Merge pull request #10310 from hakman/calico-3.17.0

Update Calico to v3.17.0
Kubernetes Prow Robot 2020-11-24 23:36:39 -08:00 committed by GitHub
commit bafa96220e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 133 additions and 147 deletions


@ -6685,7 +6685,7 @@ func cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s112YamlTemplate() (*asse
return a, nil
}
var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml
var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml
{{- if .Networking.Calico.BPFEnabled }}
---
@ -6716,15 +6716,14 @@ data:
typha_service_name: "{{- if .Networking.Calico.TyphaReplicas -}}calico-typha{{- else -}}none{{- end -}}"
# Configure the backend to use.
calico_backend: "bird"
# Configure the MTU to use for workload interfaces and tunnels.
# - If Wireguard is enabled, set to your network MTU - 60
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
# - Otherwise, if not using any encapsulation, set to your network MTU.
# By default, MTU is auto-detected, and explicitly setting this field should not be required.
# You can override auto-detection by providing a non-zero value.
{{- if .Networking.Calico.MTU }}
veth_mtu: "{{ .Networking.Calico.MTU }}"
{{- else }}
veth_mtu: "{{- if eq .CloudProvider "openstack" -}}1430{{- else -}}1440{{- end -}}"
veth_mtu: "0"
{{- end }}
# The CNI network configuration to install on each node. The special
@ -6771,8 +6770,6 @@ data:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: bgpconfigurations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -6908,8 +6905,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: bgppeers.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -6946,6 +6941,7 @@ spec:
format: int32
type: integer
keepOriginalNextHop:
default: false
description: Option to keep the original nexthop field when routes
are sent to a BGP Peer. Setting "true" configures the selected BGP
Peers node to use the "next hop keep;" instead of "next hop self;"(default)
@ -6953,8 +6949,8 @@ spec:
type: boolean
node:
description: The node name identifying the Calico node instance that
is peering with this peer. If this is not set, this represents a
global peer, i.e. a peer that peers with every node in the deployment.
is targeted by this peer. If this is not set, and no nodeSelector
is specified, then this BGP peer selects all nodes in the cluster.
type: string
nodeSelector:
description: Selector for the nodes that should have this peering. When
@ -6996,12 +6992,9 @@ spec:
peering between the local node and selected remote nodes, we configure
an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
remote AS number comes from the remote nodes NodeBGPSpec.ASNumber,
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
required:
- asNumber
- peerIP
type: object
type: object
served: true
@ -7019,8 +7012,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: blockaffinities.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -7086,8 +7077,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: clusterinformations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -7156,8 +7145,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: felixconfigurations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -7218,13 +7205,13 @@ spec:
true]'
type: boolean
bpfDataIfacePattern:
description: 'BPFDataIfacePattern is a regular expression that controls
description: BPFDataIfacePattern is a regular expression that controls
which interfaces Felix should attach BPF programs to in order to
catch traffic to/from the network. This needs to match the interfaces
that Calico workload traffic flows over as well as any interfaces
that handle incoming traffic to nodeports and services from outside
the cluster. It should not match the workload interfaces (usually
named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
@ -7269,10 +7256,10 @@ spec:
` + "`" + `tc exec bpf debug` + "`" + `. [Default: Off].'
type: string
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernels
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
chain or by appending a rule at the bottom. insert is the safe default
since it prevents Calicos rules from being bypassed. If you switch
since it prevents Calico''s rules from being bypassed. If you switch
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
@ -7354,7 +7341,7 @@ spec:
Each port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to tcp. To disable all outbound host ports, use the value none.
The default value opens etcds standard ports to ensure that Felix
The default value opens etcd''s standard ports to ensure that Felix
does not get cut off from etcd as well as allowing DHCP and DNS.
