sigs.k8s.io/cluster-api-provider-azure@v1.14.3/templates/addons/calico-ipv6/calico-policy-only.yaml (about) 1 --- 2 # Source: calico/templates/calico-kube-controllers.yaml 3 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict 4 5 apiVersion: policy/v1 6 kind: PodDisruptionBudget 7 metadata: 8 name: calico-kube-controllers 9 namespace: kube-system 10 labels: 11 k8s-app: calico-kube-controllers 12 spec: 13 maxUnavailable: 1 14 selector: 15 matchLabels: 16 k8s-app: calico-kube-controllers 17 --- 18 # Source: calico/templates/calico-typha.yaml 19 # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict 20 21 apiVersion: policy/v1 22 kind: PodDisruptionBudget 23 metadata: 24 name: calico-typha 25 namespace: kube-system 26 labels: 27 k8s-app: calico-typha 28 spec: 29 maxUnavailable: 1 30 selector: 31 matchLabels: 32 k8s-app: calico-typha 33 --- 34 # Source: calico/templates/calico-kube-controllers.yaml 35 apiVersion: v1 36 kind: ServiceAccount 37 metadata: 38 name: calico-kube-controllers 39 namespace: kube-system 40 --- 41 # Source: calico/templates/calico-node.yaml 42 apiVersion: v1 43 kind: ServiceAccount 44 metadata: 45 name: calico-node 46 namespace: kube-system 47 --- 48 # Source: calico/templates/calico-node.yaml 49 apiVersion: v1 50 kind: ServiceAccount 51 metadata: 52 name: calico-cni-plugin 53 namespace: kube-system 54 --- 55 # Source: calico/templates/calico-config.yaml 56 # This ConfigMap is used to configure a self-hosted Calico installation. 57 kind: ConfigMap 58 apiVersion: v1 59 metadata: 60 name: calico-config 61 namespace: kube-system 62 data: 63 # You must set a non-zero value for Typha replicas below. 64 typha_service_name: "calico-typha" 65 66 # Configure the MTU to use for workload interfaces and tunnels. 67 # By default, MTU is auto-detected, and explicitly setting this field should not be required. 
68 # You can override auto-detection by providing a non-zero value. Note that the calico plugin entry in cni_network_config below hard-codes "mtu": 1500 (it is not one of the auto-populated placeholder values), so veth_mtu does not change the MTU the CNI plugin applies. 69 veth_mtu: "0" 70 71 # The CNI network configuration to install on each node. The special 72 # values in this config will be automatically populated. NOTE(review): __KUBECONFIG_FILEPATH__ names the kubeconfig the calico plugin uses to reach the API server; presumably it is written to the node (like the log file path below) with the calico-cni-plugin ServiceAccount's credentials, so host-level read access to that file is equivalent to holding that identity. 73 cni_network_config: |- 74 { 75 "name": "k8s-pod-network", 76 "cniVersion": "0.3.1", 77 "plugins": [ 78 { 79 "type": "calico", 80 "log_level": "info", 81 "log_file_path": "/var/log/calico/cni/cni.log", 82 "datastore_type": "kubernetes", 83 "nodename": "__KUBERNETES_NODE_NAME__", 84 "mtu": 1500, 85 "ipam": { 86 "type": "host-local", 87 "subnet": "usePodCidr" 88 }, 89 "policy": { 90 "type": "k8s" 91 }, 92 "kubernetes": { 93 "kubeconfig": "__KUBECONFIG_FILEPATH__" 94 } 95 }, 96 { 97 "type": "portmap", 98 "snat": true, 99 "capabilities": {"portMappings": true} 100 }, 101 { 102 "type": "bandwidth", 103 "capabilities": {"bandwidth": true} 104 } 105 ] 106 } 107 --- 108 # Source: calico/templates/kdd-crds.yaml 109 apiVersion: apiextensions.k8s.io/v1 110 kind: CustomResourceDefinition 111 metadata: 112 name: bgpconfigurations.crd.projectcalico.org 113 spec: 114 group: crd.projectcalico.org 115 names: 116 kind: BGPConfiguration 117 listKind: BGPConfigurationList 118 plural: bgpconfigurations 119 singular: bgpconfiguration 120 preserveUnknownFields: false 121 scope: Cluster 122 versions: 123 - name: v1 124 schema: 125 openAPIV3Schema: 126 description: BGPConfiguration contains the configuration for any BGP routing. 127 properties: 128 apiVersion: 129 description: 'APIVersion defines the versioned schema of this representation 130 of an object. Servers should convert recognized schemas to the latest 131 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 132 type: string 133 kind: 134 description: 'Kind is a string value representing the REST resource this 135 object represents. Servers may infer this from the endpoint the client 136 submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 137 type: string 138 metadata: 139 type: object 140 spec: 141 description: BGPConfigurationSpec contains the values of the BGP configuration. 142 properties: 143 asNumber: 144 description: 'ASNumber is the default AS number used by a node. [Default: 145 64512]' 146 format: int32 147 type: integer 148 bindMode: 149 description: BindMode indicates whether to listen for BGP connections 150 on all addresses (None) or only on the node's canonical IP address 151 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen 152 for BGP connections on all addresses, which exposes the BGP listener (see listenPort) on every address the node has; prefer NodeIP where possible and protect sessions with nodeMeshPassword or a BGPPeer password and ttlSecurity. 153 type: string 154 communities: 155 description: Communities is a list of BGP community values and their 156 arbitrary names for tagging routes. 157 items: 158 description: Community contains standard or large community value 159 and its name. 160 properties: 161 name: 162 description: Name given to community value. 163 type: string 164 value: 165 description: Value must be of format `aa:nn` or `aa:nn:mm`. 166 For standard community use `aa:nn` format, where `aa` and 167 `nn` are 16 bit number. For large community use `aa:nn:mm` 168 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 169 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. The schema pattern below only checks the `aa:nn` / `aa:nn:mm` shape and does not enforce the 16-bit or 32-bit ranges. 170 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 171 type: string 172 type: object 173 type: array 174 ignoredInterfaces: 175 description: IgnoredInterfaces indicates the network interfaces that 176 need to be excluded when reading device routes. 177 items: 178 type: string 179 type: array 180 listenPort: 181 description: ListenPort is the port where BGP protocol should listen. 182 Defaults to 179 183 maximum: 65535 184 minimum: 1 185 type: integer 186 logSeverityScreen: 187 description: 'LogSeverityScreen is the log severity above which logs 188 are sent to the stdout. 
[Default: INFO]' 189 type: string 190 nodeMeshMaxRestartTime: 191 description: Time to allow for software restart for node-to-mesh peerings. When 192 specified, this is configured as the graceful restart timeout. When 193 not specified, the BIRD default of 120s is used. This field can 194 only be set on the default BGPConfiguration instance and requires 195 that NodeMesh is enabled 196 type: string 197 nodeMeshPassword: 198 description: Optional BGP password for full node-to-mesh peerings. 199 This field can only be set on the default BGPConfiguration instance 200 and requires that NodeMesh is enabled 201 properties: 202 secretKeyRef: 203 description: Selects a key of a secret in the node pod's namespace. 204 properties: 205 key: 206 description: The key of the secret to select from. Must be 207 a valid secret key. 208 type: string 209 name: 210 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 211 TODO: Add other useful fields. apiVersion, kind, uid?' 212 type: string 213 optional: 214 description: Specify whether the Secret or its key must be 215 defined 216 type: boolean 217 required: 218 - key 219 type: object 220 type: object 221 nodeToNodeMeshEnabled: 222 description: 'NodeToNodeMeshEnabled sets whether full node to node 223 BGP mesh is enabled. [Default: true]' 224 type: boolean 225 prefixAdvertisements: 226 description: PrefixAdvertisements contains per-prefix advertisement 227 configuration. 228 items: 229 description: PrefixAdvertisement configures advertisement properties 230 for the specified CIDR. 231 properties: 232 cidr: 233 description: CIDR for which properties should be advertised. 234 type: string 235 communities: 236 description: Communities can be list of either community names 237 already defined in `Specs.Communities` or community value 238 of format `aa:nn` or `aa:nn:mm`. For standard community use 239 `aa:nn` format, where `aa` and `nn` are 16 bit number. 
For 240 large community use `aa:nn:mm` format, where `aa`, `nn` and 241 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 242 `mm` are per-AS identifier. 243 items: 244 type: string 245 type: array 246 type: object 247 type: array 248 serviceClusterIPs: 249 description: ServiceClusterIPs are the CIDR blocks from which service 250 cluster IPs are allocated. If specified, Calico will advertise these 251 blocks, as well as any cluster IPs within them. 252 items: 253 description: ServiceClusterIPBlock represents a single allowed ClusterIP 254 CIDR block. 255 properties: 256 cidr: 257 type: string 258 type: object 259 type: array 260 serviceExternalIPs: 261 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 262 Service External IPs. Kubernetes Service ExternalIPs will only be 263 advertised if they are within one of these blocks. 264 items: 265 description: ServiceExternalIPBlock represents a single allowed 266 External IP CIDR block. 267 properties: 268 cidr: 269 type: string 270 type: object 271 type: array 272 serviceLoadBalancerIPs: 273 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 274 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 275 IPs will only be advertised if they are within one of these blocks. 276 items: 277 description: ServiceLoadBalancerIPBlock represents a single allowed 278 LoadBalancer IP CIDR block. 
279 properties: 280 cidr: 281 type: string 282 type: object 283 type: array 284 type: object 285 type: object 286 served: true 287 storage: true 288 status: 289 acceptedNames: 290 kind: "" 291 plural: "" 292 conditions: [] 293 storedVersions: [] 294 --- 295 # Source: calico/templates/kdd-crds.yaml 296 apiVersion: apiextensions.k8s.io/v1 297 kind: CustomResourceDefinition 298 metadata: 299 annotations: 300 controller-gen.kubebuilder.io/version: (devel) 301 creationTimestamp: null 302 name: bgpfilters.crd.projectcalico.org 303 spec: 304 group: crd.projectcalico.org 305 names: 306 kind: BGPFilter 307 listKind: BGPFilterList 308 plural: bgpfilters 309 singular: bgpfilter 310 scope: Cluster 311 versions: 312 - name: v1 313 schema: 314 openAPIV3Schema: 315 properties: 316 apiVersion: 317 description: 'APIVersion defines the versioned schema of this representation 318 of an object. Servers should convert recognized schemas to the latest 319 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 320 type: string 321 kind: 322 description: 'Kind is a string value representing the REST resource this 323 object represents. Servers may infer this from the endpoint the client 324 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 325 type: string 326 metadata: 327 type: object 328 spec: 329 description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of 330 the BGP Filter. 331 properties: 332 exportV4: 333 description: The ordered set of IPv4 BGPFilter rules acting on exporting 334 routes to a peer. 335 items: 336 description: BGPFilterRuleV4 defines a BGP filter rule consisting 337 a single IPv4 CIDR block and a filter action for this CIDR. 
338 properties: 339 action: 340 type: string 341 cidr: 342 type: string 343 matchOperator: 344 type: string 345 required: 346 - action 347 - cidr 348 - matchOperator 349 type: object 350 type: array 351 exportV6: 352 description: The ordered set of IPv6 BGPFilter rules acting on exporting 353 routes to a peer. 354 items: 355 description: BGPFilterRuleV6 defines a BGP filter rule consisting 356 a single IPv6 CIDR block and a filter action for this CIDR. 357 properties: 358 action: 359 type: string 360 cidr: 361 type: string 362 matchOperator: 363 type: string 364 required: 365 - action 366 - cidr 367 - matchOperator 368 type: object 369 type: array 370 importV4: 371 description: The ordered set of IPv4 BGPFilter rules acting on importing 372 routes from a peer. 373 items: 374 description: BGPFilterRuleV4 defines a BGP filter rule consisting 375 a single IPv4 CIDR block and a filter action for this CIDR. 376 properties: 377 action: 378 type: string 379 cidr: 380 type: string 381 matchOperator: 382 type: string 383 required: 384 - action 385 - cidr 386 - matchOperator 387 type: object 388 type: array 389 importV6: 390 description: The ordered set of IPv6 BGPFilter rules acting on importing 391 routes from a peer. 392 items: 393 description: BGPFilterRuleV6 defines a BGP filter rule consisting 394 a single IPv6 CIDR block and a filter action for this CIDR. 
395 properties: 396 action: 397 type: string 398 cidr: 399 type: string 400 matchOperator: 401 type: string 402 required: 403 - action 404 - cidr 405 - matchOperator 406 type: object 407 type: array 408 type: object 409 type: object 410 served: true 411 storage: true 412 status: 413 acceptedNames: 414 kind: "" 415 plural: "" 416 conditions: [] 417 storedVersions: [] 418 --- 419 # Source: calico/templates/kdd-crds.yaml 420 apiVersion: apiextensions.k8s.io/v1 421 kind: CustomResourceDefinition 422 metadata: 423 name: bgppeers.crd.projectcalico.org 424 spec: 425 group: crd.projectcalico.org 426 names: 427 kind: BGPPeer 428 listKind: BGPPeerList 429 plural: bgppeers 430 singular: bgppeer 431 preserveUnknownFields: false 432 scope: Cluster 433 versions: 434 - name: v1 435 schema: 436 openAPIV3Schema: 437 properties: 438 apiVersion: 439 description: 'APIVersion defines the versioned schema of this representation 440 of an object. Servers should convert recognized schemas to the latest 441 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 442 type: string 443 kind: 444 description: 'Kind is a string value representing the REST resource this 445 object represents. Servers may infer this from the endpoint the client 446 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 447 type: string 448 metadata: 449 type: object 450 spec: 451 description: BGPPeerSpec contains the specification for a BGPPeer resource. 452 properties: 453 asNumber: 454 description: The AS Number of the peer. 455 format: int32 456 type: integer 457 filters: 458 description: The ordered set of BGPFilters applied on this BGP peer. 
459 items: 460 type: string 461 type: array 462 keepOriginalNextHop: 463 description: Option to keep the original nexthop field when routes 464 are sent to a BGP Peer. Setting "true" configures the selected BGP 465 Peer's node to use the "next hop keep;" instead of "next hop self;" (default) 466 in the specific branch of the Node on "bird.cfg". 467 type: boolean 468 maxRestartTime: 469 description: Time to allow for software restart. When specified, 470 this is configured as the graceful restart timeout. When not specified, 471 the BIRD default of 120s is used. 472 type: string 473 node: 474 description: The node name identifying the Calico node instance that 475 is targeted by this peer. If this is not set, and no nodeSelector 476 is specified, then this BGP peer selects all nodes in the cluster. 477 type: string 478 nodeSelector: 479 description: Selector for the nodes that should have this peering. When 480 this is set, the Node field must be empty. 481 type: string 482 numAllowedLocalASNumbers: 483 description: Maximum number of local AS numbers that are allowed in 484 the AS path for received routes. This disables BGP loop prevention (received routes whose AS path already contains the local AS are normally rejected) 485 and should only be used if absolutely necessary. 486 format: int32 487 type: integer 488 password: 489 description: Optional BGP password for the peerings generated by this 490 BGPPeer resource. The value is read from a Secret in the node pod's namespace via secretKeyRef, so restrict write access to that Secret as you would to the peering itself. 491 properties: 492 secretKeyRef: 493 description: Selects a key of a secret in the node pod's namespace. 494 properties: 495 key: 496 description: The key of the secret to select from. Must be 497 a valid secret key. 498 type: string 499 name: 500 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 501 TODO: Add other useful fields. apiVersion, kind, uid?' 
502 type: string 503 optional: 504 description: Specify whether the Secret or its key must be 505 defined 506 type: boolean 507 required: 508 - key 509 type: object 510 type: object 511 peerIP: 512 description: The IP address of the peer followed by an optional port 513 number to peer with. If port number is given, format should be `[<IPv6>]:port` 514 or `<IPv4>:<port>` for IPv4. If optional port number is not set, 515 and this peer IP and ASNumber belongs to a calico/node with ListenPort 516 set in BGPConfiguration, then we use that port to peer. 517 type: string 518 peerSelector: 519 description: Selector for the remote nodes to peer with. When this 520 is set, the PeerIP and ASNumber fields must be empty. For each 521 peering between the local node and selected remote nodes, we configure 522 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, 523 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The 524 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, 525 or the global default if that is not set. 526 type: string 527 reachableBy: 528 description: Add an exact, i.e. /32, static route toward peer IP in 529 order to prevent route flapping. ReachableBy contains the address 530 of the gateway which peer can be reached by. 531 type: string 532 sourceAddress: 533 description: Specifies whether and how to configure a source address 534 for the peerings generated by this BGPPeer resource. Default value 535 "UseNodeIP" means to configure the node IP as the source address. "None" 536 means not to configure a source address. 537 type: string 538 ttlSecurity: 539 description: TTLSecurity enables the generalized TTL security mechanism 540 (GTSM) which protects against spoofed packets by ignoring received 541 packets with a smaller than expected TTL value. The provided value 542 is the number of hops (edges) between the peers. 
543 type: integer 544 type: object 545 type: object 546 served: true 547 storage: true 548 status: 549 acceptedNames: 550 kind: "" 551 plural: "" 552 conditions: [] 553 storedVersions: [] 554 --- 555 # Source: calico/templates/kdd-crds.yaml 556 apiVersion: apiextensions.k8s.io/v1 557 kind: CustomResourceDefinition 558 metadata: 559 name: blockaffinities.crd.projectcalico.org 560 spec: 561 group: crd.projectcalico.org 562 names: 563 kind: BlockAffinity 564 listKind: BlockAffinityList 565 plural: blockaffinities 566 singular: blockaffinity 567 preserveUnknownFields: false 568 scope: Cluster 569 versions: 570 - name: v1 571 schema: 572 openAPIV3Schema: 573 properties: 574 apiVersion: 575 description: 'APIVersion defines the versioned schema of this representation 576 of an object. Servers should convert recognized schemas to the latest 577 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 578 type: string 579 kind: 580 description: 'Kind is a string value representing the REST resource this 581 object represents. Servers may infer this from the endpoint the client 582 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 583 type: string 584 metadata: 585 type: object 586 spec: 587 description: BlockAffinitySpec contains the specification for a BlockAffinity 588 resource. 589 properties: 590 cidr: 591 type: string 592 deleted: 593 description: Deleted indicates that this block affinity is being deleted. 594 This field is a string for compatibility with older releases that 595 mistakenly treat this field as a string. 
596 type: string 597 node: 598 type: string 599 state: 600 type: string 601 required: 602 - cidr 603 - deleted 604 - node 605 - state 606 type: object 607 type: object 608 served: true 609 storage: true 610 status: 611 acceptedNames: 612 kind: "" 613 plural: "" 614 conditions: [] 615 storedVersions: [] 616 --- 617 # Source: calico/templates/kdd-crds.yaml 618 apiVersion: apiextensions.k8s.io/v1 619 kind: CustomResourceDefinition 620 metadata: 621 annotations: 622 controller-gen.kubebuilder.io/version: (devel) 623 creationTimestamp: null 624 name: caliconodestatuses.crd.projectcalico.org 625 spec: 626 group: crd.projectcalico.org 627 names: 628 kind: CalicoNodeStatus 629 listKind: CalicoNodeStatusList 630 plural: caliconodestatuses 631 singular: caliconodestatus 632 preserveUnknownFields: false 633 scope: Cluster 634 versions: 635 - name: v1 636 schema: 637 openAPIV3Schema: 638 properties: 639 apiVersion: 640 description: 'APIVersion defines the versioned schema of this representation 641 of an object. Servers should convert recognized schemas to the latest 642 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 643 type: string 644 kind: 645 description: 'Kind is a string value representing the REST resource this 646 object represents. Servers may infer this from the endpoint the client 647 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 648 type: string 649 metadata: 650 type: object 651 spec: 652 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 653 resource. 654 properties: 655 classes: 656 description: Classes declares the types of information to monitor 657 for this calico/node, and allows for selective status reporting 658 about certain subsets of information. 
