当前位置:   article > 正文

ARM架构部署k8s1.21.1_value: "interface=eth0

value: "interface=eth0
  • Kubenetes:v1.21.1
  • docker:20.10.10
  • helm:v3.12.3
  • 操作系统:Bclinux-Euler
  • linux内核:4.19.90-2107.6.0.0192.8.oe1.bclinux.aarch64

参考文档

ARM架构下部署docker_docker arm_Ango_Cango的博客-CSDN博客

helm安装rancher(2.6.4)_wnfee的博客-CSDN博客

最新版V1.21.1版k8s,Kubeadm 安装部署_k8s1.21支持docker最新版本是20.10_学的好秃的早的博客-CSDN博客


配置基础环境

1.配置yum源
  1. #kubernetes yam源
  2. kubernetes.repo
  3. [kubernetes]
  4. name=Kubernetes
  5. baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-aarch64
  6. enabled=1
  7. gpgcheck=1
  8. repo_gpgcheck=1
  9. gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
  10. http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
  11. #BClinux Euler 自带yum源
  12. [OS]
  13. name=BC-Linux-release - OS
  14. baseurl=http://mirrors.cmecloud.cn/bclinux/oe21.10U3/OS/$basearch/
  15. gpgcheck=1
  16. enabled=1
  17. gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
  18. [everything]
  19. name=BC-Linux-release - everything
  20. baseurl=http://mirrors.cmecloud.cn/bclinux/oe21.10U3/everything/$basearch/
  21. gpgcheck=1
  22. enabled=1
  23. gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
  24. [update]
  25. name=BC-Linux-release - update
  26. baseurl=http://mirrors.cmecloud.cn/bclinux/oe21.10U3/update/$basearch/
  27. gpgcheck=1
  28. enabled=1
  29. gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
  30. [EPOL]
  31. name=EPOL
  32. baseurl=http://mirrors.cmecloud.cn/openeuler/openEuler-20.03-LTS-SP3/EPOL/main/$basearch/
  33. enabled=0
  34. gpgcheck=1
  35. gpgkey=http://mirrors.cmecloud.cn/openeuler/openEuler-20.03-LTS-SP3/OS/$basearch/RPM-GPG-KEY-openEuler
  36. #华为Euler yum源
  37. [base]
  38. name=EulerOS-2.0SP8 base
  39. baseurl=http://mirrors.huaweicloud.com/euler/2.8/os/aarch64/
  40. enabled=1
  41. gpgcheck=1
  42. gpgkey=http://mirrors.huaweicloud.com/euler/2.8/os/RPM-GPG-KEY-EulerOS
2.配置环境
  1. 1.修改主机名
  2. hostnamectl set-hostname
  3. 2.关闭selinnx swap
  4. sed -i s#SELINUX=enforcing#SELINUX=disabled# /etc/selinux/config #永久关闭
  5. setenforce 0 #临时关闭
  6. 3.关闭防火墙
  7. systemctl stop firewalld
  8. systemctl disable firewalld
  9. 4.关闭swap分区
  10. swapoff -a #临时关闭
  11. 注释掉 /etc/fstab 文件中的 swap配置 #永久关闭
  12. 5.文件数配置
  13. ulimit -SHn 65535
  14. cat <<EOF >> /etc/security/limits.conf
  15. * soft nofile 655360
  16. * hard nofile 131072
  17. * soft nproc 655350
  18. * hard nproc 655350
  19. * soft memlock unlimited
  20. * hard memlock unlimited
  21. EOF
  22. 6.ipvs配置
  23. yum install ipvsadm ipset sysstat conntrack libseccomp -y
  24. modprobe -- ip_vs
  25. modprobe -- ip_vs_rr
  26. modprobe -- ip_vs_wrr
  27. modprobe -- ip_vs_sh
  28. modprobe -- nf_conntrack_ipv4
  29. cat >/etc/modules-load.d/ipvs.conf <<EOF
  30. ip_vs
  31. ip_vs_lc
  32. ip_vs_wlc
  33. ip_vs_rr
  34. ip_vs_wrr
  35. ip_vs_lblc
  36. ip_vs_lblcr
  37. ip_vs_dh
  38. ip_vs_sh
  39. ip_vs_nq
  40. ip_vs_sed
  41. ip_vs_ftp
  42. ip_vs_sh
  43. nf_conntrack_ipv4
  44. ip_tables
  45. ip_set
  46. xt_set
  47. ipt_set
  48. ipt_rpfilter
  49. ipt_REJECT
  50. ipip
  51. EOF
  52. systemctl enable systemd-modules-load.service && systemctl daemon-reload
  53. 7.内核优化
  54. cat <<EOF > /etc/sysctl.d/k8s.conf
  55. net.ipv4.ip_forward = 1
  56. net.bridge.bridge-nf-call-iptables = 1
  57. net.bridge.bridge-nf-call-ip6tables = 1
  58. fs.may_detach_mounts = 1
  59. vm.overcommit_memory=1
  60. vm.panic_on_oom=0
  61. fs.inotify.max_user_watches=89100
  62. fs.file-max=52706963
  63. fs.nr_open=52706963
  64. net.netfilter.nf_conntrack_max=2310720
  65. net.ipv4.tcp_keepalive_time = 600
  66. net.ipv4.tcp_keepalive_probes = 3
  67. net.ipv4.tcp_keepalive_intvl =15
  68. net.ipv4.tcp_max_tw_buckets = 36000
  69. net.ipv4.tcp_tw_reuse = 1
  70. net.ipv4.tcp_max_orphans = 327680
  71. net.ipv4.tcp_orphan_retries = 3
  72. net.ipv4.tcp_syncookies = 1
  73. net.ipv4.tcp_max_syn_backlog = 16384
  74. net.ipv4.ip_conntrack_max = 131072
  75. net.ipv4.tcp_max_syn_backlog = 16384
  76. net.ipv4.tcp_timestamps = 0
  77. net.core.somaxconn = 16384
  78. EOF
  79. 8.docker daemon.json配置
  80. mkdir -p /etc/docker/
  81. tee /etc/docker/daemon.json <<-'EOF'
  82. {
  83. "registry-mirrors": [
  84. "https://docker.m.daocloud.io",
  85. "https://dockerproxy.com",
  86. "https://docker.mirrors.ustc.edu.cn",
  87. "https://docker.nju.edu.cn",
  88. "https://cvtby7bo.mirror.aliyuncs.com"],
  89. "exec-opts": ["native.cgroupdriver=systemd"]
  90. }
  91. EOF
  92. 注意:环境配置非全部适用,无法保证所有环境适配,尤其是国产化环境下谨慎选择!!!
 3.docker安装配置
  1. docker下载地址
  2. https://download.docker.com/linux/static/stable/aarch64/
  3. #配置docker systemctl
  4. cat >/usr/lib/systemd/system/docker.service <<EOF
  5. [Unit]
  6. Description=Docker Application Container Engine
  7. Documentation=http://docs.docker.com
  8. After=network.target docker.socket
  9. [Service]
  10. Type=notify
  11. EnvironmentFile=-/run/flannel/docker
  12. WorkingDirectory=/usr/local/bin
  13. ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock --selinux-enabled=false --log-opt max-size=1g
  14. ExecReload=/bin/kill -s HUP $MAINPID
  15. # Having non-zero Limit*s causes performance problems due to accounting overhead
  16. # in the kernel. We recommend using cgroups to do container-local accounting.
  17. LimitNOFILE=infinity
  18. LimitNPROC=infinity
  19. LimitCORE=infinity
  20. # Uncomment TasksMax if your systemd version supports it.
  21. # Only systemd 226 and above support this version.
  22. #TasksMax=infinity
  23. TimeoutStartSec=0
  24. # set delegate yes so that systemd does not reset the cgroups of docker containers
  25. Delegate=yes
  26. # kill only the docker process, not all processes in the cgroup
  27. KillMode=process
  28. Restart=on-failure
  29. [Install]
  30. WantedBy=multi-user.target
  31. EOF
  32. #启动docker
  33. systemctl start docker
  34. docker info

K8s1.21.1部署 

1.部署k8s
  1. #yum安装kubeadm kubectl kubelet
  2. yum -y install kubeadm-1.21.1 kubectl-1.21.1 kubelet-1.21.1
  3. #下载国内k8s镜像
  4. kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.21.1
  5. 注意:cronedns会有问题,把cronedns/cronedns改成cronedns
  6. #镜像打标签,也可以不打指定镜像仓库来部署使用
  7. docker tag registry.aliyuncs.com/google_containers/kube-apiserver:v1.21.1 k8s.gcr.io/kube-apiserver:v1.21.1
  8. docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.21.1 k8s.gcr.io/kube-proxy:v1.21.1
  9. docker tag registry.aliyuncs.com/google_containers/kube-controller-manager:v1.21.1 k8s.gcr.io/kube-controller-manager:v1.21.1
  10. docker tag registry.aliyuncs.com/google_containers/kube-scheduler:v1.21.1 k8s.gcr.io/kube-scheduler:v1.21.1
  11. docker tag registry.aliyuncs.com/google_containers/pause:3.4.1 k8s.gcr.io/pause:3.4.1
  12. docker tag registry.aliyuncs.com/google_containers/coredns:v1.8.0 k8s.gcr.io/coredns/coredns:v1.8.0
  13. docker tag registry.aliyuncs.com/google_containers/etcd:3.4.13-0 k8s.gcr.io/etcd:3.4.13-0
  14. #删除旧镜像
  15. docker images | grep registry.aliyuncs.com | awk '{print $1":"$2}' | xargs docker rmi -f
  16. #初始化节点 kubeadm
  17. kubeadm init \
  18. --apiserver-advertise-address=192.168.229.29 \
  19. --kubernetes-version v1.21.1 \
  20. --service-cidr=10.96.0.0/12 \
  21. --pod-network-cidr=10.244.0.0/16 \
  22. --service-dns-domain=cluster.local \
  23. --upload-certs \
  24. --v=5
  25. #解决node节点8080问题
  26. scp /etc/kubernetes/admin.conf root@k8s-node:/etc/kubernetes/admin.conf
  27. node节点执行:
  28. echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
  29. source ~/.bash_profile
  30. #kubectl支持补全
  31. yum install -y bash-completion
  32. echo 'source <(kubectl completion bash)' >>/root/.bashrc
  33. source /root/.bashrc
2.部署网络插件calico

 - name: IP_AUTODETECTION_METHOD

   value: "interface=eth0"        #国产化网卡名称不一样,注意修改

 - name: CALICO_IPV4POOL_CIDR

   value: "10.244.0.0/16"        #要跟init时候配置一致

calico/pod2daemon-flexvolv3.17.185a7dc8c60a0
calico/cniv3.17.15605570997cc
calico/nodev3.17.1723ee8f82f0e

