sigs.k8s.io/cluster-api-provider-azure@v1.14.3/templates/addons/calico/calico-vxlan.yaml (about) 1 --- 2 # Source: calico/templates/calico-kube-controllers.yaml 3 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict 4 5 apiVersion: policy/v1 6 kind: PodDisruptionBudget 7 metadata: 8 name: calico-kube-controllers 9 namespace: kube-system 10 labels: 11 k8s-app: calico-kube-controllers 12 spec: 13 maxUnavailable: 1 14 selector: 15 matchLabels: 16 k8s-app: calico-kube-controllers 17 --- 18 # Source: calico/templates/calico-kube-controllers.yaml 19 apiVersion: v1 20 kind: ServiceAccount 21 metadata: 22 name: calico-kube-controllers 23 namespace: kube-system 24 --- 25 # Source: calico/templates/calico-node.yaml 26 apiVersion: v1 27 kind: ServiceAccount 28 metadata: 29 name: calico-node 30 namespace: kube-system 31 --- 32 # Source: calico/templates/calico-node.yaml 33 apiVersion: v1 34 kind: ServiceAccount 35 metadata: 36 name: calico-cni-plugin 37 namespace: kube-system 38 --- 39 # Source: calico/templates/calico-config.yaml 40 # This ConfigMap is used to configure a self-hosted Calico installation. 41 kind: ConfigMap 42 apiVersion: v1 43 metadata: 44 name: calico-config 45 namespace: kube-system 46 data: 47 # Typha is disabled. 48 typha_service_name: "none" 49 # Configure the backend to use. 50 calico_backend: "vxlan" 51 52 # Configure the MTU to use for workload interfaces and tunnels. 53 # By default, MTU is auto-detected, and explicitly setting this field should not be required. 54 # You can override auto-detection by providing a non-zero value. 55 veth_mtu: "0" 56 57 # The CNI network configuration to install on each node. The special 58 # values in this config will be automatically populated. 
59 cni_network_config: |- 60 { 61 "name": "k8s-pod-network", 62 "cniVersion": "0.3.1", 63 "plugins": [ 64 { 65 "type": "calico", 66 "log_level": "info", 67 "log_file_path": "/var/log/calico/cni/cni.log", 68 "datastore_type": "kubernetes", 69 "nodename": "__KUBERNETES_NODE_NAME__", 70 "mtu": __CNI_MTU__, 71 "ipam": { 72 "type": "calico-ipam" 73 }, 74 "policy": { 75 "type": "k8s" 76 }, 77 "kubernetes": { 78 "kubeconfig": "__KUBECONFIG_FILEPATH__" 79 } 80 }, 81 { 82 "type": "portmap", 83 "snat": true, 84 "capabilities": {"portMappings": true} 85 }, 86 { 87 "type": "bandwidth", 88 "capabilities": {"bandwidth": true} 89 } 90 ] 91 } 92 --- 93 # Source: calico/templates/kdd-crds.yaml 94 apiVersion: apiextensions.k8s.io/v1 95 kind: CustomResourceDefinition 96 metadata: 97 name: bgpconfigurations.crd.projectcalico.org 98 spec: 99 group: crd.projectcalico.org 100 names: 101 kind: BGPConfiguration 102 listKind: BGPConfigurationList 103 plural: bgpconfigurations 104 singular: bgpconfiguration 105 preserveUnknownFields: false 106 scope: Cluster 107 versions: 108 - name: v1 109 schema: 110 openAPIV3Schema: 111 description: BGPConfiguration contains the configuration for any BGP routing. 112 properties: 113 apiVersion: 114 description: 'APIVersion defines the versioned schema of this representation 115 of an object. Servers should convert recognized schemas to the latest 116 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 117 type: string 118 kind: 119 description: 'Kind is a string value representing the REST resource this 120 object represents. Servers may infer this from the endpoint the client 121 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 122 type: string 123 metadata: 124 type: object 125 spec: 126 description: BGPConfigurationSpec contains the values of the BGP configuration. 127 properties: 128 asNumber: 129 description: 'ASNumber is the default AS number used by a node. [Default: 130 64512]' 131 format: int32 132 type: integer 133 bindMode: 134 description: BindMode indicates whether to listen for BGP connections 135 on all addresses (None) or only on the node's canonical IP address 136 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen 137 for BGP connections on all addresses. 138 type: string 139 communities: 140 description: Communities is a list of BGP community values and their 141 arbitrary names for tagging routes. 142 items: 143 description: Community contains standard or large community value 144 and its name. 145 properties: 146 name: 147 description: Name given to community value. 148 type: string 149 value: 150 description: Value must be of format `aa:nn` or `aa:nn:mm`. 151 For standard community use `aa:nn` format, where `aa` and 152 `nn` are 16 bit number. For large community use `aa:nn:mm` 153 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 154 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. 155 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 156 type: string 157 type: object 158 type: array 159 ignoredInterfaces: 160 description: IgnoredInterfaces indicates the network interfaces that 161 needs to be excluded when reading device routes. 162 items: 163 type: string 164 type: array 165 listenPort: 166 description: ListenPort is the port where BGP protocol should listen. 167 Defaults to 179 168 maximum: 65535 169 minimum: 1 170 type: integer 171 logSeverityScreen: 172 description: 'LogSeverityScreen is the log severity above which logs 173 are sent to the stdout. 
[Default: INFO]' 174 type: string 175 nodeMeshMaxRestartTime: 176 description: Time to allow for software restart for node-to-mesh peerings. When 177 specified, this is configured as the graceful restart timeout. When 178 not specified, the BIRD default of 120s is used. This field can 179 only be set on the default BGPConfiguration instance and requires 180 that NodeMesh is enabled 181 type: string 182 nodeMeshPassword: 183 description: Optional BGP password for full node-to-mesh peerings. 184 This field can only be set on the default BGPConfiguration instance 185 and requires that NodeMesh is enabled 186 properties: 187 secretKeyRef: 188 description: Selects a key of a secret in the node pod's namespace. 189 properties: 190 key: 191 description: The key of the secret to select from. Must be 192 a valid secret key. 193 type: string 194 name: 195 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 196 TODO: Add other useful fields. apiVersion, kind, uid?' 197 type: string 198 optional: 199 description: Specify whether the Secret or its key must be 200 defined 201 type: boolean 202 required: 203 - key 204 type: object 205 type: object 206 nodeToNodeMeshEnabled: 207 description: 'NodeToNodeMeshEnabled sets whether full node to node 208 BGP mesh is enabled. [Default: true]' 209 type: boolean 210 prefixAdvertisements: 211 description: PrefixAdvertisements contains per-prefix advertisement 212 configuration. 213 items: 214 description: PrefixAdvertisement configures advertisement properties 215 for the specified CIDR. 216 properties: 217 cidr: 218 description: CIDR for which properties should be advertised. 219 type: string 220 communities: 221 description: Communities can be list of either community names 222 already defined in `Specs.Communities` or community value 223 of format `aa:nn` or `aa:nn:mm`. For standard community use 224 `aa:nn` format, where `aa` and `nn` are 16 bit number. 
For 225 large community use `aa:nn:mm` format, where `aa`, `nn` and 226 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 227 `mm` are per-AS identifier. 228 items: 229 type: string 230 type: array 231 type: object 232 type: array 233 serviceClusterIPs: 234 description: ServiceClusterIPs are the CIDR blocks from which service 235 cluster IPs are allocated. If specified, Calico will advertise these 236 blocks, as well as any cluster IPs within them. 237 items: 238 description: ServiceClusterIPBlock represents a single allowed ClusterIP 239 CIDR block. 240 properties: 241 cidr: 242 type: string 243 type: object 244 type: array 245 serviceExternalIPs: 246 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 247 Service External IPs. Kubernetes Service ExternalIPs will only be 248 advertised if they are within one of these blocks. 249 items: 250 description: ServiceExternalIPBlock represents a single allowed 251 External IP CIDR block. 252 properties: 253 cidr: 254 type: string 255 type: object 256 type: array 257 serviceLoadBalancerIPs: 258 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 259 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 260 IPs will only be advertised if they are within one of these blocks. 261 items: 262 description: ServiceLoadBalancerIPBlock represents a single allowed 263 LoadBalancer IP CIDR block. 