659 items: 660 type: string 661 type: array 662 node: 663 description: The node name identifies the Calico node instance for 664 node status. 665 type: string 666 updatePeriodSeconds: 667 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 668 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 669 Maximum update period is one day. 670 format: int32 671 type: integer 672 type: object 673 status: 674 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 675 No validation needed for status since it is updated by Calico. 676 properties: 677 agent: 678 description: Agent holds agent status on the node. 679 properties: 680 birdV4: 681 description: BIRDV4 represents the latest observed status of bird4. 682 properties: 683 lastBootTime: 684 description: LastBootTime holds the value of lastBootTime 685 from bird.ctl output. 686 type: string 687 lastReconfigurationTime: 688 description: LastReconfigurationTime holds the value of lastReconfigTime 689 from bird.ctl output. 690 type: string 691 routerID: 692 description: Router ID used by bird. 693 type: string 694 state: 695 description: The state of the BGP Daemon. 696 type: string 697 version: 698 description: Version of the BGP daemon 699 type: string 700 type: object 701 birdV6: 702 description: BIRDV6 represents the latest observed status of bird6. 703 properties: 704 lastBootTime: 705 description: LastBootTime holds the value of lastBootTime 706 from bird.ctl output. 707 type: string 708 lastReconfigurationTime: 709 description: LastReconfigurationTime holds the value of lastReconfigTime 710 from bird.ctl output. 711 type: string 712 routerID: 713 description: Router ID used by bird. 714 type: string 715 state: 716 description: The state of the BGP Daemon. 717 type: string 718 version: 719 description: Version of the BGP daemon 720 type: string 721 type: object 722 type: object 723 bgp: 724 description: BGP holds node BGP status. 
725 properties: 726 numberEstablishedV4: 727 description: The total number of IPv4 established bgp sessions. 728 type: integer 729 numberEstablishedV6: 730 description: The total number of IPv6 established bgp sessions. 731 type: integer 732 numberNotEstablishedV4: 733 description: The total number of IPv4 non-established bgp sessions. 734 type: integer 735 numberNotEstablishedV6: 736 description: The total number of IPv6 non-established bgp sessions. 737 type: integer 738 peersV4: 739 description: PeersV4 represents IPv4 BGP peers status on the node. 740 items: 741 description: CalicoNodePeer contains the status of BGP peers 742 on the node. 743 properties: 744 peerIP: 745 description: IP address of the peer whose condition we are 746 reporting. 747 type: string 748 since: 749 description: Since the state or reason last changed. 750 type: string 751 state: 752 description: State is the BGP session state. 753 type: string 754 type: 755 description: Type indicates whether this peer is configured 756 via the node-to-node mesh, or via en explicit global or 757 per-node BGPPeer object. 758 type: string 759 type: object 760 type: array 761 peersV6: 762 description: PeersV6 represents IPv6 BGP peers status on the node. 763 items: 764 description: CalicoNodePeer contains the status of BGP peers 765 on the node. 766 properties: 767 peerIP: 768 description: IP address of the peer whose condition we are 769 reporting. 770 type: string 771 since: 772 description: Since the state or reason last changed. 773 type: string 774 state: 775 description: State is the BGP session state. 776 type: string 777 type: 778 description: Type indicates whether this peer is configured 779 via the node-to-node mesh, or via en explicit global or 780 per-node BGPPeer object. 
781 type: string 782 type: object 783 type: array 784 required: 785 - numberEstablishedV4 786 - numberEstablishedV6 787 - numberNotEstablishedV4 788 - numberNotEstablishedV6 789 type: object 790 lastUpdated: 791 description: LastUpdated is a timestamp representing the server time 792 when CalicoNodeStatus object last updated. It is represented in 793 RFC3339 form and is in UTC. 794 format: date-time 795 nullable: true 796 type: string 797 routes: 798 description: Routes reports routes known to the Calico BGP daemon 799 on the node. 800 properties: 801 routesV4: 802 description: RoutesV4 represents IPv4 routes on the node. 803 items: 804 description: CalicoNodeRoute contains the status of BGP routes 805 on the node. 806 properties: 807 destination: 808 description: Destination of the route. 809 type: string 810 gateway: 811 description: Gateway for the destination. 812 type: string 813 interface: 814 description: Interface for the destination 815 type: string 816 learnedFrom: 817 description: LearnedFrom contains information regarding 818 where this route originated. 819 properties: 820 peerIP: 821 description: If sourceType is NodeMesh or BGPPeer, IP 822 address of the router that sent us this route. 823 type: string 824 sourceType: 825 description: Type of the source where a route is learned 826 from. 827 type: string 828 type: object 829 type: 830 description: Type indicates if the route is being used for 831 forwarding or not. 832 type: string 833 type: object 834 type: array 835 routesV6: 836 description: RoutesV6 represents IPv6 routes on the node. 837 items: 838 description: CalicoNodeRoute contains the status of BGP routes 839 on the node. 840 properties: 841 destination: 842 description: Destination of the route. 843 type: string 844 gateway: 845 description: Gateway for the destination. 
846 type: string 847 interface: 848 description: Interface for the destination 849 type: string 850 learnedFrom: 851 description: LearnedFrom contains information regarding 852 where this route originated. 853 properties: 854 peerIP: 855 description: If sourceType is NodeMesh or BGPPeer, IP 856 address of the router that sent us this route. 857 type: string 858 sourceType: 859 description: Type of the source where a route is learned 860 from. 861 type: string 862 type: object 863 type: 864 description: Type indicates if the route is being used for 865 forwarding or not. 866 type: string 867 type: object 868 type: array 869 type: object 870 type: object 871 type: object 872 served: true 873 storage: true 874 status: 875 acceptedNames: 876 kind: "" 877 plural: "" 878 conditions: [] 879 storedVersions: [] 880 --- 881 # Source: calico/templates/kdd-crds.yaml 882 apiVersion: apiextensions.k8s.io/v1 883 kind: CustomResourceDefinition 884 metadata: 885 name: clusterinformations.crd.projectcalico.org 886 spec: 887 group: crd.projectcalico.org 888 names: 889 kind: ClusterInformation 890 listKind: ClusterInformationList 891 plural: clusterinformations 892 singular: clusterinformation 893 preserveUnknownFields: false 894 scope: Cluster 895 versions: 896 - name: v1 897 schema: 898 openAPIV3Schema: 899 description: ClusterInformation contains the cluster specific information. 900 properties: 901 apiVersion: 902 description: 'APIVersion defines the versioned schema of this representation 903 of an object. Servers should convert recognized schemas to the latest 904 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 905 type: string 906 kind: 907 description: 'Kind is a string value representing the REST resource this 908 object represents. Servers may infer this from the endpoint the client 909 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 910 type: string 911 metadata: 912 type: object 913 spec: 914 description: ClusterInformationSpec contains the values of describing 915 the cluster. 916 properties: 917 calicoVersion: 918 description: CalicoVersion is the version of Calico that the cluster 919 is running 920 type: string 921 clusterGUID: 922 description: ClusterGUID is the GUID of the cluster 923 type: string 924 clusterType: 925 description: ClusterType describes the type of the cluster 926 type: string 927 datastoreReady: 928 description: DatastoreReady is used during significant datastore migrations 929 to signal to components such as Felix that it should wait before 930 accessing the datastore. 931 type: boolean 932 variant: 933 description: Variant declares which variant of Calico should be active. 934 type: string 935 type: object 936 type: object 937 served: true 938 storage: true 939 status: 940 acceptedNames: 941 kind: "" 942 plural: "" 943 conditions: [] 944 storedVersions: [] 945 --- 946 # Source: calico/templates/kdd-crds.yaml 947 apiVersion: apiextensions.k8s.io/v1 948 kind: CustomResourceDefinition 949 metadata: 950 name: felixconfigurations.crd.projectcalico.org 951 spec: 952 group: crd.projectcalico.org 953 names: 954 kind: FelixConfiguration 955 listKind: FelixConfigurationList 956 plural: felixconfigurations 957 singular: felixconfiguration 958 preserveUnknownFields: false 959 scope: Cluster 960 versions: 961 - name: v1 962 schema: 963 openAPIV3Schema: 964 description: Felix Configuration contains the configuration for Felix. 965 properties: 966 apiVersion: 967 description: 'APIVersion defines the versioned schema of this representation 968 of an object. Servers should convert recognized schemas to the latest 969 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 970 type: string 971 kind: 972 description: 'Kind is a string value representing the REST resource this 973 object represents. Servers may infer this from the endpoint the client 974 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 975 type: string 976 metadata: 977 type: object 978 spec: 979 description: FelixConfigurationSpec contains the values of the Felix configuration. 980 properties: 981 allowIPIPPacketsFromWorkloads: 982 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix 983 will add a rule to drop IPIP encapsulated traffic from workloads. When false (the default) the drop rule is installed, so workloads cannot inject IPIP-encapsulated packets into the node; set it to true only if workloads legitimately need to send IPIP. 984 [Default: false]' 985 type: boolean 986 allowVXLANPacketsFromWorkloads: 987 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix 988 will add a rule to drop VXLAN encapsulated traffic from workloads. When false (the default) the drop rule is installed, so workloads cannot inject VXLAN-encapsulated packets into the node; set it to true only if workloads legitimately need to send VXLAN. 989 [Default: false]' 990 type: boolean 991 awsSrcDstCheck: 992 description: 'Set source-destination-check on AWS EC2 instances. Accepted 993 value must be one of "DoNothing", "Enable" or "Disable". [Default: 994 DoNothing]' 995 enum: 996 - DoNothing 997 - Enable 998 - Disable 999 type: string 1000 bpfConnectTimeLoadBalancingEnabled: 1001 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, 1002 controls whether Felix installs the connection-time load balancer. The 1003 connect-time load balancer is required for the host to be able to 1004 reach Kubernetes services and it improves the performance of pod-to-service 1005 connections. The only reason to disable it is for debugging purposes. [Default: 1006 true]' 1007 type: boolean 1008 bpfDSROptoutCIDRs: 1009 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded 1010 from DSR. That is, clients in those CIDRs will access nodeports 1011 as if BPFExternalServiceMode was set to Tunnel. 
1012 items: 1013 type: string 1014 type: array 1015 bpfDataIfacePattern: 1016 description: BPFDataIfacePattern is a regular expression that controls 1017 which interfaces Felix should attach BPF programs to in order to 1018 catch traffic to/from the network. This needs to match the interfaces 1019 that Calico workload traffic flows over as well as any interfaces 1020 that handle incoming traffic to nodeports and services from outside 1021 the cluster. It should not match the workload interfaces (usually 1022 named cali...). 1023 type: string 1024 bpfDisableUnprivileged: 1025 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 1026 sysctl to disable unprivileged use of BPF. This ensures that unprivileged 1027 users cannot access Calico''s BPF maps and cannot insert their own 1028 BPF programs to interfere with Calico''s. [Default: true]' 1029 type: boolean 1030 bpfEnabled: 1031 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. 1032 [Default: false]' 1033 type: boolean 1034 bpfEnforceRPF: 1035 description: 'BPFEnforceRPF enforce strict RPF on all host interfaces 1036 with BPF programs regardless of what is the per-interfaces or global 1037 setting. Possible values are Disabled, Strict or Loose. [Default: 1038 Loose]' 1039 type: string 1040 bpfExtToServiceConnmark: 1041 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 1042 mark that is set on connections from an external client to a local 1043 service. This mark allows us to control how packets of that connection 1044 are routed within the host and how is routing interpreted by RPF 1045 check. [Default: 0]' 1046 type: integer 1047 bpfExternalServiceMode: 1048 description: 'BPFExternalServiceMode in BPF mode, controls how connections 1049 from outside the cluster to services (node ports and cluster IPs) 1050 are forwarded to remote workloads. If set to "Tunnel" then both 1051 request and response traffic is tunneled to the remote node. 
If 1052 set to "DSR", the request traffic is tunneled but the response traffic 1053 is sent directly from the remote node. In "DSR" mode, the remote 1054 node appears to use the IP of the ingress node; this requires a 1055 permissive L2 network. [Default: Tunnel]' 1056 type: string 1057 bpfHostConntrackBypass: 1058 description: 'BPFHostConntrackBypass Controls whether to bypass Linux 1059 conntrack in BPF mode for workloads and services. [Default: true 1060 - bypass Linux conntrack]' 1061 type: boolean 1062 bpfKubeProxyEndpointSlicesEnabled: 1063 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls 1064 whether Felix's embedded kube-proxy accepts EndpointSlices or not. 1065 type: boolean 1066 bpfKubeProxyIptablesCleanupEnabled: 1067 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 1068 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s 1069 iptables chains. Should only be enabled if kube-proxy is not running. [Default: 1070 true]' 1071 type: boolean 1072 bpfKubeProxyMinSyncPeriod: 1073 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the 1074 minimum time between updates to the dataplane for Felix''s embedded 1075 kube-proxy. Lower values give reduced set-up latency. Higher values 1076 reduce Felix CPU usage by batching up more work. [Default: 1s]' 1077 type: string 1078 bpfL3IfacePattern: 1079 description: BPFL3IfacePattern is a regular expression that allows 1080 to list tunnel devices like wireguard or vxlan (i.e., L3 devices) 1081 in addition to BPFDataIfacePattern. That is, tunnel interfaces not 1082 created by Calico, that Calico workload traffic flows over as well 1083 as any interfaces that handle incoming traffic to nodeports and 1084 services from outside the cluster. 1085 type: string 1086 bpfLogLevel: 1087 description: 'BPFLogLevel controls the log level of the BPF programs 1088 when in BPF dataplane mode. One of "Off", "Info", or "Debug". 
The 1089 logs are emitted to the BPF trace pipe, accessible with the command 1090 `tc exec bpf debug`. [Default: Off].' 1091 type: string 1092 bpfMapSizeConntrack: 1093 description: 'BPFMapSizeConntrack sets the size for the conntrack 1094 map. This map must be large enough to hold an entry for each active 1095 connection. Warning: changing the size of the conntrack map can 1096 cause disruption.' 1097 type: integer 1098 bpfMapSizeIPSets: 1099 description: BPFMapSizeIPSets sets the size for ipsets map. The IP 1100 sets map must be large enough to hold an entry for each endpoint 1101 matched by every selector in the source/destination matches in network 1102 policy. Selectors such as "all()" can result in large numbers of 1103 entries (one entry per endpoint in that case). 1104 type: integer 1105 bpfMapSizeIfState: 1106 description: BPFMapSizeIfState sets the size for ifstate map. The 1107 ifstate map must be large enough to hold an entry for each device 1108 (host + workloads) on a host. 1109 type: integer 1110 bpfMapSizeNATAffinity: 1111 type: integer 1112 bpfMapSizeNATBackend: 1113 description: BPFMapSizeNATBackend sets the size for nat back end map. 1114 This is the total number of endpoints. This is mostly more than 1115 the size of the number of services. 1116 type: integer 1117 bpfMapSizeNATFrontend: 1118 description: BPFMapSizeNATFrontend sets the size for nat front end 1119 map. FrontendMap should be large enough to hold an entry for each 1120 nodeport, external IP and each port in each service. 1121 type: integer 1122 bpfMapSizeRoute: 1123 description: BPFMapSizeRoute sets the size for the routes map. The 1124 routes map should be large enough to hold one entry per workload 1125 and a handful of entries per host (enough to cover its own IPs and 1126 tunnel IPs). 
1127 type: integer 1128 bpfPSNATPorts: 1129 anyOf: 1130 - type: integer 1131 - type: string 1132 description: 'BPFPSNATPorts sets the range from which we randomly 1133 pick a port if there is a source port collision. This should be 1134 within the ephemeral range as defined by RFC 6056 (1024–65535) and 1135 preferably outside the ephemeral ranges used by common operating 1136 systems. Linux uses 32768–60999, while others mostly use the IANA 1137 defined range 49152–65535. It is not necessarily a problem if this 1138 range overlaps with the operating systems. Both ends of the range 1139 are inclusive. [Default: 20000:29999]' 1140 pattern: ^.* 1141 x-kubernetes-int-or-string: true 1142 bpfPolicyDebugEnabled: 1143 description: BPFPolicyDebugEnabled when true, Felix records detailed 1144 information about the BPF policy programs, which can be examined 1145 with the calico-bpf command-line tool. 1146 type: boolean 1147 chainInsertMode: 1148 description: 'ChainInsertMode controls whether Felix hooks the kernel''s 1149 top-level iptables chains by inserting a rule at the top of the 1150 chain or by appending a rule at the bottom. insert is the safe default 1151 since it prevents Calico''s rules from being bypassed. If you switch 1152 to append mode, be sure that the other rules in the chains signal 1153 acceptance by falling through to the Calico rules, otherwise the 1154 Calico policy will be bypassed. [Default: insert]' 1155 type: string 1156 dataplaneDriver: 1157 description: DataplaneDriver filename of the external dataplane driver 1158 to use. Only used if UseInternalDataplaneDriver is set to false. 1159 type: string 1160 dataplaneWatchdogTimeout: 1161 description: "DataplaneWatchdogTimeout is the readiness/liveness timeout 1162 used for Felix's (internal) dataplane driver. Increase this value 1163 if you experience spurious non-ready or non-live events when Felix 1164 is under heavy load. 
Decrease the value to get felix to report non-live 1165 or non-ready more quickly. [Default: 90s] \n Deprecated: replaced 1166 by the generic HealthTimeoutOverrides." 1167 type: string 1168 debugDisableLogDropping: 1169 type: boolean 1170 debugMemoryProfilePath: 1171 type: string 1172 debugSimulateCalcGraphHangAfter: 1173 type: string 1174 debugSimulateDataplaneHangAfter: 1175 type: string 1176 defaultEndpointToHostAction: 1177 description: 'DefaultEndpointToHostAction controls what happens to 1178 traffic that goes from a workload endpoint to the host itself (after 1179 the traffic hits the endpoint egress policy). By default Calico 1180 blocks traffic from workload endpoints to the host itself with an 1181 iptables "DROP" action. If you want to allow some or all traffic 1182 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 1183 RETURN if you have your own rules in the iptables "INPUT" chain; 1184 Calico will insert its rules at the top of that chain, then "RETURN" 1185 packets to the "INPUT" chain once it has completed processing workload 1186 endpoint egress policy. Use ACCEPT to unconditionally accept packets 1187 from workloads after processing workload endpoint egress policy. 1188 [Default: Drop]' 1189 type: string 1190 deviceRouteProtocol: 1191 description: This defines the route protocol added to programmed device 1192 routes, by default this will be RTPROT_BOOT when left blank. 1193 type: integer 1194 deviceRouteSourceAddress: 1195 description: This is the IPv4 source address to use on programmed 1196 device routes. By default the source address is left blank, leaving 1197 the kernel to choose the source address used. 1198 type: string 1199 deviceRouteSourceAddressIPv6: 1200 description: This is the IPv6 source address to use on programmed 1201 device routes. By default the source address is left blank, leaving 1202 the kernel to choose the source address used. 
