2 # Source: calico/templates/calico-config.yaml
3 # This ConfigMap is used to configure a self-hosted Calico installation.
11 typha_service_name: "none"
12 # Configure the backend to use.
13 calico_backend: "bird"
15 # Configure the MTU to use for workload interfaces and tunnels.
16 # By default, MTU is auto-detected, and explicitly setting this field should not be required.
17 # You can override auto-detection by providing a non-zero value.
20 # The CNI network configuration to install on each node. The special
21 # values in this config will be automatically populated.
22 cni_network_config: |-
24 "name": "k8s-pod-network",
25 "cniVersion": "0.3.1",
30 "log_file_path": "/var/log/calico/cni/cni.log",
31 "datastore_type": "kubernetes",
32 "nodename": "__KUBERNETES_NODE_NAME__",
41 "kubeconfig": "__KUBECONFIG_FILEPATH__"
47 "capabilities": {"portMappings": true}
51 "capabilities": {"bandwidth": true}
57 # Source: calico/templates/kdd-crds.yaml
59 apiVersion: apiextensions.k8s.io/v1
60 kind: CustomResourceDefinition
62 name: bgpconfigurations.crd.projectcalico.org
64 group: crd.projectcalico.org
66 kind: BGPConfiguration
67 listKind: BGPConfigurationList
68 plural: bgpconfigurations
69 singular: bgpconfiguration
75 description: BGPConfiguration contains the configuration for any BGP routing.
78 description: 'APIVersion defines the versioned schema of this representation
79 of an object. Servers should convert recognized schemas to the latest
80 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
83 description: 'Kind is a string value representing the REST resource this
84 object represents. Servers may infer this from the endpoint the client
85 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
90 description: BGPConfigurationSpec contains the values of the BGP configuration.
93 description: 'ASNumber is the default AS number used by a node. [Default:
98 description: Communities is a list of BGP community values and their
99 arbitrary names for tagging routes.
101 description: Community contains standard or large community value
105 description: Name given to community value.
108 description: Value must be of format `aa:nn` or `aa:nn:mm`.
109 For a standard community use the `aa:nn` format, where `aa` and
110 `nn` are 16-bit numbers. For a large community use the `aa:nn:mm`
111 format, where `aa`, `nn` and `mm` are 32-bit numbers. Here
112 `aa` is an AS number and `nn` and `mm` are per-AS identifiers.
113 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
118 description: ListenPort is the port where BGP protocol should listen.
124 description: 'LogSeverityScreen is the log severity above which logs
125 are sent to the stdout. [Default: INFO]'
127 nodeToNodeMeshEnabled:
128 description: 'NodeToNodeMeshEnabled sets whether full node to node
129 BGP mesh is enabled. [Default: true]'
131 prefixAdvertisements:
132 description: PrefixAdvertisements contains per-prefix advertisement
135 description: PrefixAdvertisement configures advertisement properties
136 for the specified CIDR.
139 description: CIDR for which properties should be advertised.
142 description: Communities can be a list of either community names
143 already defined in `Specs.Communities` or community values
144 of format `aa:nn` or `aa:nn:mm`. For a standard community use the
145 `aa:nn` format, where `aa` and `nn` are 16-bit numbers. For a
146 large community use the `aa:nn:mm` format, where `aa`, `nn` and
147 `mm` are 32-bit numbers. Here `aa` is an AS number and `nn` and
148 `mm` are per-AS identifiers.
155 description: ServiceClusterIPs are the CIDR blocks from which service
156 cluster IPs are allocated. If specified, Calico will advertise these
157 blocks, as well as any cluster IPs within them.
159 description: ServiceClusterIPBlock represents a single allowed ClusterIP
167 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
168 Service External IPs. Kubernetes Service ExternalIPs will only be
169 advertised if they are within one of these blocks.
171 description: ServiceExternalIPBlock represents a single allowed
172 External IP CIDR block.
178 serviceLoadBalancerIPs:
179 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
180 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
181 IPs will only be advertised if they are within one of these blocks.
183 description: ServiceLoadBalancerIPBlock represents a single allowed
184 LoadBalancer IP CIDR block.
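The CRD pattern above only checks that a community value is digit groups separated by colons; the 16-bit and 32-bit bounds stated in the description, and the rule that a prefixAdvertisements community must be either a defined name or a valid value, are not enforced by the schema. As an added example (not part of the Calico manifest), a Python check that validates a BGPConfiguration spec against both rules; the spec is a plain dict and the sample spec is constructed.

```python
import re

# Same pattern as the CRD; the bound checks below add what the schema
# cannot express: 16-bit parts for aa:nn, 32-bit parts for aa:nn:mm.
COMMUNITY_RE = re.compile(r"^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$")


def validate_community(value):
    """Return (ok, reason) for a BGP community value string."""
    if not COMMUNITY_RE.match(value):
        return False, "does not match aa:nn or aa:nn:mm"
    parts = [int(p) for p in value.split(":")]
    limit = 0xFFFF if len(parts) == 2 else 0xFFFFFFFF
    for name, part in zip(("aa", "nn", "mm"), parts):
        if part > limit:
            return False, f"{name}={part} exceeds {limit}"
    return True, "ok"


def validate_bgp_spec(spec):
    """Check spec.communities and every community reference in
    spec.prefixAdvertisements; return a list of error strings."""
    errors = []
    defined = set()
    for comm in spec.get("communities", []):
        defined.add(comm["name"])
        ok, reason = validate_community(comm["value"])
        if not ok:
            errors.append(f"community {comm['name']}: {reason}")
    for adv in spec.get("prefixAdvertisements", []):
        for ref in adv.get("communities", []):
            if ref in defined:
                continue  # reference by name from spec.communities
            ok, reason = validate_community(ref)
            if not ok:
                errors.append(f"prefix {adv['cidr']}: {ref!r} is neither a "
                              f"defined community name nor a valid value ({reason})")
    return errors


# Constructed sample spec (not from the manifest): one valid large community,
# one standard community whose AS part overflows 16 bits, one dangling name.
SAMPLE_BGP_SPEC = {
    "communities": [
        {"name": "prefix-large", "value": "64512:100:1"},
        {"name": "prefix-bad", "value": "65536:1"},
    ],
    "prefixAdvertisements": [
        {"cidr": "10.10.0.0/16", "communities": ["prefix-large", "64512:200"]},
        {"cidr": "10.20.0.0/16", "communities": ["prefix-undefined"]},
    ],
}

if __name__ == "__main__":
    for err in validate_bgp_spec(SAMPLE_BGP_SPEC):
        print(err)
```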
202 apiVersion: apiextensions.k8s.io/v1
203 kind: CustomResourceDefinition
205 name: bgppeers.crd.projectcalico.org
207 group: crd.projectcalico.org
210 listKind: BGPPeerList
220 description: 'APIVersion defines the versioned schema of this representation
221 of an object. Servers should convert recognized schemas to the latest
222 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
225 description: 'Kind is a string value representing the REST resource this
226 object represents. Servers may infer this from the endpoint the client
227 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
232 description: BGPPeerSpec contains the specification for a BGPPeer resource.
235 description: The AS Number of the peer.
239 description: Option to keep the original nexthop field when routes
240 are sent to a BGP Peer. Setting "true" configures the selected BGP
241 Peer's node to use "next hop keep;" instead of the default "next hop self;"
242 in that peer's section of the node's "bird.cfg".
245 description: The node name identifying the Calico node instance that
246 is targeted by this peer. If this is not set, and no nodeSelector
247 is specified, then this BGP peer selects all nodes in the cluster.
250 description: Selector for the nodes that should have this peering. When
251 this is set, the Node field must be empty.
254 description: Optional BGP password for the peerings generated by this
258 description: Selects a key of a secret in the node pod's namespace.
261 description: The key of the secret to select from. Must be
265 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
266 TODO: Add other useful fields. apiVersion, kind, uid?'
269 description: Specify whether the Secret or its key must be
277 description: The IP address of the peer followed by an optional port
278 number to peer with. If a port number is given, the format should be `[<IPv6>]:port`
279 or `<IPv4>:<port>` for IPv4. If the optional port number is not set,
280 and this peer IP and ASNumber belong to a calico/node with ListenPort
281 set in BGPConfiguration, then we use that port to peer.
284 description: Selector for the remote nodes to peer with. When this
285 is set, the PeerIP and ASNumber fields must be empty. For each
286 peering between the local node and selected remote nodes, we configure
287 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
288 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
289 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
290 or the global default if that is not set.
293 description: Specifies whether and how to configure a source address
294 for the peerings generated by this BGPPeer resource. Default value
295 "UseNodeIP" means to configure the node IP as the source address. "None"
296 means not to configure a source address.
310 apiVersion: apiextensions.k8s.io/v1
311 kind: CustomResourceDefinition
313 name: blockaffinities.crd.projectcalico.org
315 group: crd.projectcalico.org
318 listKind: BlockAffinityList
319 plural: blockaffinities
320 singular: blockaffinity
328 description: 'APIVersion defines the versioned schema of this representation
329 of an object. Servers should convert recognized schemas to the latest
330 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
333 description: 'Kind is a string value representing the REST resource this
334 object represents. Servers may infer this from the endpoint the client
335 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
340 description: BlockAffinitySpec contains the specification for a BlockAffinity
346 description: Deleted indicates that this block affinity is being deleted.
347 This field is a string for compatibility with older releases that
348 mistakenly treat this field as a string.
371 apiVersion: apiextensions.k8s.io/v1
372 kind: CustomResourceDefinition
374 name: clusterinformations.crd.projectcalico.org
376 group: crd.projectcalico.org
378 kind: ClusterInformation
379 listKind: ClusterInformationList
380 plural: clusterinformations
381 singular: clusterinformation
387 description: ClusterInformation contains the cluster specific information.
390 description: 'APIVersion defines the versioned schema of this representation
391 of an object. Servers should convert recognized schemas to the latest
392 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
395 description: 'Kind is a string value representing the REST resource this
396 object represents. Servers may infer this from the endpoint the client
397 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
402 description: ClusterInformationSpec contains the values of describing
406 description: CalicoVersion is the version of Calico that the cluster
410 description: ClusterGUID is the GUID of the cluster
413 description: ClusterType describes the type of the cluster
416 description: DatastoreReady is used during significant datastore migrations
417 to signal to components such as Felix that they should wait before
418 accessing the datastore.
421 description: Variant declares which variant of Calico should be active.
435 apiVersion: apiextensions.k8s.io/v1
436 kind: CustomResourceDefinition
438 name: felixconfigurations.crd.projectcalico.org
440 group: crd.projectcalico.org
442 kind: FelixConfiguration
443 listKind: FelixConfigurationList
444 plural: felixconfigurations
445 singular: felixconfiguration
451 description: Felix Configuration contains the configuration for Felix.
454 description: 'APIVersion defines the versioned schema of this representation
455 of an object. Servers should convert recognized schemas to the latest
456 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
459 description: 'Kind is a string value representing the REST resource this
460 object represents. Servers may infer this from the endpoint the client
461 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
466 description: FelixConfigurationSpec contains the values of the Felix configuration.
468 allowIPIPPacketsFromWorkloads:
469 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
470 will add a rule to drop IPIP encapsulated traffic from workloads
473 allowVXLANPacketsFromWorkloads:
474 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
475 will add a rule to drop VXLAN encapsulated traffic from workloads
479 description: 'Set source-destination-check on AWS EC2 instances. Accepted
480 value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
487 bpfConnectTimeLoadBalancingEnabled:
488 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
489 controls whether Felix installs the connection-time load balancer. The
490 connect-time load balancer is required for the host to be able to
491 reach Kubernetes services and it improves the performance of pod-to-service
492 connections. The only reason to disable it is for debugging purposes. [Default:
496 description: BPFDataIfacePattern is a regular expression that controls
497 which interfaces Felix should attach BPF programs to in order to
498 catch traffic to/from the network. This needs to match the interfaces
499 that Calico workload traffic flows over as well as any interfaces
500 that handle incoming traffic to nodeports and services from outside
501 the cluster. It should not match the workload interfaces (usually
504 bpfDisableUnprivileged:
505 description: 'BPFDisableUnprivileged, if enabled, makes Felix set the kernel.unprivileged_bpf_disabled
506 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
507 users cannot access Calico''s BPF maps and cannot insert their own
508 BPF programs to interfere with Calico''s. [Default: true]'
511 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
514 bpfExtToServiceConnmark:
515 description: 'BPFExtToServiceConnmark in BPF mode, controls a 32-bit
516 mark that is set on connections from an external client to a local
517 service. This mark allows us to control how packets of that connection
518 are routed within the host and how routing is interpreted by RPF
521 bpfExternalServiceMode:
522 description: 'BPFExternalServiceMode in BPF mode, controls how connections
523 from outside the cluster to services (node ports and cluster IPs)
524 are forwarded to remote workloads. If set to "Tunnel" then both
525 request and response traffic is tunneled to the remote node. If
526 set to "DSR", the request traffic is tunneled but the response traffic
527 is sent directly from the remote node. In "DSR" mode, the remote
528 node appears to use the IP of the ingress node; this requires a
529 permissive L2 network. [Default: Tunnel]'
531 bpfKubeProxyEndpointSlicesEnabled:
532 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
533 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
535 bpfKubeProxyIptablesCleanupEnabled:
536 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
537 mode, makes Felix proactively clean up the upstream Kubernetes kube-proxy''s
538 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
541 bpfKubeProxyMinSyncPeriod:
542 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
543 minimum time between updates to the dataplane for Felix''s embedded
544 kube-proxy. Lower values give reduced set-up latency. Higher values
545 reduce Felix CPU usage by batching up more work. [Default: 1s]'
548 description: 'BPFLogLevel controls the log level of the BPF programs
549 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
550 logs are emitted to the BPF trace pipe, accessible with the command
551 `tc exec bpf debug`. [Default: Off].'
554 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
555 top-level iptables chains by inserting a rule at the top of the
556 chain or by appending a rule at the bottom. insert is the safe default
557 since it prevents Calico''s rules from being bypassed. If you switch
558 to append mode, be sure that the other rules in the chains signal
559 acceptance by falling through to the Calico rules, otherwise the
560 Calico policy will be bypassed. [Default: insert]'
564 debugDisableLogDropping:
566 debugMemoryProfilePath:
568 debugSimulateCalcGraphHangAfter:
570 debugSimulateDataplaneHangAfter:
572 defaultEndpointToHostAction:
573 description: 'DefaultEndpointToHostAction controls what happens to
574 traffic that goes from a workload endpoint to the host itself (after
575 the traffic hits the endpoint egress policy). By default Calico
576 blocks traffic from workload endpoints to the host itself with an
577 iptables "DROP" action. If you want to allow some or all traffic
578 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
579 RETURN if you have your own rules in the iptables "INPUT" chain;
580 Calico will insert its rules at the top of that chain, then "RETURN"
581 packets to the "INPUT" chain once it has completed processing workload
582 endpoint egress policy. Use ACCEPT to unconditionally accept packets
583 from workloads after processing workload endpoint egress policy.
587 description: This defines the route protocol added to programmed device
588 routes; when left blank, RTPROT_BOOT is used by default.
590 deviceRouteSourceAddress:
591 description: This is the source address to use on programmed device
592 routes. By default the source address is left blank, leaving the
593 kernel to choose the source address used.
595 disableConntrackInvalidCheck:
597 endpointReportingDelay:
599 endpointReportingEnabled:
602 description: ExternalNodesCIDRList is a list of CIDRs of external non-Calico nodes
603 which may source tunnel traffic and have the tunneled traffic be
604 accepted at Calico nodes.
608 failsafeInboundHostPorts:
609 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
610 and CIDRs that Felix will allow incoming traffic to host endpoints
611 on irrespective of the security policy. This is useful to avoid
612 accidentally cutting off a host with incorrect configuration. For
613 back-compatibility, if the protocol is not specified, it defaults
614 to "tcp". If a CIDR is not specified, it will allow traffic from
615 all addresses. To disable all inbound host ports, use the value
616 none. The default value allows ssh access and DHCP. [Default: tcp:22,
617 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
619 description: ProtoPort is a combination of protocol, port, and CIDR.
620 Protocol and port must be specified.
633 failsafeOutboundHostPorts:
634 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
635 and CIDRs that Felix will allow outgoing traffic from host endpoints
636 to irrespective of the security policy. This is useful to avoid
637 accidentally cutting off a host with incorrect configuration. For
638 back-compatibility, if the protocol is not specified, it defaults
639 to "tcp". If a CIDR is not specified, it will allow traffic from
640 all addresses. To disable all outbound host ports, use the value
641 none. The default value opens etcd''s standard ports to ensure that
642 Felix does not get cut off from etcd as well as allowing DHCP and
643 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
644 tcp:6667, udp:53, udp:67]'
646 description: ProtoPort is a combination of protocol, port, and CIDR.
647 Protocol and port must be specified.
660 featureDetectOverride:
661 description: FeatureDetectOverride is used to override the feature
662 detection. Values are specified in a comma-separated list with no
663 spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
664 "true" or "false" will force the feature, empty or omitted values
668 description: 'GenericXDPEnabled enables Generic XDP so network cards
669 that don''t support XDP offload or driver modes can use XDP. This
670 is not recommended since it doesn''t provide better performance
671 than iptables. [Default: false]'
680 description: 'InterfaceExclude is a comma-separated list of interfaces
681 that Felix should exclude when monitoring for host endpoints. The
682 default value ensures that Felix ignores Kubernetes'' IPVS dummy
683 interface, which is used internally by kube-proxy. If you want to
684 exclude multiple interface names using a single value, the list
685 supports regular expressions. For regular expressions you must wrap
686 the value with ''/''. For example having values ''/^kube/,veth1''
687 will exclude all interfaces that begin with ''kube'' and also the
688 interface ''veth1''. [Default: kube-ipvs0]'
691 description: 'InterfacePrefix is the interface name prefix that identifies
692 workload endpoints and so distinguishes them from host endpoint
693 interfaces. Note: in environments other than bare metal, the orchestrators
694 configure this appropriately. For example our Kubernetes and Docker
695 integrations set the ''cali'' value, and our OpenStack integration
696 sets the ''tap'' value. [Default: cali]'
698 interfaceRefreshInterval:
699 description: InterfaceRefreshInterval is the period at which Felix
700 rescans local interfaces to verify their state. The rescan can be
701 disabled by setting the interval to 0.
706 description: 'IPIPMTU is the MTU to set on the tunnel device. See
707 Configuring MTU [Default: 1440]'
709 ipsetsRefreshInterval:
710 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
711 all iptables state to ensure that no other process has accidentally
712 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
716 description: IptablesBackend specifies which backend of iptables will
717 be used. The default is legacy.
719 iptablesFilterAllowAction:
721 iptablesLockFilePath:
722 description: 'IptablesLockFilePath is the location of the iptables
723 lock file. You may need to change this if the lock file is not in
724 its standard location (for example if you have mapped it into Felix''s
725 container at a different path). [Default: /run/xtables.lock]'
727 iptablesLockProbeInterval:
728 description: 'IptablesLockProbeInterval is the time that Felix will
729 wait between attempts to acquire the iptables lock if it is not
730 available. Lower values make Felix more responsive when the lock
731 is contended, but use more CPU. [Default: 50ms]'
734 description: 'IptablesLockTimeout is the time that Felix will wait
735 for the iptables lock, or 0 to disable. To use this feature, Felix
736 must share the iptables lock file with all other processes that
737 also take the lock. When running Felix inside a container, this
738 requires the /run directory of the host to be mounted into the calico/node
739 or calico/felix container. [Default: 0s disabled]'
741 iptablesMangleAllowAction:
744 description: 'IptablesMarkMask is the mask that Felix selects its
745 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
746 at least 8 bits set, none of which clash with any other mark bits
747 in use on the system. [Default: 0xff000000]'
750 iptablesNATOutgoingInterfaceFilter:
752 iptablesPostWriteCheckInterval:
753 description: 'IptablesPostWriteCheckInterval is the delay after Felix
754 has written to the dataplane before it schedules an extra read-back
755 to check that the write was not clobbered by another process.
756 This should only occur if another application on the system doesn''t
757 respect the iptables lock. [Default: 1s]'
759 iptablesRefreshInterval:
760 description: 'IptablesRefreshInterval is the period at which Felix
761 re-checks the IP sets in the dataplane to ensure that no other process
762 has accidentally broken Calico''s rules. Set to 0 to disable IP
763 sets refresh. Note: the default for this value is lower than the
764 other refresh intervals as a workaround for a Linux kernel bug that
765 was fixed in kernel version 4.11. If you are using v4.11 or greater
766 you may want to set this to a higher value to reduce Felix CPU
767 usage. [Default: 10s]'
772 description: 'KubeNodePortRanges holds a list of port ranges used for
773 service node ports. Only used if Felix detects kube-proxy running
774 in ipvs mode. Felix uses these ranges to separate host and workload
775 traffic. [Default: 30000:32767].'
781 x-kubernetes-int-or-string: true
784 description: 'LogFilePath is the full path to the Felix log. Set to
785 none to disable file logging. [Default: /var/log/calico/felix.log]'
788 description: 'LogPrefix is the log prefix that Felix uses when rendering
789 LOG rules. [Default: calico-packet]'
792 description: 'LogSeverityFile is the log severity above which logs
793 are sent to the log file. [Default: Info]'
796 description: 'LogSeverityScreen is the log severity above which logs
797 are sent to the stdout. [Default: Info]'
800 description: 'LogSeveritySys is the log severity above which logs
801 are sent to the syslog. Set to None for no logging to syslog. [Default:
807 description: 'MetadataAddr is the IP address or domain name of the
808 server that can answer VM queries for cloud-init metadata. In OpenStack,
809 this corresponds to the machine running nova-api (or in Ubuntu,
810 nova-api-metadata). A value of none (case insensitive) means that
811 Felix should not set up any NAT rule for the metadata path. [Default:
815 description: 'MetadataPort is the port of the metadata server. This,
816 combined with global.MetadataAddr (if not ''None''), is used to
817 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
818 In most cases this should not need to be changed. [Default: 8775]'
821 description: MTUIfacePattern is a regular expression that controls
822 which interfaces Felix should scan in order to calculate the host's
823 MTU. This should not match workload interfaces (usually named cali...).
826 description: NATOutgoingAddress specifies an address to use when performing
827 source NAT for traffic in a natOutgoing pool that is leaving the
828 network. By default the address used is an address on the interface
829 the traffic is leaving on (i.e. it uses the iptables MASQUERADE target)
835 description: NATPortRange specifies the range of ports that is used
836 for port mapping when doing outgoing NAT. When unset the default
837 behavior of the network stack is used.
839 x-kubernetes-int-or-string: true
843 description: 'OpenstackRegion is the name of the region that a particular
844 Felix belongs to. In a multi-region Calico/OpenStack deployment,
845 this must be configured somehow for each Felix (here in the datamodel,
846 or in felix.cfg or the environment on each compute node), and must
847 match the [calico] openstack_region value configured in neutron.conf
848 on each node. [Default: Empty]'
850 policySyncPathPrefix:
851 description: 'PolicySyncPathPrefix is used by Felix to communicate
852 policy changes to external services, like Application layer policy.
855 prometheusGoMetricsEnabled:
856 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
857 collection, which the Prometheus client does by default, when set
858 to false. This reduces the number of metrics reported, reducing
859 Prometheus load. [Default: true]'
861 prometheusMetricsEnabled:
862 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
863 server in Felix if set to true. [Default: false]'
865 prometheusMetricsHost:
866 description: 'PrometheusMetricsHost is the host that the Prometheus
867 metrics server should bind to. [Default: empty]'
869 prometheusMetricsPort:
870 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
871 metrics server should bind to. [Default: 9091]'
873 prometheusProcessMetricsEnabled:
874 description: 'PrometheusProcessMetricsEnabled disables process metrics
875 collection, which the Prometheus client does by default, when set
876 to false. This reduces the number of metrics reported, reducing
877 Prometheus load. [Default: true]'
879 removeExternalRoutes:
880 description: Whether or not to remove device routes that have not
881 been programmed by Felix. Disabling this will allow external applications
882 to also add device routes. This is enabled by default which means
883 we will remove externally added routes.
886 description: 'ReportingInterval is the interval at which Felix reports
887 its status into the datastore or 0 to disable. Must be non-zero
888 in OpenStack deployments. [Default: 30s]'
891 description: 'ReportingTTL is the time-to-live setting for process-wide
892 status reports. [Default: 90s]'
894 routeRefreshInterval:
895 description: 'RouteRefreshInterval is the period at which Felix re-checks
896 the routes in the dataplane to ensure that no other process has
897 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
901 description: 'RouteSource configures where Felix gets its routing
902 information. - WorkloadIPs: use workload endpoints to construct
903 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
906 description: Calico programs additional Linux route tables for various
907 purposes. RouteTableRange specifies the indices of the route tables
908 that Calico should use.
918 serviceLoopPrevention:
919 description: 'When service IP advertisement is enabled, prevent routing
920 loops to service IPs that are not in use, by dropping or rejecting
921 packets that do not get DNAT''d by kube-proxy, unless set to "Disabled",
922 in which case such routing loops continue to be allowed. [Default:
925 sidecarAccelerationEnabled:
926 description: 'SidecarAccelerationEnabled enables experimental sidecar
927 acceleration [Default: false]'
929 usageReportingEnabled:
930 description: 'UsageReportingEnabled reports anonymous Calico version
931 number and cluster size to projectcalico.org. It logs warnings returned
932 by the usage server, for example if a significant security vulnerability
933 has been discovered in the version of Calico being used. [Default:
936 usageReportingInitialDelay:
937 description: 'UsageReportingInitialDelay controls the minimum delay
938 before Felix makes a report. [Default: 300s]'
940 usageReportingInterval:
941 description: 'UsageReportingInterval controls the interval at which
942 Felix makes reports. [Default: 86400s]'
944 useInternalDataplaneDriver:
949 description: 'VXLANMTU is the MTU to set on the tunnel device. See
950 Configuring MTU [Default: 1440]'
957 description: 'WireguardEnabled controls whether Wireguard is enabled.
960 wireguardInterfaceName:
961 description: 'WireguardInterfaceName specifies the name to use for
962 the Wireguard interface. [Default: wg.calico]'
964 wireguardListeningPort:
965 description: 'WireguardListeningPort controls the listening port used
966 by Wireguard. [Default: 51820]'
969 description: 'WireguardMTU controls the MTU on the Wireguard interface.
970 See Configuring MTU [Default: 1420]'
972 wireguardRoutingRulePriority:
973 description: 'WireguardRoutingRulePriority controls the priority value
974 to use for the Wireguard routing rule. [Default: 99]'
977 description: 'XDPEnabled enables XDP acceleration for suitable untracked
978 incoming deny rules. [Default: true]'
981 description: 'XDPRefreshInterval is the period at which Felix re-checks
982 all XDP state to ensure that no other process has accidentally broken
983 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
984 refresh. [Default: 90s]'
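Several FelixConfiguration fields described above decide whether Calico policy can be bypassed or how much of the host stays reachable regardless of policy: chainInsertMode, bpfDisableUnprivileged, defaultEndpointToHostAction, the allow*PacketsFromWorkloads flags and the failsafe host port lists. As an added example (not part of the Calico manifest or project), a Python check that flags the weak settings of those fields, using the defaults stated in the CRD; the spec is a plain dict as decoded from the object's JSON, and both sample specs are constructed.

```python
# Default failsafe port lists as stated in the FelixConfiguration CRD text.
DEFAULT_INBOUND = "tcp:22,udp:68,tcp:179,tcp:2379,tcp:2380,tcp:6443,tcp:6666,tcp:6667"
DEFAULT_OUTBOUND = "tcp:179,tcp:2379,tcp:2380,tcp:6443,tcp:6666,tcp:6667,udp:53,udp:67"


def parse_proto_ports(value):
    """Expand a '[proto:]port,...' string into ProtoPort dicts.
    The protocol defaults to tcp, as the CRD description states."""
    entries = []
    for item in value.split(","):
        proto, _, port = item.strip().rpartition(":")
        entries.append({"protocol": proto or "tcp", "port": int(port)})
    return entries


def lint_felix_spec(spec):
    """Return (field, finding) tuples for settings that widen the host's
    exposure or let Calico policy be bypassed. Defaults follow the CRD."""
    findings = []

    # Append mode lets rules earlier in the kernel chains bypass Calico policy.
    if str(spec.get("chainInsertMode", "insert")).lower() == "append":
        findings.append(("chainInsertMode",
                         "append mode; earlier chain rules can bypass Calico policy"))

    # With the BPF dataplane on, unprivileged BPF lets local users read
    # Calico's maps or attach their own programs to interfere with Calico's.
    if spec.get("bpfEnabled") and spec.get("bpfDisableUnprivileged", True) is False:
        findings.append(("bpfDisableUnprivileged",
                         "unprivileged BPF left enabled while the BPF dataplane is on"))

    # Workload-to-host traffic is dropped by default; Accept removes that boundary.
    if str(spec.get("defaultEndpointToHostAction", "Drop")).lower() == "accept":
        findings.append(("defaultEndpointToHostAction",
                         "workload-to-host traffic accepted unconditionally"))

    # Encapsulated packets sourced by workloads are dropped unless allowed here.
    for field in ("allowIPIPPacketsFromWorkloads", "allowVXLANPacketsFromWorkloads"):
        if spec.get(field):
            findings.append((field, "encapsulated traffic from workloads allowed"))

    # Failsafe ports bypass host endpoint policy entirely, so each entry should
    # be scoped with a CIDR ("net"); an unset field means the CRD defaults apply.
    for field, default in (("failsafeInboundHostPorts", DEFAULT_INBOUND),
                           ("failsafeOutboundHostPorts", DEFAULT_OUTBOUND)):
        value = spec.get(field)
        if value is None:
            entries = parse_proto_ports(default)
        elif value == "none" or value == []:  # "none" per the CRD text; [] in a parsed spec
            findings.append((field, "all failsafe ports disabled; a bad policy can lock out the host"))
            continue
        else:
            entries = value
        for entry in entries:
            if not entry.get("net"):
                findings.append((field, f"{entry.get('protocol', 'tcp')}:{entry['port']} "
                                        "is not scoped by a CIDR (applies to all addresses)"))
    return findings


# Constructed sample specs (not from the manifest): a risky one and a hardened one.
RISKY_SPEC = {
    "bpfEnabled": True,
    "bpfDisableUnprivileged": False,
    "chainInsertMode": "Append",
    "defaultEndpointToHostAction": "Accept",
    "failsafeInboundHostPorts": [
        {"protocol": "tcp", "port": 22, "net": "10.0.0.0/8"},
        {"protocol": "tcp", "port": 6443},
    ],
    # failsafeOutboundHostPorts left unset, so the CRD defaults apply unscoped.
}

HARDENED_SPEC = {
    "chainInsertMode": "Insert",
    "defaultEndpointToHostAction": "Drop",
    "failsafeInboundHostPorts": [{"protocol": "tcp", "port": 22, "net": "10.0.0.0/8"}],
    "failsafeOutboundHostPorts": [{"protocol": "udp", "port": 53, "net": "10.96.0.10/32"}],
}

if __name__ == "__main__":
    for field, finding in lint_felix_spec(RISKY_SPEC):
        print(f"{field}: {finding}")
```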
998 apiVersion: apiextensions.k8s.io/v1
999 kind: CustomResourceDefinition
1001 name: globalnetworkpolicies.crd.projectcalico.org
1003 group: crd.projectcalico.org
1005 kind: GlobalNetworkPolicy
1006 listKind: GlobalNetworkPolicyList
1007 plural: globalnetworkpolicies
1008 singular: globalnetworkpolicy
1016 description: 'APIVersion defines the versioned schema of this representation
1017 of an object. Servers should convert recognized schemas to the latest
1018 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1021 description: 'Kind is a string value representing the REST resource this
1022 object represents. Servers may infer this from the endpoint the client
1023 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1030 description: ApplyOnForward indicates to apply the rules in this policy
1034 description: DoNotTrack indicates whether packets matched by the rules
1035 in this policy should go through the data plane's connection tracking,
1036 such as Linux conntrack. If True, the rules in this policy are
1037 applied before any data plane connection tracking, and packets allowed
1038 by this policy are marked as not to be tracked.
1041 description: The ordered set of egress rules. Each rule contains
1042 a set of packet match criteria and a corresponding action to apply.
1044 description: "A Rule encapsulates a set of match criteria and an
1045 action. Both selector-based security Policy and security Profiles
1046 reference rules - separated out as a list of rules for both ingress
1047 and egress packet matching. \n Each positive match criterion has
1048 a negated version, prefixed with \"Not\". All the match criteria
1049 within a rule must be satisfied for a packet to match. A single
1050 rule can contain the positive and negative version of a match
1051 and both must be satisfied for the rule to match."
1056 description: Destination contains the match criteria that apply
1057 to destination entity.
1060 description: "NamespaceSelector is an optional field that
1061 contains a selector expression. Only traffic that originates
1062 from (or terminates at) endpoints within the selected
1063 namespaces will be matched. When both NamespaceSelector
1064 and Selector are defined on the same rule, then only workload
1065 endpoints that are matched by both selectors will be selected
1066 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1067 implies that the Selector is limited to selecting only
1068 workload endpoints in the same namespace as the NetworkPolicy.
1069 \n For NetworkPolicy, `global()` NamespaceSelector implies
1070 that the Selector is limited to selecting only GlobalNetworkSet
1071 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1072 NamespaceSelector implies the Selector applies to workload
1073 endpoints across all namespaces."
1076 description: Nets is an optional field that restricts the
1077 rule to only apply to traffic that originates from (or
1078 terminates at) IP addresses in any of the given subnets.
1083 description: NotNets is the negated version of the Nets
1089 description: NotPorts is the negated version of the Ports
1090 field. Since only some protocols have ports, if any ports
1091 are specified it requires the Protocol match in the Rule
1092 to be set to "TCP" or "UDP".
1098 x-kubernetes-int-or-string: true
1101 description: NotSelector is the negated version of the Selector
1102 field. See Selector field for subtleties with negated
1106 description: "Ports is an optional field that restricts
1107 the rule to only apply to traffic that has a source (destination)
1108 port that matches one of these ranges/values. This value
1109 is a list of integers or strings that represent ranges
1110 of ports. \n Since only some protocols have ports, if
1111 any ports are specified it requires the Protocol match
1112 in the Rule to be set to \"TCP\" or \"UDP\"."
1118 x-kubernetes-int-or-string: true
1121 description: "Selector is an optional field that contains
1122 a selector expression (see Policy for sample syntax).
1123 \ Only traffic that originates from (terminates at) endpoints
1124 matching the selector will be matched. \n Note that: in
1125 addition to the negated version of the Selector (see NotSelector
1126 below), the selector expression syntax itself supports
1127 negation. The two types of negation are subtly different.
1128 One negates the set of matched endpoints, the other negates
1129 the whole match: \n \tSelector = \"!has(my_label)\" matches
1130 packets that are from other Calico-controlled \tendpoints
1131 that do not have the label \"my_label\". \n \tNotSelector
1132 = \"has(my_label)\" matches packets that are not from
1133 Calico-controlled \tendpoints that do have the label \"my_label\".
1134 \n The effect is that the latter will accept packets from
1135 non-Calico sources whereas the former is limited to packets
1136 from Calico-controlled endpoints."
1139 description: ServiceAccounts is an optional field that restricts
1140 the rule to only apply to traffic that originates from
1141 (or terminates at) a pod running as a matching service
1145 description: Names is an optional field that restricts
1146 the rule to only apply to traffic that originates
1147 from (or terminates at) a pod running as a service
1148 account whose name is in the list.
1153 description: Selector is an optional field that restricts
1154 the rule to only apply to traffic that originates
1155 from (or terminates at) a pod running as a service
1156 account that matches the given label selector. If
1157 both Names and Selector are specified then they are
1163 description: HTTP contains match criteria that apply to HTTP
1167 description: Methods is an optional field that restricts
1168 the rule to apply only to HTTP requests that use one of
1169 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1170 methods are OR'd together.
1175 description: 'Paths is an optional field that restricts
1176 the rule to apply to HTTP requests that use one of the
1177 listed HTTP Paths. Multiple paths are OR''d together.
1178 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1179 ONLY specify either an `exact` or a `prefix` match. The
1180 validator will check for it.'
1182 description: 'HTTPPath specifies an HTTP path to match.
1183 It may be either of the form: exact: <path>: which matches
1184 the path exactly or prefix: <path-prefix>: which matches
1195 description: ICMP is an optional field that restricts the rule
1196 to apply to a specific type and code of ICMP traffic. This
1197 should only be specified if the Protocol field is set to "ICMP"
1201 description: Match on a specific ICMP code. If specified,
1202 the Type value must also be specified. This is a technical
1203 limitation imposed by the kernel's iptables firewall,
1204 which Calico uses to enforce the rule.
1207 description: Match on a specific ICMP type. For example
1208 a value of 8 refers to ICMP Echo Request (i.e. pings).
1212 description: IPVersion is an optional field that restricts the
1213 rule to only match a specific IP version.
1216 description: Metadata contains additional information for this
1220 additionalProperties:
1222 description: Annotations is a set of key value pairs that
1223 give extra information about the rule
1227 description: NotICMP is the negated version of the ICMP field.
1230 description: Match on a specific ICMP code. If specified,
1231 the Type value must also be specified. This is a technical
1232 limitation imposed by the kernel's iptables firewall,
1233 which Calico uses to enforce the rule.
1236 description: Match on a specific ICMP type. For example
1237 a value of 8 refers to ICMP Echo Request (i.e. pings).
1244 description: NotProtocol is the negated version of the Protocol
1247 x-kubernetes-int-or-string: true
1252 description: "Protocol is an optional field that restricts the
1253 rule to only apply to traffic of a specific IP protocol. Required
1254 if any of the EntityRules contain Ports (because ports only
1255 apply to certain protocols). \n Must be one of these string
1256 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1257 \"UDPLite\" or an integer in the range 1-255."
1259 x-kubernetes-int-or-string: true
1261 description: Source contains the match criteria that apply to
1265 description: "NamespaceSelector is an optional field that
1266 contains a selector expression. Only traffic that originates
1267 from (or terminates at) endpoints within the selected
1268 namespaces will be matched. When both NamespaceSelector
1269 and Selector are defined on the same rule, then only workload
1270 endpoints that are matched by both selectors will be selected
1271 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1272 implies that the Selector is limited to selecting only
1273 workload endpoints in the same namespace as the NetworkPolicy.
1274 \n For NetworkPolicy, `global()` NamespaceSelector implies
1275 that the Selector is limited to selecting only GlobalNetworkSet
1276 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1277 NamespaceSelector implies the Selector applies to workload
1278 endpoints across all namespaces."
1281 description: Nets is an optional field that restricts the
1282 rule to only apply to traffic that originates from (or
1283 terminates at) IP addresses in any of the given subnets.
1288 description: NotNets is the negated version of the Nets
1294 description: NotPorts is the negated version of the Ports
1295 field. Since only some protocols have ports, if any ports
1296 are specified it requires the Protocol match in the Rule
1297 to be set to "TCP" or "UDP".
1303 x-kubernetes-int-or-string: true
1306 description: NotSelector is the negated version of the Selector
1307 field. See Selector field for subtleties with negated
1311 description: "Ports is an optional field that restricts
1312 the rule to only apply to traffic that has a source (destination)
1313 port that matches one of these ranges/values. This value
1314 is a list of integers or strings that represent ranges
1315 of ports. \n Since only some protocols have ports, if
1316 any ports are specified it requires the Protocol match
1317 in the Rule to be set to \"TCP\" or \"UDP\"."
1323 x-kubernetes-int-or-string: true
1326 description: "Selector is an optional field that contains
1327 a selector expression (see Policy for sample syntax).
1328 \ Only traffic that originates from (terminates at) endpoints
1329 matching the selector will be matched. \n Note that: in
1330 addition to the negated version of the Selector (see NotSelector
1331 below), the selector expression syntax itself supports
1332 negation. The two types of negation are subtly different.
1333 One negates the set of matched endpoints, the other negates
1334 the whole match: \n \tSelector = \"!has(my_label)\" matches
1335 packets that are from other Calico-controlled \tendpoints
1336 that do not have the label \"my_label\". \n \tNotSelector
1337 = \"has(my_label)\" matches packets that are not from
1338 Calico-controlled \tendpoints that do have the label \"my_label\".
1339 \n The effect is that the latter will accept packets from
1340 non-Calico sources whereas the former is limited to packets
1341 from Calico-controlled endpoints."
1344 description: ServiceAccounts is an optional field that restricts
1345 the rule to only apply to traffic that originates from
1346 (or terminates at) a pod running as a matching service
1350 description: Names is an optional field that restricts
1351 the rule to only apply to traffic that originates
1352 from (or terminates at) a pod running as a service
1353 account whose name is in the list.
1358 description: Selector is an optional field that restricts
1359 the rule to only apply to traffic that originates
1360 from (or terminates at) a pod running as a service
1361 account that matches the given label selector. If
1362 both Names and Selector are specified then they are
1372 description: The ordered set of ingress rules. Each rule contains
1373 a set of packet match criteria and a corresponding action to apply.
1375 description: "A Rule encapsulates a set of match criteria and an
1376 action. Both selector-based security Policy and security Profiles
1377 reference rules - separated out as a list of rules for both ingress
1378 and egress packet matching. \n Each positive match criterion has
1379 a negated version, prefixed with \"Not\". All the match criteria
1380 within a rule must be satisfied for a packet to match. A single
1381 rule can contain the positive and negative version of a match
1382 and both must be satisfied for the rule to match."
1387 description: Destination contains the match criteria that apply
1388 to destination entity.
1391 description: "NamespaceSelector is an optional field that
1392 contains a selector expression. Only traffic that originates
1393 from (or terminates at) endpoints within the selected
1394 namespaces will be matched. When both NamespaceSelector
1395 and Selector are defined on the same rule, then only workload
1396 endpoints that are matched by both selectors will be selected
1397 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1398 implies that the Selector is limited to selecting only
1399 workload endpoints in the same namespace as the NetworkPolicy.
1400 \n For NetworkPolicy, `global()` NamespaceSelector implies
1401 that the Selector is limited to selecting only GlobalNetworkSet
1402 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1403 NamespaceSelector implies the Selector applies to workload
1404 endpoints across all namespaces."
1407 description: Nets is an optional field that restricts the
1408 rule to only apply to traffic that originates from (or
1409 terminates at) IP addresses in any of the given subnets.
1414 description: NotNets is the negated version of the Nets
1420 description: NotPorts is the negated version of the Ports
1421 field. Since only some protocols have ports, if any ports
1422 are specified it requires the Protocol match in the Rule
1423 to be set to "TCP" or "UDP".
1429 x-kubernetes-int-or-string: true
1432 description: NotSelector is the negated version of the Selector
1433 field. See Selector field for subtleties with negated
1437 description: "Ports is an optional field that restricts
1438 the rule to only apply to traffic that has a source (destination)
1439 port that matches one of these ranges/values. This value
1440 is a list of integers or strings that represent ranges
1441 of ports. \n Since only some protocols have ports, if
1442 any ports are specified it requires the Protocol match
1443 in the Rule to be set to \"TCP\" or \"UDP\"."
1449 x-kubernetes-int-or-string: true
1452 description: "Selector is an optional field that contains
1453 a selector expression (see Policy for sample syntax).
1454 \ Only traffic that originates from (terminates at) endpoints
1455 matching the selector will be matched. \n Note that: in
1456 addition to the negated version of the Selector (see NotSelector
1457 below), the selector expression syntax itself supports
1458 negation. The two types of negation are subtly different.
1459 One negates the set of matched endpoints, the other negates
1460 the whole match: \n \tSelector = \"!has(my_label)\" matches
1461 packets that are from other Calico-controlled \tendpoints
1462 that do not have the label \"my_label\". \n \tNotSelector
1463 = \"has(my_label)\" matches packets that are not from
1464 Calico-controlled \tendpoints that do have the label \"my_label\".
1465 \n The effect is that the latter will accept packets from
1466 non-Calico sources whereas the former is limited to packets
1467 from Calico-controlled endpoints."
1470 description: ServiceAccounts is an optional field that restricts
1471 the rule to only apply to traffic that originates from
1472 (or terminates at) a pod running as a matching service
1476 description: Names is an optional field that restricts
1477 the rule to only apply to traffic that originates
1478 from (or terminates at) a pod running as a service
1479 account whose name is in the list.
1484 description: Selector is an optional field that restricts
1485 the rule to only apply to traffic that originates
1486 from (or terminates at) a pod running as a service
1487 account that matches the given label selector. If
1488 both Names and Selector are specified then they are
1494 description: HTTP contains match criteria that apply to HTTP
1498 description: Methods is an optional field that restricts
1499 the rule to apply only to HTTP requests that use one of
1500 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1501 methods are OR'd together.
1506 description: 'Paths is an optional field that restricts
1507 the rule to apply to HTTP requests that use one of the
1508 listed HTTP Paths. Multiple paths are OR''d together.
1509 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1510 ONLY specify either an `exact` or a `prefix` match. The
1511 validator will check for it.'
1513 description: 'HTTPPath specifies an HTTP path to match.
1514 It may be either of the form: exact: <path>: which matches
1515 the path exactly or prefix: <path-prefix>: which matches
1526 description: ICMP is an optional field that restricts the rule
1527 to apply to a specific type and code of ICMP traffic. This
1528 should only be specified if the Protocol field is set to "ICMP"
1532 description: Match on a specific ICMP code. If specified,
1533 the Type value must also be specified. This is a technical
1534 limitation imposed by the kernel's iptables firewall,
1535 which Calico uses to enforce the rule.
1538 description: Match on a specific ICMP type. For example
1539 a value of 8 refers to ICMP Echo Request (i.e. pings).
1543 description: IPVersion is an optional field that restricts the
1544 rule to only match a specific IP version.
1547 description: Metadata contains additional information for this
1551 additionalProperties:
1553 description: Annotations is a set of key value pairs that
1554 give extra information about the rule
1558 description: NotICMP is the negated version of the ICMP field.
1561 description: Match on a specific ICMP code. If specified,
1562 the Type value must also be specified. This is a technical
1563 limitation imposed by the kernel's iptables firewall,
1564 which Calico uses to enforce the rule.
1567 description: Match on a specific ICMP type. For example
1568 a value of 8 refers to ICMP Echo Request (i.e. pings).
1575 description: NotProtocol is the negated version of the Protocol
1578 x-kubernetes-int-or-string: true
1583 description: "Protocol is an optional field that restricts the
1584 rule to only apply to traffic of a specific IP protocol. Required
1585 if any of the EntityRules contain Ports (because ports only
1586 apply to certain protocols). \n Must be one of these string
1587 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1588 \"UDPLite\" or an integer in the range 1-255."
1590 x-kubernetes-int-or-string: true
1592 description: Source contains the match criteria that apply to
1596 description: "NamespaceSelector is an optional field that
1597 contains a selector expression. Only traffic that originates
1598 from (or terminates at) endpoints within the selected
1599 namespaces will be matched. When both NamespaceSelector
1600 and Selector are defined on the same rule, then only workload
1601 endpoints that are matched by both selectors will be selected
1602 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1603 implies that the Selector is limited to selecting only
1604 workload endpoints in the same namespace as the NetworkPolicy.
1605 \n For NetworkPolicy, `global()` NamespaceSelector implies
1606 that the Selector is limited to selecting only GlobalNetworkSet
1607 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1608 NamespaceSelector implies the Selector applies to workload
1609 endpoints across all namespaces."
1612 description: Nets is an optional field that restricts the
1613 rule to only apply to traffic that originates from (or
1614 terminates at) IP addresses in any of the given subnets.
1619 description: NotNets is the negated version of the Nets
1625 description: NotPorts is the negated version of the Ports
1626 field. Since only some protocols have ports, if any ports
1627 are specified it requires the Protocol match in the Rule
1628 to be set to "TCP" or "UDP".
1634 x-kubernetes-int-or-string: true
1637 description: NotSelector is the negated version of the Selector
1638 field. See Selector field for subtleties with negated
1642 description: "Ports is an optional field that restricts
1643 the rule to only apply to traffic that has a source (destination)
1644 port that matches one of these ranges/values. This value
1645 is a list of integers or strings that represent ranges
1646 of ports. \n Since only some protocols have ports, if
1647 any ports are specified it requires the Protocol match
1648 in the Rule to be set to \"TCP\" or \"UDP\"."
1654 x-kubernetes-int-or-string: true
1657 description: "Selector is an optional field that contains
1658 a selector expression (see Policy for sample syntax).
1659 \ Only traffic that originates from (terminates at) endpoints
1660 matching the selector will be matched. \n Note that: in
1661 addition to the negated version of the Selector (see NotSelector
1662 below), the selector expression syntax itself supports
1663 negation. The two types of negation are subtly different.
1664 One negates the set of matched endpoints, the other negates
1665 the whole match: \n \tSelector = \"!has(my_label)\" matches
1666 packets that are from other Calico-controlled \tendpoints
1667 that do not have the label \"my_label\". \n \tNotSelector
1668 = \"has(my_label)\" matches packets that are not from
1669 Calico-controlled \tendpoints that do have the label \"my_label\".
1670 \n The effect is that the latter will accept packets from
1671 non-Calico sources whereas the former is limited to packets
1672 from Calico-controlled endpoints."
1675 description: ServiceAccounts is an optional field that restricts
1676 the rule to only apply to traffic that originates from
1677 (or terminates at) a pod running as a matching service
1681 description: Names is an optional field that restricts
1682 the rule to only apply to traffic that originates
1683 from (or terminates at) a pod running as a service
1684 account whose name is in the list.
1689 description: Selector is an optional field that restricts
1690 the rule to only apply to traffic that originates
1691 from (or terminates at) a pod running as a service
1692 account that matches the given label selector. If
1693 both Names and Selector are specified then they are
1703 description: NamespaceSelector is an optional field for an expression
1704 used to select a pod based on namespaces.
1707 description: Order is an optional field that specifies the order in
1708 which the policy is applied. Policies with higher "order" are applied
1709 after those with lower order. If the order is omitted, it may be
1710 considered to be "infinite" - i.e. the policy will be applied last. Policies
1711 with identical order will be applied in alphanumerical order based
1712 on the Policy "Name".
1715 description: PreDNAT indicates to apply the rules in this policy before
1719 description: "The selector is an expression used to pick out
1720 the endpoints that the policy should be applied to. \n Selector
1721 expressions follow this syntax: \n \tlabel == \"string_literal\"
1722 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
1723 \ -> not equal; also matches if label is not present \tlabel in
1724 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
1725 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
1726 ... } -> true if the value of label X is not one of \"a\", \"b\",
1727 \"c\" \thas(label_name) -> True if that label is present \t! expr
1728 -> negation of expr \texpr && expr -> Short-circuit and \texpr
1729 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
1730 or the empty selector -> matches all endpoints. \n Label names are
1731 allowed to contain alphanumerics, -, _ and /. String literals are
1732 more permissive but they do not support escape characters. \n Examples
1733 (with made-up labels): \n \ttype == \"webserver\" && deployment
1734 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
1735 \"dev\" \t! has(label_name)"
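The selector grammar described above (comparison, `in`/`not in`, `has()`, `!`, `&&`, `||`, parentheses, `all()`), together with the Selector versus NotSelector subtlety from the rule fields earlier in this CRD, as an added example in Python. This is not Calico's own selector implementation; it is a small tokeniser, recursive-descent parser and evaluator written here to show how the documented precedence and negation semantics behave on label sets. One point the description leaves open is assumed: `label not in { ... }` is taken to be true when the label is absent, mirroring the documented behaviour of `!=`. The `source_matches` helper and the idea of representing a non-Calico source as `None` are constructed for this illustration.

```python
# Parser and evaluator for the selector grammar the CRD text describes (added example, not Calico code).
import re

# A token is an operator/punctuation, a double-quoted string literal, or a bare
# word (a label name, or one of: in, not, has, all).
TOKEN_RE = re.compile(r'\s*(?:(==|!=|&&|\|\||[(){},!])|"([^"]*)"|([A-Za-z0-9_./-]+))')

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad selector near {expr[pos:pos + 10]!r}")
        op, lit, word = m.groups()
        tokens.append(("op", op) if op else ("str", lit) if lit is not None else ("word", word))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent; precedence from lowest: ||, &&, then ! and ( ... )."""
    def __init__(self, tokens): self.toks, self.i = tokens, 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, val=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (val is not None and v != val):
            raise ValueError(f"expected {val or kind}, got {v!r}")
        self.i += 1
        return v
    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing token {self.peek()[1]!r}")
        return node
    def binary(self, op, name, sub):
        left = sub()
        while self.peek() == ("op", op):
            self.take()
            left = (name, left, sub())
        return left
    def parse_or(self): return self.binary("||", "or", self.parse_and)
    def parse_and(self): return self.binary("&&", "and", self.parse_unary)
    def parse_unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return ("not", self.parse_unary())
        if self.peek() == ("op", "("):
            self.take()
            node = self.parse_or()
            self.take("op", ")")
            return node
        return self.parse_primary()
    def parse_primary(self):
        word = self.take("word")
        if word in ("all", "has") and self.peek() == ("op", "("):   # all() or has(label)
            self.take()
            node = ("all",) if word == "all" else ("has", self.take("word"))
            self.take("op", ")")
            return node
        if self.peek()[1] in ("==", "!="):
            return (self.take(), word, self.take("str"))
        negated = self.peek() == ("word", "not") and self.take()   # "label not in {...}"
        self.take("word", "in")
        return ("notin" if negated else "in", word, self.parse_set())
    def parse_set(self):
        self.take("op", "{")
        vals = set()
        while self.peek() != ("op", "}"):
            vals.add(self.take("str"))
            if self.peek() == ("op", ","):
                self.take()
        self.take("op", "}")
        return vals

OPS = {  # node -> bool, given the endpoint's label dict L
    "all": lambda n, L: True,
    "has": lambda n, L: n[1] in L,
    "==": lambda n, L: L.get(n[1]) == n[2],
    "!=": lambda n, L: L.get(n[1]) != n[2],         # also true when the label is absent
    "in": lambda n, L: L.get(n[1]) in n[2],
    "notin": lambda n, L: L.get(n[1]) not in n[2],  # absent label counts as "not in" (assumed)
    "not": lambda n, L: not evaluate(n[1], L),
    "and": lambda n, L: evaluate(n[1], L) and evaluate(n[2], L),
    "or": lambda n, L: evaluate(n[1], L) or evaluate(n[2], L),
}

def evaluate(node, labels):
    return OPS[node[0]](node, labels)

def matches(selector, labels):
    """True if an endpoint carrying `labels` is picked out by `selector` (empty = all())."""
    toks = tokenize(selector)
    return evaluate(Parser(toks).parse() if toks else ("all",), labels)

def source_matches(src_labels, selector=None, not_selector=None):
    """Selector vs NotSelector (constructed helper): src_labels is a dict for a Calico-controlled
    endpoint and None for a non-Calico source. Selector only ever matches Calico endpoints;
    NotSelector negates the whole match, so a non-Calico source passes it."""
    if selector is not None and (src_labels is None or not matches(selector, src_labels)):
        return False
    if not_selector is not None and src_labels is not None and matches(not_selector, src_labels):
        return False
    return True
```

`matches(...)` is the entry point for the grammar; `source_matches(...)` shows why `selector: '!has(my_label)'` and `notSelector: 'has(my_label)'` are not interchangeable in a rule: only the latter lets traffic from non-Calico sources through, which matters when a rule is meant to deny everything except labelled endpoints.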
1737 serviceAccountSelector:
1738 description: ServiceAccountSelector is an optional field for an expression
1739 used to select a pod based on service accounts.
1742 description: "Types indicates whether this policy applies to ingress,
1743 or to egress, or to both. When not explicitly specified (and so
1744 the value on creation is empty or nil), Calico defaults Types according
1745 to what Ingress and Egress rules are present in the policy. The
1746 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
1747 (including the case where there are also no Ingress rules) \n
1748 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
1749 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
1750 both Ingress and Egress rules. \n When the policy is read back again,
1751 Types will always be one of these values, never empty or nil."
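Several of the descriptions in this CRD state constraints that the API server's schema validation does not fully capture: ports need a `protocol` of TCP or UDP, an ICMP `code` needs a `type`, `protocol` is a named string or an integer 1-255, an HTTP path entry carries exactly one of `exact`/`prefix`, `types` defaults from which rule lists are present, and `order` (omitted meaning infinite, ties broken by name) decides application order. The following is an added example in Python, not Calico's own validator, that encodes those constraints as a pre-apply check over policies loaded as plain dicts. It assumes the "lo:hi" string form for a port range and treats any other string as a named port; the `SAMPLE_POLICY` and `SAMPLE_BAD_POLICY` values are constructed for the illustration.

```python
# Consistency checks for GlobalNetworkPolicy specs, taken from the constraints the CRD
# descriptions state (added example, not Calico's validator). Policies are plain dicts
# as yaml.safe_load would produce; the SAMPLE_* values are constructed.
NAMED_PROTOCOLS = {"TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"}

def protocol_ok(p):
    """Protocol: one of the named strings, or an integer in the range 1-255."""
    if isinstance(p, bool):            # YAML true/false parses as bool, never a protocol number
        return False
    return 1 <= p <= 255 if isinstance(p, int) else p in NAMED_PROTOCOLS

def port_ok(p):
    """Integer port, a "lo:hi" range string (format assumed here), or a named port string."""
    if isinstance(p, bool):
        return False
    if isinstance(p, int):
        return 0 <= p <= 65535
    if not isinstance(p, str) or not p:
        return False
    if ":" in p:
        lo, _, hi = p.partition(":")
        return lo.isdigit() and hi.isdigit() and int(lo) <= int(hi) <= 65535
    return True

def validate_rule(rule, where):
    errs = []
    proto = rule.get("protocol")
    if proto is not None and not protocol_ok(proto):
        errs.append(f"{where}: protocol {proto!r} is not a named protocol or an integer 1-255")
    for entity in ("source", "destination"):
        ent = rule.get(entity) or {}
        ports = list(ent.get("ports") or []) + list(ent.get("notPorts") or [])
        if ports and proto not in ("TCP", "UDP"):   # ports only exist for TCP/UDP
            errs.append(f"{where}.{entity}: ports require protocol TCP or UDP")
        errs += [f"{where}.{entity}: bad port {p!r}" for p in ports if not port_ok(p)]
    for key in ("icmp", "notICMP"):
        icmp = rule.get(key) or {}
        if "code" in icmp and "type" not in icmp:    # iptables cannot match a code without a type
            errs.append(f"{where}.{key}: code requires type")
    if rule.get("icmp") and proto not in ("ICMP", "ICMPv6"):
        errs.append(f"{where}: icmp match requires protocol ICMP or ICMPv6")
    for path in (rule.get("http") or {}).get("paths") or []:
        if ("exact" in path) == ("prefix" in path):  # exactly one of the two
            errs.append(f"{where}.http.paths: each entry needs exactly one of exact/prefix")
    return errs

def validate_policy(policy):
    """Return a list of problems (empty when the policy is consistent)."""
    spec, name = policy.get("spec") or {}, policy.get("metadata", {}).get("name", "?")
    errs = []
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            errs += validate_rule(rule, f"{name}.{direction}[{i}]")
    return errs

def default_types(spec):
    """Types as the description says Calico fills them in when the field is omitted."""
    if spec.get("types"):
        return list(spec["types"])
    has_ingress, has_egress = bool(spec.get("ingress")), bool(spec.get("egress"))
    if has_egress and not has_ingress:
        return ["Egress"]
    if has_ingress and has_egress:
        return ["Ingress", "Egress"]
    return ["Ingress"]      # no egress rules, including the no-rules-at-all case

def apply_order(policies):
    """Names in application order: ascending spec.order, omitted order last, ties by name."""
    def key(p):
        order = p["spec"].get("order")
        return (order is None, 0 if order is None else order, p["metadata"]["name"])
    return [p["metadata"]["name"] for p in sorted(policies, key=key)]

SAMPLE_POLICY = {   # constructed sample; consistent
    "metadata": {"name": "deny-web-to-db"},
    "spec": {
        "order": 100, "selector": 'role == "db"',
        "ingress": [
            {"action": "Deny", "protocol": "TCP", "source": {"selector": 'role == "web"'},
             "destination": {"ports": [5432, "6000:6010"]}},
            {"action": "Allow", "protocol": "ICMP", "icmp": {"type": 8}},
        ],
    },
}

SAMPLE_BAD_POLICY = {   # constructed sample; one defect per egress rule
    "metadata": {"name": "broken"},
    "spec": {"egress": [
        {"action": "Allow", "destination": {"ports": [443]}},             # ports without TCP/UDP
        {"action": "Allow", "protocol": "ICMP", "icmp": {"code": 0}},     # code without type
        {"action": "Allow", "protocol": 300},                              # out of range
        {"action": "Allow", "protocol": "TCP",
         "http": {"paths": [{"exact": "/foo", "prefix": "/bar"}]}},       # both exact and prefix
    ]},
}
```

Running `validate_policy` over a manifest before `kubectl apply` catches the class of mistake where a rule silently matches nothing (ports on a rule with no protocol) or is rejected by the validator only after the rest of the manifest has already been applied; `apply_order` makes the effective precedence of a set of policies visible, which is where an unintended allow usually hides.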
1753 description: PolicyType enumerates the possible values of the PolicySpec
1769 apiVersion: apiextensions.k8s.io/v1
1770 kind: CustomResourceDefinition
1772 name: globalnetworksets.crd.projectcalico.org
1774 group: crd.projectcalico.org
1776 kind: GlobalNetworkSet
1777 listKind: GlobalNetworkSetList
1778 plural: globalnetworksets
1779 singular: globalnetworkset
1785 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
1786 that share labels to allow rules to refer to them via selectors. The labels
1787 of GlobalNetworkSet are not namespaced.
1790 description: 'APIVersion defines the versioned schema of this representation
1791 of an object. Servers should convert recognized schemas to the latest
1792 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1795 description: 'Kind is a string value representing the REST resource this
1796 object represents. Servers may infer this from the endpoint the client
1797 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1802 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
1806 description: The list of IP networks that belong to this set.
1822 apiVersion: apiextensions.k8s.io/v1
1823 kind: CustomResourceDefinition
1825 name: hostendpoints.crd.projectcalico.org
1827 group: crd.projectcalico.org
1830 listKind: HostEndpointList
1831 plural: hostendpoints
1832 singular: hostendpoint
1840 description: 'APIVersion defines the versioned schema of this representation
1841 of an object. Servers should convert recognized schemas to the latest
1842 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1845 description: 'Kind is a string value representing the REST resource this
1846 object represents. Servers may infer this from the endpoint the client
1847 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1852 description: HostEndpointSpec contains the specification for a HostEndpoint
1856 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
1857 If \"InterfaceName\" is not present, Calico will look for an interface
1858 matching any of the IPs in the list and apply policy to that. Note:
1859 \tWhen using the selector match criteria in an ingress or egress
1860 security Policy \tor Profile, Calico converts the selector into
1861 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
1862 is used for that purpose. (If only the interface \tname is specified,
1863 Calico does not learn the IPs of the interface for use in match
1869 description: "Either \"*\", or the name of a specific Linux interface
1870 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
1871 governs all traffic to, from or through the default network namespace
1872 of the host named by the \"Node\" field; entering and leaving that
1873 namespace via any interface, including those from/to non-host-networked
1874 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
1875 only governs traffic that enters or leaves the host through the
1876 specific interface named by InterfaceName, or - when InterfaceName
1877 is empty - through the specific interface that has one of the IPs
1878 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
1879 one expected IP must be specified. Only external interfaces (such
1880 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
1881 to protect traffic through a specific local workload interface.
1882 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
1883 initially just pre-DNAT policy. Please check Calico documentation
1884 for the latest position."
1887 description: The node name identifying the Calico node instance.
1890 description: Ports contains the endpoint's named ports, which may
1891 be referenced in security policy rules.
1903 x-kubernetes-int-or-string: true
1911 description: A list of identifiers of security Profile objects that
1912 apply to this endpoint. Each profile is applied in the order that
1913 they appear in this list. Profile rules are applied after the selector-based
1930 apiVersion: apiextensions.k8s.io/v1
1931 kind: CustomResourceDefinition
1933 name: ipamblocks.crd.projectcalico.org
1935 group: crd.projectcalico.org
1938 listKind: IPAMBlockList
1948 description: 'APIVersion defines the versioned schema of this representation
1949 of an object. Servers should convert recognized schemas to the latest
1950 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1953 description: 'Kind is a string value representing the REST resource this
1954 object represents. Servers may infer this from the endpoint the client
1955 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1960 description: IPAMBlockSpec contains the specification for an IPAMBlock
1968 # TODO: This nullable is manually added in. We should update controller-gen
1969 # to handle []*int properly itself.
1978 additionalProperties:
2011 apiVersion: apiextensions.k8s.io/v1
2012 kind: CustomResourceDefinition
2014 name: ipamconfigs.crd.projectcalico.org
2016 group: crd.projectcalico.org
2019 listKind: IPAMConfigList
2021 singular: ipamconfig
2029 description: 'APIVersion defines the versioned schema of this representation
2030 of an object. Servers should convert recognized schemas to the latest
2031 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2034 description: 'Kind is a string value representing the REST resource this
2035 object represents. Servers may infer this from the endpoint the client
2036 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2041 description: IPAMConfigSpec contains the specification for an IPAMConfig
2047 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2048 that can be affine to each host.
2053 - autoAllocateBlocks
2067 apiVersion: apiextensions.k8s.io/v1
2068 kind: CustomResourceDefinition
2070 name: ipamhandles.crd.projectcalico.org
2072 group: crd.projectcalico.org
2075 listKind: IPAMHandleList
2077 singular: ipamhandle
2085 description: 'APIVersion defines the versioned schema of this representation
2086 of an object. Servers should convert recognized schemas to the latest
2087 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2090 description: 'Kind is a string value representing the REST resource this
2091 object represents. Servers may infer this from the endpoint the client
2092 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2097 description: IPAMHandleSpec contains the specification for an IPAMHandle
2101 additionalProperties:
2123 apiVersion: apiextensions.k8s.io/v1
2124 kind: CustomResourceDefinition
2126 name: ippools.crd.projectcalico.org
2128 group: crd.projectcalico.org
2131 listKind: IPPoolList
2141 description: 'APIVersion defines the versioned schema of this representation
2142 of an object. Servers should convert recognized schemas to the latest
2143 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2146 description: 'Kind is a string value representing the REST resource this
2147 object represents. Servers may infer this from the endpoint the client
2148 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2153 description: IPPoolSpec contains the specification for an IPPool resource.
2156 description: The block size to use for IP address assignments from
2157 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2160 description: The pool CIDR.
2163 description: When disabled is true, Calico IPAM will not assign addresses
2167 description: 'Deprecated: this field is only used for APIv1 backwards
2168 compatibility. Setting this field is not allowed, this field is
2169 for internal use only.'
2172 description: When enabled is true, ipip tunneling will be used
2173 to deliver packets to destinations within this pool.
2176 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2177 mode of "always" will also use IPIP tunneling for routing to
2178 destination IP addresses within this pool. A mode of "cross-subnet"
2179 will only use IPIP tunneling when the destination node is on
2180 a different subnet to the originating node. The default value
2181 (if not specified) is "always".
2185 description: Contains configuration for IPIP tunneling for this pool.
2186 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2190 description: 'Deprecated: this field is only used for APIv1 backwards
2191 compatibility. Setting this field is not allowed, this field is
2192 for internal use only.'
2195 description: When nat-outgoing is true, packets sent from Calico networked
2196 containers in this pool to destinations outside of this pool will
2200 description: Allows IPPool to allocate for a specific node by label
2204 description: Contains configuration for VXLAN tunneling for this pool.
2205 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2206 tunneling is disabled).
2222 apiVersion: apiextensions.k8s.io/v1
2223 kind: CustomResourceDefinition
2225 name: kubecontrollersconfigurations.crd.projectcalico.org
2227 group: crd.projectcalico.org
2229 kind: KubeControllersConfiguration
2230 listKind: KubeControllersConfigurationList
2231 plural: kubecontrollersconfigurations
2232 singular: kubecontrollersconfiguration
2240 description: 'APIVersion defines the versioned schema of this representation
2241 of an object. Servers should convert recognized schemas to the latest
2242 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2245 description: 'Kind is a string value representing the REST resource this
2246 object represents. Servers may infer this from the endpoint the client
2247 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2252 description: KubeControllersConfigurationSpec contains the values of the
2253 Kubernetes controllers configuration.
2256 description: Controllers enables and configures individual Kubernetes
2260 description: Namespace enables and configures the namespace controller.
2261 Enabled by default, set to nil to disable.
2264 description: 'ReconcilerPeriod is the period to perform reconciliation
2265 with the Calico datastore. [Default: 5m]'
2269 description: Node enables and configures the node controller.
2270 Enabled by default, set to nil to disable.
2273 description: HostEndpoint controls syncing nodes to host endpoints.
2274 Disabled by default, set to nil to disable.
2277 description: 'AutoCreate enables automatic creation of
2278 host endpoints for every node. [Default: Disabled]'
2282 description: 'ReconcilerPeriod is the period to perform reconciliation
2283 with the Calico datastore. [Default: 5m]'
2286 description: 'SyncLabels controls whether to copy Kubernetes
2287 node labels to Calico nodes. [Default: Enabled]'
2291 description: Policy enables and configures the policy controller.
2292 Enabled by default, set to nil to disable.
2295 description: 'ReconcilerPeriod is the period to perform reconciliation
2296 with the Calico datastore. [Default: 5m]'
2300 description: ServiceAccount enables and configures the service
2301 account controller. Enabled by default, set to nil to disable.
2304 description: 'ReconcilerPeriod is the period to perform reconciliation
2305 with the Calico datastore. [Default: 5m]'
2309 description: WorkloadEndpoint enables and configures the workload
2310 endpoint controller. Enabled by default, set to nil to disable.
2313 description: 'ReconcilerPeriod is the period to perform reconciliation
2314 with the Calico datastore. [Default: 5m]'
2318 etcdV3CompactionPeriod:
2319 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2320 compaction requests. Set to 0 to disable. [Default: 10m]'
2323 description: 'HealthChecks enables or disables support for health
2324 checks [Default: Enabled]'
2327 description: 'LogSeverityScreen is the log severity above which logs
2328 are sent to the stdout. [Default: Info]'
2330 prometheusMetricsPort:
2331 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2332 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
2338 description: KubeControllersConfigurationStatus represents the status
2339 of the configuration. It's useful for admins to be able to see the actual
2340 config that was applied, which can be modified by environment variables
2341 on the kube-controllers process.
2344 additionalProperties:
2346 description: EnvironmentVars contains the environment variables on
2347 the kube-controllers that influenced the RunningConfig.
2350 description: RunningConfig contains the effective config that is running
2351 in the kube-controllers pod, after merging the API resource with
2352 any environment variables.
2355 description: Controllers enables and configures individual Kubernetes
2359 description: Namespace enables and configures the namespace
2360 controller. Enabled by default, set to nil to disable.
2363 description: 'ReconcilerPeriod is the period to perform
2364 reconciliation with the Calico datastore. [Default:
2369 description: Node enables and configures the node controller.
2370 Enabled by default, set to nil to disable.
2373 description: HostEndpoint controls syncing nodes to host
2374 endpoints. Disabled by default, set to nil to disable.
2377 description: 'AutoCreate enables automatic creation
2378 of host endpoints for every node. [Default: Disabled]'
2382 description: 'ReconcilerPeriod is the period to perform
2383 reconciliation with the Calico datastore. [Default:
2387 description: 'SyncLabels controls whether to copy Kubernetes
2388 node labels to Calico nodes. [Default: Enabled]'
2392 description: Policy enables and configures the policy controller.
2393 Enabled by default, set to nil to disable.
2396 description: 'ReconcilerPeriod is the period to perform
2397 reconciliation with the Calico datastore. [Default:
2402 description: ServiceAccount enables and configures the service
2403 account controller. Enabled by default, set to nil to disable.
2406 description: 'ReconcilerPeriod is the period to perform
2407 reconciliation with the Calico datastore. [Default:
2412 description: WorkloadEndpoint enables and configures the workload
2413 endpoint controller. Enabled by default, set to nil to disable.
2416 description: 'ReconcilerPeriod is the period to perform
2417 reconciliation with the Calico datastore. [Default:
2422 etcdV3CompactionPeriod:
2423 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2424 compaction requests. Set to 0 to disable. [Default: 10m]'
2427 description: 'HealthChecks enables or disables support for health
2428 checks [Default: Enabled]'
2431 description: 'LogSeverityScreen is the log severity above which
2432 logs are sent to the stdout. [Default: Info]'
2434 prometheusMetricsPort:
2435 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2436 metrics server should bind to. Set to 0 to disable. [Default:
2454 apiVersion: apiextensions.k8s.io/v1
2455 kind: CustomResourceDefinition
2457 name: networkpolicies.crd.projectcalico.org
2459 group: crd.projectcalico.org
2462 listKind: NetworkPolicyList
2463 plural: networkpolicies
2464 singular: networkpolicy
2472 description: 'APIVersion defines the versioned schema of this representation
2473 of an object. Servers should convert recognized schemas to the latest
2474 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2477 description: 'Kind is a string value representing the REST resource this
2478 object represents. Servers may infer this from the endpoint the client
2479 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2486 description: The ordered set of egress rules. Each rule contains
2487 a set of packet match criteria and a corresponding action to apply.
2489 description: "A Rule encapsulates a set of match criteria and an
2490 action. Both selector-based security Policy and security Profiles
2491 reference rules - separated out as a list of rules for both ingress
2492 and egress packet matching. \n Each positive match criteria has
2493 a negated version, prefixed with \"Not\". All the match criteria
2494 within a rule must be satisfied for a packet to match. A single
2495 rule can contain the positive and negative version of a match
2496 and both must be satisfied for the rule to match."
2501 description: Destination contains the match criteria that apply
2502 to destination entity.
2505 description: "NamespaceSelector is an optional field that
2506 contains a selector expression. Only traffic that originates
2507 from (or terminates at) endpoints within the selected
2508 namespaces will be matched. When both NamespaceSelector
2509 and Selector are defined on the same rule, then only workload
2510 endpoints that are matched by both selectors will be selected
2511 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2512 implies that the Selector is limited to selecting only
2513 workload endpoints in the same namespace as the NetworkPolicy.
2514 \n For NetworkPolicy, `global()` NamespaceSelector implies
2515 that the Selector is limited to selecting only GlobalNetworkSet
2516 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2517 NamespaceSelector implies the Selector applies to workload
2518 endpoints across all namespaces."
2521 description: Nets is an optional field that restricts the
2522 rule to only apply to traffic that originates from (or
2523 terminates at) IP addresses in any of the given subnets.
2528 description: NotNets is the negated version of the Nets
2534 description: NotPorts is the negated version of the Ports
2535 field. Since only some protocols have ports, if any ports
2536 are specified it requires the Protocol match in the Rule
2537 to be set to "TCP" or "UDP".
2543 x-kubernetes-int-or-string: true
2546 description: NotSelector is the negated version of the Selector
2547 field. See Selector field for subtleties with negated
2551 description: "Ports is an optional field that restricts
2552 the rule to only apply to traffic that has a source (destination)
2553 port that matches one of these ranges/values. This value
2554 is a list of integers or strings that represent ranges
2555 of ports. \n Since only some protocols have ports, if
2556 any ports are specified it requires the Protocol match
2557 in the Rule to be set to \"TCP\" or \"UDP\"."
2563 x-kubernetes-int-or-string: true
2566 description: "Selector is an optional field that contains
2567 a selector expression (see Policy for sample syntax).
2568 \ Only traffic that originates from (terminates at) endpoints
2569 matching the selector will be matched. \n Note that: in
2570 addition to the negated version of the Selector (see NotSelector
2571 below), the selector expression syntax itself supports
2572 negation. The two types of negation are subtly different.
2573 One negates the set of matched endpoints, the other negates
2574 the whole match: \n \tSelector = \"!has(my_label)\" matches
2575 packets that are from other Calico-controlled \tendpoints
2576 that do not have the label \"my_label\". \n \tNotSelector
2577 = \"has(my_label)\" matches packets that are not from
2578 Calico-controlled \tendpoints that do have the label \"my_label\".
2579 \n The effect is that the latter will accept packets from
2580 non-Calico sources whereas the former is limited to packets
2581 from Calico-controlled endpoints."
2584 description: ServiceAccounts is an optional field that restricts
2585 the rule to only apply to traffic that originates from
2586 (or terminates at) a pod running as a matching service
2590 description: Names is an optional field that restricts
2591 the rule to only apply to traffic that originates
2592 from (or terminates at) a pod running as a service
2593 account whose name is in the list.
2598 description: Selector is an optional field that restricts
2599 the rule to only apply to traffic that originates
2600 from (or terminates at) a pod running as a service
2601 account that matches the given label selector. If
2602 both Names and Selector are specified then they are
2608 description: HTTP contains match criteria that apply to HTTP
2612 description: Methods is an optional field that restricts
2613 the rule to apply only to HTTP requests that use one of
2614 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2615 methods are OR'd together.
2620 description: 'Paths is an optional field that restricts
2621 the rule to apply to HTTP requests that use one of the
2622 listed HTTP Paths. Multiple paths are OR''d together.
2623 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2624 ONLY specify either a `exact` or a `prefix` match. The
2625 validator will check for it.'
2627 description: 'HTTPPath specifies an HTTP path to match.
2628 It may be either of the form: exact: <path>: which matches
2629 the path exactly or prefix: <path-prefix>: which matches
2640 description: ICMP is an optional field that restricts the rule
2641 to apply to a specific type and code of ICMP traffic. This
2642 should only be specified if the Protocol field is set to "ICMP"
2646 description: Match on a specific ICMP code. If specified,
2647 the Type value must also be specified. This is a technical
2648 limitation imposed by the kernel's iptables firewall,
2649 which Calico uses to enforce the rule.
2652 description: Match on a specific ICMP type. For example
2653 a value of 8 refers to ICMP Echo Request (i.e. pings).
2657 description: IPVersion is an optional field that restricts the
2658 rule to only match a specific IP version.
2661 description: Metadata contains additional information for this
2665 additionalProperties:
2667 description: Annotations is a set of key value pairs that
2668 give extra information about the rule
2672 description: NotICMP is the negated version of the ICMP field.
2675 description: Match on a specific ICMP code. If specified,
2676 the Type value must also be specified. This is a technical
2677 limitation imposed by the kernel's iptables firewall,
2678 which Calico uses to enforce the rule.
2681 description: Match on a specific ICMP type. For example
2682 a value of 8 refers to ICMP Echo Request (i.e. pings).
2689 description: NotProtocol is the negated version of the Protocol
2692 x-kubernetes-int-or-string: true
2697 description: "Protocol is an optional field that restricts the
2698 rule to only apply to traffic of a specific IP protocol. Required
2699 if any of the EntityRules contain Ports (because ports only
2700 apply to certain protocols). \n Must be one of these string
2701 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2702 \"UDPLite\" or an integer in the range 1-255."
2704 x-kubernetes-int-or-string: true
2706 description: Source contains the match criteria that apply to
2710 description: "NamespaceSelector is an optional field that
2711 contains a selector expression. Only traffic that originates
2712 from (or terminates at) endpoints within the selected
2713 namespaces will be matched. When both NamespaceSelector
2714 and Selector are defined on the same rule, then only workload
2715 endpoints that are matched by both selectors will be selected
2716 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2717 implies that the Selector is limited to selecting only
2718 workload endpoints in the same namespace as the NetworkPolicy.
2719 \n For NetworkPolicy, `global()` NamespaceSelector implies
2720 that the Selector is limited to selecting only GlobalNetworkSet
2721 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2722 NamespaceSelector implies the Selector applies to workload
2723 endpoints across all namespaces."
2726 description: Nets is an optional field that restricts the
2727 rule to only apply to traffic that originates from (or
2728 terminates at) IP addresses in any of the given subnets.
2733 description: NotNets is the negated version of the Nets
2739 description: NotPorts is the negated version of the Ports
2740 field. Since only some protocols have ports, if any ports
2741 are specified it requires the Protocol match in the Rule
2742 to be set to "TCP" or "UDP".
2748 x-kubernetes-int-or-string: true
2751 description: NotSelector is the negated version of the Selector
2752 field. See Selector field for subtleties with negated
2756 description: "Ports is an optional field that restricts
2757 the rule to only apply to traffic that has a source (destination)
2758 port that matches one of these ranges/values. This value
2759 is a list of integers or strings that represent ranges
2760 of ports. \n Since only some protocols have ports, if
2761 any ports are specified it requires the Protocol match
2762 in the Rule to be set to \"TCP\" or \"UDP\"."
2768 x-kubernetes-int-or-string: true
2771 description: "Selector is an optional field that contains
2772 a selector expression (see Policy for sample syntax).
2773 \ Only traffic that originates from (terminates at) endpoints
2774 matching the selector will be matched. \n Note that: in
2775 addition to the negated version of the Selector (see NotSelector
2776 below), the selector expression syntax itself supports
2777 negation. The two types of negation are subtly different.
2778 One negates the set of matched endpoints, the other negates
2779 the whole match: \n \tSelector = \"!has(my_label)\" matches
2780 packets that are from other Calico-controlled \tendpoints
2781 that do not have the label \"my_label\". \n \tNotSelector
2782 = \"has(my_label)\" matches packets that are not from
2783 Calico-controlled \tendpoints that do have the label \"my_label\".
2784 \n The effect is that the latter will accept packets from
2785 non-Calico sources whereas the former is limited to packets
2786 from Calico-controlled endpoints."
2789 description: ServiceAccounts is an optional field that restricts
2790 the rule to only apply to traffic that originates from
2791 (or terminates at) a pod running as a matching service
2795 description: Names is an optional field that restricts
2796 the rule to only apply to traffic that originates
2797 from (or terminates at) a pod running as a service
2798 account whose name is in the list.
2803 description: Selector is an optional field that restricts
2804 the rule to only apply to traffic that originates
2805 from (or terminates at) a pod running as a service
2806 account that matches the given label selector. If
2807 both Names and Selector are specified then they are
2817 description: The ordered set of ingress rules. Each rule contains
2818 a set of packet match criteria and a corresponding action to apply.
2820 description: "A Rule encapsulates a set of match criteria and an
2821 action. Both selector-based security Policy and security Profiles
2822 reference rules - separated out as a list of rules for both ingress
2823 and egress packet matching. \n Each positive match criteria has
2824 a negated version, prefixed with \"Not\". All the match criteria
2825 within a rule must be satisfied for a packet to match. A single
2826 rule can contain the positive and negative version of a match
2827 and both must be satisfied for the rule to match."
2832 description: Destination contains the match criteria that apply
2833 to destination entity.
2836 description: "NamespaceSelector is an optional field that
2837 contains a selector expression. Only traffic that originates
2838 from (or terminates at) endpoints within the selected
2839 namespaces will be matched. When both NamespaceSelector
2840 and Selector are defined on the same rule, then only workload
2841 endpoints that are matched by both selectors will be selected
2842 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2843 implies that the Selector is limited to selecting only
2844 workload endpoints in the same namespace as the NetworkPolicy.
2845 \n For NetworkPolicy, `global()` NamespaceSelector implies
2846 that the Selector is limited to selecting only GlobalNetworkSet
2847 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2848 NamespaceSelector implies the Selector applies to workload
2849 endpoints across all namespaces."
2852 description: Nets is an optional field that restricts the
2853 rule to only apply to traffic that originates from (or
2854 terminates at) IP addresses in any of the given subnets.
2859 description: NotNets is the negated version of the Nets
2865 description: NotPorts is the negated version of the Ports
2866 field. Since only some protocols have ports, if any ports
2867 are specified it requires the Protocol match in the Rule
2868 to be set to "TCP" or "UDP".
2874 x-kubernetes-int-or-string: true
2877 description: NotSelector is the negated version of the Selector
2878 field. See Selector field for subtleties with negated
2882 description: "Ports is an optional field that restricts
2883 the rule to only apply to traffic that has a source (destination)
2884 port that matches one of these ranges/values. This value
2885 is a list of integers or strings that represent ranges
2886 of ports. \n Since only some protocols have ports, if
2887 any ports are specified it requires the Protocol match
2888 in the Rule to be set to \"TCP\" or \"UDP\"."
2894 x-kubernetes-int-or-string: true
2897 description: "Selector is an optional field that contains
2898 a selector expression (see Policy for sample syntax).
2899 \ Only traffic that originates from (terminates at) endpoints
2900 matching the selector will be matched. \n Note that: in
2901 addition to the negated version of the Selector (see NotSelector
2902 below), the selector expression syntax itself supports
2903 negation. The two types of negation are subtly different.
2904 One negates the set of matched endpoints, the other negates
2905 the whole match: \n \tSelector = \"!has(my_label)\" matches
2906 packets that are from other Calico-controlled \tendpoints
2907 that do not have the label \"my_label\". \n \tNotSelector
2908 = \"has(my_label)\" matches packets that are not from
2909 Calico-controlled \tendpoints that do have the label \"my_label\".
2910 \n The effect is that the latter will accept packets from
2911 non-Calico sources whereas the former is limited to packets
2912 from Calico-controlled endpoints."
2915 description: ServiceAccounts is an optional field that restricts
2916 the rule to only apply to traffic that originates from
2917 (or terminates at) a pod running as a matching service
2921 description: Names is an optional field that restricts
2922 the rule to only apply to traffic that originates
2923 from (or terminates at) a pod running as a service
2924 account whose name is in the list.
2929 description: Selector is an optional field that restricts
2930 the rule to only apply to traffic that originates
2931 from (or terminates at) a pod running as a service
2932 account that matches the given label selector. If
2933 both Names and Selector are specified then they are
2939 description: HTTP contains match criteria that apply to HTTP
2943 description: Methods is an optional field that restricts
2944 the rule to apply only to HTTP requests that use one of
2945 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2946 methods are OR'd together.
2951 description: 'Paths is an optional field that restricts
2952 the rule to apply to HTTP requests that use one of the
2953 listed HTTP Paths. Multiple paths are OR''d together.
2954 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2955 ONLY specify either a `exact` or a `prefix` match. The
2956 validator will check for it.'
2958 description: 'HTTPPath specifies an HTTP path to match.
2959 It may be either of the form: exact: <path>: which matches
2960 the path exactly or prefix: <path-prefix>: which matches
2971 description: ICMP is an optional field that restricts the rule
2972 to apply to a specific type and code of ICMP traffic. This
2973 should only be specified if the Protocol field is set to "ICMP"
2977 description: Match on a specific ICMP code. If specified,
2978 the Type value must also be specified. This is a technical
2979 limitation imposed by the kernel's iptables firewall,
2980 which Calico uses to enforce the rule.
2983 description: Match on a specific ICMP type. For example
2984 a value of 8 refers to ICMP Echo Request (i.e. pings).
2988 description: IPVersion is an optional field that restricts the
2989 rule to only match a specific IP version.
2992 description: Metadata contains additional information for this
2996 additionalProperties:
2998 description: Annotations is a set of key value pairs that
2999 give extra information about the rule
3003 description: NotICMP is the negated version of the ICMP field.
3006 description: Match on a specific ICMP code. If specified,
3007 the Type value must also be specified. This is a technical
3008 limitation imposed by the kernel's iptables firewall,
3009 which Calico uses to enforce the rule.
3012 description: Match on a specific ICMP type. For example
3013 a value of 8 refers to ICMP Echo Request (i.e. pings).
3020 description: NotProtocol is the negated version of the Protocol
3023 x-kubernetes-int-or-string: true
3028 description: "Protocol is an optional field that restricts the
3029 rule to only apply to traffic of a specific IP protocol. Required
3030 if any of the EntityRules contain Ports (because ports only
3031 apply to certain protocols). \n Must be one of these string
3032 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3033 \"UDPLite\" or an integer in the range 1-255."
3035 x-kubernetes-int-or-string: true
3037 description: Source contains the match criteria that apply to
3041 description: "NamespaceSelector is an optional field that
3042 contains a selector expression. Only traffic that originates
3043 from (or terminates at) endpoints within the selected
3044 namespaces will be matched. When both NamespaceSelector
3045 and Selector are defined on the same rule, then only workload
3046 endpoints that are matched by both selectors will be selected
3047 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
3048 implies that the Selector is limited to selecting only
3049 workload endpoints in the same namespace as the NetworkPolicy.
3050 \n For NetworkPolicy, `global()` NamespaceSelector implies
3051 that the Selector is limited to selecting only GlobalNetworkSet
3052 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
3053 NamespaceSelector implies the Selector applies to workload
3054 endpoints across all namespaces."
3057 description: Nets is an optional field that restricts the
3058 rule to only apply to traffic that originates from (or
3059 terminates at) IP addresses in any of the given subnets.
3064 description: NotNets is the negated version of the Nets
3070 description: NotPorts is the negated version of the Ports
3071 field. Since only some protocols have ports, if any ports
3072 are specified it requires the Protocol match in the Rule
3073 to be set to "TCP" or "UDP".
3079 x-kubernetes-int-or-string: true
3082 description: NotSelector is the negated version of the Selector
3083 field. See Selector field for subtleties with negated
3087 description: "Ports is an optional field that restricts
3088 the rule to only apply to traffic that has a source (destination)
3089 port that matches one of these ranges/values. This value
3090 is a list of integers or strings that represent ranges
3091 of ports. \n Since only some protocols have ports, if
3092 any ports are specified it requires the Protocol match
3093 in the Rule to be set to \"TCP\" or \"UDP\"."
3099 x-kubernetes-int-or-string: true
3102 description: "Selector is an optional field that contains
3103 a selector expression (see Policy for sample syntax).
3104 \ Only traffic that originates from (terminates at) endpoints
3105 matching the selector will be matched. \n Note that: in
3106 addition to the negated version of the Selector (see NotSelector
3107 below), the selector expression syntax itself supports
3108 negation. The two types of negation are subtly different.
3109 One negates the set of matched endpoints, the other negates
3110 the whole match: \n \tSelector = \"!has(my_label)\" matches
3111 packets that are from other Calico-controlled \tendpoints
3112 that do not have the label \"my_label\". \n \tNotSelector
3113 = \"has(my_label)\" matches packets that are not from
3114 Calico-controlled \tendpoints that do have the label \"my_label\".
3115 \n The effect is that the latter will accept packets from
3116 non-Calico sources whereas the former is limited to packets
3117 from Calico-controlled endpoints."
3120 description: ServiceAccounts is an optional field that restricts
3121 the rule to only apply to traffic that originates from
3122 (or terminates at) a pod running as a matching service
3126 description: Names is an optional field that restricts
3127 the rule to only apply to traffic that originates
3128 from (or terminates at) a pod running as a service
3129 account whose name is in the list.
3134 description: Selector is an optional field that restricts
3135 the rule to only apply to traffic that originates
3136 from (or terminates at) a pod running as a service
3137 account that matches the given label selector. If
3138 both Names and Selector are specified then they are
3148 description: Order is an optional field that specifies the order in
3149 which the policy is applied. Policies with higher "order" are applied
3150 after those with lower order. If the order is omitted, it may be
3151 considered to be "infinite" - i.e. the policy will be applied last. Policies
3152 with identical order will be applied in alphanumerical order based
3153 on the Policy "Name".
3156 description: "The selector is an expression used to pick pick out
3157 the endpoints that the policy should be applied to. \n Selector
3158 expressions follow this syntax: \n \tlabel == \"string_literal\"
3159 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3160 \ -> not equal; also matches if label is not present \tlabel in
3161 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3162 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3163 ... } -> true if the value of label X is not one of \"a\", \"b\",
3164 \"c\" \thas(label_name) -> True if that label is present \t! expr
3165 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3166 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3167 or the empty selector -> matches all endpoints. \n Label names are
3168 allowed to contain alphanumerics, -, _ and /. String literals are
3169 more permissive but they do not support escape characters. \n Examples
3170 (with made-up labels): \n \ttype == \"webserver\" && deployment
3171 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3172 \"dev\" \t! has(label_name)"
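The selector grammar above, and the Selector/NotSelector distinction described earlier for packets from non-Calico sources, are easiest to pin down by running them. The following evaluator is an added example written for this page, not Calico's own parser (libcalico-go's selector package is the authority). Function names such as `compile_selector` and `rule_matches_source` are this example's own; it also accepts `.` in label names, which the text does not list, because Kubernetes labels carry dotted prefixes.

```python
"""Evaluator for Calico selector expressions (added example, not Calico's own code).

Implements the syntax in the description above: ==, != (true when the label is absent),
in / not in against a {...} set, has(label), !, &&, ||, parentheses, and all() or the
empty selector matching every endpoint.  String literals have no escape characters.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

Labels = Dict[str, str]
Matcher = Callable[[Labels], bool]

_TOKEN = re.compile(r"""\s*(?:
      (?P<str>"[^"]*"|'[^']*')        # string literal, no escapes
    | (?P<op>==|!=|&&|\|\||[!(){},])  # operators and punctuation
    | (?P<word>[A-Za-z0-9_./-]+)      # label names and the keywords in, not, has, all
    )""", re.VERBOSE)


def tokenize(expr: str) -> List[Tuple[str, str]]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad selector near {expr[pos:]!r}")
        kind = m.lastgroup
        text = m.group(kind)
        tokens.append((kind, text[1:-1] if kind == "str" else text))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: || is lowest precedence, then &&, then unary ! and atoms."""

    def __init__(self, tokens: List[Tuple[str, str]]):
        self.toks, self.i = tokens, 0

    def peek(self) -> Tuple[Optional[str], Optional[str]]:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind: Optional[str] = None, text: Optional[str] = None) -> str:
        k, t = self.peek()
        if k is None or (kind and k != kind) or (text and t != text):
            raise ValueError(f"expected {text or kind}, got {t!r}")
        self.i += 1
        return t

    def parse(self) -> Matcher:
        if not self.toks:                       # empty selector matches all endpoints
            return lambda lb: True
        node = self.or_expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def or_expr(self) -> Matcher:
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            right = self.and_expr()
            left = (lambda l, r: lambda lb: l(lb) or r(lb))(left, right)
        return left

    def and_expr(self) -> Matcher:
        left = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            right = self.unary()
            left = (lambda l, r: lambda lb: l(lb) and r(lb))(left, right)
        return left

    def unary(self) -> Matcher:
        k, t = self.peek()
        if (k, t) == ("op", "!"):
            self.take()
            inner = self.unary()
            return lambda lb: not inner(lb)
        if (k, t) == ("op", "("):
            self.take()
            inner = self.or_expr()
            self.take("op", ")")
            return inner
        if (k, t) == ("word", "has"):
            self.take(); self.take("op", "(")
            name = self.take("word")
            self.take("op", ")")
            return lambda lb: name in lb
        if (k, t) == ("word", "all"):
            self.take(); self.take("op", "("); self.take("op", ")")
            return lambda lb: True
        name = self.take("word")
        _, op = self.peek()
        if op == "==":
            self.take(); lit = self.take("str")
            return lambda lb: lb.get(name) == lit
        if op == "!=":
            self.take(); lit = self.take("str")
            return lambda lb: lb.get(name) != lit      # absent label also matches
        negate = self.peek() == ("word", "not")
        if negate:
            self.take()
        self.take("word", "in")
        values = self.set_literal()
        if negate:
            return lambda lb: name not in lb or lb[name] not in values
        return lambda lb: lb.get(name) in values

    def set_literal(self) -> set:
        self.take("op", "{")
        vals = set()
        while True:
            vals.add(self.take("str"))
            if self.peek() == ("op", ","):
                self.take()
                continue
            self.take("op", "}")
            return vals


def compile_selector(expr: str) -> Matcher:
    return _Parser(tokenize(expr)).parse()


def rule_matches_source(selector: str, not_selector: str, source: Optional[Labels]) -> bool:
    """Apply a rule's Selector/NotSelector pair to a packet source.

    source is the label set of a Calico-controlled endpoint, or None for a non-Calico
    source.  A non-empty Selector can only be satisfied by a Calico endpoint, whereas
    NotSelector only ever excludes Calico endpoints, so non-Calico traffic passes it.
    """
    if selector.strip() and (source is None or not compile_selector(selector)(source)):
        return False
    if not_selector.strip() and source is not None and compile_selector(not_selector)(source):
        return False
    return True
```

`rule_matches_source("!has(my_label)", "", None)` is false while `rule_matches_source("", "has(my_label)", None)` is true, which is exactly the asymmetry the NotSelector description warns about: a rule written the second way also admits traffic from outside the Calico-managed set.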
3174 serviceAccountSelector:
3175 description: ServiceAccountSelector is an optional field for an expression
3176 used to select a pod based on service accounts.
3179 description: "Types indicates whether this policy applies to ingress,
3180 or to egress, or to both. When not explicitly specified (and so
3181 the value on creation is empty or nil), Calico defaults Types according
3182 to what Ingress and Egress are present in the policy. The default
3183 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3184 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3185 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3186 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3187 \n When the policy is read back again, Types will always be one
3188 of these values, never empty or nil."
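The Order and Types rules above have two consequences that are easy to get wrong when writing default-deny policies: a policy with no rules at all defaults to Types [Ingress], so it leaves egress untouched unless Types is set explicitly, and a policy with no Order sorts after every policy that has one. The helper below, an added example rather than Calico's own implementation, applies both rules to policy specs shaped like the CRD above; `effective_types` and `application_order` are names chosen for this example.

```python
"""Effective Types and application order for Calico policies (added example, not Calico code)."""
from typing import Dict, List

INGRESS, EGRESS = "Ingress", "Egress"


def effective_types(spec: Dict) -> List[str]:
    """Types as Calico reads them back: the explicit value, or the documented default."""
    if spec.get("types"):
        return list(spec["types"])
    has_ingress = bool(spec.get("ingress"))
    has_egress = bool(spec.get("egress"))
    if has_egress and has_ingress:
        return [INGRESS, EGRESS]
    if has_egress:
        return [EGRESS]
    return [INGRESS]        # no egress rules, including a policy with no rules at all


def restricts(spec: Dict, direction: str) -> bool:
    """True if the policy applies to the given direction ("Ingress" or "Egress")."""
    return direction in effective_types(spec)


def application_order(policies: List[Dict]) -> List[str]:
    """Names in the order the policies are applied: ascending order value, omitted
    order after every explicit one, ties broken alphanumerically by name."""
    def key(policy: Dict):
        order = policy["spec"].get("order")
        return (order is None, order if order is not None else 0, policy["metadata"]["name"])
    return [p["metadata"]["name"] for p in sorted(policies, key=key)]


# Constructed sample: a "deny-all" with no rules only isolates ingress.
DENY_ALL_IMPLICIT = {"selector": "all()"}
DENY_ALL_BOTH = {"selector": "all()", "types": [INGRESS, EGRESS]}
```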
3190 description: PolicyType enumerates the possible values of the PolicySpec
3206 apiVersion: apiextensions.k8s.io/v1
3207 kind: CustomResourceDefinition
3209 name: networksets.crd.projectcalico.org
3211 group: crd.projectcalico.org
3214 listKind: NetworkSetList
3216 singular: networkset
3222 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3225 description: 'APIVersion defines the versioned schema of this representation
3226 of an object. Servers should convert recognized schemas to the latest
3227 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3230 description: 'Kind is a string value representing the REST resource this
3231 object represents. Servers may infer this from the endpoint the client
3232 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3237 description: NetworkSetSpec contains the specification for a NetworkSet
3241 description: The list of IP networks that belong to this set.
3258 # Source: calico/templates/calico-kube-controllers-rbac.yaml
3260 # Include a clusterrole for the kube-controllers component,
3261 # and bind it to the calico-kube-controllers serviceaccount.
3263 apiVersion: rbac.authorization.k8s.io/v1
3265 name: calico-kube-controllers
3267 # Nodes are watched to monitor for deletions.
3275 # Pods are queried to check for existence.
3281 # IPAM resources are manipulated when nodes are deleted.
3282 - apiGroups: ["crd.projectcalico.org"]
3287 - apiGroups: ["crd.projectcalico.org"]
3299 # kube-controllers manages hostendpoints.
3300 - apiGroups: ["crd.projectcalico.org"]
3309 # Needs access to update clusterinformations.
3310 - apiGroups: ["crd.projectcalico.org"]
3312 - clusterinformations
3317 # KubeControllersConfiguration is where it gets its config
3318 - apiGroups: ["crd.projectcalico.org"]
3320 - kubecontrollersconfigurations
3322 # read its own config
3324 # create a default if none exists
3331 kind: ClusterRoleBinding
3332 apiVersion: rbac.authorization.k8s.io/v1
3334 name: calico-kube-controllers
3336 apiGroup: rbac.authorization.k8s.io
3338 name: calico-kube-controllers
3340 - kind: ServiceAccount
3341 name: calico-kube-controllers
3342 namespace: kube-system
3346 # Source: calico/templates/calico-node-rbac.yaml
3347 # Include a clusterrole for the calico-node DaemonSet,
3348 # and bind it to the calico-node serviceaccount.
3350 apiVersion: rbac.authorization.k8s.io/v1
3354 # The CNI plugin needs to get pods, nodes, and namespaces.
3367 # Used to discover service IPs for advertisement.
3370 # Used to discover Typhas.
3372 # Pod CIDR auto-detection on kubeadm needs access to config maps.
3382 # Needed for clearing NodeNetworkUnavailable flag.
3384 # Calico stores some configuration information in node annotations.
3386 # Watch for changes to Kubernetes NetworkPolicies.
3387 - apiGroups: ["networking.k8s.io"]
3393 # Used by Calico for policy information.
3402 # The CNI plugin patches pods/status.
3408 # Calico monitors various CRDs for config.
3409 - apiGroups: ["crd.projectcalico.org"]
3411 - globalfelixconfigs
3412 - felixconfigurations
3418 - globalnetworkpolicies
3422 - clusterinformations
3429 # Calico must create and update some CRDs on startup.
3430 - apiGroups: ["crd.projectcalico.org"]
3433 - felixconfigurations
3434 - clusterinformations
3438 # Calico stores some configuration information on the node.
3446 # These permissions are only required for upgrade from v2.6, and can
3447 # be removed after upgrade or on fresh installations.
3448 - apiGroups: ["crd.projectcalico.org"]
3455 # These permissions are required for Calico CNI to perform IPAM allocations.
3456 - apiGroups: ["crd.projectcalico.org"]
3467 - apiGroups: ["crd.projectcalico.org"]
3472 # Block affinities must also be watchable by confd for route aggregation.
3473 - apiGroups: ["crd.projectcalico.org"]
3478 # The Calico IPAM migration needs to get daemonsets. These permissions can be
3479 # removed if not upgrading from an installation using host-local IPAM.
3480 - apiGroups: ["apps"]
3487 apiVersion: rbac.authorization.k8s.io/v1
3488 kind: ClusterRoleBinding
3492 apiGroup: rbac.authorization.k8s.io
3496 - kind: ServiceAccount
3498 namespace: kube-system
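The comments in the two ClusterRoles above justify each grant by the operation that needs it, which makes them a usable least-privilege baseline: anything the bound ServiceAccount can do beyond that list is drift worth explaining. The script below is an added example, not part of the Calico manifests; the baseline rules are reconstructed from the comments and their verbs are assumptions (the page shows resources, not verbs), and the role under review is constructed with two deliberate drifts so the audit has something to report. Function names such as `audit` and `expand_rules` are this example's own.

```python
"""Least-privilege audit of a Calico ClusterRole (added example, not Calico's own code)."""
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

Grant = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core API group

# Grants a CNI data-plane agent has no reason to hold.
SENSITIVE: Set[Grant] = {
    ("", "secrets", "get"), ("", "secrets", "list"), ("", "secrets", "watch"),
    ("", "pods/exec", "create"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind"),
}


def expand_rules(rules: Iterable[Dict]) -> Set[Grant]:
    """Flatten RBAC rules into (group, resource, verb) triples."""
    out: Set[Grant] = set()
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def covers(grant: Grant, wanted: Grant) -> bool:
    """True if `grant`, which may contain '*' wildcards, permits `wanted`."""
    return all(g == "*" or g == w for g, w in zip(grant, wanted))


def audit(role: Dict, baseline: Set[Grant]) -> Dict[str, List[Grant]]:
    """Report wildcard grants, grants outside the baseline, and sensitive grants."""
    actual = expand_rules(role.get("rules", []))
    return {
        "wildcards": sorted(g for g in actual if "*" in g),
        "unexpected": sorted(g for g in actual if not any(covers(b, g) for b in baseline)),
        "sensitive": sorted(s for s in SENSITIVE if any(covers(g, s) for g in actual)),
    }


# Baseline for calico-node, reconstructed from the manifest comments; verbs are assumed.
CALICO_CRDS = ["felixconfigurations", "bgpconfigurations", "ippools", "globalnetworkpolicies",
               "networkpolicies", "networksets", "clusterinformations", "hostendpoints",
               "ipamblocks", "blockaffinities"]
BASELINE_RULES: List[Dict] = [
    {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch", "update"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["pods", "namespaces", "serviceaccounts"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["patch"]},
    {"apiGroups": ["crd.projectcalico.org"], "resources": CALICO_CRDS, "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["crd.projectcalico.org"], "resources": ["felixconfigurations", "clusterinformations"],
     "verbs": ["create", "update"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["get"]},
]
BASELINE_CALICO_NODE: Set[Grant] = expand_rules(BASELINE_RULES)

# Constructed role under review: the baseline plus two drifts an audit should catch.
ROLE_UNDER_REVIEW: Dict = {
    "kind": "ClusterRole", "metadata": {"name": "calico-node"},
    "rules": BASELINE_RULES + [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["crd.projectcalico.org"], "resources": ["*"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    # Pipe `kubectl get clusterrole calico-node -o json` in, or run with no input for the sample.
    role = ROLE_UNDER_REVIEW if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit(role, BASELINE_CALICO_NODE), indent=2))
```

For the effective view, which also includes grants reaching the ServiceAccount through other bindings, compare against `kubectl auth can-i --list --as=system:serviceaccount:kube-system:calico-node`.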
3501 # Source: calico/templates/calico-node.yaml
3502 # This manifest installs the calico-node container, as well
3503 # as the CNI plugins and network config on
3504 # each master and worker node in a Kubernetes cluster.
3509 namespace: kube-system
3511 k8s-app: calico-node
3515 k8s-app: calico-node
3523 k8s-app: calico-node
3526 kubernetes.io/os: linux
3529 # Make sure calico-node gets scheduled on all nodes.
3530 - effect: NoSchedule
3532 # Mark the pod as a critical add-on for rescheduling.
3533 - key: CriticalAddonsOnly
3537 serviceAccountName: calico-node
3538 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
3539 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
3540 terminationGracePeriodSeconds: 0
3541 priorityClassName: system-node-critical
3543 # This container performs upgrade from host-local IPAM to calico-ipam.
3544 # It can be deleted if this is a fresh installation, or if you have already
3545 # upgraded to use calico-ipam.
3546 - name: upgrade-ipam
3547 image: docker.io/calico/cni:v3.19.2
3548 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
3551 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3552 name: kubernetes-services-endpoint
3555 - name: KUBERNETES_NODE_NAME
3558 fieldPath: spec.nodeName
3559 - name: CALICO_NETWORKING_BACKEND
3565 - mountPath: /var/lib/cni/networks
3566 name: host-local-net-dir
3567 - mountPath: /host/opt/cni/bin
3571 # This container installs the CNI binaries
3572 # and CNI network config file on each node.
3574 image: docker.io/calico/cni:v3.19.2
3575 command: ["/opt/cni/bin/install"]
3578 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3579 name: kubernetes-services-endpoint
3582 # Name of the CNI config file to create.
3583 - name: CNI_CONF_NAME
3584 value: "10-calico.conflist"
3585 # The CNI network config to install on each node.
3586 - name: CNI_NETWORK_CONFIG
3590 key: cni_network_config
3591 # Set the hostname based on the k8s node name.
3592 - name: KUBERNETES_NODE_NAME
3595 fieldPath: spec.nodeName
3596 # CNI MTU Config variable
3602 # Prevents the container from sleeping forever.
3606 - mountPath: /host/opt/cni/bin
3608 - mountPath: /host/etc/cni/net.d
3612 # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
3613 # to communicate with Felix over the Policy Sync API.
3614 - name: flexvol-driver
3615 image: docker.io/calico/pod2daemon-flexvol:v3.19.2
3617 - name: flexvol-driver-host
3618 mountPath: /host/driver
3622 # Runs calico-node container on each Kubernetes node. This
3623 # container programs network policy and routes on each
3626 image: docker.io/calico/node:v3.19.2
3629 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3630 name: kubernetes-services-endpoint
3633 # Use Kubernetes API as the backing datastore.
3634 - name: DATASTORE_TYPE
3636 # Wait for the datastore.
3637 - name: WAIT_FOR_DATASTORE
3639 # Set based on the k8s node name.
3643 fieldPath: spec.nodeName
3644 # Choose the backend to use.
3645 - name: CALICO_NETWORKING_BACKEND
3650 # Cluster type to identify the deployment type
3651 - name: CLUSTER_TYPE
3653 # Auto-detect the BGP IP address. can-reach=<addr> picks whichever interface the host would use to route to <addr>; on multi-homed nodes prefer interface=<regex> or cidr=<subnet> so the choice is deterministic.
3656 - name: IP_AUTODETECTION_METHOD
3657 value: "can-reach=8.8.8.8"
3659 - name: CALICO_IPV4POOL_IPIP
3661 # Enable or Disable VXLAN on the default IP pool.
3662 - name: CALICO_IPV4POOL_VXLAN
3664 # Set MTU for tunnel device used if ipip is enabled
3665 - name: FELIX_IPINIPMTU
3670 # Set MTU for the VXLAN tunnel device.
3671 - name: FELIX_VXLANMTU
3676 # Set MTU for the Wireguard tunnel device.
3677 - name: FELIX_WIREGUARDMTU
3682 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
3683 # chosen from this range. Changing this value after installation will have
3684 # no effect. This should fall within `--cluster-cidr`.
3685 - name: CALICO_IPV4POOL_CIDR
3686 value: "192.168.0.0/16"
3687 # Disable file logging so `kubectl logs` works.
3688 - name: CALICO_DISABLE_FILE_LOGGING
3690 # Set Felix endpoint-to-host default action to ACCEPT. Felix's own default is DROP; RETURN hands workload-to-host packets to the host's iptables rules instead of allowing them outright.
3691 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
3693 # Disable IPv6 on Kubernetes.
3694 - name: FELIX_IPV6SUPPORT
3696 - name: FELIX_HEALTHENABLED
3710 initialDelaySeconds: 10
3720 - mountPath: /lib/modules
3723 - mountPath: /run/xtables.lock
3726 - mountPath: /var/run/calico
3727 name: var-run-calico
3729 - mountPath: /var/lib/calico
3730 name: var-lib-calico
3733 mountPath: /var/run/nodeagent
3734 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
3738 # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
3739 # If the host is known to mount that filesystem already then Bidirectional can be omitted.
3740 mountPropagation: Bidirectional
3742 mountPath: /var/log/calico/cni
3745 # Used by calico-node.
3749 - name: var-run-calico
3751 path: /var/run/calico
3752 - name: var-lib-calico
3754 path: /var/lib/calico
3755 - name: xtables-lock
3757 path: /run/xtables.lock
3762 type: DirectoryOrCreate
3763 # Used to install CNI.
3769 path: /etc/cni/net.d
3770 # Used to access CNI logs.
3773 path: /var/log/calico/cni
3774 # Mount in the directory for host-local IPAM allocations. This is
3775 # used when upgrading from host-local to calico-ipam, and can be removed
3776 # if not using the upgrade-ipam init container.
3777 - name: host-local-net-dir
3779 path: /var/lib/cni/networks
3780 # Used to create per-pod Unix Domain Sockets
3783 type: DirectoryOrCreate
3784 path: /var/run/nodeagent
3785 # Used to install Flex Volume Driver
3786 - name: flexvol-driver-host
3788 type: DirectoryOrCreate
3789 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
3793 kind: ServiceAccount
3796 namespace: kube-system
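Three of the calico-node environment settings above are the ones most often wrong in practice: CALICO_IPV4POOL_CIDR must fall within the controller-manager's `--cluster-cidr` (and, as the comment says, changing it later has no effect), `can-reach=8.8.8.8` ties address detection to host routing, and FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT opens workload-to-host traffic. The checker below is an added example, not Calico's own tooling; the sample container is constructed from the values the manifest sets, the cluster CIDR is a caller-supplied assumption because it is not visible from the DaemonSet, and the function names are this example's own.

```python
"""Sanity checks for calico-node environment settings (added example, not Calico's own code)."""
import ipaddress
from typing import Dict, List

# Constructed sample reproducing the manifest's literal values; only needed fields included.
CALICO_NODE_CONTAINER: Dict = {
    "name": "calico-node",
    "env": [
        {"name": "DATASTORE_TYPE", "value": "kubernetes"},
        {"name": "NODENAME", "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}},
        {"name": "IP_AUTODETECTION_METHOD", "value": "can-reach=8.8.8.8"},
        {"name": "CALICO_IPV4POOL_CIDR", "value": "192.168.0.0/16"},
        {"name": "FELIX_DEFAULTENDPOINTTOHOSTACTION", "value": "ACCEPT"},
    ],
}


def env_map(container: Dict) -> Dict[str, str]:
    """Collapse a container's env list to name -> literal value; valueFrom entries are skipped."""
    return {e["name"]: e["value"] for e in container.get("env", []) if "value" in e}


def check_calico_node_env(env: Dict[str, str], cluster_cidr: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    pool = env.get("CALICO_IPV4POOL_CIDR")
    if pool:
        try:
            pool_net = ipaddress.ip_network(pool, strict=True)
            cluster_net = ipaddress.ip_network(cluster_cidr, strict=True)
            if not pool_net.subnet_of(cluster_net):
                findings.append(f"CALICO_IPV4POOL_CIDR {pool} is not within --cluster-cidr {cluster_cidr}")
        except (ValueError, TypeError) as exc:   # host bits set, or mixed address families
            findings.append(f"CALICO_IPV4POOL_CIDR {pool}: {exc}")

    method = env.get("IP_AUTODETECTION_METHOD", "first-found")   # first-found is Calico's default
    if method == "first-found" or method.startswith("can-reach="):
        findings.append(f"IP_AUTODETECTION_METHOD={method} depends on host routing or interface "
                        "order; prefer interface=<regex> or cidr=<subnet> on multi-homed nodes")

    action = env.get("FELIX_DEFAULTENDPOINTTOHOSTACTION", "DROP").upper()   # DROP is Felix's default
    if action == "ACCEPT":
        findings.append("FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT allows all workload-to-host "
                        "traffic; use RETURN to defer to the host's own iptables rules, or DROP")
    return findings


if __name__ == "__main__":
    for line in check_calico_node_env(env_map(CALICO_NODE_CONTAINER), "192.168.0.0/16"):
        print(line)
```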
3799 # Source: calico/templates/calico-kube-controllers.yaml
3800 # See https://github.com/projectcalico/kube-controllers
3804 name: calico-kube-controllers
3805 namespace: kube-system
3807 k8s-app: calico-kube-controllers
3809 # The controllers can only have a single active instance.
3813 k8s-app: calico-kube-controllers
3818 name: calico-kube-controllers
3819 namespace: kube-system
3821 k8s-app: calico-kube-controllers
3824 kubernetes.io/os: linux
3826 # Mark the pod as a critical add-on for rescheduling.
3827 - key: CriticalAddonsOnly
3829 - key: node-role.kubernetes.io/master
3831 serviceAccountName: calico-kube-controllers
3832 priorityClassName: system-cluster-critical
3834 - name: calico-kube-controllers
3835 image: docker.io/calico/kube-controllers:v3.19.2
3837 # Choose which controllers to run.
3838 - name: ENABLED_CONTROLLERS
3840 - name: DATASTORE_TYPE
3845 - /usr/bin/check-status
3848 initialDelaySeconds: 10
3853 - /usr/bin/check-status
3860 kind: ServiceAccount
3862 name: calico-kube-controllers
3863 namespace: kube-system
3867 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
3869 apiVersion: policy/v1beta1
3870 kind: PodDisruptionBudget
3872 name: calico-kube-controllers
3873 namespace: kube-system
3875 k8s-app: calico-kube-controllers
3880 k8s-app: calico-kube-controllers
3883 # Source: calico/templates/calico-etcd-secrets.yaml
3886 # Source: calico/templates/calico-typha.yaml
3889 # Source: calico/templates/configure-canal.yaml