264 properties: 265 cidr: 266 type: string 267 type: object 268 type: array 269 type: object 270 type: object 271 served: true 272 storage: true 273 status: 274 acceptedNames: 275 kind: "" 276 plural: "" 277 conditions: [] 278 storedVersions: [] 279 --- 280 # Source: calico/templates/kdd-crds.yaml 281 apiVersion: apiextensions.k8s.io/v1 282 kind: CustomResourceDefinition 283 metadata: 284 annotations: 285 controller-gen.kubebuilder.io/version: (devel) 286 creationTimestamp: null 287 name: bgpfilters.crd.projectcalico.org 288 spec: 289 group: crd.projectcalico.org 290 names: 291 kind: BGPFilter 292 listKind: BGPFilterList 293 plural: bgpfilters 294 singular: bgpfilter 295 scope: Cluster 296 versions: 297 - name: v1 298 schema: 299 openAPIV3Schema: 300 properties: 301 apiVersion: 302 description: 'APIVersion defines the versioned schema of this representation 303 of an object. Servers should convert recognized schemas to the latest 304 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 305 type: string 306 kind: 307 description: 'Kind is a string value representing the REST resource this 308 object represents. Servers may infer this from the endpoint the client 309 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 310 type: string 311 metadata: 312 type: object 313 spec: 314 description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of 315 the BGP Filter. 316 properties: 317 exportV4: 318 description: The ordered set of IPv4 BGPFilter rules acting on exporting 319 routes to a peer. 320 items: 321 description: BGPFilterRuleV4 defines a BGP filter rule consisting 322 a single IPv4 CIDR block and a filter action for this CIDR. 
323 properties: 324 action: 325 type: string 326 cidr: 327 type: string 328 matchOperator: 329 type: string 330 required: 331 - action 332 - cidr 333 - matchOperator 334 type: object 335 type: array 336 exportV6: 337 description: The ordered set of IPv6 BGPFilter rules acting on exporting 338 routes to a peer. 339 items: 340 description: BGPFilterRuleV6 defines a BGP filter rule consisting 341 a single IPv6 CIDR block and a filter action for this CIDR. 342 properties: 343 action: 344 type: string 345 cidr: 346 type: string 347 matchOperator: 348 type: string 349 required: 350 - action 351 - cidr 352 - matchOperator 353 type: object 354 type: array 355 importV4: 356 description: The ordered set of IPv4 BGPFilter rules acting on importing 357 routes from a peer. 358 items: 359 description: BGPFilterRuleV4 defines a BGP filter rule consisting 360 a single IPv4 CIDR block and a filter action for this CIDR. 361 properties: 362 action: 363 type: string 364 cidr: 365 type: string 366 matchOperator: 367 type: string 368 required: 369 - action 370 - cidr 371 - matchOperator 372 type: object 373 type: array 374 importV6: 375 description: The ordered set of IPv6 BGPFilter rules acting on importing 376 routes from a peer. 377 items: 378 description: BGPFilterRuleV6 defines a BGP filter rule consisting 379 a single IPv6 CIDR block and a filter action for this CIDR. 
380 properties: 381 action: 382 type: string 383 cidr: 384 type: string 385 matchOperator: 386 type: string 387 required: 388 - action 389 - cidr 390 - matchOperator 391 type: object 392 type: array 393 type: object 394 type: object 395 served: true 396 storage: true 397 status: 398 acceptedNames: 399 kind: "" 400 plural: "" 401 conditions: [] 402 storedVersions: [] 403 --- 404 # Source: calico/templates/kdd-crds.yaml 405 apiVersion: apiextensions.k8s.io/v1 406 kind: CustomResourceDefinition 407 metadata: 408 name: bgppeers.crd.projectcalico.org 409 spec: 410 group: crd.projectcalico.org 411 names: 412 kind: BGPPeer 413 listKind: BGPPeerList 414 plural: bgppeers 415 singular: bgppeer 416 preserveUnknownFields: false 417 scope: Cluster 418 versions: 419 - name: v1 420 schema: 421 openAPIV3Schema: 422 properties: 423 apiVersion: 424 description: 'APIVersion defines the versioned schema of this representation 425 of an object. Servers should convert recognized schemas to the latest 426 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 427 type: string 428 kind: 429 description: 'Kind is a string value representing the REST resource this 430 object represents. Servers may infer this from the endpoint the client 431 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 432 type: string 433 metadata: 434 type: object 435 spec: 436 description: BGPPeerSpec contains the specification for a BGPPeer resource. 437 properties: 438 asNumber: 439 description: The AS Number of the peer. 440 format: int32 441 type: integer 442 filters: 443 description: The ordered set of BGPFilters applied on this BGP peer. 
444 items: 445 type: string 446 type: array 447 keepOriginalNextHop: 448 description: Option to keep the original nexthop field when routes 449 are sent to a BGP Peer. Setting "true" configures the selected BGP 450 Peers node to use the "next hop keep;" instead of "next hop self;"(default) 451 in the specific branch of the Node on "bird.cfg". 452 type: boolean 453 maxRestartTime: 454 description: Time to allow for software restart. When specified, 455 this is configured as the graceful restart timeout. When not specified, 456 the BIRD default of 120s is used. 457 type: string 458 node: 459 description: The node name identifying the Calico node instance that 460 is targeted by this peer. If this is not set, and no nodeSelector 461 is specified, then this BGP peer selects all nodes in the cluster. 462 type: string 463 nodeSelector: 464 description: Selector for the nodes that should have this peering. When 465 this is set, the Node field must be empty. 466 type: string 467 numAllowedLocalASNumbers: 468 description: Maximum number of local AS numbers that are allowed in 469 the AS path for received routes. This removes BGP loop prevention 470 and should only be used if absolutely necesssary. 471 format: int32 472 type: integer 473 password: 474 description: Optional BGP password for the peerings generated by this 475 BGPPeer resource. 476 properties: 477 secretKeyRef: 478 description: Selects a key of a secret in the node pod's namespace. 479 properties: 480 key: 481 description: The key of the secret to select from. Must be 482 a valid secret key. 483 type: string 484 name: 485 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 486 TODO: Add other useful fields. apiVersion, kind, uid?' 
487 type: string 488 optional: 489 description: Specify whether the Secret or its key must be 490 defined 491 type: boolean 492 required: 493 - key 494 type: object 495 type: object 496 peerIP: 497 description: The IP address of the peer followed by an optional port 498 number to peer with. If port number is given, format should be `[<IPv6>]:port` 499 or `<IPv4>:<port>` for IPv4. If optional port number is not set, 500 and this peer IP and ASNumber belongs to a calico/node with ListenPort 501 set in BGPConfiguration, then we use that port to peer. 502 type: string 503 peerSelector: 504 description: Selector for the remote nodes to peer with. When this 505 is set, the PeerIP and ASNumber fields must be empty. For each 506 peering between the local node and selected remote nodes, we configure 507 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, 508 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The 509 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, 510 or the global default if that is not set. 511 type: string 512 reachableBy: 513 description: Add an exact, i.e. /32, static route toward peer IP in 514 order to prevent route flapping. ReachableBy contains the address 515 of the gateway which peer can be reached by. 516 type: string 517 sourceAddress: 518 description: Specifies whether and how to configure a source address 519 for the peerings generated by this BGPPeer resource. Default value 520 "UseNodeIP" means to configure the node IP as the source address. "None" 521 means not to configure a source address. 522 type: string 523 ttlSecurity: 524 description: TTLSecurity enables the generalized TTL security mechanism 525 (GTSM) which protects against spoofed packets by ignoring received 526 packets with a smaller than expected TTL value. The provided value 527 is the number of hops (edges) between the peers. 