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
udp:53, udp:67]'
@ -7406,8 +7393,8 @@ spec:
workload endpoints and so distinguishes them from host endpoint
interfaces. Note: in environments other than bare metal, the orchestrators
configure this appropriately. For example our Kubernetes and Docker
integrations set the cali value, and our OpenStack integration
sets the tap value. [Default: cali]'
integrations set the ''cali'' value, and our OpenStack integration
sets the ''tap'' value. [Default: cali]'
type: string
interfaceRefreshInterval:
description: InterfaceRefreshInterval is the period at which Felix
@ -7423,7 +7410,7 @@ spec:
ipsetsRefreshInterval:
description: 'IpsetsRefreshInterval is the period at which Felix re-checks
all iptables state to ensure that no other process has accidentally
broken Calicos rules. Set to 0 to disable iptables refresh. [Default:
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
type: string
iptablesBackend:
@ -7435,7 +7422,7 @@ spec:
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
lock file. You may need to change this if the lock file is not in
its standard location (for example if you have mapped it into Felixs
its standard location (for example if you have mapped it into Felix''s
container at a different path). [Default: /run/xtables.lock]'
type: string
iptablesLockProbeInterval:
@ -7467,16 +7454,16 @@ spec:
description: 'IptablesPostWriteCheckInterval is the period after Felix
has done a write to the dataplane that it schedules an extra read
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesnt
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
re-checks the IP sets in the dataplane to ensure that no other process
has accidentally broken Calicos rules. Set to 0 to disable IP sets
refresh. Note: the default for this value is lower than the other
refresh intervals as a workaround for a Linux kernel bug that was
fixed in kernel version 4.11. If you are using v4.11 or greater
has accidentally broken Calico''s rules. Set to 0 to disable IP
sets refresh. Note: the default for this value is lower than the
other refresh intervals as a workaround for a Linux kernel bug that
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to, a higher value to reduce Felix CPU
usage. [Default: 10s]'
type: string
@ -7527,10 +7514,15 @@ spec:
type: string
metadataPort:
description: 'MetadataPort is the port of the metadata server. This,
combined with global.MetadataAddr (if not None), is used to set
up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
combined with global.MetadataAddr (if not ''None''), is used to
set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
In most cases this should not need to be changed [Default: 8775].'
type: integer
mtuIfacePattern:
description: MTUIfacePattern is a regular expression that controls
which interfaces Felix should scan in order to calculate the host's
MTU. This should not match workload interfaces (usually named cali...).
type: string
natOutgoingAddress:
description: NATOutgoingAddress specifies an address to use when performing
source NAT for traffic in a natOutgoing pool that is leaving the
@ -7601,9 +7593,9 @@ spec:
status reports. [Default: 90s]'
type: string
routeRefreshInterval:
description: 'RouterefreshInterval is the period at which Felix re-checks
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calicos rules. Set to 0 to disable route refresh.
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
type: string
routeSource:
@ -7624,6 +7616,13 @@ spec:
- max
- min
type: object
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
acceleration [Default: false]'
@ -7702,8 +7701,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: globalnetworkpolicies.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -7908,7 +7905,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -7937,7 +7934,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -8239,7 +8236,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -8268,7 +8265,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -8479,8 +8476,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: globalnetworksets.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -8538,8 +8533,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: hostendpoints.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -8652,8 +8645,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamblocks.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -8720,7 +8711,6 @@ spec:
- allocations
- attributes
- cidr
- deleted
- strictAffinity
- unallocated
type: object
@ -8740,8 +8730,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamconfigs.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -8776,6 +8764,10 @@ spec:
properties:
autoAllocateBlocks:
type: boolean
maxBlocksPerHost:
description: MaxBlocksPerHost, if non-zero, is the max number of blocks
that can be affine to each host.
type: integer
strictAffinity:
type: boolean
required:
@ -8798,8 +8790,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamhandles.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -8836,6 +8826,8 @@ spec:
additionalProperties:
type: integer
type: object
deleted:
type: boolean
handleID:
type: string
required:
@ -8858,8 +8850,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ippools.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -9190,8 +9180,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: networkpolicies.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -9385,7 +9373,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -9414,7 +9402,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -9716,7 +9704,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -9745,7 +9733,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -9948,8 +9936,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: networksets.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -10326,7 +10312,7 @@ spec:
securityContext:
fsGroup: 65534
containers:
- image: calico/typha:v3.16.4
- image: docker.io/calico/typha:v3.17.0
name: calico-typha
ports:
- containerPort: 5473
@ -10443,7 +10429,7 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
image: calico/cni:v3.16.4
image: docker.io/calico/cni:v3.17.0
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
- configMapRef:
@ -10470,7 +10456,7 @@ spec:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: calico/cni:v3.16.4
image: docker.io/calico/cni:v3.17.0
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
@ -10511,7 +10497,7 @@ spec:
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: calico/pod2daemon-flexvol:v3.16.4
image: docker.io/calico/pod2daemon-flexvol:v3.17.0
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
@ -10522,7 +10508,7 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
image: calico/node:v3.16.4
image: docker.io/calico/node:v3.17.0
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -10688,6 +10674,9 @@ spec:
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
volumes:
# Used by calico-node.
- name: lib-modules
@ -10714,6 +10703,10 @@ spec:
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Used to access CNI logs.
