2 # Source: calico/templates/calico-config.yaml
3 # This ConfigMap is used to configure a self-hosted Calico installation.
11 typha_service_name: "none"
12 # Configure the backend to use.
13 calico_backend: "bird"
15 # Configure the MTU to use for workload interfaces and tunnels.
16 # By default, MTU is auto-detected, and explicitly setting this field should not be required.
17 # You can override auto-detection by providing a non-zero value.
20 # The CNI network configuration to install on each node. The special
21 # values in this config will be automatically populated.
22 cni_network_config: |-
24 "name": "k8s-pod-network",
25 "cniVersion": "0.3.1",
30 "log_file_path": "/var/log/calico/cni/cni.log",
31 "datastore_type": "kubernetes",
32 "nodename": "__KUBERNETES_NODE_NAME__",
41 "kubeconfig": "__KUBECONFIG_FILEPATH__"
47 "capabilities": {"portMappings": true}
51 "capabilities": {"bandwidth": true}
57 # Source: calico/templates/kdd-crds.yaml
59 apiVersion: apiextensions.k8s.io/v1
60 kind: CustomResourceDefinition
62 name: bgpconfigurations.crd.projectcalico.org
64 group: crd.projectcalico.org
66 kind: BGPConfiguration
67 listKind: BGPConfigurationList
68 plural: bgpconfigurations
69 singular: bgpconfiguration
75 description: BGPConfiguration contains the configuration for any BGP routing.
78 description: 'APIVersion defines the versioned schema of this representation
79 of an object. Servers should convert recognized schemas to the latest
80 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
83 description: 'Kind is a string value representing the REST resource this
84 object represents. Servers may infer this from the endpoint the client
85 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
90 description: BGPConfigurationSpec contains the values of the BGP configuration.
93 description: 'ASNumber is the default AS number used by a node. [Default:
98 description: BindMode indicates whether to listen for BGP connections
99 on all addresses (None) or only on the node's canonical IP address
100 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
101 for BGP connections on all addresses.
104 description: Communities is a list of BGP community values and their
105 arbitrary names for tagging routes.
107 description: Community contains standard or large community value
111 description: Name given to community value.
114 description: Value must be of format `aa:nn` or `aa:nn:mm`.
115 For standard community use `aa:nn` format, where `aa` and
116 `nn` are 16 bit number. For large community use `aa:nn:mm`
117 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
118 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
119 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
124 description: ListenPort is the port where BGP protocol should listen.
130 description: 'LogSeverityScreen is the log severity above which logs
131 are sent to the stdout. [Default: INFO]'
133 nodeMeshMaxRestartTime:
134 description: Time to allow for software restart for node-to-mesh peerings. When
135 specified, this is configured as the graceful restart timeout. When
136 not specified, the BIRD default of 120s is used. This field can
137 only be set on the default BGPConfiguration instance and requires
138 that NodeMesh is enabled
141 description: Optional BGP password for full node-to-mesh peerings.
142 This field can only be set on the default BGPConfiguration instance
143 and requires that NodeMesh is enabled
146 description: Selects a key of a secret in the node pod's namespace.
149 description: The key of the secret to select from. Must be
153 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
154 TODO: Add other useful fields. apiVersion, kind, uid?'
157 description: Specify whether the Secret or its key must be
164 nodeToNodeMeshEnabled:
165 description: 'NodeToNodeMeshEnabled sets whether full node to node
166 BGP mesh is enabled. [Default: true]'
168 prefixAdvertisements:
169 description: PrefixAdvertisements contains per-prefix advertisement
172 description: PrefixAdvertisement configures advertisement properties
173 for the specified CIDR.
176 description: CIDR for which properties should be advertised.
179 description: Communities can be list of either community names
180 already defined in `Specs.Communities` or community value
181 of format `aa:nn` or `aa:nn:mm`. For standard community use
182 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
183 large community use `aa:nn:mm` format, where `aa`, `nn` and
184 `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and
185 `mm` are per-AS identifier.
192 description: ServiceClusterIPs are the CIDR blocks from which service
193 cluster IPs are allocated. If specified, Calico will advertise these
194 blocks, as well as any cluster IPs within them.
196 description: ServiceClusterIPBlock represents a single allowed ClusterIP
204 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
205 Service External IPs. Kubernetes Service ExternalIPs will only be
206 advertised if they are within one of these blocks.
208 description: ServiceExternalIPBlock represents a single allowed
209 External IP CIDR block.
215 serviceLoadBalancerIPs:
216 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
217 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
218 IPs will only be advertised if they are within one of these blocks.
220 description: ServiceLoadBalancerIPBlock represents a single allowed
221 LoadBalancer IP CIDR block.
239 apiVersion: apiextensions.k8s.io/v1
240 kind: CustomResourceDefinition
242 name: bgppeers.crd.projectcalico.org
244 group: crd.projectcalico.org
247 listKind: BGPPeerList
257 description: 'APIVersion defines the versioned schema of this representation
258 of an object. Servers should convert recognized schemas to the latest
259 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
262 description: 'Kind is a string value representing the REST resource this
263 object represents. Servers may infer this from the endpoint the client
264 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
269 description: BGPPeerSpec contains the specification for a BGPPeer resource.
272 description: The AS Number of the peer.
276 description: Option to keep the original nexthop field when routes
277 are sent to a BGP Peer. Setting "true" configures the selected BGP
278 Peers node to use the "next hop keep;" instead of "next hop self;" (default)
279 in the specific branch of the Node on "bird.cfg".
282 description: Time to allow for software restart. When specified,
283 this is configured as the graceful restart timeout. When not specified,
284 the BIRD default of 120s is used.
287 description: The node name identifying the Calico node instance that
288 is targeted by this peer. If this is not set, and no nodeSelector
289 is specified, then this BGP peer selects all nodes in the cluster.
292 description: Selector for the nodes that should have this peering. When
293 this is set, the Node field must be empty.
295 numAllowedLocalASNumbers:
296 description: Maximum number of local AS numbers that are allowed in
297 the AS path for received routes. This removes BGP loop prevention
298 and should only be used if absolutely necessary.
302 description: Optional BGP password for the peerings generated by this
306 description: Selects a key of a secret in the node pod's namespace.
309 description: The key of the secret to select from. Must be
313 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
314 TODO: Add other useful fields. apiVersion, kind, uid?'
317 description: Specify whether the Secret or its key must be
325 description: The IP address of the peer followed by an optional port
326 number to peer with. If port number is given, format should be `[<IPv6>]:port`
327 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
328 and this peer IP and ASNumber belongs to a calico/node with ListenPort
329 set in BGPConfiguration, then we use that port to peer.
332 description: Selector for the remote nodes to peer with. When this
333 is set, the PeerIP and ASNumber fields must be empty. For each
334 peering between the local node and selected remote nodes, we configure
335 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
336 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
337 remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
338 or the global default if that is not set.
341 description: Specifies whether and how to configure a source address
342 for the peerings generated by this BGPPeer resource. Default value
343 "UseNodeIP" means to configure the node IP as the source address. "None"
344 means not to configure a source address.
358 apiVersion: apiextensions.k8s.io/v1
359 kind: CustomResourceDefinition
361 name: blockaffinities.crd.projectcalico.org
363 group: crd.projectcalico.org
366 listKind: BlockAffinityList
367 plural: blockaffinities
368 singular: blockaffinity
376 description: 'APIVersion defines the versioned schema of this representation
377 of an object. Servers should convert recognized schemas to the latest
378 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
381 description: 'Kind is a string value representing the REST resource this
382 object represents. Servers may infer this from the endpoint the client
383 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
388 description: BlockAffinitySpec contains the specification for a BlockAffinity
394 description: Deleted indicates that this block affinity is being deleted.
395 This field is a string for compatibility with older releases that
396 mistakenly treat this field as a string.
419 apiVersion: apiextensions.k8s.io/v1
420 kind: CustomResourceDefinition
423 controller-gen.kubebuilder.io/version: (devel)
424 creationTimestamp: null
425 name: caliconodestatuses.crd.projectcalico.org
427 group: crd.projectcalico.org
429 kind: CalicoNodeStatus
430 listKind: CalicoNodeStatusList
431 plural: caliconodestatuses
432 singular: caliconodestatus
440 description: 'APIVersion defines the versioned schema of this representation
441 of an object. Servers should convert recognized schemas to the latest
442 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
445 description: 'Kind is a string value representing the REST resource this
446 object represents. Servers may infer this from the endpoint the client
447 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
452 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
456 description: Classes declares the types of information to monitor
457 for this calico/node, and allows for selective status reporting
458 about certain subsets of information.
463 description: The node name identifies the Calico node instance for
467 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
468 should be updated. Set to 0 to disable CalicoNodeStatus refresh.
469 Maximum update period is one day.
474 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
475 No validation needed for status since it is updated by Calico.
478 description: Agent holds agent status on the node.
481 description: BIRDV4 represents the latest observed status of bird4.
484 description: LastBootTime holds the value of lastBootTime
485 from bird.ctl output.
487 lastReconfigurationTime:
488 description: LastReconfigurationTime holds the value of lastReconfigTime
489 from bird.ctl output.
492 description: Router ID used by bird.
495 description: The state of the BGP Daemon.
498 description: Version of the BGP daemon
502 description: BIRDV6 represents the latest observed status of bird6.
505 description: LastBootTime holds the value of lastBootTime
506 from bird.ctl output.
508 lastReconfigurationTime:
509 description: LastReconfigurationTime holds the value of lastReconfigTime
510 from bird.ctl output.
513 description: Router ID used by bird.
516 description: The state of the BGP Daemon.
519 description: Version of the BGP daemon
524 description: BGP holds node BGP status.
527 description: The total number of IPv4 established bgp sessions.
530 description: The total number of IPv6 established bgp sessions.
532 numberNotEstablishedV4:
533 description: The total number of IPv4 non-established bgp sessions.
535 numberNotEstablishedV6:
536 description: The total number of IPv6 non-established bgp sessions.
539 description: PeersV4 represents IPv4 BGP peers status on the node.
541 description: CalicoNodePeer contains the status of BGP peers
545 description: IP address of the peer whose condition we are
549 description: Since the state or reason last changed.
552 description: State is the BGP session state.
555 description: Type indicates whether this peer is configured
556 via the node-to-node mesh, or via an explicit global or
557 per-node BGPPeer object.
562 description: PeersV6 represents IPv6 BGP peers status on the node.
564 description: CalicoNodePeer contains the status of BGP peers
568 description: IP address of the peer whose condition we are
572 description: Since the state or reason last changed.
575 description: State is the BGP session state.
578 description: Type indicates whether this peer is configured
579 via the node-to-node mesh, or via an explicit global or
580 per-node BGPPeer object.
585 - numberEstablishedV4
586 - numberEstablishedV6
587 - numberNotEstablishedV4
588 - numberNotEstablishedV6
591 description: LastUpdated is a timestamp representing the server time
592 when CalicoNodeStatus object last updated. It is represented in
593 RFC3339 form and is in UTC.
598 description: Routes reports routes known to the Calico BGP daemon
602 description: RoutesV4 represents IPv4 routes on the node.
604 description: CalicoNodeRoute contains the status of BGP routes
608 description: Destination of the route.
611 description: Gateway for the destination.
614 description: Interface for the destination
617 description: LearnedFrom contains information regarding
618 where this route originated.
621 description: If sourceType is NodeMesh or BGPPeer, IP
622 address of the router that sent us this route.
625 description: Type of the source where a route is learned
630 description: Type indicates if the route is being used for
636 description: RoutesV6 represents IPv6 routes on the node.
638 description: CalicoNodeRoute contains the status of BGP routes
642 description: Destination of the route.
645 description: Gateway for the destination.
648 description: Interface for the destination
651 description: LearnedFrom contains information regarding
652 where this route originated.
655 description: If sourceType is NodeMesh or BGPPeer, IP
656 address of the router that sent us this route.
659 description: Type of the source where a route is learned
664 description: Type indicates if the route is being used for
682 apiVersion: apiextensions.k8s.io/v1
683 kind: CustomResourceDefinition
685 name: clusterinformations.crd.projectcalico.org
687 group: crd.projectcalico.org
689 kind: ClusterInformation
690 listKind: ClusterInformationList
691 plural: clusterinformations
692 singular: clusterinformation
698 description: ClusterInformation contains the cluster specific information.
701 description: 'APIVersion defines the versioned schema of this representation
702 of an object. Servers should convert recognized schemas to the latest
703 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
706 description: 'Kind is a string value representing the REST resource this
707 object represents. Servers may infer this from the endpoint the client
708 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
713 description: ClusterInformationSpec contains the values of describing
717 description: CalicoVersion is the version of Calico that the cluster
721 description: ClusterGUID is the GUID of the cluster
724 description: ClusterType describes the type of the cluster
727 description: DatastoreReady is used during significant datastore migrations
728 to signal to components such as Felix that it should wait before
729 accessing the datastore.
732 description: Variant declares which variant of Calico should be active.
746 apiVersion: apiextensions.k8s.io/v1
747 kind: CustomResourceDefinition
749 name: felixconfigurations.crd.projectcalico.org
751 group: crd.projectcalico.org
753 kind: FelixConfiguration
754 listKind: FelixConfigurationList
755 plural: felixconfigurations
756 singular: felixconfiguration
762 description: Felix Configuration contains the configuration for Felix.
765 description: 'APIVersion defines the versioned schema of this representation
766 of an object. Servers should convert recognized schemas to the latest
767 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
770 description: 'Kind is a string value representing the REST resource this
771 object represents. Servers may infer this from the endpoint the client
772 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
777 description: FelixConfigurationSpec contains the values of the Felix configuration.