528 type: integer 529 type: object 530 type: object 531 served: true 532 storage: true 533 status: 534 acceptedNames: 535 kind: "" 536 plural: "" 537 conditions: [] 538 storedVersions: [] 539 --- 540 # Source: calico/templates/kdd-crds.yaml 541 apiVersion: apiextensions.k8s.io/v1 542 kind: CustomResourceDefinition 543 metadata: 544 name: blockaffinities.crd.projectcalico.org 545 spec: 546 group: crd.projectcalico.org 547 names: 548 kind: BlockAffinity 549 listKind: BlockAffinityList 550 plural: blockaffinities 551 singular: blockaffinity 552 preserveUnknownFields: false 553 scope: Cluster 554 versions: 555 - name: v1 556 schema: 557 openAPIV3Schema: 558 properties: 559 apiVersion: 560 description: 'APIVersion defines the versioned schema of this representation 561 of an object. Servers should convert recognized schemas to the latest 562 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 563 type: string 564 kind: 565 description: 'Kind is a string value representing the REST resource this 566 object represents. Servers may infer this from the endpoint the client 567 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 568 type: string 569 metadata: 570 type: object 571 spec: 572 description: BlockAffinitySpec contains the specification for a BlockAffinity 573 resource. 574 properties: 575 cidr: 576 type: string 577 deleted: 578 description: Deleted indicates that this block affinity is being deleted. 579 This field is a string for compatibility with older releases that 580 mistakenly treat this field as a string. 
581 type: string 582 node: 583 type: string 584 state: 585 type: string 586 required: 587 - cidr 588 - deleted 589 - node 590 - state 591 type: object 592 type: object 593 served: true 594 storage: true 595 status: 596 acceptedNames: 597 kind: "" 598 plural: "" 599 conditions: [] 600 storedVersions: [] 601 --- 602 # Source: calico/templates/kdd-crds.yaml 603 apiVersion: apiextensions.k8s.io/v1 604 kind: CustomResourceDefinition 605 metadata: 606 annotations: 607 controller-gen.kubebuilder.io/version: (devel) 608 creationTimestamp: null 609 name: caliconodestatuses.crd.projectcalico.org 610 spec: 611 group: crd.projectcalico.org 612 names: 613 kind: CalicoNodeStatus 614 listKind: CalicoNodeStatusList 615 plural: caliconodestatuses 616 singular: caliconodestatus 617 preserveUnknownFields: false 618 scope: Cluster 619 versions: 620 - name: v1 621 schema: 622 openAPIV3Schema: 623 properties: 624 apiVersion: 625 description: 'APIVersion defines the versioned schema of this representation 626 of an object. Servers should convert recognized schemas to the latest 627 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 628 type: string 629 kind: 630 description: 'Kind is a string value representing the REST resource this 631 object represents. Servers may infer this from the endpoint the client 632 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 633 type: string 634 metadata: 635 type: object 636 spec: 637 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 638 resource. 639 properties: 640 classes: 641 description: Classes declares the types of information to monitor 642 for this calico/node, and allows for selective status reporting 643 about certain subsets of information. 
644 items: 645 type: string 646 type: array 647 node: 648 description: The node name identifies the Calico node instance for 649 node status. 650 type: string 651 updatePeriodSeconds: 652 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 653 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 654 Maximum update period is one day. 655 format: int32 656 type: integer 657 type: object 658 status: 659 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 660 No validation needed for status since it is updated by Calico. 661 properties: 662 agent: 663 description: Agent holds agent status on the node. 664 properties: 665 birdV4: 666 description: BIRDV4 represents the latest observed status of bird4. 667 properties: 668 lastBootTime: 669 description: LastBootTime holds the value of lastBootTime 670 from bird.ctl output. 671 type: string 672 lastReconfigurationTime: 673 description: LastReconfigurationTime holds the value of lastReconfigTime 674 from bird.ctl output. 675 type: string 676 routerID: 677 description: Router ID used by bird. 678 type: string 679 state: 680 description: The state of the BGP Daemon. 681 type: string 682 version: 683 description: Version of the BGP daemon 684 type: string 685 type: object 686 birdV6: 687 description: BIRDV6 represents the latest observed status of bird6. 688 properties: 689 lastBootTime: 690 description: LastBootTime holds the value of lastBootTime 691 from bird.ctl output. 692 type: string 693 lastReconfigurationTime: 694 description: LastReconfigurationTime holds the value of lastReconfigTime 695 from bird.ctl output. 696 type: string 697 routerID: 698 description: Router ID used by bird. 699 type: string 700 state: 701 description: The state of the BGP Daemon. 702 type: string 703 version: 704 description: Version of the BGP daemon 705 type: string 706 type: object 707 type: object 708 bgp: 709 description: BGP holds node BGP status. 
710 properties: 711 numberEstablishedV4: 712 description: The total number of IPv4 established bgp sessions. 713 type: integer 714 numberEstablishedV6: 715 description: The total number of IPv6 established bgp sessions. 716 type: integer 717 numberNotEstablishedV4: 718 description: The total number of IPv4 non-established bgp sessions. 719 type: integer 720 numberNotEstablishedV6: 721 description: The total number of IPv6 non-established bgp sessions. 722 type: integer 723 peersV4: 724 description: PeersV4 represents IPv4 BGP peers status on the node. 725 items: 726 description: CalicoNodePeer contains the status of BGP peers 727 on the node. 728 properties: 729 peerIP: 730 description: IP address of the peer whose condition we are 731 reporting. 732 type: string 733 since: 734 description: Since the state or reason last changed. 735 type: string 736 state: 737 description: State is the BGP session state. 738 type: string 739 type: 740 description: Type indicates whether this peer is configured 741 via the node-to-node mesh, or via en explicit global or 742 per-node BGPPeer object. 743 type: string 744 type: object 745 type: array 746 peersV6: 747 description: PeersV6 represents IPv6 BGP peers status on the node. 748 items: 749 description: CalicoNodePeer contains the status of BGP peers 750 on the node. 751 properties: 752 peerIP: 753 description: IP address of the peer whose condition we are 754 reporting. 755 type: string 756 since: 757 description: Since the state or reason last changed. 758 type: string 759 state: 760 description: State is the BGP session state. 761 type: string 762 type: 763 description: Type indicates whether this peer is configured 764 via the node-to-node mesh, or via en explicit global or 765 per-node BGPPeer object. 
766 type: string 767 type: object 768 type: array 769 required: 770 - numberEstablishedV4 771 - numberEstablishedV6 772 - numberNotEstablishedV4 773 - numberNotEstablishedV6 774 type: object 775 lastUpdated: 776 description: LastUpdated is a timestamp representing the server time 777 when CalicoNodeStatus object last updated. It is represented in 778 RFC3339 form and is in UTC. 779 format: date-time 780 nullable: true 781 type: string 782 routes: 783 description: Routes reports routes known to the Calico BGP daemon 784 on the node. 785 properties: 786 routesV4: 787 description: RoutesV4 represents IPv4 routes on the node. 788 items: 789 description: CalicoNodeRoute contains the status of BGP routes 790 on the node. 791 properties: 792 destination: 793 description: Destination of the route. 794 type: string 795 gateway: 796 description: Gateway for the destination. 797 type: string 798 interface: 799 description: Interface for the destination 800 type: string 801 learnedFrom: 802 description: LearnedFrom contains information regarding 803 where this route originated. 804 properties: 805 peerIP: 806 description: If sourceType is NodeMesh or BGPPeer, IP 807 address of the router that sent us this route. 808 type: string 809 sourceType: 810 description: Type of the source where a route is learned 811 from. 812 type: string 813 type: object 814 type: 815 description: Type indicates if the route is being used for 816 forwarding or not. 817 type: string 818 type: object 819 type: array 820 routesV6: 821 description: RoutesV6 represents IPv6 routes on the node. 822 items: 823 description: CalicoNodeRoute contains the status of BGP routes 824 on the node. 825 properties: 826 destination: 827 description: Destination of the route. 828 type: string 829 gateway: 830 description: Gateway for the destination. 
