# Source file: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/prow/config/calico.yaml
---
# Source: calico/templates/calico-kube-controllers.yaml
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
# it: with maxUnavailable 1 the autoscaler may evict at most one calico-kube-controllers
# pod at a time, which bounds the window during which the controller is absent.

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
---
# Source: calico/templates/calico-kube-controllers.yaml
# Identity for the calico-kube-controllers workload. The permissions bound to it
# (ClusterRole/ClusterRoleBinding) are not in this chunk -- review them with the
# same care as the workload, since they define what a compromised controller pod
# can do against the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system
---
# Source: calico/templates/calico-node.yaml
# Identity for the calico-node agent (its DaemonSet and RBAC are not in this chunk).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system
---
# Source: calico/templates/calico-node.yaml
# Separate identity for the CNI plugin itself, so the plugin's API-server
# credentials can be scoped more narrowly than calico-node's (least privilege).
# Which of the two identities the CNI kubeconfig in calico-config is issued for
# is not visible here -- confirm in the install-cni container spec.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-cni-plugin
  namespace: kube-system
---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
# Nothing in it is secret, but it is security-relevant: it selects the routing
# backend and ships the CNI configuration that every node installs.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Typha is disabled (no Typha service name is given; calico-node is then
  # presumably configured to reach the datastore directly -- see the DaemonSet,
  # not in this chunk).
  typha_service_name: "none"
  # Configure the backend to use. "bird" is the BIRD BGP daemon: node routes are
  # exchanged over BGP, whose session hardening (passwords, GTSM, prefix filters)
  # is configured through the BGPConfiguration/BGPPeer/BGPFilter CRDs defined
  # later in this file.
  calico_backend: "bird"

  # Configure the MTU to use for workload interfaces and tunnels.
  # By default, MTU is auto-detected, and explicitly setting this field should not be required.
  # You can override auto-detection by providing a non-zero value.
  # Kept as a quoted string on purpose: ConfigMap data values must be strings.
  veth_mtu: "0"

  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # The __NAME__ tokens below (node name, MTU, kubeconfig path) are placeholders
  # substituted on each node before the file is written into the CNI config
  # directory; until then this is a template, not valid JSON (note the unquoted
  # __CNI_MTU__). JSON has no comment syntax, so the notes live here:
  #   - datastore_type "kubernetes" + kubernetes.kubeconfig: the calico plugin
  #     authenticates to the API server with the credential file at that path on
  #     the node. Whose token it carries (presumably the calico-cni-plugin
  #     ServiceAccount) and what RBAC that identity has are not visible in this
  #     chunk -- confirm both are minimal, since anything that can read the host's
  #     CNI config directory can read that file.
  #   - "policy": {"type": "k8s"} selects Kubernetes policy enforcement for the network.
  #   - portmap "snat": true installs the plugin's SNAT (masquerade) rules in
  #     addition to the hostPort DNAT; NOTE(review): confirm the effect on source
  #     addresses if any policy keys on the client IP of hostPort traffic.
  #   - log_file_path is a host path; "info" level keeps plugin logs there.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "log_file_path": "/var/log/calico/cni/cni.log",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        },
        {
          "type": "bandwidth",
          "capabilities": {"bandwidth": true}
        }
      ]
    }
---
# Source: calico/templates/kdd-crds.yaml
# Cluster-scoped: a principal that can write BGPConfiguration objects can change
# BGP behaviour for every node (node-to-node mesh, mesh password, listen port,
# advertised service CIDRs), so treat write access to this CRD as equivalent to
# admin over the cluster network. preserveUnknownFields: false means the API
# server prunes fields not declared in the schema instead of storing them.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPConfiguration
    listKind: BGPConfigurationList
    plural: bgpconfigurations
    singular: bgpconfiguration
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: BGPConfiguration contains the configuration for any BGP routing.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 122 type: string 123 metadata: 124 type: object 125 spec: 126 description: BGPConfigurationSpec contains the values of the BGP configuration. 127 properties: 128 asNumber: 129 description: 'ASNumber is the default AS number used by a node. [Default: 130 64512]' 131 format: int32 132 type: integer 133 bindMode: 134 description: BindMode indicates whether to listen for BGP connections 135 on all addresses (None) or only on the node's canonical IP address 136 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen 137 for BGP connections on all addresses. 138 type: string 139 communities: 140 description: Communities is a list of BGP community values and their 141 arbitrary names for tagging routes. 142 items: 143 description: Community contains standard or large community value 144 and its name. 145 properties: 146 name: 147 description: Name given to community value. 148 type: string 149 value: 150 description: Value must be of format `aa:nn` or `aa:nn:mm`. 151 For standard community use `aa:nn` format, where `aa` and 152 `nn` are 16 bit number. For large community use `aa:nn:mm` 153 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 154 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. 155 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 156 type: string 157 type: object 158 type: array 159 ignoredInterfaces: 160 description: IgnoredInterfaces indicates the network interfaces that 161 needs to be excluded when reading device routes. 162 items: 163 type: string 164 type: array 165 listenPort: 166 description: ListenPort is the port where BGP protocol should listen. 167 Defaults to 179 168 maximum: 65535 169 minimum: 1 170 type: integer 171 logSeverityScreen: 172 description: 'LogSeverityScreen is the log severity above which logs 173 are sent to the stdout. 
[Default: INFO]' 174 type: string 175 nodeMeshMaxRestartTime: 176 description: Time to allow for software restart for node-to-mesh peerings. When 177 specified, this is configured as the graceful restart timeout. When 178 not specified, the BIRD default of 120s is used. This field can 179 only be set on the default BGPConfiguration instance and requires 180 that NodeMesh is enabled 181 type: string 182 nodeMeshPassword: 183 description: Optional BGP password for full node-to-mesh peerings. 184 This field can only be set on the default BGPConfiguration instance 185 and requires that NodeMesh is enabled 186 properties: 187 secretKeyRef: 188 description: Selects a key of a secret in the node pod's namespace. 189 properties: 190 key: 191 description: The key of the secret to select from. Must be 192 a valid secret key. 193 type: string 194 name: 195 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 196 TODO: Add other useful fields. apiVersion, kind, uid?' 197 type: string 198 optional: 199 description: Specify whether the Secret or its key must be 200 defined 201 type: boolean 202 required: 203 - key 204 type: object 205 type: object 206 nodeToNodeMeshEnabled: 207 description: 'NodeToNodeMeshEnabled sets whether full node to node 208 BGP mesh is enabled. [Default: true]' 209 type: boolean 210 prefixAdvertisements: 211 description: PrefixAdvertisements contains per-prefix advertisement 212 configuration. 213 items: 214 description: PrefixAdvertisement configures advertisement properties 215 for the specified CIDR. 216 properties: 217 cidr: 218 description: CIDR for which properties should be advertised. 219 type: string 220 communities: 221 description: Communities can be list of either community names 222 already defined in `Specs.Communities` or community value 223 of format `aa:nn` or `aa:nn:mm`. For standard community use 224 `aa:nn` format, where `aa` and `nn` are 16 bit number. 
For 225 large community use `aa:nn:mm` format, where `aa`, `nn` and 226 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 227 `mm` are per-AS identifier. 228 items: 229 type: string 230 type: array 231 type: object 232 type: array 233 serviceClusterIPs: 234 description: ServiceClusterIPs are the CIDR blocks from which service 235 cluster IPs are allocated. If specified, Calico will advertise these 236 blocks, as well as any cluster IPs within them. 237 items: 238 description: ServiceClusterIPBlock represents a single allowed ClusterIP 239 CIDR block. 240 properties: 241 cidr: 242 type: string 243 type: object 244 type: array 245 serviceExternalIPs: 246 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 247 Service External IPs. Kubernetes Service ExternalIPs will only be 248 advertised if they are within one of these blocks. 249 items: 250 description: ServiceExternalIPBlock represents a single allowed 251 External IP CIDR block. 252 properties: 253 cidr: 254 type: string 255 type: object 256 type: array 257 serviceLoadBalancerIPs: 258 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 259 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 260 IPs will only be advertised if they are within one of these blocks. 261 items: 262 description: ServiceLoadBalancerIPBlock represents a single allowed 263 LoadBalancer IP CIDR block. 
264 properties: 265 cidr: 266 type: string 267 type: object 268 type: array 269 type: object 270 type: object 271 served: true 272 storage: true 273 status: 274 acceptedNames: 275 kind: "" 276 plural: "" 277 conditions: [] 278 storedVersions: [] 279 --- 280 # Source: calico/templates/kdd-crds.yaml 281 apiVersion: apiextensions.k8s.io/v1 282 kind: CustomResourceDefinition 283 metadata: 284 annotations: 285 controller-gen.kubebuilder.io/version: (devel) 286 creationTimestamp: null 287 name: bgpfilters.crd.projectcalico.org 288 spec: 289 group: crd.projectcalico.org 290 names: 291 kind: BGPFilter 292 listKind: BGPFilterList 293 plural: bgpfilters 294 singular: bgpfilter 295 scope: Cluster 296 versions: 297 - name: v1 298 schema: 299 openAPIV3Schema: 300 properties: 301 apiVersion: 302 description: 'APIVersion defines the versioned schema of this representation 303 of an object. Servers should convert recognized schemas to the latest 304 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 305 type: string 306 kind: 307 description: 'Kind is a string value representing the REST resource this 308 object represents. Servers may infer this from the endpoint the client 309 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 310 type: string 311 metadata: 312 type: object 313 spec: 314 description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of 315 the BGP Filter. 316 properties: 317 exportV4: 318 description: The ordered set of IPv4 BGPFilter rules acting on exporting 319 routes to a peer. 320 items: 321 description: BGPFilterRuleV4 defines a BGP filter rule consisting 322 a single IPv4 CIDR block and a filter action for this CIDR. 
                  # Every rule field is a free-form string in this schema: no enum
                  # on action or matchOperator, no pattern on cidr. A mistyped
                  # action or CIDR is therefore not rejected at admission here;
                  # whatever validation exists lives in the consumer -- confirm
                  # before relying on filters as the only guard on what a peer can
                  # inject or receive.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  type: object
                type: array
              exportV6:
                description: The ordered set of IPv6 BGPFilter rules acting on exporting
                  routes to a peer.
                items:
                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
                    a single IPv6 CIDR block and a filter action for this CIDR.
                  # Same loose typing as the IPv4 export rules (strings only).
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  type: object
                type: array
              # Import rules are the side that limits what a peer can push into the
              # cluster's routing table; export rules limit what the cluster
              # advertises. Both are ordered lists, so rule order is significant.
              importV4:
                description: The ordered set of IPv4 BGPFilter rules acting on importing
                  routes from a peer.
                items:
                  description: BGPFilterRuleV4 defines a BGP filter rule consisting
                    a single IPv4 CIDR block and a filter action for this CIDR.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  type: object
                type: array
              importV6:
                description: The ordered set of IPv6 BGPFilter rules acting on importing
                  routes from a peer.
                items:
                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
                    a single IPv6 CIDR block and a filter action for this CIDR.
386 properties: 387 action: 388 type: string 389 cidr: 390 type: string 391 interface: 392 type: string 393 matchOperator: 394 type: string 395 source: 396 type: string 397 required: 398 - action 399 type: object 400 type: array 401 type: object 402 type: object 403 served: true 404 storage: true 405 status: 406 acceptedNames: 407 kind: "" 408 plural: "" 409 conditions: [] 410 storedVersions: [] 411 --- 412 # Source: calico/templates/kdd-crds.yaml 413 apiVersion: apiextensions.k8s.io/v1 414 kind: CustomResourceDefinition 415 metadata: 416 name: bgppeers.crd.projectcalico.org 417 spec: 418 group: crd.projectcalico.org 419 names: 420 kind: BGPPeer 421 listKind: BGPPeerList 422 plural: bgppeers 423 singular: bgppeer 424 preserveUnknownFields: false 425 scope: Cluster 426 versions: 427 - name: v1 428 schema: 429 openAPIV3Schema: 430 properties: 431 apiVersion: 432 description: 'APIVersion defines the versioned schema of this representation 433 of an object. Servers should convert recognized schemas to the latest 434 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 435 type: string 436 kind: 437 description: 'Kind is a string value representing the REST resource this 438 object represents. Servers may infer this from the endpoint the client 439 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 440 type: string 441 metadata: 442 type: object 443 spec: 444 description: BGPPeerSpec contains the specification for a BGPPeer resource. 445 properties: 446 asNumber: 447 description: The AS Number of the peer. 448 format: int32 449 type: integer 450 filters: 451 description: The ordered set of BGPFilters applied on this BGP peer. 
                # Entries are presumably BGPFilter object names; the list is ordered.
                items:
                  type: string
                type: array
              keepOriginalNextHop:
                description: Option to keep the original nexthop field when routes
                  are sent to a BGP Peer. Setting "true" configures the selected BGP
                  Peers node to use the "next hop keep;" instead of "next hop self;"(default)
                  in the specific branch of the Node on "bird.cfg".
                type: boolean
              maxRestartTime:
                description: Time to allow for software restart. When specified,
                  this is configured as the graceful restart timeout. When not specified,
                  the BIRD default of 120s is used.
                type: string
              node:
                description: The node name identifying the Calico node instance that
                  is targeted by this peer. If this is not set, and no nodeSelector
                  is specified, then this BGP peer selects all nodes in the cluster.
                type: string
              # Mutually exclusive with node per the description; nothing in this
              # schema enforces that (no oneOf), so it relies on the consumer.
              nodeSelector:
                description: Selector for the nodes that should have this peering. When
                  this is set, the Node field must be empty.
                type: string
              # Loosens BGP loop prevention (see description). The schema puts no
              # minimum on this int32, so negative or oversized values are not
              # rejected at admission; treat any non-zero setting as needing review.
              numAllowedLocalASNumbers:
                description: Maximum number of local AS numbers that are allowed in
                  the AS path for received routes. This removes BGP loop prevention
                  and should only be used if absolutely necesssary.
                format: int32
                type: integer
              # The session password is read from a Secret in the node pod's
              # namespace; it is never inlined in the BGPPeer object. The identity
              # running calico-node therefore needs read access to that Secret --
              # its RBAC is not in this chunk; confirm it is limited to the named
              # Secret rather than all Secrets in the namespace.
              password:
                description: Optional BGP password for the peerings generated by this
                  BGPPeer resource.
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from. Must be
                          a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                          TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      # optional: true lets the peering be created without the
                      # Secret present -- i.e. unauthenticated; prefer leaving it
                      # unset/false where a password is intended.
                      optional:
                        description: Specify whether the Secret or its key must be
                          defined
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              # Free-form string: the schema attaches no pattern, so the IP/port
              # format described here is checked (if at all) by the consumer, not
              # by the API server.
              peerIP:
                description: The IP address of the peer followed by an optional port
                  number to peer with. If port number is given, format should be `[<IPv6>]:port`
                  or `<IPv4>:<port>` for IPv4. If optional port number is not set,
                  and this peer IP and ASNumber belongs to a calico/node with ListenPort
                  set in BGPConfiguration, then we use that port to peer.
                type: string
              # Mutually exclusive with peerIP/asNumber per the description; not
              # enforced by this schema.
              peerSelector:
                description: Selector for the remote nodes to peer with. When this
                  is set, the PeerIP and ASNumber fields must be empty. For each
                  peering between the local node and selected remote nodes, we configure
                  an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
                  and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
                  remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
                  or the global default if that is not set.
                type: string
              reachableBy:
                description: Add an exact, i.e. /32, static route toward peer IP in
                  order to prevent route flapping. ReachableBy contains the address
                  of the gateway which peer can be reached by.
                type: string
              # Documented values are "UseNodeIP" and "None", but there is no enum
              # here, so other strings pass admission.
              sourceAddress:
                description: Specifies whether and how to configure a source address
                  for the peerings generated by this BGPPeer resource. Default value
                  "UseNodeIP" means to configure the node IP as the source address. "None"
                  means not to configure a source address.
                type: string
              # GTSM hop count. Cheap protection against spoofed BGP packets from
              # beyond the expected hop distance; pair it with password for
              # authenticated sessions. Unlike listenPort in BGPConfiguration, this
              # integer carries no minimum/maximum in the schema.
              ttlSecurity:
                description: TTLSecurity enables the generalized TTL security mechanism
                  (GTSM) which protects against spoofed packets by ignoring received
                  packets with a smaller than expected TTL value. The provided value
                  is the number of hops (edges) between the peers.
536 type: integer 537 type: object 538 type: object 539 served: true 540 storage: true 541 status: 542 acceptedNames: 543 kind: "" 544 plural: "" 545 conditions: [] 546 storedVersions: [] 547 --- 548 # Source: calico/templates/kdd-crds.yaml 549 apiVersion: apiextensions.k8s.io/v1 550 kind: CustomResourceDefinition 551 metadata: 552 name: blockaffinities.crd.projectcalico.org 553 spec: 554 group: crd.projectcalico.org 555 names: 556 kind: BlockAffinity 557 listKind: BlockAffinityList 558 plural: blockaffinities 559 singular: blockaffinity 560 preserveUnknownFields: false 561 scope: Cluster 562 versions: 563 - name: v1 564 schema: 565 openAPIV3Schema: 566 properties: 567 apiVersion: 568 description: 'APIVersion defines the versioned schema of this representation 569 of an object. Servers should convert recognized schemas to the latest 570 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 571 type: string 572 kind: 573 description: 'Kind is a string value representing the REST resource this 574 object represents. Servers may infer this from the endpoint the client 575 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 576 type: string 577 metadata: 578 type: object 579 spec: 580 description: BlockAffinitySpec contains the specification for a BlockAffinity 581 resource. 582 properties: 583 cidr: 584 type: string 585 deleted: 586 description: Deleted indicates that this block affinity is being deleted. 587 This field is a string for compatibility with older releases that 588 mistakenly treat this field as a string. 
589 type: string 590 node: 591 type: string 592 state: 593 type: string 594 required: 595 - cidr 596 - deleted 597 - node 598 - state 599 type: object 600 type: object 601 served: true 602 storage: true 603 status: 604 acceptedNames: 605 kind: "" 606 plural: "" 607 conditions: [] 608 storedVersions: [] 609 --- 610 # Source: calico/templates/kdd-crds.yaml 611 apiVersion: apiextensions.k8s.io/v1 612 kind: CustomResourceDefinition 613 metadata: 614 annotations: 615 controller-gen.kubebuilder.io/version: (devel) 616 creationTimestamp: null 617 name: caliconodestatuses.crd.projectcalico.org 618 spec: 619 group: crd.projectcalico.org 620 names: 621 kind: CalicoNodeStatus 622 listKind: CalicoNodeStatusList 623 plural: caliconodestatuses 624 singular: caliconodestatus 625 preserveUnknownFields: false 626 scope: Cluster 627 versions: 628 - name: v1 629 schema: 630 openAPIV3Schema: 631 properties: 632 apiVersion: 633 description: 'APIVersion defines the versioned schema of this representation 634 of an object. Servers should convert recognized schemas to the latest 635 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 636 type: string 637 kind: 638 description: 'Kind is a string value representing the REST resource this 639 object represents. Servers may infer this from the endpoint the client 640 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 641 type: string 642 metadata: 643 type: object 644 spec: 645 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 646 resource. 647 properties: 648 classes: 649 description: Classes declares the types of information to monitor 650 for this calico/node, and allows for selective status reporting 651 about certain subsets of information. 
652 items: 653 type: string 654 type: array 655 node: 656 description: The node name identifies the Calico node instance for 657 node status. 658 type: string 659 updatePeriodSeconds: 660 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 661 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 662 Maximum update period is one day. 663 format: int32 664 type: integer 665 type: object 666 status: 667 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 668 No validation needed for status since it is updated by Calico. 669 properties: 670 agent: 671 description: Agent holds agent status on the node. 672 properties: 673 birdV4: 674 description: BIRDV4 represents the latest observed status of bird4. 675 properties: 676 lastBootTime: 677 description: LastBootTime holds the value of lastBootTime 678 from bird.ctl output. 679 type: string 680 lastReconfigurationTime: 681 description: LastReconfigurationTime holds the value of lastReconfigTime 682 from bird.ctl output. 683 type: string 684 routerID: 685 description: Router ID used by bird. 686 type: string 687 state: 688 description: The state of the BGP Daemon. 689 type: string 690 version: 691 description: Version of the BGP daemon 692 type: string 693 type: object 694 birdV6: 695 description: BIRDV6 represents the latest observed status of bird6. 696 properties: 697 lastBootTime: 698 description: LastBootTime holds the value of lastBootTime 699 from bird.ctl output. 700 type: string 701 lastReconfigurationTime: 702 description: LastReconfigurationTime holds the value of lastReconfigTime 703 from bird.ctl output. 704 type: string 705 routerID: 706 description: Router ID used by bird. 707 type: string 708 state: 709 description: The state of the BGP Daemon. 710 type: string 711 version: 712 description: Version of the BGP daemon 713 type: string 714 type: object 715 type: object 716 bgp: 717 description: BGP holds node BGP status. 