779 allowIPIPPacketsFromWorkloads:
780 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
781 will add a rule to drop IPIP encapsulated traffic from workloads
784 allowVXLANPacketsFromWorkloads:
785 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
786 will add a rule to drop VXLAN encapsulated traffic from workloads
790 description: 'Set source-destination-check on AWS EC2 instances. Accepted
791 value must be one of "DoNothing", "Enable" or "Disable". [Default:
798 bpfConnectTimeLoadBalancingEnabled:
799 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
800 controls whether Felix installs the connection-time load balancer. The
801 connect-time load balancer is required for the host to be able to
802 reach Kubernetes services and it improves the performance of pod-to-service
803 connections. The only reason to disable it is for debugging purposes. [Default:
807 description: BPFDataIfacePattern is a regular expression that controls
808 which interfaces Felix should attach BPF programs to in order to
809 catch traffic to/from the network. This needs to match the interfaces
810 that Calico workload traffic flows over as well as any interfaces
811 that handle incoming traffic to nodeports and services from outside
812 the cluster. It should not match the workload interfaces (usually
815 bpfDisableUnprivileged:
816 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
817 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
818 users cannot access Calico''s BPF maps and cannot insert their own
819 BPF programs to interfere with Calico''s. [Default: true]'
822 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
826 description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
827 BPF programs regardless of what is the per-interfaces or global
828 setting. Possible values are Disabled or Strict. [Default: Strict]'
830 bpfExtToServiceConnmark:
831 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
832 mark that is set on connections from an external client to a local
833 service. This mark allows us to control how packets of that connection
834 are routed within the host and how routing is interpreted by RPF
837 bpfExternalServiceMode:
838 description: 'BPFExternalServiceMode in BPF mode, controls how connections
839 from outside the cluster to services (node ports and cluster IPs)
840 are forwarded to remote workloads. If set to "Tunnel" then both
841 request and response traffic is tunneled to the remote node. If
842 set to "DSR", the request traffic is tunneled but the response traffic
843 is sent directly from the remote node. In "DSR" mode, the remote
844 node appears to use the IP of the ingress node; this requires a
845 permissive L2 network. [Default: Tunnel]'
847 bpfKubeProxyEndpointSlicesEnabled:
848 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
849 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
851 bpfKubeProxyIptablesCleanupEnabled:
852 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
853 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
854 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
857 bpfKubeProxyMinSyncPeriod:
858 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
859 minimum time between updates to the dataplane for Felix''s embedded
860 kube-proxy. Lower values give reduced set-up latency. Higher values
861 reduce Felix CPU usage by batching up more work. [Default: 1s]'
864 description: 'BPFLogLevel controls the log level of the BPF programs
865 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
866 logs are emitted to the BPF trace pipe, accessible with the command
867 `tc exec bpf debug`. [Default: Off].'
870 description: 'BPFMapSizeConntrack sets the size for the conntrack
871 map. This map must be large enough to hold an entry for each active
872 connection. Warning: changing the size of the conntrack map can
876 description: BPFMapSizeIPSets sets the size for ipsets map. The IP
877 sets map must be large enough to hold an entry for each endpoint
878 matched by every selector in the source/destination matches in network
879 policy. Selectors such as "all()" can result in large numbers of
880 entries (one entry per endpoint in that case).
882 bpfMapSizeNATAffinity:
884 bpfMapSizeNATBackend:
885 description: BPFMapSizeNATBackend sets the size for nat back end map.
886 This is the total number of endpoints. This is usually larger than
887 the number of services.
889 bpfMapSizeNATFrontend:
890 description: BPFMapSizeNATFrontend sets the size for nat front end
891 map. FrontendMap should be large enough to hold an entry for each
892 nodeport, external IP and each port in each service.
895 description: BPFMapSizeRoute sets the size for the routes map. The
896 routes map should be large enough to hold one entry per workload
897 and a handful of entries per host (enough to cover its own IPs and
904 description: 'BPFPSNATPorts sets the range from which we randomly
905 pick a port if there is a source port collision. This should be
906 within the ephemeral range as defined by RFC 6056 (1024–65535) and
907 preferably outside the ephemeral ranges used by common operating
908 systems. Linux uses 32768–60999, while others mostly use the IANA
909 defined range 49152–65535. It is not necessarily a problem if this
910 range overlaps with the operating systems. Both ends of the range
911 are inclusive. [Default: 20000:29999]'
913 x-kubernetes-int-or-string: true
915 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
916 top-level iptables chains by inserting a rule at the top of the
917 chain or by appending a rule at the bottom. insert is the safe default
918 since it prevents Calico''s rules from being bypassed. If you switch
919 to append mode, be sure that the other rules in the chains signal
920 acceptance by falling through to the Calico rules, otherwise the
921 Calico policy will be bypassed. [Default: insert]'
924 description: DataplaneDriver filename of the external dataplane driver
925 to use. Only used if UseInternalDataplaneDriver is set to false.
927 dataplaneWatchdogTimeout:
928 description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
929 used for Felix''s (internal) dataplane driver. Increase this value
930 if you experience spurious non-ready or non-live events when Felix
931 is under heavy load. Decrease the value to get felix to report non-live
932 or non-ready more quickly. [Default: 90s]'
934 debugDisableLogDropping:
936 debugMemoryProfilePath:
938 debugSimulateCalcGraphHangAfter:
940 debugSimulateDataplaneHangAfter:
942 defaultEndpointToHostAction:
943 description: 'DefaultEndpointToHostAction controls what happens to
944 traffic that goes from a workload endpoint to the host itself (after
945 the traffic hits the endpoint egress policy). By default Calico
946 blocks traffic from workload endpoints to the host itself with an
947 iptables "DROP" action. If you want to allow some or all traffic
948 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
949 RETURN if you have your own rules in the iptables "INPUT" chain;
950 Calico will insert its rules at the top of that chain, then "RETURN"
951 packets to the "INPUT" chain once it has completed processing workload
952 endpoint egress policy. Use ACCEPT to unconditionally accept packets
953 from workloads after processing workload endpoint egress policy.
957 description: This defines the route protocol added to programmed device
958 routes, by default this will be RTPROT_BOOT when left blank.
960 deviceRouteSourceAddress:
961 description: This is the IPv4 source address to use on programmed
962 device routes. By default the source address is left blank, leaving
963 the kernel to choose the source address used.
965 deviceRouteSourceAddressIPv6:
966 description: This is the IPv6 source address to use on programmed
967 device routes. By default the source address is left blank, leaving
968 the kernel to choose the source address used.
970 disableConntrackInvalidCheck:
972 endpointReportingDelay:
974 endpointReportingEnabled:
977 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
978 which may source tunnel traffic and have the tunneled traffic be
979 accepted at calico nodes.
983 failsafeInboundHostPorts:
984 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
985 and CIDRs that Felix will allow incoming traffic to host endpoints
986 on irrespective of the security policy. This is useful to avoid
987 accidentally cutting off a host with incorrect configuration. For
988 back-compatibility, if the protocol is not specified, it defaults
989 to "tcp". If a CIDR is not specified, it will allow traffic from
990 all addresses. To disable all inbound host ports, use the value
991 none. The default value allows ssh access and DHCP. [Default: tcp:22,
992 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
994 description: ProtoPort is combination of protocol, port, and CIDR.
995 Protocol and port must be specified.
1008 failsafeOutboundHostPorts:
1009 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
1010 and CIDRs that Felix will allow outgoing traffic from host endpoints
1011 to irrespective of the security policy. This is useful to avoid
1012 accidentally cutting off a host with incorrect configuration. For
1013 back-compatibility, if the protocol is not specified, it defaults
1014 to "tcp". If a CIDR is not specified, it will allow traffic from
1015 all addresses. To disable all outbound host ports, use the value
1016 none. The default value opens etcd''s standard ports to ensure that
1017 Felix does not get cut off from etcd as well as allowing DHCP and
1018 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
1019 tcp:6667, udp:53, udp:67]'
1021 description: ProtoPort is combination of protocol, port, and CIDR.
1022 Protocol and port must be specified.
1035 featureDetectOverride:
1036 description: FeatureDetectOverride is used to override the feature
1037 detection. Values are specified in a comma separated list with no
1038 spaces, for example: "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
1039 "true" or "false" will force the feature, empty or omitted values
1044 description: FloatingIPs configures whether or not Felix will program
1045 floating IP addresses.
1051 description: 'GenericXDPEnabled enables Generic XDP so network cards
1052 that don''t support XDP offload or driver modes can use XDP. This
1053 is not recommended since it doesn''t provide better performance
1054 than iptables. [Default: false]'
1063 description: 'InterfaceExclude is a comma-separated list of interfaces
1064 that Felix should exclude when monitoring for host endpoints. The
1065 default value ensures that Felix ignores Kubernetes'' IPVS dummy
1066 interface, which is used internally by kube-proxy. If you want to
1067 exclude multiple interface names using a single value, the list
1068 supports regular expressions. For regular expressions you must wrap
1069 the value with ''/''. For example having values ''/^kube/,veth1''
1070 will exclude all interfaces that begin with ''kube'' and also the
1071 interface ''veth1''. [Default: kube-ipvs0]'
1074 description: 'InterfacePrefix is the interface name prefix that identifies
1075 workload endpoints and so distinguishes them from host endpoint
1076 interfaces. Note: in environments other than bare metal, the orchestrators
1077 configure this appropriately. For example our Kubernetes and Docker
1078 integrations set the ''cali'' value, and our OpenStack integration
1079 sets the ''tap'' value. [Default: cali]'
1081 interfaceRefreshInterval:
1082 description: InterfaceRefreshInterval is the period at which Felix
1083 rescans local interfaces to verify their state. The rescan can be
1084 disabled by setting the interval to 0.
1087 description: 'IPIPEnabled overrides whether Felix should configure
1088 an IPIP interface on the host. Optional as Felix determines this
1089 based on the existing IP pools. [Default: nil (unset)]'
1092 description: 'IPIPMTU is the MTU to set on the tunnel device. See
1093 Configuring MTU [Default: 1440]'
1095 ipsetsRefreshInterval:
1096 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
1097 all iptables state to ensure that no other process has accidentally
1098 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
1102 description: IptablesBackend specifies which backend of iptables will
1103 be used. The default is legacy.
1105 iptablesFilterAllowAction:
1107 iptablesLockFilePath:
1108 description: 'IptablesLockFilePath is the location of the iptables
1109 lock file. You may need to change this if the lock file is not in
1110 its standard location (for example if you have mapped it into Felix''s
1111 container at a different path). [Default: /run/xtables.lock]'
1113 iptablesLockProbeInterval:
1114 description: 'IptablesLockProbeInterval is the time that Felix will
1115 wait between attempts to acquire the iptables lock if it is not
1116 available. Lower values make Felix more responsive when the lock
1117 is contended, but use more CPU. [Default: 50ms]'
1119 iptablesLockTimeout:
1120 description: 'IptablesLockTimeout is the time that Felix will wait
1121 for the iptables lock, or 0, to disable. To use this feature, Felix
1122 must share the iptables lock file with all other processes that
1123 also take the lock. When running Felix inside a container, this
1124 requires the /run directory of the host to be mounted into the calico/node
1125 or calico/felix container. [Default: 0s disabled]'
1127 iptablesMangleAllowAction:
1130 description: 'IptablesMarkMask is the mask that Felix selects its
1131 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
1132 at least 8 bits set, none of which clash with any other mark bits
1133 in use on the system. [Default: 0xff000000]'
1136 iptablesNATOutgoingInterfaceFilter:
1138 iptablesPostWriteCheckInterval:
1139 description: 'IptablesPostWriteCheckInterval is the period after Felix
1140 has done a write to the dataplane that it schedules an extra read
1141 back in order to check the write was not clobbered by another process.
1142 This should only occur if another application on the system doesn''t
1143 respect the iptables lock. [Default: 1s]'
1145 iptablesRefreshInterval:
1146 description: 'IptablesRefreshInterval is the period at which Felix
1147 re-checks the IP sets in the dataplane to ensure that no other process
1148 has accidentally broken Calico''s rules. Set to 0 to disable IP
1149 sets refresh. Note: the default for this value is lower than the
1150 other refresh intervals as a workaround for a Linux kernel bug that
1151 was fixed in kernel version 4.11. If you are using v4.11 or greater
1152 you may want to set this to a higher value to reduce Felix CPU
1153 usage. [Default: 10s]'
1156 description: IPv6Support controls whether Felix enables support for
1157 IPv6 (if supported by the in-use dataplane).
1160 description: 'KubeNodePortRanges holds list of port ranges used for
1161 service node ports. Only used if Felix detects kube-proxy running
1162 in ipvs mode. Felix uses these ranges to separate host and workload
1163 traffic. [Default: 30000:32767].'
1169 x-kubernetes-int-or-string: true
1171 logDebugFilenameRegex:
1172 description: LogDebugFilenameRegex controls which source code files
1173 have their Debug log output included in the logs. Only logs from
1174 files with names that match the given regular expression are included. The
1175 filter only applies to Debug level logs.
1178 description: 'LogFilePath is the full path to the Felix log. Set to
1179 none to disable file logging. [Default: /var/log/calico/felix.log]'
1182 description: 'LogPrefix is the log prefix that Felix uses when rendering
1183 LOG rules. [Default: calico-packet]'
1186 description: 'LogSeverityFile is the log severity above which logs
1187 are sent to the log file. [Default: Info]'
1190 description: 'LogSeverityScreen is the log severity above which logs
1191 are sent to the stdout. [Default: Info]'
1194 description: 'LogSeveritySys is the log severity above which logs
1195 are sent to the syslog. Set to None for no logging to syslog. [Default:
1201 description: 'MetadataAddr is the IP address or domain name of the
1202 server that can answer VM queries for cloud-init metadata. In OpenStack,
1203 this corresponds to the machine running nova-api (or in Ubuntu,
1204 nova-api-metadata). A value of none (case insensitive) means that
1205 Felix should not set up any NAT rule for the metadata path. [Default:
1209 description: 'MetadataPort is the port of the metadata server. This,
1210 combined with global.MetadataAddr (if not ''None''), is used to
1211 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
1212 In most cases this should not need to be changed [Default: 8775].'
1215 description: MTUIfacePattern is a regular expression that controls
1216 which interfaces Felix should scan in order to calculate the host's
1217 MTU. This should not match workload interfaces (usually named cali...).
1220 description: NATOutgoingAddress specifies an address to use when performing
1221 source NAT for traffic in a natOutgoing pool that is leaving the
1222 network. By default the address used is an address on the interface
1223 the traffic is leaving on (i.e. it uses the iptables MASQUERADE target)
1229 description: NATPortRange specifies the range of ports that is used
1230 for port mapping when doing outgoing NAT. When unset the default
1231 behavior of the network stack is used.