1203 type: string 1204 disableConntrackInvalidCheck: 1205 type: boolean 1206 endpointReportingDelay: 1207 type: string 1208 endpointReportingEnabled: 1209 type: boolean 1210 externalNodesList: 1211 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 1212 which may source tunnel traffic and have the tunneled traffic be 1213 accepted at calico nodes. 1214 items: 1215 type: string 1216 type: array 1217 failsafeInboundHostPorts: 1218 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 1219 and CIDRs that Felix will allow incoming traffic to host endpoints 1220 on irrespective of the security policy. This is useful to avoid 1221 accidentally cutting off a host with incorrect configuration. For 1222 back-compatibility, if the protocol is not specified, it defaults 1223 to "tcp". If a CIDR is not specified, it will allow traffic from 1224 all addresses. To disable all inbound host ports, use the value 1225 none. The default value allows ssh access and DHCP. [Default: tcp:22, 1226 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 1227 items: 1228 description: ProtoPort is combination of protocol, port, and CIDR. 1229 Protocol and port must be specified. 1230 properties: 1231 net: 1232 type: string 1233 port: 1234 type: integer 1235 protocol: 1236 type: string 1237 required: 1238 - port 1239 - protocol 1240 type: object 1241 type: array 1242 failsafeOutboundHostPorts: 1243 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 1244 and CIDRs that Felix will allow outgoing traffic from host endpoints 1245 to irrespective of the security policy. This is useful to avoid 1246 accidentally cutting off a host with incorrect configuration. For 1247 back-compatibility, if the protocol is not specified, it defaults 1248 to "tcp". If a CIDR is not specified, it will allow traffic from 1249 all addresses. To disable all outbound host ports, use the value 1250 none. 
The default value opens etcd''s standard ports to ensure that 1251 Felix does not get cut off from etcd as well as allowing DHCP and 1252 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 1253 tcp:6667, udp:53, udp:67]' 1254 items: 1255 description: ProtoPort is combination of protocol, port, and CIDR. 1256 Protocol and port must be specified. 1257 properties: 1258 net: 1259 type: string 1260 port: 1261 type: integer 1262 protocol: 1263 type: string 1264 required: 1265 - port 1266 - protocol 1267 type: object 1268 type: array 1269 featureDetectOverride: 1270 description: FeatureDetectOverride is used to override feature detection 1271 based on auto-detected platform capabilities. Values are specified 1272 in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" 1273 or "false" will force the feature, empty or omitted values are auto-detected. 1274 type: string 1275 featureGates: 1276 description: FeatureGates is used to enable or disable tech-preview 1277 Calico features. Values are specified in a comma separated list 1278 with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". 1279 This is used to enable features that are not fully production ready. 1280 type: string 1281 floatingIPs: 1282 description: FloatingIPs configures whether or not Felix will program 1283 non-OpenStack floating IP addresses. (OpenStack-derived floating 1284 IPs are always programmed, regardless of this setting.) 1285 enum: 1286 - Enabled 1287 - Disabled 1288 type: string 1289 genericXDPEnabled: 1290 description: 'GenericXDPEnabled enables Generic XDP so network cards 1291 that don''t support XDP offload or driver modes can use XDP. This 1292 is not recommended since it doesn''t provide better performance 1293 than iptables. 
[Default: false]' 1294 type: boolean 1295 healthEnabled: 1296 type: boolean 1297 healthHost: 1298 type: string 1299 healthPort: 1300 type: integer 1301 healthTimeoutOverrides: 1302 description: HealthTimeoutOverrides allows the internal watchdog timeouts 1303 of individual subcomponents to be overridden. This is useful for 1304 working around "false positive" liveness timeouts that can occur 1305 in particularly stressful workloads or if CPU is constrained. For 1306 a list of active subcomponents, see Felix's logs. 1307 items: 1308 properties: 1309 name: 1310 type: string 1311 timeout: 1312 type: string 1313 required: 1314 - name 1315 - timeout 1316 type: object 1317 type: array 1318 interfaceExclude: 1319 description: 'InterfaceExclude is a comma-separated list of interfaces 1320 that Felix should exclude when monitoring for host endpoints. The 1321 default value ensures that Felix ignores Kubernetes'' IPVS dummy 1322 interface, which is used internally by kube-proxy. If you want to 1323 exclude multiple interface names using a single value, the list 1324 supports regular expressions. For regular expressions you must wrap 1325 the value with ''/''. For example having values ''/^kube/,veth1'' 1326 will exclude all interfaces that begin with ''kube'' and also the 1327 interface ''veth1''. [Default: kube-ipvs0]' 1328 type: string 1329 interfacePrefix: 1330 description: 'InterfacePrefix is the interface name prefix that identifies 1331 workload endpoints and so distinguishes them from host endpoint 1332 interfaces. Note: in environments other than bare metal, the orchestrators 1333 configure this appropriately. For example our Kubernetes and Docker 1334 integrations set the ''cali'' value, and our OpenStack integration 1335 sets the ''tap'' value. [Default: cali]' 1336 type: string 1337 interfaceRefreshInterval: 1338 description: InterfaceRefreshInterval is the period at which Felix 1339 rescans local interfaces to verify their state. 
The rescan can be 1340 disabled by setting the interval to 0. 1341 type: string 1342 ipipEnabled: 1343 description: 'IPIPEnabled overrides whether Felix should configure 1344 an IPIP interface on the host. Optional as Felix determines this 1345 based on the existing IP pools. [Default: nil (unset)]' 1346 type: boolean 1347 ipipMTU: 1348 description: 'IPIPMTU is the MTU to set on the tunnel device. See 1349 Configuring MTU [Default: 1440]' 1350 type: integer 1351 ipsetsRefreshInterval: 1352 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 1353 all iptables state to ensure that no other process has accidentally 1354 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 1355 90s]' 1356 type: string 1357 iptablesBackend: 1358 description: IptablesBackend specifies which backend of iptables will 1359 be used. The default is Auto. 1360 type: string 1361 iptablesFilterAllowAction: 1362 type: string 1363 iptablesFilterDenyAction: 1364 description: IptablesFilterDenyAction controls what happens to traffic 1365 that is denied by network policy. By default Calico blocks traffic 1366 with an iptables "DROP" action. If you want to use "REJECT" action 1367 instead you can configure it in here. 1368 type: string 1369 iptablesLockFilePath: 1370 description: 'IptablesLockFilePath is the location of the iptables 1371 lock file. You may need to change this if the lock file is not in 1372 its standard location (for example if you have mapped it into Felix''s 1373 container at a different path). [Default: /run/xtables.lock]' 1374 type: string 1375 iptablesLockProbeInterval: 1376 description: 'IptablesLockProbeInterval is the time that Felix will 1377 wait between attempts to acquire the iptables lock if it is not 1378 available. Lower values make Felix more responsive when the lock 1379 is contended, but use more CPU. 
[Default: 50ms]' 1380 type: string 1381 iptablesLockTimeout: 1382 description: 'IptablesLockTimeout is the time that Felix will wait 1383 for the iptables lock, or 0, to disable. To use this feature, Felix 1384 must share the iptables lock file with all other processes that 1385 also take the lock. When running Felix inside a container, this 1386 requires the /run directory of the host to be mounted into the calico/node 1387 or calico/felix container. [Default: 0s disabled]' 1388 type: string 1389 iptablesMangleAllowAction: 1390 type: string 1391 iptablesMarkMask: 1392 description: 'IptablesMarkMask is the mask that Felix selects its 1393 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 1394 at least 8 bits set, none of which clash with any other mark bits 1395 in use on the system. [Default: 0xff000000]' 1396 format: int32 1397 type: integer 1398 iptablesNATOutgoingInterfaceFilter: 1399 type: string 1400 iptablesPostWriteCheckInterval: 1401 description: 'IptablesPostWriteCheckInterval is the period after Felix 1402 has done a write to the dataplane that it schedules an extra read 1403 back in order to check the write was not clobbered by another process. 1404 This should only occur if another application on the system doesn''t 1405 respect the iptables lock. [Default: 1s]' 1406 type: string 1407 iptablesRefreshInterval: 1408 description: 'IptablesRefreshInterval is the period at which Felix 1409 re-checks the IP sets in the dataplane to ensure that no other process 1410 has accidentally broken Calico''s rules. Set to 0 to disable IP 1411 sets refresh. Note: the default for this value is lower than the 1412 other refresh intervals as a workaround for a Linux kernel bug that 1413 was fixed in kernel version 4.11. If you are using v4.11 or greater 1414 you may want to set this to, a higher value to reduce Felix CPU 1415 usage. 
[Default: 10s]' 1416 type: string 1417 ipv6Support: 1418 description: IPv6Support controls whether Felix enables support for 1419 IPv6 (if supported by the in-use dataplane). 1420 type: boolean 1421 kubeNodePortRanges: 1422 description: 'KubeNodePortRanges holds list of port ranges used for 1423 service node ports. Only used if felix detects kube-proxy running 1424 in ipvs mode. Felix uses these ranges to separate host and workload 1425 traffic. [Default: 30000:32767].' 1426 items: 1427 anyOf: 1428 - type: integer 1429 - type: string 1430 pattern: ^.* 1431 x-kubernetes-int-or-string: true 1432 type: array 1433 logDebugFilenameRegex: 1434 description: LogDebugFilenameRegex controls which source code files 1435 have their Debug log output included in the logs. Only logs from 1436 files with names that match the given regular expression are included. The 1437 filter only applies to Debug level logs. 1438 type: string 1439 logFilePath: 1440 description: 'LogFilePath is the full path to the Felix log. Set to 1441 none to disable file logging. [Default: /var/log/calico/felix.log]' 1442 type: string 1443 logPrefix: 1444 description: 'LogPrefix is the log prefix that Felix uses when rendering 1445 LOG rules. [Default: calico-packet]' 1446 type: string 1447 logSeverityFile: 1448 description: 'LogSeverityFile is the log severity above which logs 1449 are sent to the log file. [Default: Info]' 1450 type: string 1451 logSeverityScreen: 1452 description: 'LogSeverityScreen is the log severity above which logs 1453 are sent to the stdout. [Default: Info]' 1454 type: string 1455 logSeveritySys: 1456 description: 'LogSeveritySys is the log severity above which logs 1457 are sent to the syslog. Set to None for no logging to syslog. [Default: 1458 Info]' 1459 type: string 1460 maxIpsetSize: 1461 type: integer 1462 metadataAddr: 1463 description: 'MetadataAddr is the IP address or domain name of the 1464 server that can answer VM queries for cloud-init metadata. 
In OpenStack, 1465 this corresponds to the machine running nova-api (or in Ubuntu, 1466 nova-api-metadata). A value of none (case insensitive) means that 1467 Felix should not set up any NAT rule for the metadata path. [Default: 1468 127.0.0.1]' 1469 type: string 1470 metadataPort: 1471 description: 'MetadataPort is the port of the metadata server. This, 1472 combined with global.MetadataAddr (if not ''None''), is used to 1473 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1474 In most cases this should not need to be changed [Default: 8775].' 1475 type: integer 1476 mtuIfacePattern: 1477 description: MTUIfacePattern is a regular expression that controls 1478 which interfaces Felix should scan in order to calculate the host's 1479 MTU. This should not match workload interfaces (usually named cali...). 1480 type: string 1481 natOutgoingAddress: 1482 description: NATOutgoingAddress specifies an address to use when performing 1483 source NAT for traffic in a natOutgoing pool that is leaving the 1484 network. By default the address used is an address on the interface 1485 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1486 type: string 1487 natPortRange: 1488 anyOf: 1489 - type: integer 1490 - type: string 1491 description: NATPortRange specifies the range of ports that is used 1492 for port mapping when doing outgoing NAT. When unset the default 1493 behavior of the network stack is used. 1494 pattern: ^.* 1495 x-kubernetes-int-or-string: true 1496 netlinkTimeout: 1497 type: string 1498 openstackRegion: 1499 description: 'OpenstackRegion is the name of the region that a particular 1500 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1501 this must be configured somehow for each Felix (here in the datamodel, 1502 or in felix.cfg or the environment on each compute node), and must 1503 match the [calico] openstack_region value configured in neutron.conf 1504 on each node. 
[Default: Empty]' 1505 type: string 1506 policySyncPathPrefix: 1507 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1508 policy changes to external services, like Application layer policy. 1509 [Default: Empty]' 1510 type: string 1511 prometheusGoMetricsEnabled: 1512 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1513 collection, which the Prometheus client does by default, when set 1514 to false. This reduces the number of metrics reported, reducing 1515 Prometheus load. [Default: true]' 1516 type: boolean 1517 prometheusMetricsEnabled: 1518 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1519 server in Felix if set to true. [Default: false]' 1520 type: boolean 1521 prometheusMetricsHost: 1522 description: 'PrometheusMetricsHost is the host that the Prometheus 1523 metrics server should bind to. [Default: empty]' 1524 type: string 1525 prometheusMetricsPort: 1526 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1527 metrics server should bind to. [Default: 9091]' 1528 type: integer 1529 prometheusProcessMetricsEnabled: 1530 description: 'PrometheusProcessMetricsEnabled disables process metrics 1531 collection, which the Prometheus client does by default, when set 1532 to false. This reduces the number of metrics reported, reducing 1533 Prometheus load. [Default: true]' 1534 type: boolean 1535 prometheusWireGuardMetricsEnabled: 1536 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1537 metrics collection, which the Prometheus client does by default, 1538 when set to false. This reduces the number of metrics reported, 1539 reducing Prometheus load. [Default: true]' 1540 type: boolean 1541 removeExternalRoutes: 1542 description: Whether or not to remove device routes that have not 1543 been programmed by Felix. Disabling this will allow external applications 1544 to also add device routes. 
This is enabled by default which means 1545 we will remove externally added routes. 1546 type: boolean 1547 reportingInterval: 1548 description: 'ReportingInterval is the interval at which Felix reports 1549 its status into the datastore or 0 to disable. Must be non-zero 1550 in OpenStack deployments. [Default: 30s]' 1551 type: string 1552 reportingTTL: 1553 description: 'ReportingTTL is the time-to-live setting for process-wide 1554 status reports. [Default: 90s]' 1555 type: string 1556 routeRefreshInterval: 1557 description: 'RouteRefreshInterval is the period at which Felix re-checks 1558 the routes in the dataplane to ensure that no other process has 1559 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1560 [Default: 90s]' 1561 type: string 1562 routeSource: 1563 description: 'RouteSource configures where Felix gets its routing 1564 information. - WorkloadIPs: use workload endpoints to construct 1565 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1566 type: string 1567 routeSyncDisabled: 1568 description: RouteSyncDisabled will disable all operations performed 1569 on the route table. Set to true to run in network-policy mode only. 1570 type: boolean 1571 routeTableRange: 1572 description: Deprecated in favor of RouteTableRanges. Calico programs 1573 additional Linux route tables for various purposes. RouteTableRange 1574 specifies the indices of the route tables that Calico should use. 1575 properties: 1576 max: 1577 type: integer 1578 min: 1579 type: integer 1580 required: 1581 - max 1582 - min 1583 type: object 1584 routeTableRanges: 1585 description: Calico programs additional Linux route tables for various 1586 purposes. RouteTableRanges specifies a set of table index ranges 1587 that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. 
1588 items: 1589 properties: 1590 max: 1591 type: integer 1592 min: 1593 type: integer 1594 required: 1595 - max 1596 - min 1597 type: object 1598 type: array 1599 serviceLoopPrevention: 1600 description: 'When service IP advertisement is enabled, prevent routing 1601 loops to service IPs that are not in use, by dropping or rejecting 1602 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", 1603 in which case such routing loops continue to be allowed. [Default: 1604 Drop]' 1605 type: string 1606 sidecarAccelerationEnabled: 1607 description: 'SidecarAccelerationEnabled enables experimental sidecar 1608 acceleration [Default: false]' 1609 type: boolean 1610 usageReportingEnabled: 1611 description: 'UsageReportingEnabled reports anonymous Calico version 1612 number and cluster size to projectcalico.org. Logs warnings returned 1613 by the usage server. For example, if a significant security vulnerability 1614 has been discovered in the version of Calico being used. [Default: 1615 true]' 1616 type: boolean 1617 usageReportingInitialDelay: 1618 description: 'UsageReportingInitialDelay controls the minimum delay 1619 before Felix makes a report. [Default: 300s]' 1620 type: string 1621 usageReportingInterval: 1622 description: 'UsageReportingInterval controls the interval at which 1623 Felix makes reports. [Default: 86400s]' 1624 type: string 1625 useInternalDataplaneDriver: 1626 description: UseInternalDataplaneDriver, if true, Felix will use its 1627 internal dataplane programming logic. If false, it will launch 1628 an external dataplane driver and communicate with it over protobuf. 1629 type: boolean 1630 vxlanEnabled: 1631 description: 'VXLANEnabled overrides whether Felix should create the 1632 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix 1633 determines this based on the existing IP pools. 
[Default: nil (unset)]' 1634 type: boolean 1635 vxlanMTU: 1636 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel 1637 device. See Configuring MTU [Default: 1410]' 1638 type: integer 1639 vxlanMTUV6: 1640 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel 1641 device. See Configuring MTU [Default: 1390]' 1642 type: integer 1643 vxlanPort: 1644 type: integer 1645 vxlanVNI: 1646 type: integer 1647 wireguardEnabled: 1648 description: 'WireguardEnabled controls whether Wireguard is enabled 1649 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). 1650 [Default: false]' 1651 type: boolean 1652 wireguardEnabledV6: 1653 description: 'WireguardEnabledV6 controls whether Wireguard is enabled 1654 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). 1655 [Default: false]' 1656 type: boolean 1657 wireguardHostEncryptionEnabled: 1658 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1659 host-to-host encryption is enabled. [Default: false]' 1660 type: boolean 1661 wireguardInterfaceName: 1662 description: 'WireguardInterfaceName specifies the name to use for 1663 the IPv4 Wireguard interface. [Default: wireguard.cali]' 1664 type: string 1665 wireguardInterfaceNameV6: 1666 description: 'WireguardInterfaceNameV6 specifies the name to use for 1667 the IPv6 Wireguard interface. [Default: wg-v6.cali]' 1668 type: string 1669 wireguardKeepAlive: 1670 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive 1671 option. Set 0 to disable. [Default: 0]' 1672 type: string 1673 wireguardListeningPort: 1674 description: 'WireguardListeningPort controls the listening port used 1675 by IPv4 Wireguard. [Default: 51820]' 1676 type: integer 1677 wireguardListeningPortV6: 1678 description: 'WireguardListeningPortV6 controls the listening port 1679 used by IPv6 Wireguard. 
[Default: 51821]' 1680 type: integer 1681 wireguardMTU: 1682 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard 1683 interface. See Configuring MTU [Default: 1440]' 1684 type: integer 1685 wireguardMTUV6: 1686 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard 1687 interface. See Configuring MTU [Default: 1420]' 1688 type: integer 1689 wireguardRoutingRulePriority: 1690 description: 'WireguardRoutingRulePriority controls the priority value 1691 to use for the Wireguard routing rule. [Default: 99]' 1692 type: integer 1693 workloadSourceSpoofing: 1694 description: WorkloadSourceSpoofing controls whether pods can use 1695 the allowedSourcePrefixes annotation to send traffic with a source 1696 IP address that is not theirs. This is disabled by default. When 1697 set to "Any", pods can request any prefix. 1698 type: string 1699 xdpEnabled: 1700 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1701 incoming deny rules. [Default: true]' 1702 type: boolean 1703 xdpRefreshInterval: 1704 description: 'XDPRefreshInterval is the period at which Felix re-checks 1705 all XDP state to ensure that no other process has accidentally broken 1706 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1707 refresh. 