vim Calico.yaml

kubectl apply -f Calico.yaml

  1. ---
  2. # Source: calico/templates/calico-config.yaml
  3. # This ConfigMap is used to configure a self-hosted Calico installation.
  4. kind: ConfigMap
  5. apiVersion: v1
  6. metadata:
  7. name: calico-config
  8. namespace: kube-system
  9. data:
  10. # Typha is disabled.
  11. typha_service_name: "none"
  12. # Configure the backend to use.
  13. calico_backend: "bird"
  14. # Configure the MTU to use for workload interfaces and tunnels.
  15. # By default, MTU is auto-detected, and explicitly setting this field should not be required.
  16. # You can override auto-detection by providing a non-zero value.
  17. veth_mtu: "0"
  18. # The CNI network configuration to install on each node. The special
  19. # values in this config will be automatically populated.
  20. cni_network_config: |-
  21. {
  22. "name": "k8s-pod-network",
  23. "cniVersion": "0.3.1",
  24. "plugins": [
  25. {
  26. "type": "calico",
  27. "log_level": "info",
  28. "log_file_path": "/var/log/calico/cni/cni.log",
  29. "datastore_type": "kubernetes",
  30. "nodename": "__KUBERNETES_NODE_NAME__",
  31. "mtu": __CNI_MTU__,
  32. "ipam": {
  33. "type": "calico-ipam"
  34. },
  35. "policy": {
  36. "type": "k8s"
  37. },
  38. "kubernetes": {
  39. "kubeconfig": "__KUBECONFIG_FILEPATH__"
  40. }
  41. },
  42. {
  43. "type": "portmap",
  44. "snat": true,
  45. "capabilities": {"portMappings": true}
  46. },
  47. {
  48. "type": "bandwidth",
  49. "capabilities": {"bandwidth": true}
  50. }
  51. ]
  52. }
  53. ---
  54. # Source: calico/templates/kdd-crds.yaml
  55. apiVersion: apiextensions.k8s.io/v1
  56. kind: CustomResourceDefinition
  57. metadata:
  58. name: bgpconfigurations.crd.projectcalico.org
  59. spec:
  60. group: crd.projectcalico.org
  61. names:
  62. kind: BGPConfiguration
  63. listKind: BGPConfigurationList
  64. plural: bgpconfigurations
  65. singular: bgpconfiguration
  66. scope: Cluster
  67. versions:
  68. - name: v1
  69. schema:
  70. openAPIV3Schema:
  71. description: BGPConfiguration contains the configuration for any BGP routing.
  72. properties:
  73. apiVersion:
  74. description: 'APIVersion defines the versioned schema of this representation
  75. of an object. Servers should convert recognized schemas to the latest
  76. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  77. type: string
  78. kind:
  79. description: 'Kind is a string value representing the REST resource this
  80. object represents. Servers may infer this from the endpoint the client
  81. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  82. type: string
  83. metadata:
  84. type: object
  85. spec:
  86. description: BGPConfigurationSpec contains the values of the BGP configuration.
  87. properties:
  88. asNumber:
  89. description: 'ASNumber is the default AS number used by a node. [Default:
  90. 64512]'
  91. format: int32
  92. type: integer
  93. communities:
  94. description: Communities is a list of BGP community values and their
  95. arbitrary names for tagging routes.
  96. items:
  97. description: Community contains standard or large community value
  98. and its name.
  99. properties:
  100. name:
  101. description: Name given to community value.
  102. type: string
  103. value:
  104. description: Value must be of format `aa:nn` or `aa:nn:mm`.
  105. For standard community use `aa:nn` format, where `aa` and
  106. `nn` are 16 bit number. For large community use `aa:nn:mm`
  107. format, where `aa`, `nn` and `mm` are 32 bit number. Where,
  108. `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
  109. pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
  110. type: string
  111. type: object
  112. type: array
  113. listenPort:
  114. description: ListenPort is the port where BGP protocol should listen.
  115. Defaults to 179
  116. maximum: 65535
  117. minimum: 1
  118. type: integer
  119. logSeverityScreen:
  120. description: 'LogSeverityScreen is the log severity above which logs
  121. are sent to the stdout. [Default: INFO]'
  122. type: string
  123. nodeToNodeMeshEnabled:
  124. description: 'NodeToNodeMeshEnabled sets whether full node to node
  125. BGP mesh is enabled. [Default: true]'
  126. type: boolean
  127. prefixAdvertisements:
  128. description: PrefixAdvertisements contains per-prefix advertisement
  129. configuration.
  130. items:
  131. description: PrefixAdvertisement configures advertisement properties
  132. for the specified CIDR.
  133. properties:
  134. cidr:
  135. description: CIDR for which properties should be advertised.
  136. type: string
  137. communities:
  138. description: Communities can be list of either community names
  139. already defined in `Specs.Communities` or community value
  140. of format `aa:nn` or `aa:nn:mm`. For standard community use
  141. `aa:nn` format, where `aa` and `nn` are 16 bit number. For
  142. large community use `aa:nn:mm` format, where `aa`, `nn` and
  143. `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
  144. `mm` are per-AS identifier.
  145. items:
  146. type: string
  147. type: array
  148. type: object
  149. type: array
  150. serviceClusterIPs:
  151. description: ServiceClusterIPs are the CIDR blocks from which service
  152. cluster IPs are allocated. If specified, Calico will advertise these
  153. blocks, as well as any cluster IPs within them.
  154. items:
  155. description: ServiceClusterIPBlock represents a single allowed ClusterIP
  156. CIDR block.
  157. properties:
  158. cidr:
  159. type: string
  160. type: object
  161. type: array
  162. serviceExternalIPs:
  163. description: ServiceExternalIPs are the CIDR blocks for Kubernetes
  164. Service External IPs. Kubernetes Service ExternalIPs will only be
  165. advertised if they are within one of these blocks.
  166. items:
  167. description: ServiceExternalIPBlock represents a single allowed
  168. External IP CIDR block.
  169. properties:
  170. cidr:
  171. type: string
  172. type: object
  173. type: array
  174. type: object
  175. type: object
  176. served: true
  177. storage: true
  178. status:
  179. acceptedNames:
  180. kind: ""
  181. plural: ""
  182. conditions: []
  183. storedVersions: []
  184. ---
  185. apiVersion: apiextensions.k8s.io/v1
  186. kind: CustomResourceDefinition
  187. metadata:
  188. name: bgppeers.crd.projectcalico.org
  189. spec:
  190. group: crd.projectcalico.org
  191. names:
  192. kind: BGPPeer
  193. listKind: BGPPeerList
  194. plural: bgppeers
  195. singular: bgppeer
  196. scope: Cluster
  197. versions:
  198. - name: v1
  199. schema:
  200. openAPIV3Schema:
  201. properties:
  202. apiVersion:
  203. description: 'APIVersion defines the versioned schema of this representation
  204. of an object. Servers should convert recognized schemas to the latest
  205. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  206. type: string
  207. kind:
  208. description: 'Kind is a string value representing the REST resource this
  209. object represents. Servers may infer this from the endpoint the client
  210. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  211. type: string
  212. metadata:
  213. type: object
  214. spec:
  215. description: BGPPeerSpec contains the specification for a BGPPeer resource.
  216. properties:
  217. asNumber:
  218. description: The AS Number of the peer.
  219. format: int32
  220. type: integer
  221. keepOriginalNextHop:
  222. description: Option to keep the original nexthop field when routes
  223. are sent to a BGP Peer. Setting "true" configures the selected BGP
  224. Peers node to use the "next hop keep;" instead of "next hop self;"(default)
  225. in the specific branch of the Node on "bird.cfg".
  226. type: boolean
  227. node:
  228. description: The node name identifying the Calico node instance that
  229. is targeted by this peer. If this is not set, and no nodeSelector
  230. is specified, then this BGP peer selects all nodes in the cluster.
  231. type: string
  232. nodeSelector:
  233. description: Selector for the nodes that should have this peering. When
  234. this is set, the Node field must be empty.
  235. type: string
  236. password:
  237. description: Optional BGP password for the peerings generated by this
  238. BGPPeer resource.
  239. properties:
  240. secretKeyRef:
  241. description: Selects a key of a secret in the node pod's namespace.
  242. properties:
  243. key:
  244. description: The key of the secret to select from. Must be
  245. a valid secret key.
  246. type: string
  247. name:
  248. description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  249. TODO: Add other useful fields. apiVersion, kind, uid?'
  250. type: string
  251. optional:
  252. description: Specify whether the Secret or its key must be
  253. defined
  254. type: boolean
  255. required:
  256. - key
  257. type: object
  258. type: object
  259. peerIP:
  260. description: The IP address of the peer followed by an optional port
  261. number to peer with. If port number is given, format should be `[<IPv6>]:port`
  262. or `<IPv4>:<port>` for IPv4. If optional port number is not set,
  263. and this peer IP and ASNumber belongs to a calico/node with ListenPort
  264. set in BGPConfiguration, then we use that port to peer.
  265. type: string
  266. peerSelector:
  267. description: Selector for the remote nodes to peer with. When this
  268. is set, the PeerIP and ASNumber fields must be empty. For each
  269. peering between the local node and selected remote nodes, we configure
  270. an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
  271. and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
  272. remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
  273. or the global default if that is not set.
  274. type: string
  275. type: object
  276. type: object
  277. served: true
  278. storage: true
  279. status:
  280. acceptedNames:
  281. kind: ""
  282. plural: ""
  283. conditions: []
  284. storedVersions: []
  285. ---
  286. apiVersion: apiextensions.k8s.io/v1
  287. kind: CustomResourceDefinition
  288. metadata:
  289. name: blockaffinities.crd.projectcalico.org
  290. spec:
  291. group: crd.projectcalico.org
  292. names:
  293. kind: BlockAffinity
  294. listKind: BlockAffinityList
  295. plural: blockaffinities
  296. singular: blockaffinity
  297. scope: Cluster
  298. versions:
  299. - name: v1
  300. schema:
  301. openAPIV3Schema:
  302. properties:
  303. apiVersion:
  304. description: 'APIVersion defines the versioned schema of this representation
  305. of an object. Servers should convert recognized schemas to the latest
  306. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  307. type: string
  308. kind:
  309. description: 'Kind is a string value representing the REST resource this
  310. object represents. Servers may infer this from the endpoint the client
  311. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  312. type: string
  313. metadata:
  314. type: object
  315. spec:
  316. description: BlockAffinitySpec contains the specification for a BlockAffinity
  317. resource.
  318. properties:
  319. cidr:
  320. type: string
  321. deleted:
  322. description: Deleted indicates that this block affinity is being deleted.
  323. This field is a string for compatibility with older releases that
  324. mistakenly treat this field as a string.
  325. type: string
  326. node:
  327. type: string
  328. state:
  329. type: string
  330. required:
  331. - cidr
  332. - deleted
  333. - node
  334. - state
  335. type: object
  336. type: object
  337. served: true
  338. storage: true
  339. status:
  340. acceptedNames:
  341. kind: ""
  342. plural: ""
  343. conditions: []
  344. storedVersions: []
  345. ---
  346. apiVersion: apiextensions.k8s.io/v1
  347. kind: CustomResourceDefinition
  348. metadata:
  349. name: clusterinformations.crd.projectcalico.org
  350. spec:
  351. group: crd.projectcalico.org
  352. names:
  353. kind: ClusterInformation
  354. listKind: ClusterInformationList
  355. plural: clusterinformations
  356. singular: clusterinformation
  357. scope: Cluster
  358. versions:
  359. - name: v1
  360. schema:
  361. openAPIV3Schema:
  362. description: ClusterInformation contains the cluster specific information.
  363. properties:
  364. apiVersion:
  365. description: 'APIVersion defines the versioned schema of this representation
  366. of an object. Servers should convert recognized schemas to the latest
  367. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  368. type: string
  369. kind:
  370. description: 'Kind is a string value representing the REST resource this
  371. object represents. Servers may infer this from the endpoint the client
  372. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  373. type: string
  374. metadata:
  375. type: object
  376. spec:
  377. description: ClusterInformationSpec contains the values of describing
  378. the cluster.
  379. properties:
  380. calicoVersion:
  381. description: CalicoVersion is the version of Calico that the cluster
  382. is running
  383. type: string
  384. clusterGUID:
  385. description: ClusterGUID is the GUID of the cluster
  386. type: string
  387. clusterType:
  388. description: ClusterType describes the type of the cluster
  389. type: string
  390. datastoreReady:
  391. description: DatastoreReady is used during significant datastore migrations
  392. to signal to components such as Felix that it should wait before
  393. accessing the datastore.
  394. type: boolean
  395. variant:
  396. description: Variant declares which variant of Calico should be active.
  397. type: string
  398. type: object
  399. type: object
  400. served: true
  401. storage: true
  402. status:
  403. acceptedNames:
  404. kind: ""
  405. plural: ""
  406. conditions: []
  407. storedVersions: []
  408. ---
  409. apiVersion: apiextensions.k8s.io/v1
  410. kind: CustomResourceDefinition
  411. metadata:
  412. name: felixconfigurations.crd.projectcalico.org
  413. spec:
  414. group: crd.projectcalico.org
  415. names:
  416. kind: FelixConfiguration
  417. listKind: FelixConfigurationList
  418. plural: felixconfigurations
  419. singular: felixconfiguration
  420. scope: Cluster
  421. versions:
  422. - name: v1
  423. schema:
  424. openAPIV3Schema:
  425. description: Felix Configuration contains the configuration for Felix.
  426. properties:
  427. apiVersion:
  428. description: 'APIVersion defines the versioned schema of this representation
  429. of an object. Servers should convert recognized schemas to the latest
  430. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  431. type: string
  432. kind:
  433. description: 'Kind is a string value representing the REST resource this
  434. object represents. Servers may infer this from the endpoint the client
  435. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  436. type: string
  437. metadata:
  438. type: object
  439. spec:
  440. description: FelixConfigurationSpec contains the values of the Felix configuration.
  441. properties:
  442. allowIPIPPacketsFromWorkloads:
  443. description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
  444. will add a rule to drop IPIP encapsulated traffic from workloads
  445. [Default: false]'
  446. type: boolean
  447. allowVXLANPacketsFromWorkloads:
  448. description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
  449. will add a rule to drop VXLAN encapsulated traffic from workloads
  450. [Default: false]'
  451. type: boolean
  452. awsSrcDstCheck:
  453. description: 'Set source-destination-check on AWS EC2 instances. Accepted
  454. value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
  455. DoNothing]'
  456. enum:
  457. - DoNothing
  458. - Enable
  459. - Disable
  460. type: string
  461. bpfConnectTimeLoadBalancingEnabled:
  462. description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
  463. controls whether Felix installs the connection-time load balancer. The
  464. connect-time load balancer is required for the host to be able to
  465. reach Kubernetes services and it improves the performance of pod-to-service
  466. connections. The only reason to disable it is for debugging purposes. [Default:
  467. true]'
  468. type: boolean
  469. bpfDataIfacePattern:
  470. description: BPFDataIfacePattern is a regular expression that controls
  471. which interfaces Felix should attach BPF programs to in order to
  472. catch traffic to/from the network. This needs to match the interfaces
  473. that Calico workload traffic flows over as well as any interfaces
  474. that handle incoming traffic to nodeports and services from outside
  475. the cluster. It should not match the workload interfaces (usually
  476. named cali...).
  477. type: string
  478. bpfDisableUnprivileged:
  479. description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
  480. sysctl to disable unprivileged use of BPF. This ensures that unprivileged
  481. users cannot access Calico''s BPF maps and cannot insert their own
  482. BPF programs to interfere with Calico''s. [Default: true]'
  483. type: boolean
  484. bpfEnabled:
  485. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
  486. [Default: false]'
  487. type: boolean
  488. bpfExternalServiceMode:
  489. description: 'BPFExternalServiceMode in BPF mode, controls how connections
  490. from outside the cluster to services (node ports and cluster IPs)
  491. are forwarded to remote workloads. If set to "Tunnel" then both
  492. request and response traffic is tunneled to the remote node. If
  493. set to "DSR", the request traffic is tunneled but the response traffic
  494. is sent directly from the remote node. In "DSR" mode, the remote
  495. node appears to use the IP of the ingress node; this requires a
  496. permissive L2 network. [Default: Tunnel]'
  497. type: string
  498. bpfKubeProxyEndpointSlicesEnabled:
  499. description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
  500. whether Felix's embedded kube-proxy accepts EndpointSlices or not.
  501. type: boolean
  502. bpfKubeProxyIptablesCleanupEnabled:
  503. description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
  504. mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
  505. iptables chains. Should only be enabled if kube-proxy is not running. [Default:
  506. true]'
  507. type: boolean
  508. bpfKubeProxyMinSyncPeriod:
  509. description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
  510. minimum time between updates to the dataplane for Felix''s embedded
  511. kube-proxy. Lower values give reduced set-up latency. Higher values
  512. reduce Felix CPU usage by batching up more work. [Default: 1s]'
  513. type: string
  514. bpfLogLevel:
  515. description: 'BPFLogLevel controls the log level of the BPF programs
  516. when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
  517. logs are emitted to the BPF trace pipe, accessible with the command
  518. `tc exec bpf debug`. [Default: Off].'
  519. type: string
  520. chainInsertMode:
  521. description: 'ChainInsertMode controls whether Felix hooks the kernel''s
  522. top-level iptables chains by inserting a rule at the top of the
  523. chain or by appending a rule at the bottom. insert is the safe default
  524. since it prevents Calico''s rules from being bypassed. If you switch
  525. to append mode, be sure that the other rules in the chains signal
  526. acceptance by falling through to the Calico rules, otherwise the
  527. Calico policy will be bypassed. [Default: insert]'
  528. type: string
  529. dataplaneDriver:
  530. type: string
  531. debugDisableLogDropping:
  532. type: boolean
  533. debugMemoryProfilePath:
  534. type: string
  535. debugSimulateCalcGraphHangAfter:
  536. type: string
  537. debugSimulateDataplaneHangAfter:
  538. type: string
  539. defaultEndpointToHostAction:
  540. description: 'DefaultEndpointToHostAction controls what happens to
  541. traffic that goes from a workload endpoint to the host itself (after
  542. the traffic hits the endpoint egress policy). By default Calico
  543. blocks traffic from workload endpoints to the host itself with an
  544. iptables 鈥淒ROP鈥� action. If you want to allow some or all traffic
  545. from endpoint to host, set this parameter to RETURN or ACCEPT. Use
  546. RETURN if you have your own rules in the iptables 鈥淚NPUT鈥� chain;
  547. Calico will insert its rules at the top of that chain, then 鈥淩ETURN鈥�
  548. packets to the 鈥淚NPUT鈥� chain once it has completed processing workload
  549. endpoint egress policy. Use ACCEPT to unconditionally accept packets
  550. from workloads after processing workload endpoint egress policy.
  551. [Default: Drop]'
  552. type: string
  553. deviceRouteProtocol:
  554. description: This defines the route protocol added to programmed device
  555. routes, by default this will be RTPROT_BOOT when left blank.
  556. type: integer
  557. deviceRouteSourceAddress:
  558. description: This is the source address to use on programmed device
  559. routes. By default the source address is left blank, leaving the
  560. kernel to choose the source address used.
  561. type: string
  562. disableConntrackInvalidCheck:
  563. type: boolean
  564. endpointReportingDelay:
  565. type: string
  566. endpointReportingEnabled:
  567. type: boolean
  568. externalNodesList:
  569. description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
  570. which may source tunnel traffic and have the tunneled traffic be
  571. accepted at calico nodes.
  572. items:
  573. type: string
  574. type: array
  575. failsafeInboundHostPorts:
  576. description: 'FailsafeInboundHostPorts is a comma-delimited list of
  577. UDP/TCP ports that Felix will allow incoming traffic to host endpoints
  578. on irrespective of the security policy. This is useful to avoid
  579. accidentally cutting off a host with incorrect configuration. Each
  580. port should be specified as tcp:<port-number> or udp:<port-number>.
  581. For back-compatibility, if the protocol is not specified, it defaults
  582. to 鈥渢cp鈥�. To disable all inbound host ports, use the value none.
  583. The default value allows ssh access and DHCP. [Default: tcp:22,
  584. udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
  585. items:
  586. description: ProtoPort is combination of protocol and port, both
  587. must be specified.
  588. properties:
  589. port:
  590. type: integer
  591. protocol:
  592. type: string
  593. required:
  594. - port
  595. - protocol
  596. type: object
  597. type: array
  598. failsafeOutboundHostPorts:
  599. description: 'FailsafeOutboundHostPorts is a comma-delimited list
  600. of UDP/TCP ports that Felix will allow outgoing traffic from host
  601. endpoints to irrespective of the security policy. This is useful
  602. to avoid accidentally cutting off a host with incorrect configuration.
  603. Each port should be specified as tcp:<port-number> or udp:<port-number>.
  604. For back-compatibility, if the protocol is not specified, it defaults
  605. to 鈥渢cp鈥�. To disable all outbound host ports, use the value none.
  606. The default value opens etcd''s standard ports to ensure that Felix
  607. does not get cut off from etcd as well as allowing DHCP and DNS.
  608. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
  609. udp:53, udp:67]'
  610. items:
  611. description: ProtoPort is combination of protocol and port, both
  612. must be specified.
  613. properties:
  614. port:
  615. type: integer
  616. protocol:
  617. type: string
  618. required:
  619. - port
  620. - protocol
  621. type: object
  622. type: array
  623. featureDetectOverride:
  624. description: FeatureDetectOverride is used to override the feature
  625. detection. Values are specified in a comma separated list with no
  626. spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
  627. "true" or "false" will force the feature, empty or omitted values
  628. are auto-detected.
  629. type: string
  630. genericXDPEnabled:
  631. description: 'GenericXDPEnabled enables Generic XDP so network cards
  632. that don''t support XDP offload or driver modes can use XDP. This
  633. is not recommended since it doesn''t provide better performance
  634. than iptables. [Default: false]'
  635. type: boolean
  636. healthEnabled:
  637. type: boolean
  638. healthHost:
  639. type: string
  640. healthPort:
  641. type: integer
  642. interfaceExclude:
  643. description: 'InterfaceExclude is a comma-separated list of interfaces
  644. that Felix should exclude when monitoring for host endpoints. The
  645. default value ensures that Felix ignores Kubernetes'' IPVS dummy
  646. interface, which is used internally by kube-proxy. If you want to
  647. exclude multiple interface names using a single value, the list
  648. supports regular expressions. For regular expressions you must wrap
  649. the value with ''/''. For example having values ''/^kube/,veth1''
  650. will exclude all interfaces that begin with ''kube'' and also the
  651. interface ''veth1''. [Default: kube-ipvs0]'
  652. type: string
  653. interfacePrefix:
  654. description: 'InterfacePrefix is the interface name prefix that identifies
  655. workload endpoints and so distinguishes them from host endpoint
  656. interfaces. Note: in environments other than bare metal, the orchestrators
  657. configure this appropriately. For example our Kubernetes and Docker
  658. integrations set the ''cali'' value, and our OpenStack integration
  659. sets the ''tap'' value. [Default: cali]'
  660. type: string
  661. interfaceRefreshInterval:
  662. description: InterfaceRefreshInterval is the period at which Felix
  663. rescans local interfaces to verify their state. The rescan can be
  664. disabled by setting the interval to 0.
  665. type: string
  666. ipipEnabled:
  667. type: boolean
  668. ipipMTU:
  669. description: 'IPIPMTU is the MTU to set on the tunnel device. See
  670. Configuring MTU [Default: 1440]'
  671. type: integer
  672. ipsetsRefreshInterval:
  673. description: 'IpsetsRefreshInterval is the period at which Felix re-checks
  674. all iptables state to ensure that no other process has accidentally
  675. broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
  676. 90s]'
  677. type: string
  678. iptablesBackend:
  679. description: IptablesBackend specifies which backend of iptables will
  680. be used. The default is legacy.
  681. type: string
  682. iptablesFilterAllowAction:
  683. type: string
  684. iptablesLockFilePath:
  685. description: 'IptablesLockFilePath is the location of the iptables
  686. lock file. You may need to change this if the lock file is not in
  687. its standard location (for example if you have mapped it into Felix''s
  688. container at a different path). [Default: /run/xtables.lock]'
  689. type: string
  690. iptablesLockProbeInterval:
  691. description: 'IptablesLockProbeInterval is the time that Felix will
  692. wait between attempts to acquire the iptables lock if it is not
  693. available. Lower values make Felix more responsive when the lock
  694. is contended, but use more CPU. [Default: 50ms]'
  695. type: string
  696. iptablesLockTimeout:
  697. description: 'IptablesLockTimeout is the time that Felix will wait
  698. for the iptables lock, or 0, to disable. To use this feature, Felix
  699. must share the iptables lock file with all other processes that
  700. also take the lock. When running Felix inside a container, this
  701. requires the /run directory of the host to be mounted into the calico/node
  702. or calico/felix container. [Default: 0s disabled]'
  703. type: string
  704. iptablesMangleAllowAction:
  705. type: string
  706. iptablesMarkMask:
  707. description: 'IptablesMarkMask is the mask that Felix selects its
  708. IPTables Mark bits from. Should be a 32 bit hexadecimal number with
  709. at least 8 bits set, none of which clash with any other mark bits
  710. in use on the system. [Default: 0xff000000]'
  711. format: int32
  712. type: integer
  713. iptablesNATOutgoingInterfaceFilter:
  714. type: string
  715. iptablesPostWriteCheckInterval:
  716. description: 'IptablesPostWriteCheckInterval is the period after Felix
  717. has done a write to the dataplane that it schedules an extra read
  718. back in order to check the write was not clobbered by another process.
  719. This should only occur if another application on the system doesn''t
  720. respect the iptables lock. [Default: 1s]'
  721. type: string
  722. iptablesRefreshInterval:
  723. description: 'IptablesRefreshInterval is the period at which Felix
  724. re-checks the IP sets in the dataplane to ensure that no other process
  725. has accidentally broken Calico''s rules. Set to 0 to disable IP
  726. sets refresh. Note: the default for this value is lower than the
  727. other refresh intervals as a workaround for a Linux kernel bug that
  728. was fixed in kernel version 4.11. If you are using v4.11 or greater
  729. you may want to set this to, a higher value to reduce Felix CPU
  730. usage. [Default: 10s]'
  731. type: string
  732. ipv6Support:
  733. type: boolean
  734. kubeNodePortRanges:
  735. description: 'KubeNodePortRanges holds list of port ranges used for
  736. service node ports. Only used if felix detects kube-proxy running
  737. in ipvs mode. Felix uses these ranges to separate host and workload
  738. traffic. [Default: 30000:32767].'
  739. items:
  740. anyOf:
  741. - type: integer
  742. - type: string
  743. pattern: ^.*
  744. x-kubernetes-int-or-string: true
  745. type: array
  746. logFilePath:
  747. description: 'LogFilePath is the full path to the Felix log. Set to
  748. none to disable file logging. [Default: /var/log/calico/felix.log]'
  749. type: string
  750. logPrefix:
  751. description: 'LogPrefix is the log prefix that Felix uses when rendering
  752. LOG rules. [Default: calico-packet]'
  753. type: string
  754. logSeverityFile:
  755. description: 'LogSeverityFile is the log severity above which logs
  756. are sent to the log file. [Default: Info]'
  757. type: string
  758. logSeverityScreen:
  759. description: 'LogSeverityScreen is the log severity above which logs
  760. are sent to the stdout. [Default: Info]'
  761. type: string
  762. logSeveritySys:
  763. description: 'LogSeveritySys is the log severity above which logs
  764. are sent to the syslog. Set to None for no logging to syslog. [Default:
  765. Info]'
  766. type: string
  767. maxIpsetSize:
  768. type: integer
  769. metadataAddr:
  770. description: 'MetadataAddr is the IP address or domain name of the
  771. server that can answer VM queries for cloud-init metadata. In OpenStack,
  772. this corresponds to the machine running nova-api (or in Ubuntu,
  773. nova-api-metadata). A value of none (case insensitive) means that
  774. Felix should not set up any NAT rule for the metadata path. [Default:
  775. 127.0.0.1]'
  776. type: string
  777. metadataPort:
  778. description: 'MetadataPort is the port of the metadata server. This,
  779. combined with global.MetadataAddr (if not ''None''), is used to
  780. set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
  781. In most cases this should not need to be changed [Default: 8775].'
  782. type: integer
  783. mtuIfacePattern:
  784. description: MTUIfacePattern is a regular expression that controls
  785. which interfaces Felix should scan in order to calculate the host's
  786. MTU. This should not match workload interfaces (usually named cali...).
  787. type: string
  788. natOutgoingAddress:
  789. description: NATOutgoingAddress specifies an address to use when performing
  790. source NAT for traffic in a natOutgoing pool that is leaving the
  791. network. By default the address used is an address on the interface
  792. the traffic is leaving on (ie it uses the iptables MASQUERADE target)
  793. type: string
  794. natPortRange:
  795. anyOf:
  796. - type: integer
  797. - type: string
  798. description: NATPortRange specifies the range of ports that is used
  799. for port mapping when doing outgoing NAT. When unset the default
  800. behavior of the network stack is used.
  801. pattern: ^.*
  802. x-kubernetes-int-or-string: true
  803. netlinkTimeout:
  804. type: string
  805. openstackRegion:
  806. description: 'OpenstackRegion is the name of the region that a particular
  807. Felix belongs to. In a multi-region Calico/OpenStack deployment,
  808. this must be configured somehow for each Felix (here in the datamodel,
  809. or in felix.cfg or the environment on each compute node), and must
  810. match the [calico] openstack_region value configured in neutron.conf
  811. on each node. [Default: Empty]'
  812. type: string
  813. policySyncPathPrefix:
  814. description: 'PolicySyncPathPrefix is used to by Felix to communicate
  815. policy changes to external services, like Application layer policy.
  816. [Default: Empty]'
  817. type: string
  818. prometheusGoMetricsEnabled:
  819. description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
  820. collection, which the Prometheus client does by default, when set
  821. to false. This reduces the number of metrics reported, reducing
  822. Prometheus load. [Default: true]'
  823. type: boolean
  824. prometheusMetricsEnabled:
  825. description: 'PrometheusMetricsEnabled enables the Prometheus metrics
  826. server in Felix if set to true. [Default: false]'
  827. type: boolean
  828. prometheusMetricsHost:
  829. description: 'PrometheusMetricsHost is the host that the Prometheus
  830. metrics server should bind to. [Default: empty]'
  831. type: string
  832. prometheusMetricsPort:
  833. description: 'PrometheusMetricsPort is the TCP port that the Prometheus
  834. metrics server should bind to. [Default: 9091]'
  835. type: integer
  836. prometheusProcessMetricsEnabled:
  837. description: 'PrometheusProcessMetricsEnabled disables process metrics
  838. collection, which the Prometheus client does by default, when set
  839. to false. This reduces the number of metrics reported, reducing
  840. Prometheus load. [Default: true]'
  841. type: boolean
  842. removeExternalRoutes:
  843. description: Whether or not to remove device routes that have not
  844. been programmed by Felix. Disabling this will allow external applications
  845. to also add device routes. This is enabled by default which means
  846. we will remove externally added routes.
  847. type: boolean
  848. reportingInterval:
  849. description: 'ReportingInterval is the interval at which Felix reports
  850. its status into the datastore or 0 to disable. Must be non-zero
  851. in OpenStack deployments. [Default: 30s]'
  852. type: string
  853. reportingTTL:
  854. description: 'ReportingTTL is the time-to-live setting for process-wide
  855. status reports. [Default: 90s]'
  856. type: string
  857. routeRefreshInterval:
  858. description: 'RouteRefreshInterval is the period at which Felix re-checks
  859. the routes in the dataplane to ensure that no other process has
  860. accidentally broken Calico''s rules. Set to 0 to disable route refresh.
  861. [Default: 90s]'
  862. type: string
  863. routeSource:
  864. description: 'RouteSource configures where Felix gets its routing
  865. information. - WorkloadIPs: use workload endpoints to construct
  866. routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
  867. type: string
  868. routeTableRange:
  869. description: Calico programs additional Linux route tables for various
  870. purposes. RouteTableRange specifies the indices of the route tables
  871. that Calico should use.
  872. properties:
  873. max:
  874. type: integer
  875. min:
  876. type: integer
  877. required:
  878. - max
  879. - min
  880. type: object
  881. serviceLoopPrevention:
  882. description: 'When service IP advertisement is enabled, prevent routing
  883. loops to service IPs that are not in use, by dropping or rejecting
  884. packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
  885. in which case such routing loops continue to be allowed. [Default:
  886. Drop]'
  887. type: string
  888. sidecarAccelerationEnabled:
  889. description: 'SidecarAccelerationEnabled enables experimental sidecar
  890. acceleration [Default: false]'
  891. type: boolean
  892. usageReportingEnabled:
  893. description: 'UsageReportingEnabled reports anonymous Calico version
  894. number and cluster size to projectcalico.org. Logs warnings returned
  895. by the usage server. For example, if a significant security vulnerability
  896. has been discovered in the version of Calico being used. [Default:
  897. true]'
  898. type: boolean
  899. usageReportingInitialDelay:
  900. description: 'UsageReportingInitialDelay controls the minimum delay
  901. before Felix makes a report. [Default: 300s]'
  902. type: string
  903. usageReportingInterval:
  904. description: 'UsageReportingInterval controls the interval at which
  905. Felix makes reports. [Default: 86400s]'
  906. type: string
  907. useInternalDataplaneDriver:
  908. type: boolean
  909. vxlanEnabled:
  910. type: boolean
  911. vxlanMTU:
  912. description: 'VXLANMTU is the MTU to set on the tunnel device. See
  913. Configuring MTU [Default: 1440]'
  914. type: integer
  915. vxlanPort:
  916. type: integer
  917. vxlanVNI:
  918. type: integer
  919. wireguardEnabled:
  920. description: 'WireguardEnabled controls whether Wireguard is enabled.
  921. [Default: false]'
  922. type: boolean
  923. wireguardInterfaceName:
  924. description: 'WireguardInterfaceName specifies the name to use for
  925. the Wireguard interface. [Default: wg.calico]'
  926. type: string
  927. wireguardListeningPort:
  928. description: 'WireguardListeningPort controls the listening port used
  929. by Wireguard. [Default: 51820]'
  930. type: integer
  931. wireguardMTU:
  932. description: 'WireguardMTU controls the MTU on the Wireguard interface.
  933. See Configuring MTU [Default: 1420]'
  934. type: integer
  935. wireguardRoutingRulePriority:
  936. description: 'WireguardRoutingRulePriority controls the priority value
  937. to use for the Wireguard routing rule. [Default: 99]'
  938. type: integer
  939. xdpEnabled:
  940. description: 'XDPEnabled enables XDP acceleration for suitable untracked
  941. incoming deny rules. [Default: true]'
  942. type: boolean
  943. xdpRefreshInterval:
  944. description: 'XDPRefreshInterval is the period at which Felix re-checks
  945. all XDP state to ensure that no other process has accidentally broken
  946. Calico''s BPF maps or attached programs. Set to 0 to disable XDP
  947. refresh. [Default: 90s]'
  948. type: string
  949. type: object
  950. type: object
  951. served: true
  952. storage: true
  953. status:
  954. acceptedNames:
  955. kind: ""
  956. plural: ""
  957. conditions: []
  958. storedVersions: []
  959. ---
  960. apiVersion: apiextensions.k8s.io/v1
  961. kind: CustomResourceDefinition
  962. metadata:
  963. name: globalnetworkpolicies.crd.projectcalico.org
  964. spec:
  965. group: crd.projectcalico.org
  966. names:
  967. kind: GlobalNetworkPolicy
  968. listKind: GlobalNetworkPolicyList
  969. plural: globalnetworkpolicies
  970. singular: globalnetworkpolicy
  971. scope: Cluster
  972. versions:
  973. - name: v1
  974. schema:
  975. openAPIV3Schema:
  976. properties:
  977. apiVersion:
  978. description: 'APIVersion defines the versioned schema of this representation
  979. of an object. Servers should convert recognized schemas to the latest
  980. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  981. type: string
  982. kind:
  983. description: 'Kind is a string value representing the REST resource this
  984. object represents. Servers may infer this from the endpoint the client
  985. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  986. type: string
  987. metadata:
  988. type: object
  989. spec:
  990. properties:
  991. applyOnForward:
  992. description: ApplyOnForward indicates to apply the rules in this policy
  993. on forward traffic.
  994. type: boolean
  995. doNotTrack:
  996. description: DoNotTrack indicates whether packets matched by the rules
  997. in this policy should go through the data plane's connection tracking,
  998. such as Linux conntrack. If True, the rules in this policy are
  999. applied before any data plane connection tracking, and packets allowed
  1000. by this policy are marked as not to be tracked.
  1001. type: boolean
  1002. egress:
  1003. description: The ordered set of egress rules. Each rule contains
  1004. a set of packet match criteria and a corresponding action to apply.
  1005. items:
  1006. description: "A Rule encapsulates a set of match criteria and an
  1007. action. Both selector-based security Policy and security Profiles
  1008. reference rules - separated out as a list of rules for both ingress
  1009. and egress packet matching. \n Each positive match criteria has
  1010. a negated version, prefixed with 鈥漀ot鈥�. All the match criteria
  1011. within a rule must be satisfied for a packet to match. A single
  1012. rule can contain the positive and negative version of a match
  1013. and both must be satisfied for the rule to match."
  1014. properties:
  1015. action:
  1016. type: string
  1017. destination:
  1018. description: Destination contains the match criteria that apply
  1019. to destination entity.
  1020. properties:
  1021. namespaceSelector:
  1022. description: "NamespaceSelector is an optional field that
  1023. contains a selector expression. Only traffic that originates
  1024. from (or terminates at) endpoints within the selected
  1025. namespaces will be matched. When both NamespaceSelector
  1026. and Selector are defined on the same rule, then only workload
  1027. endpoints that are matched by both selectors will be selected
  1028. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  1029. implies that the Selector is limited to selecting only
  1030. workload endpoints in the same namespace as the NetworkPolicy.
  1031. \n For NetworkPolicy, `global()` NamespaceSelector implies
  1032. that the Selector is limited to selecting only GlobalNetworkSet
  1033. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  1034. NamespaceSelector implies the Selector applies to workload
  1035. endpoints across all namespaces."
  1036. type: string
  1037. nets:
  1038. description: Nets is an optional field that restricts the
  1039. rule to only apply to traffic that originates from (or
  1040. terminates at) IP addresses in any of the given subnets.
  1041. items:
  1042. type: string
  1043. type: array
  1044. notNets:
  1045. description: NotNets is the negated version of the Nets
  1046. field.
  1047. items:
  1048. type: string
  1049. type: array
  1050. notPorts:
  1051. description: NotPorts is the negated version of the Ports
  1052. field. Since only some protocols have ports, if any ports
  1053. are specified it requires the Protocol match in the Rule
  1054. to be set to "TCP" or "UDP".
  1055. items:
  1056. anyOf:
  1057. - type: integer
  1058. - type: string
  1059. pattern: ^.*
  1060. x-kubernetes-int-or-string: true
  1061. type: array
  1062. notSelector:
  1063. description: NotSelector is the negated version of the Selector
  1064. field. See Selector field for subtleties with negated
  1065. selectors.
  1066. type: string
  1067. ports:
  1068. description: "Ports is an optional field that restricts
  1069. the rule to only apply to traffic that has a source (destination)
  1070. port that matches one of these ranges/values. This value
  1071. is a list of integers or strings that represent ranges
  1072. of ports. \n Since only some protocols have ports, if
  1073. any ports are specified it requires the Protocol match
  1074. in the Rule to be set to \"TCP\" or \"UDP\"."
  1075. items:
  1076. anyOf:
  1077. - type: integer
  1078. - type: string
  1079. pattern: ^.*
  1080. x-kubernetes-int-or-string: true
  1081. type: array
  1082. selector:
  1083. description: "Selector is an optional field that contains
  1084. a selector expression (see Policy for sample syntax).
  1085. \ Only traffic that originates from (terminates at) endpoints
  1086. matching the selector will be matched. \n Note that: in
  1087. addition to the negated version of the Selector (see NotSelector
  1088. below), the selector expression syntax itself supports
  1089. negation. The two types of negation are subtly different.
  1090. One negates the set of matched endpoints, the other negates
  1091. the whole match: \n \tSelector = \"!has(my_label)\" matches
  1092. packets that are from other Calico-controlled \tendpoints
  1093. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  1094. = \"has(my_label)\" matches packets that are not from
  1095. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  1096. \n The effect is that the latter will accept packets from
  1097. non-Calico sources whereas the former is limited to packets
  1098. from Calico-controlled endpoints."
  1099. type: string
  1100. serviceAccounts:
  1101. description: ServiceAccounts is an optional field that restricts
  1102. the rule to only apply to traffic that originates from
  1103. (or terminates at) a pod running as a matching service
  1104. account.
  1105. properties:
  1106. names:
  1107. description: Names is an optional field that restricts
  1108. the rule to only apply to traffic that originates
  1109. from (or terminates at) a pod running as a service
  1110. account whose name is in the list.
  1111. items:
  1112. type: string
  1113. type: array
  1114. selector:
  1115. description: Selector is an optional field that restricts
  1116. the rule to only apply to traffic that originates
  1117. from (or terminates at) a pod running as a service
  1118. account that matches the given label selector. If
  1119. both Names and Selector are specified then they are
  1120. AND'ed.
  1121. type: string
  1122. type: object
  1123. type: object
  1124. http:
  1125. description: HTTP contains match criteria that apply to HTTP
  1126. requests.
  1127. properties:
  1128. methods:
  1129. description: Methods is an optional field that restricts
  1130. the rule to apply only to HTTP requests that use one of
  1131. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
  1132. methods are OR'd together.
  1133. items:
  1134. type: string
  1135. type: array
  1136. paths:
  1137. description: 'Paths is an optional field that restricts
  1138. the rule to apply to HTTP requests that use one of the
  1139. listed HTTP Paths. Multiple paths are OR''d together.
  1140. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
  1141. ONLY specify either a `exact` or a `prefix` match. The
  1142. validator will check for it.'
  1143. items:
  1144. description: 'HTTPPath specifies an HTTP path to match.
  1145. It may be either of the form: exact: <path>: which matches
  1146. the path exactly or prefix: <path-prefix>: which matches
  1147. the path prefix'
  1148. properties:
  1149. exact:
  1150. type: string
  1151. prefix:
  1152. type: string
  1153. type: object
  1154. type: array
  1155. type: object
  1156. icmp:
  1157. description: ICMP is an optional field that restricts the rule
  1158. to apply to a specific type and code of ICMP traffic. This
  1159. should only be specified if the Protocol field is set to "ICMP"
  1160. or "ICMPv6".
  1161. properties:
  1162. code:
  1163. description: Match on a specific ICMP code. If specified,
  1164. the Type value must also be specified. This is a technical
  1165. limitation imposed by the kernel's iptables firewall,
  1166. which Calico uses to enforce the rule.
  1167. type: integer
  1168. type:
  1169. description: Match on a specific ICMP type. For example
  1170. a value of 8 refers to ICMP Echo Request (i.e. pings).
  1171. type: integer
  1172. type: object
  1173. ipVersion:
  1174. description: IPVersion is an optional field that restricts the
  1175. rule to only match a specific IP version.
  1176. type: integer
  1177. metadata:
  1178. description: Metadata contains additional information for this
  1179. rule
  1180. properties:
  1181. annotations:
  1182. additionalProperties:
  1183. type: string
  1184. description: Annotations is a set of key value pairs that
  1185. give extra information about the rule
  1186. type: object
  1187. type: object
  1188. notICMP:
  1189. description: NotICMP is the negated version of the ICMP field.
  1190. properties:
  1191. code:
  1192. description: Match on a specific ICMP code. If specified,
  1193. the Type value must also be specified. This is a technical
  1194. limitation imposed by the kernel's iptables firewall,
  1195. which Calico uses to enforce the rule.
  1196. type: integer
  1197. type:
  1198. description: Match on a specific ICMP type. For example
  1199. a value of 8 refers to ICMP Echo Request (i.e. pings).
  1200. type: integer
  1201. type: object
  1202. notProtocol:
  1203. anyOf:
  1204. - type: integer
  1205. - type: string
  1206. description: NotProtocol is the negated version of the Protocol
  1207. field.
  1208. pattern: ^.*
  1209. x-kubernetes-int-or-string: true
  1210. protocol:
  1211. anyOf:
  1212. - type: integer
  1213. - type: string
  1214. description: "Protocol is an optional field that restricts the
  1215. rule to only apply to traffic of a specific IP protocol. Required
  1216. if any of the EntityRules contain Ports (because ports only
  1217. apply to certain protocols). \n Must be one of these string
  1218. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
  1219. \"UDPLite\" or an integer in the range 1-255."
  1220. pattern: ^.*
  1221. x-kubernetes-int-or-string: true
  1222. source:
  1223. description: Source contains the match criteria that apply to
  1224. source entity.
  1225. properties:
  1226. namespaceSelector:
  1227. description: "NamespaceSelector is an optional field that
  1228. contains a selector expression. Only traffic that originates
  1229. from (or terminates at) endpoints within the selected
  1230. namespaces will be matched. When both NamespaceSelector
  1231. and Selector are defined on the same rule, then only workload
  1232. endpoints that are matched by both selectors will be selected
  1233. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  1234. implies that the Selector is limited to selecting only
  1235. workload endpoints in the same namespace as the NetworkPolicy.
  1236. \n For NetworkPolicy, `global()` NamespaceSelector implies
  1237. that the Selector is limited to selecting only GlobalNetworkSet
  1238. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  1239. NamespaceSelector implies the Selector applies to workload
  1240. endpoints across all namespaces."
  1241. type: string
  1242. nets:
  1243. description: Nets is an optional field that restricts the
  1244. rule to only apply to traffic that originates from (or
  1245. terminates at) IP addresses in any of the given subnets.
  1246. items:
  1247. type: string
  1248. type: array
  1249. notNets:
  1250. description: NotNets is the negated version of the Nets
  1251. field.
  1252. items:
  1253. type: string
  1254. type: array
  1255. notPorts:
  1256. description: NotPorts is the negated version of the Ports
  1257. field. Since only some protocols have ports, if any ports
  1258. are specified it requires the Protocol match in the Rule
  1259. to be set to "TCP" or "UDP".
  1260. items:
  1261. anyOf:
  1262. - type: integer
  1263. - type: string
  1264. pattern: ^.*
  1265. x-kubernetes-int-or-string: true
  1266. type: array
  1267. notSelector:
  1268. description: NotSelector is the negated version of the Selector
  1269. field. See Selector field for subtleties with negated
  1270. selectors.
  1271. type: string
  1272. ports:
  1273. description: "Ports is an optional field that restricts
  1274. the rule to only apply to traffic that has a source (destination)
  1275. port that matches one of these ranges/values. This value
  1276. is a list of integers or strings that represent ranges
  1277. of ports. \n Since only some protocols have ports, if
  1278. any ports are specified it requires the Protocol match
  1279. in the Rule to be set to \"TCP\" or \"UDP\"."
  1280. items:
  1281. anyOf:
  1282. - type: integer
  1283. - type: string
  1284. pattern: ^.*
  1285. x-kubernetes-int-or-string: true
  1286. type: array
  1287. selector:
  1288. description: "Selector is an optional field that contains
  1289. a selector expression (see Policy for sample syntax).
  1290. \ Only traffic that originates from (terminates at) endpoints
  1291. matching the selector will be matched. \n Note that: in
  1292. addition to the negated version of the Selector (see NotSelector
  1293. below), the selector expression syntax itself supports
  1294. negation. The two types of negation are subtly different.
  1295. One negates the set of matched endpoints, the other negates
  1296. the whole match: \n \tSelector = \"!has(my_label)\" matches
  1297. packets that are from other Calico-controlled \tendpoints
  1298. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  1299. = \"has(my_label)\" matches packets that are not from
  1300. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  1301. \n The effect is that the latter will accept packets from
  1302. non-Calico sources whereas the former is limited to packets
  1303. from Calico-controlled endpoints."
  1304. type: string
  1305. serviceAccounts:
  1306. description: ServiceAccounts is an optional field that restricts
  1307. the rule to only apply to traffic that originates from
  1308. (or terminates at) a pod running as a matching service
  1309. account.
  1310. properties:
  1311. names:
  1312. description: Names is an optional field that restricts
  1313. the rule to only apply to traffic that originates
  1314. from (or terminates at) a pod running as a service
  1315. account whose name is in the list.
  1316. items:
  1317. type: string
  1318. type: array
  1319. selector:
  1320. description: Selector is an optional field that restricts
  1321. the rule to only apply to traffic that originates
  1322. from (or terminates at) a pod running as a service
  1323. account that matches the given label selector. If
  1324. both Names and Selector are specified then they are
  1325. AND'ed.
  1326. type: string
  1327. type: object
  1328. type: object
  1329. required:
  1330. - action
  1331. type: object
  1332. type: array
  1333. ingress:
  1334. description: The ordered set of ingress rules. Each rule contains
  1335. a set of packet match criteria and a corresponding action to apply.
  1336. items:
  1337. description: "A Rule encapsulates a set of match criteria and an
  1338. action. Both selector-based security Policy and security Profiles
  1339. reference rules - separated out as a list of rules for both ingress
  1340. and egress packet matching. \n Each positive match criteria has
  1341. a negated version, prefixed with 鈥漀ot鈥�. All the match criteria
  1342. within a rule must be satisfied for a packet to match. A single
  1343. rule can contain the positive and negative version of a match
  1344. and both must be satisfied for the rule to match."
  1345. properties:
  1346. action:
  1347. type: string
  1348. destination:
  1349. description: Destination contains the match criteria that apply
  1350. to destination entity.
  1351. properties:
  1352. namespaceSelector:
  1353. description: "NamespaceSelector is an optional field that
  1354. contains a selector expression. Only traffic that originates
  1355. from (or terminates at) endpoints within the selected
  1356. namespaces will be matched. When both NamespaceSelector
  1357. and Selector are defined on the same rule, then only workload
  1358. endpoints that are matched by both selectors will be selected
  1359. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  1360. implies that the Selector is limited to selecting only
  1361. workload endpoints in the same namespace as the NetworkPolicy.
  1362. \n For NetworkPolicy, `global()` NamespaceSelector implies
  1363. that the Selector is limited to selecting only GlobalNetworkSet
  1364. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  1365. NamespaceSelector implies the Selector applies to workload
  1366. endpoints across all namespaces."
  1367. type: string
  1368. nets:
  1369. description: Nets is an optional field that restricts the
  1370. rule to only apply to traffic that originates from (or
  1371. terminates at) IP addresses in any of the given subnets.
  1372. items:
  1373. type: string
  1374. type: array
  1375. notNets:
  1376. description: NotNets is the negated version of the Nets
  1377. field.
  1378. items:
  1379. type: string
  1380. type: array
  1381. notPorts:
  1382. description: NotPorts is the negated version of the Ports
  1383. field. Since only some protocols have ports, if any ports
  1384. are specified it requires the Protocol match in the Rule
  1385. to be set to "TCP" or "UDP".
  1386. items:
  1387. anyOf:
  1388. - type: integer
  1389. - type: string
  1390. pattern: ^.*
  1391. x-kubernetes-int-or-string: true
  1392. type: array
  1393. notSelector:
  1394. description: NotSelector is the negated version of the Selector
  1395. field. See Selector field for subtleties with negated
  1396. selectors.
  1397. type: string
  1398. ports:
  1399. description: "Ports is an optional field that restricts
  1400. the rule to only apply to traffic that has a source (destination)
  1401. port that matches one of these ranges/values. This value
  1402. is a list of integers or strings that represent ranges
  1403. of ports. \n Since only some protocols have ports, if
  1404. any ports are specified it requires the Protocol match
  1405. in the Rule to be set to \"TCP\" or \"UDP\"."
  1406. items:
  1407. anyOf:
  1408. - type: integer
  1409. - type: string
  1410. pattern: ^.*
  1411. x-kubernetes-int-or-string: true
  1412. type: array
  1413. selector:
  1414. description: "Selector is an optional field that contains
  1415. a selector expression (see Policy for sample syntax).
  1416. \ Only traffic that originates from (terminates at) endpoints
  1417. matching the selector will be matched. \n Note that: in
  1418. addition to the negated version of the Selector (see NotSelector
  1419. below), the selector expression syntax itself supports
  1420. negation. The two types of negation are subtly different.
  1421. One negates the set of matched endpoints, the other negates
  1422. the whole match: \n \tSelector = \"!has(my_label)\" matches
  1423. packets that are from other Calico-controlled \tendpoints
  1424. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  1425. = \"has(my_label)\" matches packets that are not from
  1426. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  1427. \n The effect is that the latter will accept packets from
  1428. non-Calico sources whereas the former is limited to packets
  1429. from Calico-controlled endpoints."
  1430. type: string
  1431. serviceAccounts:
  1432. description: ServiceAccounts is an optional field that restricts
  1433. the rule to only apply to traffic that originates from
  1434. (or terminates at) a pod running as a matching service
  1435. account.
  1436. properties:
  1437. names:
  1438. description: Names is an optional field that restricts
  1439. the rule to only apply to traffic that originates
  1440. from (or terminates at) a pod running as a service
  1441. account whose name is in the list.
  1442. items:
  1443. type: string
  1444. type: array
  1445. selector:
  1446. description: Selector is an optional field that restricts
  1447. the rule to only apply to traffic that originates
  1448. from (or terminates at) a pod running as a service
  1449. account that matches the given label selector. If
  1450. both Names and Selector are specified then they are
  1451. AND'ed.
  1452. type: string
  1453. type: object
  1454. type: object
  1455. http:
  1456. description: HTTP contains match criteria that apply to HTTP
  1457. requests.
  1458. properties:
  1459. methods:
  1460. description: Methods is an optional field that restricts
  1461. the rule to apply only to HTTP requests that use one of
  1462. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
  1463. methods are OR'd together.
  1464. items:
  1465. type: string
  1466. type: array
  1467. paths:
  1468. description: 'Paths is an optional field that restricts
  1469. the rule to apply to HTTP requests that use one of the
  1470. listed HTTP Paths. Multiple paths are OR''d together.
  1471. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
  1472. ONLY specify either a `exact` or a `prefix` match. The
  1473. validator will check for it.'
  1474. items:
  1475. description: 'HTTPPath specifies an HTTP path to match.
  1476. It may be either of the form: exact: <path>: which matches
  1477. the path exactly or prefix: <path-prefix>: which matches
  1478. the path prefix'
  1479. properties:
  1480. exact:
  1481. type: string
  1482. prefix:
  1483. type: string
  1484. type: object
  1485. type: array
  1486. type: object
  1487. icmp:
  1488. description: ICMP is an optional field that restricts the rule
  1489. to apply to a specific type and code of ICMP traffic. This
  1490. should only be specified if the Protocol field is set to "ICMP"
  1491. or "ICMPv6".
  1492. properties:
  1493. code:
  1494. description: Match on a specific ICMP code. If specified,
  1495. the Type value must also be specified. This is a technical
  1496. limitation imposed by the kernel's iptables firewall,
  1497. which Calico uses to enforce the rule.
  1498. type: integer
  1499. type:
  1500. description: Match on a specific ICMP type. For example
  1501. a value of 8 refers to ICMP Echo Request (i.e. pings).
  1502. type: integer
  1503. type: object
  1504. ipVersion:
  1505. description: IPVersion is an optional field that restricts the
  1506. rule to only match a specific IP version.
  1507. type: integer
  1508. metadata:
  1509. description: Metadata contains additional information for this
  1510. rule
  1511. properties:
  1512. annotations:
  1513. additionalProperties:
  1514. type: string
  1515. description: Annotations is a set of key value pairs that
  1516. give extra information about the rule
  1517. type: object
  1518. type: object
  1519. notICMP:
  1520. description: NotICMP is the negated version of the ICMP field.
  1521. properties:
  1522. code:
  1523. description: Match on a specific ICMP code. If specified,
  1524. the Type value must also be specified. This is a technical
  1525. limitation imposed by the kernel's iptables firewall,
  1526. which Calico uses to enforce the rule.
  1527. type: integer
  1528. type:
  1529. description: Match on a specific ICMP type. For example
  1530. a value of 8 refers to ICMP Echo Request (i.e. pings).
  1531. type: integer
  1532. type: object
  1533. notProtocol:
  1534. anyOf:
  1535. - type: integer
  1536. - type: string
  1537. description: NotProtocol is the negated version of the Protocol
  1538. field.
  1539. pattern: ^.*
  1540. x-kubernetes-int-or-string: true
  1541. protocol:
  1542. anyOf:
  1543. - type: integer
  1544. - type: string
  1545. description: "Protocol is an optional field that restricts the
  1546. rule to only apply to traffic of a specific IP protocol. Required
  1547. if any of the EntityRules contain Ports (because ports only
  1548. apply to certain protocols). \n Must be one of these string
  1549. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
  1550. \"UDPLite\" or an integer in the range 1-255."
  1551. pattern: ^.*
  1552. x-kubernetes-int-or-string: true
  1553. source:
  1554. description: Source contains the match criteria that apply to
  1555. source entity.
  1556. properties:
  1557. namespaceSelector:
  1558. description: "NamespaceSelector is an optional field that
  1559. contains a selector expression. Only traffic that originates
  1560. from (or terminates at) endpoints within the selected
  1561. namespaces will be matched. When both NamespaceSelector
  1562. and Selector are defined on the same rule, then only workload
  1563. endpoints that are matched by both selectors will be selected
  1564. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  1565. implies that the Selector is limited to selecting only
  1566. workload endpoints in the same namespace as the NetworkPolicy.
  1567. \n For NetworkPolicy, `global()` NamespaceSelector implies
  1568. that the Selector is limited to selecting only GlobalNetworkSet
  1569. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  1570. NamespaceSelector implies the Selector applies to workload
  1571. endpoints across all namespaces."
  1572. type: string
  1573. nets:
  1574. description: Nets is an optional field that restricts the
  1575. rule to only apply to traffic that originates from (or
  1576. terminates at) IP addresses in any of the given subnets.
  1577. items:
  1578. type: string
  1579. type: array
  1580. notNets:
  1581. description: NotNets is the negated version of the Nets
  1582. field.
  1583. items:
  1584. type: string
  1585. type: array
  1586. notPorts:
  1587. description: NotPorts is the negated version of the Ports
  1588. field. Since only some protocols have ports, if any ports
  1589. are specified it requires the Protocol match in the Rule
  1590. to be set to "TCP" or "UDP".
  1591. items:
  1592. anyOf:
  1593. - type: integer
  1594. - type: string
  1595. pattern: ^.*
  1596. x-kubernetes-int-or-string: true
  1597. type: array
  1598. notSelector:
  1599. description: NotSelector is the negated version of the Selector
  1600. field. See Selector field for subtleties with negated
  1601. selectors.
  1602. type: string
  1603. ports:
  1604. description: "Ports is an optional field that restricts
  1605. the rule to only apply to traffic that has a source (destination)
  1606. port that matches one of these ranges/values. This value
  1607. is a list of integers or strings that represent ranges
  1608. of ports. \n Since only some protocols have ports, if
  1609. any ports are specified it requires the Protocol match
  1610. in the Rule to be set to \"TCP\" or \"UDP\"."
  1611. items:
  1612. anyOf:
  1613. - type: integer
  1614. - type: string
  1615. pattern: ^.*
  1616. x-kubernetes-int-or-string: true
  1617. type: array
  1618. selector:
  1619. description: "Selector is an optional field that contains
  1620. a selector expression (see Policy for sample syntax).
  1621. \ Only traffic that originates from (terminates at) endpoints
  1622. matching the selector will be matched. \n Note that: in
  1623. addition to the negated version of the Selector (see NotSelector
  1624. below), the selector expression syntax itself supports
  1625. negation. The two types of negation are subtly different.
  1626. One negates the set of matched endpoints, the other negates
  1627. the whole match: \n \tSelector = \"!has(my_label)\" matches
  1628. packets that are from other Calico-controlled \tendpoints
  1629. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  1630. = \"has(my_label)\" matches packets that are not from
  1631. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  1632. \n The effect is that the latter will accept packets from
  1633. non-Calico sources whereas the former is limited to packets
  1634. from Calico-controlled endpoints."
  1635. type: string
  1636. serviceAccounts:
  1637. description: ServiceAccounts is an optional field that restricts
  1638. the rule to only apply to traffic that originates from
  1639. (or terminates at) a pod running as a matching service
  1640. account.
  1641. properties:
  1642. names:
  1643. description: Names is an optional field that restricts
  1644. the rule to only apply to traffic that originates
  1645. from (or terminates at) a pod running as a service
  1646. account whose name is in the list.
  1647. items:
  1648. type: string
  1649. type: array
  1650. selector:
  1651. description: Selector is an optional field that restricts
  1652. the rule to only apply to traffic that originates
  1653. from (or terminates at) a pod running as a service
  1654. account that matches the given label selector. If
  1655. both Names and Selector are specified then they are
  1656. AND'ed.
  1657. type: string
  1658. type: object
  1659. type: object
  1660. required:
  1661. - action
  1662. type: object
  1663. type: array
  1664. namespaceSelector:
  1665. description: NamespaceSelector is an optional field for an expression
  1666. used to select a pod based on namespaces.
  1667. type: string
  1668. order:
  1669. description: Order is an optional field that specifies the order in
  1670. which the policy is applied. Policies with higher "order" are applied
  1671. after those with lower order. If the order is omitted, it may be
  1672. considered to be "infinite" - i.e. the policy will be applied last. Policies
  1673. with identical order will be applied in alphanumerical order based
  1674. on the Policy "Name".
  1675. type: number
  1676. preDNAT:
  1677. description: PreDNAT indicates to apply the rules in this policy before
  1678. any DNAT.
  1679. type: boolean
  1680. selector:
  1681. description: "The selector is an expression used to pick pick out
  1682. the endpoints that the policy should be applied to. \n Selector
  1683. expressions follow this syntax: \n \tlabel == \"string_literal\"
  1684. \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
  1685. \ -> not equal; also matches if label is not present \tlabel in
  1686. { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
  1687. one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
  1688. ... } -> true if the value of label X is not one of \"a\", \"b\",
  1689. \"c\" \thas(label_name) -> True if that label is present \t! expr
  1690. -> negation of expr \texpr && expr -> Short-circuit and \texpr
  1691. || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
  1692. or the empty selector -> matches all endpoints. \n Label names are
  1693. allowed to contain alphanumerics, -, _ and /. String literals are
  1694. more permissive but they do not support escape characters. \n Examples
  1695. (with made-up labels): \n \ttype == \"webserver\" && deployment
  1696. == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
  1697. \"dev\" \t! has(label_name)"
  1698. type: string
  1699. serviceAccountSelector:
  1700. description: ServiceAccountSelector is an optional field for an expression
  1701. used to select a pod based on service accounts.
  1702. type: string
  1703. types:
  1704. description: "Types indicates whether this policy applies to ingress,
  1705. or to egress, or to both. When not explicitly specified (and so
  1706. the value on creation is empty or nil), Calico defaults Types according
  1707. to what Ingress and Egress rules are present in the policy. The
  1708. default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
  1709. (including the case where there are also no Ingress rules) \n
  1710. - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
  1711. rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
  1712. both Ingress and Egress rules. \n When the policy is read back again,
  1713. Types will always be one of these values, never empty or nil."
  1714. items:
  1715. description: PolicyType enumerates the possible values of the PolicySpec
  1716. Types field.
  1717. type: string
  1718. type: array
  1719. type: object
  1720. type: object
  1721. served: true
  1722. storage: true
  1723. status:
  1724. acceptedNames:
  1725. kind: ""
  1726. plural: ""
  1727. conditions: []
  1728. storedVersions: []
  1729. ---
  1730. apiVersion: apiextensions.k8s.io/v1
  1731. kind: CustomResourceDefinition
  1732. metadata:
  1733. name: globalnetworksets.crd.projectcalico.org
  1734. spec:
  1735. group: crd.projectcalico.org
  1736. names:
  1737. kind: GlobalNetworkSet
  1738. listKind: GlobalNetworkSetList
  1739. plural: globalnetworksets
  1740. singular: globalnetworkset
  1741. scope: Cluster
  1742. versions:
  1743. - name: v1
  1744. schema:
  1745. openAPIV3Schema:
  1746. description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
  1747. that share labels to allow rules to refer to them via selectors. The labels
  1748. of GlobalNetworkSet are not namespaced.
  1749. properties:
  1750. apiVersion:
  1751. description: 'APIVersion defines the versioned schema of this representation
  1752. of an object. Servers should convert recognized schemas to the latest
  1753. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1754. type: string
  1755. kind:
  1756. description: 'Kind is a string value representing the REST resource this
  1757. object represents. Servers may infer this from the endpoint the client
  1758. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1759. type: string
  1760. metadata:
  1761. type: object
  1762. spec:
  1763. description: GlobalNetworkSetSpec contains the specification for a NetworkSet
  1764. resource.
  1765. properties:
  1766. nets:
  1767. description: The list of IP networks that belong to this set.
  1768. items:
  1769. type: string
  1770. type: array
  1771. type: object
  1772. type: object
  1773. served: true
  1774. storage: true
  1775. status:
  1776. acceptedNames:
  1777. kind: ""
  1778. plural: ""
  1779. conditions: []
  1780. storedVersions: []
  1781. ---
  1782. apiVersion: apiextensions.k8s.io/v1
  1783. kind: CustomResourceDefinition
  1784. metadata:
  1785. name: hostendpoints.crd.projectcalico.org
  1786. spec:
  1787. group: crd.projectcalico.org
  1788. names:
  1789. kind: HostEndpoint
  1790. listKind: HostEndpointList
  1791. plural: hostendpoints
  1792. singular: hostendpoint
  1793. scope: Cluster
  1794. versions:
  1795. - name: v1
  1796. schema:
  1797. openAPIV3Schema:
  1798. properties:
  1799. apiVersion:
  1800. description: 'APIVersion defines the versioned schema of this representation
  1801. of an object. Servers should convert recognized schemas to the latest
  1802. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1803. type: string
  1804. kind:
  1805. description: 'Kind is a string value representing the REST resource this
  1806. object represents. Servers may infer this from the endpoint the client
  1807. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1808. type: string
  1809. metadata:
  1810. type: object
  1811. spec:
  1812. description: HostEndpointSpec contains the specification for a HostEndpoint
  1813. resource.
  1814. properties:
  1815. expectedIPs:
  1816. description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
  1817. If \"InterfaceName\" is not present, Calico will look for an interface
  1818. matching any of the IPs in the list and apply policy to that. Note:
  1819. \tWhen using the selector match criteria in an ingress or egress
  1820. security Policy \tor Profile, Calico converts the selector into
  1821. a set of IP addresses. For host \tendpoints, the ExpectedIPs field
  1822. is used for that purpose. (If only the interface \tname is specified,
  1823. Calico does not learn the IPs of the interface for use in match
  1824. \tcriteria.)"
  1825. items:
  1826. type: string
  1827. type: array
  1828. interfaceName:
  1829. description: "Either \"*\", or the name of a specific Linux interface
  1830. to apply policy to; or empty. \"*\" indicates that this HostEndpoint
  1831. governs all traffic to, from or through the default network namespace
  1832. of the host named by the \"Node\" field; entering and leaving that
  1833. namespace via any interface, including those from/to non-host-networked
  1834. local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
  1835. only governs traffic that enters or leaves the host through the
  1836. specific interface named by InterfaceName, or - when InterfaceName
  1837. is empty - through the specific interface that has one of the IPs
  1838. in ExpectedIPs. Therefore, when InterfaceName is empty, at least
  1839. one expected IP must be specified. Only external interfaces (such
  1840. as 鈥渆th0鈥�) are supported here; it isn't possible for a HostEndpoint
  1841. to protect traffic through a specific local workload interface.
  1842. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
  1843. initially just pre-DNAT policy. Please check Calico documentation
  1844. for the latest position."
  1845. type: string
  1846. node:
  1847. description: The node name identifying the Calico node instance.
  1848. type: string
  1849. ports:
  1850. description: Ports contains the endpoint's named ports, which may
  1851. be referenced in security policy rules.
  1852. items:
  1853. properties:
  1854. name:
  1855. type: string
  1856. port:
  1857. type: integer
  1858. protocol:
  1859. anyOf:
  1860. - type: integer
  1861. - type: string
  1862. pattern: ^.*
  1863. x-kubernetes-int-or-string: true
  1864. required:
  1865. - name
  1866. - port
  1867. - protocol
  1868. type: object
  1869. type: array
  1870. profiles:
  1871. description: A list of identifiers of security Profile objects that
  1872. apply to this endpoint. Each profile is applied in the order that
  1873. they appear in this list. Profile rules are applied after the selector-based
  1874. security policy.
  1875. items:
  1876. type: string
  1877. type: array
  1878. type: object
  1879. type: object
  1880. served: true
  1881. storage: true
  1882. status:
  1883. acceptedNames:
  1884. kind: ""
  1885. plural: ""
  1886. conditions: []
  1887. storedVersions: []
  1888. ---
  1889. apiVersion: apiextensions.k8s.io/v1
  1890. kind: CustomResourceDefinition
  1891. metadata:
  1892. name: ipamblocks.crd.projectcalico.org
  1893. spec:
  1894. group: crd.projectcalico.org
  1895. names:
  1896. kind: IPAMBlock
  1897. listKind: IPAMBlockList
  1898. plural: ipamblocks
  1899. singular: ipamblock
  1900. scope: Cluster
  1901. versions:
  1902. - name: v1
  1903. schema:
  1904. openAPIV3Schema:
  1905. properties:
  1906. apiVersion:
  1907. description: 'APIVersion defines the versioned schema of this representation
  1908. of an object. Servers should convert recognized schemas to the latest
  1909. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1910. type: string
  1911. kind:
  1912. description: 'Kind is a string value representing the REST resource this
  1913. object represents. Servers may infer this from the endpoint the client
  1914. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1915. type: string
  1916. metadata:
  1917. type: object
  1918. spec:
  1919. description: IPAMBlockSpec contains the specification for an IPAMBlock
  1920. resource.
  1921. properties:
  1922. affinity:
  1923. type: string
  1924. allocations:
  1925. items:
  1926. type: integer
  1927. # TODO: This nullable is manually added in. We should update controller-gen
  1928. # to handle []*int properly itself.
  1929. nullable: true
  1930. type: array
  1931. attributes:
  1932. items:
  1933. properties:
  1934. handle_id:
  1935. type: string
  1936. secondary:
  1937. additionalProperties:
  1938. type: string
  1939. type: object
  1940. type: object
  1941. type: array
  1942. cidr:
  1943. type: string
  1944. deleted:
  1945. type: boolean
  1946. strictAffinity:
  1947. type: boolean
  1948. unallocated:
  1949. items:
  1950. type: integer
  1951. type: array
  1952. required:
  1953. - allocations
  1954. - attributes
  1955. - cidr
  1956. - strictAffinity
  1957. - unallocated
  1958. type: object
  1959. type: object
  1960. served: true
  1961. storage: true
  1962. status:
  1963. acceptedNames:
  1964. kind: ""
  1965. plural: ""
  1966. conditions: []
  1967. storedVersions: []
  1968. ---
  1969. apiVersion: apiextensions.k8s.io/v1
  1970. kind: CustomResourceDefinition
  1971. metadata:
  1972. name: ipamconfigs.crd.projectcalico.org
  1973. spec:
  1974. group: crd.projectcalico.org
  1975. names:
  1976. kind: IPAMConfig
  1977. listKind: IPAMConfigList
  1978. plural: ipamconfigs
  1979. singular: ipamconfig
  1980. scope: Cluster
  1981. versions:
  1982. - name: v1
  1983. schema:
  1984. openAPIV3Schema:
  1985. properties:
  1986. apiVersion:
  1987. description: 'APIVersion defines the versioned schema of this representation
  1988. of an object. Servers should convert recognized schemas to the latest
  1989. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1990. type: string
  1991. kind:
  1992. description: 'Kind is a string value representing the REST resource this
  1993. object represents. Servers may infer this from the endpoint the client
  1994. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1995. type: string
  1996. metadata:
  1997. type: object
  1998. spec:
  1999. description: IPAMConfigSpec contains the specification for an IPAMConfig
  2000. resource.
  2001. properties:
  2002. autoAllocateBlocks:
  2003. type: boolean
  2004. maxBlocksPerHost:
  2005. description: MaxBlocksPerHost, if non-zero, is the max number of blocks
  2006. that can be affine to each host.
  2007. type: integer
  2008. strictAffinity:
  2009. type: boolean
  2010. required:
  2011. - autoAllocateBlocks
  2012. - strictAffinity
  2013. type: object
  2014. type: object
  2015. served: true
  2016. storage: true
  2017. status:
  2018. acceptedNames:
  2019. kind: ""
  2020. plural: ""
  2021. conditions: []
  2022. storedVersions: []
  2023. ---
  2024. apiVersion: apiextensions.k8s.io/v1
  2025. kind: CustomResourceDefinition
  2026. metadata:
  2027. name: ipamhandles.crd.projectcalico.org
  2028. spec:
  2029. group: crd.projectcalico.org
  2030. names:
  2031. kind: IPAMHandle
  2032. listKind: IPAMHandleList
  2033. plural: ipamhandles
  2034. singular: ipamhandle
  2035. scope: Cluster
  2036. versions:
  2037. - name: v1
  2038. schema:
  2039. openAPIV3Schema:
  2040. properties:
  2041. apiVersion:
  2042. description: 'APIVersion defines the versioned schema of this representation
  2043. of an object. Servers should convert recognized schemas to the latest
  2044. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2045. type: string
  2046. kind:
  2047. description: 'Kind is a string value representing the REST resource this
  2048. object represents. Servers may infer this from the endpoint the client
  2049. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2050. type: string
  2051. metadata:
  2052. type: object
  2053. spec:
  2054. description: IPAMHandleSpec contains the specification for an IPAMHandle
  2055. resource.
  2056. properties:
  2057. block:
  2058. additionalProperties:
  2059. type: integer
  2060. type: object
  2061. deleted:
  2062. type: boolean
  2063. handleID:
  2064. type: string
  2065. required:
  2066. - block
  2067. - handleID
  2068. type: object
  2069. type: object
  2070. served: true
  2071. storage: true
  2072. status:
  2073. acceptedNames:
  2074. kind: ""
  2075. plural: ""
  2076. conditions: []
  2077. storedVersions: []
  2078. ---
  2079. apiVersion: apiextensions.k8s.io/v1
  2080. kind: CustomResourceDefinition
  2081. metadata:
  2082. name: ippools.crd.projectcalico.org
  2083. spec:
  2084. group: crd.projectcalico.org
  2085. names:
  2086. kind: IPPool
  2087. listKind: IPPoolList
  2088. plural: ippools
  2089. singular: ippool
  2090. scope: Cluster
  2091. versions:
  2092. - name: v1
  2093. schema:
  2094. openAPIV3Schema:
  2095. properties:
  2096. apiVersion:
  2097. description: 'APIVersion defines the versioned schema of this representation
  2098. of an object. Servers should convert recognized schemas to the latest
  2099. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2100. type: string
  2101. kind:
  2102. description: 'Kind is a string value representing the REST resource this
  2103. object represents. Servers may infer this from the endpoint the client
  2104. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2105. type: string
  2106. metadata:
  2107. type: object
  2108. spec:
  2109. description: IPPoolSpec contains the specification for an IPPool resource.
  2110. properties:
  2111. blockSize:
  2112. description: The block size to use for IP address assignments from
  2113. this pool. Defaults to 26 for IPv4 and 112 for IPv6.
  2114. type: integer
  2115. cidr:
  2116. description: The pool CIDR.
  2117. type: string
  2118. disabled:
  2119. description: When disabled is true, Calico IPAM will not assign addresses
  2120. from this pool.
  2121. type: boolean
  2122. ipip:
  2123. description: 'Deprecated: this field is only used for APIv1 backwards
  2124. compatibility. Setting this field is not allowed, this field is
  2125. for internal use only.'
  2126. properties:
  2127. enabled:
  2128. description: When enabled is true, ipip tunneling will be used
  2129. to deliver packets to destinations within this pool.
  2130. type: boolean
  2131. mode:
  2132. description: The IPIP mode. This can be one of "always" or "cross-subnet". A
  2133. mode of "always" will also use IPIP tunneling for routing to
  2134. destination IP addresses within this pool. A mode of "cross-subnet"
  2135. will only use IPIP tunneling when the destination node is on
  2136. a different subnet to the originating node. The default value
  2137. (if not specified) is "always".
  2138. type: string
  2139. type: object
  2140. ipipMode:
  2141. description: Contains configuration for IPIP tunneling for this pool.
  2142. If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
  2143. is disabled).
  2144. type: string
  2145. nat-outgoing:
  2146. description: 'Deprecated: this field is only used for APIv1 backwards
  2147. compatibility. Setting this field is not allowed, this field is
  2148. for internal use only.'
  2149. type: boolean
  2150. natOutgoing:
  2151. description: When nat-outgoing is true, packets sent from Calico networked
  2152. containers in this pool to destinations outside of this pool will
  2153. be masqueraded.
  2154. type: boolean
  2155. nodeSelector:
  2156. description: Allows IPPool to allocate for a specific node by label
  2157. selector.
  2158. type: string
  2159. vxlanMode:
  2160. description: Contains configuration for VXLAN tunneling for this pool.
  2161. If not specified, then this is defaulted to "Never" (i.e. VXLAN
  2162. tunneling is disabled).
  2163. type: string
  2164. required:
  2165. - cidr
  2166. type: object
  2167. type: object
  2168. served: true
  2169. storage: true
  2170. status:
  2171. acceptedNames:
  2172. kind: ""
  2173. plural: ""
  2174. conditions: []
  2175. storedVersions: []
  2176. ---
  2177. apiVersion: apiextensions.k8s.io/v1
  2178. kind: CustomResourceDefinition
  2179. metadata:
  2180. name: kubecontrollersconfigurations.crd.projectcalico.org
  2181. spec:
  2182. group: crd.projectcalico.org
  2183. names:
  2184. kind: KubeControllersConfiguration
  2185. listKind: KubeControllersConfigurationList
  2186. plural: kubecontrollersconfigurations
  2187. singular: kubecontrollersconfiguration
  2188. scope: Cluster
  2189. versions:
  2190. - name: v1
  2191. schema:
  2192. openAPIV3Schema:
  2193. properties:
  2194. apiVersion:
  2195. description: 'APIVersion defines the versioned schema of this representation
  2196. of an object. Servers should convert recognized schemas to the latest
  2197. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2198. type: string
  2199. kind:
  2200. description: 'Kind is a string value representing the REST resource this
  2201. object represents. Servers may infer this from the endpoint the client
  2202. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2203. type: string
  2204. metadata:
  2205. type: object
  2206. spec:
  2207. description: KubeControllersConfigurationSpec contains the values of the
  2208. Kubernetes controllers configuration.
  2209. properties:
  2210. controllers:
  2211. description: Controllers enables and configures individual Kubernetes
  2212. controllers
  2213. properties:
  2214. namespace:
  2215. description: Namespace enables and configures the namespace controller.
  2216. Enabled by default, set to nil to disable.
  2217. properties:
  2218. reconcilerPeriod:
  2219. description: 'ReconcilerPeriod is the period to perform reconciliation
  2220. with the Calico datastore. [Default: 5m]'
  2221. type: string
  2222. type: object
  2223. node:
  2224. description: Node enables and configures the node controller.
  2225. Enabled by default, set to nil to disable.
  2226. properties:
  2227. hostEndpoint:
  2228. description: HostEndpoint controls syncing nodes to host endpoints.
  2229. Disabled by default, set to nil to disable.
  2230. properties:
  2231. autoCreate:
  2232. description: 'AutoCreate enables automatic creation of
  2233. host endpoints for every node. [Default: Disabled]'
  2234. type: string
  2235. type: object
  2236. reconcilerPeriod:
  2237. description: 'ReconcilerPeriod is the period to perform reconciliation
  2238. with the Calico datastore. [Default: 5m]'
  2239. type: string
  2240. syncLabels:
  2241. description: 'SyncLabels controls whether to copy Kubernetes
  2242. node labels to Calico nodes. [Default: Enabled]'
  2243. type: string
  2244. type: object
  2245. policy:
  2246. description: Policy enables and configures the policy controller.
  2247. Enabled by default, set to nil to disable.
  2248. properties:
  2249. reconcilerPeriod:
  2250. description: 'ReconcilerPeriod is the period to perform reconciliation
  2251. with the Calico datastore. [Default: 5m]'
  2252. type: string
  2253. type: object
  2254. serviceAccount:
  2255. description: ServiceAccount enables and configures the service
  2256. account controller. Enabled by default, set to nil to disable.
  2257. properties:
  2258. reconcilerPeriod:
  2259. description: 'ReconcilerPeriod is the period to perform reconciliation
  2260. with the Calico datastore. [Default: 5m]'
  2261. type: string
  2262. type: object
  2263. workloadEndpoint:
  2264. description: WorkloadEndpoint enables and configures the workload
  2265. endpoint controller. Enabled by default, set to nil to disable.
  2266. properties:
  2267. reconcilerPeriod:
  2268. description: 'ReconcilerPeriod is the period to perform reconciliation
  2269. with the Calico datastore. [Default: 5m]'
  2270. type: string
  2271. type: object
  2272. type: object
  2273. etcdV3CompactionPeriod:
  2274. description: 'EtcdV3CompactionPeriod is the period between etcdv3
  2275. compaction requests. Set to 0 to disable. [Default: 10m]'
  2276. type: string
  2277. healthChecks:
  2278. description: 'HealthChecks enables or disables support for health
  2279. checks [Default: Enabled]'
  2280. type: string
  2281. logSeverityScreen:
  2282. description: 'LogSeverityScreen is the log severity above which logs
  2283. are sent to the stdout. [Default: Info]'
  2284. type: string
  2285. required:
  2286. - controllers
  2287. type: object
  2288. status:
  2289. description: KubeControllersConfigurationStatus represents the status
  2290. of the configuration. It's useful for admins to be able to see the actual
  2291. config that was applied, which can be modified by environment variables
  2292. on the kube-controllers process.
  2293. properties:
  2294. environmentVars:
  2295. additionalProperties:
  2296. type: string
  2297. description: EnvironmentVars contains the environment variables on
  2298. the kube-controllers that influenced the RunningConfig.
  2299. type: object
  2300. runningConfig:
  2301. description: RunningConfig contains the effective config that is running
  2302. in the kube-controllers pod, after merging the API resource with
  2303. any environment variables.
  2304. properties:
  2305. controllers:
  2306. description: Controllers enables and configures individual Kubernetes
  2307. controllers
  2308. properties:
  2309. namespace:
  2310. description: Namespace enables and configures the namespace
  2311. controller. Enabled by default, set to nil to disable.
  2312. properties:
  2313. reconcilerPeriod:
  2314. description: 'ReconcilerPeriod is the period to perform
  2315. reconciliation with the Calico datastore. [Default:
  2316. 5m]'
  2317. type: string
  2318. type: object
  2319. node:
  2320. description: Node enables and configures the node controller.
  2321. Enabled by default, set to nil to disable.
  2322. properties:
  2323. hostEndpoint:
  2324. description: HostEndpoint controls syncing nodes to host
  2325. endpoints. Disabled by default, set to nil to disable.
  2326. properties:
  2327. autoCreate:
  2328. description: 'AutoCreate enables automatic creation
  2329. of host endpoints for every node. [Default: Disabled]'
  2330. type: string
  2331. type: object
  2332. reconcilerPeriod:
  2333. description: 'ReconcilerPeriod is the period to perform
  2334. reconciliation with the Calico datastore. [Default:
  2335. 5m]'
  2336. type: string
  2337. syncLabels:
  2338. description: 'SyncLabels controls whether to copy Kubernetes
  2339. node labels to Calico nodes. [Default: Enabled]'
  2340. type: string
  2341. type: object
  2342. policy:
  2343. description: Policy enables and configures the policy controller.
  2344. Enabled by default, set to nil to disable.
  2345. properties:
  2346. reconcilerPeriod:
  2347. description: 'ReconcilerPeriod is the period to perform
  2348. reconciliation with the Calico datastore. [Default:
  2349. 5m]'
  2350. type: string
  2351. type: object
  2352. serviceAccount:
  2353. description: ServiceAccount enables and configures the service
  2354. account controller. Enabled by default, set to nil to disable.
  2355. properties:
  2356. reconcilerPeriod:
  2357. description: 'ReconcilerPeriod is the period to perform
  2358. reconciliation with the Calico datastore. [Default:
  2359. 5m]'
  2360. type: string
  2361. type: object
  2362. workloadEndpoint:
  2363. description: WorkloadEndpoint enables and configures the workload
  2364. endpoint controller. Enabled by default, set to nil to disable.
  2365. properties:
  2366. reconcilerPeriod:
  2367. description: 'ReconcilerPeriod is the period to perform
  2368. reconciliation with the Calico datastore. [Default:
  2369. 5m]'
  2370. type: string
  2371. type: object
  2372. type: object
  2373. etcdV3CompactionPeriod:
  2374. description: 'EtcdV3CompactionPeriod is the period between etcdv3
  2375. compaction requests. Set to 0 to disable. [Default: 10m]'
  2376. type: string
  2377. healthChecks:
  2378. description: 'HealthChecks enables or disables support for health
  2379. checks [Default: Enabled]'
  2380. type: string
  2381. logSeverityScreen:
  2382. description: 'LogSeverityScreen is the log severity above which
  2383. logs are sent to the stdout. [Default: Info]'
  2384. type: string
  2385. required:
  2386. - controllers
  2387. type: object
  2388. type: object
  2389. type: object
  2390. served: true
  2391. storage: true
  2392. status:
  2393. acceptedNames:
  2394. kind: ""
  2395. plural: ""
  2396. conditions: []
  2397. storedVersions: []
  2398. ---
  2399. apiVersion: apiextensions.k8s.io/v1
  2400. kind: CustomResourceDefinition
  2401. metadata:
  2402. name: networkpolicies.crd.projectcalico.org
  2403. spec:
  2404. group: crd.projectcalico.org
  2405. names:
  2406. kind: NetworkPolicy
  2407. listKind: NetworkPolicyList
  2408. plural: networkpolicies
  2409. singular: networkpolicy
  2410. scope: Namespaced
  2411. versions:
  2412. - name: v1
  2413. schema:
  2414. openAPIV3Schema:
  2415. properties:
  2416. apiVersion:
  2417. description: 'APIVersion defines the versioned schema of this representation
  2418. of an object. Servers should convert recognized schemas to the latest
  2419. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2420. type: string
  2421. kind:
  2422. description: 'Kind is a string value representing the REST resource this
  2423. object represents. Servers may infer this from the endpoint the client
  2424. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2425. type: string
  2426. metadata:
  2427. type: object
  2428. spec:
  2429. properties:
  2430. egress:
  2431. description: The ordered set of egress rules. Each rule contains
  2432. a set of packet match criteria and a corresponding action to apply.
  2433. items:
  2434. description: "A Rule encapsulates a set of match criteria and an
  2435. action. Both selector-based security Policy and security Profiles
  2436. reference rules - separated out as a list of rules for both ingress
  2437. and egress packet matching. \n Each positive match criteria has
  2438. a negated version, prefixed with 鈥漀ot鈥�. All the match criteria
  2439. within a rule must be satisfied for a packet to match. A single
  2440. rule can contain the positive and negative version of a match
  2441. and both must be satisfied for the rule to match."
  2442. properties:
  2443. action:
  2444. type: string
  2445. destination:
  2446. description: Destination contains the match criteria that apply
  2447. to destination entity.
  2448. properties:
  2449. namespaceSelector:
  2450. description: "NamespaceSelector is an optional field that
  2451. contains a selector expression. Only traffic that originates
  2452. from (or terminates at) endpoints within the selected
  2453. namespaces will be matched. When both NamespaceSelector
  2454. and Selector are defined on the same rule, then only workload
  2455. endpoints that are matched by both selectors will be selected
  2456. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  2457. implies that the Selector is limited to selecting only
  2458. workload endpoints in the same namespace as the NetworkPolicy.
  2459. \n For NetworkPolicy, `global()` NamespaceSelector implies
  2460. that the Selector is limited to selecting only GlobalNetworkSet
  2461. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  2462. NamespaceSelector implies the Selector applies to workload
  2463. endpoints across all namespaces."
  2464. type: string
  2465. nets:
  2466. description: Nets is an optional field that restricts the
  2467. rule to only apply to traffic that originates from (or
  2468. terminates at) IP addresses in any of the given subnets.
  2469. items:
  2470. type: string
  2471. type: array
  2472. notNets:
  2473. description: NotNets is the negated version of the Nets
  2474. field.
  2475. items:
  2476. type: string
  2477. type: array
  2478. notPorts:
  2479. description: NotPorts is the negated version of the Ports
  2480. field. Since only some protocols have ports, if any ports
  2481. are specified it requires the Protocol match in the Rule
  2482. to be set to "TCP" or "UDP".
  2483. items:
  2484. anyOf:
  2485. - type: integer
  2486. - type: string
  2487. pattern: ^.*
  2488. x-kubernetes-int-or-string: true
  2489. type: array
  2490. notSelector:
  2491. description: NotSelector is the negated version of the Selector
  2492. field. See Selector field for subtleties with negated
  2493. selectors.
  2494. type: string
  2495. ports:
  2496. description: "Ports is an optional field that restricts
  2497. the rule to only apply to traffic that has a source (destination)
  2498. port that matches one of these ranges/values. This value
  2499. is a list of integers or strings that represent ranges
  2500. of ports. \n Since only some protocols have ports, if
  2501. any ports are specified it requires the Protocol match
  2502. in the Rule to be set to \"TCP\" or \"UDP\"."
  2503. items:
  2504. anyOf:
  2505. - type: integer
  2506. - type: string
  2507. pattern: ^.*
  2508. x-kubernetes-int-or-string: true
  2509. type: array
  2510. selector:
  2511. description: "Selector is an optional field that contains
  2512. a selector expression (see Policy for sample syntax).
  2513. \ Only traffic that originates from (terminates at) endpoints
  2514. matching the selector will be matched. \n Note that: in
  2515. addition to the negated version of the Selector (see NotSelector
  2516. below), the selector expression syntax itself supports
  2517. negation. The two types of negation are subtly different.
  2518. One negates the set of matched endpoints, the other negates
  2519. the whole match: \n \tSelector = \"!has(my_label)\" matches
  2520. packets that are from other Calico-controlled \tendpoints
  2521. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  2522. = \"has(my_label)\" matches packets that are not from
  2523. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  2524. \n The effect is that the latter will accept packets from
  2525. non-Calico sources whereas the former is limited to packets
  2526. from Calico-controlled endpoints."
  2527. type: string
  2528. serviceAccounts:
  2529. description: ServiceAccounts is an optional field that restricts
  2530. the rule to only apply to traffic that originates from
  2531. (or terminates at) a pod running as a matching service
  2532. account.
  2533. properties:
  2534. names:
  2535. description: Names is an optional field that restricts
  2536. the rule to only apply to traffic that originates
  2537. from (or terminates at) a pod running as a service
  2538. account whose name is in the list.
  2539. items:
  2540. type: string
  2541. type: array
  2542. selector:
  2543. description: Selector is an optional field that restricts
  2544. the rule to only apply to traffic that originates
  2545. from (or terminates at) a pod running as a service
  2546. account that matches the given label selector. If
  2547. both Names and Selector are specified then they are
  2548. AND'ed.
  2549. type: string
  2550. type: object
  2551. type: object
  2552. http:
  2553. description: HTTP contains match criteria that apply to HTTP
  2554. requests.
  2555. properties:
  2556. methods:
  2557. description: Methods is an optional field that restricts
  2558. the rule to apply only to HTTP requests that use one of
  2559. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
  2560. methods are OR'd together.
  2561. items:
  2562. type: string
  2563. type: array
  2564. paths:
  2565. description: 'Paths is an optional field that restricts
  2566. the rule to apply to HTTP requests that use one of the
  2567. listed HTTP Paths. Multiple paths are OR''d together.
  2568. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
  2569. ONLY specify either a `exact` or a `prefix` match. The
  2570. validator will check for it.'
  2571. items:
  2572. description: 'HTTPPath specifies an HTTP path to match.
  2573. It may be either of the form: exact: <path>: which matches
  2574. the path exactly or prefix: <path-prefix>: which matches
  2575. the path prefix'
  2576. properties:
  2577. exact:
  2578. type: string
  2579. prefix:
  2580. type: string
  2581. type: object
  2582. type: array
  2583. type: object
  2584. icmp:
  2585. description: ICMP is an optional field that restricts the rule
  2586. to apply to a specific type and code of ICMP traffic. This
  2587. should only be specified if the Protocol field is set to "ICMP"
  2588. or "ICMPv6".
  2589. properties:
  2590. code:
  2591. description: Match on a specific ICMP code. If specified,
  2592. the Type value must also be specified. This is a technical
  2593. limitation imposed by the kernel's iptables firewall,
  2594. which Calico uses to enforce the rule.
  2595. type: integer
  2596. type:
  2597. description: Match on a specific ICMP type. For example
  2598. a value of 8 refers to ICMP Echo Request (i.e. pings).
  2599. type: integer
  2600. type: object
  2601. ipVersion:
  2602. description: IPVersion is an optional field that restricts the
  2603. rule to only match a specific IP version.
  2604. type: integer
  2605. metadata:
  2606. description: Metadata contains additional information for this
  2607. rule
  2608. properties:
  2609. annotations:
  2610. additionalProperties:
  2611. type: string
  2612. description: Annotations is a set of key value pairs that
  2613. give extra information about the rule
  2614. type: object
  2615. type: object
  2616. notICMP:
  2617. description: NotICMP is the negated version of the ICMP field.
  2618. properties:
  2619. code:
  2620. description: Match on a specific ICMP code. If specified,
  2621. the Type value must also be specified. This is a technical
  2622. limitation imposed by the kernel's iptables firewall,
  2623. which Calico uses to enforce the rule.
  2624. type: integer
  2625. type:
  2626. description: Match on a specific ICMP type. For example
  2627. a value of 8 refers to ICMP Echo Request (i.e. pings).
  2628. type: integer
  2629. type: object
  2630. notProtocol:
  2631. anyOf:
  2632. - type: integer
  2633. - type: string
  2634. description: NotProtocol is the negated version of the Protocol
  2635. field.
  2636. pattern: ^.*
  2637. x-kubernetes-int-or-string: true
  2638. protocol:
  2639. anyOf:
  2640. - type: integer
  2641. - type: string
  2642. description: "Protocol is an optional field that restricts the
  2643. rule to only apply to traffic of a specific IP protocol. Required
  2644. if any of the EntityRules contain Ports (because ports only
  2645. apply to certain protocols). \n Must be one of these string
  2646. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
  2647. \"UDPLite\" or an integer in the range 1-255."
  2648. pattern: ^.*
  2649. x-kubernetes-int-or-string: true
  2650. source:
  2651. description: Source contains the match criteria that apply to
  2652. source entity.
  2653. properties:
  2654. namespaceSelector:
  2655. description: "NamespaceSelector is an optional field that
  2656. contains a selector expression. Only traffic that originates
  2657. from (or terminates at) endpoints within the selected
  2658. namespaces will be matched. When both NamespaceSelector
  2659. and Selector are defined on the same rule, then only workload
  2660. endpoints that are matched by both selectors will be selected
  2661. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  2662. implies that the Selector is limited to selecting only
  2663. workload endpoints in the same namespace as the NetworkPolicy.
  2664. \n For NetworkPolicy, `global()` NamespaceSelector implies
  2665. that the Selector is limited to selecting only GlobalNetworkSet
  2666. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  2667. NamespaceSelector implies the Selector applies to workload
  2668. endpoints across all namespaces."
  2669. type: string
  2670. nets:
  2671. description: Nets is an optional field that restricts the
  2672. rule to only apply to traffic that originates from (or
  2673. terminates at) IP addresses in any of the given subnets.
  2674. items:
  2675. type: string
  2676. type: array
  2677. notNets:
  2678. description: NotNets is the negated version of the Nets
  2679. field.
  2680. items:
  2681. type: string
  2682. type: array
  2683. notPorts:
  2684. description: NotPorts is the negated version of the Ports
  2685. field. Since only some protocols have ports, if any ports
  2686. are specified it requires the Protocol match in the Rule
  2687. to be set to "TCP" or "UDP".
  2688. items:
  2689. anyOf:
  2690. - type: integer
  2691. - type: string
  2692. pattern: ^.*
  2693. x-kubernetes-int-or-string: true
  2694. type: array
  2695. notSelector:
  2696. description: NotSelector is the negated version of the Selector
  2697. field. See Selector field for subtleties with negated
  2698. selectors.
  2699. type: string
  2700. ports:
  2701. description: "Ports is an optional field that restricts
  2702. the rule to only apply to traffic that has a source (destination)
  2703. port that matches one of these ranges/values. This value
  2704. is a list of integers or strings that represent ranges
  2705. of ports. \n Since only some protocols have ports, if
  2706. any ports are specified it requires the Protocol match
  2707. in the Rule to be set to \"TCP\" or \"UDP\"."
  2708. items:
  2709. anyOf:
  2710. - type: integer
  2711. - type: string
  2712. pattern: ^.*
  2713. x-kubernetes-int-or-string: true
  2714. type: array
  2715. selector:
  2716. description: "Selector is an optional field that contains
  2717. a selector expression (see Policy for sample syntax).
  2718. \ Only traffic that originates from (terminates at) endpoints
  2719. matching the selector will be matched. \n Note that: in
  2720. addition to the negated version of the Selector (see NotSelector
  2721. below), the selector expression syntax itself supports
  2722. negation. The two types of negation are subtly different.
  2723. One negates the set of matched endpoints, the other negates
  2724. the whole match: \n \tSelector = \"!has(my_label)\" matches
  2725. packets that are from other Calico-controlled \tendpoints
  2726. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  2727. = \"has(my_label)\" matches packets that are not from
  2728. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  2729. \n The effect is that the latter will accept packets from
  2730. non-Calico sources whereas the former is limited to packets
  2731. from Calico-controlled endpoints."
  2732. type: string
  2733. serviceAccounts:
  2734. description: ServiceAccounts is an optional field that restricts
  2735. the rule to only apply to traffic that originates from
  2736. (or terminates at) a pod running as a matching service
  2737. account.
  2738. properties:
  2739. names:
  2740. description: Names is an optional field that restricts
  2741. the rule to only apply to traffic that originates
  2742. from (or terminates at) a pod running as a service
  2743. account whose name is in the list.
  2744. items:
  2745. type: string
  2746. type: array
  2747. selector:
  2748. description: Selector is an optional field that restricts
  2749. the rule to only apply to traffic that originates
  2750. from (or terminates at) a pod running as a service
  2751. account that matches the given label selector. If
  2752. both Names and Selector are specified then they are
  2753. AND'ed.
  2754. type: string
  2755. type: object
  2756. type: object
  2757. required:
  2758. - action
  2759. type: object
  2760. type: array
  2761. ingress:
  2762. description: The ordered set of ingress rules. Each rule contains
  2763. a set of packet match criteria and a corresponding action to apply.
  2764. items:
  2765. description: "A Rule encapsulates a set of match criteria and an
  2766. action. Both selector-based security Policy and security Profiles
  2767. reference rules - separated out as a list of rules for both ingress
  2768. and egress packet matching. \n Each positive match criteria has
  2769. a negated version, prefixed with 鈥漀ot鈥�. All the match criteria
  2770. within a rule must be satisfied for a packet to match. A single
  2771. rule can contain the positive and negative version of a match
  2772. and both must be satisfied for the rule to match."
  2773. properties:
  2774. action:
  2775. type: string
  2776. destination:
  2777. description: Destination contains the match criteria that apply
  2778. to destination entity.
  2779. properties:
  2780. namespaceSelector:
  2781. description: "NamespaceSelector is an optional field that
  2782. contains a selector expression. Only traffic that originates
  2783. from (or terminates at) endpoints within the selected
  2784. namespaces will be matched. When both NamespaceSelector
  2785. and Selector are defined on the same rule, then only workload
  2786. endpoints that are matched by both selectors will be selected
  2787. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  2788. implies that the Selector is limited to selecting only
  2789. workload endpoints in the same namespace as the NetworkPolicy.
  2790. \n For NetworkPolicy, `global()` NamespaceSelector implies
  2791. that the Selector is limited to selecting only GlobalNetworkSet
  2792. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  2793. NamespaceSelector implies the Selector applies to workload
  2794. endpoints across all namespaces."
  2795. type: string
  2796. nets:
  2797. description: Nets is an optional field that restricts the
  2798. rule to only apply to traffic that originates from (or
  2799. terminates at) IP addresses in any of the given subnets.
  2800. items:
  2801. type: string
  2802. type: array
  2803. notNets:
  2804. description: NotNets is the negated version of the Nets
  2805. field.
  2806. items:
  2807. type: string
  2808. type: array
  2809. notPorts:
  2810. description: NotPorts is the negated version of the Ports
  2811. field. Since only some protocols have ports, if any ports
  2812. are specified it requires the Protocol match in the Rule
  2813. to be set to "TCP" or "UDP".
  2814. items:
  2815. anyOf:
  2816. - type: integer
  2817. - type: string
  2818. pattern: ^.*
  2819. x-kubernetes-int-or-string: true
  2820. type: array
  2821. notSelector:
  2822. description: NotSelector is the negated version of the Selector
  2823. field. See Selector field for subtleties with negated
  2824. selectors.
  2825. type: string
  2826. ports:
  2827. description: "Ports is an optional field that restricts
  2828. the rule to only apply to traffic that has a source (destination)
  2829. port that matches one of these ranges/values. This value
  2830. is a list of integers or strings that represent ranges
  2831. of ports. \n Since only some protocols have ports, if
  2832. any ports are specified it requires the Protocol match
  2833. in the Rule to be set to \"TCP\" or \"UDP\"."
  2834. items:
  2835. anyOf:
  2836. - type: integer
  2837. - type: string
  2838. pattern: ^.*
  2839. x-kubernetes-int-or-string: true
  2840. type: array
  2841. selector:
  2842. description: "Selector is an optional field that contains
  2843. a selector expression (see Policy for sample syntax).
  2844. \ Only traffic that originates from (terminates at) endpoints
  2845. matching the selector will be matched. \n Note that: in
  2846. addition to the negated version of the Selector (see NotSelector
  2847. below), the selector expression syntax itself supports
  2848. negation. The two types of negation are subtly different.
  2849. One negates the set of matched endpoints, the other negates
  2850. the whole match: \n \tSelector = \"!has(my_label)\" matches
  2851. packets that are from other Calico-controlled \tendpoints
  2852. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  2853. = \"has(my_label)\" matches packets that are not from
  2854. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  2855. \n The effect is that the latter will accept packets from
  2856. non-Calico sources whereas the former is limited to packets
  2857. from Calico-controlled endpoints."
  2858. type: string
  2859. serviceAccounts:
  2860. description: ServiceAccounts is an optional field that restricts
  2861. the rule to only apply to traffic that originates from
  2862. (or terminates at) a pod running as a matching service
  2863. account.
  2864. properties:
  2865. names:
  2866. description: Names is an optional field that restricts
  2867. the rule to only apply to traffic that originates
  2868. from (or terminates at) a pod running as a service
  2869. account whose name is in the list.
  2870. items:
  2871. type: string
  2872. type: array
  2873. selector:
  2874. description: Selector is an optional field that restricts
  2875. the rule to only apply to traffic that originates
  2876. from (or terminates at) a pod running as a service
  2877. account that matches the given label selector. If
  2878. both Names and Selector are specified then they are
  2879. AND'ed.
  2880. type: string
  2881. type: object
  2882. type: object
  2883. http:
  2884. description: HTTP contains match criteria that apply to HTTP
  2885. requests.
  2886. properties:
  2887. methods:
  2888. description: Methods is an optional field that restricts
  2889. the rule to apply only to HTTP requests that use one of
  2890. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
  2891. methods are OR'd together.
  2892. items:
  2893. type: string
  2894. type: array
  2895. paths:
  2896. description: 'Paths is an optional field that restricts
  2897. the rule to apply to HTTP requests that use one of the
  2898. listed HTTP Paths. Multiple paths are OR''d together.
  2899. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
  2900. ONLY specify either a `exact` or a `prefix` match. The
  2901. validator will check for it.'
  2902. items:
  2903. description: 'HTTPPath specifies an HTTP path to match.
  2904. It may be either of the form: exact: <path>: which matches
  2905. the path exactly or prefix: <path-prefix>: which matches
  2906. the path prefix'
  2907. properties:
  2908. exact:
  2909. type: string
  2910. prefix:
  2911. type: string
  2912. type: object
  2913. type: array
  2914. type: object
  2915. icmp:
  2916. description: ICMP is an optional field that restricts the rule
  2917. to apply to a specific type and code of ICMP traffic. This
  2918. should only be specified if the Protocol field is set to "ICMP"
  2919. or "ICMPv6".
  2920. properties:
  2921. code:
  2922. description: Match on a specific ICMP code. If specified,
  2923. the Type value must also be specified. This is a technical
  2924. limitation imposed by the kernel's iptables firewall,
  2925. which Calico uses to enforce the rule.
  2926. type: integer
  2927. type:
  2928. description: Match on a specific ICMP type. For example
  2929. a value of 8 refers to ICMP Echo Request (i.e. pings).
  2930. type: integer
  2931. type: object
  2932. ipVersion:
  2933. description: IPVersion is an optional field that restricts the
  2934. rule to only match a specific IP version.
  2935. type: integer
  2936. metadata:
  2937. description: Metadata contains additional information for this
  2938. rule
  2939. properties:
  2940. annotations:
  2941. additionalProperties:
  2942. type: string
  2943. description: Annotations is a set of key value pairs that
  2944. give extra information about the rule
  2945. type: object
  2946. type: object
  2947. notICMP:
  2948. description: NotICMP is the negated version of the ICMP field.
  2949. properties:
  2950. code:
  2951. description: Match on a specific ICMP code. If specified,
  2952. the Type value must also be specified. This is a technical
  2953. limitation imposed by the kernel's iptables firewall,
  2954. which Calico uses to enforce the rule.
  2955. type: integer
  2956. type:
  2957. description: Match on a specific ICMP type. For example
  2958. a value of 8 refers to ICMP Echo Request (i.e. pings).
  2959. type: integer
  2960. type: object
  2961. notProtocol:
  2962. anyOf:
  2963. - type: integer
  2964. - type: string
  2965. description: NotProtocol is the negated version of the Protocol
  2966. field.
  2967. pattern: ^.*
  2968. x-kubernetes-int-or-string: true
  2969. protocol:
  2970. anyOf:
  2971. - type: integer
  2972. - type: string
  2973. description: "Protocol is an optional field that restricts the
  2974. rule to only apply to traffic of a specific IP protocol. Required
  2975. if any of the EntityRules contain Ports (because ports only
  2976. apply to certain protocols). \n Must be one of these string
  2977. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
  2978. \"UDPLite\" or an integer in the range 1-255."
  2979. pattern: ^.*
  2980. x-kubernetes-int-or-string: true
  2981. source:
  2982. description: Source contains the match criteria that apply to
  2983. source entity.
  2984. properties:
  2985. namespaceSelector:
  2986. description: "NamespaceSelector is an optional field that
  2987. contains a selector expression. Only traffic that originates
  2988. from (or terminates at) endpoints within the selected
  2989. namespaces will be matched. When both NamespaceSelector
  2990. and Selector are defined on the same rule, then only workload
  2991. endpoints that are matched by both selectors will be selected
  2992. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
  2993. implies that the Selector is limited to selecting only
  2994. workload endpoints in the same namespace as the NetworkPolicy.
  2995. \n For NetworkPolicy, `global()` NamespaceSelector implies
  2996. that the Selector is limited to selecting only GlobalNetworkSet
  2997. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
  2998. NamespaceSelector implies the Selector applies to workload
  2999. endpoints across all namespaces."
  3000. type: string
  3001. nets:
  3002. description: Nets is an optional field that restricts the
  3003. rule to only apply to traffic that originates from (or
  3004. terminates at) IP addresses in any of the given subnets.
  3005. items:
  3006. type: string
  3007. type: array
  3008. notNets:
  3009. description: NotNets is the negated version of the Nets
  3010. field.
  3011. items:
  3012. type: string
  3013. type: array
  3014. notPorts:
  3015. description: NotPorts is the negated version of the Ports
  3016. field. Since only some protocols have ports, if any ports
  3017. are specified it requires the Protocol match in the Rule
  3018. to be set to "TCP" or "UDP".
  3019. items:
  3020. anyOf:
  3021. - type: integer
  3022. - type: string
  3023. pattern: ^.*
  3024. x-kubernetes-int-or-string: true
  3025. type: array
  3026. notSelector:
  3027. description: NotSelector is the negated version of the Selector
  3028. field. See Selector field for subtleties with negated
  3029. selectors.
  3030. type: string
  3031. ports:
  3032. description: "Ports is an optional field that restricts
  3033. the rule to only apply to traffic that has a source (destination)
  3034. port that matches one of these ranges/values. This value
  3035. is a list of integers or strings that represent ranges
  3036. of ports. \n Since only some protocols have ports, if
  3037. any ports are specified it requires the Protocol match
  3038. in the Rule to be set to \"TCP\" or \"UDP\"."
  3039. items:
  3040. anyOf:
  3041. - type: integer
  3042. - type: string
  3043. pattern: ^.*
  3044. x-kubernetes-int-or-string: true
  3045. type: array
  3046. selector:
  3047. description: "Selector is an optional field that contains
  3048. a selector expression (see Policy for sample syntax).
  3049. \ Only traffic that originates from (terminates at) endpoints
  3050. matching the selector will be matched. \n Note that: in
  3051. addition to the negated version of the Selector (see NotSelector
  3052. below), the selector expression syntax itself supports
  3053. negation. The two types of negation are subtly different.
  3054. One negates the set of matched endpoints, the other negates
  3055. the whole match: \n \tSelector = \"!has(my_label)\" matches
  3056. packets that are from other Calico-controlled \tendpoints
  3057. that do not have the label 鈥渕y_label鈥�. \n \tNotSelector
  3058. = \"has(my_label)\" matches packets that are not from
  3059. Calico-controlled \tendpoints that do have the label 鈥渕y_label鈥�.
  3060. \n The effect is that the latter will accept packets from
  3061. non-Calico sources whereas the former is limited to packets
  3062. from Calico-controlled endpoints."
  3063. type: string
  3064. serviceAccounts:
  3065. description: ServiceAccounts is an optional field that restricts
  3066. the rule to only apply to traffic that originates from
  3067. (or terminates at) a pod running as a matching service
  3068. account.
  3069. properties:
  3070. names:
  3071. description: Names is an optional field that restricts
  3072. the rule to only apply to traffic that originates
  3073. from (or terminates at) a pod running as a service
  3074. account whose name is in the list.
  3075. items:
  3076. type: string
  3077. type: array
  3078. selector:
  3079. description: Selector is an optional field that restricts
  3080. the rule to only apply to traffic that originates
  3081. from (or terminates at) a pod running as a service
  3082. account that matches the given label selector. If
  3083. both Names and Selector are specified then they are
  3084. AND'ed.
  3085. type: string
  3086. type: object
  3087. type: object
  3088. required:
  3089. - action
  3090. type: object
  3091. type: array
  3092. order:
  3093. description: Order is an optional field that specifies the order in
  3094. which the policy is applied. Policies with higher "order" are applied
  3095. after those with lower order. If the order is omitted, it may be
  3096. considered to be "infinite" - i.e. the policy will be applied last. Policies
  3097. with identical order will be applied in alphanumerical order based
  3098. on the Policy "Name".
  3099. type: number
  3100. selector:
  3101. description: "The selector is an expression used to pick pick out
  3102. the endpoints that the policy should be applied to. \n Selector
  3103. expressions follow this syntax: \n \tlabel == \"string_literal\"
  3104. \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
  3105. \ -> not equal; also matches if label is not present \tlabel in
  3106. { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
  3107. one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
  3108. ... } -> true if the value of label X is not one of \"a\", \"b\",
  3109. \"c\" \thas(label_name) -> True if that label is present \t! expr
  3110. -> negation of expr \texpr && expr -> Short-circuit and \texpr
  3111. || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
  3112. or the empty selector -> matches all endpoints. \n Label names are
  3113. allowed to contain alphanumerics, -, _ and /. String literals are
  3114. more permissive but they do not support escape characters. \n Examples
  3115. (with made-up labels): \n \ttype == \"webserver\" && deployment
  3116. == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
  3117. \"dev\" \t! has(label_name)"
  3118. type: string
  3119. serviceAccountSelector:
  3120. description: ServiceAccountSelector is an optional field for an expression
  3121. used to select a pod based on service accounts.
  3122. type: string
  3123. types:
  3124. description: "Types indicates whether this policy applies to ingress,
  3125. or to egress, or to both. When not explicitly specified (and so
