kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add missing pieces from Calico v3.23 manifests

This commit is contained in:
Ciprian Hacman 2022-05-14 09:11:29 +03:00
parent f5afc80a1e
commit 6435c3d69f
2 changed files with 480 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template
View File

@ -113,6 +113,12 @@ spec:
64512]' 64512]'
format: int32 format: int32
type: integer type: integer
bindMode:
description: BindMode indicates whether to listen for BGP connections
on all addresses (None) or only on the node's canonical IP address
Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
for BGP connections on all addresses.
type: string
communities: communities:
description: Communities is a list of BGP community values and their description: Communities is a list of BGP community values and their
arbitrary names for tagging routes. arbitrary names for tagging routes.
@ -143,6 +149,37 @@ spec:
description: 'LogSeverityScreen is the log severity above which logs description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: INFO]' are sent to the stdout. [Default: INFO]'
type: string type: string
nodeMeshMaxRestartTime:
description: Time to allow for software restart for node-to-mesh peerings. When
specified, this is configured as the graceful restart timeout. When
not specified, the BIRD default of 120s is used. This field can
only be set on the default BGPConfiguration instance and requires
that NodeMesh is enabled
type: string
nodeMeshPassword:
description: Optional BGP password for full node-to-mesh peerings.
This field can only be set on the default BGPConfiguration instance
and requires that NodeMesh is enabled
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
nodeToNodeMeshEnabled: nodeToNodeMeshEnabled:
description: 'NodeToNodeMeshEnabled sets whether full node to node description: 'NodeToNodeMeshEnabled sets whether full node to node
BGP mesh is enabled. [Default: true]' BGP mesh is enabled. [Default: true]'
@ -274,6 +311,12 @@ spec:
description: Selector for the nodes that should have this peering. When description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty. this is set, the Node field must be empty.
type: string type: string
numAllowedLocalASNumbers:
description: Maximum number of local AS numbers that are allowed in
the AS path for received routes. This removes BGP loop prevention
and should only be used if absolutely necesssary.
format: int32
type: integer
password: password:
description: Optional BGP password for the peerings generated by this description: Optional BGP password for the peerings generated by this
BGPPeer resource. BGPPeer resource.
@ -800,6 +843,11 @@ spec:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]' [Default: false]'
type: boolean type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled or Strict. [Default: Strict]'
type: string
bpfExtToServiceConnmark: bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local mark that is set on connections from an external client to a local
@ -839,6 +887,51 @@ spec:
logs are emitted to the BPF trace pipe, accessible with the command logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].' `tc exec bpf debug`. [Default: Off].'
type: string type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
map. This map must be large enough to hold an entry for each active
connection. Warning: changing the size of the conntrack map can
cause disruption.'
type: integer
bpfMapSizeIPSets:
description: BPFMapSizeIPSets sets the size for ipsets map. The IP
sets map must be large enough to hold an entry for each endpoint
matched by every selector in the source/destination matches in network
policy. Selectors such as "all()" can result in large numbers of
entries (one entry per endpoint in that case).
type: integer
bpfMapSizeNATAffinity:
type: integer
bpfMapSizeNATBackend:
description: BPFMapSizeNATBackend sets the size for nat back end map.
This is the total number of endpoints. This is mostly more than
the size of the number of services.
type: integer
bpfMapSizeNATFrontend:
description: BPFMapSizeNATFrontend sets the size for nat front end
map. FrontendMap should be large enough to hold an entry for each
nodeport, external IP and each port in each service.
type: integer
bpfMapSizeRoute:
description: BPFMapSizeRoute sets the size for the routes map. The
routes map should be large enough to hold one entry per workload
and a handful of entries per host (enough to cover its own IPs and
tunnel IPs).
type: integer
bpfPSNATPorts:
anyOf:
- type: integer
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (102465535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 3276860999, while others mostly use the IANA
defined range 4915265535. It is not necessarily a problem if this
range overlaps with the operating systems. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
x-kubernetes-int-or-string: true
chainInsertMode: chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the top-level iptables chains by inserting a rule at the top of the
@ -849,6 +942,15 @@ spec:
Calico policy will be bypassed. [Default: insert]' Calico policy will be bypassed. [Default: insert]'
type: string type: string
dataplaneDriver: dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix''s (internal) dataplane driver. Increase this value
if you experience spurious non-ready or non-live events when Felix
is under heavy load. Decrease the value to get felix to report non-live
or non-ready more quickly. [Default: 90s]'
type: string type: string
debugDisableLogDropping: debugDisableLogDropping:
type: boolean type: boolean
@ -877,9 +979,14 @@ spec:
routes, by default this will be RTPROT_BOOT when left blank. routes, by default this will be RTPROT_BOOT when left blank.