718 properties: 719 numberEstablishedV4: 720 description: The total number of IPv4 established bgp sessions. 721 type: integer 722 numberEstablishedV6: 723 description: The total number of IPv6 established bgp sessions. 724 type: integer 725 numberNotEstablishedV4: 726 description: The total number of IPv4 non-established bgp sessions. 727 type: integer 728 numberNotEstablishedV6: 729 description: The total number of IPv6 non-established bgp sessions. 730 type: integer 731 peersV4: 732 description: PeersV4 represents IPv4 BGP peers status on the node. 733 items: 734 description: CalicoNodePeer contains the status of BGP peers 735 on the node. 736 properties: 737 peerIP: 738 description: IP address of the peer whose condition we are 739 reporting. 740 type: string 741 since: 742 description: Since the state or reason last changed. 743 type: string 744 state: 745 description: State is the BGP session state. 746 type: string 747 type: 748 description: Type indicates whether this peer is configured 749 via the node-to-node mesh, or via en explicit global or 750 per-node BGPPeer object. 751 type: string 752 type: object 753 type: array 754 peersV6: 755 description: PeersV6 represents IPv6 BGP peers status on the node. 756 items: 757 description: CalicoNodePeer contains the status of BGP peers 758 on the node. 759 properties: 760 peerIP: 761 description: IP address of the peer whose condition we are 762 reporting. 763 type: string 764 since: 765 description: Since the state or reason last changed. 766 type: string 767 state: 768 description: State is the BGP session state. 769 type: string 770 type: 771 description: Type indicates whether this peer is configured 772 via the node-to-node mesh, or via en explicit global or 773 per-node BGPPeer object. 
774 type: string 775 type: object 776 type: array 777 required: 778 - numberEstablishedV4 779 - numberEstablishedV6 780 - numberNotEstablishedV4 781 - numberNotEstablishedV6 782 type: object 783 lastUpdated: 784 description: LastUpdated is a timestamp representing the server time 785 when CalicoNodeStatus object last updated. It is represented in 786 RFC3339 form and is in UTC. 787 format: date-time 788 nullable: true 789 type: string 790 routes: 791 description: Routes reports routes known to the Calico BGP daemon 792 on the node. 793 properties: 794 routesV4: 795 description: RoutesV4 represents IPv4 routes on the node. 796 items: 797 description: CalicoNodeRoute contains the status of BGP routes 798 on the node. 799 properties: 800 destination: 801 description: Destination of the route. 802 type: string 803 gateway: 804 description: Gateway for the destination. 805 type: string 806 interface: 807 description: Interface for the destination 808 type: string 809 learnedFrom: 810 description: LearnedFrom contains information regarding 811 where this route originated. 812 properties: 813 peerIP: 814 description: If sourceType is NodeMesh or BGPPeer, IP 815 address of the router that sent us this route. 816 type: string 817 sourceType: 818 description: Type of the source where a route is learned 819 from. 820 type: string 821 type: object 822 type: 823 description: Type indicates if the route is being used for 824 forwarding or not. 825 type: string 826 type: object 827 type: array 828 routesV6: 829 description: RoutesV6 represents IPv6 routes on the node. 830 items: 831 description: CalicoNodeRoute contains the status of BGP routes 832 on the node. 833 properties: 834 destination: 835 description: Destination of the route. 836 type: string 837 gateway: 838 description: Gateway for the destination. 
839 type: string 840 interface: 841 description: Interface for the destination 842 type: string 843 learnedFrom: 844 description: LearnedFrom contains information regarding 845 where this route originated. 846 properties: 847 peerIP: 848 description: If sourceType is NodeMesh or BGPPeer, IP 849 address of the router that sent us this route. 850 type: string 851 sourceType: 852 description: Type of the source where a route is learned 853 from. 854 type: string 855 type: object 856 type: 857 description: Type indicates if the route is being used for 858 forwarding or not. 859 type: string 860 type: object 861 type: array 862 type: object 863 type: object 864 type: object 865 served: true 866 storage: true 867 status: 868 acceptedNames: 869 kind: "" 870 plural: "" 871 conditions: [] 872 storedVersions: [] 873 --- 874 # Source: calico/templates/kdd-crds.yaml 875 apiVersion: apiextensions.k8s.io/v1 876 kind: CustomResourceDefinition 877 metadata: 878 name: clusterinformations.crd.projectcalico.org 879 spec: 880 group: crd.projectcalico.org 881 names: 882 kind: ClusterInformation 883 listKind: ClusterInformationList 884 plural: clusterinformations 885 singular: clusterinformation 886 preserveUnknownFields: false 887 scope: Cluster 888 versions: 889 - name: v1 890 schema: 891 openAPIV3Schema: 892 description: ClusterInformation contains the cluster specific information. 893 properties: 894 apiVersion: 895 description: 'APIVersion defines the versioned schema of this representation 896 of an object. Servers should convert recognized schemas to the latest 897 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 898 type: string 899 kind: 900 description: 'Kind is a string value representing the REST resource this 901 object represents. Servers may infer this from the endpoint the client 902 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 903 type: string 904 metadata: 905 type: object 906 spec: 907 description: ClusterInformationSpec contains the values of describing 908 the cluster. 909 properties: 910 calicoVersion: 911 description: CalicoVersion is the version of Calico that the cluster 912 is running 913 type: string 914 clusterGUID: 915 description: ClusterGUID is the GUID of the cluster 916 type: string 917 clusterType: 918 description: ClusterType describes the type of the cluster 919 type: string 920 datastoreReady: 921 description: DatastoreReady is used during significant datastore migrations 922 to signal to components such as Felix that it should wait before 923 accessing the datastore. 924 type: boolean 925 variant: 926 description: Variant declares which variant of Calico should be active. 927 type: string 928 type: object 929 type: object 930 served: true 931 storage: true 932 status: 933 acceptedNames: 934 kind: "" 935 plural: "" 936 conditions: [] 937 storedVersions: [] 938 --- 939 # Source: calico/templates/kdd-crds.yaml 940 apiVersion: apiextensions.k8s.io/v1 941 kind: CustomResourceDefinition 942 metadata: 943 name: felixconfigurations.crd.projectcalico.org 944 spec: 945 group: crd.projectcalico.org 946 names: 947 kind: FelixConfiguration 948 listKind: FelixConfigurationList 949 plural: felixconfigurations 950 singular: felixconfiguration 951 preserveUnknownFields: false 952 scope: Cluster 953 versions: 954 - name: v1 955 schema: 956 openAPIV3Schema: 957 description: Felix Configuration contains the configuration for Felix. 958 properties: 959 apiVersion: 960 description: 'APIVersion defines the versioned schema of this representation 961 of an object. Servers should convert recognized schemas to the latest 962 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 963 type: string 964 kind: 965 description: 'Kind is a string value representing the REST resource this 966 object represents. Servers may infer this from the endpoint the client 967 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 968 type: string 969 metadata: 970 type: object 971 spec: 972 description: FelixConfigurationSpec contains the values of the Felix configuration. 973 properties: 974 allowIPIPPacketsFromWorkloads: 975 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix 976 will add a rule to drop IPIP encapsulated traffic from workloads 977 [Default: false]' 978 type: boolean 979 allowVXLANPacketsFromWorkloads: 980 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix 981 will add a rule to drop VXLAN encapsulated traffic from workloads 982 [Default: false]' 983 type: boolean 984 awsSrcDstCheck: 985 description: 'Set source-destination-check on AWS EC2 instances. Accepted 986 value must be one of "DoNothing", "Enable" or "Disable". [Default: 987 DoNothing]' 988 enum: 989 - DoNothing 990 - Enable 991 - Disable 992 type: string 993 bpfCTLBLogFilter: 994 description: 'BPFCTLBLogFilter specifies, what is logged by connect 995 time load balancer when BPFLogLevel is debug. Currently has to be 996 specified as ''all'' when BPFLogFilters is set to see CTLB logs. 997 [Default: unset - means logs are emitted when BPFLogLevel id debug 998 and BPFLogFilters not set.]' 999 type: string 1000 bpfConnectTimeLoadBalancing: 1001 description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls 1002 whether Felix installs the connect-time load balancer. 
The connect-time 1003 load balancer is required for the host to be able to reach Kubernetes 1004 services and it improves the performance of pod-to-service connections.When 1005 set to TCP, connect time load balancing is available only for services 1006 with TCP ports. [Default: TCP]' 1007 enum: 1008 - TCP 1009 - Enabled 1010 - Disabled 1011 type: string 1012 bpfConnectTimeLoadBalancingEnabled: 1013 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, 1014 controls whether Felix installs the connection-time load balancer. The 1015 connect-time load balancer is required for the host to be able to 1016 reach Kubernetes services and it improves the performance of pod-to-service 1017 connections. The only reason to disable it is for debugging purposes. 1018 This will be deprecated. Use BPFConnectTimeLoadBalancing [Default: 1019 true]' 1020 type: boolean 1021 bpfDSROptoutCIDRs: 1022 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded 1023 from DSR. That is, clients in those CIDRs will accesses nodeports 1024 as if BPFExternalServiceMode was set to Tunnel. 1025 items: 1026 type: string 1027 type: array 1028 bpfDataIfacePattern: 1029 description: BPFDataIfacePattern is a regular expression that controls 1030 which interfaces Felix should attach BPF programs to in order to 1031 catch traffic to/from the network. This needs to match the interfaces 1032 that Calico workload traffic flows over as well as any interfaces 1033 that handle incoming traffic to nodeports and services from outside 1034 the cluster. It should not match the workload interfaces (usually 1035 named cali...). 1036 type: string 1037 bpfDisableGROForIfaces: 1038 description: BPFDisableGROForIfaces is a regular expression that controls 1039 which interfaces Felix should disable the Generic Receive Offload 1040 [GRO] option. It should not match the workload interfaces (usually 1041 named cali...). 
1042 type: string 1043 bpfDisableUnprivileged: 1044 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 1045 sysctl to disable unprivileged use of BPF. This ensures that unprivileged 1046 users cannot access Calico''s BPF maps and cannot insert their own 1047 BPF programs to interfere with Calico''s. [Default: true]' 1048 type: boolean 1049 bpfEnabled: 1050 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. 1051 [Default: false]' 1052 type: boolean 1053 bpfEnforceRPF: 1054 description: 'BPFEnforceRPF enforce strict RPF on all host interfaces 1055 with BPF programs regardless of what is the per-interfaces or global 1056 setting. Possible values are Disabled, Strict or Loose. [Default: 1057 Loose]' 1058 pattern: ^(?i)(Disabled|Strict|Loose)?$ 1059 type: string 1060 bpfExtToServiceConnmark: 1061 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 1062 mark that is set on connections from an external client to a local 1063 service. This mark allows us to control how packets of that connection 1064 are routed within the host and how is routing interpreted by RPF 1065 check. [Default: 0]' 1066 type: integer 1067 bpfExternalServiceMode: 1068 description: 'BPFExternalServiceMode in BPF mode, controls how connections 1069 from outside the cluster to services (node ports and cluster IPs) 1070 are forwarded to remote workloads. If set to "Tunnel" then both 1071 request and response traffic is tunneled to the remote node. If 1072 set to "DSR", the request traffic is tunneled but the response traffic 1073 is sent directly from the remote node. In "DSR" mode, the remote 1074 node appears to use the IP of the ingress node; this requires a 1075 permissive L2 network. 
[Default: Tunnel]' 1076 pattern: ^(?i)(Tunnel|DSR)?$ 1077 type: string 1078 bpfForceTrackPacketsFromIfaces: 1079 description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic 1080 from these interfaces to skip Calico''s iptables NOTRACK rule, allowing 1081 traffic from those interfaces to be tracked by Linux conntrack. Should 1082 only be used for interfaces that are not used for the Calico fabric. For 1083 example, a docker bridge device for non-Calico-networked containers. 1084 [Default: docker+]' 1085 items: 1086 type: string 1087 type: array 1088 bpfHostConntrackBypass: 1089 description: 'BPFHostConntrackBypass Controls whether to bypass Linux 1090 conntrack in BPF mode for workloads and services. [Default: true 1091 - bypass Linux conntrack]' 1092 type: boolean 1093 bpfHostNetworkedNATWithoutCTLB: 1094 description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls 1095 whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing 1096 determines the CTLB behavior. [Default: Enabled]' 1097 enum: 1098 - Enabled 1099 - Disabled 1100 type: string 1101 bpfKubeProxyEndpointSlicesEnabled: 1102 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls 1103 whether Felix's embedded kube-proxy accepts EndpointSlices or not. 1104 type: boolean 1105 bpfKubeProxyIptablesCleanupEnabled: 1106 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 1107 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s 1108 iptables chains. Should only be enabled if kube-proxy is not running. [Default: 1109 true]' 1110 type: boolean 1111 bpfKubeProxyMinSyncPeriod: 1112 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the 1113 minimum time between updates to the dataplane for Felix''s embedded 1114 kube-proxy. Lower values give reduced set-up latency. Higher values 1115 reduce Felix CPU usage by batching up more work. 
[Default: 1s]' 1116 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1117 type: string 1118 bpfL3IfacePattern: 1119 description: BPFL3IfacePattern is a regular expression that allows 1120 to list tunnel devices like wireguard or vxlan (i.e., L3 devices) 1121 in addition to BPFDataIfacePattern. That is, tunnel interfaces not 1122 created by Calico, that Calico workload traffic flows over as well 1123 as any interfaces that handle incoming traffic to nodeports and 1124 services from outside the cluster. 1125 type: string 1126 bpfLogFilters: 1127 additionalProperties: 1128 type: string 1129 description: "BPFLogFilters is a map of key=values where the value 1130 is a pcap filter expression and the key is an interface name with 1131 'all' denoting all interfaces, 'weps' all workload endpoints and 1132 'heps' all host endpoints. \n When specified as an env var, it accepts 1133 a comma-separated list of key=values. [Default: unset - means all 1134 debug logs are emitted]" 1135 type: object 1136 bpfLogLevel: 1137 description: 'BPFLogLevel controls the log level of the BPF programs 1138 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 1139 logs are emitted to the BPF trace pipe, accessible with the command 1140 `tc exec bpf debug`. [Default: Off].' 1141 pattern: ^(?i)(Off|Info|Debug)?$ 1142 type: string 1143 bpfMapSizeConntrack: 1144 description: 'BPFMapSizeConntrack sets the size for the conntrack 1145 map. This map must be large enough to hold an entry for each active 1146 connection. Warning: changing the size of the conntrack map can 1147 cause disruption.' 1148 type: integer 1149 bpfMapSizeIPSets: 1150 description: BPFMapSizeIPSets sets the size for ipsets map. The IP 1151 sets map must be large enough to hold an entry for each endpoint 1152 matched by every selector in the source/destination matches in network 1153 policy. Selectors such as "all()" can result in large numbers of 1154 entries (one entry per endpoint in that case). 
1155 type: integer 1156 bpfMapSizeIfState: 1157 description: BPFMapSizeIfState sets the size for ifstate map. The 1158 ifstate map must be large enough to hold an entry for each device 1159 (host + workloads) on a host. 1160 type: integer 1161 bpfMapSizeNATAffinity: 1162 type: integer 1163 bpfMapSizeNATBackend: 1164 description: BPFMapSizeNATBackend sets the size for nat back end map. 1165 This is the total number of endpoints. This is mostly more than 1166 the size of the number of services. 1167 type: integer 1168 bpfMapSizeNATFrontend: 1169 description: BPFMapSizeNATFrontend sets the size for nat front end 1170 map. FrontendMap should be large enough to hold an entry for each 1171 nodeport, external IP and each port in each service. 1172 type: integer 1173 bpfMapSizeRoute: 1174 description: BPFMapSizeRoute sets the size for the routes map. The 1175 routes map should be large enough to hold one entry per workload 1176 and a handful of entries per host (enough to cover its own IPs and 1177 tunnel IPs). 1178 type: integer 1179 bpfPSNATPorts: 1180 anyOf: 1181 - type: integer 1182 - type: string 1183 description: 'BPFPSNATPorts sets the range from which we randomly 1184 pick a port if there is a source port collision. This should be 1185 within the ephemeral range as defined by RFC 6056 (1024–65535) and 1186 preferably outside the ephemeral ranges used by common operating 1187 systems. Linux uses 32768–60999, while others mostly use the IANA 1188 defined range 49152–65535. It is not necessarily a problem if this 1189 range overlaps with the operating systems. Both ends of the range 1190 are inclusive. [Default: 20000:29999]' 1191 pattern: ^.* 1192 x-kubernetes-int-or-string: true 1193 bpfPolicyDebugEnabled: 1194 description: BPFPolicyDebugEnabled when true, Felix records detailed 1195 information about the BPF policy programs, which can be examined 1196 with the calico-bpf command-line tool. 
1197 type: boolean 1198 chainInsertMode: 1199 description: 'ChainInsertMode controls whether Felix hooks the kernel''s 1200 top-level iptables chains by inserting a rule at the top of the 1201 chain or by appending a rule at the bottom. insert is the safe default 1202 since it prevents Calico''s rules from being bypassed. If you switch 1203 to append mode, be sure that the other rules in the chains signal 1204 acceptance by falling through to the Calico rules, otherwise the 1205 Calico policy will be bypassed. [Default: insert]' 1206 pattern: ^(?i)(insert|append)?$ 1207 type: string 1208 dataplaneDriver: 1209 description: DataplaneDriver filename of the external dataplane driver 1210 to use. Only used if UseInternalDataplaneDriver is set to false. 1211 type: string 1212 dataplaneWatchdogTimeout: 1213 description: "DataplaneWatchdogTimeout is the readiness/liveness timeout 1214 used for Felix's (internal) dataplane driver. Increase this value 1215 if you experience spurious non-ready or non-live events when Felix 1216 is under heavy load. Decrease the value to get felix to report non-live 1217 or non-ready more quickly. [Default: 90s] \n Deprecated: replaced 1218 by the generic HealthTimeoutOverrides." 1219 type: string 1220 debugDisableLogDropping: 1221 type: boolean 1222 debugMemoryProfilePath: 1223 type: string 1224 debugSimulateCalcGraphHangAfter: 1225 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1226 type: string 1227 debugSimulateDataplaneHangAfter: 1228 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1229 type: string 1230 defaultEndpointToHostAction: 1231 description: 'DefaultEndpointToHostAction controls what happens to 1232 traffic that goes from a workload endpoint to the host itself (after 1233 the traffic hits the endpoint egress policy). By default Calico 1234 blocks traffic from workload endpoints to the host itself with an 1235 iptables "DROP" action. 
If you want to allow some or all traffic 1236 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 1237 RETURN if you have your own rules in the iptables "INPUT" chain; 1238 Calico will insert its rules at the top of that chain, then "RETURN" 1239 packets to the "INPUT" chain once it has completed processing workload 1240 endpoint egress policy. Use ACCEPT to unconditionally accept packets 1241 from workloads after processing workload endpoint egress policy. 1242 [Default: Drop]' 1243 pattern: ^(?i)(Drop|Accept|Return)?$ 1244 type: string 1245 deviceRouteProtocol: 1246 description: This defines the route protocol added to programmed device 1247 routes, by default this will be RTPROT_BOOT when left blank. 1248 type: integer 1249 deviceRouteSourceAddress: 1250 description: This is the IPv4 source address to use on programmed 1251 device routes. By default the source address is left blank, leaving 1252 the kernel to choose the source address used. 1253 type: string 1254 deviceRouteSourceAddressIPv6: 1255 description: This is the IPv6 source address to use on programmed 1256 device routes. By default the source address is left blank, leaving 1257 the kernel to choose the source address used. 1258 type: string 1259 disableConntrackInvalidCheck: 1260 type: boolean 1261 endpointReportingDelay: 1262 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1263 type: string 1264 endpointReportingEnabled: 1265 type: boolean 1266 externalNodesList: 1267 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 1268 which may source tunnel traffic and have the tunneled traffic be 1269 accepted at calico nodes. 1270 items: 1271 type: string 1272 type: array 1273 failsafeInboundHostPorts: 1274 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 1275 and CIDRs that Felix will allow incoming traffic to host endpoints 1276 on irrespective of the security policy. 
This is useful to avoid 1277 accidentally cutting off a host with incorrect configuration. For 1278 back-compatibility, if the protocol is not specified, it defaults 1279 to "tcp". If a CIDR is not specified, it will allow traffic from 1280 all addresses. To disable all inbound host ports, use the value 1281 none. The default value allows ssh access and DHCP. [Default: tcp:22, 1282 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 1283 items: 1284 description: ProtoPort is combination of protocol, port, and CIDR. 1285 Protocol and port must be specified. 1286 properties: 1287 net: 1288 type: string 1289 port: 1290 type: integer 1291 protocol: 1292 type: string 1293 required: 1294 - port 1295 - protocol 1296 type: object 1297 type: array 1298 failsafeOutboundHostPorts: 1299 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 1300 and CIDRs that Felix will allow outgoing traffic from host endpoints 1301 to irrespective of the security policy. This is useful to avoid 1302 accidentally cutting off a host with incorrect configuration. For 1303 back-compatibility, if the protocol is not specified, it defaults 1304 to "tcp". If a CIDR is not specified, it will allow traffic from 1305 all addresses. To disable all outbound host ports, use the value 1306 none. The default value opens etcd''s standard ports to ensure that 1307 Felix does not get cut off from etcd as well as allowing DHCP and 1308 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 1309 tcp:6667, udp:53, udp:67]' 1310 items: 1311 description: ProtoPort is combination of protocol, port, and CIDR. 1312 Protocol and port must be specified. 
