github.com/alibaba/sealer@v0.8.6-0.20220430115802-37a2bdaa8173/applications/calico/etc/tigera-operator.yaml (about) 1 # Copyright © 2021 Alibaba Group Holding Ltd. 2 # 3 # Licensed under the Apache License, Version 2.0 (the "License"); 4 # you may not use this file except in compliance with the License. 5 # You may obtain a copy of the License at 6 # 7 # http://www.apache.org/licenses/LICENSE-2.0 8 # 9 # Unless required by applicable law or agreed to in writing, software 10 # distributed under the License is distributed on an "AS IS" BASIS, 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 # See the License for the specific language governing permissions and 13 # limitations under the License. 14 15 --- 16 # Source: crds/calico/kdd/crd.projectcalico.org_bgpconfigurations.yaml 17 apiVersion: apiextensions.k8s.io/v1 18 kind: CustomResourceDefinition 19 metadata: 20 name: bgpconfigurations.crd.projectcalico.org 21 spec: 22 group: crd.projectcalico.org 23 names: 24 kind: BGPConfiguration 25 listKind: BGPConfigurationList 26 plural: bgpconfigurations 27 singular: bgpconfiguration 28 scope: Cluster 29 versions: 30 - name: v1 31 schema: 32 openAPIV3Schema: 33 description: BGPConfiguration contains the configuration for any BGP routing. 34 properties: 35 apiVersion: 36 description: 'APIVersion defines the versioned schema of this representation 37 of an object. Servers should convert recognized schemas to the latest 38 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 39 type: string 40 kind: 41 description: 'Kind is a string value representing the REST resource this 42 object represents. Servers may infer this from the endpoint the client 43 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 44 type: string 45 metadata: 46 type: object 47 spec: 48 description: BGPConfigurationSpec contains the values of the BGP configuration. 49 properties: 50 asNumber: 51 description: 'ASNumber is the default AS number used by a node. [Default: 52 64512]' 53 format: int32 54 type: integer 55 communities: 56 description: Communities is a list of BGP community values and their 57 arbitrary names for tagging routes. 58 items: 59 description: Community contains standard or large community value 60 and its name. 61 properties: 62 name: 63 description: Name given to community value. 64 type: string 65 value: 66 description: Value must be of format `aa:nn` or `aa:nn:mm`. 67 For standard community use `aa:nn` format, where `aa` and 68 `nn` are 16 bit number. For large community use `aa:nn:mm` 69 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 70 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. 71 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 72 type: string 73 type: object 74 type: array 75 listenPort: 76 description: ListenPort is the port where BGP protocol should listen. 77 Defaults to 179 78 maximum: 65535 79 minimum: 1 80 type: integer 81 logSeverityScreen: 82 description: 'LogSeverityScreen is the log severity above which logs 83 are sent to the stdout. [Default: INFO]' 84 type: string 85 nodeToNodeMeshEnabled: 86 description: 'NodeToNodeMeshEnabled sets whether full node to node 87 BGP mesh is enabled. [Default: true]' 88 type: boolean 89 prefixAdvertisements: 90 description: PrefixAdvertisements contains per-prefix advertisement 91 configuration. 92 items: 93 description: PrefixAdvertisement configures advertisement properties 94 for the specified CIDR. 95 properties: 96 cidr: 97 description: CIDR for which properties should be advertised. 98 type: string 99 communities: 100 description: Communities can be list of either community names 101 already defined in `Specs.Communities` or community value 102 of format `aa:nn` or `aa:nn:mm`. For standard community use 103 `aa:nn` format, where `aa` and `nn` are 16 bit number. For 104 large community use `aa:nn:mm` format, where `aa`, `nn` and 105 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 106 `mm` are per-AS identifier. 107 items: 108 type: string 109 type: array 110 type: object 111 type: array 112 serviceClusterIPs: 113 description: ServiceClusterIPs are the CIDR blocks from which service 114 cluster IPs are allocated. If specified, Calico will advertise these 115 blocks, as well as any cluster IPs within them. 116 items: 117 description: ServiceClusterIPBlock represents a single allowed ClusterIP 118 CIDR block. 119 properties: 120 cidr: 121 type: string 122 type: object 123 type: array 124 serviceExternalIPs: 125 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 126 Service External IPs. Kubernetes Service ExternalIPs will only be 127 advertised if they are within one of these blocks. 128 items: 129 description: ServiceExternalIPBlock represents a single allowed 130 External IP CIDR block. 131 properties: 132 cidr: 133 type: string 134 type: object 135 type: array 136 serviceLoadBalancerIPs: 137 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 138 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 139 IPs will only be advertised if they are within one of these blocks. 140 items: 141 description: ServiceLoadBalancerIPBlock represents a single allowed 142 LoadBalancer IP CIDR block. 143 properties: 144 cidr: 145 type: string 146 type: object 147 type: array 148 type: object 149 type: object 150 served: true 151 storage: true 152 status: 153 acceptedNames: 154 kind: "" 155 plural: "" 156 conditions: [] 157 storedVersions: [] 158 159 --- 160 # Source: crds/calico/kdd/crd.projectcalico.org_bgppeers.yaml 161 apiVersion: apiextensions.k8s.io/v1 162 kind: CustomResourceDefinition 163 metadata: 164 name: bgppeers.crd.projectcalico.org 165 spec: 166 group: crd.projectcalico.org 167 names: 168 kind: BGPPeer 169 listKind: BGPPeerList 170 plural: bgppeers 171 singular: bgppeer 172 scope: Cluster 173 versions: 174 - name: v1 175 schema: 176 openAPIV3Schema: 177 properties: 178 apiVersion: 179 description: 'APIVersion defines the versioned schema of this representation 180 of an object. Servers should convert recognized schemas to the latest 181 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 182 type: string 183 kind: 184 description: 'Kind is a string value representing the REST resource this 185 object represents. Servers may infer this from the endpoint the client 186 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 187 type: string 188 metadata: 189 type: object 190 spec: 191 description: BGPPeerSpec contains the specification for a BGPPeer resource. 192 properties: 193 asNumber: 194 description: The AS Number of the peer. 195 format: int32 196 type: integer 197 keepOriginalNextHop: 198 description: Option to keep the original nexthop field when routes 199 are sent to a BGP Peer. Setting "true" configures the selected BGP 200 Peers node to use the "next hop keep;" instead of "next hop self;"(default) 201 in the specific branch of the Node on "bird.cfg". 202 type: boolean 203 maxRestartTime: 204 description: Time to allow for software restart. When specified, 205 this is configured as the graceful restart timeout. When not specified, 206 the BIRD default of 120s is used. 207 type: string 208 node: 209 description: The node name identifying the Calico node instance that 210 is targeted by this peer. If this is not set, and no nodeSelector 211 is specified, then this BGP peer selects all nodes in the cluster. 212 type: string 213 nodeSelector: 214 description: Selector for the nodes that should have this peering. When 215 this is set, the Node field must be empty. 216 type: string 217 password: 218 description: Optional BGP password for the peerings generated by this 219 BGPPeer resource. 220 properties: 221 secretKeyRef: 222 description: Selects a key of a secret in the node pod's namespace. 223 properties: 224 key: 225 description: The key of the secret to select from. Must be 226 a valid secret key. 227 type: string 228 name: 229 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 230 TODO: Add other useful fields. apiVersion, kind, uid?' 231 type: string 232 optional: 233 description: Specify whether the Secret or its key must be 234 defined 235 type: boolean 236 required: 237 - key 238 type: object 239 type: object 240 peerIP: 241 description: The IP address of the peer followed by an optional port 242 number to peer with. If port number is given, format should be `[<IPv6>]:port` 243 or `<IPv4>:<port>` for IPv4. If optional port number is not set, 244 and this peer IP and ASNumber belongs to a calico/node with ListenPort 245 set in BGPConfiguration, then we use that port to peer. 246 type: string 247 peerSelector: 248 description: Selector for the remote nodes to peer with. When this 249 is set, the PeerIP and ASNumber fields must be empty. For each 250 peering between the local node and selected remote nodes, we configure 251 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, 252 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The 253 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, 254 or the global default if that is not set. 255 type: string 256 sourceAddress: 257 description: Specifies whether and how to configure a source address 258 for the peerings generated by this BGPPeer resource. Default value 259 "UseNodeIP" means to configure the node IP as the source address. "None" 260 means not to configure a source address. 261 type: string 262 type: object 263 type: object 264 served: true 265 storage: true 266 status: 267 acceptedNames: 268 kind: "" 269 plural: "" 270 conditions: [] 271 storedVersions: [] 272 273 --- 274 # Source: crds/calico/kdd/crd.projectcalico.org_blockaffinities.yaml 275 apiVersion: apiextensions.k8s.io/v1 276 kind: CustomResourceDefinition 277 metadata: 278 name: blockaffinities.crd.projectcalico.org 279 spec: 280 group: crd.projectcalico.org 281 names: 282 kind: BlockAffinity 283 listKind: BlockAffinityList 284 plural: blockaffinities 285 singular: blockaffinity 286 scope: Cluster 287 versions: 288 - name: v1 289 schema: 290 openAPIV3Schema: 291 properties: 292 apiVersion: 293 description: 'APIVersion defines the versioned schema of this representation 294 of an object. Servers should convert recognized schemas to the latest 295 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 296 type: string 297 kind: 298 description: 'Kind is a string value representing the REST resource this 299 object represents. Servers may infer this from the endpoint the client 300 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 301 type: string 302 metadata: 303 type: object 304 spec: 305 description: BlockAffinitySpec contains the specification for a BlockAffinity 306 resource. 307 properties: 308 cidr: 309 type: string 310 deleted: 311 description: Deleted indicates that this block affinity is being deleted. 312 This field is a string for compatibility with older releases that 313 mistakenly treat this field as a string. 314 type: string 315 node: 316 type: string 317 state: 318 type: string 319 required: 320 - cidr 321 - deleted 322 - node 323 - state 324 type: object 325 type: object 326 served: true 327 storage: true 328 status: 329 acceptedNames: 330 kind: "" 331 plural: "" 332 conditions: [] 333 storedVersions: [] 334 335 --- 336 # Source: crds/calico/kdd/crd.projectcalico.org_caliconodestatuses.yaml 337 338 --- 339 apiVersion: apiextensions.k8s.io/v1 340 kind: CustomResourceDefinition 341 metadata: 342 annotations: 343 controller-gen.kubebuilder.io/version: (devel) 344 creationTimestamp: null 345 name: caliconodestatuses.crd.projectcalico.org 346 spec: 347 group: crd.projectcalico.org 348 names: 349 kind: CalicoNodeStatus 350 listKind: CalicoNodeStatusList 351 plural: caliconodestatuses 352 singular: caliconodestatus 353 scope: Cluster 354 versions: 355 - name: v1 356 schema: 357 openAPIV3Schema: 358 properties: 359 apiVersion: 360 description: 'APIVersion defines the versioned schema of this representation 361 of an object. Servers should convert recognized schemas to the latest 362 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 363 type: string 364 kind: 365 description: 'Kind is a string value representing the REST resource this 366 object represents. Servers may infer this from the endpoint the client 367 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 368 type: string 369 metadata: 370 type: object 371 spec: 372 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 373 resource. 374 properties: 375 classes: 376 description: Classes declares the types of information to monitor 377 for this calico/node, and allows for selective status reporting 378 about certain subsets of information. 379 items: 380 type: string 381 type: array 382 node: 383 description: The node name identifies the Calico node instance for 384 node status. 385 type: string 386 updatePeriodSeconds: 387 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 388 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 389 Maximum update period is one day. 390 format: int32 391 type: integer 392 type: object 393 status: 394 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 395 No validation needed for status since it is updated by Calico. 396 properties: 397 agent: 398 description: Agent holds agent status on the node. 399 properties: 400 birdV4: 401 description: BIRDV4 represents the latest observed status of bird4. 402 properties: 403 lastBootTime: 404 description: LastBootTime holds the value of lastBootTime 405 from bird.ctl output. 406 type: string 407 lastReconfigurationTime: 408 description: LastReconfigurationTime holds the value of lastReconfigTime 409 from bird.ctl output. 410 type: string 411 routerID: 412 description: Router ID used by bird. 413 type: string 414 state: 415 description: The state of the BGP Daemon. 416 type: string 417 version: 418 description: Version of the BGP daemon 419 type: string 420 type: object 421 birdV6: 422 description: BIRDV6 represents the latest observed status of bird6. 423 properties: 424 lastBootTime: 425 description: LastBootTime holds the value of lastBootTime 426 from bird.ctl output. 427 type: string 428 lastReconfigurationTime: 429 description: LastReconfigurationTime holds the value of lastReconfigTime 430 from bird.ctl output. 431 type: string 432 routerID: 433 description: Router ID used by bird. 434 type: string 435 state: 436 description: The state of the BGP Daemon. 437 type: string 438 version: 439 description: Version of the BGP daemon 440 type: string 441 type: object 442 type: object 443 bgp: 444 description: BGP holds node BGP status. 445 properties: 446 numberEstablishedV4: 447 description: The total number of IPv4 established bgp sessions. 448 type: integer 449 numberEstablishedV6: 450 description: The total number of IPv6 established bgp sessions. 451 type: integer 452 numberNotEstablishedV4: 453 description: The total number of IPv4 non-established bgp sessions. 454 type: integer 455 numberNotEstablishedV6: 456 description: The total number of IPv6 non-established bgp sessions. 457 type: integer 458 peersV4: 459 description: PeersV4 represents IPv4 BGP peers status on the node. 460 items: 461 description: CalicoNodePeer contains the status of BGP peers 462 on the node. 463 properties: 464 peerIP: 465 description: IP address of the peer whose condition we are 466 reporting. 467 type: string 468 since: 469 description: Since the state or reason last changed. 470 type: string 471 state: 472 description: State is the BGP session state. 473 type: string 474 type: 475 description: Type indicates whether this peer is configured 476 via the node-to-node mesh, or via en explicit global or 477 per-node BGPPeer object. 478 type: string 479 type: object 480 type: array 481 peersV6: 482 description: PeersV6 represents IPv6 BGP peers status on the node. 483 items: 484 description: CalicoNodePeer contains the status of BGP peers 485 on the node. 486 properties: 487 peerIP: 488 description: IP address of the peer whose condition we are 489 reporting. 490 type: string 491 since: 492 description: Since the state or reason last changed. 493 type: string 494 state: 495 description: State is the BGP session state. 496 type: string 497 type: 498 description: Type indicates whether this peer is configured 499 via the node-to-node mesh, or via en explicit global or 500 per-node BGPPeer object. 501 type: string 502 type: object 503 type: array 504 required: 505 - numberEstablishedV4 506 - numberEstablishedV6 507 - numberNotEstablishedV4 508 - numberNotEstablishedV6 509 type: object 510 lastUpdated: 511 description: LastUpdated is a timestamp representing the server time 512 when CalicoNodeStatus object last updated. It is represented in 513 RFC3339 form and is in UTC. 514 format: date-time 515 nullable: true 516 type: string 517 routes: 518 description: Routes reports routes known to the Calico BGP daemon 519 on the node. 520 properties: 521 routesV4: 522 description: RoutesV4 represents IPv4 routes on the node. 523 items: 524 description: CalicoNodeRoute contains the status of BGP routes 525 on the node. 526 properties: 527 destination: 528 description: Destination of the route. 529 type: string 530 gateway: 531 description: Gateway for the destination. 532 type: string 533 interface: 534 description: Interface for the destination 535 type: string 536 learnedFrom: 537 description: LearnedFrom contains information regarding 538 where this route originated. 539 properties: 540 peerIP: 541 description: If sourceType is NodeMesh or BGPPeer, IP 542 address of the router that sent us this route. 543 type: string 544 sourceType: 545 description: Type of the source where a route is learned 546 from. 547 type: string 548 type: object 549 type: 550 description: Type indicates if the route is being used for 551 forwarding or not. 552 type: string 553 type: object 554 type: array 555 routesV6: 556 description: RoutesV6 represents IPv6 routes on the node. 557 items: 558 description: CalicoNodeRoute contains the status of BGP routes 559 on the node. 560 properties: 561 destination: 562 description: Destination of the route. 563 type: string 564 gateway: 565 description: Gateway for the destination. 566 type: string 567 interface: 568 description: Interface for the destination 569 type: string 570 learnedFrom: 571 description: LearnedFrom contains information regarding 572 where this route originated. 573 properties: 574 peerIP: 575 description: If sourceType is NodeMesh or BGPPeer, IP 576 address of the router that sent us this route. 577 type: string 578 sourceType: 579 description: Type of the source where a route is learned 580 from. 581 type: string 582 type: object 583 type: 584 description: Type indicates if the route is being used for 585 forwarding or not. 586 type: string 587 type: object 588 type: array 589 type: object 590 type: object 591 type: object 592 served: true 593 storage: true 594 status: 595 acceptedNames: 596 kind: "" 597 plural: "" 598 conditions: [] 599 storedVersions: [] 600 601 --- 602 # Source: crds/calico/kdd/crd.projectcalico.org_clusterinformations.yaml 603 apiVersion: apiextensions.k8s.io/v1 604 kind: CustomResourceDefinition 605 metadata: 606 name: clusterinformations.crd.projectcalico.org 607 spec: 608 group: crd.projectcalico.org 609 names: 610 kind: ClusterInformation 611 listKind: ClusterInformationList 612 plural: clusterinformations 613 singular: clusterinformation 614 scope: Cluster 615 versions: 616 - name: v1 617 schema: 618 openAPIV3Schema: 619 description: ClusterInformation contains the cluster specific information. 620 properties: 621 apiVersion: 622 description: 'APIVersion defines the versioned schema of this representation 623 of an object. Servers should convert recognized schemas to the latest 624 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 625 type: string 626 kind: 627 description: 'Kind is a string value representing the REST resource this 628 object represents. Servers may infer this from the endpoint the client 629 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 630 type: string 631 metadata: 632 type: object 633 spec: 634 description: ClusterInformationSpec contains the values of describing 635 the cluster. 636 properties: 637 calicoVersion: 638 description: CalicoVersion is the version of Calico that the cluster 639 is running 640 type: string 641 clusterGUID: 642 description: ClusterGUID is the GUID of the cluster 643 type: string 644 clusterType: 645 description: ClusterType describes the type of the cluster 646 type: string 647 datastoreReady: 648 description: DatastoreReady is used during significant datastore migrations 649 to signal to components such as Felix that it should wait before 650 accessing the datastore. 651 type: boolean 652 variant: 653 description: Variant declares which variant of Calico should be active. 654 type: string 655 type: object 656 type: object 657 served: true 658 storage: true 659 status: 660 acceptedNames: 661 kind: "" 662 plural: "" 663 conditions: [] 664 storedVersions: [] 665 666 --- 667 # Source: crds/calico/kdd/crd.projectcalico.org_felixconfigurations.yaml 668 apiVersion: apiextensions.k8s.io/v1 669 kind: CustomResourceDefinition 670 metadata: 671 name: felixconfigurations.crd.projectcalico.org 672 spec: 673 group: crd.projectcalico.org 674 names: 675 kind: FelixConfiguration 676 listKind: FelixConfigurationList 677 plural: felixconfigurations 678 singular: felixconfiguration 679 scope: Cluster 680 versions: 681 - name: v1 682 schema: 683 openAPIV3Schema: 684 description: Felix Configuration contains the configuration for Felix. 685 properties: 686 apiVersion: 687 description: 'APIVersion defines the versioned schema of this representation 688 of an object. Servers should convert recognized schemas to the latest 689 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 690 type: string 691 kind: 692 description: 'Kind is a string value representing the REST resource this 693 object represents. Servers may infer this from the endpoint the client 694 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 695 type: string 696 metadata: 697 type: object 698 spec: 699 description: FelixConfigurationSpec contains the values of the Felix configuration. 700 properties: 701 allowIPIPPacketsFromWorkloads: 702 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix 703 will add a rule to drop IPIP encapsulated traffic from workloads 704 [Default: false]' 705 type: boolean 706 allowVXLANPacketsFromWorkloads: 707 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix 708 will add a rule to drop VXLAN encapsulated traffic from workloads 709 [Default: false]' 710 type: boolean 711 awsSrcDstCheck: 712 description: 'Set source-destination-check on AWS EC2 instances. Accepted 713 value must be one of "DoNothing", "Enable" or "Disable". [Default: 714 DoNothing]' 715 enum: 716 - DoNothing 717 - Enable 718 - Disable 719 type: string 720 bpfConnectTimeLoadBalancingEnabled: 721 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, 722 controls whether Felix installs the connection-time load balancer. The 723 connect-time load balancer is required for the host to be able to 724 reach Kubernetes services and it improves the performance of pod-to-service 725 connections. The only reason to disable it is for debugging purposes. [Default: 726 true]' 727 type: boolean 728 bpfDataIfacePattern: 729 description: BPFDataIfacePattern is a regular expression that controls 730 which interfaces Felix should attach BPF programs to in order to 731 catch traffic to/from the network. This needs to match the interfaces 732 that Calico workload traffic flows over as well as any interfaces 733 that handle incoming traffic to nodeports and services from outside 734 the cluster. It should not match the workload interfaces (usually 735 named cali...). 736 type: string 737 bpfDisableUnprivileged: 738 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 739 sysctl to disable unprivileged use of BPF. This ensures that unprivileged 740 users cannot access Calico''s BPF maps and cannot insert their own 741 BPF programs to interfere with Calico''s. [Default: true]' 742 type: boolean 743 bpfEnabled: 744 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. 745 [Default: false]' 746 type: boolean 747 bpfExtToServiceConnmark: 748 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 749 mark that is set on connections from an external client to a local 750 service. This mark allows us to control how packets of that connection 751 are routed within the host and how is routing intepreted by RPF 752 check. [Default: 0]' 753 type: integer 754 bpfExternalServiceMode: 755 description: 'BPFExternalServiceMode in BPF mode, controls how connections 756 from outside the cluster to services (node ports and cluster IPs) 757 are forwarded to remote workloads. If set to "Tunnel" then both 758 request and response traffic is tunneled to the remote node. If 759 set to "DSR", the request traffic is tunneled but the response traffic 760 is sent directly from the remote node. In "DSR" mode, the remote 761 node appears to use the IP of the ingress node; this requires a 762 permissive L2 network. [Default: Tunnel]' 763 type: string 764 bpfKubeProxyEndpointSlicesEnabled: 765 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls 766 whether Felix's embedded kube-proxy accepts EndpointSlices or not. 767 type: boolean 768 bpfKubeProxyIptablesCleanupEnabled: 769 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 770 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s 771 iptables chains. Should only be enabled if kube-proxy is not running. [Default: 772 true]' 773 type: boolean 774 bpfKubeProxyMinSyncPeriod: 775 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the 776 minimum time between updates to the dataplane for Felix''s embedded 777 kube-proxy. Lower values give reduced set-up latency. Higher values 778 reduce Felix CPU usage by batching up more work. [Default: 1s]' 779 type: string 780 bpfLogLevel: 781 description: 'BPFLogLevel controls the log level of the BPF programs 782 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 783 logs are emitted to the BPF trace pipe, accessible with the command 784 `tc exec bpf debug`. [Default: Off].' 785 type: string 786 chainInsertMode: 787 description: 'ChainInsertMode controls whether Felix hooks the kernel''s 788 top-level iptables chains by inserting a rule at the top of the 789 chain or by appending a rule at the bottom. insert is the safe default 790 since it prevents Calico''s rules from being bypassed. If you switch 791 to append mode, be sure that the other rules in the chains signal 792 acceptance by falling through to the Calico rules, otherwise the 793 Calico policy will be bypassed. [Default: insert]' 794 type: string 795 dataplaneDriver: 796 type: string 797 debugDisableLogDropping: 798 type: boolean 799 debugMemoryProfilePath: 800 type: string 801 debugSimulateCalcGraphHangAfter: 802 type: string 803 debugSimulateDataplaneHangAfter: 804 type: string 805 defaultEndpointToHostAction: 806 description: 'DefaultEndpointToHostAction controls what happens to 807 traffic that goes from a workload endpoint to the host itself (after 808 the traffic hits the endpoint egress policy). By default Calico 809 blocks traffic from workload endpoints to the host itself with an 810 iptables "DROP" action. If you want to allow some or all traffic 811 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 812 RETURN if you have your own rules in the iptables "INPUT" chain; 813 Calico will insert its rules at the top of that chain, then "RETURN" 814 packets to the "INPUT" chain once it has completed processing workload 815 endpoint egress policy. Use ACCEPT to unconditionally accept packets 816 from workloads after processing workload endpoint egress policy. 817 [Default: Drop]' 818 type: string 819 deviceRouteProtocol: 820 description: This defines the route protocol added to programmed device 821 routes, by default this will be RTPROT_BOOT when left blank. 822 type: integer 823 deviceRouteSourceAddress: 824 description: This is the source address to use on programmed device 825 routes. By default the source address is left blank, leaving the 826 kernel to choose the source address used. 827 type: string 828 disableConntrackInvalidCheck: 829 type: boolean 830 endpointReportingDelay: 831 type: string 832 endpointReportingEnabled: 833 type: boolean 834 externalNodesList: 835 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 836 which may source tunnel traffic and have the tunneled traffic be 837 accepted at calico nodes. 838 items: 839 type: string 840 type: array 841 failsafeInboundHostPorts: 842 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 843 and CIDRs that Felix will allow incoming traffic to host endpoints 844 on irrespective of the security policy. This is useful to avoid 845 accidentally cutting off a host with incorrect configuration. For 846 back-compatibility, if the protocol is not specified, it defaults 847 to "tcp". If a CIDR is not specified, it will allow traffic from 848 all addresses. To disable all inbound host ports, use the value 849 none. The default value allows ssh access and DHCP. [Default: tcp:22, 850 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 851 items: 852 description: ProtoPort is combination of protocol, port, and CIDR. 853 Protocol and port must be specified. 854 properties: 855 net: 856 type: string 857 port: 858 type: integer 859 protocol: 860 type: string 861 required: 862 - port 863 - protocol 864 type: object 865 type: array 866 failsafeOutboundHostPorts: 867 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 868 and CIDRs that Felix will allow outgoing traffic from host endpoints 869 to irrespective of the security policy. This is useful to avoid 870 accidentally cutting off a host with incorrect configuration. For 871 back-compatibility, if the protocol is not specified, it defaults 872 to "tcp". If a CIDR is not specified, it will allow traffic from 873 all addresses. To disable all outbound host ports, use the value 874 none. The default value opens etcd''s standard ports to ensure that 875 Felix does not get cut off from etcd as well as allowing DHCP and 876 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 877 tcp:6667, udp:53, udp:67]' 878 items: 879 description: ProtoPort is combination of protocol, port, and CIDR. 880 Protocol and port must be specified. 881 properties: 882 net: 883 type: string 884 port: 885 type: integer 886 protocol: 887 type: string 888 required: 889 - port 890 - protocol 891 type: object 892 type: array 893 featureDetectOverride: 894 description: FeatureDetectOverride is used to override the feature 895 detection. Values are specified in a comma separated list with no 896 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". 897 "true" or "false" will force the feature, empty or omitted values 898 are auto-detected. 899 type: string 900 genericXDPEnabled: 901 description: 'GenericXDPEnabled enables Generic XDP so network cards 902 that don''t support XDP offload or driver modes can use XDP. This 903 is not recommended since it doesn''t provide better performance 904 than iptables. [Default: false]' 905 type: boolean 906 healthEnabled: 907 type: boolean 908 healthHost: 909 type: string 910 healthPort: 911 type: integer 912 interfaceExclude: 913 description: 'InterfaceExclude is a comma-separated list of interfaces 914 that Felix should exclude when monitoring for host endpoints. The 915 default value ensures that Felix ignores Kubernetes'' IPVS dummy 916 interface, which is used internally by kube-proxy. If you want to 917 exclude multiple interface names using a single value, the list 918 supports regular expressions. For regular expressions you must wrap 919 the value with ''/''. For example having values ''/^kube/,veth1'' 920 will exclude all interfaces that begin with ''kube'' and also the 921 interface ''veth1''. [Default: kube-ipvs0]' 922 type: string 923 interfacePrefix: 924 description: 'InterfacePrefix is the interface name prefix that identifies 925 workload endpoints and so distinguishes them from host endpoint 926 interfaces. Note: in environments other than bare metal, the orchestrators 927 configure this appropriately. For example our Kubernetes and Docker 928 integrations set the ''cali'' value, and our OpenStack integration 929 sets the ''tap'' value. [Default: cali]' 930 type: string 931 interfaceRefreshInterval: 932 description: InterfaceRefreshInterval is the period at which Felix 933 rescans local interfaces to verify their state. The rescan can be 934 disabled by setting the interval to 0. 935 type: string 936 ipipEnabled: 937 type: boolean 938 ipipMTU: 939 description: 'IPIPMTU is the MTU to set on the tunnel device. See 940 Configuring MTU [Default: 1440]' 941 type: integer 942 ipsetsRefreshInterval: 943 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 944 all iptables state to ensure that no other process has accidentally 945 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 946 90s]' 947 type: string 948 iptablesBackend: 949 description: IptablesBackend specifies which backend of iptables will 950 be used. The default is legacy. 951 type: string 952 iptablesFilterAllowAction: 953 type: string 954 iptablesLockFilePath: 955 description: 'IptablesLockFilePath is the location of the iptables 956 lock file. You may need to change this if the lock file is not in 957 its standard location (for example if you have mapped it into Felix''s 958 container at a different path). [Default: /run/xtables.lock]' 959 type: string 960 iptablesLockProbeInterval: 961 description: 'IptablesLockProbeInterval is the time that Felix will 962 wait between attempts to acquire the iptables lock if it is not 963 available. Lower values make Felix more responsive when the lock 964 is contended, but use more CPU. [Default: 50ms]' 965 type: string 966 iptablesLockTimeout: 967 description: 'IptablesLockTimeout is the time that Felix will wait 968 for the iptables lock, or 0, to disable. To use this feature, Felix 969 must share the iptables lock file with all other processes that 970 also take the lock. When running Felix inside a container, this 971 requires the /run directory of the host to be mounted into the calico/node 972 or calico/felix container. [Default: 0s disabled]' 973 type: string 974 iptablesMangleAllowAction: 975 type: string 976 iptablesMarkMask: 977 description: 'IptablesMarkMask is the mask that Felix selects its 978 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 979 at least 8 bits set, none of which clash with any other mark bits 980 in use on the system. [Default: 0xff000000]' 981 format: int32 982 type: integer 983 iptablesNATOutgoingInterfaceFilter: 984 type: string 985 iptablesPostWriteCheckInterval: 986 description: 'IptablesPostWriteCheckInterval is the period after Felix 987 has done a write to the dataplane that it schedules an extra read 988 back in order to check the write was not clobbered by another process. 989 This should only occur if another application on the system doesn''t 990 respect the iptables lock. [Default: 1s]' 991 type: string 992 iptablesRefreshInterval: 993 description: 'IptablesRefreshInterval is the period at which Felix 994 re-checks the IP sets in the dataplane to ensure that no other process 995 has accidentally broken Calico''s rules. Set to 0 to disable IP 996 sets refresh. Note: the default for this value is lower than the 997 other refresh intervals as a workaround for a Linux kernel bug that 998 was fixed in kernel version 4.11. If you are using v4.11 or greater 999 you may want to set this to, a higher value to reduce Felix CPU 1000 usage. [Default: 10s]' 1001 type: string 1002 ipv6Support: 1003 type: boolean 1004 kubeNodePortRanges: 1005 description: 'KubeNodePortRanges holds list of port ranges used for 1006 service node ports. Only used if felix detects kube-proxy running 1007 in ipvs mode. Felix uses these ranges to separate host and workload 1008 traffic. [Default: 30000:32767].' 1009 items: 1010 anyOf: 1011 - type: integer 1012 - type: string 1013 pattern: ^.* 1014 x-kubernetes-int-or-string: true 1015 type: array 1016 logFilePath: 1017 description: 'LogFilePath is the full path to the Felix log. Set to 1018 none to disable file logging. [Default: /var/log/calico/felix.log]' 1019 type: string 1020 logPrefix: 1021 description: 'LogPrefix is the log prefix that Felix uses when rendering 1022 LOG rules. [Default: calico-packet]' 1023 type: string 1024 logSeverityFile: 1025 description: 'LogSeverityFile is the log severity above which logs 1026 are sent to the log file. [Default: Info]' 1027 type: string 1028 logSeverityScreen: 1029 description: 'LogSeverityScreen is the log severity above which logs 1030 are sent to the stdout. [Default: Info]' 1031 type: string 1032 logSeveritySys: 1033 description: 'LogSeveritySys is the log severity above which logs 1034 are sent to the syslog. Set to None for no logging to syslog. [Default: 1035 Info]' 1036 type: string 1037 maxIpsetSize: 1038 type: integer 1039 metadataAddr: 1040 description: 'MetadataAddr is the IP address or domain name of the 1041 server that can answer VM queries for cloud-init metadata. In OpenStack, 1042 this corresponds to the machine running nova-api (or in Ubuntu, 1043 nova-api-metadata). A value of none (case insensitive) means that 1044 Felix should not set up any NAT rule for the metadata path. [Default: 1045 127.0.0.1]' 1046 type: string 1047 metadataPort: 1048 description: 'MetadataPort is the port of the metadata server. This, 1049 combined with global.MetadataAddr (if not ''None''), is used to 1050 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1051 In most cases this should not need to be changed [Default: 8775].' 1052 type: integer 1053 mtuIfacePattern: 1054 description: MTUIfacePattern is a regular expression that controls 1055 which interfaces Felix should scan in order to calculate the host's 1056 MTU. This should not match workload interfaces (usually named cali...). 1057 type: string 1058 natOutgoingAddress: 1059 description: NATOutgoingAddress specifies an address to use when performing 1060 source NAT for traffic in a natOutgoing pool that is leaving the 1061 network. By default the address used is an address on the interface 1062 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1063 type: string 1064 natPortRange: 1065 anyOf: 1066 - type: integer 1067 - type: string 1068 description: NATPortRange specifies the range of ports that is used 1069 for port mapping when doing outgoing NAT. When unset the default 1070 behavior of the network stack is used. 1071 pattern: ^.* 1072 x-kubernetes-int-or-string: true 1073 netlinkTimeout: 1074 type: string 1075 openstackRegion: 1076 description: 'OpenstackRegion is the name of the region that a particular 1077 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1078 this must be configured somehow for each Felix (here in the datamodel, 1079 or in felix.cfg or the environment on each compute node), and must 1080 match the [calico] openstack_region value configured in neutron.conf 1081 on each node. [Default: Empty]' 1082 type: string 1083 policySyncPathPrefix: 1084 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1085 policy changes to external services, like Application layer policy. 1086 [Default: Empty]' 1087 type: string 1088 prometheusGoMetricsEnabled: 1089 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1090 collection, which the Prometheus client does by default, when set 1091 to false. This reduces the number of metrics reported, reducing 1092 Prometheus load. [Default: true]' 1093 type: boolean 1094 prometheusMetricsEnabled: 1095 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1096 server in Felix if set to true. [Default: false]' 1097 type: boolean 1098 prometheusMetricsHost: 1099 description: 'PrometheusMetricsHost is the host that the Prometheus 1100 metrics server should bind to. [Default: empty]' 1101 type: string 1102 prometheusMetricsPort: 1103 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1104 metrics server should bind to. [Default: 9091]' 1105 type: integer 1106 prometheusProcessMetricsEnabled: 1107 description: 'PrometheusProcessMetricsEnabled disables process metrics 1108 collection, which the Prometheus client does by default, when set 1109 to false. This reduces the number of metrics reported, reducing 1110 Prometheus load. [Default: true]' 1111 type: boolean 1112 prometheusWireGuardMetricsEnabled: 1113 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1114 metrics collection, which the Prometheus client does by default, 1115 when set to false. This reduces the number of metrics reported, 1116 reducing Prometheus load. [Default: true]' 1117 type: boolean 1118 removeExternalRoutes: 1119 description: Whether or not to remove device routes that have not 1120 been programmed by Felix. Disabling this will allow external applications 1121 to also add device routes. This is enabled by default which means 1122 we will remove externally added routes. 1123 type: boolean 1124 reportingInterval: 1125 description: 'ReportingInterval is the interval at which Felix reports 1126 its status into the datastore or 0 to disable. Must be non-zero 1127 in OpenStack deployments. [Default: 30s]' 1128 type: string 1129 reportingTTL: 1130 description: 'ReportingTTL is the time-to-live setting for process-wide 1131 status reports. [Default: 90s]' 1132 type: string 1133 routeRefreshInterval: 1134 description: 'RouteRefreshInterval is the period at which Felix re-checks 1135 the routes in the dataplane to ensure that no other process has 1136 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1137 [Default: 90s]' 1138 type: string 1139 routeSource: 1140 description: 'RouteSource configures where Felix gets its routing 1141 information. - WorkloadIPs: use workload endpoints to construct 1142 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1143 type: string 1144 routeTableRange: 1145 description: Calico programs additional Linux route tables for various 1146 purposes. RouteTableRange specifies the indices of the route tables 1147 that Calico should use. 1148 properties: 1149 max: 1150 type: integer 1151 min: 1152 type: integer 1153 required: 1154 - max 1155 - min 1156 type: object 1157 serviceLoopPrevention: 1158 description: 'When service IP advertisement is enabled, prevent routing 1159 loops to service IPs that are not in use, by dropping or rejecting 1160 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", 1161 in which case such routing loops continue to be allowed. [Default: 1162 Drop]' 1163 type: string 1164 sidecarAccelerationEnabled: 1165 description: 'SidecarAccelerationEnabled enables experimental sidecar 1166 acceleration [Default: false]' 1167 type: boolean 1168 usageReportingEnabled: 1169 description: 'UsageReportingEnabled reports anonymous Calico version 1170 number and cluster size to projectcalico.org. Logs warnings returned 1171 by the usage server. For example, if a significant security vulnerability 1172 has been discovered in the version of Calico being used. [Default: 1173 true]' 1174 type: boolean 1175 usageReportingInitialDelay: 1176 description: 'UsageReportingInitialDelay controls the minimum delay 1177 before Felix makes a report. [Default: 300s]' 1178 type: string 1179 usageReportingInterval: 1180 description: 'UsageReportingInterval controls the interval at which 1181 Felix makes reports. [Default: 86400s]' 1182 type: string 1183 useInternalDataplaneDriver: 1184 type: boolean 1185 vxlanEnabled: 1186 type: boolean 1187 vxlanMTU: 1188 description: 'VXLANMTU is the MTU to set on the tunnel device. See 1189 Configuring MTU [Default: 1440]' 1190 type: integer 1191 vxlanPort: 1192 type: integer 1193 vxlanVNI: 1194 type: integer 1195 wireguardEnabled: 1196 description: 'WireguardEnabled controls whether Wireguard is enabled. 1197 [Default: false]' 1198 type: boolean 1199 wireguardHostEncryptionEnabled: 1200 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1201 host-to-host encryption is enabled. [Default: false]' 1202 type: boolean 1203 wireguardInterfaceName: 1204 description: 'WireguardInterfaceName specifies the name to use for 1205 the Wireguard interface. [Default: wg.calico]' 1206 type: string 1207 wireguardListeningPort: 1208 description: 'WireguardListeningPort controls the listening port used 1209 by Wireguard. [Default: 51820]' 1210 type: integer 1211 wireguardMTU: 1212 description: 'WireguardMTU controls the MTU on the Wireguard interface. 1213 See Configuring MTU [Default: 1420]' 1214 type: integer 1215 wireguardRoutingRulePriority: 1216 description: 'WireguardRoutingRulePriority controls the priority value 1217 to use for the Wireguard routing rule. [Default: 99]' 1218 type: integer 1219 xdpEnabled: 1220 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1221 incoming deny rules. [Default: true]' 1222 type: boolean 1223 xdpRefreshInterval: 1224 description: 'XDPRefreshInterval is the period at which Felix re-checks 1225 all XDP state to ensure that no other process has accidentally broken 1226 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1227 refresh. [Default: 90s]' 1228 type: string 1229 type: object 1230 type: object 1231 served: true 1232 storage: true 1233 status: 1234 acceptedNames: 1235 kind: "" 1236 plural: "" 1237 conditions: [] 1238 storedVersions: [] 1239 1240 --- 1241 # Source: crds/calico/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml 1242 apiVersion: apiextensions.k8s.io/v1 1243 kind: CustomResourceDefinition 1244 metadata: 1245 name: globalnetworkpolicies.crd.projectcalico.org 1246 spec: 1247 group: crd.projectcalico.org 1248 names: 1249 kind: GlobalNetworkPolicy 1250 listKind: GlobalNetworkPolicyList 1251 plural: globalnetworkpolicies 1252 singular: globalnetworkpolicy 1253 scope: Cluster 1254 versions: 1255 - name: v1 1256 schema: 1257 openAPIV3Schema: 1258 properties: 1259 apiVersion: 1260 description: 'APIVersion defines the versioned schema of this representation 1261 of an object. Servers should convert recognized schemas to the latest 1262 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1263 type: string 1264 kind: 1265 description: 'Kind is a string value representing the REST resource this 1266 object represents. Servers may infer this from the endpoint the client 1267 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1268 type: string 1269 metadata: 1270 type: object 1271 spec: 1272 properties: 1273 applyOnForward: 1274 description: ApplyOnForward indicates to apply the rules in this policy 1275 on forward traffic. 1276 type: boolean 1277 doNotTrack: 1278 description: DoNotTrack indicates whether packets matched by the rules 1279 in this policy should go through the data plane's connection tracking, 1280 such as Linux conntrack. If True, the rules in this policy are 1281 applied before any data plane connection tracking, and packets allowed 1282 by this policy are marked as not to be tracked. 1283 type: boolean 1284 egress: 1285 description: The ordered set of egress rules. Each rule contains 1286 a set of packet match criteria and a corresponding action to apply. 1287 items: 1288 description: "A Rule encapsulates a set of match criteria and an 1289 action. Both selector-based security Policy and security Profiles 1290 reference rules - separated out as a list of rules for both ingress 1291 and egress packet matching. \n Each positive match criteria has 1292 a negated version, prefixed with \"Not\". All the match criteria 1293 within a rule must be satisfied for a packet to match. A single 1294 rule can contain the positive and negative version of a match 1295 and both must be satisfied for the rule to match." 1296 properties: 1297 action: 1298 type: string 1299 destination: 1300 description: Destination contains the match criteria that apply 1301 to destination entity. 1302 properties: 1303 namespaceSelector: 1304 description: "NamespaceSelector is an optional field that 1305 contains a selector expression. Only traffic that originates 1306 from (or terminates at) endpoints within the selected 1307 namespaces will be matched. When both NamespaceSelector 1308 and another selector are defined on the same rule, then 1309 only workload endpoints that are matched by both selectors 1310 will be selected by the rule. \n For NetworkPolicy, an 1311 empty NamespaceSelector implies that the Selector is limited 1312 to selecting only workload endpoints in the same namespace 1313 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1314 NamespaceSelector implies that the Selector is limited 1315 to selecting only GlobalNetworkSet or HostEndpoint. \n 1316 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1317 the Selector applies to workload endpoints across all 1318 namespaces." 1319 type: string 1320 nets: 1321 description: Nets is an optional field that restricts the 1322 rule to only apply to traffic that originates from (or 1323 terminates at) IP addresses in any of the given subnets. 1324 items: 1325 type: string 1326 type: array 1327 notNets: 1328 description: NotNets is the negated version of the Nets 1329 field. 1330 items: 1331 type: string 1332 type: array 1333 notPorts: 1334 description: NotPorts is the negated version of the Ports 1335 field. Since only some protocols have ports, if any ports 1336 are specified it requires the Protocol match in the Rule 1337 to be set to "TCP" or "UDP". 1338 items: 1339 anyOf: 1340 - type: integer 1341 - type: string 1342 pattern: ^.* 1343 x-kubernetes-int-or-string: true 1344 type: array 1345 notSelector: 1346 description: NotSelector is the negated version of the Selector 1347 field. See Selector field for subtleties with negated 1348 selectors. 1349 type: string 1350 ports: 1351 description: "Ports is an optional field that restricts 1352 the rule to only apply to traffic that has a source (destination) 1353 port that matches one of these ranges/values. This value 1354 is a list of integers or strings that represent ranges 1355 of ports. \n Since only some protocols have ports, if 1356 any ports are specified it requires the Protocol match 1357 in the Rule to be set to \"TCP\" or \"UDP\"." 1358 items: 1359 anyOf: 1360 - type: integer 1361 - type: string 1362 pattern: ^.* 1363 x-kubernetes-int-or-string: true 1364 type: array 1365 selector: 1366 description: "Selector is an optional field that contains 1367 a selector expression (see Policy for sample syntax). 1368 \ Only traffic that originates from (terminates at) endpoints 1369 matching the selector will be matched. \n Note that: in 1370 addition to the negated version of the Selector (see NotSelector 1371 below), the selector expression syntax itself supports 1372 negation. The two types of negation are subtly different. 1373 One negates the set of matched endpoints, the other negates 1374 the whole match: \n \tSelector = \"!has(my_label)\" matches 1375 packets that are from other Calico-controlled \tendpoints 1376 that do not have the label \"my_label\". \n \tNotSelector 1377 = \"has(my_label)\" matches packets that are not from 1378 Calico-controlled \tendpoints that do have the label \"my_label\". 1379 \n The effect is that the latter will accept packets from 1380 non-Calico sources whereas the former is limited to packets 1381 from Calico-controlled endpoints." 1382 type: string 1383 serviceAccounts: 1384 description: ServiceAccounts is an optional field that restricts 1385 the rule to only apply to traffic that originates from 1386 (or terminates at) a pod running as a matching service 1387 account. 1388 properties: 1389 names: 1390 description: Names is an optional field that restricts 1391 the rule to only apply to traffic that originates 1392 from (or terminates at) a pod running as a service 1393 account whose name is in the list. 1394 items: 1395 type: string 1396 type: array 1397 selector: 1398 description: Selector is an optional field that restricts 1399 the rule to only apply to traffic that originates 1400 from (or terminates at) a pod running as a service 1401 account that matches the given label selector. If 1402 both Names and Selector are specified then they are 1403 AND'ed. 1404 type: string 1405 type: object 1406 services: 1407 description: "Services is an optional field that contains 1408 options for matching Kubernetes Services. If specified, 1409 only traffic that originates from or terminates at endpoints 1410 within the selected service(s) will be matched, and only 1411 to/from each endpoint's port. \n Services cannot be specified 1412 on the same rule as Selector, NotSelector, NamespaceSelector, 1413 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1414 can only be specified with Services on ingress rules." 1415 properties: 1416 name: 1417 description: Name specifies the name of a Kubernetes 1418 Service to match. 1419 type: string 1420 namespace: 1421 description: Namespace specifies the namespace of the 1422 given Service. If left empty, the rule will match 1423 within this policy's namespace. 1424 type: string 1425 type: object 1426 type: object 1427 http: 1428 description: HTTP contains match criteria that apply to HTTP 1429 requests. 1430 properties: 1431 methods: 1432 description: Methods is an optional field that restricts 1433 the rule to apply only to HTTP requests that use one of 1434 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1435 methods are OR'd together. 1436 items: 1437 type: string 1438 type: array 1439 paths: 1440 description: 'Paths is an optional field that restricts 1441 the rule to apply to HTTP requests that use one of the 1442 listed HTTP Paths. Multiple paths are OR''d together. 1443 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1444 ONLY specify either a `exact` or a `prefix` match. The 1445 validator will check for it.' 1446 items: 1447 description: 'HTTPPath specifies an HTTP path to match. 1448 It may be either of the form: exact: <path>: which matches 1449 the path exactly or prefix: <path-prefix>: which matches 1450 the path prefix' 1451 properties: 1452 exact: 1453 type: string 1454 prefix: 1455 type: string 1456 type: object 1457 type: array 1458 type: object 1459 icmp: 1460 description: ICMP is an optional field that restricts the rule 1461 to apply to a specific type and code of ICMP traffic. This 1462 should only be specified if the Protocol field is set to "ICMP" 1463 or "ICMPv6". 1464 properties: 1465 code: 1466 description: Match on a specific ICMP code. If specified, 1467 the Type value must also be specified. This is a technical 1468 limitation imposed by the kernel's iptables firewall, 1469 which Calico uses to enforce the rule. 1470 type: integer 1471 type: 1472 description: Match on a specific ICMP type. For example 1473 a value of 8 refers to ICMP Echo Request (i.e. pings). 1474 type: integer 1475 type: object 1476 ipVersion: 1477 description: IPVersion is an optional field that restricts the 1478 rule to only match a specific IP version. 1479 type: integer 1480 metadata: 1481 description: Metadata contains additional information for this 1482 rule 1483 properties: 1484 annotations: 1485 additionalProperties: 1486 type: string 1487 description: Annotations is a set of key value pairs that 1488 give extra information about the rule 1489 type: object 1490 type: object 1491 notICMP: 1492 description: NotICMP is the negated version of the ICMP field. 1493 properties: 1494 code: 1495 description: Match on a specific ICMP code. If specified, 1496 the Type value must also be specified. This is a technical 1497 limitation imposed by the kernel's iptables firewall, 1498 which Calico uses to enforce the rule. 1499 type: integer 1500 type: 1501 description: Match on a specific ICMP type. For example 1502 a value of 8 refers to ICMP Echo Request (i.e. pings). 1503 type: integer 1504 type: object 1505 notProtocol: 1506 anyOf: 1507 - type: integer 1508 - type: string 1509 description: NotProtocol is the negated version of the Protocol 1510 field. 1511 pattern: ^.* 1512 x-kubernetes-int-or-string: true 1513 protocol: 1514 anyOf: 1515 - type: integer 1516 - type: string 1517 description: "Protocol is an optional field that restricts the 1518 rule to only apply to traffic of a specific IP protocol. Required 1519 if any of the EntityRules contain Ports (because ports only 1520 apply to certain protocols). \n Must be one of these string 1521 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1522 \"UDPLite\" or an integer in the range 1-255." 1523 pattern: ^.* 1524 x-kubernetes-int-or-string: true 1525 source: 1526 description: Source contains the match criteria that apply to 1527 source entity. 1528 properties: 1529 namespaceSelector: 1530 description: "NamespaceSelector is an optional field that 1531 contains a selector expression. Only traffic that originates 1532 from (or terminates at) endpoints within the selected 1533 namespaces will be matched. When both NamespaceSelector 1534 and another selector are defined on the same rule, then 1535 only workload endpoints that are matched by both selectors 1536 will be selected by the rule. \n For NetworkPolicy, an 1537 empty NamespaceSelector implies that the Selector is limited 1538 to selecting only workload endpoints in the same namespace 1539 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1540 NamespaceSelector implies that the Selector is limited 1541 to selecting only GlobalNetworkSet or HostEndpoint. \n 1542 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1543 the Selector applies to workload endpoints across all 1544 namespaces." 1545 type: string 1546 nets: 1547 description: Nets is an optional field that restricts the 1548 rule to only apply to traffic that originates from (or 1549 terminates at) IP addresses in any of the given subnets. 1550 items: 1551 type: string 1552 type: array 1553 notNets: 1554 description: NotNets is the negated version of the Nets 1555 field. 1556 items: 1557 type: string 1558 type: array 1559 notPorts: 1560 description: NotPorts is the negated version of the Ports 1561 field. Since only some protocols have ports, if any ports 1562 are specified it requires the Protocol match in the Rule 1563 to be set to "TCP" or "UDP". 1564 items: 1565 anyOf: 1566 - type: integer 1567 - type: string 1568 pattern: ^.* 1569 x-kubernetes-int-or-string: true 1570 type: array 1571 notSelector: 1572 description: NotSelector is the negated version of the Selector 1573 field. See Selector field for subtleties with negated 1574 selectors. 1575 type: string 1576 ports: 1577 description: "Ports is an optional field that restricts 1578 the rule to only apply to traffic that has a source (destination) 1579 port that matches one of these ranges/values. This value 1580 is a list of integers or strings that represent ranges 1581 of ports. \n Since only some protocols have ports, if 1582 any ports are specified it requires the Protocol match 1583 in the Rule to be set to \"TCP\" or \"UDP\"." 1584 items: 1585 anyOf: 1586 - type: integer 1587 - type: string 1588 pattern: ^.* 1589 x-kubernetes-int-or-string: true 1590 type: array 1591 selector: 1592 description: "Selector is an optional field that contains 1593 a selector expression (see Policy for sample syntax). 1594 \ Only traffic that originates from (terminates at) endpoints 1595 matching the selector will be matched. \n Note that: in 1596 addition to the negated version of the Selector (see NotSelector 1597 below), the selector expression syntax itself supports 1598 negation. The two types of negation are subtly different. 1599 One negates the set of matched endpoints, the other negates 1600 the whole match: \n \tSelector = \"!has(my_label)\" matches 1601 packets that are from other Calico-controlled \tendpoints 1602 that do not have the label \"my_label\". \n \tNotSelector 1603 = \"has(my_label)\" matches packets that are not from 1604 Calico-controlled \tendpoints that do have the label \"my_label\". 1605 \n The effect is that the latter will accept packets from 1606 non-Calico sources whereas the former is limited to packets 1607 from Calico-controlled endpoints." 1608 type: string 1609 serviceAccounts: 1610 description: ServiceAccounts is an optional field that restricts 1611 the rule to only apply to traffic that originates from 1612 (or terminates at) a pod running as a matching service 1613 account. 1614 properties: 1615 names: 1616 description: Names is an optional field that restricts 1617 the rule to only apply to traffic that originates 1618 from (or terminates at) a pod running as a service 1619 account whose name is in the list. 1620 items: 1621 type: string 1622 type: array 1623 selector: 1624 description: Selector is an optional field that restricts 1625 the rule to only apply to traffic that originates 1626 from (or terminates at) a pod running as a service 1627 account that matches the given label selector. If 1628 both Names and Selector are specified then they are 1629 AND'ed. 1630 type: string 1631 type: object 1632 services: 1633 description: "Services is an optional field that contains 1634 options for matching Kubernetes Services. If specified, 1635 only traffic that originates from or terminates at endpoints 1636 within the selected service(s) will be matched, and only 1637 to/from each endpoint's port. \n Services cannot be specified 1638 on the same rule as Selector, NotSelector, NamespaceSelector, 1639 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1640 can only be specified with Services on ingress rules." 1641 properties: 1642 name: 1643 description: Name specifies the name of a Kubernetes 1644 Service to match. 1645 type: string 1646 namespace: 1647 description: Namespace specifies the namespace of the 1648 given Service. If left empty, the rule will match 1649 within this policy's namespace. 1650 type: string 1651 type: object 1652 type: object 1653 required: 1654 - action 1655 type: object 1656 type: array 1657 ingress: 1658 description: The ordered set of ingress rules. Each rule contains 1659 a set of packet match criteria and a corresponding action to apply. 1660 items: 1661 description: "A Rule encapsulates a set of match criteria and an 1662 action. Both selector-based security Policy and security Profiles 1663 reference rules - separated out as a list of rules for both ingress 1664 and egress packet matching. \n Each positive match criteria has 1665 a negated version, prefixed with \"Not\". All the match criteria 1666 within a rule must be satisfied for a packet to match. A single 1667 rule can contain the positive and negative version of a match 1668 and both must be satisfied for the rule to match." 1669 properties: 1670 action: 1671 type: string 1672 destination: 1673 description: Destination contains the match criteria that apply 1674 to destination entity. 1675 properties: 1676 namespaceSelector: 1677 description: "NamespaceSelector is an optional field that 1678 contains a selector expression. Only traffic that originates 1679 from (or terminates at) endpoints within the selected 1680 namespaces will be matched. When both NamespaceSelector 1681 and another selector are defined on the same rule, then 1682 only workload endpoints that are matched by both selectors 1683 will be selected by the rule. \n For NetworkPolicy, an 1684 empty NamespaceSelector implies that the Selector is limited 1685 to selecting only workload endpoints in the same namespace 1686 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1687 NamespaceSelector implies that the Selector is limited 1688 to selecting only GlobalNetworkSet or HostEndpoint. \n 1689 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1690 the Selector applies to workload endpoints across all 1691 namespaces." 1692 type: string 1693 nets: 1694 description: Nets is an optional field that restricts the 1695 rule to only apply to traffic that originates from (or 1696 terminates at) IP addresses in any of the given subnets. 1697 items: 1698 type: string 1699 type: array 1700 notNets: 1701 description: NotNets is the negated version of the Nets 1702 field. 1703 items: 1704 type: string 1705 type: array 1706 notPorts: 1707 description: NotPorts is the negated version of the Ports 1708 field. Since only some protocols have ports, if any ports 1709 are specified it requires the Protocol match in the Rule 1710 to be set to "TCP" or "UDP". 1711 items: 1712 anyOf: 1713 - type: integer 1714 - type: string 1715 pattern: ^.* 1716 x-kubernetes-int-or-string: true 1717 type: array 1718 notSelector: 1719 description: NotSelector is the negated version of the Selector 1720 field. See Selector field for subtleties with negated 1721 selectors. 1722 type: string 1723 ports: 1724 description: "Ports is an optional field that restricts 1725 the rule to only apply to traffic that has a source (destination) 1726 port that matches one of these ranges/values. This value 1727 is a list of integers or strings that represent ranges 1728 of ports. \n Since only some protocols have ports, if 1729 any ports are specified it requires the Protocol match 1730 in the Rule to be set to \"TCP\" or \"UDP\"." 1731 items: 1732 anyOf: 1733 - type: integer 1734 - type: string 1735 pattern: ^.* 1736 x-kubernetes-int-or-string: true 1737 type: array 1738 selector: 1739 description: "Selector is an optional field that contains 1740 a selector expression (see Policy for sample syntax). 1741 \ Only traffic that originates from (terminates at) endpoints 1742 matching the selector will be matched. \n Note that: in 1743 addition to the negated version of the Selector (see NotSelector 1744 below), the selector expression syntax itself supports 1745 negation. The two types of negation are subtly different. 1746 One negates the set of matched endpoints, the other negates 1747 the whole match: \n \tSelector = \"!has(my_label)\" matches 1748 packets that are from other Calico-controlled \tendpoints 1749 that do not have the label \"my_label\". \n \tNotSelector 1750 = \"has(my_label)\" matches packets that are not from 1751 Calico-controlled \tendpoints that do have the label \"my_label\". 1752 \n The effect is that the latter will accept packets from 1753 non-Calico sources whereas the former is limited to packets 1754 from Calico-controlled endpoints." 1755 type: string 1756 serviceAccounts: 1757 description: ServiceAccounts is an optional field that restricts 1758 the rule to only apply to traffic that originates from 1759 (or terminates at) a pod running as a matching service 1760 account. 1761 properties: 1762 names: 1763 description: Names is an optional field that restricts 1764 the rule to only apply to traffic that originates 1765 from (or terminates at) a pod running as a service 1766 account whose name is in the list. 1767 items: 1768 type: string 1769 type: array 1770 selector: 1771 description: Selector is an optional field that restricts 1772 the rule to only apply to traffic that originates 1773 from (or terminates at) a pod running as a service 1774 account that matches the given label selector. If 1775 both Names and Selector are specified then they are 1776 AND'ed. 1777 type: string 1778 type: object 1779 services: 1780 description: "Services is an optional field that contains 1781 options for matching Kubernetes Services. If specified, 1782 only traffic that originates from or terminates at endpoints 1783 within the selected service(s) will be matched, and only 1784 to/from each endpoint's port. \n Services cannot be specified 1785 on the same rule as Selector, NotSelector, NamespaceSelector, 1786 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1787 can only be specified with Services on ingress rules." 1788 properties: 1789 name: 1790 description: Name specifies the name of a Kubernetes 1791 Service to match. 1792 type: string 1793 namespace: 1794 description: Namespace specifies the namespace of the 1795 given Service. If left empty, the rule will match 1796 within this policy's namespace. 1797 type: string 1798 type: object 1799 type: object 1800 http: 1801 description: HTTP contains match criteria that apply to HTTP 1802 requests. 1803 properties: 1804 methods: 1805 description: Methods is an optional field that restricts 1806 the rule to apply only to HTTP requests that use one of 1807 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1808 methods are OR'd together. 1809 items: 1810 type: string 1811 type: array 1812 paths: 1813 description: 'Paths is an optional field that restricts 1814 the rule to apply to HTTP requests that use one of the 1815 listed HTTP Paths. Multiple paths are OR''d together. 1816 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1817 ONLY specify either a `exact` or a `prefix` match. The 1818 validator will check for it.' 1819 items: 1820 description: 'HTTPPath specifies an HTTP path to match. 1821 It may be either of the form: exact: <path>: which matches 1822 the path exactly or prefix: <path-prefix>: which matches 1823 the path prefix' 1824 properties: 1825 exact: 1826 type: string 1827 prefix: 1828 type: string 1829 type: object 1830 type: array 1831 type: object 1832 icmp: 1833 description: ICMP is an optional field that restricts the rule 1834 to apply to a specific type and code of ICMP traffic. This 1835 should only be specified if the Protocol field is set to "ICMP" 1836 or "ICMPv6". 1837 properties: 1838 code: 1839 description: Match on a specific ICMP code. If specified, 1840 the Type value must also be specified. This is a technical 1841 limitation imposed by the kernel's iptables firewall, 1842 which Calico uses to enforce the rule. 1843 type: integer 1844 type: 1845 description: Match on a specific ICMP type. For example 1846 a value of 8 refers to ICMP Echo Request (i.e. pings). 1847 type: integer 1848 type: object 1849 ipVersion: 1850 description: IPVersion is an optional field that restricts the 1851 rule to only match a specific IP version. 1852 type: integer 1853 metadata: 1854 description: Metadata contains additional information for this 1855 rule 1856 properties: 1857 annotations: 1858 additionalProperties: 1859 type: string 1860 description: Annotations is a set of key value pairs that 1861 give extra information about the rule 1862 type: object 1863 type: object 1864 notICMP: 1865 description: NotICMP is the negated version of the ICMP field. 1866 properties: 1867 code: 1868 description: Match on a specific ICMP code. If specified, 1869 the Type value must also be specified. This is a technical 1870 limitation imposed by the kernel's iptables firewall, 1871 which Calico uses to enforce the rule. 1872 type: integer 1873 type: 1874 description: Match on a specific ICMP type. For example 1875 a value of 8 refers to ICMP Echo Request (i.e. pings). 1876 type: integer 1877 type: object 1878 notProtocol: 1879 anyOf: 1880 - type: integer 1881 - type: string 1882 description: NotProtocol is the negated version of the Protocol 1883 field. 1884 pattern: ^.* 1885 x-kubernetes-int-or-string: true 1886 protocol: 1887 anyOf: 1888 - type: integer 1889 - type: string 1890 description: "Protocol is an optional field that restricts the 1891 rule to only apply to traffic of a specific IP protocol. Required 1892 if any of the EntityRules contain Ports (because ports only 1893 apply to certain protocols). \n Must be one of these string 1894 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1895 \"UDPLite\" or an integer in the range 1-255." 1896 pattern: ^.* 1897 x-kubernetes-int-or-string: true 1898 source: 1899 description: Source contains the match criteria that apply to 1900 source entity. 1901 properties: 1902 namespaceSelector: 1903 description: "NamespaceSelector is an optional field that 1904 contains a selector expression. Only traffic that originates 1905 from (or terminates at) endpoints within the selected 1906 namespaces will be matched. When both NamespaceSelector 1907 and another selector are defined on the same rule, then 1908 only workload endpoints that are matched by both selectors 1909 will be selected by the rule. \n For NetworkPolicy, an 1910 empty NamespaceSelector implies that the Selector is limited 1911 to selecting only workload endpoints in the same namespace 1912 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1913 NamespaceSelector implies that the Selector is limited 1914 to selecting only GlobalNetworkSet or HostEndpoint. \n 1915 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1916 the Selector applies to workload endpoints across all 1917 namespaces." 1918 type: string 1919 nets: 1920 description: Nets is an optional field that restricts the 1921 rule to only apply to traffic that originates from (or 1922 terminates at) IP addresses in any of the given subnets. 1923 items: 1924 type: string 1925 type: array 1926 notNets: 1927 description: NotNets is the negated version of the Nets 1928 field. 1929 items: 1930 type: string 1931 type: array 1932 notPorts: 1933 description: NotPorts is the negated version of the Ports 1934 field. Since only some protocols have ports, if any ports 1935 are specified it requires the Protocol match in the Rule 1936 to be set to "TCP" or "UDP". 1937 items: 1938 anyOf: 1939 - type: integer 1940 - type: string 1941 pattern: ^.* 1942 x-kubernetes-int-or-string: true 1943 type: array 1944 notSelector: 1945 description: NotSelector is the negated version of the Selector 1946 field. See Selector field for subtleties with negated 1947 selectors. 1948 type: string 1949 ports: 1950 description: "Ports is an optional field that restricts 1951 the rule to only apply to traffic that has a source (destination) 1952 port that matches one of these ranges/values. This value 1953 is a list of integers or strings that represent ranges 1954 of ports. \n Since only some protocols have ports, if 1955 any ports are specified it requires the Protocol match 1956 in the Rule to be set to \"TCP\" or \"UDP\"." 1957 items: 1958 anyOf: 1959 - type: integer 1960 - type: string 1961 pattern: ^.* 1962 x-kubernetes-int-or-string: true 1963 type: array 1964 selector: 1965 description: "Selector is an optional field that contains 1966 a selector expression (see Policy for sample syntax). 1967 \ Only traffic that originates from (terminates at) endpoints 1968 matching the selector will be matched. \n Note that: in 1969 addition to the negated version of the Selector (see NotSelector 1970 below), the selector expression syntax itself supports 1971 negation. The two types of negation are subtly different. 1972 One negates the set of matched endpoints, the other negates 1973 the whole match: \n \tSelector = \"!has(my_label)\" matches 1974 packets that are from other Calico-controlled \tendpoints 1975 that do not have the label \"my_label\". \n \tNotSelector 1976 = \"has(my_label)\" matches packets that are not from 1977 Calico-controlled \tendpoints that do have the label \"my_label\". 1978 \n The effect is that the latter will accept packets from 1979 non-Calico sources whereas the former is limited to packets 1980 from Calico-controlled endpoints." 1981 type: string 1982 serviceAccounts: 1983 description: ServiceAccounts is an optional field that restricts 1984 the rule to only apply to traffic that originates from 1985 (or terminates at) a pod running as a matching service 1986 account. 1987 properties: 1988 names: 1989 description: Names is an optional field that restricts 1990 the rule to only apply to traffic that originates 1991 from (or terminates at) a pod running as a service 1992 account whose name is in the list. 1993 items: 1994 type: string 1995 type: array 1996 selector: 1997 description: Selector is an optional field that restricts 1998 the rule to only apply to traffic that originates 1999 from (or terminates at) a pod running as a service 2000 account that matches the given label selector. If 2001 both Names and Selector are specified then they are 2002 AND'ed. 2003 type: string 2004 type: object 2005 services: 2006 description: "Services is an optional field that contains 2007 options for matching Kubernetes Services. If specified, 2008 only traffic that originates from or terminates at endpoints 2009 within the selected service(s) will be matched, and only 2010 to/from each endpoint's port. \n Services cannot be specified 2011 on the same rule as Selector, NotSelector, NamespaceSelector, 2012 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2013 can only be specified with Services on ingress rules." 2014 properties: 2015 name: 2016 description: Name specifies the name of a Kubernetes 2017 Service to match. 2018 type: string 2019 namespace: 2020 description: Namespace specifies the namespace of the 2021 given Service. If left empty, the rule will match 2022 within this policy's namespace. 2023 type: string 2024 type: object 2025 type: object 2026 required: 2027 - action 2028 type: object 2029 type: array 2030 namespaceSelector: 2031 description: NamespaceSelector is an optional field for an expression 2032 used to select a pod based on namespaces. 2033 type: string 2034 order: 2035 description: Order is an optional field that specifies the order in 2036 which the policy is applied. Policies with higher "order" are applied 2037 after those with lower order. If the order is omitted, it may be 2038 considered to be "infinite" - i.e. the policy will be applied last. Policies 2039 with identical order will be applied in alphanumerical order based 2040 on the Policy "Name". 2041 type: number 2042 preDNAT: 2043 description: PreDNAT indicates to apply the rules in this policy before 2044 any DNAT. 2045 type: boolean 2046 selector: 2047 description: "The selector is an expression used to pick pick out 2048 the endpoints that the policy should be applied to. \n Selector 2049 expressions follow this syntax: \n \tlabel == \"string_literal\" 2050 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2051 \ -> not equal; also matches if label is not present \tlabel in 2052 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2053 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2054 ... } -> true if the value of label X is not one of \"a\", \"b\", 2055 \"c\" \thas(label_name) -> True if that label is present \t! expr 2056 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2057 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2058 or the empty selector -> matches all endpoints. \n Label names are 2059 allowed to contain alphanumerics, -, _ and /. String literals are 2060 more permissive but they do not support escape characters. \n Examples 2061 (with made-up labels): \n \ttype == \"webserver\" && deployment 2062 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2063 \"dev\" \t! has(label_name)" 2064 type: string 2065 serviceAccountSelector: 2066 description: ServiceAccountSelector is an optional field for an expression 2067 used to select a pod based on service accounts. 2068 type: string 2069 types: 2070 description: "Types indicates whether this policy applies to ingress, 2071 or to egress, or to both. When not explicitly specified (and so 2072 the value on creation is empty or nil), Calico defaults Types according 2073 to what Ingress and Egress rules are present in the policy. The 2074 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2075 (including the case where there are also no Ingress rules) \n 2076 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2077 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2078 both Ingress and Egress rules. \n When the policy is read back again, 2079 Types will always be one of these values, never empty or nil." 2080 items: 2081 description: PolicyType enumerates the possible values of the PolicySpec 2082 Types field. 2083 type: string 2084 type: array 2085 type: object 2086 type: object 2087 served: true 2088 storage: true 2089 status: 2090 acceptedNames: 2091 kind: "" 2092 plural: "" 2093 conditions: [] 2094 storedVersions: [] 2095 2096 --- 2097 # Source: crds/calico/kdd/crd.projectcalico.org_globalnetworksets.yaml 2098 apiVersion: apiextensions.k8s.io/v1 2099 kind: CustomResourceDefinition 2100 metadata: 2101 name: globalnetworksets.crd.projectcalico.org 2102 spec: 2103 group: crd.projectcalico.org 2104 names: 2105 kind: GlobalNetworkSet 2106 listKind: GlobalNetworkSetList 2107 plural: globalnetworksets 2108 singular: globalnetworkset 2109 scope: Cluster 2110 versions: 2111 - name: v1 2112 schema: 2113 openAPIV3Schema: 2114 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2115 that share labels to allow rules to refer to them via selectors. The labels 2116 of GlobalNetworkSet are not namespaced. 2117 properties: 2118 apiVersion: 2119 description: 'APIVersion defines the versioned schema of this representation 2120 of an object. Servers should convert recognized schemas to the latest 2121 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2122 type: string 2123 kind: 2124 description: 'Kind is a string value representing the REST resource this 2125 object represents. Servers may infer this from the endpoint the client 2126 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2127 type: string 2128 metadata: 2129 type: object 2130 spec: 2131 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2132 resource. 2133 properties: 2134 nets: 2135 description: The list of IP networks that belong to this set. 2136 items: 2137 type: string 2138 type: array 2139 type: object 2140 type: object 2141 served: true 2142 storage: true 2143 status: 2144 acceptedNames: 2145 kind: "" 2146 plural: "" 2147 conditions: [] 2148 storedVersions: [] 2149 2150 --- 2151 # Source: crds/calico/kdd/crd.projectcalico.org_hostendpoints.yaml 2152 apiVersion: apiextensions.k8s.io/v1 2153 kind: CustomResourceDefinition 2154 metadata: 2155 name: hostendpoints.crd.projectcalico.org 2156 spec: 2157 group: crd.projectcalico.org 2158 names: 2159 kind: HostEndpoint 2160 listKind: HostEndpointList 2161 plural: hostendpoints 2162 singular: hostendpoint 2163 scope: Cluster 2164 versions: 2165 - name: v1 2166 schema: 2167 openAPIV3Schema: 2168 properties: 2169 apiVersion: 2170 description: 'APIVersion defines the versioned schema of this representation 2171 of an object. Servers should convert recognized schemas to the latest 2172 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2173 type: string 2174 kind: 2175 description: 'Kind is a string value representing the REST resource this 2176 object represents. Servers may infer this from the endpoint the client 2177 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2178 type: string 2179 metadata: 2180 type: object 2181 spec: 2182 description: HostEndpointSpec contains the specification for a HostEndpoint 2183 resource. 2184 properties: 2185 expectedIPs: 2186 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2187 If \"InterfaceName\" is not present, Calico will look for an interface 2188 matching any of the IPs in the list and apply policy to that. Note: 2189 \tWhen using the selector match criteria in an ingress or egress 2190 security Policy \tor Profile, Calico converts the selector into 2191 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 2192 is used for that purpose. (If only the interface \tname is specified, 2193 Calico does not learn the IPs of the interface for use in match 2194 \tcriteria.)" 2195 items: 2196 type: string 2197 type: array 2198 interfaceName: 2199 description: "Either \"*\", or the name of a specific Linux interface 2200 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2201 governs all traffic to, from or through the default network namespace 2202 of the host named by the \"Node\" field; entering and leaving that 2203 namespace via any interface, including those from/to non-host-networked 2204 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2205 only governs traffic that enters or leaves the host through the 2206 specific interface named by InterfaceName, or - when InterfaceName 2207 is empty - through the specific interface that has one of the IPs 2208 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2209 one expected IP must be specified. Only external interfaces (such 2210 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2211 to protect traffic through a specific local workload interface. 2212 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2213 initially just pre-DNAT policy. Please check Calico documentation 2214 for the latest position." 2215 type: string 2216 node: 2217 description: The node name identifying the Calico node instance. 2218 type: string 2219 ports: 2220 description: Ports contains the endpoint's named ports, which may 2221 be referenced in security policy rules. 2222 items: 2223 properties: 2224 name: 2225 type: string 2226 port: 2227 type: integer 2228 protocol: 2229 anyOf: 2230 - type: integer 2231 - type: string 2232 pattern: ^.* 2233 x-kubernetes-int-or-string: true 2234 required: 2235 - name 2236 - port 2237 - protocol 2238 type: object 2239 type: array 2240 profiles: 2241 description: A list of identifiers of security Profile objects that 2242 apply to this endpoint. Each profile is applied in the order that 2243 they appear in this list. Profile rules are applied after the selector-based 2244 security policy. 2245 items: 2246 type: string 2247 type: array 2248 type: object 2249 type: object 2250 served: true 2251 storage: true 2252 status: 2253 acceptedNames: 2254 kind: "" 2255 plural: "" 2256 conditions: [] 2257 storedVersions: [] 2258 2259 --- 2260 # Source: crds/calico/kdd/crd.projectcalico.org_ipamblocks.yaml 2261 apiVersion: apiextensions.k8s.io/v1 2262 kind: CustomResourceDefinition 2263 metadata: 2264 name: ipamblocks.crd.projectcalico.org 2265 spec: 2266 group: crd.projectcalico.org 2267 names: 2268 kind: IPAMBlock 2269 listKind: IPAMBlockList 2270 plural: ipamblocks 2271 singular: ipamblock 2272 scope: Cluster 2273 versions: 2274 - name: v1 2275 schema: 2276 openAPIV3Schema: 2277 properties: 2278 apiVersion: 2279 description: 'APIVersion defines the versioned schema of this representation 2280 of an object. Servers should convert recognized schemas to the latest 2281 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2282 type: string 2283 kind: 2284 description: 'Kind is a string value representing the REST resource this 2285 object represents. Servers may infer this from the endpoint the client 2286 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2287 type: string 2288 metadata: 2289 type: object 2290 spec: 2291 description: IPAMBlockSpec contains the specification for an IPAMBlock 2292 resource. 2293 properties: 2294 affinity: 2295 type: string 2296 allocations: 2297 items: 2298 type: integer 2299 # TODO: This nullable is manually added in. We should update controller-gen 2300 # to handle []*int properly itself. 2301 nullable: true 2302 type: array 2303 attributes: 2304 items: 2305 properties: 2306 handle_id: 2307 type: string 2308 secondary: 2309 additionalProperties: 2310 type: string 2311 type: object 2312 type: object 2313 type: array 2314 cidr: 2315 type: string 2316 deleted: 2317 type: boolean 2318 strictAffinity: 2319 type: boolean 2320 unallocated: 2321 items: 2322 type: integer 2323 type: array 2324 required: 2325 - allocations 2326 - attributes 2327 - cidr 2328 - strictAffinity 2329 - unallocated 2330 type: object 2331 type: object 2332 served: true 2333 storage: true 2334 status: 2335 acceptedNames: 2336 kind: "" 2337 plural: "" 2338 conditions: [] 2339 storedVersions: [] 2340 2341 --- 2342 # Source: crds/calico/kdd/crd.projectcalico.org_ipamconfigs.yaml 2343 apiVersion: apiextensions.k8s.io/v1 2344 kind: CustomResourceDefinition 2345 metadata: 2346 name: ipamconfigs.crd.projectcalico.org 2347 spec: 2348 group: crd.projectcalico.org 2349 names: 2350 kind: IPAMConfig 2351 listKind: IPAMConfigList 2352 plural: ipamconfigs 2353 singular: ipamconfig 2354 scope: Cluster 2355 versions: 2356 - name: v1 2357 schema: 2358 openAPIV3Schema: 2359 properties: 2360 apiVersion: 2361 description: 'APIVersion defines the versioned schema of this representation 2362 of an object. Servers should convert recognized schemas to the latest 2363 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2364 type: string 2365 kind: 2366 description: 'Kind is a string value representing the REST resource this 2367 object represents. Servers may infer this from the endpoint the client 2368 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2369 type: string 2370 metadata: 2371 type: object 2372 spec: 2373 description: IPAMConfigSpec contains the specification for an IPAMConfig 2374 resource. 2375 properties: 2376 autoAllocateBlocks: 2377 type: boolean 2378 maxBlocksPerHost: 2379 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 2380 that can be affine to each host. 2381 type: integer 2382 strictAffinity: 2383 type: boolean 2384 required: 2385 - autoAllocateBlocks 2386 - strictAffinity 2387 type: object 2388 type: object 2389 served: true 2390 storage: true 2391 status: 2392 acceptedNames: 2393 kind: "" 2394 plural: "" 2395 conditions: [] 2396 storedVersions: [] 2397 2398 --- 2399 # Source: crds/calico/kdd/crd.projectcalico.org_ipamhandles.yaml 2400 apiVersion: apiextensions.k8s.io/v1 2401 kind: CustomResourceDefinition 2402 metadata: 2403 name: ipamhandles.crd.projectcalico.org 2404 spec: 2405 group: crd.projectcalico.org 2406 names: 2407 kind: IPAMHandle 2408 listKind: IPAMHandleList 2409 plural: ipamhandles 2410 singular: ipamhandle 2411 scope: Cluster 2412 versions: 2413 - name: v1 2414 schema: 2415 openAPIV3Schema: 2416 properties: 2417 apiVersion: 2418 description: 'APIVersion defines the versioned schema of this representation 2419 of an object. Servers should convert recognized schemas to the latest 2420 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2421 type: string 2422 kind: 2423 description: 'Kind is a string value representing the REST resource this 2424 object represents. Servers may infer this from the endpoint the client 2425 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2426 type: string 2427 metadata: 2428 type: object 2429 spec: 2430 description: IPAMHandleSpec contains the specification for an IPAMHandle 2431 resource. 2432 properties: 2433 block: 2434 additionalProperties: 2435 type: integer 2436 type: object 2437 deleted: 2438 type: boolean 2439 handleID: 2440 type: string 2441 required: 2442 - block 2443 - handleID 2444 type: object 2445 type: object 2446 served: true 2447 storage: true 2448 status: 2449 acceptedNames: 2450 kind: "" 2451 plural: "" 2452 conditions: [] 2453 storedVersions: [] 2454 2455 --- 2456 # Source: crds/calico/kdd/crd.projectcalico.org_ippools.yaml 2457 apiVersion: apiextensions.k8s.io/v1 2458 kind: CustomResourceDefinition 2459 metadata: 2460 name: ippools.crd.projectcalico.org 2461 spec: 2462 group: crd.projectcalico.org 2463 names: 2464 kind: IPPool 2465 listKind: IPPoolList 2466 plural: ippools 2467 singular: ippool 2468 scope: Cluster 2469 versions: 2470 - name: v1 2471 schema: 2472 openAPIV3Schema: 2473 properties: 2474 apiVersion: 2475 description: 'APIVersion defines the versioned schema of this representation 2476 of an object. Servers should convert recognized schemas to the latest 2477 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2478 type: string 2479 kind: 2480 description: 'Kind is a string value representing the REST resource this 2481 object represents. Servers may infer this from the endpoint the client 2482 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2483 type: string 2484 metadata: 2485 type: object 2486 spec: 2487 description: IPPoolSpec contains the specification for an IPPool resource. 2488 properties: 2489 allowedUses: 2490 description: AllowedUse controls what the IP pool will be used for. If 2491 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 2492 items: 2493 type: string 2494 type: array 2495 blockSize: 2496 description: The block size to use for IP address assignments from 2497 this pool. Defaults to 26 for IPv4 and 112 for IPv6. 2498 type: integer 2499 cidr: 2500 description: The pool CIDR. 2501 type: string 2502 disabled: 2503 description: When disabled is true, Calico IPAM will not assign addresses 2504 from this pool. 2505 type: boolean 2506 disableBGPExport: 2507 description: "Disable exporting routes from this IP Pool's CIDR over 2508 BGP. [Default: false]" 2509 type: boolean 2510 ipip: 2511 description: 'Deprecated: this field is only used for APIv1 backwards 2512 compatibility. Setting this field is not allowed, this field is 2513 for internal use only.' 2514 properties: 2515 enabled: 2516 description: When enabled is true, ipip tunneling will be used 2517 to deliver packets to destinations within this pool. 2518 type: boolean 2519 mode: 2520 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 2521 mode of "always" will also use IPIP tunneling for routing to 2522 destination IP addresses within this pool. A mode of "cross-subnet" 2523 will only use IPIP tunneling when the destination node is on 2524 a different subnet to the originating node. The default value 2525 (if not specified) is "always". 2526 type: string 2527 type: object 2528 ipipMode: 2529 description: Contains configuration for IPIP tunneling for this pool. 2530 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 2531 is disabled). 2532 type: string 2533 nat-outgoing: 2534 description: 'Deprecated: this field is only used for APIv1 backwards 2535 compatibility. Setting this field is not allowed, this field is 2536 for internal use only.' 2537 type: boolean 2538 natOutgoing: 2539 description: When nat-outgoing is true, packets sent from Calico networked 2540 containers in this pool to destinations outside of this pool will 2541 be masqueraded. 2542 type: boolean 2543 nodeSelector: 2544 description: Allows IPPool to allocate for a specific node by label 2545 selector. 2546 type: string 2547 vxlanMode: 2548 description: Contains configuration for VXLAN tunneling for this pool. 2549 If not specified, then this is defaulted to "Never" (i.e. VXLAN 2550 tunneling is disabled). 2551 type: string 2552 required: 2553 - cidr 2554 type: object 2555 type: object 2556 served: true 2557 storage: true 2558 status: 2559 acceptedNames: 2560 kind: "" 2561 plural: "" 2562 conditions: [] 2563 storedVersions: [] 2564 2565 --- 2566 # Source: crds/calico/kdd/crd.projectcalico.org_ipreservations.yaml 2567 apiVersion: apiextensions.k8s.io/v1 2568 kind: CustomResourceDefinition 2569 metadata: 2570 name: ipreservations.crd.projectcalico.org 2571 spec: 2572 group: crd.projectcalico.org 2573 names: 2574 kind: IPReservation 2575 listKind: IPReservationList 2576 plural: ipreservations 2577 singular: ipreservation 2578 scope: Cluster 2579 versions: 2580 - name: v1 2581 schema: 2582 openAPIV3Schema: 2583 properties: 2584 apiVersion: 2585 description: 'APIVersion defines the versioned schema of this representation 2586 of an object. Servers should convert recognized schemas to the latest 2587 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2588 type: string 2589 kind: 2590 description: 'Kind is a string value representing the REST resource this 2591 object represents. Servers may infer this from the endpoint the client 2592 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2593 type: string 2594 metadata: 2595 type: object 2596 spec: 2597 description: IPReservationSpec contains the specification for an IPReservation 2598 resource. 2599 properties: 2600 reservedCIDRs: 2601 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 2602 that Calico IPAM will exclude from new allocations. 2603 items: 2604 type: string 2605 type: array 2606 type: object 2607 type: object 2608 served: true 2609 storage: true 2610 status: 2611 acceptedNames: 2612 kind: "" 2613 plural: "" 2614 conditions: [] 2615 storedVersions: [] 2616 2617 --- 2618 # Source: crds/calico/kdd/crd.projectcalico.org_kubecontrollersconfigurations.yaml 2619 apiVersion: apiextensions.k8s.io/v1 2620 kind: CustomResourceDefinition 2621 metadata: 2622 name: kubecontrollersconfigurations.crd.projectcalico.org 2623 spec: 2624 group: crd.projectcalico.org 2625 names: 2626 kind: KubeControllersConfiguration 2627 listKind: KubeControllersConfigurationList 2628 plural: kubecontrollersconfigurations 2629 singular: kubecontrollersconfiguration 2630 scope: Cluster 2631 versions: 2632 - name: v1 2633 schema: 2634 openAPIV3Schema: 2635 properties: 2636 apiVersion: 2637 description: 'APIVersion defines the versioned schema of this representation 2638 of an object. Servers should convert recognized schemas to the latest 2639 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2640 type: string 2641 kind: 2642 description: 'Kind is a string value representing the REST resource this 2643 object represents. Servers may infer this from the endpoint the client 2644 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2645 type: string 2646 metadata: 2647 type: object 2648 spec: 2649 description: KubeControllersConfigurationSpec contains the values of the 2650 Kubernetes controllers configuration. 2651 properties: 2652 controllers: 2653 description: Controllers enables and configures individual Kubernetes 2654 controllers 2655 properties: 2656 namespace: 2657 description: Namespace enables and configures the namespace controller. 2658 Enabled by default, set to nil to disable. 2659 properties: 2660 reconcilerPeriod: 2661 description: 'ReconcilerPeriod is the period to perform reconciliation 2662 with the Calico datastore. [Default: 5m]' 2663 type: string 2664 type: object 2665 node: 2666 description: Node enables and configures the node controller. 2667 Enabled by default, set to nil to disable. 2668 properties: 2669 hostEndpoint: 2670 description: HostEndpoint controls syncing nodes to host endpoints. 2671 Disabled by default, set to nil to disable. 2672 properties: 2673 autoCreate: 2674 description: 'AutoCreate enables automatic creation of 2675 host endpoints for every node. [Default: Disabled]' 2676 type: string 2677 type: object 2678 leakGracePeriod: 2679 description: 'LeakGracePeriod is the period used by the controller 2680 to determine if an IP address has been leaked. Set to 0 2681 to disable IP garbage collection. [Default: 15m]' 2682 type: string 2683 reconcilerPeriod: 2684 description: 'ReconcilerPeriod is the period to perform reconciliation 2685 with the Calico datastore. [Default: 5m]' 2686 type: string 2687 syncLabels: 2688 description: 'SyncLabels controls whether to copy Kubernetes 2689 node labels to Calico nodes. [Default: Enabled]' 2690 type: string 2691 type: object 2692 policy: 2693 description: Policy enables and configures the policy controller. 2694 Enabled by default, set to nil to disable. 2695 properties: 2696 reconcilerPeriod: 2697 description: 'ReconcilerPeriod is the period to perform reconciliation 2698 with the Calico datastore. [Default: 5m]' 2699 type: string 2700 type: object 2701 serviceAccount: 2702 description: ServiceAccount enables and configures the service 2703 account controller. Enabled by default, set to nil to disable. 2704 properties: 2705 reconcilerPeriod: 2706 description: 'ReconcilerPeriod is the period to perform reconciliation 2707 with the Calico datastore. [Default: 5m]' 2708 type: string 2709 type: object 2710 workloadEndpoint: 2711 description: WorkloadEndpoint enables and configures the workload 2712 endpoint controller. Enabled by default, set to nil to disable. 2713 properties: 2714 reconcilerPeriod: 2715 description: 'ReconcilerPeriod is the period to perform reconciliation 2716 with the Calico datastore. [Default: 5m]' 2717 type: string 2718 type: object 2719 type: object 2720 etcdV3CompactionPeriod: 2721 description: 'EtcdV3CompactionPeriod is the period between etcdv3 2722 compaction requests. Set to 0 to disable. [Default: 10m]' 2723 type: string 2724 healthChecks: 2725 description: 'HealthChecks enables or disables support for health 2726 checks [Default: Enabled]' 2727 type: string 2728 logSeverityScreen: 2729 description: 'LogSeverityScreen is the log severity above which logs 2730 are sent to the stdout. [Default: Info]' 2731 type: string 2732 prometheusMetricsPort: 2733 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 2734 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 2735 type: integer 2736 required: 2737 - controllers 2738 type: object 2739 status: 2740 description: KubeControllersConfigurationStatus represents the status 2741 of the configuration. It's useful for admins to be able to see the actual 2742 config that was applied, which can be modified by environment variables 2743 on the kube-controllers process. 2744 properties: 2745 environmentVars: 2746 additionalProperties: 2747 type: string 2748 description: EnvironmentVars contains the environment variables on 2749 the kube-controllers that influenced the RunningConfig. 2750 type: object 2751 runningConfig: 2752 description: RunningConfig contains the effective config that is running 2753 in the kube-controllers pod, after merging the API resource with 2754 any environment variables. 2755 properties: 2756 controllers: 2757 description: Controllers enables and configures individual Kubernetes 2758 controllers 2759 properties: 2760 namespace: 2761 description: Namespace enables and configures the namespace 2762 controller. Enabled by default, set to nil to disable. 2763 properties: 2764 reconcilerPeriod: 2765 description: 'ReconcilerPeriod is the period to perform 2766 reconciliation with the Calico datastore. [Default: 2767 5m]' 2768 type: string 2769 type: object 2770 node: 2771 description: Node enables and configures the node controller. 2772 Enabled by default, set to nil to disable. 2773 properties: 2774 hostEndpoint: 2775 description: HostEndpoint controls syncing nodes to host 2776 endpoints. Disabled by default, set to nil to disable. 2777 properties: 2778 autoCreate: 2779 description: 'AutoCreate enables automatic creation 2780 of host endpoints for every node. [Default: Disabled]' 2781 type: string 2782 type: object 2783 leakGracePeriod: 2784 description: 'LeakGracePeriod is the period used by the 2785 controller to determine if an IP address has been leaked. 2786 Set to 0 to disable IP garbage collection. [Default: 2787 15m]' 2788 type: string 2789 reconcilerPeriod: 2790 description: 'ReconcilerPeriod is the period to perform 2791 reconciliation with the Calico datastore. [Default: 2792 5m]' 2793 type: string 2794 syncLabels: 2795 description: 'SyncLabels controls whether to copy Kubernetes 2796 node labels to Calico nodes. [Default: Enabled]' 2797 type: string 2798 type: object 2799 policy: 2800 description: Policy enables and configures the policy controller. 2801 Enabled by default, set to nil to disable. 2802 properties: 2803 reconcilerPeriod: 2804 description: 'ReconcilerPeriod is the period to perform 2805 reconciliation with the Calico datastore. [Default: 2806 5m]' 2807 type: string 2808 type: object 2809 serviceAccount: 2810 description: ServiceAccount enables and configures the service 2811 account controller. Enabled by default, set to nil to disable. 2812 properties: 2813 reconcilerPeriod: 2814 description: 'ReconcilerPeriod is the period to perform 2815 reconciliation with the Calico datastore. [Default: 2816 5m]' 2817 type: string 2818 type: object 2819 workloadEndpoint: 2820 description: WorkloadEndpoint enables and configures the workload 2821 endpoint controller. Enabled by default, set to nil to disable. 2822 properties: 2823 reconcilerPeriod: 2824 description: 'ReconcilerPeriod is the period to perform 2825 reconciliation with the Calico datastore. [Default: 2826 5m]' 2827 type: string 2828 type: object 2829 type: object 2830 etcdV3CompactionPeriod: 2831 description: 'EtcdV3CompactionPeriod is the period between etcdv3 2832 compaction requests. Set to 0 to disable. [Default: 10m]' 2833 type: string 2834 healthChecks: 2835 description: 'HealthChecks enables or disables support for health 2836 checks [Default: Enabled]' 2837 type: string 2838 logSeverityScreen: 2839 description: 'LogSeverityScreen is the log severity above which 2840 logs are sent to the stdout. [Default: Info]' 2841 type: string 2842 prometheusMetricsPort: 2843 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 2844 metrics server should bind to. Set to 0 to disable. [Default: 2845 9094]' 2846 type: integer 2847 required: 2848 - controllers 2849 type: object 2850 type: object 2851 type: object 2852 served: true 2853 storage: true 2854 status: 2855 acceptedNames: 2856 kind: "" 2857 plural: "" 2858 conditions: [] 2859 storedVersions: [] 2860 2861 --- 2862 # Source: crds/calico/kdd/crd.projectcalico.org_networkpolicies.yaml 2863 apiVersion: apiextensions.k8s.io/v1 2864 kind: CustomResourceDefinition 2865 metadata: 2866 name: networkpolicies.crd.projectcalico.org 2867 spec: 2868 group: crd.projectcalico.org 2869 names: 2870 kind: NetworkPolicy 2871 listKind: NetworkPolicyList 2872 plural: networkpolicies 2873 singular: networkpolicy 2874 scope: Namespaced 2875 versions: 2876 - name: v1 2877 schema: 2878 openAPIV3Schema: 2879 properties: 2880 apiVersion: 2881 description: 'APIVersion defines the versioned schema of this representation 2882 of an object. Servers should convert recognized schemas to the latest 2883 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2884 type: string 2885 kind: 2886 description: 'Kind is a string value representing the REST resource this 2887 object represents. Servers may infer this from the endpoint the client 2888 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2889 type: string 2890 metadata: 2891 type: object 2892 spec: 2893 properties: 2894 egress: 2895 description: The ordered set of egress rules. Each rule contains 2896 a set of packet match criteria and a corresponding action to apply. 2897 items: 2898 description: "A Rule encapsulates a set of match criteria and an 2899 action. Both selector-based security Policy and security Profiles 2900 reference rules - separated out as a list of rules for both ingress 2901 and egress packet matching. \n Each positive match criteria has 2902 a negated version, prefixed with \"Not\". All the match criteria 2903 within a rule must be satisfied for a packet to match. A single 2904 rule can contain the positive and negative version of a match 2905 and both must be satisfied for the rule to match." 2906 properties: 2907 action: 2908 type: string 2909 destination: 2910 description: Destination contains the match criteria that apply 2911 to destination entity. 2912 properties: 2913 namespaceSelector: 2914 description: "NamespaceSelector is an optional field that 2915 contains a selector expression. Only traffic that originates 2916 from (or terminates at) endpoints within the selected 2917 namespaces will be matched. When both NamespaceSelector 2918 and another selector are defined on the same rule, then 2919 only workload endpoints that are matched by both selectors 2920 will be selected by the rule. \n For NetworkPolicy, an 2921 empty NamespaceSelector implies that the Selector is limited 2922 to selecting only workload endpoints in the same namespace 2923 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2924 NamespaceSelector implies that the Selector is limited 2925 to selecting only GlobalNetworkSet or HostEndpoint. \n 2926 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2927 the Selector applies to workload endpoints across all 2928 namespaces." 2929 type: string 2930 nets: 2931 description: Nets is an optional field that restricts the 2932 rule to only apply to traffic that originates from (or 2933 terminates at) IP addresses in any of the given subnets. 2934 items: 2935 type: string 2936 type: array 2937 notNets: 2938 description: NotNets is the negated version of the Nets 2939 field. 2940 items: 2941 type: string 2942 type: array 2943 notPorts: 2944 description: NotPorts is the negated version of the Ports 2945 field. Since only some protocols have ports, if any ports 2946 are specified it requires the Protocol match in the Rule 2947 to be set to "TCP" or "UDP". 2948 items: 2949 anyOf: 2950 - type: integer 2951 - type: string 2952 pattern: ^.* 2953 x-kubernetes-int-or-string: true 2954 type: array 2955 notSelector: 2956 description: NotSelector is the negated version of the Selector 2957 field. See Selector field for subtleties with negated 2958 selectors. 2959 type: string 2960 ports: 2961 description: "Ports is an optional field that restricts 2962 the rule to only apply to traffic that has a source (destination) 2963 port that matches one of these ranges/values. This value 2964 is a list of integers or strings that represent ranges 2965 of ports. \n Since only some protocols have ports, if 2966 any ports are specified it requires the Protocol match 2967 in the Rule to be set to \"TCP\" or \"UDP\"." 2968 items: 2969 anyOf: 2970 - type: integer 2971 - type: string 2972 pattern: ^.* 2973 x-kubernetes-int-or-string: true 2974 type: array 2975 selector: 2976 description: "Selector is an optional field that contains 2977 a selector expression (see Policy for sample syntax). 2978 \ Only traffic that originates from (terminates at) endpoints 2979 matching the selector will be matched. \n Note that: in 2980 addition to the negated version of the Selector (see NotSelector 2981 below), the selector expression syntax itself supports 2982 negation. The two types of negation are subtly different. 2983 One negates the set of matched endpoints, the other negates 2984 the whole match: \n \tSelector = \"!has(my_label)\" matches 2985 packets that are from other Calico-controlled \tendpoints 2986 that do not have the label \"my_label\". \n \tNotSelector 2987 = \"has(my_label)\" matches packets that are not from 2988 Calico-controlled \tendpoints that do have the label \"my_label\". 2989 \n The effect is that the latter will accept packets from 2990 non-Calico sources whereas the former is limited to packets 2991 from Calico-controlled endpoints." 2992 type: string 2993 serviceAccounts: 2994 description: ServiceAccounts is an optional field that restricts 2995 the rule to only apply to traffic that originates from 2996 (or terminates at) a pod running as a matching service 2997 account. 2998 properties: 2999 names: 3000 description: Names is an optional field that restricts 3001 the rule to only apply to traffic that originates 3002 from (or terminates at) a pod running as a service 3003 account whose name is in the list. 3004 items: 3005 type: string 3006 type: array 3007 selector: 3008 description: Selector is an optional field that restricts 3009 the rule to only apply to traffic that originates 3010 from (or terminates at) a pod running as a service 3011 account that matches the given label selector. If 3012 both Names and Selector are specified then they are 3013 AND'ed. 3014 type: string 3015 type: object 3016 services: 3017 description: "Services is an optional field that contains 3018 options for matching Kubernetes Services. If specified, 3019 only traffic that originates from or terminates at endpoints 3020 within the selected service(s) will be matched, and only 3021 to/from each endpoint's port. \n Services cannot be specified 3022 on the same rule as Selector, NotSelector, NamespaceSelector, 3023 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3024 can only be specified with Services on ingress rules." 3025 properties: 3026 name: 3027 description: Name specifies the name of a Kubernetes 3028 Service to match. 3029 type: string 3030 namespace: 3031 description: Namespace specifies the namespace of the 3032 given Service. If left empty, the rule will match 3033 within this policy's namespace. 3034 type: string 3035 type: object 3036 type: object 3037 http: 3038 description: HTTP contains match criteria that apply to HTTP 3039 requests. 3040 properties: 3041 methods: 3042 description: Methods is an optional field that restricts 3043 the rule to apply only to HTTP requests that use one of 3044 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3045 methods are OR'd together. 3046 items: 3047 type: string 3048 type: array 3049 paths: 3050 description: 'Paths is an optional field that restricts 3051 the rule to apply to HTTP requests that use one of the 3052 listed HTTP Paths. Multiple paths are OR''d together. 3053 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3054 ONLY specify either a `exact` or a `prefix` match. The 3055 validator will check for it.' 3056 items: 3057 description: 'HTTPPath specifies an HTTP path to match. 3058 It may be either of the form: exact: <path>: which matches 3059 the path exactly or prefix: <path-prefix>: which matches 3060 the path prefix' 3061 properties: 3062 exact: 3063 type: string 3064 prefix: 3065 type: string 3066 type: object 3067 type: array 3068 type: object 3069 icmp: 3070 description: ICMP is an optional field that restricts the rule 3071 to apply to a specific type and code of ICMP traffic. This 3072 should only be specified if the Protocol field is set to "ICMP" 3073 or "ICMPv6". 3074 properties: 3075 code: 3076 description: Match on a specific ICMP code. If specified, 3077 the Type value must also be specified. This is a technical 3078 limitation imposed by the kernel's iptables firewall, 3079 which Calico uses to enforce the rule. 3080 type: integer 3081 type: 3082 description: Match on a specific ICMP type. For example 3083 a value of 8 refers to ICMP Echo Request (i.e. pings). 3084 type: integer 3085 type: object 3086 ipVersion: 3087 description: IPVersion is an optional field that restricts the 3088 rule to only match a specific IP version. 3089 type: integer 3090 metadata: 3091 description: Metadata contains additional information for this 3092 rule 3093 properties: 3094 annotations: 3095 additionalProperties: 3096 type: string 3097 description: Annotations is a set of key value pairs that 3098 give extra information about the rule 3099 type: object 3100 type: object 3101 notICMP: 3102 description: NotICMP is the negated version of the ICMP field. 3103 properties: 3104 code: 3105 description: Match on a specific ICMP code. If specified, 3106 the Type value must also be specified. This is a technical 3107 limitation imposed by the kernel's iptables firewall, 3108 which Calico uses to enforce the rule. 3109 type: integer 3110 type: 3111 description: Match on a specific ICMP type. For example 3112 a value of 8 refers to ICMP Echo Request (i.e. pings). 3113 type: integer 3114 type: object 3115 notProtocol: 3116 anyOf: 3117 - type: integer 3118 - type: string 3119 description: NotProtocol is the negated version of the Protocol 3120 field. 3121 pattern: ^.* 3122 x-kubernetes-int-or-string: true 3123 protocol: 3124 anyOf: 3125 - type: integer 3126 - type: string 3127 description: "Protocol is an optional field that restricts the 3128 rule to only apply to traffic of a specific IP protocol. Required 3129 if any of the EntityRules contain Ports (because ports only 3130 apply to certain protocols). \n Must be one of these string 3131 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3132 \"UDPLite\" or an integer in the range 1-255." 3133 pattern: ^.* 3134 x-kubernetes-int-or-string: true 3135 source: 3136 description: Source contains the match criteria that apply to 3137 source entity. 3138 properties: 3139 namespaceSelector: 3140 description: "NamespaceSelector is an optional field that 3141 contains a selector expression. Only traffic that originates 3142 from (or terminates at) endpoints within the selected 3143 namespaces will be matched. When both NamespaceSelector 3144 and another selector are defined on the same rule, then 3145 only workload endpoints that are matched by both selectors 3146 will be selected by the rule. \n For NetworkPolicy, an 3147 empty NamespaceSelector implies that the Selector is limited 3148 to selecting only workload endpoints in the same namespace 3149 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3150 NamespaceSelector implies that the Selector is limited 3151 to selecting only GlobalNetworkSet or HostEndpoint. \n 3152 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3153 the Selector applies to workload endpoints across all 3154 namespaces." 3155 type: string 3156 nets: 3157 description: Nets is an optional field that restricts the 3158 rule to only apply to traffic that originates from (or 3159 terminates at) IP addresses in any of the given subnets. 3160 items: 3161 type: string 3162 type: array 3163 notNets: 3164 description: NotNets is the negated version of the Nets 3165 field. 3166 items: 3167 type: string 3168 type: array 3169 notPorts: 3170 description: NotPorts is the negated version of the Ports 3171 field. Since only some protocols have ports, if any ports 3172 are specified it requires the Protocol match in the Rule 3173 to be set to "TCP" or "UDP". 3174 items: 3175 anyOf: 3176 - type: integer 3177 - type: string 3178 pattern: ^.* 3179 x-kubernetes-int-or-string: true 3180 type: array 3181 notSelector: 3182 description: NotSelector is the negated version of the Selector 3183 field. See Selector field for subtleties with negated 3184 selectors. 3185 type: string 3186 ports: 3187 description: "Ports is an optional field that restricts 3188 the rule to only apply to traffic that has a source (destination) 3189 port that matches one of these ranges/values. This value 3190 is a list of integers or strings that represent ranges 3191 of ports. \n Since only some protocols have ports, if 3192 any ports are specified it requires the Protocol match 3193 in the Rule to be set to \"TCP\" or \"UDP\"." 3194 items: 3195 anyOf: 3196 - type: integer 3197 - type: string 3198 pattern: ^.* 3199 x-kubernetes-int-or-string: true 3200 type: array 3201 selector: 3202 description: "Selector is an optional field that contains 3203 a selector expression (see Policy for sample syntax). 3204 \ Only traffic that originates from (terminates at) endpoints 3205 matching the selector will be matched. \n Note that: in 3206 addition to the negated version of the Selector (see NotSelector 3207 below), the selector expression syntax itself supports 3208 negation. The two types of negation are subtly different. 3209 One negates the set of matched endpoints, the other negates 3210 the whole match: \n \tSelector = \"!has(my_label)\" matches 3211 packets that are from other Calico-controlled \tendpoints 3212 that do not have the label \"my_label\". \n \tNotSelector 3213 = \"has(my_label)\" matches packets that are not from 3214 Calico-controlled \tendpoints that do have the label \"my_label\". 3215 \n The effect is that the latter will accept packets from 3216 non-Calico sources whereas the former is limited to packets 3217 from Calico-controlled endpoints." 3218 type: string 3219 serviceAccounts: 3220 description: ServiceAccounts is an optional field that restricts 3221 the rule to only apply to traffic that originates from 3222 (or terminates at) a pod running as a matching service 3223 account. 3224 properties: 3225 names: 3226 description: Names is an optional field that restricts 3227 the rule to only apply to traffic that originates 3228 from (or terminates at) a pod running as a service 3229 account whose name is in the list. 3230 items: 3231 type: string 3232 type: array 3233 selector: 3234 description: Selector is an optional field that restricts 3235 the rule to only apply to traffic that originates 3236 from (or terminates at) a pod running as a service 3237 account that matches the given label selector. If 3238 both Names and Selector are specified then they are 3239 AND'ed. 3240 type: string 3241 type: object 3242 services: 3243 description: "Services is an optional field that contains 3244 options for matching Kubernetes Services. If specified, 3245 only traffic that originates from or terminates at endpoints 3246 within the selected service(s) will be matched, and only 3247 to/from each endpoint's port. \n Services cannot be specified 3248 on the same rule as Selector, NotSelector, NamespaceSelector, 3249 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3250 can only be specified with Services on ingress rules." 3251 properties: 3252 name: 3253 description: Name specifies the name of a Kubernetes 3254 Service to match. 3255 type: string 3256 namespace: 3257 description: Namespace specifies the namespace of the 3258 given Service. If left empty, the rule will match 3259 within this policy's namespace. 3260 type: string 3261 type: object 3262 type: object 3263 required: 3264 - action 3265 type: object 3266 type: array 3267 ingress: 3268 description: The ordered set of ingress rules. Each rule contains 3269 a set of packet match criteria and a corresponding action to apply. 3270 items: 3271 description: "A Rule encapsulates a set of match criteria and an 3272 action. Both selector-based security Policy and security Profiles 3273 reference rules - separated out as a list of rules for both ingress 3274 and egress packet matching. \n Each positive match criteria has 3275 a negated version, prefixed with \"Not\". All the match criteria 3276 within a rule must be satisfied for a packet to match. A single 3277 rule can contain the positive and negative version of a match 3278 and both must be satisfied for the rule to match." 3279 properties: 3280 action: 3281 type: string 3282 destination: 3283 description: Destination contains the match criteria that apply 3284 to destination entity. 3285 properties: 3286 namespaceSelector: 3287 description: "NamespaceSelector is an optional field that 3288 contains a selector expression. Only traffic that originates 3289 from (or terminates at) endpoints within the selected 3290 namespaces will be matched. When both NamespaceSelector 3291 and another selector are defined on the same rule, then 3292 only workload endpoints that are matched by both selectors 3293 will be selected by the rule. \n For NetworkPolicy, an 3294 empty NamespaceSelector implies that the Selector is limited 3295 to selecting only workload endpoints in the same namespace 3296 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3297 NamespaceSelector implies that the Selector is limited 3298 to selecting only GlobalNetworkSet or HostEndpoint. \n 3299 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3300 the Selector applies to workload endpoints across all 3301 namespaces." 3302 type: string 3303 nets: 3304 description: Nets is an optional field that restricts the 3305 rule to only apply to traffic that originates from (or 3306 terminates at) IP addresses in any of the given subnets. 3307 items: 3308 type: string 3309 type: array 3310 notNets: 3311 description: NotNets is the negated version of the Nets 3312 field. 3313 items: 3314 type: string 3315 type: array 3316 notPorts: 3317 description: NotPorts is the negated version of the Ports 3318 field. Since only some protocols have ports, if any ports 3319 are specified it requires the Protocol match in the Rule 3320 to be set to "TCP" or "UDP". 3321 items: 3322 anyOf: 3323 - type: integer 3324 - type: string 3325 pattern: ^.* 3326 x-kubernetes-int-or-string: true 3327 type: array 3328 notSelector: 3329 description: NotSelector is the negated version of the Selector 3330 field. See Selector field for subtleties with negated 3331 selectors. 3332 type: string 3333 ports: 3334 description: "Ports is an optional field that restricts 3335 the rule to only apply to traffic that has a source (destination) 3336 port that matches one of these ranges/values. This value 3337 is a list of integers or strings that represent ranges 3338 of ports. \n Since only some protocols have ports, if 3339 any ports are specified it requires the Protocol match 3340 in the Rule to be set to \"TCP\" or \"UDP\"." 3341 items: 3342 anyOf: 3343 - type: integer 3344 - type: string 3345 pattern: ^.* 3346 x-kubernetes-int-or-string: true 3347 type: array 3348 selector: 3349 description: "Selector is an optional field that contains 3350 a selector expression (see Policy for sample syntax). 3351 \ Only traffic that originates from (terminates at) endpoints 3352 matching the selector will be matched. \n Note that: in 3353 addition to the negated version of the Selector (see NotSelector 3354 below), the selector expression syntax itself supports 3355 negation. The two types of negation are subtly different. 3356 One negates the set of matched endpoints, the other negates 3357 the whole match: \n \tSelector = \"!has(my_label)\" matches 3358 packets that are from other Calico-controlled \tendpoints 3359 that do not have the label \"my_label\". \n \tNotSelector 3360 = \"has(my_label)\" matches packets that are not from 3361 Calico-controlled \tendpoints that do have the label \"my_label\". 3362 \n The effect is that the latter will accept packets from 3363 non-Calico sources whereas the former is limited to packets 3364 from Calico-controlled endpoints." 3365 type: string 3366 serviceAccounts: 3367 description: ServiceAccounts is an optional field that restricts 3368 the rule to only apply to traffic that originates from 3369 (or terminates at) a pod running as a matching service 3370 account. 3371 properties: 3372 names: 3373 description: Names is an optional field that restricts 3374 the rule to only apply to traffic that originates 3375 from (or terminates at) a pod running as a service 3376 account whose name is in the list. 3377 items: 3378 type: string 3379 type: array 3380 selector: 3381 description: Selector is an optional field that restricts 3382 the rule to only apply to traffic that originates 3383 from (or terminates at) a pod running as a service 3384 account that matches the given label selector. If 3385 both Names and Selector are specified then they are 3386 AND'ed. 3387 type: string 3388 type: object 3389 services: 3390 description: "Services is an optional field that contains 3391 options for matching Kubernetes Services. If specified, 3392 only traffic that originates from or terminates at endpoints 3393 within the selected service(s) will be matched, and only 3394 to/from each endpoint's port. \n Services cannot be specified 3395 on the same rule as Selector, NotSelector, NamespaceSelector, 3396 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3397 can only be specified with Services on ingress rules." 3398 properties: 3399 name: 3400 description: Name specifies the name of a Kubernetes 3401 Service to match. 3402 type: string 3403 namespace: 3404 description: Namespace specifies the namespace of the 3405 given Service. If left empty, the rule will match 3406 within this policy's namespace. 3407 type: string 3408 type: object 3409 type: object 3410 http: 3411 description: HTTP contains match criteria that apply to HTTP 3412 requests. 3413 properties: 3414 methods: 3415 description: Methods is an optional field that restricts 3416 the rule to apply only to HTTP requests that use one of 3417 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3418 methods are OR'd together. 3419 items: 3420 type: string 3421 type: array 3422 paths: 3423 description: 'Paths is an optional field that restricts 3424 the rule to apply to HTTP requests that use one of the 3425 listed HTTP Paths. Multiple paths are OR''d together. 3426 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3427 ONLY specify either a `exact` or a `prefix` match. The 3428 validator will check for it.' 3429 items: 3430 description: 'HTTPPath specifies an HTTP path to match. 3431 It may be either of the form: exact: <path>: which matches 3432 the path exactly or prefix: <path-prefix>: which matches 3433 the path prefix' 3434 properties: 3435 exact: 3436 type: string 3437 prefix: 3438 type: string 3439 type: object 3440 type: array 3441 type: object 3442 icmp: 3443 description: ICMP is an optional field that restricts the rule 3444 to apply to a specific type and code of ICMP traffic. This 3445 should only be specified if the Protocol field is set to "ICMP" 3446 or "ICMPv6". 3447 properties: 3448 code: 3449 description: Match on a specific ICMP code. If specified, 3450 the Type value must also be specified. This is a technical 3451 limitation imposed by the kernel's iptables firewall, 3452 which Calico uses to enforce the rule. 3453 type: integer 3454 type: 3455 description: Match on a specific ICMP type. For example 3456 a value of 8 refers to ICMP Echo Request (i.e. pings). 3457 type: integer 3458 type: object 3459 ipVersion: 3460 description: IPVersion is an optional field that restricts the 3461 rule to only match a specific IP version. 3462 type: integer 3463 metadata: 3464 description: Metadata contains additional information for this 3465 rule 3466 properties: 3467 annotations: 3468 additionalProperties: 3469 type: string 3470 description: Annotations is a set of key value pairs that 3471 give extra information about the rule 3472 type: object 3473 type: object 3474 notICMP: 3475 description: NotICMP is the negated version of the ICMP field. 3476 properties: 3477 code: 3478 description: Match on a specific ICMP code. If specified, 3479 the Type value must also be specified. This is a technical 3480 limitation imposed by the kernel's iptables firewall, 3481 which Calico uses to enforce the rule. 3482 type: integer 3483 type: 3484 description: Match on a specific ICMP type. For example 3485 a value of 8 refers to ICMP Echo Request (i.e. pings). 3486 type: integer 3487 type: object 3488 notProtocol: 3489 anyOf: 3490 - type: integer 3491 - type: string 3492 description: NotProtocol is the negated version of the Protocol 3493 field. 3494 pattern: ^.* 3495 x-kubernetes-int-or-string: true 3496 protocol: 3497 anyOf: 3498 - type: integer 3499 - type: string 3500 description: "Protocol is an optional field that restricts the 3501 rule to only apply to traffic of a specific IP protocol. Required 3502 if any of the EntityRules contain Ports (because ports only 3503 apply to certain protocols). \n Must be one of these string 3504 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3505 \"UDPLite\" or an integer in the range 1-255." 3506 pattern: ^.* 3507 x-kubernetes-int-or-string: true 3508 source: 3509 description: Source contains the match criteria that apply to 3510 source entity. 3511 properties: 3512 namespaceSelector: 3513 description: "NamespaceSelector is an optional field that 3514 contains a selector expression. Only traffic that originates 3515 from (or terminates at) endpoints within the selected 3516 namespaces will be matched. When both NamespaceSelector 3517 and another selector are defined on the same rule, then 3518 only workload endpoints that are matched by both selectors 3519 will be selected by the rule. \n For NetworkPolicy, an 3520 empty NamespaceSelector implies that the Selector is limited 3521 to selecting only workload endpoints in the same namespace 3522 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3523 NamespaceSelector implies that the Selector is limited 3524 to selecting only GlobalNetworkSet or HostEndpoint. \n 3525 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3526 the Selector applies to workload endpoints across all 3527 namespaces." 3528 type: string 3529 nets: 3530 description: Nets is an optional field that restricts the 3531 rule to only apply to traffic that originates from (or 3532 terminates at) IP addresses in any of the given subnets. 3533 items: 3534 type: string 3535 type: array 3536 notNets: 3537 description: NotNets is the negated version of the Nets 3538 field. 3539 items: 3540 type: string 3541 type: array 3542 notPorts: 3543 description: NotPorts is the negated version of the Ports 3544 field. Since only some protocols have ports, if any ports 3545 are specified it requires the Protocol match in the Rule 3546 to be set to "TCP" or "UDP". 3547 items: 3548 anyOf: 3549 - type: integer 3550 - type: string 3551 pattern: ^.* 3552 x-kubernetes-int-or-string: true 3553 type: array 3554 notSelector: 3555 description: NotSelector is the negated version of the Selector 3556 field. See Selector field for subtleties with negated 3557 selectors. 3558 type: string 3559 ports: 3560 description: "Ports is an optional field that restricts 3561 the rule to only apply to traffic that has a source (destination) 3562 port that matches one of these ranges/values. This value 3563 is a list of integers or strings that represent ranges 3564 of ports. \n Since only some protocols have ports, if 3565 any ports are specified it requires the Protocol match 3566 in the Rule to be set to \"TCP\" or \"UDP\"." 3567 items: 3568 anyOf: 3569 - type: integer 3570 - type: string 3571 pattern: ^.* 3572 x-kubernetes-int-or-string: true 3573 type: array 3574 selector: 3575 description: "Selector is an optional field that contains 3576 a selector expression (see Policy for sample syntax). 3577 \ Only traffic that originates from (terminates at) endpoints 3578 matching the selector will be matched. \n Note that: in 3579 addition to the negated version of the Selector (see NotSelector 3580 below), the selector expression syntax itself supports 3581 negation. The two types of negation are subtly different. 3582 One negates the set of matched endpoints, the other negates 3583 the whole match: \n \tSelector = \"!has(my_label)\" matches 3584 packets that are from other Calico-controlled \tendpoints 3585 that do not have the label \"my_label\". \n \tNotSelector 3586 = \"has(my_label)\" matches packets that are not from 3587 Calico-controlled \tendpoints that do have the label \"my_label\". 3588 \n The effect is that the latter will accept packets from 3589 non-Calico sources whereas the former is limited to packets 3590 from Calico-controlled endpoints." 3591 type: string 3592 serviceAccounts: 3593 description: ServiceAccounts is an optional field that restricts 3594 the rule to only apply to traffic that originates from 3595 (or terminates at) a pod running as a matching service 3596 account. 3597 properties: 3598 names: 3599 description: Names is an optional field that restricts 3600 the rule to only apply to traffic that originates 3601 from (or terminates at) a pod running as a service 3602 account whose name is in the list. 3603 items: 3604 type: string 3605 type: array 3606 selector: 3607 description: Selector is an optional field that restricts 3608 the rule to only apply to traffic that originates 3609 from (or terminates at) a pod running as a service 3610 account that matches the given label selector. If 3611 both Names and Selector are specified then they are 3612 AND'ed. 3613 type: string 3614 type: object 3615 services: 3616 description: "Services is an optional field that contains 3617 options for matching Kubernetes Services. If specified, 3618 only traffic that originates from or terminates at endpoints 3619 within the selected service(s) will be matched, and only 3620 to/from each endpoint's port. \n Services cannot be specified 3621 on the same rule as Selector, NotSelector, NamespaceSelector, 3622 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3623 can only be specified with Services on ingress rules." 3624 properties: 3625 name: 3626 description: Name specifies the name of a Kubernetes 3627 Service to match. 3628 type: string 3629 namespace: 3630 description: Namespace specifies the namespace of the 3631 given Service. If left empty, the rule will match 3632 within this policy's namespace. 3633 type: string 3634 type: object 3635 type: object 3636 required: 3637 - action 3638 type: object 3639 type: array 3640 order: 3641 description: Order is an optional field that specifies the order in 3642 which the policy is applied. Policies with higher "order" are applied 3643 after those with lower order. If the order is omitted, it may be 3644 considered to be "infinite" - i.e. the policy will be applied last. Policies 3645 with identical order will be applied in alphanumerical order based 3646 on the Policy "Name". 3647 type: number 3648 selector: 3649 description: "The selector is an expression used to pick pick out 3650 the endpoints that the policy should be applied to. \n Selector 3651 expressions follow this syntax: \n \tlabel == \"string_literal\" 3652 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 3653 \ -> not equal; also matches if label is not present \tlabel in 3654 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 3655 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 3656 ... } -> true if the value of label X is not one of \"a\", \"b\", 3657 \"c\" \thas(label_name) -> True if that label is present \t! expr 3658 -> negation of expr \texpr && expr -> Short-circuit and \texpr 3659 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 3660 or the empty selector -> matches all endpoints. \n Label names are 3661 allowed to contain alphanumerics, -, _ and /. String literals are 3662 more permissive but they do not support escape characters. \n Examples 3663 (with made-up labels): \n \ttype == \"webserver\" && deployment 3664 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 3665 \"dev\" \t! has(label_name)" 3666 type: string 3667 serviceAccountSelector: 3668 description: ServiceAccountSelector is an optional field for an expression 3669 used to select a pod based on service accounts. 3670 type: string 3671 types: 3672 description: "Types indicates whether this policy applies to ingress, 3673 or to egress, or to both. When not explicitly specified (and so 3674 the value on creation is empty or nil), Calico defaults Types according 3675 to what Ingress and Egress are present in the policy. The default 3676 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 3677 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 3678 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 3679 PolicyTypeEgress ], if there are both Ingress and Egress rules. 3680 \n When the policy is read back again, Types will always be one 3681 of these values, never empty or nil." 3682 items: 3683 description: PolicyType enumerates the possible values of the PolicySpec 3684 Types field. 3685 type: string 3686 type: array 3687 type: object 3688 type: object 3689 served: true 3690 storage: true 3691 status: 3692 acceptedNames: 3693 kind: "" 3694 plural: "" 3695 conditions: [] 3696 storedVersions: [] 3697 3698 --- 3699 # Source: crds/calico/kdd/crd.projectcalico.org_networksets.yaml 3700 apiVersion: apiextensions.k8s.io/v1 3701 kind: CustomResourceDefinition 3702 metadata: 3703 name: networksets.crd.projectcalico.org 3704 spec: 3705 group: crd.projectcalico.org 3706 names: 3707 kind: NetworkSet 3708 listKind: NetworkSetList 3709 plural: networksets 3710 singular: networkset 3711 scope: Namespaced 3712 versions: 3713 - name: v1 3714 schema: 3715 openAPIV3Schema: 3716 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 3717 properties: 3718 apiVersion: 3719 description: 'APIVersion defines the versioned schema of this representation 3720 of an object. Servers should convert recognized schemas to the latest 3721 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3722 type: string 3723 kind: 3724 description: 'Kind is a string value representing the REST resource this 3725 object represents. Servers may infer this from the endpoint the client 3726 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3727 type: string 3728 metadata: 3729 type: object 3730 spec: 3731 description: NetworkSetSpec contains the specification for a NetworkSet 3732 resource. 3733 properties: 3734 nets: 3735 description: The list of IP networks that belong to this set. 3736 items: 3737 type: string 3738 type: array 3739 type: object 3740 type: object 3741 served: true 3742 storage: true 3743 status: 3744 acceptedNames: 3745 kind: "" 3746 plural: "" 3747 conditions: [] 3748 storedVersions: [] 3749 3750 --- 3751 # Source: crds/operator.tigera.io_apiservers_crd.yaml 3752 apiVersion: apiextensions.k8s.io/v1 3753 kind: CustomResourceDefinition 3754 metadata: 3755 annotations: 3756 controller-gen.kubebuilder.io/version: v0.3.0 3757 name: apiservers.operator.tigera.io 3758 spec: 3759 group: operator.tigera.io 3760 names: 3761 kind: APIServer 3762 listKind: APIServerList 3763 plural: apiservers 3764 singular: apiserver 3765 scope: Cluster 3766 versions: 3767 - name: v1 3768 schema: 3769 openAPIV3Schema: 3770 description: APIServer installs the Tigera API server and related resources. 3771 At most one instance of this resource is supported. It must be named "tigera-secure". 3772 properties: 3773 apiVersion: 3774 description: 'APIVersion defines the versioned schema of this representation 3775 of an object. Servers should convert recognized schemas to the latest 3776 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3777 type: string 3778 kind: 3779 description: 'Kind is a string value representing the REST resource this 3780 object represents. Servers may infer this from the endpoint the client 3781 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3782 type: string 3783 metadata: 3784 type: object 3785 spec: 3786 description: Specification of the desired state for the Tigera API server. 3787 type: object 3788 status: 3789 description: Most recently observed status for the Tigera API server. 3790 properties: 3791 state: 3792 description: State provides user-readable status. 3793 type: string 3794 type: object 3795 type: object 3796 served: true 3797 storage: true 3798 subresources: 3799 status: {} 3800 3801 --- 3802 # Source: crds/operator.tigera.io_imagesets_crd.yaml 3803 apiVersion: apiextensions.k8s.io/v1 3804 kind: CustomResourceDefinition 3805 metadata: 3806 annotations: 3807 controller-gen.kubebuilder.io/version: v0.3.0 3808 name: imagesets.operator.tigera.io 3809 spec: 3810 group: operator.tigera.io 3811 names: 3812 kind: ImageSet 3813 listKind: ImageSetList 3814 plural: imagesets 3815 singular: imageset 3816 scope: Cluster 3817 versions: 3818 - name: v1 3819 schema: 3820 openAPIV3Schema: 3821 description: ImageSet is used to specify image digests for the images that 3822 the operator deploys. The name of the ImageSet is expected to be in the 3823 format `<variang>-<release>`. The `variant` used is `enterprise` if the 3824 InstallationSpec Variant is `TigeraSecureEnterprise` otherwise it is `calico`. 3825 The `release` must match the version of the variant that the operator is 3826 built to deploy, this version can be obtained by passing the `--version` 3827 flag to the operator binary. 3828 properties: 3829 apiVersion: 3830 description: 'APIVersion defines the versioned schema of this representation 3831 of an object. Servers should convert recognized schemas to the latest 3832 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3833 type: string 3834 kind: 3835 description: 'Kind is a string value representing the REST resource this 3836 object represents. Servers may infer this from the endpoint the client 3837 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3838 type: string 3839 metadata: 3840 type: object 3841 spec: 3842 description: ImageSetSpec defines the desired state of ImageSet. 3843 properties: 3844 images: 3845 description: Images is the list of images to use digests. All images 3846 that the operator will deploy must be specified. 3847 items: 3848 properties: 3849 digest: 3850 description: Digest is the image identifier that will be used 3851 for the Image. The field should not include a leading `@` 3852 and must be prefixed with `sha256:`. 3853 type: string 3854 image: 3855 description: Image is an image that the operator deploys and 3856 instead of using the built in tag the operator will use the 3857 Digest for the image identifier. The value should be the image 3858 name without registry or tag or digest. For the image `docker.io/calico/node:v3.17.1` 3859 it should be represented as `calico/node` 3860 type: string 3861 required: 3862 - digest 3863 - image 3864 type: object 3865 type: array 3866 type: object 3867 type: object 3868 served: true 3869 storage: true 3870 subresources: 3871 status: {} 3872 status: 3873 acceptedNames: 3874 kind: "" 3875 plural: "" 3876 conditions: [] 3877 storedVersions: [] 3878 3879 --- 3880 # Source: crds/operator.tigera.io_installations_crd.yaml 3881 apiVersion: apiextensions.k8s.io/v1 3882 kind: CustomResourceDefinition 3883 metadata: 3884 annotations: 3885 controller-gen.kubebuilder.io/version: v0.3.0 3886 name: installations.operator.tigera.io 3887 spec: 3888 group: operator.tigera.io 3889 names: 3890 kind: Installation 3891 listKind: InstallationList 3892 plural: installations 3893 singular: installation 3894 scope: Cluster 3895 versions: 3896 - name: v1 3897 schema: 3898 openAPIV3Schema: 3899 description: Installation configures an installation of Calico or Calico Enterprise. 3900 At most one instance of this resource is supported. It must be named "default". 3901 The Installation API installs core networking and network policy components, 3902 and provides general install-time configuration. 3903 properties: 3904 apiVersion: 3905 description: 'APIVersion defines the versioned schema of this representation 3906 of an object. Servers should convert recognized schemas to the latest 3907 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3908 type: string 3909 kind: 3910 description: 'Kind is a string value representing the REST resource this 3911 object represents. Servers may infer this from the endpoint the client 3912 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3913 type: string 3914 metadata: 3915 type: object 3916 spec: 3917 description: Specification of the desired state for the Calico or Calico 3918 Enterprise installation. 3919 properties: 3920 calicoNetwork: 3921 description: CalicoNetwork specifies networking configuration options 3922 for Calico. 3923 properties: 3924 bgp: 3925 description: BGP configures whether or not to enable Calico's 3926 BGP capabilities. 3927 enum: 3928 - Enabled 3929 - Disabled 3930 type: string 3931 containerIPForwarding: 3932 description: 'ContainerIPForwarding configures whether ip forwarding 3933 will be enabled for containers in the CNI configuration. Default: 3934 Disabled' 3935 enum: 3936 - Enabled 3937 - Disabled 3938 type: string 3939 hostPorts: 3940 description: 'HostPorts configures whether or not Calico will 3941 support Kubernetes HostPorts. Valid only when using the Calico 3942 CNI plugin. Default: Enabled' 3943 enum: 3944 - Enabled 3945 - Disabled 3946 type: string 3947 ipPools: 3948 description: IPPools contains a list of IP pools to create if 3949 none exist. At most one IP pool of each address family may be 3950 specified. If omitted, a single pool will be configured if needed. 3951 items: 3952 properties: 3953 blockSize: 3954 description: 'BlockSize specifies the CIDR prefex length 3955 to use when allocating per-node IP blocks from the main 3956 IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' 3957 format: int32 3958 type: integer 3959 cidr: 3960 description: CIDR contains the address range for the IP 3961 Pool in classless inter-domain routing format. 3962 type: string 3963 encapsulation: 3964 description: 'Encapsulation specifies the encapsulation 3965 type that will be used with the IP Pool. Default: IPIP' 3966 enum: 3967 - IPIPCrossSubnet 3968 - IPIP 3969 - VXLAN 3970 - VXLANCrossSubnet 3971 - None 3972 type: string 3973 natOutgoing: 3974 description: 'NATOutgoing specifies if NAT will be enabled 3975 or disabled for outgoing traffic. Default: Enabled' 3976 enum: 3977 - Enabled 3978 - Disabled 3979 type: string 3980 nodeSelector: 3981 description: 'NodeSelector specifies the node selector that 3982 will be set for the IP Pool. Default: ''all()''' 3983 type: string 3984 required: 3985 - cidr 3986 type: object 3987 type: array 3988 linuxDataplane: 3989 description: 'LinuxDataplane is used to select the dataplane used 3990 for Linux nodes. In particular, it causes the operator to add 3991 required mounts and environment variables for the particular 3992 dataplane. If not specified, iptables mode is used. Default: 3993 Iptables' 3994 enum: 3995 - Iptables 3996 - BPF 3997 - VPP 3998 type: string 3999 mtu: 4000 description: MTU specifies the maximum transmission unit to use 4001 on the pod network. If not specified, Calico will perform MTU 4002 auto-detection based on the cluster network. 4003 format: int32 4004 type: integer 4005 multiInterfaceMode: 4006 description: 'MultiInterfaceMode configures what will configure 4007 multiple interface per pod. Only valid for Calico Enterprise 4008 installations using the Calico CNI plugin. Default: None' 4009 enum: 4010 - None 4011 - Multus 4012 type: string 4013 nodeAddressAutodetectionV4: 4014 description: NodeAddressAutodetectionV4 specifies an approach 4015 to automatically detect node IPv4 addresses. If not specified, 4016 will use default auto-detection settings to acquire an IPv4 4017 address for each node. 4018 properties: 4019 canReach: 4020 description: CanReach enables IP auto-detection based on which 4021 source address on the node is used to reach the specified 4022 IP or domain. 4023 type: string 4024 cidrs: 4025 description: CIDRS enables IP auto-detection based on which 4026 addresses on the nodes are within one of the provided CIDRs. 4027 items: 4028 type: string 4029 type: array 4030 firstFound: 4031 description: FirstFound uses default interface matching parameters 4032 to select an interface, performing best-effort filtering 4033 based on well-known interface names. 4034 type: boolean 4035 interface: 4036 description: Interface enables IP auto-detection based on 4037 interfaces that match the given regex. 4038 type: string 4039 kubernetes: 4040 description: Kubernetes configures Calico to detect node addresses 4041 based on the Kubernetes API. 4042 enum: 4043 - NodeInternalIP 4044 type: string 4045 skipInterface: 4046 description: SkipInterface enables IP auto-detection based 4047 on interfaces that do not match the given regex. 4048 type: string 4049 type: object 4050 nodeAddressAutodetectionV6: 4051 description: NodeAddressAutodetectionV6 specifies an approach 4052 to automatically detect node IPv6 addresses. If not specified, 4053 IPv6 addresses will not be auto-detected. 4054 properties: 4055 canReach: 4056 description: CanReach enables IP auto-detection based on which 4057 source address on the node is used to reach the specified 4058 IP or domain. 4059 type: string 4060 cidrs: 4061 description: CIDRS enables IP auto-detection based on which 4062 addresses on the nodes are within one of the provided CIDRs. 4063 items: 4064 type: string 4065 type: array 4066 firstFound: 4067 description: FirstFound uses default interface matching parameters 4068 to select an interface, performing best-effort filtering 4069 based on well-known interface names. 4070 type: boolean 4071 interface: 4072 description: Interface enables IP auto-detection based on 4073 interfaces that match the given regex. 4074 type: string 4075 kubernetes: 4076 description: Kubernetes configures Calico to detect node addresses 4077 based on the Kubernetes API. 4078 enum: 4079 - NodeInternalIP 4080 type: string 4081 skipInterface: 4082 description: SkipInterface enables IP auto-detection based 4083 on interfaces that do not match the given regex. 4084 type: string 4085 type: object 4086 type: object 4087 certificateManagement: 4088 description: CertificateManagement configures pods to submit a CertificateSigningRequest 4089 to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. 4090 This feature requires that you bring your own CSR signing and approval 4091 process, otherwise pods will be stuck during initialization. 4092 properties: 4093 caCert: 4094 description: Certificate of the authority that signs the CertificateSigningRequests 4095 in PEM format. 4096 format: byte 4097 type: string 4098 keyAlgorithm: 4099 description: 'Specify the algorithm used by pods to generate a 4100 key pair that is associated with the X.509 certificate request. 4101 Default: RSAWithSize2048' 4102 enum: 4103 - "" 4104 - RSAWithSize2048 4105 - RSAWithSize4096 4106 - RSAWithSize8192 4107 - ECDSAWithCurve256 4108 - ECDSAWithCurve384 4109 - ECDSAWithCurve521 4110 type: string 4111 signatureAlgorithm: 4112 description: 'Specify the algorithm used for the signature of 4113 the X.509 certificate request. Default: SHA256WithRSA' 4114 enum: 4115 - "" 4116 - SHA256WithRSA 4117 - SHA384WithRSA 4118 - SHA512WithRSA 4119 - ECDSAWithSHA256 4120 - ECDSAWithSHA384 4121 - ECDSAWithSHA512 4122 type: string 4123 signerName: 4124 description: 'When a CSR is issued to the certificates.k8s.io 4125 API, the signerName is added to the request in order to accommodate 4126 for clusters with multiple signers. Must be formatted as: `<my-domain>/<my-signername>`.' 4127 type: string 4128 required: 4129 - caCert 4130 - signerName 4131 type: object 4132 cni: 4133 description: CNI specifies the CNI that will be used by this installation. 4134 properties: 4135 ipam: 4136 description: IPAM specifies the pod IP address management that 4137 will be used in the Calico or Calico Enterprise installation. 4138 properties: 4139 type: 4140 description: "Specifies the IPAM plugin that will be used 4141 in the Calico or Calico Enterprise installation. * For CNI 4142 Plugin Calico, this field defaults to Calico. * For CNI 4143 Plugin GKE, this field defaults to HostLocal. * For CNI 4144 Plugin AzureVNET, this field defaults to AzureVNET. * For 4145 CNI Plugin AmazonVPC, this field defaults to AmazonVPC. 4146 \n The IPAM plugin is installed and configured only if the 4147 CNI plugin is set to Calico, for all other values of the 4148 CNI plugin the plugin binaries and CNI config is a dependency 4149 that is expected to be installed separately. \n Default: 4150 Calico" 4151 enum: 4152 - Calico 4153 - HostLocal 4154 - AmazonVPC 4155 - AzureVNET 4156 type: string 4157 required: 4158 - type 4159 type: object 4160 type: 4161 description: "Specifies the CNI plugin that will be used in the 4162 Calico or Calico Enterprise installation. * For KubernetesProvider 4163 GKE, this field defaults to GKE. * For KubernetesProvider AKS, 4164 this field defaults to AzureVNET. * For KubernetesProvider EKS, 4165 this field defaults to AmazonVPC. * If aws-node daemonset exists 4166 in kube-system when the Installation resource is created, this 4167 field defaults to AmazonVPC. * For all other cases this field 4168 defaults to Calico. \n For the value Calico, the CNI plugin 4169 binaries and CNI config will be installed as part of deployment, 4170 for all other values the CNI plugin binaries and CNI config 4171 is a dependency that is expected to be installed separately. 4172 \n Default: Calico" 4173 enum: 4174 - Calico 4175 - GKE 4176 - AmazonVPC 4177 - AzureVNET 4178 type: string 4179 required: 4180 - type 4181 type: object 4182 componentResources: 4183 description: ComponentResources can be used to customize the resource 4184 requirements for each component. Node, Typha, and KubeControllers 4185 are supported for installations. 4186 items: 4187 description: The ComponentResource struct associates a ResourceRequirements 4188 with a component by name 4189 properties: 4190 componentName: 4191 description: ComponentName is an enum which identifies the component 4192 enum: 4193 - Node 4194 - Typha 4195 - KubeControllers 4196 type: string 4197 resourceRequirements: 4198 description: ResourceRequirements allows customization of limits 4199 and requests for compute resources such as cpu and memory. 4200 properties: 4201 limits: 4202 additionalProperties: 4203 anyOf: 4204 - type: integer 4205 - type: string 4206 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 4207 x-kubernetes-int-or-string: true 4208 description: 'Limits describes the maximum amount of compute 4209 resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' 4210 type: object 4211 requests: 4212 additionalProperties: 4213 anyOf: 4214 - type: integer 4215 - type: string 4216 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 4217 x-kubernetes-int-or-string: true 4218 description: 'Requests describes the minimum amount of compute 4219 resources required. If Requests is omitted for a container, 4220 it defaults to Limits if that is explicitly specified, 4221 otherwise to an implementation-defined value. More info: 4222 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' 4223 type: object 4224 type: object 4225 required: 4226 - componentName 4227 - resourceRequirements 4228 type: object 4229 type: array 4230 controlPlaneNodeSelector: 4231 additionalProperties: 4232 type: string 4233 description: ControlPlaneNodeSelector is used to select control plane 4234 nodes on which to run Calico components. This is globally applied 4235 to all resources created by the operator excluding daemonsets. 4236 type: object 4237 controlPlaneReplicas: 4238 description: ControlPlaneReplicas defines how many replicas of the 4239 control plane core components will be deployed. This field applies 4240 to all control plane components that support High Availability. 4241 Defaults to 2. 4242 format: int32 4243 type: integer 4244 controlPlaneTolerations: 4245 description: ControlPlaneTolerations specify tolerations which are 4246 then globally applied to all resources created by the operator. 4247 items: 4248 description: The pod this Toleration is attached to tolerates any 4249 taint that matches the triple <key,value,effect> using the matching 4250 operator <operator>. 4251 properties: 4252 effect: 4253 description: Effect indicates the taint effect to match. Empty 4254 means match all taint effects. When specified, allowed values 4255 are NoSchedule, PreferNoSchedule and NoExecute. 4256 type: string 4257 key: 4258 description: Key is the taint key that the toleration applies 4259 to. Empty means match all taint keys. If the key is empty, 4260 operator must be Exists; this combination means to match all 4261 values and all keys. 4262 type: string 4263 operator: 4264 description: Operator represents a key's relationship to the 4265 value. Valid operators are Exists and Equal. Defaults to Equal. 4266 Exists is equivalent to wildcard for value, so that a pod 4267 can tolerate all taints of a particular category. 4268 type: string 4269 tolerationSeconds: 4270 description: TolerationSeconds represents the period of time 4271 the toleration (which must be of effect NoExecute, otherwise 4272 this field is ignored) tolerates the taint. By default, it 4273 is not set, which means tolerate the taint forever (do not 4274 evict). Zero and negative values will be treated as 0 (evict 4275 immediately) by the system. 4276 format: int64 4277 type: integer 4278 value: 4279 description: Value is the taint value the toleration matches 4280 to. If the operator is Exists, the value should be empty, 4281 otherwise just a regular string. 4282 type: string 4283 type: object 4284 type: array 4285 flexVolumePath: 4286 description: FlexVolumePath optionally specifies a custom path for 4287 FlexVolume. If not specified, FlexVolume will be enabled by default. 4288 If set to 'None', FlexVolume will be disabled. The default is based 4289 on the kubernetesProvider. 4290 type: string 4291 imagePath: 4292 description: "ImagePath allows for the path part of an image to be 4293 specified. If specified then the specified value will be used as 4294 the image path for each image. If not specified or empty, the default 4295 for each image will be used. A special case value, UseDefault, is 4296 supported to explicitly specify the default image path will be used 4297 for each image. \n Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 4298 \n This option allows configuring the `<imagePath>` portion of the 4299 above format." 4300 type: string 4301 imagePrefix: 4302 description: "ImagePrefix allows for the prefix part of an image to 4303 be specified. If specified then the given value will be used as 4304 a prefix on each image. If not specified or empty, no prefix will 4305 be used. A special case value, UseDefault, is supported to explicitly 4306 specify the default image prefix will be used for each image. \n 4307 Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 4308 \n This option allows configuring the `<imagePrefix>` portion of 4309 the above format." 4310 type: string 4311 imagePullSecrets: 4312 description: ImagePullSecrets is an array of references to container 4313 registry pull secrets to use. These are applied to all images to 4314 be pulled. 4315 items: 4316 description: LocalObjectReference contains enough information to 4317 let you locate the referenced object inside the same namespace. 4318 properties: 4319 name: 4320 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 4321 TODO: Add other useful fields. apiVersion, kind, uid?' 4322 type: string 4323 type: object 4324 type: array 4325 kubernetesProvider: 4326 description: KubernetesProvider specifies a particular provider of 4327 the Kubernetes platform and enables provider-specific configuration. 4328 If the specified value is empty, the Operator will attempt to automatically 4329 determine the current provider. If the specified value is not empty, 4330 the Operator will still attempt auto-detection, but will additionally 4331 compare the auto-detected value to the specified value to confirm 4332 they match. 4333 enum: 4334 - "" 4335 - EKS 4336 - GKE 4337 - AKS 4338 - OpenShift 4339 - DockerEnterprise 4340 type: string 4341 nodeMetricsPort: 4342 description: NodeMetricsPort specifies which port calico/node serves 4343 prometheus metrics on. By default, metrics are not enabled. If specified, 4344 this overrides any FelixConfiguration resources which may exist. 4345 If omitted, then prometheus metrics may still be configured through 4346 FelixConfiguration. 4347 format: int32 4348 type: integer 4349 nodeUpdateStrategy: 4350 description: NodeUpdateStrategy can be used to customize the desired 4351 update strategy, such as the MaxUnavailable field. 4352 properties: 4353 rollingUpdate: 4354 description: 'Rolling update config params. Present only if type 4355 = "RollingUpdate". --- TODO: Update this to follow our convention 4356 for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. 4357 See https://github.com/kubernetes/kubernetes/issues/35345' 4358 properties: 4359 maxSurge: 4360 anyOf: 4361 - type: integer 4362 - type: string 4363 description: 'The maximum number of nodes with an existing 4364 available DaemonSet pod that can have an updated DaemonSet 4365 pod during during an update. Value can be an absolute number 4366 (ex: 5) or a percentage of desired pods (ex: 10%). This 4367 can not be 0 if MaxUnavailable is 0. Absolute number is 4368 calculated from percentage by rounding up to a minimum of 4369 1. Default value is 0. Example: when this is set to 30%, 4370 at most 30% of the total number of nodes that should be 4371 running the daemon pod (i.e. status.desiredNumberScheduled) 4372 can have their a new pod created before the old pod is marked 4373 as deleted. The update starts by launching new pods on 30% 4374 of nodes. Once an updated pod is available (Ready for at 4375 least minReadySeconds) the old DaemonSet pod on that node 4376 is marked deleted. If the old pod becomes unavailable for 4377 any reason (Ready transitions to false, is evicted, or is 4378 drained) an updated pod is immediatedly created on that 4379 node without considering surge limits. Allowing surge implies 4380 the possibility that the resources consumed by the daemonset 4381 on any given node can double if the readiness check fails, 4382 and so resource intensive daemonsets should take into account 4383 that they may cause evictions during disruption. This is 4384 an alpha field and requires enabling DaemonSetUpdateSurge 4385 feature gate.' 4386 x-kubernetes-int-or-string: true 4387 maxUnavailable: 4388 anyOf: 4389 - type: integer 4390 - type: string 4391 description: 'The maximum number of DaemonSet pods that can 4392 be unavailable during the update. Value can be an absolute 4393 number (ex: 5) or a percentage of total number of DaemonSet 4394 pods at the start of the update (ex: 10%). Absolute number 4395 is calculated from percentage by rounding down to a minimum 4396 of one. This cannot be 0 if MaxSurge is 0 Default value 4397 is 1. Example: when this is set to 30%, at most 30% of the 4398 total number of nodes that should be running the daemon 4399 pod (i.e. status.desiredNumberScheduled) can have their 4400 pods stopped for an update at any given time. The update 4401 starts by stopping at most 30% of those DaemonSet pods and 4402 then brings up new DaemonSet pods in their place. Once the 4403 new pods are available, it then proceeds onto other DaemonSet 4404 pods, thus ensuring that at least 70% of original number 4405 of DaemonSet pods are available at all times during the 4406 update.' 4407 x-kubernetes-int-or-string: true 4408 type: object 4409 type: 4410 description: Type of daemon set update. Can be "RollingUpdate" 4411 or "OnDelete". Default is RollingUpdate. 4412 type: string 4413 type: object 4414 nonPrivileged: 4415 description: NonPrivileged configures Calico to be run in non-privileged 4416 containers as non-root users where possible. 4417 type: string 4418 registry: 4419 description: "Registry is the default Docker registry used for component 4420 Docker images. If specified then the given value must end with a 4421 slash character (`/`) and all images will be pulled from this registry. 4422 If not specified then the default registries will be used. A special 4423 case value, UseDefault, is supported to explicitly specify the default 4424 registries will be used. \n Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 4425 \n This option allows configuring the `<registry>` portion of the 4426 above format." 4427 type: string 4428 typhaAffinity: 4429 description: TyphaAffinity allows configuration of node affinity characteristics 4430 for Typha pods. 4431 properties: 4432 nodeAffinity: 4433 description: NodeAffinity describes node affinity scheduling rules 4434 for typha. 4435 properties: 4436 preferredDuringSchedulingIgnoredDuringExecution: 4437 description: The scheduler will prefer to schedule pods to 4438 nodes that satisfy the affinity expressions specified by 4439 this field, but it may choose a node that violates one or 4440 more of the expressions. 4441 items: 4442 description: An empty preferred scheduling term matches 4443 all objects with implicit weight 0 (i.e. it's a no-op). 4444 A null preferred scheduling term matches no objects (i.e. 4445 is also a no-op). 4446 properties: 4447 preference: 4448 description: A node selector term, associated with the 4449 corresponding weight. 4450 properties: 4451 matchExpressions: 4452 description: A list of node selector requirements 4453 by node's labels. 4454 items: 4455 description: A node selector requirement is a 4456 selector that contains values, a key, and an 4457 operator that relates the key and values. 4458 properties: 4459 key: 4460 description: The label key that the selector 4461 applies to. 4462 type: string 4463 operator: 4464 description: Represents a key's relationship 4465 to a set of values. Valid operators are 4466 In, NotIn, Exists, DoesNotExist. Gt, and 4467 Lt. 4468 type: string 4469 values: 4470 description: An array of string values. If 4471 the operator is In or NotIn, the values 4472 array must be non-empty. If the operator 4473 is Exists or DoesNotExist, the values array 4474 must be empty. If the operator is Gt or 4475 Lt, the values array must have a single 4476 element, which will be interpreted as an 4477 integer. This array is replaced during a 4478 strategic merge patch. 4479 items: 4480 type: string 4481 type: array 4482 required: 4483 - key 4484 - operator 4485 type: object 4486 type: array 4487 matchFields: 4488 description: A list of node selector requirements 4489 by node's fields. 4490 items: 4491 description: A node selector requirement is a 4492 selector that contains values, a key, and an 4493 operator that relates the key and values. 4494 properties: 4495 key: 4496 description: The label key that the selector 4497 applies to. 4498 type: string 4499 operator: 4500 description: Represents a key's relationship 4501 to a set of values. Valid operators are 4502 In, NotIn, Exists, DoesNotExist. Gt, and 4503 Lt. 4504 type: string 4505 values: 4506 description: An array of string values. If 4507 the operator is In or NotIn, the values 4508 array must be non-empty. If the operator 4509 is Exists or DoesNotExist, the values array 4510 must be empty. If the operator is Gt or 4511 Lt, the values array must have a single 4512 element, which will be interpreted as an 4513 integer. This array is replaced during a 4514 strategic merge patch. 4515 items: 4516 type: string 4517 type: array 4518 required: 4519 - key 4520 - operator 4521 type: object 4522 type: array 4523 type: object 4524 weight: 4525 description: Weight associated with matching the corresponding 4526 nodeSelectorTerm, in the range 1-100. 4527 format: int32 4528 type: integer 4529 required: 4530 - preference 4531 - weight 4532 type: object 4533 type: array 4534 requiredDuringSchedulingIgnoredDuringExecution: 4535 description: 'WARNING: Please note that if the affinity requirements 4536 specified by this field are not met at scheduling time, 4537 the pod will NOT be scheduled onto the node. There is no 4538 fallback to another affinity rules with this setting. This 4539 may cause networking disruption or even catastrophic failure! 4540 PreferredDuringSchedulingIgnoredDuringExecution should be 4541 used for affinity unless there is a specific well understood 4542 reason to use RequiredDuringSchedulingIgnoredDuringExecution 4543 and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution 4544 will always have sufficient nodes to satisfy the requirement. 4545 NOTE: RequiredDuringSchedulingIgnoredDuringExecution is 4546 set by default for AKS nodes, to avoid scheduling Typhas 4547 on virtual-nodes. If the affinity requirements specified 4548 by this field cease to be met at some point during pod execution 4549 (e.g. due to an update), the system may or may not try to 4550 eventually evict the pod from its node.' 4551 properties: 4552 nodeSelectorTerms: 4553 description: Required. A list of node selector terms. 4554 The terms are ORed. 4555 items: 4556 description: A null or empty node selector term matches 4557 no objects. The requirements of them are ANDed. The 4558 TopologySelectorTerm type implements a subset of the 4559 NodeSelectorTerm. 4560 properties: 4561 matchExpressions: 4562 description: A list of node selector requirements 4563 by node's labels. 4564 items: 4565 description: A node selector requirement is a 4566 selector that contains values, a key, and an 4567 operator that relates the key and values. 4568 properties: 4569 key: 4570 description: The label key that the selector 4571 applies to. 4572 type: string 4573 operator: 4574 description: Represents a key's relationship 4575 to a set of values. Valid operators are 4576 In, NotIn, Exists, DoesNotExist. Gt, and 4577 Lt. 4578 type: string 4579 values: 4580 description: An array of string values. If 4581 the operator is In or NotIn, the values 4582 array must be non-empty. If the operator 4583 is Exists or DoesNotExist, the values array 4584 must be empty. If the operator is Gt or 4585 Lt, the values array must have a single 4586 element, which will be interpreted as an 4587 integer. This array is replaced during a 4588 strategic merge patch. 4589 items: 4590 type: string 4591 type: array 4592 required: 4593 - key 4594 - operator 4595 type: object 4596 type: array 4597 matchFields: 4598 description: A list of node selector requirements 4599 by node's fields. 4600 items: 4601 description: A node selector requirement is a 4602 selector that contains values, a key, and an 4603 operator that relates the key and values. 4604 properties: 4605 key: 4606 description: The label key that the selector 4607 applies to. 4608 type: string 4609 operator: 4610 description: Represents a key's relationship 4611 to a set of values. Valid operators are 4612 In, NotIn, Exists, DoesNotExist. Gt, and 4613 Lt. 4614 type: string 4615 values: 4616 description: An array of string values. If 4617 the operator is In or NotIn, the values 4618 array must be non-empty. If the operator 4619 is Exists or DoesNotExist, the values array 4620 must be empty. If the operator is Gt or 4621 Lt, the values array must have a single 4622 element, which will be interpreted as an 4623 integer. This array is replaced during a 4624 strategic merge patch. 4625 items: 4626 type: string 4627 type: array 4628 required: 4629 - key 4630 - operator 4631 type: object 4632 type: array 4633 type: object 4634 type: array 4635 required: 4636 - nodeSelectorTerms 4637 type: object 4638 type: object 4639 type: object 4640 typhaMetricsPort: 4641 description: TyphaMetricsPort specifies which port calico/typha serves 4642 prometheus metrics on. By default, metrics are not enabled. 4643 format: int32 4644 type: integer 4645 variant: 4646 description: 'Variant is the product to install - one of Calico or 4647 TigeraSecureEnterprise Default: Calico' 4648 enum: 4649 - Calico 4650 - TigeraSecureEnterprise 4651 type: string 4652 type: object 4653 status: 4654 description: Most recently observed state for the Calico or Calico Enterprise 4655 installation. 4656 properties: 4657 computed: 4658 description: Computed is the final installation including overlaid 4659 resources. 4660 properties: 4661 calicoNetwork: 4662 description: CalicoNetwork specifies networking configuration 4663 options for Calico. 4664 properties: 4665 bgp: 4666 description: BGP configures whether or not to enable Calico's 4667 BGP capabilities. 4668 enum: 4669 - Enabled 4670 - Disabled 4671 type: string 4672 containerIPForwarding: 4673 description: 'ContainerIPForwarding configures whether ip 4674 forwarding will be enabled for containers in the CNI configuration. 4675 Default: Disabled' 4676 enum: 4677 - Enabled 4678 - Disabled 4679 type: string 4680 hostPorts: 4681 description: 'HostPorts configures whether or not Calico will 4682 support Kubernetes HostPorts. Valid only when using the 4683 Calico CNI plugin. Default: Enabled' 4684 enum: 4685 - Enabled 4686 - Disabled 4687 type: string 4688 ipPools: 4689 description: IPPools contains a list of IP pools to create 4690 if none exist. At most one IP pool of each address family 4691 may be specified. If omitted, a single pool will be configured 4692 if needed. 4693 items: 4694 properties: 4695 blockSize: 4696 description: 'BlockSize specifies the CIDR prefex length 4697 to use when allocating per-node IP blocks from the 4698 main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' 4699 format: int32 4700 type: integer 4701 cidr: 4702 description: CIDR contains the address range for the 4703 IP Pool in classless inter-domain routing format. 4704 type: string 4705 encapsulation: 4706 description: 'Encapsulation specifies the encapsulation 4707 type that will be used with the IP Pool. Default: 4708 IPIP' 4709 enum: 4710 - IPIPCrossSubnet 4711 - IPIP 4712 - VXLAN 4713 - VXLANCrossSubnet 4714 - None 4715 type: string 4716 natOutgoing: 4717 description: 'NATOutgoing specifies if NAT will be enabled 4718 or disabled for outgoing traffic. Default: Enabled' 4719 enum: 4720 - Enabled 4721 - Disabled 4722 type: string 4723 nodeSelector: 4724 description: 'NodeSelector specifies the node selector 4725 that will be set for the IP Pool. Default: ''all()''' 4726 type: string 4727 required: 4728 - cidr 4729 type: object 4730 type: array 4731 linuxDataplane: 4732 description: 'LinuxDataplane is used to select the dataplane 4733 used for Linux nodes. In particular, it causes the operator 4734 to add required mounts and environment variables for the 4735 particular dataplane. If not specified, iptables mode is 4736 used. Default: Iptables' 4737 enum: 4738 - Iptables 4739 - BPF 4740 - VPP 4741 type: string 4742 mtu: 4743 description: MTU specifies the maximum transmission unit to 4744 use on the pod network. If not specified, Calico will perform 4745 MTU auto-detection based on the cluster network. 4746 format: int32 4747 type: integer 4748 multiInterfaceMode: 4749 description: 'MultiInterfaceMode configures what will configure 4750 multiple interface per pod. Only valid for Calico Enterprise 4751 installations using the Calico CNI plugin. Default: None' 4752 enum: 4753 - None 4754 - Multus 4755 type: string 4756 nodeAddressAutodetectionV4: 4757 description: NodeAddressAutodetectionV4 specifies an approach 4758 to automatically detect node IPv4 addresses. If not specified, 4759 will use default auto-detection settings to acquire an IPv4 4760 address for each node. 4761 properties: 4762 canReach: 4763 description: CanReach enables IP auto-detection based 4764 on which source address on the node is used to reach 4765 the specified IP or domain. 4766 type: string 4767 cidrs: 4768 description: CIDRS enables IP auto-detection based on 4769 which addresses on the nodes are within one of the provided 4770 CIDRs. 4771 items: 4772 type: string 4773 type: array 4774 firstFound: 4775 description: FirstFound uses default interface matching 4776 parameters to select an interface, performing best-effort 4777 filtering based on well-known interface names. 4778 type: boolean 4779 interface: 4780 description: Interface enables IP auto-detection based 4781 on interfaces that match the given regex. 4782 type: string 4783 kubernetes: 4784 description: Kubernetes configures Calico to detect node 4785 addresses based on the Kubernetes API. 4786 enum: 4787 - NodeInternalIP 4788 type: string 4789 skipInterface: 4790 description: SkipInterface enables IP auto-detection based 4791 on interfaces that do not match the given regex. 4792 type: string 4793 type: object 4794 nodeAddressAutodetectionV6: 4795 description: NodeAddressAutodetectionV6 specifies an approach 4796 to automatically detect node IPv6 addresses. If not specified, 4797 IPv6 addresses will not be auto-detected. 4798 properties: 4799 canReach: 4800 description: CanReach enables IP auto-detection based 4801 on which source address on the node is used to reach 4802 the specified IP or domain. 4803 type: string 4804 cidrs: 4805 description: CIDRS enables IP auto-detection based on 4806 which addresses on the nodes are within one of the provided 4807 CIDRs. 4808 items: 4809 type: string 4810 type: array 4811 firstFound: 4812 description: FirstFound uses default interface matching 4813 parameters to select an interface, performing best-effort 4814 filtering based on well-known interface names. 4815 type: boolean 4816 interface: 4817 description: Interface enables IP auto-detection based 4818 on interfaces that match the given regex. 4819 type: string 4820 kubernetes: 4821 description: Kubernetes configures Calico to detect node 4822 addresses based on the Kubernetes API. 4823 enum: 4824 - NodeInternalIP 4825 type: string 4826 skipInterface: 4827 description: SkipInterface enables IP auto-detection based 4828 on interfaces that do not match the given regex. 4829 type: string 4830 type: object 4831 type: object 4832 certificateManagement: 4833 description: CertificateManagement configures pods to submit a 4834 CertificateSigningRequest to the certificates.k8s.io/v1beta1 4835 API in order to obtain TLS certificates. This feature requires 4836 that you bring your own CSR signing and approval process, otherwise 4837 pods will be stuck during initialization. 4838 properties: 4839 caCert: 4840 description: Certificate of the authority that signs the CertificateSigningRequests 4841 in PEM format. 4842 format: byte 4843 type: string 4844 keyAlgorithm: 4845 description: 'Specify the algorithm used by pods to generate 4846 a key pair that is associated with the X.509 certificate 4847 request. Default: RSAWithSize2048' 4848 enum: 4849 - "" 4850 - RSAWithSize2048 4851 - RSAWithSize4096 4852 - RSAWithSize8192 4853 - ECDSAWithCurve256 4854 - ECDSAWithCurve384 4855 - ECDSAWithCurve521 4856 type: string 4857 signatureAlgorithm: 4858 description: 'Specify the algorithm used for the signature 4859 of the X.509 certificate request. Default: SHA256WithRSA' 4860 enum: 4861 - "" 4862 - SHA256WithRSA 4863 - SHA384WithRSA 4864 - SHA512WithRSA 4865 - ECDSAWithSHA256 4866 - ECDSAWithSHA384 4867 - ECDSAWithSHA512 4868 type: string 4869 signerName: 4870 description: 'When a CSR is issued to the certificates.k8s.io 4871 API, the signerName is added to the request in order to 4872 accommodate for clusters with multiple signers. Must be 4873 formatted as: `<my-domain>/<my-signername>`.' 4874 type: string 4875 required: 4876 - caCert 4877 - signerName 4878 type: object 4879 cni: 4880 description: CNI specifies the CNI that will be used by this installation. 4881 properties: 4882 ipam: 4883 description: IPAM specifies the pod IP address management 4884 that will be used in the Calico or Calico Enterprise installation. 4885 properties: 4886 type: 4887 description: "Specifies the IPAM plugin that will be used 4888 in the Calico or Calico Enterprise installation. * For 4889 CNI Plugin Calico, this field defaults to Calico. * 4890 For CNI Plugin GKE, this field defaults to HostLocal. 4891 * For CNI Plugin AzureVNET, this field defaults to AzureVNET. 4892 * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. 4893 \n The IPAM plugin is installed and configured only 4894 if the CNI plugin is set to Calico, for all other values 4895 of the CNI plugin the plugin binaries and CNI config 4896 is a dependency that is expected to be installed separately. 4897 \n Default: Calico" 4898 enum: 4899 - Calico 4900 - HostLocal 4901 - AmazonVPC 4902 - AzureVNET 4903 type: string 4904 required: 4905 - type 4906 type: object 4907 type: 4908 description: "Specifies the CNI plugin that will be used in 4909 the Calico or Calico Enterprise installation. * For KubernetesProvider 4910 GKE, this field defaults to GKE. * For KubernetesProvider 4911 AKS, this field defaults to AzureVNET. * For KubernetesProvider 4912 EKS, this field defaults to AmazonVPC. * If aws-node daemonset 4913 exists in kube-system when the Installation resource is 4914 created, this field defaults to AmazonVPC. * For all other 4915 cases this field defaults to Calico. \n For the value Calico, 4916 the CNI plugin binaries and CNI config will be installed 4917 as part of deployment, for all other values the CNI plugin 4918 binaries and CNI config is a dependency that is expected 4919 to be installed separately. \n Default: Calico" 4920 enum: 4921 - Calico 4922 - GKE 4923 - AmazonVPC 4924 - AzureVNET 4925 type: string 4926 required: 4927 - type 4928 type: object 4929 componentResources: 4930 description: ComponentResources can be used to customize the resource 4931 requirements for each component. Node, Typha, and KubeControllers 4932 are supported for installations. 4933 items: 4934 description: The ComponentResource struct associates a ResourceRequirements 4935 with a component by name 4936 properties: 4937 componentName: 4938 description: ComponentName is an enum which identifies the 4939 component 4940 enum: 4941 - Node 4942 - Typha 4943 - KubeControllers 4944 type: string 4945 resourceRequirements: 4946 description: ResourceRequirements allows customization of 4947 limits and requests for compute resources such as cpu 4948 and memory. 4949 properties: 4950 limits: 4951 additionalProperties: 4952 anyOf: 4953 - type: integer 4954 - type: string 4955 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 4956 x-kubernetes-int-or-string: true 4957 description: 'Limits describes the maximum amount of 4958 compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' 4959 type: object 4960 requests: 4961 additionalProperties: 4962 anyOf: 4963 - type: integer 4964 - type: string 4965 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 4966 x-kubernetes-int-or-string: true 4967 description: 'Requests describes the minimum amount 4968 of compute resources required. If Requests is omitted 4969 for a container, it defaults to Limits if that is 4970 explicitly specified, otherwise to an implementation-defined 4971 value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' 4972 type: object 4973 type: object 4974 required: 4975 - componentName 4976 - resourceRequirements 4977 type: object 4978 type: array 4979 controlPlaneNodeSelector: 4980 additionalProperties: 4981 type: string 4982 description: ControlPlaneNodeSelector is used to select control 4983 plane nodes on which to run Calico components. This is globally 4984 applied to all resources created by the operator excluding daemonsets. 4985 type: object 4986 controlPlaneReplicas: 4987 description: ControlPlaneReplicas defines how many replicas of 4988 the control plane core components will be deployed. This field 4989 applies to all control plane components that support High Availability. 4990 Defaults to 2. 4991 format: int32 4992 type: integer 4993 controlPlaneTolerations: 4994 description: ControlPlaneTolerations specify tolerations which 4995 are then globally applied to all resources created by the operator. 4996 items: 4997 description: The pod this Toleration is attached to tolerates 4998 any taint that matches the triple <key,value,effect> using 4999 the matching operator <operator>. 5000 properties: 5001 effect: 5002 description: Effect indicates the taint effect to match. 5003 Empty means match all taint effects. When specified, allowed 5004 values are NoSchedule, PreferNoSchedule and NoExecute. 5005 type: string 5006 key: 5007 description: Key is the taint key that the toleration applies 5008 to. Empty means match all taint keys. If the key is empty, 5009 operator must be Exists; this combination means to match 5010 all values and all keys. 5011 type: string 5012 operator: 5013 description: Operator represents a key's relationship to 5014 the value. Valid operators are Exists and Equal. Defaults 5015 to Equal. Exists is equivalent to wildcard for value, 5016 so that a pod can tolerate all taints of a particular 5017 category. 5018 type: string 5019 tolerationSeconds: 5020 description: TolerationSeconds represents the period of 5021 time the toleration (which must be of effect NoExecute, 5022 otherwise this field is ignored) tolerates the taint. 5023 By default, it is not set, which means tolerate the taint 5024 forever (do not evict). Zero and negative values will 5025 be treated as 0 (evict immediately) by the system. 5026 format: int64 5027 type: integer 5028 value: 5029 description: Value is the taint value the toleration matches 5030 to. If the operator is Exists, the value should be empty, 5031 otherwise just a regular string. 5032 type: string 5033 type: object 5034 type: array 5035 flexVolumePath: 5036 description: FlexVolumePath optionally specifies a custom path 5037 for FlexVolume. If not specified, FlexVolume will be enabled 5038 by default. If set to 'None', FlexVolume will be disabled. The 5039 default is based on the kubernetesProvider. 5040 type: string 5041 imagePath: 5042 description: "ImagePath allows for the path part of an image to 5043 be specified. If specified then the specified value will be 5044 used as the image path for each image. If not specified or empty, 5045 the default for each image will be used. A special case value, 5046 UseDefault, is supported to explicitly specify the default image 5047 path will be used for each image. \n Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 5048 \n This option allows configuring the `<imagePath>` portion 5049 of the above format." 5050 type: string 5051 imagePrefix: 5052 description: "ImagePrefix allows for the prefix part of an image 5053 to be specified. If specified then the given value will be used 5054 as a prefix on each image. If not specified or empty, no prefix 5055 will be used. A special case value, UseDefault, is supported 5056 to explicitly specify the default image prefix will be used 5057 for each image. \n Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 5058 \n This option allows configuring the `<imagePrefix>` portion 5059 of the above format." 5060 type: string 5061 imagePullSecrets: 5062 description: ImagePullSecrets is an array of references to container 5063 registry pull secrets to use. These are applied to all images 5064 to be pulled. 5065 items: 5066 description: LocalObjectReference contains enough information 5067 to let you locate the referenced object inside the same namespace. 5068 properties: 5069 name: 5070 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 5071 TODO: Add other useful fields. apiVersion, kind, uid?' 5072 type: string 5073 type: object 5074 type: array 5075 kubernetesProvider: 5076 description: KubernetesProvider specifies a particular provider 5077 of the Kubernetes platform and enables provider-specific configuration. 5078 If the specified value is empty, the Operator will attempt to 5079 automatically determine the current provider. If the specified 5080 value is not empty, the Operator will still attempt auto-detection, 5081 but will additionally compare the auto-detected value to the 5082 specified value to confirm they match. 5083 enum: 5084 - "" 5085 - EKS 5086 - GKE 5087 - AKS 5088 - OpenShift 5089 - DockerEnterprise 5090 type: string 5091 nodeMetricsPort: 5092 description: NodeMetricsPort specifies which port calico/node 5093 serves prometheus metrics on. By default, metrics are not enabled. 5094 If specified, this overrides any FelixConfiguration resources 5095 which may exist. If omitted, then prometheus metrics may still 5096 be configured through FelixConfiguration. 5097 format: int32 5098 type: integer 5099 nodeUpdateStrategy: 5100 description: NodeUpdateStrategy can be used to customize the desired 5101 update strategy, such as the MaxUnavailable field. 5102 properties: 5103 rollingUpdate: 5104 description: 'Rolling update config params. Present only if 5105 type = "RollingUpdate". --- TODO: Update this to follow 5106 our convention for oneOf, whatever we decide it to be. Same 5107 as Deployment `strategy.rollingUpdate`. See https://github.com/kubernetes/kubernetes/issues/35345' 5108 properties: 5109 maxSurge: 5110 anyOf: 5111 - type: integer 5112 - type: string 5113 description: 'The maximum number of nodes with an existing 5114 available DaemonSet pod that can have an updated DaemonSet 5115 pod during during an update. Value can be an absolute 5116 number (ex: 5) or a percentage of desired pods (ex: 5117 10%). This can not be 0 if MaxUnavailable is 0. Absolute 5118 number is calculated from percentage by rounding up 5119 to a minimum of 1. Default value is 0. Example: when 5120 this is set to 30%, at most 30% of the total number 5121 of nodes that should be running the daemon pod (i.e. 5122 status.desiredNumberScheduled) can have their a new 5123 pod created before the old pod is marked as deleted. 5124 The update starts by launching new pods on 30% of nodes. 5125 Once an updated pod is available (Ready for at least 5126 minReadySeconds) the old DaemonSet pod on that node 5127 is marked deleted. If the old pod becomes unavailable 5128 for any reason (Ready transitions to false, is evicted, 5129 or is drained) an updated pod is immediatedly created 5130 on that node without considering surge limits. Allowing 5131 surge implies the possibility that the resources consumed 5132 by the daemonset on any given node can double if the 5133 readiness check fails, and so resource intensive daemonsets 5134 should take into account that they may cause evictions 5135 during disruption. This is an alpha field and requires 5136 enabling DaemonSetUpdateSurge feature gate.' 5137 x-kubernetes-int-or-string: true 5138 maxUnavailable: 5139 anyOf: 5140 - type: integer 5141 - type: string 5142 description: 'The maximum number of DaemonSet pods that 5143 can be unavailable during the update. Value can be an 5144 absolute number (ex: 5) or a percentage of total number 5145 of DaemonSet pods at the start of the update (ex: 10%). 5146 Absolute number is calculated from percentage by rounding 5147 down to a minimum of one. This cannot be 0 if MaxSurge 5148 is 0 Default value is 1. Example: when this is set to 5149 30%, at most 30% of the total number of nodes that should 5150 be running the daemon pod (i.e. status.desiredNumberScheduled) 5151 can have their pods stopped for an update at any given 5152 time. The update starts by stopping at most 30% of those 5153 DaemonSet pods and then brings up new DaemonSet pods 5154 in their place. Once the new pods are available, it 5155 then proceeds onto other DaemonSet pods, thus ensuring 5156 that at least 70% of original number of DaemonSet pods 5157 are available at all times during the update.' 5158 x-kubernetes-int-or-string: true 5159 type: object 5160 type: 5161 description: Type of daemon set update. Can be "RollingUpdate" 5162 or "OnDelete". Default is RollingUpdate. 5163 type: string 5164 type: object 5165 nonPrivileged: 5166 description: NonPrivileged configures Calico to be run in non-privileged 5167 containers as non-root users where possible. 5168 type: string 5169 registry: 5170 description: "Registry is the default Docker registry used for 5171 component Docker images. If specified then the given value must 5172 end with a slash character (`/`) and all images will be pulled 5173 from this registry. If not specified then the default registries 5174 will be used. A special case value, UseDefault, is supported 5175 to explicitly specify the default registries will be used. \n 5176 Image format: `<registry><imagePath>/<imagePrefix><imageName>:<image-tag>` 5177 \n This option allows configuring the `<registry>` portion of 5178 the above format." 5179 type: string 5180 typhaAffinity: 5181 description: TyphaAffinity allows configuration of node affinity 5182 characteristics for Typha pods. 5183 properties: 5184 nodeAffinity: 5185 description: NodeAffinity describes node affinity scheduling 5186 rules for typha. 5187 properties: 5188 preferredDuringSchedulingIgnoredDuringExecution: 5189 description: The scheduler will prefer to schedule pods 5190 to nodes that satisfy the affinity expressions specified 5191 by this field, but it may choose a node that violates 5192 one or more of the expressions. 5193 items: 5194 description: An empty preferred scheduling term matches 5195 all objects with implicit weight 0 (i.e. it's a no-op). 5196 A null preferred scheduling term matches no objects 5197 (i.e. is also a no-op). 5198 properties: 5199 preference: 5200 description: A node selector term, associated with 5201 the corresponding weight. 5202 properties: 5203 matchExpressions: 5204 description: A list of node selector requirements 5205 by node's labels. 5206 items: 5207 description: A node selector requirement is 5208 a selector that contains values, a key, 5209 and an operator that relates the key and 5210 values. 5211 properties: 5212 key: 5213 description: The label key that the selector 5214 applies to. 5215 type: string 5216 operator: 5217 description: Represents a key's relationship 5218 to a set of values. Valid operators 5219 are In, NotIn, Exists, DoesNotExist. 5220 Gt, and Lt. 5221 type: string 5222 values: 5223 description: An array of string values. 5224 If the operator is In or NotIn, the 5225 values array must be non-empty. If the 5226 operator is Exists or DoesNotExist, 5227 the values array must be empty. If the 5228 operator is Gt or Lt, the values array 5229 must have a single element, which will 5230 be interpreted as an integer. This array 5231 is replaced during a strategic merge 5232 patch. 5233 items: 5234 type: string 5235 type: array 5236 required: 5237 - key 5238 - operator 5239 type: object 5240 type: array 5241 matchFields: 5242 description: A list of node selector requirements 5243 by node's fields. 5244 items: 5245 description: A node selector requirement is 5246 a selector that contains values, a key, 5247 and an operator that relates the key and 5248 values. 5249 properties: 5250 key: 5251 description: The label key that the selector 5252 applies to. 5253 type: string 5254 operator: 5255 description: Represents a key's relationship 5256 to a set of values. Valid operators 5257 are In, NotIn, Exists, DoesNotExist. 5258 Gt, and Lt. 5259 type: string 5260 values: 5261 description: An array of string values. 5262 If the operator is In or NotIn, the 5263 values array must be non-empty. If the 5264 operator is Exists or DoesNotExist, 5265 the values array must be empty. If the 5266 operator is Gt or Lt, the values array 5267 must have a single element, which will 5268 be interpreted as an integer. This array 5269 is replaced during a strategic merge 5270 patch. 5271 items: 5272 type: string 5273 type: array 5274 required: 5275 - key 5276 - operator 5277 type: object 5278 type: array 5279 type: object 5280 weight: 5281 description: Weight associated with matching the 5282 corresponding nodeSelectorTerm, in the range 1-100. 5283 format: int32 5284 type: integer 5285 required: 5286 - preference 5287 - weight 5288 type: object 5289 type: array 5290 requiredDuringSchedulingIgnoredDuringExecution: 5291 description: 'WARNING: Please note that if the affinity 5292 requirements specified by this field are not met at 5293 scheduling time, the pod will NOT be scheduled onto 5294 the node. There is no fallback to another affinity rules 5295 with this setting. This may cause networking disruption 5296 or even catastrophic failure! PreferredDuringSchedulingIgnoredDuringExecution 5297 should be used for affinity unless there is a specific 5298 well understood reason to use RequiredDuringSchedulingIgnoredDuringExecution 5299 and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution 5300 will always have sufficient nodes to satisfy the requirement. 5301 NOTE: RequiredDuringSchedulingIgnoredDuringExecution 5302 is set by default for AKS nodes, to avoid scheduling 5303 Typhas on virtual-nodes. If the affinity requirements 5304 specified by this field cease to be met at some point 5305 during pod execution (e.g. due to an update), the system 5306 may or may not try to eventually evict the pod from 5307 its node.' 5308 properties: 5309 nodeSelectorTerms: 5310 description: Required. A list of node selector terms. 5311 The terms are ORed. 5312 items: 5313 description: A null or empty node selector term 5314 matches no objects. The requirements of them are 5315 ANDed. The TopologySelectorTerm type implements 5316 a subset of the NodeSelectorTerm. 5317 properties: 5318 matchExpressions: 5319 description: A list of node selector requirements 5320 by node's labels. 5321 items: 5322 description: A node selector requirement is 5323 a selector that contains values, a key, 5324 and an operator that relates the key and 5325 values. 5326 properties: 5327 key: 5328 description: The label key that the selector 5329 applies to. 5330 type: string 5331 operator: 5332 description: Represents a key's relationship 5333 to a set of values. Valid operators 5334 are In, NotIn, Exists, DoesNotExist. 5335 Gt, and Lt. 5336 type: string 5337 values: 5338 description: An array of string values. 5339 If the operator is In or NotIn, the 5340 values array must be non-empty. If the 5341 operator is Exists or DoesNotExist, 5342 the values array must be empty. If the 5343 operator is Gt or Lt, the values array 5344 must have a single element, which will 5345 be interpreted as an integer. This array 5346 is replaced during a strategic merge 5347 patch. 5348 items: 5349 type: string 5350 type: array 5351 required: 5352 - key 5353 - operator 5354 type: object 5355 type: array 5356 matchFields: 5357 description: A list of node selector requirements 5358 by node's fields. 5359 items: 5360 description: A node selector requirement is 5361 a selector that contains values, a key, 5362 and an operator that relates the key and 5363 values. 5364 properties: 5365 key: 5366 description: The label key that the selector 5367 applies to. 5368 type: string 5369 operator: 5370 description: Represents a key's relationship 5371 to a set of values. Valid operators 5372 are In, NotIn, Exists, DoesNotExist. 5373 Gt, and Lt. 5374 type: string 5375 values: 5376 description: An array of string values. 5377 If the operator is In or NotIn, the 5378 values array must be non-empty. If the 5379 operator is Exists or DoesNotExist, 5380 the values array must be empty. If the 5381 operator is Gt or Lt, the values array 5382 must have a single element, which will 5383 be interpreted as an integer. This array 5384 is replaced during a strategic merge 5385 patch. 5386 items: 5387 type: string 5388 type: array 5389 required: 5390 - key 5391 - operator 5392 type: object 5393 type: array 5394 type: object 5395 type: array 5396 required: 5397 - nodeSelectorTerms 5398 type: object 5399 type: object 5400 type: object 5401 typhaMetricsPort: 5402 description: TyphaMetricsPort specifies which port calico/typha 5403 serves prometheus metrics on. By default, metrics are not enabled. 5404 format: int32 5405 type: integer 5406 variant: 5407 description: 'Variant is the product to install - one of Calico 5408 or TigeraSecureEnterprise Default: Calico' 5409 enum: 5410 - Calico 5411 - TigeraSecureEnterprise 5412 type: string 5413 type: object 5414 imageSet: 5415 description: ImageSet is the name of the ImageSet being used, if there 5416 is an ImageSet that is being used. If an ImageSet is not being used 5417 then this will not be set. 5418 type: string 5419 mtu: 5420 description: MTU is the most recently observed value for pod network 5421 MTU. This may be an explicitly configured value, or based on Calico's 5422 native auto-detetion. 5423 format: int32 5424 type: integer 5425 variant: 5426 description: Variant is the most recently observed installed variant 5427 - one of Calico or TigeraSecureEnterprise 5428 enum: 5429 - Calico 5430 - TigeraSecureEnterprise 5431 type: string 5432 type: object 5433 type: object 5434 served: true 5435 storage: true 5436 subresources: 5437 status: {} 5438 status: 5439 acceptedNames: 5440 kind: "" 5441 plural: "" 5442 conditions: [] 5443 storedVersions: [] 5444 5445 --- 5446 # Source: crds/operator.tigera.io_tigerastatuses_crd.yaml 5447 apiVersion: apiextensions.k8s.io/v1 5448 kind: CustomResourceDefinition 5449 metadata: 5450 annotations: 5451 controller-gen.kubebuilder.io/version: v0.3.0 5452 name: tigerastatuses.operator.tigera.io 5453 spec: 5454 group: operator.tigera.io 5455 names: 5456 kind: TigeraStatus 5457 listKind: TigeraStatusList 5458 plural: tigerastatuses 5459 singular: tigerastatus 5460 scope: Cluster 5461 versions: 5462 - additionalPrinterColumns: 5463 - description: Whether the component running and stable. 5464 jsonPath: .status.conditions[?(@.type=='Available')].status 5465 name: Available 5466 type: string 5467 - description: Whether the component is processing changes. 5468 jsonPath: .status.conditions[?(@.type=='Progressing')].status 5469 name: Progressing 5470 type: string 5471 - description: Whether the component is degraded. 5472 jsonPath: .status.conditions[?(@.type=='Degraded')].status 5473 name: Degraded 5474 type: string 5475 - description: The time the component's Available status last changed. 5476 jsonPath: .status.conditions[?(@.type=='Available')].lastTransitionTime 5477 name: Since 5478 type: date 5479 name: v1 5480 schema: 5481 openAPIV3Schema: 5482 description: TigeraStatus represents the most recently observed status for 5483 Calico or a Calico Enterprise functional area. 5484 properties: 5485 apiVersion: 5486 description: 'APIVersion defines the versioned schema of this representation 5487 of an object. Servers should convert recognized schemas to the latest 5488 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 5489 type: string 5490 kind: 5491 description: 'Kind is a string value representing the REST resource this 5492 object represents. Servers may infer this from the endpoint the client 5493 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 5494 type: string 5495 metadata: 5496 type: object 5497 spec: 5498 description: TigeraStatusSpec defines the desired state of TigeraStatus 5499 type: object 5500 status: 5501 description: TigeraStatusStatus defines the observed state of TigeraStatus 5502 properties: 5503 conditions: 5504 description: Conditions represents the latest observed set of conditions 5505 for this component. A component may be one or more of Available, 5506 Progressing, or Degraded. 5507 items: 5508 description: TigeraStatusCondition represents a condition attached 5509 to a particular component. 5510 properties: 5511 lastTransitionTime: 5512 description: The timestamp representing the start time for the 5513 current status. 5514 format: date-time 5515 type: string 5516 message: 5517 description: Optionally, a detailed message providing additional 5518 context. 5519 type: string 5520 reason: 5521 description: A brief reason explaining the condition. 5522 type: string 5523 status: 5524 description: The status of the condition. May be True, False, 5525 or Unknown. 5526 type: string 5527 type: 5528 description: The type of condition. May be Available, Progressing, 5529 or Degraded. 5530 type: string 5531 required: 5532 - lastTransitionTime 5533 - status 5534 - type 5535 type: object 5536 type: array 5537 required: 5538 - conditions 5539 type: object 5540 type: object 5541 served: true 5542 storage: true 5543 subresources: 5544 status: {} 5545 status: 5546 acceptedNames: 5547 kind: "" 5548 plural: "" 5549 conditions: [] 5550 storedVersions: [] 5551 5552 --- 5553 # Source: tigera-operator/templates/tigera-operator/00-namespace-tigera-operator.yaml 5554 apiVersion: v1 5555 kind: Namespace 5556 metadata: 5557 name: tigera-operator 5558 annotations: 5559 labels: 5560 name: tigera-operator 5561 --- 5562 # Source: tigera-operator/templates/tigera-operator/02-podsecuritypolicy-tigera-operator.yaml 5563 # This should not be rendered for an OpenShift install. 5564 # OpenShift uses SecurityContextConstraints instead. 5565 apiVersion: policy/v1beta1 5566 kind: PodSecurityPolicy 5567 metadata: 5568 name: tigera-operator 5569 annotations: 5570 seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' 5571 spec: 5572 privileged: false 5573 allowPrivilegeEscalation: false 5574 requiredDropCapabilities: 5575 - ALL 5576 volumes: 5577 - 'hostPath' 5578 - 'configMap' 5579 - 'emptyDir' 5580 - 'projected' 5581 - 'secret' 5582 - 'downwardAPI' 5583 # Assume that persistentVolumes set up by the cluster admin are safe to use. 5584 - 'persistentVolumeClaim' 5585 hostNetwork: true 5586 hostPorts: 5587 - min: 0 5588 max: 65535 5589 hostIPC: false 5590 hostPID: false 5591 runAsUser: 5592 rule: 'MustRunAsNonRoot' 5593 seLinux: 5594 rule: 'RunAsAny' 5595 supplementalGroups: 5596 rule: 'MustRunAs' 5597 ranges: 5598 # Forbid adding the root group. 5599 - min: 1 5600 max: 65535 5601 fsGroup: 5602 rule: 'MustRunAs' 5603 ranges: 5604 # Forbid adding the root group. 5605 - min: 1 5606 max: 65535 5607 readOnlyRootFilesystem: false 5608 --- 5609 # Source: tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml 5610 apiVersion: v1 5611 kind: ServiceAccount 5612 metadata: 5613 name: tigera-operator 5614 namespace: tigera-operator 5615 --- 5616 # Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml 5617 # Permissions required when running the operator for a Calico cluster. 5618 apiVersion: rbac.authorization.k8s.io/v1 5619 kind: ClusterRole 5620 metadata: 5621 name: tigera-operator 5622 rules: 5623 - apiGroups: 5624 - "" 5625 resources: 5626 - namespaces 5627 - pods 5628 - podtemplates 5629 - services 5630 - endpoints 5631 - events 5632 - configmaps 5633 - secrets 5634 - serviceaccounts 5635 verbs: 5636 - create 5637 - get 5638 - list 5639 - update 5640 - delete 5641 - watch 5642 - apiGroups: 5643 - "" 5644 resources: 5645 - resourcequotas 5646 verbs: 5647 - list 5648 - get 5649 - watch 5650 - apiGroups: 5651 - "" 5652 resources: 5653 - resourcequotas 5654 verbs: 5655 - create 5656 - get 5657 - list 5658 - update 5659 - delete 5660 - watch 5661 resourceNames: 5662 - calico-critical-pods 5663 - tigera-critical-pods 5664 - apiGroups: 5665 - "" 5666 resources: 5667 - nodes 5668 verbs: 5669 # Need to update node labels when migrating nodes. 5670 - get 5671 - patch 5672 - list 5673 # We need this for Typha autoscaling 5674 - watch 5675 - apiGroups: 5676 - rbac.authorization.k8s.io 5677 resources: 5678 - clusterroles 5679 - clusterrolebindings 5680 - rolebindings 5681 - roles 5682 verbs: 5683 - create 5684 - get 5685 - list 5686 - update 5687 - delete 5688 - watch 5689 - bind 5690 - escalate 5691 - apiGroups: 5692 - apps 5693 resources: 5694 - deployments 5695 - daemonsets 5696 - statefulsets 5697 verbs: 5698 - create 5699 - get 5700 - list 5701 - patch 5702 - update 5703 - delete 5704 - watch 5705 - apiGroups: 5706 - apps 5707 resourceNames: 5708 - tigera-operator 5709 resources: 5710 - deployments/finalizers 5711 verbs: 5712 - update 5713 - apiGroups: 5714 - operator.tigera.io 5715 resources: 5716 - '*' 5717 verbs: 5718 - create 5719 - get 5720 - list 5721 - update 5722 - patch 5723 - delete 5724 - watch 5725 - apiGroups: 5726 - networking.k8s.io 5727 resources: 5728 - networkpolicies 5729 verbs: 5730 - create 5731 - update 5732 - delete 5733 - get 5734 - list 5735 - watch 5736 - apiGroups: 5737 - crd.projectcalico.org 5738 resources: 5739 - felixconfigurations 5740 verbs: 5741 - create 5742 - patch 5743 - list 5744 - get 5745 - watch 5746 - apiGroups: 5747 - crd.projectcalico.org 5748 resources: 5749 - ippools 5750 - kubecontrollersconfigurations 5751 verbs: 5752 - get 5753 - list 5754 - watch 5755 - apiGroups: 5756 - scheduling.k8s.io 5757 resources: 5758 - priorityclasses 5759 verbs: 5760 - create 5761 - get 5762 - list 5763 - update 5764 - delete 5765 - watch 5766 - apiGroups: 5767 - policy 5768 resources: 5769 - poddisruptionbudgets 5770 verbs: 5771 - create 5772 - get 5773 - list 5774 - update 5775 - delete 5776 - watch 5777 - apiGroups: 5778 - apiregistration.k8s.io 5779 resources: 5780 - apiservices 5781 verbs: 5782 - list 5783 - watch 5784 - create 5785 - update 5786 # Needed for operator lock 5787 - apiGroups: 5788 - coordination.k8s.io 5789 resources: 5790 - leases 5791 verbs: 5792 - create 5793 - get 5794 - list 5795 - update 5796 - delete 5797 - watch 5798 # Add the appropriate pod security policy permissions 5799 - apiGroups: 5800 - policy 5801 resources: 5802 - podsecuritypolicies 5803 resourceNames: 5804 - tigera-operator 5805 verbs: 5806 - use 5807 - apiGroups: 5808 - policy 5809 resources: 5810 - podsecuritypolicies 5811 verbs: 5812 - get 5813 - list 5814 - watch 5815 - create 5816 - update 5817 - delete 5818 # Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled. 5819 - apiGroups: 5820 - certificates.k8s.io 5821 resources: 5822 - certificatesigningrequests 5823 verbs: 5824 - list 5825 --- 5826 # Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator.yaml 5827 kind: ClusterRoleBinding 5828 apiVersion: rbac.authorization.k8s.io/v1 5829 metadata: 5830 name: tigera-operator 5831 subjects: 5832 - kind: ServiceAccount 5833 name: tigera-operator 5834 namespace: tigera-operator 5835 roleRef: 5836 kind: ClusterRole 5837 name: tigera-operator 5838 apiGroup: rbac.authorization.k8s.io 5839 --- 5840 # Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml 5841 apiVersion: apps/v1 5842 kind: Deployment 5843 metadata: 5844 name: tigera-operator 5845 namespace: tigera-operator 5846 labels: 5847 k8s-app: tigera-operator 5848 spec: 5849 replicas: 1 5850 selector: 5851 matchLabels: 5852 name: tigera-operator 5853 template: 5854 metadata: 5855 labels: 5856 name: tigera-operator 5857 k8s-app: tigera-operator 5858 spec: 5859 nodeSelector: 5860 kubernetes.io/os: linux 5861 tolerations: 5862 - effect: NoExecute 5863 operator: Exists 5864 - effect: NoSchedule 5865 operator: Exists 5866 serviceAccountName: tigera-operator 5867 hostNetwork: true 5868 # This must be set when hostNetwork is true or else the cluster services won't resolve 5869 dnsPolicy: ClusterFirstWithHostNet 5870 containers: 5871 - name: tigera-operator 5872 image: quay.io/tigera/operator:v1.25.3 5873 imagePullPolicy: IfNotPresent 5874 command: 5875 - operator 5876 volumeMounts: 5877 - name: var-lib-calico 5878 readOnly: true 5879 mountPath: /var/lib/calico 5880 env: 5881 - name: WATCH_NAMESPACE 5882 value: "" 5883 - name: POD_NAME 5884 valueFrom: 5885 fieldRef: 5886 fieldPath: metadata.name 5887 - name: OPERATOR_NAME 5888 value: "tigera-operator" 5889 - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION 5890 value: v1.25.3 5891 envFrom: 5892 - configMapRef: 5893 name: kubernetes-services-endpoint 5894 optional: true 5895 volumes: 5896 - name: var-lib-calico 5897 hostPath: 5898 path: /var/lib/calico 5899