type: integer type: integer
deviceRouteSourceAddress: deviceRouteSourceAddress:
description: This is the source address to use on programmed device description: This is the IPv4 source address to use on programmed
routes. By default the source address is left blank, leaving the device routes. By default the source address is left blank, leaving
kernel to choose the source address used. the kernel to choose the source address used.
type: string
deviceRouteSourceAddressIPv6:
description: This is the IPv6 source address to use on programmed
device routes. By default the source address is left blank, leaving
the kernel to choose the source address used.
type: string type: string
disableConntrackInvalidCheck: disableConntrackInvalidCheck:
type: boolean type: boolean
@ -953,6 +1060,14 @@ spec:
"true" or "false" will force the feature, empty or omitted values "true" or "false" will force the feature, empty or omitted values
are auto-detected. are auto-detected.
type: string type: string
floatingIPs:
default: Disabled
description: FloatingIPs configures whether or not Felix will program
floating IP addresses.
enum:
- Enabled
- Disabled
type: string
genericXDPEnabled: genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards description: 'GenericXDPEnabled enables Generic XDP so network cards
that don''t support XDP offload or driver modes can use XDP. This that don''t support XDP offload or driver modes can use XDP. This
@ -990,6 +1105,9 @@ spec:
disabled by setting the interval to 0. disabled by setting the interval to 0.
type: string type: string
ipipEnabled: ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
an IPIP interface on the host. Optional as Felix determines this
based on the existing IP pools. [Default: nil (unset)]'
type: boolean type: boolean
ipipMTU: ipipMTU:
description: 'IPIPMTU is the MTU to set on the tunnel device. See description: 'IPIPMTU is the MTU to set on the tunnel device. See
@ -1056,6 +1174,8 @@ spec:
usage. [Default: 10s]' usage. [Default: 10s]'
type: string type: string
ipv6Support: ipv6Support:
description: IPv6Support controls whether Felix enables support for
IPv6 (if supported by the in-use dataplane).
type: boolean type: boolean
kubeNodePortRanges: kubeNodePortRanges:
description: 'KubeNodePortRanges holds list of port ranges used for description: 'KubeNodePortRanges holds list of port ranges used for
@ -1069,6 +1189,12 @@ spec:
pattern: ^.* pattern: ^.*
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
type: array type: array
logDebugFilenameRegex:
description: LogDebugFilenameRegex controls which source code files
have their Debug log output included in the logs. Only logs from
files with names that match the given regular expression are included. The
filter only applies to Debug level logs.
type: string
logFilePath: logFilePath:
description: 'LogFilePath is the full path to the Felix log. Set to description: 'LogFilePath is the full path to the Felix log. Set to
none to disable file logging. [Default: /var/log/calico/felix.log]' none to disable file logging. [Default: /var/log/calico/felix.log]'
@ -1198,9 +1324,9 @@ spec:
routes. - CalicoIPAM: the default - use IPAM data to construct routes.' routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
type: string type: string
routeTableRange: routeTableRange:
description: Calico programs additional Linux route tables for various description: Deprecated in favor of RouteTableRanges. Calico programs
purposes. RouteTableRange specifies the indices of the route tables additional Linux route tables for various purposes. RouteTableRange
that Calico should use. specifies the indices of the route tables that Calico should use.
properties: properties:
max: max:
type: integer type: integer
@ -1210,6 +1336,21 @@ spec:
- max - max
- min - min
type: object type: object
routeTableRanges:
description: Calico programs additional Linux route tables for various
purposes. RouteTableRanges specifies a set of table index ranges
that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
items:
properties:
max:
type: integer
min:
type: integer
required:
- max
- min
type: object
type: array
serviceLoopPrevention: serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting loops to service IPs that are not in use, by dropping or rejecting
@ -1237,12 +1378,22 @@ spec:
Felix makes reports. [Default: 86400s]' Felix makes reports. [Default: 86400s]'
type: string type: string
useInternalDataplaneDriver: useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, Felix will use its
internal dataplane programming logic. If false, it will launch
an external dataplane driver and communicate with it over protobuf.