1313 properties: 1314 net: 1315 type: string 1316 port: 1317 type: integer 1318 protocol: 1319 type: string 1320 required: 1321 - port 1322 - protocol 1323 type: object 1324 type: array 1325 featureDetectOverride: 1326 description: FeatureDetectOverride is used to override feature detection 1327 based on auto-detected platform capabilities. Values are specified 1328 in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" 1329 or "false" will force the feature, empty or omitted values are auto-detected. 1330 pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ 1331 type: string 1332 featureGates: 1333 description: FeatureGates is used to enable or disable tech-preview 1334 Calico features. Values are specified in a comma separated list 1335 with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". 1336 This is used to enable features that are not fully production ready. 1337 pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ 1338 type: string 1339 floatingIPs: 1340 description: FloatingIPs configures whether or not Felix will program 1341 non-OpenStack floating IP addresses. (OpenStack-derived floating 1342 IPs are always programmed, regardless of this setting.) 1343 enum: 1344 - Enabled 1345 - Disabled 1346 type: string 1347 genericXDPEnabled: 1348 description: 'GenericXDPEnabled enables Generic XDP so network cards 1349 that don''t support XDP offload or driver modes can use XDP. This 1350 is not recommended since it doesn''t provide better performance 1351 than iptables. [Default: false]' 1352 type: boolean 1353 healthEnabled: 1354 type: boolean 1355 healthHost: 1356 type: string 1357 healthPort: 1358 type: integer 1359 healthTimeoutOverrides: 1360 description: HealthTimeoutOverrides allows the internal watchdog timeouts 1361 of individual subcomponents to be overridden. 
This is useful for 1362 working around "false positive" liveness timeouts that can occur 1363 in particularly stressful workloads or if CPU is constrained. For 1364 a list of active subcomponents, see Felix's logs. 1365 items: 1366 properties: 1367 name: 1368 type: string 1369 timeout: 1370 type: string 1371 required: 1372 - name 1373 - timeout 1374 type: object 1375 type: array 1376 interfaceExclude: 1377 description: 'InterfaceExclude is a comma-separated list of interfaces 1378 that Felix should exclude when monitoring for host endpoints. The 1379 default value ensures that Felix ignores Kubernetes'' IPVS dummy 1380 interface, which is used internally by kube-proxy. If you want to 1381 exclude multiple interface names using a single value, the list 1382 supports regular expressions. For regular expressions you must wrap 1383 the value with ''/''. For example having values ''/^kube/,veth1'' 1384 will exclude all interfaces that begin with ''kube'' and also the 1385 interface ''veth1''. [Default: kube-ipvs0]' 1386 type: string 1387 interfacePrefix: 1388 description: 'InterfacePrefix is the interface name prefix that identifies 1389 workload endpoints and so distinguishes them from host endpoint 1390 interfaces. Note: in environments other than bare metal, the orchestrators 1391 configure this appropriately. For example our Kubernetes and Docker 1392 integrations set the ''cali'' value, and our OpenStack integration 1393 sets the ''tap'' value. [Default: cali]' 1394 type: string 1395 interfaceRefreshInterval: 1396 description: InterfaceRefreshInterval is the period at which Felix 1397 rescans local interfaces to verify their state. The rescan can be 1398 disabled by setting the interval to 0. 1399 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1400 type: string 1401 ipipEnabled: 1402 description: 'IPIPEnabled overrides whether Felix should configure 1403 an IPIP interface on the host. Optional as Felix determines this 1404 based on the existing IP pools. 
[Default: nil (unset)]' 1405 type: boolean 1406 ipipMTU: 1407 description: 'IPIPMTU is the MTU to set on the tunnel device. See 1408 Configuring MTU [Default: 1440]' 1409 type: integer 1410 ipsetsRefreshInterval: 1411 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 1412 all iptables state to ensure that no other process has accidentally 1413 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 1414 90s]' 1415 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1416 type: string 1417 iptablesBackend: 1418 description: IptablesBackend specifies which backend of iptables will 1419 be used. The default is Auto. 1420 pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$ 1421 type: string 1422 iptablesFilterAllowAction: 1423 pattern: ^(?i)(Accept|Return)?$ 1424 type: string 1425 iptablesFilterDenyAction: 1426 description: IptablesFilterDenyAction controls what happens to traffic 1427 that is denied by network policy. By default Calico blocks traffic 1428 with an iptables "DROP" action. If you want to use "REJECT" action 1429 instead you can configure it in here. 1430 pattern: ^(?i)(Drop|Reject)?$ 1431 type: string 1432 iptablesLockFilePath: 1433 description: 'IptablesLockFilePath is the location of the iptables 1434 lock file. You may need to change this if the lock file is not in 1435 its standard location (for example if you have mapped it into Felix''s 1436 container at a different path). [Default: /run/xtables.lock]' 1437 type: string 1438 iptablesLockProbeInterval: 1439 description: 'IptablesLockProbeInterval is the time that Felix will 1440 wait between attempts to acquire the iptables lock if it is not 1441 available. Lower values make Felix more responsive when the lock 1442 is contended, but use more CPU. 
[Default: 50ms]' 1443 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1444 type: string 1445 iptablesLockTimeout: 1446 description: 'IptablesLockTimeout is the time that Felix will wait 1447 for the iptables lock, or 0, to disable. To use this feature, Felix 1448 must share the iptables lock file with all other processes that 1449 also take the lock. When running Felix inside a container, this 1450 requires the /run directory of the host to be mounted into the calico/node 1451 or calico/felix container. [Default: 0s disabled]' 1452 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1453 type: string 1454 iptablesMangleAllowAction: 1455 pattern: ^(?i)(Accept|Return)?$ 1456 type: string 1457 iptablesMarkMask: 1458 description: 'IptablesMarkMask is the mask that Felix selects its 1459 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 1460 at least 8 bits set, none of which clash with any other mark bits 1461 in use on the system. [Default: 0xff000000]' 1462 format: int32 1463 type: integer 1464 iptablesNATOutgoingInterfaceFilter: 1465 type: string 1466 iptablesPostWriteCheckInterval: 1467 description: 'IptablesPostWriteCheckInterval is the period after Felix 1468 has done a write to the dataplane that it schedules an extra read 1469 back in order to check the write was not clobbered by another process. 1470 This should only occur if another application on the system doesn''t 1471 respect the iptables lock. [Default: 1s]' 1472 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1473 type: string 1474 iptablesRefreshInterval: 1475 description: 'IptablesRefreshInterval is the period at which Felix 1476 re-checks the IP sets in the dataplane to ensure that no other process 1477 has accidentally broken Calico''s rules. Set to 0 to disable IP 1478 sets refresh. Note: the default for this value is lower than the 1479 other refresh intervals as a workaround for a Linux kernel bug that 1480 was fixed in kernel version 4.11. 
If you are using v4.11 or greater 1481 you may want to set this to, a higher value to reduce Felix CPU 1482 usage. [Default: 10s]' 1483 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1484 type: string 1485 ipv6Support: 1486 description: IPv6Support controls whether Felix enables support for 1487 IPv6 (if supported by the in-use dataplane). 1488 type: boolean 1489 kubeNodePortRanges: 1490 description: 'KubeNodePortRanges holds list of port ranges used for 1491 service node ports. Only used if felix detects kube-proxy running 1492 in ipvs mode. Felix uses these ranges to separate host and workload 1493 traffic. [Default: 30000:32767].' 1494 items: 1495 anyOf: 1496 - type: integer 1497 - type: string 1498 pattern: ^.* 1499 x-kubernetes-int-or-string: true 1500 type: array 1501 logDebugFilenameRegex: 1502 description: LogDebugFilenameRegex controls which source code files 1503 have their Debug log output included in the logs. Only logs from 1504 files with names that match the given regular expression are included. The 1505 filter only applies to Debug level logs. 1506 type: string 1507 logFilePath: 1508 description: 'LogFilePath is the full path to the Felix log. Set to 1509 none to disable file logging. [Default: /var/log/calico/felix.log]' 1510 type: string 1511 logPrefix: 1512 description: 'LogPrefix is the log prefix that Felix uses when rendering 1513 LOG rules. [Default: calico-packet]' 1514 type: string 1515 logSeverityFile: 1516 description: 'LogSeverityFile is the log severity above which logs 1517 are sent to the log file. [Default: Info]' 1518 pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ 1519 type: string 1520 logSeverityScreen: 1521 description: 'LogSeverityScreen is the log severity above which logs 1522 are sent to the stdout. [Default: Info]' 1523 pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ 1524 type: string 1525 logSeveritySys: 1526 description: 'LogSeveritySys is the log severity above which logs 1527 are sent to the syslog. 
Set to None for no logging to syslog. [Default: 1528 Info]' 1529 pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ 1530 type: string 1531 maxIpsetSize: 1532 type: integer 1533 metadataAddr: 1534 description: 'MetadataAddr is the IP address or domain name of the 1535 server that can answer VM queries for cloud-init metadata. In OpenStack, 1536 this corresponds to the machine running nova-api (or in Ubuntu, 1537 nova-api-metadata). A value of none (case insensitive) means that 1538 Felix should not set up any NAT rule for the metadata path. [Default: 1539 127.0.0.1]' 1540 type: string 1541 metadataPort: 1542 description: 'MetadataPort is the port of the metadata server. This, 1543 combined with global.MetadataAddr (if not ''None''), is used to 1544 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1545 In most cases this should not need to be changed [Default: 8775].' 1546 type: integer 1547 mtuIfacePattern: 1548 description: MTUIfacePattern is a regular expression that controls 1549 which interfaces Felix should scan in order to calculate the host's 1550 MTU. This should not match workload interfaces (usually named cali...). 1551 type: string 1552 natOutgoingAddress: 1553 description: NATOutgoingAddress specifies an address to use when performing 1554 source NAT for traffic in a natOutgoing pool that is leaving the 1555 network. By default the address used is an address on the interface 1556 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1557 type: string 1558 natPortRange: 1559 anyOf: 1560 - type: integer 1561 - type: string 1562 description: NATPortRange specifies the range of ports that is used 1563 for port mapping when doing outgoing NAT. When unset the default 1564 behavior of the network stack is used. 
1565 pattern: ^.* 1566 x-kubernetes-int-or-string: true 1567 netlinkTimeout: 1568 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1569 type: string 1570 openstackRegion: 1571 description: 'OpenstackRegion is the name of the region that a particular 1572 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1573 this must be configured somehow for each Felix (here in the datamodel, 1574 or in felix.cfg or the environment on each compute node), and must 1575 match the [calico] openstack_region value configured in neutron.conf 1576 on each node. [Default: Empty]' 1577 type: string 1578 policySyncPathPrefix: 1579 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1580 policy changes to external services, like Application layer policy. 1581 [Default: Empty]' 1582 type: string 1583 prometheusGoMetricsEnabled: 1584 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1585 collection, which the Prometheus client does by default, when set 1586 to false. This reduces the number of metrics reported, reducing 1587 Prometheus load. [Default: true]' 1588 type: boolean 1589 prometheusMetricsEnabled: 1590 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1591 server in Felix if set to true. [Default: false]' 1592 type: boolean 1593 prometheusMetricsHost: 1594 description: 'PrometheusMetricsHost is the host that the Prometheus 1595 metrics server should bind to. [Default: empty]' 1596 type: string 1597 prometheusMetricsPort: 1598 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1599 metrics server should bind to. [Default: 9091]' 1600 type: integer 1601 prometheusProcessMetricsEnabled: 1602 description: 'PrometheusProcessMetricsEnabled disables process metrics 1603 collection, which the Prometheus client does by default, when set 1604 to false. This reduces the number of metrics reported, reducing 1605 Prometheus load. 
[Default: true]' 1606 type: boolean 1607 prometheusWireGuardMetricsEnabled: 1608 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1609 metrics collection, which the Prometheus client does by default, 1610 when set to false. This reduces the number of metrics reported, 1611 reducing Prometheus load. [Default: true]' 1612 type: boolean 1613 removeExternalRoutes: 1614 description: Whether or not to remove device routes that have not 1615 been programmed by Felix. Disabling this will allow external applications 1616 to also add device routes. This is enabled by default which means 1617 we will remove externally added routes. 1618 type: boolean 1619 reportingInterval: 1620 description: 'ReportingInterval is the interval at which Felix reports 1621 its status into the datastore or 0 to disable. Must be non-zero 1622 in OpenStack deployments. [Default: 30s]' 1623 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1624 type: string 1625 reportingTTL: 1626 description: 'ReportingTTL is the time-to-live setting for process-wide 1627 status reports. [Default: 90s]' 1628 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1629 type: string 1630 routeRefreshInterval: 1631 description: 'RouteRefreshInterval is the period at which Felix re-checks 1632 the routes in the dataplane to ensure that no other process has 1633 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1634 [Default: 90s]' 1635 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1636 type: string 1637 routeSource: 1638 description: 'RouteSource configures where Felix gets its routing 1639 information. - WorkloadIPs: use workload endpoints to construct 1640 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1641 pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ 1642 type: string 1643 routeSyncDisabled: 1644 description: RouteSyncDisabled will disable all operations performed 1645 on the route table. Set to true to run in network-policy mode only. 
1646 type: boolean 1647 routeTableRange: 1648 description: Deprecated in favor of RouteTableRanges. Calico programs 1649 additional Linux route tables for various purposes. RouteTableRange 1650 specifies the indices of the route tables that Calico should use. 1651 properties: 1652 max: 1653 type: integer 1654 min: 1655 type: integer 1656 required: 1657 - max 1658 - min 1659 type: object 1660 routeTableRanges: 1661 description: Calico programs additional Linux route tables for various 1662 purposes. RouteTableRanges specifies a set of table index ranges 1663 that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. 1664 items: 1665 properties: 1666 max: 1667 type: integer 1668 min: 1669 type: integer 1670 required: 1671 - max 1672 - min 1673 type: object 1674 type: array 1675 serviceLoopPrevention: 1676 description: 'When service IP advertisement is enabled, prevent routing 1677 loops to service IPs that are not in use, by dropping or rejecting 1678 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", 1679 in which case such routing loops continue to be allowed. [Default: 1680 Drop]' 1681 pattern: ^(?i)(Drop|Reject|Disabled)?$ 1682 type: string 1683 sidecarAccelerationEnabled: 1684 description: 'SidecarAccelerationEnabled enables experimental sidecar 1685 acceleration [Default: false]' 1686 type: boolean 1687 usageReportingEnabled: 1688 description: 'UsageReportingEnabled reports anonymous Calico version 1689 number and cluster size to projectcalico.org. Logs warnings returned 1690 by the usage server. For example, if a significant security vulnerability 1691 has been discovered in the version of Calico being used. [Default: 1692 true]' 1693 type: boolean 1694 usageReportingInitialDelay: 1695 description: 'UsageReportingInitialDelay controls the minimum delay 1696 before Felix makes a report. 
[Default: 300s]' 1697 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1698 type: string 1699 usageReportingInterval: 1700 description: 'UsageReportingInterval controls the interval at which 1701 Felix makes reports. [Default: 86400s]' 1702 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1703 type: string 1704 useInternalDataplaneDriver: 1705 description: UseInternalDataplaneDriver, if true, Felix will use its 1706 internal dataplane programming logic. If false, it will launch 1707 an external dataplane driver and communicate with it over protobuf. 1708 type: boolean 1709 vxlanEnabled: 1710 description: 'VXLANEnabled overrides whether Felix should create the 1711 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix 1712 determines this based on the existing IP pools. [Default: nil (unset)]' 1713 type: boolean 1714 vxlanMTU: 1715 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel 1716 device. See Configuring MTU [Default: 1410]' 1717 type: integer 1718 vxlanMTUV6: 1719 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel 1720 device. See Configuring MTU [Default: 1390]' 1721 type: integer 1722 vxlanPort: 1723 type: integer 1724 vxlanVNI: 1725 type: integer 1726 windowsManageFirewallRules: 1727 description: 'WindowsManageFirewallRules configures whether or not 1728 Felix will program Windows Firewall rules. (to allow inbound access 1729 to its own metrics ports) [Default: Disabled]' 1730 enum: 1731 - Enabled 1732 - Disabled 1733 type: string 1734 wireguardEnabled: 1735 description: 'WireguardEnabled controls whether Wireguard is enabled 1736 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). 1737 [Default: false]' 1738 type: boolean 1739 wireguardEnabledV6: 1740 description: 'WireguardEnabledV6 controls whether Wireguard is enabled 1741 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). 
1742 [Default: false]' 1743 type: boolean 1744 wireguardHostEncryptionEnabled: 1745 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1746 host-to-host encryption is enabled. [Default: false]' 1747 type: boolean 1748 wireguardInterfaceName: 1749 description: 'WireguardInterfaceName specifies the name to use for 1750 the IPv4 Wireguard interface. [Default: wireguard.cali]' 1751 type: string 1752 wireguardInterfaceNameV6: 1753 description: 'WireguardInterfaceNameV6 specifies the name to use for 1754 the IPv6 Wireguard interface. [Default: wg-v6.cali]' 1755 type: string 1756 wireguardKeepAlive: 1757 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive 1758 option. Set 0 to disable. [Default: 0]' 1759 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1760 type: string 1761 wireguardListeningPort: 1762 description: 'WireguardListeningPort controls the listening port used 1763 by IPv4 Wireguard. [Default: 51820]' 1764 type: integer 1765 wireguardListeningPortV6: 1766 description: 'WireguardListeningPortV6 controls the listening port 1767 used by IPv6 Wireguard. [Default: 51821]' 1768 type: integer 1769 wireguardMTU: 1770 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard 1771 interface. See Configuring MTU [Default: 1440]' 1772 type: integer 1773 wireguardMTUV6: 1774 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard 1775 interface. See Configuring MTU [Default: 1420]' 1776 type: integer 1777 wireguardRoutingRulePriority: 1778 description: 'WireguardRoutingRulePriority controls the priority value 1779 to use for the Wireguard routing rule. [Default: 99]' 1780 type: integer 1781 workloadSourceSpoofing: 1782 description: WorkloadSourceSpoofing controls whether pods can use 1783 the allowedSourcePrefixes annotation to send traffic with a source 1784 IP address that is not theirs. This is disabled by default. When 1785 set to "Any", pods can request any prefix. 
1786 pattern: ^(?i)(Disabled|Any)?$ 1787 type: string 1788 xdpEnabled: 1789 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1790 incoming deny rules. [Default: true]' 1791 type: boolean 1792 xdpRefreshInterval: 1793 description: 'XDPRefreshInterval is the period at which Felix re-checks 1794 all XDP state to ensure that no other process has accidentally broken 1795 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1796 refresh. [Default: 90s]' 1797 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ 1798 type: string 1799 type: object 1800 type: object 1801 served: true 1802 storage: true 1803 status: 1804 acceptedNames: 1805 kind: "" 1806 plural: "" 1807 conditions: [] 1808 storedVersions: [] 1809 --- 1810 # Source: calico/templates/kdd-crds.yaml 1811 apiVersion: apiextensions.k8s.io/v1 1812 kind: CustomResourceDefinition 1813 metadata: 1814 name: globalnetworkpolicies.crd.projectcalico.org 1815 spec: 1816 group: crd.projectcalico.org 1817 names: 1818 kind: GlobalNetworkPolicy 1819 listKind: GlobalNetworkPolicyList 1820 plural: globalnetworkpolicies 1821 singular: globalnetworkpolicy 1822 preserveUnknownFields: false 1823 scope: Cluster 1824 versions: 1825 - name: v1 1826 schema: 1827 openAPIV3Schema: 1828 properties: 1829 apiVersion: 1830 description: 'APIVersion defines the versioned schema of this representation 1831 of an object. Servers should convert recognized schemas to the latest 1832 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1833 type: string 1834 kind: 1835 description: 'Kind is a string value representing the REST resource this 1836 object represents. Servers may infer this from the endpoint the client 1837 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1838 type: string 1839 metadata: 1840 type: object 1841 spec: 1842 properties: 1843 applyOnForward: 1844 description: ApplyOnForward indicates to apply the rules in this policy 1845 on forward traffic. 1846 type: boolean 1847 doNotTrack: 1848 description: DoNotTrack indicates whether packets matched by the rules 1849 in this policy should go through the data plane's connection tracking, 1850 such as Linux conntrack. If True, the rules in this policy are 1851 applied before any data plane connection tracking, and packets allowed 1852 by this policy are marked as not to be tracked. 1853 type: boolean 1854 egress: 1855 description: The ordered set of egress rules. Each rule contains 1856 a set of packet match criteria and a corresponding action to apply. 1857 items: 1858 description: "A Rule encapsulates a set of match criteria and an 1859 action. Both selector-based security Policy and security Profiles 1860 reference rules - separated out as a list of rules for both ingress 1861 and egress packet matching. \n Each positive match criteria has 1862 a negated version, prefixed with \"Not\". All the match criteria 1863 within a rule must be satisfied for a packet to match. A single 1864 rule can contain the positive and negative version of a match 1865 and both must be satisfied for the rule to match." 1866 properties: 1867 action: 1868 type: string 1869 destination: 1870 description: Destination contains the match criteria that apply 1871 to destination entity. 1872 properties: 1873 namespaceSelector: 1874 description: "NamespaceSelector is an optional field that 1875 contains a selector expression. Only traffic that originates 1876 from (or terminates at) endpoints within the selected 1877 namespaces will be matched. 