1233 x-kubernetes-int-or-string: true
1237 description: 'OpenstackRegion is the name of the region that a particular
1238 Felix belongs to. In a multi-region Calico/OpenStack deployment,
1239 this must be configured somehow for each Felix (here in the datamodel,
1240 or in felix.cfg or the environment on each compute node), and must
1241 match the [calico] openstack_region value configured in neutron.conf
1242 on each node. [Default: Empty]'
1244 policySyncPathPrefix:
1245 description: 'PolicySyncPathPrefix is used by Felix to communicate
1246 policy changes to external services, like Application layer policy.
1249 prometheusGoMetricsEnabled:
1250 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
1251 collection, which the Prometheus client does by default, when set
1252 to false. This reduces the number of metrics reported, reducing
1253 Prometheus load. [Default: true]'
1255 prometheusMetricsEnabled:
1256 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
1257 server in Felix if set to true. [Default: false]'
1259 prometheusMetricsHost:
1260 description: 'PrometheusMetricsHost is the host that the Prometheus
1261 metrics server should bind to. [Default: empty]'
1263 prometheusMetricsPort:
1264 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
1265 metrics server should bind to. [Default: 9091]'
1267 prometheusProcessMetricsEnabled:
1268 description: 'PrometheusProcessMetricsEnabled disables process metrics
1269 collection, which the Prometheus client does by default, when set
1270 to false. This reduces the number of metrics reported, reducing
1271 Prometheus load. [Default: true]'
1273 prometheusWireGuardMetricsEnabled:
1274 description: 'PrometheusWireGuardMetricsEnabled disables wireguard
1275 metrics collection, which the Prometheus client does by default,
1276 when set to false. This reduces the number of metrics reported,
1277 reducing Prometheus load. [Default: true]'
1279 removeExternalRoutes:
1280 description: Whether or not to remove device routes that have not
1281 been programmed by Felix. Disabling this will allow external applications
1282 to also add device routes. This is enabled by default which means
1283 we will remove externally added routes.
1286 description: 'ReportingInterval is the interval at which Felix reports
1287 its status into the datastore or 0 to disable. Must be non-zero
1288 in OpenStack deployments. [Default: 30s]'
1291 description: 'ReportingTTL is the time-to-live setting for process-wide
1292 status reports. [Default: 90s]'
1294 routeRefreshInterval:
1295 description: 'RouteRefreshInterval is the period at which Felix re-checks
1296 the routes in the dataplane to ensure that no other process has
1297 accidentally broken Calico''s rules. Set to 0 to disable route refresh.
1301 description: 'RouteSource configures where Felix gets its routing
1302 information. - WorkloadIPs: use workload endpoints to construct
1303 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
1306 description: Deprecated in favor of RouteTableRanges. Calico programs
1307 additional Linux route tables for various purposes. RouteTableRange
1308 specifies the indices of the route tables that Calico should use.
1319 description: Calico programs additional Linux route tables for various
1320 purposes. RouteTableRanges specifies a set of table index ranges
1321 that Calico should use. Deprecates `RouteTableRange` and overrides `RouteTableRange`.
1333 serviceLoopPrevention:
1334 description: 'When service IP advertisement is enabled, prevent routing
1335 loops to service IPs that are not in use, by dropping or rejecting
1336 packets that do not get DNAT''d by kube-proxy, unless set to "Disabled",
1337 in which case such routing loops continue to be allowed. [Default:
1340 sidecarAccelerationEnabled:
1341 description: 'SidecarAccelerationEnabled enables experimental sidecar
1342 acceleration [Default: false]'
1344 usageReportingEnabled:
1345 description: 'UsageReportingEnabled reports anonymous Calico version
1346 number and cluster size to projectcalico.org. Logs warnings returned
1347 by the usage server. For example, if a significant security vulnerability
1348 has been discovered in the version of Calico being used. [Default:
1351 usageReportingInitialDelay:
1352 description: 'UsageReportingInitialDelay controls the minimum delay
1353 before Felix makes a report. [Default: 300s]'
1355 usageReportingInterval:
1356 description: 'UsageReportingInterval controls the interval at which
1357 Felix makes reports. [Default: 86400s]'
1359 useInternalDataplaneDriver:
1360 description: If UseInternalDataplaneDriver is true, Felix will use its
1361 internal dataplane programming logic. If false, it will launch
1362 an external dataplane driver and communicate with it over protobuf.
1365 description: 'VXLANEnabled overrides whether Felix should create the
1366 VXLAN tunnel device for VXLAN networking. Optional as Felix determines
1367 this based on the existing IP pools. [Default: nil (unset)]'
1370 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
1371 device. See Configuring MTU [Default: 1410]'
1374 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
1375 device. See Configuring MTU [Default: 1390]'
1382 description: 'WireguardEnabled controls whether Wireguard is enabled.
1385 wireguardHostEncryptionEnabled:
1386 description: 'WireguardHostEncryptionEnabled controls whether Wireguard
1387 host-to-host encryption is enabled. [Default: false]'
1389 wireguardInterfaceName:
1390 description: 'WireguardInterfaceName specifies the name to use for
1391 the Wireguard interface. [Default: wg.calico]'
1394 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
1395 option. Set 0 to disable. [Default: 0]'
1397 wireguardListeningPort:
1398 description: 'WireguardListeningPort controls the listening port used
1399 by Wireguard. [Default: 51820]'
1402 description: 'WireguardMTU controls the MTU on the Wireguard interface.
1403 See Configuring MTU [Default: 1420]'
1405 wireguardRoutingRulePriority:
1406 description: 'WireguardRoutingRulePriority controls the priority value
1407 to use for the Wireguard routing rule. [Default: 99]'
1409 workloadSourceSpoofing:
1410 description: WorkloadSourceSpoofing controls whether pods can use
1411 the allowedSourcePrefixes annotation to send traffic with a source
1412 IP address that is not theirs. This is disabled by default. When
1413 set to "Any", pods can request any prefix.
1416 description: 'XDPEnabled enables XDP acceleration for suitable untracked
1417 incoming deny rules. [Default: true]'
1420 description: 'XDPRefreshInterval is the period at which Felix re-checks
1421 all XDP state to ensure that no other process has accidentally broken
1422 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
1423 refresh. [Default: 90s]'
1437 apiVersion: apiextensions.k8s.io/v1
1438 kind: CustomResourceDefinition
1440 name: globalnetworkpolicies.crd.projectcalico.org
1442 group: crd.projectcalico.org
1444 kind: GlobalNetworkPolicy
1445 listKind: GlobalNetworkPolicyList
1446 plural: globalnetworkpolicies
1447 singular: globalnetworkpolicy
1455 description: 'APIVersion defines the versioned schema of this representation
1456 of an object. Servers should convert recognized schemas to the latest
1457 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1460 description: 'Kind is a string value representing the REST resource this
1461 object represents. Servers may infer this from the endpoint the client
1462 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1469 description: ApplyOnForward indicates to apply the rules in this policy
1473 description: DoNotTrack indicates whether packets matched by the rules
1474 in this policy should go through the data plane's connection tracking,
1475 such as Linux conntrack. If True, the rules in this policy are
1476 applied before any data plane connection tracking, and packets allowed
1477 by this policy are marked as not to be tracked.
1480 description: The ordered set of egress rules. Each rule contains
1481 a set of packet match criteria and a corresponding action to apply.
1483 description: "A Rule encapsulates a set of match criteria and an
1484 action. Both selector-based security Policy and security Profiles
1485 reference rules - separated out as a list of rules for both ingress
1486 and egress packet matching. \n Each positive match criteria has
1487 a negated version, prefixed with \"Not\". All the match criteria
1488 within a rule must be satisfied for a packet to match. A single
1489 rule can contain the positive and negative version of a match
1490 and both must be satisfied for the rule to match."
1495 description: Destination contains the match criteria that apply
1496 to destination entity.
1499 description: "NamespaceSelector is an optional field that
1500 contains a selector expression. Only traffic that originates
1501 from (or terminates at) endpoints within the selected
1502 namespaces will be matched. When both NamespaceSelector
1503 and another selector are defined on the same rule, then
1504 only workload endpoints that are matched by both selectors
1505 will be selected by the rule. \n For NetworkPolicy, an
1506 empty NamespaceSelector implies that the Selector is limited
1507 to selecting only workload endpoints in the same namespace
1508 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1509 NamespaceSelector implies that the Selector is limited
1510 to selecting only GlobalNetworkSet or HostEndpoint. \n
1511 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1512 the Selector applies to workload endpoints across all
1516 description: Nets is an optional field that restricts the
1517 rule to only apply to traffic that originates from (or
1518 terminates at) IP addresses in any of the given subnets.
1523 description: NotNets is the negated version of the Nets
1529 description: NotPorts is the negated version of the Ports
1530 field. Since only some protocols have ports, if any ports
1531 are specified it requires the Protocol match in the Rule
1532 to be set to "TCP" or "UDP".
1538 x-kubernetes-int-or-string: true
1541 description: NotSelector is the negated version of the Selector
1542 field. See Selector field for subtleties with negated
1546 description: "Ports is an optional field that restricts
1547 the rule to only apply to traffic that has a source (destination)
1548 port that matches one of these ranges/values. This value
1549 is a list of integers or strings that represent ranges
1550 of ports. \n Since only some protocols have ports, if
1551 any ports are specified it requires the Protocol match
1552 in the Rule to be set to \"TCP\" or \"UDP\"."
1558 x-kubernetes-int-or-string: true
1561 description: "Selector is an optional field that contains
1562 a selector expression (see Policy for sample syntax).
1563 \ Only traffic that originates from (terminates at) endpoints
1564 matching the selector will be matched. \n Note that: in
1565 addition to the negated version of the Selector (see NotSelector
1566 below), the selector expression syntax itself supports
1567 negation. The two types of negation are subtly different.
1568 One negates the set of matched endpoints, the other negates
1569 the whole match: \n \tSelector = \"!has(my_label)\" matches
1570 packets that are from other Calico-controlled \tendpoints
1571 that do not have the label \"my_label\". \n \tNotSelector
1572 = \"has(my_label)\" matches packets that are not from
1573 Calico-controlled \tendpoints that do have the label \"my_label\".
1574 \n The effect is that the latter will accept packets from
1575 non-Calico sources whereas the former is limited to packets
1576 from Calico-controlled endpoints."
1579 description: ServiceAccounts is an optional field that restricts
1580 the rule to only apply to traffic that originates from
1581 (or terminates at) a pod running as a matching service
1585 description: Names is an optional field that restricts
1586 the rule to only apply to traffic that originates
1587 from (or terminates at) a pod running as a service
1588 account whose name is in the list.
1593 description: Selector is an optional field that restricts
1594 the rule to only apply to traffic that originates
1595 from (or terminates at) a pod running as a service
1596 account that matches the given label selector. If
1597 both Names and Selector are specified then they are
1602 description: "Services is an optional field that contains
1603 options for matching Kubernetes Services. If specified,
1604 only traffic that originates from or terminates at endpoints
1605 within the selected service(s) will be matched, and only
1606 to/from each endpoint's port. \n Services cannot be specified
1607 on the same rule as Selector, NotSelector, NamespaceSelector,
1608 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1609 can only be specified with Services on ingress rules."
1612 description: Name specifies the name of a Kubernetes
1616 description: Namespace specifies the namespace of the
1617 given Service. If left empty, the rule will match
1618 within this policy's namespace.
1623 description: HTTP contains match criteria that apply to HTTP
1627 description: Methods is an optional field that restricts
1628 the rule to apply only to HTTP requests that use one of
1629 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1630 methods are OR'd together.
1635 description: 'Paths is an optional field that restricts
1636 the rule to apply to HTTP requests that use one of the
1637 listed HTTP Paths. Multiple paths are OR''d together.
1638 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1639 ONLY specify either an `exact` or a `prefix` match. The
1640 validator will check for it.'
1642 description: 'HTTPPath specifies an HTTP path to match.
1643 It may be either of the form: exact: <path>: which matches
1644 the path exactly or prefix: <path-prefix>: which matches
1655 description: ICMP is an optional field that restricts the rule
1656 to apply to a specific type and code of ICMP traffic. This
1657 should only be specified if the Protocol field is set to "ICMP"
1661 description: Match on a specific ICMP code. If specified,
1662 the Type value must also be specified. This is a technical
1663 limitation imposed by the kernel's iptables firewall,
1664 which Calico uses to enforce the rule.
1667 description: Match on a specific ICMP type. For example
1668 a value of 8 refers to ICMP Echo Request (i.e. pings).
1672 description: IPVersion is an optional field that restricts the
1673 rule to only match a specific IP version.
1676 description: Metadata contains additional information for this
1680 additionalProperties:
1682 description: Annotations is a set of key value pairs that
1683 give extra information about the rule
1687 description: NotICMP is the negated version of the ICMP field.
1690 description: Match on a specific ICMP code. If specified,
1691 the Type value must also be specified. This is a technical
1692 limitation imposed by the kernel's iptables firewall,
1693 which Calico uses to enforce the rule.
1696 description: Match on a specific ICMP type. For example
1697 a value of 8 refers to ICMP Echo Request (i.e. pings).