831 type: string 832 interface: 833 description: Interface for the destination 834 type: string 835 learnedFrom: 836 description: LearnedFrom contains information regarding 837 where this route originated. 838 properties: 839 peerIP: 840 description: If sourceType is NodeMesh or BGPPeer, IP 841 address of the router that sent us this route. 842 type: string 843 sourceType: 844 description: Type of the source where a route is learned 845 from. 846 type: string 847 type: object 848 type: 849 description: Type indicates if the route is being used for 850 forwarding or not. 851 type: string 852 type: object 853 type: array 854 type: object 855 type: object 856 type: object 857 served: true 858 storage: true 859 status: 860 acceptedNames: 861 kind: "" 862 plural: "" 863 conditions: [] 864 storedVersions: [] 865 --- 866 # Source: calico/templates/kdd-crds.yaml 867 apiVersion: apiextensions.k8s.io/v1 868 kind: CustomResourceDefinition 869 metadata: 870 name: clusterinformations.crd.projectcalico.org 871 spec: 872 group: crd.projectcalico.org 873 names: 874 kind: ClusterInformation 875 listKind: ClusterInformationList 876 plural: clusterinformations 877 singular: clusterinformation 878 preserveUnknownFields: false 879 scope: Cluster 880 versions: 881 - name: v1 882 schema: 883 openAPIV3Schema: 884 description: ClusterInformation contains the cluster specific information. 885 properties: 886 apiVersion: 887 description: 'APIVersion defines the versioned schema of this representation 888 of an object. Servers should convert recognized schemas to the latest 889 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 890 type: string 891 kind: 892 description: 'Kind is a string value representing the REST resource this 893 object represents. Servers may infer this from the endpoint the client 894 submits requests to. Cannot be updated. In CamelCase. 
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ClusterInformationSpec contains the values of describing
              the cluster.
            properties:
              calicoVersion:
                description: CalicoVersion is the version of Calico that the cluster
                  is running
                type: string
              clusterGUID:
                description: ClusterGUID is the GUID of the cluster
                type: string
              clusterType:
                description: ClusterType describes the type of the cluster
                type: string
              datastoreReady:
                description: DatastoreReady is used during significant datastore migrations
                  to signal to components such as Felix that it should wait before
                  accessing the datastore.
                type: boolean
              variant:
                description: Variant declares which variant of Calico should be active.
                type: string
            type: object
        type: object
    served: true
    storage: true
# status is left empty in the manifest; the API server fills it in once the CRD is accepted.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Source: calico/templates/kdd-crds.yaml
# CustomResourceDefinition for FelixConfiguration (cluster-scoped, group
# crd.projectcalico.org, served/storage version v1). This only registers the
# schema: no FelixConfiguration object is defined here, so the values that take
# effect on a cluster come from whichever FelixConfiguration objects exist there.
# The "[Default: ...]" notes inside the descriptions are Felix's own defaults as
# documented upstream; the fields whose defaults matter for the security posture
# of the node dataplane are called out with inline comments below.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: FelixConfiguration
    listKind: FelixConfigurationList
    plural: felixconfigurations
    singular: felixconfiguration
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: Felix Configuration contains the configuration for Felix.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: FelixConfigurationSpec contains the values of the Felix configuration.
            properties:
              # Security: per the descriptions, the default (false) for this field and for
              # allowVXLANPacketsFromWorkloads below keeps Felix's rule that drops
              # IPIP/VXLAN-encapsulated packets originating from workloads, i.e. pods cannot
              # inject traffic straight into the overlay. Leave both at the default unless a
              # specific workload genuinely needs to emit encapsulated traffic.
              allowIPIPPacketsFromWorkloads:
                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
                  will add a rule to drop IPIP encapsulated traffic from workloads
                  [Default: false]'
                type: boolean
              allowVXLANPacketsFromWorkloads:
                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
                  will add a rule to drop VXLAN encapsulated traffic from workloads
                  [Default: false]'
                type: boolean
              awsSrcDstCheck:
                description: 'Set source-destination-check on AWS EC2 instances. Accepted
                  value must be one of "DoNothing", "Enable" or "Disable". [Default:
                  DoNothing]'
                enum:
                - DoNothing
                - Enable
                - Disable
                type: string
              bpfConnectTimeLoadBalancingEnabled:
                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
                  controls whether Felix installs the connection-time load balancer. The
                  connect-time load balancer is required for the host to be able to
                  reach Kubernetes services and it improves the performance of pod-to-service
                  connections. The only reason to disable it is for debugging purposes. [Default:
                  true]'
                type: boolean
              bpfDSROptoutCIDRs:
                description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
                  from DSR. That is, clients in those CIDRs will accesses nodeports
                  as if BPFExternalServiceMode was set to Tunnel.
                items:
                  type: string
                type: array
              bpfDataIfacePattern:
                description: BPFDataIfacePattern is a regular expression that controls
                  which interfaces Felix should attach BPF programs to in order to
                  catch traffic to/from the network. This needs to match the interfaces
                  that Calico workload traffic flows over as well as any interfaces
                  that handle incoming traffic to nodeports and services from outside
                  the cluster. It should not match the workload interfaces (usually
                  named cali...).
                type: string
              # Security: the default (true) has Felix set kernel.unprivileged_bpf_disabled.
              # The description states that turning this off would let unprivileged users
              # read Calico's BPF maps or load their own BPF programs alongside Calico's, so
              # keep the default.
              bpfDisableUnprivileged:
                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
                  sysctl to disable unprivileged use of BPF. This ensures that unprivileged
                  users cannot access Calico''s BPF maps and cannot insert their own
                  BPF programs to interfere with Calico''s. [Default: true]'
                type: boolean
              bpfEnabled:
                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
                  [Default: false]'
                type: boolean
              bpfEnforceRPF:
                description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
                  with BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled, Strict or Loose. [Default:
                  Loose]'
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
                  mark that is set on connections from an external client to a local
                  service. This mark allows us to control how packets of that connection
                  are routed within the host and how is routing interpreted by RPF
                  check. [Default: 0]'
                type: integer
              bpfExternalServiceMode:
                description: 'BPFExternalServiceMode in BPF mode, controls how connections
                  from outside the cluster to services (node ports and cluster IPs)
                  are forwarded to remote workloads. If set to "Tunnel" then both
                  request and response traffic is tunneled to the remote node. If
                  set to "DSR", the request traffic is tunneled but the response traffic
                  is sent directly from the remote node. In "DSR" mode, the remote
                  node appears to use the IP of the ingress node; this requires a
                  permissive L2 network. [Default: Tunnel]'
                type: string
              bpfHostConntrackBypass:
                description: 'BPFHostConntrackBypass Controls whether to bypass Linux
                  conntrack in BPF mode for workloads and services. [Default: true
                  - bypass Linux conntrack]'
                type: boolean
              bpfKubeProxyEndpointSlicesEnabled:
                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
                type: boolean
              bpfKubeProxyIptablesCleanupEnabled:
                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
                  mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
                  iptables chains. Should only be enabled if kube-proxy is not running. [Default:
                  true]'
                type: boolean
              bpfKubeProxyMinSyncPeriod:
                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
                  minimum time between updates to the dataplane for Felix''s embedded
                  kube-proxy. Lower values give reduced set-up latency. Higher values
                  reduce Felix CPU usage by batching up more work. [Default: 1s]'
                type: string
              bpfL3IfacePattern:
                description: BPFL3IfacePattern is a regular expression that allows
                  to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
                  in addition to BPFDataIfacePattern. That is, tunnel interfaces not
                  created by Calico, that Calico workload traffic flows over as well
                  as any interfaces that handle incoming traffic to nodeports and
                  services from outside the cluster.
                type: string
              bpfLogLevel:
                description: 'BPFLogLevel controls the log level of the BPF programs
                  when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
                  logs are emitted to the BPF trace pipe, accessible with the command
                  `tc exec bpf debug`. [Default: Off].'
                type: string
              bpfMapSizeConntrack:
                description: 'BPFMapSizeConntrack sets the size for the conntrack
                  map. This map must be large enough to hold an entry for each active
                  connection. Warning: changing the size of the conntrack map can
                  cause disruption.'
                type: integer
              bpfMapSizeIPSets:
                description: BPFMapSizeIPSets sets the size for ipsets map. The IP
                  sets map must be large enough to hold an entry for each endpoint
                  matched by every selector in the source/destination matches in network
                  policy. Selectors such as "all()" can result in large numbers of
                  entries (one entry per endpoint in that case).
                type: integer
              bpfMapSizeIfState:
                description: BPFMapSizeIfState sets the size for ifstate map. The
                  ifstate map must be large enough to hold an entry for each device
                  (host + workloads) on a host.
                type: integer
              bpfMapSizeNATAffinity:
                type: integer
              bpfMapSizeNATBackend:
                description: BPFMapSizeNATBackend sets the size for nat back end map.