type: boolean type: boolean
vxlanEnabled: vxlanEnabled:
description: 'VXLANEnabled overrides whether Felix should create the
VXLAN tunnel device for VXLAN networking. Optional as Felix determines
this based on the existing IP pools. [Default: nil (unset)]'
type: boolean type: boolean
vxlanMTU: vxlanMTU:
description: 'VXLANMTU is the MTU to set on the tunnel device. See description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
Configuring MTU [Default: 1440]' device. See Configuring MTU [Default: 1410]'
type: integer
vxlanMTUV6:
description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
device. See Configuring MTU [Default: 1390]'
type: integer type: integer
vxlanPort: vxlanPort:
type: integer type: integer
@ -1260,6 +1411,10 @@ spec:
description: 'WireguardInterfaceName specifies the name to use for description: 'WireguardInterfaceName specifies the name to use for
the Wireguard interface. [Default: wg.calico]' the Wireguard interface. [Default: wg.calico]'
type: string type: string
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
option. Set 0 to disable. [Default: 0]'
type: string
wireguardListeningPort: wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used description: 'WireguardListeningPort controls the listening port used
by Wireguard. [Default: 51820]' by Wireguard. [Default: 51820]'
@ -1272,6 +1427,12 @@ spec:
description: 'WireguardRoutingRulePriority controls the priority value description: 'WireguardRoutingRulePriority controls the priority value
to use for the Wireguard routing rule. [Default: 99]' to use for the Wireguard routing rule. [Default: 99]'
type: integer type: integer
workloadSourceSpoofing:
description: WorkloadSourceSpoofing controls whether pods can use
the allowedSourcePrefixes annotation to send traffic with a source
IP address that is not theirs. This is disabled by default. When
set to "Any", pods can request any prefix.
type: string
xdpEnabled: xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked description: 'XDPEnabled enables XDP acceleration for suitable untracked
incoming deny rules. [Default: true]' incoming deny rules. [Default: true]'
@ -2344,8 +2505,16 @@ spec:
resource. resource.
properties: properties:
affinity: affinity:
description: Affinity of the block, if this block has one. If set,
it will be of the form "host:<hostname>". If not set, this block
is not affine to a host.
type: string type: string
allocations: allocations:
description: Array of allocations in-use within this block. nil entries
mean the allocation is free. For non-nil entries at index i, the
index is the ordinal of the allocation within this block and the
value is the index of the associated attributes in the Attributes
array.
items: items:
type: integer type: integer
# TODO: This nullable is manually added in. We should update controller-gen # TODO: This nullable is manually added in. We should update controller-gen
@ -2353,6 +2522,10 @@ spec:
nullable: true nullable: true
type: array type: array
attributes: attributes:
description: Attributes is an array of arbitrary metadata associated
with allocations in the block. To find attributes for a given allocation,
use the value of the allocation's entry in the Allocations array
as the index of the element in this array.
items: items:
properties: properties:
handle_id: handle_id:
@ -2364,12 +2537,38 @@ spec:
type: object type: object
type: array type: array
cidr: cidr:
description: The block's CIDR.
type: string type: string
deleted: deleted:
description: Deleted is an internal boolean used to workaround a limitation
in the Kubernetes API whereby deletion will not return a conflict
error if the block has been updated. It should not be set manually.
type: boolean type: boolean
sequenceNumber:
default: 0
description: We store a sequence number that is updated each time
the block is written. Each allocation will also store the sequence
number of the block at the time of its creation. When releasing
an IP, passing the sequence number associated with the allocation
allows us to protect against a race condition and ensure the IP
hasn't been released and re-allocated since the release request.
format: int64
type: integer
sequenceNumberForAllocation:
additionalProperties:
format: int64
type: integer
description: Map of allocated ordinal within the block to sequence
number of the block at the time of allocation. Kubernetes does not
allow numerical keys for maps, so the key is cast to a string.
type: object
strictAffinity: strictAffinity:
description: StrictAffinity on the IPAMBlock is deprecated and no
longer used by the code. Use IPAMConfig StrictAffinity instead.
