diff --git a/upup/models/bindata.go b/upup/models/bindata.go index f65d3e70c7..19c7dc415a 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -35469,7 +35469,7 @@ func cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s112YamlTemplate() (*asse return a, nil } -var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml +var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.18/manifests/calico-typha.yaml {{- if .Networking.Calico.BPFEnabled }} --- @@ -35549,8 +35549,6 @@ data: --- # Source: calico/templates/kdd-crds.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -35672,6 +35670,18 @@ spec: type: string type: object type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array type: object type: object served: true @@ -35683,8 +35693,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -35725,7 +35733,6 @@ spec: format: int32 type: integer keepOriginalNextHop: - default: false description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) 
@@ -35779,6 +35786,12 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string type: object type: object served: true @@ -35790,8 +35803,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -35855,8 +35866,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -35923,8 +35932,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -36063,11 +36070,11 @@ spec: traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic + iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' 
@@ -36101,7 +36108,7 @@ spec: accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. + to "tcp". To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' items: @@ -36124,7 +36131,7 @@ spec: to avoid accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. + to "tcp". To disable all outbound host ports, use the value none. The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, @@ -36479,8 +36486,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -36534,7 +36539,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -36617,9 +36622,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -36822,9 +36827,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -36865,7 +36870,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -36948,9 +36953,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -37153,9 +37158,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -37254,8 +37259,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37311,8 +37314,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -37374,7 +37375,7 @@ spec: is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint + as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation @@ -37423,8 +37424,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37508,8 +37507,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37568,8 +37565,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37628,8 +37623,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37731,8 +37724,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -37844,6 +37835,10 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer required: - controllers type: object 
@@ -37944,6 +37939,11 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer required: - controllers type: object @@ -37958,8 +37958,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -38002,7 +38000,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -38085,9 +38083,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -38290,9 +38288,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -38333,7 +38331,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -38416,9 +38414,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -38621,9 +38619,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -38714,8 +38712,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -38813,6 +38809,7 @@ rules: - create - update - delete + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: @@ -39096,7 +39093,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.17.2" }} + - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.18.0" }} name: calico-typha ports: - containerPort: 5473 @@ -39218,7 +39215,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.18.0" }} command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: 
@@ -39245,7 +39242,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.18.0" }} command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -39286,7 +39283,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/pod2daemon-flexvol:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/pod2daemon-flexvol:{{ or .Networking.Calico.Version "v3.18.0" }} volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -39297,7 +39294,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.18.0" }} envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. @@ -39571,7 +39568,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.18.0" }} env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS 
@@ -39600,117 +39597,30 @@ metadata: labels: role.kubernetes.io/networking: "1" -{{ if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}} -# This manifest installs the "k8s-ec2-srcdst" container, which -# disables source/destination IP address checks for ENIs attached to -# EC2 instances hosting Kubernetes nodes. -# -# Disabling these checks allows Calico to send unencapsulated packets -# to and from pods within the same VPC subnet, where either a given -# packet's source address (originating from a pod) may not match the -# sending machine's address or the destination address (heading to a -# pod) may not match the receiving machine's address. -# -# This only applies for AWS environments. -# This is a deprecated setting, use awsSrcDstCheck instead --- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: k8s-ec2-srcdst - labels: - role.kubernetes.io/networking: "1" -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - update - - patch +# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict ---- - -apiVersion: v1 -kind: ServiceAccount +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget metadata: - name: k8s-ec2-srcdst + name: calico-kube-controllers namespace: kube-system labels: - role.kubernetes.io/networking: "1" ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: k8s-ec2-srcdst - labels: - role.kubernetes.io/networking: "1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: k8s-ec2-srcdst -subjects: -- kind: ServiceAccount - name: k8s-ec2-srcdst - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: k8s-ec2-srcdst - namespace: kube-system - labels: - k8s-app: k8s-ec2-srcdst - role.kubernetes.io/networking: "1" + k8s-app: calico-kube-controllers spec: - replicas: 0 + maxUnavailable: 1 selector: matchLabels: - k8s-app: 
k8s-ec2-srcdst - template: - metadata: - labels: - k8s-app: k8s-ec2-srcdst - role.kubernetes.io/networking: "1" - spec: - hostNetwork: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: CriticalAddonsOnly - operator: Exists - serviceAccountName: k8s-ec2-srcdst - priorityClassName: system-cluster-critical - containers: - - image: ottoyiu/k8s-ec2-srcdst:v0.3.0 - name: k8s-ec2-srcdst - resources: - requests: - cpu: 10m - memory: 64Mi - env: - - name: AWS_REGION - value: {{ Region }} - volumeMounts: - - name: ssl-certs - mountPath: "/etc/ssl/certs" - readOnly: true - imagePullPolicy: "Always" - volumes: - - name: ssl-certs - hostPath: - path: "/etc/ssl/certs" - type: Directory - nodeSelector: - node-role.kubernetes.io/master: "" -{{ end -}} + k8s-app: calico-kube-controllers + +--- +# Source: calico/templates/calico-etcd-secrets.yaml + +--- +# Source: calico/templates/configure-canal.yaml + + `) func cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplateBytes() ([]byte, error) { diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index bd21ad6a45..7110d67550 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -1,4 +1,4 @@ -# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml +# Pulled and modified from: https://docs.projectcalico.org/v3.18/manifests/calico-typha.yaml {{- if .Networking.Calico.BPFEnabled }} --- @@ -78,8 +78,6 @@ data: --- # Source: calico/templates/kdd-crds.yaml - ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -201,6 +199,18 @@ spec: type: string type: object type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array type: object type: object served: true @@ -212,8 +222,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -254,7 +262,6 @@ spec: format: int32 type: integer keepOriginalNextHop: - default: false description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) @@ -308,6 +315,12 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string type: object type: object served: true @@ -319,8 +332,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -384,8 +395,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -452,8 +461,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
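Review bot: The new `serviceLoadBalancerIPs[].cidr` property in this hunk is declared as a bare `type: string`, so the API server admits any text as a CIDR block and validation is left to whatever consumes the object; a `format: cidr` (or a `pattern`) on that property would reject malformed blocks at admission. The same gap applies to the other fields this commit adds to the CRD schemas: `sourceAddress` (hunk at -308) documents exactly two accepted values but carries no `enum: [UseNodeIP, None]`, and `prometheusMetricsPort` (hunks at -2373 and -2473) is an unbounded integer that could take `minimum: 0` and `maximum: 65535`. Since these CRDs are pulled from the upstream v3.18 manifest, and the neighbouring hunk at -254 drops `default: false` from `keepOriginalNextHop`, presumably on purpose, the constraints are probably better raised upstream than patched locally; if kops does keep local modifications in this file, they should land together with a comment marking the divergence so the next sync does not silently revert them.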
@@ -592,11 +599,11 @@ spec: traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic + iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' @@ -630,7 +637,7 @@ spec: accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. + to "tcp". To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' items: 
@@ -653,7 +660,7 @@ spec: to avoid accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. + to "tcp". To disable all outbound host ports, use the value none. The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, @@ -1008,8 +1015,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1063,7 +1068,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1146,9 +1151,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1351,9 +1356,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1394,7 +1399,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1477,9 +1482,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1682,9 +1687,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1783,8 +1788,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1840,8 +1843,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1903,7 +1904,7 @@ spec: is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint + as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation @@ -1952,8 +1953,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2037,8 +2036,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2097,8 +2094,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -2157,8 +2152,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2260,8 +2253,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2373,6 +2364,10 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer required: - controllers type: object @@ -2473,6 +2468,11 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer required: - controllers type: object @@ -2487,8 +2487,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2531,7 +2529,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2614,9 +2612,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2819,9 +2817,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2862,7 +2860,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2945,9 +2943,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3150,9 +3148,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3243,8 +3241,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3342,6 +3338,7 @@ rules: - create - update - delete + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: @@ -3625,7 +3622,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.17.2" }} + - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.18.0" }} name: calico-typha ports: - containerPort: 5473 
@@ -3747,7 +3744,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.18.0" }} command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: @@ -3774,7 +3771,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.18.0" }} command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -3815,7 +3812,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/pod2daemon-flexvol:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/pod2daemon-flexvol:{{ or .Networking.Calico.Version "v3.18.0" }} volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -3826,7 +3823,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.18.0" }} envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
@@ -4100,7 +4097,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.17.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.18.0" }} env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS 
@@ -4129,114 +4126,27 @@ metadata: labels: role.kubernetes.io/networking: "1" -{{ if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}} -# This manifest installs the "k8s-ec2-srcdst" container, which -# disables source/destination IP address checks for ENIs attached to -# EC2 instances hosting Kubernetes nodes. -# -# Disabling these checks allows Calico to send unencapsulated packets -# to and from pods within the same VPC subnet, where either a given -# packet's source address (originating from a pod) may not match the -# sending machine's address or the destination address (heading to a -# pod) may not match the receiving machine's address. -# -# This only applies for AWS environments. -# This is a deprecated setting, use awsSrcDstCheck instead --- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: k8s-ec2-srcdst - labels: - role.kubernetes.io/networking: "1" -rules: -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - update - - patch +# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict ---- - -apiVersion: v1 -kind: ServiceAccount +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget metadata: - name: k8s-ec2-srcdst + name: calico-kube-controllers namespace: kube-system labels: - role.kubernetes.io/networking: "1" ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: k8s-ec2-srcdst - labels: - role.kubernetes.io/networking: "1" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: k8s-ec2-srcdst -subjects: -- kind: ServiceAccount - name: k8s-ec2-srcdst - namespace: kube-system - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: k8s-ec2-srcdst - namespace: kube-system - labels: - k8s-app: k8s-ec2-srcdst - role.kubernetes.io/networking: "1" + k8s-app: calico-kube-controllers spec: - replicas: 0 + maxUnavailable: 1 selector: matchLabels: - k8s-app: k8s-ec2-srcdst 
- template: - metadata: - labels: - k8s-app: k8s-ec2-srcdst - role.kubernetes.io/networking: "1" - spec: - hostNetwork: true - tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: CriticalAddonsOnly - operator: Exists - serviceAccountName: k8s-ec2-srcdst - priorityClassName: system-cluster-critical - containers: - - image: ottoyiu/k8s-ec2-srcdst:v0.3.0 - name: k8s-ec2-srcdst - resources: - requests: - cpu: 10m - memory: 64Mi - env: - - name: AWS_REGION - value: {{ Region }} - volumeMounts: - - name: ssl-certs - mountPath: "/etc/ssl/certs" - readOnly: true - imagePullPolicy: "Always" - volumes: - - name: ssl-certs - hostPath: - path: "/etc/ssl/certs" - type: Directory - nodeSelector: - node-role.kubernetes.io/master: "" -{{ end -}} + k8s-app: calico-kube-controllers + + --- + # Source: calico/templates/calico-etcd-secrets.yaml + + --- + # Source: calico/templates/configure-canal.yaml + + 
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
index 871f51000f..dac6f375ba 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
@@ -762,7 +762,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 		key := "networking.projectcalico.org"
 		versions := map[string]string{
 			"k8s-1.12": "3.9.6-kops.2",
-			"k8s-1.16": "3.17.2-kops.2",
+			"k8s-1.16": "3.18.0-kops.1",
 		}
 
 		{