When both NamespaceSelector 1878 and another selector are defined on the same rule, then 1879 only workload endpoints that are matched by both selectors 1880 will be selected by the rule. \n For NetworkPolicy, an 1881 empty NamespaceSelector implies that the Selector is limited 1882 to selecting only workload endpoints in the same namespace 1883 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1884 NamespaceSelector implies that the Selector is limited 1885 to selecting only GlobalNetworkSet or HostEndpoint. \n 1886 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1887 the Selector applies to workload endpoints across all 1888 namespaces." 1889 type: string 1890 nets: 1891 description: Nets is an optional field that restricts the 1892 rule to only apply to traffic that originates from (or 1893 terminates at) IP addresses in any of the given subnets. 1894 items: 1895 type: string 1896 type: array 1897 notNets: 1898 description: NotNets is the negated version of the Nets 1899 field. 1900 items: 1901 type: string 1902 type: array 1903 notPorts: 1904 description: NotPorts is the negated version of the Ports 1905 field. Since only some protocols have ports, if any ports 1906 are specified it requires the Protocol match in the Rule 1907 to be set to "TCP" or "UDP". 1908 items: 1909 anyOf: 1910 - type: integer 1911 - type: string 1912 pattern: ^.* 1913 x-kubernetes-int-or-string: true 1914 type: array 1915 notSelector: 1916 description: NotSelector is the negated version of the Selector 1917 field. See Selector field for subtleties with negated 1918 selectors. 1919 type: string 1920 ports: 1921 description: "Ports is an optional field that restricts 1922 the rule to only apply to traffic that has a source (destination) 1923 port that matches one of these ranges/values. This value 1924 is a list of integers or strings that represent ranges 1925 of ports. 
\n Since only some protocols have ports, if 1926 any ports are specified it requires the Protocol match 1927 in the Rule to be set to \"TCP\" or \"UDP\"." 1928 items: 1929 anyOf: 1930 - type: integer 1931 - type: string 1932 pattern: ^.* 1933 x-kubernetes-int-or-string: true 1934 type: array 1935 selector: 1936 description: "Selector is an optional field that contains 1937 a selector expression (see Policy for sample syntax). 1938 \ Only traffic that originates from (terminates at) endpoints 1939 matching the selector will be matched. \n Note that: in 1940 addition to the negated version of the Selector (see NotSelector 1941 below), the selector expression syntax itself supports 1942 negation. The two types of negation are subtly different. 1943 One negates the set of matched endpoints, the other negates 1944 the whole match: \n \tSelector = \"!has(my_label)\" matches 1945 packets that are from other Calico-controlled \tendpoints 1946 that do not have the label \"my_label\". \n \tNotSelector 1947 = \"has(my_label)\" matches packets that are not from 1948 Calico-controlled \tendpoints that do have the label \"my_label\". 1949 \n The effect is that the latter will accept packets from 1950 non-Calico sources whereas the former is limited to packets 1951 from Calico-controlled endpoints." 1952 type: string 1953 serviceAccounts: 1954 description: ServiceAccounts is an optional field that restricts 1955 the rule to only apply to traffic that originates from 1956 (or terminates at) a pod running as a matching service 1957 account. 1958 properties: 1959 names: 1960 description: Names is an optional field that restricts 1961 the rule to only apply to traffic that originates 1962 from (or terminates at) a pod running as a service 1963 account whose name is in the list. 
1964 items: 1965 type: string 1966 type: array 1967 selector: 1968 description: Selector is an optional field that restricts 1969 the rule to only apply to traffic that originates 1970 from (or terminates at) a pod running as a service 1971 account that matches the given label selector. If 1972 both Names and Selector are specified then they are 1973 AND'ed. 1974 type: string 1975 type: object 1976 services: 1977 description: "Services is an optional field that contains 1978 options for matching Kubernetes Services. If specified, 1979 only traffic that originates from or terminates at endpoints 1980 within the selected service(s) will be matched, and only 1981 to/from each endpoint's port. \n Services cannot be specified 1982 on the same rule as Selector, NotSelector, NamespaceSelector, 1983 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1984 can only be specified with Services on ingress rules." 1985 properties: 1986 name: 1987 description: Name specifies the name of a Kubernetes 1988 Service to match. 1989 type: string 1990 namespace: 1991 description: Namespace specifies the namespace of the 1992 given Service. If left empty, the rule will match 1993 within this policy's namespace. 1994 type: string 1995 type: object 1996 type: object 1997 http: 1998 description: HTTP contains match criteria that apply to HTTP 1999 requests. 2000 properties: 2001 methods: 2002 description: Methods is an optional field that restricts 2003 the rule to apply only to HTTP requests that use one of 2004 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2005 methods are OR'd together. 2006 items: 2007 type: string 2008 type: array 2009 paths: 2010 description: 'Paths is an optional field that restricts 2011 the rule to apply to HTTP requests that use one of the 2012 listed HTTP Paths. Multiple paths are OR''d together. 2013 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2014 ONLY specify either a `exact` or a `prefix` match. The 2015 validator will check for it.' 
2016 items: 2017 description: 'HTTPPath specifies an HTTP path to match. 2018 It may be either of the form: exact: <path>: which matches 2019 the path exactly or prefix: <path-prefix>: which matches 2020 the path prefix' 2021 properties: 2022 exact: 2023 type: string 2024 prefix: 2025 type: string 2026 type: object 2027 type: array 2028 type: object 2029 icmp: 2030 description: ICMP is an optional field that restricts the rule 2031 to apply to a specific type and code of ICMP traffic. This 2032 should only be specified if the Protocol field is set to "ICMP" 2033 or "ICMPv6". 2034 properties: 2035 code: 2036 description: Match on a specific ICMP code. If specified, 2037 the Type value must also be specified. This is a technical 2038 limitation imposed by the kernel's iptables firewall, 2039 which Calico uses to enforce the rule. 2040 type: integer 2041 type: 2042 description: Match on a specific ICMP type. For example 2043 a value of 8 refers to ICMP Echo Request (i.e. pings). 2044 type: integer 2045 type: object 2046 ipVersion: 2047 description: IPVersion is an optional field that restricts the 2048 rule to only match a specific IP version. 2049 type: integer 2050 metadata: 2051 description: Metadata contains additional information for this 2052 rule 2053 properties: 2054 annotations: 2055 additionalProperties: 2056 type: string 2057 description: Annotations is a set of key value pairs that 2058 give extra information about the rule 2059 type: object 2060 type: object 2061 notICMP: 2062 description: NotICMP is the negated version of the ICMP field. 2063 properties: 2064 code: 2065 description: Match on a specific ICMP code. If specified, 2066 the Type value must also be specified. This is a technical 2067 limitation imposed by the kernel's iptables firewall, 2068 which Calico uses to enforce the rule. 2069 type: integer 2070 type: 2071 description: Match on a specific ICMP type. For example 2072 a value of 8 refers to ICMP Echo Request (i.e. pings). 
2073 type: integer 2074 type: object 2075 notProtocol: 2076 anyOf: 2077 - type: integer 2078 - type: string 2079 description: NotProtocol is the negated version of the Protocol 2080 field. 2081 pattern: ^.* 2082 x-kubernetes-int-or-string: true 2083 protocol: 2084 anyOf: 2085 - type: integer 2086 - type: string 2087 description: "Protocol is an optional field that restricts the 2088 rule to only apply to traffic of a specific IP protocol. Required 2089 if any of the EntityRules contain Ports (because ports only 2090 apply to certain protocols). \n Must be one of these string 2091 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2092 \"UDPLite\" or an integer in the range 1-255." 2093 pattern: ^.* 2094 x-kubernetes-int-or-string: true 2095 source: 2096 description: Source contains the match criteria that apply to 2097 source entity. 2098 properties: 2099 namespaceSelector: 2100 description: "NamespaceSelector is an optional field that 2101 contains a selector expression. Only traffic that originates 2102 from (or terminates at) endpoints within the selected 2103 namespaces will be matched. When both NamespaceSelector 2104 and another selector are defined on the same rule, then 2105 only workload endpoints that are matched by both selectors 2106 will be selected by the rule. \n For NetworkPolicy, an 2107 empty NamespaceSelector implies that the Selector is limited 2108 to selecting only workload endpoints in the same namespace 2109 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2110 NamespaceSelector implies that the Selector is limited 2111 to selecting only GlobalNetworkSet or HostEndpoint. \n 2112 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2113 the Selector applies to workload endpoints across all 2114 namespaces." 2115 type: string 2116 nets: 2117 description: Nets is an optional field that restricts the 2118 rule to only apply to traffic that originates from (or 2119 terminates at) IP addresses in any of the given subnets. 
2120 items: 2121 type: string 2122 type: array 2123 notNets: 2124 description: NotNets is the negated version of the Nets 2125 field. 2126 items: 2127 type: string 2128 type: array 2129 notPorts: 2130 description: NotPorts is the negated version of the Ports 2131 field. Since only some protocols have ports, if any ports 2132 are specified it requires the Protocol match in the Rule 2133 to be set to "TCP" or "UDP". 2134 items: 2135 anyOf: 2136 - type: integer 2137 - type: string 2138 pattern: ^.* 2139 x-kubernetes-int-or-string: true 2140 type: array 2141 notSelector: 2142 description: NotSelector is the negated version of the Selector 2143 field. See Selector field for subtleties with negated 2144 selectors. 2145 type: string 2146 ports: 2147 description: "Ports is an optional field that restricts 2148 the rule to only apply to traffic that has a source (destination) 2149 port that matches one of these ranges/values. This value 2150 is a list of integers or strings that represent ranges 2151 of ports. \n Since only some protocols have ports, if 2152 any ports are specified it requires the Protocol match 2153 in the Rule to be set to \"TCP\" or \"UDP\"." 2154 items: 2155 anyOf: 2156 - type: integer 2157 - type: string 2158 pattern: ^.* 2159 x-kubernetes-int-or-string: true 2160 type: array 2161 selector: 2162 description: "Selector is an optional field that contains 2163 a selector expression (see Policy for sample syntax). 2164 \ Only traffic that originates from (terminates at) endpoints 2165 matching the selector will be matched. \n Note that: in 2166 addition to the negated version of the Selector (see NotSelector 2167 below), the selector expression syntax itself supports 2168 negation. The two types of negation are subtly different. 
2169 One negates the set of matched endpoints, the other negates 2170 the whole match: \n \tSelector = \"!has(my_label)\" matches 2171 packets that are from other Calico-controlled \tendpoints 2172 that do not have the label \"my_label\". \n \tNotSelector 2173 = \"has(my_label)\" matches packets that are not from 2174 Calico-controlled \tendpoints that do have the label \"my_label\". 2175 \n The effect is that the latter will accept packets from 2176 non-Calico sources whereas the former is limited to packets 2177 from Calico-controlled endpoints." 2178 type: string 2179 serviceAccounts: 2180 description: ServiceAccounts is an optional field that restricts 2181 the rule to only apply to traffic that originates from 2182 (or terminates at) a pod running as a matching service 2183 account. 2184 properties: 2185 names: 2186 description: Names is an optional field that restricts 2187 the rule to only apply to traffic that originates 2188 from (or terminates at) a pod running as a service 2189 account whose name is in the list. 2190 items: 2191 type: string 2192 type: array 2193 selector: 2194 description: Selector is an optional field that restricts 2195 the rule to only apply to traffic that originates 2196 from (or terminates at) a pod running as a service 2197 account that matches the given label selector. If 2198 both Names and Selector are specified then they are 2199 AND'ed. 2200 type: string 2201 type: object 2202 services: 2203 description: "Services is an optional field that contains 2204 options for matching Kubernetes Services. If specified, 2205 only traffic that originates from or terminates at endpoints 2206 within the selected service(s) will be matched, and only 2207 to/from each endpoint's port. \n Services cannot be specified 2208 on the same rule as Selector, NotSelector, NamespaceSelector, 2209 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2210 can only be specified with Services on ingress rules." 
2211 properties: 2212 name: 2213 description: Name specifies the name of a Kubernetes 2214 Service to match. 2215 type: string 2216 namespace: 2217 description: Namespace specifies the namespace of the 2218 given Service. If left empty, the rule will match 2219 within this policy's namespace. 2220 type: string 2221 type: object 2222 type: object 2223 required: 2224 - action 2225 type: object 2226 type: array 2227 ingress: 2228 description: The ordered set of ingress rules. Each rule contains 2229 a set of packet match criteria and a corresponding action to apply. 2230 items: 2231 description: "A Rule encapsulates a set of match criteria and an 2232 action. Both selector-based security Policy and security Profiles 2233 reference rules - separated out as a list of rules for both ingress 2234 and egress packet matching. \n Each positive match criteria has 2235 a negated version, prefixed with \"Not\". All the match criteria 2236 within a rule must be satisfied for a packet to match. A single 2237 rule can contain the positive and negative version of a match 2238 and both must be satisfied for the rule to match." 2239 properties: 2240 action: 2241 type: string 2242 destination: 2243 description: Destination contains the match criteria that apply 2244 to destination entity. 2245 properties: 2246 namespaceSelector: 2247 description: "NamespaceSelector is an optional field that 2248 contains a selector expression. Only traffic that originates 2249 from (or terminates at) endpoints within the selected 2250 namespaces will be matched. When both NamespaceSelector 2251 and another selector are defined on the same rule, then 2252 only workload endpoints that are matched by both selectors 2253 will be selected by the rule. \n For NetworkPolicy, an 2254 empty NamespaceSelector implies that the Selector is limited 2255 to selecting only workload endpoints in the same namespace 2256 as the NetworkPolicy. 
\n For NetworkPolicy, `global()` 2257 NamespaceSelector implies that the Selector is limited 2258 to selecting only GlobalNetworkSet or HostEndpoint. \n 2259 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2260 the Selector applies to workload endpoints across all 2261 namespaces." 2262 type: string 2263 nets: 2264 description: Nets is an optional field that restricts the 2265 rule to only apply to traffic that originates from (or 2266 terminates at) IP addresses in any of the given subnets. 2267 items: 2268 type: string 2269 type: array 2270 notNets: 2271 description: NotNets is the negated version of the Nets 2272 field. 2273 items: 2274 type: string 2275 type: array 2276 notPorts: 2277 description: NotPorts is the negated version of the Ports 2278 field. Since only some protocols have ports, if any ports 2279 are specified it requires the Protocol match in the Rule 2280 to be set to "TCP" or "UDP". 2281 items: 2282 anyOf: 2283 - type: integer 2284 - type: string 2285 pattern: ^.* 2286 x-kubernetes-int-or-string: true 2287 type: array 2288 notSelector: 2289 description: NotSelector is the negated version of the Selector 2290 field. See Selector field for subtleties with negated 2291 selectors. 2292 type: string 2293 ports: 2294 description: "Ports is an optional field that restricts 2295 the rule to only apply to traffic that has a source (destination) 2296 port that matches one of these ranges/values. This value 2297 is a list of integers or strings that represent ranges 2298 of ports. \n Since only some protocols have ports, if 2299 any ports are specified it requires the Protocol match 2300 in the Rule to be set to \"TCP\" or \"UDP\"." 2301 items: 2302 anyOf: 2303 - type: integer 2304 - type: string 2305 pattern: ^.* 2306 x-kubernetes-int-or-string: true 2307 type: array 2308 selector: 2309 description: "Selector is an optional field that contains 2310 a selector expression (see Policy for sample syntax). 
2311 \ Only traffic that originates from (terminates at) endpoints 2312 matching the selector will be matched. \n Note that: in 2313 addition to the negated version of the Selector (see NotSelector 2314 below), the selector expression syntax itself supports 2315 negation. The two types of negation are subtly different. 2316 One negates the set of matched endpoints, the other negates 2317 the whole match: \n \tSelector = \"!has(my_label)\" matches 2318 packets that are from other Calico-controlled \tendpoints 2319 that do not have the label \"my_label\". \n \tNotSelector 2320 = \"has(my_label)\" matches packets that are not from 2321 Calico-controlled \tendpoints that do have the label \"my_label\". 2322 \n The effect is that the latter will accept packets from 2323 non-Calico sources whereas the former is limited to packets 2324 from Calico-controlled endpoints." 2325 type: string 2326 serviceAccounts: 2327 description: ServiceAccounts is an optional field that restricts 2328 the rule to only apply to traffic that originates from 2329 (or terminates at) a pod running as a matching service 2330 account. 2331 properties: 2332 names: 2333 description: Names is an optional field that restricts 2334 the rule to only apply to traffic that originates 2335 from (or terminates at) a pod running as a service 2336 account whose name is in the list. 2337 items: 2338 type: string 2339 type: array 2340 selector: 2341 description: Selector is an optional field that restricts 2342 the rule to only apply to traffic that originates 2343 from (or terminates at) a pod running as a service 2344 account that matches the given label selector. If 2345 both Names and Selector are specified then they are 2346 AND'ed. 2347 type: string 2348 type: object 2349 services: 2350 description: "Services is an optional field that contains 2351 options for matching Kubernetes Services. 
If specified, 2352 only traffic that originates from or terminates at endpoints 2353 within the selected service(s) will be matched, and only 2354 to/from each endpoint's port. \n Services cannot be specified 2355 on the same rule as Selector, NotSelector, NamespaceSelector, 2356 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2357 can only be specified with Services on ingress rules." 2358 properties: 2359 name: 2360 description: Name specifies the name of a Kubernetes 2361 Service to match. 2362 type: string 2363 namespace: 2364 description: Namespace specifies the namespace of the 2365 given Service. If left empty, the rule will match 2366 within this policy's namespace. 2367 type: string 2368 type: object 2369 type: object 2370 http: 2371 description: HTTP contains match criteria that apply to HTTP 2372 requests. 2373 properties: 2374 methods: 2375 description: Methods is an optional field that restricts 2376 the rule to apply only to HTTP requests that use one of 2377 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2378 methods are OR'd together. 2379 items: 2380 type: string 2381 type: array 2382 paths: 2383 description: 'Paths is an optional field that restricts 2384 the rule to apply to HTTP requests that use one of the 2385 listed HTTP Paths. Multiple paths are OR''d together. 2386 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2387 ONLY specify either a `exact` or a `prefix` match. The 2388 validator will check for it.' 2389 items: 2390 description: 'HTTPPath specifies an HTTP path to match. 2391 It may be either of the form: exact: <path>: which matches 2392 the path exactly or prefix: <path-prefix>: which matches 2393 the path prefix' 2394 properties: 2395 exact: 2396 type: string 2397 prefix: 2398 type: string 2399 type: object 2400 type: array 2401 type: object 2402 icmp: 2403 description: ICMP is an optional field that restricts the rule 2404 to apply to a specific type and code of ICMP traffic. 
This 2405 should only be specified if the Protocol field is set to "ICMP" 2406 or "ICMPv6". 2407 properties: 2408 code: 2409 description: Match on a specific ICMP code. If specified, 2410 the Type value must also be specified. This is a technical 2411 limitation imposed by the kernel's iptables firewall, 2412 which Calico uses to enforce the rule. 2413 type: integer 2414 type: 2415 description: Match on a specific ICMP type. For example 2416 a value of 8 refers to ICMP Echo Request (i.e. pings). 2417 type: integer 2418 type: object 2419 ipVersion: 2420 description: IPVersion is an optional field that restricts the 2421 rule to only match a specific IP version. 2422 type: integer 2423 metadata: 2424 description: Metadata contains additional information for this 2425 rule 2426 properties: 2427 annotations: 2428 additionalProperties: 2429 type: string 2430 description: Annotations is a set of key value pairs that 2431 give extra information about the rule 2432 type: object 2433 type: object 2434 notICMP: 2435 description: NotICMP is the negated version of the ICMP field. 2436 properties: 2437 code: 2438 description: Match on a specific ICMP code. If specified, 2439 the Type value must also be specified. This is a technical 2440 limitation imposed by the kernel's iptables firewall, 2441 which Calico uses to enforce the rule. 2442 type: integer 2443 type: 2444 description: Match on a specific ICMP type. For example 2445 a value of 8 refers to ICMP Echo Request (i.e. pings). 2446 type: integer 2447 type: object 2448 notProtocol: 2449 anyOf: 2450 - type: integer 2451 - type: string 2452 description: NotProtocol is the negated version of the Protocol 2453 field. 2454 pattern: ^.* 2455 x-kubernetes-int-or-string: true 2456 protocol: 2457 anyOf: 2458 - type: integer 2459 - type: string 2460 description: "Protocol is an optional field that restricts the 2461 rule to only apply to traffic of a specific IP protocol. 