1704 description: NotProtocol is the negated version of the Protocol
1707 x-kubernetes-int-or-string: true
1712 description: "Protocol is an optional field that restricts the
1713 rule to only apply to traffic of a specific IP protocol. Required
1714 if any of the EntityRules contain Ports (because ports only
1715 apply to certain protocols). \n Must be one of these string
1716 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1717 \"UDPLite\" or an integer in the range 1-255."
1719 x-kubernetes-int-or-string: true
1721 description: Source contains the match criteria that apply to
1725 description: "NamespaceSelector is an optional field that
1726 contains a selector expression. Only traffic that originates
1727 from (or terminates at) endpoints within the selected
1728 namespaces will be matched. When both NamespaceSelector
1729 and another selector are defined on the same rule, then
1730 only workload endpoints that are matched by both selectors
1731 will be selected by the rule. \n For NetworkPolicy, an
1732 empty NamespaceSelector implies that the Selector is limited
1733 to selecting only workload endpoints in the same namespace
1734 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1735 NamespaceSelector implies that the Selector is limited
1736 to selecting only GlobalNetworkSet or HostEndpoint. \n
1737 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1738 the Selector applies to workload endpoints across all
1742 description: Nets is an optional field that restricts the
1743 rule to only apply to traffic that originates from (or
1744 terminates at) IP addresses in any of the given subnets.
1749 description: NotNets is the negated version of the Nets
1755 description: NotPorts is the negated version of the Ports
1756 field. Since only some protocols have ports, if any ports
1757 are specified it requires the Protocol match in the Rule
1758 to be set to "TCP" or "UDP".
1764 x-kubernetes-int-or-string: true
1767 description: NotSelector is the negated version of the Selector
1768 field. See Selector field for subtleties with negated
1772 description: "Ports is an optional field that restricts
1773 the rule to only apply to traffic that has a source (destination)
1774 port that matches one of these ranges/values. This value
1775 is a list of integers or strings that represent ranges
1776 of ports. \n Since only some protocols have ports, if
1777 any ports are specified it requires the Protocol match
1778 in the Rule to be set to \"TCP\" or \"UDP\"."
1784 x-kubernetes-int-or-string: true
1787 description: "Selector is an optional field that contains
1788 a selector expression (see Policy for sample syntax).
1789 \ Only traffic that originates from (terminates at) endpoints
1790 matching the selector will be matched. \n Note that: in
1791 addition to the negated version of the Selector (see NotSelector
1792 below), the selector expression syntax itself supports
1793 negation. The two types of negation are subtly different.
1794 One negates the set of matched endpoints, the other negates
1795 the whole match: \n \tSelector = \"!has(my_label)\" matches
1796 packets that are from other Calico-controlled \tendpoints
1797 that do not have the label \"my_label\". \n \tNotSelector
1798 = \"has(my_label)\" matches packets that are not from
1799 Calico-controlled \tendpoints that do have the label \"my_label\".
1800 \n The effect is that the latter will accept packets from
1801 non-Calico sources whereas the former is limited to packets
1802 from Calico-controlled endpoints."
1805 description: ServiceAccounts is an optional field that restricts
1806 the rule to only apply to traffic that originates from
1807 (or terminates at) a pod running as a matching service
1811 description: Names is an optional field that restricts
1812 the rule to only apply to traffic that originates
1813 from (or terminates at) a pod running as a service
1814 account whose name is in the list.
1819 description: Selector is an optional field that restricts
1820 the rule to only apply to traffic that originates
1821 from (or terminates at) a pod running as a service
1822 account that matches the given label selector. If
1823 both Names and Selector are specified then they are
1828 description: "Services is an optional field that contains
1829 options for matching Kubernetes Services. If specified,
1830 only traffic that originates from or terminates at endpoints
1831 within the selected service(s) will be matched, and only
1832 to/from each endpoint's port. \n Services cannot be specified
1833 on the same rule as Selector, NotSelector, NamespaceSelector,
1834 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1835 can only be specified with Services on ingress rules."
1838 description: Name specifies the name of a Kubernetes
1842 description: Namespace specifies the namespace of the
1843 given Service. If left empty, the rule will match
1844 within this policy's namespace.
1853 description: The ordered set of ingress rules. Each rule contains
1854 a set of packet match criteria and a corresponding action to apply.
1856 description: "A Rule encapsulates a set of match criteria and an
1857 action. Both selector-based security Policy and security Profiles
1858 reference rules - separated out as a list of rules for both ingress
1859 and egress packet matching. \n Each positive match criteria has
1860 a negated version, prefixed with \"Not\". All the match criteria
1861 within a rule must be satisfied for a packet to match. A single
1862 rule can contain the positive and negative version of a match
1863 and both must be satisfied for the rule to match."
1868 description: Destination contains the match criteria that apply
1869 to destination entity.
1872 description: "NamespaceSelector is an optional field that
1873 contains a selector expression. Only traffic that originates
1874 from (or terminates at) endpoints within the selected
1875 namespaces will be matched. When both NamespaceSelector
1876 and another selector are defined on the same rule, then
1877 only workload endpoints that are matched by both selectors
1878 will be selected by the rule. \n For NetworkPolicy, an
1879 empty NamespaceSelector implies that the Selector is limited
1880 to selecting only workload endpoints in the same namespace
1881 as the NetworkPolicy. \n For NetworkPolicy, `global()`
1882 NamespaceSelector implies that the Selector is limited
1883 to selecting only GlobalNetworkSet or HostEndpoint. \n
1884 For GlobalNetworkPolicy, an empty NamespaceSelector implies
1885 the Selector applies to workload endpoints across all
1889 description: Nets is an optional field that restricts the
1890 rule to only apply to traffic that originates from (or
1891 terminates at) IP addresses in any of the given subnets.
1896 description: NotNets is the negated version of the Nets
1902 description: NotPorts is the negated version of the Ports
1903 field. Since only some protocols have ports, if any ports
1904 are specified it requires the Protocol match in the Rule
1905 to be set to "TCP" or "UDP".
1911 x-kubernetes-int-or-string: true
1914 description: NotSelector is the negated version of the Selector
1915 field. See Selector field for subtleties with negated
1919 description: "Ports is an optional field that restricts
1920 the rule to only apply to traffic that has a source (destination)
1921 port that matches one of these ranges/values. This value
1922 is a list of integers or strings that represent ranges
1923 of ports. \n Since only some protocols have ports, if
1924 any ports are specified it requires the Protocol match
1925 in the Rule to be set to \"TCP\" or \"UDP\"."
1931 x-kubernetes-int-or-string: true
1934 description: "Selector is an optional field that contains
1935 a selector expression (see Policy for sample syntax).
1936 \ Only traffic that originates from (terminates at) endpoints
1937 matching the selector will be matched. \n Note that: in
1938 addition to the negated version of the Selector (see NotSelector
1939 below), the selector expression syntax itself supports
1940 negation. The two types of negation are subtly different.
1941 One negates the set of matched endpoints, the other negates
1942 the whole match: \n \tSelector = \"!has(my_label)\" matches
1943 packets that are from other Calico-controlled \tendpoints
1944 that do not have the label \"my_label\". \n \tNotSelector
1945 = \"has(my_label)\" matches packets that are not from
1946 Calico-controlled \tendpoints that do have the label \"my_label\".
1947 \n The effect is that the latter will accept packets from
1948 non-Calico sources whereas the former is limited to packets
1949 from Calico-controlled endpoints."
1952 description: ServiceAccounts is an optional field that restricts
1953 the rule to only apply to traffic that originates from
1954 (or terminates at) a pod running as a matching service
1958 description: Names is an optional field that restricts
1959 the rule to only apply to traffic that originates
1960 from (or terminates at) a pod running as a service
1961 account whose name is in the list.
1966 description: Selector is an optional field that restricts
1967 the rule to only apply to traffic that originates
1968 from (or terminates at) a pod running as a service
1969 account that matches the given label selector. If
1970 both Names and Selector are specified then they are
1975 description: "Services is an optional field that contains
1976 options for matching Kubernetes Services. If specified,
1977 only traffic that originates from or terminates at endpoints
1978 within the selected service(s) will be matched, and only
1979 to/from each endpoint's port. \n Services cannot be specified
1980 on the same rule as Selector, NotSelector, NamespaceSelector,
1981 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1982 can only be specified with Services on ingress rules."
1985 description: Name specifies the name of a Kubernetes
1989 description: Namespace specifies the namespace of the
1990 given Service. If left empty, the rule will match
1991 within this policy's namespace.
1996 description: HTTP contains match criteria that apply to HTTP
2000 description: Methods is an optional field that restricts
2001 the rule to apply only to HTTP requests that use one of
2002 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2003 methods are OR'd together.
2008 description: 'Paths is an optional field that restricts
2009 the rule to apply to HTTP requests that use one of the
2010 listed HTTP Paths. Multiple paths are OR''d together.
2011 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2012 ONLY specify either an `exact` or a `prefix` match. The
2013 validator will check for it.'
2015 description: 'HTTPPath specifies an HTTP path to match.
2016 It may be either of the form: exact: <path>: which matches
2017 the path exactly or prefix: <path-prefix>: which matches
2028 description: ICMP is an optional field that restricts the rule
2029 to apply to a specific type and code of ICMP traffic. This
2030 should only be specified if the Protocol field is set to "ICMP"
2034 description: Match on a specific ICMP code. If specified,
2035 the Type value must also be specified. This is a technical
2036 limitation imposed by the kernel's iptables firewall,
2037 which Calico uses to enforce the rule.
2040 description: Match on a specific ICMP type. For example
2041 a value of 8 refers to ICMP Echo Request (i.e. pings).
2045 description: IPVersion is an optional field that restricts the
2046 rule to only match a specific IP version.
2049 description: Metadata contains additional information for this
2053 additionalProperties:
2055 description: Annotations is a set of key value pairs that
2056 give extra information about the rule
2060 description: NotICMP is the negated version of the ICMP field.
2063 description: Match on a specific ICMP code. If specified,
2064 the Type value must also be specified. This is a technical
2065 limitation imposed by the kernel's iptables firewall,
2066 which Calico uses to enforce the rule.
2069 description: Match on a specific ICMP type. For example
2070 a value of 8 refers to ICMP Echo Request (i.e. pings).
2077 description: NotProtocol is the negated version of the Protocol
2080 x-kubernetes-int-or-string: true
2085 description: "Protocol is an optional field that restricts the
2086 rule to only apply to traffic of a specific IP protocol. Required
2087 if any of the EntityRules contain Ports (because ports only
2088 apply to certain protocols). \n Must be one of these string
2089 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2090 \"UDPLite\" or an integer in the range 1-255."
2092 x-kubernetes-int-or-string: true
2094 description: Source contains the match criteria that apply to
2098 description: "NamespaceSelector is an optional field that
2099 contains a selector expression. Only traffic that originates
2100 from (or terminates at) endpoints within the selected
2101 namespaces will be matched. When both NamespaceSelector
2102 and another selector are defined on the same rule, then
2103 only workload endpoints that are matched by both selectors
2104 will be selected by the rule. \n For NetworkPolicy, an
2105 empty NamespaceSelector implies that the Selector is limited
2106 to selecting only workload endpoints in the same namespace
2107 as the NetworkPolicy. \n For NetworkPolicy, `global()`
2108 NamespaceSelector implies that the Selector is limited
2109 to selecting only GlobalNetworkSet or HostEndpoint. \n
2110 For GlobalNetworkPolicy, an empty NamespaceSelector implies
2111 the Selector applies to workload endpoints across all
2115 description: Nets is an optional field that restricts the
2116 rule to only apply to traffic that originates from (or
2117 terminates at) IP addresses in any of the given subnets.
2122 description: NotNets is the negated version of the Nets
2128 description: NotPorts is the negated version of the Ports
2129 field. Since only some protocols have ports, if any ports
2130 are specified it requires the Protocol match in the Rule
2131 to be set to "TCP" or "UDP".
2137 x-kubernetes-int-or-string: true
2140 description: NotSelector is the negated version of the Selector
2141 field. See Selector field for subtleties with negated
2145 description: "Ports is an optional field that restricts
2146 the rule to only apply to traffic that has a source (destination)
2147 port that matches one of these ranges/values. This value
2148 is a list of integers or strings that represent ranges
2149 of ports. \n Since only some protocols have ports, if
2150 any ports are specified it requires the Protocol match
2151 in the Rule to be set to \"TCP\" or \"UDP\"."
2157 x-kubernetes-int-or-string: true
2160 description: "Selector is an optional field that contains
2161 a selector expression (see Policy for sample syntax).
2162 \ Only traffic that originates from (terminates at) endpoints
2163 matching the selector will be matched. \n Note that: in
2164 addition to the negated version of the Selector (see NotSelector
2165 below), the selector expression syntax itself supports
2166 negation. The two types of negation are subtly different.
2167 One negates the set of matched endpoints, the other negates
2168 the whole match: \n \tSelector = \"!has(my_label)\" matches
2169 packets that are from other Calico-controlled \tendpoints
2170 that do not have the label \"my_label\". \n \tNotSelector
2171 = \"has(my_label)\" matches packets that are not from
2172 Calico-controlled \tendpoints that do have the label \"my_label\".
2173 \n The effect is that the latter will accept packets from
2174 non-Calico sources whereas the former is limited to packets
2175 from Calico-controlled endpoints."
2178 description: ServiceAccounts is an optional field that restricts
2179 the rule to only apply to traffic that originates from
2180 (or terminates at) a pod running as a matching service
2184 description: Names is an optional field that restricts
2185 the rule to only apply to traffic that originates
2186 from (or terminates at) a pod running as a service
2187 account whose name is in the list.
2192 description: Selector is an optional field that restricts
2193 the rule to only apply to traffic that originates
2194 from (or terminates at) a pod running as a service
2195 account that matches the given label selector. If
2196 both Names and Selector are specified then they are
2201 description: "Services is an optional field that contains
2202 options for matching Kubernetes Services. If specified,
2203 only traffic that originates from or terminates at endpoints
2204 within the selected service(s) will be matched, and only
2205 to/from each endpoint's port. \n Services cannot be specified
2206 on the same rule as Selector, NotSelector, NamespaceSelector,
2207 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2208 can only be specified with Services on ingress rules."