type: boolean type: boolean
unallocated: unallocated:
description: Unallocated is an ordered list of allocations which are
free in the block.
items: items:
type: integer type: integer
type: array type: array
@ -2543,19 +2742,19 @@ spec:
type: array type: array
blockSize: blockSize:
description: The block size to use for IP address assignments from description: The block size to use for IP address assignments from
this pool. Defaults to 26 for IPv4 and 112 for IPv6. this pool. Defaults to 26 for IPv4 and 122 for IPv6.
type: integer type: integer
cidr: cidr:
description: The pool CIDR. description: The pool CIDR.
type: string type: string
disableBGPExport:
description: 'Disable exporting routes from this IP Pool''s CIDR over
BGP. [Default: false]'
type: boolean
disabled: disabled:
description: When disabled is true, Calico IPAM will not assign addresses description: When disabled is true, Calico IPAM will not assign addresses
from this pool. from this pool.
type: boolean type: boolean
disableBGPExport:
description: 'Disable exporting routes from this IP Pools CIDR over
BGP. [Default: false]'
type: boolean
ipip: ipip:
description: 'Deprecated: this field is only used for APIv1 backwards description: 'Deprecated: this field is only used for APIv1 backwards
compatibility. Setting this field is not allowed, this field is compatibility. Setting this field is not allowed, this field is
@ -2615,6 +2814,9 @@ status:
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: ipreservations.crd.projectcalico.org name: ipreservations.crd.projectcalico.org
spec: spec:
group: crd.projectcalico.org group: crd.projectcalico.org
@ -2764,6 +2966,11 @@ spec:
type: string type: string
type: object type: object
type: object type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod: etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3 description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]' compaction requests. Set to 0 to disable. [Default: 10m]'
@ -2874,6 +3081,11 @@ spec:
type: string type: string
type: object type: object
type: object type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod: etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3 description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]' compaction requests. Set to 0 to disable. [Default: 10m]'
@ -3819,10 +4031,9 @@ rules:
- get - get
- list - list
- watch - watch
# IPAM resources are manipulated when nodes are deleted. # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
- ippools
- ipreservations - ipreservations
verbs: verbs:
- list - list
@ -3838,6 +4049,13 @@ rules:
- update - update
- delete - delete
- watch - watch
# Pools are watched to maintain a mapping of blocks to IP pools.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
verbs:
- list
- watch
# kube-controllers manages hostendpoints. # kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
@ -3854,8 +4072,10 @@ rules:
- clusterinformations - clusterinformations
verbs: verbs:
- get - get
- list
- create - create
- update - update
- watch
# KubeControllersConfiguration is where it gets its config # KubeControllersConfiguration is where it gets its config
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
@ -4097,13 +4317,13 @@ metadata:
labels: labels:
k8s-app: calico-typha k8s-app: calico-typha
spec: spec:
# Number of Typha replicas. To enable Typha, set this to a non-zero value *and* set the # Number of Typha replicas. To enable Typha, set this to a non-zero value *and* set the
# typha_service_name variable in the canal-config ConfigMap above. # typha_service_name variable in the canal-config ConfigMap above.
# #
# We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is essential # We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is essential
# (when using the Kubernetes datastore). Use one replica for every 100-200 nodes. In # (when using the Kubernetes datastore). Use one replica for every 100-200 nodes. In
# production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade. # production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade.
replicas: {{ or .Networking.Canal.TyphaReplicas 0 }} replicas: {{ or .Networking.Canal.TyphaReplicas "0" }}
revisionHistoryLimit: 2 revisionHistoryLimit: 2
selector: selector:
matchLabels: matchLabels:
@ -4172,6 +4392,7 @@ spec:
host: localhost host: localhost
periodSeconds: 30 periodSeconds: 30
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 10
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
@ -4181,6 +4402,7 @@ spec:
port: 9098 port: 9098
host: localhost host: localhost
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 10
--- ---
@ -4284,15 +4506,6 @@ spec:
name: cni-net-dir name: cni-net-dir
securityContext: securityContext:
privileged: true privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: docker.io/calico/pod2daemon-flexvol:v3.23.0
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
securityContext:
privileged: true
containers: containers:
# Runs canal container on each Kubernetes node. This # Runs canal container on each Kubernetes node. This
# container programs network policy and routes on each # container programs network policy and routes on each
@ -4515,11 +4728,6 @@ spec:
hostPath: hostPath:
type: DirectoryOrCreate type: DirectoryOrCreate
path: /var/run/nodeagent path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: "{{- or .Kubelet.VolumePluginDirectory "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" }}nodeagent~uds"
--- ---
apiVersion: v1 apiVersion: v1
@ -4618,7 +4826,7 @@ metadata:
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1beta1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: calico-kube-controllers name: calico-kube-controllers

268
upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
View File

@ -122,6 +122,12 @@ spec:
64512]' 64512]'
format: int32 format: int32
type: integer type: integer
bindMode:
description: BindMode indicates whether to listen for BGP connections
on all addresses (None) or only on the node's canonical IP address
Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
for BGP connections on all addresses.
