github.com/alibaba/sealer@v0.8.6-0.20220430115802-37a2bdaa8173/pkg/config/test/tigera-operator.yaml

# Copyright © 2021 Alibaba Group Holding Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
# Source: crds/calico/kdd/crd.projectcalico.org_bgpconfigurations.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPConfiguration
    listKind: BGPConfigurationList
    plural: bgpconfigurations
    singular: bgpconfiguration
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: BGPConfiguration contains the configuration for any BGP routing.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPConfigurationSpec contains the values of the BGP configuration.
            properties:
              asNumber:
                description: 'ASNumber is the default AS number used by a node. [Default: 64512]'
                format: int32
                type: integer
              communities:
                description: Communities is a list of BGP community values and their arbitrary names for tagging routes.
                items:
                  description: Community contains standard or large community value and its name.
                  properties:
                    name:
                      description: Name given to community value.
                      type: string
                    value:
                      description: Value must be of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
                      pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
                      type: string
                  type: object
                type: array
              listenPort:
                description: ListenPort is the port where BGP protocol should listen. Defaults to 179
                maximum: 65535
                minimum: 1
                type: integer
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]'
                type: string
              nodeToNodeMeshEnabled:
                description: 'NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]'
                type: boolean
              prefixAdvertisements:
                description: PrefixAdvertisements contains per-prefix advertisement configuration.
                items:
                  description: PrefixAdvertisement configures advertisement properties for the specified CIDR.
                  properties:
                    cidr:
                      description: CIDR for which properties should be advertised.
                      type: string
                    communities:
                      description: Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              serviceClusterIPs:
                description: ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. If specified, Calico will advertise these blocks, as well as any cluster IPs within them.
                items:
                  description: ServiceClusterIPBlock represents a single allowed ClusterIP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
              serviceExternalIPs:
                description: ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.
                items:
                  description: ServiceExternalIPBlock represents a single allowed External IP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
              serviceLoadBalancerIPs:
                description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.
                items:
                  description: ServiceLoadBalancerIPBlock represents a single allowed LoadBalancer IP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_bgppeers.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPPeer
    listKind: BGPPeerList
    plural: bgppeers
    singular: bgppeer
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPPeerSpec contains the specification for a BGPPeer resource.
            properties:
              asNumber:
                description: The AS Number of the peer.
                format: int32
                type: integer
              keepOriginalNextHop:
                description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg".
                type: boolean
              node:
                description: The node name identifying the Calico node instance that is targeted by this peer. If this is not set, and no nodeSelector is specified, then this BGP peer selects all nodes in the cluster.
                type: string
              nodeSelector:
                description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty.
                type: string
              password:
                description: Optional BGP password for the peerings generated by this BGPPeer resource.
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from. Must be a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      optional:
                        description: Specify whether the Secret or its key must be defined
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              peerIP:
                description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[<IPv6>]:port` or `<IPv4>:<port>` for IPv4. If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node with ListenPort set in BGPConfiguration, then we use that port to peer.
                type: string
              peerSelector:
                description: Selector for the remote nodes to peer with. When this is set, the PeerIP and ASNumber fields must be empty. For each peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set.
                type: string
              sourceAddress:
                description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address.
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_blockaffinities.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BlockAffinity
    listKind: BlockAffinityList
    plural: blockaffinities
    singular: blockaffinity
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BlockAffinitySpec contains the specification for a BlockAffinity resource.
            properties:
              cidr:
                type: string
              deleted:
                description: Deleted indicates that this block affinity is being deleted. This field is a string for compatibility with older releases that mistakenly treat this field as a string.
                type: string
              node:
                type: string
              state:
                type: string
            required:
            - cidr
            - deleted
            - node
            - state
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_clusterinformations.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: ClusterInformation
    listKind: ClusterInformationList
    plural: clusterinformations
    singular: clusterinformation
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: ClusterInformation contains the cluster specific information.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterInformationSpec contains the values of describing the cluster.
            properties:
              calicoVersion:
                description: CalicoVersion is the version of Calico that the cluster is running
                type: string
              clusterGUID:
                description: ClusterGUID is the GUID of the cluster
                type: string
              clusterType:
                description: ClusterType describes the type of the cluster
                type: string
              datastoreReady:
                description: DatastoreReady is used during significant datastore migrations to signal to components such as Felix that it should wait before accessing the datastore.
                type: boolean
              variant:
                description: Variant declares which variant of Calico should be active.
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_felixconfigurations.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: FelixConfiguration
    listKind: FelixConfigurationList
    plural: felixconfigurations
    singular: felixconfiguration
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: Felix Configuration contains the configuration for Felix.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: FelixConfigurationSpec contains the values of the Felix configuration.
            properties:
              allowIPIPPacketsFromWorkloads:
                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads [Default: false]'
                type: boolean
              allowVXLANPacketsFromWorkloads:
                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads [Default: false]'
                type: boolean
              awsSrcDstCheck:
                description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: DoNothing]'
                enum:
                - DoNothing
                - Enable
                - Disable
                type: string
              bpfConnectTimeLoadBalancingEnabled:
                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. [Default: true]'
                type: boolean
              bpfDataIfacePattern:
                description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually named cali...).
                type: string
              bpfDisableUnprivileged:
                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico''s BPF maps and cannot insert their own BPF programs to interfere with Calico''s. [Default: true]'
                type: boolean
              bpfEnabled:
                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]'
                type: boolean
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how routing is interpreted by the RPF check. [Default: 0]'
                type: integer
              bpfExternalServiceMode:
                description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]'
                type: string
              bpfKubeProxyEndpointSlicesEnabled:
                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.
                type: boolean
              bpfKubeProxyIptablesCleanupEnabled:
                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]'
                type: boolean
              bpfKubeProxyMinSyncPeriod:
                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix''s embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]'
                type: string
              bpfLogLevel:
                description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].'
                type: string
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico''s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                type: string
              debugDisableLogDropping:
                type: boolean
              debugMemoryProfilePath:
                type: string
              debugSimulateCalcGraphHangAfter:
                type: string
              debugSimulateDataplaneHangAfter:
                type: string
              defaultEndpointToHostAction:
                description: 'DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]'
                type: string
              deviceRouteProtocol:
                description: This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT when left blank.
                type: integer
              deviceRouteSourceAddress:
                description: This is the source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.
                type: string
              disableConntrackInvalidCheck:
                type: boolean
              endpointReportingDelay:
                type: string
              endpointReportingEnabled:
                type: boolean
              externalNodesList:
                description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be accepted at calico nodes.
                items:
                  type: string
                type: array
              failsafeInboundHostPorts:
                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
                items:
                  description: ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.
                  properties:
                    net:
                      type: string
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              failsafeOutboundHostPorts:
                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]'
                items:
                  description: ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.
                  properties:
                    net:
                      type: string
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              featureDetectOverride:
                description: FeatureDetectOverride is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
                type: string
              genericXDPEnabled:
                description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This is not recommended since it doesn''t provide better performance than iptables. [Default: false]'
                type: boolean
              healthEnabled:
                type: boolean
              healthHost:
                type: string
              healthPort:
                type: integer
              interfaceExclude:
                description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes'' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with ''/''. For example having values ''/^kube/,veth1'' will exclude all interfaces that begin with ''kube'' and also the interface ''veth1''. [Default: kube-ipvs0]'
                type: string
              interfacePrefix:
                description: 'InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the ''cali'' value, and our OpenStack integration sets the ''tap'' value. [Default: cali]'
                type: string
              interfaceRefreshInterval:
                description: InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0.
                type: string
              ipipEnabled:
                type: boolean
              ipipMTU:
                description: 'IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]'
                type: integer
              ipsetsRefreshInterval:
                description: 'IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 90s]'
                type: string
              iptablesBackend:
                description: IptablesBackend specifies which backend of iptables will be used. The default is legacy.
                type: string
              iptablesFilterAllowAction:
                type: string
              iptablesLockFilePath:
                description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix''s container at a different path). [Default: /run/xtables.lock]'
                type: string
              iptablesLockProbeInterval:
                description: 'IptablesLockProbeInterval is the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]'
                type: string
              iptablesLockTimeout:
                description: 'IptablesLockTimeout is the time that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]'
                type: string
              iptablesMangleAllowAction:
                type: string
              iptablesMarkMask:
                description: 'IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xff000000]'
                format: int32
                type: integer
              iptablesNATOutgoingInterfaceFilter:
                type: string
              iptablesPostWriteCheckInterval:
                description: 'IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn''t respect the iptables lock. [Default: 1s]'
                type: string
              iptablesRefreshInterval:
                description: 'IptablesRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to a higher value to reduce Felix CPU usage. [Default: 10s]'
                type: string
              ipv6Support:
                type: boolean
              kubeNodePortRanges:
                description: 'KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].'
                items:
                  anyOf:
                  - type: integer
                  - type: string
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                type: array
              logFilePath:
                description: 'LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]'
                type: string
              logPrefix:
                description: 'LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]'
                type: string
              logSeverityFile:
                description: 'LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]'
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]'
                type: string
              logSeveritySys:
                description: 'LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]'
                type: string
              maxIpsetSize:
                type: integer
              metadataAddr:
                description: 'MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]'
                type: string
              metadataPort:
                description: 'MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if not ''None''), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].'
                type: integer
              mtuIfacePattern:
                description: MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order to calculate the host's MTU. This should not match workload interfaces (usually named cali...).
                type: string
              natOutgoingAddress:
                description: NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (ie it uses the iptables MASQUERADE target)
                type: string
              natPortRange:
                anyOf:
                - type: integer
                - type: string
                description: NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the network stack is used.
                pattern: ^.*
                x-kubernetes-int-or-string: true
              netlinkTimeout:
                type: string
              openstackRegion:
                description: 'OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, or in felix.cfg or the environment on each compute node), and must match the [calico] openstack_region value configured in neutron.conf on each node. [Default: Empty]'
                type: string
              policySyncPathPrefix:
                description: 'PolicySyncPathPrefix is used by Felix to communicate policy changes to external services, like Application layer policy. [Default: Empty]'
                type: string
              prometheusGoMetricsEnabled:
                description: 'PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]'
                type: boolean
              prometheusMetricsEnabled:
                description: 'PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]'
                type: boolean
              prometheusMetricsHost:
                description: 'PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]'
                type: string
              prometheusMetricsPort:
                description: 'PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]'
                type: integer
              prometheusProcessMetricsEnabled:
                description: 'PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]'
                type: boolean
              removeExternalRoutes:
                description: Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. This is enabled by default which means we will remove externally added routes.
                type: boolean
              reportingInterval:
                description: 'ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]'
                type: string
              reportingTTL:
                description: 'ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]'
                type: string
              routeRefreshInterval:
                description: 'RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable route refresh. [Default: 90s]'
                type: string
              routeSource:
                description: 'RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                type: string
              routeTableRange:
                description: Calico programs additional Linux route tables for various purposes. RouteTableRange specifies the indices of the route tables that Calico should use.
                properties:
                  max:
                    type: integer
                  min:
                    type: integer
                required:
                - max
                - min
                type: object
              serviceLoopPrevention:
                description: 'When service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", in which case such routing loops continue to be allowed.
[Default: 885 Drop]' 886 type: string 887 sidecarAccelerationEnabled: 888 description: 'SidecarAccelerationEnabled enables experimental sidecar 889 acceleration [Default: false]' 890 type: boolean 891 usageReportingEnabled: 892 description: 'UsageReportingEnabled reports anonymous Calico version 893 number and cluster size to projectcalico.org. Logs warnings returned 894 by the usage server. For example, if a significant security vulnerability 895 has been discovered in the version of Calico being used. [Default: 896 true]' 897 type: boolean 898 usageReportingInitialDelay: 899 description: 'UsageReportingInitialDelay controls the minimum delay 900 before Felix makes a report. [Default: 300s]' 901 type: string 902 usageReportingInterval: 903 description: 'UsageReportingInterval controls the interval at which 904 Felix makes reports. [Default: 86400s]' 905 type: string 906 useInternalDataplaneDriver: 907 type: boolean 908 vxlanEnabled: 909 type: boolean 910 vxlanMTU: 911 description: 'VXLANMTU is the MTU to set on the tunnel device. See 912 Configuring MTU [Default: 1440]' 913 type: integer 914 vxlanPort: 915 type: integer 916 vxlanVNI: 917 type: integer 918 wireguardEnabled: 919 description: 'WireguardEnabled controls whether Wireguard is enabled. 920 [Default: false]' 921 type: boolean 922 wireguardInterfaceName: 923 description: 'WireguardInterfaceName specifies the name to use for 924 the Wireguard interface. [Default: wg.calico]' 925 type: string 926 wireguardListeningPort: 927 description: 'WireguardListeningPort controls the listening port used 928 by Wireguard. [Default: 51820]' 929 type: integer 930 wireguardMTU: 931 description: 'WireguardMTU controls the MTU on the Wireguard interface. 932 See Configuring MTU [Default: 1420]' 933 type: integer 934 wireguardRoutingRulePriority: 935 description: 'WireguardRoutingRulePriority controls the priority value 936 to use for the Wireguard routing rule. 
[Default: 99]' 937 type: integer 938 xdpEnabled: 939 description: 'XDPEnabled enables XDP acceleration for suitable untracked 940 incoming deny rules. [Default: true]' 941 type: boolean 942 xdpRefreshInterval: 943 description: 'XDPRefreshInterval is the period at which Felix re-checks 944 all XDP state to ensure that no other process has accidentally broken 945 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 946 refresh. [Default: 90s]' 947 type: string 948 type: object 949 type: object 950 served: true 951 storage: true 952 status: 953 acceptedNames: 954 kind: "" 955 plural: "" 956 conditions: [] 957 storedVersions: [] 958 959 --- 960 # Source: crds/calico/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml 961 apiVersion: apiextensions.k8s.io/v1 962 kind: CustomResourceDefinition 963 metadata: 964 name: globalnetworkpolicies.crd.projectcalico.org 965 spec: 966 group: crd.projectcalico.org 967 names: 968 kind: GlobalNetworkPolicy 969 listKind: GlobalNetworkPolicyList 970 plural: globalnetworkpolicies 971 singular: globalnetworkpolicy 972 scope: Cluster 973 versions: 974 - name: v1 975 schema: 976 openAPIV3Schema: 977 properties: 978 apiVersion: 979 description: 'APIVersion defines the versioned schema of this representation 980 of an object. Servers should convert recognized schemas to the latest 981 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 982 type: string 983 kind: 984 description: 'Kind is a string value representing the REST resource this 985 object represents. Servers may infer this from the endpoint the client 986 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 987 type: string 988 metadata: 989 type: object 990 spec: 991 properties: 992 applyOnForward: 993 description: ApplyOnForward indicates to apply the rules in this policy 994 on forward traffic. 995 type: boolean 996 doNotTrack: 997 description: DoNotTrack indicates whether packets matched by the rules 998 in this policy should go through the data plane's connection tracking, 999 such as Linux conntrack. If True, the rules in this policy are 1000 applied before any data plane connection tracking, and packets allowed 1001 by this policy are marked as not to be tracked. 1002 type: boolean 1003 egress: 1004 description: The ordered set of egress rules. Each rule contains 1005 a set of packet match criteria and a corresponding action to apply. 1006 items: 1007 description: "A Rule encapsulates a set of match criteria and an 1008 action. Both selector-based security Policy and security Profiles 1009 reference rules - separated out as a list of rules for both ingress 1010 and egress packet matching. \n Each positive match criteria has 1011 a negated version, prefixed with \"Not\". All the match criteria 1012 within a rule must be satisfied for a packet to match. A single 1013 rule can contain the positive and negative version of a match 1014 and both must be satisfied for the rule to match." 1015 properties: 1016 action: 1017 type: string 1018 destination: 1019 description: Destination contains the match criteria that apply 1020 to destination entity. 1021 properties: 1022 namespaceSelector: 1023 description: "NamespaceSelector is an optional field that 1024 contains a selector expression. Only traffic that originates 1025 from (or terminates at) endpoints within the selected 1026 namespaces will be matched. 
When both NamespaceSelector 1027 and Selector are defined on the same rule, then only workload 1028 endpoints that are matched by both selectors will be selected 1029 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1030 implies that the Selector is limited to selecting only 1031 workload endpoints in the same namespace as the NetworkPolicy. 1032 \n For NetworkPolicy, `global()` NamespaceSelector implies 1033 that the Selector is limited to selecting only GlobalNetworkSet 1034 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1035 NamespaceSelector implies the Selector applies to workload 1036 endpoints across all namespaces." 1037 type: string 1038 nets: 1039 description: Nets is an optional field that restricts the 1040 rule to only apply to traffic that originates from (or 1041 terminates at) IP addresses in any of the given subnets. 1042 items: 1043 type: string 1044 type: array 1045 notNets: 1046 description: NotNets is the negated version of the Nets 1047 field. 1048 items: 1049 type: string 1050 type: array 1051 notPorts: 1052 description: NotPorts is the negated version of the Ports 1053 field. Since only some protocols have ports, if any ports 1054 are specified it requires the Protocol match in the Rule 1055 to be set to "TCP" or "UDP". 1056 items: 1057 anyOf: 1058 - type: integer 1059 - type: string 1060 pattern: ^.* 1061 x-kubernetes-int-or-string: true 1062 type: array 1063 notSelector: 1064 description: NotSelector is the negated version of the Selector 1065 field. See Selector field for subtleties with negated 1066 selectors. 1067 type: string 1068 ports: 1069 description: "Ports is an optional field that restricts 1070 the rule to only apply to traffic that has a source (destination) 1071 port that matches one of these ranges/values. This value 1072 is a list of integers or strings that represent ranges 1073 of ports. 
\n Since only some protocols have ports, if 1074 any ports are specified it requires the Protocol match 1075 in the Rule to be set to \"TCP\" or \"UDP\"." 1076 items: 1077 anyOf: 1078 - type: integer 1079 - type: string 1080 pattern: ^.* 1081 x-kubernetes-int-or-string: true 1082 type: array 1083 selector: 1084 description: "Selector is an optional field that contains 1085 a selector expression (see Policy for sample syntax). 1086 \ Only traffic that originates from (terminates at) endpoints 1087 matching the selector will be matched. \n Note that: in 1088 addition to the negated version of the Selector (see NotSelector 1089 below), the selector expression syntax itself supports 1090 negation. The two types of negation are subtly different. 1091 One negates the set of matched endpoints, the other negates 1092 the whole match: \n \tSelector = \"!has(my_label)\" matches 1093 packets that are from other Calico-controlled \tendpoints 1094 that do not have the label \"my_label\". \n \tNotSelector 1095 = \"has(my_label)\" matches packets that are not from 1096 Calico-controlled \tendpoints that do have the label \"my_label\". 1097 \n The effect is that the latter will accept packets from 1098 non-Calico sources whereas the former is limited to packets 1099 from Calico-controlled endpoints." 1100 type: string 1101 serviceAccounts: 1102 description: ServiceAccounts is an optional field that restricts 1103 the rule to only apply to traffic that originates from 1104 (or terminates at) a pod running as a matching service 1105 account. 1106 properties: 1107 names: 1108 description: Names is an optional field that restricts 1109 the rule to only apply to traffic that originates 1110 from (or terminates at) a pod running as a service 1111 account whose name is in the list. 
1112 items: 1113 type: string 1114 type: array 1115 selector: 1116 description: Selector is an optional field that restricts 1117 the rule to only apply to traffic that originates 1118 from (or terminates at) a pod running as a service 1119 account that matches the given label selector. If 1120 both Names and Selector are specified then they are 1121 AND'ed. 1122 type: string 1123 type: object 1124 type: object 1125 http: 1126 description: HTTP contains match criteria that apply to HTTP 1127 requests. 1128 properties: 1129 methods: 1130 description: Methods is an optional field that restricts 1131 the rule to apply only to HTTP requests that use one of 1132 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1133 methods are OR'd together. 1134 items: 1135 type: string 1136 type: array 1137 paths: 1138 description: 'Paths is an optional field that restricts 1139 the rule to apply to HTTP requests that use one of the 1140 listed HTTP Paths. Multiple paths are OR''d together. 1141 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1142 ONLY specify either a `exact` or a `prefix` match. The 1143 validator will check for it.' 1144 items: 1145 description: 'HTTPPath specifies an HTTP path to match. 1146 It may be either of the form: exact: <path>: which matches 1147 the path exactly or prefix: <path-prefix>: which matches 1148 the path prefix' 1149 properties: 1150 exact: 1151 type: string 1152 prefix: 1153 type: string 1154 type: object 1155 type: array 1156 type: object 1157 icmp: 1158 description: ICMP is an optional field that restricts the rule 1159 to apply to a specific type and code of ICMP traffic. This 1160 should only be specified if the Protocol field is set to "ICMP" 1161 or "ICMPv6". 1162 properties: 1163 code: 1164 description: Match on a specific ICMP code. If specified, 1165 the Type value must also be specified. This is a technical 1166 limitation imposed by the kernel's iptables firewall, 1167 which Calico uses to enforce the rule. 
1168 type: integer 1169 type: 1170 description: Match on a specific ICMP type. For example 1171 a value of 8 refers to ICMP Echo Request (i.e. pings). 1172 type: integer 1173 type: object 1174 ipVersion: 1175 description: IPVersion is an optional field that restricts the 1176 rule to only match a specific IP version. 1177 type: integer 1178 metadata: 1179 description: Metadata contains additional information for this 1180 rule 1181 properties: 1182 annotations: 1183 additionalProperties: 1184 type: string 1185 description: Annotations is a set of key value pairs that 1186 give extra information about the rule 1187 type: object 1188 type: object 1189 notICMP: 1190 description: NotICMP is the negated version of the ICMP field. 1191 properties: 1192 code: 1193 description: Match on a specific ICMP code. If specified, 1194 the Type value must also be specified. This is a technical 1195 limitation imposed by the kernel's iptables firewall, 1196 which Calico uses to enforce the rule. 1197 type: integer 1198 type: 1199 description: Match on a specific ICMP type. For example 1200 a value of 8 refers to ICMP Echo Request (i.e. pings). 1201 type: integer 1202 type: object 1203 notProtocol: 1204 anyOf: 1205 - type: integer 1206 - type: string 1207 description: NotProtocol is the negated version of the Protocol 1208 field. 1209 pattern: ^.* 1210 x-kubernetes-int-or-string: true 1211 protocol: 1212 anyOf: 1213 - type: integer 1214 - type: string 1215 description: "Protocol is an optional field that restricts the 1216 rule to only apply to traffic of a specific IP protocol. Required 1217 if any of the EntityRules contain Ports (because ports only 1218 apply to certain protocols). \n Must be one of these string 1219 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1220 \"UDPLite\" or an integer in the range 1-255." 1221 pattern: ^.* 1222 x-kubernetes-int-or-string: true 1223 source: 1224 description: Source contains the match criteria that apply to 1225 source entity. 
1226 properties: 1227 namespaceSelector: 1228 description: "NamespaceSelector is an optional field that 1229 contains a selector expression. Only traffic that originates 1230 from (or terminates at) endpoints within the selected 1231 namespaces will be matched. When both NamespaceSelector 1232 and Selector are defined on the same rule, then only workload 1233 endpoints that are matched by both selectors will be selected 1234 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1235 implies that the Selector is limited to selecting only 1236 workload endpoints in the same namespace as the NetworkPolicy. 1237 \n For NetworkPolicy, `global()` NamespaceSelector implies 1238 that the Selector is limited to selecting only GlobalNetworkSet 1239 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1240 NamespaceSelector implies the Selector applies to workload 1241 endpoints across all namespaces." 1242 type: string 1243 nets: 1244 description: Nets is an optional field that restricts the 1245 rule to only apply to traffic that originates from (or 1246 terminates at) IP addresses in any of the given subnets. 1247 items: 1248 type: string 1249 type: array 1250 notNets: 1251 description: NotNets is the negated version of the Nets 1252 field. 1253 items: 1254 type: string 1255 type: array 1256 notPorts: 1257 description: NotPorts is the negated version of the Ports 1258 field. Since only some protocols have ports, if any ports 1259 are specified it requires the Protocol match in the Rule 1260 to be set to "TCP" or "UDP". 1261 items: 1262 anyOf: 1263 - type: integer 1264 - type: string 1265 pattern: ^.* 1266 x-kubernetes-int-or-string: true 1267 type: array 1268 notSelector: 1269 description: NotSelector is the negated version of the Selector 1270 field. See Selector field for subtleties with negated 1271 selectors. 
1272 type: string 1273 ports: 1274 description: "Ports is an optional field that restricts 1275 the rule to only apply to traffic that has a source (destination) 1276 port that matches one of these ranges/values. This value 1277 is a list of integers or strings that represent ranges 1278 of ports. \n Since only some protocols have ports, if 1279 any ports are specified it requires the Protocol match 1280 in the Rule to be set to \"TCP\" or \"UDP\"." 1281 items: 1282 anyOf: 1283 - type: integer 1284 - type: string 1285 pattern: ^.* 1286 x-kubernetes-int-or-string: true 1287 type: array 1288 selector: 1289 description: "Selector is an optional field that contains 1290 a selector expression (see Policy for sample syntax). 1291 \ Only traffic that originates from (terminates at) endpoints 1292 matching the selector will be matched. \n Note that: in 1293 addition to the negated version of the Selector (see NotSelector 1294 below), the selector expression syntax itself supports 1295 negation. The two types of negation are subtly different. 1296 One negates the set of matched endpoints, the other negates 1297 the whole match: \n \tSelector = \"!has(my_label)\" matches 1298 packets that are from other Calico-controlled \tendpoints 1299 that do not have the label \"my_label\". \n \tNotSelector 1300 = \"has(my_label)\" matches packets that are not from 1301 Calico-controlled \tendpoints that do have the label \"my_label\". 1302 \n The effect is that the latter will accept packets from 1303 non-Calico sources whereas the former is limited to packets 1304 from Calico-controlled endpoints." 1305 type: string 1306 serviceAccounts: 1307 description: ServiceAccounts is an optional field that restricts 1308 the rule to only apply to traffic that originates from 1309 (or terminates at) a pod running as a matching service 1310 account. 
1311 properties: 1312 names: 1313 description: Names is an optional field that restricts 1314 the rule to only apply to traffic that originates 1315 from (or terminates at) a pod running as a service 1316 account whose name is in the list. 1317 items: 1318 type: string 1319 type: array 1320 selector: 1321 description: Selector is an optional field that restricts 1322 the rule to only apply to traffic that originates 1323 from (or terminates at) a pod running as a service 1324 account that matches the given label selector. If 1325 both Names and Selector are specified then they are 1326 AND'ed. 1327 type: string 1328 type: object 1329 type: object 1330 required: 1331 - action 1332 type: object 1333 type: array 1334 ingress: 1335 description: The ordered set of ingress rules. Each rule contains 1336 a set of packet match criteria and a corresponding action to apply. 1337 items: 1338 description: "A Rule encapsulates a set of match criteria and an 1339 action. Both selector-based security Policy and security Profiles 1340 reference rules - separated out as a list of rules for both ingress 1341 and egress packet matching. \n Each positive match criteria has 1342 a negated version, prefixed with \"Not\". All the match criteria 1343 within a rule must be satisfied for a packet to match. A single 1344 rule can contain the positive and negative version of a match 1345 and both must be satisfied for the rule to match." 1346 properties: 1347 action: 1348 type: string 1349 destination: 1350 description: Destination contains the match criteria that apply 1351 to destination entity. 1352 properties: 1353 namespaceSelector: 1354 description: "NamespaceSelector is an optional field that 1355 contains a selector expression. Only traffic that originates 1356 from (or terminates at) endpoints within the selected 1357 namespaces will be matched. 
When both NamespaceSelector 1358 and Selector are defined on the same rule, then only workload 1359 endpoints that are matched by both selectors will be selected 1360 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1361 implies that the Selector is limited to selecting only 1362 workload endpoints in the same namespace as the NetworkPolicy. 1363 \n For NetworkPolicy, `global()` NamespaceSelector implies 1364 that the Selector is limited to selecting only GlobalNetworkSet 1365 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1366 NamespaceSelector implies the Selector applies to workload 1367 endpoints across all namespaces." 1368 type: string 1369 nets: 1370 description: Nets is an optional field that restricts the 1371 rule to only apply to traffic that originates from (or 1372 terminates at) IP addresses in any of the given subnets. 1373 items: 1374 type: string 1375 type: array 1376 notNets: 1377 description: NotNets is the negated version of the Nets 1378 field. 1379 items: 1380 type: string 1381 type: array 1382 notPorts: 1383 description: NotPorts is the negated version of the Ports 1384 field. Since only some protocols have ports, if any ports 1385 are specified it requires the Protocol match in the Rule 1386 to be set to "TCP" or "UDP". 1387 items: 1388 anyOf: 1389 - type: integer 1390 - type: string 1391 pattern: ^.* 1392 x-kubernetes-int-or-string: true 1393 type: array 1394 notSelector: 1395 description: NotSelector is the negated version of the Selector 1396 field. See Selector field for subtleties with negated 1397 selectors. 1398 type: string 1399 ports: 1400 description: "Ports is an optional field that restricts 1401 the rule to only apply to traffic that has a source (destination) 1402 port that matches one of these ranges/values. This value 1403 is a list of integers or strings that represent ranges 1404 of ports. 
\n Since only some protocols have ports, if 1405 any ports are specified it requires the Protocol match 1406 in the Rule to be set to \"TCP\" or \"UDP\"." 1407 items: 1408 anyOf: 1409 - type: integer 1410 - type: string 1411 pattern: ^.* 1412 x-kubernetes-int-or-string: true 1413 type: array 1414 selector: 1415 description: "Selector is an optional field that contains 1416 a selector expression (see Policy for sample syntax). 1417 \ Only traffic that originates from (terminates at) endpoints 1418 matching the selector will be matched. \n Note that: in 1419 addition to the negated version of the Selector (see NotSelector 1420 below), the selector expression syntax itself supports 1421 negation. The two types of negation are subtly different. 1422 One negates the set of matched endpoints, the other negates 1423 the whole match: \n \tSelector = \"!has(my_label)\" matches 1424 packets that are from other Calico-controlled \tendpoints 1425 that do not have the label \"my_label\". \n \tNotSelector 1426 = \"has(my_label)\" matches packets that are not from 1427 Calico-controlled \tendpoints that do have the label \"my_label\". 1428 \n The effect is that the latter will accept packets from 1429 non-Calico sources whereas the former is limited to packets 1430 from Calico-controlled endpoints." 1431 type: string 1432 serviceAccounts: 1433 description: ServiceAccounts is an optional field that restricts 1434 the rule to only apply to traffic that originates from 1435 (or terminates at) a pod running as a matching service 1436 account. 1437 properties: 1438 names: 1439 description: Names is an optional field that restricts 1440 the rule to only apply to traffic that originates 1441 from (or terminates at) a pod running as a service 1442 account whose name is in the list. 
1443 items: 1444 type: string 1445 type: array 1446 selector: 1447 description: Selector is an optional field that restricts 1448 the rule to only apply to traffic that originates 1449 from (or terminates at) a pod running as a service 1450 account that matches the given label selector. If 1451 both Names and Selector are specified then they are 1452 AND'ed. 1453 type: string 1454 type: object 1455 type: object 1456 http: 1457 description: HTTP contains match criteria that apply to HTTP 1458 requests. 1459 properties: 1460 methods: 1461 description: Methods is an optional field that restricts 1462 the rule to apply only to HTTP requests that use one of 1463 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1464 methods are OR'd together. 1465 items: 1466 type: string 1467 type: array 1468 paths: 1469 description: 'Paths is an optional field that restricts 1470 the rule to apply to HTTP requests that use one of the 1471 listed HTTP Paths. Multiple paths are OR''d together. 1472 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1473 ONLY specify either a `exact` or a `prefix` match. The 1474 validator will check for it.' 1475 items: 1476 description: 'HTTPPath specifies an HTTP path to match. 1477 It may be either of the form: exact: <path>: which matches 1478 the path exactly or prefix: <path-prefix>: which matches 1479 the path prefix' 1480 properties: 1481 exact: 1482 type: string 1483 prefix: 1484 type: string 1485 type: object 1486 type: array 1487 type: object 1488 icmp: 1489 description: ICMP is an optional field that restricts the rule 1490 to apply to a specific type and code of ICMP traffic. This 1491 should only be specified if the Protocol field is set to "ICMP" 1492 or "ICMPv6". 1493 properties: 1494 code: 1495 description: Match on a specific ICMP code. If specified, 1496 the Type value must also be specified. This is a technical 1497 limitation imposed by the kernel's iptables firewall, 1498 which Calico uses to enforce the rule. 
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the
                        rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this
                        rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that
                            give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel's iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol
                        field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the
                        rule to only apply to traffic of a specific IP protocol. Required
                        if any of the EntityRules contain Ports (because ports only
                        apply to certain protocols). \n Must be one of these string
                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                        \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to
                        source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              namespaceSelector:
                description: NamespaceSelector is an optional field for an expression
                  used to select a pod based on namespaces.
                type: string
              order:
                description: Order is an optional field that specifies the order in
                  which the policy is applied. Policies with higher "order" are applied
                  after those with lower order. If the order is omitted, it may be
                  considered to be "infinite" - i.e. the policy will be applied last. Policies
                  with identical order will be applied in alphanumerical order based
                  on the Policy "Name".
                type: number
              preDNAT:
                description: PreDNAT indicates to apply the rules in this policy before
                  any DNAT.
                type: boolean
              selector:
                description: "The selector is an expression used to pick pick out
                  the endpoints that the policy should be applied to. \n Selector
                  expressions follow this syntax: \n \tlabel == \"string_literal\"
                  \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
                  \ -> not equal; also matches if label is not present \tlabel in
                  { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
                  ... } -> true if the value of label X is not one of \"a\", \"b\",
                  \"c\" \thas(label_name) -> True if that label is present \t! expr
                  -> negation of expr \texpr && expr -> Short-circuit and \texpr
                  || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                  or the empty selector -> matches all endpoints. \n Label names are
                  allowed to contain alphanumerics, -, _ and /. String literals are
                  more permissive but they do not support escape characters. \n Examples
                  (with made-up labels): \n \ttype == \"webserver\" && deployment
                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
                  \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                description: ServiceAccountSelector is an optional field for an expression
                  used to select a pod based on service accounts.
                type: string
              types:
                description: "Types indicates whether this policy applies to ingress,
                  or to egress, or to both. When not explicitly specified (and so
                  the value on creation is empty or nil), Calico defaults Types according
                  to what Ingress and Egress rules are present in the policy. The
                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
                  (including the case where there are also no Ingress rules) \n
                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
                  both Ingress and Egress rules. \n When the policy is read back again,
                  Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec
                    Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_globalnetworksets.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: GlobalNetworkSet
    listKind: GlobalNetworkSetList
    plural: globalnetworksets
    singular: globalnetworkset
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
          that share labels to allow rules to refer to them via selectors. The labels
          of GlobalNetworkSet are not namespaced.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: GlobalNetworkSetSpec contains the specification for a NetworkSet
              resource.
            properties:
              nets:
                description: The list of IP networks that belong to this set.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_hostendpoints.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: HostEndpoint
    listKind: HostEndpointList
    plural: hostendpoints
    singular: hostendpoint
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: HostEndpointSpec contains the specification for a HostEndpoint
              resource.
            properties:
              expectedIPs:
                description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
                  If \"InterfaceName\" is not present, Calico will look for an interface
                  matching any of the IPs in the list and apply policy to that. Note:
                  \tWhen using the selector match criteria in an ingress or egress
                  security Policy \tor Profile, Calico converts the selector into
                  a set of IP addresses. For host \tendpoints, the ExpectedIPs field
                  is used for that purpose. (If only the interface \tname is specified,
                  Calico does not learn the IPs of the interface for use in match
                  \tcriteria.)"
                items:
                  type: string
                type: array
              interfaceName:
                description: "Either \"*\", or the name of a specific Linux interface
                  to apply policy to; or empty. \"*\" indicates that this HostEndpoint
                  governs all traffic to, from or through the default network namespace
                  of the host named by the \"Node\" field; entering and leaving that
                  namespace via any interface, including those from/to non-host-networked
                  local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
                  only governs traffic that enters or leaves the host through the
                  specific interface named by InterfaceName, or - when InterfaceName
                  is empty - through the specific interface that has one of the IPs
                  in ExpectedIPs. Therefore, when InterfaceName is empty, at least
                  one expected IP must be specified. Only external interfaces (such
                  as \"eth0\") are supported here; it isn't possible for a HostEndpoint
                  to protect traffic through a specific local workload interface.
                  \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
                  initially just pre-DNAT policy. Please check Calico documentation
                  for the latest position."
                type: string
              node:
                description: The node name identifying the Calico node instance.
                type: string
              ports:
                description: Ports contains the endpoint's named ports, which may
                  be referenced in security policy rules.
                items:
                  properties:
                    name:
                      type: string
                    port:
                      type: integer
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                  required:
                  - name
                  - port
                  - protocol
                  type: object
                type: array
              profiles:
                description: A list of identifiers of security Profile objects that
                  apply to this endpoint. Each profile is applied in the order that
                  they appear in this list. Profile rules are applied after the selector-based
                  security policy.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_ipamblocks.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamblocks.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMBlock
    listKind: IPAMBlockList
    plural: ipamblocks
    singular: ipamblock
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMBlockSpec contains the specification for an IPAMBlock
              resource.
            properties:
              affinity:
                type: string
              allocations:
                items:
                  type: integer
                # TODO: This nullable is manually added in. We should update controller-gen
                # to handle []*int properly itself.
                nullable: true
                type: array
              attributes:
                items:
                  properties:
                    handle_id:
                      type: string
                    secondary:
                      additionalProperties:
                        type: string
                      type: object
                  type: object
                type: array
              cidr:
                type: string
              deleted:
                type: boolean
              strictAffinity:
                type: boolean
              unallocated:
                items:
                  type: integer
                type: array
            required:
            - allocations
            - attributes
            - cidr
            - strictAffinity
            - unallocated
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_ipamconfigs.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamconfigs.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMConfig
    listKind: IPAMConfigList
    plural: ipamconfigs
    singular: ipamconfig
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMConfigSpec contains the specification for an IPAMConfig
              resource.
            properties:
              autoAllocateBlocks:
                type: boolean
              maxBlocksPerHost:
                description: MaxBlocksPerHost, if non-zero, is the max number of blocks
                  that can be affine to each host.
                type: integer
              strictAffinity:
                type: boolean
            required:
            - autoAllocateBlocks
            - strictAffinity
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_ipamhandles.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamhandles.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMHandle
    listKind: IPAMHandleList
    plural: ipamhandles
    singular: ipamhandle
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMHandleSpec contains the specification for an IPAMHandle
              resource.
            properties:
              block:
                additionalProperties:
                  type: integer
                type: object
              deleted:
                type: boolean
              handleID:
                type: string
            required:
            - block
            - handleID
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_ippools.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPPool
    listKind: IPPoolList
    plural: ippools
    singular: ippool
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPPoolSpec contains the specification for an IPPool resource.
            properties:
              blockSize:
                description: The block size to use for IP address assignments from
                  this pool. Defaults to 26 for IPv4 and 112 for IPv6.
                type: integer
              cidr:
                description: The pool CIDR.
                type: string
              disabled:
                description: When disabled is true, Calico IPAM will not assign addresses
                  from this pool.
                type: boolean
              ipip:
                description: 'Deprecated: this field is only used for APIv1 backwards
                  compatibility. Setting this field is not allowed, this field is
                  for internal use only.'
                properties:
                  enabled:
                    description: When enabled is true, ipip tunneling will be used
                      to deliver packets to destinations within this pool.
                    type: boolean
                  mode:
                    description: The IPIP mode. This can be one of "always" or "cross-subnet". A
                      mode of "always" will also use IPIP tunneling for routing to
                      destination IP addresses within this pool. A mode of "cross-subnet"
                      will only use IPIP tunneling when the destination node is on
                      a different subnet to the originating node. The default value
                      (if not specified) is "always".
                    type: string
                type: object
              ipipMode:
                description: Contains configuration for IPIP tunneling for this pool.
                  If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
                  is disabled).
                type: string
              nat-outgoing:
                description: 'Deprecated: this field is only used for APIv1 backwards
                  compatibility. Setting this field is not allowed, this field is
                  for internal use only.'
                type: boolean
              natOutgoing:
                description: When nat-outgoing is true, packets sent from Calico networked
                  containers in this pool to destinations outside of this pool will
                  be masqueraded.
                type: boolean
              nodeSelector:
                description: Allows IPPool to allocate for a specific node by label
                  selector.
                type: string
              vxlanMode:
                description: Contains configuration for VXLAN tunneling for this pool.
                  If not specified, then this is defaulted to "Never" (i.e. VXLAN
                  tunneling is disabled).
                type: string
            required:
            - cidr
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_kubecontrollersconfigurations.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: kubecontrollersconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: KubeControllersConfiguration
    listKind: KubeControllersConfigurationList
    plural: kubecontrollersconfigurations
    singular: kubecontrollersconfiguration
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: KubeControllersConfigurationSpec contains the values of the
              Kubernetes controllers configuration.
            properties:
              controllers:
                description: Controllers enables and configures individual Kubernetes
                  controllers
                properties:
                  namespace:
                    description: Namespace enables and configures the namespace controller.
                      Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation
                          with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  node:
                    description: Node enables and configures the node controller.
                      Enabled by default, set to nil to disable.
                    properties:
                      hostEndpoint:
                        description: HostEndpoint controls syncing nodes to host endpoints.
                          Disabled by default, set to nil to disable.
                        properties:
                          autoCreate:
                            description: 'AutoCreate enables automatic creation of
                              host endpoints for every node. [Default: Disabled]'
                            type: string
                        type: object
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation
                          with the Calico datastore. [Default: 5m]'
                        type: string
                      syncLabels:
                        description: 'SyncLabels controls whether to copy Kubernetes
                          node labels to Calico nodes. [Default: Enabled]'
                        type: string
                    type: object
                  policy:
                    description: Policy enables and configures the policy controller.
                      Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation
                          with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  serviceAccount:
                    description: ServiceAccount enables and configures the service
                      account controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation
                          with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  workloadEndpoint:
                    description: WorkloadEndpoint enables and configures the workload
                      endpoint controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation
                          with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                type: object
              etcdV3CompactionPeriod:
                description: 'EtcdV3CompactionPeriod is the period between etcdv3
                  compaction requests. Set to 0 to disable. [Default: 10m]'
                type: string
              healthChecks:
                description: 'HealthChecks enables or disables support for health
                  checks [Default: Enabled]'
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs
                  are sent to the stdout. [Default: Info]'
                type: string
              prometheusMetricsPort:
                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
                  metrics server should bind to. Set to 0 to disable. [Default: 9094]'
                type: integer
            required:
            - controllers
            type: object
          status:
            description: KubeControllersConfigurationStatus represents the status
              of the configuration. It's useful for admins to be able to see the actual
              config that was applied, which can be modified by environment variables
              on the kube-controllers process.
            properties:
              environmentVars:
                additionalProperties:
                  type: string
                description: EnvironmentVars contains the environment variables on
                  the kube-controllers that influenced the RunningConfig.
                type: object
              runningConfig:
                description: RunningConfig contains the effective config that is running
                  in the kube-controllers pod, after merging the API resource with
                  any environment variables.
                properties:
                  controllers:
                    description: Controllers enables and configures individual Kubernetes
                      controllers
                    properties:
                      namespace:
                        description: Namespace enables and configures the namespace
                          controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform
                              reconciliation with the Calico datastore. [Default:
                              5m]'
                            type: string
                        type: object
                      node:
                        description: Node enables and configures the node controller.
                          Enabled by default, set to nil to disable.
                        properties:
                          hostEndpoint:
                            description: HostEndpoint controls syncing nodes to host
                              endpoints. Disabled by default, set to nil to disable.
                            properties:
                              autoCreate:
                                description: 'AutoCreate enables automatic creation
                                  of host endpoints for every node. [Default: Disabled]'
                                type: string
                            type: object
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform
                              reconciliation with the Calico datastore. [Default:
                              5m]'
                            type: string
                          syncLabels:
                            description: 'SyncLabels controls whether to copy Kubernetes
                              node labels to Calico nodes. [Default: Enabled]'
                            type: string
                        type: object
                      policy:
                        description: Policy enables and configures the policy controller.
                          Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform
                              reconciliation with the Calico datastore. [Default:
                              5m]'
                            type: string
                        type: object
                      serviceAccount:
                        description: ServiceAccount enables and configures the service
                          account controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform
                              reconciliation with the Calico datastore. [Default:
                              5m]'
                            type: string
                        type: object
                      workloadEndpoint:
                        description: WorkloadEndpoint enables and configures the workload
                          endpoint controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform
                              reconciliation with the Calico datastore. [Default:
                              5m]'
                            type: string
                        type: object
                    type: object
                  etcdV3CompactionPeriod:
                    description: 'EtcdV3CompactionPeriod is the period between etcdv3
                      compaction requests. Set to 0 to disable. [Default: 10m]'
                    type: string
                  healthChecks:
                    description: 'HealthChecks enables or disables support for health
                      checks [Default: Enabled]'
                    type: string
                  logSeverityScreen:
                    description: 'LogSeverityScreen is the log severity above which
                      logs are sent to the stdout. [Default: Info]'
                    type: string
                  prometheusMetricsPort:
                    description: 'PrometheusMetricsPort is the TCP port that the Prometheus
                      metrics server should bind to. Set to 0 to disable. [Default:
                      9094]'
                    type: integer
                required:
                - controllers
                type: object
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/calico/kdd/crd.projectcalico.org_networkpolicies.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkPolicy
    listKind: NetworkPolicyList
    plural: networkpolicies
    singular: networkpolicy
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              egress:
                description: The ordered set of egress rules. Each rule contains
                  a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an
                    action. Both selector-based security Policy and security Profiles
                    reference rules - separated out as a list of rules for both ingress
                    and egress packet matching. \n Each positive match criteria has
                    a negated version, prefixed with \"Not\". All the match criteria
                    within a rule must be satisfied for a packet to match. A single
                    rule can contain the positive and negative version of a match
                    and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply
                        to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP
                        requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts
                            the rule to apply only to HTTP requests that use one of
                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                            methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts
                            the rule to apply to HTTP requests that use one of the
                            listed HTTP Paths. Multiple paths are OR''d together.
                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                            ONLY specify either a `exact` or a `prefix` match. The
                            validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match.
2599 It may be either of the form: exact: <path>: which matches 2600 the path exactly or prefix: <path-prefix>: which matches 2601 the path prefix' 2602 properties: 2603 exact: 2604 type: string 2605 prefix: 2606 type: string 2607 type: object 2608 type: array 2609 type: object 2610 icmp: 2611 description: ICMP is an optional field that restricts the rule 2612 to apply to a specific type and code of ICMP traffic. This 2613 should only be specified if the Protocol field is set to "ICMP" 2614 or "ICMPv6". 2615 properties: 2616 code: 2617 description: Match on a specific ICMP code. If specified, 2618 the Type value must also be specified. This is a technical 2619 limitation imposed by the kernel's iptables firewall, 2620 which Calico uses to enforce the rule. 2621 type: integer 2622 type: 2623 description: Match on a specific ICMP type. For example 2624 a value of 8 refers to ICMP Echo Request (i.e. pings). 2625 type: integer 2626 type: object 2627 ipVersion: 2628 description: IPVersion is an optional field that restricts the 2629 rule to only match a specific IP version. 2630 type: integer 2631 metadata: 2632 description: Metadata contains additional information for this 2633 rule 2634 properties: 2635 annotations: 2636 additionalProperties: 2637 type: string 2638 description: Annotations is a set of key value pairs that 2639 give extra information about the rule 2640 type: object 2641 type: object 2642 notICMP: 2643 description: NotICMP is the negated version of the ICMP field. 2644 properties: 2645 code: 2646 description: Match on a specific ICMP code. If specified, 2647 the Type value must also be specified. This is a technical 2648 limitation imposed by the kernel's iptables firewall, 2649 which Calico uses to enforce the rule. 2650 type: integer 2651 type: 2652 description: Match on a specific ICMP type. For example 2653 a value of 8 refers to ICMP Echo Request (i.e. pings). 
2654 type: integer 2655 type: object 2656 notProtocol: 2657 anyOf: 2658 - type: integer 2659 - type: string 2660 description: NotProtocol is the negated version of the Protocol 2661 field. 2662 pattern: ^.* 2663 x-kubernetes-int-or-string: true 2664 protocol: 2665 anyOf: 2666 - type: integer 2667 - type: string 2668 description: "Protocol is an optional field that restricts the 2669 rule to only apply to traffic of a specific IP protocol. Required 2670 if any of the EntityRules contain Ports (because ports only 2671 apply to certain protocols). \n Must be one of these string 2672 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2673 \"UDPLite\" or an integer in the range 1-255." 2674 pattern: ^.* 2675 x-kubernetes-int-or-string: true 2676 source: 2677 description: Source contains the match criteria that apply to 2678 source entity. 2679 properties: 2680 namespaceSelector: 2681 description: "NamespaceSelector is an optional field that 2682 contains a selector expression. Only traffic that originates 2683 from (or terminates at) endpoints within the selected 2684 namespaces will be matched. When both NamespaceSelector 2685 and Selector are defined on the same rule, then only workload 2686 endpoints that are matched by both selectors will be selected 2687 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 2688 implies that the Selector is limited to selecting only 2689 workload endpoints in the same namespace as the NetworkPolicy. 2690 \n For NetworkPolicy, `global()` NamespaceSelector implies 2691 that the Selector is limited to selecting only GlobalNetworkSet 2692 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 2693 NamespaceSelector implies the Selector applies to workload 2694 endpoints across all namespaces." 2695 type: string 2696 nets: 2697 description: Nets is an optional field that restricts the 2698 rule to only apply to traffic that originates from (or 2699 terminates at) IP addresses in any of the given subnets. 
2700 items: 2701 type: string 2702 type: array 2703 notNets: 2704 description: NotNets is the negated version of the Nets 2705 field. 2706 items: 2707 type: string 2708 type: array 2709 notPorts: 2710 description: NotPorts is the negated version of the Ports 2711 field. Since only some protocols have ports, if any ports 2712 are specified it requires the Protocol match in the Rule 2713 to be set to "TCP" or "UDP". 2714 items: 2715 anyOf: 2716 - type: integer 2717 - type: string 2718 pattern: ^.* 2719 x-kubernetes-int-or-string: true 2720 type: array 2721 notSelector: 2722 description: NotSelector is the negated version of the Selector 2723 field. See Selector field for subtleties with negated 2724 selectors. 2725 type: string 2726 ports: 2727 description: "Ports is an optional field that restricts 2728 the rule to only apply to traffic that has a source (destination) 2729 port that matches one of these ranges/values. This value 2730 is a list of integers or strings that represent ranges 2731 of ports. \n Since only some protocols have ports, if 2732 any ports are specified it requires the Protocol match 2733 in the Rule to be set to \"TCP\" or \"UDP\"." 2734 items: 2735 anyOf: 2736 - type: integer 2737 - type: string 2738 pattern: ^.* 2739 x-kubernetes-int-or-string: true 2740 type: array 2741 selector: 2742 description: "Selector is an optional field that contains 2743 a selector expression (see Policy for sample syntax). 2744 \ Only traffic that originates from (terminates at) endpoints 2745 matching the selector will be matched. \n Note that: in 2746 addition to the negated version of the Selector (see NotSelector 2747 below), the selector expression syntax itself supports 2748 negation. The two types of negation are subtly different. 
2749 One negates the set of matched endpoints, the other negates 2750 the whole match: \n \tSelector = \"!has(my_label)\" matches 2751 packets that are from other Calico-controlled \tendpoints 2752 that do not have the label \"my_label\". \n \tNotSelector 2753 = \"has(my_label)\" matches packets that are not from 2754 Calico-controlled \tendpoints that do have the label \"my_label\". 2755 \n The effect is that the latter will accept packets from 2756 non-Calico sources whereas the former is limited to packets 2757 from Calico-controlled endpoints." 2758 type: string 2759 serviceAccounts: 2760 description: ServiceAccounts is an optional field that restricts 2761 the rule to only apply to traffic that originates from 2762 (or terminates at) a pod running as a matching service 2763 account. 2764 properties: 2765 names: 2766 description: Names is an optional field that restricts 2767 the rule to only apply to traffic that originates 2768 from (or terminates at) a pod running as a service 2769 account whose name is in the list. 2770 items: 2771 type: string 2772 type: array 2773 selector: 2774 description: Selector is an optional field that restricts 2775 the rule to only apply to traffic that originates 2776 from (or terminates at) a pod running as a service 2777 account that matches the given label selector. If 2778 both Names and Selector are specified then they are 2779 AND'ed. 2780 type: string 2781 type: object 2782 type: object 2783 required: 2784 - action 2785 type: object 2786 type: array 2787 ingress: 2788 description: The ordered set of ingress rules. Each rule contains 2789 a set of packet match criteria and a corresponding action to apply. 2790 items: 2791 description: "A Rule encapsulates a set of match criteria and an 2792 action. Both selector-based security Policy and security Profiles 2793 reference rules - separated out as a list of rules for both ingress 2794 and egress packet matching. 
\n Each positive match criteria has 2795 a negated version, prefixed with \"Not\". All the match criteria 2796 within a rule must be satisfied for a packet to match. A single 2797 rule can contain the positive and negative version of a match 2798 and both must be satisfied for the rule to match." 2799 properties: 2800 action: 2801 type: string 2802 destination: 2803 description: Destination contains the match criteria that apply 2804 to destination entity. 2805 properties: 2806 namespaceSelector: 2807 description: "NamespaceSelector is an optional field that 2808 contains a selector expression. Only traffic that originates 2809 from (or terminates at) endpoints within the selected 2810 namespaces will be matched. When both NamespaceSelector 2811 and Selector are defined on the same rule, then only workload 2812 endpoints that are matched by both selectors will be selected 2813 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 2814 implies that the Selector is limited to selecting only 2815 workload endpoints in the same namespace as the NetworkPolicy. 2816 \n For NetworkPolicy, `global()` NamespaceSelector implies 2817 that the Selector is limited to selecting only GlobalNetworkSet 2818 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 2819 NamespaceSelector implies the Selector applies to workload 2820 endpoints across all namespaces." 2821 type: string 2822 nets: 2823 description: Nets is an optional field that restricts the 2824 rule to only apply to traffic that originates from (or 2825 terminates at) IP addresses in any of the given subnets. 2826 items: 2827 type: string 2828 type: array 2829 notNets: 2830 description: NotNets is the negated version of the Nets 2831 field. 2832 items: 2833 type: string 2834 type: array 2835 notPorts: 2836 description: NotPorts is the negated version of the Ports 2837 field. 
Since only some protocols have ports, if any ports 2838 are specified it requires the Protocol match in the Rule 2839 to be set to "TCP" or "UDP". 2840 items: 2841 anyOf: 2842 - type: integer 2843 - type: string 2844 pattern: ^.* 2845 x-kubernetes-int-or-string: true 2846 type: array 2847 notSelector: 2848 description: NotSelector is the negated version of the Selector 2849 field. See Selector field for subtleties with negated 2850 selectors. 2851 type: string 2852 ports: 2853 description: "Ports is an optional field that restricts 2854 the rule to only apply to traffic that has a source (destination) 2855 port that matches one of these ranges/values. This value 2856 is a list of integers or strings that represent ranges 2857 of ports. \n Since only some protocols have ports, if 2858 any ports are specified it requires the Protocol match 2859 in the Rule to be set to \"TCP\" or \"UDP\"." 2860 items: 2861 anyOf: 2862 - type: integer 2863 - type: string 2864 pattern: ^.* 2865 x-kubernetes-int-or-string: true 2866 type: array 2867 selector: 2868 description: "Selector is an optional field that contains 2869 a selector expression (see Policy for sample syntax). 2870 \ Only traffic that originates from (terminates at) endpoints 2871 matching the selector will be matched. \n Note that: in 2872 addition to the negated version of the Selector (see NotSelector 2873 below), the selector expression syntax itself supports 2874 negation. The two types of negation are subtly different. 2875 One negates the set of matched endpoints, the other negates 2876 the whole match: \n \tSelector = \"!has(my_label)\" matches 2877 packets that are from other Calico-controlled \tendpoints 2878 that do not have the label \"my_label\". \n \tNotSelector 2879 = \"has(my_label)\" matches packets that are not from 2880 Calico-controlled \tendpoints that do have the label \"my_label\". 
2881 \n The effect is that the latter will accept packets from 2882 non-Calico sources whereas the former is limited to packets 2883 from Calico-controlled endpoints." 2884 type: string 2885 serviceAccounts: 2886 description: ServiceAccounts is an optional field that restricts 2887 the rule to only apply to traffic that originates from 2888 (or terminates at) a pod running as a matching service 2889 account. 2890 properties: 2891 names: 2892 description: Names is an optional field that restricts 2893 the rule to only apply to traffic that originates 2894 from (or terminates at) a pod running as a service 2895 account whose name is in the list. 2896 items: 2897 type: string 2898 type: array 2899 selector: 2900 description: Selector is an optional field that restricts 2901 the rule to only apply to traffic that originates 2902 from (or terminates at) a pod running as a service 2903 account that matches the given label selector. If 2904 both Names and Selector are specified then they are 2905 AND'ed. 2906 type: string 2907 type: object 2908 type: object 2909 http: 2910 description: HTTP contains match criteria that apply to HTTP 2911 requests. 2912 properties: 2913 methods: 2914 description: Methods is an optional field that restricts 2915 the rule to apply only to HTTP requests that use one of 2916 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2917 methods are OR'd together. 2918 items: 2919 type: string 2920 type: array 2921 paths: 2922 description: 'Paths is an optional field that restricts 2923 the rule to apply to HTTP requests that use one of the 2924 listed HTTP Paths. Multiple paths are OR''d together. 2925 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2926 ONLY specify either a `exact` or a `prefix` match. The 2927 validator will check for it.' 2928 items: 2929 description: 'HTTPPath specifies an HTTP path to match. 
2930 It may be either of the form: exact: <path>: which matches 2931 the path exactly or prefix: <path-prefix>: which matches 2932 the path prefix' 2933 properties: 2934 exact: 2935 type: string 2936 prefix: 2937 type: string 2938 type: object 2939 type: array 2940 type: object 2941 icmp: 2942 description: ICMP is an optional field that restricts the rule 2943 to apply to a specific type and code of ICMP traffic. This 2944 should only be specified if the Protocol field is set to "ICMP" 2945 or "ICMPv6". 2946 properties: 2947 code: 2948 description: Match on a specific ICMP code. If specified, 2949 the Type value must also be specified. This is a technical 2950 limitation imposed by the kernel's iptables firewall, 2951 which Calico uses to enforce the rule. 2952 type: integer 2953 type: 2954 description: Match on a specific ICMP type. For example 2955 a value of 8 refers to ICMP Echo Request (i.e. pings). 2956 type: integer 2957 type: object 2958 ipVersion: 2959 description: IPVersion is an optional field that restricts the 2960 rule to only match a specific IP version. 2961 type: integer 2962 metadata: 2963 description: Metadata contains additional information for this 2964 rule 2965 properties: 2966 annotations: 2967 additionalProperties: 2968 type: string 2969 description: Annotations is a set of key value pairs that 2970 give extra information about the rule 2971 type: object 2972 type: object 2973 notICMP: 2974 description: NotICMP is the negated version of the ICMP field. 2975 properties: 2976 code: 2977 description: Match on a specific ICMP code. If specified, 2978 the Type value must also be specified. This is a technical 2979 limitation imposed by the kernel's iptables firewall, 2980 which Calico uses to enforce the rule. 2981 type: integer 2982 type: 2983 description: Match on a specific ICMP type. For example 2984 a value of 8 refers to ICMP Echo Request (i.e. pings). 
2985 type: integer 2986 type: object 2987 notProtocol: 2988 anyOf: 2989 - type: integer 2990 - type: string 2991 description: NotProtocol is the negated version of the Protocol 2992 field. 2993 pattern: ^.* 2994 x-kubernetes-int-or-string: true 2995 protocol: 2996 anyOf: 2997 - type: integer 2998 - type: string 2999 description: "Protocol is an optional field that restricts the 3000 rule to only apply to traffic of a specific IP protocol. Required 3001 if any of the EntityRules contain Ports (because ports only 3002 apply to certain protocols). \n Must be one of these string 3003 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3004 \"UDPLite\" or an integer in the range 1-255." 3005 pattern: ^.* 3006 x-kubernetes-int-or-string: true 3007 source: 3008 description: Source contains the match criteria that apply to 3009 source entity. 3010 properties: 3011 namespaceSelector: 3012 description: "NamespaceSelector is an optional field that 3013 contains a selector expression. Only traffic that originates 3014 from (or terminates at) endpoints within the selected 3015 namespaces will be matched. When both NamespaceSelector 3016 and Selector are defined on the same rule, then only workload 3017 endpoints that are matched by both selectors will be selected 3018 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 3019 implies that the Selector is limited to selecting only 3020 workload endpoints in the same namespace as the NetworkPolicy. 3021 \n For NetworkPolicy, `global()` NamespaceSelector implies 3022 that the Selector is limited to selecting only GlobalNetworkSet 3023 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 3024 NamespaceSelector implies the Selector applies to workload 3025 endpoints across all namespaces." 3026 type: string 3027 nets: 3028 description: Nets is an optional field that restricts the 3029 rule to only apply to traffic that originates from (or 3030 terminates at) IP addresses in any of the given subnets. 
3031 items: 3032 type: string 3033 type: array 3034 notNets: 3035 description: NotNets is the negated version of the Nets 3036 field. 3037 items: 3038 type: string 3039 type: array 3040 notPorts: 3041 description: NotPorts is the negated version of the Ports 3042 field. Since only some protocols have ports, if any ports 3043 are specified it requires the Protocol match in the Rule 3044 to be set to "TCP" or "UDP". 3045 items: 3046 anyOf: 3047 - type: integer 3048 - type: string 3049 pattern: ^.* 3050 x-kubernetes-int-or-string: true 3051 type: array 3052 notSelector: 3053 description: NotSelector is the negated version of the Selector 3054 field. See Selector field for subtleties with negated 3055 selectors. 3056 type: string 3057 ports: 3058 description: "Ports is an optional field that restricts 3059 the rule to only apply to traffic that has a source (destination) 3060 port that matches one of these ranges/values. This value 3061 is a list of integers or strings that represent ranges 3062 of ports. \n Since only some protocols have ports, if 3063 any ports are specified it requires the Protocol match 3064 in the Rule to be set to \"TCP\" or \"UDP\"." 3065 items: 3066 anyOf: 3067 - type: integer 3068 - type: string 3069 pattern: ^.* 3070 x-kubernetes-int-or-string: true 3071 type: array 3072 selector: 3073 description: "Selector is an optional field that contains 3074 a selector expression (see Policy for sample syntax). 3075 \ Only traffic that originates from (terminates at) endpoints 3076 matching the selector will be matched. \n Note that: in 3077 addition to the negated version of the Selector (see NotSelector 3078 below), the selector expression syntax itself supports 3079 negation. The two types of negation are subtly different. 
3080 One negates the set of matched endpoints, the other negates 3081 the whole match: \n \tSelector = \"!has(my_label)\" matches 3082 packets that are from other Calico-controlled \tendpoints 3083 that do not have the label \"my_label\". \n \tNotSelector 3084 = \"has(my_label)\" matches packets that are not from 3085 Calico-controlled \tendpoints that do have the label \"my_label\". 3086 \n The effect is that the latter will accept packets from 3087 non-Calico sources whereas the former is limited to packets 3088 from Calico-controlled endpoints." 3089 type: string 3090 serviceAccounts: 3091 description: ServiceAccounts is an optional field that restricts 3092 the rule to only apply to traffic that originates from 3093 (or terminates at) a pod running as a matching service 3094 account. 3095 properties: 3096 names: 3097 description: Names is an optional field that restricts 3098 the rule to only apply to traffic that originates 3099 from (or terminates at) a pod running as a service 3100 account whose name is in the list. 3101 items: 3102 type: string 3103 type: array 3104 selector: 3105 description: Selector is an optional field that restricts 3106 the rule to only apply to traffic that originates 3107 from (or terminates at) a pod running as a service 3108 account that matches the given label selector. If 3109 both Names and Selector are specified then they are 3110 AND'ed. 3111 type: string 3112 type: object 3113 type: object 3114 required: 3115 - action 3116 type: object 3117 type: array 3118 order: 3119 description: Order is an optional field that specifies the order in 3120 which the policy is applied. Policies with higher "order" are applied 3121 after those with lower order. If the order is omitted, it may be 3122 considered to be "infinite" - i.e. the policy will be applied last. Policies 3123 with identical order will be applied in alphanumerical order based 3124 on the Policy "Name". 
3125 type: number 3126 selector: 3127 description: "The selector is an expression used to pick pick out 3128 the endpoints that the policy should be applied to. \n Selector 3129 expressions follow this syntax: \n \tlabel == \"string_literal\" 3130 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 3131 \ -> not equal; also matches if label is not present \tlabel in 3132 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 3133 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 3134 ... } -> true if the value of label X is not one of \"a\", \"b\", 3135 \"c\" \thas(label_name) -> True if that label is present \t! expr 3136 -> negation of expr \texpr && expr -> Short-circuit and \texpr 3137 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 3138 or the empty selector -> matches all endpoints. \n Label names are 3139 allowed to contain alphanumerics, -, _ and /. String literals are 3140 more permissive but they do not support escape characters. \n Examples 3141 (with made-up labels): \n \ttype == \"webserver\" && deployment 3142 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 3143 \"dev\" \t! has(label_name)" 3144 type: string 3145 serviceAccountSelector: 3146 description: ServiceAccountSelector is an optional field for an expression 3147 used to select a pod based on service accounts. 3148 type: string 3149 types: 3150 description: "Types indicates whether this policy applies to ingress, 3151 or to egress, or to both. When not explicitly specified (and so 3152 the value on creation is empty or nil), Calico defaults Types according 3153 to what Ingress and Egress are present in the policy. 
The default 3154 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 3155 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 3156 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 3157 PolicyTypeEgress ], if there are both Ingress and Egress rules. 3158 \n When the policy is read back again, Types will always be one 3159 of these values, never empty or nil." 3160 items: 3161 description: PolicyType enumerates the possible values of the PolicySpec 3162 Types field. 3163 type: string 3164 type: array 3165 type: object 3166 type: object 3167 served: true 3168 storage: true 3169 status: 3170 acceptedNames: 3171 kind: "" 3172 plural: "" 3173 conditions: [] 3174 storedVersions: [] 3175 3176 --- 3177 # Source: crds/calico/kdd/crd.projectcalico.org_networksets.yaml 3178 apiVersion: apiextensions.k8s.io/v1 3179 kind: CustomResourceDefinition 3180 metadata: 3181 name: networksets.crd.projectcalico.org 3182 spec: 3183 group: crd.projectcalico.org 3184 names: 3185 kind: NetworkSet 3186 listKind: NetworkSetList 3187 plural: networksets 3188 singular: networkset 3189 scope: Namespaced 3190 versions: 3191 - name: v1 3192 schema: 3193 openAPIV3Schema: 3194 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 3195 properties: 3196 apiVersion: 3197 description: 'APIVersion defines the versioned schema of this representation 3198 of an object. Servers should convert recognized schemas to the latest 3199 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3200 type: string 3201 kind: 3202 description: 'Kind is a string value representing the REST resource this 3203 object represents. Servers may infer this from the endpoint the client 3204 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3205 type: string 3206 metadata: 3207 type: object 3208 spec: 3209 description: NetworkSetSpec contains the specification for a NetworkSet 3210 resource. 3211 properties: 3212 nets: 3213 description: The list of IP networks that belong to this set. 3214 items: 3215 type: string 3216 type: array 3217 type: object 3218 type: object 3219 served: true 3220 storage: true 3221 status: 3222 acceptedNames: 3223 kind: "" 3224 plural: "" 3225 conditions: [] 3226 storedVersions: [] 3227 3228 --- 3229 # Source: crds/operator.tigera.io_imagesets_crd.yaml 3230 apiVersion: apiextensions.k8s.io/v1 3231 kind: CustomResourceDefinition 3232 metadata: 3233 annotations: 3234 controller-gen.kubebuilder.io/version: v0.3.0 3235 name: imagesets.operator.tigera.io 3236 spec: 3237 group: operator.tigera.io 3238 names: 3239 kind: ImageSet 3240 listKind: ImageSetList 3241 plural: imagesets 3242 singular: imageset 3243 scope: Cluster 3244 versions: 3245 - name: v1 3246 schema: 3247 openAPIV3Schema: 3248 description: ImageSet is used to specify image digests for the images that 3249 the operator deploys. The name of the ImageSet is expected to be in the 3250 format `<variang>-<release>`. The `variant` used is `enterprise` if the 3251 InstallationSpec Variant is `TigeraSecureEnterprise` otherwise it is `calico`. 3252 The `release` must match the version of the variant that the operator is 3253 built to deploy, this version can be obtained by passing the `--version` 3254 flag to the operator binary. 3255 properties: 3256 apiVersion: 3257 description: 'APIVersion defines the versioned schema of this representation 3258 of an object. Servers should convert recognized schemas to the latest 3259 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3260 type: string 3261 kind: 3262 description: 'Kind is a string value representing the REST resource this 3263 object represents. Servers may infer this from the endpoint the client 3264 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3265 type: string 3266 metadata: 3267 type: object 3268 spec: 3269 description: ImageSetSpec defines the desired state of ImageSet. 3270 properties: 3271 images: 3272 description: Images is the list of images to use digests. All images 3273 that the operator will deploy must be specified. 3274 items: 3275 properties: 3276 digest: 3277 description: Digest is the image identifier that will be used 3278 for the Image. The field should not include a leading `@` 3279 and must be prefixed with `sha256:`. 3280 type: string 3281 image: 3282 description: Image is an image that the operator deploys and 3283 instead of using the built in tag the operator will use the 3284 Digest for the image identifier. The value should be the image 3285 name without registry or tag or digest. 
For the image `docker.io/calico/node:v3.17.1` 3286 it should be represented as `calico/node` 3287 type: string 3288 required: 3289 - digest 3290 - image 3291 type: object 3292 type: array 3293 type: object 3294 type: object 3295 served: true 3296 storage: true 3297 subresources: 3298 status: {} 3299 status: 3300 acceptedNames: 3301 kind: "" 3302 plural: "" 3303 conditions: [] 3304 storedVersions: [] 3305 3306 --- 3307 # Source: crds/operator.tigera.io_installations_crd.yaml 3308 apiVersion: apiextensions.k8s.io/v1 3309 kind: CustomResourceDefinition 3310 metadata: 3311 annotations: 3312 controller-gen.kubebuilder.io/version: v0.3.0 3313 name: installations.operator.tigera.io 3314 spec: 3315 group: operator.tigera.io 3316 names: 3317 kind: Installation 3318 listKind: InstallationList 3319 plural: installations 3320 singular: installation 3321 scope: Cluster 3322 versions: 3323 - name: v1 3324 schema: 3325 openAPIV3Schema: 3326 description: Installation configures an installation of Calico or Calico Enterprise. 3327 At most one instance of this resource is supported. It must be named "default". 3328 The Installation API installs core networking and network policy components, 3329 and provides general install-time configuration. 3330 properties: 3331 apiVersion: 3332 description: 'APIVersion defines the versioned schema of this representation 3333 of an object. Servers should convert recognized schemas to the latest 3334 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3335 type: string 3336 kind: 3337 description: 'Kind is a string value representing the REST resource this 3338 object represents. Servers may infer this from the endpoint the client 3339 submits requests to. Cannot be updated. In CamelCase. 
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Specification of the desired state for the Calico or Calico Enterprise installation.
            properties:
              calicoNetwork:
                description: CalicoNetwork specifies networking configuration options for Calico.
                properties:
                  bgp:
                    description: BGP configures whether or not to enable Calico's BGP capabilities.
                    enum:
                    - Enabled
                    - Disabled
                    type: string
                  containerIPForwarding:
                    description: 'ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration. Default: Disabled'
                    enum:
                    - Enabled
                    - Disabled
                    type: string
                  hostPorts:
                    description: 'HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. Default: Enabled'
                    enum:
                    - Enabled
                    - Disabled
                    type: string
                  ipPools:
                    description: IPPools contains a list of IP pools to create if none exist. At most one IP pool of each address family may be specified. If omitted, a single pool will be configured if needed.
                    items:
                      properties:
                        blockSize:
                          description: 'BlockSize specifies the CIDR prefix length to use when allocating per-node IP blocks from the main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)'
                          format: int32
                          type: integer
                        cidr:
                          description: CIDR contains the address range for the IP Pool in classless inter-domain routing format.
                          type: string
                        encapsulation:
                          description: 'Encapsulation specifies the encapsulation type that will be used with the IP Pool.
                            Default: IPIP'
                          enum:
                          - IPIPCrossSubnet
                          - IPIP
                          - VXLAN
                          - VXLANCrossSubnet
                          - None
                          type: string
                        natOutgoing:
                          description: 'NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. Default: Enabled'
                          enum:
                          - Enabled
                          - Disabled
                          type: string
                        nodeSelector:
                          description: 'NodeSelector specifies the node selector that will be set for the IP Pool. Default: ''all()'''
                          type: string
                      required:
                      - cidr
                      type: object
                    type: array
                  linuxDataplane:
                    description: 'LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it causes the operator to add required mounts and environment variables for the particular dataplane. If not specified, iptables mode is used. Default: Iptables'
                    enum:
                    - Iptables
                    - BPF
                    type: string
                  mtu:
                    description: MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform MTU auto-detection based on the cluster network.
                    format: int32
                    type: integer
                  multiInterfaceMode:
                    description: 'MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations using the Calico CNI plugin. Default: None'
                    enum:
                    - None
                    - Multus
                    type: string
                  nodeAddressAutodetectionV4:
                    description: NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, will use default auto-detection settings to acquire an IPv4 address for each node.
                    properties:
                      canReach:
                        description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.
                        type: string
                      cidrs:
                        description: CIDRS enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.
                        items:
                          type: string
                        type: array
                      firstFound:
                        description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.
                        type: boolean
                      interface:
                        description: Interface enables IP auto-detection based on interfaces that match the given regex.
                        type: string
                      skipInterface:
                        description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.
                        type: string
                    type: object
                  nodeAddressAutodetectionV6:
                    description: NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, IPv6 addresses will not be auto-detected.
                    properties:
                      canReach:
                        description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.
                        type: string
                      cidrs:
                        description: CIDRS enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.
                        items:
                          type: string
                        type: array
                      firstFound:
                        description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.
                        type: boolean
                      interface:
                        description: Interface enables IP auto-detection based on interfaces that match the given regex.
                        type: string
                      skipInterface:
                        description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.
                        type: string
                    type: object
                type: object
              certificateManagement:
                description: CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.
                properties:
                  caCert:
                    description: Certificate of the authority that signs the CertificateSigningRequests in PEM format.
                    format: byte
                    type: string
                  keyAlgorithm:
                    description: 'Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. Default: RSAWithSize2048'
                    enum:
                    - ""
                    - RSAWithSize2048
                    - RSAWithSize4096
                    - RSAWithSize8192
                    - ECDSAWithCurve256
                    - ECDSAWithCurve384
                    - ECDSAWithCurve521
                    type: string
                  signatureAlgorithm:
                    description: 'Specify the algorithm used for the signature of the X.509 certificate request. Default: SHA256WithRSA'
                    enum:
                    - ""
                    - SHA256WithRSA
                    - SHA384WithRSA
                    - SHA512WithRSA
                    - ECDSAWithSHA256
                    - ECDSAWithSHA384
                    - ECDSAWithSHA512
                    type: string
                  signerName:
                    description: 'When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters with multiple signers. Must be formatted as: `<my-domain>/<my-signername>`.'
                    type: string
                required:
                - caCert
                - signerName
                type: object
              cni:
                description: CNI specifies the CNI that will be used by this installation.
                properties:
                  ipam:
                    description: IPAM specifies the pod IP address management that will be used in the Calico or Calico Enterprise installation.
                    properties:
                      type:
                        description: "Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation.
                          * For CNI Plugin Calico, this field defaults to Calico. * For CNI Plugin GKE, this field defaults to HostLocal. * For CNI Plugin AzureVNET, this field defaults to AzureVNET. * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. \n The IPAM plugin is installed and configured only if the CNI plugin is set to Calico, for all other values of the CNI plugin the plugin binaries and CNI config is a dependency that is expected to be installed separately. \n Default: Calico"
                        enum:
                        - Calico
                        - HostLocal
                        - AmazonVPC
                        - AzureVNET
                        type: string
                    required:
                    - type
                    type: object
                  type:
                    description: "Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation. * For KubernetesProvider GKE, this field defaults to GKE. * For KubernetesProvider AKS, this field defaults to AzureVNET. * For KubernetesProvider EKS, this field defaults to AmazonVPC. * If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC. * For all other cases this field defaults to Calico. \n For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment, for all other values the CNI plugin binaries and CNI config is a dependency that is expected to be installed separately. \n Default: Calico"
                    enum:
                    - Calico
                    - GKE
                    - AmazonVPC
                    - AzureVNET
                    type: string
                required:
                - type
                type: object
              componentResources:
                description: ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.
                items:
                  description: The ComponentResource struct associates a ResourceRequirements with a component by name
                  properties:
                    componentName:
                      description: ComponentName is an enum which identifies the component
                      enum:
                      - Node
                      - Typha
                      - KubeControllers
                      type: string
                    resourceRequirements:
                      description: ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.
                      properties:
                        limits:
                          additionalProperties:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                            x-kubernetes-int-or-string: true
                          description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                          type: object
                        requests:
                          additionalProperties:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                            x-kubernetes-int-or-string: true
                          description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                          type: object
                      type: object
                  required:
                  - componentName
                  - resourceRequirements
                  type: object
                type: array
              controlPlaneNodeSelector:
                additionalProperties:
                  type: string
                description: ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico components. This is globally applied to all resources created by the operator excluding daemonsets.
                type: object
              controlPlaneTolerations:
                description: ControlPlaneTolerations specify tolerations which are then globally applied to all resources created by the operator.
                items:
                  description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
                  properties:
                    effect:
                      description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
                      type: string
                    key:
                      description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
                      type: string
                    operator:
                      description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                      type: string
                    tolerationSeconds:
                      description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                      format: int64
                      type: integer
                    value:
                      description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                      type: string
                  type: object
                type: array
              flexVolumePath:
                description: FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default.
                  If set to 'None', FlexVolume will be disabled. The default is based on the kubernetesProvider.
                type: string
              imagePath:
                description: "ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<imagePath>` portion of the above format."
                type: string
              imagePrefix:
                description: "ImagePrefix allows for the prefix part of an image to be specified. If specified then the given value will be used as a prefix on each image. If not specified or empty, no prefix will be used. A special case value, UseDefault, is supported to explicitly specify the default image prefix will be used for each image. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<imagePrefix>` portion of the above format."
                type: string
              imagePullSecrets:
                description: ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.
                items:
                  description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
                  properties:
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                      type: string
                  type: object
                type: array
              kubernetesProvider:
                description: KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.
                enum:
                - ""
                - EKS
                - GKE
                - AKS
                - OpenShift
                - DockerEnterprise
                type: string
              nodeMetricsPort:
                description: NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration.
                format: int32
                type: integer
              nodeUpdateStrategy:
                description: NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.
                properties:
                  rollingUpdate:
                    description: 'Rolling update config params. Present only if type = "RollingUpdate". --- TODO: Update this to follow our convention for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. See https://github.com/kubernetes/kubernetes/issues/35345'
                    properties:
                      maxUnavailable:
                        anyOf:
                        - type: integer
                        - type: string
                        description: 'The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0. Default value is 1.
                          Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.'
                        x-kubernetes-int-or-string: true
                    type: object
                  type:
                    description: Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
                    type: string
                type: object
              registry:
                description: "Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<registry>` portion of the above format."
                type: string
              typhaAffinity:
                description: TyphaAffinity allows configuration of node affinity characteristics for Typha pods.
                properties:
                  nodeAffinity:
                    description: NodeAffinity describes node affinity scheduling rules for typha.
                    properties:
                      preferredDuringSchedulingIgnoredDuringExecution:
                        description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.
                        items:
                          description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e.
                            it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
                          properties:
                            preference:
                              description: A node selector term, associated with the corresponding weight.
                              properties:
                                matchExpressions:
                                  description: A list of node selector requirements by node's labels.
                                  items:
                                    description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                    properties:
                                      key:
                                        description: The label key that the selector applies to.
                                        type: string
                                      operator:
                                        description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
                                        type: string
                                      values:
                                        description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchFields:
                                  description: A list of node selector requirements by node's fields.
                                  items:
                                    description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                    properties:
                                      key:
                                        description: The label key that the selector applies to.
                                        type: string
                                      operator:
                                        description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
                                        type: string
                                      values:
                                        description: An array of string values.
                                          If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                              type: object
                            weight:
                              description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
                              format: int32
                              type: integer
                          required:
                          - preference
                          - weight
                          type: object
                        type: array
                    type: object
                type: object
              typhaMetricsPort:
                description: TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.
                format: int32
                type: integer
              variant:
                description: 'Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico'
                enum:
                - Calico
                - TigeraSecureEnterprise
                type: string
            type: object
          status:
            description: Most recently observed state for the Calico or Calico Enterprise installation.
            properties:
              computed:
                description: Computed is the final installation including overlaid resources.
                properties:
                  calicoNetwork:
                    description: CalicoNetwork specifies networking configuration options for Calico.
                    properties:
                      bgp:
                        description: BGP configures whether or not to enable Calico's BGP capabilities.
                        enum:
                        - Enabled
                        - Disabled
                        type: string
                      containerIPForwarding:
                        description: 'ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration.
                          Default: Disabled'
                        enum:
                        - Enabled
                        - Disabled
                        type: string
                      hostPorts:
                        description: 'HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. Default: Enabled'
                        enum:
                        - Enabled
                        - Disabled
                        type: string
                      ipPools:
                        description: IPPools contains a list of IP pools to create if none exist. At most one IP pool of each address family may be specified. If omitted, a single pool will be configured if needed.
                        items:
                          properties:
                            blockSize:
                              description: 'BlockSize specifies the CIDR prefix length to use when allocating per-node IP blocks from the main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)'
                              format: int32
                              type: integer
                            cidr:
                              description: CIDR contains the address range for the IP Pool in classless inter-domain routing format.
                              type: string
                            encapsulation:
                              description: 'Encapsulation specifies the encapsulation type that will be used with the IP Pool. Default: IPIP'
                              enum:
                              - IPIPCrossSubnet
                              - IPIP
                              - VXLAN
                              - VXLANCrossSubnet
                              - None
                              type: string
                            natOutgoing:
                              description: 'NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. Default: Enabled'
                              enum:
                              - Enabled
                              - Disabled
                              type: string
                            nodeSelector:
                              description: 'NodeSelector specifies the node selector that will be set for the IP Pool. Default: ''all()'''
                              type: string
                          required:
                          - cidr
                          type: object
                        type: array
                      linuxDataplane:
                        description: 'LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it causes the operator to add required mounts and environment variables for the particular dataplane. If not specified, iptables mode is used.
                          Default: Iptables'
                        enum:
                        - Iptables
                        - BPF
                        type: string
                      mtu:
                        description: MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform MTU auto-detection based on the cluster network.
                        format: int32
                        type: integer
                      multiInterfaceMode:
                        description: 'MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations using the Calico CNI plugin. Default: None'
                        enum:
                        - None
                        - Multus
                        type: string
                      nodeAddressAutodetectionV4:
                        description: NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, will use default auto-detection settings to acquire an IPv4 address for each node.
                        properties:
                          canReach:
                            description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.
                            type: string
                          cidrs:
                            description: CIDRS enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.
                            items:
                              type: string
                            type: array
                          firstFound:
                            description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.
                            type: boolean
                          interface:
                            description: Interface enables IP auto-detection based on interfaces that match the given regex.
                            type: string
                          skipInterface:
                            description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.
                            type: string
                        type: object
                      nodeAddressAutodetectionV6:
                        description: NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, IPv6 addresses will not be auto-detected.
                        properties:
                          canReach:
                            description: CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.
                            type: string
                          cidrs:
                            description: CIDRS enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.
                            items:
                              type: string
                            type: array
                          firstFound:
                            description: FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.
                            type: boolean
                          interface:
                            description: Interface enables IP auto-detection based on interfaces that match the given regex.
                            type: string
                          skipInterface:
                            description: SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.
                            type: string
                        type: object
                    type: object
                  certificateManagement:
                    description: CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.
                    properties:
                      caCert:
                        description: Certificate of the authority that signs the CertificateSigningRequests in PEM format.
                        format: byte
                        type: string
                      keyAlgorithm:
                        description: 'Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. Default: RSAWithSize2048'
                        enum:
                        - ""
                        - RSAWithSize2048
                        - RSAWithSize4096
                        - RSAWithSize8192
                        - ECDSAWithCurve256
                        - ECDSAWithCurve384
                        - ECDSAWithCurve521
                        type: string
                      signatureAlgorithm:
                        description: 'Specify the algorithm used for the signature of the X.509 certificate request.
                          Default: SHA256WithRSA'
                        enum:
                        - ""
                        - SHA256WithRSA
                        - SHA384WithRSA
                        - SHA512WithRSA
                        - ECDSAWithSHA256
                        - ECDSAWithSHA384
                        - ECDSAWithSHA512
                        type: string
                      signerName:
                        description: 'When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters with multiple signers. Must be formatted as: `<my-domain>/<my-signername>`.'
                        type: string
                    required:
                    - caCert
                    - signerName
                    type: object
                  cni:
                    description: CNI specifies the CNI that will be used by this installation.
                    properties:
                      ipam:
                        description: IPAM specifies the pod IP address management that will be used in the Calico or Calico Enterprise installation.
                        properties:
                          type:
                            description: "Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation. * For CNI Plugin Calico, this field defaults to Calico. * For CNI Plugin GKE, this field defaults to HostLocal. * For CNI Plugin AzureVNET, this field defaults to AzureVNET. * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. \n The IPAM plugin is installed and configured only if the CNI plugin is set to Calico, for all other values of the CNI plugin the plugin binaries and CNI config is a dependency that is expected to be installed separately. \n Default: Calico"
                            enum:
                            - Calico
                            - HostLocal
                            - AmazonVPC
                            - AzureVNET
                            type: string
                        required:
                        - type
                        type: object
                      type:
                        description: "Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation. * For KubernetesProvider GKE, this field defaults to GKE. * For KubernetesProvider AKS, this field defaults to AzureVNET. * For KubernetesProvider EKS, this field defaults to AmazonVPC.
                          * If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC. * For all other cases this field defaults to Calico. \n For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment, for all other values the CNI plugin binaries and CNI config is a dependency that is expected to be installed separately. \n Default: Calico"
                        enum:
                        - Calico
                        - GKE
                        - AmazonVPC
                        - AzureVNET
                        type: string
                    required:
                    - type
                    type: object
                  componentResources:
                    description: ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.
                    items:
                      description: The ComponentResource struct associates a ResourceRequirements with a component by name
                      properties:
                        componentName:
                          description: ComponentName is an enum which identifies the component
                          enum:
                          - Node
                          - Typha
                          - KubeControllers
                          type: string
                        resourceRequirements:
                          description: ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.
                          properties:
                            limits:
                              additionalProperties:
                                anyOf:
                                - type: integer
                                - type: string
                                pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                                x-kubernetes-int-or-string: true
                              description: 'Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' 4215 type: object 4216 requests: 4217 additionalProperties: 4218 anyOf: 4219 - type: integer 4220 - type: string 4221 pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ 4222 x-kubernetes-int-or-string: true 4223 description: 'Requests describes the minimum amount 4224 of compute resources required. If Requests is omitted 4225 for a container, it defaults to Limits if that is 4226 explicitly specified, otherwise to an implementation-defined 4227 value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' 4228 type: object 4229 type: object 4230 required: 4231 - componentName 4232 - resourceRequirements 4233 type: object 4234 type: array 4235 controlPlaneNodeSelector: 4236 additionalProperties: 4237 type: string 4238 description: ControlPlaneNodeSelector is used to select control 4239 plane nodes on which to run Calico components. This is globally 4240 applied to all resources created by the operator excluding daemonsets. 4241 type: object 4242 controlPlaneTolerations: 4243 description: ControlPlaneTolerations specify tolerations which 4244 are then globally applied to all resources created by the operator. 4245 items: 4246 description: The pod this Toleration is attached to tolerates 4247 any taint that matches the triple <key,value,effect> using 4248 the matching operator <operator>. 4249 properties: 4250 effect: 4251 description: Effect indicates the taint effect to match. 4252 Empty means match all taint effects. When specified, allowed 4253 values are NoSchedule, PreferNoSchedule and NoExecute. 4254 type: string 4255 key: 4256 description: Key is the taint key that the toleration applies 4257 to. Empty means match all taint keys. If the key is empty, 4258 operator must be Exists; this combination means to match 4259 all values and all keys. 
                          type: string
                        operator:
                          description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
                          type: string
                        tolerationSeconds:
                          description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
                          format: int64
                          type: integer
                        value:
                          description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
                          type: string
                      type: object
                    type: array
                  flexVolumePath:
                    description: FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to 'None', FlexVolume will be disabled. The default is based on the kubernetesProvider.
                    type: string
                  imagePath:
                    description: "ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<imagePath>` portion of the above format."
                    type: string
                  imagePrefix:
                    description: "ImagePrefix allows for the prefix part of an image to be specified. If specified then the given value will be used as a prefix on each image. If not specified or empty, no prefix will be used. A special case value, UseDefault, is supported to explicitly specify the default image prefix will be used for each image. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<imagePrefix>` portion of the above format."
                    type: string
                  imagePullSecrets:
                    description: ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.
                    items:
                      description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
                      properties:
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                      type: object
                    type: array
                  kubernetesProvider:
                    description: KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.
                    enum:
                    - ""
                    - EKS
                    - GKE
                    - AKS
                    - OpenShift
                    - DockerEnterprise
                    type: string
                  nodeMetricsPort:
                    description: NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration.
                    format: int32
                    type: integer
                  nodeUpdateStrategy:
                    description: NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.
                    properties:
                      rollingUpdate:
                        description: 'Rolling update config params. Present only if type = "RollingUpdate". --- TODO: Update this to follow our convention for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. See https://github.com/kubernetes/kubernetes/issues/35345'
                        properties:
                          maxUnavailable:
                            anyOf:
                            - type: integer
                            - type: string
                            description: 'The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0. Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.'
                            x-kubernetes-int-or-string: true
                        type: object
                      type:
                        description: Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
                        type: string
                    type: object
                  registry:
                    description: "Registry is the default Docker registry used for component Docker images. If specified, all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used. \n Image format: `<registry>/<imagePath>/<imagePrefix><imageName>:<image-tag>` \n This option allows configuring the `<registry>` portion of the above format."
                    type: string
                  typhaAffinity:
                    description: TyphaAffinity allows configuration of node affinity characteristics for Typha pods.
                    properties:
                      nodeAffinity:
                        description: NodeAffinity describes node affinity scheduling rules for typha.
                        properties:
                          preferredDuringSchedulingIgnoredDuringExecution:
                            description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.
                            items:
                              description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
                              properties:
                                preference:
                                  description: A node selector term, associated with the corresponding weight.
                                  properties:
                                    matchExpressions:
                                      description: A list of node selector requirements by node's labels.
                                      items:
                                        description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
                                            type: string
                                          values:
                                            description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchFields:
                                      description: A list of node selector requirements by node's fields.
                                      items:
                                        description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                        properties:
                                          key:
                                            description: The label key that the selector applies to.
                                            type: string
                                          operator:
                                            description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
                                            type: string
                                          values:
                                            description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                  type: object
                                weight:
                                  description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
                                  format: int32
                                  type: integer
                              required:
                              - preference
                              - weight
                              type: object
                            type: array
                        type: object
                    type: object
                  typhaMetricsPort:
                    description: TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.
                    format: int32
                    type: integer
                  variant:
                    description: 'Variant is the product to install - one of Calico or TigeraSecureEnterprise Default: Calico'
                    enum:
                    - Calico
                    - TigeraSecureEnterprise
                    type: string
                type: object
              imageSet:
                description: ImageSet is the name of the ImageSet being used, if there is an ImageSet that is being used. If an ImageSet is not being used then this will not be set.
                type: string
              mtu:
                description: MTU is the most recently observed value for pod network MTU. This may be an explicitly configured value, or based on Calico's native auto-detection.
                format: int32
                type: integer
              variant:
                description: Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise
                enum:
                - Calico
                - TigeraSecureEnterprise
                type: string
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: crds/operator.tigera.io_tigerastatuses_crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.3.0
  name: tigerastatuses.operator.tigera.io
spec:
  group: operator.tigera.io
  names:
    kind: TigeraStatus
    listKind: TigeraStatusList
    plural: tigerastatuses
    singular: tigerastatus
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - description: Whether the component is running and stable.
      jsonPath: .status.conditions[?(@.type=='Available')].status
      name: Available
      type: string
    - description: Whether the component is processing changes.
      jsonPath: .status.conditions[?(@.type=='Progressing')].status
      name: Progressing
      type: string
    - description: Whether the component is degraded.
      jsonPath: .status.conditions[?(@.type=='Degraded')].status
      name: Degraded
      type: string
    - description: The time the component's Available status last changed.
      jsonPath: .status.conditions[?(@.type=='Available')].lastTransitionTime
      name: Since
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TigeraStatusSpec defines the desired state of TigeraStatus
            type: object
          status:
            description: TigeraStatusStatus defines the observed state of TigeraStatus
            properties:
              conditions:
                description: Conditions represents the latest observed set of conditions for this component. A component may be one or more of Available, Progressing, or Degraded.
                items:
                  description: TigeraStatusCondition represents a condition attached to a particular component.
                  properties:
                    lastTransitionTime:
                      description: The timestamp representing the start time for the current status.
                      format: date-time
                      type: string
                    message:
                      description: Optionally, a detailed message providing additional context.
                      type: string
                    reason:
                      description: A brief reason explaining the condition.
                      type: string
                    status:
                      description: The status of the condition. May be True, False, or Unknown.
                      type: string
                    type:
                      description: The type of condition. May be Available, Progressing, or Degraded.
                      type: string
                  required:
                  - lastTransitionTime
                  - status
                  - type
                  type: object
                type: array
            required:
            - conditions
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# Source: tigera-operator/templates/tigera-operator/00-namespace-tigera-operator.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: tigera-operator
  annotations:
  labels:
    name: tigera-operator
---
# Source: tigera-operator/templates/tigera-operator/02-podsecuritypolicy-tigera-operator.yaml
# This should not be rendered for an OpenShift install.
# OpenShift uses SecurityContextConstraints instead.
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25; clusters on
# newer releases must enforce the equivalent constraints with Pod Security
# Admission or a third-party admission controller instead.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tigera-operator
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    # hostPath is permitted with no allowedHostPaths restriction, so any host
    # directory may be mounted by a pod admitted under this policy.
    - 'hostPath'
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    # Assume that persistentVolumes set up by the cluster admin are safe to use.
    - 'persistentVolumeClaim'
  # The operator runs in the node's network namespace (see the Deployment
  # below) and may bind any host port.
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
# Source: tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tigera-operator
  namespace: tigera-operator
---
# Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml
# Bound cluster-wide by the ClusterRoleBinding below, so every grant here
# applies in all namespaces (note secrets and serviceaccounts in the first rule).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-operator
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
      - podtemplates
      - services
      - endpoints
      - events
      - configmaps
      - secrets
      - serviceaccounts
    verbs:
      - create
      - get
      - list
      - update
      - delete
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      # Need to update node labels when migrating nodes.
      - 'get'
      - 'patch'
      - 'list'
      # We need this for Typha autoscaling
      - 'watch'
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - clusterrolebindings
      - rolebindings
      - roles
    verbs:
      - create
      - get
      - list
      - update
      - delete
      - watch
      # bind and escalate let this ServiceAccount grant permissions it does not
      # itself hold; together with the ClusterRoleBinding below that makes the
      # tigera-operator token cluster-admin-equivalent.
      - bind
      - escalate
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - delete
      - watch
  - apiGroups:
      - apps
    resourceNames:
      - tigera-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - operator.tigera.io
    resources:
      - '*'
    verbs:
      - create
      - get
      - list
      - update
      - patch
      - delete
      - watch
  - apiGroups:
      - crd.projectcalico.org
    resources:
      - felixconfigurations
    verbs:
      - patch
  - apiGroups:
      - crd.projectcalico.org
    resources:
      - ippools
      - kubecontrollersconfigurations
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - create
      - get
      - list
      - update
      - delete
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - create
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - get
      - list
      - update
      - delete
      - watch
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - list
      - watch
  # Needed for operator lock
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - get
      - list
      - update
      - delete
      - watch
  # Add the appropriate pod security policy permissions
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - tigera-operator
    verbs:
      - use
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - get
      - list
      - watch
      - create
      - update
  # Add the permissions to monitor the status of certificatesigningrequests when certificate management is enabled.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - list
---
# Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tigera-operator
subjects:
  - kind: ServiceAccount
    name: tigera-operator
    namespace: tigera-operator
roleRef:
  kind: ClusterRole
  name: tigera-operator
  apiGroup: rbac.authorization.k8s.io
---
# Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tigera-operator
  namespace: tigera-operator
  labels:
    k8s-app: tigera-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: tigera-operator
  template:
    metadata:
      labels:
        name: tigera-operator
        k8s-app: tigera-operator
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        - effect: NoExecute
          operator: Exists
        - effect: NoSchedule
          operator: Exists
      serviceAccountName: tigera-operator
      hostNetwork: true
      # This must be set when hostNetwork is true or else the cluster services won't resolve
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: tigera-operator
          image: quay.io/tigera/operator:v1.17.4
          imagePullPolicy: IfNotPresent
          command:
            - operator
          volumeMounts:
            # The only host mount the operator itself takes, and it is read-only.
            - name: var-lib-calico
              readOnly: true
              mountPath: /var/lib/calico
          env:
            # An empty WATCH_NAMESPACE means the operator watches all namespaces.
            - name: WATCH_NAMESPACE
              value: ""
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "tigera-operator"
            - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION
              value: v1.17.4
          envFrom:
            - configMapRef:
                name: kubernetes-services-endpoint
                optional: true
      volumes:
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
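The ClusterRole, PodSecurityPolicy and Deployment above are the parts of this manifest a reviewer should actually reason about: the `bind` and `escalate` verbs on RBAC objects, cluster-wide read of `secrets`, `create` on pods under a policy that permits `hostPath`, and what that policy does and does not stop. The script below is an added example, not code from sealer or the tigera-operator chart. `RULES`, `PSP` and `OPERATOR_POD` are transcribed from the manifests on this page (ClusterRole rules that do not bear on escalation are left out); the function names, the choice of which grants count as dangerous, and the severity labels are this example's own assumptions, not anything the Kubernetes API defines, and `psp_admits` models only part of real PSP admission.

```python
"""Audit the tigera-operator ClusterRole and PodSecurityPolicy shown above.

Added example; it is not code from sealer or the tigera-operator chart. RULES,
PSP and OPERATOR_POD are transcribed from the manifests on this page (RBAC rules
that do not bear on escalation are omitted). Which grants count as dangerous,
and their severity labels, are this script's own heuristic, not anything the
Kubernetes API defines; psp_admits() models only a subset of PSP admission.
"""

SEVERITY = {"critical": 0, "high": 1, "medium": 2}

# Constructed from the `tigera-operator` ClusterRole above (subset of rules).
RULES = [
    {"apiGroups": [""], "verbs": ["create", "get", "list", "update", "delete", "watch"],
     "resources": ["namespaces", "pods", "podtemplates", "services", "endpoints",
                   "events", "configmaps", "secrets", "serviceaccounts"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings", "rolebindings", "roles"],
     "verbs": ["create", "get", "list", "update", "delete", "watch", "bind", "escalate"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"],
     "verbs": ["create", "get", "list", "patch", "update", "delete", "watch"]},
    {"apiGroups": ["operator.tigera.io"], "resources": ["*"],
     "verbs": ["create", "get", "list", "update", "patch", "delete", "watch"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["tigera-operator"], "verbs": ["use"]},
]

# Constructed from the `tigera-operator` PodSecurityPolicy spec above.
PSP = {
    "privileged": False, "allowPrivilegeEscalation": False,
    "volumes": ["hostPath", "configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": True, "hostPorts": [{"min": 0, "max": 65535}],
    "hostIPC": False, "hostPID": False, "runAsUser": {"rule": "MustRunAsNonRoot"},
}

# Constructed from the operator Deployment's pod template above.
OPERATOR_POD = {
    "hostNetwork": True,
    "containers": [{"name": "tigera-operator",
                    "volumeMounts": [{"name": "var-lib-calico", "readOnly": True,
                                      "mountPath": "/var/lib/calico"}]}],
    "volumes": [{"name": "var-lib-calico", "hostPath": {"path": "/var/lib/calico"}}],
}


def can(rules, group, resource, verb):
    """True if any rule covers (group, resource, verb); '*' matches anything."""
    hit = lambda granted, wanted: "*" in granted or wanted in granted
    return any(hit(r.get("apiGroups", []), group) and hit(r.get("resources", []), resource)
               and hit(r.get("verbs", []), verb) for r in rules)


def rbac_findings(rules, psp=None):
    """Grants that let the holder reach cluster-admin or every node, as
    [(severity, reason)] ordered by severity. `psp` is the policy the holder
    may `use`, which decides what a pod it creates is allowed to do."""
    rbac, out = "rbac.authorization.k8s.io", []
    if any(can(rules, rbac, r, "escalate") for r in ("clusterroles", "roles")):
        out.append(("critical", "escalate on roles: may write permissions it does not itself hold"))
    if any(can(rules, rbac, r, "bind") for r in ("clusterrolebindings", "rolebindings")):
        out.append(("critical", "bind on role bindings: may bind any role, cluster-admin included"))
    if can(rules, "", "secrets", "get") or can(rules, "", "secrets", "list"):
        out.append(("high", "read secrets: every ServiceAccount token and TLS key in scope"))
    if can(rules, "apps", "daemonsets", "create"):
        out.append(("high", "create daemonsets: schedules a workload on every node"))
    if (psp and can(rules, "", "pods", "create") and "hostPath" in psp.get("volumes", [])
            and not psp.get("allowedHostPaths")):
        out.append(("high", "create pods under a PSP allowing unrestricted hostPath"))
    for r in rules:
        if "*" in r.get("resources", []) or "*" in r.get("verbs", []):
            out.append(("medium", f"wildcard grant in apiGroups {r.get('apiGroups')}"))
    return sorted(out, key=lambda f: SEVERITY[f[0]])


def psp_admits(psp, pod):
    """Simplified PSP admission: the list of violations (empty means admitted).
    Covers host namespaces, privilege flags, host ports, volume types, hostPath
    prefixes and runAsUser 0; MustRunAsNonRoot without an explicit runAsUser is
    deferred to the kubelet's image USER check, as the real admission does."""
    v, ports = [], psp.get("hostPorts", [])
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag) and not psp.get(flag):
            v.append(f"{flag} not allowed")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        for flag in ("privileged", "allowPrivilegeEscalation"):
            if sc.get(flag) and not psp.get(flag):
                v.append(f"{c['name']}: {flag} not allowed")
        if psp.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot" and sc.get("runAsUser") == 0:
            v.append(f"{c['name']}: runAsUser 0 rejected by MustRunAsNonRoot")
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"] for r in ports):
                v.append(f"{c['name']}: hostPort {hp} outside allowed ranges")
    for vol in pod.get("volumes", []):
        kind = next(k for k in vol if k != "name")  # the single volume-source key
        if kind not in psp.get("volumes", []) and "*" not in psp.get("volumes", []):
            v.append(f"volume {vol['name']}: type {kind} not allowed")
        elif kind == "hostPath" and psp.get("allowedHostPaths") and not any(
                vol["hostPath"]["path"].startswith(a["pathPrefix"]) for a in psp["allowedHostPaths"]):
            v.append(f"volume {vol['name']}: path {vol['hostPath']['path']} not in allowedHostPaths")
    return v


if __name__ == "__main__":
    for sev, why in rbac_findings(RULES, PSP):
        print(f"[{sev}] {why}")
    print("operator pod admitted:", psp_admits(PSP, OPERATOR_POD) == [])
```

Run against the data above, `rbac_findings` reports two critical findings (escalate, bind) before anything else, which is the practical takeaway: the `tigera-operator` ServiceAccount token is cluster-admin-equivalent, so access to the `tigera-operator` namespace and to the node it runs on (it uses `hostNetwork`) deserves the same controls as the control plane. `psp_admits` admits the operator's own pod and shows that the policy would equally admit a non-root pod mounting `/`; adding `allowedHostPaths` with the `/var/lib/calico` prefix is the smallest tightening that keeps the operator working while closing that path. The same checks are worth re-running on whatever replaces this PSP, since `policy/v1beta1` no longer exists on Kubernetes 1.25 and later.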