2211 description: Name specifies the name of a Kubernetes
2215 description: Namespace specifies the namespace of the
2216 given Service. If left empty, the rule will match
2217 within this policy's namespace.
2226 description: NamespaceSelector is an optional field for an expression
2227 used to select a pod based on namespaces.
2230 description: Order is an optional field that specifies the order in
2231 which the policy is applied. Policies with higher "order" are applied
2232 after those with lower order. If the order is omitted, it may be
2233 considered to be "infinite" - i.e. the policy will be applied last. Policies
2234 with identical order will be applied in alphanumerical order based
2235 on the Policy "Name".
2238 description: PreDNAT indicates to apply the rules in this policy before
2242 description: "The selector is an expression used to pick out
2243 the endpoints that the policy should be applied to. \n Selector
2244 expressions follow this syntax: \n \tlabel == \"string_literal\"
2245 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
2246 \ -> not equal; also matches if label is not present \tlabel in
2247 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
2248 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
2249 ... } -> true if the value of label X is not one of \"a\", \"b\",
2250 \"c\" \thas(label_name) -> True if that label is present \t! expr
2251 -> negation of expr \texpr && expr -> Short-circuit and \texpr
2252 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
2253 or the empty selector -> matches all endpoints. \n Label names are
2254 allowed to contain alphanumerics, -, _ and /. String literals are
2255 more permissive but they do not support escape characters. \n Examples
2256 (with made-up labels): \n \ttype == \"webserver\" && deployment
2257 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
2258 \"dev\" \t! has(label_name)"
2260 serviceAccountSelector:
2261 description: ServiceAccountSelector is an optional field for an expression
2262 used to select a pod based on service accounts.
2265 description: "Types indicates whether this policy applies to ingress,
2266 or to egress, or to both. When not explicitly specified (and so
2267 the value on creation is empty or nil), Calico defaults Types according
2268 to what Ingress and Egress rules are present in the policy. The
2269 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
2270 (including the case where there are also no Ingress rules) \n
2271 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
2272 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
2273 both Ingress and Egress rules. \n When the policy is read back again,
2274 Types will always be one of these values, never empty or nil."
2276 description: PolicyType enumerates the possible values of the PolicySpec
2292 apiVersion: apiextensions.k8s.io/v1
2293 kind: CustomResourceDefinition
2295 name: globalnetworksets.crd.projectcalico.org
2297 group: crd.projectcalico.org
2299 kind: GlobalNetworkSet
2300 listKind: GlobalNetworkSetList
2301 plural: globalnetworksets
2302 singular: globalnetworkset
2308 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
2309 that share labels to allow rules to refer to them via selectors. The labels
2310 of GlobalNetworkSet are not namespaced.
2313 description: 'APIVersion defines the versioned schema of this representation
2314 of an object. Servers should convert recognized schemas to the latest
2315 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2318 description: 'Kind is a string value representing the REST resource this
2319 object represents. Servers may infer this from the endpoint the client
2320 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2325 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
2329 description: The list of IP networks that belong to this set.
2345 apiVersion: apiextensions.k8s.io/v1
2346 kind: CustomResourceDefinition
2348 name: hostendpoints.crd.projectcalico.org
2350 group: crd.projectcalico.org
2353 listKind: HostEndpointList
2354 plural: hostendpoints
2355 singular: hostendpoint
2363 description: 'APIVersion defines the versioned schema of this representation
2364 of an object. Servers should convert recognized schemas to the latest
2365 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2368 description: 'Kind is a string value representing the REST resource this
2369 object represents. Servers may infer this from the endpoint the client
2370 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2375 description: HostEndpointSpec contains the specification for a HostEndpoint
2379 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
2380 If \"InterfaceName\" is not present, Calico will look for an interface
2381 matching any of the IPs in the list and apply policy to that. Note:
2382 \tWhen using the selector match criteria in an ingress or egress
2383 security Policy \tor Profile, Calico converts the selector into
2384 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
2385 is used for that purpose. (If only the interface \tname is specified,
2386 Calico does not learn the IPs of the interface for use in match
2392 description: "Either \"*\", or the name of a specific Linux interface
2393 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
2394 governs all traffic to, from or through the default network namespace
2395 of the host named by the \"Node\" field; entering and leaving that
2396 namespace via any interface, including those from/to non-host-networked
2397 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
2398 only governs traffic that enters or leaves the host through the
2399 specific interface named by InterfaceName, or - when InterfaceName
2400 is empty - through the specific interface that has one of the IPs
2401 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
2402 one expected IP must be specified. Only external interfaces (such
2403 as \"eth0\") are supported here; it isn't possible for a HostEndpoint
2404 to protect traffic through a specific local workload interface.
2405 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
2406 initially just pre-DNAT policy. Please check Calico documentation
2407 for the latest position."
2410 description: The node name identifying the Calico node instance.
2413 description: Ports contains the endpoint's named ports, which may
2414 be referenced in security policy rules.
2426 x-kubernetes-int-or-string: true
2434 description: A list of identifiers of security Profile objects that
2435 apply to this endpoint. Each profile is applied in the order that
2436 they appear in this list. Profile rules are applied after the selector-based
2453 apiVersion: apiextensions.k8s.io/v1
2454 kind: CustomResourceDefinition
2456 name: ipamblocks.crd.projectcalico.org
2458 group: crd.projectcalico.org
2461 listKind: IPAMBlockList
2471 description: 'APIVersion defines the versioned schema of this representation
2472 of an object. Servers should convert recognized schemas to the latest
2473 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2476 description: 'Kind is a string value representing the REST resource this
2477 object represents. Servers may infer this from the endpoint the client
2478 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2483 description: IPAMBlockSpec contains the specification for an IPAMBlock
2487 description: Affinity of the block, if this block has one. If set,
2488 it will be of the form "host:<hostname>". If not set, this block
2489 is not affine to a host.
2492 description: Array of allocations in-use within this block. nil entries
2493 mean the allocation is free. For non-nil entries at index i, the
2494 index is the ordinal of the allocation within this block and the
2495 value is the index of the associated attributes in the Attributes
2499 # TODO: This nullable is manually added in. We should update controller-gen
2500 # to handle []*int properly itself.
2504 description: Attributes is an array of arbitrary metadata associated
2505 with allocations in the block. To find attributes for a given allocation,
2506 use the value of the allocation's entry in the Allocations array
2507 as the index of the element in this array.
2513 additionalProperties:
2519 description: The block's CIDR.
2522 description: Deleted is an internal boolean used to workaround a limitation
2523 in the Kubernetes API whereby deletion will not return a conflict
2524 error if the block has been updated. It should not be set manually.
2528 description: We store a sequence number that is updated each time
2529 the block is written. Each allocation will also store the sequence
2530 number of the block at the time of its creation. When releasing
2531 an IP, passing the sequence number associated with the allocation
2532 allows us to protect against a race condition and ensure the IP
2533 hasn't been released and re-allocated since the release request.
2536 sequenceNumberForAllocation:
2537 additionalProperties:
2540 description: Map of allocated ordinal within the block to sequence
2541 number of the block at the time of allocation. Kubernetes does not
2542 allow numerical keys for maps, so the key is cast to a string.
2545 description: StrictAffinity on the IPAMBlock is deprecated and no
2546 longer used by the code. Use IPAMConfig StrictAffinity instead.
2549 description: Unallocated is an ordered list of allocations which are
2572 apiVersion: apiextensions.k8s.io/v1
2573 kind: CustomResourceDefinition
2575 name: ipamconfigs.crd.projectcalico.org
2577 group: crd.projectcalico.org
2580 listKind: IPAMConfigList
2582 singular: ipamconfig
2590 description: 'APIVersion defines the versioned schema of this representation
2591 of an object. Servers should convert recognized schemas to the latest
2592 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2595 description: 'Kind is a string value representing the REST resource this
2596 object represents. Servers may infer this from the endpoint the client
2597 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2602 description: IPAMConfigSpec contains the specification for an IPAMConfig
2608 description: MaxBlocksPerHost, if non-zero, is the max number of blocks
2609 that can be affine to each host.
2614 - autoAllocateBlocks
2628 apiVersion: apiextensions.k8s.io/v1
2629 kind: CustomResourceDefinition
2631 name: ipamhandles.crd.projectcalico.org
2633 group: crd.projectcalico.org
2636 listKind: IPAMHandleList
2638 singular: ipamhandle
2646 description: 'APIVersion defines the versioned schema of this representation
2647 of an object. Servers should convert recognized schemas to the latest
2648 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2651 description: 'Kind is a string value representing the REST resource this
2652 object represents. Servers may infer this from the endpoint the client
2653 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2658 description: IPAMHandleSpec contains the specification for an IPAMHandle
2662 additionalProperties:
2684 apiVersion: apiextensions.k8s.io/v1
2685 kind: CustomResourceDefinition
2687 name: ippools.crd.projectcalico.org
2689 group: crd.projectcalico.org
2692 listKind: IPPoolList
2702 description: 'APIVersion defines the versioned schema of this representation
2703 of an object. Servers should convert recognized schemas to the latest
2704 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2707 description: 'Kind is a string value representing the REST resource this
2708 object represents. Servers may infer this from the endpoint the client
2709 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2714 description: IPPoolSpec contains the specification for an IPPool resource.
2717 description: AllowedUse controls what the IP pool will be used for. If
2718 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
2723 description: The block size to use for IP address assignments from
2724 this pool. Defaults to 26 for IPv4 and 122 for IPv6.
2727 description: The pool CIDR.
2730 description: 'Disable exporting routes from this IP Pool''s CIDR over
2731 BGP. [Default: false]'
2734 description: When disabled is true, Calico IPAM will not assign addresses
2738 description: 'Deprecated: this field is only used for APIv1 backwards
2739 compatibility. Setting this field is not allowed, this field is
2740 for internal use only.'
2743 description: When enabled is true, ipip tunneling will be used
2744 to deliver packets to destinations within this pool.
2747 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2748 mode of "always" will also use IPIP tunneling for routing to
2749 destination IP addresses within this pool. A mode of "cross-subnet"
2750 will only use IPIP tunneling when the destination node is on
2751 a different subnet to the originating node. The default value
2752 (if not specified) is "always".
2756 description: Contains configuration for IPIP tunneling for this pool.
2757 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2761 description: 'Deprecated: this field is only used for APIv1 backwards
2762 compatibility. Setting this field is not allowed, this field is
2763 for internal use only.'
2766 description: When nat-outgoing is true, packets sent from Calico networked
2767 containers in this pool to destinations outside of this pool will
2771 description: Allows IPPool to allocate for a specific node by label
2775 description: Contains configuration for VXLAN tunneling for this pool.
2776 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2777 tunneling is disabled).
2793 apiVersion: apiextensions.k8s.io/v1
2794 kind: CustomResourceDefinition
2797 controller-gen.kubebuilder.io/version: (devel)
2798 creationTimestamp: null
2799 name: ipreservations.crd.projectcalico.org
2801 group: crd.projectcalico.org
2804 listKind: IPReservationList
2805 plural: ipreservations
2806 singular: ipreservation
2814 description: 'APIVersion defines the versioned schema of this representation
2815 of an object. Servers should convert recognized schemas to the latest
2816 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2819 description: 'Kind is a string value representing the REST resource this
2820 object represents. Servers may infer this from the endpoint the client
2821 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2826 description: IPReservationSpec contains the specification for an IPReservation
2830 description: ReservedCIDRs is a list of CIDRs and/or IP addresses
2831 that Calico IPAM will exclude from new allocations.
2847 apiVersion: apiextensions.k8s.io/v1
2848 kind: CustomResourceDefinition
2850 name: kubecontrollersconfigurations.crd.projectcalico.org
2852 group: crd.projectcalico.org
2854 kind: KubeControllersConfiguration
2855 listKind: KubeControllersConfigurationList
2856 plural: kubecontrollersconfigurations
2857 singular: kubecontrollersconfiguration
2865 description: 'APIVersion defines the versioned schema of this representation
2866 of an object. Servers should convert recognized schemas to the latest
2867 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2870 description: 'Kind is a string value representing the REST resource this
2871 object represents. Servers may infer this from the endpoint the client
2872 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2877 description: KubeControllersConfigurationSpec contains the values of the
2878 Kubernetes controllers configuration.
2881 description: Controllers enables and configures individual Kubernetes
2885 description: Namespace enables and configures the namespace controller.
2886 Enabled by default, set to nil to disable.
2889 description: 'ReconcilerPeriod is the period to perform reconciliation
2890 with the Calico datastore. [Default: 5m]'
2894 description: Node enables and configures the node controller.
2895 Enabled by default, set to nil to disable.
2898 description: HostEndpoint controls syncing nodes to host endpoints.
2899 Disabled by default, set to nil to disable.
2902 description: 'AutoCreate enables automatic creation of
2903 host endpoints for every node. [Default: Disabled]'
2907 description: 'LeakGracePeriod is the period used by the controller
2908 to determine if an IP address has been leaked. Set to 0
2909 to disable IP garbage collection. [Default: 15m]'
2912 description: 'ReconcilerPeriod is the period to perform reconciliation
2913 with the Calico datastore. [Default: 5m]'
2916 description: 'SyncLabels controls whether to copy Kubernetes
2917 node labels to Calico nodes. [Default: Enabled]'
2921 description: Policy enables and configures the policy controller.
2922 Enabled by default, set to nil to disable.
2925 description: 'ReconcilerPeriod is the period to perform reconciliation
2926 with the Calico datastore. [Default: 5m]'
2930 description: ServiceAccount enables and configures the service
2931 account controller. Enabled by default, set to nil to disable.
2934 description: 'ReconcilerPeriod is the period to perform reconciliation
2935 with the Calico datastore. [Default: 5m]'
2939 description: WorkloadEndpoint enables and configures the workload
2940 endpoint controller. Enabled by default, set to nil to disable.
2943 description: 'ReconcilerPeriod is the period to perform reconciliation
2944 with the Calico datastore. [Default: 5m]'
2949 description: DebugProfilePort configures the port to serve memory
2950 and cpu profiles on. If not specified, profiling is disabled.
2953 etcdV3CompactionPeriod:
2954 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2955 compaction requests. Set to 0 to disable. [Default: 10m]'
2958 description: 'HealthChecks enables or disables support for health
2959 checks. [Default: Enabled]'
2962 description: 'LogSeverityScreen is the log severity above which logs
2963 are sent to stdout. [Default: Info]'
2965 prometheusMetricsPort:
2966 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
2967 metrics server should bind to. Set to 0 to disable. [Default: 9094]'
2973 description: KubeControllersConfigurationStatus represents the status
2974 of the configuration. It's useful for admins to be able to see the actual
2975 config that was applied, which can be modified by environment variables
2976 on the kube-controllers process.
2979 additionalProperties:
2981 description: EnvironmentVars contains the environment variables on
2982 the kube-controllers that influenced the RunningConfig.
2985 description: RunningConfig contains the effective config that is running
2986 in the kube-controllers pod, after merging the API resource with
2987 any environment variables.
2990 description: Controllers enables and configures individual Kubernetes
2994 description: Namespace enables and configures the namespace
2995 controller. Enabled by default, set to nil to disable.
2998 description: 'ReconcilerPeriod is the period to perform
2999 reconciliation with the Calico datastore. [Default:
3004 description: Node enables and configures the node controller.
3005 Enabled by default, set to nil to disable.
3008 description: HostEndpoint controls syncing nodes to host
3009 endpoints. Disabled by default, set to nil to disable.
3012 description: 'AutoCreate enables automatic creation
3013 of host endpoints for every node. [Default: Disabled]'
3017 description: 'LeakGracePeriod is the period used by the
3018 controller to determine if an IP address has been leaked.
3019 Set to 0 to disable IP garbage collection. [Default:
3023 description: 'ReconcilerPeriod is the period to perform
3024 reconciliation with the Calico datastore. [Default:
3028 description: 'SyncLabels controls whether to copy Kubernetes
3029 node labels to Calico nodes. [Default: Enabled]'
3033 description: Policy enables and configures the policy controller.
3034 Enabled by default, set to nil to disable.
3037 description: 'ReconcilerPeriod is the period to perform
3038 reconciliation with the Calico datastore. [Default:
3043 description: ServiceAccount enables and configures the service
3044 account controller. Enabled by default, set to nil to disable.
3047 description: 'ReconcilerPeriod is the period to perform
3048 reconciliation with the Calico datastore. [Default:
3053 description: WorkloadEndpoint enables and configures the workload
3054 endpoint controller. Enabled by default, set to nil to disable.
3057 description: 'ReconcilerPeriod is the period to perform
3058 reconciliation with the Calico datastore. [Default:
3064 description: DebugProfilePort configures the port to serve memory
3065 and cpu profiles on. If not specified, profiling is disabled.
3068 etcdV3CompactionPeriod:
3069 description: 'EtcdV3CompactionPeriod is the period between etcdv3
3070 compaction requests. Set to 0 to disable. [Default: 10m]'
3073 description: 'HealthChecks enables or disables support for health
3074 checks. [Default: Enabled]'
3077 description: 'LogSeverityScreen is the log severity above which
3078 logs are sent to stdout. [Default: Info]'
3080 prometheusMetricsPort:
3081 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
3082 metrics server should bind to. Set to 0 to disable. [Default:
3100 apiVersion: apiextensions.k8s.io/v1
3101 kind: CustomResourceDefinition
3103 name: networkpolicies.crd.projectcalico.org
3105 group: crd.projectcalico.org
3108 listKind: NetworkPolicyList
3109 plural: networkpolicies
3110 singular: networkpolicy
3118 description: 'APIVersion defines the versioned schema of this representation
3119 of an object. Servers should convert recognized schemas to the latest
3120 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3123 description: 'Kind is a string value representing the REST resource this
3124 object represents. Servers may infer this from the endpoint the client
3125 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3132 description: The ordered set of egress rules. Each rule contains
3133 a set of packet match criteria and a corresponding action to apply.
3135 description: "A Rule encapsulates a set of match criteria and an
3136 action. Both selector-based security Policy and security Profiles
3137 reference rules - separated out as a list of rules for both ingress
3138 and egress packet matching. \n Each positive match criteria has
3139 a negated version, prefixed with \"Not\". All the match criteria
3140 within a rule must be satisfied for a packet to match. A single
3141 rule can contain the positive and negative version of a match
3142 and both must be satisfied for the rule to match."
3147 description: Destination contains the match criteria that apply
3148 to destination entity.
3151 description: "NamespaceSelector is an optional field that
3152 contains a selector expression. Only traffic that originates
3153 from (or terminates at) endpoints within the selected
3154 namespaces will be matched. When both NamespaceSelector
3155 and another selector are defined on the same rule, then
3156 only workload endpoints that are matched by both selectors
3157 will be selected by the rule. \n For NetworkPolicy, an
3158 empty NamespaceSelector implies that the Selector is limited
3159 to selecting only workload endpoints in the same namespace
3160 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3161 NamespaceSelector implies that the Selector is limited
3162 to selecting only GlobalNetworkSet or HostEndpoint. \n
3163 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3164 the Selector applies to workload endpoints across all
3168 description: Nets is an optional field that restricts the
3169 rule to only apply to traffic that originates from (or
3170 terminates at) IP addresses in any of the given subnets.
3175 description: NotNets is the negated version of the Nets
3181 description: NotPorts is the negated version of the Ports
3182 field. Since only some protocols have ports, if any ports
3183 are specified it requires the Protocol match in the Rule
3184 to be set to "TCP" or "UDP".
3190 x-kubernetes-int-or-string: true
3193 description: NotSelector is the negated version of the Selector
3194 field. See Selector field for subtleties with negated
3198 description: "Ports is an optional field that restricts
3199 the rule to only apply to traffic that has a source (destination)
3200 port that matches one of these ranges/values. This value
3201 is a list of integers or strings that represent ranges
3202 of ports. \n Since only some protocols have ports, if
3203 any ports are specified it requires the Protocol match
3204 in the Rule to be set to \"TCP\" or \"UDP\"."
3210 x-kubernetes-int-or-string: true
3213 description: "Selector is an optional field that contains
3214 a selector expression (see Policy for sample syntax).
3215 \ Only traffic that originates from (terminates at) endpoints
3216 matching the selector will be matched. \n Note that: in
3217 addition to the negated version of the Selector (see NotSelector
3218 below), the selector expression syntax itself supports
3219 negation. The two types of negation are subtly different.
3220 One negates the set of matched endpoints, the other negates
3221 the whole match: \n \tSelector = \"!has(my_label)\" matches
3222 packets that are from other Calico-controlled \tendpoints
3223 that do not have the label \"my_label\". \n \tNotSelector
3224 = \"has(my_label)\" matches packets that are not from
3225 Calico-controlled \tendpoints that do have the label \"my_label\".
3226 \n The effect is that the latter will accept packets from
3227 non-Calico sources whereas the former is limited to packets
3228 from Calico-controlled endpoints."
3231 description: ServiceAccounts is an optional field that restricts
3232 the rule to only apply to traffic that originates from
3233 (or terminates at) a pod running as a matching service
3237 description: Names is an optional field that restricts
3238 the rule to only apply to traffic that originates
3239 from (or terminates at) a pod running as a service
3240 account whose name is in the list.
3245 description: Selector is an optional field that restricts
3246 the rule to only apply to traffic that originates
3247 from (or terminates at) a pod running as a service
3248 account that matches the given label selector. If
3249 both Names and Selector are specified then they are
3254 description: "Services is an optional field that contains
3255 options for matching Kubernetes Services. If specified,
3256 only traffic that originates from or terminates at endpoints
3257 within the selected service(s) will be matched, and only
3258 to/from each endpoint's port. \n Services cannot be specified
3259 on the same rule as Selector, NotSelector, NamespaceSelector,
3260 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3261 can only be specified with Services on ingress rules."
3264 description: Name specifies the name of a Kubernetes
3268 description: Namespace specifies the namespace of the
3269 given Service. If left empty, the rule will match
3270 within this policy's namespace.
3275 description: HTTP contains match criteria that apply to HTTP
3279 description: Methods is an optional field that restricts
3280 the rule to apply only to HTTP requests that use one of
3281 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3282 methods are OR'd together.
3287 description: 'Paths is an optional field that restricts
3288 the rule to apply to HTTP requests that use one of the
3289 listed HTTP Paths. Multiple paths are OR''d together.
3290 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3291 ONLY specify either an `exact` or a `prefix` match. The
3292 validator will check for it.'
3294 description: 'HTTPPath specifies an HTTP path to match.
3295 It may be either of the form: exact: <path>: which matches
3296 the path exactly or prefix: <path-prefix>: which matches
3307 description: ICMP is an optional field that restricts the rule
3308 to apply to a specific type and code of ICMP traffic. This
3309 should only be specified if the Protocol field is set to "ICMP"
3313 description: Match on a specific ICMP code. If specified,
3314 the Type value must also be specified. This is a technical
3315 limitation imposed by the kernel's iptables firewall,
3316 which Calico uses to enforce the rule.
3319 description: Match on a specific ICMP type. For example
3320 a value of 8 refers to ICMP Echo Request (i.e. pings).
3324 description: IPVersion is an optional field that restricts the
3325 rule to only match a specific IP version.
3328 description: Metadata contains additional information for this
3332 additionalProperties:
3334 description: Annotations is a set of key value pairs that
3335 give extra information about the rule
3339 description: NotICMP is the negated version of the ICMP field.
3342 description: Match on a specific ICMP code. If specified,
3343 the Type value must also be specified. This is a technical
3344 limitation imposed by the kernel's iptables firewall,
3345 which Calico uses to enforce the rule.
3348 description: Match on a specific ICMP type. For example
3349 a value of 8 refers to ICMP Echo Request (i.e. pings).
3356 description: NotProtocol is the negated version of the Protocol
3359 x-kubernetes-int-or-string: true
3364 description: "Protocol is an optional field that restricts the
3365 rule to only apply to traffic of a specific IP protocol. Required
3366 if any of the EntityRules contain Ports (because ports only
3367 apply to certain protocols). \n Must be one of these string
3368 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3369 \"UDPLite\" or an integer in the range 1-255."
3371 x-kubernetes-int-or-string: true
3373 description: Source contains the match criteria that apply to
3377 description: "NamespaceSelector is an optional field that
3378 contains a selector expression. Only traffic that originates
3379 from (or terminates at) endpoints within the selected
3380 namespaces will be matched. When both NamespaceSelector
3381 and another selector are defined on the same rule, then
3382 only workload endpoints that are matched by both selectors
3383 will be selected by the rule. \n For NetworkPolicy, an
3384 empty NamespaceSelector implies that the Selector is limited
3385 to selecting only workload endpoints in the same namespace
3386 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3387 NamespaceSelector implies that the Selector is limited
3388 to selecting only GlobalNetworkSet or HostEndpoint. \n
3389 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3390 the Selector applies to workload endpoints across all
3394 description: Nets is an optional field that restricts the
3395 rule to only apply to traffic that originates from (or
3396 terminates at) IP addresses in any of the given subnets.
3401 description: NotNets is the negated version of the Nets
3407 description: NotPorts is the negated version of the Ports
3408 field. Since only some protocols have ports, if any ports
3409 are specified it requires the Protocol match in the Rule
3410 to be set to "TCP" or "UDP".
3416 x-kubernetes-int-or-string: true
3419 description: NotSelector is the negated version of the Selector
3420 field. See Selector field for subtleties with negated
3424 description: "Ports is an optional field that restricts
3425 the rule to only apply to traffic that has a source (destination)
3426 port that matches one of these ranges/values. This value
3427 is a list of integers or strings that represent ranges
3428 of ports. \n Since only some protocols have ports, if
3429 any ports are specified it requires the Protocol match
3430 in the Rule to be set to \"TCP\" or \"UDP\"."
3436 x-kubernetes-int-or-string: true
3439 description: "Selector is an optional field that contains
3440 a selector expression (see Policy for sample syntax).
3441 \ Only traffic that originates from (terminates at) endpoints
3442 matching the selector will be matched. \n Note that: in
3443 addition to the negated version of the Selector (see NotSelector
3444 below), the selector expression syntax itself supports
3445 negation. The two types of negation are subtly different.
3446 One negates the set of matched endpoints, the other negates
3447 the whole match: \n \tSelector = \"!has(my_label)\" matches
3448 packets that are from other Calico-controlled \tendpoints
3449 that do not have the label \"my_label\". \n \tNotSelector
3450 = \"has(my_label)\" matches packets that are not from
3451 Calico-controlled \tendpoints that do have the label \"my_label\".
3452 \n The effect is that the latter will accept packets from
3453 non-Calico sources whereas the former is limited to packets
3454 from Calico-controlled endpoints."
3457 description: ServiceAccounts is an optional field that restricts
3458 the rule to only apply to traffic that originates from
3459 (or terminates at) a pod running as a matching service
3463 description: Names is an optional field that restricts
3464 the rule to only apply to traffic that originates
3465 from (or terminates at) a pod running as a service
3466 account whose name is in the list.
3471 description: Selector is an optional field that restricts
3472 the rule to only apply to traffic that originates
3473 from (or terminates at) a pod running as a service
3474 account that matches the given label selector. If
3475 both Names and Selector are specified then they are
3480 description: "Services is an optional field that contains
3481 options for matching Kubernetes Services. If specified,
3482 only traffic that originates from or terminates at endpoints
3483 within the selected service(s) will be matched, and only
3484 to/from each endpoint's port. \n Services cannot be specified
3485 on the same rule as Selector, NotSelector, NamespaceSelector,
3486 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3487 can only be specified with Services on ingress rules."
