diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index 7900bc681e..9ed95dab37 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -2116,6 +2116,9 @@ spec: calico: description: CalicoNetworkingSpec declares that we want Calico networking properties: + chainInsertMode: + description: 'ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom. Leaving the default option is safest to prevent accidentally breaking connectivity. Default: ''insert'' (other options: ''append'')' + type: string cpuRequest: anyOf: - type: integer diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index e6bb13dbab..638ca02136 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -100,6 +100,10 @@ type FlannelNetworkingSpec struct { // CalicoNetworkingSpec declares that we want Calico networking type CalicoNetworkingSpec struct { + // ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or + // appends to the bottom. Leaving the default option is safest to prevent accidentally + // breaking connectivity. Default: 'insert' (other options: 'append') + ChainInsertMode string `json:"chainInsertMode,omitempty"` // CPURequest CPU request of Calico container. Default: 100m CPURequest *resource.Quantity `json:"cpuRequest,omitempty"` // CrossSubnet enables Calico's cross-subnet mode when set to true diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index 76bce30639..a868f1f584 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go @@ -100,6 +100,10 @@ type FlannelNetworkingSpec struct { // CalicoNetworkingSpec declares that we want Calico networking type CalicoNetworkingSpec struct { + // ChainInsertMode controls whether Felix inserts rules to the top of iptables chains, or + // appends to the bottom. Leaving the default option is safest to prevent accidentally + // breaking connectivity. Default: 'insert' (other options: 'append') + ChainInsertMode string `json:"chainInsertMode,omitempty"` // CPURequest CPU request of Calico container. Default: 100m CPURequest *resource.Quantity `json:"cpuRequest,omitempty"` // CrossSubnet enables Calico's cross-subnet mode when set to true diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 88d277492d..1ab4b3dae4 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -1305,6 +1305,7 @@ func Convert_kops_CNINetworkingSpec_To_v1alpha2_CNINetworkingSpec(in *kops.CNINe } func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *CalicoNetworkingSpec, out *kops.CalicoNetworkingSpec, s conversion.Scope) error { + out.ChainInsertMode = in.ChainInsertMode out.CPURequest = in.CPURequest out.CrossSubnet = in.CrossSubnet out.LogSeverityScreen = in.LogSeverityScreen @@ -1330,6 +1331,7 @@ func Convert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *Cali } func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops.CalicoNetworkingSpec, out *CalicoNetworkingSpec, s conversion.Scope) error { + out.ChainInsertMode = in.ChainInsertMode out.CPURequest = in.CPURequest out.CrossSubnet = in.CrossSubnet out.LogSeverityScreen = in.LogSeverityScreen diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index f0d9d7b007..20ce13adad 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go @@ -957,6 +957,11 @@ func validateNetworkingCalico(v *kops.CalicoNetworkingSpec, e kops.EtcdClusterSp } } + if v.ChainInsertMode != "" { + valid := []string{"insert", "append"} + allErrs = append(allErrs, IsValidValue(fldPath.Child("chainInsertMode"), &v.ChainInsertMode, valid)...) + } + if v.IptablesBackend != "" { valid := []string{"Auto", "Legacy", "NFT"} allErrs = append(allErrs, IsValidValue(fldPath.Child("iptablesBackend"), &v.IptablesBackend, valid)...) diff --git a/upup/models/bindata.go b/upup/models/bindata.go index ad7599fcc2..3113db4ee5 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -12837,6 +12837,9 @@ spec: value: "true" # kops additions + # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom + - name: FELIX_CHAININSERTMODE + value: "{{- or .Networking.Calico.ChainInsertMode "insert" }}" # Set Felix iptables binary variant, Legacy or NFT - name: FELIX_IPTABLESBACKEND value: "{{- or .Networking.Calico.IptablesBackend "Auto" }}" diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index 1906034533..4890c679a5 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -3875,6 +3875,9 @@ spec: value: "true" # kops additions + # Controls whether Felix inserts rules to the top of iptables chains, or appends to the bottom + - name: FELIX_CHAININSERTMODE + value: "{{- or .Networking.Calico.ChainInsertMode "insert" }}" # Set Felix iptables binary variant, Legacy or NFT - name: FELIX_IPTABLESBACKEND value: "{{- or .Networking.Calico.IptablesBackend "Auto" }}" diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index b1e29c0224..a35973d81a 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go @@ -815,7 +815,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann "k8s-1.7": "2.6.12-kops.1", "k8s-1.7-v3": "3.8.0-kops.2", "k8s-1.12": "3.9.6-kops.1", - "k8s-1.16": "3.16.1-kops.1", + "k8s-1.16": "3.16.1-kops.2", } {