sigs.k8s.io/cluster-api-provider-azure@v1.14.3/templates/addons/calico-ipv6.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPConfiguration
    listKind: BGPConfigurationList
    plural: bgpconfigurations
    singular: bgpconfiguration
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: BGPConfiguration contains the configuration for any BGP routing.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPConfigurationSpec contains the values of the BGP configuration.
            properties:
              asNumber:
                description: 'ASNumber is the default AS number used by a node. [Default: 64512]'
                format: int32
                type: integer
              bindMode:
                description: BindMode indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen for BGP connections on all addresses.
                type: string
              communities:
                description: Communities is a list of BGP community values and their arbitrary names for tagging routes.
                items:
                  description: Community contains a standard or large community value and its name.
                  properties:
                    name:
                      description: Name given to the community value.
                      type: string
                    value:
                      description: Value must be of format `aa:nn` or `aa:nn:mm`. For a standard community use the `aa:nn` format, where `aa` and `nn` are 16-bit numbers. For a large community use the `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32-bit numbers. Here `aa` is an AS number and `nn` and `mm` are per-AS identifiers.
                      pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
                      type: string
                  type: object
                type: array
              ignoredInterfaces:
                description: IgnoredInterfaces indicates the network interfaces that need to be excluded when reading device routes.
                items:
                  type: string
                type: array
              listenPort:
                description: ListenPort is the port where the BGP protocol should listen. Defaults to 179.
                maximum: 65535
                minimum: 1
                type: integer
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs are sent to stdout. [Default: INFO]'
                type: string
              nodeMeshMaxRestartTime:
                description: Time to allow for software restart for node-to-mesh peerings. When specified, this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled.
                type: string
              nodeMeshPassword:
                description: Optional BGP password for full node-to-mesh peerings. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled.
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from. Must be a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      optional:
                        description: Specify whether the Secret or its key must be defined.
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              nodeToNodeMeshEnabled:
                description: 'NodeToNodeMeshEnabled sets whether the full node-to-node BGP mesh is enabled. [Default: true]'
                type: boolean
              prefixAdvertisements:
                description: PrefixAdvertisements contains per-prefix advertisement configuration.
                items:
                  description: PrefixAdvertisement configures advertisement properties for the specified CIDR.
                  properties:
                    cidr:
                      description: CIDR for which properties should be advertised.
                      type: string
                    communities:
                      description: Communities can be a list of either community names already defined in `Specs.Communities` or community values of format `aa:nn` or `aa:nn:mm`. For a standard community use the `aa:nn` format, where `aa` and `nn` are 16-bit numbers. For a large community use the `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32-bit numbers. Here `aa` is an AS number and `nn` and `mm` are per-AS identifiers.
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              serviceClusterIPs:
                description: ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. If specified, Calico will advertise these blocks, as well as any cluster IPs within them.
                items:
                  description: ServiceClusterIPBlock represents a single allowed ClusterIP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
              serviceExternalIPs:
                description: ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.
                items:
                  description: ServiceExternalIPBlock represents a single allowed External IP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
              serviceLoadBalancerIPs:
                description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.
                items:
                  description: ServiceLoadBalancerIPBlock represents a single allowed LoadBalancer IP CIDR block.
                  properties:
                    cidr:
                      type: string
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  name: bgpfilters.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPFilter
    listKind: BGPFilterList
    plural: bgpfilters
    singular: bgpfilter
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of the BGP Filter.
            properties:
              exportV4:
                description: The ordered set of IPv4 BGPFilter rules acting on exporting routes to a peer.
                items:
                  description: BGPFilterRuleV4 defines a BGP filter rule consisting of a single IPv4 CIDR block and a filter action for this CIDR.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    matchOperator:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              exportV6:
                description: The ordered set of IPv6 BGPFilter rules acting on exporting routes to a peer.
                items:
                  description: BGPFilterRuleV6 defines a BGP filter rule consisting of a single IPv6 CIDR block and a filter action for this CIDR.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    matchOperator:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              importV4:
                description: The ordered set of IPv4 BGPFilter rules acting on importing routes from a peer.
                items:
                  description: BGPFilterRuleV4 defines a BGP filter rule consisting of a single IPv4 CIDR block and a filter action for this CIDR.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    matchOperator:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              importV6:
                description: The ordered set of IPv6 BGPFilter rules acting on importing routes from a peer.
                items:
                  description: BGPFilterRuleV6 defines a BGP filter rule consisting of a single IPv6 CIDR block and a filter action for this CIDR.
                  properties:
                    action:
                      type: string
                    cidr:
                      type: string
                    matchOperator:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: bgppeers.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BGPPeer
    listKind: BGPPeerList
    plural: bgppeers
    singular: bgppeer
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BGPPeerSpec contains the specification for a BGPPeer resource.
            properties:
              asNumber:
                description: The AS Number of the peer.
                format: int32
                type: integer
              filters:
                description: The ordered set of BGPFilters applied on this BGP peer.
                items:
                  type: string
                type: array
              keepOriginalNextHop:
                description: Option to keep the original nexthop field when routes are sent to a BGP peer. Setting it to true configures the selected peer's node to use "next hop keep;" instead of the default "next hop self;" in the peer-specific section of that node's bird.cfg.
                type: boolean
              maxRestartTime:
                description: Time to allow for software restart. When specified, this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used.
                type: string
              node:
                description: The node name identifying the Calico node instance that is targeted by this peer. If this is not set, and no nodeSelector is specified, then this BGP peer selects all nodes in the cluster.
                type: string
              nodeSelector:
                description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty.
                type: string
              numAllowedLocalASNumbers:
                description: Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention and should only be used if absolutely necessary.
                format: int32
                type: integer
              password:
                description: Optional BGP password for the peerings generated by this BGPPeer resource.
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from. Must be a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      optional:
                        description: Specify whether the Secret or its key must be defined.
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              peerIP:
                description: The IP address of the peer followed by an optional port number to peer with. If a port number is given, the format should be `[<IPv6>]:port` for IPv6 or `<IPv4>:<port>` for IPv4. If the optional port number is not set, and this peer IP and ASNumber belong to a calico/node with ListenPort set in BGPConfiguration, then that port is used to peer.
                type: string
              peerSelector:
                description: Selector for the remote nodes to peer with. When this is set, the PeerIP and ASNumber fields must be empty. For each peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set.
                type: string
              reachableBy:
                description: Add an exact, i.e. /32, static route toward the peer IP in order to prevent route flapping. ReachableBy contains the address of the gateway through which the peer can be reached.
                type: string
              sourceAddress:
                description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. The default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address.
                type: string
              ttlSecurity:
                description: TTLSecurity enables the generalized TTL security mechanism (GTSM), which protects against spoofed packets by ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops (edges) between the peers.
                type: integer
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: blockaffinities.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: BlockAffinity
    listKind: BlockAffinityList
    plural: blockaffinities
    singular: blockaffinity
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: BlockAffinitySpec contains the specification for a BlockAffinity resource.
            properties:
              cidr:
                type: string
              deleted:
                description: Deleted indicates that this block affinity is being deleted. This field is a string for compatibility with older releases that mistakenly treat this field as a string.
                type: string
              node:
                type: string
              state:
                type: string
            required:
            - cidr
            - deleted
            - node
            - state
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  name: caliconodestatuses.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: CalicoNodeStatus
    listKind: CalicoNodeStatusList
    plural: caliconodestatuses
    singular: caliconodestatus
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus resource.
            properties:
              classes:
                description: Classes declares the types of information to monitor for this calico/node, and allows for selective status reporting about certain subsets of information.
                items:
                  type: string
                type: array
              node:
                description: The node name identifies the Calico node instance for node status.
                type: string
              updatePeriodSeconds:
                description: UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. Set to 0 to disable CalicoNodeStatus refresh. The maximum update period is one day.
                format: int32
                type: integer
            type: object
          status:
            description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. No validation is needed for status since it is updated by Calico.
            properties:
              agent:
                description: Agent holds agent status on the node.
                properties:
                  birdV4:
                    description: BIRDV4 represents the latest observed status of bird4.
                    properties:
                      lastBootTime:
                        description: LastBootTime holds the value of lastBootTime from bird.ctl output.
                        type: string
                      lastReconfigurationTime:
                        description: LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.
                        type: string
                      routerID:
                        description: Router ID used by bird.
                        type: string
                      state:
                        description: The state of the BGP daemon.
                        type: string
                      version:
                        description: Version of the BGP daemon.
                        type: string
                    type: object
                  birdV6:
                    description: BIRDV6 represents the latest observed status of bird6.
                    properties:
                      lastBootTime:
                        description: LastBootTime holds the value of lastBootTime from bird.ctl output.
                        type: string
                      lastReconfigurationTime:
                        description: LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.
                        type: string
                      routerID:
                        description: Router ID used by bird.
                        type: string
                      state:
                        description: The state of the BGP daemon.
                        type: string
                      version:
                        description: Version of the BGP daemon.
                        type: string
                    type: object
                type: object
              bgp:
                description: BGP holds node BGP status.
                properties:
                  numberEstablishedV4:
                    description: The total number of IPv4 established BGP sessions.
                    type: integer
                  numberEstablishedV6:
                    description: The total number of IPv6 established BGP sessions.
                    type: integer
                  numberNotEstablishedV4:
                    description: The total number of IPv4 non-established BGP sessions.
                    type: integer
                  numberNotEstablishedV6:
                    description: The total number of IPv6 non-established BGP sessions.
                    type: integer
                  peersV4:
                    description: PeersV4 represents IPv4 BGP peers status on the node.
                    items:
                      description: CalicoNodePeer contains the status of BGP peers on the node.
                      properties:
                        peerIP:
                          description: IP address of the peer whose condition we are reporting.
                          type: string
                        since:
                          description: Since the state or reason last changed.
                          type: string
                        state:
                          description: State is the BGP session state.
                          type: string
                        type:
                          description: Type indicates whether this peer is configured via the node-to-node mesh, or via an explicit global or per-node BGPPeer object.
                          type: string
                      type: object
                    type: array
                  peersV6:
                    description: PeersV6 represents IPv6 BGP peers status on the node.
                    items:
                      description: CalicoNodePeer contains the status of BGP peers on the node.
                      properties:
                        peerIP:
                          description: IP address of the peer whose condition we are reporting.
                          type: string
                        since:
                          description: Since the state or reason last changed.
                          type: string
                        state:
                          description: State is the BGP session state.
                          type: string
                        type:
                          description: Type indicates whether this peer is configured via the node-to-node mesh, or via an explicit global or per-node BGPPeer object.
                          type: string
                      type: object
                    type: array
                required:
                - numberEstablishedV4
                - numberEstablishedV6
                - numberNotEstablishedV4
                - numberNotEstablishedV6
                type: object
              lastUpdated:
                description: LastUpdated is a timestamp representing the server time when the CalicoNodeStatus object was last updated. It is represented in RFC3339 form and is in UTC.
                format: date-time
                nullable: true
                type: string
              routes:
                description: Routes reports routes known to the Calico BGP daemon on the node.
                properties:
                  routesV4:
                    description: RoutesV4 represents IPv4 routes on the node.
                    items:
                      description: CalicoNodeRoute contains the status of BGP routes on the node.
                      properties:
                        destination:
                          description: Destination of the route.
                          type: string
                        gateway:
                          description: Gateway for the destination.
                          type: string
                        interface:
                          description: Interface for the destination.
                          type: string
                        learnedFrom:
                          description: LearnedFrom contains information regarding where this route originated.
                          properties:
                            peerIP:
                              description: If sourceType is NodeMesh or BGPPeer, the IP address of the router that sent us this route.
                              type: string
                            sourceType:
                              description: Type of the source where a route is learned from.
                              type: string
                          type: object
                        type:
                          description: Type indicates if the route is being used for forwarding or not.
                          type: string
                      type: object
                    type: array
                  routesV6:
                    description: RoutesV6 represents IPv6 routes on the node.
                    items:
                      description: CalicoNodeRoute contains the status of BGP routes on the node.
                      properties:
                        destination:
                          description: Destination of the route.
                          type: string
                        gateway:
                          description: Gateway for the destination.
                          type: string
                        interface:
                          description: Interface for the destination.
                          type: string
                        learnedFrom:
                          description: LearnedFrom contains information regarding where this route originated.
                          properties:
                            peerIP:
                              description: If sourceType is NodeMesh or BGPPeer, the IP address of the router that sent us this route.
                              type: string
                            sourceType:
                              description: Type of the source where a route is learned from.
                              type: string
                          type: object
                        type:
                          description: Type indicates if the route is being used for forwarding or not.
                          type: string
                      type: object
                    type: array
                type: object
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: ClusterInformation
    listKind: ClusterInformationList
    plural: clusterinformations
    singular: clusterinformation
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: ClusterInformation contains the cluster specific information.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterInformationSpec contains the values describing the cluster.
            properties:
              calicoVersion:
                description: CalicoVersion is the version of Calico that the cluster is running.
                type: string
              clusterGUID:
                description: ClusterGUID is the GUID of the cluster.
                type: string
              clusterType:
                description: ClusterType describes the type of the cluster.
                type: string
              datastoreReady:
                description: DatastoreReady is used during significant datastore migrations to signal to components such as Felix that they should wait before accessing the datastore.
                type: boolean
              variant:
                description: Variant declares which variant of Calico should be active.
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: FelixConfiguration
    listKind: FelixConfigurationList
    plural: felixconfigurations
    singular: felixconfiguration
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: FelixConfiguration contains the configuration for Felix.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: FelixConfigurationSpec contains the values of the Felix configuration.
            properties:
              allowIPIPPacketsFromWorkloads:
                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads. [Default: false]'
                type: boolean
              allowVXLANPacketsFromWorkloads:
                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads. [Default: false]'
                type: boolean
              awsSrcDstCheck:
                description: 'Set source-destination-check on AWS EC2 instances. The accepted value must be one of "DoNothing", "Enable" or "Disable". [Default: DoNothing]'
                enum:
                - DoNothing
                - Enable
                - Disable
                type: string
              bpfConnectTimeLoadBalancingEnabled:
                description: 'BPFConnectTimeLoadBalancingEnabled, when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. [Default: true]'
                type: boolean
              bpfDSROptoutCIDRs:
                description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients in those CIDRs will access nodeports as if BPFExternalServiceMode was set to Tunnel.
                items:
                  type: string
                type: array
              bpfDataIfacePattern:
                description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually named cali...).
                type: string
              bpfDisableUnprivileged:
                description: 'BPFDisableUnprivileged, if enabled, makes Felix set the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico''s BPF maps and cannot insert their own BPF programs to interfere with Calico''s. [Default: true]'
                type: boolean
              bpfEnabled:
                description: 'BPFEnabled, if enabled, makes Felix use the BPF dataplane. [Default: false]'
                type: boolean
              bpfEnforceRPF:
                description: 'BPFEnforceRPF enforces strict RPF on all host interfaces with BPF programs regardless of the per-interface or global setting. Possible values are Disabled, Strict or Loose. [Default: Loose]'
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark, in BPF mode, controls a 32-bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how routing is interpreted by the RPF check. [Default: 0]'
                type: integer
              bpfExternalServiceMode:
                description: 'BPFExternalServiceMode, in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]'
                type: string
              bpfHostConntrackBypass:
                description: 'BPFHostConntrackBypass controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]'
                type: boolean
              bpfKubeProxyEndpointSlicesEnabled:
                description: BPFKubeProxyEndpointSlicesEnabled, in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.
                type: boolean
              bpfKubeProxyIptablesCleanupEnabled:
                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, makes Felix proactively clean up the upstream Kubernetes kube-proxy''s iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]'
                type: boolean
              bpfKubeProxyMinSyncPeriod:
                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix''s embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]'
                type: string
              bpfL3IfacePattern:
                description: BPFL3IfacePattern is a regular expression that allows listing tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico that Calico workload traffic flows over, as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
                type: string
              bpfLogLevel:
                description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off]'
                type: string
              bpfMapSizeConntrack:
                description: 'BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.'
                type: integer
              bpfMapSizeIPSets:
                description: BPFMapSizeIPSets sets the size for the ipsets map. The IP sets map must be large enough to hold an entry for each endpoint matched by every selector in the source/destination matches in network policy. Selectors such as "all()" can result in large numbers of entries (one entry per endpoint in that case).
                type: integer
              bpfMapSizeIfState:
                description: BPFMapSizeIfState sets the size for the ifstate map. The ifstate map must be large enough to hold an entry for each device (host + workloads) on a host.
                type: integer
              bpfMapSizeNATAffinity:
                type: integer
              bpfMapSizeNATBackend:
                description: BPFMapSizeNATBackend sets the size for the NAT back end map. This is the total number of endpoints, which is usually larger than the number of services.
                type: integer
              bpfMapSizeNATFrontend:
                description: BPFMapSizeNATFrontend sets the size for the NAT front end map. The frontend map should be large enough to hold an entry for each nodeport, external IP and each port in each service.
                type: integer
              bpfMapSizeRoute:
                description: BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs).
                type: integer
              bpfPSNATPorts:
                anyOf:
                - type: integer
                - type: string
                description: 'BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and preferably outside the ephemeral ranges used by common operating systems. Linux uses 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily a problem if this range overlaps with the operating system''s. Both ends of the range are inclusive. [Default: 20000:29999]'
                pattern: ^.*
                x-kubernetes-int-or-string: true
              bpfPolicyDebugEnabled:
                description: BPFPolicyDebugEnabled, when true, makes Felix record detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool.
                type: boolean
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico''s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                description: DataplaneDriver is the filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver is set to false.
                type: string
              dataplaneWatchdogTimeout:
                description: "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get Felix to report non-live or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides."
1053 type: string 1054 debugDisableLogDropping: 1055 type: boolean 1056 debugMemoryProfilePath: 1057 type: string 1058 debugSimulateCalcGraphHangAfter: 1059 type: string 1060 debugSimulateDataplaneHangAfter: 1061 type: string 1062 defaultEndpointToHostAction: 1063 description: 'DefaultEndpointToHostAction controls what happens to 1064 traffic that goes from a workload endpoint to the host itself (after 1065 the traffic hits the endpoint egress policy). By default Calico 1066 blocks traffic from workload endpoints to the host itself with an 1067 iptables "DROP" action. If you want to allow some or all traffic 1068 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 1069 RETURN if you have your own rules in the iptables "INPUT" chain; 1070 Calico will insert its rules at the top of that chain, then "RETURN" 1071 packets to the "INPUT" chain once it has completed processing workload 1072 endpoint egress policy. Use ACCEPT to unconditionally accept packets 1073 from workloads after processing workload endpoint egress policy. 1074 [Default: Drop]' 1075 type: string 1076 deviceRouteProtocol: 1077 description: This defines the route protocol added to programmed device 1078 routes, by default this will be RTPROT_BOOT when left blank. 1079 type: integer 1080 deviceRouteSourceAddress: 1081 description: This is the IPv4 source address to use on programmed 1082 device routes. By default the source address is left blank, leaving 1083 the kernel to choose the source address used. 1084 type: string 1085 deviceRouteSourceAddressIPv6: 1086 description: This is the IPv6 source address to use on programmed 1087 device routes. By default the source address is left blank, leaving 1088 the kernel to choose the source address used. 
1089 type: string 1090 disableConntrackInvalidCheck: 1091 type: boolean 1092 endpointReportingDelay: 1093 type: string 1094 endpointReportingEnabled: 1095 type: boolean 1096 externalNodesList: 1097 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 1098 which may source tunnel traffic and have the tunneled traffic be 1099 accepted at calico nodes. 1100 items: 1101 type: string 1102 type: array 1103 failsafeInboundHostPorts: 1104 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 1105 and CIDRs that Felix will allow incoming traffic to host endpoints 1106 on irrespective of the security policy. This is useful to avoid 1107 accidentally cutting off a host with incorrect configuration. For 1108 back-compatibility, if the protocol is not specified, it defaults 1109 to "tcp". If a CIDR is not specified, it will allow traffic from 1110 all addresses. To disable all inbound host ports, use the value 1111 none. The default value allows ssh access and DHCP. [Default: tcp:22, 1112 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 1113 items: 1114 description: ProtoPort is combination of protocol, port, and CIDR. 1115 Protocol and port must be specified. 1116 properties: 1117 net: 1118 type: string 1119 port: 1120 type: integer 1121 protocol: 1122 type: string 1123 required: 1124 - port 1125 - protocol 1126 type: object 1127 type: array 1128 failsafeOutboundHostPorts: 1129 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 1130 and CIDRs that Felix will allow outgoing traffic from host endpoints 1131 to irrespective of the security policy. This is useful to avoid 1132 accidentally cutting off a host with incorrect configuration. For 1133 back-compatibility, if the protocol is not specified, it defaults 1134 to "tcp". If a CIDR is not specified, it will allow traffic from 1135 all addresses. To disable all outbound host ports, use the value 1136 none. 
The default value opens etcd''s standard ports to ensure that 1137 Felix does not get cut off from etcd as well as allowing DHCP and 1138 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 1139 tcp:6667, udp:53, udp:67]' 1140 items: 1141 description: ProtoPort is combination of protocol, port, and CIDR. 1142 Protocol and port must be specified. 1143 properties: 1144 net: 1145 type: string 1146 port: 1147 type: integer 1148 protocol: 1149 type: string 1150 required: 1151 - port 1152 - protocol 1153 type: object 1154 type: array 1155 featureDetectOverride: 1156 description: FeatureDetectOverride is used to override feature detection 1157 based on auto-detected platform capabilities. Values are specified 1158 in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" 1159 or "false" will force the feature, empty or omitted values are auto-detected. 1160 type: string 1161 featureGates: 1162 description: FeatureGates is used to enable or disable tech-preview 1163 Calico features. Values are specified in a comma separated list 1164 with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". 1165 This is used to enable features that are not fully production ready. 1166 type: string 1167 floatingIPs: 1168 description: FloatingIPs configures whether or not Felix will program 1169 non-OpenStack floating IP addresses. (OpenStack-derived floating 1170 IPs are always programmed, regardless of this setting.) 1171 enum: 1172 - Enabled 1173 - Disabled 1174 type: string 1175 genericXDPEnabled: 1176 description: 'GenericXDPEnabled enables Generic XDP so network cards 1177 that don''t support XDP offload or driver modes can use XDP. This 1178 is not recommended since it doesn''t provide better performance 1179 than iptables. 
[Default: false]' 1180 type: boolean 1181 healthEnabled: 1182 type: boolean 1183 healthHost: 1184 type: string 1185 healthPort: 1186 type: integer 1187 healthTimeoutOverrides: 1188 description: HealthTimeoutOverrides allows the internal watchdog timeouts 1189 of individual subcomponents to be overridden. This is useful for 1190 working around "false positive" liveness timeouts that can occur 1191 in particularly stressful workloads or if CPU is constrained. For 1192 a list of active subcomponents, see Felix's logs. 1193 items: 1194 properties: 1195 name: 1196 type: string 1197 timeout: 1198 type: string 1199 required: 1200 - name 1201 - timeout 1202 type: object 1203 type: array 1204 interfaceExclude: 1205 description: 'InterfaceExclude is a comma-separated list of interfaces 1206 that Felix should exclude when monitoring for host endpoints. The 1207 default value ensures that Felix ignores Kubernetes'' IPVS dummy 1208 interface, which is used internally by kube-proxy. If you want to 1209 exclude multiple interface names using a single value, the list 1210 supports regular expressions. For regular expressions you must wrap 1211 the value with ''/''. For example having values ''/^kube/,veth1'' 1212 will exclude all interfaces that begin with ''kube'' and also the 1213 interface ''veth1''. [Default: kube-ipvs0]' 1214 type: string 1215 interfacePrefix: 1216 description: 'InterfacePrefix is the interface name prefix that identifies 1217 workload endpoints and so distinguishes them from host endpoint 1218 interfaces. Note: in environments other than bare metal, the orchestrators 1219 configure this appropriately. For example our Kubernetes and Docker 1220 integrations set the ''cali'' value, and our OpenStack integration 1221 sets the ''tap'' value. [Default: cali]' 1222 type: string 1223 interfaceRefreshInterval: 1224 description: InterfaceRefreshInterval is the period at which Felix 1225 rescans local interfaces to verify their state. 
The rescan can be 1226 disabled by setting the interval to 0. 1227 type: string 1228 ipipEnabled: 1229 description: 'IPIPEnabled overrides whether Felix should configure 1230 an IPIP interface on the host. Optional as Felix determines this 1231 based on the existing IP pools. [Default: nil (unset)]' 1232 type: boolean 1233 ipipMTU: 1234 description: 'IPIPMTU is the MTU to set on the tunnel device. See 1235 Configuring MTU [Default: 1440]' 1236 type: integer 1237 ipsetsRefreshInterval: 1238 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 1239 all iptables state to ensure that no other process has accidentally 1240 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 1241 90s]' 1242 type: string 1243 iptablesBackend: 1244 description: IptablesBackend specifies which backend of iptables will 1245 be used. The default is Auto. 1246 type: string 1247 iptablesFilterAllowAction: 1248 type: string 1249 iptablesFilterDenyAction: 1250 description: IptablesFilterDenyAction controls what happens to traffic 1251 that is denied by network policy. By default Calico blocks traffic 1252 with an iptables "DROP" action. If you want to use "REJECT" action 1253 instead you can configure it in here. 1254 type: string 1255 iptablesLockFilePath: 1256 description: 'IptablesLockFilePath is the location of the iptables 1257 lock file. You may need to change this if the lock file is not in 1258 its standard location (for example if you have mapped it into Felix''s 1259 container at a different path). [Default: /run/xtables.lock]' 1260 type: string 1261 iptablesLockProbeInterval: 1262 description: 'IptablesLockProbeInterval is the time that Felix will 1263 wait between attempts to acquire the iptables lock if it is not 1264 available. Lower values make Felix more responsive when the lock 1265 is contended, but use more CPU. 
[Default: 50ms]' 1266 type: string 1267 iptablesLockTimeout: 1268 description: 'IptablesLockTimeout is the time that Felix will wait 1269 for the iptables lock, or 0, to disable. To use this feature, Felix 1270 must share the iptables lock file with all other processes that 1271 also take the lock. When running Felix inside a container, this 1272 requires the /run directory of the host to be mounted into the calico/node 1273 or calico/felix container. [Default: 0s disabled]' 1274 type: string 1275 iptablesMangleAllowAction: 1276 type: string 1277 iptablesMarkMask: 1278 description: 'IptablesMarkMask is the mask that Felix selects its 1279 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 1280 at least 8 bits set, none of which clash with any other mark bits 1281 in use on the system. [Default: 0xff000000]' 1282 format: int32 1283 type: integer 1284 iptablesNATOutgoingInterfaceFilter: 1285 type: string 1286 iptablesPostWriteCheckInterval: 1287 description: 'IptablesPostWriteCheckInterval is the period after Felix 1288 has done a write to the dataplane that it schedules an extra read 1289 back in order to check the write was not clobbered by another process. 1290 This should only occur if another application on the system doesn''t 1291 respect the iptables lock. [Default: 1s]' 1292 type: string 1293 iptablesRefreshInterval: 1294 description: 'IptablesRefreshInterval is the period at which Felix 1295 re-checks the IP sets in the dataplane to ensure that no other process 1296 has accidentally broken Calico''s rules. Set to 0 to disable IP 1297 sets refresh. Note: the default for this value is lower than the 1298 other refresh intervals as a workaround for a Linux kernel bug that 1299 was fixed in kernel version 4.11. If you are using v4.11 or greater 1300 you may want to set this to, a higher value to reduce Felix CPU 1301 usage. 
[Default: 10s]' 1302 type: string 1303 ipv6Support: 1304 description: IPv6Support controls whether Felix enables support for 1305 IPv6 (if supported by the in-use dataplane). 1306 type: boolean 1307 kubeNodePortRanges: 1308 description: 'KubeNodePortRanges holds list of port ranges used for 1309 service node ports. Only used if felix detects kube-proxy running 1310 in ipvs mode. Felix uses these ranges to separate host and workload 1311 traffic. [Default: 30000:32767].' 1312 items: 1313 anyOf: 1314 - type: integer 1315 - type: string 1316 pattern: ^.* 1317 x-kubernetes-int-or-string: true 1318 type: array 1319 logDebugFilenameRegex: 1320 description: LogDebugFilenameRegex controls which source code files 1321 have their Debug log output included in the logs. Only logs from 1322 files with names that match the given regular expression are included. The 1323 filter only applies to Debug level logs. 1324 type: string 1325 logFilePath: 1326 description: 'LogFilePath is the full path to the Felix log. Set to 1327 none to disable file logging. [Default: /var/log/calico/felix.log]' 1328 type: string 1329 logPrefix: 1330 description: 'LogPrefix is the log prefix that Felix uses when rendering 1331 LOG rules. [Default: calico-packet]' 1332 type: string 1333 logSeverityFile: 1334 description: 'LogSeverityFile is the log severity above which logs 1335 are sent to the log file. [Default: Info]' 1336 type: string 1337 logSeverityScreen: 1338 description: 'LogSeverityScreen is the log severity above which logs 1339 are sent to the stdout. [Default: Info]' 1340 type: string 1341 logSeveritySys: 1342 description: 'LogSeveritySys is the log severity above which logs 1343 are sent to the syslog. Set to None for no logging to syslog. [Default: 1344 Info]' 1345 type: string 1346 maxIpsetSize: 1347 type: integer 1348 metadataAddr: 1349 description: 'MetadataAddr is the IP address or domain name of the 1350 server that can answer VM queries for cloud-init metadata. 
In OpenStack, 1351 this corresponds to the machine running nova-api (or in Ubuntu, 1352 nova-api-metadata). A value of none (case insensitive) means that 1353 Felix should not set up any NAT rule for the metadata path. [Default: 1354 127.0.0.1]' 1355 type: string 1356 metadataPort: 1357 description: 'MetadataPort is the port of the metadata server. This, 1358 combined with global.MetadataAddr (if not ''None''), is used to 1359 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1360 In most cases this should not need to be changed [Default: 8775].' 1361 type: integer 1362 mtuIfacePattern: 1363 description: MTUIfacePattern is a regular expression that controls 1364 which interfaces Felix should scan in order to calculate the host's 1365 MTU. This should not match workload interfaces (usually named cali...). 1366 type: string 1367 natOutgoingAddress: 1368 description: NATOutgoingAddress specifies an address to use when performing 1369 source NAT for traffic in a natOutgoing pool that is leaving the 1370 network. By default the address used is an address on the interface 1371 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1372 type: string 1373 natPortRange: 1374 anyOf: 1375 - type: integer 1376 - type: string 1377 description: NATPortRange specifies the range of ports that is used 1378 for port mapping when doing outgoing NAT. When unset the default 1379 behavior of the network stack is used. 1380 pattern: ^.* 1381 x-kubernetes-int-or-string: true 1382 netlinkTimeout: 1383 type: string 1384 openstackRegion: 1385 description: 'OpenstackRegion is the name of the region that a particular 1386 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1387 this must be configured somehow for each Felix (here in the datamodel, 1388 or in felix.cfg or the environment on each compute node), and must 1389 match the [calico] openstack_region value configured in neutron.conf 1390 on each node. 
[Default: Empty]' 1391 type: string 1392 policySyncPathPrefix: 1393 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1394 policy changes to external services, like Application layer policy. 1395 [Default: Empty]' 1396 type: string 1397 prometheusGoMetricsEnabled: 1398 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1399 collection, which the Prometheus client does by default, when set 1400 to false. This reduces the number of metrics reported, reducing 1401 Prometheus load. [Default: true]' 1402 type: boolean 1403 prometheusMetricsEnabled: 1404 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1405 server in Felix if set to true. [Default: false]' 1406 type: boolean 1407 prometheusMetricsHost: 1408 description: 'PrometheusMetricsHost is the host that the Prometheus 1409 metrics server should bind to. [Default: empty]' 1410 type: string 1411 prometheusMetricsPort: 1412 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1413 metrics server should bind to. [Default: 9091]' 1414 type: integer 1415 prometheusProcessMetricsEnabled: 1416 description: 'PrometheusProcessMetricsEnabled disables process metrics 1417 collection, which the Prometheus client does by default, when set 1418 to false. This reduces the number of metrics reported, reducing 1419 Prometheus load. [Default: true]' 1420 type: boolean 1421 prometheusWireGuardMetricsEnabled: 1422 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1423 metrics collection, which the Prometheus client does by default, 1424 when set to false. This reduces the number of metrics reported, 1425 reducing Prometheus load. [Default: true]' 1426 type: boolean 1427 removeExternalRoutes: 1428 description: Whether or not to remove device routes that have not 1429 been programmed by Felix. Disabling this will allow external applications 1430 to also add device routes. 
This is enabled by default which means 1431 we will remove externally added routes. 1432 type: boolean 1433 reportingInterval: 1434 description: 'ReportingInterval is the interval at which Felix reports 1435 its status into the datastore or 0 to disable. Must be non-zero 1436 in OpenStack deployments. [Default: 30s]' 1437 type: string 1438 reportingTTL: 1439 description: 'ReportingTTL is the time-to-live setting for process-wide 1440 status reports. [Default: 90s]' 1441 type: string 1442 routeRefreshInterval: 1443 description: 'RouteRefreshInterval is the period at which Felix re-checks 1444 the routes in the dataplane to ensure that no other process has 1445 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1446 [Default: 90s]' 1447 type: string 1448 routeSource: 1449 description: 'RouteSource configures where Felix gets its routing 1450 information. - WorkloadIPs: use workload endpoints to construct 1451 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1452 type: string 1453 routeSyncDisabled: 1454 description: RouteSyncDisabled will disable all operations performed 1455 on the route table. Set to true to run in network-policy mode only. 1456 type: boolean 1457 routeTableRange: 1458 description: Deprecated in favor of RouteTableRanges. Calico programs 1459 additional Linux route tables for various purposes. RouteTableRange 1460 specifies the indices of the route tables that Calico should use. 1461 properties: 1462 max: 1463 type: integer 1464 min: 1465 type: integer 1466 required: 1467 - max 1468 - min 1469 type: object 1470 routeTableRanges: 1471 description: Calico programs additional Linux route tables for various 1472 purposes. RouteTableRanges specifies a set of table index ranges 1473 that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. 
1474 items: 1475 properties: 1476 max: 1477 type: integer 1478 min: 1479 type: integer 1480 required: 1481 - max 1482 - min 1483 type: object 1484 type: array 1485 serviceLoopPrevention: 1486 description: 'When service IP advertisement is enabled, prevent routing 1487 loops to service IPs that are not in use, by dropping or rejecting 1488 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", 1489 in which case such routing loops continue to be allowed. [Default: 1490 Drop]' 1491 type: string 1492 sidecarAccelerationEnabled: 1493 description: 'SidecarAccelerationEnabled enables experimental sidecar 1494 acceleration [Default: false]' 1495 type: boolean 1496 usageReportingEnabled: 1497 description: 'UsageReportingEnabled reports anonymous Calico version 1498 number and cluster size to projectcalico.org. Logs warnings returned 1499 by the usage server. For example, if a significant security vulnerability 1500 has been discovered in the version of Calico being used. [Default: 1501 true]' 1502 type: boolean 1503 usageReportingInitialDelay: 1504 description: 'UsageReportingInitialDelay controls the minimum delay 1505 before Felix makes a report. [Default: 300s]' 1506 type: string 1507 usageReportingInterval: 1508 description: 'UsageReportingInterval controls the interval at which 1509 Felix makes reports. [Default: 86400s]' 1510 type: string 1511 useInternalDataplaneDriver: 1512 description: UseInternalDataplaneDriver, if true, Felix will use its 1513 internal dataplane programming logic. If false, it will launch 1514 an external dataplane driver and communicate with it over protobuf. 1515 type: boolean 1516 vxlanEnabled: 1517 description: 'VXLANEnabled overrides whether Felix should create the 1518 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix 1519 determines this based on the existing IP pools. 
[Default: nil (unset)]' 1520 type: boolean 1521 vxlanMTU: 1522 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel 1523 device. See Configuring MTU [Default: 1410]' 1524 type: integer 1525 vxlanMTUV6: 1526 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel 1527 device. See Configuring MTU [Default: 1390]' 1528 type: integer 1529 vxlanPort: 1530 type: integer 1531 vxlanVNI: 1532 type: integer 1533 wireguardEnabled: 1534 description: 'WireguardEnabled controls whether Wireguard is enabled 1535 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). 1536 [Default: false]' 1537 type: boolean 1538 wireguardEnabledV6: 1539 description: 'WireguardEnabledV6 controls whether Wireguard is enabled 1540 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). 1541 [Default: false]' 1542 type: boolean 1543 wireguardHostEncryptionEnabled: 1544 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1545 host-to-host encryption is enabled. [Default: false]' 1546 type: boolean 1547 wireguardInterfaceName: 1548 description: 'WireguardInterfaceName specifies the name to use for 1549 the IPv4 Wireguard interface. [Default: wireguard.cali]' 1550 type: string 1551 wireguardInterfaceNameV6: 1552 description: 'WireguardInterfaceNameV6 specifies the name to use for 1553 the IPv6 Wireguard interface. [Default: wg-v6.cali]' 1554 type: string 1555 wireguardKeepAlive: 1556 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive 1557 option. Set 0 to disable. [Default: 0]' 1558 type: string 1559 wireguardListeningPort: 1560 description: 'WireguardListeningPort controls the listening port used 1561 by IPv4 Wireguard. [Default: 51820]' 1562 type: integer 1563 wireguardListeningPortV6: 1564 description: 'WireguardListeningPortV6 controls the listening port 1565 used by IPv6 Wireguard. 
[Default: 51821]' 1566 type: integer 1567 wireguardMTU: 1568 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard 1569 interface. See Configuring MTU [Default: 1440]' 1570 type: integer 1571 wireguardMTUV6: 1572 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard 1573 interface. See Configuring MTU [Default: 1420]' 1574 type: integer 1575 wireguardRoutingRulePriority: 1576 description: 'WireguardRoutingRulePriority controls the priority value 1577 to use for the Wireguard routing rule. [Default: 99]' 1578 type: integer 1579 workloadSourceSpoofing: 1580 description: WorkloadSourceSpoofing controls whether pods can use 1581 the allowedSourcePrefixes annotation to send traffic with a source 1582 IP address that is not theirs. This is disabled by default. When 1583 set to "Any", pods can request any prefix. 1584 type: string 1585 xdpEnabled: 1586 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1587 incoming deny rules. [Default: true]' 1588 type: boolean 1589 xdpRefreshInterval: 1590 description: 'XDPRefreshInterval is the period at which Felix re-checks 1591 all XDP state to ensure that no other process has accidentally broken 1592 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1593 refresh. 
[Default: 90s]' 1594 type: string 1595 type: object 1596 type: object 1597 served: true 1598 storage: true 1599 status: 1600 acceptedNames: 1601 kind: "" 1602 plural: "" 1603 conditions: [] 1604 storedVersions: [] 1605 --- 1606 apiVersion: apiextensions.k8s.io/v1 1607 kind: CustomResourceDefinition 1608 metadata: 1609 name: globalnetworkpolicies.crd.projectcalico.org 1610 spec: 1611 group: crd.projectcalico.org 1612 names: 1613 kind: GlobalNetworkPolicy 1614 listKind: GlobalNetworkPolicyList 1615 plural: globalnetworkpolicies 1616 singular: globalnetworkpolicy 1617 preserveUnknownFields: false 1618 scope: Cluster 1619 versions: 1620 - name: v1 1621 schema: 1622 openAPIV3Schema: 1623 properties: 1624 apiVersion: 1625 description: 'APIVersion defines the versioned schema of this representation 1626 of an object. Servers should convert recognized schemas to the latest 1627 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1628 type: string 1629 kind: 1630 description: 'Kind is a string value representing the REST resource this 1631 object represents. Servers may infer this from the endpoint the client 1632 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1633 type: string 1634 metadata: 1635 type: object 1636 spec: 1637 properties: 1638 applyOnForward: 1639 description: ApplyOnForward indicates to apply the rules in this policy 1640 on forward traffic. 1641 type: boolean 1642 doNotTrack: 1643 description: DoNotTrack indicates whether packets matched by the rules 1644 in this policy should go through the data plane's connection tracking, 1645 such as Linux conntrack. If True, the rules in this policy are 1646 applied before any data plane connection tracking, and packets allowed 1647 by this policy are marked as not to be tracked. 
1648 type: boolean 1649 egress: 1650 description: The ordered set of egress rules. Each rule contains 1651 a set of packet match criteria and a corresponding action to apply. 1652 items: 1653 description: "A Rule encapsulates a set of match criteria and an 1654 action. Both selector-based security Policy and security Profiles 1655 reference rules - separated out as a list of rules for both ingress 1656 and egress packet matching. \n Each positive match criteria has 1657 a negated version, prefixed with \"Not\". All the match criteria 1658 within a rule must be satisfied for a packet to match. A single 1659 rule can contain the positive and negative version of a match 1660 and both must be satisfied for the rule to match." 1661 properties: 1662 action: 1663 type: string 1664 destination: 1665 description: Destination contains the match criteria that apply 1666 to destination entity. 1667 properties: 1668 namespaceSelector: 1669 description: "NamespaceSelector is an optional field that 1670 contains a selector expression. Only traffic that originates 1671 from (or terminates at) endpoints within the selected 1672 namespaces will be matched. When both NamespaceSelector 1673 and another selector are defined on the same rule, then 1674 only workload endpoints that are matched by both selectors 1675 will be selected by the rule. \n For NetworkPolicy, an 1676 empty NamespaceSelector implies that the Selector is limited 1677 to selecting only workload endpoints in the same namespace 1678 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1679 NamespaceSelector implies that the Selector is limited 1680 to selecting only GlobalNetworkSet or HostEndpoint. \n 1681 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1682 the Selector applies to workload endpoints across all 1683 namespaces." 
1684 type: string 1685 nets: 1686 description: Nets is an optional field that restricts the 1687 rule to only apply to traffic that originates from (or 1688 terminates at) IP addresses in any of the given subnets. 1689 items: 1690 type: string 1691 type: array 1692 notNets: 1693 description: NotNets is the negated version of the Nets 1694 field. 1695 items: 1696 type: string 1697 type: array 1698 notPorts: 1699 description: NotPorts is the negated version of the Ports 1700 field. Since only some protocols have ports, if any ports 1701 are specified it requires the Protocol match in the Rule 1702 to be set to "TCP" or "UDP". 1703 items: 1704 anyOf: 1705 - type: integer 1706 - type: string 1707 pattern: ^.* 1708 x-kubernetes-int-or-string: true 1709 type: array 1710 notSelector: 1711 description: NotSelector is the negated version of the Selector 1712 field. See Selector field for subtleties with negated 1713 selectors. 1714 type: string 1715 ports: 1716 description: "Ports is an optional field that restricts 1717 the rule to only apply to traffic that has a source (destination) 1718 port that matches one of these ranges/values. This value 1719 is a list of integers or strings that represent ranges 1720 of ports. \n Since only some protocols have ports, if 1721 any ports are specified it requires the Protocol match 1722 in the Rule to be set to \"TCP\" or \"UDP\"." 1723 items: 1724 anyOf: 1725 - type: integer 1726 - type: string 1727 pattern: ^.* 1728 x-kubernetes-int-or-string: true 1729 type: array 1730 selector: 1731 description: "Selector is an optional field that contains 1732 a selector expression (see Policy for sample syntax). 1733 \ Only traffic that originates from (terminates at) endpoints 1734 matching the selector will be matched. \n Note that: in 1735 addition to the negated version of the Selector (see NotSelector 1736 below), the selector expression syntax itself supports 1737 negation. The two types of negation are subtly different. 
1738 One negates the set of matched endpoints, the other negates 1739 the whole match: \n \tSelector = \"!has(my_label)\" matches 1740 packets that are from other Calico-controlled \tendpoints 1741 that do not have the label \"my_label\". \n \tNotSelector 1742 = \"has(my_label)\" matches packets that are not from 1743 Calico-controlled \tendpoints that do have the label \"my_label\". 1744 \n The effect is that the latter will accept packets from 1745 non-Calico sources whereas the former is limited to packets 1746 from Calico-controlled endpoints." 1747 type: string 1748 serviceAccounts: 1749 description: ServiceAccounts is an optional field that restricts 1750 the rule to only apply to traffic that originates from 1751 (or terminates at) a pod running as a matching service 1752 account. 1753 properties: 1754 names: 1755 description: Names is an optional field that restricts 1756 the rule to only apply to traffic that originates 1757 from (or terminates at) a pod running as a service 1758 account whose name is in the list. 1759 items: 1760 type: string 1761 type: array 1762 selector: 1763 description: Selector is an optional field that restricts 1764 the rule to only apply to traffic that originates 1765 from (or terminates at) a pod running as a service 1766 account that matches the given label selector. If 1767 both Names and Selector are specified then they are 1768 AND'ed. 1769 type: string 1770 type: object 1771 services: 1772 description: "Services is an optional field that contains 1773 options for matching Kubernetes Services. If specified, 1774 only traffic that originates from or terminates at endpoints 1775 within the selected service(s) will be matched, and only 1776 to/from each endpoint's port. \n Services cannot be specified 1777 on the same rule as Selector, NotSelector, NamespaceSelector, 1778 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1779 can only be specified with Services on ingress rules." 
1780 properties: 1781 name: 1782 description: Name specifies the name of a Kubernetes 1783 Service to match. 1784 type: string 1785 namespace: 1786 description: Namespace specifies the namespace of the 1787 given Service. If left empty, the rule will match 1788 within this policy's namespace. 1789 type: string 1790 type: object 1791 type: object 1792 http: 1793 description: HTTP contains match criteria that apply to HTTP 1794 requests. 1795 properties: 1796 methods: 1797 description: Methods is an optional field that restricts 1798 the rule to apply only to HTTP requests that use one of 1799 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1800 methods are OR'd together. 1801 items: 1802 type: string 1803 type: array 1804 paths: 1805 description: 'Paths is an optional field that restricts 1806 the rule to apply to HTTP requests that use one of the 1807 listed HTTP Paths. Multiple paths are OR''d together. 1808 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1809 ONLY specify either a `exact` or a `prefix` match. The 1810 validator will check for it.' 1811 items: 1812 description: 'HTTPPath specifies an HTTP path to match. 1813 It may be either of the form: exact: <path>: which matches 1814 the path exactly or prefix: <path-prefix>: which matches 1815 the path prefix' 1816 properties: 1817 exact: 1818 type: string 1819 prefix: 1820 type: string 1821 type: object 1822 type: array 1823 type: object 1824 icmp: 1825 description: ICMP is an optional field that restricts the rule 1826 to apply to a specific type and code of ICMP traffic. This 1827 should only be specified if the Protocol field is set to "ICMP" 1828 or "ICMPv6". 1829 properties: 1830 code: 1831 description: Match on a specific ICMP code. If specified, 1832 the Type value must also be specified. This is a technical 1833 limitation imposed by the kernel's iptables firewall, 1834 which Calico uses to enforce the rule. 1835 type: integer 1836 type: 1837 description: Match on a specific ICMP type. 
For example 1838 a value of 8 refers to ICMP Echo Request (i.e. pings). 1839 type: integer 1840 type: object 1841 ipVersion: 1842 description: IPVersion is an optional field that restricts the 1843 rule to only match a specific IP version. 1844 type: integer 1845 metadata: 1846 description: Metadata contains additional information for this 1847 rule 1848 properties: 1849 annotations: 1850 additionalProperties: 1851 type: string 1852 description: Annotations is a set of key value pairs that 1853 give extra information about the rule 1854 type: object 1855 type: object 1856 notICMP: 1857 description: NotICMP is the negated version of the ICMP field. 1858 properties: 1859 code: 1860 description: Match on a specific ICMP code. If specified, 1861 the Type value must also be specified. This is a technical 1862 limitation imposed by the kernel's iptables firewall, 1863 which Calico uses to enforce the rule. 1864 type: integer 1865 type: 1866 description: Match on a specific ICMP type. For example 1867 a value of 8 refers to ICMP Echo Request (i.e. pings). 1868 type: integer 1869 type: object 1870 notProtocol: 1871 anyOf: 1872 - type: integer 1873 - type: string 1874 description: NotProtocol is the negated version of the Protocol 1875 field. 1876 pattern: ^.* 1877 x-kubernetes-int-or-string: true 1878 protocol: 1879 anyOf: 1880 - type: integer 1881 - type: string 1882 description: "Protocol is an optional field that restricts the 1883 rule to only apply to traffic of a specific IP protocol. Required 1884 if any of the EntityRules contain Ports (because ports only 1885 apply to certain protocols). \n Must be one of these string 1886 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1887 \"UDPLite\" or an integer in the range 1-255." 1888 pattern: ^.* 1889 x-kubernetes-int-or-string: true 1890 source: 1891 description: Source contains the match criteria that apply to 1892 source entity. 
1893 properties: 1894 namespaceSelector: 1895 description: "NamespaceSelector is an optional field that 1896 contains a selector expression. Only traffic that originates 1897 from (or terminates at) endpoints within the selected 1898 namespaces will be matched. When both NamespaceSelector 1899 and another selector are defined on the same rule, then 1900 only workload endpoints that are matched by both selectors 1901 will be selected by the rule. \n For NetworkPolicy, an 1902 empty NamespaceSelector implies that the Selector is limited 1903 to selecting only workload endpoints in the same namespace 1904 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1905 NamespaceSelector implies that the Selector is limited 1906 to selecting only GlobalNetworkSet or HostEndpoint. \n 1907 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1908 the Selector applies to workload endpoints across all 1909 namespaces." 1910 type: string 1911 nets: 1912 description: Nets is an optional field that restricts the 1913 rule to only apply to traffic that originates from (or 1914 terminates at) IP addresses in any of the given subnets. 1915 items: 1916 type: string 1917 type: array 1918 notNets: 1919 description: NotNets is the negated version of the Nets 1920 field. 1921 items: 1922 type: string 1923 type: array 1924 notPorts: 1925 description: NotPorts is the negated version of the Ports 1926 field. Since only some protocols have ports, if any ports 1927 are specified it requires the Protocol match in the Rule 1928 to be set to "TCP" or "UDP". 1929 items: 1930 anyOf: 1931 - type: integer 1932 - type: string 1933 pattern: ^.* 1934 x-kubernetes-int-or-string: true 1935 type: array 1936 notSelector: 1937 description: NotSelector is the negated version of the Selector 1938 field. See Selector field for subtleties with negated 1939 selectors. 
1940 type: string 1941 ports: 1942 description: "Ports is an optional field that restricts 1943 the rule to only apply to traffic that has a source (destination) 1944 port that matches one of these ranges/values. This value 1945 is a list of integers or strings that represent ranges 1946 of ports. \n Since only some protocols have ports, if 1947 any ports are specified it requires the Protocol match 1948 in the Rule to be set to \"TCP\" or \"UDP\"." 1949 items: 1950 anyOf: 1951 - type: integer 1952 - type: string 1953 pattern: ^.* 1954 x-kubernetes-int-or-string: true 1955 type: array 1956 selector: 1957 description: "Selector is an optional field that contains 1958 a selector expression (see Policy for sample syntax). 1959 \ Only traffic that originates from (terminates at) endpoints 1960 matching the selector will be matched. \n Note that: in 1961 addition to the negated version of the Selector (see NotSelector 1962 below), the selector expression syntax itself supports 1963 negation. The two types of negation are subtly different. 1964 One negates the set of matched endpoints, the other negates 1965 the whole match: \n \tSelector = \"!has(my_label)\" matches 1966 packets that are from other Calico-controlled \tendpoints 1967 that do not have the label \"my_label\". \n \tNotSelector 1968 = \"has(my_label)\" matches packets that are not from 1969 Calico-controlled \tendpoints that do have the label \"my_label\". 1970 \n The effect is that the latter will accept packets from 1971 non-Calico sources whereas the former is limited to packets 1972 from Calico-controlled endpoints." 1973 type: string 1974 serviceAccounts: 1975 description: ServiceAccounts is an optional field that restricts 1976 the rule to only apply to traffic that originates from 1977 (or terminates at) a pod running as a matching service 1978 account. 
1979 properties: 1980 names: 1981 description: Names is an optional field that restricts 1982 the rule to only apply to traffic that originates 1983 from (or terminates at) a pod running as a service 1984 account whose name is in the list. 1985 items: 1986 type: string 1987 type: array 1988 selector: 1989 description: Selector is an optional field that restricts 1990 the rule to only apply to traffic that originates 1991 from (or terminates at) a pod running as a service 1992 account that matches the given label selector. If 1993 both Names and Selector are specified then they are 1994 AND'ed. 1995 type: string 1996 type: object 1997 services: 1998 description: "Services is an optional field that contains 1999 options for matching Kubernetes Services. If specified, 2000 only traffic that originates from or terminates at endpoints 2001 within the selected service(s) will be matched, and only 2002 to/from each endpoint's port. \n Services cannot be specified 2003 on the same rule as Selector, NotSelector, NamespaceSelector, 2004 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2005 can only be specified with Services on ingress rules." 2006 properties: 2007 name: 2008 description: Name specifies the name of a Kubernetes 2009 Service to match. 2010 type: string 2011 namespace: 2012 description: Namespace specifies the namespace of the 2013 given Service. If left empty, the rule will match 2014 within this policy's namespace. 2015 type: string 2016 type: object 2017 type: object 2018 required: 2019 - action 2020 type: object 2021 type: array 2022 ingress: 2023 description: The ordered set of ingress rules. Each rule contains 2024 a set of packet match criteria and a corresponding action to apply. 2025 items: 2026 description: "A Rule encapsulates a set of match criteria and an 2027 action. Both selector-based security Policy and security Profiles 2028 reference rules - separated out as a list of rules for both ingress 2029 and egress packet matching. 
\n Each positive match criteria has 2030 a negated version, prefixed with \"Not\". All the match criteria 2031 within a rule must be satisfied for a packet to match. A single 2032 rule can contain the positive and negative version of a match 2033 and both must be satisfied for the rule to match." 2034 properties: 2035 action: 2036 type: string 2037 destination: 2038 description: Destination contains the match criteria that apply 2039 to destination entity. 2040 properties: 2041 namespaceSelector: 2042 description: "NamespaceSelector is an optional field that 2043 contains a selector expression. Only traffic that originates 2044 from (or terminates at) endpoints within the selected 2045 namespaces will be matched. When both NamespaceSelector 2046 and another selector are defined on the same rule, then 2047 only workload endpoints that are matched by both selectors 2048 will be selected by the rule. \n For NetworkPolicy, an 2049 empty NamespaceSelector implies that the Selector is limited 2050 to selecting only workload endpoints in the same namespace 2051 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2052 NamespaceSelector implies that the Selector is limited 2053 to selecting only GlobalNetworkSet or HostEndpoint. \n 2054 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2055 the Selector applies to workload endpoints across all 2056 namespaces." 2057 type: string 2058 nets: 2059 description: Nets is an optional field that restricts the 2060 rule to only apply to traffic that originates from (or 2061 terminates at) IP addresses in any of the given subnets. 2062 items: 2063 type: string 2064 type: array 2065 notNets: 2066 description: NotNets is the negated version of the Nets 2067 field. 2068 items: 2069 type: string 2070 type: array 2071 notPorts: 2072 description: NotPorts is the negated version of the Ports 2073 field. 
Since only some protocols have ports, if any ports 2074 are specified it requires the Protocol match in the Rule 2075 to be set to "TCP" or "UDP". 2076 items: 2077 anyOf: 2078 - type: integer 2079 - type: string 2080 pattern: ^.* 2081 x-kubernetes-int-or-string: true 2082 type: array 2083 notSelector: 2084 description: NotSelector is the negated version of the Selector 2085 field. See Selector field for subtleties with negated 2086 selectors. 2087 type: string 2088 ports: 2089 description: "Ports is an optional field that restricts 2090 the rule to only apply to traffic that has a source (destination) 2091 port that matches one of these ranges/values. This value 2092 is a list of integers or strings that represent ranges 2093 of ports. \n Since only some protocols have ports, if 2094 any ports are specified it requires the Protocol match 2095 in the Rule to be set to \"TCP\" or \"UDP\"." 2096 items: 2097 anyOf: 2098 - type: integer 2099 - type: string 2100 pattern: ^.* 2101 x-kubernetes-int-or-string: true 2102 type: array 2103 selector: 2104 description: "Selector is an optional field that contains 2105 a selector expression (see Policy for sample syntax). 2106 \ Only traffic that originates from (terminates at) endpoints 2107 matching the selector will be matched. \n Note that: in 2108 addition to the negated version of the Selector (see NotSelector 2109 below), the selector expression syntax itself supports 2110 negation. The two types of negation are subtly different. 2111 One negates the set of matched endpoints, the other negates 2112 the whole match: \n \tSelector = \"!has(my_label)\" matches 2113 packets that are from other Calico-controlled \tendpoints 2114 that do not have the label \"my_label\". \n \tNotSelector 2115 = \"has(my_label)\" matches packets that are not from 2116 Calico-controlled \tendpoints that do have the label \"my_label\". 
2117 \n The effect is that the latter will accept packets from 2118 non-Calico sources whereas the former is limited to packets 2119 from Calico-controlled endpoints." 2120 type: string 2121 serviceAccounts: 2122 description: ServiceAccounts is an optional field that restricts 2123 the rule to only apply to traffic that originates from 2124 (or terminates at) a pod running as a matching service 2125 account. 2126 properties: 2127 names: 2128 description: Names is an optional field that restricts 2129 the rule to only apply to traffic that originates 2130 from (or terminates at) a pod running as a service 2131 account whose name is in the list. 2132 items: 2133 type: string 2134 type: array 2135 selector: 2136 description: Selector is an optional field that restricts 2137 the rule to only apply to traffic that originates 2138 from (or terminates at) a pod running as a service 2139 account that matches the given label selector. If 2140 both Names and Selector are specified then they are 2141 AND'ed. 2142 type: string 2143 type: object 2144 services: 2145 description: "Services is an optional field that contains 2146 options for matching Kubernetes Services. If specified, 2147 only traffic that originates from or terminates at endpoints 2148 within the selected service(s) will be matched, and only 2149 to/from each endpoint's port. \n Services cannot be specified 2150 on the same rule as Selector, NotSelector, NamespaceSelector, 2151 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2152 can only be specified with Services on ingress rules." 2153 properties: 2154 name: 2155 description: Name specifies the name of a Kubernetes 2156 Service to match. 2157 type: string 2158 namespace: 2159 description: Namespace specifies the namespace of the 2160 given Service. If left empty, the rule will match 2161 within this policy's namespace. 
2162 type: string 2163 type: object 2164 type: object 2165 http: 2166 description: HTTP contains match criteria that apply to HTTP 2167 requests. 2168 properties: 2169 methods: 2170 description: Methods is an optional field that restricts 2171 the rule to apply only to HTTP requests that use one of 2172 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2173 methods are OR'd together. 2174 items: 2175 type: string 2176 type: array 2177 paths: 2178 description: 'Paths is an optional field that restricts 2179 the rule to apply to HTTP requests that use one of the 2180 listed HTTP Paths. Multiple paths are OR''d together. 2181 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2182 ONLY specify either a `exact` or a `prefix` match. The 2183 validator will check for it.' 2184 items: 2185 description: 'HTTPPath specifies an HTTP path to match. 2186 It may be either of the form: exact: <path>: which matches 2187 the path exactly or prefix: <path-prefix>: which matches 2188 the path prefix' 2189 properties: 2190 exact: 2191 type: string 2192 prefix: 2193 type: string 2194 type: object 2195 type: array 2196 type: object 2197 icmp: 2198 description: ICMP is an optional field that restricts the rule 2199 to apply to a specific type and code of ICMP traffic. This 2200 should only be specified if the Protocol field is set to "ICMP" 2201 or "ICMPv6". 2202 properties: 2203 code: 2204 description: Match on a specific ICMP code. If specified, 2205 the Type value must also be specified. This is a technical 2206 limitation imposed by the kernel's iptables firewall, 2207 which Calico uses to enforce the rule. 2208 type: integer 2209 type: 2210 description: Match on a specific ICMP type. For example 2211 a value of 8 refers to ICMP Echo Request (i.e. pings). 2212 type: integer 2213 type: object 2214 ipVersion: 2215 description: IPVersion is an optional field that restricts the 2216 rule to only match a specific IP version. 
2217 type: integer 2218 metadata: 2219 description: Metadata contains additional information for this 2220 rule 2221 properties: 2222 annotations: 2223 additionalProperties: 2224 type: string 2225 description: Annotations is a set of key value pairs that 2226 give extra information about the rule 2227 type: object 2228 type: object 2229 notICMP: 2230 description: NotICMP is the negated version of the ICMP field. 2231 properties: 2232 code: 2233 description: Match on a specific ICMP code. If specified, 2234 the Type value must also be specified. This is a technical 2235 limitation imposed by the kernel's iptables firewall, 2236 which Calico uses to enforce the rule. 2237 type: integer 2238 type: 2239 description: Match on a specific ICMP type. For example 2240 a value of 8 refers to ICMP Echo Request (i.e. pings). 2241 type: integer 2242 type: object 2243 notProtocol: 2244 anyOf: 2245 - type: integer 2246 - type: string 2247 description: NotProtocol is the negated version of the Protocol 2248 field. 2249 pattern: ^.* 2250 x-kubernetes-int-or-string: true 2251 protocol: 2252 anyOf: 2253 - type: integer 2254 - type: string 2255 description: "Protocol is an optional field that restricts the 2256 rule to only apply to traffic of a specific IP protocol. Required 2257 if any of the EntityRules contain Ports (because ports only 2258 apply to certain protocols). \n Must be one of these string 2259 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2260 \"UDPLite\" or an integer in the range 1-255." 2261 pattern: ^.* 2262 x-kubernetes-int-or-string: true 2263 source: 2264 description: Source contains the match criteria that apply to 2265 source entity. 2266 properties: 2267 namespaceSelector: 2268 description: "NamespaceSelector is an optional field that 2269 contains a selector expression. Only traffic that originates 2270 from (or terminates at) endpoints within the selected 2271 namespaces will be matched. 
When both NamespaceSelector 2272 and another selector are defined on the same rule, then 2273 only workload endpoints that are matched by both selectors 2274 will be selected by the rule. \n For NetworkPolicy, an 2275 empty NamespaceSelector implies that the Selector is limited 2276 to selecting only workload endpoints in the same namespace 2277 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2278 NamespaceSelector implies that the Selector is limited 2279 to selecting only GlobalNetworkSet or HostEndpoint. \n 2280 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2281 the Selector applies to workload endpoints across all 2282 namespaces." 2283 type: string 2284 nets: 2285 description: Nets is an optional field that restricts the 2286 rule to only apply to traffic that originates from (or 2287 terminates at) IP addresses in any of the given subnets. 2288 items: 2289 type: string 2290 type: array 2291 notNets: 2292 description: NotNets is the negated version of the Nets 2293 field. 2294 items: 2295 type: string 2296 type: array 2297 notPorts: 2298 description: NotPorts is the negated version of the Ports 2299 field. Since only some protocols have ports, if any ports 2300 are specified it requires the Protocol match in the Rule 2301 to be set to "TCP" or "UDP". 2302 items: 2303 anyOf: 2304 - type: integer 2305 - type: string 2306 pattern: ^.* 2307 x-kubernetes-int-or-string: true 2308 type: array 2309 notSelector: 2310 description: NotSelector is the negated version of the Selector 2311 field. See Selector field for subtleties with negated 2312 selectors. 2313 type: string 2314 ports: 2315 description: "Ports is an optional field that restricts 2316 the rule to only apply to traffic that has a source (destination) 2317 port that matches one of these ranges/values. This value 2318 is a list of integers or strings that represent ranges 2319 of ports. 
\n Since only some protocols have ports, if 2320 any ports are specified it requires the Protocol match 2321 in the Rule to be set to \"TCP\" or \"UDP\"." 2322 items: 2323 anyOf: 2324 - type: integer 2325 - type: string 2326 pattern: ^.* 2327 x-kubernetes-int-or-string: true 2328 type: array 2329 selector: 2330 description: "Selector is an optional field that contains 2331 a selector expression (see Policy for sample syntax). 2332 \ Only traffic that originates from (terminates at) endpoints 2333 matching the selector will be matched. \n Note that: in 2334 addition to the negated version of the Selector (see NotSelector 2335 below), the selector expression syntax itself supports 2336 negation. The two types of negation are subtly different. 2337 One negates the set of matched endpoints, the other negates 2338 the whole match: \n \tSelector = \"!has(my_label)\" matches 2339 packets that are from other Calico-controlled \tendpoints 2340 that do not have the label \"my_label\". \n \tNotSelector 2341 = \"has(my_label)\" matches packets that are not from 2342 Calico-controlled \tendpoints that do have the label \"my_label\". 2343 \n The effect is that the latter will accept packets from 2344 non-Calico sources whereas the former is limited to packets 2345 from Calico-controlled endpoints." 2346 type: string 2347 serviceAccounts: 2348 description: ServiceAccounts is an optional field that restricts 2349 the rule to only apply to traffic that originates from 2350 (or terminates at) a pod running as a matching service 2351 account. 2352 properties: 2353 names: 2354 description: Names is an optional field that restricts 2355 the rule to only apply to traffic that originates 2356 from (or terminates at) a pod running as a service 2357 account whose name is in the list. 
2358 items: 2359 type: string 2360 type: array 2361 selector: 2362 description: Selector is an optional field that restricts 2363 the rule to only apply to traffic that originates 2364 from (or terminates at) a pod running as a service 2365 account that matches the given label selector. If 2366 both Names and Selector are specified then they are 2367 AND'ed. 2368 type: string 2369 type: object 2370 services: 2371 description: "Services is an optional field that contains 2372 options for matching Kubernetes Services. If specified, 2373 only traffic that originates from or terminates at endpoints 2374 within the selected service(s) will be matched, and only 2375 to/from each endpoint's port. \n Services cannot be specified 2376 on the same rule as Selector, NotSelector, NamespaceSelector, 2377 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2378 can only be specified with Services on ingress rules." 2379 properties: 2380 name: 2381 description: Name specifies the name of a Kubernetes 2382 Service to match. 2383 type: string 2384 namespace: 2385 description: Namespace specifies the namespace of the 2386 given Service. If left empty, the rule will match 2387 within this policy's namespace. 2388 type: string 2389 type: object 2390 type: object 2391 required: 2392 - action 2393 type: object 2394 type: array 2395 namespaceSelector: 2396 description: NamespaceSelector is an optional field for an expression 2397 used to select a pod based on namespaces. 2398 type: string 2399 order: 2400 description: Order is an optional field that specifies the order in 2401 which the policy is applied. Policies with higher "order" are applied 2402 after those with lower order. If the order is omitted, it may be 2403 considered to be "infinite" - i.e. the policy will be applied last. Policies 2404 with identical order will be applied in alphanumerical order based 2405 on the Policy "Name". 
2406 type: number 2407 preDNAT: 2408 description: PreDNAT indicates to apply the rules in this policy before 2409 any DNAT. 2410 type: boolean 2411 selector: 2412 description: "The selector is an expression used to pick pick out 2413 the endpoints that the policy should be applied to. \n Selector 2414 expressions follow this syntax: \n \tlabel == \"string_literal\" 2415 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2416 \ -> not equal; also matches if label is not present \tlabel in 2417 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2418 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2419 ... } -> true if the value of label X is not one of \"a\", \"b\", 2420 \"c\" \thas(label_name) -> True if that label is present \t! expr 2421 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2422 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2423 or the empty selector -> matches all endpoints. \n Label names are 2424 allowed to contain alphanumerics, -, _ and /. String literals are 2425 more permissive but they do not support escape characters. \n Examples 2426 (with made-up labels): \n \ttype == \"webserver\" && deployment 2427 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2428 \"dev\" \t! has(label_name)" 2429 type: string 2430 serviceAccountSelector: 2431 description: ServiceAccountSelector is an optional field for an expression 2432 used to select a pod based on service accounts. 2433 type: string 2434 types: 2435 description: "Types indicates whether this policy applies to ingress, 2436 or to egress, or to both. When not explicitly specified (and so 2437 the value on creation is empty or nil), Calico defaults Types according 2438 to what Ingress and Egress rules are present in the policy. 
The 2439 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2440 (including the case where there are also no Ingress rules) \n 2441 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2442 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2443 both Ingress and Egress rules. \n When the policy is read back again, 2444 Types will always be one of these values, never empty or nil." 2445 items: 2446 description: PolicyType enumerates the possible values of the PolicySpec 2447 Types field. 2448 type: string 2449 type: array 2450 type: object 2451 type: object 2452 served: true 2453 storage: true 2454 status: 2455 acceptedNames: 2456 kind: "" 2457 plural: "" 2458 conditions: [] 2459 storedVersions: [] 2460 --- 2461 apiVersion: apiextensions.k8s.io/v1 2462 kind: CustomResourceDefinition 2463 metadata: 2464 name: globalnetworksets.crd.projectcalico.org 2465 spec: 2466 group: crd.projectcalico.org 2467 names: 2468 kind: GlobalNetworkSet 2469 listKind: GlobalNetworkSetList 2470 plural: globalnetworksets 2471 singular: globalnetworkset 2472 preserveUnknownFields: false 2473 scope: Cluster 2474 versions: 2475 - name: v1 2476 schema: 2477 openAPIV3Schema: 2478 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2479 that share labels to allow rules to refer to them via selectors. The labels 2480 of GlobalNetworkSet are not namespaced. 2481 properties: 2482 apiVersion: 2483 description: 'APIVersion defines the versioned schema of this representation 2484 of an object. Servers should convert recognized schemas to the latest 2485 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2486 type: string 2487 kind: 2488 description: 'Kind is a string value representing the REST resource this 2489 object represents. Servers may infer this from the endpoint the client 2490 submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2491 type: string 2492 metadata: 2493 type: object 2494 spec: 2495 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2496 resource. 2497 properties: 2498 nets: 2499 description: The list of IP networks that belong to this set. 2500 items: 2501 type: string 2502 type: array 2503 type: object 2504 type: object 2505 served: true 2506 storage: true 2507 status: 2508 acceptedNames: 2509 kind: "" 2510 plural: "" 2511 conditions: [] 2512 storedVersions: [] 2513 --- 2514 apiVersion: apiextensions.k8s.io/v1 2515 kind: CustomResourceDefinition 2516 metadata: 2517 name: hostendpoints.crd.projectcalico.org 2518 spec: 2519 group: crd.projectcalico.org 2520 names: 2521 kind: HostEndpoint 2522 listKind: HostEndpointList 2523 plural: hostendpoints 2524 singular: hostendpoint 2525 preserveUnknownFields: false 2526 scope: Cluster 2527 versions: 2528 - name: v1 2529 schema: 2530 openAPIV3Schema: 2531 properties: 2532 apiVersion: 2533 description: 'APIVersion defines the versioned schema of this representation 2534 of an object. Servers should convert recognized schemas to the latest 2535 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2536 type: string 2537 kind: 2538 description: 'Kind is a string value representing the REST resource this 2539 object represents. Servers may infer this from the endpoint the client 2540 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2541 type: string 2542 metadata: 2543 type: object 2544 spec: 2545 description: HostEndpointSpec contains the specification for a HostEndpoint 2546 resource. 
            properties:
              expectedIPs:
                description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. If \"InterfaceName\" is not present, Calico will look for an interface matching any of the IPs in the list and apply policy to that. Note: \tWhen using the selector match criteria in an ingress or egress security Policy \tor Profile, Calico converts the selector into a set of IP addresses. For host \tendpoints, the ExpectedIPs field is used for that purpose. (If only the interface \tname is specified, Calico does not learn the IPs of the interface for use in match \tcriteria.)"
                items:
                  type: string
                type: array
              interfaceName:
                description: "Either \"*\", or the name of a specific Linux interface to apply policy to; or empty. \"*\" indicates that this HostEndpoint governs all traffic to, from or through the default network namespace of the host named by the \"Node\" field; entering and leaving that namespace via any interface, including those from/to non-host-networked local workloads. \n If InterfaceName is not \"*\", this HostEndpoint only governs traffic that enters or leaves the host through the specific interface named by InterfaceName, or - when InterfaceName is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation for the latest position."
                type: string
              node:
                description: The node name identifying the Calico node instance.
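Two constraints in the HostEndpointSpec description above are worth checking before a HostEndpoint is applied: an empty `interfaceName` requires at least one `expectedIPs` entry, and selector-based rules that match a HostEndpoint resolve to its `expectedIPs` only, so an endpoint configured by interface name alone contributes no addresses to rules that select it. The following Python is an added example, not Calico's validator; label matching is simplified to one key/value comparison and the endpoints are constructed.

```python
"""HostEndpoint spec checks and selector-to-IP resolution.

Added example, not Calico's own code. It encodes two points from the
HostEndpointSpec description: an empty interfaceName needs at least one
expectedIP (and each ports entry needs name, port and protocol per the
schema), and a selector that matches a HostEndpoint resolves to that
endpoint's expectedIPs only. Label matching is simplified to a single
key == value comparison; the endpoints below are constructed.
"""
import ipaddress


def validate_host_endpoint(spec: dict) -> list:
    """Return problems found in a HostEndpoint spec (empty list when acceptable)."""
    problems = []
    iface = spec.get("interfaceName", "")
    ips = spec.get("expectedIPs") or []
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"expectedIPs entry {ip!r} is not an IP address")
    if iface == "" and not ips:
        problems.append("interfaceName is empty, so expectedIPs must list at least one IP")
    for i, port in enumerate(spec.get("ports") or []):
        missing = [k for k in ("name", "port", "protocol") if k not in port]
        if missing:
            problems.append(f"ports[{i}] is missing {', '.join(missing)}")
    return problems


def selector_ips(endpoints: list, key: str, value: str) -> set:
    """Resolve a label match over HostEndpoints to the IP set a rule would use.

    Calico converts a selector into a set of IPs; for host endpoints that set
    comes from expectedIPs, so an endpoint matched by label but configured
    with interfaceName only yields nothing here, and a rule such as
    source: {selector: "role == 'bastion'"} silently ignores its traffic.
    """
    ips = set()
    for ep in endpoints:
        if ep.get("metadata", {}).get("labels", {}).get(key) == value:
            ips.update(ep["spec"].get("expectedIPs") or [])
    return ips


# Constructed HostEndpoints (hypothetical names, nodes and addresses).
BASTION_WITH_IPS = {
    "metadata": {"name": "bastion-1-eth0", "labels": {"role": "bastion"}},
    "spec": {"node": "bastion-1", "interfaceName": "eth0",
             "expectedIPs": ["10.0.0.11", "fd00::11"],
             "ports": [{"name": "ssh", "port": 22, "protocol": "TCP"}]}}
BASTION_IFACE_ONLY = {
    "metadata": {"name": "bastion-2-eth0", "labels": {"role": "bastion"}},
    "spec": {"node": "bastion-2", "interfaceName": "eth0"}}
BROKEN = {
    "metadata": {"name": "bad", "labels": {}},
    "spec": {"node": "n1", "interfaceName": "",
             "ports": [{"name": "ssh", "port": 22}]}}
```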
                type: string
              ports:
                description: Ports contains the endpoint's named ports, which may be referenced in security policy rules.
                items:
                  properties:
                    name:
                      type: string
                    port:
                      type: integer
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                  required:
                  - name
                  - port
                  - protocol
                  type: object
                type: array
              profiles:
                description: A list of identifiers of security Profile objects that apply to this endpoint. Each profile is applied in the order that they appear in this list. Profile rules are applied after the selector-based security policy.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamblocks.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMBlock
    listKind: IPAMBlockList
    plural: ipamblocks
    singular: ipamblock
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMBlockSpec contains the specification for an IPAMBlock resource.
            properties:
              affinity:
                description: Affinity of the block, if this block has one. If set, it will be of the form "host:<hostname>". If not set, this block is not affine to a host.
                type: string
              allocations:
                description: Array of allocations in-use within this block. nil entries mean the allocation is free. For non-nil entries at index i, the index is the ordinal of the allocation within this block and the value is the index of the associated attributes in the Attributes array.
                items:
                  nullable: true
                  type: integer
                type: array
              attributes:
                description: Attributes is an array of arbitrary metadata associated with allocations in the block. To find attributes for a given allocation, use the value of the allocation's entry in the Allocations array as the index of the element in this array.
                items:
                  properties:
                    handle_id:
                      type: string
                    secondary:
                      additionalProperties:
                        type: string
                      type: object
                  type: object
                type: array
              cidr:
                description: The block's CIDR.
                type: string
              deleted:
                description: Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby deletion will not return a conflict error if the block has been updated. It should not be set manually.
                type: boolean
              sequenceNumber:
                default: 0
                description: We store a sequence number that is updated each time the block is written. Each allocation will also store the sequence number of the block at the time of its creation. When releasing an IP, passing the sequence number associated with the allocation allows us to protect against a race condition and ensure the IP hasn't been released and re-allocated since the release request.
                format: int64
                type: integer
              sequenceNumberForAllocation:
                additionalProperties:
                  format: int64
                  type: integer
                description: Map of allocated ordinal within the block to sequence number of the block at the time of allocation. Kubernetes does not allow numerical keys for maps, so the key is cast to a string.
                type: object
              strictAffinity:
                description: StrictAffinity on the IPAMBlock is deprecated and no longer used by the code. Use IPAMConfig StrictAffinity instead.
                type: boolean
              unallocated:
                description: Unallocated is an ordered list of allocations which are free in the block.
                items:
                  type: integer
                type: array
            required:
            - allocations
            - attributes
            - cidr
            - strictAffinity
            - unallocated
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamconfigs.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMConfig
    listKind: IPAMConfigList
    plural: ipamconfigs
    singular: ipamconfig
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMConfigSpec contains the specification for an IPAMConfig resource.
            properties:
              autoAllocateBlocks:
                type: boolean
              maxBlocksPerHost:
                description: MaxBlocksPerHost, if non-zero, is the max number of blocks that can be affine to each host.
                maximum: 2147483647
                minimum: 0
                type: integer
              strictAffinity:
                type: boolean
            required:
            - autoAllocateBlocks
            - strictAffinity
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ipamhandles.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPAMHandle
    listKind: IPAMHandleList
    plural: ipamhandles
    singular: ipamhandle
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPAMHandleSpec contains the specification for an IPAMHandle resource.
            properties:
              block:
                additionalProperties:
                  type: integer
                type: object
              deleted:
                type: boolean
              handleID:
                type: string
            required:
            - block
            - handleID
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPPool
    listKind: IPPoolList
    plural: ippools
    singular: ippool
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPPoolSpec contains the specification for an IPPool resource.
            properties:
              allowedUses:
                description: AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
                items:
                  type: string
                type: array
              blockSize:
                description: The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 122 for IPv6.
                type: integer
              cidr:
                description: The pool CIDR.
                type: string
              disableBGPExport:
                description: 'Disable exporting routes from this IP Pool''s CIDR over BGP. [Default: false]'
                type: boolean
              disabled:
                description: When disabled is true, Calico IPAM will not assign addresses from this pool.
                type: boolean
              ipip:
                description: 'Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.'
                properties:
                  enabled:
                    description: When enabled is true, ipip tunneling will be used to deliver packets to destinations within this pool.
                    type: boolean
                  mode:
                    description: The IPIP mode. This can be one of "always" or "cross-subnet". A mode of "always" will also use IPIP tunneling for routing to destination IP addresses within this pool. A mode of "cross-subnet" will only use IPIP tunneling when the destination node is on a different subnet to the originating node. The default value (if not specified) is "always".
                    type: string
                type: object
              ipipMode:
                description: Contains configuration for IPIP tunneling for this pool. If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling is disabled).
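The IPAMBlock fields above (`allocations`, `attributes`, `unallocated`, `sequenceNumber`, `sequenceNumberForAllocation`) together describe how Calico guards address release against a race, and the IPPool `blockSize` field describes how a pool is cut into such blocks. The following Python is an added model of those two descriptions, not Calico's IPAM implementation; the pool CIDRs, handle IDs and the deliberately tiny block are constructed for the demonstration.

```python
"""Calico-style IPAM: pool block-size defaults and release-race protection.

Added example, not Calico's own implementation. It models the descriptions
above: blockSize defaults to /26 (IPv4) or /122 (IPv6); a block keeps
allocations (ordinal -> attributes index or None), attributes, an ordered
free list and a sequence number bumped on every write; a release must
present the sequence number recorded at allocation, so a delayed release
cannot free an address that has since been handed to a new owner.
Pool CIDRs and handle IDs are constructed for illustration.
"""
import ipaddress
from typing import Optional


def default_block_size(cidr: str) -> int:
    return 26 if ipaddress.ip_network(cidr).version == 4 else 122


def pool_blocks(cidr: str, block_size: Optional[int] = None) -> list:
    """Split a pool CIDR into block CIDRs of the given (or default) size."""
    net = ipaddress.ip_network(cidr)
    size = default_block_size(cidr) if block_size is None else block_size
    if size < net.prefixlen:
        raise ValueError(f"blockSize /{size} is larger than the pool {cidr}")
    return [str(b) for b in net.subnets(new_prefix=size)]


class IPAMBlock:
    def __init__(self, cidr: str, affinity: Optional[str] = None):
        self.cidr = ipaddress.ip_network(cidr)
        self.affinity = affinity                    # e.g. "host:<hostname>"
        n = self.cidr.num_addresses
        self.allocations = [None] * n              # ordinal -> index into attributes
        self.attributes = []                       # [{"handle_id": ..., "secondary": {...}}]
        self.unallocated = list(range(n))          # ordered free list of ordinals
        self.sequence_number = 0
        self.sequence_number_for_allocation = {}   # str(ordinal) -> seq at allocation

    def _write(self):
        self.sequence_number += 1                  # every write bumps the block's seq

    def allocate(self, handle_id: str, secondary: Optional[dict] = None):
        """Take the first free ordinal; return (ip, ordinal, seq_at_allocation)."""
        if not self.unallocated:
            raise RuntimeError(f"block {self.cidr} is full")
        ordinal = self.unallocated.pop(0)
        self.attributes.append({"handle_id": handle_id, "secondary": secondary or {}})
        self.allocations[ordinal] = len(self.attributes) - 1
        self._write()
        self.sequence_number_for_allocation[str(ordinal)] = self.sequence_number
        return str(self.cidr[ordinal]), ordinal, self.sequence_number

    def release(self, ordinal: int, seq: int) -> bool:
        """Free an ordinal only if 'seq' is the sequence number of its current allocation."""
        if self.allocations[ordinal] is None:
            return False                           # already free
        if self.sequence_number_for_allocation.get(str(ordinal)) != seq:
            return False                           # stale: re-allocated since the caller looked
        self.allocations[ordinal] = None
        del self.sequence_number_for_allocation[str(ordinal)]
        self.unallocated.append(ordinal)
        self._write()
        return True

    def owner(self, ordinal: int) -> Optional[str]:
        idx = self.allocations[ordinal]
        return None if idx is None else self.attributes[idx]["handle_id"]


def stale_release_is_rejected() -> dict:
    """Race demo: pod-a's delayed release must not free the address now owned by pod-b."""
    block = IPAMBlock("10.244.0.0/30", affinity="host:node-1")  # tiny block keeps the demo short
    ip_a, ord_a, seq_a = block.allocate("pod-a")
    first_release = block.release(ord_a, seq_a)   # e.g. the controller's leak GC frees it
    for i in range(3):                            # other allocations drain the free list ...
        block.allocate(f"pod-x{i}")
    ip_b, ord_b, _ = block.allocate("pod-b")      # ... and the same ordinal is reused
    stale = block.release(ord_a, seq_a)           # pod-a's late release presents the old seq
    return {"first_release": first_release, "same_ordinal": ord_a == ord_b,
            "ip_a": ip_a, "ip_b": ip_b, "stale_rejected": not stale,
            "owner": block.owner(ord_b)}
```

Without the sequence-number check the final `release` would succeed and put pod-b's address back on the free list while pod-b is still using it; with it, the block returns `False` and the caller re-reads the block before retrying.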
                type: string
              nat-outgoing:
                description: 'Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.'
                type: boolean
              natOutgoing:
                description: When natOutgoing is true, packets sent from Calico networked containers in this pool to destinations outside of this pool will be masqueraded.
                type: boolean
              nodeSelector:
                description: Allows IPPool to allocate for a specific node by label selector.
                type: string
              vxlanMode:
                description: Contains configuration for VXLAN tunneling for this pool. If not specified, then this is defaulted to "Never" (i.e. VXLAN tunneling is disabled).
                type: string
            required:
            - cidr
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  name: ipreservations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: IPReservation
    listKind: IPReservationList
    plural: ipreservations
    singular: ipreservation
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IPReservationSpec contains the specification for an IPReservation resource.
            properties:
              reservedCIDRs:
                description: ReservedCIDRs is a list of CIDRs and/or IP addresses that Calico IPAM will exclude from new allocations.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: kubecontrollersconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: KubeControllersConfiguration
    listKind: KubeControllersConfigurationList
    plural: kubecontrollersconfigurations
    singular: kubecontrollersconfiguration
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: KubeControllersConfigurationSpec contains the values of the Kubernetes controllers configuration.
            properties:
              controllers:
                description: Controllers enables and configures individual Kubernetes controllers
                properties:
                  namespace:
                    description: Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  node:
                    description: Node enables and configures the node controller. Enabled by default, set to nil to disable.
                    properties:
                      hostEndpoint:
                        description: HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.
                        properties:
                          autoCreate:
                            description: 'AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]'
                            type: string
                        type: object
                      leakGracePeriod:
                        description: 'LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]'
                        type: string
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                        type: string
                      syncLabels:
                        description: 'SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]'
                        type: string
                    type: object
                  policy:
                    description: Policy enables and configures the policy controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  serviceAccount:
                    description: ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                  workloadEndpoint:
                    description: WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.
                    properties:
                      reconcilerPeriod:
                        description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                        type: string
                    type: object
                type: object
              debugProfilePort:
                description: DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.
                format: int32
                type: integer
              etcdV3CompactionPeriod:
                description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]'
                type: string
              healthChecks:
                description: 'HealthChecks enables or disables support for health checks [Default: Enabled]'
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]'
                type: string
              prometheusMetricsPort:
                description: 'PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]'
                type: integer
            required:
            - controllers
            type: object
          status:
            description: KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to be able to see the actual config that was applied, which can be modified by environment variables on the kube-controllers process.
            properties:
              environmentVars:
                additionalProperties:
                  type: string
                description: EnvironmentVars contains the environment variables on the kube-controllers that influenced the RunningConfig.
                type: object
              runningConfig:
                description: RunningConfig contains the effective config that is running in the kube-controllers pod, after merging the API resource with any environment variables.
                properties:
                  controllers:
                    description: Controllers enables and configures individual Kubernetes controllers
                    properties:
                      namespace:
                        description: Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                            type: string
                        type: object
                      node:
                        description: Node enables and configures the node controller. Enabled by default, set to nil to disable.
                        properties:
                          hostEndpoint:
                            description: HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.
                            properties:
                              autoCreate:
                                description: 'AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]'
                                type: string
                            type: object
                          leakGracePeriod:
                            description: 'LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]'
                            type: string
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                            type: string
                          syncLabels:
                            description: 'SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]'
                            type: string
                        type: object
                      policy:
                        description: Policy enables and configures the policy controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                            type: string
                        type: object
                      serviceAccount:
                        description: ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                            type: string
                        type: object
                      workloadEndpoint:
                        description: WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.
                        properties:
                          reconcilerPeriod:
                            description: 'ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]'
                            type: string
                        type: object
                    type: object
                  debugProfilePort:
                    description: DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.
                    format: int32
                    type: integer
                  etcdV3CompactionPeriod:
                    description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]'
                    type: string
                  healthChecks:
                    description: 'HealthChecks enables or disables support for health checks [Default: Enabled]'
                    type: string
                  logSeverityScreen:
                    description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]'
                    type: string
                  prometheusMetricsPort:
                    description: 'PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]'
                    type: integer
                required:
                - controllers
                type: object
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkPolicy
    listKind: NetworkPolicyList
    plural: networkpolicies
    singular: networkpolicy
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              egress:
                description: The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules."
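The Selector description above warns that `selector: "!has(my_label)"` and `notSelector: "has(my_label)"` are not equivalent: the first can only ever match Calico-controlled endpoints, the second also matches non-Calico sources, which is the difference between a rule that admits only unlabelled pods and one that also admits arbitrary external hosts. The Python below is an added model of that matching logic together with the `nets`/`notNets` and empty-`namespaceSelector` semantics from the same schema; it is not Calico's matcher, parses only a subset of selector syntax, does not model `global()`, and uses constructed endpoints and peers.

```python
"""Source/destination entity matching: selector negation vs notSelector.

Added example, not Calico's own matcher. It models the subtlety in the
Selector description: 'selector: "!has(my_label)"' matches only
Calico-controlled endpoints lacking the label, whereas
'notSelector: "has(my_label)"' matches everything except labelled Calico
endpoints, so non-Calico peers pass it. Only a subset of selector syntax is
parsed (all(), has(k), !<expr>, k == 'v', k != 'v'); global() namespace
selectors are not modelled. Endpoints and peers below are constructed.
"""
import ipaddress
import re

_CMP = re.compile(r"^([\w./-]+)\s*(==|!=)\s*'([^']*)'$")


def selector_matches(expr: str, labels: dict) -> bool:
    """Evaluate a (subset of a) Calico selector expression against a label map."""
    expr = expr.strip()
    if expr in ("", "all()"):
        return True
    if expr.startswith("!"):                       # expression-level negation
        return not selector_matches(expr[1:], labels)
    if expr.startswith("has(") and expr.endswith(")"):
        return expr[4:-1].strip() in labels
    m = _CMP.match(expr)
    if m:
        key, op, val = m.groups()
        equal = labels.get(key) == val
        return equal if op == "==" else not equal
    raise ValueError(f"unsupported selector: {expr!r}")


def _in_any(ip, cidrs) -> bool:
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def entity_matches(entity: dict, peer: dict, policy_namespace: str) -> bool:
    """Does an EntityRule (a rule's source or destination block) match 'peer'?

    'peer' is {"ip": str, "endpoint": dict | None}; a None endpoint means the
    traffic is not from/to a Calico-controlled endpoint (e.g. an external host).
    """
    ep = peer.get("endpoint")
    ip = ipaddress.ip_address(peer["ip"])

    if entity.get("nets") and not _in_any(ip, entity["nets"]):
        return False
    if entity.get("notNets") and _in_any(ip, entity["notNets"]):
        return False

    sel = entity.get("selector")
    if sel is not None:
        # A positive selector restricts the match to Calico endpoints: a
        # non-Calico peer never satisfies it, however the expression is negated.
        if ep is None or not selector_matches(sel, ep["labels"]):
            return False
        ns_sel = entity.get("namespaceSelector", "")
        if ns_sel == "":
            # NetworkPolicy: an empty NamespaceSelector limits the Selector to
            # workload endpoints in the policy's own namespace.
            if ep["namespace"] != policy_namespace:
                return False
        elif not selector_matches(ns_sel, ep["ns_labels"]):
            return False

    not_sel = entity.get("notSelector")
    if not_sel is not None:
        # NotSelector negates the whole match: it excludes matching Calico
        # endpoints but leaves non-Calico peers matched.
        if ep is not None and selector_matches(not_sel, ep["labels"]):
            return False
    return True


# Constructed peers (hypothetical addresses, namespaces and labels).
PROD_NS = {"env": "prod"}
FROM_LABELLED = {"ip": "10.244.1.5", "endpoint": {
    "namespace": "prod", "labels": {"my_label": "x", "app": "web"}, "ns_labels": PROD_NS}}
FROM_UNLABELLED = {"ip": "10.244.1.6", "endpoint": {
    "namespace": "prod", "labels": {"app": "batch"}, "ns_labels": PROD_NS}}
FROM_OUTSIDE = {"ip": "192.0.2.10", "endpoint": None}   # not Calico-controlled

RULE_SELECTOR_NEGATED = {"selector": "!has(my_label)"}
RULE_NOT_SELECTOR = {"notSelector": "has(my_label)"}


def compare_negations() -> dict:
    """Which peers each of the two 'negated' rules matches, for a policy in 'prod'."""
    peers = {"labelled": FROM_LABELLED, "unlabelled": FROM_UNLABELLED, "outside": FROM_OUTSIDE}
    return {
        "selector_negated": sorted(n for n, p in peers.items()
                                   if entity_matches(RULE_SELECTOR_NEGATED, p, "prod")),
        "notSelector": sorted(n for n, p in peers.items()
                              if entity_matches(RULE_NOT_SELECTOR, p, "prod")),
    }
```

`compare_negations()` shows the practical consequence: the `selector` form admits only the unlabelled pod, while the `notSelector` form admits the unlabelled pod and the external host. When the intent is "everything except labelled pods, but still only cluster workloads", the `selector` form is the one to use.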
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type.
                            For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              ingress:
                description: The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching.
                    \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field.
                            Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched.
                            When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports.
                            \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              order:
                description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied after those with lower order. If the order is omitted, it may be considered to be "infinite" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy "Name".
                type: number
              selector:
                description: "The selector is an expression used to pick pick out the endpoints that the policy should be applied to.
                  \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" \ -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
                type: string
              types:
                description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networksets.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkSet
    listKind: NetworkSetList
    plural: networksets
    singular: networkset
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: NetworkSetSpec contains the specification for a NetworkSet resource.
            properties:
              nets:
                description: The list of IP networks that belong to this set.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-cni-plugin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-cni-plugin
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-kube-controllers
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - watch
  - list
  - get
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - ipreservations
  verbs:
  - list
- apiGroups:
  - crd.projectcalico.org
  resources:
  - blockaffinities
  - ipamblocks
  - ipamhandles
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - watch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  verbs:
  - list
  - watch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - hostendpoints
  verbs:
  - get
  - list
  - create
  - update
  - delete
- apiGroups:
  - crd.projectcalico.org
  resources:
  - clusterinformations
  verbs:
  - get
  - list
  - create
  - update
  - watch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - kubecontrollersconfigurations
  verbs:
  - get
  - create
  - update
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-node
rules:
- apiGroups:
  - ""
  resourceNames:
  - calico-cni-plugin
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - namespaces
  verbs:
  - get
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  verbs:
  - watch
  - list
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - serviceaccounts
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - patch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - globalfelixconfigs
  - felixconfigurations
  - bgppeers
  - bgpfilters
  - globalbgpconfigs
  - bgpconfigurations
  - ippools
  - ipreservations
  - ipamblocks
  - globalnetworkpolicies
  - globalnetworksets
  - networkpolicies
  - networksets
  - clusterinformations
  - hostendpoints
  - blockaffinities
  - caliconodestatuses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  - felixconfigurations
  - clusterinformations
4373 verbs: 4374 - create 4375 - update 4376 - apiGroups: 4377 - crd.projectcalico.org 4378 resources: 4379 - caliconodestatuses 4380 verbs: 4381 - update 4382 - apiGroups: 4383 - "" 4384 resources: 4385 - nodes 4386 verbs: 4387 - get 4388 - list 4389 - watch 4390 - apiGroups: 4391 - crd.projectcalico.org 4392 resources: 4393 - bgpconfigurations 4394 - bgppeers 4395 verbs: 4396 - create 4397 - update 4398 --- 4399 apiVersion: rbac.authorization.k8s.io/v1 4400 kind: ClusterRoleBinding 4401 metadata: 4402 name: calico-cni-plugin 4403 roleRef: 4404 apiGroup: rbac.authorization.k8s.io 4405 kind: ClusterRole 4406 name: calico-cni-plugin 4407 subjects: 4408 - kind: ServiceAccount 4409 name: calico-cni-plugin 4410 namespace: kube-system 4411 --- 4412 apiVersion: rbac.authorization.k8s.io/v1 4413 kind: ClusterRoleBinding 4414 metadata: 4415 name: calico-kube-controllers 4416 roleRef: 4417 apiGroup: rbac.authorization.k8s.io 4418 kind: ClusterRole 4419 name: calico-kube-controllers 4420 subjects: 4421 - kind: ServiceAccount 4422 name: calico-kube-controllers 4423 namespace: kube-system 4424 --- 4425 apiVersion: rbac.authorization.k8s.io/v1 4426 kind: ClusterRoleBinding 4427 metadata: 4428 name: calico-node 4429 roleRef: 4430 apiGroup: rbac.authorization.k8s.io 4431 kind: ClusterRole 4432 name: calico-node 4433 subjects: 4434 - kind: ServiceAccount 4435 name: calico-node 4436 namespace: kube-system 4437 --- 4438 apiVersion: v1 4439 data: 4440 cni_network_config: |- 4441 { 4442 "name": "k8s-pod-network", 4443 "cniVersion": "0.3.1", 4444 "plugins": [ 4445 { 4446 "type": "calico", 4447 "log_level": "info", 4448 "log_file_path": "/var/log/calico/cni/cni.log", 4449 "datastore_type": "kubernetes", 4450 "nodename": "__KUBERNETES_NODE_NAME__", 4451 "mtu": 1500, 4452 "ipam": { 4453 "type": "host-local", 4454 "subnet": "usePodCidrIPv6" 4455 }, 4456 "policy": { 4457 "type": "k8s" 4458 }, 4459 "kubernetes": { 4460 "kubeconfig": "__KUBECONFIG_FILEPATH__" 4461 } 4462 }, 4463 { 4464 
"type": "portmap", 4465 "snat": true, 4466 "capabilities": {"portMappings": true} 4467 }, 4468 { 4469 "type": "bandwidth", 4470 "capabilities": {"bandwidth": true} 4471 } 4472 ] 4473 } 4474 typha_service_name: calico-typha 4475 veth_mtu: "1350" 4476 kind: ConfigMap 4477 metadata: 4478 name: calico-config 4479 namespace: kube-system 4480 --- 4481 apiVersion: v1 4482 kind: Service 4483 metadata: 4484 labels: 4485 k8s-app: calico-typha 4486 name: calico-typha 4487 namespace: kube-system 4488 spec: 4489 ports: 4490 - name: calico-typha 4491 port: 5473 4492 protocol: TCP 4493 targetPort: calico-typha 4494 selector: 4495 k8s-app: calico-typha 4496 --- 4497 apiVersion: apps/v1 4498 kind: Deployment 4499 metadata: 4500 labels: 4501 k8s-app: calico-kube-controllers 4502 name: calico-kube-controllers 4503 namespace: kube-system 4504 spec: 4505 replicas: 1 4506 selector: 4507 matchLabels: 4508 k8s-app: calico-kube-controllers 4509 strategy: 4510 type: Recreate 4511 template: 4512 metadata: 4513 labels: 4514 k8s-app: calico-kube-controllers 4515 name: calico-kube-controllers 4516 namespace: kube-system 4517 spec: 4518 containers: 4519 - env: 4520 - name: ENABLED_CONTROLLERS 4521 value: node 4522 - name: DATASTORE_TYPE 4523 value: kubernetes 4524 image: docker.io/calico/kube-controllers:v3.26.1 4525 imagePullPolicy: IfNotPresent 4526 livenessProbe: 4527 exec: 4528 command: 4529 - /usr/bin/check-status 4530 - -l 4531 failureThreshold: 6 4532 initialDelaySeconds: 10 4533 periodSeconds: 10 4534 timeoutSeconds: 10 4535 name: calico-kube-controllers 4536 readinessProbe: 4537 exec: 4538 command: 4539 - /usr/bin/check-status 4540 - -r 4541 periodSeconds: 10 4542 nodeSelector: 4543 kubernetes.io/os: linux 4544 priorityClassName: system-cluster-critical 4545 serviceAccountName: calico-kube-controllers 4546 tolerations: 4547 - key: CriticalAddonsOnly 4548 operator: Exists 4549 - effect: NoSchedule 4550 key: node-role.kubernetes.io/master 4551 - effect: NoSchedule 4552 key: 
node-role.kubernetes.io/control-plane 4553 --- 4554 apiVersion: apps/v1 4555 kind: Deployment 4556 metadata: 4557 labels: 4558 k8s-app: calico-typha 4559 name: calico-typha 4560 namespace: kube-system 4561 spec: 4562 replicas: 1 4563 revisionHistoryLimit: 2 4564 selector: 4565 matchLabels: 4566 k8s-app: calico-typha 4567 strategy: 4568 rollingUpdate: 4569 maxSurge: 100% 4570 maxUnavailable: 1 4571 type: RollingUpdate 4572 template: 4573 metadata: 4574 annotations: 4575 cluster-autoscaler.kubernetes.io/safe-to-evict: "true" 4576 labels: 4577 k8s-app: calico-typha 4578 spec: 4579 containers: 4580 - env: 4581 - name: TYPHA_LOGSEVERITYSCREEN 4582 value: info 4583 - name: TYPHA_LOGFILEPATH 4584 value: none 4585 - name: TYPHA_LOGSEVERITYSYS 4586 value: none 4587 - name: TYPHA_CONNECTIONREBALANCINGMODE 4588 value: kubernetes 4589 - name: TYPHA_DATASTORETYPE 4590 value: kubernetes 4591 - name: TYPHA_HEALTHENABLED 4592 value: "true" 4593 - name: TYPHA_SHUTDOWNTIMEOUTSECS 4594 value: "300" 4595 - name: USE_POD_CIDR 4596 value: "true" 4597 envFrom: 4598 - configMapRef: 4599 name: kubernetes-services-endpoint 4600 optional: true 4601 image: docker.io/calico/typha:v3.26.1 4602 imagePullPolicy: IfNotPresent 4603 livenessProbe: 4604 httpGet: 4605 host: localhost 4606 path: /liveness 4607 port: 9098 4608 initialDelaySeconds: 30 4609 periodSeconds: 30 4610 timeoutSeconds: 10 4611 name: calico-typha 4612 ports: 4613 - containerPort: 5473 4614 name: calico-typha 4615 protocol: TCP 4616 readinessProbe: 4617 httpGet: 4618 host: localhost 4619 path: /readiness 4620 port: 9098 4621 periodSeconds: 10 4622 timeoutSeconds: 10 4623 securityContext: 4624 allowPrivilegeEscalation: false 4625 runAsNonRoot: true 4626 hostNetwork: true 4627 nodeSelector: 4628 kubernetes.io/os: linux 4629 priorityClassName: system-cluster-critical 4630 securityContext: 4631 fsGroup: 65534 4632 serviceAccountName: calico-node 4633 terminationGracePeriodSeconds: 300 4634 tolerations: 4635 - key: CriticalAddonsOnly 
4636 operator: Exists 4637 --- 4638 apiVersion: policy/v1 4639 kind: PodDisruptionBudget 4640 metadata: 4641 labels: 4642 k8s-app: calico-kube-controllers 4643 name: calico-kube-controllers 4644 namespace: kube-system 4645 spec: 4646 maxUnavailable: 1 4647 selector: 4648 matchLabels: 4649 k8s-app: calico-kube-controllers 4650 --- 4651 apiVersion: policy/v1 4652 kind: PodDisruptionBudget 4653 metadata: 4654 labels: 4655 k8s-app: calico-typha 4656 name: calico-typha 4657 namespace: kube-system 4658 spec: 4659 maxUnavailable: 1 4660 selector: 4661 matchLabels: 4662 k8s-app: calico-typha 4663 --- 4664 apiVersion: apps/v1 4665 kind: DaemonSet 4666 metadata: 4667 labels: 4668 k8s-app: calico-node 4669 name: calico-node 4670 namespace: kube-system 4671 spec: 4672 selector: 4673 matchLabels: 4674 k8s-app: calico-node 4675 template: 4676 metadata: 4677 labels: 4678 k8s-app: calico-node 4679 spec: 4680 containers: 4681 - env: 4682 - name: CALICO_IPv6POOL_CIDR 4683 value: 2001:1234:5678:9a40::/58 4684 - name: IP6 4685 value: autodetect 4686 - name: FELIX_IPV6SUPPORT 4687 value: "true" 4688 - name: DATASTORE_TYPE 4689 value: kubernetes 4690 - name: USE_POD_CIDR 4691 value: "true" 4692 - name: FELIX_TYPHAK8SSERVICENAME 4693 valueFrom: 4694 configMapKeyRef: 4695 key: typha_service_name 4696 name: calico-config 4697 - name: WAIT_FOR_DATASTORE 4698 value: "true" 4699 - name: NODENAME 4700 valueFrom: 4701 fieldRef: 4702 fieldPath: spec.nodeName 4703 - name: CALICO_NETWORKING_BACKEND 4704 value: none 4705 - name: CLUSTER_TYPE 4706 value: k8s 4707 - name: CALICO_MANAGE_CNI 4708 value: "false" 4709 - name: CALICO_DISABLE_FILE_LOGGING 4710 value: "true" 4711 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 4712 value: ACCEPT 4713 - name: FELIX_HEALTHENABLED 4714 value: "true" 4715 envFrom: 4716 - configMapRef: 4717 name: kubernetes-services-endpoint 4718 optional: true 4719 image: docker.io/calico/node:v3.26.1 4720 imagePullPolicy: IfNotPresent 4721 lifecycle: 4722 preStop: 4723 exec: 4724 
command: 4725 - /bin/calico-node 4726 - -shutdown 4727 livenessProbe: 4728 exec: 4729 command: 4730 - /bin/calico-node 4731 - -felix-live 4732 failureThreshold: 6 4733 initialDelaySeconds: 10 4734 periodSeconds: 10 4735 timeoutSeconds: 10 4736 name: calico-node 4737 readinessProbe: 4738 exec: 4739 command: 4740 - /bin/calico-node 4741 - -felix-ready 4742 periodSeconds: 10 4743 timeoutSeconds: 10 4744 resources: 4745 requests: 4746 cpu: 250m 4747 securityContext: 4748 privileged: true 4749 volumeMounts: 4750 - mountPath: /host/etc/cni/net.d 4751 name: cni-net-dir 4752 readOnly: false 4753 - mountPath: /lib/modules 4754 name: lib-modules 4755 readOnly: true 4756 - mountPath: /run/xtables.lock 4757 name: xtables-lock 4758 readOnly: false 4759 - mountPath: /var/run/calico 4760 name: var-run-calico 4761 readOnly: false 4762 - mountPath: /var/lib/calico 4763 name: var-lib-calico 4764 readOnly: false 4765 - mountPath: /var/run/nodeagent 4766 name: policysync 4767 - mountPath: /sys/fs/bpf 4768 name: bpffs 4769 - mountPath: /var/log/calico/cni 4770 name: cni-log-dir 4771 readOnly: true 4772 hostNetwork: true 4773 initContainers: 4774 - command: 4775 - /opt/cni/bin/install 4776 env: 4777 - name: CNI_CONF_NAME 4778 value: 10-calico.conflist 4779 - name: CNI_NETWORK_CONFIG 4780 valueFrom: 4781 configMapKeyRef: 4782 key: cni_network_config 4783 name: calico-config 4784 - name: KUBERNETES_NODE_NAME 4785 valueFrom: 4786 fieldRef: 4787 fieldPath: spec.nodeName 4788 - name: SLEEP 4789 value: "false" 4790 envFrom: 4791 - configMapRef: 4792 name: kubernetes-services-endpoint 4793 optional: true 4794 image: docker.io/calico/cni:v3.26.1 4795 imagePullPolicy: IfNotPresent 4796 name: install-cni 4797 securityContext: 4798 privileged: true 4799 volumeMounts: 4800 - mountPath: /host/opt/cni/bin 4801 name: cni-bin-dir 4802 - mountPath: /host/etc/cni/net.d 4803 name: cni-net-dir 4804 - command: 4805 - calico-node 4806 - -init 4807 - -best-effort 4808 image: docker.io/calico/node:v3.26.1 4809 
imagePullPolicy: IfNotPresent 4810 name: mount-bpffs 4811 securityContext: 4812 privileged: true 4813 volumeMounts: 4814 - mountPath: /sys/fs 4815 mountPropagation: Bidirectional 4816 name: sys-fs 4817 - mountPath: /var/run/calico 4818 mountPropagation: Bidirectional 4819 name: var-run-calico 4820 - mountPath: /nodeproc 4821 name: nodeproc 4822 readOnly: true 4823 nodeSelector: 4824 kubernetes.io/os: linux 4825 priorityClassName: system-node-critical 4826 serviceAccountName: calico-node 4827 terminationGracePeriodSeconds: 0 4828 tolerations: 4829 - effect: NoSchedule 4830 operator: Exists 4831 - key: CriticalAddonsOnly 4832 operator: Exists 4833 - effect: NoExecute 4834 operator: Exists 4835 volumes: 4836 - hostPath: 4837 path: /lib/modules 4838 name: lib-modules 4839 - hostPath: 4840 path: /var/run/calico 4841 name: var-run-calico 4842 - hostPath: 4843 path: /var/lib/calico 4844 name: var-lib-calico 4845 - hostPath: 4846 path: /run/xtables.lock 4847 type: FileOrCreate 4848 name: xtables-lock 4849 - hostPath: 4850 path: /sys/fs/ 4851 type: DirectoryOrCreate 4852 name: sys-fs 4853 - hostPath: 4854 path: /sys/fs/bpf 4855 type: Directory 4856 name: bpffs 4857 - hostPath: 4858 path: /proc 4859 name: nodeproc 4860 - hostPath: 4861 path: /opt/cni/bin 4862 name: cni-bin-dir 4863 - hostPath: 4864 path: /etc/cni/net.d 4865 name: cni-net-dir 4866 - hostPath: 4867 path: /var/log/calico/cni 4868 name: cni-log-dir 4869 - hostPath: 4870 path: /var/run/nodeagent 4871 type: DirectoryOrCreate 4872 name: policysync 4873 updateStrategy: 4874 rollingUpdate: 4875 maxUnavailable: 1 4876 type: RollingUpdate