                  This is the total number of endpoints. This is mostly more than
                  the size of the number of services.
                type: integer
              bpfMapSizeNATFrontend:
                description: BPFMapSizeNATFrontend sets the size for nat front end
                  map. FrontendMap should be large enough to hold an entry for each
                  nodeport, external IP and each port in each service.
                type: integer
              bpfMapSizeRoute:
                description: BPFMapSizeRoute sets the size for the routes map. The
                  routes map should be large enough to hold one entry per workload
                  and a handful of entries per host (enough to cover its own IPs and
                  tunnel IPs).
                type: integer
              bpfPSNATPorts:
                anyOf:
                - type: integer
                - type: string
                description: 'BPFPSNATPorts sets the range from which we randomly
                  pick a port if there is a source port collision. This should be
                  within the ephemeral range as defined by RFC 6056 (1024–65535) and
                  preferably outside the ephemeral ranges used by common operating
                  systems. Linux uses 32768–60999, while others mostly use the IANA
                  defined range 49152–65535. It is not necessarily a problem if this
                  range overlaps with the operating systems. Both ends of the range
                  are inclusive. [Default: 20000:29999]'
                pattern: ^.*
                x-kubernetes-int-or-string: true
              bpfPolicyDebugEnabled:
                description: BPFPolicyDebugEnabled when true, Felix records detailed
                  information about the BPF policy programs, which can be examined
                  with the calico-bpf command-line tool.
                type: boolean
              # Security: the description itself warns that "append" mode lets rules earlier
              # in the chain accept traffic before Calico sees it, bypassing policy. Keep the
              # default "insert" unless every pre-existing rule in the chain is known to fall
              # through to Calico.
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                  top-level iptables chains by inserting a rule at the top of the
                  chain or by appending a rule at the bottom. insert is the safe default
                  since it prevents Calico''s rules from being bypassed. If you switch
                  to append mode, be sure that the other rules in the chains signal
                  acceptance by falling through to the Calico rules, otherwise the
                  Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                description: DataplaneDriver filename of the external dataplane driver
                  to use. Only used if UseInternalDataplaneDriver is set to false.
                type: string
              dataplaneWatchdogTimeout:
                description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
                  used for Felix's (internal) dataplane driver. Increase this value
                  if you experience spurious non-ready or non-live events when Felix
                  is under heavy load. Decrease the value to get felix to report non-live
                  or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
                  by the generic HealthTimeoutOverrides."
                type: string
              # The debug* fields carry no description in this schema; their semantics are
              # not documented here.
              debugDisableLogDropping:
                type: boolean
              debugMemoryProfilePath:
                type: string
              debugSimulateCalcGraphHangAfter:
                type: string
              debugSimulateDataplaneHangAfter:
                type: string
              # Security: the default (Drop) blocks workload-to-host traffic once egress
              # policy has run. ACCEPT unconditionally exposes the host to all workloads; the
              # description recommends RETURN when you have your own INPUT-chain rules, which
              # keeps host access explicit.
              defaultEndpointToHostAction:
                description: 'DefaultEndpointToHostAction controls what happens to
                  traffic that goes from a workload endpoint to the host itself (after
                  the traffic hits the endpoint egress policy). By default Calico
                  blocks traffic from workload endpoints to the host itself with an
                  iptables "DROP" action. If you want to allow some or all traffic
                  from endpoint to host, set this parameter to RETURN or ACCEPT. Use
                  RETURN if you have your own rules in the iptables "INPUT" chain;
                  Calico will insert its rules at the top of that chain, then "RETURN"
                  packets to the "INPUT" chain once it has completed processing workload
                  endpoint egress policy. Use ACCEPT to unconditionally accept packets
                  from workloads after processing workload endpoint egress policy.
                  [Default: Drop]'
                type: string
              deviceRouteProtocol:
                description: This defines the route protocol added to programmed device
                  routes, by default this will be RTPROT_BOOT when left blank.
                type: integer
              deviceRouteSourceAddress:
                description: This is the IPv4 source address to use on programmed
                  device routes. By default the source address is left blank, leaving
                  the kernel to choose the source address used.
                type: string
              deviceRouteSourceAddressIPv6:
                description: This is the IPv6 source address to use on programmed
                  device routes. By default the source address is left blank, leaving
                  the kernel to choose the source address used.
                type: string
              disableConntrackInvalidCheck:
                type: boolean
              endpointReportingDelay:
                type: string
              endpointReportingEnabled:
                type: boolean
              # Security: CIDRs listed here are trusted to source tunnel traffic into the
              # cluster (per the description); keep the list as narrow as possible.
              externalNodesList:
                description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
                  which may source tunnel traffic and have the tunneled traffic be
                  accepted at calico nodes.
                items:
                  type: string
                type: array
              # Security: failsafe ports are allowed *irrespective of* host endpoint policy.
              # The description lists the defaults (ssh, DHCP, BGP, etcd, API server, ...);
              # audit this list (and failsafeOutboundHostPorts below) before relying on
              # HostEndpoint policy, and be aware that "none" removes the safety net that
              # keeps a misconfigured host reachable.
              failsafeInboundHostPorts:
                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
                  and CIDRs that Felix will allow incoming traffic to host endpoints
                  on irrespective of the security policy. This is useful to avoid
                  accidentally cutting off a host with incorrect configuration. For
                  back-compatibility, if the protocol is not specified, it defaults
                  to "tcp". If a CIDR is not specified, it will allow traffic from
                  all addresses. To disable all inbound host ports, use the value
                  none. The default value allows ssh access and DHCP. [Default: tcp:22,
                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
                items:
                  description: ProtoPort is combination of protocol, port, and CIDR.
                    Protocol and port must be specified.
                  properties:
                    net:
                      type: string
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              failsafeOutboundHostPorts:
                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
                  and CIDRs that Felix will allow outgoing traffic from host endpoints
                  to irrespective of the security policy. This is useful to avoid
                  accidentally cutting off a host with incorrect configuration. For
                  back-compatibility, if the protocol is not specified, it defaults
                  to "tcp". If a CIDR is not specified, it will allow traffic from
                  all addresses. To disable all outbound host ports, use the value
                  none. The default value opens etcd''s standard ports to ensure that
                  Felix does not get cut off from etcd as well as allowing DHCP and
                  DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
                  tcp:6667, udp:53, udp:67]'
                items:
                  description: ProtoPort is combination of protocol, port, and CIDR.
                    Protocol and port must be specified.
                  properties:
                    net:
                      type: string
                    port:
                      type: integer
                    protocol:
                      type: string
                  required:
                  - port
                  - protocol
                  type: object
                type: array
              featureDetectOverride:
                description: FeatureDetectOverride is used to override feature detection
                  based on auto-detected platform capabilities. Values are specified
                  in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
                  or "false" will force the feature, empty or omitted values are auto-detected.
                type: string
              featureGates:
                description: FeatureGates is used to enable or disable tech-preview
                  Calico features. Values are specified in a comma separated list
                  with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
                  This is used to enable features that are not fully production ready.
                type: string
              floatingIPs:
                description: FloatingIPs configures whether or not Felix will program
                  non-OpenStack floating IP addresses. (OpenStack-derived floating
                  IPs are always programmed, regardless of this setting.)
                enum:
                - Enabled
                - Disabled
                type: string
              genericXDPEnabled:
                description: 'GenericXDPEnabled enables Generic XDP so network cards
                  that don''t support XDP offload or driver modes can use XDP. This
                  is not recommended since it doesn''t provide better performance
                  than iptables. [Default: false]'
                type: boolean
              healthEnabled:
                type: boolean
              healthHost:
                type: string
              healthPort:
                type: integer
              healthTimeoutOverrides:
                description: HealthTimeoutOverrides allows the internal watchdog timeouts
                  of individual subcomponents to be overridden. This is useful for
                  working around "false positive" liveness timeouts that can occur
                  in particularly stressful workloads or if CPU is constrained. For
                  a list of active subcomponents, see Felix's logs.
                items:
                  properties:
                    name:
                      type: string
                    timeout:
                      type: string
                  required:
                  - name
                  - timeout
                  type: object
                type: array
              interfaceExclude:
                description: 'InterfaceExclude is a comma-separated list of interfaces
                  that Felix should exclude when monitoring for host endpoints. The
                  default value ensures that Felix ignores Kubernetes'' IPVS dummy
                  interface, which is used internally by kube-proxy. If you want to
                  exclude multiple interface names using a single value, the list
                  supports regular expressions. For regular expressions you must wrap
                  the value with ''/''. For example having values ''/^kube/,veth1''
                  will exclude all interfaces that begin with ''kube'' and also the
                  interface ''veth1''. [Default: kube-ipvs0]'
                type: string
              interfacePrefix:
                description: 'InterfacePrefix is the interface name prefix that identifies
                  workload endpoints and so distinguishes them from host endpoint
                  interfaces. Note: in environments other than bare metal, the orchestrators
                  configure this appropriately. For example our Kubernetes and Docker
                  integrations set the ''cali'' value, and our OpenStack integration
                  sets the ''tap'' value. [Default: cali]'
                type: string
              interfaceRefreshInterval:
                description: InterfaceRefreshInterval is the period at which Felix
                  rescans local interfaces to verify their state. The rescan can be
                  disabled by setting the interval to 0.
                type: string
              ipipEnabled:
                description: 'IPIPEnabled overrides whether Felix should configure
                  an IPIP interface on the host. Optional as Felix determines this
                  based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              ipipMTU:
                description: 'IPIPMTU is the MTU to set on the tunnel device. See
                  Configuring MTU [Default: 1440]'
                type: integer
              # The *RefreshInterval fields below are Felix's self-healing loops: they
              # re-check dataplane state (ipsets, iptables, routes, XDP) and repair it if
              # another process has changed it. Setting any of them to 0 disables that
              # repair; the descriptions give the default periods.
              ipsetsRefreshInterval:
                description: 'IpsetsRefreshInterval is the period at which Felix re-checks
                  all iptables state to ensure that no other process has accidentally
                  broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
                  90s]'
                type: string
              iptablesBackend:
                description: IptablesBackend specifies which backend of iptables will
                  be used. The default is Auto.
                type: string
              iptablesFilterAllowAction:
                type: string
              iptablesFilterDenyAction:
                description: IptablesFilterDenyAction controls what happens to traffic
                  that is denied by network policy. By default Calico blocks traffic
                  with an iptables "DROP" action. If you want to use "REJECT" action
                  instead you can configure it in here.
                type: string
              iptablesLockFilePath:
                description: 'IptablesLockFilePath is the location of the iptables
                  lock file. You may need to change this if the lock file is not in
                  its standard location (for example if you have mapped it into Felix''s
                  container at a different path). [Default: /run/xtables.lock]'
                type: string
              iptablesLockProbeInterval:
                description: 'IptablesLockProbeInterval is the time that Felix will
                  wait between attempts to acquire the iptables lock if it is not
                  available. Lower values make Felix more responsive when the lock
                  is contended, but use more CPU. [Default: 50ms]'
                type: string
              iptablesLockTimeout:
                description: 'IptablesLockTimeout is the time that Felix will wait
                  for the iptables lock, or 0, to disable. To use this feature, Felix
                  must share the iptables lock file with all other processes that
                  also take the lock. When running Felix inside a container, this
                  requires the /run directory of the host to be mounted into the calico/node
                  or calico/felix container. [Default: 0s disabled]'
                type: string
              iptablesMangleAllowAction:
                type: string
              iptablesMarkMask:
                description: 'IptablesMarkMask is the mask that Felix selects its
                  IPTables Mark bits from. Should be a 32 bit hexadecimal number with
                  at least 8 bits set, none of which clash with any other mark bits
                  in use on the system. [Default: 0xff000000]'
                format: int32
                type: integer
              iptablesNATOutgoingInterfaceFilter:
                type: string
              iptablesPostWriteCheckInterval:
                description: 'IptablesPostWriteCheckInterval is the period after Felix
                  has done a write to the dataplane that it schedules an extra read
                  back in order to check the write was not clobbered by another process.
                  This should only occur if another application on the system doesn''t
                  respect the iptables lock. [Default: 1s]'
                type: string
              iptablesRefreshInterval:
                description: 'IptablesRefreshInterval is the period at which Felix
                  re-checks the IP sets in the dataplane to ensure that no other process
                  has accidentally broken Calico''s rules. Set to 0 to disable IP
                  sets refresh. Note: the default for this value is lower than the
                  other refresh intervals as a workaround for a Linux kernel bug that
                  was fixed in kernel version 4.11. If you are using v4.11 or greater
                  you may want to set this to, a higher value to reduce Felix CPU
                  usage. [Default: 10s]'
                type: string
              ipv6Support:
                description: IPv6Support controls whether Felix enables support for
                  IPv6 (if supported by the in-use dataplane).
                type: boolean
              kubeNodePortRanges:
                description: 'KubeNodePortRanges holds list of port ranges used for
                  service node ports. Only used if felix detects kube-proxy running
                  in ipvs mode. Felix uses these ranges to separate host and workload
                  traffic. [Default: 30000:32767].'
                items:
                  anyOf:
                  - type: integer
                  - type: string
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                type: array
              logDebugFilenameRegex:
                description: LogDebugFilenameRegex controls which source code files
                  have their Debug log output included in the logs. Only logs from
                  files with names that match the given regular expression are included. The
                  filter only applies to Debug level logs.
                type: string
              logFilePath:
                description: 'LogFilePath is the full path to the Felix log. Set to
                  none to disable file logging. [Default: /var/log/calico/felix.log]'
                type: string
              logPrefix:
                description: 'LogPrefix is the log prefix that Felix uses when rendering
                  LOG rules. [Default: calico-packet]'
                type: string
              logSeverityFile:
                description: 'LogSeverityFile is the log severity above which logs
                  are sent to the log file. [Default: Info]'
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs
                  are sent to the stdout. [Default: Info]'
                type: string
              logSeveritySys:
                description: 'LogSeveritySys is the log severity above which logs
                  are sent to the syslog. Set to None for no logging to syslog. [Default:
                  Info]'
                type: string
              maxIpsetSize:
                type: integer
              # OpenStack metadata path: together with metadataPort this describes a NAT
              # rule from the link-local metadata address 169.254.169.254:80 to
              # MetadataAddr:MetadataPort (see the metadataPort description). Whether Felix
              # programs that rule on non-OpenStack hosts is not stated in this schema;
              # confirm against the Felix documentation before relying on either behaviour.
              metadataAddr:
                description: 'MetadataAddr is the IP address or domain name of the
                  server that can answer VM queries for cloud-init metadata. In OpenStack,
                  this corresponds to the machine running nova-api (or in Ubuntu,
                  nova-api-metadata). A value of none (case insensitive) means that
                  Felix should not set up any NAT rule for the metadata path. [Default:
                  127.0.0.1]'
                type: string
              metadataPort:
                description: 'MetadataPort is the port of the metadata server. This,
                  combined with global.MetadataAddr (if not ''None''), is used to
                  set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
                  In most cases this should not need to be changed [Default: 8775].'
