diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content index 026c00f09a..39864d444a 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content @@ -106,7 +106,7 @@ spec: version: 9.99.0 - id: k8s-1.25 manifest: networking.projectcalico.org/k8s-1.25.yaml - manifestHash: 5898b8d3b8178048ad8777ba31094d24684e11627cf167923b622cfb4afb12bf + manifestHash: 123b89a7c5832c2479741310c8ae2a121000365ab4c8c5bcf43de9527ce55452 name: networking.projectcalico.org prune: kinds: diff --git a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content index 99e3c201cb..477c98f07e 100644 --- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content +++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.25_content @@ -43,6 +43,19 @@ metadata: --- +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin + namespace: kube-system + +--- + apiVersion: v1 data: calico_backend: none 
@@ -289,6 +302,135 @@ status: --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. 
+ items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -331,6 +473,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
@@ -900,6 +1047,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -923,7 +1077,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -1188,7 +1342,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1248,6 +1402,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in 
@@ -4324,7 +4484,7 @@ rules: - apiGroups: - "" resourceNames: - - calico-node + - calico-cni-plugin resources: - serviceaccounts/token verbs: @@ -4394,6 +4554,7 @@ rules: - globalfelixconfigs - felixconfigurations - bgppeers + - bgpfilters - globalbgpconfigs - bgpconfigurations - ippools @@ -4476,6 +4637,49 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - crd.projectcalico.org + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4516,6 +4720,26 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -4626,7 +4850,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.25.2 + image: docker.io/calico/node:v3.26.4 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -4706,7 +4930,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.25.2 + image: docker.io/calico/cni:v3.26.4 imagePullPolicy: IfNotPresent name: install-cni securityContext: @@ -4720,7 +4944,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.25.2 + image: docker.io/calico/node:v3.26.4 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: @@ -4843,7 +5067,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.25.2 + image: docker.io/calico/kube-controllers:v3.26.4 imagePullPolicy: IfNotPresent livenessProbe: exec: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content index c011143049..1a8125d801 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content @@ -106,7 +106,7 @@ spec: version: 9.99.0 - id: k8s-1.25 manifest: networking.projectcalico.org/k8s-1.25.yaml - manifestHash: 36e27a220f36800fe4dba1c00904fc41b0a3398f553549235c8bbbd205b47205 + manifestHash: 32e515d75ab7f76488de85484e9da3a7116ee2b2d23b271be46a7172ed7fc448 name: networking.projectcalico.org prune: kinds: diff --git a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content index abba25df1a..a9af65e390 100644 
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content +++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.25_content @@ -43,6 +43,19 @@ metadata: --- +apiVersion: v1 +kind: ServiceAccount +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin + namespace: kube-system + +--- + apiVersion: v1 data: calico_backend: bird 
@@ -288,6 +301,135 @@ status: --- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. 
+ items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -330,6 +472,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
@@ -899,6 +1046,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -922,7 +1076,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -1187,7 +1341,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1247,6 +1401,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in 
@@ -4323,7 +4483,7 @@ rules: - apiGroups: - "" resourceNames: - - calico-node + - calico-cni-plugin resources: - serviceaccounts/token verbs: @@ -4393,6 +4553,7 @@ rules: - globalfelixconfigs - felixconfigurations - bgppeers + - bgpfilters - globalbgpconfigs - bgpconfigurations - ippools @@ -4475,6 +4636,49 @@ rules: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch +- apiGroups: + - crd.projectcalico.org + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete + +--- + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -4515,6 +4719,26 @@ subjects: --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + addon.kops.k8s.io/name: networking.projectcalico.org + app.kubernetes.io/managed-by: kops + role.kubernetes.io/networking: "1" + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system + +--- + apiVersion: apps/v1 kind: DaemonSet metadata: @@ -4621,7 +4845,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.25.2 + image: docker.io/calico/node:v3.26.4 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -4695,7 +4919,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.25.2 + image: docker.io/calico/cni:v3.26.4 imagePullPolicy: IfNotPresent name: upgrade-ipam securityContext: @@ -4730,7 +4954,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.25.2 + image: docker.io/calico/cni:v3.26.4 imagePullPolicy: IfNotPresent name: install-cni securityContext: @@ -4744,7 +4968,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.25.2 + image: docker.io/calico/node:v3.26.4 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: @@ -4870,7 +5094,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.25.2 + image: docker.io/calico/kube-controllers:v3.26.4 imagePullPolicy: IfNotPresent livenessProbe: exec: diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template index a446c6c9d3..eb3d59e624 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.25.yaml.template @@ -1,4 +1,4 @@ -# Pulled and modified from: https://projectcalico.docs.tigera.io/archive/v3.25/manifests/calico-typha.yaml +# Pulled and modified from: https://raw.githubusercontent.com/projectcalico/calico/v3.26.4/manifests/calico-typha.yaml --- {{- if .Networking.Calico.BPFEnabled }} # Set these to the IP and port of your API server; In BPF mode, we need to connect directly to the 
@@ -61,6 +61,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
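Review bot: The new `calico-cni-plugin` ServiceAccount is created with the default token automount, yet no pod in this diff references it via `serviceAccountName`; its credentials appear to be issued on demand by calico-node through the `serviceaccounts/token` create rule changed further down in this file. Adding `automountServiceAccountToken: false` at the top level of this ServiceAccount would keep any workload that later binds to the account from silently receiving a long-lived mounted token, which seems to be the point of giving the CNI plugin a separate identity. The generated integration fixtures earlier in this diff would then need regenerating, since their `manifestHash` values are derived from this template.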
@@ -317,6 +324,130 @@ status: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. 
+ properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgppeers.crd.projectcalico.org spec: @@ -352,6 +483,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
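Review bot: The BGPFilter schema added here constrains `action`, `cidr` and `matchOperator` only to `type: string`, so a cluster-scoped object that decides which routes are imported from or exported to a BGP peer is accepted by the API server with any values and is validated, if at all, only by the component that consumes it. The CRD is copied from upstream `kdd-crds.yaml` (per the `# Source:` comment above the hunk) and is controller-gen output, so tightening it in kops would create drift; a comment at this CRD's `spec:` such as `# Upstream schema does not enumerate action/matchOperator or validate cidr; Calico, not the API server, checks these values` would tell the next maintainer why it is left as is. The `filters` field added to the bgppeers CRD in the next hunk is the consumer side of the same reference and is likewise an unconstrained string list.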
@@ -898,6 +1034,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -921,7 +1064,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -1186,7 +1329,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1246,6 +1389,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in 
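Review bot: The `bpfEnforceRPF` description now reads `[Default: Loose]` instead of `Strict`, which records a change in Felix's effective default rather than anything this template configures, so a cluster that never set the field explicitly will get weaker reverse-path filtering on host interfaces in BPF mode once the images move to v3.26.4 lower in this diff. Unless the FelixConfiguration emitted elsewhere in this template (outside these hunks) pins `bpfEnforceRPF`, this deserves an explicit value or at least a note in the template header; I cannot see from the hunk whether it is pinned. The new `iptablesFilterDenyAction` field in the last hunk is schema-only as well, so the `DROP` default described there is what takes effect unless set. The `accesses nodeports` wording in the `bpfDSROptoutCIDRs` description is an upstream typo and not worth fixing locally.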
@@ -4256,7 +4405,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4273,7 +4422,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4327,6 +4476,7 @@ rules: - globalfelixconfigs - felixconfigurations - bgppeers + - bgpfilters - globalbgpconfigs - bgpconfigurations - ippools @@ -4410,6 +4560,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4438,6 +4623,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- {{ if .Networking.Calico.TyphaReplicas -}} # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. 
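Review bot: With `resourceNames` switched to `calico-cni-plugin`, the ClusterRole this rule belongs to (its header is above this hunk) keeps the ability to mint tokens via TokenRequest, but now for a separate, more narrowly bound identity, and the comment describing the rule is also outside the hunk and should be updated to say the tokens are issued for the CNI plugin's dedicated ServiceAccount. The context comment `# The CNI plugin needs to get pods, nodes, and namespaces.` that follows suggests calico-node still carries the CNI rules that the new `calico-cni-plugin` ClusterRole later in this hunk group duplicates, so the change adds an identity without yet shrinking calico-node's own permissions. A comment such as `# calico-node still holds the CNI read rules; the calico-cni-plugin ClusterRole below is the plugin's own scope` would make that explicit.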
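Review bot: In the new `calico-cni-plugin` ClusterRole, the third rule applies `get`, `list`, `create`, `update` and `delete` uniformly to seven `crd.projectcalico.org` resources including `ippools`, `ipreservations` and `clusterinformations`; if the plugin only reads those and mutates the IPAM block and handle objects, splitting the rule into a read-only set and a read-write set would keep the new account closer to least privilege. This mirrors the upstream rule, so the split should be checked against the plugin's actual calls before diverging. The cluster-wide `patch` on `pods/status` also merits a one-line comment stating why the CNI needs it, presumably to record pod network status, since it allows altering the status of any pod.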
@@ -4507,7 +4706,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.25.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4536,7 +4735,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.25.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4579,7 +4778,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.25.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4605,7 +4804,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.25.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent envFrom: - configMapRef: 
@@ -4934,7 +5133,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.25.2" }} + image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -5011,10 +5210,11 @@ spec: # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule + # Make sure Typha can get scheduled on any nodes. + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists # Since Calico can't network a pod until Typha is up, we need to run Typha itself # as a host-networked pod. serviceAccountName: calico-node @@ -5023,7 +5223,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.25.2" }} + - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.26.4" }} imagePullPolicy: IfNotPresent name: calico-typha ports:
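Review bot: The replacement tolerations in the Typha hunk carry no `key`, so with `operator: Exists` Typha now tolerates every taint on every node rather than only the control-plane taints the removed entries matched, including `NoExecute` taints such as not-ready or unreachable (no `tolerationSeconds`, so it is never evicted) and any taint an operator uses to dedicate or isolate nodes. That matches the upstream calico-typha.yaml and may be intended because Typha is host-networked and cluster-critical, but it changes where Typha can land on existing clusters. The comment `# Make sure Typha can get scheduled on any nodes.` should state the trade-off, e.g. `# Tolerate all taints (NoSchedule and NoExecute): Typha must run even on tainted or not-ready nodes, so it will also land on nodes isolated with custom taints.`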