3490 description: Name specifies the name of a Kubernetes
3494 description: Namespace specifies the namespace of the
3495 given Service. If left empty, the rule will match
3496 within this policy's namespace.
3505 description: The ordered set of ingress rules. Each rule contains
3506 a set of packet match criteria and a corresponding action to apply.
3508 description: "A Rule encapsulates a set of match criteria and an
3509 action. Both selector-based security Policy and security Profiles
3510 reference rules - separated out as a list of rules for both ingress
3511 and egress packet matching. \n Each positive match criteria has
3512 a negated version, prefixed with \"Not\". All the match criteria
3513 within a rule must be satisfied for a packet to match. A single
3514 rule can contain the positive and negative version of a match
3515 and both must be satisfied for the rule to match."
3520 description: Destination contains the match criteria that apply
3521 to destination entity.
3524 description: "NamespaceSelector is an optional field that
3525 contains a selector expression. Only traffic that originates
3526 from (or terminates at) endpoints within the selected
3527 namespaces will be matched. When both NamespaceSelector
3528 and another selector are defined on the same rule, then
3529 only workload endpoints that are matched by both selectors
3530 will be selected by the rule. \n For NetworkPolicy, an
3531 empty NamespaceSelector implies that the Selector is limited
3532 to selecting only workload endpoints in the same namespace
3533 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3534 NamespaceSelector implies that the Selector is limited
3535 to selecting only GlobalNetworkSet or HostEndpoint. \n
3536 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3537 the Selector applies to workload endpoints across all
3541 description: Nets is an optional field that restricts the
3542 rule to only apply to traffic that originates from (or
3543 terminates at) IP addresses in any of the given subnets.
3548 description: NotNets is the negated version of the Nets
3554 description: NotPorts is the negated version of the Ports
3555 field. Since only some protocols have ports, if any ports
3556 are specified it requires the Protocol match in the Rule
3557 to be set to "TCP" or "UDP".
3563 x-kubernetes-int-or-string: true
3566 description: NotSelector is the negated version of the Selector
3567 field. See Selector field for subtleties with negated
3571 description: "Ports is an optional field that restricts
3572 the rule to only apply to traffic that has a source (destination)
3573 port that matches one of these ranges/values. This value
3574 is a list of integers or strings that represent ranges
3575 of ports. \n Since only some protocols have ports, if
3576 any ports are specified it requires the Protocol match
3577 in the Rule to be set to \"TCP\" or \"UDP\"."
3583 x-kubernetes-int-or-string: true
3586 description: "Selector is an optional field that contains
3587 a selector expression (see Policy for sample syntax).
3588 \ Only traffic that originates from (terminates at) endpoints
3589 matching the selector will be matched. \n Note that: in
3590 addition to the negated version of the Selector (see NotSelector
3591 below), the selector expression syntax itself supports
3592 negation. The two types of negation are subtly different.
3593 One negates the set of matched endpoints, the other negates
3594 the whole match: \n \tSelector = \"!has(my_label)\" matches
3595 packets that are from other Calico-controlled \tendpoints
3596 that do not have the label \"my_label\". \n \tNotSelector
3597 = \"has(my_label)\" matches packets that are not from
3598 Calico-controlled \tendpoints that do have the label \"my_label\".
3599 \n The effect is that the latter will accept packets from
3600 non-Calico sources whereas the former is limited to packets
3601 from Calico-controlled endpoints."
3604 description: ServiceAccounts is an optional field that restricts
3605 the rule to only apply to traffic that originates from
3606 (or terminates at) a pod running as a matching service
3610 description: Names is an optional field that restricts
3611 the rule to only apply to traffic that originates
3612 from (or terminates at) a pod running as a service
3613 account whose name is in the list.
3618 description: Selector is an optional field that restricts
3619 the rule to only apply to traffic that originates
3620 from (or terminates at) a pod running as a service
3621 account that matches the given label selector. If
3622 both Names and Selector are specified then they are
3627 description: "Services is an optional field that contains
3628 options for matching Kubernetes Services. If specified,
3629 only traffic that originates from or terminates at endpoints
3630 within the selected service(s) will be matched, and only
3631 to/from each endpoint's port. \n Services cannot be specified
3632 on the same rule as Selector, NotSelector, NamespaceSelector,
3633 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3634 can only be specified with Services on ingress rules."
3637 description: Name specifies the name of a Kubernetes
3641 description: Namespace specifies the namespace of the
3642 given Service. If left empty, the rule will match
3643 within this policy's namespace.
3648 description: HTTP contains match criteria that apply to HTTP
3652 description: Methods is an optional field that restricts
3653 the rule to apply only to HTTP requests that use one of
3654 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3655 methods are OR'd together.
3660 description: 'Paths is an optional field that restricts
3661 the rule to apply to HTTP requests that use one of the
3662 listed HTTP Paths. Multiple paths are OR''d together.
3663 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3664 ONLY specify either an `exact` or a `prefix` match. The
3665 validator will check for it.'
3667 description: 'HTTPPath specifies an HTTP path to match.
3668 It may be either of the form: exact: <path>: which matches
3669 the path exactly or prefix: <path-prefix>: which matches
3680 description: ICMP is an optional field that restricts the rule
3681 to apply to a specific type and code of ICMP traffic. This
3682 should only be specified if the Protocol field is set to "ICMP"
3686 description: Match on a specific ICMP code. If specified,
3687 the Type value must also be specified. This is a technical
3688 limitation imposed by the kernel's iptables firewall,
3689 which Calico uses to enforce the rule.
3692 description: Match on a specific ICMP type. For example
3693 a value of 8 refers to ICMP Echo Request (i.e. pings).
3697 description: IPVersion is an optional field that restricts the
3698 rule to only match a specific IP version.
3701 description: Metadata contains additional information for this
3705 additionalProperties:
3707 description: Annotations is a set of key value pairs that
3708 give extra information about the rule
3712 description: NotICMP is the negated version of the ICMP field.
3715 description: Match on a specific ICMP code. If specified,
3716 the Type value must also be specified. This is a technical
3717 limitation imposed by the kernel's iptables firewall,
3718 which Calico uses to enforce the rule.
3721 description: Match on a specific ICMP type. For example
3722 a value of 8 refers to ICMP Echo Request (i.e. pings).
3729 description: NotProtocol is the negated version of the Protocol
3732 x-kubernetes-int-or-string: true
3737 description: "Protocol is an optional field that restricts the
3738 rule to only apply to traffic of a specific IP protocol. Required
3739 if any of the EntityRules contain Ports (because ports only
3740 apply to certain protocols). \n Must be one of these string
3741 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3742 \"UDPLite\" or an integer in the range 1-255."
3744 x-kubernetes-int-or-string: true
3746 description: Source contains the match criteria that apply to
3750 description: "NamespaceSelector is an optional field that
3751 contains a selector expression. Only traffic that originates
3752 from (or terminates at) endpoints within the selected
3753 namespaces will be matched. When both NamespaceSelector
3754 and another selector are defined on the same rule, then
3755 only workload endpoints that are matched by both selectors
3756 will be selected by the rule. \n For NetworkPolicy, an
3757 empty NamespaceSelector implies that the Selector is limited
3758 to selecting only workload endpoints in the same namespace
3759 as the NetworkPolicy. \n For NetworkPolicy, `global()`
3760 NamespaceSelector implies that the Selector is limited
3761 to selecting only GlobalNetworkSet or HostEndpoint. \n
3762 For GlobalNetworkPolicy, an empty NamespaceSelector implies
3763 the Selector applies to workload endpoints across all
3767 description: Nets is an optional field that restricts the
3768 rule to only apply to traffic that originates from (or
3769 terminates at) IP addresses in any of the given subnets.
3774 description: NotNets is the negated version of the Nets
3780 description: NotPorts is the negated version of the Ports
3781 field. Since only some protocols have ports, if any ports
3782 are specified it requires the Protocol match in the Rule
3783 to be set to "TCP" or "UDP".
3789 x-kubernetes-int-or-string: true
3792 description: NotSelector is the negated version of the Selector
3793 field. See Selector field for subtleties with negated
3797 description: "Ports is an optional field that restricts
3798 the rule to only apply to traffic that has a source (destination)
3799 port that matches one of these ranges/values. This value
3800 is a list of integers or strings that represent ranges
3801 of ports. \n Since only some protocols have ports, if
3802 any ports are specified it requires the Protocol match
3803 in the Rule to be set to \"TCP\" or \"UDP\"."
3809 x-kubernetes-int-or-string: true
3812 description: "Selector is an optional field that contains
3813 a selector expression (see Policy for sample syntax).
3814 \ Only traffic that originates from (terminates at) endpoints
3815 matching the selector will be matched. \n Note that: in
3816 addition to the negated version of the Selector (see NotSelector
3817 below), the selector expression syntax itself supports
3818 negation. The two types of negation are subtly different.
3819 One negates the set of matched endpoints, the other negates
3820 the whole match: \n \tSelector = \"!has(my_label)\" matches
3821 packets that are from other Calico-controlled \tendpoints
3822 that do not have the label \"my_label\". \n \tNotSelector
3823 = \"has(my_label)\" matches packets that are not from
3824 Calico-controlled \tendpoints that do have the label \"my_label\".
3825 \n The effect is that the latter will accept packets from
3826 non-Calico sources whereas the former is limited to packets
3827 from Calico-controlled endpoints."
3830 description: ServiceAccounts is an optional field that restricts
3831 the rule to only apply to traffic that originates from
3832 (or terminates at) a pod running as a matching service
3836 description: Names is an optional field that restricts
3837 the rule to only apply to traffic that originates
3838 from (or terminates at) a pod running as a service
3839 account whose name is in the list.
3844 description: Selector is an optional field that restricts
3845 the rule to only apply to traffic that originates
3846 from (or terminates at) a pod running as a service
3847 account that matches the given label selector. If
3848 both Names and Selector are specified then they are
3853 description: "Services is an optional field that contains
3854 options for matching Kubernetes Services. If specified,
3855 only traffic that originates from or terminates at endpoints
3856 within the selected service(s) will be matched, and only
3857 to/from each endpoint's port. \n Services cannot be specified
3858 on the same rule as Selector, NotSelector, NamespaceSelector,
3859 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3860 can only be specified with Services on ingress rules."
3863 description: Name specifies the name of a Kubernetes
3867 description: Namespace specifies the namespace of the
3868 given Service. If left empty, the rule will match
3869 within this policy's namespace.
3878 description: Order is an optional field that specifies the order in
3879 which the policy is applied. Policies with higher "order" are applied
3880 after those with lower order. If the order is omitted, it may be
3881 considered to be "infinite" - i.e. the policy will be applied last. Policies
3882 with identical order will be applied in alphanumerical order based
3883 on the Policy "Name".
3886 description: "The selector is an expression used to pick out
3887 the endpoints that the policy should be applied to. \n Selector
3888 expressions follow this syntax: \n \tlabel == \"string_literal\"
3889 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3890 \ -> not equal; also matches if label is not present \tlabel in
3891 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3892 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3893 ... } -> true if the value of label X is not one of \"a\", \"b\",
3894 \"c\" \thas(label_name) -> True if that label is present \t! expr
3895 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3896 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3897 or the empty selector -> matches all endpoints. \n Label names are
3898 allowed to contain alphanumerics, -, _ and /. String literals are
3899 more permissive but they do not support escape characters. \n Examples
3900 (with made-up labels): \n \ttype == \"webserver\" && deployment
3901 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3902 \"dev\" \t! has(label_name)"
3904 serviceAccountSelector:
3905 description: ServiceAccountSelector is an optional field for an expression
3906 used to select a pod based on service accounts.
3909 description: "Types indicates whether this policy applies to ingress,
3910 or to egress, or to both. When not explicitly specified (and so
3911 the value on creation is empty or nil), Calico defaults Types according
3912 to what Ingress and Egress are present in the policy. The default
3913 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3914 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3915 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3916 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3917 \n When the policy is read back again, Types will always be one
3918 of these values, never empty or nil."
3920 description: PolicyType enumerates the possible values of the PolicySpec
# CRD: NetworkSet (the namespaced equivalent of GlobalNetworkSet). This document
# only registers the schema; a NetworkSet instance carries a list of IP networks.
3936 apiVersion: apiextensions.k8s.io/v1
3937 kind: CustomResourceDefinition
3939 name: networksets.crd.projectcalico.org
3941 group: crd.projectcalico.org
3944 listKind: NetworkSetList
3946 singular: networkset
3952 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3955 description: 'APIVersion defines the versioned schema of this representation
3956 of an object. Servers should convert recognized schemas to the latest
3957 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3960 description: 'Kind is a string value representing the REST resource this
3961 object represents. Servers may infer this from the endpoint the client
3962 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3967 description: NetworkSetSpec contains the specification for a NetworkSet
# The nets list is the whole payload of a NetworkSet; everything else is metadata.
3971 description: The list of IP networks that belong to this set.
3988 # Source: calico/templates/calico-kube-controllers-rbac.yaml
3990 # Include a clusterrole for the kube-controllers component,
3991 # and bind it to the calico-kube-controllers serviceaccount.
# NOTE(review): this is a cluster-scoped role; the verbs for most of the rules
# below are not visible in this excerpt, so audit them against least privilege
# before reusing the manifest.
3993 apiVersion: rbac.authorization.k8s.io/v1
3995 name: calico-kube-controllers
3997 # Nodes are watched to monitor for deletions.
4005 # Pods are watched to check for existence as part of IPAM controller.
4013 # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
4014 - apiGroups: ["crd.projectcalico.org"]
4019 - apiGroups: ["crd.projectcalico.org"]
4031 # Pools are watched to maintain a mapping of blocks to IP pools.
4032 - apiGroups: ["crd.projectcalico.org"]
4038 # kube-controllers manages hostendpoints.