[Default: 90s]' 1708 type: string 1709 type: object 1710 type: object 1711 served: true 1712 storage: true 1713 status: 1714 acceptedNames: 1715 kind: "" 1716 plural: "" 1717 conditions: [] 1718 storedVersions: [] 1719 --- 1720 # Source: calico/templates/kdd-crds.yaml 1721 apiVersion: apiextensions.k8s.io/v1 1722 kind: CustomResourceDefinition 1723 metadata: 1724 name: globalnetworkpolicies.crd.projectcalico.org 1725 spec: 1726 group: crd.projectcalico.org 1727 names: 1728 kind: GlobalNetworkPolicy 1729 listKind: GlobalNetworkPolicyList 1730 plural: globalnetworkpolicies 1731 singular: globalnetworkpolicy 1732 preserveUnknownFields: false 1733 scope: Cluster 1734 versions: 1735 - name: v1 1736 schema: 1737 openAPIV3Schema: 1738 properties: 1739 apiVersion: 1740 description: 'APIVersion defines the versioned schema of this representation 1741 of an object. Servers should convert recognized schemas to the latest 1742 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1743 type: string 1744 kind: 1745 description: 'Kind is a string value representing the REST resource this 1746 object represents. Servers may infer this from the endpoint the client 1747 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1748 type: string 1749 metadata: 1750 type: object 1751 spec: 1752 properties: 1753 applyOnForward: 1754 description: ApplyOnForward indicates to apply the rules in this policy 1755 on forward traffic. 1756 type: boolean 1757 doNotTrack: 1758 description: DoNotTrack indicates whether packets matched by the rules 1759 in this policy should go through the data plane's connection tracking, 1760 such as Linux conntrack. 
If True, the rules in this policy are 1761 applied before any data plane connection tracking, and packets allowed 1762 by this policy are marked as not to be tracked. 1763 type: boolean 1764 egress: 1765 description: The ordered set of egress rules. Each rule contains 1766 a set of packet match criteria and a corresponding action to apply. 1767 items: 1768 description: "A Rule encapsulates a set of match criteria and an 1769 action. Both selector-based security Policy and security Profiles 1770 reference rules - separated out as a list of rules for both ingress 1771 and egress packet matching. \n Each positive match criteria has 1772 a negated version, prefixed with \"Not\". All the match criteria 1773 within a rule must be satisfied for a packet to match. A single 1774 rule can contain the positive and negative version of a match 1775 and both must be satisfied for the rule to match." 1776 properties: 1777 action: 1778 type: string 1779 destination: 1780 description: Destination contains the match criteria that apply 1781 to destination entity. 1782 properties: 1783 namespaceSelector: 1784 description: "NamespaceSelector is an optional field that 1785 contains a selector expression. Only traffic that originates 1786 from (or terminates at) endpoints within the selected 1787 namespaces will be matched. When both NamespaceSelector 1788 and another selector are defined on the same rule, then 1789 only workload endpoints that are matched by both selectors 1790 will be selected by the rule. \n For NetworkPolicy, an 1791 empty NamespaceSelector implies that the Selector is limited 1792 to selecting only workload endpoints in the same namespace 1793 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1794 NamespaceSelector implies that the Selector is limited 1795 to selecting only GlobalNetworkSet or HostEndpoint. \n 1796 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1797 the Selector applies to workload endpoints across all 1798 namespaces." 
1799 type: string 1800 nets: 1801 description: Nets is an optional field that restricts the 1802 rule to only apply to traffic that originates from (or 1803 terminates at) IP addresses in any of the given subnets. 1804 items: 1805 type: string 1806 type: array 1807 notNets: 1808 description: NotNets is the negated version of the Nets 1809 field. 1810 items: 1811 type: string 1812 type: array 1813 notPorts: 1814 description: NotPorts is the negated version of the Ports 1815 field. Since only some protocols have ports, if any ports 1816 are specified it requires the Protocol match in the Rule 1817 to be set to "TCP" or "UDP". 1818 items: 1819 anyOf: 1820 - type: integer 1821 - type: string 1822 pattern: ^.* 1823 x-kubernetes-int-or-string: true 1824 type: array 1825 notSelector: 1826 description: NotSelector is the negated version of the Selector 1827 field. See Selector field for subtleties with negated 1828 selectors. 1829 type: string 1830 ports: 1831 description: "Ports is an optional field that restricts 1832 the rule to only apply to traffic that has a source (destination) 1833 port that matches one of these ranges/values. This value 1834 is a list of integers or strings that represent ranges 1835 of ports. \n Since only some protocols have ports, if 1836 any ports are specified it requires the Protocol match 1837 in the Rule to be set to \"TCP\" or \"UDP\"." 1838 items: 1839 anyOf: 1840 - type: integer 1841 - type: string 1842 pattern: ^.* 1843 x-kubernetes-int-or-string: true 1844 type: array 1845 selector: 1846 description: "Selector is an optional field that contains 1847 a selector expression (see Policy for sample syntax). 1848 \ Only traffic that originates from (terminates at) endpoints 1849 matching the selector will be matched. \n Note that: in 1850 addition to the negated version of the Selector (see NotSelector 1851 below), the selector expression syntax itself supports 1852 negation. The two types of negation are subtly different. 
1853 One negates the set of matched endpoints, the other negates 1854 the whole match: \n \tSelector = \"!has(my_label)\" matches 1855 packets that are from other Calico-controlled \tendpoints 1856 that do not have the label \"my_label\". \n \tNotSelector 1857 = \"has(my_label)\" matches packets that are not from 1858 Calico-controlled \tendpoints that do have the label \"my_label\". 1859 \n The effect is that the latter will accept packets from 1860 non-Calico sources whereas the former is limited to packets 1861 from Calico-controlled endpoints." 1862 type: string 1863 serviceAccounts: 1864 description: ServiceAccounts is an optional field that restricts 1865 the rule to only apply to traffic that originates from 1866 (or terminates at) a pod running as a matching service 1867 account. 1868 properties: 1869 names: 1870 description: Names is an optional field that restricts 1871 the rule to only apply to traffic that originates 1872 from (or terminates at) a pod running as a service 1873 account whose name is in the list. 1874 items: 1875 type: string 1876 type: array 1877 selector: 1878 description: Selector is an optional field that restricts 1879 the rule to only apply to traffic that originates 1880 from (or terminates at) a pod running as a service 1881 account that matches the given label selector. If 1882 both Names and Selector are specified then they are 1883 AND'ed. 1884 type: string 1885 type: object 1886 services: 1887 description: "Services is an optional field that contains 1888 options for matching Kubernetes Services. If specified, 1889 only traffic that originates from or terminates at endpoints 1890 within the selected service(s) will be matched, and only 1891 to/from each endpoint's port. \n Services cannot be specified 1892 on the same rule as Selector, NotSelector, NamespaceSelector, 1893 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1894 can only be specified with Services on ingress rules." 
1895 properties: 1896 name: 1897 description: Name specifies the name of a Kubernetes 1898 Service to match. 1899 type: string 1900 namespace: 1901 description: Namespace specifies the namespace of the 1902 given Service. If left empty, the rule will match 1903 within this policy's namespace. 1904 type: string 1905 type: object 1906 type: object 1907 http: 1908 description: HTTP contains match criteria that apply to HTTP 1909 requests. 1910 properties: 1911 methods: 1912 description: Methods is an optional field that restricts 1913 the rule to apply only to HTTP requests that use one of 1914 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1915 methods are OR'd together. 1916 items: 1917 type: string 1918 type: array 1919 paths: 1920 description: 'Paths is an optional field that restricts 1921 the rule to apply to HTTP requests that use one of the 1922 listed HTTP Paths. Multiple paths are OR''d together. 1923 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1924 ONLY specify either a `exact` or a `prefix` match. The 1925 validator will check for it.' 1926 items: 1927 description: 'HTTPPath specifies an HTTP path to match. 1928 It may be either of the form: exact: <path>: which matches 1929 the path exactly or prefix: <path-prefix>: which matches 1930 the path prefix' 1931 properties: 1932 exact: 1933 type: string 1934 prefix: 1935 type: string 1936 type: object 1937 type: array 1938 type: object 1939 icmp: 1940 description: ICMP is an optional field that restricts the rule 1941 to apply to a specific type and code of ICMP traffic. This 1942 should only be specified if the Protocol field is set to "ICMP" 1943 or "ICMPv6". 1944 properties: 1945 code: 1946 description: Match on a specific ICMP code. If specified, 1947 the Type value must also be specified. This is a technical 1948 limitation imposed by the kernel's iptables firewall, 1949 which Calico uses to enforce the rule. 1950 type: integer 1951 type: 1952 description: Match on a specific ICMP type. 
For example 1953 a value of 8 refers to ICMP Echo Request (i.e. pings). 1954 type: integer 1955 type: object 1956 ipVersion: 1957 description: IPVersion is an optional field that restricts the 1958 rule to only match a specific IP version. 1959 type: integer 1960 metadata: 1961 description: Metadata contains additional information for this 1962 rule 1963 properties: 1964 annotations: 1965 additionalProperties: 1966 type: string 1967 description: Annotations is a set of key value pairs that 1968 give extra information about the rule 1969 type: object 1970 type: object 1971 notICMP: 1972 description: NotICMP is the negated version of the ICMP field. 1973 properties: 1974 code: 1975 description: Match on a specific ICMP code. If specified, 1976 the Type value must also be specified. This is a technical 1977 limitation imposed by the kernel's iptables firewall, 1978 which Calico uses to enforce the rule. 1979 type: integer 1980 type: 1981 description: Match on a specific ICMP type. For example 1982 a value of 8 refers to ICMP Echo Request (i.e. pings). 1983 type: integer 1984 type: object 1985 notProtocol: 1986 anyOf: 1987 - type: integer 1988 - type: string 1989 description: NotProtocol is the negated version of the Protocol 1990 field. 1991 pattern: ^.* 1992 x-kubernetes-int-or-string: true 1993 protocol: 1994 anyOf: 1995 - type: integer 1996 - type: string 1997 description: "Protocol is an optional field that restricts the 1998 rule to only apply to traffic of a specific IP protocol. Required 1999 if any of the EntityRules contain Ports (because ports only 2000 apply to certain protocols). \n Must be one of these string 2001 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2002 \"UDPLite\" or an integer in the range 1-255." 2003 pattern: ^.* 2004 x-kubernetes-int-or-string: true 2005 source: 2006 description: Source contains the match criteria that apply to 2007 source entity. 
2008 properties: 2009 namespaceSelector: 2010 description: "NamespaceSelector is an optional field that 2011 contains a selector expression. Only traffic that originates 2012 from (or terminates at) endpoints within the selected 2013 namespaces will be matched. When both NamespaceSelector 2014 and another selector are defined on the same rule, then 2015 only workload endpoints that are matched by both selectors 2016 will be selected by the rule. \n For NetworkPolicy, an 2017 empty NamespaceSelector implies that the Selector is limited 2018 to selecting only workload endpoints in the same namespace 2019 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2020 NamespaceSelector implies that the Selector is limited 2021 to selecting only GlobalNetworkSet or HostEndpoint. \n 2022 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2023 the Selector applies to workload endpoints across all 2024 namespaces." 2025 type: string 2026 nets: 2027 description: Nets is an optional field that restricts the 2028 rule to only apply to traffic that originates from (or 2029 terminates at) IP addresses in any of the given subnets. 2030 items: 2031 type: string 2032 type: array 2033 notNets: 2034 description: NotNets is the negated version of the Nets 2035 field. 2036 items: 2037 type: string 2038 type: array 2039 notPorts: 2040 description: NotPorts is the negated version of the Ports 2041 field. Since only some protocols have ports, if any ports 2042 are specified it requires the Protocol match in the Rule 2043 to be set to "TCP" or "UDP". 2044 items: 2045 anyOf: 2046 - type: integer 2047 - type: string 2048 pattern: ^.* 2049 x-kubernetes-int-or-string: true 2050 type: array 2051 notSelector: 2052 description: NotSelector is the negated version of the Selector 2053 field. See Selector field for subtleties with negated 2054 selectors. 
2055 type: string 2056 ports: 2057 description: "Ports is an optional field that restricts 2058 the rule to only apply to traffic that has a source (destination) 2059 port that matches one of these ranges/values. This value 2060 is a list of integers or strings that represent ranges 2061 of ports. \n Since only some protocols have ports, if 2062 any ports are specified it requires the Protocol match 2063 in the Rule to be set to \"TCP\" or \"UDP\"." 2064 items: 2065 anyOf: 2066 - type: integer 2067 - type: string 2068 pattern: ^.* 2069 x-kubernetes-int-or-string: true 2070 type: array 2071 selector: 2072 description: "Selector is an optional field that contains 2073 a selector expression (see Policy for sample syntax). 2074 \ Only traffic that originates from (terminates at) endpoints 2075 matching the selector will be matched. \n Note that: in 2076 addition to the negated version of the Selector (see NotSelector 2077 below), the selector expression syntax itself supports 2078 negation. The two types of negation are subtly different. 2079 One negates the set of matched endpoints, the other negates 2080 the whole match: \n \tSelector = \"!has(my_label)\" matches 2081 packets that are from other Calico-controlled \tendpoints 2082 that do not have the label \"my_label\". \n \tNotSelector 2083 = \"has(my_label)\" matches packets that are not from 2084 Calico-controlled \tendpoints that do have the label \"my_label\". 2085 \n The effect is that the latter will accept packets from 2086 non-Calico sources whereas the former is limited to packets 2087 from Calico-controlled endpoints." 2088 type: string 2089 serviceAccounts: 2090 description: ServiceAccounts is an optional field that restricts 2091 the rule to only apply to traffic that originates from 2092 (or terminates at) a pod running as a matching service 2093 account. 
2094 properties: 2095 names: 2096 description: Names is an optional field that restricts 2097 the rule to only apply to traffic that originates 2098 from (or terminates at) a pod running as a service 2099 account whose name is in the list. 2100 items: 2101 type: string 2102 type: array 2103 selector: 2104 description: Selector is an optional field that restricts 2105 the rule to only apply to traffic that originates 2106 from (or terminates at) a pod running as a service 2107 account that matches the given label selector. If 2108 both Names and Selector are specified then they are 2109 AND'ed. 2110 type: string 2111 type: object 2112 services: 2113 description: "Services is an optional field that contains 2114 options for matching Kubernetes Services. If specified, 2115 only traffic that originates from or terminates at endpoints 2116 within the selected service(s) will be matched, and only 2117 to/from each endpoint's port. \n Services cannot be specified 2118 on the same rule as Selector, NotSelector, NamespaceSelector, 2119 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2120 can only be specified with Services on ingress rules." 2121 properties: 2122 name: 2123 description: Name specifies the name of a Kubernetes 2124 Service to match. 2125 type: string 2126 namespace: 2127 description: Namespace specifies the namespace of the 2128 given Service. If left empty, the rule will match 2129 within this policy's namespace. 2130 type: string 2131 type: object 2132 type: object 2133 required: 2134 - action 2135 type: object 2136 type: array 2137 ingress: 2138 description: The ordered set of ingress rules. Each rule contains 2139 a set of packet match criteria and a corresponding action to apply. 2140 items: 2141 description: "A Rule encapsulates a set of match criteria and an 2142 action. Both selector-based security Policy and security Profiles 2143 reference rules - separated out as a list of rules for both ingress 2144 and egress packet matching. 
\n Each positive match criteria has 2145 a negated version, prefixed with \"Not\". All the match criteria 2146 within a rule must be satisfied for a packet to match. A single 2147 rule can contain the positive and negative version of a match 2148 and both must be satisfied for the rule to match." 2149 properties: 2150 action: 2151 type: string 2152 destination: 2153 description: Destination contains the match criteria that apply 2154 to destination entity. 2155 properties: 2156 namespaceSelector: 2157 description: "NamespaceSelector is an optional field that 2158 contains a selector expression. Only traffic that originates 2159 from (or terminates at) endpoints within the selected 2160 namespaces will be matched. When both NamespaceSelector 2161 and another selector are defined on the same rule, then 2162 only workload endpoints that are matched by both selectors 2163 will be selected by the rule. \n For NetworkPolicy, an 2164 empty NamespaceSelector implies that the Selector is limited 2165 to selecting only workload endpoints in the same namespace 2166 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2167 NamespaceSelector implies that the Selector is limited 2168 to selecting only GlobalNetworkSet or HostEndpoint. \n 2169 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2170 the Selector applies to workload endpoints across all 2171 namespaces." 2172 type: string 2173 nets: 2174 description: Nets is an optional field that restricts the 2175 rule to only apply to traffic that originates from (or 2176 terminates at) IP addresses in any of the given subnets. 2177 items: 2178 type: string 2179 type: array 2180 notNets: 2181 description: NotNets is the negated version of the Nets 2182 field. 2183 items: 2184 type: string 2185 type: array 2186 notPorts: 2187 description: NotPorts is the negated version of the Ports 2188 field. 
Since only some protocols have ports, if any ports 2189 are specified it requires the Protocol match in the Rule 2190 to be set to "TCP" or "UDP". 2191 items: 2192 anyOf: 2193 - type: integer 2194 - type: string 2195 pattern: ^.* 2196 x-kubernetes-int-or-string: true 2197 type: array 2198 notSelector: 2199 description: NotSelector is the negated version of the Selector 2200 field. See Selector field for subtleties with negated 2201 selectors. 2202 type: string 2203 ports: 2204 description: "Ports is an optional field that restricts 2205 the rule to only apply to traffic that has a source (destination) 2206 port that matches one of these ranges/values. This value 2207 is a list of integers or strings that represent ranges 2208 of ports. \n Since only some protocols have ports, if 2209 any ports are specified it requires the Protocol match 2210 in the Rule to be set to \"TCP\" or \"UDP\"." 2211 items: 2212 anyOf: 2213 - type: integer 2214 - type: string 2215 pattern: ^.* 2216 x-kubernetes-int-or-string: true 2217 type: array 2218 selector: 2219 description: "Selector is an optional field that contains 2220 a selector expression (see Policy for sample syntax). 2221 \ Only traffic that originates from (terminates at) endpoints 2222 matching the selector will be matched. \n Note that: in 2223 addition to the negated version of the Selector (see NotSelector 2224 below), the selector expression syntax itself supports 2225 negation. The two types of negation are subtly different. 2226 One negates the set of matched endpoints, the other negates 2227 the whole match: \n \tSelector = \"!has(my_label)\" matches 2228 packets that are from other Calico-controlled \tendpoints 2229 that do not have the label \"my_label\". \n \tNotSelector 2230 = \"has(my_label)\" matches packets that are not from 2231 Calico-controlled \tendpoints that do have the label \"my_label\". 
2232 \n The effect is that the latter will accept packets from 2233 non-Calico sources whereas the former is limited to packets 2234 from Calico-controlled endpoints." 2235 type: string 2236 serviceAccounts: 2237 description: ServiceAccounts is an optional field that restricts 2238 the rule to only apply to traffic that originates from 2239 (or terminates at) a pod running as a matching service 2240 account. 2241 properties: 2242 names: 2243 description: Names is an optional field that restricts 2244 the rule to only apply to traffic that originates 2245 from (or terminates at) a pod running as a service 2246 account whose name is in the list. 2247 items: 2248 type: string 2249 type: array 2250 selector: 2251 description: Selector is an optional field that restricts 2252 the rule to only apply to traffic that originates 2253 from (or terminates at) a pod running as a service 2254 account that matches the given label selector. If 2255 both Names and Selector are specified then they are 2256 AND'ed. 2257 type: string 2258 type: object 2259 services: 2260 description: "Services is an optional field that contains 2261 options for matching Kubernetes Services. If specified, 2262 only traffic that originates from or terminates at endpoints 2263 within the selected service(s) will be matched, and only 2264 to/from each endpoint's port. \n Services cannot be specified 2265 on the same rule as Selector, NotSelector, NamespaceSelector, 2266 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2267 can only be specified with Services on ingress rules." 2268 properties: 2269 name: 2270 description: Name specifies the name of a Kubernetes 2271 Service to match. 2272 type: string 2273 namespace: 2274 description: Namespace specifies the namespace of the 2275 given Service. If left empty, the rule will match 2276 within this policy's namespace. 
2277 type: string 2278 type: object 2279 type: object 2280 http: 2281 description: HTTP contains match criteria that apply to HTTP 2282 requests. 2283 properties: 2284 methods: 2285 description: Methods is an optional field that restricts 2286 the rule to apply only to HTTP requests that use one of 2287 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2288 methods are OR'd together. 2289 items: 2290 type: string 2291 type: array 2292 paths: 2293 description: 'Paths is an optional field that restricts 2294 the rule to apply to HTTP requests that use one of the 2295 listed HTTP Paths. Multiple paths are OR''d together. 2296 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2297 ONLY specify either a `exact` or a `prefix` match. The 2298 validator will check for it.' 2299 items: 2300 description: 'HTTPPath specifies an HTTP path to match. 2301 It may be either of the form: exact: <path>: which matches 2302 the path exactly or prefix: <path-prefix>: which matches 2303 the path prefix' 2304 properties: 2305 exact: 2306 type: string 2307 prefix: 2308 type: string 2309 type: object 2310 type: array 2311 type: object 2312 icmp: 2313 description: ICMP is an optional field that restricts the rule 2314 to apply to a specific type and code of ICMP traffic. This 2315 should only be specified if the Protocol field is set to "ICMP" 2316 or "ICMPv6". 2317 properties: 2318 code: 2319 description: Match on a specific ICMP code. If specified, 2320 the Type value must also be specified. This is a technical 2321 limitation imposed by the kernel's iptables firewall, 2322 which Calico uses to enforce the rule. 2323 type: integer 2324 type: 2325 description: Match on a specific ICMP type. For example 2326 a value of 8 refers to ICMP Echo Request (i.e. pings). 2327 type: integer 2328 type: object 2329 ipVersion: 2330 description: IPVersion is an optional field that restricts the 2331 rule to only match a specific IP version. 
2332 type: integer 2333 metadata: 2334 description: Metadata contains additional information for this 2335 rule 2336 properties: 2337 annotations: 2338 additionalProperties: 2339 type: string 2340 description: Annotations is a set of key value pairs that 2341 give extra information about the rule 2342 type: object 2343 type: object 2344 notICMP: 2345 description: NotICMP is the negated version of the ICMP field. 2346 properties: 2347 code: 2348 description: Match on a specific ICMP code. If specified, 2349 the Type value must also be specified. This is a technical 2350 limitation imposed by the kernel's iptables firewall, 2351 which Calico uses to enforce the rule. 2352 type: integer 2353 type: 2354 description: Match on a specific ICMP type. For example 2355 a value of 8 refers to ICMP Echo Request (i.e. pings). 2356 type: integer 2357 type: object 2358 notProtocol: 2359 anyOf: 2360 - type: integer 2361 - type: string 2362 description: NotProtocol is the negated version of the Protocol 2363 field. 2364 pattern: ^.* 2365 x-kubernetes-int-or-string: true 2366 protocol: 2367 anyOf: 2368 - type: integer 2369 - type: string 2370 description: "Protocol is an optional field that restricts the 2371 rule to only apply to traffic of a specific IP protocol. Required 2372 if any of the EntityRules contain Ports (because ports only 2373 apply to certain protocols). \n Must be one of these string 2374 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2375 \"UDPLite\" or an integer in the range 1-255." 2376 pattern: ^.* 2377 x-kubernetes-int-or-string: true 2378 source: 2379 description: Source contains the match criteria that apply to 2380 source entity. 2381 properties: 2382 namespaceSelector: 2383 description: "NamespaceSelector is an optional field that 2384 contains a selector expression. Only traffic that originates 2385 from (or terminates at) endpoints within the selected 2386 namespaces will be matched. 
When both NamespaceSelector 2387 and another selector are defined on the same rule, then 2388 only workload endpoints that are matched by both selectors 2389 will be selected by the rule. \n For NetworkPolicy, an 2390 empty NamespaceSelector implies that the Selector is limited 2391 to selecting only workload endpoints in the same namespace 2392 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2393 NamespaceSelector implies that the Selector is limited 2394 to selecting only GlobalNetworkSet or HostEndpoint. \n 2395 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2396 the Selector applies to workload endpoints across all 2397 namespaces." 2398 type: string 2399 nets: 2400 description: Nets is an optional field that restricts the 2401 rule to only apply to traffic that originates from (or 2402 terminates at) IP addresses in any of the given subnets. 2403 items: 2404 type: string 2405 type: array 2406 notNets: 2407 description: NotNets is the negated version of the Nets 2408 field. 2409 items: 2410 type: string 2411 type: array 2412 notPorts: 2413 description: NotPorts is the negated version of the Ports 2414 field. Since only some protocols have ports, if any ports 2415 are specified it requires the Protocol match in the Rule 2416 to be set to "TCP" or "UDP". 2417 items: 2418 anyOf: 2419 - type: integer 2420 - type: string 2421 pattern: ^.* 2422 x-kubernetes-int-or-string: true 2423 type: array 2424 notSelector: 2425 description: NotSelector is the negated version of the Selector 2426 field. See Selector field for subtleties with negated 2427 selectors. 2428 type: string 2429 ports: 2430 description: "Ports is an optional field that restricts 2431 the rule to only apply to traffic that has a source (destination) 2432 port that matches one of these ranges/values. This value 2433 is a list of integers or strings that represent ranges 2434 of ports. 
\n Since only some protocols have ports, if 2435 any ports are specified it requires the Protocol match 2436 in the Rule to be set to \"TCP\" or \"UDP\"." 2437 items: 2438 anyOf: 2439 - type: integer 2440 - type: string 2441 pattern: ^.* 2442 x-kubernetes-int-or-string: true 2443 type: array 2444 selector: 2445 description: "Selector is an optional field that contains 2446 a selector expression (see Policy for sample syntax). 2447 \ Only traffic that originates from (terminates at) endpoints 2448 matching the selector will be matched. \n Note that: in 2449 addition to the negated version of the Selector (see NotSelector 2450 below), the selector expression syntax itself supports 2451 negation. The two types of negation are subtly different. 2452 One negates the set of matched endpoints, the other negates 2453 the whole match: \n \tSelector = \"!has(my_label)\" matches 2454 packets that are from other Calico-controlled \tendpoints 2455 that do not have the label \"my_label\". \n \tNotSelector 2456 = \"has(my_label)\" matches packets that are not from 2457 Calico-controlled \tendpoints that do have the label \"my_label\". 2458 \n The effect is that the latter will accept packets from 2459 non-Calico sources whereas the former is limited to packets 2460 from Calico-controlled endpoints." 2461 type: string 2462 serviceAccounts: 2463 description: ServiceAccounts is an optional field that restricts 2464 the rule to only apply to traffic that originates from 2465 (or terminates at) a pod running as a matching service 2466 account. 2467 properties: 2468 names: 2469 description: Names is an optional field that restricts 2470 the rule to only apply to traffic that originates 2471 from (or terminates at) a pod running as a service 2472 account whose name is in the list. 
2473 items: 2474 type: string 2475 type: array 2476 selector: 2477 description: Selector is an optional field that restricts 2478 the rule to only apply to traffic that originates 2479 from (or terminates at) a pod running as a service 2480 account that matches the given label selector. If 2481 both Names and Selector are specified then they are 2482 AND'ed. 2483 type: string 2484 type: object 2485 services: 2486 description: "Services is an optional field that contains 2487 options for matching Kubernetes Services. If specified, 2488 only traffic that originates from or terminates at endpoints 2489 within the selected service(s) will be matched, and only 2490 to/from each endpoint's port. \n Services cannot be specified 2491 on the same rule as Selector, NotSelector, NamespaceSelector, 2492 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2493 can only be specified with Services on ingress rules." 2494 properties: 2495 name: 2496 description: Name specifies the name of a Kubernetes 2497 Service to match. 2498 type: string 2499 namespace: 2500 description: Namespace specifies the namespace of the 2501 given Service. If left empty, the rule will match 2502 within this policy's namespace. 2503 type: string 2504 type: object 2505 type: object 2506 required: 2507 - action 2508 type: object 2509 type: array 2510 namespaceSelector: 2511 description: NamespaceSelector is an optional field for an expression 2512 used to select a pod based on namespaces. 2513 type: string 2514 order: 2515 description: Order is an optional field that specifies the order in 2516 which the policy is applied. Policies with higher "order" are applied 2517 after those with lower order. If the order is omitted, it may be 2518 considered to be "infinite" - i.e. the policy will be applied last. Policies 2519 with identical order will be applied in alphanumerical order based 2520 on the Policy "Name". 
2521 type: number 2522 preDNAT: 2523 description: PreDNAT indicates to apply the rules in this policy before 2524 any DNAT. 2525 type: boolean 2526 selector: 2527 description: "The selector is an expression used to pick out 2528 the endpoints that the policy should be applied to. \n Selector 2529 expressions follow this syntax: \n \tlabel == \"string_literal\" 2530 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2531 \ -> not equal; also matches if label is not present \tlabel in 2532 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2533 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2534 ... } -> true if the value of label X is not one of \"a\", \"b\", 2535 \"c\" \thas(label_name) -> True if that label is present \t! expr 2536 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2537 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2538 or the empty selector -> matches all endpoints. \n Label names are 2539 allowed to contain alphanumerics, -, _ and /. String literals are 2540 more permissive but they do not support escape characters. \n Examples 2541 (with made-up labels): \n \ttype == \"webserver\" && deployment 2542 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2543 \"dev\" \t! has(label_name)" 2544 type: string 2545 serviceAccountSelector: 2546 description: ServiceAccountSelector is an optional field for an expression 2547 used to select a pod based on service accounts. 2548 type: string 2549 types: 2550 description: "Types indicates whether this policy applies to ingress, 2551 or to egress, or to both. When not explicitly specified (and so 2552 the value on creation is empty or nil), Calico defaults Types according 2553 to what Ingress and Egress rules are present in the policy. 
The 2554 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2555 (including the case where there are also no Ingress rules) \n 2556 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2557 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2558 both Ingress and Egress rules. \n When the policy is read back again, 2559 Types will always be one of these values, never empty or nil." 2560 items: 2561 description: PolicyType enumerates the possible values of the PolicySpec 2562 Types field. 2563 type: string 2564 type: array 2565 type: object 2566 type: object 2567 served: true 2568 storage: true 2569 status: 2570 acceptedNames: 2571 kind: "" 2572 plural: "" 2573 conditions: [] 2574 storedVersions: [] 2575 --- 2576 # Source: calico/templates/kdd-crds.yaml 2577 apiVersion: apiextensions.k8s.io/v1 2578 kind: CustomResourceDefinition 2579 metadata: 2580 name: globalnetworksets.crd.projectcalico.org 2581 spec: 2582 group: crd.projectcalico.org 2583 names: 2584 kind: GlobalNetworkSet 2585 listKind: GlobalNetworkSetList 2586 plural: globalnetworksets 2587 singular: globalnetworkset 2588 preserveUnknownFields: false 2589 scope: Cluster 2590 versions: 2591 - name: v1 2592 schema: 2593 openAPIV3Schema: 2594 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2595 that share labels to allow rules to refer to them via selectors. The labels 2596 of GlobalNetworkSet are not namespaced. 2597 properties: 2598 apiVersion: 2599 description: 'APIVersion defines the versioned schema of this representation 2600 of an object. Servers should convert recognized schemas to the latest 2601 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2602 type: string 2603 kind: 2604 description: 'Kind is a string value representing the REST resource this 2605 object represents. 
Servers may infer this from the endpoint the client 2606 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2607 type: string 2608 metadata: 2609 type: object 2610 spec: 2611 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2612 resource. 2613 properties: 2614 nets: 2615 description: The list of IP networks that belong to this set. 2616 items: 2617 type: string 2618 type: array 2619 type: object 2620 type: object 2621 served: true 2622 storage: true 2623 status: 2624 acceptedNames: 2625 kind: "" 2626 plural: "" 2627 conditions: [] 2628 storedVersions: [] 2629 --- 2630 # Source: calico/templates/kdd-crds.yaml 2631 apiVersion: apiextensions.k8s.io/v1 2632 kind: CustomResourceDefinition 2633 metadata: 2634 name: hostendpoints.crd.projectcalico.org 2635 spec: 2636 group: crd.projectcalico.org 2637 names: 2638 kind: HostEndpoint 2639 listKind: HostEndpointList 2640 plural: hostendpoints 2641 singular: hostendpoint 2642 preserveUnknownFields: false 2643 scope: Cluster 2644 versions: 2645 - name: v1 2646 schema: 2647 openAPIV3Schema: 2648 properties: 2649 apiVersion: 2650 description: 'APIVersion defines the versioned schema of this representation 2651 of an object. Servers should convert recognized schemas to the latest 2652 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2653 type: string 2654 kind: 2655 description: 'Kind is a string value representing the REST resource this 2656 object represents. Servers may infer this from the endpoint the client 2657 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2658 type: string 2659 metadata: 2660 type: object 2661 spec: 2662 description: HostEndpointSpec contains the specification for a HostEndpoint 2663 resource. 2664 properties: 2665 expectedIPs: 2666 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2667 If \"InterfaceName\" is not present, Calico will look for an interface 2668 matching any of the IPs in the list and apply policy to that. Note: 2669 \tWhen using the selector match criteria in an ingress or egress 2670 security Policy \tor Profile, Calico converts the selector into 2671 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 2672 is used for that purpose. (If only the interface \tname is specified, 2673 Calico does not learn the IPs of the interface for use in match 2674 \tcriteria.)" 2675 items: 2676 type: string 2677 type: array 2678 interfaceName: 2679 description: "Either \"*\", or the name of a specific Linux interface 2680 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2681 governs all traffic to, from or through the default network namespace 2682 of the host named by the \"Node\" field; entering and leaving that 2683 namespace via any interface, including those from/to non-host-networked 2684 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2685 only governs traffic that enters or leaves the host through the 2686 specific interface named by InterfaceName, or - when InterfaceName 2687 is empty - through the specific interface that has one of the IPs 2688 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2689 one expected IP must be specified. Only external interfaces (such 2690 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2691 to protect traffic through a specific local workload interface. 
2692 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2693 initially just pre-DNAT policy. Please check Calico documentation 2694 for the latest position." 2695 type: string 2696 node: 2697 description: The node name identifying the Calico node instance. 2698 type: string 2699 ports: 2700 description: Ports contains the endpoint's named ports, which may 2701 be referenced in security policy rules. 2702 items: 2703 properties: 2704 name: 2705 type: string 2706 port: 2707 type: integer 2708 protocol: 2709 anyOf: 2710 - type: integer 2711 - type: string 2712 pattern: ^.* 2713 x-kubernetes-int-or-string: true 2714 required: 2715 - name 2716 - port 2717 - protocol 2718 type: object 2719 type: array 2720 profiles: 2721 description: A list of identifiers of security Profile objects that 2722 apply to this endpoint. Each profile is applied in the order that 2723 they appear in this list. Profile rules are applied after the selector-based 2724 security policy. 2725 items: 2726 type: string 2727 type: array 2728 type: object 2729 type: object 2730 served: true 2731 storage: true 2732 status: 2733 acceptedNames: 2734 kind: "" 2735 plural: "" 2736 conditions: [] 2737 storedVersions: [] 2738 --- 2739 # Source: calico/templates/kdd-crds.yaml 2740 apiVersion: apiextensions.k8s.io/v1 2741 kind: CustomResourceDefinition 2742 metadata: 2743 name: ipamblocks.crd.projectcalico.org 2744 spec: 2745 group: crd.projectcalico.org 2746 names: 2747 kind: IPAMBlock 2748 listKind: IPAMBlockList 2749 plural: ipamblocks 2750 singular: ipamblock 2751 preserveUnknownFields: false 2752 scope: Cluster 2753 versions: 2754 - name: v1 2755 schema: 2756 openAPIV3Schema: 2757 properties: 2758 apiVersion: 2759 description: 'APIVersion defines the versioned schema of this representation 2760 of an object. Servers should convert recognized schemas to the latest 2761 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2762 type: string 2763 kind: 2764 description: 'Kind is a string value representing the REST resource this 2765 object represents. Servers may infer this from the endpoint the client 2766 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2767 type: string 2768 metadata: 2769 type: object 2770 spec: 2771 description: IPAMBlockSpec contains the specification for an IPAMBlock 2772 resource. 2773 properties: 2774 affinity: 2775 description: Affinity of the block, if this block has one. If set, 2776 it will be of the form "host:<hostname>". If not set, this block 2777 is not affine to a host. 2778 type: string 2779 allocations: 2780 description: Array of allocations in-use within this block. nil entries 2781 mean the allocation is free. For non-nil entries at index i, the 2782 index is the ordinal of the allocation within this block and the 2783 value is the index of the associated attributes in the Attributes 2784 array. 2785 items: 2786 type: integer 2787 # TODO: This nullable is manually added in. We should update controller-gen 2788 # to handle []*int properly itself. 2789 nullable: true 2790 type: array 2791 attributes: 2792 description: Attributes is an array of arbitrary metadata associated 2793 with allocations in the block. To find attributes for a given allocation, 2794 use the value of the allocation's entry in the Allocations array 2795 as the index of the element in this array. 2796 items: 2797 properties: 2798 handle_id: 2799 type: string 2800 secondary: 2801 additionalProperties: 2802 type: string 2803 type: object 2804 type: object 2805 type: array 2806 cidr: 2807 description: The block's CIDR. 
2808 type: string 2809 deleted: 2810 description: Deleted is an internal boolean used to workaround a limitation 2811 in the Kubernetes API whereby deletion will not return a conflict 2812 error if the block has been updated. It should not be set manually. 2813 type: boolean 2814 sequenceNumber: 2815 default: 0 2816 description: We store a sequence number that is updated each time 2817 the block is written. Each allocation will also store the sequence 2818 number of the block at the time of its creation. When releasing 2819 an IP, passing the sequence number associated with the allocation 2820 allows us to protect against a race condition and ensure the IP 2821 hasn't been released and re-allocated since the release request. 2822 format: int64 2823 type: integer 2824 sequenceNumberForAllocation: 2825 additionalProperties: 2826 format: int64 2827 type: integer 2828 description: Map of allocated ordinal within the block to sequence 2829 number of the block at the time of allocation. Kubernetes does not 2830 allow numerical keys for maps, so the key is cast to a string. 2831 type: object 2832 strictAffinity: 2833 description: StrictAffinity on the IPAMBlock is deprecated and no 2834 longer used by the code. Use IPAMConfig StrictAffinity instead. 2835 type: boolean 2836 unallocated: 2837 description: Unallocated is an ordered list of allocations which are 2838 free in the block. 
2839 items: 2840 type: integer 2841 type: array 2842 required: 2843 - allocations 2844 - attributes 2845 - cidr 2846 - strictAffinity 2847 - unallocated 2848 type: object 2849 type: object 2850 served: true 2851 storage: true 2852 status: 2853 acceptedNames: 2854 kind: "" 2855 plural: "" 2856 conditions: [] 2857 storedVersions: [] 2858 --- 2859 # Source: calico/templates/kdd-crds.yaml 2860 apiVersion: apiextensions.k8s.io/v1 2861 kind: CustomResourceDefinition 2862 metadata: 2863 name: ipamconfigs.crd.projectcalico.org 2864 spec: 2865 group: crd.projectcalico.org 2866 names: 2867 kind: IPAMConfig 2868 listKind: IPAMConfigList 2869 plural: ipamconfigs 2870 singular: ipamconfig 2871 preserveUnknownFields: false 2872 scope: Cluster 2873 versions: 2874 - name: v1 2875 schema: 2876 openAPIV3Schema: 2877 properties: 2878 apiVersion: 2879 description: 'APIVersion defines the versioned schema of this representation 2880 of an object. Servers should convert recognized schemas to the latest 2881 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2882 type: string 2883 kind: 2884 description: 'Kind is a string value representing the REST resource this 2885 object represents. Servers may infer this from the endpoint the client 2886 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2887 type: string 2888 metadata: 2889 type: object 2890 spec: 2891 description: IPAMConfigSpec contains the specification for an IPAMConfig 2892 resource. 2893 properties: 2894 autoAllocateBlocks: 2895 type: boolean 2896 maxBlocksPerHost: 2897 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 2898 that can be affine to each host. 
2899 maximum: 2147483647 2900 minimum: 0 2901 type: integer 2902 strictAffinity: 2903 type: boolean 2904 required: 2905 - autoAllocateBlocks 2906 - strictAffinity 2907 type: object 2908 type: object 2909 served: true 2910 storage: true 2911 status: 2912 acceptedNames: 2913 kind: "" 2914 plural: "" 2915 conditions: [] 2916 storedVersions: [] 2917 --- 2918 # Source: calico/templates/kdd-crds.yaml 2919 apiVersion: apiextensions.k8s.io/v1 2920 kind: CustomResourceDefinition 2921 metadata: 2922 name: ipamhandles.crd.projectcalico.org 2923 spec: 2924 group: crd.projectcalico.org 2925 names: 2926 kind: IPAMHandle 2927 listKind: IPAMHandleList 2928 plural: ipamhandles 2929 singular: ipamhandle 2930 preserveUnknownFields: false 2931 scope: Cluster 2932 versions: 2933 - name: v1 2934 schema: 2935 openAPIV3Schema: 2936 properties: 2937 apiVersion: 2938 description: 'APIVersion defines the versioned schema of this representation 2939 of an object. Servers should convert recognized schemas to the latest 2940 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2941 type: string 2942 kind: 2943 description: 'Kind is a string value representing the REST resource this 2944 object represents. Servers may infer this from the endpoint the client 2945 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2946 type: string 2947 metadata: 2948 type: object 2949 spec: 2950 description: IPAMHandleSpec contains the specification for an IPAMHandle 2951 resource. 
2952 properties: 2953 block: 2954 additionalProperties: 2955 type: integer 2956 type: object 2957 deleted: 2958 type: boolean 2959 handleID: 2960 type: string 2961 required: 2962 - block 2963 - handleID 2964 type: object 2965 type: object 2966 served: true 2967 storage: true 2968 status: 2969 acceptedNames: 2970 kind: "" 2971 plural: "" 2972 conditions: [] 2973 storedVersions: [] 2974 --- 2975 # Source: calico/templates/kdd-crds.yaml 2976 apiVersion: apiextensions.k8s.io/v1 2977 kind: CustomResourceDefinition 2978 metadata: 2979 name: ippools.crd.projectcalico.org 2980 spec: 2981 group: crd.projectcalico.org 2982 names: 2983 kind: IPPool 2984 listKind: IPPoolList 2985 plural: ippools 2986 singular: ippool 2987 preserveUnknownFields: false 2988 scope: Cluster 2989 versions: 2990 - name: v1 2991 schema: 2992 openAPIV3Schema: 2993 properties: 2994 apiVersion: 2995 description: 'APIVersion defines the versioned schema of this representation 2996 of an object. Servers should convert recognized schemas to the latest 2997 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2998 type: string 2999 kind: 3000 description: 'Kind is a string value representing the REST resource this 3001 object represents. Servers may infer this from the endpoint the client 3002 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3003 type: string 3004 metadata: 3005 type: object 3006 spec: 3007 description: IPPoolSpec contains the specification for an IPPool resource. 3008 properties: 3009 allowedUses: 3010 description: AllowedUse controls what the IP pool will be used for. 
If 3011 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 3012 items: 3013 type: string 3014 type: array 3015 blockSize: 3016 description: The block size to use for IP address assignments from 3017 this pool. Defaults to 26 for IPv4 and 122 for IPv6. 3018 type: integer 3019 cidr: 3020 description: The pool CIDR. 3021 type: string 3022 disableBGPExport: 3023 description: 'Disable exporting routes from this IP Pool''s CIDR over 3024 BGP. [Default: false]' 3025 type: boolean 3026 disabled: 3027 description: When disabled is true, Calico IPAM will not assign addresses 3028 from this pool. 3029 type: boolean 3030 ipip: 3031 description: 'Deprecated: this field is only used for APIv1 backwards 3032 compatibility. Setting this field is not allowed, this field is 3033 for internal use only.' 3034 properties: 3035 enabled: 3036 description: When enabled is true, ipip tunneling will be used 3037 to deliver packets to destinations within this pool. 3038 type: boolean 3039 mode: 3040 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 3041 mode of "always" will also use IPIP tunneling for routing to 3042 destination IP addresses within this pool. A mode of "cross-subnet" 3043 will only use IPIP tunneling when the destination node is on 3044 a different subnet to the originating node. The default value 3045 (if not specified) is "always". 3046 type: string 3047 type: object 3048 ipipMode: 3049 description: Contains configuration for IPIP tunneling for this pool. 3050 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 3051 is disabled). 3052 type: string 3053 nat-outgoing: 3054 description: 'Deprecated: this field is only used for APIv1 backwards 3055 compatibility. Setting this field is not allowed, this field is 3056 for internal use only.' 
3057 type: boolean 3058 natOutgoing: 3059 description: When natOutgoing is true, packets sent from Calico networked 3060 containers in this pool to destinations outside of this pool will 3061 be masqueraded. 3062 type: boolean 3063 nodeSelector: 3064 description: Allows IPPool to allocate for a specific node by label 3065 selector. 3066 type: string 3067 vxlanMode: 3068 description: Contains configuration for VXLAN tunneling for this pool. 3069 If not specified, then this is defaulted to "Never" (i.e. VXLAN 3070 tunneling is disabled). 3071 type: string 3072 required: 3073 - cidr 3074 type: object 3075 type: object 3076 served: true 3077 storage: true 3078 status: 3079 acceptedNames: 3080 kind: "" 3081 plural: "" 3082 conditions: [] 3083 storedVersions: [] 3084 --- 3085 # Source: calico/templates/kdd-crds.yaml 3086 apiVersion: apiextensions.k8s.io/v1 3087 kind: CustomResourceDefinition 3088 metadata: 3089 annotations: 3090 controller-gen.kubebuilder.io/version: (devel) 3091 creationTimestamp: null 3092 name: ipreservations.crd.projectcalico.org 3093 spec: 3094 group: crd.projectcalico.org 3095 names: 3096 kind: IPReservation 3097 listKind: IPReservationList 3098 plural: ipreservations 3099 singular: ipreservation 3100 preserveUnknownFields: false 3101 scope: Cluster 3102 versions: 3103 - name: v1 3104 schema: 3105 openAPIV3Schema: 3106 properties: 3107 apiVersion: 3108 description: 'APIVersion defines the versioned schema of this representation 3109 of an object. Servers should convert recognized schemas to the latest 3110 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3111 type: string 3112 kind: 3113 description: 'Kind is a string value representing the REST resource this 3114 object represents. Servers may infer this from the endpoint the client 3115 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3116 type: string 3117 metadata: 3118 type: object 3119 spec: 3120 description: IPReservationSpec contains the specification for an IPReservation 3121 resource. 3122 properties: 3123 reservedCIDRs: 3124 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 3125 that Calico IPAM will exclude from new allocations. 3126 items: 3127 type: string 3128 type: array 3129 type: object 3130 type: object 3131 served: true 3132 storage: true 3133 status: 3134 acceptedNames: 3135 kind: "" 3136 plural: "" 3137 conditions: [] 3138 storedVersions: [] 3139 --- 3140 # Source: calico/templates/kdd-crds.yaml 3141 apiVersion: apiextensions.k8s.io/v1 3142 kind: CustomResourceDefinition 3143 metadata: 3144 name: kubecontrollersconfigurations.crd.projectcalico.org 3145 spec: 3146 group: crd.projectcalico.org 3147 names: 3148 kind: KubeControllersConfiguration 3149 listKind: KubeControllersConfigurationList 3150 plural: kubecontrollersconfigurations 3151 singular: kubecontrollersconfiguration 3152 preserveUnknownFields: false 3153 scope: Cluster 3154 versions: 3155 - name: v1 3156 schema: 3157 openAPIV3Schema: 3158 properties: 3159 apiVersion: 3160 description: 'APIVersion defines the versioned schema of this representation 3161 of an object. Servers should convert recognized schemas to the latest 3162 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3163 type: string 3164 kind: 3165 description: 'Kind is a string value representing the REST resource this 3166 object represents. Servers may infer this from the endpoint the client 3167 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3168 type: string 3169 metadata: 3170 type: object 3171 spec: 3172 description: KubeControllersConfigurationSpec contains the values of the 3173 Kubernetes controllers configuration. 3174 properties: 3175 controllers: 3176 description: Controllers enables and configures individual Kubernetes 3177 controllers 3178 properties: 3179 namespace: 3180 description: Namespace enables and configures the namespace controller. 3181 Enabled by default, set to nil to disable. 3182 properties: 3183 reconcilerPeriod: 3184 description: 'ReconcilerPeriod is the period to perform reconciliation 3185 with the Calico datastore. [Default: 5m]' 3186 type: string 3187 type: object 3188 node: 3189 description: Node enables and configures the node controller. 3190 Enabled by default, set to nil to disable. 3191 properties: 3192 hostEndpoint: 3193 description: HostEndpoint controls syncing nodes to host endpoints. 3194 Disabled by default, set to nil to disable. 3195 properties: 3196 autoCreate: 3197 description: 'AutoCreate enables automatic creation of 3198 host endpoints for every node. [Default: Disabled]' 3199 type: string 3200 type: object 3201 leakGracePeriod: 3202 description: 'LeakGracePeriod is the period used by the controller 3203 to determine if an IP address has been leaked. Set to 0 3204 to disable IP garbage collection. [Default: 15m]' 3205 type: string 3206 reconcilerPeriod: 3207 description: 'ReconcilerPeriod is the period to perform reconciliation 3208 with the Calico datastore. [Default: 5m]' 3209 type: string 3210 syncLabels: 3211 description: 'SyncLabels controls whether to copy Kubernetes 3212 node labels to Calico nodes. [Default: Enabled]' 3213 type: string 3214 type: object 3215 policy: 3216 description: Policy enables and configures the policy controller. 3217 Enabled by default, set to nil to disable. 
3218 properties: 3219 reconcilerPeriod: 3220 description: 'ReconcilerPeriod is the period to perform reconciliation 3221 with the Calico datastore. [Default: 5m]' 3222 type: string 3223 type: object 3224 serviceAccount: 3225 description: ServiceAccount enables and configures the service 3226 account controller. Enabled by default, set to nil to disable. 3227 properties: 3228 reconcilerPeriod: 3229 description: 'ReconcilerPeriod is the period to perform reconciliation 3230 with the Calico datastore. [Default: 5m]' 3231 type: string 3232 type: object 3233 workloadEndpoint: 3234 description: WorkloadEndpoint enables and configures the workload 3235 endpoint controller. Enabled by default, set to nil to disable. 3236 properties: 3237 reconcilerPeriod: 3238 description: 'ReconcilerPeriod is the period to perform reconciliation 3239 with the Calico datastore. [Default: 5m]' 3240 type: string 3241 type: object 3242 type: object 3243 debugProfilePort: 3244 description: DebugProfilePort configures the port to serve memory 3245 and cpu profiles on. If not specified, profiling is disabled. 3246 format: int32 3247 type: integer 3248 etcdV3CompactionPeriod: 3249 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3250 compaction requests. Set to 0 to disable. [Default: 10m]' 3251 type: string 3252 healthChecks: 3253 description: 'HealthChecks enables or disables support for health 3254 checks [Default: Enabled]' 3255 type: string 3256 logSeverityScreen: 3257 description: 'LogSeverityScreen is the log severity above which logs 3258 are sent to the stdout. [Default: Info]' 3259 type: string 3260 prometheusMetricsPort: 3261 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3262 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 3263 type: integer 3264 required: 3265 - controllers 3266 type: object 3267 status: 3268 description: KubeControllersConfigurationStatus represents the status 3269 of the configuration. 
It's useful for admins to be able to see the actual 3270 config that was applied, which can be modified by environment variables 3271 on the kube-controllers process. 3272 properties: 3273 environmentVars: 3274 additionalProperties: 3275 type: string 3276 description: EnvironmentVars contains the environment variables on 3277 the kube-controllers that influenced the RunningConfig. 3278 type: object 3279 runningConfig: 3280 description: RunningConfig contains the effective config that is running 3281 in the kube-controllers pod, after merging the API resource with 3282 any environment variables. 3283 properties: 3284 controllers: 3285 description: Controllers enables and configures individual Kubernetes 3286 controllers 3287 properties: 3288 namespace: 3289 description: Namespace enables and configures the namespace 3290 controller. Enabled by default, set to nil to disable. 3291 properties: 3292 reconcilerPeriod: 3293 description: 'ReconcilerPeriod is the period to perform 3294 reconciliation with the Calico datastore. [Default: 3295 5m]' 3296 type: string 3297 type: object 3298 node: 3299 description: Node enables and configures the node controller. 3300 Enabled by default, set to nil to disable. 3301 properties: 3302 hostEndpoint: 3303 description: HostEndpoint controls syncing nodes to host 3304 endpoints. Disabled by default, set to nil to disable. 3305 properties: 3306 autoCreate: 3307 description: 'AutoCreate enables automatic creation 3308 of host endpoints for every node. [Default: Disabled]' 3309 type: string 3310 type: object 3311 leakGracePeriod: 3312 description: 'LeakGracePeriod is the period used by the 3313 controller to determine if an IP address has been leaked. 3314 Set to 0 to disable IP garbage collection. [Default: 3315 15m]' 3316 type: string 3317 reconcilerPeriod: 3318 description: 'ReconcilerPeriod is the period to perform 3319 reconciliation with the Calico datastore. 
[Default: 3320 5m]' 3321 type: string 3322 syncLabels: 3323 description: 'SyncLabels controls whether to copy Kubernetes 3324 node labels to Calico nodes. [Default: Enabled]' 3325 type: string 3326 type: object 3327 policy: 3328 description: Policy enables and configures the policy controller. 3329 Enabled by default, set to nil to disable. 3330 properties: 3331 reconcilerPeriod: 3332 description: 'ReconcilerPeriod is the period to perform 3333 reconciliation with the Calico datastore. [Default: 3334 5m]' 3335 type: string 3336 type: object 3337 serviceAccount: 3338 description: ServiceAccount enables and configures the service 3339 account controller. Enabled by default, set to nil to disable. 3340 properties: 3341 reconcilerPeriod: 3342 description: 'ReconcilerPeriod is the period to perform 3343 reconciliation with the Calico datastore. [Default: 3344 5m]' 3345 type: string 3346 type: object 3347 workloadEndpoint: 3348 description: WorkloadEndpoint enables and configures the workload 3349 endpoint controller. Enabled by default, set to nil to disable. 3350 properties: 3351 reconcilerPeriod: 3352 description: 'ReconcilerPeriod is the period to perform 3353 reconciliation with the Calico datastore. [Default: 3354 5m]' 3355 type: string 3356 type: object 3357 type: object 3358 debugProfilePort: 3359 description: DebugProfilePort configures the port to serve memory 3360 and cpu profiles on. If not specified, profiling is disabled. 3361 format: int32 3362 type: integer 3363 etcdV3CompactionPeriod: 3364 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3365 compaction requests. Set to 0 to disable. [Default: 10m]' 3366 type: string 3367 healthChecks: 3368 description: 'HealthChecks enables or disables support for health 3369 checks [Default: Enabled]' 3370 type: string 3371 logSeverityScreen: 3372 description: 'LogSeverityScreen is the log severity above which 3373 logs are sent to the stdout. 
[Default: Info]' 3374 type: string 3375 prometheusMetricsPort: 3376 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3377 metrics server should bind to. Set to 0 to disable. [Default: 3378 9094]' 3379 type: integer 3380 required: 3381 - controllers 3382 type: object 3383 type: object 3384 type: object 3385 served: true 3386 storage: true 3387 status: 3388 acceptedNames: 3389 kind: "" 3390 plural: "" 3391 conditions: [] 3392 storedVersions: [] 3393 --- 3394 # Source: calico/templates/kdd-crds.yaml 3395 apiVersion: apiextensions.k8s.io/v1 3396 kind: CustomResourceDefinition 3397 metadata: 3398 name: networkpolicies.crd.projectcalico.org 3399 spec: 3400 group: crd.projectcalico.org 3401 names: 3402 kind: NetworkPolicy 3403 listKind: NetworkPolicyList 3404 plural: networkpolicies 3405 singular: networkpolicy 3406 preserveUnknownFields: false 3407 scope: Namespaced 3408 versions: 3409 - name: v1 3410 schema: 3411 openAPIV3Schema: 3412 properties: 3413 apiVersion: 3414 description: 'APIVersion defines the versioned schema of this representation 3415 of an object. Servers should convert recognized schemas to the latest 3416 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3417 type: string 3418 kind: 3419 description: 'Kind is a string value representing the REST resource this 3420 object represents. Servers may infer this from the endpoint the client 3421 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3422 type: string 3423 metadata: 3424 type: object 3425 spec: 3426 properties: 3427 egress: 3428 description: The ordered set of egress rules. Each rule contains 3429 a set of packet match criteria and a corresponding action to apply. 3430 items: 3431 description: "A Rule encapsulates a set of match criteria and an 3432 action. 
Both selector-based security Policy and security Profiles 3433 reference rules - separated out as a list of rules for both ingress 3434 and egress packet matching. \n Each positive match criteria has 3435 a negated version, prefixed with \"Not\". All the match criteria 3436 within a rule must be satisfied for a packet to match. A single 3437 rule can contain the positive and negative version of a match 3438 and both must be satisfied for the rule to match." 3439 properties: 3440 action: 3441 type: string 3442 destination: 3443 description: Destination contains the match criteria that apply 3444 to destination entity. 3445 properties: 3446 namespaceSelector: 3447 description: "NamespaceSelector is an optional field that 3448 contains a selector expression. Only traffic that originates 3449 from (or terminates at) endpoints within the selected 3450 namespaces will be matched. When both NamespaceSelector 3451 and another selector are defined on the same rule, then 3452 only workload endpoints that are matched by both selectors 3453 will be selected by the rule. \n For NetworkPolicy, an 3454 empty NamespaceSelector implies that the Selector is limited 3455 to selecting only workload endpoints in the same namespace 3456 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3457 NamespaceSelector implies that the Selector is limited 3458 to selecting only GlobalNetworkSet or HostEndpoint. \n 3459 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3460 the Selector applies to workload endpoints across all 3461 namespaces." 3462 type: string 3463 nets: 3464 description: Nets is an optional field that restricts the 3465 rule to only apply to traffic that originates from (or 3466 terminates at) IP addresses in any of the given subnets. 3467 items: 3468 type: string 3469 type: array 3470 notNets: 3471 description: NotNets is the negated version of the Nets 3472 field. 
3473 items: 3474 type: string 3475 type: array 3476 notPorts: 3477 description: NotPorts is the negated version of the Ports 3478 field. Since only some protocols have ports, if any ports 3479 are specified it requires the Protocol match in the Rule 3480 to be set to "TCP" or "UDP". 3481 items: 3482 anyOf: 3483 - type: integer 3484 - type: string 3485 pattern: ^.* 3486 x-kubernetes-int-or-string: true 3487 type: array 3488 notSelector: 3489 description: NotSelector is the negated version of the Selector 3490 field. See Selector field for subtleties with negated 3491 selectors. 3492 type: string 3493 ports: 3494 description: "Ports is an optional field that restricts 3495 the rule to only apply to traffic that has a source (destination) 3496 port that matches one of these ranges/values. This value 3497 is a list of integers or strings that represent ranges 3498 of ports. \n Since only some protocols have ports, if 3499 any ports are specified it requires the Protocol match 3500 in the Rule to be set to \"TCP\" or \"UDP\"." 3501 items: 3502 anyOf: 3503 - type: integer 3504 - type: string 3505 pattern: ^.* 3506 x-kubernetes-int-or-string: true 3507 type: array 3508 selector: 3509 description: "Selector is an optional field that contains 3510 a selector expression (see Policy for sample syntax). 3511 \ Only traffic that originates from (terminates at) endpoints 3512 matching the selector will be matched. \n Note that: in 3513 addition to the negated version of the Selector (see NotSelector 3514 below), the selector expression syntax itself supports 3515 negation. The two types of negation are subtly different. 3516 One negates the set of matched endpoints, the other negates 3517 the whole match: \n \tSelector = \"!has(my_label)\" matches 3518 packets that are from other Calico-controlled \tendpoints 3519 that do not have the label \"my_label\". 
\n \tNotSelector 3520 = \"has(my_label)\" matches packets that are not from 3521 Calico-controlled \tendpoints that do have the label \"my_label\". 3522 \n The effect is that the latter will accept packets from 3523 non-Calico sources whereas the former is limited to packets 3524 from Calico-controlled endpoints." 3525 type: string 3526 serviceAccounts: 3527 description: ServiceAccounts is an optional field that restricts 3528 the rule to only apply to traffic that originates from 3529 (or terminates at) a pod running as a matching service 3530 account. 3531 properties: 3532 names: 3533 description: Names is an optional field that restricts 3534 the rule to only apply to traffic that originates 3535 from (or terminates at) a pod running as a service 3536 account whose name is in the list. 3537 items: 3538 type: string 3539 type: array 3540 selector: 3541 description: Selector is an optional field that restricts 3542 the rule to only apply to traffic that originates 3543 from (or terminates at) a pod running as a service 3544 account that matches the given label selector. If 3545 both Names and Selector are specified then they are 3546 AND'ed. 3547 type: string 3548 type: object 3549 services: 3550 description: "Services is an optional field that contains 3551 options for matching Kubernetes Services. If specified, 3552 only traffic that originates from or terminates at endpoints 3553 within the selected service(s) will be matched, and only 3554 to/from each endpoint's port. \n Services cannot be specified 3555 on the same rule as Selector, NotSelector, NamespaceSelector, 3556 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3557 can only be specified with Services on ingress rules." 3558 properties: 3559 name: 3560 description: Name specifies the name of a Kubernetes 3561 Service to match. 3562 type: string 3563 namespace: 3564 description: Namespace specifies the namespace of the 3565 given Service. 
If left empty, the rule will match 3566 within this policy's namespace. 3567 type: string 3568 type: object 3569 type: object 3570 http: 3571 description: HTTP contains match criteria that apply to HTTP 3572 requests. 3573 properties: 3574 methods: 3575 description: Methods is an optional field that restricts 3576 the rule to apply only to HTTP requests that use one of 3577 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3578 methods are OR'd together. 3579 items: 3580 type: string 3581 type: array 3582 paths: 3583 description: 'Paths is an optional field that restricts 3584 the rule to apply to HTTP requests that use one of the 3585 listed HTTP Paths. Multiple paths are OR''d together. 3586 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3587 ONLY specify either a `exact` or a `prefix` match. The 3588 validator will check for it.' 3589 items: 3590 description: 'HTTPPath specifies an HTTP path to match. 3591 It may be either of the form: exact: <path>: which matches 3592 the path exactly or prefix: <path-prefix>: which matches 3593 the path prefix' 3594 properties: 3595 exact: 3596 type: string 3597 prefix: 3598 type: string 3599 type: object 3600 type: array 3601 type: object 3602 icmp: 3603 description: ICMP is an optional field that restricts the rule 3604 to apply to a specific type and code of ICMP traffic. This 3605 should only be specified if the Protocol field is set to "ICMP" 3606 or "ICMPv6". 3607 properties: 3608 code: 3609 description: Match on a specific ICMP code. If specified, 3610 the Type value must also be specified. This is a technical 3611 limitation imposed by the kernel's iptables firewall, 3612 which Calico uses to enforce the rule. 3613 type: integer 3614 type: 3615 description: Match on a specific ICMP type. For example 3616 a value of 8 refers to ICMP Echo Request (i.e. pings). 
3617 type: integer 3618 type: object 3619 ipVersion: 3620 description: IPVersion is an optional field that restricts the 3621 rule to only match a specific IP version. 3622 type: integer 3623 metadata: 3624 description: Metadata contains additional information for this 3625 rule 3626 properties: 3627 annotations: 3628 additionalProperties: 3629 type: string 3630 description: Annotations is a set of key value pairs that 3631 give extra information about the rule 3632 type: object 3633 type: object 3634 notICMP: 3635 description: NotICMP is the negated version of the ICMP field. 3636 properties: 3637 code: 3638 description: Match on a specific ICMP code. If specified, 3639 the Type value must also be specified. This is a technical 3640 limitation imposed by the kernel's iptables firewall, 3641 which Calico uses to enforce the rule. 3642 type: integer 3643 type: 3644 description: Match on a specific ICMP type. For example 3645 a value of 8 refers to ICMP Echo Request (i.e. pings). 3646 type: integer 3647 type: object 3648 notProtocol: 3649 anyOf: 3650 - type: integer 3651 - type: string 3652 description: NotProtocol is the negated version of the Protocol 3653 field. 3654 pattern: ^.* 3655 x-kubernetes-int-or-string: true 3656 protocol: 3657 anyOf: 3658 - type: integer 3659 - type: string 3660 description: "Protocol is an optional field that restricts the 3661 rule to only apply to traffic of a specific IP protocol. Required 3662 if any of the EntityRules contain Ports (because ports only 3663 apply to certain protocols). \n Must be one of these string 3664 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3665 \"UDPLite\" or an integer in the range 1-255." 3666 pattern: ^.* 3667 x-kubernetes-int-or-string: true 3668 source: 3669 description: Source contains the match criteria that apply to 3670 source entity. 3671 properties: 3672 namespaceSelector: 3673 description: "NamespaceSelector is an optional field that 3674 contains a selector expression. 
Only traffic that originates 3675 from (or terminates at) endpoints within the selected 3676 namespaces will be matched. When both NamespaceSelector 3677 and another selector are defined on the same rule, then 3678 only workload endpoints that are matched by both selectors 3679 will be selected by the rule. \n For NetworkPolicy, an 3680 empty NamespaceSelector implies that the Selector is limited 3681 to selecting only workload endpoints in the same namespace 3682 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3683 NamespaceSelector implies that the Selector is limited 3684 to selecting only GlobalNetworkSet or HostEndpoint. \n 3685 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3686 the Selector applies to workload endpoints across all 3687 namespaces." 3688 type: string 3689 nets: 3690 description: Nets is an optional field that restricts the 3691 rule to only apply to traffic that originates from (or 3692 terminates at) IP addresses in any of the given subnets. 3693 items: 3694 type: string 3695 type: array 3696 notNets: 3697 description: NotNets is the negated version of the Nets 3698 field. 3699 items: 3700 type: string 3701 type: array 3702 notPorts: 3703 description: NotPorts is the negated version of the Ports 3704 field. Since only some protocols have ports, if any ports 3705 are specified it requires the Protocol match in the Rule 3706 to be set to "TCP" or "UDP". 3707 items: 3708 anyOf: 3709 - type: integer 3710 - type: string 3711 pattern: ^.* 3712 x-kubernetes-int-or-string: true 3713 type: array 3714 notSelector: 3715 description: NotSelector is the negated version of the Selector 3716 field. See Selector field for subtleties with negated 3717 selectors. 3718 type: string 3719 ports: 3720 description: "Ports is an optional field that restricts 3721 the rule to only apply to traffic that has a source (destination) 3722 port that matches one of these ranges/values. 
This value 3723 is a list of integers or strings that represent ranges 3724 of ports. \n Since only some protocols have ports, if 3725 any ports are specified it requires the Protocol match 3726 in the Rule to be set to \"TCP\" or \"UDP\"." 3727 items: 3728 anyOf: 3729 - type: integer 3730 - type: string 3731 pattern: ^.* 3732 x-kubernetes-int-or-string: true 3733 type: array 3734 selector: 3735 description: "Selector is an optional field that contains 3736 a selector expression (see Policy for sample syntax). 3737 \ Only traffic that originates from (terminates at) endpoints 3738 matching the selector will be matched. \n Note that: in 3739 addition to the negated version of the Selector (see NotSelector 3740 below), the selector expression syntax itself supports 3741 negation. The two types of negation are subtly different. 3742 One negates the set of matched endpoints, the other negates 3743 the whole match: \n \tSelector = \"!has(my_label)\" matches 3744 packets that are from other Calico-controlled \tendpoints 3745 that do not have the label \"my_label\". \n \tNotSelector 3746 = \"has(my_label)\" matches packets that are not from 3747 Calico-controlled \tendpoints that do have the label \"my_label\". 3748 \n The effect is that the latter will accept packets from 3749 non-Calico sources whereas the former is limited to packets 3750 from Calico-controlled endpoints." 3751 type: string 3752 serviceAccounts: 3753 description: ServiceAccounts is an optional field that restricts 3754 the rule to only apply to traffic that originates from 3755 (or terminates at) a pod running as a matching service 3756 account. 3757 properties: 3758 names: 3759 description: Names is an optional field that restricts 3760 the rule to only apply to traffic that originates 3761 from (or terminates at) a pod running as a service 3762 account whose name is in the list. 
3763 items: 3764 type: string 3765 type: array 3766 selector: 3767 description: Selector is an optional field that restricts 3768 the rule to only apply to traffic that originates 3769 from (or terminates at) a pod running as a service 3770 account that matches the given label selector. If 3771 both Names and Selector are specified then they are 3772 AND'ed. 3773 type: string 3774 type: object 3775 services: 3776 description: "Services is an optional field that contains 3777 options for matching Kubernetes Services. If specified, 3778 only traffic that originates from or terminates at endpoints 3779 within the selected service(s) will be matched, and only 3780 to/from each endpoint's port. \n Services cannot be specified 3781 on the same rule as Selector, NotSelector, NamespaceSelector, 3782 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3783 can only be specified with Services on ingress rules." 3784 properties: 3785 name: 3786 description: Name specifies the name of a Kubernetes 3787 Service to match. 3788 type: string 3789 namespace: 3790 description: Namespace specifies the namespace of the 3791 given Service. If left empty, the rule will match 3792 within this policy's namespace. 3793 type: string 3794 type: object 3795 type: object 3796 required: 3797 - action 3798 type: object 3799 type: array 3800 ingress: 3801 description: The ordered set of ingress rules. Each rule contains 3802 a set of packet match criteria and a corresponding action to apply. 3803 items: 3804 description: "A Rule encapsulates a set of match criteria and an 3805 action. Both selector-based security Policy and security Profiles 3806 reference rules - separated out as a list of rules for both ingress 3807 and egress packet matching. \n Each positive match criteria has 3808 a negated version, prefixed with \"Not\". All the match criteria 3809 within a rule must be satisfied for a packet to match. 
A single 3810 rule can contain the positive and negative version of a match 3811 and both must be satisfied for the rule to match." 3812 properties: 3813 action: 3814 type: string 3815 destination: 3816 description: Destination contains the match criteria that apply 3817 to destination entity. 3818 properties: 3819 namespaceSelector: 3820 description: "NamespaceSelector is an optional field that 3821 contains a selector expression. Only traffic that originates 3822 from (or terminates at) endpoints within the selected 3823 namespaces will be matched. When both NamespaceSelector 3824 and another selector are defined on the same rule, then 3825 only workload endpoints that are matched by both selectors 3826 will be selected by the rule. \n For NetworkPolicy, an 3827 empty NamespaceSelector implies that the Selector is limited 3828 to selecting only workload endpoints in the same namespace 3829 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3830 NamespaceSelector implies that the Selector is limited 3831 to selecting only GlobalNetworkSet or HostEndpoint. \n 3832 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3833 the Selector applies to workload endpoints across all 3834 namespaces." 3835 type: string 3836 nets: 3837 description: Nets is an optional field that restricts the 3838 rule to only apply to traffic that originates from (or 3839 terminates at) IP addresses in any of the given subnets. 3840 items: 3841 type: string 3842 type: array 3843 notNets: 3844 description: NotNets is the negated version of the Nets 3845 field. 3846 items: 3847 type: string 3848 type: array 3849 notPorts: 3850 description: NotPorts is the negated version of the Ports 3851 field. Since only some protocols have ports, if any ports 3852 are specified it requires the Protocol match in the Rule 3853 to be set to "TCP" or "UDP". 
3854 items: 3855 anyOf: 3856 - type: integer 3857 - type: string 3858 pattern: ^.* 3859 x-kubernetes-int-or-string: true 3860 type: array 3861 notSelector: 3862 description: NotSelector is the negated version of the Selector 3863 field. See Selector field for subtleties with negated 3864 selectors. 3865 type: string 3866 ports: 3867 description: "Ports is an optional field that restricts 3868 the rule to only apply to traffic that has a source (destination) 3869 port that matches one of these ranges/values. This value 3870 is a list of integers or strings that represent ranges 3871 of ports. \n Since only some protocols have ports, if 3872 any ports are specified it requires the Protocol match 3873 in the Rule to be set to \"TCP\" or \"UDP\"." 3874 items: 3875 anyOf: 3876 - type: integer 3877 - type: string 3878 pattern: ^.* 3879 x-kubernetes-int-or-string: true 3880 type: array 3881 selector: 3882 description: "Selector is an optional field that contains 3883 a selector expression (see Policy for sample syntax). 3884 \ Only traffic that originates from (terminates at) endpoints 3885 matching the selector will be matched. \n Note that: in 3886 addition to the negated version of the Selector (see NotSelector 3887 below), the selector expression syntax itself supports 3888 negation. The two types of negation are subtly different. 3889 One negates the set of matched endpoints, the other negates 3890 the whole match: \n \tSelector = \"!has(my_label)\" matches 3891 packets that are from other Calico-controlled \tendpoints 3892 that do not have the label \"my_label\". \n \tNotSelector 3893 = \"has(my_label)\" matches packets that are not from 3894 Calico-controlled \tendpoints that do have the label \"my_label\". 3895 \n The effect is that the latter will accept packets from 3896 non-Calico sources whereas the former is limited to packets 3897 from Calico-controlled endpoints." 
3898 type: string 3899 serviceAccounts: 3900 description: ServiceAccounts is an optional field that restricts 3901 the rule to only apply to traffic that originates from 3902 (or terminates at) a pod running as a matching service 3903 account. 3904 properties: 3905 names: 3906 description: Names is an optional field that restricts 3907 the rule to only apply to traffic that originates 3908 from (or terminates at) a pod running as a service 3909 account whose name is in the list. 3910 items: 3911 type: string 3912 type: array 3913 selector: 3914 description: Selector is an optional field that restricts 3915 the rule to only apply to traffic that originates 3916 from (or terminates at) a pod running as a service 3917 account that matches the given label selector. If 3918 both Names and Selector are specified then they are 3919 AND'ed. 3920 type: string 3921 type: object 3922 services: 3923 description: "Services is an optional field that contains 3924 options for matching Kubernetes Services. If specified, 3925 only traffic that originates from or terminates at endpoints 3926 within the selected service(s) will be matched, and only 3927 to/from each endpoint's port. \n Services cannot be specified 3928 on the same rule as Selector, NotSelector, NamespaceSelector, 3929 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3930 can only be specified with Services on ingress rules." 3931 properties: 3932 name: 3933 description: Name specifies the name of a Kubernetes 3934 Service to match. 3935 type: string 3936 namespace: 3937 description: Namespace specifies the namespace of the 3938 given Service. If left empty, the rule will match 3939 within this policy's namespace. 3940 type: string 3941 type: object 3942 type: object 3943 http: 3944 description: HTTP contains match criteria that apply to HTTP 3945 requests. 
3946 properties: 3947 methods: 3948 description: Methods is an optional field that restricts 3949 the rule to apply only to HTTP requests that use one of 3950 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3951 methods are OR'd together. 3952 items: 3953 type: string 3954 type: array 3955 paths: 3956 description: 'Paths is an optional field that restricts 3957 the rule to apply to HTTP requests that use one of the 3958 listed HTTP Paths. Multiple paths are OR''d together. 3959 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3960 ONLY specify either a `exact` or a `prefix` match. The 3961 validator will check for it.' 3962 items: 3963 description: 'HTTPPath specifies an HTTP path to match. 3964 It may be either of the form: exact: <path>: which matches 3965 the path exactly or prefix: <path-prefix>: which matches 3966 the path prefix' 3967 properties: 3968 exact: 3969 type: string 3970 prefix: 3971 type: string 3972 type: object 3973 type: array 3974 type: object 3975 icmp: 3976 description: ICMP is an optional field that restricts the rule 3977 to apply to a specific type and code of ICMP traffic. This 3978 should only be specified if the Protocol field is set to "ICMP" 3979 or "ICMPv6". 3980 properties: 3981 code: 3982 description: Match on a specific ICMP code. If specified, 3983 the Type value must also be specified. This is a technical 3984 limitation imposed by the kernel's iptables firewall, 3985 which Calico uses to enforce the rule. 3986 type: integer 3987 type: 3988 description: Match on a specific ICMP type. For example 3989 a value of 8 refers to ICMP Echo Request (i.e. pings). 3990 type: integer 3991 type: object 3992 ipVersion: 3993 description: IPVersion is an optional field that restricts the 3994 rule to only match a specific IP version. 
3995 type: integer 3996 metadata: 3997 description: Metadata contains additional information for this 3998 rule 3999 properties: 4000 annotations: 4001 additionalProperties: 4002 type: string 4003 description: Annotations is a set of key value pairs that 4004 give extra information about the rule 4005 type: object 4006 type: object 4007 notICMP: 4008 description: NotICMP is the negated version of the ICMP field. 4009 properties: 4010 code: 4011 description: Match on a specific ICMP code. If specified, 4012 the Type value must also be specified. This is a technical 4013 limitation imposed by the kernel's iptables firewall, 4014 which Calico uses to enforce the rule. 4015 type: integer 4016 type: 4017 description: Match on a specific ICMP type. For example 4018 a value of 8 refers to ICMP Echo Request (i.e. pings). 4019 type: integer 4020 type: object 4021 notProtocol: 4022 anyOf: 4023 - type: integer 4024 - type: string 4025 description: NotProtocol is the negated version of the Protocol 4026 field. 4027 pattern: ^.* 4028 x-kubernetes-int-or-string: true 4029 protocol: 4030 anyOf: 4031 - type: integer 4032 - type: string 4033 description: "Protocol is an optional field that restricts the 4034 rule to only apply to traffic of a specific IP protocol. Required 4035 if any of the EntityRules contain Ports (because ports only 4036 apply to certain protocols). \n Must be one of these string 4037 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 4038 \"UDPLite\" or an integer in the range 1-255." 4039 pattern: ^.* 4040 x-kubernetes-int-or-string: true 4041 source: 4042 description: Source contains the match criteria that apply to 4043 source entity. 4044 properties: 4045 namespaceSelector: 4046 description: "NamespaceSelector is an optional field that 4047 contains a selector expression. Only traffic that originates 4048 from (or terminates at) endpoints within the selected 4049 namespaces will be matched. 
When both NamespaceSelector 4050 and another selector are defined on the same rule, then 4051 only workload endpoints that are matched by both selectors 4052 will be selected by the rule. \n For NetworkPolicy, an 4053 empty NamespaceSelector implies that the Selector is limited 4054 to selecting only workload endpoints in the same namespace 4055 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4056 NamespaceSelector implies that the Selector is limited 4057 to selecting only GlobalNetworkSet or HostEndpoint. \n 4058 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4059 the Selector applies to workload endpoints across all 4060 namespaces." 4061 type: string 4062 nets: 4063 description: Nets is an optional field that restricts the 4064 rule to only apply to traffic that originates from (or 4065 terminates at) IP addresses in any of the given subnets. 4066 items: 4067 type: string 4068 type: array 4069 notNets: 4070 description: NotNets is the negated version of the Nets 4071 field. 4072 items: 4073 type: string 4074 type: array 4075 notPorts: 4076 description: NotPorts is the negated version of the Ports 4077 field. Since only some protocols have ports, if any ports 4078 are specified it requires the Protocol match in the Rule 4079 to be set to "TCP" or "UDP". 4080 items: 4081 anyOf: 4082 - type: integer 4083 - type: string 4084 pattern: ^.* 4085 x-kubernetes-int-or-string: true 4086 type: array 4087 notSelector: 4088 description: NotSelector is the negated version of the Selector 4089 field. See Selector field for subtleties with negated 4090 selectors. 4091 type: string 4092 ports: 4093 description: "Ports is an optional field that restricts 4094 the rule to only apply to traffic that has a source (destination) 4095 port that matches one of these ranges/values. This value 4096 is a list of integers or strings that represent ranges 4097 of ports. 
\n Since only some protocols have ports, if 4098 any ports are specified it requires the Protocol match 4099 in the Rule to be set to \"TCP\" or \"UDP\"." 4100 items: 4101 anyOf: 4102 - type: integer 4103 - type: string 4104 pattern: ^.* 4105 x-kubernetes-int-or-string: true 4106 type: array 4107 selector: 4108 description: "Selector is an optional field that contains 4109 a selector expression (see Policy for sample syntax). 4110 \ Only traffic that originates from (terminates at) endpoints 4111 matching the selector will be matched. \n Note that: in 4112 addition to the negated version of the Selector (see NotSelector 4113 below), the selector expression syntax itself supports 4114 negation. The two types of negation are subtly different. 4115 One negates the set of matched endpoints, the other negates 4116 the whole match: \n \tSelector = \"!has(my_label)\" matches 4117 packets that are from other Calico-controlled \tendpoints 4118 that do not have the label \"my_label\". \n \tNotSelector 4119 = \"has(my_label)\" matches packets that are not from 4120 Calico-controlled \tendpoints that do have the label \"my_label\". 4121 \n The effect is that the latter will accept packets from 4122 non-Calico sources whereas the former is limited to packets 4123 from Calico-controlled endpoints." 4124 type: string 4125 serviceAccounts: 4126 description: ServiceAccounts is an optional field that restricts 4127 the rule to only apply to traffic that originates from 4128 (or terminates at) a pod running as a matching service 4129 account. 4130 properties: 4131 names: 4132 description: Names is an optional field that restricts 4133 the rule to only apply to traffic that originates 4134 from (or terminates at) a pod running as a service 4135 account whose name is in the list. 
4136 items: 4137 type: string 4138 type: array 4139 selector: 4140 description: Selector is an optional field that restricts 4141 the rule to only apply to traffic that originates 4142 from (or terminates at) a pod running as a service 4143 account that matches the given label selector. If 4144 both Names and Selector are specified then they are 4145 AND'ed. 4146 type: string 4147 type: object 4148 services: 4149 description: "Services is an optional field that contains 4150 options for matching Kubernetes Services. If specified, 4151 only traffic that originates from or terminates at endpoints 4152 within the selected service(s) will be matched, and only 4153 to/from each endpoint's port. \n Services cannot be specified 4154 on the same rule as Selector, NotSelector, NamespaceSelector, 4155 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4156 can only be specified with Services on ingress rules." 4157 properties: 4158 name: 4159 description: Name specifies the name of a Kubernetes 4160 Service to match. 4161 type: string 4162 namespace: 4163 description: Namespace specifies the namespace of the 4164 given Service. If left empty, the rule will match 4165 within this policy's namespace. 4166 type: string 4167 type: object 4168 type: object 4169 required: 4170 - action 4171 type: object 4172 type: array 4173 order: 4174 description: Order is an optional field that specifies the order in 4175 which the policy is applied. Policies with higher "order" are applied 4176 after those with lower order. If the order is omitted, it may be 4177 considered to be "infinite" - i.e. the policy will be applied last. Policies 4178 with identical order will be applied in alphanumerical order based 4179 on the Policy "Name". 4180 type: number 4181 selector: 4182 description: "The selector is an expression used to pick pick out 4183 the endpoints that the policy should be applied to. 
\n Selector 4184 expressions follow this syntax: \n \tlabel == \"string_literal\" 4185 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 4186 \ -> not equal; also matches if label is not present \tlabel in 4187 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 4188 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 4189 ... } -> true if the value of label X is not one of \"a\", \"b\", 4190 \"c\" \thas(label_name) -> True if that label is present \t! expr 4191 -> negation of expr \texpr && expr -> Short-circuit and \texpr 4192 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 4193 or the empty selector -> matches all endpoints. \n Label names are 4194 allowed to contain alphanumerics, -, _ and /. String literals are 4195 more permissive but they do not support escape characters. \n Examples 4196 (with made-up labels): \n \ttype == \"webserver\" && deployment 4197 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 4198 \"dev\" \t! has(label_name)" 4199 type: string 4200 serviceAccountSelector: 4201 description: ServiceAccountSelector is an optional field for an expression 4202 used to select a pod based on service accounts. 4203 type: string 4204 types: 4205 description: "Types indicates whether this policy applies to ingress, 4206 or to egress, or to both. When not explicitly specified (and so 4207 the value on creation is empty or nil), Calico defaults Types according 4208 to what Ingress and Egress are present in the policy. The default 4209 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 4210 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 4211 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 4212 PolicyTypeEgress ], if there are both Ingress and Egress rules. 4213 \n When the policy is read back again, Types will always be one 4214 of these values, never empty or nil." 
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec
                    Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Source: calico/templates/kdd-crds.yaml
# NetworkSet CRD: a namespaced, named list of IP networks that Calico policy
# (see the networksets entries in the calico-node ClusterRole below) can refer to.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: networksets.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkSet
    listKind: NetworkSetList
    plural: networksets
    singular: networkset
  # Fields not declared in the schema below are pruned by the API server
  # instead of being persisted.
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: NetworkSetSpec contains the specification for a NetworkSet
              resource.
            properties:
              nets:
                description: The list of IP networks that belong to this set.
                # NOTE(review): the schema only requires each entry to be a string;
                # CIDR syntax is not validated at admission time by this CRD — confirm
                # where malformed entries are rejected.
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Access to the core API group in this role is read-only (nodes, pods);
  # every create/update/delete verb is confined to crd.projectcalico.org.
  # Nodes are watched to monitor for deletions.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - watch
      - list
      - get
  # Pods are watched to check for existence as part of IPAM controller.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipreservations
    verbs:
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - watch
  # Pools are watched to maintain a mapping of blocks to IP pools.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
    verbs:
      - list
      - watch
  # kube-controllers manages hostendpoints.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - hostendpoints
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Needs access to update clusterinformations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
    verbs:
      - get
      - list
      - create
      - update
      - watch
  # KubeControllersConfiguration is where it gets its config
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - kubecontrollersconfigurations
    verbs:
      # read its own config
      - get
      # create a default if none exists
      - create
      # update status
      - update
      # watch for changes
      - watch
---
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
# NOTE(review): the calico-typha Deployment further down also runs with
# serviceAccountName: calico-node, so everything granted here applies to Typha too.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # Used for creating service account tokens to be used by the CNI plugin
  # resourceNames pins token creation to the calico-cni-plugin ServiceAccount;
  # keep it — without the restriction this verb would cover every ServiceAccount
  # in the cluster.
  - apiGroups: [""]
    resources:
      - serviceaccounts/token
    resourceNames:
      - calico-cni-plugin
    verbs:
      - create
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # EndpointSlices are used for Service-based network policy rule
  # enforcement.
  - apiGroups: ["discovery.k8s.io"]
    resources:
      - endpointslices
    verbs:
      - watch
      - list
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # Pod CIDR auto-detection on kubeadm needs access to config maps.
  # NOTE(review): as a ClusterRole rule this is `get` on configmaps in every
  # namespace; confirm whether a kube-system-scoped Role would suffice.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - bgpfilters
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipreservations
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
      - blockaffinities
      - caliconodestatuses
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico must update some CRDs.
  - apiGroups: [ "crd.projectcalico.org" ]
    resources:
      - caliconodestatuses
    verbs:
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  # NOTE(review): this policy-only profile runs calico-node with
  # CALICO_NETWORKING_BACKEND=none (see the DaemonSet below), so on a fresh
  # install these BGP write verbs are unused and are a candidate for removal.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
---
# Source: calico/templates/calico-node-rbac.yaml
# CNI cluster role
# Deliberately a small subset of calico-node's permissions: read-only on
# pods/nodes/namespaces plus patch on pods/status. Tokens for this ServiceAccount
# are minted via the serviceaccounts/token rule in the calico-node ClusterRole.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-cni-plugin
rules:
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
# Source: calico/templates/calico-node-rbac.yaml
# Binds the calico-node ClusterRole to the calico-node ServiceAccount, which is
# used by both the calico-node DaemonSet and the calico-typha Deployment below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system
---
# Source: calico/templates/calico-node-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-cni-plugin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-cni-plugin
subjects:
  - kind: ServiceAccount
    name: calico-cni-plugin
    namespace: kube-system
---
# Source: calico/templates/calico-typha.yaml
# This manifest creates a Service, which will be backed by Calico's Typha daemon.
# Typha sits in between Felix and the API server, reducing Calico's load on the API server.

# Typha pods run with hostNetwork: true (see the Deployment below), so port
# 5473 is bound in each Typha node's host network namespace; this Service is
# what calico-node's FELIX_TYPHAK8SSERVICENAME resolves to.
apiVersion: v1
kind: Service
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  ports:
    - port: 5473
      protocol: TCP
      targetPort: calico-typha
      name: calico-typha
  selector:
    k8s-app: calico-typha
---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # Node-level footprint: host networking here, privileged: true on every
      # container below, and writable hostPath mounts (/opt/cni/bin,
      # /etc/cni/net.d, /var/run/calico, ...). Write access to this DaemonSet
      # or to the calico-node ServiceAccount is equivalent to root on every node.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      priorityClassName: system-node-critical
      initContainers:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: docker.io/calico/cni:v3.26.1
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/install"]
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                # NOTE(review): because the ConfigMap is optional, creating one with this
                # name in kube-system silently repoints calico-node at a different API
                # endpoint; guard write access to it like write access to this DaemonSet.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
          # Both mounts are writable: this container places CNI binaries and the
          # CNI config directly on the host, so the integrity of the cni image
          # determines what every node executes.
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
          securityContext:
            privileged: true
        # This init container mounts the necessary filesystems needed by the BPF data plane
        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
        - name: "mount-bpffs"
          image: docker.io/calico/node:v3.26.1
          imagePullPolicy: IfNotPresent
          command: ["calico-node", "-init", "-best-effort"]
          volumeMounts:
            - mountPath: /sys/fs
              name: sys-fs
              # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
              # so that it outlives the init container.
              mountPropagation: Bidirectional
            - mountPath: /var/run/calico
              name: var-run-calico
              # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
              # so that it outlives the init container.
              mountPropagation: Bidirectional
            # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
            # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
            # The host /proc is mounted read-only.
            - mountPath: /nodeproc
              name: nodeproc
              readOnly: true
          securityContext:
            privileged: true
      containers:
        # Runs calico-node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: docker.io/calico/node:v3.26.1
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Configure route aggregation based on pod CIDR.
            - name: USE_POD_CIDR
              value: "true"
            # Typha support: controlled by the ConfigMap.
            - name: FELIX_TYPHAK8SSERVICENAME
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: typha_service_name
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Don't enable BGP.
            - name: CALICO_NETWORKING_BACKEND
              value: "none"
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s"
            # Non-calico CNI, disable credential management.
            - name: CALICO_MANAGE_CNI
              value: "false"
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "192.168.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # NOTE(review): traffic from workload endpoints towards the host itself is
            # accepted by default; host protection, if wanted, has to come from
            # HostEndpoint policy rather than this default.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/calico-node
                  - -shutdown
          livenessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-live
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-ready
            periodSeconds: 10
            timeoutSeconds: 10
          volumeMounts:
            # For maintaining CNI plugin API credentials.
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
              readOnly: false
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            - name: policysync
              mountPath: /var/run/nodeagent
            # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
            # parent directory.
            - name: bpffs
              mountPath: /sys/fs/bpf
            - name: cni-log-dir
              mountPath: /var/log/calico/cni
              readOnly: true
      volumes:
        # Used by calico-node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - name: sys-fs
          hostPath:
            path: /sys/fs/
            type: DirectoryOrCreate
        - name: bpffs
          hostPath:
            path: /sys/fs/bpf
            type: Directory
        # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
        - name: nodeproc
          hostPath:
            path: /proc
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used to access CNI logs.
        - name: cni-log-dir
          hostPath:
            path: /var/log/calico/cni
        # Used to create per-pod Unix Domain Sockets
        - name: policysync
          hostPath:
            type: DirectoryOrCreate
            path: /var/run/nodeagent
---
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      priorityClassName: system-cluster-critical
      containers:
        # NOTE(review): no securityContext is set on this container, unlike the
        # Typha container below (runAsNonRoot: true, allowPrivilegeEscalation: false);
        # confirm whether the same hardening is appropriate here.
        - name: calico-kube-controllers
          image: docker.io/calico/kube-controllers:v3.26.1
          imagePullPolicy: IfNotPresent
          env:
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: node
            - name: DATASTORE_TYPE
              value: kubernetes
          livenessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -l
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -r
            periodSeconds: 10
---
# Source: calico/templates/calico-typha.yaml
# This manifest creates a Deployment of Typha to back the above service.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-typha
  namespace: kube-system
  labels:
    k8s-app: calico-typha
spec:
  # Number of Typha replicas. To enable Typha, set this to a non-zero value *and* set the
  # typha_service_name variable in the calico-config ConfigMap above.
  #
  # We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is essential
  # (when using the Kubernetes datastore). Use one replica for every 100-200 nodes. In
  # production, we recommend running at least 3 replicas to reduce the impact of rolling upgrade.
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      k8s-app: calico-typha
  strategy:
    rollingUpdate:
      # 100% surge allows a complete up-level set of typha instances to start and become ready,
      # which in turn allows all the back-level typha instances to start shutting down. This
      # means that connections tend to bounce directly from a back-level instance to an up-level
      # instance.
      maxSurge: 100%
      # In case the cluster is unable to schedule extra surge instances, allow at most one instance
      # to shut down to make room. You can set this to 0 if you're sure there'll always be enough room to
      # schedule extra typha instances during an upgrade (because setting it to 0 blocks shutdown until
      # up-level typha instances are online and ready).
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: calico-typha
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # Host networking means the Typha port (5473) and the health port (9098; plus
      # 9093 if metrics are enabled below) are bound in the node's network namespace,
      # so reachability is governed by host-level filtering, not by pod network policy.
      hostNetwork: true
      # Typha supports graceful shut down, disconnecting clients slowly during the grace period.
      # The TYPHA_SHUTDOWNTIMEOUTSECS env var should be kept in sync with this value.
      terminationGracePeriodSeconds: 300
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
      # Since Calico can't network a pod until Typha is up, we need to run Typha itself
      # as a host-networked pod.
      # Typha reuses the calico-node ServiceAccount and therefore inherits the
      # calico-node ClusterRole bound above.
      serviceAccountName: calico-node
      priorityClassName: system-cluster-critical
      # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573
      securityContext:
        fsGroup: 65534
      containers:
        - image: docker.io/calico/typha:v3.26.1
          imagePullPolicy: IfNotPresent
          name: calico-typha
          ports:
            - containerPort: 5473
              name: calico-typha
              protocol: TCP
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # Enable "info" logging by default. Can be set to "debug" to increase verbosity.
            - name: TYPHA_LOGSEVERITYSCREEN
              value: "info"
            # Disable logging to file and syslog since those don't make sense in Kubernetes.
            - name: TYPHA_LOGFILEPATH
              value: "none"
            - name: TYPHA_LOGSEVERITYSYS
              value: "none"
            # Monitor the Kubernetes API to find the number of running instances and rebalance
            # connections.
            - name: TYPHA_CONNECTIONREBALANCINGMODE
              value: "kubernetes"
            - name: TYPHA_DATASTORETYPE
              value: "kubernetes"
            - name: TYPHA_HEALTHENABLED
              value: "true"
            # Set this to the same value as terminationGracePeriodSeconds; it tells Typha how much time
            # it has to shut down.
            - name: TYPHA_SHUTDOWNTIMEOUTSECS
              value: "300"
            # Configure route aggregation based on pod CIDR.
            - name: USE_POD_CIDR
              value: "true"
            # Uncomment these lines to enable prometheus metrics. Since Typha is host-networked,
            # this opens a port on the host, which may need to be secured.
            #- name: TYPHA_PROMETHEUSMETRICSENABLED
            #  value: "true"
            #- name: TYPHA_PROMETHEUSMETRICSPORT
            #  value: "9093"
          # Probes are addressed to localhost explicitly because the pod shares the
          # host network namespace.
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9098
              host: localhost
            periodSeconds: 30
            initialDelaySeconds: 30
            timeoutSeconds: 10
          # Typha is the only workload in this file that is not privileged, so it
          # gets the non-root / no-escalation hardening.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          readinessProbe:
            httpGet:
              path: /readiness
              port: 9098
              host: localhost
            periodSeconds: 10
            timeoutSeconds: 10