  3126. the value on creation is empty or nil), Calico defaults Types according
  3127. to what Ingress and Egress are present in the policy. The default
  3128. is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
  3129. the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
  3130. ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
  3131. PolicyTypeEgress ], if there are both Ingress and Egress rules.
  3132. \n When the policy is read back again, Types will always be one
  3133. of these values, never empty or nil."
  3134. items:
  3135. description: PolicyType enumerates the possible values of the PolicySpec
  3136. Types field.
  3137. type: string
  3138. type: array
  3139. type: object
  3140. type: object
  3141. served: true
  3142. storage: true
  3143. status:
  3144. acceptedNames:
  3145. kind: ""
  3146. plural: ""
  3147. conditions: []
  3148. storedVersions: []
  3149. ---
  3150. apiVersion: apiextensions.k8s.io/v1
  3151. kind: CustomResourceDefinition
  3152. metadata:
  3153. name: networksets.crd.projectcalico.org
  3154. spec:
  3155. group: crd.projectcalico.org
  3156. names:
  3157. kind: NetworkSet
  3158. listKind: NetworkSetList
  3159. plural: networksets
  3160. singular: networkset
  3161. scope: Namespaced
  3162. versions:
  3163. - name: v1
  3164. schema:
  3165. openAPIV3Schema:
  3166. description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
  3167. properties:
  3168. apiVersion:
  3169. description: 'APIVersion defines the versioned schema of this representation
  3170. of an object. Servers should convert recognized schemas to the latest
  3171. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3172. type: string
  3173. kind:
  3174. description: 'Kind is a string value representing the REST resource this
  3175. object represents. Servers may infer this from the endpoint the client
  3176. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3177. type: string
  3178. metadata:
  3179. type: object
  3180. spec:
  3181. description: NetworkSetSpec contains the specification for a NetworkSet
  3182. resource.
  3183. properties:
  3184. nets:
  3185. description: The list of IP networks that belong to this set.
  3186. items:
  3187. type: string
  3188. type: array
  3189. type: object
  3190. type: object
  3191. served: true
  3192. storage: true
  3193. status:
  3194. acceptedNames:
  3195. kind: ""
  3196. plural: ""
  3197. conditions: []
  3198. storedVersions: []
  3199. ---
  3200. ---
  3201. # Source: calico/templates/calico-kube-controllers-rbac.yaml
  3202. # Include a clusterrole for the kube-controllers component,
  3203. # and bind it to the calico-kube-controllers serviceaccount.
  3204. kind: ClusterRole
  3205. apiVersion: rbac.authorization.k8s.io/v1
  3206. metadata:
  3207. name: calico-kube-controllers
  3208. rules:
  3209. # Nodes are watched to monitor for deletions.
  3210. - apiGroups: [""]
  3211. resources:
  3212. - nodes
  3213. verbs:
  3214. - watch
  3215. - list
  3216. - get
  3217. # Pods are queried to check for existence.
  3218. - apiGroups: [""]
  3219. resources:
  3220. - pods
  3221. verbs:
  3222. - get
  3223. # IPAM resources are manipulated when nodes are deleted.
  3224. - apiGroups: ["crd.projectcalico.org"]
  3225. resources:
  3226. - ippools
  3227. verbs:
  3228. - list
  3229. - apiGroups: ["crd.projectcalico.org"]
  3230. resources:
  3231. - blockaffinities
  3232. - ipamblocks
  3233. - ipamhandles
  3234. verbs:
  3235. - get
  3236. - list
  3237. - create
  3238. - update
  3239. - delete
  3240. # kube-controllers manages hostendpoints.
  3241. - apiGroups: ["crd.projectcalico.org"]
  3242. resources:
  3243. - hostendpoints
  3244. verbs:
  3245. - get
  3246. - list
  3247. - create
  3248. - update
  3249. - delete
  3250. # Needs access to update clusterinformations.
  3251. - apiGroups: ["crd.projectcalico.org"]
  3252. resources:
  3253. - clusterinformations
  3254. verbs:
  3255. - get
  3256. - create
  3257. - update
  3258. # KubeControllersConfiguration is where it gets its config
  3259. - apiGroups: ["crd.projectcalico.org"]
  3260. resources:
  3261. - kubecontrollersconfigurations
  3262. verbs:
  3263. # read its own config
  3264. - get
  3265. # create a default if none exists
  3266. - create
  3267. # update status
  3268. - update
  3269. # watch for changes
  3270. - watch
  3271. ---
  3272. kind: ClusterRoleBinding
  3273. apiVersion: rbac.authorization.k8s.io/v1
  3274. metadata:
  3275. name: calico-kube-controllers
  3276. roleRef:
  3277. apiGroup: rbac.authorization.k8s.io
  3278. kind: ClusterRole
  3279. name: calico-kube-controllers
  3280. subjects:
  3281. - kind: ServiceAccount
  3282. name: calico-kube-controllers
  3283. namespace: kube-system
  3284. ---
  3285. ---
  3286. # Source: calico/templates/calico-node-rbac.yaml
  3287. # Include a clusterrole for the calico-node DaemonSet,
  3288. # and bind it to the calico-node serviceaccount.
  3289. kind: ClusterRole
  3290. apiVersion: rbac.authorization.k8s.io/v1
  3291. metadata:
  3292. name: calico-node
  3293. rules:
  3294. # The CNI plugin needs to get pods, nodes, and namespaces.
  3295. - apiGroups: [""]
  3296. resources:
  3297. - pods
  3298. - nodes
  3299. - namespaces
  3300. verbs:
  3301. - get
  3302. - apiGroups: [""]
  3303. resources:
  3304. - endpoints
  3305. - services
  3306. verbs:
  3307. # Used to discover service IPs for advertisement.
  3308. - watch
  3309. - list
  3310. # Used to discover Typhas.
  3311. - get
  3312. # Pod CIDR auto-detection on kubeadm needs access to config maps.
  3313. - apiGroups: [""]
  3314. resources:
  3315. - configmaps
  3316. verbs:
  3317. - get
  3318. - apiGroups: [""]
  3319. resources:
  3320. - nodes/status
  3321. verbs:
  3322. # Needed for clearing NodeNetworkUnavailable flag.
  3323. - patch
  3324. # Calico stores some configuration information in node annotations.
  3325. - update
  3326. # Watch for changes to Kubernetes NetworkPolicies.
  3327. - apiGroups: ["networking.k8s.io"]
  3328. resources:
  3329. - networkpolicies
  3330. verbs:
  3331. - watch
  3332. - list
  3333. # Used by Calico for policy information.
  3334. - apiGroups: [""]
  3335. resources:
  3336. - pods
  3337. - namespaces
  3338. - serviceaccounts
  3339. verbs:
  3340. - list
  3341. - watch
  3342. # The CNI plugin patches pods/status.
  3343. - apiGroups: [""]
  3344. resources:
  3345. - pods/status
  3346. verbs:
  3347. - patch
  3348. # Calico monitors various CRDs for config.
  3349. - apiGroups: ["crd.projectcalico.org"]
  3350. resources:
  3351. - globalfelixconfigs
  3352. - felixconfigurations
  3353. - bgppeers
  3354. - globalbgpconfigs
  3355. - bgpconfigurations
  3356. - ippools
  3357. - ipamblocks
  3358. - globalnetworkpolicies
  3359. - globalnetworksets
  3360. - networkpolicies
  3361. - networksets
  3362. - clusterinformations
  3363. - hostendpoints
  3364. - blockaffinities
  3365. verbs:
  3366. - get
  3367. - list
  3368. - watch
  3369. # Calico must create and update some CRDs on startup.
  3370. - apiGroups: ["crd.projectcalico.org"]
  3371. resources:
  3372. - ippools
  3373. - felixconfigurations
  3374. - clusterinformations
  3375. verbs:
  3376. - create
  3377. - update
  3378. # Calico stores some configuration information on the node.
  3379. - apiGroups: [""]
  3380. resources:
  3381. - nodes
  3382. verbs:
  3383. - get
  3384. - list
  3385. - watch
  3386. # These permissions are only required for upgrade from v2.6, and can
  3387. # be removed after upgrade or on fresh installations.
  3388. - apiGroups: ["crd.projectcalico.org"]
  3389. resources:
  3390. - bgpconfigurations
  3391. - bgppeers
  3392. verbs:
  3393. - create
  3394. - update
  3395. # These permissions are required for Calico CNI to perform IPAM allocations.
  3396. - apiGroups: ["crd.projectcalico.org"]
  3397. resources:
  3398. - blockaffinities
  3399. - ipamblocks
  3400. - ipamhandles
  3401. verbs:
  3402. - get
  3403. - list
  3404. - create
  3405. - update
  3406. - delete
  3407. - apiGroups: ["crd.projectcalico.org"]
  3408. resources:
  3409. - ipamconfigs
  3410. verbs:
  3411. - get
  3412. # Block affinities must also be watchable by confd for route aggregation.
  3413. - apiGroups: ["crd.projectcalico.org"]
  3414. resources:
  3415. - blockaffinities
  3416. verbs:
  3417. - watch
  3418. # The Calico IPAM migration needs to get daemonsets. These permissions can be
  3419. # removed if not upgrading from an installation using host-local IPAM.
  3420. - apiGroups: ["apps"]
  3421. resources:
  3422. - daemonsets
  3423. verbs:
  3424. - get
  3425. ---
  3426. apiVersion: rbac.authorization.k8s.io/v1
  3427. kind: ClusterRoleBinding
  3428. metadata:
  3429. name: calico-node
  3430. roleRef:
  3431. apiGroup: rbac.authorization.k8s.io
  3432. kind: ClusterRole
  3433. name: calico-node
  3434. subjects:
  3435. - kind: ServiceAccount
  3436. name: calico-node
  3437. namespace: kube-system
  3438. ---
  3439. # Source: calico/templates/calico-node.yaml
  3440. # This manifest installs the calico-node container, as well
  3441. # as the CNI plugins and network config on
  3442. # each master and worker node in a Kubernetes cluster.
  3443. kind: DaemonSet
  3444. apiVersion: apps/v1
  3445. metadata:
  3446. name: calico-node
  3447. namespace: kube-system
  3448. labels:
  3449. k8s-app: calico-node
  3450. spec:
  3451. selector:
  3452. matchLabels:
  3453. k8s-app: calico-node
  3454. updateStrategy:
  3455. type: RollingUpdate
  3456. rollingUpdate:
  3457. maxUnavailable: 1
  3458. template:
  3459. metadata:
  3460. labels:
  3461. k8s-app: calico-node
  3462. spec:
  3463. nodeSelector:
  3464. kubernetes.io/os: linux
  3465. hostNetwork: true
  3466. tolerations:
  3467. # Make sure calico-node gets scheduled on all nodes.
  3468. - effect: NoSchedule
  3469. operator: Exists
  3470. # Mark the pod as a critical add-on for rescheduling.
  3471. - key: CriticalAddonsOnly
  3472. operator: Exists
  3473. - effect: NoExecute
  3474. operator: Exists
  3475. serviceAccountName: calico-node
  3476. # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
  3477. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
  3478. terminationGracePeriodSeconds: 0
  3479. priorityClassName: system-node-critical
  3480. initContainers:
  3481. # This container performs upgrade from host-local IPAM to calico-ipam.
  3482. # It can be deleted if this is a fresh installation, or if you have already
  3483. # upgraded to use calico-ipam.
  3484. - name: upgrade-ipam
  3485. image: docker.io/calico/cni:v3.17.1
  3486. command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
  3487. envFrom:
  3488. - configMapRef:
  3489. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  3490. name: kubernetes-services-endpoint
  3491. optional: true
  3492. env:
  3493. - name: KUBERNETES_NODE_NAME
  3494. valueFrom:
  3495. fieldRef:
  3496. fieldPath: spec.nodeName
  3497. - name: CALICO_NETWORKING_BACKEND
  3498. valueFrom:
  3499. configMapKeyRef:
  3500. name: calico-config
  3501. key: calico_backend
  3502. volumeMounts:
  3503. - mountPath: /var/lib/cni/networks
  3504. name: host-local-net-dir
  3505. - mountPath: /host/opt/cni/bin
  3506. name: cni-bin-dir
  3507. securityContext:
  3508. privileged: true
  3509. # This container installs the CNI binaries
  3510. # and CNI network config file on each node.
  3511. - name: install-cni
  3512. image: docker.io/calico/cni:v3.17.1
  3513. command: ["/opt/cni/bin/install"]
  3514. envFrom:
  3515. - configMapRef:
  3516. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  3517. name: kubernetes-services-endpoint
  3518. optional: true
  3519. env:
  3520. # Name of the CNI config file to create.
  3521. - name: CNI_CONF_NAME
  3522. value: "10-calico.conflist"
  3523. # The CNI network config to install on each node.
  3524. - name: CNI_NETWORK_CONFIG
  3525. valueFrom:
  3526. configMapKeyRef:
  3527. name: calico-config
  3528. key: cni_network_config
  3529. # Set the hostname based on the k8s node name.
  3530. - name: KUBERNETES_NODE_NAME
  3531. valueFrom:
  3532. fieldRef:
  3533. fieldPath: spec.nodeName
  3534. # CNI MTU Config variable
  3535. - name: CNI_MTU
  3536. valueFrom:
  3537. configMapKeyRef:
  3538. name: calico-config
  3539. key: veth_mtu
  3540. # Prevents the container from sleeping forever.
  3541. - name: SLEEP
  3542. value: "false"
  3543. volumeMounts:
  3544. - mountPath: /host/opt/cni/bin
  3545. name: cni-bin-dir
  3546. - mountPath: /host/etc/cni/net.d
  3547. name: cni-net-dir
  3548. securityContext:
  3549. privileged: true
  3550. # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
  3551. # to communicate with Felix over the Policy Sync API.
  3552. - name: flexvol-driver
  3553. image: docker.io/calico/pod2daemon-flexvol:v3.17.1
  3554. volumeMounts:
  3555. - name: flexvol-driver-host
  3556. mountPath: /host/driver
  3557. securityContext:
  3558. privileged: true
  3559. containers:
  3560. # Runs calico-node container on each Kubernetes node. This
  3561. # container programs network policy and routes on each
  3562. # host.
  3563. - name: calico-node
  3564. image: docker.io/calico/node:v3.17.1
  3565. envFrom:
  3566. - configMapRef:
  3567. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
  3568. name: kubernetes-services-endpoint
  3569. optional: true
  3570. env:
  3571. # Use Kubernetes API as the backing datastore.
  3572. - name: DATASTORE_TYPE
  3573. value: "kubernetes"
  3574. # Wait for the datastore.
  3575. - name: WAIT_FOR_DATASTORE
  3576. value: "true"
  3577. # Set based on the k8s node name.
  3578. - name: NODENAME
  3579. valueFrom:
  3580. fieldRef:
  3581. fieldPath: spec.nodeName
  3582. # Choose the backend to use.
  3583. - name: CALICO_NETWORKING_BACKEND
  3584. valueFrom:
  3585. configMapKeyRef:
  3586. name: calico-config
  3587. key: calico_backend
  3588. # Cluster type to identify the deployment type
  3589. - name: CLUSTER_TYPE
  3590. value: "k8s,bgp"
  3591. # Auto-detect the BGP IP address.
  3592. - name: IP
  3593. value: "autodetect"
  3594. # Enable IPIP
  3595. - name: CALICO_IPV4POOL_IPIP
  3596. value: "Always"
  3597. # Enable or Disable VXLAN on the default IP pool.
  3598. - name: CALICO_IPV4POOL_VXLAN
  3599. value: "Never"
  3600. # Set MTU for tunnel device used if ipip is enabled
  3601. - name: FELIX_IPINIPMTU
  3602. valueFrom:
  3603. configMapKeyRef:
  3604. name: calico-config
  3605. key: veth_mtu
  3606. # Set MTU for the VXLAN tunnel device.
  3607. - name: FELIX_VXLANMTU
  3608. valueFrom:
  3609. configMapKeyRef:
  3610. name: calico-config
  3611. key: veth_mtu
  3612. # Set MTU for the Wireguard tunnel device.
  3613. - name: FELIX_WIREGUARDMTU
  3614. valueFrom:
  3615. configMapKeyRef:
  3616. name: calico-config
  3617. key: veth_mtu
  3618. - name: IP_AUTODETECTION_METHOD
  3619. value: "interface=eth0"
  3620. # The default IPv4 pool to create on startup if none exists. Pod IPs will be
  3621. # chosen from this range. Changing this value after installation will have
  3622. # no effect. This should fall within `--cluster-cidr`.
  3623. - name: CALICO_IPV4POOL_CIDR
  3624. value: "10.244.0.0/16"
  3625. # Disable file logging so `kubectl logs` works.
  3626. - name: CALICO_DISABLE_FILE_LOGGING
  3627. value: "true"
  3628. # Set Felix endpoint to host default action to ACCEPT.
  3629. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
  3630. value: "ACCEPT"
  3631. # Disable IPv6 on Kubernetes.
  3632. - name: FELIX_IPV6SUPPORT
  3633. value: "false"
  3634. # Set Felix logging to "info"
  3635. - name: FELIX_LOGSEVERITYSCREEN
  3636. value: "info"
  3637. - name: FELIX_HEALTHENABLED
  3638. value: "true"
  3639. securityContext:
  3640. privileged: true
  3641. resources:
  3642. requests:
  3643. cpu: 250m
  3644. livenessProbe:
  3645. exec:
  3646. command:
  3647. - /bin/calico-node
  3648. - -felix-live
  3649. - -bird-live
  3650. periodSeconds: 10
  3651. initialDelaySeconds: 10
  3652. failureThreshold: 6
  3653. readinessProbe:
  3654. exec:
  3655. command:
  3656. - /bin/calico-node
  3657. - -felix-ready
  3658. - -bird-ready
  3659. periodSeconds: 10
  3660. volumeMounts:
  3661. - mountPath: /lib/modules
  3662. name: lib-modules
  3663. readOnly: true
  3664. - mountPath: /run/xtables.lock
  3665. name: xtables-lock
  3666. readOnly: false
  3667. - mountPath: /var/run/calico
  3668. name: var-run-calico
  3669. readOnly: false
  3670. - mountPath: /var/lib/calico
  3671. name: var-lib-calico
  3672. readOnly: false
  3673. - name: policysync
  3674. mountPath: /var/run/nodeagent
  3675. # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
  3676. # parent directory.
  3677. - name: sysfs
  3678. mountPath: /sys/fs/
  3679. # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
  3680. # If the host is known to mount that filesystem already then Bidirectional can be omitted.
  3681. mountPropagation: Bidirectional
  3682. - name: cni-log-dir
  3683. mountPath: /var/log/calico/cni
  3684. readOnly: true
  3685. volumes:
  3686. # Used by calico-node.
  3687. - name: lib-modules
  3688. hostPath:
  3689. path: /lib/modules
  3690. - name: var-run-calico
  3691. hostPath:
  3692. path: /var/run/calico
  3693. - name: var-lib-calico
  3694. hostPath:
  3695. path: /var/lib/calico
  3696. - name: xtables-lock
  3697. hostPath:
  3698. path: /run/xtables.lock
  3699. type: FileOrCreate
  3700. - name: sysfs
  3701. hostPath:
  3702. path: /sys/fs/
  3703. type: DirectoryOrCreate
  3704. # Used to install CNI.
  3705. - name: cni-bin-dir
  3706. hostPath:
  3707. path: /opt/cni/bin
  3708. - name: cni-net-dir
  3709. hostPath:
  3710. path: /etc/cni/net.d
  3711. # Used to access CNI logs.
  3712. - name: cni-log-dir
  3713. hostPath:
  3714. path: /var/log/calico/cni
  3715. # Mount in the directory for host-local IPAM allocations. This is
  3716. # used when upgrading from host-local to calico-ipam, and can be removed
  3717. # if not using the upgrade-ipam init container.
  3718. - name: host-local-net-dir
  3719. hostPath:
  3720. path: /var/lib/cni/networks
  3721. # Used to create per-pod Unix Domain Sockets
  3722. - name: policysync
  3723. hostPath:
  3724. type: DirectoryOrCreate
  3725. path: /var/run/nodeagent
  3726. # Used to install Flex Volume Driver
  3727. - name: flexvol-driver-host
  3728. hostPath:
  3729. type: DirectoryOrCreate
  3730. path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
  3731. ---
  3732. apiVersion: v1
  3733. kind: ServiceAccount
  3734. metadata:
  3735. name: calico-node
  3736. namespace: kube-system
  3737. ---
  3738. # Source: calico/templates/calico-kube-controllers.yaml
  3739. # See https://github.com/projectcalico/kube-controllers
  3740. apiVersion: apps/v1
  3741. kind: Deployment
  3742. metadata:
  3743. name: calico-kube-controllers
  3744. namespace: kube-system
  3745. labels:
  3746. k8s-app: calico-kube-controllers
  3747. spec:
  3748. # The controllers can only have a single active instance.
  3749. replicas: 1
  3750. selector:
  3751. matchLabels:
  3752. k8s-app: calico-kube-controllers
  3753. strategy:
  3754. type: Recreate
  3755. template:
  3756. metadata:
  3757. name: calico-kube-controllers
  3758. namespace: kube-system
  3759. labels:
  3760. k8s-app: calico-kube-controllers
  3761. spec:
  3762. nodeSelector:
  3763. kubernetes.io/os: linux
  3764. tolerations:
  3765. # Mark the pod as a critical add-on for rescheduling.
  3766. - key: CriticalAddonsOnly
  3767. operator: Exists
  3768. - key: node-role.kubernetes.io/master
  3769. effect: NoSchedule
  3770. serviceAccountName: calico-kube-controllers
  3771. priorityClassName: system-cluster-critical
  3772. containers:
  3773. - name: calico-kube-controllers
  3774. image: docker.io/calico/kube-controllers:v3.17.1
  3775. env:
  3776. # Choose which controllers to run.
  3777. - name: ENABLED_CONTROLLERS
  3778. value: node
  3779. - name: DATASTORE_TYPE
  3780. value: kubernetes
  3781. readinessProbe:
  3782. exec:
  3783. command:
  3784. - /usr/bin/check-status
  3785. - -r
  3786. ---
  3787. apiVersion: v1
  3788. kind: ServiceAccount
  3789. metadata:
  3790. name: calico-kube-controllers
  3791. namespace: kube-system
  3792. ---
  3793. # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
  3794. apiVersion: policy/v1beta1
  3795. kind: PodDisruptionBudget
  3796. metadata:
  3797. name: calico-kube-controllers
  3798. namespace: kube-system
  3799. labels:
  3800. k8s-app: calico-kube-controllers
  3801. spec:
  3802. maxUnavailable: 1
  3803. selector:
  3804. matchLabels:
  3805. k8s-app: calico-kube-controllers
  3806. ---
  3807. # Source: calico/templates/calico-etcd-secrets.yaml
  3808. ---
  3809. # Source: calico/templates/calico-typha.yaml
  3810. ---
  3811. # Source: calico/templates/configure-canal.yaml
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/weixin_40725706/article/detail/712789
推荐阅读
相关标签
  

闽ICP备14008679号