Required 2462 if any of the EntityRules contain Ports (because ports only 2463 apply to certain protocols). \n Must be one of these string 2464 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2465 \"UDPLite\" or an integer in the range 1-255." 2466 pattern: ^.* 2467 x-kubernetes-int-or-string: true 2468 source: 2469 description: Source contains the match criteria that apply to 2470 source entity. 2471 properties: 2472 namespaceSelector: 2473 description: "NamespaceSelector is an optional field that 2474 contains a selector expression. Only traffic that originates 2475 from (or terminates at) endpoints within the selected 2476 namespaces will be matched. When both NamespaceSelector 2477 and another selector are defined on the same rule, then 2478 only workload endpoints that are matched by both selectors 2479 will be selected by the rule. \n For NetworkPolicy, an 2480 empty NamespaceSelector implies that the Selector is limited 2481 to selecting only workload endpoints in the same namespace 2482 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2483 NamespaceSelector implies that the Selector is limited 2484 to selecting only GlobalNetworkSet or HostEndpoint. \n 2485 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2486 the Selector applies to workload endpoints across all 2487 namespaces." 2488 type: string 2489 nets: 2490 description: Nets is an optional field that restricts the 2491 rule to only apply to traffic that originates from (or 2492 terminates at) IP addresses in any of the given subnets. 2493 items: 2494 type: string 2495 type: array 2496 notNets: 2497 description: NotNets is the negated version of the Nets 2498 field. 2499 items: 2500 type: string 2501 type: array 2502 notPorts: 2503 description: NotPorts is the negated version of the Ports 2504 field. Since only some protocols have ports, if any ports 2505 are specified it requires the Protocol match in the Rule 2506 to be set to "TCP" or "UDP". 
2507 items: 2508 anyOf: 2509 - type: integer 2510 - type: string 2511 pattern: ^.* 2512 x-kubernetes-int-or-string: true 2513 type: array 2514 notSelector: 2515 description: NotSelector is the negated version of the Selector 2516 field. See Selector field for subtleties with negated 2517 selectors. 2518 type: string 2519 ports: 2520 description: "Ports is an optional field that restricts 2521 the rule to only apply to traffic that has a source (destination) 2522 port that matches one of these ranges/values. This value 2523 is a list of integers or strings that represent ranges 2524 of ports. \n Since only some protocols have ports, if 2525 any ports are specified it requires the Protocol match 2526 in the Rule to be set to \"TCP\" or \"UDP\"." 2527 items: 2528 anyOf: 2529 - type: integer 2530 - type: string 2531 pattern: ^.* 2532 x-kubernetes-int-or-string: true 2533 type: array 2534 selector: 2535 description: "Selector is an optional field that contains 2536 a selector expression (see Policy for sample syntax). 2537 \ Only traffic that originates from (terminates at) endpoints 2538 matching the selector will be matched. \n Note that: in 2539 addition to the negated version of the Selector (see NotSelector 2540 below), the selector expression syntax itself supports 2541 negation. The two types of negation are subtly different. 2542 One negates the set of matched endpoints, the other negates 2543 the whole match: \n \tSelector = \"!has(my_label)\" matches 2544 packets that are from other Calico-controlled \tendpoints 2545 that do not have the label \"my_label\". \n \tNotSelector 2546 = \"has(my_label)\" matches packets that are not from 2547 Calico-controlled \tendpoints that do have the label \"my_label\". 2548 \n The effect is that the latter will accept packets from 2549 non-Calico sources whereas the former is limited to packets 2550 from Calico-controlled endpoints." 
2551 type: string 2552 serviceAccounts: 2553 description: ServiceAccounts is an optional field that restricts 2554 the rule to only apply to traffic that originates from 2555 (or terminates at) a pod running as a matching service 2556 account. 2557 properties: 2558 names: 2559 description: Names is an optional field that restricts 2560 the rule to only apply to traffic that originates 2561 from (or terminates at) a pod running as a service 2562 account whose name is in the list. 2563 items: 2564 type: string 2565 type: array 2566 selector: 2567 description: Selector is an optional field that restricts 2568 the rule to only apply to traffic that originates 2569 from (or terminates at) a pod running as a service 2570 account that matches the given label selector. If 2571 both Names and Selector are specified then they are 2572 AND'ed. 2573 type: string 2574 type: object 2575 services: 2576 description: "Services is an optional field that contains 2577 options for matching Kubernetes Services. If specified, 2578 only traffic that originates from or terminates at endpoints 2579 within the selected service(s) will be matched, and only 2580 to/from each endpoint's port. \n Services cannot be specified 2581 on the same rule as Selector, NotSelector, NamespaceSelector, 2582 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2583 can only be specified with Services on ingress rules." 2584 properties: 2585 name: 2586 description: Name specifies the name of a Kubernetes 2587 Service to match. 2588 type: string 2589 namespace: 2590 description: Namespace specifies the namespace of the 2591 given Service. If left empty, the rule will match 2592 within this policy's namespace. 2593 type: string 2594 type: object 2595 type: object 2596 required: 2597 - action 2598 type: object 2599 type: array 2600 namespaceSelector: 2601 description: NamespaceSelector is an optional field for an expression 2602 used to select a pod based on namespaces. 
2603 type: string 2604 order: 2605 description: Order is an optional field that specifies the order in 2606 which the policy is applied. Policies with higher "order" are applied 2607 after those with lower order. If the order is omitted, it may be 2608 considered to be "infinite" - i.e. the policy will be applied last. Policies 2609 with identical order will be applied in alphanumerical order based 2610 on the Policy "Name". 2611 type: number 2612 performanceHints: 2613 description: "PerformanceHints contains a list of hints to Calico's 2614 policy engine to help process the policy more efficiently. Hints 2615 never change the enforcement behaviour of the policy. \n Currently, 2616 the only available hint is \"AssumeNeededOnEveryNode\". When that 2617 hint is set on a policy, Felix will act as if the policy matches 2618 a local endpoint even if it does not. This is useful for \"preloading\" 2619 any large static policies that are known to be used on every node. 2620 If the policy is _not_ used on a particular node then the work done 2621 to preload the policy (and to maintain it) is wasted." 2622 items: 2623 type: string 2624 type: array 2625 preDNAT: 2626 description: PreDNAT indicates to apply the rules in this policy before 2627 any DNAT. 2628 type: boolean 2629 selector: 2630 description: "The selector is an expression used to pick out 2631 the endpoints that the policy should be applied to. \n Selector 2632 expressions follow this syntax: \n \tlabel == \"string_literal\" 2633 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2634 \ -> not equal; also matches if label is not present \tlabel in 2635 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2636 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2637 ... } -> true if the value of label X is not one of \"a\", \"b\", 2638 \"c\" \thas(label_name) -> True if that label is present \t! 
expr 2639 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2640 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2641 or the empty selector -> matches all endpoints. \n Label names are 2642 allowed to contain alphanumerics, -, _ and /. String literals are 2643 more permissive but they do not support escape characters. \n Examples 2644 (with made-up labels): \n \ttype == \"webserver\" && deployment 2645 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2646 \"dev\" \t! has(label_name)" 2647 type: string 2648 serviceAccountSelector: 2649 description: ServiceAccountSelector is an optional field for an expression 2650 used to select a pod based on service accounts. 2651 type: string 2652 types: 2653 description: "Types indicates whether this policy applies to ingress, 2654 or to egress, or to both. When not explicitly specified (and so 2655 the value on creation is empty or nil), Calico defaults Types according 2656 to what Ingress and Egress rules are present in the policy. The 2657 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2658 (including the case where there are also no Ingress rules) \n 2659 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2660 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2661 both Ingress and Egress rules. \n When the policy is read back again, 2662 Types will always be one of these values, never empty or nil." 2663 items: 2664 description: PolicyType enumerates the possible values of the PolicySpec 2665 Types field. 
2666 type: string 2667 type: array 2668 type: object 2669 type: object 2670 served: true 2671 storage: true 2672 status: 2673 acceptedNames: 2674 kind: "" 2675 plural: "" 2676 conditions: [] 2677 storedVersions: [] 2678 --- 2679 # Source: calico/templates/kdd-crds.yaml 2680 apiVersion: apiextensions.k8s.io/v1 2681 kind: CustomResourceDefinition 2682 metadata: 2683 name: globalnetworksets.crd.projectcalico.org 2684 spec: 2685 group: crd.projectcalico.org 2686 names: 2687 kind: GlobalNetworkSet 2688 listKind: GlobalNetworkSetList 2689 plural: globalnetworksets 2690 singular: globalnetworkset 2691 preserveUnknownFields: false 2692 scope: Cluster 2693 versions: 2694 - name: v1 2695 schema: 2696 openAPIV3Schema: 2697 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2698 that share labels to allow rules to refer to them via selectors. The labels 2699 of GlobalNetworkSet are not namespaced. 2700 properties: 2701 apiVersion: 2702 description: 'APIVersion defines the versioned schema of this representation 2703 of an object. Servers should convert recognized schemas to the latest 2704 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2705 type: string 2706 kind: 2707 description: 'Kind is a string value representing the REST resource this 2708 object represents. Servers may infer this from the endpoint the client 2709 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2710 type: string 2711 metadata: 2712 type: object 2713 spec: 2714 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2715 resource. 2716 properties: 2717 nets: 2718 description: The list of IP networks that belong to this set. 
2719 items: 2720 type: string 2721 type: array 2722 type: object 2723 type: object 2724 served: true 2725 storage: true 2726 status: 2727 acceptedNames: 2728 kind: "" 2729 plural: "" 2730 conditions: [] 2731 storedVersions: [] 2732 --- 2733 # Source: calico/templates/kdd-crds.yaml 2734 apiVersion: apiextensions.k8s.io/v1 2735 kind: CustomResourceDefinition 2736 metadata: 2737 name: hostendpoints.crd.projectcalico.org 2738 spec: 2739 group: crd.projectcalico.org 2740 names: 2741 kind: HostEndpoint 2742 listKind: HostEndpointList 2743 plural: hostendpoints 2744 singular: hostendpoint 2745 preserveUnknownFields: false 2746 scope: Cluster 2747 versions: 2748 - name: v1 2749 schema: 2750 openAPIV3Schema: 2751 properties: 2752 apiVersion: 2753 description: 'APIVersion defines the versioned schema of this representation 2754 of an object. Servers should convert recognized schemas to the latest 2755 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2756 type: string 2757 kind: 2758 description: 'Kind is a string value representing the REST resource this 2759 object represents. Servers may infer this from the endpoint the client 2760 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2761 type: string 2762 metadata: 2763 type: object 2764 spec: 2765 description: HostEndpointSpec contains the specification for a HostEndpoint 2766 resource. 2767 properties: 2768 expectedIPs: 2769 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2770 If \"InterfaceName\" is not present, Calico will look for an interface 2771 matching any of the IPs in the list and apply policy to that. Note: 2772 \tWhen using the selector match criteria in an ingress or egress 2773 security Policy \tor Profile, Calico converts the selector into 2774 a set of IP addresses. 
For host \tendpoints, the ExpectedIPs field 2775 is used for that purpose. (If only the interface \tname is specified, 2776 Calico does not learn the IPs of the interface for use in match 2777 \tcriteria.)" 2778 items: 2779 type: string 2780 type: array 2781 interfaceName: 2782 description: "Either \"*\", or the name of a specific Linux interface 2783 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2784 governs all traffic to, from or through the default network namespace 2785 of the host named by the \"Node\" field; entering and leaving that 2786 namespace via any interface, including those from/to non-host-networked 2787 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2788 only governs traffic that enters or leaves the host through the 2789 specific interface named by InterfaceName, or - when InterfaceName 2790 is empty - through the specific interface that has one of the IPs 2791 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2792 one expected IP must be specified. Only external interfaces (such 2793 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2794 to protect traffic through a specific local workload interface. 2795 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2796 initially just pre-DNAT policy. Please check Calico documentation 2797 for the latest position." 2798 type: string 2799 node: 2800 description: The node name identifying the Calico node instance. 2801 type: string 2802 ports: 2803 description: Ports contains the endpoint's named ports, which may 2804 be referenced in security policy rules. 
2805 items: 2806 properties: 2807 name: 2808 type: string 2809 port: 2810 type: integer 2811 protocol: 2812 anyOf: 2813 - type: integer 2814 - type: string 2815 pattern: ^.* 2816 x-kubernetes-int-or-string: true 2817 required: 2818 - name 2819 - port 2820 - protocol 2821 type: object 2822 type: array 2823 profiles: 2824 description: A list of identifiers of security Profile objects that 2825 apply to this endpoint. Each profile is applied in the order that 2826 they appear in this list. Profile rules are applied after the selector-based 2827 security policy. 2828 items: 2829 type: string 2830 type: array 2831 type: object 2832 type: object 2833 served: true 2834 storage: true 2835 status: 2836 acceptedNames: 2837 kind: "" 2838 plural: "" 2839 conditions: [] 2840 storedVersions: [] 2841 --- 2842 # Source: calico/templates/kdd-crds.yaml 2843 apiVersion: apiextensions.k8s.io/v1 2844 kind: CustomResourceDefinition 2845 metadata: 2846 name: ipamblocks.crd.projectcalico.org 2847 spec: 2848 group: crd.projectcalico.org 2849 names: 2850 kind: IPAMBlock 2851 listKind: IPAMBlockList 2852 plural: ipamblocks 2853 singular: ipamblock 2854 preserveUnknownFields: false 2855 scope: Cluster 2856 versions: 2857 - name: v1 2858 schema: 2859 openAPIV3Schema: 2860 properties: 2861 apiVersion: 2862 description: 'APIVersion defines the versioned schema of this representation 2863 of an object. Servers should convert recognized schemas to the latest 2864 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2865 type: string 2866 kind: 2867 description: 'Kind is a string value representing the REST resource this 2868 object represents. Servers may infer this from the endpoint the client 2869 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2870 type: string 2871 metadata: 2872 type: object 2873 spec: 2874 description: IPAMBlockSpec contains the specification for an IPAMBlock 2875 resource. 2876 properties: 2877 affinity: 2878 description: Affinity of the block, if this block has one. If set, 2879 it will be of the form "host:<hostname>". If not set, this block 2880 is not affine to a host. 2881 type: string 2882 allocations: 2883 description: Array of allocations in-use within this block. nil entries 2884 mean the allocation is free. For non-nil entries at index i, the 2885 index is the ordinal of the allocation within this block and the 2886 value is the index of the associated attributes in the Attributes 2887 array. 2888 items: 2889 type: integer 2890 # TODO: This nullable is manually added in. We should update controller-gen 2891 # to handle []*int properly itself. 2892 nullable: true 2893 type: array 2894 attributes: 2895 description: Attributes is an array of arbitrary metadata associated 2896 with allocations in the block. To find attributes for a given allocation, 2897 use the value of the allocation's entry in the Allocations array 2898 as the index of the element in this array. 2899 items: 2900 properties: 2901 handle_id: 2902 type: string 2903 secondary: 2904 additionalProperties: 2905 type: string 2906 type: object 2907 type: object 2908 type: array 2909 cidr: 2910 description: The block's CIDR. 2911 type: string 2912 deleted: 2913 description: Deleted is an internal boolean used to workaround a limitation 2914 in the Kubernetes API whereby deletion will not return a conflict 2915 error if the block has been updated. It should not be set manually. 2916 type: boolean 2917 sequenceNumber: 2918 default: 0 2919 description: We store a sequence number that is updated each time 2920 the block is written. 
Each allocation will also store the sequence 2921 number of the block at the time of its creation. When releasing 2922 an IP, passing the sequence number associated with the allocation 2923 allows us to protect against a race condition and ensure the IP 2924 hasn't been released and re-allocated since the release request. 2925 format: int64 2926 type: integer 2927 sequenceNumberForAllocation: 2928 additionalProperties: 2929 format: int64 2930 type: integer 2931 description: Map of allocated ordinal within the block to sequence 2932 number of the block at the time of allocation. Kubernetes does not 2933 allow numerical keys for maps, so the key is cast to a string. 2934 type: object 2935 strictAffinity: 2936 description: StrictAffinity on the IPAMBlock is deprecated and no 2937 longer used by the code. Use IPAMConfig StrictAffinity instead. 2938 type: boolean 2939 unallocated: 2940 description: Unallocated is an ordered list of allocations which are 2941 free in the block. 2942 items: 2943 type: integer 2944 type: array 2945 required: 2946 - allocations 2947 - attributes 2948 - cidr 2949 - strictAffinity 2950 - unallocated 2951 type: object 2952 type: object 2953 served: true 2954 storage: true 2955 status: 2956 acceptedNames: 2957 kind: "" 2958 plural: "" 2959 conditions: [] 2960 storedVersions: [] 2961 --- 2962 # Source: calico/templates/kdd-crds.yaml 2963 apiVersion: apiextensions.k8s.io/v1 2964 kind: CustomResourceDefinition 2965 metadata: 2966 name: ipamconfigs.crd.projectcalico.org 2967 spec: 2968 group: crd.projectcalico.org 2969 names: 2970 kind: IPAMConfig 2971 listKind: IPAMConfigList 2972 plural: ipamconfigs 2973 singular: ipamconfig 2974 preserveUnknownFields: false 2975 scope: Cluster 2976 versions: 2977 - name: v1 2978 schema: 2979 openAPIV3Schema: 2980 properties: 2981 apiVersion: 2982 description: 'APIVersion defines the versioned schema of this representation 2983 of an object. 
Servers should convert recognized schemas to the latest 2984 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2985 type: string 2986 kind: 2987 description: 'Kind is a string value representing the REST resource this 2988 object represents. Servers may infer this from the endpoint the client 2989 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2990 type: string 2991 metadata: 2992 type: object 2993 spec: 2994 description: IPAMConfigSpec contains the specification for an IPAMConfig 2995 resource. 2996 properties: 2997 autoAllocateBlocks: 2998 type: boolean 2999 maxBlocksPerHost: 3000 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 3001 that can be affine to each host. 3002 maximum: 2147483647 3003 minimum: 0 3004 type: integer 3005 strictAffinity: 3006 type: boolean 3007 required: 3008 - autoAllocateBlocks 3009 - strictAffinity 3010 type: object 3011 type: object 3012 served: true 3013 storage: true 3014 status: 3015 acceptedNames: 3016 kind: "" 3017 plural: "" 3018 conditions: [] 3019 storedVersions: [] 3020 --- 3021 # Source: calico/templates/kdd-crds.yaml 3022 apiVersion: apiextensions.k8s.io/v1 3023 kind: CustomResourceDefinition 3024 metadata: 3025 name: ipamhandles.crd.projectcalico.org 3026 spec: 3027 group: crd.projectcalico.org 3028 names: 3029 kind: IPAMHandle 3030 listKind: IPAMHandleList 3031 plural: ipamhandles 3032 singular: ipamhandle 3033 preserveUnknownFields: false 3034 scope: Cluster 3035 versions: 3036 - name: v1 3037 schema: 3038 openAPIV3Schema: 3039 properties: 3040 apiVersion: 3041 description: 'APIVersion defines the versioned schema of this representation 3042 of an object. Servers should convert recognized schemas to the latest 3043 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3044 type: string 3045 kind: 3046 description: 'Kind is a string value representing the REST resource this 3047 object represents. Servers may infer this from the endpoint the client 3048 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3049 type: string 3050 metadata: 3051 type: object 3052 spec: 3053 description: IPAMHandleSpec contains the specification for an IPAMHandle 3054 resource. 3055 properties: 3056 block: 3057 additionalProperties: 3058 type: integer 3059 type: object 3060 deleted: 3061 type: boolean 3062 handleID: 3063 type: string 3064 required: 3065 - block 3066 - handleID 3067 type: object 3068 type: object 3069 served: true 3070 storage: true 3071 status: 3072 acceptedNames: 3073 kind: "" 3074 plural: "" 3075 conditions: [] 3076 storedVersions: [] 3077 --- 3078 # Source: calico/templates/kdd-crds.yaml 3079 apiVersion: apiextensions.k8s.io/v1 3080 kind: CustomResourceDefinition 3081 metadata: 3082 name: ippools.crd.projectcalico.org 3083 spec: 3084 group: crd.projectcalico.org 3085 names: 3086 kind: IPPool 3087 listKind: IPPoolList 3088 plural: ippools 3089 singular: ippool 3090 preserveUnknownFields: false 3091 scope: Cluster 3092 versions: 3093 - name: v1 3094 schema: 3095 openAPIV3Schema: 3096 properties: 3097 apiVersion: 3098 description: 'APIVersion defines the versioned schema of this representation 3099 of an object. Servers should convert recognized schemas to the latest 3100 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3101 type: string 3102 kind: 3103 description: 'Kind is a string value representing the REST resource this 3104 object represents. 
Servers may infer this from the endpoint the client 3105 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3106 type: string 3107 metadata: 3108 type: object 3109 spec: 3110 description: IPPoolSpec contains the specification for an IPPool resource. 3111 properties: 3112 allowedUses: 3113 description: AllowedUse controls what the IP pool will be used for. If 3114 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 3115 items: 3116 type: string 3117 type: array 3118 blockSize: 3119 description: The block size to use for IP address assignments from 3120 this pool. Defaults to 26 for IPv4 and 122 for IPv6. 3121 type: integer 3122 cidr: 3123 description: The pool CIDR. 3124 type: string 3125 disableBGPExport: 3126 description: 'Disable exporting routes from this IP Pool''s CIDR over 3127 BGP. [Default: false]' 3128 type: boolean 3129 disabled: 3130 description: When disabled is true, Calico IPAM will not assign addresses 3131 from this pool. 3132 type: boolean 3133 ipip: 3134 description: 'Deprecated: this field is only used for APIv1 backwards 3135 compatibility. Setting this field is not allowed, this field is 3136 for internal use only.' 3137 properties: 3138 enabled: 3139 description: When enabled is true, ipip tunneling will be used 3140 to deliver packets to destinations within this pool. 3141 type: boolean 3142 mode: 3143 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 3144 mode of "always" will also use IPIP tunneling for routing to 3145 destination IP addresses within this pool. A mode of "cross-subnet" 3146 will only use IPIP tunneling when the destination node is on 3147 a different subnet to the originating node. The default value 3148 (if not specified) is "always". 3149 type: string 3150 type: object 3151 ipipMode: 3152 description: Contains configuration for IPIP tunneling for this pool. 
