-# yamllint disable rule:hyphens rule:commas rule:indentation rule:line-length rule:comments rule:comments-indentation
---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
64512]'
format: int32
type: integer
+ bindMode:
+ description: BindMode indicates whether to listen for BGP connections
+ on all addresses (None) or only on the node's canonical IP address
+ Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
+ for BGP connections on all addresses.
+ type: string
communities:
description: Communities is a list of BGP community values and their
arbitrary names for tagging routes.
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: INFO]'
type: string
+ nodeMeshMaxRestartTime:
+ description: Time to allow for software restart for node-to-mesh peerings. When
+ specified, this is configured as the graceful restart timeout. When
+ not specified, the BIRD default of 120s is used. This field can
+ only be set on the default BGPConfiguration instance and requires
+ that NodeMesh is enabled
+ type: string
+ nodeMeshPassword:
+ description: Optional BGP password for full node-to-mesh peerings.
+ This field can only be set on the default BGPConfiguration instance
+ and requires that NodeMesh is enabled
+ properties:
+ secretKeyRef:
+ description: Selects a key of a secret in the node pod's namespace.
+ properties:
+ key:
+ description: The key of the secret to select from. Must be
+ a valid secret key.
+ type: string
+ name:
+ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ TODO: Add other useful fields. apiVersion, kind, uid?'
+ type: string
+ optional:
+ description: Specify whether the Secret or its key must be
+ defined
+ type: boolean
+ required:
+ - key
+ type: object
+ type: object
nodeToNodeMeshEnabled:
description: 'NodeToNodeMeshEnabled sets whether full node to node
BGP mesh is enabled. [Default: true]'
Peers node to use the "next hop keep;" instead of "next hop self;"(default)
in the specific branch of the Node on "bird.cfg".
type: boolean
+ maxRestartTime:
+ description: Time to allow for software restart. When specified,
+ this is configured as the graceful restart timeout. When not specified,
+ the BIRD default of 120s is used.
+ type: string
node:
description: The node name identifying the Calico node instance that
is targeted by this peer. If this is not set, and no nodeSelector
description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty.
type: string
+ numAllowedLocalASNumbers:
+ description: Maximum number of local AS numbers that are allowed in
+ the AS path for received routes. This removes BGP loop prevention
+ and should only be used if absolutely necesssary.
+ format: int32
+ type: integer
password:
description: Optional BGP password for the peerings generated by this
BGPPeer resource.
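Review bot: The new description at L71 misspells `necessary` as `necesssary`, and the other generated descriptions in this diff carry `en explicit` (L217, L240), `intepreted` (L365) and a missing space in `Deprecates`RouteTableRange`` (L593). These strings are shown verbatim by `kubectl explain`, so they are worth correcting even though the change is documentation only. Since the header marks this manifest as rendered from `calico/templates`, the fix presumably belongs in the upstream Go type comments the CRDs are generated from rather than in this file.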
conditions: []
storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (devel)
+ creationTimestamp: null
+ name: caliconodestatuses.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: CalicoNodeStatus
+ listKind: CalicoNodeStatusList
+ plural: caliconodestatuses
+ singular: caliconodestatus
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
+ resource.
+ properties:
+ classes:
+ description: Classes declares the types of information to monitor
+ for this calico/node, and allows for selective status reporting
+ about certain subsets of information.
+ items:
+ type: string
+ type: array
+ node:
+ description: The node name identifies the Calico node instance for
+ node status.
+ type: string
+ updatePeriodSeconds:
+ description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
+ should be updated. Set to 0 to disable CalicoNodeStatus refresh.
+ Maximum update period is one day.
+ format: int32
+ type: integer
+ type: object
+ status:
+ description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
+ No validation needed for status since it is updated by Calico.
+ properties:
+ agent:
+ description: Agent holds agent status on the node.
+ properties:
+ birdV4:
+ description: BIRDV4 represents the latest observed status of bird4.
+ properties:
+ lastBootTime:
+ description: LastBootTime holds the value of lastBootTime
+ from bird.ctl output.
+ type: string
+ lastReconfigurationTime:
+ description: LastReconfigurationTime holds the value of lastReconfigTime
+ from bird.ctl output.
+ type: string
+ routerID:
+ description: Router ID used by bird.
+ type: string
+ state:
+ description: The state of the BGP Daemon.
+ type: string
+ version:
+ description: Version of the BGP daemon
+ type: string
+ type: object
+ birdV6:
+ description: BIRDV6 represents the latest observed status of bird6.
+ properties:
+ lastBootTime:
+ description: LastBootTime holds the value of lastBootTime
+ from bird.ctl output.
+ type: string
+ lastReconfigurationTime:
+ description: LastReconfigurationTime holds the value of lastReconfigTime
+ from bird.ctl output.
+ type: string
+ routerID:
+ description: Router ID used by bird.
+ type: string
+ state:
+ description: The state of the BGP Daemon.
+ type: string
+ version:
+ description: Version of the BGP daemon
+ type: string
+ type: object
+ type: object
+ bgp:
+ description: BGP holds node BGP status.
+ properties:
+ numberEstablishedV4:
+ description: The total number of IPv4 established bgp sessions.
+ type: integer
+ numberEstablishedV6:
+ description: The total number of IPv6 established bgp sessions.
+ type: integer
+ numberNotEstablishedV4:
+ description: The total number of IPv4 non-established bgp sessions.
+ type: integer
+ numberNotEstablishedV6:
+ description: The total number of IPv6 non-established bgp sessions.
+ type: integer
+ peersV4:
+ description: PeersV4 represents IPv4 BGP peers status on the node.
+ items:
+ description: CalicoNodePeer contains the status of BGP peers
+ on the node.
+ properties:
+ peerIP:
+ description: IP address of the peer whose condition we are
+ reporting.
+ type: string
+ since:
+ description: Since the state or reason last changed.
+ type: string
+ state:
+ description: State is the BGP session state.
+ type: string
+ type:
+ description: Type indicates whether this peer is configured
+ via the node-to-node mesh, or via en explicit global or
+ per-node BGPPeer object.
+ type: string
+ type: object
+ type: array
+ peersV6:
+ description: PeersV6 represents IPv6 BGP peers status on the node.
+ items:
+ description: CalicoNodePeer contains the status of BGP peers
+ on the node.
+ properties:
+ peerIP:
+ description: IP address of the peer whose condition we are
+ reporting.
+ type: string
+ since:
+ description: Since the state or reason last changed.
+ type: string
+ state:
+ description: State is the BGP session state.
+ type: string
+ type:
+ description: Type indicates whether this peer is configured
+ via the node-to-node mesh, or via en explicit global or
+ per-node BGPPeer object.
+ type: string
+ type: object
+ type: array
+ required:
+ - numberEstablishedV4
+ - numberEstablishedV6
+ - numberNotEstablishedV4
+ - numberNotEstablishedV6
+ type: object
+ lastUpdated:
+ description: LastUpdated is a timestamp representing the server time
+ when CalicoNodeStatus object last updated. It is represented in
+ RFC3339 form and is in UTC.
+ format: date-time
+ nullable: true
+ type: string
+ routes:
+ description: Routes reports routes known to the Calico BGP daemon
+ on the node.
+ properties:
+ routesV4:
+ description: RoutesV4 represents IPv4 routes on the node.
+ items:
+ description: CalicoNodeRoute contains the status of BGP routes
+ on the node.
+ properties:
+ destination:
+ description: Destination of the route.
+ type: string
+ gateway:
+ description: Gateway for the destination.
+ type: string
+ interface:
+ description: Interface for the destination
+ type: string
+ learnedFrom:
+ description: LearnedFrom contains information regarding
+ where this route originated.
+ properties:
+ peerIP:
+ description: If sourceType is NodeMesh or BGPPeer, IP
+ address of the router that sent us this route.
+ type: string
+ sourceType:
+ description: Type of the source where a route is learned
+ from.
+ type: string
+ type: object
+ type:
+ description: Type indicates if the route is being used for
+ forwarding or not.
+ type: string
+ type: object
+ type: array
+ routesV6:
+ description: RoutesV6 represents IPv6 routes on the node.
+ items:
+ description: CalicoNodeRoute contains the status of BGP routes
+ on the node.
+ properties:
+ destination:
+ description: Destination of the route.
+ type: string
+ gateway:
+ description: Gateway for the destination.
+ type: string
+ interface:
+ description: Interface for the destination
+ type: string
+ learnedFrom:
+ description: LearnedFrom contains information regarding
+ where this route originated.
+ properties:
+ peerIP:
+ description: If sourceType is NodeMesh or BGPPeer, IP
+ address of the router that sent us this route.
+ type: string
+ sourceType:
+ description: Type of the source where a route is learned
+ from.
+ type: string
+ type: object
+ type:
+ description: Type indicates if the route is being used for
+ forwarding or not.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
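Review bot: The new `caliconodestatuses` CRD declares no `subresources` stanza under its version (L95-L334), so `status` is written through the main resource, and the description at L135-L136 states that no validation is applied to it; any principal granted `update` on this resource can therefore rewrite the BGP peer and route state that operators read from it. If that is intended, the RBAC shipped with this manifest should scope write access to the calico-node ServiceAccount — that binding is outside this hunk, so I could not confirm it. Separately, L84 records `controller-gen.kubebuilder.io/version: (devel)`, meaning the schema was produced by an untagged controller-gen build; regenerating with a released version makes the output reproducible.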
type: boolean
awsSrcDstCheck:
description: 'Set source-destination-check on AWS EC2 instances. Accepted
- value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
+ value must be one of "DoNothing", "Enable" or "Disable". [Default:
DoNothing]'
enum:
- DoNothing
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]'
type: boolean
+ bpfEnforceRPF:
+ description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
+ BPF programs regardless of what is the per-interfaces or global
+ setting. Possible values are Disabled or Strict. [Default: Strict]'
+ type: string
+ bpfExtToServiceConnmark:
+ description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
+ mark that is set on connections from an external client to a local
+ service. This mark allows us to control how packets of that connection
+ are routed within the host and how is routing intepreted by RPF
+ check. [Default: 0]'
+ type: integer
bpfExternalServiceMode:
description: 'BPFExternalServiceMode in BPF mode, controls how connections
from outside the cluster to services (node ports and cluster IPs)
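Review bot: `bpfEnforceRPF` (L356-L360) lists its accepted values in the description (`Disabled` or `Strict`, default `Strict`) but is declared as a bare `type: string`, so the API server accepts any value and a typo such as `strict` is only caught, or silently interpreted, by Felix at runtime. The `floatingIPs` field added later in this diff (L523-L530) shows the intended shape: a `default:` plus an `enum:` block. If the accepted set is exactly what the description says, I would add `default: Strict`, `enum:`, `- Disabled`, `- Strict` here. The same gap applies to `workloadSourceSpoofing` (L653-L658), which matters more because it gates whether workloads may send traffic with a source address that is not theirs; its description names only `Any` and says the feature is disabled by default, so the literal for the disabled state needs confirming before an enum is added.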
logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].'
type: string
+ bpfMapSizeConntrack:
+ description: 'BPFMapSizeConntrack sets the size for the conntrack
+ map. This map must be large enough to hold an entry for each active
+ connection. Warning: changing the size of the conntrack map can
+ cause disruption.'
+ type: integer
+ bpfMapSizeIPSets:
+ description: BPFMapSizeIPSets sets the size for ipsets map. The IP
+ sets map must be large enough to hold an entry for each endpoint
+ matched by every selector in the source/destination matches in network
+ policy. Selectors such as "all()" can result in large numbers of
+ entries (one entry per endpoint in that case).
+ type: integer
+ bpfMapSizeNATAffinity:
+ type: integer
+ bpfMapSizeNATBackend:
+ description: BPFMapSizeNATBackend sets the size for nat back end map.
+ This is the total number of endpoints. This is mostly more than
+ the size of the number of services.
+ type: integer
+ bpfMapSizeNATFrontend:
+ description: BPFMapSizeNATFrontend sets the size for nat front end
+ map. FrontendMap should be large enough to hold an entry for each
+ nodeport, external IP and each port in each service.
+ type: integer
+ bpfMapSizeRoute:
+ description: BPFMapSizeRoute sets the size for the routes map. The
+ routes map should be large enough to hold one entry per workload
+ and a handful of entries per host (enough to cover its own IPs and
+ tunnel IPs).
+ type: integer
+ bpfPSNATPorts:
+ anyOf:
+ - type: integer
+ - type: string
+ description: 'BPFPSNATPorts sets the range from which we randomly
+ pick a port if there is a source port collision. This should be
+ within the ephemeral range as defined by RFC 6056 (1024–65535) and
+ preferably outside the ephemeral ranges used by common operating
+ systems. Linux uses 32768–60999, while others mostly use the IANA
+ defined range 49152–65535. It is not necessarily a problem if this
+ range overlaps with the operating systems. Both ends of the range
+ are inclusive. [Default: 20000:29999]'
+ pattern: ^.*
+ x-kubernetes-int-or-string: true
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
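Review bot: `bpfMapSizeNATAffinity` (L387-L388) is the only `bpfMapSize*` field in this hunk without a `description`, so it will show an empty entry in `kubectl explain` next to its documented siblings. A one-liner in the style of the others, e.g. `description: BPFMapSizeNATAffinity sets the size for the NAT affinity map.`, would close that gap; the sizing guidance the siblings give would have to come from the Felix side. On `bpfPSNATPorts` (L405-L418), `pattern: ^.*` matches every string, so the `lo:hi` shape the description documents is not validated at admission; that is the usual controller-gen output for int-or-string fields, but a real pattern would reject malformed ranges before Felix sees them.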
Calico policy will be bypassed. [Default: insert]'
type: string
dataplaneDriver:
+ description: DataplaneDriver filename of the external dataplane driver
+ to use. Only used if UseInternalDataplaneDriver is set to false.
+ type: string
+ dataplaneWatchdogTimeout:
+ description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
+ used for Felix''s (internal) dataplane driver. Increase this value
+ if you experience spurious non-ready or non-live events when Felix
+ is under heavy load. Decrease the value to get felix to report non-live
+ or non-ready more quickly. [Default: 90s]'
type: string
debugDisableLogDropping:
type: boolean
routes, by default this will be RTPROT_BOOT when left blank.
type: integer
deviceRouteSourceAddress:
- description: This is the source address to use on programmed device
- routes. By default the source address is left blank, leaving the
- kernel to choose the source address used.
+ description: This is the IPv4 source address to use on programmed
+ device routes. By default the source address is left blank, leaving
+ the kernel to choose the source address used.
+ type: string
+ deviceRouteSourceAddressIPv6:
+ description: This is the IPv6 source address to use on programmed
+ device routes. By default the source address is left blank, leaving
+ the kernel to choose the source address used.
type: string
disableConntrackInvalidCheck:
type: boolean
type: string
type: array
failsafeInboundHostPorts:
- description: 'FailsafeInboundHostPorts is a comma-delimited list of
- UDP/TCP ports that Felix will allow incoming traffic to host endpoints
+ description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
+ and CIDRs that Felix will allow incoming traffic to host endpoints
on irrespective of the security policy. This is useful to avoid
- accidentally cutting off a host with incorrect configuration. Each
- port should be specified as tcp:<port-number> or udp:<port-number>.
- For back-compatibility, if the protocol is not specified, it defaults
- to "tcp". To disable all inbound host ports, use the value none.
- The default value allows ssh access and DHCP. [Default: tcp:22,
+ accidentally cutting off a host with incorrect configuration. For
+ back-compatibility, if the protocol is not specified, it defaults
+ to "tcp". If a CIDR is not specified, it will allow traffic from
+ all addresses. To disable all inbound host ports, use the value
+ none. The default value allows ssh access and DHCP. [Default: tcp:22,
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
items:
- description: ProtoPort is combination of protocol and port, both
- must be specified.
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
properties:
+ net:
+ type: string
port:
type: integer
protocol:
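Review bot: The new `net` property on the failsafe ProtoPort items (L479-L480) has no `description`, although the list description (L469-L470) explains what omitting a CIDR means. Failsafe rules are exempt from policy entirely, so this is the field where an operator most needs to see that an unset `net` means all addresses. I would add `description: Net is an optional CIDR that restricts the failsafe rule to that range; if not specified, traffic from all addresses is allowed.` The same property is added for `failsafeOutboundHostPorts` at L515-L516 and should get matching text. The `port` and `protocol` siblings (L481-L483) carry no description either, but that predates this change.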
type: object
type: array
failsafeOutboundHostPorts:
- description: 'FailsafeOutboundHostPorts is a comma-delimited list
- of UDP/TCP ports that Felix will allow outgoing traffic from host
- endpoints to irrespective of the security policy. This is useful
- to avoid accidentally cutting off a host with incorrect configuration.
- Each port should be specified as tcp:<port-number> or udp:<port-number>.
- For back-compatibility, if the protocol is not specified, it defaults
- to "tcp". To disable all outbound host ports, use the value none.
- The default value opens etcd''s standard ports to ensure that Felix
- does not get cut off from etcd as well as allowing DHCP and DNS.
- [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
- udp:53, udp:67]'
+ description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
+ and CIDRs that Felix will allow outgoing traffic from host endpoints
+ to irrespective of the security policy. This is useful to avoid
+ accidentally cutting off a host with incorrect configuration. For
+ back-compatibility, if the protocol is not specified, it defaults
+ to "tcp". If a CIDR is not specified, it will allow traffic from
+ all addresses. To disable all outbound host ports, use the value
+ none. The default value opens etcd''s standard ports to ensure that
+ Felix does not get cut off from etcd as well as allowing DHCP and
+ DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
+ tcp:6667, udp:53, udp:67]'
items:
- description: ProtoPort is combination of protocol and port, both
- must be specified.
+ description: ProtoPort is combination of protocol, port, and CIDR.
+ Protocol and port must be specified.
properties:
+ net:
+ type: string
port:
type: integer
protocol:
"true" or "false" will force the feature, empty or omitted values
are auto-detected.
type: string
+ floatingIPs:
+ default: Disabled
+ description: FloatingIPs configures whether or not Felix will program
+ floating IP addresses.
+ enum:
+ - Enabled
+ - Disabled
+ type: string
genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards
that don''t support XDP offload or driver modes can use XDP. This
disabled by setting the interval to 0.
type: string
ipipEnabled:
+ description: 'IPIPEnabled overrides whether Felix should configure
+ an IPIP interface on the host. Optional as Felix determines this
+ based on the existing IP pools. [Default: nil (unset)]'
type: boolean
ipipMTU:
description: 'IPIPMTU is the MTU to set on the tunnel device. See
usage. [Default: 10s]'
type: string
ipv6Support:
+ description: IPv6Support controls whether Felix enables support for
+ IPv6 (if supported by the in-use dataplane).
type: boolean
kubeNodePortRanges:
description: 'KubeNodePortRanges holds list of port ranges used for
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
+ logDebugFilenameRegex:
+ description: LogDebugFilenameRegex controls which source code files
+ have their Debug log output included in the logs. Only logs from
+ files with names that match the given regular expression are included. The
+ filter only applies to Debug level logs.
+ type: string
logFilePath:
description: 'LogFilePath is the full path to the Felix log. Set to
none to disable file logging. [Default: /var/log/calico/felix.log]'
to false. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
type: boolean
+ prometheusWireGuardMetricsEnabled:
+ description: 'PrometheusWireGuardMetricsEnabled disables wireguard
+ metrics collection, which the Prometheus client does by default,
+ when set to false. This reduces the number of metrics reported,
+ reducing Prometheus load. [Default: true]'
+ type: boolean
removeExternalRoutes:
description: Whether or not to remove device routes that have not
been programmed by Felix. Disabling this will allow external applications
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
type: string
routeTableRange:
- description: Calico programs additional Linux route tables for various
- purposes. RouteTableRange specifies the indices of the route tables
- that Calico should use.
+ description: Deprecated in favor of RouteTableRanges. Calico programs
+ additional Linux route tables for various purposes. RouteTableRange
+ specifies the indices of the route tables that Calico should use.
properties:
max:
type: integer
- max
- min
type: object
+ routeTableRanges:
+ description: Calico programs additional Linux route tables for various
+ purposes. RouteTableRanges specifies a set of table index ranges
+ that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
+ items:
+ properties:
+ max:
+ type: integer
+ min:
+ type: integer
+ required:
+ - max
+ - min
+ type: object
+ type: array
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
Felix makes reports. [Default: 86400s]'
type: string
useInternalDataplaneDriver:
+ description: UseInternalDataplaneDriver, if true, Felix will use its
+ internal dataplane programming logic. If false, it will launch
+ an external dataplane driver and communicate with it over protobuf.
type: boolean
vxlanEnabled:
+ description: 'VXLANEnabled overrides whether Felix should create the
+ VXLAN tunnel device for VXLAN networking. Optional as Felix determines
+ this based on the existing IP pools. [Default: nil (unset)]'
type: boolean
vxlanMTU:
- description: 'VXLANMTU is the MTU to set on the tunnel device. See
- Configuring MTU [Default: 1440]'
+ description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
+ device. See Configuring MTU [Default: 1410]'
+ type: integer
+ vxlanMTUV6:
+ description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
+ device. See Configuring MTU [Default: 1390]'
type: integer
vxlanPort:
type: integer
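Review bot: The `vxlanMTU` description changes the stated default from `1440` to `1410` (L621-L624) and the new `vxlanMTUV6` states `1390` (L626-L628), but both are description text only — neither field has a `default:` key, so nothing in this hunk changes what Felix applies. If the dataplane default did not move in the same release, `kubectl explain` will now document a value that is never used; worth confirming against the Felix defaults these descriptions are generated from.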
description: 'WireguardEnabled controls whether Wireguard is enabled.
[Default: false]'
type: boolean
+ wireguardHostEncryptionEnabled:
+ description: 'WireguardHostEncryptionEnabled controls whether Wireguard
+ host-to-host encryption is enabled. [Default: false]'
+ type: boolean
wireguardInterfaceName:
description: 'WireguardInterfaceName specifies the name to use for
the Wireguard interface. [Default: wg.calico]'
type: string
+ wireguardKeepAlive:
+ description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
+ option. Set 0 to disable. [Default: 0]'
+ type: string
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
by Wireguard. [Default: 51820]'
description: 'WireguardRoutingRulePriority controls the priority value
to use for the Wireguard routing rule. [Default: 99]'
type: integer
+ workloadSourceSpoofing:
+ description: WorkloadSourceSpoofing controls whether pods can use
+ the allowedSourcePrefixes annotation to send traffic with a source
+ IP address that is not theirs. This is disabled by default. When
+ set to "Any", pods can request any prefix.
+ type: string
xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked
incoming deny rules. [Default: true]'
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
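Review bot: The `services` match added at L692-L711 states in its description that it cannot be combined with `Selector`, `NotSelector`, `NamespaceSelector`, `Nets`, `NotNets` or `ServiceAccounts`, and that `Ports`/`NotPorts` only pair with it on ingress, but an OpenAPI schema cannot express those cross-field constraints, so the API server will accept a rule that sets both. Presumably Calico's own validation rejects such a rule; if it does not, a policy author could believe a rule is scoped by a service when it is matched more widely or more narrowly than intended. This stanza is repeated at L745-L764, L798-L817 and from L851 onward, so the same caveat applies there.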
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
required:
- action
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
required:
- action
resource.
properties:
affinity:
+ description: Affinity of the block, if this block has one. If set,
+ it will be of the form "host:<hostname>". If not set, this block
+ is not affine to a host.
type: string
allocations:
+ description: Array of allocations in-use within this block. nil entries
+ mean the allocation is free. For non-nil entries at index i, the
+ index is the ordinal of the allocation within this block and the
+ value is the index of the associated attributes in the Attributes
+ array.
items:
type: integer
# TODO: This nullable is manually added in. We should update controller-gen
nullable: true
type: array
attributes:
+ description: Attributes is an array of arbitrary metadata associated
+ with allocations in the block. To find attributes for a given allocation,
+ use the value of the allocation's entry in the Allocations array
+ as the index of the element in this array.
items:
properties:
handle_id:
type: object
type: array
cidr:
+ description: The block's CIDR.
type: string
deleted:
+ description: Deleted is an internal boolean used to workaround a limitation
+ in the Kubernetes API whereby deletion will not return a conflict
+ error if the block has been updated. It should not be set manually.
type: boolean
+ sequenceNumber:
+ default: 0
+ description: We store a sequence number that is updated each time
+ the block is written. Each allocation will also store the sequence
+ number of the block at the time of its creation. When releasing
+ an IP, passing the sequence number associated with the allocation
+ allows us to protect against a race condition and ensure the IP
+ hasn't been released and re-allocated since the release request.
+ format: int64
+ type: integer
+ sequenceNumberForAllocation:
+ additionalProperties:
+ format: int64
+ type: integer
+ description: Map of allocated ordinal within the block to sequence
+ number of the block at the time of allocation. Kubernetes does not
+ allow numerical keys for maps, so the key is cast to a string.
+ type: object
strictAffinity:
+ description: StrictAffinity on the IPAMBlock is deprecated and no
+ longer used by the code. Use IPAMConfig StrictAffinity instead.
type: boolean
unallocated:
+ description: Unallocated is an ordered list of allocations which are
+ free in the block.
items:
type: integer
type: array
spec:
description: IPPoolSpec contains the specification for an IPPool resource.
properties:
+ allowedUses:
+ description: AllowedUse controls what the IP pool will be used for. If
+ not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
+ items:
+ type: string
+ type: array
blockSize:
description: The block size to use for IP address assignments from
- this pool. Defaults to 26 for IPv4 and 112 for IPv6.
+ this pool. Defaults to 26 for IPv4 and 122 for IPv6.
type: integer
cidr:
description: The pool CIDR.
type: string
+ disableBGPExport:
+ description: 'Disable exporting routes from this IP Pool''s CIDR over
+ BGP. [Default: false]'
+ type: boolean
disabled:
description: When disabled is true, Calico IPAM will not assign addresses
from this pool.
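Review bot: `allowedUses` (the `+ allowedUses:` block at the top of the IPPoolSpec hunk) is typed as free-form `items: type: string`, so a typo such as `Workloads` passes CRD validation even though the description names exactly two values, `Tunnel` and `Workload`. Because this field decides whether a pool may hand out workload or tunnel addresses, a silently ignored value is a capacity or isolation problem rather than a cosmetic one. Unless Calico accepts other values that are not visible here, constrain it in the schema: `items:` / `enum: [Tunnel, Workload]` / `type: string`.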
conditions: []
storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (devel)
+ creationTimestamp: null
+ name: ipreservations.crd.projectcalico.org
+spec:
+ group: crd.projectcalico.org
+ names:
+ kind: IPReservation
+ listKind: IPReservationList
+ plural: ipreservations
+ singular: ipreservation
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: IPReservationSpec contains the specification for an IPReservation
+ resource.
+ properties:
+ reservedCIDRs:
+ description: ReservedCIDRs is a list of CIDRs and/or IP addresses
+ that Calico IPAM will exclude from new allocations.
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
host endpoints for every node. [Default: Disabled]'
type: string
type: object
+ leakGracePeriod:
+ description: 'LeakGracePeriod is the period used by the controller
+ to determine if an IP address has been leaked. Set to 0
+ to disable IP garbage collection. [Default: 15m]'
+ type: string
reconcilerPeriod:
description: 'ReconcilerPeriod is the period to perform reconciliation
with the Calico datastore. [Default: 5m]'
type: string
type: object
type: object
+ debugProfilePort:
+ description: DebugProfilePort configures the port to serve memory
+ and cpu profiles on. If not specified, profiling is disabled.
+ format: int32
+ type: integer
etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]'
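Review bot: The `debugProfilePort` description (the `+ debugProfilePort:` block above `etcdV3CompactionPeriod`) says only that profiles are served on the port; it should also say that the endpoint is unauthenticated and what it exposes, since a heap profile can contain whatever the controller holds in memory (datastore contents, credentials) and on-demand CPU profiling is a cheap way to load the controller. Whether the listener binds to localhost or to all interfaces is not visible in this diff; if it is all interfaces, the description should say so explicitly so operators do not leave it enabled in production. Suggested wording: `DebugProfilePort configures the port to serve unauthenticated pprof memory and CPU profiles on. Only enable for diagnostics, as profiles may expose in-memory data. If not specified, profiling is disabled.` The same field is added again in the second copy of this schema later in the diff and needs the same wording.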
of host endpoints for every node. [Default: Disabled]'
type: string
type: object
+ leakGracePeriod:
+ description: 'LeakGracePeriod is the period used by the
+ controller to determine if an IP address has been leaked.
+ Set to 0 to disable IP garbage collection. [Default:
+ 15m]'
+ type: string
reconcilerPeriod:
description: 'ReconcilerPeriod is the period to perform
reconciliation with the Calico datastore. [Default:
type: string
type: object
type: object
+ debugProfilePort:
+ description: DebugProfilePort configures the port to serve memory
+ and cpu profiles on. If not specified, profiling is disabled.
+ format: int32
+ type: integer
etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]'
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
required:
- action
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector
- and Selector are defined on the same rule, then only workload
- endpoints that are matched by both selectors will be selected
- by the rule. \n For NetworkPolicy, an empty NamespaceSelector
- implies that the Selector is limited to selecting only
- workload endpoints in the same namespace as the NetworkPolicy.
- \n For NetworkPolicy, `global()` NamespaceSelector implies
- that the Selector is limited to selecting only GlobalNetworkSet
- or HostEndpoint. \n For GlobalNetworkPolicy, an empty
- NamespaceSelector implies the Selector applies to workload
- endpoints across all namespaces."
+ and another selector are defined on the same rule, then
+ only workload endpoints that are matched by both selectors
+ will be selected by the rule. \n For NetworkPolicy, an
+ empty NamespaceSelector implies that the Selector is limited
+ to selecting only workload endpoints in the same namespace
+ as the NetworkPolicy. \n For NetworkPolicy, `global()`
+ NamespaceSelector implies that the Selector is limited
+ to selecting only GlobalNetworkSet or HostEndpoint. \n
+ For GlobalNetworkPolicy, an empty NamespaceSelector implies
+ the Selector applies to workload endpoints across all
+ namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
AND'ed.
type: string
type: object
+ services:
+ description: "Services is an optional field that contains
+ options for matching Kubernetes Services. If specified,
+ only traffic that originates from or terminates at endpoints
+ within the selected service(s) will be matched, and only
+ to/from each endpoint's port. \n Services cannot be specified
+ on the same rule as Selector, NotSelector, NamespaceSelector,
+ Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+ can only be specified with Services on ingress rules."
+ properties:
+ name:
+ description: Name specifies the name of a Kubernetes
+ Service to match.
+ type: string
+ namespace:
+ description: Namespace specifies the namespace of the
+ given Service. If left empty, the rule will match
+ within this policy's namespace.
+ type: string
+ type: object
type: object
required:
- action
- watch
- list
- get
- # Pods are queried to check for existence.
+ # Pods are watched to check for existence as part of IPAM controller.
- apiGroups: [""]
resources:
- pods
verbs:
- get
- # IPAM resources are manipulated when nodes are deleted.
+ - list
+ - watch
+ # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
- apiGroups: ["crd.projectcalico.org"]
resources:
- - ippools
+ - ipreservations
verbs:
- list
- apiGroups: ["crd.projectcalico.org"]
- update
- delete
- watch
+ # Pools are watched to maintain a mapping of blocks to IP pools.
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - ippools
+ verbs:
+ - list
+ - watch
# kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"]
resources:
- clusterinformations
verbs:
- get
+ - list
- create
- update
+ - watch
# KubeControllersConfiguration is where it gets its config
- apiGroups: ["crd.projectcalico.org"]
resources:
- namespaces
verbs:
- get
+ # EndpointSlices are used for Service-based network policy rule
+ # enforcement.
+ - apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs:
+ - watch
+ - list
- apiGroups: [""]
resources:
- endpoints
- globalbgpconfigs
- bgpconfigurations
- ippools
+ - ipreservations
- ipamblocks
- globalnetworkpolicies
- globalnetworksets
- clusterinformations
- hostendpoints
- blockaffinities
+ - caliconodestatuses
verbs:
- get
- list
verbs:
- create
- update
+ # Calico must update some CRDs.
+ - apiGroups: [ "crd.projectcalico.org" ]
+ resources:
+ - caliconodestatuses
+ verbs:
+ - update
# Calico stores some configuration information on the node.
- apiGroups: [""]
resources:
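Review bot: The comment `# Calico must update some CRDs.` on the new `caliconodestatuses` rule does not say why the grant exists, and its scope is worth recording: every calico-node pod runs under the DaemonSet's shared ServiceAccount and Kubernetes RBAC cannot scope a verb to "the requester's own object", so this lets any one node rewrite any other node's CalicoNodeStatus, not just its own. That appears to be an accepted consequence of the design rather than something this manifest can tighten, but saying so in the comment saves a later least-privilege review from looking for a `resourceNames` restriction that a shared ServiceAccount cannot use. Suggested: `# calico-node writes its own CalicoNodeStatus. RBAC cannot scope this to the node's own object, so the grant is cluster-wide.`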
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
- #image: docker.io/calico/cni:v3.18.1
- image: docker.io/calico/cni:release-v3.18
+ image: docker.io/calico/cni:v3.23.1
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
- configMapRef:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
- #image: docker.io/calico/cni:v3.18.1
- image: docker.io/calico/cni:release-v3.18
+ image: docker.io/calico/cni:v3.23.1
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
name: cni-net-dir
securityContext:
privileged: true
- # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
- # to communicate with Felix over the Policy Sync API.
- - name: flexvol-driver
- #image: docker.io/calico/pod2daemon-flexvol:v3.18.1
- image: docker.io/calico/pod2daemon-flexvol:release-v3.18
- volumeMounts:
- - name: flexvol-driver-host
- mountPath: /host/driver
- securityContext:
- privileged: true
containers:
# Runs calico-node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
- image: docker.io/calico/node:release-v3.18
+ image: docker.io/calico/node:v3.23.1
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
+ - name: IP_AUTODETECTION_METHOD
+ value: "can-reach=8.8.8.8"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
- value: "Always"
+ value: "Never"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
+ value: "Always"
+ # Enable or Disable VXLAN on the default IPv6 IP pool.
+ - name: CALICO_IPV6POOL_VXLAN
value: "Never"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
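Review bot: `IP_AUTODETECTION_METHOD: can-reach=8.8.8.8` (the two lines added after `value: "autodetect"`) ties the node's BGP/VXLAN source address to having a route to an external address: on nodes with no default route, behind egress filtering, or in an air-gapped cluster calico-node cannot pick an address and will not become ready, and on multi-homed hosts it selects whichever interface routes to the internet, which is not necessarily the cluster network. Prefer a method that depends only on local state, e.g. `value: "interface=eth.*"` matched to your node NICs, or `value: "kubernetes-internal-ip"` if this Calico version supports it. Two smaller points in the same hunk: the `# Enable IPIP` comment now sits above `value: "Never"` and should read `# IPIP on the default IPv4 pool (disabled; VXLAN is used instead)`, and as far as I know the `CALICO_IPV4POOL_*` values are only consulted when the default pool is first created, so this change will not move an existing cluster from IPIP to VXLAN without editing the IPPool itself.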
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
- # Set Felix logging to "info"
- - name: FELIX_LOGSEVERITYSCREEN
- value: "info"
- name: FELIX_HEALTHENABLED
value: "true"
securityContext:
resources:
requests:
cpu: 250m
+ lifecycle:
+ preStop:
+ exec:
+ command:
+ - /bin/calico-node
+ - -shutdown
livenessProbe:
exec:
command:
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
+ timeoutSeconds: 10
readinessProbe:
exec:
command:
- -felix-ready
- -bird-ready
periodSeconds: 10
+ timeoutSeconds: 10
volumeMounts:
+ # For maintaining CNI plugin API credentials.
+ - mountPath: /host/etc/cni/net.d
+ name: cni-net-dir
+ readOnly: false
- mountPath: /lib/modules
name: lib-modules
readOnly: true
hostPath:
type: DirectoryOrCreate
path: /var/run/nodeagent
- # Used to install Flex Volume Driver
- - name: flexvol-driver-host
- hostPath:
- type: DirectoryOrCreate
- path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
---
apiVersion: v1
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
- #image: docker.io/calico/kube-controllers:v3.18.1
- #image: docker.io/calico/kube-controllers:release-v3.18
- image: docker.io/calico/kube-controllers:v3.18.1-6-g4a6327b94a4a
+ image: docker.io/calico/kube-controllers:v3.23.1
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
value: node
- name: DATASTORE_TYPE
value: kubernetes
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/check-status
+ - -l
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
+ timeoutSeconds: 10
readinessProbe:
exec:
command:
- /usr/bin/check-status
- -r
+ periodSeconds: 10
---
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: calico-kube-controllers