type: string
communities: communities:
description: Communities is a list of BGP community values and their description: Communities is a list of BGP community values and their
arbitrary names for tagging routes. arbitrary names for tagging routes.
@ -152,6 +158,37 @@ spec:
description: 'LogSeverityScreen is the log severity above which logs description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: INFO]' are sent to the stdout. [Default: INFO]'
type: string type: string
nodeMeshMaxRestartTime:
description: Time to allow for software restart for node-to-mesh peerings. When
specified, this is configured as the graceful restart timeout. When
not specified, the BIRD default of 120s is used. This field can
only be set on the default BGPConfiguration instance and requires
that NodeMesh is enabled
type: string
nodeMeshPassword:
description: Optional BGP password for full node-to-mesh peerings.
This field can only be set on the default BGPConfiguration instance
and requires that NodeMesh is enabled
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
nodeToNodeMeshEnabled: nodeToNodeMeshEnabled:
description: 'NodeToNodeMeshEnabled sets whether full node to node description: 'NodeToNodeMeshEnabled sets whether full node to node
BGP mesh is enabled. [Default: true]' BGP mesh is enabled. [Default: true]'
@ -283,6 +320,12 @@ spec:
description: Selector for the nodes that should have this peering. When description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty. this is set, the Node field must be empty.
type: string type: string
numAllowedLocalASNumbers:
description: Maximum number of local AS numbers that are allowed in
the AS path for received routes. This removes BGP loop prevention
and should only be used if absolutely necesssary.
format: int32
type: integer
password: password:
description: Optional BGP password for the peerings generated by this description: Optional BGP password for the peerings generated by this
BGPPeer resource. BGPPeer resource.
@ -809,6 +852,11 @@ spec:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]' [Default: false]'
type: boolean type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled or Strict. [Default: Strict]'
type: string
bpfExtToServiceConnmark: bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local mark that is set on connections from an external client to a local
@ -848,6 +896,51 @@ spec:
logs are emitted to the BPF trace pipe, accessible with the command logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].' `tc exec bpf debug`. [Default: Off].'
type: string type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
map. This map must be large enough to hold an entry for each active
connection. Warning: changing the size of the conntrack map can
cause disruption.'
type: integer
bpfMapSizeIPSets:
description: BPFMapSizeIPSets sets the size for ipsets map. The IP
sets map must be large enough to hold an entry for each endpoint
matched by every selector in the source/destination matches in network
policy. Selectors such as "all()" can result in large numbers of
entries (one entry per endpoint in that case).
type: integer
bpfMapSizeNATAffinity:
type: integer
bpfMapSizeNATBackend:
description: BPFMapSizeNATBackend sets the size for nat back end map.
This is the total number of endpoints. This is mostly more than
the size of the number of services.
type: integer
bpfMapSizeNATFrontend:
description: BPFMapSizeNATFrontend sets the size for nat front end
map. FrontendMap should be large enough to hold an entry for each
nodeport, external IP and each port in each service.
type: integer
bpfMapSizeRoute:
description: BPFMapSizeRoute sets the size for the routes map. The
routes map should be large enough to hold one entry per workload
and a handful of entries per host (enough to cover its own IPs and
tunnel IPs).