3153 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 3154 is disabled). 3155 type: string 3156 nat-outgoing: 3157 description: 'Deprecated: this field is only used for APIv1 backwards 3158 compatibility. Setting this field is not allowed, this field is 3159 for internal use only.' 3160 type: boolean 3161 natOutgoing: 3162 description: When natOutgoing is true, packets sent from Calico networked 3163 containers in this pool to destinations outside of this pool will 3164 be masqueraded. 3165 type: boolean 3166 nodeSelector: 3167 description: Allows IPPool to allocate for a specific node by label 3168 selector. 3169 type: string 3170 vxlanMode: 3171 description: Contains configuration for VXLAN tunneling for this pool. 3172 If not specified, then this is defaulted to "Never" (i.e. VXLAN 3173 tunneling is disabled). 3174 type: string 3175 required: 3176 - cidr 3177 type: object 3178 type: object 3179 served: true 3180 storage: true 3181 status: 3182 acceptedNames: 3183 kind: "" 3184 plural: "" 3185 conditions: [] 3186 storedVersions: [] 3187 --- 3188 # Source: calico/templates/kdd-crds.yaml 3189 apiVersion: apiextensions.k8s.io/v1 3190 kind: CustomResourceDefinition 3191 metadata: 3192 annotations: 3193 controller-gen.kubebuilder.io/version: (devel) 3194 creationTimestamp: null 3195 name: ipreservations.crd.projectcalico.org 3196 spec: 3197 group: crd.projectcalico.org 3198 names: 3199 kind: IPReservation 3200 listKind: IPReservationList 3201 plural: ipreservations 3202 singular: ipreservation 3203 preserveUnknownFields: false 3204 scope: Cluster 3205 versions: 3206 - name: v1 3207 schema: 3208 openAPIV3Schema: 3209 properties: 3210 apiVersion: 3211 description: 'APIVersion defines the versioned schema of this representation 3212 of an object. Servers should convert recognized schemas to the latest 3213 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3214 type: string 3215 kind: 3216 description: 'Kind is a string value representing the REST resource this 3217 object represents. Servers may infer this from the endpoint the client 3218 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3219 type: string 3220 metadata: 3221 type: object 3222 spec: 3223 description: IPReservationSpec contains the specification for an IPReservation 3224 resource. 3225 properties: 3226 reservedCIDRs: 3227 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 3228 that Calico IPAM will exclude from new allocations. 3229 items: 3230 type: string 3231 type: array 3232 type: object 3233 type: object 3234 served: true 3235 storage: true 3236 status: 3237 acceptedNames: 3238 kind: "" 3239 plural: "" 3240 conditions: [] 3241 storedVersions: [] 3242 --- 3243 # Source: calico/templates/kdd-crds.yaml 3244 apiVersion: apiextensions.k8s.io/v1 3245 kind: CustomResourceDefinition 3246 metadata: 3247 name: kubecontrollersconfigurations.crd.projectcalico.org 3248 spec: 3249 group: crd.projectcalico.org 3250 names: 3251 kind: KubeControllersConfiguration 3252 listKind: KubeControllersConfigurationList 3253 plural: kubecontrollersconfigurations 3254 singular: kubecontrollersconfiguration 3255 preserveUnknownFields: false 3256 scope: Cluster 3257 versions: 3258 - name: v1 3259 schema: 3260 openAPIV3Schema: 3261 properties: 3262 apiVersion: 3263 description: 'APIVersion defines the versioned schema of this representation 3264 of an object. Servers should convert recognized schemas to the latest 3265 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3266 type: string 3267 kind: 3268 description: 'Kind is a string value representing the REST resource this 3269 object represents. Servers may infer this from the endpoint the client 3270 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3271 type: string 3272 metadata: 3273 type: object 3274 spec: 3275 description: KubeControllersConfigurationSpec contains the values of the 3276 Kubernetes controllers configuration. 3277 properties: 3278 controllers: 3279 description: Controllers enables and configures individual Kubernetes 3280 controllers 3281 properties: 3282 namespace: 3283 description: Namespace enables and configures the namespace controller. 3284 Enabled by default, set to nil to disable. 3285 properties: 3286 reconcilerPeriod: 3287 description: 'ReconcilerPeriod is the period to perform reconciliation 3288 with the Calico datastore. [Default: 5m]' 3289 type: string 3290 type: object 3291 node: 3292 description: Node enables and configures the node controller. 3293 Enabled by default, set to nil to disable. 3294 properties: 3295 hostEndpoint: 3296 description: HostEndpoint controls syncing nodes to host endpoints. 3297 Disabled by default, set to nil to disable. 3298 properties: 3299 autoCreate: 3300 description: 'AutoCreate enables automatic creation of 3301 host endpoints for every node. [Default: Disabled]' 3302 type: string 3303 type: object 3304 leakGracePeriod: 3305 description: 'LeakGracePeriod is the period used by the controller 3306 to determine if an IP address has been leaked. Set to 0 3307 to disable IP garbage collection. [Default: 15m]' 3308 type: string 3309 reconcilerPeriod: 3310 description: 'ReconcilerPeriod is the period to perform reconciliation 3311 with the Calico datastore. 
[Default: 5m]' 3312 type: string 3313 syncLabels: 3314 description: 'SyncLabels controls whether to copy Kubernetes 3315 node labels to Calico nodes. [Default: Enabled]' 3316 type: string 3317 type: object 3318 policy: 3319 description: Policy enables and configures the policy controller. 3320 Enabled by default, set to nil to disable. 3321 properties: 3322 reconcilerPeriod: 3323 description: 'ReconcilerPeriod is the period to perform reconciliation 3324 with the Calico datastore. [Default: 5m]' 3325 type: string 3326 type: object 3327 serviceAccount: 3328 description: ServiceAccount enables and configures the service 3329 account controller. Enabled by default, set to nil to disable. 3330 properties: 3331 reconcilerPeriod: 3332 description: 'ReconcilerPeriod is the period to perform reconciliation 3333 with the Calico datastore. [Default: 5m]' 3334 type: string 3335 type: object 3336 workloadEndpoint: 3337 description: WorkloadEndpoint enables and configures the workload 3338 endpoint controller. Enabled by default, set to nil to disable. 3339 properties: 3340 reconcilerPeriod: 3341 description: 'ReconcilerPeriod is the period to perform reconciliation 3342 with the Calico datastore. [Default: 5m]' 3343 type: string 3344 type: object 3345 type: object 3346 debugProfilePort: 3347 description: DebugProfilePort configures the port to serve memory 3348 and cpu profiles on. If not specified, profiling is disabled. 3349 format: int32 3350 type: integer 3351 etcdV3CompactionPeriod: 3352 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3353 compaction requests. Set to 0 to disable. [Default: 10m]' 3354 type: string 3355 healthChecks: 3356 description: 'HealthChecks enables or disables support for health 3357 checks [Default: Enabled]' 3358 type: string 3359 logSeverityScreen: 3360 description: 'LogSeverityScreen is the log severity above which logs 3361 are sent to the stdout. 
[Default: Info]' 3362 type: string 3363 prometheusMetricsPort: 3364 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3365 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 3366 type: integer 3367 required: 3368 - controllers 3369 type: object 3370 status: 3371 description: KubeControllersConfigurationStatus represents the status 3372 of the configuration. It's useful for admins to be able to see the actual 3373 config that was applied, which can be modified by environment variables 3374 on the kube-controllers process. 3375 properties: 3376 environmentVars: 3377 additionalProperties: 3378 type: string 3379 description: EnvironmentVars contains the environment variables on 3380 the kube-controllers that influenced the RunningConfig. 3381 type: object 3382 runningConfig: 3383 description: RunningConfig contains the effective config that is running 3384 in the kube-controllers pod, after merging the API resource with 3385 any environment variables. 3386 properties: 3387 controllers: 3388 description: Controllers enables and configures individual Kubernetes 3389 controllers 3390 properties: 3391 namespace: 3392 description: Namespace enables and configures the namespace 3393 controller. Enabled by default, set to nil to disable. 3394 properties: 3395 reconcilerPeriod: 3396 description: 'ReconcilerPeriod is the period to perform 3397 reconciliation with the Calico datastore. [Default: 3398 5m]' 3399 type: string 3400 type: object 3401 node: 3402 description: Node enables and configures the node controller. 3403 Enabled by default, set to nil to disable. 3404 properties: 3405 hostEndpoint: 3406 description: HostEndpoint controls syncing nodes to host 3407 endpoints. Disabled by default, set to nil to disable. 3408 properties: 3409 autoCreate: 3410 description: 'AutoCreate enables automatic creation 3411 of host endpoints for every node. 
[Default: Disabled]' 3412 type: string 3413 type: object 3414 leakGracePeriod: 3415 description: 'LeakGracePeriod is the period used by the 3416 controller to determine if an IP address has been leaked. 3417 Set to 0 to disable IP garbage collection. [Default: 3418 15m]' 3419 type: string 3420 reconcilerPeriod: 3421 description: 'ReconcilerPeriod is the period to perform 3422 reconciliation with the Calico datastore. [Default: 3423 5m]' 3424 type: string 3425 syncLabels: 3426 description: 'SyncLabels controls whether to copy Kubernetes 3427 node labels to Calico nodes. [Default: Enabled]' 3428 type: string 3429 type: object 3430 policy: 3431 description: Policy enables and configures the policy controller. 3432 Enabled by default, set to nil to disable. 3433 properties: 3434 reconcilerPeriod: 3435 description: 'ReconcilerPeriod is the period to perform 3436 reconciliation with the Calico datastore. [Default: 3437 5m]' 3438 type: string 3439 type: object 3440 serviceAccount: 3441 description: ServiceAccount enables and configures the service 3442 account controller. Enabled by default, set to nil to disable. 3443 properties: 3444 reconcilerPeriod: 3445 description: 'ReconcilerPeriod is the period to perform 3446 reconciliation with the Calico datastore. [Default: 3447 5m]' 3448 type: string 3449 type: object 3450 workloadEndpoint: 3451 description: WorkloadEndpoint enables and configures the workload 3452 endpoint controller. Enabled by default, set to nil to disable. 3453 properties: 3454 reconcilerPeriod: 3455 description: 'ReconcilerPeriod is the period to perform 3456 reconciliation with the Calico datastore. [Default: 3457 5m]' 3458 type: string 3459 type: object 3460 type: object 3461 debugProfilePort: 3462 description: DebugProfilePort configures the port to serve memory 3463 and cpu profiles on. If not specified, profiling is disabled. 
3464 format: int32 3465 type: integer 3466 etcdV3CompactionPeriod: 3467 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3468 compaction requests. Set to 0 to disable. [Default: 10m]' 3469 type: string 3470 healthChecks: 3471 description: 'HealthChecks enables or disables support for health 3472 checks [Default: Enabled]' 3473 type: string 3474 logSeverityScreen: 3475 description: 'LogSeverityScreen is the log severity above which 3476 logs are sent to the stdout. [Default: Info]' 3477 type: string 3478 prometheusMetricsPort: 3479 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3480 metrics server should bind to. Set to 0 to disable. [Default: 3481 9094]' 3482 type: integer 3483 required: 3484 - controllers 3485 type: object 3486 type: object 3487 type: object 3488 served: true 3489 storage: true 3490 status: 3491 acceptedNames: 3492 kind: "" 3493 plural: "" 3494 conditions: [] 3495 storedVersions: [] 3496 --- 3497 # Source: calico/templates/kdd-crds.yaml 3498 apiVersion: apiextensions.k8s.io/v1 3499 kind: CustomResourceDefinition 3500 metadata: 3501 name: networkpolicies.crd.projectcalico.org 3502 spec: 3503 group: crd.projectcalico.org 3504 names: 3505 kind: NetworkPolicy 3506 listKind: NetworkPolicyList 3507 plural: networkpolicies 3508 singular: networkpolicy 3509 preserveUnknownFields: false 3510 scope: Namespaced 3511 versions: 3512 - name: v1 3513 schema: 3514 openAPIV3Schema: 3515 properties: 3516 apiVersion: 3517 description: 'APIVersion defines the versioned schema of this representation 3518 of an object. Servers should convert recognized schemas to the latest 3519 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3520 type: string 3521 kind: 3522 description: 'Kind is a string value representing the REST resource this 3523 object represents. 
Servers may infer this from the endpoint the client 3524 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3525 type: string 3526 metadata: 3527 type: object 3528 spec: 3529 properties: 3530 egress: 3531 description: The ordered set of egress rules. Each rule contains 3532 a set of packet match criteria and a corresponding action to apply. 3533 items: 3534 description: "A Rule encapsulates a set of match criteria and an 3535 action. Both selector-based security Policy and security Profiles 3536 reference rules - separated out as a list of rules for both ingress 3537 and egress packet matching. \n Each positive match criteria has 3538 a negated version, prefixed with \"Not\". All the match criteria 3539 within a rule must be satisfied for a packet to match. A single 3540 rule can contain the positive and negative version of a match 3541 and both must be satisfied for the rule to match." 3542 properties: 3543 action: 3544 type: string 3545 destination: 3546 description: Destination contains the match criteria that apply 3547 to destination entity. 3548 properties: 3549 namespaceSelector: 3550 description: "NamespaceSelector is an optional field that 3551 contains a selector expression. Only traffic that originates 3552 from (or terminates at) endpoints within the selected 3553 namespaces will be matched. When both NamespaceSelector 3554 and another selector are defined on the same rule, then 3555 only workload endpoints that are matched by both selectors 3556 will be selected by the rule. \n For NetworkPolicy, an 3557 empty NamespaceSelector implies that the Selector is limited 3558 to selecting only workload endpoints in the same namespace 3559 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3560 NamespaceSelector implies that the Selector is limited 3561 to selecting only GlobalNetworkSet or HostEndpoint. 
\n 3562 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3563 the Selector applies to workload endpoints across all 3564 namespaces." 3565 type: string 3566 nets: 3567 description: Nets is an optional field that restricts the 3568 rule to only apply to traffic that originates from (or 3569 terminates at) IP addresses in any of the given subnets. 3570 items: 3571 type: string 3572 type: array 3573 notNets: 3574 description: NotNets is the negated version of the Nets 3575 field. 3576 items: 3577 type: string 3578 type: array 3579 notPorts: 3580 description: NotPorts is the negated version of the Ports 3581 field. Since only some protocols have ports, if any ports 3582 are specified it requires the Protocol match in the Rule 3583 to be set to "TCP" or "UDP". 3584 items: 3585 anyOf: 3586 - type: integer 3587 - type: string 3588 pattern: ^.* 3589 x-kubernetes-int-or-string: true 3590 type: array 3591 notSelector: 3592 description: NotSelector is the negated version of the Selector 3593 field. See Selector field for subtleties with negated 3594 selectors. 3595 type: string 3596 ports: 3597 description: "Ports is an optional field that restricts 3598 the rule to only apply to traffic that has a source (destination) 3599 port that matches one of these ranges/values. This value 3600 is a list of integers or strings that represent ranges 3601 of ports. \n Since only some protocols have ports, if 3602 any ports are specified it requires the Protocol match 3603 in the Rule to be set to \"TCP\" or \"UDP\"." 3604 items: 3605 anyOf: 3606 - type: integer 3607 - type: string 3608 pattern: ^.* 3609 x-kubernetes-int-or-string: true 3610 type: array 3611 selector: 3612 description: "Selector is an optional field that contains 3613 a selector expression (see Policy for sample syntax). 3614 \ Only traffic that originates from (terminates at) endpoints 3615 matching the selector will be matched. 
\n Note that: in 3616 addition to the negated version of the Selector (see NotSelector 3617 below), the selector expression syntax itself supports 3618 negation. The two types of negation are subtly different. 3619 One negates the set of matched endpoints, the other negates 3620 the whole match: \n \tSelector = \"!has(my_label)\" matches 3621 packets that are from other Calico-controlled \tendpoints 3622 that do not have the label \"my_label\". \n \tNotSelector 3623 = \"has(my_label)\" matches packets that are not from 3624 Calico-controlled \tendpoints that do have the label \"my_label\". 3625 \n The effect is that the latter will accept packets from 3626 non-Calico sources whereas the former is limited to packets 3627 from Calico-controlled endpoints." 3628 type: string 3629 serviceAccounts: 3630 description: ServiceAccounts is an optional field that restricts 3631 the rule to only apply to traffic that originates from 3632 (or terminates at) a pod running as a matching service 3633 account. 3634 properties: 3635 names: 3636 description: Names is an optional field that restricts 3637 the rule to only apply to traffic that originates 3638 from (or terminates at) a pod running as a service 3639 account whose name is in the list. 3640 items: 3641 type: string 3642 type: array 3643 selector: 3644 description: Selector is an optional field that restricts 3645 the rule to only apply to traffic that originates 3646 from (or terminates at) a pod running as a service 3647 account that matches the given label selector. If 3648 both Names and Selector are specified then they are 3649 AND'ed. 3650 type: string 3651 type: object 3652 services: 3653 description: "Services is an optional field that contains 3654 options for matching Kubernetes Services. If specified, 3655 only traffic that originates from or terminates at endpoints 3656 within the selected service(s) will be matched, and only 3657 to/from each endpoint's port. 
\n Services cannot be specified 3658 on the same rule as Selector, NotSelector, NamespaceSelector, 3659 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3660 can only be specified with Services on ingress rules." 3661 properties: 3662 name: 3663 description: Name specifies the name of a Kubernetes 3664 Service to match. 3665 type: string 3666 namespace: 3667 description: Namespace specifies the namespace of the 3668 given Service. If left empty, the rule will match 3669 within this policy's namespace. 3670 type: string 3671 type: object 3672 type: object 3673 http: 3674 description: HTTP contains match criteria that apply to HTTP 3675 requests. 3676 properties: 3677 methods: 3678 description: Methods is an optional field that restricts 3679 the rule to apply only to HTTP requests that use one of 3680 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3681 methods are OR'd together. 3682 items: 3683 type: string 3684 type: array 3685 paths: 3686 description: 'Paths is an optional field that restricts 3687 the rule to apply to HTTP requests that use one of the 3688 listed HTTP Paths. Multiple paths are OR''d together. 3689 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3690 ONLY specify either a `exact` or a `prefix` match. The 3691 validator will check for it.' 3692 items: 3693 description: 'HTTPPath specifies an HTTP path to match. 3694 It may be either of the form: exact: <path>: which matches 3695 the path exactly or prefix: <path-prefix>: which matches 3696 the path prefix' 3697 properties: 3698 exact: 3699 type: string 3700 prefix: 3701 type: string 3702 type: object 3703 type: array 3704 type: object 3705 icmp: 3706 description: ICMP is an optional field that restricts the rule 3707 to apply to a specific type and code of ICMP traffic. This 3708 should only be specified if the Protocol field is set to "ICMP" 3709 or "ICMPv6". 3710 properties: 3711 code: 3712 description: Match on a specific ICMP code. 
If specified, 3713 the Type value must also be specified. This is a technical 3714 limitation imposed by the kernel's iptables firewall, 3715 which Calico uses to enforce the rule. 3716 type: integer 3717 type: 3718 description: Match on a specific ICMP type. For example 3719 a value of 8 refers to ICMP Echo Request (i.e. pings). 3720 type: integer 3721 type: object 3722 ipVersion: 3723 description: IPVersion is an optional field that restricts the 3724 rule to only match a specific IP version. 3725 type: integer 3726 metadata: 3727 description: Metadata contains additional information for this 3728 rule 3729 properties: 3730 annotations: 3731 additionalProperties: 3732 type: string 3733 description: Annotations is a set of key value pairs that 3734 give extra information about the rule 3735 type: object 3736 type: object 3737 notICMP: 3738 description: NotICMP is the negated version of the ICMP field. 3739 properties: 3740 code: 3741 description: Match on a specific ICMP code. If specified, 3742 the Type value must also be specified. This is a technical 3743 limitation imposed by the kernel's iptables firewall, 3744 which Calico uses to enforce the rule. 3745 type: integer 3746 type: 3747 description: Match on a specific ICMP type. For example 3748 a value of 8 refers to ICMP Echo Request (i.e. pings). 3749 type: integer 3750 type: object 3751 notProtocol: 3752 anyOf: 3753 - type: integer 3754 - type: string 3755 description: NotProtocol is the negated version of the Protocol 3756 field. 3757 pattern: ^.* 3758 x-kubernetes-int-or-string: true 3759 protocol: 3760 anyOf: 3761 - type: integer 3762 - type: string 3763 description: "Protocol is an optional field that restricts the 3764 rule to only apply to traffic of a specific IP protocol. Required 3765 if any of the EntityRules contain Ports (because ports only 3766 apply to certain protocols). 