4039 - apiGroups: ["crd.projectcalico.org"]
4048 # Needs access to update clusterinformations.
4049 - apiGroups: ["crd.projectcalico.org"]
4051 - clusterinformations
4058 # KubeControllersConfiguration is where it gets its config
4059 - apiGroups: ["crd.projectcalico.org"]
4061 - kubecontrollersconfigurations
4063 # read its own config
4065 # create a default if none exists
# Binds the role above to the calico-kube-controllers ServiceAccount in
# kube-system; every pod that runs as that ServiceAccount inherits all of the
# rules above, so keep the subject list to that single account.
4072 kind: ClusterRoleBinding
4073 apiVersion: rbac.authorization.k8s.io/v1
4075 name: calico-kube-controllers
4077 apiGroup: rbac.authorization.k8s.io
4079 name: calico-kube-controllers
4081 - kind: ServiceAccount
4082 name: calico-kube-controllers
4083 namespace: kube-system
4087 # Source: calico/templates/calico-node-rbac.yaml
4088 # Include a clusterrole for the calico-node DaemonSet,
4089 # and bind it to the calico-node serviceaccount.
# NOTE(review): calico-node is a DaemonSet (see the calico-node manifest below),
# so this cluster-scoped role is held by a pod on every node; any rule added
# here widens what a compromised node-level pod could do cluster-wide.
4091 apiVersion: rbac.authorization.k8s.io/v1
4095 # The CNI plugin needs to get pods, nodes, and namespaces.
4103 # EndpointSlices are used for Service-based network policy rule
4105 - apiGroups: ["discovery.k8s.io"]
4116 # Used to discover service IPs for advertisement.
4119 # Used to discover Typhas.
4121 # Pod CIDR auto-detection on kubeadm needs access to config maps.
4131 # Needed for clearing NodeNetworkUnavailable flag.
4133 # Calico stores some configuration information in node annotations.
4135 # Watch for changes to Kubernetes NetworkPolicies.
4136 - apiGroups: ["networking.k8s.io"]
4142 # Used by Calico for policy information.
4151 # The CNI plugin patches pods/status.
4157 # Calico monitors various CRDs for config.
4158 - apiGroups: ["crd.projectcalico.org"]
4160 - globalfelixconfigs
4161 - felixconfigurations
4168 - globalnetworkpolicies
4172 - clusterinformations
4175 - caliconodestatuses
4180 # Calico must create and update some CRDs on startup.
4181 - apiGroups: ["crd.projectcalico.org"]
4184 - felixconfigurations
4185 - clusterinformations
4189 # Calico must update some CRDs.
4190 - apiGroups: [ "crd.projectcalico.org" ]
4192 - caliconodestatuses
4195 # Calico stores some configuration information on the node.
4203 # These permissions are only required for upgrade from v2.6, and can
4204 # be removed after upgrade or on fresh installations.
# NOTE(review): on a fresh install drop this rule rather than carrying it
# forward; its resources and verbs are not shown in this excerpt, so check
# them in the full manifest before removing.
4205 - apiGroups: ["crd.projectcalico.org"]
4212 # These permissions are required for Calico CNI to perform IPAM allocations.
4213 - apiGroups: ["crd.projectcalico.org"]
4224 - apiGroups: ["crd.projectcalico.org"]
4229 # Block affinities must also be watchable by confd for route aggregation.
4230 - apiGroups: ["crd.projectcalico.org"]
4235 # The Calico IPAM migration needs to get daemonsets. These permissions can be
4236 # removed if not upgrading from an installation using host-local IPAM.
# NOTE(review): same as the v2.6 rule above — migration-only access that a
# fresh install does not need.
4237 - apiGroups: ["apps"]
# Binds the role above to the calico-node ServiceAccount in kube-system; the
# subject's name line is not visible in this excerpt.
4244 apiVersion: rbac.authorization.k8s.io/v1
4245 kind: ClusterRoleBinding
4249 apiGroup: rbac.authorization.k8s.io
4253 - kind: ServiceAccount
4255 namespace: kube-system
4258 # Source: calico/templates/calico-node.yaml
4259 # This manifest installs the calico-node container, as well
4260 # as the CNI plugins and network config on
4261 # each master and worker node in a Kubernetes cluster.
4266 namespace: kube-system
4268 k8s-app: calico-node
4272 k8s-app: calico-node
4280 k8s-app: calico-node
4283 kubernetes.io/os: linux
4286 # Make sure calico-node gets scheduled on all nodes.
4287 - effect: NoSchedule
4289 # Mark the pod as a critical add-on for rescheduling.
4290 - key: CriticalAddonsOnly
4294 serviceAccountName: calico-node
4295 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
4296 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
4297 terminationGracePeriodSeconds: 0
4298 priorityClassName: system-node-critical
4300 # This container performs upgrade from host-local IPAM to calico-ipam.
4301 # It can be deleted if this is a fresh installation, or if you have already
4302 # upgraded to use calico-ipam.
4303 - name: upgrade-ipam
4304 image: docker.io/calico/cni:v3.23.1
4305 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
4308 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4309 name: kubernetes-services-endpoint
4312 - name: KUBERNETES_NODE_NAME
4315 fieldPath: spec.nodeName
4316 - name: CALICO_NETWORKING_BACKEND
4322 - mountPath: /var/lib/cni/networks
4323 name: host-local-net-dir
4324 - mountPath: /host/opt/cni/bin
4328 # This container installs the CNI binaries
4329 # and CNI network config file on each node.
4331 image: docker.io/calico/cni:v3.23.1
4332 command: ["/opt/cni/bin/install"]
4335 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4336 name: kubernetes-services-endpoint
4339 # Name of the CNI config file to create.
4340 - name: CNI_CONF_NAME
4341 value: "10-calico.conflist"
4342 # The CNI network config to install on each node.
4343 - name: CNI_NETWORK_CONFIG
4347 key: cni_network_config
4348 # Set the hostname based on the k8s node name.
4349 - name: KUBERNETES_NODE_NAME
4352 fieldPath: spec.nodeName
4353 # CNI MTU Config variable
4359 # Prevents the container from sleeping forever.
4363 - mountPath: /host/opt/cni/bin
4365 - mountPath: /host/etc/cni/net.d
4370 # Runs calico-node container on each Kubernetes node. This
4371 # container programs network policy and routes on each
# NOTE(review): pinned by tag only; a digest pin (docker.io/calico/node:v3.23.1@sha256:<digest-placeholder>)
# fixes exactly which build programs policy on every node.
4374 image: docker.io/calico/node:v3.23.1
4377 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
4378 name: kubernetes-services-endpoint
4381 # Use Kubernetes API as the backing datastore.
4382 - name: DATASTORE_TYPE
4384 # Wait for the datastore.
4385 - name: WAIT_FOR_DATASTORE
4387 # Set based on the k8s node name.
4391 fieldPath: spec.nodeName
4392 # Choose the backend to use.
4393 - name: CALICO_NETWORKING_BACKEND
4398 # Cluster type to identify the deployment type
4399 - name: CLUSTER_TYPE
4401 # Auto-detect the BGP IP address.
4404 - name: IP_AUTODETECTION_METHOD
# NOTE(review): can-reach=8.8.8.8 picks the interface whose route reaches a public address. On nodes
# without default egress (air-gapped or egress-filtered) this can select the wrong NIC or fail; an
# interface= method ties BGP peering to a known interface instead. Confirm against node topology.
4405 value: "can-reach=8.8.8.8"
# Enable or Disable IPIP on the default IP pool.
4407 - name: CALICO_IPV4POOL_IPIP
4409 # Enable or Disable VXLAN on the default IP pool.
4410 - name: CALICO_IPV4POOL_VXLAN
4412 # Enable or Disable VXLAN on the default IPv6 IP pool.
4413 - name: CALICO_IPV6POOL_VXLAN
4415 # Set MTU for tunnel device used if ipip is enabled
4416 - name: FELIX_IPINIPMTU
4421 # Set MTU for the VXLAN tunnel device.
4422 - name: FELIX_VXLANMTU
4427 # Set MTU for the Wireguard tunnel device.
4428 - name: FELIX_WIREGUARDMTU
4433 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
4434 # chosen from this range. Changing this value after installation will have
4435 # no effect. This should fall within `--cluster-cidr`.
# NOTE(review): 192.168.0.0/16 overlaps common on-prem/LAN ranges; if node or external networks use
# it, pod routes will shadow them. Confirm it matches the API server's --cluster-cidr before install.
4436 - name: CALICO_IPV4POOL_CIDR
4437 value: "192.168.0.0/16"
4438 # Disable file logging so `kubectl logs` works.
4439 - name: CALICO_DISABLE_FILE_LOGGING
4441 # Set Felix endpoint to host default action to ACCEPT.
# NOTE(review): with ACCEPT, traffic from local workloads to the host's own addresses is accepted by
# Felix instead of being dropped (the Felix default) or returned to host-level rules; confirm that
# pod-to-host traffic (kubelet, node services) is covered by host endpoint policy — value line not shown here.
4442 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
4444 # Disable IPv6 on Kubernetes.
# NOTE(review): with IPv6 support off, Felix presumably does not program ip6tables for workloads; if
# nodes still have IPv6 enabled, pod IPv6 traffic is not policy-enforced — confirm IPv6 is off on hosts.
4445 - name: FELIX_IPV6SUPPORT
4447 - name: FELIX_HEALTHENABLED
4467 initialDelaySeconds: 10
4479 # For maintaining CNI plugin API credentials.
4480 - mountPath: /host/etc/cni/net.d
4483 - mountPath: /lib/modules
4486 - mountPath: /run/xtables.lock
4489 - mountPath: /var/run/calico
4490 name: var-run-calico
4492 - mountPath: /var/lib/calico
4493 name: var-lib-calico
4496 mountPath: /var/run/nodeagent
4497 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
4501 # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
4502 # If the host is known to mount that filesystem already then Bidirectional can be omitted.
# NOTE(review): Kubernetes only permits Bidirectional propagation for privileged containers (the
# securityContext is not in this excerpt); together with the host path mounts this pod is effectively
# node-root, so its admission/PSA exemption should stay scoped to kube-system.
4503 mountPropagation: Bidirectional
4505 mountPath: /var/log/calico/cni
4508 # Used by calico-node.
# All volumes in this section are host paths on the node (path:/type: fields); whoever can write
# them controls CNI binaries, CNI config and the xtables lock. Keep the DaemonSet's RBAC and any
# admission exemption limited to kube-system.
4512 - name: var-run-calico
4514 path: /var/run/calico
4515 - name: var-lib-calico
4517 path: /var/lib/calico
4518 - name: xtables-lock
4520 path: /run/xtables.lock
4525 type: DirectoryOrCreate
4526 # Used to install CNI.
# The kubelet reads its CNI config from this directory, and the CNI kubeconfig credential is
# written here too (see the "CNI plugin API credentials" mount above).
4532 path: /etc/cni/net.d
4533 # Used to access CNI logs.
4536 path: /var/log/calico/cni
4537 # Mount in the directory for host-local IPAM allocations. This is
4538 # used when upgrading from host-local to calico-ipam, and can be removed
4539 # if not using the upgrade-ipam init container.
4540 - name: host-local-net-dir
4542 path: /var/lib/cni/networks
4543 # Used to create per-pod Unix Domain Sockets
4546 type: DirectoryOrCreate
4547 path: /var/run/nodeagent
# ServiceAccount presumably used by the calico-node DaemonSet above; its name and the
# ClusterRoleBinding that grants its permissions are not in this excerpt.
4551 kind: ServiceAccount
4554 namespace: kube-system
4557 # Source: calico/templates/calico-kube-controllers.yaml
4558 # See https://github.com/projectcalico/kube-controllers
4562 name: calico-kube-controllers
4563 namespace: kube-system
4565 k8s-app: calico-kube-controllers
4567 # The controllers can only have a single active instance.
4571 k8s-app: calico-kube-controllers
4576 name: calico-kube-controllers
4577 namespace: kube-system
4579 k8s-app: calico-kube-controllers
4582 kubernetes.io/os: linux
4584 # Mark the pod as a critical add-on for rescheduling.
4585 - key: CriticalAddonsOnly
# NOTE(review): only the legacy master taint is tolerated here; clusters whose control-plane nodes
# carry the node-role.kubernetes.io/control-plane taint need a matching toleration (effect line not shown).
4587 - key: node-role.kubernetes.io/master
4589 serviceAccountName: calico-kube-controllers
4590 priorityClassName: system-cluster-critical
4592 - name: calico-kube-controllers
# NOTE(review): pinned by tag only; add a digest (docker.io/calico/kube-controllers:v3.23.1@sha256:<digest-placeholder>)
# so the controller that holds cluster-wide Calico RBAC cannot be swapped by a tag re-push.
4593 image: docker.io/calico/kube-controllers:v3.23.1
4595 # Choose which controllers to run.
4596 - name: ENABLED_CONTROLLERS
4598 - name: DATASTORE_TYPE
4603 - /usr/bin/check-status
4606 initialDelaySeconds: 10
4612 - /usr/bin/check-status
# ServiceAccount referenced by serviceAccountName in the calico-kube-controllers Deployment above;
# its ClusterRoleBinding is outside this excerpt.
4619 kind: ServiceAccount
4621 name: calico-kube-controllers
4622 namespace: kube-system
4626 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
# NOTE(review): the minAvailable/maxUnavailable line is not in this excerpt. The Deployment runs a
# single active instance, so a minAvailable of 1 would block node drains; maxUnavailable: 1 is the
# setting that lets the autoscaler evict it.
4628 apiVersion: policy/v1
4629 kind: PodDisruptionBudget
4631 name: calico-kube-controllers
4632 namespace: kube-system
4634 k8s-app: calico-kube-controllers
4639 k8s-app: calico-kube-controllers
4642 # Source: calico/templates/calico-etcd-secrets.yaml
4645 # Source: calico/templates/calico-typha.yaml
4648 # Source: calico/templates/configure-canal.yaml