---
+# Source: calico/templates/calico-kube-controllers.yaml
+# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
+
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: calico-kube-controllers
+ namespace: kube-system
+ labels:
+ k8s-app: calico-kube-controllers
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ k8s-app: calico-kube-controllers
+---
+# Source: calico/templates/calico-kube-controllers.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-kube-controllers
+ namespace: kube-system
+---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-node
+ namespace: kube-system
+---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
}
]
}
-
---
# Source: calico/templates/kdd-crds.yaml
-
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: BGPConfigurationList
plural: bgpconfigurations
singular: bgpconfiguration
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: BGPPeerList
plural: bgppeers
singular: bgppeer
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: BlockAffinityList
plural: blockaffinities
singular: blockaffinity
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: CalicoNodeStatusList
plural: caliconodestatuses
singular: caliconodestatus
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: ClusterInformationList
plural: clusterinformations
singular: clusterinformation
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: FelixConfigurationList
plural: felixconfigurations
singular: felixconfiguration
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local
service. This mark allows us to control how packets of that connection
- are routed within the host and how is routing intepreted by RPF
+ are routed within the host and how is routing interpreted by RPF
check. [Default: 0]'
type: integer
bpfExternalServiceMode:
node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]'
type: string
+ bpfHostConntrackBypass:
+ description: 'BPFHostConntrackBypass Controls whether to bypass Linux
+ conntrack in BPF mode for workloads and services. [Default: true
+ - bypass Linux conntrack]'
+ type: boolean
bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
policy. Selectors such as "all()" can result in large numbers of
entries (one entry per endpoint in that case).
type: integer
+ bpfMapSizeIfState:
+ description: BPFMapSizeIfState sets the size for ifstate map. The
+ ifstate map must be large enough to hold an entry for each device
+ (host + workloads) on a host.
+ type: integer
bpfMapSizeNATAffinity:
type: integer
bpfMapSizeNATBackend:
are inclusive. [Default: 20000:29999]'
pattern: ^.*
x-kubernetes-int-or-string: true
+ bpfPolicyDebugEnabled:
+ description: BPFPolicyDebugEnabled when true, Felix records detailed
+ information about the BPF policy programs, which can be examined
+ with the calico-bpf command-line tool.
+ type: boolean
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
are auto-detected.
type: string
floatingIPs:
- default: Disabled
description: FloatingIPs configures whether or not Felix will program
floating IP addresses.
enum:
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
type: string
+ routeSyncDisabled:
+ description: RouteSyncDisabled will disable all operations performed
+ on the route table. Set to true to run in network-policy mode only.
+ type: boolean
routeTableRange:
description: Deprecated in favor of RouteTableRanges. Calico programs
additional Linux route tables for various purposes. RouteTableRange
type: boolean
vxlanEnabled:
description: 'VXLANEnabled overrides whether Felix should create the
- VXLAN tunnel device for VXLAN networking. Optional as Felix determines
- this based on the existing IP pools. [Default: nil (unset)]'
+ VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
+ determines this based on the existing IP pools. [Default: nil (unset)]'
type: boolean
vxlanMTU:
description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
vxlanVNI:
type: integer
wireguardEnabled:
- description: 'WireguardEnabled controls whether Wireguard is enabled.
+ description: 'WireguardEnabled controls whether Wireguard is enabled
+ for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
+ [Default: false]'
+ type: boolean
+ wireguardEnabledV6:
+ description: 'WireguardEnabledV6 controls whether Wireguard is enabled
+ for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
[Default: false]'
type: boolean
wireguardHostEncryptionEnabled:
type: boolean
wireguardInterfaceName:
description: 'WireguardInterfaceName specifies the name to use for
- the Wireguard interface. [Default: wg.calico]'
+ the IPv4 Wireguard interface. [Default: wireguard.cali]'
+ type: string
+ wireguardInterfaceNameV6:
+ description: 'WireguardInterfaceNameV6 specifies the name to use for
+ the IPv6 Wireguard interface. [Default: wg-v6.cali]'
type: string
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
type: string
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
- by Wireguard. [Default: 51820]'
+ by IPv4 Wireguard. [Default: 51820]'
+ type: integer
+ wireguardListeningPortV6:
+ description: 'WireguardListeningPortV6 controls the listening port
+ used by IPv6 Wireguard. [Default: 51821]'
type: integer
wireguardMTU:
- description: 'WireguardMTU controls the MTU on the Wireguard interface.
- See Configuring MTU [Default: 1420]'
+ description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
+ interface. See Configuring MTU [Default: 1440]'
+ type: integer
+ wireguardMTUV6:
+ description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
+ interface. See Configuring MTU [Default: 1420]'
type: integer
wireguardRoutingRulePriority:
description: 'WireguardRoutingRulePriority controls the priority value
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: GlobalNetworkPolicyList
plural: globalnetworkpolicies
singular: globalnetworkpolicy
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: GlobalNetworkSetList
plural: globalnetworksets
singular: globalnetworkset
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: HostEndpointList
plural: hostendpoints
singular: hostendpoint
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: IPAMBlockList
plural: ipamblocks
singular: ipamblock
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: IPAMConfigList
plural: ipamconfigs
singular: ipamconfig
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
maxBlocksPerHost:
description: MaxBlocksPerHost, if non-zero, is the max number of blocks
that can be affine to each host.