                type: integer
              mtuIfacePattern:
                description: MTUIfacePattern is a regular expression that controls
                  which interfaces Felix should scan in order to calculate the host's
                  MTU. This should not match workload interfaces (usually named cali...).
                type: string
              natOutgoingAddress:
                description: NATOutgoingAddress specifies an address to use when performing
                  source NAT for traffic in a natOutgoing pool that is leaving the
                  network. By default the address used is an address on the interface
                  the traffic is leaving on (ie it uses the iptables MASQUERADE target)
                type: string
              natPortRange:
                anyOf:
                - type: integer
                - type: string
                description: NATPortRange specifies the range of ports that is used
                  for port mapping when doing outgoing NAT. When unset the default
                  behavior of the network stack is used.
                pattern: ^.*
                x-kubernetes-int-or-string: true
              netlinkTimeout:
                type: string
              openstackRegion:
                description: 'OpenstackRegion is the name of the region that a particular
                  Felix belongs to. In a multi-region Calico/OpenStack deployment,
                  this must be configured somehow for each Felix (here in the datamodel,
                  or in felix.cfg or the environment on each compute node), and must
                  match the [calico] openstack_region value configured in neutron.conf
                  on each node. [Default: Empty]'
                type: string
              policySyncPathPrefix:
                description: 'PolicySyncPathPrefix is used to by Felix to communicate
                  policy changes to external services, like Application layer policy.
                  [Default: Empty]'
                type: string
              prometheusGoMetricsEnabled:
                description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
                  collection, which the Prometheus client does by default, when set
                  to false. This reduces the number of metrics reported, reducing
                  Prometheus load. [Default: true]'
                type: boolean
              prometheusMetricsEnabled:
                description: 'PrometheusMetricsEnabled enables the Prometheus metrics
                  server in Felix if set to true. [Default: false]'
                type: boolean
              # The description gives the default as "empty" but does not say which
              # address an empty host binds to; confirm before enabling
              # prometheusMetricsEnabled on a multi-homed node so the metrics port is not
              # exposed more widely than intended.
              prometheusMetricsHost:
                description: 'PrometheusMetricsHost is the host that the Prometheus
                  metrics server should bind to. [Default: empty]'
                type: string
              prometheusMetricsPort:
                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
                  metrics server should bind to. [Default: 9091]'
                type: integer
              prometheusProcessMetricsEnabled:
                description: 'PrometheusProcessMetricsEnabled disables process metrics
                  collection, which the Prometheus client does by default, when set
                  to false. This reduces the number of metrics reported, reducing
                  Prometheus load. [Default: true]'
                type: boolean
              prometheusWireGuardMetricsEnabled:
                description: 'PrometheusWireGuardMetricsEnabled disables wireguard
                  metrics collection, which the Prometheus client does by default,
                  when set to false. This reduces the number of metrics reported,
                  reducing Prometheus load. [Default: true]'
                type: boolean
              removeExternalRoutes:
                description: Whether or not to remove device routes that have not
                  been programmed by Felix. Disabling this will allow external applications
                  to also add device routes. This is enabled by default which means
                  we will remove externally added routes.
                type: boolean
              reportingInterval:
                description: 'ReportingInterval is the interval at which Felix reports
                  its status into the datastore or 0 to disable. Must be non-zero
                  in OpenStack deployments. [Default: 30s]'
                type: string
              reportingTTL:
                description: 'ReportingTTL is the time-to-live setting for process-wide
                  status reports. [Default: 90s]'
                type: string
              routeRefreshInterval:
                description: 'RouteRefreshInterval is the period at which Felix re-checks
                  the routes in the dataplane to ensure that no other process has
                  accidentally broken Calico''s rules. Set to 0 to disable route refresh.
                  [Default: 90s]'
                type: string
              routeSource:
                description: 'RouteSource configures where Felix gets its routing
                  information. - WorkloadIPs: use workload endpoints to construct
                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                type: string
              routeSyncDisabled:
                description: RouteSyncDisabled will disable all operations performed
                  on the route table. Set to true to run in network-policy mode only.
                type: boolean
              routeTableRange:
                description: Deprecated in favor of RouteTableRanges. Calico programs
                  additional Linux route tables for various purposes. RouteTableRange
                  specifies the indices of the route tables that Calico should use.
                properties:
                  max:
                    type: integer
                  min:
                    type: integer
                required:
                - max
                - min
                type: object
              routeTableRanges:
                description: Calico programs additional Linux route tables for various
                  purposes. RouteTableRanges specifies a set of table index ranges
                  that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
                items:
                  properties:
                    max:
                      type: integer
                    min:
                      type: integer
                  required:
                  - max
                  - min
                  type: object
                type: array
              serviceLoopPrevention:
                description: 'When service IP advertisement is enabled, prevent routing
                  loops to service IPs that are not in use, by dropping or rejecting
                  packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
                  in which case such routing loops continue to be allowed. [Default:
                  Drop]'
                type: string
              sidecarAccelerationEnabled:
                description: 'SidecarAccelerationEnabled enables experimental sidecar
                  acceleration [Default: false]'
                type: boolean
              # Egress/telemetry: per the description this is on by default and sends an
              # anonymous version and cluster-size report to projectcalico.org at the
              # usageReportingInterval below. Set it to false in clusters with restricted
              # egress or where outbound telemetry is not permitted.
              usageReportingEnabled:
                description: 'UsageReportingEnabled reports anonymous Calico version
                  number and cluster size to projectcalico.org. Logs warnings returned
                  by the usage server. For example, if a significant security vulnerability
                  has been discovered in the version of Calico being used. [Default:
                  true]'
                type: boolean
              usageReportingInitialDelay:
                description: 'UsageReportingInitialDelay controls the minimum delay
                  before Felix makes a report. [Default: 300s]'
                type: string
              usageReportingInterval:
                description: 'UsageReportingInterval controls the interval at which
                  Felix makes reports. [Default: 86400s]'
                type: string
              useInternalDataplaneDriver:
                description: UseInternalDataplaneDriver, if true, Felix will use its
                  internal dataplane programming logic. If false, it will launch
                  an external dataplane driver and communicate with it over protobuf.
                type: boolean
              vxlanEnabled:
                description: 'VXLANEnabled overrides whether Felix should create the
                  VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
                  determines this based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              vxlanMTU:
                description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
                  device. See Configuring MTU [Default: 1410]'
                type: integer
              vxlanMTUV6:
                description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
                  device. See Configuring MTU [Default: 1390]'
                type: integer
              vxlanPort:
                type: integer
              vxlanVNI:
                type: integer
              # Encryption in transit: WireGuard is off by default for IPv4 and IPv6, and
              # wireguardHostEncryptionEnabled (host-to-host) is off as well. Enable these
              # where pod-to-pod traffic crosses a network you do not control.
              wireguardEnabled:
                description: 'WireguardEnabled controls whether Wireguard is enabled
                  for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
                  [Default: false]'
                type: boolean
              wireguardEnabledV6:
                description: 'WireguardEnabledV6 controls whether Wireguard is enabled
                  for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
                  [Default: false]'
                type: boolean
              wireguardHostEncryptionEnabled:
                description: 'WireguardHostEncryptionEnabled controls whether Wireguard
                  host-to-host encryption is enabled. [Default: false]'
                type: boolean
              wireguardInterfaceName:
                description: 'WireguardInterfaceName specifies the name to use for
                  the IPv4 Wireguard interface. [Default: wireguard.cali]'
                type: string
              wireguardInterfaceNameV6:
                description: 'WireguardInterfaceNameV6 specifies the name to use for
                  the IPv6 Wireguard interface. [Default: wg-v6.cali]'
                type: string
              wireguardKeepAlive:
                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
                  option. Set 0 to disable. [Default: 0]'
                type: string
              wireguardListeningPort:
                description: 'WireguardListeningPort controls the listening port used
                  by IPv4 Wireguard. [Default: 51820]'
                type: integer
              wireguardListeningPortV6:
                description: 'WireguardListeningPortV6 controls the listening port
                  used by IPv6 Wireguard. [Default: 51821]'
                type: integer
              wireguardMTU:
                description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
                  interface. See Configuring MTU [Default: 1440]'
                type: integer
              wireguardMTUV6:
                description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
                  interface. See Configuring MTU [Default: 1420]'
                type: integer
              wireguardRoutingRulePriority:
                description: 'WireguardRoutingRulePriority controls the priority value
                  to use for the Wireguard routing rule. [Default: 99]'
