSelector implies that the Selector is limited
to selecting only GlobalNetworkSet or HostEndpoint. \n
For GlobalNetworkPolicy, an empty NamespaceSelector implies
the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
the rule to only apply to traffic that has a source (destination)
port that matches one of these ranges/values. This value
is a list of integers or strings that represent ranges
of ports. \n Since only some protocols have ports, if
any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
a selector expression (see Policy for sample syntax).
\ Only traffic that originates from (terminates at) endpoints
matching the selector will be matched. \n Note that: in
addition to the negated version of the Selector (see NotSelector
below), the selector expression syntax itself supports
negation. The two types of negation are subtly different.
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
description: HTTP contains match criteria that apply to HTTP
description: Methods is an optional field that restricts
the rule to apply only to HTTP requests that use one of
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
methods are OR'd together.
description: 'Paths is an optional field that restricts
the rule to apply to HTTP requests that use one of the
listed HTTP Paths. Multiple paths are OR''d together.
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
ONLY specify either a `exact` or a `prefix` match. The
validator will check for it.'
description: 'HTTPPath specifies an HTTP path to match.
It may be either of the form: exact: <path>: which matches
the path exactly or prefix: <path-prefix>: which matches
description: ICMP is an optional field that restricts the rule
to apply to a specific type and code of ICMP traffic. This
should only be specified if the Protocol field is set to "ICMP"
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
description: IPVersion is an optional field that restricts the
rule to only match a specific IP version.
description: Metadata contains additional information for this
additionalProperties:
description: Annotations is a set of key value pairs that
give extra information about the rule
description: NotICMP is the negated version of the ICMP field.
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
description: NotProtocol is the negated version of the Protocol
x-kubernetes-int-or-string: true
description: "Protocol is an optional field that restricts the
rule to only apply to traffic of a specific IP protocol. Required
if any of the EntityRules contain Ports (because ports only
apply to certain protocols). \n Must be one of these string
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
\"UDPLite\" or an integer in the range 1-255."
x-kubernetes-int-or-string: true
description: Source contains the match criteria that apply to
description: "NamespaceSelector is an optional field that
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
and another selector are defined on the same rule, then
only workload endpoints that are matched by both selectors
will be selected by the rule. \n For NetworkPolicy, an
empty NamespaceSelector implies that the Selector is limited
to selecting only workload endpoints in the same namespace
as the NetworkPolicy. \n For NetworkPolicy, `global()`
NamespaceSelector implies that the Selector is limited
to selecting only GlobalNetworkSet or HostEndpoint. \n
For GlobalNetworkPolicy, an empty NamespaceSelector implies
the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
the rule to only apply to traffic that has a source (destination)
port that matches one of these ranges/values. This value
is a list of integers or strings that represent ranges
of ports. \n Since only some protocols have ports, if
any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
a selector expression (see Policy for sample syntax).
\ Only traffic that originates from (terminates at) endpoints
matching the selector will be matched. \n Note that: in
addition to the negated version of the Selector (see NotSelector
below), the selector expression syntax itself supports
negation. The two types of negation are subtly different.
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
description: The ordered set of ingress rules. Each rule contains
a set of packet match criteria and a corresponding action to apply.
description: "A Rule encapsulates a set of match criteria and an
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
description: Destination contains the match criteria that apply
to destination entity.
description: "NamespaceSelector is an optional field that
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
and another selector are defined on the same rule, then
only workload endpoints that are matched by both selectors
will be selected by the rule. \n For NetworkPolicy, an
empty NamespaceSelector implies that the Selector is limited
to selecting only workload endpoints in the same namespace
as the NetworkPolicy. \n For NetworkPolicy, `global()`
NamespaceSelector implies that the Selector is limited
to selecting only GlobalNetworkSet or HostEndpoint. \n
For GlobalNetworkPolicy, an empty NamespaceSelector implies
the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
the rule to only apply to traffic that has a source (destination)
port that matches one of these ranges/values. This value
is a list of integers or strings that represent ranges
of ports. \n Since only some protocols have ports, if
any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
a selector expression (see Policy for sample syntax).
\ Only traffic that originates from (terminates at) endpoints
matching the selector will be matched. \n Note that: in
addition to the negated version of the Selector (see NotSelector
below), the selector expression syntax itself supports
negation. The two types of negation are subtly different.
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
description: HTTP contains match criteria that apply to HTTP
description: Methods is an optional field that restricts
the rule to apply only to HTTP requests that use one of
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
methods are OR'd together.
description: 'Paths is an optional field that restricts
the rule to apply to HTTP requests that use one of the
listed HTTP Paths. Multiple paths are OR''d together.
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
ONLY specify either a `exact` or a `prefix` match. The
validator will check for it.'
description: 'HTTPPath specifies an HTTP path to match.
It may be either of the form: exact: <path>: which matches
the path exactly or prefix: <path-prefix>: which matches
description: ICMP is an optional field that restricts the rule
to apply to a specific type and code of ICMP traffic. This
should only be specified if the Protocol field is set to "ICMP"
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
description: IPVersion is an optional field that restricts the
rule to only match a specific IP version.
description: Metadata contains additional information for this
additionalProperties:
description: Annotations is a set of key value pairs that
give extra information about the rule
description: NotICMP is the negated version of the ICMP field.
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
description: NotProtocol is the negated version of the Protocol
x-kubernetes-int-or-string: true
description: "Protocol is an optional field that restricts the
rule to only apply to traffic of a specific IP protocol. Required
if any of the EntityRules contain Ports (because ports only
apply to certain protocols). \n Must be one of these string
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
\"UDPLite\" or an integer in the range 1-255."
x-kubernetes-int-or-string: true
description: Source contains the match criteria that apply to
description: "NamespaceSelector is an optional field that
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
and another selector are defined on the same rule, then
only workload endpoints that are matched by both selectors
will be selected by the rule. \n For NetworkPolicy, an
empty NamespaceSelector implies that the Selector is limited
to selecting only workload endpoints in the same namespace
as the NetworkPolicy. \n For NetworkPolicy, `global()`
NamespaceSelector implies that the Selector is limited
to selecting only GlobalNetworkSet or HostEndpoint. \n
For GlobalNetworkPolicy, an empty NamespaceSelector implies
the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
the rule to only apply to traffic that has a source (destination)
port that matches one of these ranges/values. This value
is a list of integers or strings that represent ranges
of ports. \n Since only some protocols have ports, if
any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
a selector expression (see Policy for sample syntax).
\ Only traffic that originates from (terminates at) endpoints
matching the selector will be matched. \n Note that: in
addition to the negated version of the Selector (see NotSelector
below), the selector expression syntax itself supports
negation. The two types of negation are subtly different.
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
description: NamespaceSelector is an optional field for an expression
used to select a pod based on namespaces.
description: Order is an optional field that specifies the order in
which the policy is applied. Policies with higher "order" are applied
after those with lower order. If the order is omitted, it may be
considered to be "infinite" - i.e. the policy will be applied last. Policies
with identical order will be applied in alphanumerical order based
on the Policy "Name".
description: PreDNAT indicates to apply the rules in this policy before
description: "The selector is an expression used to pick out
the endpoints that the policy should be applied to. \n Selector
expressions follow this syntax: \n \tlabel == \"string_literal\"
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
\ -> not equal; also matches if label is not present \tlabel in
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
... } -> true if the value of label X is not one of \"a\", \"b\",
\"c\" \thas(label_name) -> True if that label is present \t! expr
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
or the empty selector -> matches all endpoints. \n Label names are
allowed to contain alphanumerics, -, _ and /. String literals are
more permissive but they do not support escape characters. \n Examples
(with made-up labels): \n \ttype == \"webserver\" && deployment
== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
\"dev\" \t! has(label_name)"
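The selector grammar listed in this description, and the Selector versus NotSelector subtlety noted in the rule descriptions earlier, as a worked example. This is added code, not Calico's own implementation: it parses the operators the description lists and models a non-Calico source as an endpoint with no label set (`None`). Assumed: a label that is absent satisfies `not in` the same way the text says it satisfies `!=`.

```python
# Added example, not Calico's code: evaluator for the selector grammar quoted in
# the CRD text; shows how Selector and NotSelector treat non-Calico sources.
import re

# Label names: alphanumerics, '-', '_', '/'; literals are quoted, no escapes.
TOKEN_RE = re.compile(
    r'(?P<op>==|!=|&&|\|\||[!(){},])|(?P<str>"[^"]*"|\'[^\']*\')'
    r'|(?P<word>[A-Za-z0-9_/-]+)|(?P<ws>\s+)|(?P<bad>.)'
)

def tokenize(expr):
    toks = []                       # list of (kind, text); kind is op, str or word
    for m in TOKEN_RE.finditer(expr):
        kind, text = m.lastgroup, m.group()
        if kind == "bad":
            raise ValueError(f"bad character {text!r} in selector")
        if kind != "ws":
            toks.append((kind, text[1:-1] if kind == "str" else text))
    return toks

def take(toks, kind, text=None):
    """Consume the next token, which must have the given kind (and text)."""
    k, t = toks[0] if toks else (None, None)
    if k != kind or (text is not None and t != text):
        raise ValueError(f"expected {text or kind}, got {t!r}")
    return toks.pop(0)[1]

def parse_binary(toks, level=0):
    """Level 0 is '||', level 1 is '&&' (both left-associative), then a term."""
    if level == 2:
        return parse_term(toks)
    sym, tag = (("||", "or"), ("&&", "and"))[level]
    node = parse_binary(toks, level + 1)
    while toks and toks[0] == ("op", sym):
        take(toks, "op")
        node = (tag, node, parse_binary(toks, level + 1))
    return node

def parse_term(toks):
    """'!' term, '( expr )', has(label), all(), or a label test."""
    head = toks[0] if toks else (None, None)
    if head == ("op", "!"):
        take(toks, "op")
        return ("not", parse_term(toks))
    if head == ("op", "("):
        take(toks, "op")
        node = parse_binary(toks)
        take(toks, "op", ")")
        return node
    name = take(toks, "word")
    if name in ("all", "has") and toks and toks[0] == ("op", "("):
        take(toks, "op")
        node = ("all",) if name == "all" else ("has", take(toks, "word"))
        take(toks, "op", ")")
        return node
    kind, text = toks[0] if toks else (None, None)
    if kind == "op" and text in ("==", "!="):
        take(toks, "op")
        return ("eq" if text == "==" else "ne", name, take(toks, "str"))
    if kind == "word" and text in ("in", "not"):
        if text == "not":
            take(toks, "word")
        take(toks, "word", "in")
        take(toks, "op", "{")
        values = {take(toks, "str")}
        while toks and toks[0] == ("op", ","):
            take(toks, "op")
            values.add(take(toks, "str"))
        take(toks, "op", "}")
        return ("notin" if text == "not" else "in", name, frozenset(values))
    raise ValueError(f"unexpected {text!r} after label {name!r}")

# n = AST node, lb = label dict.  An absent label satisfies != (per the schema)
# and, by assumption here, "not in" as well.
EVAL = {
    "all": lambda n, lb: True,
    "has": lambda n, lb: n[1] in lb,
    "eq": lambda n, lb: lb.get(n[1]) == n[2],
    "ne": lambda n, lb: lb.get(n[1]) != n[2],
    "in": lambda n, lb: lb.get(n[1]) in n[2],
    "notin": lambda n, lb: lb.get(n[1]) not in n[2],
    "not": lambda n, lb: not evaluate(n[1], lb),
    "and": lambda n, lb: evaluate(n[1], lb) and evaluate(n[2], lb),
    "or": lambda n, lb: evaluate(n[1], lb) or evaluate(n[2], lb),
}

def evaluate(node, labels):
    return EVAL[node[0]](node, labels)

def matches(selector, labels):
    """Evaluate a whole selector; the empty selector matches all endpoints."""
    toks = tokenize(selector)
    node = parse_binary(toks) if toks else ("all",)
    if toks:
        raise ValueError(f"unexpected trailing {toks[0][1]!r}")
    return evaluate(node, labels)

def rule_matches(labels, selector="", not_selector=""):
    """labels is None for a non-Calico source: a Selector never matches it,
    while a NotSelector (negation of the whole match) still lets it through."""
    def hits(expr):
        return labels is not None and matches(expr, labels)
    if selector and not hits(selector):
        return False
    return not (not_selector and hits(not_selector))
```

`rule_matches(None, not_selector="has(my_label)")` is the case the description warns about: the NotSelector form accepts traffic from outside Calico's control, where the Selector form `!has(my_label)` does not.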
serviceAccountSelector:
description: ServiceAccountSelector is an optional field for an expression
used to select a pod based on service accounts.
description: "Types indicates whether this policy applies to ingress,
or to egress, or to both. When not explicitly specified (and so
the value on creation is empty or nil), Calico defaults Types according
to what Ingress and Egress rules are present in the policy. The
default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
(including the case where there are also no Ingress rules) \n
- [ PolicyTypeEgress ], if there are Egress rules but no Ingress
rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
both Ingress and Egress rules. \n When the policy is read back again,
Types will always be one of these values, never empty or nil."
description: PolicyType enumerates the possible values of the PolicySpec
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: globalnetworksets.crd.projectcalico.org
group: crd.projectcalico.org
kind: GlobalNetworkSet
listKind: GlobalNetworkSetList
plural: globalnetworksets
singular: globalnetworkset
description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
that share labels to allow rules to refer to them via selectors. The labels
of GlobalNetworkSet are not namespaced.
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: GlobalNetworkSetSpec contains the specification for a NetworkSet
description: The list of IP networks that belong to this set.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: hostendpoints.crd.projectcalico.org
group: crd.projectcalico.org
listKind: HostEndpointList
plural: hostendpoints
2133 singular: hostendpoint
2141 description: 'APIVersion defines the versioned schema of this representation
2142 of an object. Servers should convert recognized schemas to the latest
2143 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2146 description: 'Kind is a string value representing the REST resource this
2147 object represents. Servers may infer this from the endpoint the client
2148 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2153 description: HostEndpointSpec contains the specification for a HostEndpoint
2157 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
2158 If \"InterfaceName\" is not present, Calico will look for an interface
2159 matching any of the IPs in the list and apply policy to that. Note:
2160 \tWhen using the selector match criteria in an ingress or egress
2161 security Policy \tor Profile, Calico converts the selector into
2162 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
2163 is used for that purpose. (If only the interface \tname is specified,
2164 Calico does not learn the IPs of the interface for use in match
2170 description: "Either \"*\", or the name of a specific Linux interface
2171 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
2172 governs all traffic to, from or through the default network namespace
2173 of the host named by the \"Node\" field; entering and leaving that
2174 namespace via any interface, including those from/to non-host-networked
2175 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
2176 only governs traffic that enters or leaves the host through the
2177 specific interface named by InterfaceName, or - when InterfaceName
2178 is empty - through the specific interface that has one of the IPs
2179 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
2180 one expected IP must be specified. Only external interfaces (such
2181 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
2182 to protect traffic through a specific local workload interface.
2183 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
2184 initially just pre-DNAT policy. Please check Calico documentation
2185 for the latest position."
2188 description: The node name identifying the Calico node instance.
2191 description: Ports contains the endpoint's named ports, which may
2192 be referenced in security policy rules.
2204 x-kubernetes-int-or-string: true
2212 description: A list of identifiers of security Profile objects that
2213 apply to this endpoint. Each profile is applied in the order that
2214 they appear in this list. Profile rules are applied after the selector-based
2230 apiVersion: apiextensions.k8s.io/v1
2231 kind: CustomResourceDefinition
2233 name: ipamblocks.crd.projectcalico.org
2235 group: crd.projectcalico.org
2238 listKind: IPAMBlockList
2248 description: 'APIVersion defines the versioned schema of this representation
2249 of an object. Servers should convert recognized schemas to the latest
2250 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2253 description: 'Kind is a string value representing the REST resource this
2254 object represents. Servers may infer this from the endpoint the client
2255 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2260 description: IPAMBlockSpec contains the specification for an IPAMBlock
2276 additionalProperties:
2308 apiVersion: apiextensions.k8s.io/v1
2309 kind: CustomResourceDefinition
2311 name: ipamconfigs.crd.projectcalico.org
2313 group: crd.projectcalico.org
2316 listKind: IPAMConfigList
2318 singular: ipamconfig
2326 description: 'APIVersion defines the versioned schema of this representation
2327 of an object. Servers should convert recognized schemas to the latest
2328 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2331 description: 'Kind is a string value representing the REST resource this
2332 object represents. Servers may infer this from the endpoint the client
2333 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2338 description: IPAMConfigSpec contains the specification for an IPAMConfig
2344 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2345 that can be affine to each host.
2350 - autoAllocateBlocks
2363 apiVersion: apiextensions.k8s.io/v1
2364 kind: CustomResourceDefinition
2366 name: ipamhandles.crd.projectcalico.org
2368 group: crd.projectcalico.org
2371 listKind: IPAMHandleList
2373 singular: ipamhandle
2381 description: 'APIVersion defines the versioned schema of this representation
2382 of an object. Servers should convert recognized schemas to the latest
2383 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2386 description: 'Kind is a string value representing the REST resource this
2387 object represents. Servers may infer this from the endpoint the client
2388 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2393 description: IPAMHandleSpec contains the specification for an IPAMHandle
2397 additionalProperties:
2418 apiVersion: apiextensions.k8s.io/v1
2419 kind: CustomResourceDefinition
2421 name: ippools.crd.projectcalico.org
2423 group: crd.projectcalico.org
2426 listKind: IPPoolList
2436 description: 'APIVersion defines the versioned schema of this representation
2437 of an object. Servers should convert recognized schemas to the latest
2438 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2441 description: 'Kind is a string value representing the REST resource this
2442 object represents. Servers may infer this from the endpoint the client
2443 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2448 description: IPPoolSpec contains the specification for an IPPool resource.
2451 description: AllowedUse controls what the IP pool will be used for. If
2452 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
2457 description: The block size to use for IP address assignments from
2458 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2461 description: The pool CIDR.
2464 description: 'Disable exporting routes from this IP Pool''s CIDR over
2465 BGP. [Default: false]'
2468 description: When disabled is true, Calico IPAM will not assign addresses
2472 description: 'Deprecated: this field is only used for APIv1 backwards
2473 compatibility. Setting this field is not allowed, this field is
2474 for internal use only.'
2477 description: When enabled is true, ipip tunneling will be used
2478 to deliver packets to destinations within this pool.
2481 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2482 mode of "always" will also use IPIP tunneling for routing to
2483 destination IP addresses within this pool. A mode of "cross-subnet"
2484 will only use IPIP tunneling when the destination node is on
2485 a different subnet to the originating node. The default value
2486 (if not specified) is "always".
2490 description: Contains configuration for IPIP tunneling for this pool.
2491 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2495 description: 'Deprecated: this field is only used for APIv1 backwards
2496 compatibility. Setting this field is not allowed, this field is
2497 for internal use only.'
2500 description: When nat-outgoing is true, packets sent from Calico networked
2501 containers in this pool to destinations outside of this pool will
2505 description: Allows IPPool to allocate for a specific node by label
2509 description: Contains configuration for VXLAN tunneling for this pool.
2510 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2511 tunneling is disabled).
2526 apiVersion: apiextensions.k8s.io/v1
2527 kind: CustomResourceDefinition
2529 name: ipreservations.crd.projectcalico.org
2531 group: crd.projectcalico.org
2534 listKind: IPReservationList
2535 plural: ipreservations
2536 singular: ipreservation
2544 description: 'APIVersion defines the versioned schema of this representation
2545 of an object. Servers should convert recognized schemas to the latest
2546 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2549 description: 'Kind is a string value representing the REST resource this
2550 object represents. Servers may infer this from the endpoint the client
2551 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2556 description: IPReservationSpec contains the specification for an IPReservation
2560 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
2561 that Calico IPAM will exclude from new allocations.
2576 apiVersion: apiextensions.k8s.io/v1
2577 kind: CustomResourceDefinition
2579 name: kubecontrollersconfigurations.crd.projectcalico.org
2581 group: crd.projectcalico.org
2583 kind: KubeControllersConfiguration
2584 listKind: KubeControllersConfigurationList
2585 plural: kubecontrollersconfigurations
2586 singular: kubecontrollersconfiguration
2594 description: 'APIVersion defines the versioned schema of this representation
2595 of an object. Servers should convert recognized schemas to the latest
2596 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2599 description: 'Kind is a string value representing the REST resource this
2600 object represents. Servers may infer this from the endpoint the client
2601 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2606 description: KubeControllersConfigurationSpec contains the values of the
2607 Kubernetes controllers configuration.
2610 description: Controllers enables and configures individual Kubernetes
2614 description: Namespace enables and configures the namespace controller.
2615 Enabled by default, set to nil to disable.
2618 description: 'ReconcilerPeriod is the period to perform reconciliation
2619 with the Calico datastore. [Default: 5m]'
2623 description: Node enables and configures the node controller.
2624 Enabled by default, set to nil to disable.
2627 description: HostEndpoint controls syncing nodes to host endpoints.
2628 Disabled by default, set to nil to disable.
2631 description: 'AutoCreate enables automatic creation of
2632 host endpoints for every node. [Default: Disabled]'
2636 description: 'LeakGracePeriod is the period used by the controller
2637 to determine if an IP address has been leaked. Set to 0
2638 to disable IP garbage collection. [Default: 15m]'
2641 description: 'ReconcilerPeriod is the period to perform reconciliation
2642 with the Calico datastore. [Default: 5m]'
2645 description: 'SyncLabels controls whether to copy Kubernetes
2646 node labels to Calico nodes. [Default: Enabled]'
2650 description: Policy enables and configures the policy controller.
2651 Enabled by default, set to nil to disable.
2654 description: 'ReconcilerPeriod is the period to perform reconciliation
2655 with the Calico datastore. [Default: 5m]'
2659 description: ServiceAccount enables and configures the service
2660 account controller. Enabled by default, set to nil to disable.
2663 description: 'ReconcilerPeriod is the period to perform reconciliation
2664 with the Calico datastore. [Default: 5m]'
2668 description: WorkloadEndpoint enables and configures the workload
2669 endpoint controller. Enabled by default, set to nil to disable.
2672 description: 'ReconcilerPeriod is the period to perform reconciliation
2673 with the Calico datastore. [Default: 5m]'
2677 etcdV3CompactionPeriod:
2678 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2679 compaction requests. Set to 0 to disable. [Default: 10m]'
2682 description: 'HealthChecks enables or disables support for health
2683 checks [Default: Enabled]'
2686 description: 'LogSeverityScreen is the log severity above which logs
2687 are sent to the stdout. [Default: Info]'
2689 prometheusMetricsPort:
2690 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2691 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
2697 description: KubeControllersConfigurationStatus represents the status
2698 of the configuration. It's useful for admins to be able to see the actual
2699 config that was applied, which can be modified by environment variables
2700 on the kube-controllers process.
2703 additionalProperties:
2705 description: EnvironmentVars contains the environment variables on
2706 the kube-controllers that influenced the RunningConfig.
2709 description: RunningConfig contains the effective config that is running
2710 in the kube-controllers pod, after merging the API resource with
2711 any environment variables.
2714 description: Controllers enables and configures individual Kubernetes
2718 description: Namespace enables and configures the namespace
2719 controller. Enabled by default, set to nil to disable.
2722 description: 'ReconcilerPeriod is the period to perform
2723 reconciliation with the Calico datastore. [Default:
2728 description: Node enables and configures the node controller.
2729 Enabled by default, set to nil to disable.
2732 description: HostEndpoint controls syncing nodes to host
2733 endpoints. Disabled by default, set to nil to disable.
2736 description: 'AutoCreate enables automatic creation
2737 of host endpoints for every node. [Default: Disabled]'
2741 description: 'LeakGracePeriod is the period used by the
2742 controller to determine if an IP address has been leaked.
2743 Set to 0 to disable IP garbage collection. [Default:
2747 description: 'ReconcilerPeriod is the period to perform
2748 reconciliation with the Calico datastore. [Default:
2752 description: 'SyncLabels controls whether to copy Kubernetes
2753 node labels to Calico nodes. [Default: Enabled]'
2757 description: Policy enables and configures the policy controller.
2758 Enabled by default, set to nil to disable.
2761 description: 'ReconcilerPeriod is the period to perform
2762 reconciliation with the Calico datastore. [Default:
2767 description: ServiceAccount enables and configures the service
2768 account controller. Enabled by default, set to nil to disable.
2771 description: 'ReconcilerPeriod is the period to perform
2772 reconciliation with the Calico datastore. [Default:
2777 description: WorkloadEndpoint enables and configures the workload
2778 endpoint controller. Enabled by default, set to nil to disable.
2781 description: 'ReconcilerPeriod is the period to perform
2782 reconciliation with the Calico datastore. [Default:
2787 etcdV3CompactionPeriod:
2788 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2789 compaction requests. Set to 0 to disable. [Default: 10m]'
2792 description: 'HealthChecks enables or disables support for health
2793 checks [Default: Enabled]'
2796 description: 'LogSeverityScreen is the log severity above which
2797 logs are sent to the stdout. [Default: Info]'
2799 prometheusMetricsPort:
2800 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2801 metrics server should bind to. Set to 0 to disable. [Default:
2818 apiVersion: apiextensions.k8s.io/v1
2819 kind: CustomResourceDefinition
2821 name: networkpolicies.crd.projectcalico.org
2823 group: crd.projectcalico.org
2826 listKind: NetworkPolicyList
2827 plural: networkpolicies
2828 singular: networkpolicy
2836 description: 'APIVersion defines the versioned schema of this representation
2837 of an object. Servers should convert recognized schemas to the latest
2838 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2841 description: 'Kind is a string value representing the REST resource this
2842 object represents. Servers may infer this from the endpoint the client
2843 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2850 description: The ordered set of egress rules. Each rule contains
2851 a set of packet match criteria and a corresponding action to apply.
2853 description: "A Rule encapsulates a set of match criteria and an
2854 action. Both selector-based security Policy and security Profiles
2855 reference rules - separated out as a list of rules for both ingress
2856 and egress packet matching. \n Each positive match criteria has
2857 a negated version, prefixed with \"Not\". All the match criteria
2858 within a rule must be satisfied for a packet to match. A single
2859 rule can contain the positive and negative version of a match
2860 and both must be satisfied for the rule to match."
2865 description: Destination contains the match criteria that apply
2866 to destination entity.
2869 description: "NamespaceSelector is an optional field that
2870 contains a selector expression. Only traffic that originates
2871 from (or terminates at) endpoints within the selected
2872 namespaces will be matched. When both NamespaceSelector
2873 and another selector are defined on the same rule, then
2874 only workload endpoints that are matched by both selectors
2875 will be selected by the rule. \n For NetworkPolicy, an
2876 empty NamespaceSelector implies that the Selector is limited
2877 to selecting only workload endpoints in the same namespace
2878 as the NetworkPolicy. \n For NetworkPolicy, `global()`
2879 NamespaceSelector implies that the Selector is limited
2880 to selecting only GlobalNetworkSet or HostEndpoint. \n
2881 For GlobalNetworkPolicy, an empty NamespaceSelector implies
2882 the Selector applies to workload endpoints across all
2886 description: Nets is an optional field that restricts the
2887 rule to only apply to traffic that originates from (or
2888 terminates at) IP addresses in any of the given subnets.
2893 description: NotNets is the negated version of the Nets
2899 description: NotPorts is the negated version of the Ports
2900 field. Since only some protocols have ports, if any ports
2901 are specified it requires the Protocol match in the Rule
2902 to be set to "TCP" or "UDP".
2908 x-kubernetes-int-or-string: true
2911 description: NotSelector is the negated version of the Selector
2912 field. See Selector field for subtleties with negated
2916 description: "Ports is an optional field that restricts
2917 the rule to only apply to traffic that has a source (destination)
2918 port that matches one of these ranges/values. This value
2919 is a list of integers or strings that represent ranges
2920 of ports. \n Since only some protocols have ports, if
2921 any ports are specified it requires the Protocol match
2922 in the Rule to be set to \"TCP\" or \"UDP\"."
2928 x-kubernetes-int-or-string: true
2931 description: "Selector is an optional field that contains
2932 a selector expression (see Policy for sample syntax).
2933 \ Only traffic that originates from (terminates at) endpoints
2934 matching the selector will be matched. \n Note that: in
2935 addition to the negated version of the Selector (see NotSelector
2936 below), the selector expression syntax itself supports
2937 negation. The two types of negation are subtly different.
2938 One negates the set of matched endpoints, the other negates
2939 the whole match: \n \tSelector = \"!has(my_label)\" matches
2940 packets that are from other Calico-controlled \tendpoints
2941 that do not have the label \"my_label\". \n \tNotSelector
2942 = \"has(my_label)\" matches packets that are not from
2943 Calico-controlled \tendpoints that do have the label \"my_label\".
2944 \n The effect is that the latter will accept packets from
2945 non-Calico sources whereas the former is limited to packets
2946 from Calico-controlled endpoints."
2949 description: ServiceAccounts is an optional field that restricts
2950 the rule to only apply to traffic that originates from
2951 (or terminates at) a pod running as a matching service
2955 description: Names is an optional field that restricts
2956 the rule to only apply to traffic that originates
2957 from (or terminates at) a pod running as a service
2958 account whose name is in the list.
2963 description: Selector is an optional field that restricts
2964 the rule to only apply to traffic that originates
2965 from (or terminates at) a pod running as a service
2966 account that matches the given label selector. If
2967 both Names and Selector are specified then they are
2972 description: "Services is an optional field that contains
2973 options for matching Kubernetes Services. If specified,
2974 only traffic that originates from or terminates at endpoints
2975 within the selected service(s) will be matched, and only
2976 to/from each endpoint's port. \n Services cannot be specified
2977 on the same rule as Selector, NotSelector, NamespaceSelector,
2978 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2979 can only be specified with Services on ingress rules."
2982 description: Name specifies the name of a Kubernetes
2986 description: Namespace specifies the namespace of the
2987 given Service. If left empty, the rule will match
2988 within this policy's namespace.
2993 description: HTTP contains match criteria that apply to HTTP
2997 description: Methods is an optional field that restricts
2998 the rule to apply only to HTTP requests that use one of
2999 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3000 methods are OR'd together.
3005 description: 'Paths is an optional field that restricts
3006 the rule to apply to HTTP requests that use one of the
3007 listed HTTP Paths. Multiple paths are OR''d together.
3008 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3009 ONLY specify either a `exact` or a `prefix` match. The
3010 validator will check for it.'
3012 description: 'HTTPPath specifies an HTTP path to match.
3013 It may be either of the form: exact: <path>: which matches
3014 the path exactly or prefix: <path-prefix>: which matches
3025 description: ICMP is an optional field that restricts the rule
3026 to apply to a specific type and code of ICMP traffic. This
3027 should only be specified if the Protocol field is set to "ICMP"
3031 description: Match on a specific ICMP code. If specified,
3032 the Type value must also be specified. This is a technical
3033 limitation imposed by the kernel's iptables firewall,
3034 which Calico uses to enforce the rule.
3037 description: Match on a specific ICMP type. For example
3038 a value of 8 refers to ICMP Echo Request (i.e. pings).
3042 description: IPVersion is an optional field that restricts the
3043 rule to only match a specific IP version.
3046 description: Metadata contains additional information for this
3050 additionalProperties:
3052 description: Annotations is a set of key value pairs that
3053 give extra information about the rule
3057 description: NotICMP is the negated version of the ICMP field.
3060 description: Match on a specific ICMP code. If specified,
3061 the Type value must also be specified. This is a technical
3062 limitation imposed by the kernel's iptables firewall,
3063 which Calico uses to enforce the rule.
3066 description: Match on a specific ICMP type. For example
3067 a value of 8 refers to ICMP Echo Request (i.e. pings).
3074 description: NotProtocol is the negated version of the Protocol
3077 x-kubernetes-int-or-string: true
3082 description: "Protocol is an optional field that restricts the
3083 rule to only apply to traffic of a specific IP protocol. Required
3084 if any of the EntityRules contain Ports (because ports only
3085 apply to certain protocols). \n Must be one of these string
3086 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3087 \"UDPLite\" or an integer in the range 1-255."
3089 x-kubernetes-int-or-string: true
3091 description: Source contains the match criteria that apply to
3095 description: "NamespaceSelector is an optional field that
3096 contains a selector expression. Only traffic that originates
3097 from (or terminates at) endpoints within the selected
3098 namespaces will be matched. When both NamespaceSelector
3099 and another selector are defined on the same rule, then
3100 only workload endpoints that are matched by both selectors
3101 will be selected by the rule. \n For NetworkPolicy, an
3102 empty NamespaceSelector implies that the Selector is limited
3103 to selecting only workload endpoints in the same namespace
3104 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3105 NamespaceSelector implies that the Selector is limited
3106 to selecting only GlobalNetworkSet or HostEndpoint. \n
3107 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3108 the Selector applies to workload endpoints across all
3112 description: Nets is an optional field that restricts the
3113 rule to only apply to traffic that originates from (or
3114 terminates at) IP addresses in any of the given subnets.
3119 description: NotNets is the negated version of the Nets
3125 description: NotPorts is the negated version of the Ports
3126 field. Since only some protocols have ports, if any ports
3127 are specified it requires the Protocol match in the Rule
3128 to be set to "TCP" or "UDP".
3134 x-kubernetes-int-or-string: true
3137 description: NotSelector is the negated version of the Selector
3138 field. See Selector field for subtleties with negated
3142 description: "Ports is an optional field that restricts
3143 the rule to only apply to traffic that has a source (destination)
3144 port that matches one of these ranges/values. This value
3145 is a list of integers or strings that represent ranges
3146 of ports. \n Since only some protocols have ports, if
3147 any ports are specified it requires the Protocol match
3148 in the Rule to be set to \"TCP\" or \"UDP\"."
3154 x-kubernetes-int-or-string: true
3157 description: "Selector is an optional field that contains
3158 a selector expression (see Policy for sample syntax).
3159 \ Only traffic that originates from (terminates at) endpoints
3160 matching the selector will be matched. \n Note that: in
3161 addition to the negated version of the Selector (see NotSelector
3162 below), the selector expression syntax itself supports
3163 negation. The two types of negation are subtly different.
3164 One negates the set of matched endpoints, the other negates
3165 the whole match: \n \tSelector = \"!has(my_label)\" matches
3166 packets that are from other Calico-controlled \tendpoints
3167 that do not have the label \"my_label\". \n \tNotSelector
3168 = \"has(my_label)\" matches packets that are not from
3169 Calico-controlled \tendpoints that do have the label \"my_label\".
3170 \n The effect is that the latter will accept packets from
3171 non-Calico sources whereas the former is limited to packets
  from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
  the rule to only apply to traffic that originates from
  (or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account whose name is in the list.
description: Selector is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account that matches the given label selector. If
  both Names and Selector are specified then they are
description: "Services is an optional field that contains
  options for matching Kubernetes Services. If specified,
  only traffic that originates from or terminates at endpoints
  within the selected service(s) will be matched, and only
  to/from each endpoint's port. \n Services cannot be specified
  on the same rule as Selector, NotSelector, NamespaceSelector,
  Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
  can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
  given Service. If left empty, the rule will match
  within this policy's namespace.
description: The ordered set of ingress rules. Each rule contains
  a set of packet match criteria and a corresponding action to apply.
description: "A Rule encapsulates a set of match criteria and an
  action. Both selector-based security Policy and security Profiles
  reference rules - separated out as a list of rules for both ingress
  and egress packet matching. \n Each positive match criteria has
  a negated version, prefixed with \"Not\". All the match criteria
  within a rule must be satisfied for a packet to match. A single
  rule can contain the positive and negative version of a match
  and both must be satisfied for the rule to match."
description: Destination contains the match criteria that apply
  to destination entity.
description: "NamespaceSelector is an optional field that
  contains a selector expression. Only traffic that originates
  from (or terminates at) endpoints within the selected
  namespaces will be matched. When both NamespaceSelector
  and another selector are defined on the same rule, then
  only workload endpoints that are matched by both selectors
  will be selected by the rule. \n For NetworkPolicy, an
  empty NamespaceSelector implies that the Selector is limited
  to selecting only workload endpoints in the same namespace
  as the NetworkPolicy. \n For NetworkPolicy, `global()`
  NamespaceSelector implies that the Selector is limited
  to selecting only GlobalNetworkSet or HostEndpoint. \n
  For GlobalNetworkPolicy, an empty NamespaceSelector implies
  the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
  rule to only apply to traffic that originates from (or
  terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
  field. Since only some protocols have ports, if any ports
  are specified it requires the Protocol match in the Rule
  to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
  field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
  the rule to only apply to traffic that has a source (destination)
  port that matches one of these ranges/values. This value
  is a list of integers or strings that represent ranges
  of ports. \n Since only some protocols have ports, if
  any ports are specified it requires the Protocol match
  in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
  a selector expression (see Policy for sample syntax).
  \ Only traffic that originates from (terminates at) endpoints
  matching the selector will be matched. \n Note that: in
  addition to the negated version of the Selector (see NotSelector
  below), the selector expression syntax itself supports
  negation. The two types of negation are subtly different.
  One negates the set of matched endpoints, the other negates
  the whole match: \n \tSelector = \"!has(my_label)\" matches
  packets that are from other Calico-controlled \tendpoints
  that do not have the label \"my_label\". \n \tNotSelector
  = \"has(my_label)\" matches packets that are not from
  Calico-controlled \tendpoints that do have the label \"my_label\".
  \n The effect is that the latter will accept packets from
  non-Calico sources whereas the former is limited to packets
  from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
  the rule to only apply to traffic that originates from
  (or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account whose name is in the list.
description: Selector is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account that matches the given label selector. If
  both Names and Selector are specified then they are
description: "Services is an optional field that contains
  options for matching Kubernetes Services. If specified,
  only traffic that originates from or terminates at endpoints
  within the selected service(s) will be matched, and only
  to/from each endpoint's port. \n Services cannot be specified
  on the same rule as Selector, NotSelector, NamespaceSelector,
  Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
  can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
  given Service. If left empty, the rule will match
  within this policy's namespace.
description: HTTP contains match criteria that apply to HTTP
description: Methods is an optional field that restricts
  the rule to apply only to HTTP requests that use one of
  the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
  methods are OR'd together.
description: 'Paths is an optional field that restricts
  the rule to apply to HTTP requests that use one of the
  listed HTTP Paths. Multiple paths are OR''d together.
  e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
  ONLY specify either a `exact` or a `prefix` match. The
  validator will check for it.'
description: 'HTTPPath specifies an HTTP path to match.
  It may be either of the form: exact: <path>: which matches
  the path exactly or prefix: <path-prefix>: which matches
description: ICMP is an optional field that restricts the rule
  to apply to a specific type and code of ICMP traffic. This
  should only be specified if the Protocol field is set to "ICMP"
description: Match on a specific ICMP code. If specified,
  the Type value must also be specified. This is a technical
  limitation imposed by the kernel's iptables firewall,
  which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
  a value of 8 refers to ICMP Echo Request (i.e. pings).
description: IPVersion is an optional field that restricts the
  rule to only match a specific IP version.
description: Metadata contains additional information for this
additionalProperties:
description: Annotations is a set of key value pairs that
  give extra information about the rule
description: NotICMP is the negated version of the ICMP field.
description: Match on a specific ICMP code. If specified,
  the Type value must also be specified. This is a technical
  limitation imposed by the kernel's iptables firewall,
  which Calico uses to enforce the rule.
description: Match on a specific ICMP type. For example
  a value of 8 refers to ICMP Echo Request (i.e. pings).
description: NotProtocol is the negated version of the Protocol
x-kubernetes-int-or-string: true
description: "Protocol is an optional field that restricts the
  rule to only apply to traffic of a specific IP protocol. Required
  if any of the EntityRules contain Ports (because ports only
  apply to certain protocols). \n Must be one of these string
  values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
  \"UDPLite\" or an integer in the range 1-255."
x-kubernetes-int-or-string: true
description: Source contains the match criteria that apply to
description: "NamespaceSelector is an optional field that
  contains a selector expression. Only traffic that originates
  from (or terminates at) endpoints within the selected
  namespaces will be matched. When both NamespaceSelector
  and another selector are defined on the same rule, then
  only workload endpoints that are matched by both selectors
  will be selected by the rule. \n For NetworkPolicy, an
  empty NamespaceSelector implies that the Selector is limited
  to selecting only workload endpoints in the same namespace
  as the NetworkPolicy. \n For NetworkPolicy, `global()`
  NamespaceSelector implies that the Selector is limited
  to selecting only GlobalNetworkSet or HostEndpoint. \n
  For GlobalNetworkPolicy, an empty NamespaceSelector implies
  the Selector applies to workload endpoints across all
description: Nets is an optional field that restricts the
  rule to only apply to traffic that originates from (or
  terminates at) IP addresses in any of the given subnets.
description: NotNets is the negated version of the Nets
description: NotPorts is the negated version of the Ports
  field. Since only some protocols have ports, if any ports
  are specified it requires the Protocol match in the Rule
  to be set to "TCP" or "UDP".
x-kubernetes-int-or-string: true
description: NotSelector is the negated version of the Selector
  field. See Selector field for subtleties with negated
description: "Ports is an optional field that restricts
  the rule to only apply to traffic that has a source (destination)
  port that matches one of these ranges/values. This value
  is a list of integers or strings that represent ranges
  of ports. \n Since only some protocols have ports, if
  any ports are specified it requires the Protocol match
  in the Rule to be set to \"TCP\" or \"UDP\"."
x-kubernetes-int-or-string: true
description: "Selector is an optional field that contains
  a selector expression (see Policy for sample syntax).
  \ Only traffic that originates from (terminates at) endpoints
  matching the selector will be matched. \n Note that: in
  addition to the negated version of the Selector (see NotSelector
  below), the selector expression syntax itself supports
  negation. The two types of negation are subtly different.
  One negates the set of matched endpoints, the other negates
  the whole match: \n \tSelector = \"!has(my_label)\" matches
  packets that are from other Calico-controlled \tendpoints
  that do not have the label \"my_label\". \n \tNotSelector
  = \"has(my_label)\" matches packets that are not from
  Calico-controlled \tendpoints that do have the label \"my_label\".
  \n The effect is that the latter will accept packets from
  non-Calico sources whereas the former is limited to packets
  from Calico-controlled endpoints."
description: ServiceAccounts is an optional field that restricts
  the rule to only apply to traffic that originates from
  (or terminates at) a pod running as a matching service
description: Names is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account whose name is in the list.
description: Selector is an optional field that restricts
  the rule to only apply to traffic that originates
  from (or terminates at) a pod running as a service
  account that matches the given label selector. If
  both Names and Selector are specified then they are
description: "Services is an optional field that contains
  options for matching Kubernetes Services. If specified,
  only traffic that originates from or terminates at endpoints
  within the selected service(s) will be matched, and only
  to/from each endpoint's port. \n Services cannot be specified
  on the same rule as Selector, NotSelector, NamespaceSelector,
  Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
  can only be specified with Services on ingress rules."
description: Name specifies the name of a Kubernetes
description: Namespace specifies the namespace of the
  given Service. If left empty, the rule will match
  within this policy's namespace.
description: Order is an optional field that specifies the order in
  which the policy is applied. Policies with higher "order" are applied
  after those with lower order. If the order is omitted, it may be
  considered to be "infinite" - i.e. the policy will be applied last. Policies
  with identical order will be applied in alphanumerical order based
  on the Policy "Name".
description: "The selector is an expression used to pick out
  the endpoints that the policy should be applied to. \n Selector
  expressions follow this syntax: \n \tlabel == \"string_literal\"
  \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
  \ -> not equal; also matches if label is not present \tlabel in
  { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
  ... } -> true if the value of label X is not one of \"a\", \"b\",
  \"c\" \thas(label_name) -> True if that label is present \t! expr
  -> negation of expr \texpr && expr -> Short-circuit and \texpr
  || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
  or the empty selector -> matches all endpoints. \n Label names are
  allowed to contain alphanumerics, -, _ and /. String literals are
  more permissive but they do not support escape characters. \n Examples
  (with made-up labels): \n \ttype == \"webserver\" && deployment
  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
  \"dev\" \t! has(label_name)"
serviceAccountSelector:
description: ServiceAccountSelector is an optional field for an expression
  used to select a pod based on service accounts.
description: "Types indicates whether this policy applies to ingress,
  or to egress, or to both. When not explicitly specified (and so
  the value on creation is empty or nil), Calico defaults Types according
  to what Ingress and Egress are present in the policy. The default
  is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
  the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
  ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
  PolicyTypeEgress ], if there are both Ingress and Egress rules.
  \n When the policy is read back again, Types will always be one
  of these values, never empty or nil."
description: PolicyType enumerates the possible values of the PolicySpec
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: networksets.crd.projectcalico.org
group: crd.projectcalico.org
listKind: NetworkSetList
singular: networkset
description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
description: 'APIVersion defines the versioned schema of this representation
  of an object. Servers should convert recognized schemas to the latest
  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'Kind is a string value representing the REST resource this
  object represents. Servers may infer this from the endpoint the client
  submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: NetworkSetSpec contains the specification for a NetworkSet
description: The list of IP networks that belong to this set.
kind: ServiceAccount
name: calico-kube-controllers
namespace: kube-system
kind: ServiceAccount
namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
name: calico-kube-controllers
- crd.projectcalico.org
- crd.projectcalico.org
- crd.projectcalico.org
- crd.projectcalico.org
- clusterinformations
- crd.projectcalico.org
- kubecontrollersconfigurations
apiVersion: rbac.authorization.k8s.io/v1
- crd.projectcalico.org
- globalfelixconfigs
- felixconfigurations
- globalnetworkpolicies
- clusterinformations
- caliconodestatuses
- crd.projectcalico.org
- felixconfigurations
- clusterinformations
- crd.projectcalico.org
- caliconodestatuses
- crd.projectcalico.org
- crd.projectcalico.org
- crd.projectcalico.org
- crd.projectcalico.org
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
name: calico-kube-controllers
apiGroup: rbac.authorization.k8s.io
name: calico-kube-controllers
- kind: ServiceAccount
  name: calico-kube-controllers
  namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
  namespace: kube-system
calico_backend: bird
cni_network_config: |-
  "name": "k8s-pod-network",
  "cniVersion": "0.3.1",
  "log_level": "info",
  "log_file_path": "/var/log/calico/cni/cni.log",
  "datastore_type": "kubernetes",
  "nodename": "__KUBERNETES_NODE_NAME__",
  "type": "calico-ipam"
  "kubeconfig": "__KUBECONFIG_FILEPATH__"
  "capabilities": {"portMappings": true}
  "type": "bandwidth",
  "capabilities": {"bandwidth": true}
typha_service_name: none
namespace: kube-system
k8s-app: calico-kube-controllers
name: calico-kube-controllers
namespace: kube-system
k8s-app: calico-kube-controllers
k8s-app: calico-kube-controllers
name: calico-kube-controllers
namespace: kube-system
- name: ENABLED_CONTROLLERS
- name: DATASTORE_TYPE
image: docker.io/calico/kube-controllers:v3.22.0
- /usr/bin/check-status
initialDelaySeconds: 10
name: calico-kube-controllers
- /usr/bin/check-status
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: calico-kube-controllers
- key: CriticalAddonsOnly
- effect: NoSchedule
  key: node-role.kubernetes.io/master
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
k8s-app: calico-kube-controllers
name: calico-kube-controllers
namespace: kube-system
k8s-app: calico-kube-controllers
k8s-app: calico-node
namespace: kube-system
k8s-app: calico-node
k8s-app: calico-node
- name: IP_AUTODETECTION_METHOD
  value: can-reach=www.google.com
- name: DATASTORE_TYPE
- name: WAIT_FOR_DATASTORE
fieldPath: spec.nodeName
- name: CALICO_NETWORKING_BACKEND
- name: CLUSTER_TYPE
- name: CALICO_IPV4POOL_IPIP
- name: CALICO_IPV4POOL_VXLAN
- name: FELIX_IPINIPMTU
- name: FELIX_VXLANMTU
- name: FELIX_WIREGUARDMTU
- name: CALICO_DISABLE_FILE_LOGGING
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
- name: FELIX_IPV6SUPPORT
- name: FELIX_HEALTHENABLED
name: kubernetes-services-endpoint
image: docker.io/calico/node:v3.22.0
initialDelaySeconds: 10
- mountPath: /host/etc/cni/net.d
- mountPath: /lib/modules
- mountPath: /run/xtables.lock
- mountPath: /var/run/calico
  name: var-run-calico
- mountPath: /var/lib/calico
  name: var-lib-calico
- mountPath: /var/run/nodeagent
- mountPath: /sys/fs/
  mountPropagation: Bidirectional
- mountPath: /var/log/calico/cni
- /opt/cni/bin/calico-ipam
- name: KUBERNETES_NODE_NAME
fieldPath: spec.nodeName
- name: CALICO_NETWORKING_BACKEND
name: kubernetes-services-endpoint
image: docker.io/calico/cni:v3.22.0
- mountPath: /var/lib/cni/networks
  name: host-local-net-dir
- mountPath: /host/opt/cni/bin
- /opt/cni/bin/install
- name: CNI_CONF_NAME
  value: 10-calico.conflist
- name: CNI_NETWORK_CONFIG
key: cni_network_config
- name: KUBERNETES_NODE_NAME
fieldPath: spec.nodeName
name: kubernetes-services-endpoint
image: docker.io/calico/cni:v3.22.0
- mountPath: /host/opt/cni/bin
- mountPath: /host/etc/cni/net.d
- image: docker.io/calico/pod2daemon-flexvol:v3.22.0
  name: flexvol-driver
- mountPath: /host/driver
  name: flexvol-driver-host
kubernetes.io/os: linux
priorityClassName: system-node-critical
serviceAccountName: calico-node
terminationGracePeriodSeconds: 0
- effect: NoSchedule
- key: CriticalAddonsOnly
path: /var/run/calico
name: var-run-calico
path: /var/lib/calico
name: var-lib-calico
path: /run/xtables.lock
type: DirectoryOrCreate
path: /etc/cni/net.d
path: /var/log/calico/cni
path: /var/lib/cni/networks
name: host-local-net-dir
path: /var/run/nodeagent
type: DirectoryOrCreate
path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
type: DirectoryOrCreate
name: flexvol-driver-host
creationTimestamp: null
name: {{ .Values.clusterName }}-calico-addon