type: integer
bpfPSNATPorts:
anyOf:
- type: integer
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (102465535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 3276860999, while others mostly use the IANA
defined range 4915265535. It is not necessarily a problem if this
range overlaps with the operating systems. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
x-kubernetes-int-or-string: true
chainInsertMode: chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the top-level iptables chains by inserting a rule at the top of the
@ -858,6 +951,15 @@ spec:
Calico policy will be bypassed. [Default: insert]' Calico policy will be bypassed. [Default: insert]'
type: string type: string
dataplaneDriver: dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix''s (internal) dataplane driver. Increase this value
if you experience spurious non-ready or non-live events when Felix
is under heavy load. Decrease the value to get felix to report non-live
or non-ready more quickly. [Default: 90s]'
type: string type: string
debugDisableLogDropping: debugDisableLogDropping:
type: boolean type: boolean
@ -886,9 +988,14 @@ spec:
routes, by default this will be RTPROT_BOOT when left blank. routes, by default this will be RTPROT_BOOT when left blank.
type: integer type: integer
deviceRouteSourceAddress: deviceRouteSourceAddress:
description: This is the source address to use on programmed device description: This is the IPv4 source address to use on programmed
routes. By default the source address is left blank, leaving the device routes. By default the source address is left blank, leaving
kernel to choose the source address used. the kernel to choose the source address used.
type: string
deviceRouteSourceAddressIPv6:
description: This is the IPv6 source address to use on programmed
device routes. By default the source address is left blank, leaving
the kernel to choose the source address used.
type: string type: string
disableConntrackInvalidCheck: disableConntrackInvalidCheck:
type: boolean type: boolean
@ -962,6 +1069,14 @@ spec:
"true" or "false" will force the feature, empty or omitted values "true" or "false" will force the feature, empty or omitted values
are auto-detected. are auto-detected.
type: string type: string
floatingIPs:
default: Disabled
description: FloatingIPs configures whether or not Felix will program
floating IP addresses.
enum:
- Enabled
- Disabled
type: string
genericXDPEnabled: genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards description: 'GenericXDPEnabled enables Generic XDP so network cards
that don''t support XDP offload or driver modes can use XDP. This that don''t support XDP offload or driver modes can use XDP. This
@ -999,6 +1114,9 @@ spec:
disabled by setting the interval to 0. disabled by setting the interval to 0.
type: string type: string
ipipEnabled: ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
an IPIP interface on the host. Optional as Felix determines this
based on the existing IP pools. [Default: nil (unset)]'
type: boolean type: boolean
ipipMTU: ipipMTU:
description: 'IPIPMTU is the MTU to set on the tunnel device. See description: 'IPIPMTU is the MTU to set on the tunnel device. See
@ -1065,6 +1183,8 @@ spec:
usage. [Default: 10s]' usage. [Default: 10s]'
type: string type: string
ipv6Support: ipv6Support:
description: IPv6Support controls whether Felix enables support for
IPv6 (if supported by the in-use dataplane).
type: boolean type: boolean
kubeNodePortRanges: kubeNodePortRanges:
description: 'KubeNodePortRanges holds list of port ranges used for description: 'KubeNodePortRanges holds list of port ranges used for
@ -1078,6 +1198,12 @@ spec:
pattern: ^.* pattern: ^.*
x-kubernetes-int-or-string: true x-kubernetes-int-or-string: true
type: array type: array
logDebugFilenameRegex:
description: LogDebugFilenameRegex controls which source code files
have their Debug log output included in the logs. Only logs from
files with names that match the given regular expression are included. The
filter only applies to Debug level logs.
type: string
logFilePath: logFilePath:
description: 'LogFilePath is the full path to the Felix log. Set to description: 'LogFilePath is the full path to the Felix log. Set to
none to disable file logging. [Default: /var/log/calico/felix.log]' none to disable file logging. [Default: /var/log/calico/felix.log]'
@ -1207,9 +1333,9 @@ spec:
routes. - CalicoIPAM: the default - use IPAM data to construct routes.' routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
type: string type: string
routeTableRange: routeTableRange:
description: Calico programs additional Linux route tables for various description: Deprecated in favor of RouteTableRanges. Calico programs
purposes. RouteTableRange specifies the indices of the route tables additional Linux route tables for various purposes. RouteTableRange
that Calico should use. specifies the indices of the route tables that Calico should use.
