kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update calico and canal to 3.25.1

This commit is contained in:
Jesse Haka 2023-05-24 08:48:19 +03:00
parent 80129abd20
commit de9c5fbf2e
2 changed files with 145 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.25.yaml.template
View File

@ -1,4 +1,4 @@
# Pulled and modified from: https://projectcalico.docs.tigera.io/archive/v3.24/manifests/canal.yaml
# Pulled and modified from: https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico-typha.yaml
---
# Source: calico/templates/calico-kube-controllers.yaml
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
@ -185,6 +185,12 @@ spec:
type: string
type: object
type: array
ignoredInterfaces:
description: IgnoredInterfaces indicates the network interfaces that
needs to be excluded when reading device routes.
items:
type: string
type: array
listenPort:
description: ListenPort is the port where BGP protocol should listen.
Defaults to 179
@ -403,12 +409,23 @@ spec:
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
reachableBy:
description: Add an exact, i.e. /32, static route toward peer IP in
order to prevent route flapping. ReachableBy contains the address
of the gateway which peer can be reached by.
type: string
sourceAddress:
description: Specifies whether and how to configure a source address
for the peerings generated by this BGPPeer resource. Default value
"UseNodeIP" means to configure the node IP as the source address. "None"
means not to configure a source address.
type: string
ttlSecurity:
description: TTLSecurity enables the generalized TTL security mechanism
(GTSM) which protects against spoofed packets by ignoring received
packets with a smaller than expected TTL value. The provided value
is the number of hops (edges) between the peers.
type: integer
type: object
type: object
served: true
@ -893,9 +910,10 @@ spec:
[Default: false]'
type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled or Strict. [Default: Strict]'
description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
with BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Strict]'
type: string
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@ -935,6 +953,14 @@ spec:
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
in addition to BPFDataIfacePattern. That is, tunnel interfaces not
created by Calico, that Calico workload traffic flows over as well
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
@ -983,10 +1009,10 @@ spec:
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (102465535) and
within the ephemeral range as defined by RFC 6056 (1024–65535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 3276860999, while others mostly use the IANA
defined range 4915265535. It is not necessarily a problem if this
systems. Linux uses 32768–60999, while others mostly use the IANA
defined range 49152–65535. It is not necessarily a problem if this
range overlaps with the operating systems. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
@ -1010,11 +1036,12 @@ spec:
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix''s (internal) dataplane driver. Increase this value
description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix's (internal) dataplane driver. Increase this value
if you experience spurious non-ready or non-live events when Felix
is under heavy load. Decrease the value to get felix to report non-live
or non-ready more quickly. [Default: 90s]'
or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
by the generic HealthTimeoutOverrides."
type: string
debugDisableLogDropping:
type: boolean
@ -1118,15 +1145,21 @@ spec:
type: object
type: array
featureDetectOverride:
description: FeatureDetectOverride is used to override the feature
detection. Values are specified in a comma separated list with no
spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
"true" or "false" will force the feature, empty or omitted values
are auto-detected.
description: FeatureDetectOverride is used to override feature detection
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
or "false" will force the feature, empty or omitted values are auto-detected.
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
floating IP addresses.
non-OpenStack floating IP addresses. (OpenStack-derived floating
IPs are always programmed, regardless of this setting.)
enum:
- Enabled
- Disabled
@ -1143,6 +1176,23 @@ spec:
type: string
healthPort:
type: integer
healthTimeoutOverrides:
description: HealthTimeoutOverrides allows the internal watchdog timeouts
of individual subcomponents to be overriden. This is useful for
working around "false positive" liveness timeouts that can occur
in particularly stressful workloads or if CPU is constrained. For
a list of active subcomponents, see Felix's logs.
items:
properties:
name:
type: string
timeout:
type: string
required:
- name
- timeout
type: object
type: array
interfaceExclude:
description: 'InterfaceExclude is a comma-separated list of interfaces
that Felix should exclude when monitoring for host endpoints. The
@ -1184,7 +1234,7 @@ spec:
type: string
iptablesBackend:
description: IptablesBackend specifies which backend of iptables will
be used. The default is legacy.
be used. The default is Auto.
type: string
iptablesFilterAllowAction:
type: string
@ -4454,7 +4504,7 @@ spec:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: docker.io/calico/cni:v3.24.5
image: docker.io/calico/cni:v3.25.1
imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/install"]
envFrom:
@ -4503,7 +4553,7 @@ spec:
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
- name: "mount-bpffs"
image: docker.io/calico/node:v3.24.5
image: docker.io/calico/node:v3.25.1
imagePullPolicy: IfNotPresent
command: ["calico-node", "-init", "-best-effort"]
volumeMounts:
@ -4529,7 +4579,7 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
image: docker.io/calico/node:v3.24.5
image: docker.io/calico/node:v3.25.1
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
@ -4814,7 +4864,7 @@ spec:
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: docker.io/calico/kube-controllers:v3.24.5
image: docker.io/calico/kube-controllers:v3.25.1
imagePullPolicy: IfNotPresent
env:
# Choose which controllers to run.
@ -4891,7 +4941,7 @@ spec:
securityContext:
fsGroup: 65534
containers:
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.24.5" }}
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
name: calico-typha
ports:

96
upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template
View File

@ -1,4 +1,4 @@
# Pulled and modified from: https://projectcalico.docs.tigera.io/archive/v3.24/manifests/calico-typha.yaml
# Pulled and modified from: https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico-typha.yaml
---
{{- if .Networking.Calico.BPFEnabled }}
# Set these to the IP and port of your API server; In BPF mode, we need to connect directly to the
@ -193,6 +193,12 @@ spec:
type: string
type: object
type: array
ignoredInterfaces:
description: IgnoredInterfaces indicates the network interfaces that
needs to be excluded when reading device routes.
items:
type: string
type: array
listenPort:
description: ListenPort is the port where BGP protocol should listen.
Defaults to 179
@ -411,12 +417,23 @@ spec:
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
reachableBy:
description: Add an exact, i.e. /32, static route toward peer IP in
order to prevent route flapping. ReachableBy contains the address
of the gateway which peer can be reached by.
type: string
sourceAddress:
description: Specifies whether and how to configure a source address
for the peerings generated by this BGPPeer resource. Default value
"UseNodeIP" means to configure the node IP as the source address. "None"
means not to configure a source address.
type: string
ttlSecurity:
description: TTLSecurity enables the generalized TTL security mechanism
(GTSM) which protects against spoofed packets by ignoring received
packets with a smaller than expected TTL value. The provided value
is the number of hops (edges) between the peers.
type: integer
type: object
type: object
served: true
@ -901,9 +918,10 @@ spec:
[Default: false]'
type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled or Strict. [Default: Strict]'
description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
with BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Strict]'
type: string
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@ -943,6 +961,14 @@ spec:
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
in addition to BPFDataIfacePattern. That is, tunnel interfaces not
created by Calico, that Calico workload traffic flows over as well
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
@ -991,10 +1017,10 @@ spec:
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (102465535) and
within the ephemeral range as defined by RFC 6056 (1024–65535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 3276860999, while others mostly use the IANA
defined range 4915265535. It is not necessarily a problem if this
systems. Linux uses 32768–60999, while others mostly use the IANA
defined range 49152–65535. It is not necessarily a problem if this
range overlaps with the operating systems. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
@ -1018,11 +1044,12 @@ spec:
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix''s (internal) dataplane driver. Increase this value
description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix's (internal) dataplane driver. Increase this value
if you experience spurious non-ready or non-live events when Felix
is under heavy load. Decrease the value to get felix to report non-live
or non-ready more quickly. [Default: 90s]'
or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
by the generic HealthTimeoutOverrides."
type: string
debugDisableLogDropping:
type: boolean
@ -1126,15 +1153,21 @@ spec:
type: object
type: array
featureDetectOverride:
description: FeatureDetectOverride is used to override the feature
detection. Values are specified in a comma separated list with no
spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
"true" or "false" will force the feature, empty or omitted values
are auto-detected.
description: FeatureDetectOverride is used to override feature detection
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
or "false" will force the feature, empty or omitted values are auto-detected.
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
floating IP addresses.
non-OpenStack floating IP addresses. (OpenStack-derived floating
IPs are always programmed, regardless of this setting.)
enum:
- Enabled
- Disabled
@ -1151,6 +1184,23 @@ spec:
type: string
healthPort:
type: integer
healthTimeoutOverrides:
description: HealthTimeoutOverrides allows the internal watchdog timeouts
of individual subcomponents to be overriden. This is useful for
working around "false positive" liveness timeouts that can occur
in particularly stressful workloads or if CPU is constrained. For
a list of active subcomponents, see Felix's logs.
items:
properties:
name:
type: string
timeout:
type: string
required:
- name
- timeout
type: object
type: array
interfaceExclude:
description: 'InterfaceExclude is a comma-separated list of interfaces
that Felix should exclude when monitoring for host endpoints. The
@ -1192,7 +1242,7 @@ spec:
type: string
iptablesBackend:
description: IptablesBackend specifies which backend of iptables will
be used. The default is legacy.
be used. The default is Auto.
type: string
iptablesFilterAllowAction:
type: string
@ -4457,7 +4507,7 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.24.5" }}
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
@ -4486,7 +4536,7 @@ spec:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.24.5" }}
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/install"]
envFrom:
@ -4529,7 +4579,7 @@ spec:
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
- name: "mount-bpffs"
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.24.5" }}
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
command: ["calico-node", "-init", "-best-effort"]
volumeMounts:
@ -4555,7 +4605,7 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.24.5" }}
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
@ -4884,7 +4934,7 @@ spec:
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.24.5" }}
image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
env:
# Choose which controllers to run.
@ -4961,7 +5011,7 @@ spec:
securityContext:
fsGroup: 65534
containers:
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.24.5" }}
- image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.25.1" }}
imagePullPolicy: IfNotPresent
name: calico-typha
ports: