k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cluster/addons/calico-policy-controller/felixconfigurations-crd.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
  name: felixconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: FelixConfiguration
    listKind: FelixConfigurationList
    plural: felixconfigurations
    singular: felixconfiguration
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: Felix Configuration contains the configuration for Felix.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: FelixConfigurationSpec contains the values of the Felix configuration.
            properties:
              allowIPIPPacketsFromWorkloads:
                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads [Default: false]'
                type: boolean
              allowVXLANPacketsFromWorkloads:
                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads [Default: false]'
                type: boolean
              awsSrcDstCheck:
                description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enable" or "Disable" (these are the values the enum below admits). [Default: DoNothing]'
                enum:
                - DoNothing
                - Enable
                - Disable
                type: string
              bpfConnectTimeLoadBalancingEnabled:
                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. [Default: true]'
                type: boolean
              bpfDataIfacePattern:
                description: 'BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
                type: string
              bpfDisableUnprivileged:
                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico''s BPF maps and cannot insert their own BPF programs to interfere with Calico''s. [Default: true]'
                type: boolean
              bpfEnabled:
                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]'
                type: boolean
              bpfExternalServiceMode:
                description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]'
                type: string
              bpfKubeProxyEndpointSlicesEnabled:
                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.
                type: boolean
              bpfKubeProxyIptablesCleanupEnabled:
                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]'
                type: boolean
              bpfKubeProxyMinSyncPeriod:
                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix''s embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]'
                type: string
              bpfLogLevel:
                description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].'
                type: string
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel’s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico’s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                type: string
              debugDisableLogDropping:
                type: boolean
              debugMemoryProfilePath:
                type: string
              debugSimulateCalcGraphHangAfter:
                type: string
              debugSimulateDataplaneHangAfter:
                type: string
              defaultEndpointToHostAction:
                description: 'DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables “DROP” action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]'
                type: string
              deviceRouteProtocol:
                description: This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT when left blank.
                type: integer
              deviceRouteSourceAddress:
                description: This is the source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.
                type: string
              disableConntrackInvalidCheck:
                type: boolean
              endpointReportingDelay:
                type: string
              endpointReportingEnabled:
                type: boolean
              externalNodesList:
                description: ExternalNodesList is a list of CIDRs of external (non-Calico) nodes which may source tunnel traffic and have the tunneled traffic be accepted at Calico nodes.
                items:
                  type: string
                type: array
              failsafeInboundHostPorts:
                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. In this CRD each entry is a ProtoPort object with both protocol and port set; in the environment/config-file form each port is written as tcp:<port-number> or udp:<port-number>, and for back-compatibility a bare port number defaults to “tcp”. To disable all inbound host ports, use the value none (an empty list here). The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
                items:
                  description: ProtoPort is combination of protocol and port, both must be specified.
                  properties:
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              failsafeOutboundHostPorts:
                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. In this CRD each entry is a ProtoPort object with both protocol and port set; in the environment/config-file form each port is written as tcp:<port-number> or udp:<port-number>, and for back-compatibility a bare port number defaults to “tcp”. To disable all outbound host ports, use the value none (an empty list here). The default value opens etcd’s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]'
                items:
                  description: ProtoPort is combination of protocol and port, both must be specified.
                  properties:
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              featureDetectOverride:
                description: FeatureDetectOverride is used to override the feature detection. Values are specified in a comma separated list with no spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
                type: string
              genericXDPEnabled:
                description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This is not recommended since it doesn''t provide better performance than iptables. [Default: false]'
                type: boolean
              healthEnabled:
                type: boolean
              healthHost:
                type: string
              healthPort:
                type: integer
              interfaceExclude:
                description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes'' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with ''/''. For example having values ''/^kube/,veth1'' will exclude all interfaces that begin with ''kube'' and also the interface ''veth1''. [Default: kube-ipvs0]'
                type: string
              interfacePrefix:
                description: 'InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the ‘cali’ value, and our OpenStack integration sets the ‘tap’ value. [Default: cali]'
                type: string
              interfaceRefreshInterval:
                description: InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0.
                type: string
              ipipEnabled:
                type: boolean
              ipipMTU:
                description: 'IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]'
                type: integer
              ipsetsRefreshInterval:
                description: 'IpsetsRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to a higher value to reduce Felix CPU usage. [Default: 10s]'
                type: string
              iptablesBackend:
                description: IptablesBackend specifies which backend of iptables will be used. The default is legacy.
                type: string
              iptablesFilterAllowAction:
                type: string
              iptablesLockFilePath:
                description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix’s container at a different path). [Default: /run/xtables.lock]'
                type: string
              iptablesLockProbeInterval:
                description: 'IptablesLockProbeInterval is the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]'
                type: string
              iptablesLockTimeout:
                description: 'IptablesLockTimeout is the time that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]'
                type: string
              iptablesMangleAllowAction:
                type: string
              iptablesMarkMask:
                description: 'IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xff000000]'
                format: int32
                type: integer
              iptablesNATOutgoingInterfaceFilter:
                type: string
              iptablesPostWriteCheckInterval:
                description: 'IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn’t respect the iptables lock. [Default: 1s]'
                type: string
              iptablesRefreshInterval:
                description: 'IptablesRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: 90s]'
                type: string
              ipv6Support:
                type: boolean
              kubeNodePortRanges:
                description: 'KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].'
                items:
                  anyOf:
                  - type: integer
                  - type: string
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                type: array
              logFilePath:
                description: 'LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]'
                type: string
              logPrefix:
                description: 'LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]'
                type: string
              logSeverityFile:
                description: 'LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]'
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]'
                type: string
              logSeveritySys:
                description: 'LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]'
                type: string
              maxIpsetSize:
                type: integer
              metadataAddr:
                description: 'MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]'
                type: string
              metadataPort:
                description: 'MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if not ‘None’), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].'
                type: integer
              natOutgoingAddress:
                description: NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (ie it uses the iptables MASQUERADE target)
                type: string
              natPortRange:
                anyOf:
                - type: integer
                - type: string
                description: NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the network stack is used.
                pattern: ^.*
                x-kubernetes-int-or-string: true
              netlinkTimeout:
                type: string
              openstackRegion:
                description: 'OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, or in felix.cfg or the environment on each compute node), and must match the [calico] openstack_region value configured in neutron.conf on each node. [Default: Empty]'
                type: string
              policySyncPathPrefix:
                description: 'PolicySyncPathPrefix is used by Felix to communicate policy changes to external services, like Application layer policy. [Default: Empty]'
                type: string
              prometheusGoMetricsEnabled:
                description: 'PrometheusGoMetricsEnabled, when set to false, disables the Go runtime metrics collection that the Prometheus client performs by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]'
                type: boolean
              prometheusMetricsEnabled:
                description: 'PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]'
                type: boolean
              prometheusMetricsHost:
                description: 'PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]'
                type: string
              prometheusMetricsPort:
                description: 'PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]'
                type: integer
              prometheusProcessMetricsEnabled:
                description: 'PrometheusProcessMetricsEnabled, when set to false, disables the process metrics collection that the Prometheus client performs by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]'
                type: boolean
              removeExternalRoutes:
                description: Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. This is enabled by default which means we will remove externally added routes.
                type: boolean
              reportingInterval:
                description: 'ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]'
                type: string
              reportingTTL:
                description: 'ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]'
                type: string
              routeRefreshInterval:
                description: 'RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable route refresh. [Default: 90s]'
                type: string
              routeSource:
                description: 'RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                type: string
              routeTableRange:
                description: Calico programs additional Linux route tables for various purposes. RouteTableRange specifies the indices of the route tables that Calico should use.
                properties:
                  max:
                    type: integer
                  min:
                    type: integer
                required:
                - max
                - min
                type: object
              sidecarAccelerationEnabled:
                description: 'SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]'
                type: boolean
              usageReportingEnabled:
                description: 'UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage server, for example if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]'
                type: boolean
              usageReportingInitialDelay:
                description: 'UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]'
                type: string
              usageReportingInterval:
                description: 'UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]'
                type: string
              useInternalDataplaneDriver:
                type: boolean
              vxlanEnabled:
                type: boolean
              vxlanMTU:
                description: 'VXLANMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]'
                type: integer
              vxlanPort:
                type: integer
              vxlanVNI:
                type: integer
              wireguardEnabled:
                description: 'WireguardEnabled controls whether Wireguard is enabled. [Default: false]'
                type: boolean
              wireguardInterfaceName:
                description: 'WireguardInterfaceName specifies the name to use for the Wireguard interface. [Default: wg.calico]'
                type: string
              wireguardListeningPort:
                description: 'WireguardListeningPort controls the listening port used by Wireguard. [Default: 51820]'
                type: integer
              wireguardMTU:
                description: 'WireguardMTU controls the MTU on the Wireguard interface. See Configuring MTU [Default: 1420]'
                type: integer
              wireguardRoutingRulePriority:
                description: 'WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]'
                type: integer
              xdpEnabled:
                description: 'XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]'
                type: boolean
              xdpRefreshInterval:
                description: 'XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no other process has accidentally broken Calico''s BPF maps or attached programs. Set to 0 to disable XDP refresh. [Default: 90s]'
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
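The CRD above only enforces a handful of constraints (the awsSrcDstCheck enum, the ProtoPort required keys, the routeTableRange required keys); everything else that matters for security lives in the description text, in particular the documented defaults and the warnings on chainInsertMode, bpfDisableUnprivileged, defaultEndpointToHostAction, the failsafe port lists, the Prometheus bind address and usage reporting. The following linter is an added example, not code from the Kubernetes repository or from Calico: it resolves a FelixConfiguration spec against the defaults stated in the descriptions, reports what the API server would reject, and then reports the settings the descriptions flag as weakening policy. The DEFAULTS table is transcribed from the "[Default: ...]" notes above, and the two sample specs at the bottom are constructed for illustration.

```python
"""Schema and hardening linter for a Calico FelixConfiguration spec (added example)."""
from __future__ import annotations

# Documented defaults for the fields this linter resolves when a spec omits them,
# transcribed from the "[Default: ...]" notes in the CRD descriptions.
DEFAULTS = {
    "chainInsertMode": "insert",
    "bpfDisableUnprivileged": True,
    "defaultEndpointToHostAction": "Drop",
    "usageReportingEnabled": True,
    "prometheusMetricsEnabled": False,
    "prometheusMetricsHost": "",
    "iptablesMarkMask": 0xFF000000,
    "awsSrcDstCheck": "DoNothing",
    "failsafeInboundHostPorts": [{"protocol": p, "port": n} for p, n in (
        ("tcp", 22), ("udp", 68), ("tcp", 179), ("tcp", 2379),
        ("tcp", 2380), ("tcp", 6443), ("tcp", 6666), ("tcp", 6667))],
}
AWS_SRC_DST_CHECK_ENUM = {"DoNothing", "Enable", "Disable"}  # the CRD enum, not the prose


def effective(spec: dict, key: str):
    """Value the field has once Felix applies its documented default."""
    return spec.get(key, DEFAULTS.get(key))


def _proto_ports(entries) -> set[tuple[str, int]]:
    """Well-formed ProtoPort entries as (protocol, port) pairs; malformed ones are skipped."""
    return {(e["protocol"], e["port"]) for e in entries or []
            if isinstance(e, dict) and "protocol" in e and "port" in e}


def schema_errors(spec: dict) -> list[str]:
    """Violations the API server would reject under the CRD's validation rules."""
    errors = []
    aws = spec.get("awsSrcDstCheck")
    if aws is not None and aws not in AWS_SRC_DST_CHECK_ENUM:
        errors.append(f"awsSrcDstCheck: {aws!r} not in enum {sorted(AWS_SRC_DST_CHECK_ENUM)}")
    for field in ("failsafeInboundHostPorts", "failsafeOutboundHostPorts"):
        for i, entry in enumerate(spec.get(field) or []):
            # ProtoPort: both keys are required; port is an integer, protocol a string
            if not isinstance(entry, dict) or "port" not in entry or "protocol" not in entry:
                errors.append(f"{field}[{i}]: ProtoPort requires both 'port' and 'protocol'")
            elif not isinstance(entry["port"], int) or not isinstance(entry["protocol"], str):
                errors.append(f"{field}[{i}]: port must be an integer and protocol a string")
    mask = spec.get("iptablesMarkMask")
    if mask is not None:
        if not isinstance(mask, int) or not 0 <= mask <= 0xFFFFFFFF:
            errors.append("iptablesMarkMask: must be a 32-bit integer")
        elif bin(mask).count("1") < 8:  # description: "at least 8 bits set"
            errors.append(f"iptablesMarkMask: {mask:#010x} has fewer than 8 bits set")
    rtr = spec.get("routeTableRange")
    if rtr is not None:
        if not {"min", "max"} <= set(rtr):
            errors.append("routeTableRange: both 'min' and 'max' are required")
        elif rtr["min"] > rtr["max"]:
            errors.append("routeTableRange: min exceeds max")
    return errors


def hardening_findings(spec: dict) -> list[str]:
    """Effective settings that the CRD descriptions flag as bypassing or weakening policy."""
    findings = []
    if effective(spec, "chainInsertMode") != "insert":
        findings.append("chainInsertMode=append: rules ahead of Calico's hook in the top-level chains can bypass policy")
    if not effective(spec, "bpfDisableUnprivileged"):
        findings.append("bpfDisableUnprivileged=false: unprivileged users may read Calico's BPF maps or load interfering programs")
    if str(effective(spec, "defaultEndpointToHostAction")).upper() == "ACCEPT":
        findings.append("defaultEndpointToHostAction=ACCEPT: workload-to-host traffic is accepted unconditionally after egress policy")
    if effective(spec, "usageReportingEnabled"):
        findings.append("usageReportingEnabled=true (the default): Felix reports version and cluster size to projectcalico.org")
    if effective(spec, "prometheusMetricsEnabled") and not effective(spec, "prometheusMetricsHost"):
        findings.append("prometheusMetricsEnabled with empty prometheusMetricsHost: the metrics server binds every interface")
    # Failsafe ports are allowed regardless of policy, so anything beyond the documented default widens host exposure.
    extra = sorted(_proto_ports(effective(spec, "failsafeInboundHostPorts"))
                   - _proto_ports(DEFAULTS["failsafeInboundHostPorts"]))
    if extra:
        findings.append("failsafeInboundHostPorts opens non-default ports that bypass policy: "
                        + ", ".join(f"{proto}:{port}" for proto, port in extra))
    return findings


# Constructed sample: a hastily written spec (value "Disabled" follows the prose, not the enum).
WEAK_SPEC = {
    "chainInsertMode": "append", "bpfEnabled": True, "bpfDisableUnprivileged": False,
    "defaultEndpointToHostAction": "ACCEPT", "prometheusMetricsEnabled": True,
    "awsSrcDstCheck": "Disabled", "iptablesMarkMask": 0x0000000F,
    "failsafeInboundHostPorts": [{"protocol": "tcp", "port": 22},
                                 {"protocol": "tcp", "port": 8080}, {"protocol": "tcp"}],
}
# Constructed sample: the same object with the settings tightened.
HARDENED_SPEC = {
    "chainInsertMode": "insert", "bpfEnabled": True, "bpfDisableUnprivileged": True,
    "defaultEndpointToHostAction": "Drop", "prometheusMetricsEnabled": True,
    "prometheusMetricsHost": "127.0.0.1", "usageReportingEnabled": False,
    "awsSrcDstCheck": "Disable",
    "failsafeInboundHostPorts": [{"protocol": "tcp", "port": 22}, {"protocol": "udp", "port": 68},
                                 {"protocol": "tcp", "port": 6443}],
    "failsafeOutboundHostPorts": [{"protocol": "udp", "port": 53}, {"protocol": "udp", "port": 67},
                                  {"protocol": "tcp", "port": 6443}],
}

if __name__ == "__main__":
    for name, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"== {name} ==")
        for line in schema_errors(spec) + hardening_findings(spec):
            print(" -", line)
```

Note that an empty spec still yields one finding: usage reporting is on by default, which is why the linter resolves defaults before judging a field rather than only inspecting the keys the object happens to set. Extend DEFAULTS the same way if you add checks for other fields.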