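---
# Source: calico/templates/calico-config.yaml (v3.19.1)
# This ConfigMap is used to configure a self-hosted Calico installation.
#
# Placeholders of the form __NAME__ (node name, MTU, kubeconfig path) are
# substituted at install time; they are not literal values.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Typha is disabled.
  typha_service_name: "none"
  # Configure the backend to use.
  calico_backend: "bird"

  # Configure the MTU to use for workload interfaces and tunnels.
  # By default, MTU is auto-detected, and explicitly setting this field should not be required.
  # You can override auto-detection by providing a non-zero value.
  veth_mtu: "0"

  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  # The chain is: calico (IPAM + k8s policy, kubernetes datastore) -> portmap
  # (with SNAT for port-mapped traffic) -> bandwidth. "mtu" is deliberately
  # unquoted so the substituted value is a JSON number.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "log_file_path": "/var/log/calico/cni/cni.log",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
            "type": "calico-ipam"
          },
          "policy": {
            "type": "k8s"
          },
          "kubernetes": {
            "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        },
        {
          "type": "bandwidth",
          "capabilities": {"bandwidth": true}
        }
      ]
    }

---
# Source: calico/templates/kdd-crds.yaml

# CRD: BGPConfiguration (cluster-scoped). Global BGP settings: default AS
# number, node-to-node mesh, BGP listen port, communities and the service
# CIDR blocks Calico advertises.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPConfiguration
    listKind: BGPConfigurationList
    plural: bgpconfigurations
    singular: bgpconfiguration
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: BGPConfiguration contains the configuration for any BGP routing.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: BGPConfigurationSpec contains the values of the BGP configuration.
              properties:
                asNumber:
                  description: 'ASNumber is the default AS number used by a node. [Default:
                    64512]'
                  format: int32
                  type: integer
                communities:
                  description: Communities is a list of BGP community values and their
                    arbitrary names for tagging routes.
                  items:
                    description: Community contains standard or large community value
                      and its name.
                    properties:
                      name:
                        description: Name given to community value.
                        type: string
                      value:
                        description: Value must be of format `aa:nn` or `aa:nn:mm`.
                          For standard community use `aa:nn` format, where `aa` and
                          `nn` are 16 bit number. For large community use `aa:nn:mm`
                          format, where `aa`, `nn` and `mm` are 32 bit number. Where,
                          `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
                        # Server-side validation of the community syntax.
                        pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
                        type: string
                    type: object
                  type: array
                listenPort:
                  description: ListenPort is the port where BGP protocol should listen.
                    Defaults to 179
                  maximum: 65535
                  minimum: 1
                  type: integer
                logSeverityScreen:
                  description: 'LogSeverityScreen is the log severity above which logs
                    are sent to the stdout. [Default: INFO]'
                  type: string
                nodeToNodeMeshEnabled:
                  description: 'NodeToNodeMeshEnabled sets whether full node to node
                    BGP mesh is enabled. [Default: true]'
                  type: boolean
                prefixAdvertisements:
                  description: PrefixAdvertisements contains per-prefix advertisement
                    configuration.
                  items:
                    description: PrefixAdvertisement configures advertisement properties
                      for the specified CIDR.
                    properties:
                      cidr:
                        description: CIDR for which properties should be advertised.
                        type: string
                      communities:
                        description: Communities can be list of either community names
                          already defined in `Specs.Communities` or community value
                          of format `aa:nn` or `aa:nn:mm`. For standard community use
                          `aa:nn` format, where `aa` and `nn` are 16 bit number. For
                          large community use `aa:nn:mm` format, where `aa`, `nn` and
                          `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
                          `mm` are per-AS identifier.
                        items:
                          type: string
                        type: array
                    type: object
                  type: array
                serviceClusterIPs:
                  description: ServiceClusterIPs are the CIDR blocks from which service
                    cluster IPs are allocated. If specified, Calico will advertise these
                    blocks, as well as any cluster IPs within them.
                  items:
                    description: ServiceClusterIPBlock represents a single allowed ClusterIP
                      CIDR block.
                    properties:
                      cidr:
                        type: string
                    type: object
                  type: array
                serviceExternalIPs:
                  description: ServiceExternalIPs are the CIDR blocks for Kubernetes
                    Service External IPs. Kubernetes Service ExternalIPs will only be
                    advertised if they are within one of these blocks.
                  items:
                    description: ServiceExternalIPBlock represents a single allowed
                      External IP CIDR block.
                    properties:
                      cidr:
                        type: string
                    type: object
                  type: array
                serviceLoadBalancerIPs:
                  description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
                    Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
                    IPs will only be advertised if they are within one of these blocks.
                  items:
                    description: ServiceLoadBalancerIPBlock represents a single allowed
                      LoadBalancer IP CIDR block.
                    properties:
                      cidr:
                        type: string
                    type: object
                  type: array
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# CRD: BGPPeer (cluster-scoped). Describes a BGP peering: either an explicit
# peerIP/asNumber or a peerSelector, scoped to a node or nodeSelector.
# The optional BGP password is referenced via a Secret (password.secretKeyRef)
# rather than stored inline in the resource.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPPeer
    listKind: BGPPeerList
    plural: bgppeers
    singular: bgppeer
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: BGPPeerSpec contains the specification for a BGPPeer resource.
              properties:
                asNumber:
                  description: The AS Number of the peer.
                  format: int32
                  type: integer
                keepOriginalNextHop:
                  description: Option to keep the original nexthop field when routes
                    are sent to a BGP Peer. Setting "true" configures the selected BGP
                    Peers node to use the "next hop keep;" instead of "next hop self;"(default)
                    in the specific branch of the Node on "bird.cfg".
                  type: boolean
                node:
                  description: The node name identifying the Calico node instance that
                    is targeted by this peer. If this is not set, and no nodeSelector
                    is specified, then this BGP peer selects all nodes in the cluster.
                  type: string
                nodeSelector:
                  description: Selector for the nodes that should have this peering. When
                    this is set, the Node field must be empty.
                  type: string
                password:
                  description: Optional BGP password for the peerings generated by this
                    BGPPeer resource.
                  properties:
                    secretKeyRef:
                      description: Selects a key of a secret in the node pod's namespace.
                      properties:
                        key:
                          description: The key of the secret to select from. Must be
                            a valid secret key.
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            TODO: Add other useful fields. apiVersion, kind, uid?'
                          type: string
                        optional:
                          description: Specify whether the Secret or its key must be
                            defined
                          type: boolean
                      required:
                        - key
                      type: object
                  type: object
                peerIP:
                  description: The IP address of the peer followed by an optional port
                    number to peer with. If port number is given, format should be `[<IPv6>]:port`
                    or `<IPv4>:<port>` for IPv4. If optional port number is not set,
                    and this peer IP and ASNumber belongs to a calico/node with ListenPort
                    set in BGPConfiguration, then we use that port to peer.
                  type: string
                peerSelector:
                  description: Selector for the remote nodes to peer with. When this
                    is set, the PeerIP and ASNumber fields must be empty. For each
                    peering between the local node and selected remote nodes, we configure
                    an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
                    and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
                    remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
                    or the global default if that is not set.
                  type: string
                sourceAddress:
                  description: Specifies whether and how to configure a source address
                    for the peerings generated by this BGPPeer resource. Default value
                    "UseNodeIP" means to configure the node IP as the source address. "None"
                    means not to configure a source address.
                  type: string
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# CRD: BlockAffinity (cluster-scoped). IPAM bookkeeping: which node an
# address block (cidr) is affine to, plus its state and deletion marker.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BlockAffinity
    listKind: BlockAffinityList
    plural: blockaffinities
    singular: blockaffinity
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: BlockAffinitySpec contains the specification for a BlockAffinity
                resource.
              properties:
                cidr:
                  type: string
                deleted:
                  # Kept as a string (not boolean) for compatibility, per the description.
                  description: Deleted indicates that this block affinity is being deleted.
                    This field is a string for compatibility with older releases that
                    mistakenly treat this field as a string.
                  type: string
                node:
                  type: string
                state:
                  type: string
              required:
                - cidr
                - deleted
                - node
                - state
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# CRD: ClusterInformation (cluster-scoped). Cluster-wide facts written by
# Calico: version, GUID, type, variant and the datastoreReady gate.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: ClusterInformation
    listKind: ClusterInformationList
    plural: clusterinformations
    singular: clusterinformation
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: ClusterInformation contains the cluster specific information.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: ClusterInformationSpec contains the values of describing
                the cluster.
              properties:
                calicoVersion:
                  description: CalicoVersion is the version of Calico that the cluster
                    is running
                  type: string
                clusterGUID:
                  description: ClusterGUID is the GUID of the cluster
                  type: string
                clusterType:
                  description: ClusterType describes the type of the cluster
                  type: string
                datastoreReady:
                  description: DatastoreReady is used during significant datastore migrations
                    to signal to components such as Felix that it should wait before
                    accessing the datastore.
                  type: boolean
                variant:
                  description: Variant declares which variant of Calico should be active.
                  type: string
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
# CRD: FelixConfiguration (cluster-scoped). Per-cluster (or per-node override)
# dataplane settings for Felix: iptables/BPF behaviour, failsafe host ports,
# endpoint-to-host action, logging, metrics and NAT.
# NOTE: this document continues past the end of this excerpt.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: FelixConfiguration
    listKind: FelixConfigurationList
    plural: felixconfigurations
    singular: felixconfiguration
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: Felix Configuration contains the configuration for Felix.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: FelixConfigurationSpec contains the values of the Felix configuration.
              properties:
                allowIPIPPacketsFromWorkloads:
                  description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
                    will add a rule to drop IPIP encapsulated traffic from workloads
                    [Default: false]'
                  type: boolean
                allowVXLANPacketsFromWorkloads:
                  description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
                    will add a rule to drop VXLAN encapsulated traffic from workloads
                    [Default: false]'
                  type: boolean
                awsSrcDstCheck:
                  # The enum below is what the API server enforces; the description
                  # has been aligned with it ("Enable"/"Disable", not "Enabled"/"Disabled").
                  description: 'Set source-destination-check on AWS EC2 instances. Accepted
                    value must be one of "DoNothing", "Enable" or "Disable". [Default:
                    DoNothing]'
                  enum:
                    - DoNothing
                    - Enable
                    - Disable
                  type: string
                bpfConnectTimeLoadBalancingEnabled:
                  description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
                    controls whether Felix installs the connection-time load balancer. The
                    connect-time load balancer is required for the host to be able to
                    reach Kubernetes services and it improves the performance of pod-to-service
                    connections. The only reason to disable it is for debugging purposes. [Default:
                    true]'
                  type: boolean
                bpfDataIfacePattern:
                  description: BPFDataIfacePattern is a regular expression that controls
                    which interfaces Felix should attach BPF programs to in order to
                    catch traffic to/from the network. This needs to match the interfaces
                    that Calico workload traffic flows over as well as any interfaces
                    that handle incoming traffic to nodeports and services from outside
                    the cluster. It should not match the workload interfaces (usually
                    named cali...).
                  type: string
                bpfDisableUnprivileged:
                  # Hardening: keeps unprivileged processes away from Calico's BPF maps/programs.
                  description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
                    sysctl to disable unprivileged use of BPF. This ensures that unprivileged
                    users cannot access Calico''s BPF maps and cannot insert their own
                    BPF programs to interfere with Calico''s. [Default: true]'
                  type: boolean
                bpfEnabled:
                  description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
                    [Default: false]'
                  type: boolean
                bpfExtToServiceConnmark:
                  description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
                    mark that is set on connections from an external client to a local
                    service. This mark allows us to control how packets of that connection
                    are routed within the host and how is routing intepreted by RPF
                    check. [Default: 0]'
                  type: integer
                bpfExternalServiceMode:
                  description: 'BPFExternalServiceMode in BPF mode, controls how connections
                    from outside the cluster to services (node ports and cluster IPs)
                    are forwarded to remote workloads. If set to "Tunnel" then both
                    request and response traffic is tunneled to the remote node. If
                    set to "DSR", the request traffic is tunneled but the response traffic
                    is sent directly from the remote node. In "DSR" mode, the remote
                    node appears to use the IP of the ingress node; this requires a
                    permissive L2 network. [Default: Tunnel]'
                  type: string
                bpfKubeProxyEndpointSlicesEnabled:
                  description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
                    whether Felix's embedded kube-proxy accepts EndpointSlices or not.
                  type: boolean
                bpfKubeProxyIptablesCleanupEnabled:
                  description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
                    mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
                    iptables chains. Should only be enabled if kube-proxy is not running. [Default:
                    true]'
                  type: boolean
                bpfKubeProxyMinSyncPeriod:
                  description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
                    minimum time between updates to the dataplane for Felix''s embedded
                    kube-proxy. Lower values give reduced set-up latency. Higher values
                    reduce Felix CPU usage by batching up more work. [Default: 1s]'
                  type: string
                bpfLogLevel:
                  description: 'BPFLogLevel controls the log level of the BPF programs
                    when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
                    logs are emitted to the BPF trace pipe, accessible with the command
                    `tc exec bpf debug`. [Default: Off].'
                  type: string
                chainInsertMode:
                  # "append" lets earlier rules in the kernel chains bypass Calico policy;
                  # see the description before changing it from the default.
                  description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                    top-level iptables chains by inserting a rule at the top of the
                    chain or by appending a rule at the bottom. insert is the safe default
                    since it prevents Calico''s rules from being bypassed. If you switch
                    to append mode, be sure that the other rules in the chains signal
                    acceptance by falling through to the Calico rules, otherwise the
                    Calico policy will be bypassed. [Default: insert]'
                  type: string
                dataplaneDriver:
                  type: string
                debugDisableLogDropping:
                  type: boolean
                debugMemoryProfilePath:
                  type: string
                debugSimulateCalcGraphHangAfter:
                  type: string
                debugSimulateDataplaneHangAfter:
                  type: string
                defaultEndpointToHostAction:
                  description: 'DefaultEndpointToHostAction controls what happens to
                    traffic that goes from a workload endpoint to the host itself (after
                    the traffic hits the endpoint egress policy). By default Calico
                    blocks traffic from workload endpoints to the host itself with an
                    iptables "DROP" action. If you want to allow some or all traffic
                    from endpoint to host, set this parameter to RETURN or ACCEPT. Use
                    RETURN if you have your own rules in the iptables "INPUT" chain;
                    Calico will insert its rules at the top of that chain, then "RETURN"
                    packets to the "INPUT" chain once it has completed processing workload
                    endpoint egress policy. Use ACCEPT to unconditionally accept packets
                    from workloads after processing workload endpoint egress policy.
                    [Default: Drop]'
                  type: string
                deviceRouteProtocol:
                  description: This defines the route protocol added to programmed device
                    routes, by default this will be RTPROT_BOOT when left blank.
                  type: integer
                deviceRouteSourceAddress:
                  description: This is the source address to use on programmed device
                    routes. By default the source address is left blank, leaving the
                    kernel to choose the source address used.
                  type: string
                disableConntrackInvalidCheck:
                  type: boolean
                endpointReportingDelay:
                  type: string
                endpointReportingEnabled:
                  type: boolean
                externalNodesList:
                  description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
                    which may source tunnel traffic and have the tunneled traffic be
                    accepted at calico nodes.
                  items:
                    type: string
                  type: array
                failsafeInboundHostPorts:
                  # These ports are allowed regardless of host endpoint policy; keep the
                  # list to what the node genuinely needs.
                  description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
                    and CIDRs that Felix will allow incoming traffic to host endpoints
                    on irrespective of the security policy. This is useful to avoid
                    accidentally cutting off a host with incorrect configuration. For
                    back-compatibility, if the protocol is not specified, it defaults
                    to "tcp". If a CIDR is not specified, it will allow traffic from
                    all addresses. To disable all inbound host ports, use the value
                    none. The default value allows ssh access and DHCP. [Default: tcp:22,
                    udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
                  items:
                    description: ProtoPort is combination of protocol, port, and CIDR.
                      Protocol and port must be specified.
                    properties:
                      net:
                        type: string
                      port:
                        type: integer
                      protocol:
                        type: string
                    required:
                      - port
                      - protocol
                    type: object
                  type: array
                failsafeOutboundHostPorts:
                  description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
                    and CIDRs that Felix will allow outgoing traffic from host endpoints
                    to irrespective of the security policy. This is useful to avoid
                    accidentally cutting off a host with incorrect configuration. For
                    back-compatibility, if the protocol is not specified, it defaults
                    to "tcp". If a CIDR is not specified, it will allow traffic from
                    all addresses. To disable all outbound host ports, use the value
                    none. The default value opens etcd''s standard ports to ensure that
                    Felix does not get cut off from etcd as well as allowing DHCP and
                    DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
                    tcp:6667, udp:53, udp:67]'
                  items:
                    description: ProtoPort is combination of protocol, port, and CIDR.
                      Protocol and port must be specified.
                    properties:
                      net:
                        type: string
                      port:
                        type: integer
                      protocol:
                        type: string
                    required:
                      - port
                      - protocol
                    type: object
                  type: array
                featureDetectOverride:
                  description: FeatureDetectOverride is used to override the feature
                    detection. Values are specified in a comma separated list with no
                    spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
                    "true" or "false" will force the feature, empty or omitted values
                    are auto-detected.
                  type: string
                genericXDPEnabled:
                  description: 'GenericXDPEnabled enables Generic XDP so network cards
                    that don''t support XDP offload or driver modes can use XDP. This
                    is not recommended since it doesn''t provide better performance
                    than iptables. [Default: false]'
                  type: boolean
                healthEnabled:
                  type: boolean
                healthHost:
                  type: string
                healthPort:
                  type: integer
                interfaceExclude:
                  description: 'InterfaceExclude is a comma-separated list of interfaces
                    that Felix should exclude when monitoring for host endpoints. The
                    default value ensures that Felix ignores Kubernetes'' IPVS dummy
                    interface, which is used internally by kube-proxy. If you want to
                    exclude multiple interface names using a single value, the list
                    supports regular expressions. For regular expressions you must wrap
                    the value with ''/''. For example having values ''/^kube/,veth1''
                    will exclude all interfaces that begin with ''kube'' and also the
                    interface ''veth1''. [Default: kube-ipvs0]'
                  type: string
                interfacePrefix:
                  description: 'InterfacePrefix is the interface name prefix that identifies
                    workload endpoints and so distinguishes them from host endpoint
                    interfaces. Note: in environments other than bare metal, the orchestrators
                    configure this appropriately. For example our Kubernetes and Docker
                    integrations set the ''cali'' value, and our OpenStack integration
                    sets the ''tap'' value. [Default: cali]'
                  type: string
                interfaceRefreshInterval:
                  description: InterfaceRefreshInterval is the period at which Felix
                    rescans local interfaces to verify their state. The rescan can be
                    disabled by setting the interval to 0.
                  type: string
                ipipEnabled:
                  type: boolean
                ipipMTU:
                  description: 'IPIPMTU is the MTU to set on the tunnel device. See
                    Configuring MTU [Default: 1440]'
                  type: integer
                ipsetsRefreshInterval:
                  description: 'IpsetsRefreshInterval is the period at which Felix re-checks
                    all iptables state to ensure that no other process has accidentally
                    broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
                    90s]'
                  type: string
                iptablesBackend:
                  description: IptablesBackend specifies which backend of iptables will
                    be used. The default is legacy.
                  type: string
                iptablesFilterAllowAction:
                  type: string
                iptablesLockFilePath:
                  description: 'IptablesLockFilePath is the location of the iptables
                    lock file. You may need to change this if the lock file is not in
                    its standard location (for example if you have mapped it into Felix''s
                    container at a different path). [Default: /run/xtables.lock]'
                  type: string
                iptablesLockProbeInterval:
                  description: 'IptablesLockProbeInterval is the time that Felix will
                    wait between attempts to acquire the iptables lock if it is not
                    available. Lower values make Felix more responsive when the lock
                    is contended, but use more CPU. [Default: 50ms]'
                  type: string
                iptablesLockTimeout:
                  description: 'IptablesLockTimeout is the time that Felix will wait
                    for the iptables lock, or 0, to disable. To use this feature, Felix
                    must share the iptables lock file with all other processes that
                    also take the lock. When running Felix inside a container, this
                    requires the /run directory of the host to be mounted into the calico/node
                    or calico/felix container. [Default: 0s disabled]'
                  type: string
                iptablesMangleAllowAction:
                  type: string
                iptablesMarkMask:
                  description: 'IptablesMarkMask is the mask that Felix selects its
                    IPTables Mark bits from. Should be a 32 bit hexadecimal number with
                    at least 8 bits set, none of which clash with any other mark bits
                    in use on the system. [Default: 0xff000000]'
                  format: int32
                  type: integer
                iptablesNATOutgoingInterfaceFilter:
                  type: string
                iptablesPostWriteCheckInterval:
                  description: 'IptablesPostWriteCheckInterval is the period after Felix
                    has done a write to the dataplane that it schedules an extra read
                    back in order to check the write was not clobbered by another process.
                    This should only occur if another application on the system doesn''t
                    respect the iptables lock. [Default: 1s]'
                  type: string
                iptablesRefreshInterval:
                  description: 'IptablesRefreshInterval is the period at which Felix
                    re-checks the IP sets in the dataplane to ensure that no other process
                    has accidentally broken Calico''s rules. Set to 0 to disable IP
                    sets refresh. Note: the default for this value is lower than the
                    other refresh intervals as a workaround for a Linux kernel bug that
                    was fixed in kernel version 4.11. If you are using v4.11 or greater
                    you may want to set this to, a higher value to reduce Felix CPU
                    usage. [Default: 10s]'
                  type: string
                ipv6Support:
                  type: boolean
                kubeNodePortRanges:
                  description: 'KubeNodePortRanges holds list of port ranges used for
                    service node ports. Only used if felix detects kube-proxy running
                    in ipvs mode. Felix uses these ranges to separate host and workload
                    traffic. [Default: 30000:32767].'
                  items:
                    anyOf:
                      - type: integer
                      - type: string
                    pattern: ^.*
                    x-kubernetes-int-or-string: true
                  type: array
                logFilePath:
                  description: 'LogFilePath is the full path to the Felix log. Set to
                    none to disable file logging. [Default: /var/log/calico/felix.log]'
                  type: string
                logPrefix:
                  description: 'LogPrefix is the log prefix that Felix uses when rendering
                    LOG rules. [Default: calico-packet]'
                  type: string
                logSeverityFile:
                  description: 'LogSeverityFile is the log severity above which logs
                    are sent to the log file. [Default: Info]'
                  type: string
                logSeverityScreen:
                  description: 'LogSeverityScreen is the log severity above which logs
                    are sent to the stdout. [Default: Info]'
                  type: string
                logSeveritySys:
                  description: 'LogSeveritySys is the log severity above which logs
                    are sent to the syslog. Set to None for no logging to syslog. [Default:
                    Info]'
                  type: string
                maxIpsetSize:
                  type: integer
                metadataAddr:
                  description: 'MetadataAddr is the IP address or domain name of the
                    server that can answer VM queries for cloud-init metadata. In OpenStack,
                    this corresponds to the machine running nova-api (or in Ubuntu,
                    nova-api-metadata). A value of none (case insensitive) means that
                    Felix should not set up any NAT rule for the metadata path. [Default:
                    127.0.0.1]'
                  type: string
                metadataPort:
                  description: 'MetadataPort is the port of the metadata server. This,
                    combined with global.MetadataAddr (if not ''None''), is used to
                    set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
                    In most cases this should not need to be changed [Default: 8775].'
                  type: integer
                mtuIfacePattern:
                  description: MTUIfacePattern is a regular expression that controls
                    which interfaces Felix should scan in order to calculate the host's
                    MTU. This should not match workload interfaces (usually named cali...).
                  type: string
                natOutgoingAddress:
                  description: NATOutgoingAddress specifies an address to use when performing
                    source NAT for traffic in a natOutgoing pool that is leaving the
                    network. By default the address used is an address on the interface
                    the traffic is leaving on (ie it uses the iptables MASQUERADE target)
                  type: string
                natPortRange:
                  anyOf:
                    - type: integer
                    - type: string
                  description: NATPortRange specifies the range of ports that is used
                    for port mapping when doing outgoing NAT. When unset the default
                    behavior of the network stack is used.
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                netlinkTimeout:
                  type: string
                openstackRegion:
                  description: 'OpenstackRegion is the name of the region that a particular
                    Felix belongs to. In a multi-region Calico/OpenStack deployment,
                    this must be configured somehow for each Felix (here in the datamodel,
                    or in felix.cfg or the environment on each compute node), and must
                    match the [calico] openstack_region value configured in neutron.conf
                    on each node. [Default: Empty]'
                  type: string
                policySyncPathPrefix:
                  description: 'PolicySyncPathPrefix is used to by Felix to communicate
                    policy changes to external services, like Application layer policy.
                    [Default: Empty]'
                  type: string
                prometheusGoMetricsEnabled:
                  description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
                    collection, which the Prometheus client does by default, when set
                    to false. This reduces the number of metrics reported, reducing
                    Prometheus load. [Default: true]'
                  type: boolean
                prometheusMetricsEnabled:
                  description: 'PrometheusMetricsEnabled enables the Prometheus metrics
                    server in Felix if set to true. [Default: false]'
                  type: boolean
                prometheusMetricsHost:
                  description: 'PrometheusMetricsHost is the host that the Prometheus
                    metrics server should bind to. [Default: empty]'
                  type: string
                prometheusMetricsPort:
                  description: 'PrometheusMetricsPort is the TCP port that the Prometheus
                    metrics server should bind to. [Default: 9091]'
                  type: integer
                prometheusProcessMetricsEnabled:
                  description: 'PrometheusProcessMetricsEnabled disables process metrics
                    collection, which the Prometheus client does by default, when set
                    to false. This reduces the number of metrics reported, reducing
                    Prometheus load. [Default: true]'
                  type: boolean
                removeExternalRoutes:
                  description: Whether or not to remove device routes that have not
                    been programmed by Felix. Disabling this will allow external applications
                    to also add device routes. This is enabled by default which means
                    we will remove externally added routes.
                  type: boolean
                reportingInterval:
                  description: 'ReportingInterval is the interval at which Felix reports
                    its status into the datastore or 0 to disable. Must be non-zero
                    in OpenStack deployments. [Default: 30s]'
                  type: string
                reportingTTL:
                  description: 'ReportingTTL is the time-to-live setting for process-wide
                    status reports. [Default: 90s]'
                  type: string
                routeRefreshInterval:
                  description: 'RouteRefreshInterval is the period at which Felix re-checks
                    the routes in the dataplane to ensure that no other process has
                    accidentally broken Calico''s rules. Set to 0 to disable route refresh.
                    [Default: 90s]'
                  type: string
                routeSource:
                  description: 'RouteSource configures where Felix gets its routing
                    information. - WorkloadIPs: use workload endpoints to construct
                    routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                  type: string
                routeTableRange:
                  description: Calico programs additional Linux route tables for various
                    purposes. RouteTableRange specifies the indices of the route tables
                    that Calico should use.
                  properties:
                    max:
                      type: integer
                    min:
                      type: integer
                  required:
                    - max
                    - min
                  type: object
                serviceLoopPrevention:
                  description: 'When service IP advertisement is enabled, prevent routing
                    loops to service IPs that are not in use, by dropping or rejecting
                    packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
                    in which case such routing loops continue to be allowed.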
[Default: 923 Drop]' 924 type: string 925 sidecarAccelerationEnabled: 926 description: 'SidecarAccelerationEnabled enables experimental sidecar 927 acceleration [Default: false]' 928 type: boolean 929 usageReportingEnabled: 930 description: 'UsageReportingEnabled reports anonymous Calico version 931 number and cluster size to projectcalico.org. Logs warnings returned 932 by the usage server. For example, if a significant security vulnerability 933 has been discovered in the version of Calico being used. [Default: 934 true]' 935 type: boolean 936 usageReportingInitialDelay: 937 description: 'UsageReportingInitialDelay controls the minimum delay 938 before Felix makes a report. [Default: 300s]' 939 type: string 940 usageReportingInterval: 941 description: 'UsageReportingInterval controls the interval at which 942 Felix makes reports. [Default: 86400s]' 943 type: string 944 useInternalDataplaneDriver: 945 type: boolean 946 vxlanEnabled: 947 type: boolean 948 vxlanMTU: 949 description: 'VXLANMTU is the MTU to set on the tunnel device. See 950 Configuring MTU [Default: 1440]' 951 type: integer 952 vxlanPort: 953 type: integer 954 vxlanVNI: 955 type: integer 956 wireguardEnabled: 957 description: 'WireguardEnabled controls whether Wireguard is enabled. 958 [Default: false]' 959 type: boolean 960 wireguardInterfaceName: 961 description: 'WireguardInterfaceName specifies the name to use for 962 the Wireguard interface. [Default: wg.calico]' 963 type: string 964 wireguardListeningPort: 965 description: 'WireguardListeningPort controls the listening port used 966 by Wireguard. [Default: 51820]' 967 type: integer 968 wireguardMTU: 969 description: 'WireguardMTU controls the MTU on the Wireguard interface. 970 See Configuring MTU [Default: 1420]' 971 type: integer 972 wireguardRoutingRulePriority: 973 description: 'WireguardRoutingRulePriority controls the priority value 974 to use for the Wireguard routing rule. 
[Default: 99]' 975 type: integer 976 xdpEnabled: 977 description: 'XDPEnabled enables XDP acceleration for suitable untracked 978 incoming deny rules. [Default: true]' 979 type: boolean 980 xdpRefreshInterval: 981 description: 'XDPRefreshInterval is the period at which Felix re-checks 982 all XDP state to ensure that no other process has accidentally broken 983 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 984 refresh. [Default: 90s]' 985 type: string 986 type: object 987 type: object 988 served: true 989 storage: true 990 status: 991 acceptedNames: 992 kind: "" 993 plural: "" 994 conditions: [] 995 storedVersions: [] 996 997 --- 998 apiVersion: apiextensions.k8s.io/v1 999 kind: CustomResourceDefinition 1000 metadata: 1001 name: globalnetworkpolicies.crd.projectcalico.org 1002 spec: 1003 group: crd.projectcalico.org 1004 names: 1005 kind: GlobalNetworkPolicy 1006 listKind: GlobalNetworkPolicyList 1007 plural: globalnetworkpolicies 1008 singular: globalnetworkpolicy 1009 scope: Cluster 1010 versions: 1011 - name: v1 1012 schema: 1013 openAPIV3Schema: 1014 properties: 1015 apiVersion: 1016 description: 'APIVersion defines the versioned schema of this representation 1017 of an object. Servers should convert recognized schemas to the latest 1018 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1019 type: string 1020 kind: 1021 description: 'Kind is a string value representing the REST resource this 1022 object represents. Servers may infer this from the endpoint the client 1023 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1024 type: string 1025 metadata: 1026 type: object 1027 spec: 1028 properties: 1029 applyOnForward: 1030 description: ApplyOnForward indicates to apply the rules in this policy 1031 on forward traffic. 
1032 type: boolean 1033 doNotTrack: 1034 description: DoNotTrack indicates whether packets matched by the rules 1035 in this policy should go through the data plane's connection tracking, 1036 such as Linux conntrack. If True, the rules in this policy are 1037 applied before any data plane connection tracking, and packets allowed 1038 by this policy are marked as not to be tracked. 1039 type: boolean 1040 egress: 1041 description: The ordered set of egress rules. Each rule contains 1042 a set of packet match criteria and a corresponding action to apply. 1043 items: 1044 description: "A Rule encapsulates a set of match criteria and an 1045 action. Both selector-based security Policy and security Profiles 1046 reference rules - separated out as a list of rules for both ingress 1047 and egress packet matching. \n Each positive match criteria has 1048 a negated version, prefixed with \"Not\". All the match criteria 1049 within a rule must be satisfied for a packet to match. A single 1050 rule can contain the positive and negative version of a match 1051 and both must be satisfied for the rule to match." 1052 properties: 1053 action: 1054 type: string 1055 destination: 1056 description: Destination contains the match criteria that apply 1057 to destination entity. 1058 properties: 1059 namespaceSelector: 1060 description: "NamespaceSelector is an optional field that 1061 contains a selector expression. Only traffic that originates 1062 from (or terminates at) endpoints within the selected 1063 namespaces will be matched. When both NamespaceSelector 1064 and Selector are defined on the same rule, then only workload 1065 endpoints that are matched by both selectors will be selected 1066 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1067 implies that the Selector is limited to selecting only 1068 workload endpoints in the same namespace as the NetworkPolicy. 
1069 \n For NetworkPolicy, `global()` NamespaceSelector implies 1070 that the Selector is limited to selecting only GlobalNetworkSet 1071 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1072 NamespaceSelector implies the Selector applies to workload 1073 endpoints across all namespaces." 1074 type: string 1075 nets: 1076 description: Nets is an optional field that restricts the 1077 rule to only apply to traffic that originates from (or 1078 terminates at) IP addresses in any of the given subnets. 1079 items: 1080 type: string 1081 type: array 1082 notNets: 1083 description: NotNets is the negated version of the Nets 1084 field. 1085 items: 1086 type: string 1087 type: array 1088 notPorts: 1089 description: NotPorts is the negated version of the Ports 1090 field. Since only some protocols have ports, if any ports 1091 are specified it requires the Protocol match in the Rule 1092 to be set to "TCP" or "UDP". 1093 items: 1094 anyOf: 1095 - type: integer 1096 - type: string 1097 pattern: ^.* 1098 x-kubernetes-int-or-string: true 1099 type: array 1100 notSelector: 1101 description: NotSelector is the negated version of the Selector 1102 field. See Selector field for subtleties with negated 1103 selectors. 1104 type: string 1105 ports: 1106 description: "Ports is an optional field that restricts 1107 the rule to only apply to traffic that has a source (destination) 1108 port that matches one of these ranges/values. This value 1109 is a list of integers or strings that represent ranges 1110 of ports. \n Since only some protocols have ports, if 1111 any ports are specified it requires the Protocol match 1112 in the Rule to be set to \"TCP\" or \"UDP\"." 1113 items: 1114 anyOf: 1115 - type: integer 1116 - type: string 1117 pattern: ^.* 1118 x-kubernetes-int-or-string: true 1119 type: array 1120 selector: 1121 description: "Selector is an optional field that contains 1122 a selector expression (see Policy for sample syntax). 
1123 \ Only traffic that originates from (terminates at) endpoints 1124 matching the selector will be matched. \n Note that: in 1125 addition to the negated version of the Selector (see NotSelector 1126 below), the selector expression syntax itself supports 1127 negation. The two types of negation are subtly different. 1128 One negates the set of matched endpoints, the other negates 1129 the whole match: \n \tSelector = \"!has(my_label)\" matches 1130 packets that are from other Calico-controlled \tendpoints 1131 that do not have the label \"my_label\". \n \tNotSelector 1132 = \"has(my_label)\" matches packets that are not from 1133 Calico-controlled \tendpoints that do have the label \"my_label\". 1134 \n The effect is that the latter will accept packets from 1135 non-Calico sources whereas the former is limited to packets 1136 from Calico-controlled endpoints." 1137 type: string 1138 serviceAccounts: 1139 description: ServiceAccounts is an optional field that restricts 1140 the rule to only apply to traffic that originates from 1141 (or terminates at) a pod running as a matching service 1142 account. 1143 properties: 1144 names: 1145 description: Names is an optional field that restricts 1146 the rule to only apply to traffic that originates 1147 from (or terminates at) a pod running as a service 1148 account whose name is in the list. 1149 items: 1150 type: string 1151 type: array 1152 selector: 1153 description: Selector is an optional field that restricts 1154 the rule to only apply to traffic that originates 1155 from (or terminates at) a pod running as a service 1156 account that matches the given label selector. If 1157 both Names and Selector are specified then they are 1158 AND'ed. 1159 type: string 1160 type: object 1161 type: object 1162 http: 1163 description: HTTP contains match criteria that apply to HTTP 1164 requests. 
1165 properties: 1166 methods: 1167 description: Methods is an optional field that restricts 1168 the rule to apply only to HTTP requests that use one of 1169 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1170 methods are OR'd together. 1171 items: 1172 type: string 1173 type: array 1174 paths: 1175 description: 'Paths is an optional field that restricts 1176 the rule to apply to HTTP requests that use one of the 1177 listed HTTP Paths. Multiple paths are OR''d together. 1178 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1179 ONLY specify either a `exact` or a `prefix` match. The 1180 validator will check for it.' 1181 items: 1182 description: 'HTTPPath specifies an HTTP path to match. 1183 It may be either of the form: exact: <path>: which matches 1184 the path exactly or prefix: <path-prefix>: which matches 1185 the path prefix' 1186 properties: 1187 exact: 1188 type: string 1189 prefix: 1190 type: string 1191 type: object 1192 type: array 1193 type: object 1194 icmp: 1195 description: ICMP is an optional field that restricts the rule 1196 to apply to a specific type and code of ICMP traffic. This 1197 should only be specified if the Protocol field is set to "ICMP" 1198 or "ICMPv6". 1199 properties: 1200 code: 1201 description: Match on a specific ICMP code. If specified, 1202 the Type value must also be specified. This is a technical 1203 limitation imposed by the kernel's iptables firewall, 1204 which Calico uses to enforce the rule. 1205 type: integer 1206 type: 1207 description: Match on a specific ICMP type. For example 1208 a value of 8 refers to ICMP Echo Request (i.e. pings). 1209 type: integer 1210 type: object 1211 ipVersion: 1212 description: IPVersion is an optional field that restricts the 1213 rule to only match a specific IP version. 
1214 type: integer 1215 metadata: 1216 description: Metadata contains additional information for this 1217 rule 1218 properties: 1219 annotations: 1220 additionalProperties: 1221 type: string 1222 description: Annotations is a set of key value pairs that 1223 give extra information about the rule 1224 type: object 1225 type: object 1226 notICMP: 1227 description: NotICMP is the negated version of the ICMP field. 1228 properties: 1229 code: 1230 description: Match on a specific ICMP code. If specified, 1231 the Type value must also be specified. This is a technical 1232 limitation imposed by the kernel's iptables firewall, 1233 which Calico uses to enforce the rule. 1234 type: integer 1235 type: 1236 description: Match on a specific ICMP type. For example 1237 a value of 8 refers to ICMP Echo Request (i.e. pings). 1238 type: integer 1239 type: object 1240 notProtocol: 1241 anyOf: 1242 - type: integer 1243 - type: string 1244 description: NotProtocol is the negated version of the Protocol 1245 field. 1246 pattern: ^.* 1247 x-kubernetes-int-or-string: true 1248 protocol: 1249 anyOf: 1250 - type: integer 1251 - type: string 1252 description: "Protocol is an optional field that restricts the 1253 rule to only apply to traffic of a specific IP protocol. Required 1254 if any of the EntityRules contain Ports (because ports only 1255 apply to certain protocols). \n Must be one of these string 1256 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1257 \"UDPLite\" or an integer in the range 1-255." 1258 pattern: ^.* 1259 x-kubernetes-int-or-string: true 1260 source: 1261 description: Source contains the match criteria that apply to 1262 source entity. 1263 properties: 1264 namespaceSelector: 1265 description: "NamespaceSelector is an optional field that 1266 contains a selector expression. Only traffic that originates 1267 from (or terminates at) endpoints within the selected 1268 namespaces will be matched. 
When both NamespaceSelector 1269 and Selector are defined on the same rule, then only workload 1270 endpoints that are matched by both selectors will be selected 1271 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1272 implies that the Selector is limited to selecting only 1273 workload endpoints in the same namespace as the NetworkPolicy. 1274 \n For NetworkPolicy, `global()` NamespaceSelector implies 1275 that the Selector is limited to selecting only GlobalNetworkSet 1276 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1277 NamespaceSelector implies the Selector applies to workload 1278 endpoints across all namespaces." 1279 type: string 1280 nets: 1281 description: Nets is an optional field that restricts the 1282 rule to only apply to traffic that originates from (or 1283 terminates at) IP addresses in any of the given subnets. 1284 items: 1285 type: string 1286 type: array 1287 notNets: 1288 description: NotNets is the negated version of the Nets 1289 field. 1290 items: 1291 type: string 1292 type: array 1293 notPorts: 1294 description: NotPorts is the negated version of the Ports 1295 field. Since only some protocols have ports, if any ports 1296 are specified it requires the Protocol match in the Rule 1297 to be set to "TCP" or "UDP". 1298 items: 1299 anyOf: 1300 - type: integer 1301 - type: string 1302 pattern: ^.* 1303 x-kubernetes-int-or-string: true 1304 type: array 1305 notSelector: 1306 description: NotSelector is the negated version of the Selector 1307 field. See Selector field for subtleties with negated 1308 selectors. 1309 type: string 1310 ports: 1311 description: "Ports is an optional field that restricts 1312 the rule to only apply to traffic that has a source (destination) 1313 port that matches one of these ranges/values. This value 1314 is a list of integers or strings that represent ranges 1315 of ports. 
\n Since only some protocols have ports, if 1316 any ports are specified it requires the Protocol match 1317 in the Rule to be set to \"TCP\" or \"UDP\"." 1318 items: 1319 anyOf: 1320 - type: integer 1321 - type: string 1322 pattern: ^.* 1323 x-kubernetes-int-or-string: true 1324 type: array 1325 selector: 1326 description: "Selector is an optional field that contains 1327 a selector expression (see Policy for sample syntax). 1328 \ Only traffic that originates from (terminates at) endpoints 1329 matching the selector will be matched. \n Note that: in 1330 addition to the negated version of the Selector (see NotSelector 1331 below), the selector expression syntax itself supports 1332 negation. The two types of negation are subtly different. 1333 One negates the set of matched endpoints, the other negates 1334 the whole match: \n \tSelector = \"!has(my_label)\" matches 1335 packets that are from other Calico-controlled \tendpoints 1336 that do not have the label \"my_label\". \n \tNotSelector 1337 = \"has(my_label)\" matches packets that are not from 1338 Calico-controlled \tendpoints that do have the label \"my_label\". 1339 \n The effect is that the latter will accept packets from 1340 non-Calico sources whereas the former is limited to packets 1341 from Calico-controlled endpoints." 1342 type: string 1343 serviceAccounts: 1344 description: ServiceAccounts is an optional field that restricts 1345 the rule to only apply to traffic that originates from 1346 (or terminates at) a pod running as a matching service 1347 account. 1348 properties: 1349 names: 1350 description: Names is an optional field that restricts 1351 the rule to only apply to traffic that originates 1352 from (or terminates at) a pod running as a service 1353 account whose name is in the list. 
1354 items: 1355 type: string 1356 type: array 1357 selector: 1358 description: Selector is an optional field that restricts 1359 the rule to only apply to traffic that originates 1360 from (or terminates at) a pod running as a service 1361 account that matches the given label selector. If 1362 both Names and Selector are specified then they are 1363 AND'ed. 1364 type: string 1365 type: object 1366 type: object 1367 required: 1368 - action 1369 type: object 1370 type: array 1371 ingress: 1372 description: The ordered set of ingress rules. Each rule contains 1373 a set of packet match criteria and a corresponding action to apply. 1374 items: 1375 description: "A Rule encapsulates a set of match criteria and an 1376 action. Both selector-based security Policy and security Profiles 1377 reference rules - separated out as a list of rules for both ingress 1378 and egress packet matching. \n Each positive match criteria has 1379 a negated version, prefixed with \"Not\". All the match criteria 1380 within a rule must be satisfied for a packet to match. A single 1381 rule can contain the positive and negative version of a match 1382 and both must be satisfied for the rule to match." 1383 properties: 1384 action: 1385 type: string 1386 destination: 1387 description: Destination contains the match criteria that apply 1388 to destination entity. 1389 properties: 1390 namespaceSelector: 1391 description: "NamespaceSelector is an optional field that 1392 contains a selector expression. Only traffic that originates 1393 from (or terminates at) endpoints within the selected 1394 namespaces will be matched. When both NamespaceSelector 1395 and Selector are defined on the same rule, then only workload 1396 endpoints that are matched by both selectors will be selected 1397 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1398 implies that the Selector is limited to selecting only 1399 workload endpoints in the same namespace as the NetworkPolicy. 
1400 \n For NetworkPolicy, `global()` NamespaceSelector implies 1401 that the Selector is limited to selecting only GlobalNetworkSet 1402 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1403 NamespaceSelector implies the Selector applies to workload 1404 endpoints across all namespaces." 1405 type: string 1406 nets: 1407 description: Nets is an optional field that restricts the 1408 rule to only apply to traffic that originates from (or 1409 terminates at) IP addresses in any of the given subnets. 1410 items: 1411 type: string 1412 type: array 1413 notNets: 1414 description: NotNets is the negated version of the Nets 1415 field. 1416 items: 1417 type: string 1418 type: array 1419 notPorts: 1420 description: NotPorts is the negated version of the Ports 1421 field. Since only some protocols have ports, if any ports 1422 are specified it requires the Protocol match in the Rule 1423 to be set to "TCP" or "UDP". 1424 items: 1425 anyOf: 1426 - type: integer 1427 - type: string 1428 pattern: ^.* 1429 x-kubernetes-int-or-string: true 1430 type: array 1431 notSelector: 1432 description: NotSelector is the negated version of the Selector 1433 field. See Selector field for subtleties with negated 1434 selectors. 1435 type: string 1436 ports: 1437 description: "Ports is an optional field that restricts 1438 the rule to only apply to traffic that has a source (destination) 1439 port that matches one of these ranges/values. This value 1440 is a list of integers or strings that represent ranges 1441 of ports. \n Since only some protocols have ports, if 1442 any ports are specified it requires the Protocol match 1443 in the Rule to be set to \"TCP\" or \"UDP\"." 1444 items: 1445 anyOf: 1446 - type: integer 1447 - type: string 1448 pattern: ^.* 1449 x-kubernetes-int-or-string: true 1450 type: array 1451 selector: 1452 description: "Selector is an optional field that contains 1453 a selector expression (see Policy for sample syntax). 
1454 \ Only traffic that originates from (terminates at) endpoints 1455 matching the selector will be matched. \n Note that: in 1456 addition to the negated version of the Selector (see NotSelector 1457 below), the selector expression syntax itself supports 1458 negation. The two types of negation are subtly different. 1459 One negates the set of matched endpoints, the other negates 1460 the whole match: \n \tSelector = \"!has(my_label)\" matches 1461 packets that are from other Calico-controlled \tendpoints 1462 that do not have the label \"my_label\". \n \tNotSelector 1463 = \"has(my_label)\" matches packets that are not from 1464 Calico-controlled \tendpoints that do have the label \"my_label\". 1465 \n The effect is that the latter will accept packets from 1466 non-Calico sources whereas the former is limited to packets 1467 from Calico-controlled endpoints." 1468 type: string 1469 serviceAccounts: 1470 description: ServiceAccounts is an optional field that restricts 1471 the rule to only apply to traffic that originates from 1472 (or terminates at) a pod running as a matching service 1473 account. 1474 properties: 1475 names: 1476 description: Names is an optional field that restricts 1477 the rule to only apply to traffic that originates 1478 from (or terminates at) a pod running as a service 1479 account whose name is in the list. 1480 items: 1481 type: string 1482 type: array 1483 selector: 1484 description: Selector is an optional field that restricts 1485 the rule to only apply to traffic that originates 1486 from (or terminates at) a pod running as a service 1487 account that matches the given label selector. If 1488 both Names and Selector are specified then they are 1489 AND'ed. 1490 type: string 1491 type: object 1492 type: object 1493 http: 1494 description: HTTP contains match criteria that apply to HTTP 1495 requests. 
1496 properties: 1497 methods: 1498 description: Methods is an optional field that restricts 1499 the rule to apply only to HTTP requests that use one of 1500 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1501 methods are OR'd together. 1502 items: 1503 type: string 1504 type: array 1505 paths: 1506 description: 'Paths is an optional field that restricts 1507 the rule to apply to HTTP requests that use one of the 1508 listed HTTP Paths. Multiple paths are OR''d together. 1509 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1510 ONLY specify either a `exact` or a `prefix` match. The 1511 validator will check for it.' 1512 items: 1513 description: 'HTTPPath specifies an HTTP path to match. 1514 It may be either of the form: exact: <path>: which matches 1515 the path exactly or prefix: <path-prefix>: which matches 1516 the path prefix' 1517 properties: 1518 exact: 1519 type: string 1520 prefix: 1521 type: string 1522 type: object 1523 type: array 1524 type: object 1525 icmp: 1526 description: ICMP is an optional field that restricts the rule 1527 to apply to a specific type and code of ICMP traffic. This 1528 should only be specified if the Protocol field is set to "ICMP" 1529 or "ICMPv6". 1530 properties: 1531 code: 1532 description: Match on a specific ICMP code. If specified, 1533 the Type value must also be specified. This is a technical 1534 limitation imposed by the kernel's iptables firewall, 1535 which Calico uses to enforce the rule. 1536 type: integer 1537 type: 1538 description: Match on a specific ICMP type. For example 1539 a value of 8 refers to ICMP Echo Request (i.e. pings). 1540 type: integer 1541 type: object 1542 ipVersion: 1543 description: IPVersion is an optional field that restricts the 1544 rule to only match a specific IP version. 
1545 type: integer 1546 metadata: 1547 description: Metadata contains additional information for this 1548 rule 1549 properties: 1550 annotations: 1551 additionalProperties: 1552 type: string 1553 description: Annotations is a set of key value pairs that 1554 give extra information about the rule 1555 type: object 1556 type: object 1557 notICMP: 1558 description: NotICMP is the negated version of the ICMP field. 1559 properties: 1560 code: 1561 description: Match on a specific ICMP code. If specified, 1562 the Type value must also be specified. This is a technical 1563 limitation imposed by the kernel's iptables firewall, 1564 which Calico uses to enforce the rule. 1565 type: integer 1566 type: 1567 description: Match on a specific ICMP type. For example 1568 a value of 8 refers to ICMP Echo Request (i.e. pings). 1569 type: integer 1570 type: object 1571 notProtocol: 1572 anyOf: 1573 - type: integer 1574 - type: string 1575 description: NotProtocol is the negated version of the Protocol 1576 field. 1577 pattern: ^.* 1578 x-kubernetes-int-or-string: true 1579 protocol: 1580 anyOf: 1581 - type: integer 1582 - type: string 1583 description: "Protocol is an optional field that restricts the 1584 rule to only apply to traffic of a specific IP protocol. Required 1585 if any of the EntityRules contain Ports (because ports only 1586 apply to certain protocols). \n Must be one of these string 1587 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1588 \"UDPLite\" or an integer in the range 1-255." 1589 pattern: ^.* 1590 x-kubernetes-int-or-string: true 1591 source: 1592 description: Source contains the match criteria that apply to 1593 source entity. 1594 properties: 1595 namespaceSelector: 1596 description: "NamespaceSelector is an optional field that 1597 contains a selector expression. Only traffic that originates 1598 from (or terminates at) endpoints within the selected 1599 namespaces will be matched. 
When both NamespaceSelector 1600 and Selector are defined on the same rule, then only workload 1601 endpoints that are matched by both selectors will be selected 1602 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 1603 implies that the Selector is limited to selecting only 1604 workload endpoints in the same namespace as the NetworkPolicy. 1605 \n For NetworkPolicy, `global()` NamespaceSelector implies 1606 that the Selector is limited to selecting only GlobalNetworkSet 1607 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 1608 NamespaceSelector implies the Selector applies to workload 1609 endpoints across all namespaces." 1610 type: string 1611 nets: 1612 description: Nets is an optional field that restricts the 1613 rule to only apply to traffic that originates from (or 1614 terminates at) IP addresses in any of the given subnets. 1615 items: 1616 type: string 1617 type: array 1618 notNets: 1619 description: NotNets is the negated version of the Nets 1620 field. 1621 items: 1622 type: string 1623 type: array 1624 notPorts: 1625 description: NotPorts is the negated version of the Ports 1626 field. Since only some protocols have ports, if any ports 1627 are specified it requires the Protocol match in the Rule 1628 to be set to "TCP" or "UDP". 1629 items: 1630 anyOf: 1631 - type: integer 1632 - type: string 1633 pattern: ^.* 1634 x-kubernetes-int-or-string: true 1635 type: array 1636 notSelector: 1637 description: NotSelector is the negated version of the Selector 1638 field. See Selector field for subtleties with negated 1639 selectors. 1640 type: string 1641 ports: 1642 description: "Ports is an optional field that restricts 1643 the rule to only apply to traffic that has a source (destination) 1644 port that matches one of these ranges/values. This value 1645 is a list of integers or strings that represent ranges 1646 of ports. 
\n Since only some protocols have ports, if 1647 any ports are specified it requires the Protocol match 1648 in the Rule to be set to \"TCP\" or \"UDP\"." 1649 items: 1650 anyOf: 1651 - type: integer 1652 - type: string 1653 pattern: ^.* 1654 x-kubernetes-int-or-string: true 1655 type: array 1656 selector: 1657 description: "Selector is an optional field that contains 1658 a selector expression (see Policy for sample syntax). 1659 \ Only traffic that originates from (terminates at) endpoints 1660 matching the selector will be matched. \n Note that: in 1661 addition to the negated version of the Selector (see NotSelector 1662 below), the selector expression syntax itself supports 1663 negation. The two types of negation are subtly different. 1664 One negates the set of matched endpoints, the other negates 1665 the whole match: \n \tSelector = \"!has(my_label)\" matches 1666 packets that are from other Calico-controlled \tendpoints 1667 that do not have the label \"my_label\". \n \tNotSelector 1668 = \"has(my_label)\" matches packets that are not from 1669 Calico-controlled \tendpoints that do have the label \"my_label\". 1670 \n The effect is that the latter will accept packets from 1671 non-Calico sources whereas the former is limited to packets 1672 from Calico-controlled endpoints." 1673 type: string 1674 serviceAccounts: 1675 description: ServiceAccounts is an optional field that restricts 1676 the rule to only apply to traffic that originates from 1677 (or terminates at) a pod running as a matching service 1678 account. 1679 properties: 1680 names: 1681 description: Names is an optional field that restricts 1682 the rule to only apply to traffic that originates 1683 from (or terminates at) a pod running as a service 1684 account whose name is in the list. 
1685 items: 1686 type: string 1687 type: array 1688 selector: 1689 description: Selector is an optional field that restricts 1690 the rule to only apply to traffic that originates 1691 from (or terminates at) a pod running as a service 1692 account that matches the given label selector. If 1693 both Names and Selector are specified then they are 1694 AND'ed. 1695 type: string 1696 type: object 1697 type: object 1698 required: 1699 - action 1700 type: object 1701 type: array 1702 namespaceSelector: 1703 description: NamespaceSelector is an optional field for an expression 1704 used to select a pod based on namespaces. 1705 type: string 1706 order: 1707 description: Order is an optional field that specifies the order in 1708 which the policy is applied. Policies with higher "order" are applied 1709 after those with lower order. If the order is omitted, it may be 1710 considered to be "infinite" - i.e. the policy will be applied last. Policies 1711 with identical order will be applied in alphanumerical order based 1712 on the Policy "Name". 1713 type: number 1714 preDNAT: 1715 description: PreDNAT indicates to apply the rules in this policy before 1716 any DNAT. 1717 type: boolean 1718 selector: 1719 description: "The selector is an expression used to pick out 1720 the endpoints that the policy should be applied to. \n Selector 1721 expressions follow this syntax: \n \tlabel == \"string_literal\" 1722 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 1723 \ -> not equal; also matches if label is not present \tlabel in 1724 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 1725 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 1726 ... } -> true if the value of label X is not one of \"a\", \"b\", 1727 \"c\" \thas(label_name) -> True if that label is present \t!
expr 1728 -> negation of expr \texpr && expr -> Short-circuit and \texpr 1729 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 1730 or the empty selector -> matches all endpoints. \n Label names are 1731 allowed to contain alphanumerics, -, _ and /. String literals are 1732 more permissive but they do not support escape characters. \n Examples 1733 (with made-up labels): \n \ttype == \"webserver\" && deployment 1734 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 1735 \"dev\" \t! has(label_name)" 1736 type: string 1737 serviceAccountSelector: 1738 description: ServiceAccountSelector is an optional field for an expression 1739 used to select a pod based on service accounts. 1740 type: string 1741 types: 1742 description: "Types indicates whether this policy applies to ingress, 1743 or to egress, or to both. When not explicitly specified (and so 1744 the value on creation is empty or nil), Calico defaults Types according 1745 to what Ingress and Egress rules are present in the policy. The 1746 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 1747 (including the case where there are also no Ingress rules) \n 1748 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 1749 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 1750 both Ingress and Egress rules. \n When the policy is read back again, 1751 Types will always be one of these values, never empty or nil." 1752 items: 1753 description: PolicyType enumerates the possible values of the PolicySpec 1754 Types field. 
1755 type: string 1756 type: array 1757 type: object 1758 type: object 1759 served: true 1760 storage: true 1761 status: 1762 acceptedNames: 1763 kind: "" 1764 plural: "" 1765 conditions: [] 1766 storedVersions: [] 1767 1768 --- 1769 apiVersion: apiextensions.k8s.io/v1 1770 kind: CustomResourceDefinition 1771 metadata: 1772 name: globalnetworksets.crd.projectcalico.org 1773 spec: 1774 group: crd.projectcalico.org 1775 names: 1776 kind: GlobalNetworkSet 1777 listKind: GlobalNetworkSetList 1778 plural: globalnetworksets 1779 singular: globalnetworkset 1780 scope: Cluster 1781 versions: 1782 - name: v1 1783 schema: 1784 openAPIV3Schema: 1785 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 1786 that share labels to allow rules to refer to them via selectors. The labels 1787 of GlobalNetworkSet are not namespaced. 1788 properties: 1789 apiVersion: 1790 description: 'APIVersion defines the versioned schema of this representation 1791 of an object. Servers should convert recognized schemas to the latest 1792 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1793 type: string 1794 kind: 1795 description: 'Kind is a string value representing the REST resource this 1796 object represents. Servers may infer this from the endpoint the client 1797 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1798 type: string 1799 metadata: 1800 type: object 1801 spec: 1802 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 1803 resource. 1804 properties: 1805 nets: 1806 description: The list of IP networks that belong to this set. 
1807 items: 1808 type: string 1809 type: array 1810 type: object 1811 type: object 1812 served: true 1813 storage: true 1814 status: 1815 acceptedNames: 1816 kind: "" 1817 plural: "" 1818 conditions: [] 1819 storedVersions: [] 1820 1821 --- 1822 apiVersion: apiextensions.k8s.io/v1 1823 kind: CustomResourceDefinition 1824 metadata: 1825 name: hostendpoints.crd.projectcalico.org 1826 spec: 1827 group: crd.projectcalico.org 1828 names: 1829 kind: HostEndpoint 1830 listKind: HostEndpointList 1831 plural: hostendpoints 1832 singular: hostendpoint 1833 scope: Cluster 1834 versions: 1835 - name: v1 1836 schema: 1837 openAPIV3Schema: 1838 properties: 1839 apiVersion: 1840 description: 'APIVersion defines the versioned schema of this representation 1841 of an object. Servers should convert recognized schemas to the latest 1842 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1843 type: string 1844 kind: 1845 description: 'Kind is a string value representing the REST resource this 1846 object represents. Servers may infer this from the endpoint the client 1847 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1848 type: string 1849 metadata: 1850 type: object 1851 spec: 1852 description: HostEndpointSpec contains the specification for a HostEndpoint 1853 resource. 1854 properties: 1855 expectedIPs: 1856 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 1857 If \"InterfaceName\" is not present, Calico will look for an interface 1858 matching any of the IPs in the list and apply policy to that. Note: 1859 \tWhen using the selector match criteria in an ingress or egress 1860 security Policy \tor Profile, Calico converts the selector into 1861 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 1862 is used for that purpose. 
(If only the interface \tname is specified, 1863 Calico does not learn the IPs of the interface for use in match 1864 \tcriteria.)" 1865 items: 1866 type: string 1867 type: array 1868 interfaceName: 1869 description: "Either \"*\", or the name of a specific Linux interface 1870 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 1871 governs all traffic to, from or through the default network namespace 1872 of the host named by the \"Node\" field; entering and leaving that 1873 namespace via any interface, including those from/to non-host-networked 1874 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 1875 only governs traffic that enters or leaves the host through the 1876 specific interface named by InterfaceName, or - when InterfaceName 1877 is empty - through the specific interface that has one of the IPs 1878 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 1879 one expected IP must be specified. Only external interfaces (such 1880 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 1881 to protect traffic through a specific local workload interface. 1882 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 1883 initially just pre-DNAT policy. Please check Calico documentation 1884 for the latest position." 1885 type: string 1886 node: 1887 description: The node name identifying the Calico node instance. 1888 type: string 1889 ports: 1890 description: Ports contains the endpoint's named ports, which may 1891 be referenced in security policy rules. 1892 items: 1893 properties: 1894 name: 1895 type: string 1896 port: 1897 type: integer 1898 protocol: 1899 anyOf: 1900 - type: integer 1901 - type: string 1902 pattern: ^.* 1903 x-kubernetes-int-or-string: true 1904 required: 1905 - name 1906 - port 1907 - protocol 1908 type: object 1909 type: array 1910 profiles: 1911 description: A list of identifiers of security Profile objects that 1912 apply to this endpoint. 
Each profile is applied in the order that 1913 they appear in this list. Profile rules are applied after the selector-based 1914 security policy. 1915 items: 1916 type: string 1917 type: array 1918 type: object 1919 type: object 1920 served: true 1921 storage: true 1922 status: 1923 acceptedNames: 1924 kind: "" 1925 plural: "" 1926 conditions: [] 1927 storedVersions: [] 1928 1929 --- 1930 apiVersion: apiextensions.k8s.io/v1 1931 kind: CustomResourceDefinition 1932 metadata: 1933 name: ipamblocks.crd.projectcalico.org 1934 spec: 1935 group: crd.projectcalico.org 1936 names: 1937 kind: IPAMBlock 1938 listKind: IPAMBlockList 1939 plural: ipamblocks 1940 singular: ipamblock 1941 scope: Cluster 1942 versions: 1943 - name: v1 1944 schema: 1945 openAPIV3Schema: 1946 properties: 1947 apiVersion: 1948 description: 'APIVersion defines the versioned schema of this representation 1949 of an object. Servers should convert recognized schemas to the latest 1950 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1951 type: string 1952 kind: 1953 description: 'Kind is a string value representing the REST resource this 1954 object represents. Servers may infer this from the endpoint the client 1955 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1956 type: string 1957 metadata: 1958 type: object 1959 spec: 1960 description: IPAMBlockSpec contains the specification for an IPAMBlock 1961 resource. 1962 properties: 1963 affinity: 1964 type: string 1965 allocations: 1966 items: 1967 type: integer 1968 # TODO: This nullable is manually added in. We should update controller-gen 1969 # to handle []*int properly itself. 
1970 nullable: true 1971 type: array 1972 attributes: 1973 items: 1974 properties: 1975 handle_id: 1976 type: string 1977 secondary: 1978 additionalProperties: 1979 type: string 1980 type: object 1981 type: object 1982 type: array 1983 cidr: 1984 type: string 1985 deleted: 1986 type: boolean 1987 strictAffinity: 1988 type: boolean 1989 unallocated: 1990 items: 1991 type: integer 1992 type: array 1993 required: 1994 - allocations 1995 - attributes 1996 - cidr 1997 - strictAffinity 1998 - unallocated 1999 type: object 2000 type: object 2001 served: true 2002 storage: true 2003 status: 2004 acceptedNames: 2005 kind: "" 2006 plural: "" 2007 conditions: [] 2008 storedVersions: [] 2009 2010 --- 2011 apiVersion: apiextensions.k8s.io/v1 2012 kind: CustomResourceDefinition 2013 metadata: 2014 name: ipamconfigs.crd.projectcalico.org 2015 spec: 2016 group: crd.projectcalico.org 2017 names: 2018 kind: IPAMConfig 2019 listKind: IPAMConfigList 2020 plural: ipamconfigs 2021 singular: ipamconfig 2022 scope: Cluster 2023 versions: 2024 - name: v1 2025 schema: 2026 openAPIV3Schema: 2027 properties: 2028 apiVersion: 2029 description: 'APIVersion defines the versioned schema of this representation 2030 of an object. Servers should convert recognized schemas to the latest 2031 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2032 type: string 2033 kind: 2034 description: 'Kind is a string value representing the REST resource this 2035 object represents. Servers may infer this from the endpoint the client 2036 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2037 type: string 2038 metadata: 2039 type: object 2040 spec: 2041 description: IPAMConfigSpec contains the specification for an IPAMConfig 2042 resource. 
2043 properties: 2044 autoAllocateBlocks: 2045 type: boolean 2046 maxBlocksPerHost: 2047 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 2048 that can be affine to each host. 2049 type: integer 2050 strictAffinity: 2051 type: boolean 2052 required: 2053 - autoAllocateBlocks 2054 - strictAffinity 2055 type: object 2056 type: object 2057 served: true 2058 storage: true 2059 status: 2060 acceptedNames: 2061 kind: "" 2062 plural: "" 2063 conditions: [] 2064 storedVersions: [] 2065 2066 --- 2067 apiVersion: apiextensions.k8s.io/v1 2068 kind: CustomResourceDefinition 2069 metadata: 2070 name: ipamhandles.crd.projectcalico.org 2071 spec: 2072 group: crd.projectcalico.org 2073 names: 2074 kind: IPAMHandle 2075 listKind: IPAMHandleList 2076 plural: ipamhandles 2077 singular: ipamhandle 2078 scope: Cluster 2079 versions: 2080 - name: v1 2081 schema: 2082 openAPIV3Schema: 2083 properties: 2084 apiVersion: 2085 description: 'APIVersion defines the versioned schema of this representation 2086 of an object. Servers should convert recognized schemas to the latest 2087 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2088 type: string 2089 kind: 2090 description: 'Kind is a string value representing the REST resource this 2091 object represents. Servers may infer this from the endpoint the client 2092 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2093 type: string 2094 metadata: 2095 type: object 2096 spec: 2097 description: IPAMHandleSpec contains the specification for an IPAMHandle 2098 resource. 
2099 properties: 2100 block: 2101 additionalProperties: 2102 type: integer 2103 type: object 2104 deleted: 2105 type: boolean 2106 handleID: 2107 type: string 2108 required: 2109 - block 2110 - handleID 2111 type: object 2112 type: object 2113 served: true 2114 storage: true 2115 status: 2116 acceptedNames: 2117 kind: "" 2118 plural: "" 2119 conditions: [] 2120 storedVersions: [] 2121 2122 --- 2123 apiVersion: apiextensions.k8s.io/v1 2124 kind: CustomResourceDefinition 2125 metadata: 2126 name: ippools.crd.projectcalico.org 2127 spec: 2128 group: crd.projectcalico.org 2129 names: 2130 kind: IPPool 2131 listKind: IPPoolList 2132 plural: ippools 2133 singular: ippool 2134 scope: Cluster 2135 versions: 2136 - name: v1 2137 schema: 2138 openAPIV3Schema: 2139 properties: 2140 apiVersion: 2141 description: 'APIVersion defines the versioned schema of this representation 2142 of an object. Servers should convert recognized schemas to the latest 2143 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2144 type: string 2145 kind: 2146 description: 'Kind is a string value representing the REST resource this 2147 object represents. Servers may infer this from the endpoint the client 2148 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2149 type: string 2150 metadata: 2151 type: object 2152 spec: 2153 description: IPPoolSpec contains the specification for an IPPool resource. 2154 properties: 2155 blockSize: 2156 description: The block size to use for IP address assignments from 2157 this pool. Defaults to 26 for IPv4 and 112 for IPv6. 2158 type: integer 2159 cidr: 2160 description: The pool CIDR. 2161 type: string 2162 disabled: 2163 description: When disabled is true, Calico IPAM will not assign addresses 2164 from this pool. 
2165 type: boolean 2166 ipip: 2167 description: 'Deprecated: this field is only used for APIv1 backwards 2168 compatibility. Setting this field is not allowed, this field is 2169 for internal use only.' 2170 properties: 2171 enabled: 2172 description: When enabled is true, ipip tunneling will be used 2173 to deliver packets to destinations within this pool. 2174 type: boolean 2175 mode: 2176 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 2177 mode of "always" will also use IPIP tunneling for routing to 2178 destination IP addresses within this pool. A mode of "cross-subnet" 2179 will only use IPIP tunneling when the destination node is on 2180 a different subnet to the originating node. The default value 2181 (if not specified) is "always". 2182 type: string 2183 type: object 2184 ipipMode: 2185 description: Contains configuration for IPIP tunneling for this pool. 2186 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 2187 is disabled). 2188 type: string 2189 nat-outgoing: 2190 description: 'Deprecated: this field is only used for APIv1 backwards 2191 compatibility. Setting this field is not allowed, this field is 2192 for internal use only.' 2193 type: boolean 2194 natOutgoing: 2195 description: When nat-outgoing is true, packets sent from Calico networked 2196 containers in this pool to destinations outside of this pool will 2197 be masqueraded. 2198 type: boolean 2199 nodeSelector: 2200 description: Allows IPPool to allocate for a specific node by label 2201 selector. 2202 type: string 2203 vxlanMode: 2204 description: Contains configuration for VXLAN tunneling for this pool. 2205 If not specified, then this is defaulted to "Never" (i.e. VXLAN 2206 tunneling is disabled). 
2207 type: string 2208 required: 2209 - cidr 2210 type: object 2211 type: object 2212 served: true 2213 storage: true 2214 status: 2215 acceptedNames: 2216 kind: "" 2217 plural: "" 2218 conditions: [] 2219 storedVersions: [] 2220 2221 --- 2222 apiVersion: apiextensions.k8s.io/v1 2223 kind: CustomResourceDefinition 2224 metadata: 2225 name: kubecontrollersconfigurations.crd.projectcalico.org 2226 spec: 2227 group: crd.projectcalico.org 2228 names: 2229 kind: KubeControllersConfiguration 2230 listKind: KubeControllersConfigurationList 2231 plural: kubecontrollersconfigurations 2232 singular: kubecontrollersconfiguration 2233 scope: Cluster 2234 versions: 2235 - name: v1 2236 schema: 2237 openAPIV3Schema: 2238 properties: 2239 apiVersion: 2240 description: 'APIVersion defines the versioned schema of this representation 2241 of an object. Servers should convert recognized schemas to the latest 2242 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2243 type: string 2244 kind: 2245 description: 'Kind is a string value representing the REST resource this 2246 object represents. Servers may infer this from the endpoint the client 2247 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2248 type: string 2249 metadata: 2250 type: object 2251 spec: 2252 description: KubeControllersConfigurationSpec contains the values of the 2253 Kubernetes controllers configuration. 2254 properties: 2255 controllers: 2256 description: Controllers enables and configures individual Kubernetes 2257 controllers 2258 properties: 2259 namespace: 2260 description: Namespace enables and configures the namespace controller. 2261 Enabled by default, set to nil to disable. 
2262 properties: 2263 reconcilerPeriod: 2264 description: 'ReconcilerPeriod is the period to perform reconciliation 2265 with the Calico datastore. [Default: 5m]' 2266 type: string 2267 type: object 2268 node: 2269 description: Node enables and configures the node controller. 2270 Enabled by default, set to nil to disable. 2271 properties: 2272 hostEndpoint: 2273 description: HostEndpoint controls syncing nodes to host endpoints. 2274 Disabled by default, set to nil to disable. 2275 properties: 2276 autoCreate: 2277 description: 'AutoCreate enables automatic creation of 2278 host endpoints for every node. [Default: Disabled]' 2279 type: string 2280 type: object 2281 reconcilerPeriod: 2282 description: 'ReconcilerPeriod is the period to perform reconciliation 2283 with the Calico datastore. [Default: 5m]' 2284 type: string 2285 syncLabels: 2286 description: 'SyncLabels controls whether to copy Kubernetes 2287 node labels to Calico nodes. [Default: Enabled]' 2288 type: string 2289 type: object 2290 policy: 2291 description: Policy enables and configures the policy controller. 2292 Enabled by default, set to nil to disable. 2293 properties: 2294 reconcilerPeriod: 2295 description: 'ReconcilerPeriod is the period to perform reconciliation 2296 with the Calico datastore. [Default: 5m]' 2297 type: string 2298 type: object 2299 serviceAccount: 2300 description: ServiceAccount enables and configures the service 2301 account controller. Enabled by default, set to nil to disable. 2302 properties: 2303 reconcilerPeriod: 2304 description: 'ReconcilerPeriod is the period to perform reconciliation 2305 with the Calico datastore. [Default: 5m]' 2306 type: string 2307 type: object 2308 workloadEndpoint: 2309 description: WorkloadEndpoint enables and configures the workload 2310 endpoint controller. Enabled by default, set to nil to disable. 
2311 properties: 2312 reconcilerPeriod: 2313 description: 'ReconcilerPeriod is the period to perform reconciliation 2314 with the Calico datastore. [Default: 5m]' 2315 type: string 2316 type: object 2317 type: object 2318 etcdV3CompactionPeriod: 2319 description: 'EtcdV3CompactionPeriod is the period between etcdv3 2320 compaction requests. Set to 0 to disable. [Default: 10m]' 2321 type: string 2322 healthChecks: 2323 description: 'HealthChecks enables or disables support for health 2324 checks [Default: Enabled]' 2325 type: string 2326 logSeverityScreen: 2327 description: 'LogSeverityScreen is the log severity above which logs 2328 are sent to the stdout. [Default: Info]' 2329 type: string 2330 prometheusMetricsPort: 2331 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 2332 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 2333 type: integer 2334 required: 2335 - controllers 2336 type: object 2337 status: 2338 description: KubeControllersConfigurationStatus represents the status 2339 of the configuration. It's useful for admins to be able to see the actual 2340 config that was applied, which can be modified by environment variables 2341 on the kube-controllers process. 2342 properties: 2343 environmentVars: 2344 additionalProperties: 2345 type: string 2346 description: EnvironmentVars contains the environment variables on 2347 the kube-controllers that influenced the RunningConfig. 2348 type: object 2349 runningConfig: 2350 description: RunningConfig contains the effective config that is running 2351 in the kube-controllers pod, after merging the API resource with 2352 any environment variables. 2353 properties: 2354 controllers: 2355 description: Controllers enables and configures individual Kubernetes 2356 controllers 2357 properties: 2358 namespace: 2359 description: Namespace enables and configures the namespace 2360 controller. Enabled by default, set to nil to disable. 
2361 properties: 2362 reconcilerPeriod: 2363 description: 'ReconcilerPeriod is the period to perform 2364 reconciliation with the Calico datastore. [Default: 2365 5m]' 2366 type: string 2367 type: object 2368 node: 2369 description: Node enables and configures the node controller. 2370 Enabled by default, set to nil to disable. 2371 properties: 2372 hostEndpoint: 2373 description: HostEndpoint controls syncing nodes to host 2374 endpoints. Disabled by default, set to nil to disable. 2375 properties: 2376 autoCreate: 2377 description: 'AutoCreate enables automatic creation 2378 of host endpoints for every node. [Default: Disabled]' 2379 type: string 2380 type: object 2381 reconcilerPeriod: 2382 description: 'ReconcilerPeriod is the period to perform 2383 reconciliation with the Calico datastore. [Default: 2384 5m]' 2385 type: string 2386 syncLabels: 2387 description: 'SyncLabels controls whether to copy Kubernetes 2388 node labels to Calico nodes. [Default: Enabled]' 2389 type: string 2390 type: object 2391 policy: 2392 description: Policy enables and configures the policy controller. 2393 Enabled by default, set to nil to disable. 2394 properties: 2395 reconcilerPeriod: 2396 description: 'ReconcilerPeriod is the period to perform 2397 reconciliation with the Calico datastore. [Default: 2398 5m]' 2399 type: string 2400 type: object 2401 serviceAccount: 2402 description: ServiceAccount enables and configures the service 2403 account controller. Enabled by default, set to nil to disable. 2404 properties: 2405 reconcilerPeriod: 2406 description: 'ReconcilerPeriod is the period to perform 2407 reconciliation with the Calico datastore. [Default: 2408 5m]' 2409 type: string 2410 type: object 2411 workloadEndpoint: 2412 description: WorkloadEndpoint enables and configures the workload 2413 endpoint controller. Enabled by default, set to nil to disable. 
2414 properties: 2415 reconcilerPeriod: 2416 description: 'ReconcilerPeriod is the period to perform 2417 reconciliation with the Calico datastore. [Default: 2418 5m]' 2419 type: string 2420 type: object 2421 type: object 2422 etcdV3CompactionPeriod: 2423 description: 'EtcdV3CompactionPeriod is the period between etcdv3 2424 compaction requests. Set to 0 to disable. [Default: 10m]' 2425 type: string 2426 healthChecks: 2427 description: 'HealthChecks enables or disables support for health 2428 checks [Default: Enabled]' 2429 type: string 2430 logSeverityScreen: 2431 description: 'LogSeverityScreen is the log severity above which 2432 logs are sent to the stdout. [Default: Info]' 2433 type: string 2434 prometheusMetricsPort: 2435 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 2436 metrics server should bind to. Set to 0 to disable. [Default: 2437 9094]' 2438 type: integer 2439 required: 2440 - controllers 2441 type: object 2442 type: object 2443 type: object 2444 served: true 2445 storage: true 2446 status: 2447 acceptedNames: 2448 kind: "" 2449 plural: "" 2450 conditions: [] 2451 storedVersions: [] 2452 2453 --- 2454 apiVersion: apiextensions.k8s.io/v1 2455 kind: CustomResourceDefinition 2456 metadata: 2457 name: networkpolicies.crd.projectcalico.org 2458 spec: 2459 group: crd.projectcalico.org 2460 names: 2461 kind: NetworkPolicy 2462 listKind: NetworkPolicyList 2463 plural: networkpolicies 2464 singular: networkpolicy 2465 scope: Namespaced 2466 versions: 2467 - name: v1 2468 schema: 2469 openAPIV3Schema: 2470 properties: 2471 apiVersion: 2472 description: 'APIVersion defines the versioned schema of this representation 2473 of an object. Servers should convert recognized schemas to the latest 2474 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2475 type: string 2476 kind: 2477 description: 'Kind is a string value representing the REST resource this 2478 object represents. Servers may infer this from the endpoint the client 2479 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2480 type: string 2481 metadata: 2482 type: object 2483 spec: 2484 properties: 2485 egress: 2486 description: The ordered set of egress rules. Each rule contains 2487 a set of packet match criteria and a corresponding action to apply. 2488 items: 2489 description: "A Rule encapsulates a set of match criteria and an 2490 action. Both selector-based security Policy and security Profiles 2491 reference rules - separated out as a list of rules for both ingress 2492 and egress packet matching. \n Each positive match criteria has 2493 a negated version, prefixed with \"Not\". All the match criteria 2494 within a rule must be satisfied for a packet to match. A single 2495 rule can contain the positive and negative version of a match 2496 and both must be satisfied for the rule to match." 2497 properties: 2498 action: 2499 type: string 2500 destination: 2501 description: Destination contains the match criteria that apply 2502 to destination entity. 2503 properties: 2504 namespaceSelector: 2505 description: "NamespaceSelector is an optional field that 2506 contains a selector expression. Only traffic that originates 2507 from (or terminates at) endpoints within the selected 2508 namespaces will be matched. When both NamespaceSelector 2509 and Selector are defined on the same rule, then only workload 2510 endpoints that are matched by both selectors will be selected 2511 by the rule. 
\n For NetworkPolicy, an empty NamespaceSelector 2512 implies that the Selector is limited to selecting only 2513 workload endpoints in the same namespace as the NetworkPolicy. 2514 \n For NetworkPolicy, `global()` NamespaceSelector implies 2515 that the Selector is limited to selecting only GlobalNetworkSet 2516 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 2517 NamespaceSelector implies the Selector applies to workload 2518 endpoints across all namespaces." 2519 type: string 2520 nets: 2521 description: Nets is an optional field that restricts the 2522 rule to only apply to traffic that originates from (or 2523 terminates at) IP addresses in any of the given subnets. 2524 items: 2525 type: string 2526 type: array 2527 notNets: 2528 description: NotNets is the negated version of the Nets 2529 field. 2530 items: 2531 type: string 2532 type: array 2533 notPorts: 2534 description: NotPorts is the negated version of the Ports 2535 field. Since only some protocols have ports, if any ports 2536 are specified it requires the Protocol match in the Rule 2537 to be set to "TCP" or "UDP". 2538 items: 2539 anyOf: 2540 - type: integer 2541 - type: string 2542 pattern: ^.* 2543 x-kubernetes-int-or-string: true 2544 type: array 2545 notSelector: 2546 description: NotSelector is the negated version of the Selector 2547 field. See Selector field for subtleties with negated 2548 selectors. 2549 type: string 2550 ports: 2551 description: "Ports is an optional field that restricts 2552 the rule to only apply to traffic that has a source (destination) 2553 port that matches one of these ranges/values. This value 2554 is a list of integers or strings that represent ranges 2555 of ports. \n Since only some protocols have ports, if 2556 any ports are specified it requires the Protocol match 2557 in the Rule to be set to \"TCP\" or \"UDP\"." 
2558 items: 2559 anyOf: 2560 - type: integer 2561 - type: string 2562 pattern: ^.* 2563 x-kubernetes-int-or-string: true 2564 type: array 2565 selector: 2566 description: "Selector is an optional field that contains 2567 a selector expression (see Policy for sample syntax). 2568 \ Only traffic that originates from (terminates at) endpoints 2569 matching the selector will be matched. \n Note that: in 2570 addition to the negated version of the Selector (see NotSelector 2571 below), the selector expression syntax itself supports 2572 negation. The two types of negation are subtly different. 2573 One negates the set of matched endpoints, the other negates 2574 the whole match: \n \tSelector = \"!has(my_label)\" matches 2575 packets that are from other Calico-controlled \tendpoints 2576 that do not have the label \"my_label\". \n \tNotSelector 2577 = \"has(my_label)\" matches packets that are not from 2578 Calico-controlled \tendpoints that do have the label \"my_label\". 2579 \n The effect is that the latter will accept packets from 2580 non-Calico sources whereas the former is limited to packets 2581 from Calico-controlled endpoints." 2582 type: string 2583 serviceAccounts: 2584 description: ServiceAccounts is an optional field that restricts 2585 the rule to only apply to traffic that originates from 2586 (or terminates at) a pod running as a matching service 2587 account. 2588 properties: 2589 names: 2590 description: Names is an optional field that restricts 2591 the rule to only apply to traffic that originates 2592 from (or terminates at) a pod running as a service 2593 account whose name is in the list. 2594 items: 2595 type: string 2596 type: array 2597 selector: 2598 description: Selector is an optional field that restricts 2599 the rule to only apply to traffic that originates 2600 from (or terminates at) a pod running as a service 2601 account that matches the given label selector. If 2602 both Names and Selector are specified then they are 2603 AND'ed. 
2604 type: string 2605 type: object 2606 type: object 2607 http: 2608 description: HTTP contains match criteria that apply to HTTP 2609 requests. 2610 properties: 2611 methods: 2612 description: Methods is an optional field that restricts 2613 the rule to apply only to HTTP requests that use one of 2614 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2615 methods are OR'd together. 2616 items: 2617 type: string 2618 type: array 2619 paths: 2620 description: 'Paths is an optional field that restricts 2621 the rule to apply to HTTP requests that use one of the 2622 listed HTTP Paths. Multiple paths are OR''d together. 2623 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2624 ONLY specify either a `exact` or a `prefix` match. The 2625 validator will check for it.' 2626 items: 2627 description: 'HTTPPath specifies an HTTP path to match. 2628 It may be either of the form: exact: <path>: which matches 2629 the path exactly or prefix: <path-prefix>: which matches 2630 the path prefix' 2631 properties: 2632 exact: 2633 type: string 2634 prefix: 2635 type: string 2636 type: object 2637 type: array 2638 type: object 2639 icmp: 2640 description: ICMP is an optional field that restricts the rule 2641 to apply to a specific type and code of ICMP traffic. This 2642 should only be specified if the Protocol field is set to "ICMP" 2643 or "ICMPv6". 2644 properties: 2645 code: 2646 description: Match on a specific ICMP code. If specified, 2647 the Type value must also be specified. This is a technical 2648 limitation imposed by the kernel's iptables firewall, 2649 which Calico uses to enforce the rule. 2650 type: integer 2651 type: 2652 description: Match on a specific ICMP type. For example 2653 a value of 8 refers to ICMP Echo Request (i.e. pings). 2654 type: integer 2655 type: object 2656 ipVersion: 2657 description: IPVersion is an optional field that restricts the 2658 rule to only match a specific IP version. 
2659 type: integer 2660 metadata: 2661 description: Metadata contains additional information for this 2662 rule 2663 properties: 2664 annotations: 2665 additionalProperties: 2666 type: string 2667 description: Annotations is a set of key value pairs that 2668 give extra information about the rule 2669 type: object 2670 type: object 2671 notICMP: 2672 description: NotICMP is the negated version of the ICMP field. 2673 properties: 2674 code: 2675 description: Match on a specific ICMP code. If specified, 2676 the Type value must also be specified. This is a technical 2677 limitation imposed by the kernel's iptables firewall, 2678 which Calico uses to enforce the rule. 2679 type: integer 2680 type: 2681 description: Match on a specific ICMP type. For example 2682 a value of 8 refers to ICMP Echo Request (i.e. pings). 2683 type: integer 2684 type: object 2685 notProtocol: 2686 anyOf: 2687 - type: integer 2688 - type: string 2689 description: NotProtocol is the negated version of the Protocol 2690 field. 2691 pattern: ^.* 2692 x-kubernetes-int-or-string: true 2693 protocol: 2694 anyOf: 2695 - type: integer 2696 - type: string 2697 description: "Protocol is an optional field that restricts the 2698 rule to only apply to traffic of a specific IP protocol. Required 2699 if any of the EntityRules contain Ports (because ports only 2700 apply to certain protocols). \n Must be one of these string 2701 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2702 \"UDPLite\" or an integer in the range 1-255." 2703 pattern: ^.* 2704 x-kubernetes-int-or-string: true 2705 source: 2706 description: Source contains the match criteria that apply to 2707 source entity. 2708 properties: 2709 namespaceSelector: 2710 description: "NamespaceSelector is an optional field that 2711 contains a selector expression. Only traffic that originates 2712 from (or terminates at) endpoints within the selected 2713 namespaces will be matched. 
When both NamespaceSelector 2714 and Selector are defined on the same rule, then only workload 2715 endpoints that are matched by both selectors will be selected 2716 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 2717 implies that the Selector is limited to selecting only 2718 workload endpoints in the same namespace as the NetworkPolicy. 2719 \n For NetworkPolicy, `global()` NamespaceSelector implies 2720 that the Selector is limited to selecting only GlobalNetworkSet 2721 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 2722 NamespaceSelector implies the Selector applies to workload 2723 endpoints across all namespaces." 2724 type: string 2725 nets: 2726 description: Nets is an optional field that restricts the 2727 rule to only apply to traffic that originates from (or 2728 terminates at) IP addresses in any of the given subnets. 2729 items: 2730 type: string 2731 type: array 2732 notNets: 2733 description: NotNets is the negated version of the Nets 2734 field. 2735 items: 2736 type: string 2737 type: array 2738 notPorts: 2739 description: NotPorts is the negated version of the Ports 2740 field. Since only some protocols have ports, if any ports 2741 are specified it requires the Protocol match in the Rule 2742 to be set to "TCP" or "UDP". 2743 items: 2744 anyOf: 2745 - type: integer 2746 - type: string 2747 pattern: ^.* 2748 x-kubernetes-int-or-string: true 2749 type: array 2750 notSelector: 2751 description: NotSelector is the negated version of the Selector 2752 field. See Selector field for subtleties with negated 2753 selectors. 2754 type: string 2755 ports: 2756 description: "Ports is an optional field that restricts 2757 the rule to only apply to traffic that has a source (destination) 2758 port that matches one of these ranges/values. This value 2759 is a list of integers or strings that represent ranges 2760 of ports. 
\n Since only some protocols have ports, if 2761 any ports are specified it requires the Protocol match 2762 in the Rule to be set to \"TCP\" or \"UDP\"." 2763 items: 2764 anyOf: 2765 - type: integer 2766 - type: string 2767 pattern: ^.* 2768 x-kubernetes-int-or-string: true 2769 type: array 2770 selector: 2771 description: "Selector is an optional field that contains 2772 a selector expression (see Policy for sample syntax). 2773 \ Only traffic that originates from (terminates at) endpoints 2774 matching the selector will be matched. \n Note that: in 2775 addition to the negated version of the Selector (see NotSelector 2776 below), the selector expression syntax itself supports 2777 negation. The two types of negation are subtly different. 2778 One negates the set of matched endpoints, the other negates 2779 the whole match: \n \tSelector = \"!has(my_label)\" matches 2780 packets that are from other Calico-controlled \tendpoints 2781 that do not have the label \"my_label\". \n \tNotSelector 2782 = \"has(my_label)\" matches packets that are not from 2783 Calico-controlled \tendpoints that do have the label \"my_label\". 2784 \n The effect is that the latter will accept packets from 2785 non-Calico sources whereas the former is limited to packets 2786 from Calico-controlled endpoints." 2787 type: string 2788 serviceAccounts: 2789 description: ServiceAccounts is an optional field that restricts 2790 the rule to only apply to traffic that originates from 2791 (or terminates at) a pod running as a matching service 2792 account. 2793 properties: 2794 names: 2795 description: Names is an optional field that restricts 2796 the rule to only apply to traffic that originates 2797 from (or terminates at) a pod running as a service 2798 account whose name is in the list. 
2799 items: 2800 type: string 2801 type: array 2802 selector: 2803 description: Selector is an optional field that restricts 2804 the rule to only apply to traffic that originates 2805 from (or terminates at) a pod running as a service 2806 account that matches the given label selector. If 2807 both Names and Selector are specified then they are 2808 AND'ed. 2809 type: string 2810 type: object 2811 type: object 2812 required: 2813 - action 2814 type: object 2815 type: array 2816 ingress: 2817 description: The ordered set of ingress rules. Each rule contains 2818 a set of packet match criteria and a corresponding action to apply. 2819 items: 2820 description: "A Rule encapsulates a set of match criteria and an 2821 action. Both selector-based security Policy and security Profiles 2822 reference rules - separated out as a list of rules for both ingress 2823 and egress packet matching. \n Each positive match criteria has 2824 a negated version, prefixed with \"Not\". All the match criteria 2825 within a rule must be satisfied for a packet to match. A single 2826 rule can contain the positive and negative version of a match 2827 and both must be satisfied for the rule to match." 2828 properties: 2829 action: 2830 type: string 2831 destination: 2832 description: Destination contains the match criteria that apply 2833 to destination entity. 2834 properties: 2835 namespaceSelector: 2836 description: "NamespaceSelector is an optional field that 2837 contains a selector expression. Only traffic that originates 2838 from (or terminates at) endpoints within the selected 2839 namespaces will be matched. When both NamespaceSelector 2840 and Selector are defined on the same rule, then only workload 2841 endpoints that are matched by both selectors will be selected 2842 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 2843 implies that the Selector is limited to selecting only 2844 workload endpoints in the same namespace as the NetworkPolicy. 
2845 \n For NetworkPolicy, `global()` NamespaceSelector implies 2846 that the Selector is limited to selecting only GlobalNetworkSet 2847 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 2848 NamespaceSelector implies the Selector applies to workload 2849 endpoints across all namespaces." 2850 type: string 2851 nets: 2852 description: Nets is an optional field that restricts the 2853 rule to only apply to traffic that originates from (or 2854 terminates at) IP addresses in any of the given subnets. 2855 items: 2856 type: string 2857 type: array 2858 notNets: 2859 description: NotNets is the negated version of the Nets 2860 field. 2861 items: 2862 type: string 2863 type: array 2864 notPorts: 2865 description: NotPorts is the negated version of the Ports 2866 field. Since only some protocols have ports, if any ports 2867 are specified it requires the Protocol match in the Rule 2868 to be set to "TCP" or "UDP". 2869 items: 2870 anyOf: 2871 - type: integer 2872 - type: string 2873 pattern: ^.* 2874 x-kubernetes-int-or-string: true 2875 type: array 2876 notSelector: 2877 description: NotSelector is the negated version of the Selector 2878 field. See Selector field for subtleties with negated 2879 selectors. 2880 type: string 2881 ports: 2882 description: "Ports is an optional field that restricts 2883 the rule to only apply to traffic that has a source (destination) 2884 port that matches one of these ranges/values. This value 2885 is a list of integers or strings that represent ranges 2886 of ports. \n Since only some protocols have ports, if 2887 any ports are specified it requires the Protocol match 2888 in the Rule to be set to \"TCP\" or \"UDP\"." 2889 items: 2890 anyOf: 2891 - type: integer 2892 - type: string 2893 pattern: ^.* 2894 x-kubernetes-int-or-string: true 2895 type: array 2896 selector: 2897 description: "Selector is an optional field that contains 2898 a selector expression (see Policy for sample syntax). 
2899 \ Only traffic that originates from (terminates at) endpoints 2900 matching the selector will be matched. \n Note that: in 2901 addition to the negated version of the Selector (see NotSelector 2902 below), the selector expression syntax itself supports 2903 negation. The two types of negation are subtly different. 2904 One negates the set of matched endpoints, the other negates 2905 the whole match: \n \tSelector = \"!has(my_label)\" matches 2906 packets that are from other Calico-controlled \tendpoints 2907 that do not have the label \"my_label\". \n \tNotSelector 2908 = \"has(my_label)\" matches packets that are not from 2909 Calico-controlled \tendpoints that do have the label \"my_label\". 2910 \n The effect is that the latter will accept packets from 2911 non-Calico sources whereas the former is limited to packets 2912 from Calico-controlled endpoints." 2913 type: string 2914 serviceAccounts: 2915 description: ServiceAccounts is an optional field that restricts 2916 the rule to only apply to traffic that originates from 2917 (or terminates at) a pod running as a matching service 2918 account. 2919 properties: 2920 names: 2921 description: Names is an optional field that restricts 2922 the rule to only apply to traffic that originates 2923 from (or terminates at) a pod running as a service 2924 account whose name is in the list. 2925 items: 2926 type: string 2927 type: array 2928 selector: 2929 description: Selector is an optional field that restricts 2930 the rule to only apply to traffic that originates 2931 from (or terminates at) a pod running as a service 2932 account that matches the given label selector. If 2933 both Names and Selector are specified then they are 2934 AND'ed. 2935 type: string 2936 type: object 2937 type: object 2938 http: 2939 description: HTTP contains match criteria that apply to HTTP 2940 requests. 
2941 properties: 2942 methods: 2943 description: Methods is an optional field that restricts 2944 the rule to apply only to HTTP requests that use one of 2945 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2946 methods are OR'd together. 2947 items: 2948 type: string 2949 type: array 2950 paths: 2951 description: 'Paths is an optional field that restricts 2952 the rule to apply to HTTP requests that use one of the 2953 listed HTTP Paths. Multiple paths are OR''d together. 2954 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2955 ONLY specify either a `exact` or a `prefix` match. The 2956 validator will check for it.' 2957 items: 2958 description: 'HTTPPath specifies an HTTP path to match. 2959 It may be either of the form: exact: <path>: which matches 2960 the path exactly or prefix: <path-prefix>: which matches 2961 the path prefix' 2962 properties: 2963 exact: 2964 type: string 2965 prefix: 2966 type: string 2967 type: object 2968 type: array 2969 type: object 2970 icmp: 2971 description: ICMP is an optional field that restricts the rule 2972 to apply to a specific type and code of ICMP traffic. This 2973 should only be specified if the Protocol field is set to "ICMP" 2974 or "ICMPv6". 2975 properties: 2976 code: 2977 description: Match on a specific ICMP code. If specified, 2978 the Type value must also be specified. This is a technical 2979 limitation imposed by the kernel's iptables firewall, 2980 which Calico uses to enforce the rule. 2981 type: integer 2982 type: 2983 description: Match on a specific ICMP type. For example 2984 a value of 8 refers to ICMP Echo Request (i.e. pings). 2985 type: integer 2986 type: object 2987 ipVersion: 2988 description: IPVersion is an optional field that restricts the 2989 rule to only match a specific IP version. 
2990 type: integer 2991 metadata: 2992 description: Metadata contains additional information for this 2993 rule 2994 properties: 2995 annotations: 2996 additionalProperties: 2997 type: string 2998 description: Annotations is a set of key value pairs that 2999 give extra information about the rule 3000 type: object 3001 type: object 3002 notICMP: 3003 description: NotICMP is the negated version of the ICMP field. 3004 properties: 3005 code: 3006 description: Match on a specific ICMP code. If specified, 3007 the Type value must also be specified. This is a technical 3008 limitation imposed by the kernel's iptables firewall, 3009 which Calico uses to enforce the rule. 3010 type: integer 3011 type: 3012 description: Match on a specific ICMP type. For example 3013 a value of 8 refers to ICMP Echo Request (i.e. pings). 3014 type: integer 3015 type: object 3016 notProtocol: 3017 anyOf: 3018 - type: integer 3019 - type: string 3020 description: NotProtocol is the negated version of the Protocol 3021 field. 3022 pattern: ^.* 3023 x-kubernetes-int-or-string: true 3024 protocol: 3025 anyOf: 3026 - type: integer 3027 - type: string 3028 description: "Protocol is an optional field that restricts the 3029 rule to only apply to traffic of a specific IP protocol. Required 3030 if any of the EntityRules contain Ports (because ports only 3031 apply to certain protocols). \n Must be one of these string 3032 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3033 \"UDPLite\" or an integer in the range 1-255." 3034 pattern: ^.* 3035 x-kubernetes-int-or-string: true 3036 source: 3037 description: Source contains the match criteria that apply to 3038 source entity. 3039 properties: 3040 namespaceSelector: 3041 description: "NamespaceSelector is an optional field that 3042 contains a selector expression. Only traffic that originates 3043 from (or terminates at) endpoints within the selected 3044 namespaces will be matched. 
When both NamespaceSelector 3045 and Selector are defined on the same rule, then only workload 3046 endpoints that are matched by both selectors will be selected 3047 by the rule. \n For NetworkPolicy, an empty NamespaceSelector 3048 implies that the Selector is limited to selecting only 3049 workload endpoints in the same namespace as the NetworkPolicy. 3050 \n For NetworkPolicy, `global()` NamespaceSelector implies 3051 that the Selector is limited to selecting only GlobalNetworkSet 3052 or HostEndpoint. \n For GlobalNetworkPolicy, an empty 3053 NamespaceSelector implies the Selector applies to workload 3054 endpoints across all namespaces." 3055 type: string 3056 nets: 3057 description: Nets is an optional field that restricts the 3058 rule to only apply to traffic that originates from (or 3059 terminates at) IP addresses in any of the given subnets. 3060 items: 3061 type: string 3062 type: array 3063 notNets: 3064 description: NotNets is the negated version of the Nets 3065 field. 3066 items: 3067 type: string 3068 type: array 3069 notPorts: 3070 description: NotPorts is the negated version of the Ports 3071 field. Since only some protocols have ports, if any ports 3072 are specified it requires the Protocol match in the Rule 3073 to be set to "TCP" or "UDP". 3074 items: 3075 anyOf: 3076 - type: integer 3077 - type: string 3078 pattern: ^.* 3079 x-kubernetes-int-or-string: true 3080 type: array 3081 notSelector: 3082 description: NotSelector is the negated version of the Selector 3083 field. See Selector field for subtleties with negated 3084 selectors. 3085 type: string 3086 ports: 3087 description: "Ports is an optional field that restricts 3088 the rule to only apply to traffic that has a source (destination) 3089 port that matches one of these ranges/values. This value 3090 is a list of integers or strings that represent ranges 3091 of ports. 
\n Since only some protocols have ports, if 3092 any ports are specified it requires the Protocol match 3093 in the Rule to be set to \"TCP\" or \"UDP\"." 3094 items: 3095 anyOf: 3096 - type: integer 3097 - type: string 3098 pattern: ^.* 3099 x-kubernetes-int-or-string: true 3100 type: array 3101 selector: 3102 description: "Selector is an optional field that contains 3103 a selector expression (see Policy for sample syntax). 3104 \ Only traffic that originates from (terminates at) endpoints 3105 matching the selector will be matched. \n Note that: in 3106 addition to the negated version of the Selector (see NotSelector 3107 below), the selector expression syntax itself supports 3108 negation. The two types of negation are subtly different. 3109 One negates the set of matched endpoints, the other negates 3110 the whole match: \n \tSelector = \"!has(my_label)\" matches 3111 packets that are from other Calico-controlled \tendpoints 3112 that do not have the label \"my_label\". \n \tNotSelector 3113 = \"has(my_label)\" matches packets that are not from 3114 Calico-controlled \tendpoints that do have the label \"my_label\". 3115 \n The effect is that the latter will accept packets from 3116 non-Calico sources whereas the former is limited to packets 3117 from Calico-controlled endpoints." 3118 type: string 3119 serviceAccounts: 3120 description: ServiceAccounts is an optional field that restricts 3121 the rule to only apply to traffic that originates from 3122 (or terminates at) a pod running as a matching service 3123 account. 3124 properties: 3125 names: 3126 description: Names is an optional field that restricts 3127 the rule to only apply to traffic that originates 3128 from (or terminates at) a pod running as a service 3129 account whose name is in the list. 
3130 items: 3131 type: string 3132 type: array 3133 selector: 3134 description: Selector is an optional field that restricts 3135 the rule to only apply to traffic that originates 3136 from (or terminates at) a pod running as a service 3137 account that matches the given label selector. If 3138 both Names and Selector are specified then they are 3139 AND'ed. 3140 type: string 3141 type: object 3142 type: object 3143 required: 3144 - action 3145 type: object 3146 type: array 3147 order: 3148 description: Order is an optional field that specifies the order in 3149 which the policy is applied. Policies with higher "order" are applied 3150 after those with lower order. If the order is omitted, it may be 3151 considered to be "infinite" - i.e. the policy will be applied last. Policies 3152 with identical order will be applied in alphanumerical order based 3153 on the Policy "Name". 3154 type: number 3155 selector: 3156 description: "The selector is an expression used to pick pick out 3157 the endpoints that the policy should be applied to. \n Selector 3158 expressions follow this syntax: \n \tlabel == \"string_literal\" 3159 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 3160 \ -> not equal; also matches if label is not present \tlabel in 3161 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 3162 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 3163 ... } -> true if the value of label X is not one of \"a\", \"b\", 3164 \"c\" \thas(label_name) -> True if that label is present \t! expr 3165 -> negation of expr \texpr && expr -> Short-circuit and \texpr 3166 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 3167 or the empty selector -> matches all endpoints. \n Label names are 3168 allowed to contain alphanumerics, -, _ and /. String literals are 3169 more permissive but they do not support escape characters. 
\n Examples 3170 (with made-up labels): \n \ttype == \"webserver\" && deployment 3171 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 3172 \"dev\" \t! has(label_name)" 3173 type: string 3174 serviceAccountSelector: 3175 description: ServiceAccountSelector is an optional field for an expression 3176 used to select a pod based on service accounts. 3177 type: string 3178 types: 3179 description: "Types indicates whether this policy applies to ingress, 3180 or to egress, or to both. When not explicitly specified (and so 3181 the value on creation is empty or nil), Calico defaults Types according 3182 to what Ingress and Egress are present in the policy. The default 3183 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 3184 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 3185 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 3186 PolicyTypeEgress ], if there are both Ingress and Egress rules. 3187 \n When the policy is read back again, Types will always be one 3188 of these values, never empty or nil." 3189 items: 3190 description: PolicyType enumerates the possible values of the PolicySpec 3191 Types field. 3192 type: string 3193 type: array 3194 type: object 3195 type: object 3196 served: true 3197 storage: true 3198 status: 3199 acceptedNames: 3200 kind: "" 3201 plural: "" 3202 conditions: [] 3203 storedVersions: [] 3204 3205 --- 3206 apiVersion: apiextensions.k8s.io/v1 3207 kind: CustomResourceDefinition 3208 metadata: 3209 name: networksets.crd.projectcalico.org 3210 spec: 3211 group: crd.projectcalico.org 3212 names: 3213 kind: NetworkSet 3214 listKind: NetworkSetList 3215 plural: networksets 3216 singular: networkset 3217 scope: Namespaced 3218 versions: 3219 - name: v1 3220 schema: 3221 openAPIV3Schema: 3222 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: NetworkSetSpec contains the specification for a NetworkSet
              resource.
            properties:
              nets:
                # The schema only requires plain strings here: no pattern or format
                # constraint, so the API server does not check CIDR syntax.
                # NOTE(review): presumably Calico validates the entries on admission —
                # confirm before relying on it.
                description: The list of IP networks that belong to this set.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml

# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
# NOTE(review): this is a ClusterRole bound with a ClusterRoleBinding (below),
# and none of the rules use resourceNames, so each rule applies to every object
# of the listed kinds in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are queried to check for existence.
  # Read-only (get) on Pods, cluster-wide.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
  # IPAM resources are manipulated when nodes are deleted.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
  # Full read/write (including delete) on the IPAM bookkeeping CRDs.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - watch
  # kube-controllers manages hostendpoints.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - hostendpoints
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - create
      - update
  # KubeControllersConfiguration is where it gets its config
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - kubecontrollersconfigurations
    verbs:
      # read its own config
      - get
      # create a default if none exists
      - create
      # update status
      - update
      # watch for changes
      - watch
---
# Cluster-scoped binding: the calico-kube-controllers ServiceAccount in
# kube-system receives every rule of the ClusterRole above, across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---

---
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
# NOTE(review): as with calico-kube-controllers, this ClusterRole is bound
# cluster-wide (ClusterRoleBinding below) and uses no resourceNames, so every
# rule applies to all objects of the listed kinds in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # Pod CIDR auto-detection on kubeadm needs access to config maps.
  # Read (get) of ConfigMaps in every namespace; no resourceNames restriction.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  # Write access (patch/update) to the status of every Node in the cluster.
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  # Write access (patch) to the status of every Pod in the cluster.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
      - blockaffinities
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  # NOTE(review): dead weight on a fresh install; presumably removable in this
  # manifest — confirm no v2.6 upgrade path is exercised before dropping it.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # Block affinities must also be watchable by confd for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # The Calico IPAM migration needs to get daemonsets. These permissions can be
  # removed if not upgrading from an installation using host-local IPAM.
  # NOTE(review): same as the v2.6 rule above — likely removable on a fresh
  # install; confirm before dropping.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get

---
# Cluster-scoped binding: the calico-node ServiceAccount in kube-system
# receives every rule of the calico-node ClusterRole above, across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system

---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
3505 kind: DaemonSet 3506 apiVersion: apps/v1 3507 metadata: 3508 name: calico-node 3509 namespace: kube-system 3510 labels: 3511 k8s-app: calico-node 3512 spec: 3513 selector: 3514 matchLabels: 3515 k8s-app: calico-node 3516 updateStrategy: 3517 type: RollingUpdate 3518 rollingUpdate: 3519 maxUnavailable: 1 3520 template: 3521 metadata: 3522 labels: 3523 k8s-app: calico-node 3524 spec: 3525 nodeSelector: 3526 kubernetes.io/os: linux 3527 hostNetwork: true 3528 tolerations: 3529 # Make sure calico-node gets scheduled on all nodes. 3530 - effect: NoSchedule 3531 operator: Exists 3532 # Mark the pod as a critical add-on for rescheduling. 3533 - key: CriticalAddonsOnly 3534 operator: Exists 3535 - effect: NoExecute 3536 operator: Exists 3537 serviceAccountName: calico-node 3538 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force 3539 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 3540 terminationGracePeriodSeconds: 0 3541 priorityClassName: system-node-critical 3542 initContainers: 3543 # This container performs upgrade from host-local IPAM to calico-ipam. 3544 # It can be deleted if this is a fresh installation, or if you have already 3545 # upgraded to use calico-ipam. 3546 - name: upgrade-ipam 3547 image: docker.io/calico/cni:v3.19.1 3548 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] 3549 envFrom: 3550 - configMapRef: 3551 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
3552 name: kubernetes-services-endpoint 3553 optional: true 3554 env: 3555 - name: KUBERNETES_NODE_NAME 3556 valueFrom: 3557 fieldRef: 3558 fieldPath: spec.nodeName 3559 - name: CALICO_NETWORKING_BACKEND 3560 valueFrom: 3561 configMapKeyRef: 3562 name: calico-config 3563 key: calico_backend 3564 volumeMounts: 3565 - mountPath: /var/lib/cni/networks 3566 name: host-local-net-dir 3567 - mountPath: /host/opt/cni/bin 3568 name: cni-bin-dir 3569 securityContext: 3570 privileged: true 3571 # This container installs the CNI binaries 3572 # and CNI network config file on each node. 3573 - name: install-cni 3574 image: docker.io/calico/cni:v3.19.1 3575 command: ["/opt/cni/bin/install"] 3576 envFrom: 3577 - configMapRef: 3578 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 3579 name: kubernetes-services-endpoint 3580 optional: true 3581 env: 3582 # Name of the CNI config file to create. 3583 - name: CNI_CONF_NAME 3584 value: "10-calico.conflist" 3585 # The CNI network config to install on each node. 3586 - name: CNI_NETWORK_CONFIG 3587 valueFrom: 3588 configMapKeyRef: 3589 name: calico-config 3590 key: cni_network_config 3591 # Set the hostname based on the k8s node name. 3592 - name: KUBERNETES_NODE_NAME 3593 valueFrom: 3594 fieldRef: 3595 fieldPath: spec.nodeName 3596 # CNI MTU Config variable 3597 - name: CNI_MTU 3598 valueFrom: 3599 configMapKeyRef: 3600 name: calico-config 3601 key: veth_mtu 3602 # Prevents the container from sleeping forever. 3603 - name: SLEEP 3604 value: "false" 3605 volumeMounts: 3606 - mountPath: /host/opt/cni/bin 3607 name: cni-bin-dir 3608 - mountPath: /host/etc/cni/net.d 3609 name: cni-net-dir 3610 securityContext: 3611 privileged: true 3612 # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes 3613 # to communicate with Felix over the Policy Sync API. 
3614 - name: flexvol-driver 3615 image: docker.io/calico/pod2daemon-flexvol:v3.19.1 3616 volumeMounts: 3617 - name: flexvol-driver-host 3618 mountPath: /host/driver 3619 securityContext: 3620 privileged: true 3621 containers: 3622 # Runs calico-node container on each Kubernetes node. This 3623 # container programs network policy and routes on each 3624 # host. 3625 - name: calico-node 3626 image: docker.io/calico/node:v3.19.1 3627 envFrom: 3628 - configMapRef: 3629 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 3630 name: kubernetes-services-endpoint 3631 optional: true 3632 env: 3633 # Use Kubernetes API as the backing datastore. 3634 - name: DATASTORE_TYPE 3635 value: "kubernetes" 3636 # Wait for the datastore. 3637 - name: WAIT_FOR_DATASTORE 3638 value: "true" 3639 # Set based on the k8s node name. 3640 - name: NODENAME 3641 valueFrom: 3642 fieldRef: 3643 fieldPath: spec.nodeName 3644 # Choose the backend to use. 3645 - name: CALICO_NETWORKING_BACKEND 3646 valueFrom: 3647 configMapKeyRef: 3648 name: calico-config 3649 key: calico_backend 3650 # Cluster type to identify the deployment type 3651 - name: CLUSTER_TYPE 3652 value: "k8s,bgp" 3653 # Auto-detect the BGP IP address. 3654 - name: IP 3655 value: "autodetect" 3656 # Enable IPIP 3657 - name: CALICO_IPV4POOL_IPIP 3658 value: "Always" 3659 # Enable or Disable VXLAN on the default IP pool. 3660 - name: CALICO_IPV4POOL_VXLAN 3661 value: "Never" 3662 # Set MTU for tunnel device used if ipip is enabled 3663 - name: FELIX_IPINIPMTU 3664 valueFrom: 3665 configMapKeyRef: 3666 name: calico-config 3667 key: veth_mtu 3668 # Set MTU for the VXLAN tunnel device. 3669 - name: FELIX_VXLANMTU 3670 valueFrom: 3671 configMapKeyRef: 3672 name: calico-config 3673 key: veth_mtu 3674 # Set MTU for the Wireguard tunnel device. 
3675 - name: FELIX_WIREGUARDMTU 3676 valueFrom: 3677 configMapKeyRef: 3678 name: calico-config 3679 key: veth_mtu 3680 # The default IPv4 pool to create on startup if none exists. Pod IPs will be 3681 # chosen from this range. Changing this value after installation will have 3682 # no effect. This should fall within `--cluster-cidr`. 3683 # - name: CALICO_IPV4POOL_CIDR 3684 # value: "192.168.0.0/16" 3685 # Disable file logging so `kubectl logs` works. 3686 - name: CALICO_DISABLE_FILE_LOGGING 3687 value: "true" 3688 # Set Felix endpoint to host default action to ACCEPT. 3689 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 3690 value: "ACCEPT" 3691 # Disable IPv6 on Kubernetes. 3692 - name: FELIX_IPV6SUPPORT 3693 value: "false" 3694 - name: FELIX_HEALTHENABLED 3695 value: "true" 3696 securityContext: 3697 privileged: true 3698 resources: 3699 requests: 3700 cpu: 250m 3701 livenessProbe: 3702 exec: 3703 command: 3704 - /bin/calico-node 3705 - -felix-live 3706 - -bird-live 3707 periodSeconds: 10 3708 initialDelaySeconds: 10 3709 failureThreshold: 6 3710 readinessProbe: 3711 exec: 3712 command: 3713 - /bin/calico-node 3714 - -felix-ready 3715 - -bird-ready 3716 periodSeconds: 10 3717 volumeMounts: 3718 - mountPath: /lib/modules 3719 name: lib-modules 3720 readOnly: true 3721 - mountPath: /run/xtables.lock 3722 name: xtables-lock 3723 readOnly: false 3724 - mountPath: /var/run/calico 3725 name: var-run-calico 3726 readOnly: false 3727 - mountPath: /var/lib/calico 3728 name: var-lib-calico 3729 readOnly: false 3730 - name: policysync 3731 mountPath: /var/run/nodeagent 3732 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the 3733 # parent directory. 3734 - name: sysfs 3735 mountPath: /sys/fs/ 3736 # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. 3737 # If the host is known to mount that filesystem already then Bidirectional can be omitted. 
3738 mountPropagation: Bidirectional 3739 - name: cni-log-dir 3740 mountPath: /var/log/calico/cni 3741 readOnly: true 3742 volumes: 3743 # Used by calico-node. 3744 - name: lib-modules 3745 hostPath: 3746 path: /lib/modules 3747 - name: var-run-calico 3748 hostPath: 3749 path: /var/run/calico 3750 - name: var-lib-calico 3751 hostPath: 3752 path: /var/lib/calico 3753 - name: xtables-lock 3754 hostPath: 3755 path: /run/xtables.lock 3756 type: FileOrCreate 3757 - name: sysfs 3758 hostPath: 3759 path: /sys/fs/ 3760 type: DirectoryOrCreate 3761 # Used to install CNI. 3762 - name: cni-bin-dir 3763 hostPath: 3764 path: /opt/cni/bin 3765 - name: cni-net-dir 3766 hostPath: 3767 path: /etc/cni/net.d 3768 # Used to access CNI logs. 3769 - name: cni-log-dir 3770 hostPath: 3771 path: /var/log/calico/cni 3772 # Mount in the directory for host-local IPAM allocations. This is 3773 # used when upgrading from host-local to calico-ipam, and can be removed 3774 # if not using the upgrade-ipam init container. 3775 - name: host-local-net-dir 3776 hostPath: 3777 path: /var/lib/cni/networks 3778 # Used to create per-pod Unix Domain Sockets 3779 - name: policysync 3780 hostPath: 3781 type: DirectoryOrCreate 3782 path: /var/run/nodeagent 3783 # Used to install Flex Volume Driver 3784 - name: flexvol-driver-host 3785 hostPath: 3786 type: DirectoryOrCreate 3787 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds 3788 --- 3789 3790 apiVersion: v1 3791 kind: ServiceAccount 3792 metadata: 3793 name: calico-node 3794 namespace: kube-system 3795 3796 --- 3797 # Source: calico/templates/calico-kube-controllers.yaml 3798 # See https://github.com/projectcalico/kube-controllers 3799 apiVersion: apps/v1 3800 kind: Deployment 3801 metadata: 3802 name: calico-kube-controllers 3803 namespace: kube-system 3804 labels: 3805 k8s-app: calico-kube-controllers 3806 spec: 3807 # The controllers can only have a single active instance. 
3808 replicas: 1 3809 selector: 3810 matchLabels: 3811 k8s-app: calico-kube-controllers 3812 strategy: 3813 type: Recreate 3814 template: 3815 metadata: 3816 name: calico-kube-controllers 3817 namespace: kube-system 3818 labels: 3819 k8s-app: calico-kube-controllers 3820 spec: 3821 nodeSelector: 3822 kubernetes.io/os: linux 3823 tolerations: 3824 # Mark the pod as a critical add-on for rescheduling. 3825 - key: CriticalAddonsOnly 3826 operator: Exists 3827 - key: node-role.kubernetes.io/master 3828 effect: NoSchedule 3829 serviceAccountName: calico-kube-controllers 3830 priorityClassName: system-cluster-critical 3831 containers: 3832 - name: calico-kube-controllers 3833 image: docker.io/calico/kube-controllers:v3.19.1 3834 env: 3835 # Choose which controllers to run. 3836 - name: ENABLED_CONTROLLERS 3837 value: node 3838 - name: DATASTORE_TYPE 3839 value: kubernetes 3840 livenessProbe: 3841 exec: 3842 command: 3843 - /usr/bin/check-status 3844 - -l 3845 periodSeconds: 10 3846 initialDelaySeconds: 10 3847 failureThreshold: 6 3848 readinessProbe: 3849 exec: 3850 command: 3851 - /usr/bin/check-status 3852 - -r 3853 periodSeconds: 10 3854 3855 --- 3856 3857 apiVersion: v1 3858 kind: ServiceAccount 3859 metadata: 3860 name: calico-kube-controllers 3861 namespace: kube-system 3862 3863 --- 3864 3865 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict 3866 3867 apiVersion: policy/v1beta1 3868 kind: PodDisruptionBudget 3869 metadata: 3870 name: calico-kube-controllers 3871 namespace: kube-system 3872 labels: 3873 k8s-app: calico-kube-controllers 3874 spec: 3875 maxUnavailable: 1 3876 selector: 3877 matchLabels: 3878 k8s-app: calico-kube-controllers 3879 3880 --- 3881 # Source: calico/templates/calico-etcd-secrets.yaml 3882 3883 --- 3884 # Source: calico/templates/calico-typha.yaml 3885 3886 --- 3887 # Source: calico/templates/configure-canal.yaml 3888 3889