\n Must be one of these string 3767 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3768 \"UDPLite\" or an integer in the range 1-255." 3769 pattern: ^.* 3770 x-kubernetes-int-or-string: true 3771 source: 3772 description: Source contains the match criteria that apply to 3773 source entity. 3774 properties: 3775 namespaceSelector: 3776 description: "NamespaceSelector is an optional field that 3777 contains a selector expression. Only traffic that originates 3778 from (or terminates at) endpoints within the selected 3779 namespaces will be matched. When both NamespaceSelector 3780 and another selector are defined on the same rule, then 3781 only workload endpoints that are matched by both selectors 3782 will be selected by the rule. \n For NetworkPolicy, an 3783 empty NamespaceSelector implies that the Selector is limited 3784 to selecting only workload endpoints in the same namespace 3785 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3786 NamespaceSelector implies that the Selector is limited 3787 to selecting only GlobalNetworkSet or HostEndpoint. \n 3788 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3789 the Selector applies to workload endpoints across all 3790 namespaces." 3791 type: string 3792 nets: 3793 description: Nets is an optional field that restricts the 3794 rule to only apply to traffic that originates from (or 3795 terminates at) IP addresses in any of the given subnets. 3796 items: 3797 type: string 3798 type: array 3799 notNets: 3800 description: NotNets is the negated version of the Nets 3801 field. 3802 items: 3803 type: string 3804 type: array 3805 notPorts: 3806 description: NotPorts is the negated version of the Ports 3807 field. Since only some protocols have ports, if any ports 3808 are specified it requires the Protocol match in the Rule 3809 to be set to "TCP" or "UDP". 
3810 items: 3811 anyOf: 3812 - type: integer 3813 - type: string 3814 pattern: ^.* 3815 x-kubernetes-int-or-string: true 3816 type: array 3817 notSelector: 3818 description: NotSelector is the negated version of the Selector 3819 field. See Selector field for subtleties with negated 3820 selectors. 3821 type: string 3822 ports: 3823 description: "Ports is an optional field that restricts 3824 the rule to only apply to traffic that has a source (destination) 3825 port that matches one of these ranges/values. This value 3826 is a list of integers or strings that represent ranges 3827 of ports. \n Since only some protocols have ports, if 3828 any ports are specified it requires the Protocol match 3829 in the Rule to be set to \"TCP\" or \"UDP\"." 3830 items: 3831 anyOf: 3832 - type: integer 3833 - type: string 3834 pattern: ^.* 3835 x-kubernetes-int-or-string: true 3836 type: array 3837 selector: 3838 description: "Selector is an optional field that contains 3839 a selector expression (see Policy for sample syntax). 3840 \ Only traffic that originates from (terminates at) endpoints 3841 matching the selector will be matched. \n Note that: in 3842 addition to the negated version of the Selector (see NotSelector 3843 below), the selector expression syntax itself supports 3844 negation. The two types of negation are subtly different. 3845 One negates the set of matched endpoints, the other negates 3846 the whole match: \n \tSelector = \"!has(my_label)\" matches 3847 packets that are from other Calico-controlled \tendpoints 3848 that do not have the label \"my_label\". \n \tNotSelector 3849 = \"has(my_label)\" matches packets that are not from 3850 Calico-controlled \tendpoints that do have the label \"my_label\". 3851 \n The effect is that the latter will accept packets from 3852 non-Calico sources whereas the former is limited to packets 3853 from Calico-controlled endpoints." 
3854 type: string 3855 serviceAccounts: 3856 description: ServiceAccounts is an optional field that restricts 3857 the rule to only apply to traffic that originates from 3858 (or terminates at) a pod running as a matching service 3859 account. 3860 properties: 3861 names: 3862 description: Names is an optional field that restricts 3863 the rule to only apply to traffic that originates 3864 from (or terminates at) a pod running as a service 3865 account whose name is in the list. 3866 items: 3867 type: string 3868 type: array 3869 selector: 3870 description: Selector is an optional field that restricts 3871 the rule to only apply to traffic that originates 3872 from (or terminates at) a pod running as a service 3873 account that matches the given label selector. If 3874 both Names and Selector are specified then they are 3875 AND'ed. 3876 type: string 3877 type: object 3878 services: 3879 description: "Services is an optional field that contains 3880 options for matching Kubernetes Services. If specified, 3881 only traffic that originates from or terminates at endpoints 3882 within the selected service(s) will be matched, and only 3883 to/from each endpoint's port. \n Services cannot be specified 3884 on the same rule as Selector, NotSelector, NamespaceSelector, 3885 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3886 can only be specified with Services on ingress rules." 3887 properties: 3888 name: 3889 description: Name specifies the name of a Kubernetes 3890 Service to match. 3891 type: string 3892 namespace: 3893 description: Namespace specifies the namespace of the 3894 given Service. If left empty, the rule will match 3895 within this policy's namespace. 3896 type: string 3897 type: object 3898 type: object 3899 required: 3900 - action 3901 type: object 3902 type: array 3903 ingress: 3904 description: The ordered set of ingress rules. Each rule contains 3905 a set of packet match criteria and a corresponding action to apply. 
3906 items: 3907 description: "A Rule encapsulates a set of match criteria and an 3908 action. Both selector-based security Policy and security Profiles 3909 reference rules - separated out as a list of rules for both ingress 3910 and egress packet matching. \n Each positive match criteria has 3911 a negated version, prefixed with \"Not\". All the match criteria 3912 within a rule must be satisfied for a packet to match. A single 3913 rule can contain the positive and negative version of a match 3914 and both must be satisfied for the rule to match." 3915 properties: 3916 action: 3917 type: string 3918 destination: 3919 description: Destination contains the match criteria that apply 3920 to destination entity. 3921 properties: 3922 namespaceSelector: 3923 description: "NamespaceSelector is an optional field that 3924 contains a selector expression. Only traffic that originates 3925 from (or terminates at) endpoints within the selected 3926 namespaces will be matched. When both NamespaceSelector 3927 and another selector are defined on the same rule, then 3928 only workload endpoints that are matched by both selectors 3929 will be selected by the rule. \n For NetworkPolicy, an 3930 empty NamespaceSelector implies that the Selector is limited 3931 to selecting only workload endpoints in the same namespace 3932 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3933 NamespaceSelector implies that the Selector is limited 3934 to selecting only GlobalNetworkSet or HostEndpoint. \n 3935 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3936 the Selector applies to workload endpoints across all 3937 namespaces." 3938 type: string 3939 nets: 3940 description: Nets is an optional field that restricts the 3941 rule to only apply to traffic that originates from (or 3942 terminates at) IP addresses in any of the given subnets. 3943 items: 3944 type: string 3945 type: array 3946 notNets: 3947 description: NotNets is the negated version of the Nets 3948 field. 
3949 items: 3950 type: string 3951 type: array 3952 notPorts: 3953 description: NotPorts is the negated version of the Ports 3954 field. Since only some protocols have ports, if any ports 3955 are specified it requires the Protocol match in the Rule 3956 to be set to "TCP" or "UDP". 3957 items: 3958 anyOf: 3959 - type: integer 3960 - type: string 3961 pattern: ^.* 3962 x-kubernetes-int-or-string: true 3963 type: array 3964 notSelector: 3965 description: NotSelector is the negated version of the Selector 3966 field. See Selector field for subtleties with negated 3967 selectors. 3968 type: string 3969 ports: 3970 description: "Ports is an optional field that restricts 3971 the rule to only apply to traffic that has a source (destination) 3972 port that matches one of these ranges/values. This value 3973 is a list of integers or strings that represent ranges 3974 of ports. \n Since only some protocols have ports, if 3975 any ports are specified it requires the Protocol match 3976 in the Rule to be set to \"TCP\" or \"UDP\"." 3977 items: 3978 anyOf: 3979 - type: integer 3980 - type: string 3981 pattern: ^.* 3982 x-kubernetes-int-or-string: true 3983 type: array 3984 selector: 3985 description: "Selector is an optional field that contains 3986 a selector expression (see Policy for sample syntax). 3987 \ Only traffic that originates from (terminates at) endpoints 3988 matching the selector will be matched. \n Note that: in 3989 addition to the negated version of the Selector (see NotSelector 3990 below), the selector expression syntax itself supports 3991 negation. The two types of negation are subtly different. 3992 One negates the set of matched endpoints, the other negates 3993 the whole match: \n \tSelector = \"!has(my_label)\" matches 3994 packets that are from other Calico-controlled \tendpoints 3995 that do not have the label \"my_label\". 
\n \tNotSelector 3996 = \"has(my_label)\" matches packets that are not from 3997 Calico-controlled \tendpoints that do have the label \"my_label\". 3998 \n The effect is that the latter will accept packets from 3999 non-Calico sources whereas the former is limited to packets 4000 from Calico-controlled endpoints." 4001 type: string 4002 serviceAccounts: 4003 description: ServiceAccounts is an optional field that restricts 4004 the rule to only apply to traffic that originates from 4005 (or terminates at) a pod running as a matching service 4006 account. 4007 properties: 4008 names: 4009 description: Names is an optional field that restricts 4010 the rule to only apply to traffic that originates 4011 from (or terminates at) a pod running as a service 4012 account whose name is in the list. 4013 items: 4014 type: string 4015 type: array 4016 selector: 4017 description: Selector is an optional field that restricts 4018 the rule to only apply to traffic that originates 4019 from (or terminates at) a pod running as a service 4020 account that matches the given label selector. If 4021 both Names and Selector are specified then they are 4022 AND'ed. 4023 type: string 4024 type: object 4025 services: 4026 description: "Services is an optional field that contains 4027 options for matching Kubernetes Services. If specified, 4028 only traffic that originates from or terminates at endpoints 4029 within the selected service(s) will be matched, and only 4030 to/from each endpoint's port. \n Services cannot be specified 4031 on the same rule as Selector, NotSelector, NamespaceSelector, 4032 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4033 can only be specified with Services on ingress rules." 4034 properties: 4035 name: 4036 description: Name specifies the name of a Kubernetes 4037 Service to match. 4038 type: string 4039 namespace: 4040 description: Namespace specifies the namespace of the 4041 given Service. 
If left empty, the rule will match 4042 within this policy's namespace. 4043 type: string 4044 type: object 4045 type: object 4046 http: 4047 description: HTTP contains match criteria that apply to HTTP 4048 requests. 4049 properties: 4050 methods: 4051 description: Methods is an optional field that restricts 4052 the rule to apply only to HTTP requests that use one of 4053 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 4054 methods are OR'd together. 4055 items: 4056 type: string 4057 type: array 4058 paths: 4059 description: 'Paths is an optional field that restricts 4060 the rule to apply to HTTP requests that use one of the 4061 listed HTTP Paths. Multiple paths are OR''d together. 4062 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 4063 ONLY specify either a `exact` or a `prefix` match. The 4064 validator will check for it.' 4065 items: 4066 description: 'HTTPPath specifies an HTTP path to match. 4067 It may be either of the form: exact: <path>: which matches 4068 the path exactly or prefix: <path-prefix>: which matches 4069 the path prefix' 4070 properties: 4071 exact: 4072 type: string 4073 prefix: 4074 type: string 4075 type: object 4076 type: array 4077 type: object 4078 icmp: 4079 description: ICMP is an optional field that restricts the rule 4080 to apply to a specific type and code of ICMP traffic. This 4081 should only be specified if the Protocol field is set to "ICMP" 4082 or "ICMPv6". 4083 properties: 4084 code: 4085 description: Match on a specific ICMP code. If specified, 4086 the Type value must also be specified. This is a technical 4087 limitation imposed by the kernel's iptables firewall, 4088 which Calico uses to enforce the rule. 4089 type: integer 4090 type: 4091 description: Match on a specific ICMP type. For example 4092 a value of 8 refers to ICMP Echo Request (i.e. pings). 
4093 type: integer 4094 type: object 4095 ipVersion: 4096 description: IPVersion is an optional field that restricts the 4097 rule to only match a specific IP version. 4098 type: integer 4099 metadata: 4100 description: Metadata contains additional information for this 4101 rule 4102 properties: 4103 annotations: 4104 additionalProperties: 4105 type: string 4106 description: Annotations is a set of key value pairs that 4107 give extra information about the rule 4108 type: object 4109 type: object 4110 notICMP: 4111 description: NotICMP is the negated version of the ICMP field. 4112 properties: 4113 code: 4114 description: Match on a specific ICMP code. If specified, 4115 the Type value must also be specified. This is a technical 4116 limitation imposed by the kernel's iptables firewall, 4117 which Calico uses to enforce the rule. 4118 type: integer 4119 type: 4120 description: Match on a specific ICMP type. For example 4121 a value of 8 refers to ICMP Echo Request (i.e. pings). 4122 type: integer 4123 type: object 4124 notProtocol: 4125 anyOf: 4126 - type: integer 4127 - type: string 4128 description: NotProtocol is the negated version of the Protocol 4129 field. 4130 pattern: ^.* 4131 x-kubernetes-int-or-string: true 4132 protocol: 4133 anyOf: 4134 - type: integer 4135 - type: string 4136 description: "Protocol is an optional field that restricts the 4137 rule to only apply to traffic of a specific IP protocol. Required 4138 if any of the EntityRules contain Ports (because ports only 4139 apply to certain protocols). \n Must be one of these string 4140 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 4141 \"UDPLite\" or an integer in the range 1-255." 4142 pattern: ^.* 4143 x-kubernetes-int-or-string: true 4144 source: 4145 description: Source contains the match criteria that apply to 4146 source entity. 4147 properties: 4148 namespaceSelector: 4149 description: "NamespaceSelector is an optional field that 4150 contains a selector expression. 
Only traffic that originates 4151 from (or terminates at) endpoints within the selected 4152 namespaces will be matched. When both NamespaceSelector 4153 and another selector are defined on the same rule, then 4154 only workload endpoints that are matched by both selectors 4155 will be selected by the rule. \n For NetworkPolicy, an 4156 empty NamespaceSelector implies that the Selector is limited 4157 to selecting only workload endpoints in the same namespace 4158 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4159 NamespaceSelector implies that the Selector is limited 4160 to selecting only GlobalNetworkSet or HostEndpoint. \n 4161 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4162 the Selector applies to workload endpoints across all 4163 namespaces." 4164 type: string 4165 nets: 4166 description: Nets is an optional field that restricts the 4167 rule to only apply to traffic that originates from (or 4168 terminates at) IP addresses in any of the given subnets. 4169 items: 4170 type: string 4171 type: array 4172 notNets: 4173 description: NotNets is the negated version of the Nets 4174 field. 4175 items: 4176 type: string 4177 type: array 4178 notPorts: 4179 description: NotPorts is the negated version of the Ports 4180 field. Since only some protocols have ports, if any ports 4181 are specified it requires the Protocol match in the Rule 4182 to be set to "TCP" or "UDP". 4183 items: 4184 anyOf: 4185 - type: integer 4186 - type: string 4187 pattern: ^.* 4188 x-kubernetes-int-or-string: true 4189 type: array 4190 notSelector: 4191 description: NotSelector is the negated version of the Selector 4192 field. See Selector field for subtleties with negated 4193 selectors. 4194 type: string 4195 ports: 4196 description: "Ports is an optional field that restricts 4197 the rule to only apply to traffic that has a source (destination) 4198 port that matches one of these ranges/values. 
This value 4199 is a list of integers or strings that represent ranges 4200 of ports. \n Since only some protocols have ports, if 4201 any ports are specified it requires the Protocol match 4202 in the Rule to be set to \"TCP\" or \"UDP\"." 4203 items: 4204 anyOf: 4205 - type: integer 4206 - type: string 4207 pattern: ^.* 4208 x-kubernetes-int-or-string: true 4209 type: array 4210 selector: 4211 description: "Selector is an optional field that contains 4212 a selector expression (see Policy for sample syntax). 4213 \ Only traffic that originates from (terminates at) endpoints 4214 matching the selector will be matched. \n Note that: in 4215 addition to the negated version of the Selector (see NotSelector 4216 below), the selector expression syntax itself supports 4217 negation. The two types of negation are subtly different. 4218 One negates the set of matched endpoints, the other negates 4219 the whole match: \n \tSelector = \"!has(my_label)\" matches 4220 packets that are from other Calico-controlled \tendpoints 4221 that do not have the label \"my_label\". \n \tNotSelector 4222 = \"has(my_label)\" matches packets that are not from 4223 Calico-controlled \tendpoints that do have the label \"my_label\". 4224 \n The effect is that the latter will accept packets from 4225 non-Calico sources whereas the former is limited to packets 4226 from Calico-controlled endpoints." 4227 type: string 4228 serviceAccounts: 4229 description: ServiceAccounts is an optional field that restricts 4230 the rule to only apply to traffic that originates from 4231 (or terminates at) a pod running as a matching service 4232 account. 4233 properties: 4234 names: 4235 description: Names is an optional field that restricts 4236 the rule to only apply to traffic that originates 4237 from (or terminates at) a pod running as a service 4238 account whose name is in the list. 
4239 items: 4240 type: string 4241 type: array 4242 selector: 4243 description: Selector is an optional field that restricts 4244 the rule to only apply to traffic that originates 4245 from (or terminates at) a pod running as a service 4246 account that matches the given label selector. If 4247 both Names and Selector are specified then they are 4248 AND'ed. 4249 type: string 4250 type: object 4251 services: 4252 description: "Services is an optional field that contains 4253 options for matching Kubernetes Services. If specified, 4254 only traffic that originates from or terminates at endpoints 4255 within the selected service(s) will be matched, and only 4256 to/from each endpoint's port. \n Services cannot be specified 4257 on the same rule as Selector, NotSelector, NamespaceSelector, 4258 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4259 can only be specified with Services on ingress rules." 4260 properties: 4261 name: 4262 description: Name specifies the name of a Kubernetes 4263 Service to match. 4264 type: string 4265 namespace: 4266 description: Namespace specifies the namespace of the 4267 given Service. If left empty, the rule will match 4268 within this policy's namespace. 4269 type: string 4270 type: object 4271 type: object 4272 required: 4273 - action 4274 type: object 4275 type: array 4276 order: 4277 description: Order is an optional field that specifies the order in 4278 which the policy is applied. Policies with higher "order" are applied 4279 after those with lower order. If the order is omitted, it may be 4280 considered to be "infinite" - i.e. the policy will be applied last. Policies 4281 with identical order will be applied in alphanumerical order based 4282 on the Policy "Name". 4283 type: number 4284 performanceHints: 4285 description: "PerformanceHints contains a list of hints to Calico's 4286 policy engine to help process the policy more efficiently. Hints 4287 never change the enforcement behaviour of the policy. 
\n Currently, 4288 the only available hint is \"AssumeNeededOnEveryNode\". When that 4289 hint is set on a policy, Felix will act as if the policy matches 4290 a local endpoint even if it does not. This is useful for \"preloading\" 4291 any large static policies that are known to be used on every node. 4292 If the policy is _not_ used on a particular node then the work done 4293 to preload the policy (and to maintain it) is wasted." 4294 items: 4295 type: string 4296 type: array 4297 selector: 4298 description: "The selector is an expression used to pick pick out 4299 the endpoints that the policy should be applied to. \n Selector 4300 expressions follow this syntax: \n \tlabel == \"string_literal\" 4301 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 4302 \ -> not equal; also matches if label is not present \tlabel in 4303 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 4304 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 4305 ... } -> true if the value of label X is not one of \"a\", \"b\", 4306 \"c\" \thas(label_name) -> True if that label is present \t! expr 4307 -> negation of expr \texpr && expr -> Short-circuit and \texpr 4308 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 4309 or the empty selector -> matches all endpoints. \n Label names are 4310 allowed to contain alphanumerics, -, _ and /. String literals are 4311 more permissive but they do not support escape characters. \n Examples 4312 (with made-up labels): \n \ttype == \"webserver\" && deployment 4313 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 4314 \"dev\" \t! has(label_name)" 4315 type: string 4316 serviceAccountSelector: 4317 description: ServiceAccountSelector is an optional field for an expression 4318 used to select a pod based on service accounts. 4319 type: string 4320 types: 4321 description: "Types indicates whether this policy applies to ingress, 4322 or to egress, or to both. 
When not explicitly specified (and so 4323 the value on creation is empty or nil), Calico defaults Types according 4324 to what Ingress and Egress are present in the policy. The default 4325 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 4326 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 4327 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 4328 PolicyTypeEgress ], if there are both Ingress and Egress rules. 4329 \n When the policy is read back again, Types will always be one 4330 of these values, never empty or nil." 4331 items: 4332 description: PolicyType enumerates the possible values of the PolicySpec 4333 Types field. 4334 type: string 4335 type: array 4336 type: object 4337 type: object 4338 served: true 4339 storage: true 4340 status: 4341 acceptedNames: 4342 kind: "" 4343 plural: "" 4344 conditions: [] 4345 storedVersions: [] 4346 --- 4347 # Source: calico/templates/kdd-crds.yaml 4348 apiVersion: apiextensions.k8s.io/v1 4349 kind: CustomResourceDefinition 4350 metadata: 4351 name: networksets.crd.projectcalico.org 4352 spec: 4353 group: crd.projectcalico.org 4354 names: 4355 kind: NetworkSet 4356 listKind: NetworkSetList 4357 plural: networksets 4358 singular: networkset 4359 preserveUnknownFields: false 4360 scope: Namespaced 4361 versions: 4362 - name: v1 4363 schema: 4364 openAPIV3Schema: 4365 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 4366 properties: 4367 apiVersion: 4368 description: 'APIVersion defines the versioned schema of this representation 4369 of an object. Servers should convert recognized schemas to the latest 4370 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4371 type: string 4372 kind: 4373 description: 'Kind is a string value representing the REST resource this 4374 object represents. 