- name: cni-log-dir
hostPath:
path: /var/log/calico/cni
# Mount in the directory for host-local IPAM allocations. This is
# used when upgrading from host-local to calico-ipam, and can be removed
# if not using the upgrade-ipam init container.
@ -10779,7 +10772,7 @@ spec:
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: calico/kube-controllers:v3.16.4
image: docker.io/calico/kube-controllers:v3.17.0
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS


@ -1,4 +1,4 @@
# Pulled and modified from: https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml
# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml
{{- if .Networking.Calico.BPFEnabled }}
---
@ -29,15 +29,14 @@ data:
typha_service_name: "{{- if .Networking.Calico.TyphaReplicas -}}calico-typha{{- else -}}none{{- end -}}"
# Configure the backend to use.
calico_backend: "bird"
# Configure the MTU to use for workload interfaces and tunnels.
# - If Wireguard is enabled, set to your network MTU - 60
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
# - Otherwise, if not using any encapsulation, set to your network MTU.
# By default, MTU is auto-detected, and explicitly setting this field should not be required.
# You can override auto-detection by providing a non-zero value.
{{- if .Networking.Calico.MTU }}
veth_mtu: "{{ .Networking.Calico.MTU }}"
{{- else }}
veth_mtu: "{{- if eq .CloudProvider "openstack" -}}1430{{- else -}}1440{{- end -}}"
veth_mtu: "0"
{{- end }}
# The CNI network configuration to install on each node. The special
@ -84,8 +83,6 @@ data:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: bgpconfigurations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -221,8 +218,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: bgppeers.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -259,6 +254,7 @@ spec:
format: int32
type: integer
keepOriginalNextHop:
default: false
description: Option to keep the original nexthop field when routes
are sent to a BGP Peer. Setting "true" configures the selected BGP
Peers node to use the "next hop keep;" instead of "next hop self;"(default)
@ -266,8 +262,8 @@ spec:
type: boolean
node:
description: The node name identifying the Calico node instance that
is peering with this peer. If this is not set, this represents a
global peer, i.e. a peer that peers with every node in the deployment.
is targeted by this peer. If this is not set, and no nodeSelector
is specified, then this BGP peer selects all nodes in the cluster.
type: string
nodeSelector:
description: Selector for the nodes that should have this peering. When
@ -309,12 +305,9 @@ spec:
peering between the local node and selected remote nodes, we configure
an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
remote AS number comes from the remote nodes NodeBGPSpec.ASNumber,
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
required:
- asNumber
- peerIP
type: object
type: object
served: true
@ -332,8 +325,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: blockaffinities.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -399,8 +390,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: clusterinformations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -469,8 +458,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: felixconfigurations.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -531,13 +518,13 @@ spec:
true]'
type: boolean
bpfDataIfacePattern:
description: 'BPFDataIfacePattern is a regular expression that controls
description: BPFDataIfacePattern is a regular expression that controls
which interfaces Felix should attach BPF programs to in order to
catch traffic to/from the network. This needs to match the interfaces
that Calico workload traffic flows over as well as any interfaces
that handle incoming traffic to nodeports and services from outside
the cluster. It should not match the workload interfaces (usually
named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
@ -582,10 +569,10 @@ spec:
`tc exec bpf debug`. [Default: Off].'
type: string
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernels
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
chain or by appending a rule at the bottom. insert is the safe default
since it prevents Calicos rules from being bypassed. If you switch
since it prevents Calico''s rules from being bypassed. If you switch
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
@ -667,7 +654,7 @@ spec:
Each port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to “tcp”. To disable all outbound host ports, use the value none.
The default value opens etcds standard ports to ensure that Felix
The default value opens etcd''s standard ports to ensure that Felix
does not get cut off from etcd as well as allowing DHCP and DNS.
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
udp:53, udp:67]'
@ -719,8 +706,8 @@ spec:
workload endpoints and so distinguishes them from host endpoint
interfaces. Note: in environments other than bare metal, the orchestrators
configure this appropriately. For example our Kubernetes and Docker
integrations set the cali value, and our OpenStack integration
sets the tap value. [Default: cali]'
integrations set the ''cali'' value, and our OpenStack integration
sets the ''tap'' value. [Default: cali]'
type: string
interfaceRefreshInterval:
description: InterfaceRefreshInterval is the period at which Felix
@ -736,7 +723,7 @@ spec:
ipsetsRefreshInterval:
description: 'IpsetsRefreshInterval is the period at which Felix re-checks
all iptables state to ensure that no other process has accidentally
broken Calicos rules. Set to 0 to disable iptables refresh. [Default:
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
type: string
iptablesBackend:
@ -748,7 +735,7 @@ spec:
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
lock file. You may need to change this if the lock file is not in
its standard location (for example if you have mapped it into Felixs
its standard location (for example if you have mapped it into Felix''s
container at a different path). [Default: /run/xtables.lock]'
type: string
iptablesLockProbeInterval:
@ -780,16 +767,16 @@ spec:
description: 'IptablesPostWriteCheckInterval is the period after Felix
has done a write to the dataplane that it schedules an extra read
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesnt
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
re-checks the IP sets in the dataplane to ensure that no other process
has accidentally broken Calicos rules. Set to 0 to disable IP sets
refresh. Note: the default for this value is lower than the other
refresh intervals as a workaround for a Linux kernel bug that was
fixed in kernel version 4.11. If you are using v4.11 or greater
has accidentally broken Calico''s rules. Set to 0 to disable IP
sets refresh. Note: the default for this value is lower than the
other refresh intervals as a workaround for a Linux kernel bug that
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to, a higher value to reduce Felix CPU
usage. [Default: 10s]'
type: string
@ -840,10 +827,15 @@ spec:
type: string
metadataPort:
description: 'MetadataPort is the port of the metadata server. This,
combined with global.MetadataAddr (if not None), is used to set
up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
combined with global.MetadataAddr (if not ''None''), is used to
set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
In most cases this should not need to be changed [Default: 8775].'