properties: properties:
max: max:
type: integer type: integer
@ -1219,6 +1345,21 @@ spec:
- max - max
- min - min
type: object type: object
routeTableRanges:
description: Calico programs additional Linux route tables for various
purposes. RouteTableRanges specifies a set of table index ranges
that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
items:
properties:
max:
type: integer
min:
type: integer
required:
- max
- min
type: object
type: array
serviceLoopPrevention: serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting loops to service IPs that are not in use, by dropping or rejecting
@ -1246,12 +1387,22 @@ spec:
Felix makes reports. [Default: 86400s]' Felix makes reports. [Default: 86400s]'
type: string type: string
useInternalDataplaneDriver: useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, Felix will use its
internal dataplane programming logic. If false, it will launch
an external dataplane driver and communicate with it over protobuf.
type: boolean type: boolean
vxlanEnabled: vxlanEnabled:
description: 'VXLANEnabled overrides whether Felix should create the
VXLAN tunnel device for VXLAN networking. Optional as Felix determines
this based on the existing IP pools. [Default: nil (unset)]'
type: boolean type: boolean
vxlanMTU: vxlanMTU:
description: 'VXLANMTU is the MTU to set on the tunnel device. See description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
Configuring MTU [Default: 1440]' device. See Configuring MTU [Default: 1410]'
type: integer
vxlanMTUV6:
description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
device. See Configuring MTU [Default: 1390]'
type: integer type: integer
vxlanPort: vxlanPort:
type: integer type: integer
@ -1269,6 +1420,10 @@ spec:
description: 'WireguardInterfaceName specifies the name to use for description: 'WireguardInterfaceName specifies the name to use for
the Wireguard interface. [Default: wg.calico]' the Wireguard interface. [Default: wg.calico]'
type: string type: string
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
option. Set 0 to disable. [Default: 0]'
type: string
wireguardListeningPort: wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used description: 'WireguardListeningPort controls the listening port used
by Wireguard. [Default: 51820]' by Wireguard. [Default: 51820]'
@ -1281,6 +1436,12 @@ spec:
description: 'WireguardRoutingRulePriority controls the priority value description: 'WireguardRoutingRulePriority controls the priority value
to use for the Wireguard routing rule. [Default: 99]' to use for the Wireguard routing rule. [Default: 99]'
type: integer type: integer
workloadSourceSpoofing:
description: WorkloadSourceSpoofing controls whether pods can use
the allowedSourcePrefixes annotation to send traffic with a source
IP address that is not theirs. This is disabled by default. When
set to "Any", pods can request any prefix.
type: string
xdpEnabled: xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked description: 'XDPEnabled enables XDP acceleration for suitable untracked
incoming deny rules. [Default: true]' incoming deny rules. [Default: true]'
@ -2353,8 +2514,16 @@ spec:
resource. resource.
properties: properties:
affinity: affinity:
description: Affinity of the block, if this block has one. If set,
it will be of the form "host:<hostname>". If not set, this block
is not affine to a host.
type: string type: string
allocations: allocations:
description: Array of allocations in-use within this block. nil entries
mean the allocation is free. For non-nil entries at index i, the
index is the ordinal of the allocation within this block and the
value is the index of the associated attributes in the Attributes
array.
items: items:
type: integer type: integer
# TODO: This nullable is manually added in. We should update controller-gen # TODO: This nullable is manually added in. We should update controller-gen
@ -2362,6 +2531,10 @@ spec:
nullable: true nullable: true
type: array type: array
attributes: attributes:
description: Attributes is an array of arbitrary metadata associated
with allocations in the block. To find attributes for a given allocation,
use the value of the allocation's entry in the Allocations array
as the index of the element in this array.
items: items:
properties: properties:
handle_id: handle_id:
@ -2373,12 +2546,38 @@ spec:
type: object type: object
type: array type: array
cidr: cidr:
description: The block's CIDR.
type: string type: string
deleted: deleted:
description: Deleted is an internal boolean used to workaround a limitation
in the Kubernetes API whereby deletion will not return a conflict
error if the block has been updated. It should not be set manually.
type: boolean type: boolean
sequenceNumber:
default: 0
description: We store a sequence number that is updated each time
the block is written. Each allocation will also store the sequence
number of the block at the time of its creation. When releasing
an IP, passing the sequence number associated with the allocation
allows us to protect against a race condition and ensure the IP
hasn't been released and re-allocated since the release request.
format: int64
type: integer
sequenceNumberForAllocation:
additionalProperties:
format: int64
type: integer
description: Map of allocated ordinal within the block to sequence
number of the block at the time of allocation. Kubernetes does not
allow numerical keys for maps, so the key is cast to a string.
type: object
strictAffinity: strictAffinity:
description: StrictAffinity on the IPAMBlock is deprecated and no
longer used by the code. Use IPAMConfig StrictAffinity instead.
type: boolean type: boolean
unallocated: unallocated:
description: Unallocated is an ordered list of allocations which are
free in the block.
items: items:
type: integer type: integer
type: array type: array
@ -2552,19 +2751,19 @@ spec:
type: array type: array
blockSize: blockSize:
description: The block size to use for IP address assignments from description: The block size to use for IP address assignments from
this pool. Defaults to 26 for IPv4 and 112 for IPv6. this pool. Defaults to 26 for IPv4 and 122 for IPv6.
type: integer type: integer
cidr: cidr:
description: The pool CIDR. description: The pool CIDR.
type: string type: string
disableBGPExport:
description: 'Disable exporting routes from this IP Pool''s CIDR over
BGP. [Default: false]'
type: boolean
disabled: disabled:
description: When disabled is true, Calico IPAM will not assign addresses description: When disabled is true, Calico IPAM will not assign addresses
from this pool. from this pool.
type: boolean type: boolean
disableBGPExport:
description: 'Disable exporting routes from this IP Pools CIDR over
BGP. [Default: false]'
type: boolean
ipip: ipip:
description: 'Deprecated: this field is only used for APIv1 backwards description: 'Deprecated: this field is only used for APIv1 backwards
compatibility. Setting this field is not allowed, this field is compatibility. Setting this field is not allowed, this field is
@ -2624,6 +2823,9 @@ status:
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: ipreservations.crd.projectcalico.org name: ipreservations.crd.projectcalico.org
spec: spec:
group: crd.projectcalico.org group: crd.projectcalico.org
@ -2773,6 +2975,11 @@ spec:
type: string type: string
type: object type: object
type: object type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod: etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3 description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]' compaction requests. Set to 0 to disable. [Default: 10m]'
@ -2883,6 +3090,11 @@ spec:
type: string type: string
type: object type: object
type: object type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod: etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3 description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]' compaction requests. Set to 0 to disable. [Default: 10m]'
@ -3828,10 +4040,9 @@ rules:
- get - get
- list - list
- watch - watch
# IPAM resources are manipulated when nodes are deleted. # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
- ippools
- ipreservations - ipreservations
verbs: verbs:
- list - list
@ -3847,6 +4058,13 @@ rules:
- update - update
- delete - delete
- watch - watch
# Pools are watched to maintain a mapping of blocks to IP pools.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
verbs:
- list
- watch
# kube-controllers manages hostendpoints. # kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
@ -3863,8 +4081,10 @@ rules:
- clusterinformations - clusterinformations
verbs: verbs:
- get - get
- list
- create - create
- update - update
- watch
# KubeControllersConfiguration is where it gets its config # KubeControllersConfiguration is where it gets its config
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
@ -4199,7 +4419,7 @@ spec:
# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1beta1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: calico-typha name: calico-typha
@ -4325,15 +4545,6 @@ spec:
name: cni-net-dir name: cni-net-dir
securityContext: securityContext:
privileged: true privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/pod2daemon-flexvol:{{ or .Networking.Calico.Version "v3.23.0" }}
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
securityContext:
privileged: true
containers: containers:
# Runs calico-node container on each Kubernetes node. This # Runs calico-node container on each Kubernetes node. This
# container programs network policy and routes on each # container programs network policy and routes on each
@ -4605,11 +4816,6 @@ spec:
hostPath: hostPath:
type: DirectoryOrCreate type: DirectoryOrCreate
path: /var/run/nodeagent path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: "{{- or .Kubelet.VolumePluginDirectory "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" }}nodeagent~uds"
--- ---
apiVersion: v1 apiVersion: v1
@ -4692,7 +4898,7 @@ metadata:
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1beta1 apiVersion: policy/v1
kind: PodDisruptionBudget kind: PodDisruptionBudget
metadata: metadata:
name: calico-kube-controllers name: calico-kube-controllers