Servers may infer this from the endpoint the client 4375 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4376 type: string 4377 metadata: 4378 type: object 4379 spec: 4380 description: NetworkSetSpec contains the specification for a NetworkSet 4381 resource. 4382 properties: 4383 nets: 4384 description: The list of IP networks that belong to this set. 4385 items: 4386 type: string 4387 type: array 4388 type: object 4389 type: object 4390 served: true 4391 storage: true 4392 status: 4393 acceptedNames: 4394 kind: "" 4395 plural: "" 4396 conditions: [] 4397 storedVersions: [] 4398 --- 4399 # Source: calico/templates/calico-kube-controllers-rbac.yaml 4400 # Include a clusterrole for the kube-controllers component, 4401 # and bind it to the calico-kube-controllers serviceaccount. 4402 kind: ClusterRole 4403 apiVersion: rbac.authorization.k8s.io/v1 4404 metadata: 4405 name: calico-kube-controllers 4406 rules: 4407 # Nodes are watched to monitor for deletions. 4408 - apiGroups: [""] 4409 resources: 4410 - nodes 4411 verbs: 4412 - watch 4413 - list 4414 - get 4415 # Pods are watched to check for existence as part of IPAM controller. 4416 - apiGroups: [""] 4417 resources: 4418 - pods 4419 verbs: 4420 - get 4421 - list 4422 - watch 4423 # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. 4424 - apiGroups: ["crd.projectcalico.org"] 4425 resources: 4426 - ipreservations 4427 verbs: 4428 - list 4429 - apiGroups: ["crd.projectcalico.org"] 4430 resources: 4431 - blockaffinities 4432 - ipamblocks 4433 - ipamhandles 4434 verbs: 4435 - get 4436 - list 4437 - create 4438 - update 4439 - delete 4440 - watch 4441 # Pools are watched to maintain a mapping of blocks to IP pools. 
4442 - apiGroups: ["crd.projectcalico.org"] 4443 resources: 4444 - ippools 4445 verbs: 4446 - list 4447 - watch 4448 # kube-controllers manages hostendpoints. 4449 - apiGroups: ["crd.projectcalico.org"] 4450 resources: 4451 - hostendpoints 4452 verbs: 4453 - get 4454 - list 4455 - create 4456 - update 4457 - delete 4458 # Needs access to update clusterinformations. 4459 - apiGroups: ["crd.projectcalico.org"] 4460 resources: 4461 - clusterinformations 4462 verbs: 4463 - get 4464 - list 4465 - create 4466 - update 4467 - watch 4468 # KubeControllersConfiguration is where it gets its config 4469 - apiGroups: ["crd.projectcalico.org"] 4470 resources: 4471 - kubecontrollersconfigurations 4472 verbs: 4473 # read its own config 4474 - get 4475 # create a default if none exists 4476 - create 4477 # update status 4478 - update 4479 # watch for changes 4480 - watch 4481 --- 4482 # Source: calico/templates/calico-node-rbac.yaml 4483 # Include a clusterrole for the calico-node DaemonSet, 4484 # and bind it to the calico-node serviceaccount. 4485 kind: ClusterRole 4486 apiVersion: rbac.authorization.k8s.io/v1 4487 metadata: 4488 name: calico-node 4489 rules: 4490 # Used for creating service account tokens to be used by the CNI plugin 4491 - apiGroups: [""] 4492 resources: 4493 - serviceaccounts/token 4494 resourceNames: 4495 - calico-cni-plugin 4496 verbs: 4497 - create 4498 # The CNI plugin needs to get pods, nodes, and namespaces. 4499 - apiGroups: [""] 4500 resources: 4501 - pods 4502 - nodes 4503 - namespaces 4504 verbs: 4505 - get 4506 # EndpointSlices are used for Service-based network policy rule 4507 # enforcement. 4508 - apiGroups: ["discovery.k8s.io"] 4509 resources: 4510 - endpointslices 4511 verbs: 4512 - watch 4513 - list 4514 - apiGroups: [""] 4515 resources: 4516 - endpoints 4517 - services 4518 verbs: 4519 # Used to discover service IPs for advertisement. 4520 - watch 4521 - list 4522 # Used to discover Typhas. 
4523 - get 4524 # Pod CIDR auto-detection on kubeadm needs access to config maps. 4525 - apiGroups: [""] 4526 resources: 4527 - configmaps 4528 verbs: 4529 - get 4530 - apiGroups: [""] 4531 resources: 4532 - nodes/status 4533 verbs: 4534 # Needed for clearing NodeNetworkUnavailable flag. 4535 - patch 4536 # Calico stores some configuration information in node annotations. 4537 - update 4538 # Watch for changes to Kubernetes NetworkPolicies. 4539 - apiGroups: ["networking.k8s.io"] 4540 resources: 4541 - networkpolicies 4542 verbs: 4543 - watch 4544 - list 4545 # Used by Calico for policy information. 4546 - apiGroups: [""] 4547 resources: 4548 - pods 4549 - namespaces 4550 - serviceaccounts 4551 verbs: 4552 - list 4553 - watch 4554 # The CNI plugin patches pods/status. 4555 - apiGroups: [""] 4556 resources: 4557 - pods/status 4558 verbs: 4559 - patch 4560 # Calico monitors various CRDs for config. 4561 - apiGroups: ["crd.projectcalico.org"] 4562 resources: 4563 - globalfelixconfigs 4564 - felixconfigurations 4565 - bgppeers 4566 - bgpfilters 4567 - globalbgpconfigs 4568 - bgpconfigurations 4569 - ippools 4570 - ipreservations 4571 - ipamblocks 4572 - globalnetworkpolicies 4573 - globalnetworksets 4574 - networkpolicies 4575 - networksets 4576 - clusterinformations 4577 - hostendpoints 4578 - blockaffinities 4579 - caliconodestatuses 4580 verbs: 4581 - get 4582 - list 4583 - watch 4584 # Calico must create and update some CRDs on startup. 4585 - apiGroups: ["crd.projectcalico.org"] 4586 resources: 4587 - ippools 4588 - felixconfigurations 4589 - clusterinformations 4590 verbs: 4591 - create 4592 - update 4593 # Calico must update some CRDs. 4594 - apiGroups: [ "crd.projectcalico.org" ] 4595 resources: 4596 - caliconodestatuses 4597 verbs: 4598 - update 4599 # Calico stores some configuration information on the node. 
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  # NOTE(review): on a fresh installation (and the istio-testing image
  # mirror used further down suggests a throwaway test cluster) the two
  # upgrade-only rule sets in this role -- create/update on
  # bgpconfigurations/bgppeers here, and get on apps/daemonsets at the end
  # -- are never exercised. Drop them so the calico-node ClusterRole stays
  # at what it actually uses; create/update on the BGP objects is the one
  # worth shedding first, since it lets a compromised calico-node pod
  # change the cluster's BGP configuration/peering objects rather than
  # only read them (get/list/watch is granted separately above).
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # The CNI plugin and calico/node need to be able to create a default
  # IPAMConfiguration.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
      - create
  # Block affinities must also be watchable by confd for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # The Calico IPAM migration needs to get daemonsets. These permissions can be
  # removed if not upgrading from an installation using host-local IPAM
  # (i.e. whenever the upgrade-ipam init container is not needed either).
4644 - apiGroups: ["apps"] 4645 resources: 4646 - daemonsets 4647 verbs: 4648 - get 4649 --- 4650 # Source: calico/templates/calico-node-rbac.yaml 4651 # CNI cluster role 4652 kind: ClusterRole 4653 apiVersion: rbac.authorization.k8s.io/v1 4654 metadata: 4655 name: calico-cni-plugin 4656 rules: 4657 - apiGroups: [""] 4658 resources: 4659 - pods 4660 - nodes 4661 - namespaces 4662 verbs: 4663 - get 4664 - apiGroups: [""] 4665 resources: 4666 - pods/status 4667 verbs: 4668 - patch 4669 - apiGroups: ["crd.projectcalico.org"] 4670 resources: 4671 - blockaffinities 4672 - ipamblocks 4673 - ipamhandles 4674 - clusterinformations 4675 - ippools 4676 - ipreservations 4677 - ipamconfigs 4678 verbs: 4679 - get 4680 - list 4681 - create 4682 - update 4683 - delete 4684 --- 4685 # Source: calico/templates/calico-kube-controllers-rbac.yaml 4686 kind: ClusterRoleBinding 4687 apiVersion: rbac.authorization.k8s.io/v1 4688 metadata: 4689 name: calico-kube-controllers 4690 roleRef: 4691 apiGroup: rbac.authorization.k8s.io 4692 kind: ClusterRole 4693 name: calico-kube-controllers 4694 subjects: 4695 - kind: ServiceAccount 4696 name: calico-kube-controllers 4697 namespace: kube-system 4698 --- 4699 # Source: calico/templates/calico-node-rbac.yaml 4700 apiVersion: rbac.authorization.k8s.io/v1 4701 kind: ClusterRoleBinding 4702 metadata: 4703 name: calico-node 4704 roleRef: 4705 apiGroup: rbac.authorization.k8s.io 4706 kind: ClusterRole 4707 name: calico-node 4708 subjects: 4709 - kind: ServiceAccount 4710 name: calico-node 4711 namespace: kube-system 4712 --- 4713 # Source: calico/templates/calico-node-rbac.yaml 4714 apiVersion: rbac.authorization.k8s.io/v1 4715 kind: ClusterRoleBinding 4716 metadata: 4717 name: calico-cni-plugin 4718 roleRef: 4719 apiGroup: rbac.authorization.k8s.io 4720 kind: ClusterRole 4721 name: calico-cni-plugin 4722 subjects: 4723 - kind: ServiceAccount 4724 name: calico-cni-plugin 4725 namespace: kube-system 4726 --- 4727 # Source: 
calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # NOTE(review): hostNetwork together with the privileged init and main
      # containers and the hostPath volumes further down makes this pod
      # equivalent to root on every node. Write access to this DaemonSet or to
      # the calico-node ServiceAccount, or the ability to exec into its pods,
      # should be treated as node-root cluster-wide.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      priorityClassName: system-node-critical
      initContainers:
        # This container performs upgrade from host-local IPAM to calico-ipam.
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        # NOTE(review): it runs privileged with a read-write mount of the host's
        # /opt/cni/bin. On a fresh cluster, deleting it (plus the
        # host-local-net-dir volume and the apps/daemonsets RBAC rule that exist
        # only for it) removes one privileged container from every node.
        - name: upgrade-ipam
          # NOTE(review): every Calico image in this manifest is pinned to a
          # mutable tag on the istio-testing mirror, not to a digest. With
          # IfNotPresent, a re-pushed tag silently changes what a fresh node
          # runs; pin image@sha256:... for a reproducible supply chain.
          image: gcr.io/istio-testing/calico/cni:v3.27.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                # NOTE(review): this ConfigMap is optional and read from
                # kube-system; anyone who can create or write it can repoint
                # every calico-node at a different API server endpoint, so
                # ConfigMap write access in kube-system must stay tightly scoped.
4779 name: kubernetes-services-endpoint 4780 optional: true 4781 env: 4782 - name: KUBERNETES_NODE_NAME 4783 valueFrom: 4784 fieldRef: 4785 fieldPath: spec.nodeName 4786 - name: CALICO_NETWORKING_BACKEND 4787 valueFrom: 4788 configMapKeyRef: 4789 name: calico-config 4790 key: calico_backend 4791 volumeMounts: 4792 - mountPath: /var/lib/cni/networks 4793 name: host-local-net-dir 4794 - mountPath: /host/opt/cni/bin 4795 name: cni-bin-dir 4796 securityContext: 4797 privileged: true 4798 # This container installs the CNI binaries 4799 # and CNI network config file on each node. 4800 - name: install-cni 4801 image: gcr.io/istio-testing/calico/cni:v3.27.0 4802 imagePullPolicy: IfNotPresent 4803 command: ["/opt/cni/bin/install"] 4804 envFrom: 4805 - configMapRef: 4806 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 4807 name: kubernetes-services-endpoint 4808 optional: true 4809 env: 4810 # Name of the CNI config file to create. 4811 - name: CNI_CONF_NAME 4812 value: "10-calico.conflist" 4813 # The CNI network config to install on each node. 4814 - name: CNI_NETWORK_CONFIG 4815 valueFrom: 4816 configMapKeyRef: 4817 name: calico-config 4818 key: cni_network_config 4819 # Set the hostname based on the k8s node name. 4820 - name: KUBERNETES_NODE_NAME 4821 valueFrom: 4822 fieldRef: 4823 fieldPath: spec.nodeName 4824 # CNI MTU Config variable 4825 - name: CNI_MTU 4826 valueFrom: 4827 configMapKeyRef: 4828 name: calico-config 4829 key: veth_mtu 4830 # Prevents the container from sleeping forever. 4831 - name: SLEEP 4832 value: "false" 4833 volumeMounts: 4834 - mountPath: /host/opt/cni/bin 4835 name: cni-bin-dir 4836 - mountPath: /host/etc/cni/net.d 4837 name: cni-net-dir 4838 securityContext: 4839 privileged: true 4840 # This init container mounts the necessary filesystems needed by the BPF data plane 4841 # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. 
Calico-node initialisation is executed 4842 # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. 4843 - name: "mount-bpffs" 4844 image: gcr.io/istio-testing/calico/node:v3.27.0 4845 imagePullPolicy: IfNotPresent 4846 command: ["calico-node", "-init", "-best-effort"] 4847 volumeMounts: 4848 - mountPath: /sys/fs 4849 name: sys-fs 4850 # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host 4851 # so that it outlives the init container. 4852 mountPropagation: Bidirectional 4853 - mountPath: /var/run/calico 4854 name: var-run-calico 4855 # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host 4856 # so that it outlives the init container. 4857 mountPropagation: Bidirectional 4858 # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, 4859 # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. 4860 - mountPath: /nodeproc 4861 name: nodeproc 4862 readOnly: true 4863 securityContext: 4864 privileged: true 4865 containers: 4866 # Runs calico-node container on each Kubernetes node. This 4867 # container programs network policy and routes on each 4868 # host. 4869 - name: calico-node 4870 image: gcr.io/istio-testing/calico/node:v3.27.0 4871 imagePullPolicy: IfNotPresent 4872 envFrom: 4873 - configMapRef: 4874 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 4875 name: kubernetes-services-endpoint 4876 optional: true 4877 env: 4878 # Use Kubernetes API as the backing datastore. 4879 - name: DATASTORE_TYPE 4880 value: "kubernetes" 4881 # Wait for the datastore. 4882 - name: WAIT_FOR_DATASTORE 4883 value: "true" 4884 # Set based on the k8s node name. 4885 - name: NODENAME 4886 valueFrom: 4887 fieldRef: 4888 fieldPath: spec.nodeName 4889 # Choose the backend to use. 
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # Enable IPIP encapsulation on the default IPv4 pool.
            # NOTE(review): IPIP encapsulates but does not encrypt, and this
            # manifest does not enable WireGuard (only FELIX_WIREGUARDMTU is set,
            # no FELIX_WIREGUARDENABLED), so inter-node pod traffic is cleartext
            # on the underlay. Fine for a test cluster; not for one whose network
            # carries untrusted tenants.
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Enable or Disable VXLAN on the default IP pool.
            - name: CALICO_IPV4POOL_VXLAN
              value: "Never"
            # Enable or Disable VXLAN on the default IPv6 IP pool.
            - name: CALICO_IPV6POOL_VXLAN
              value: "Never"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Set MTU for the VXLAN tunnel device.
            - name: FELIX_VXLANMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Set MTU for the Wireguard tunnel device.
            - name: FELIX_WIREGUARDMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "192.168.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix's endpoint-to-host default action to ACCEPT: packets from a
            # local workload addressed to its own host (after the workload's egress
            # policy has been applied) are accepted rather than dropped.
            # NOTE(review): Calico's upstream default for this setting is Drop.
            # ACCEPT is the permissive choice -- it lets pods reach host-local
            # services (kubelet, node agents, ...) on their node. Acceptable on a
            # throwaway test cluster; on anything running untrusted workloads
            # keep Drop, or pair ACCEPT with explicit host-endpoint policy.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            - name: FELIX_HEALTHENABLED
              value: "true"
          # Privileged is required here: calico-node programs iptables and routes
          # on the host and, in BPF mode, uses the bpffs mounted below. Together
          # with hostNetwork and the hostPath volumes this container is node-root;
          # there is no way to drop this for a CNI agent, so the control is who
          # may modify this DaemonSet, not the container itself.
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/calico-node
                  - -shutdown
          livenessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-live
                - -bird-live
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-ready
                - -bird-ready
            periodSeconds: 10
            timeoutSeconds: 10
          volumeMounts:
            # For maintaining CNI plugin API credentials: calico-node keeps the
            # CNI plugin's kubeconfig/token under /etc/cni/net.d on the host,
            # minted for the calico-cni-plugin ServiceAccount via the
            # serviceaccounts/token rule in the calico-node ClusterRole.
            # NOTE(review): anything that can read that directory on the host
            # holds the calico-cni-plugin SA's API access (IPAM objects,
            # pods/status patch, get on pods/nodes/namespaces), so keep host
            # permissions on /etc/cni/net.d root-only.
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
              readOnly: false
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            - name: policysync
              mountPath: /var/run/nodeagent
            # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
            # parent directory.
            - name: bpffs
              mountPath: /sys/fs/bpf
            - name: cni-log-dir
              mountPath: /var/log/calico/cni
              readOnly: true
      volumes:
        # Used by calico-node.
5001 - name: lib-modules 5002 hostPath: 5003 path: /lib/modules 5004 - name: var-run-calico 5005 hostPath: 5006 path: /var/run/calico 5007 - name: var-lib-calico 5008 hostPath: 5009 path: /var/lib/calico 5010 - name: xtables-lock 5011 hostPath: 5012 path: /run/xtables.lock 5013 type: FileOrCreate 5014 - name: sys-fs 5015 hostPath: 5016 path: /sys/fs/ 5017 type: DirectoryOrCreate 5018 - name: bpffs 5019 hostPath: 5020 path: /sys/fs/bpf 5021 type: Directory 5022 # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. 5023 - name: nodeproc 5024 hostPath: 5025 path: /proc 5026 # Used to install CNI. 5027 - name: cni-bin-dir 5028 hostPath: 5029 path: /opt/cni/bin 5030 - name: cni-net-dir 5031 hostPath: 5032 path: /etc/cni/net.d 5033 # Used to access CNI logs. 5034 - name: cni-log-dir 5035 hostPath: 5036 path: /var/log/calico/cni 5037 # Mount in the directory for host-local IPAM allocations. This is 5038 # used when upgrading from host-local to calico-ipam, and can be removed 5039 # if not using the upgrade-ipam init container. 5040 - name: host-local-net-dir 5041 hostPath: 5042 path: /var/lib/cni/networks 5043 # Used to create per-pod Unix Domain Sockets 5044 - name: policysync 5045 hostPath: 5046 type: DirectoryOrCreate 5047 path: /var/run/nodeagent 5048 --- 5049 # Source: calico/templates/calico-kube-controllers.yaml 5050 # See https://github.com/projectcalico/kube-controllers 5051 apiVersion: apps/v1 5052 kind: Deployment 5053 metadata: 5054 name: calico-kube-controllers 5055 namespace: kube-system 5056 labels: 5057 k8s-app: calico-kube-controllers 5058 spec: 5059 # The controllers can only have a single active instance. 
5060 replicas: 1 5061 selector: 5062 matchLabels: 5063 k8s-app: calico-kube-controllers 5064 strategy: 5065 type: Recreate 5066 template: 5067 metadata: 5068 name: calico-kube-controllers 5069 namespace: kube-system 5070 labels: 5071 k8s-app: calico-kube-controllers 5072 spec: 5073 nodeSelector: 5074 kubernetes.io/os: linux 5075 tolerations: 5076 # Mark the pod as a critical add-on for rescheduling. 5077 - key: CriticalAddonsOnly 5078 operator: Exists 5079 - key: node-role.kubernetes.io/master 5080 effect: NoSchedule 5081 - key: node-role.kubernetes.io/control-plane 5082 effect: NoSchedule 5083 serviceAccountName: calico-kube-controllers 5084 priorityClassName: system-cluster-critical 5085 containers: 5086 - name: calico-kube-controllers 5087 image: gcr.io/istio-testing/calico/kube-controllers:v3.27.0 5088 imagePullPolicy: IfNotPresent 5089 env: 5090 # Choose which controllers to run. 5091 - name: ENABLED_CONTROLLERS 5092 value: node 5093 - name: DATASTORE_TYPE 5094 value: kubernetes 5095 livenessProbe: 5096 exec: 5097 command: 5098 - /usr/bin/check-status 5099 - -l 5100 periodSeconds: 10 5101 initialDelaySeconds: 10 5102 failureThreshold: 6 5103 timeoutSeconds: 10 5104 readinessProbe: 5105 exec: 5106 command: 5107 - /usr/bin/check-status 5108 - -r 5109 periodSeconds: 10