type: integer
mtuIfacePattern:
description: MTUIfacePattern is a regular expression that controls
which interfaces Felix should scan in order to calculate the host's
MTU. This should not match workload interfaces (usually named cali...).
type: string
natOutgoingAddress:
description: NATOutgoingAddress specifies an address to use when performing
source NAT for traffic in a natOutgoing pool that is leaving the
@ -914,9 +906,9 @@ spec:
status reports. [Default: 90s]'
type: string
routeRefreshInterval:
description: 'RouterefreshInterval is the period at which Felix re-checks
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calicos rules. Set to 0 to disable route refresh.
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
type: string
routeSource:
@ -937,6 +929,13 @@ spec:
- max
- min
type: object
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
acceleration [Default: false]'
@ -1015,8 +1014,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: globalnetworkpolicies.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -1221,7 +1218,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -1250,7 +1247,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -1552,7 +1549,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -1581,7 +1578,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -1792,8 +1789,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: globalnetworksets.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -1851,8 +1846,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: hostendpoints.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -1965,8 +1958,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamblocks.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -2033,7 +2024,6 @@ spec:
- allocations
- attributes
- cidr
- deleted
- strictAffinity
- unallocated
type: object
@ -2053,8 +2043,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamconfigs.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -2089,6 +2077,10 @@ spec:
properties:
autoAllocateBlocks:
type: boolean
maxBlocksPerHost:
description: MaxBlocksPerHost, if non-zero, is the max number of blocks
that can be affine to each host.
type: integer
strictAffinity:
type: boolean
required:
@ -2111,8 +2103,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ipamhandles.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -2149,6 +2139,8 @@ spec:
additionalProperties:
type: integer
type: object
deleted:
type: boolean
handleID:
type: string
required:
@ -2171,8 +2163,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: ippools.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -2503,8 +2493,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: networkpolicies.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -2698,7 +2686,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -2727,7 +2715,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -3029,7 +3017,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -3058,7 +3046,7 @@ spec:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernels iptables firewall,
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
@ -3261,8 +3249,6 @@ status:
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: networksets.crd.projectcalico.org
labels:
role.kubernetes.io/networking: "1"
@ -3639,7 +3625,7 @@ spec:
securityContext:
fsGroup: 65534
containers:
- image: calico/typha:v3.16.4
- image: docker.io/calico/typha:v3.17.0
name: calico-typha
ports:
- containerPort: 5473
@ -3756,7 +3742,7 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
image: calico/cni:v3.16.4
image: docker.io/calico/cni:v3.17.0
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
- configMapRef:
@ -3783,7 +3769,7 @@ spec:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: calico/cni:v3.16.4
image: docker.io/calico/cni:v3.17.0
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
@ -3824,7 +3810,7 @@ spec:
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: calico/pod2daemon-flexvol:v3.16.4
image: docker.io/calico/pod2daemon-flexvol:v3.17.0
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
@ -3835,7 +3821,7 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
image: calico/node:v3.16.4
image: docker.io/calico/node:v3.17.0
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -4001,6 +3987,9 @@ spec:
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
volumes:
# Used by calico-node.
- name: lib-modules
@ -4027,6 +4016,10 @@ spec:
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Used to access CNI logs.
- name: cni-log-dir
hostPath:
path: /var/log/calico/cni
# Mount in the directory for host-local IPAM allocations. This is
# used when upgrading from host-local to calico-ipam, and can be removed
# if not using the upgrade-ipam init container.
@ -4092,7 +4085,7 @@ spec:
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: calico/kube-controllers:v3.16.4
image: docker.io/calico/kube-controllers:v3.17.0
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS


@ -711,7 +711,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
key := "networking.projectcalico.org"
versions := map[string]string{
"k8s-1.12": "3.9.6-kops.1",
"k8s-1.16": "3.16.3-kops.2",
"k8s-1.16": "3.17.0-kops.1",
}
{