+ maximum: 2147483647
+ minimum: 0
type: integer
strictAffinity:
type: boolean
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: IPAMHandleList
plural: ipamhandles
singular: ipamhandle
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: IPPoolList
plural: ippools
singular: ippool
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
for internal use only.'
type: boolean
natOutgoing:
- description: When nat-outgoing is true, packets sent from Calico networked
+ description: When natOutgoing is true, packets sent from Calico networked
containers in this pool to destinations outside of this pool will
be masqueraded.
type: boolean
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: IPReservationList
plural: ipreservations
singular: ipreservation
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: KubeControllersConfigurationList
plural: kubecontrollersconfigurations
singular: kubecontrollersconfiguration
+ preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: NetworkPolicyList
plural: networkpolicies
singular: networkpolicy
+ preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
---
+# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
listKind: NetworkSetList
plural: networksets
singular: networkset
+ preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1
plural: ""
conditions: []
storedVersions: []
-
----
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml
-
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
kind: ClusterRole
- update
# watch for changes
- watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: calico-kube-controllers
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-kube-controllers
-subjects:
-- kind: ServiceAccount
- name: calico-kube-controllers
- namespace: kube-system
----
-
---
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
metadata:
name: calico-node
rules:
+ # Used for creating service account tokens to be used by the CNI plugin
+ - apiGroups: [""]
+ resources:
+ - serviceaccounts/token
+ resourceNames:
+ - calico-node
+ verbs:
+ - create
# The CNI plugin needs to get pods, nodes, and namespaces.
- apiGroups: [""]
resources:
- create
- update
- delete
+ # The CNI plugin and calico/node need to be able to create a default
+ # IPAMConfiguration
- apiGroups: ["crd.projectcalico.org"]
resources:
- ipamconfigs
verbs:
- get
+ - create
# Block affinities must also be watchable by confd for route aggregation.
- apiGroups: ["crd.projectcalico.org"]
resources:
- daemonsets
verbs:
- get
-
---
+# Source: calico/templates/calico-kube-controllers-rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-kube-controllers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+ name: calico-kube-controllers
+ namespace: kube-system
+---
+# Source: calico/templates/calico-node-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
-
---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
- image: docker.io/calico/cni:v3.23.1
+ image: docker.io/calico/cni:v3.24.3
+ imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
- configMapRef:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
- image: docker.io/calico/cni:v3.23.1
+ image: docker.io/calico/cni:v3.24.3
+ imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
name: cni-net-dir
securityContext:
privileged: true
+ # This init container mounts the necessary filesystems needed by the BPF data plane
+ # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
+ # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
+ - name: "mount-bpffs"
+ image: docker.io/calico/node:v3.24.3
+ imagePullPolicy: IfNotPresent
+ command: ["calico-node", "-init", "-best-effort"]
+ volumeMounts:
+ - mountPath: /sys/fs
+ name: sys-fs
+ # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
+ # so that it outlives the init container.
+ mountPropagation: Bidirectional
+ - mountPath: /var/run/calico
+ name: var-run-calico
+ # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
+ # so that it outlives the init container.
+ mountPropagation: Bidirectional
+ # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
+ # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
+ - mountPath: /nodeproc
+ name: nodeproc
+ readOnly: true
+ securityContext:
+ privileged: true
containers:
# Runs calico-node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
- image: docker.io/calico/node:v3.23.1
+ image: docker.io/calico/node:v3.24.3
+ imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
- - name: CALICO_IPV4POOL_CIDR
- value: "192.168.0.0/16"
+ # - name: CALICO_IPV4POOL_CIDR
+ # value: "192.168.0.0/16"
# Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING
value: "true"
mountPath: /var/run/nodeagent
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory.
- - name: sysfs
- mountPath: /sys/fs/
- # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
- # If the host is known to mount that filesystem already then Bidirectional can be omitted.
- mountPropagation: Bidirectional
+ - name: bpffs
+ mountPath: /sys/fs/bpf
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- - name: sysfs
+ - name: sys-fs
hostPath:
path: /sys/fs/
type: DirectoryOrCreate
+ - name: bpffs
+ hostPath:
+ path: /sys/fs/bpf
+ type: Directory
+ # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
+ - name: nodeproc
+ hostPath:
+ path: /proc
# Used to install CNI.
- name: cni-bin-dir
hostPath:
type: DirectoryOrCreate
path: /var/run/nodeagent
---
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: calico-node
- namespace: kube-system
-
----
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
serviceAccountName: calico-kube-controllers
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
- image: docker.io/calico/kube-controllers:v3.23.1
+ image: docker.io/calico/kube-controllers:v3.24.3
+ imagePullPolicy: IfNotPresent
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
- /usr/bin/check-status
- -r
periodSeconds: 10
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: calico-kube-controllers
- namespace: kube-system
-
----
-
-# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
-
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: calico-kube-controllers
- namespace: kube-system
- labels:
- k8s-app: calico-kube-controllers
-spec:
- maxUnavailable: 1
- selector:
- matchLabels:
- k8s-app: calico-kube-controllers
-
----
-# Source: calico/templates/calico-etcd-secrets.yaml
-
----
-# Source: calico/templates/calico-typha.yaml
-
----
-# Source: calico/templates/configure-canal.yaml
-
-
Code Review / iec.git / commitdiff