                type: integer
              # Security: "Any" lets a pod use the allowedSourcePrefixes annotation to send
              # traffic with a source address that is not its own (per the description).
              # It is disabled by default; leave it so unless a workload has a documented
              # need for source-address spoofing.
              workloadSourceSpoofing:
                description: WorkloadSourceSpoofing controls whether pods can use
                  the allowedSourcePrefixes annotation to send traffic with a source
                  IP address that is not theirs. This is disabled by default. When
                  set to "Any", pods can request any prefix.
                type: string
              xdpEnabled:
                description: 'XDPEnabled enables XDP acceleration for suitable untracked
                  incoming deny rules. [Default: true]'
                type: boolean
              xdpRefreshInterval:
                description: 'XDPRefreshInterval is the period at which Felix re-checks
                  all XDP state to ensure that no other process has accidentally broken
                  Calico''s BPF maps or attached programs. Set to 0 to disable XDP
                  refresh. [Default: 90s]'
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: GlobalNetworkPolicy
    listKind: GlobalNetworkPolicyList
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
  preserveUnknownFields: false
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              applyOnForward:
                description: ApplyOnForward indicates to apply the rules in this policy
                  on forward traffic.
                type: boolean
              doNotTrack:
                description: DoNotTrack indicates whether packets matched by the rules
                  in this policy should go through the data plane's connection tracking,
                  such as Linux conntrack.
If True, the rules in this policy are 1746 applied before any data plane connection tracking, and packets allowed 1747 by this policy are marked as not to be tracked. 1748 type: boolean 1749 egress: 1750 description: The ordered set of egress rules. Each rule contains 1751 a set of packet match criteria and a corresponding action to apply. 1752 items: 1753 description: "A Rule encapsulates a set of match criteria and an 1754 action. Both selector-based security Policy and security Profiles 1755 reference rules - separated out as a list of rules for both ingress 1756 and egress packet matching. \n Each positive match criteria has 1757 a negated version, prefixed with \"Not\". All the match criteria 1758 within a rule must be satisfied for a packet to match. A single 1759 rule can contain the positive and negative version of a match 1760 and both must be satisfied for the rule to match." 1761 properties: 1762 action: 1763 type: string 1764 destination: 1765 description: Destination contains the match criteria that apply 1766 to destination entity. 1767 properties: 1768 namespaceSelector: 1769 description: "NamespaceSelector is an optional field that 1770 contains a selector expression. Only traffic that originates 1771 from (or terminates at) endpoints within the selected 1772 namespaces will be matched. When both NamespaceSelector 1773 and another selector are defined on the same rule, then 1774 only workload endpoints that are matched by both selectors 1775 will be selected by the rule. \n For NetworkPolicy, an 1776 empty NamespaceSelector implies that the Selector is limited 1777 to selecting only workload endpoints in the same namespace 1778 as the NetworkPolicy. \n For NetworkPolicy, `global()` 1779 NamespaceSelector implies that the Selector is limited 1780 to selecting only GlobalNetworkSet or HostEndpoint. \n 1781 For GlobalNetworkPolicy, an empty NamespaceSelector implies 1782 the Selector applies to workload endpoints across all 1783 namespaces." 
1784 type: string 1785 nets: 1786 description: Nets is an optional field that restricts the 1787 rule to only apply to traffic that originates from (or 1788 terminates at) IP addresses in any of the given subnets. 1789 items: 1790 type: string 1791 type: array 1792 notNets: 1793 description: NotNets is the negated version of the Nets 1794 field. 1795 items: 1796 type: string 1797 type: array 1798 notPorts: 1799 description: NotPorts is the negated version of the Ports 1800 field. Since only some protocols have ports, if any ports 1801 are specified it requires the Protocol match in the Rule 1802 to be set to "TCP" or "UDP". 1803 items: 1804 anyOf: 1805 - type: integer 1806 - type: string 1807 pattern: ^.* 1808 x-kubernetes-int-or-string: true 1809 type: array 1810 notSelector: 1811 description: NotSelector is the negated version of the Selector 1812 field. See Selector field for subtleties with negated 1813 selectors. 1814 type: string 1815 ports: 1816 description: "Ports is an optional field that restricts 1817 the rule to only apply to traffic that has a source (destination) 1818 port that matches one of these ranges/values. This value 1819 is a list of integers or strings that represent ranges 1820 of ports. \n Since only some protocols have ports, if 1821 any ports are specified it requires the Protocol match 1822 in the Rule to be set to \"TCP\" or \"UDP\"." 1823 items: 1824 anyOf: 1825 - type: integer 1826 - type: string 1827 pattern: ^.* 1828 x-kubernetes-int-or-string: true 1829 type: array 1830 selector: 1831 description: "Selector is an optional field that contains 1832 a selector expression (see Policy for sample syntax). 1833 \ Only traffic that originates from (terminates at) endpoints 1834 matching the selector will be matched. \n Note that: in 1835 addition to the negated version of the Selector (see NotSelector 1836 below), the selector expression syntax itself supports 1837 negation. The two types of negation are subtly different. 
1838 One negates the set of matched endpoints, the other negates 1839 the whole match: \n \tSelector = \"!has(my_label)\" matches 1840 packets that are from other Calico-controlled \tendpoints 1841 that do not have the label \"my_label\". \n \tNotSelector 1842 = \"has(my_label)\" matches packets that are not from 1843 Calico-controlled \tendpoints that do have the label \"my_label\". 1844 \n The effect is that the latter will accept packets from 1845 non-Calico sources whereas the former is limited to packets 1846 from Calico-controlled endpoints." 1847 type: string 1848 serviceAccounts: 1849 description: ServiceAccounts is an optional field that restricts 1850 the rule to only apply to traffic that originates from 1851 (or terminates at) a pod running as a matching service 1852 account. 1853 properties: 1854 names: 1855 description: Names is an optional field that restricts 1856 the rule to only apply to traffic that originates 1857 from (or terminates at) a pod running as a service 1858 account whose name is in the list. 1859 items: 1860 type: string 1861 type: array 1862 selector: 1863 description: Selector is an optional field that restricts 1864 the rule to only apply to traffic that originates 1865 from (or terminates at) a pod running as a service 1866 account that matches the given label selector. If 1867 both Names and Selector are specified then they are 1868 AND'ed. 1869 type: string 1870 type: object 1871 services: 1872 description: "Services is an optional field that contains 1873 options for matching Kubernetes Services. If specified, 1874 only traffic that originates from or terminates at endpoints 1875 within the selected service(s) will be matched, and only 1876 to/from each endpoint's port. \n Services cannot be specified 1877 on the same rule as Selector, NotSelector, NamespaceSelector, 1878 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 1879 can only be specified with Services on ingress rules." 
1880 properties: 1881 name: 1882 description: Name specifies the name of a Kubernetes 1883 Service to match. 1884 type: string 1885 namespace: 1886 description: Namespace specifies the namespace of the 1887 given Service. If left empty, the rule will match 1888 within this policy's namespace. 1889 type: string 1890 type: object 1891 type: object 1892 http: 1893 description: HTTP contains match criteria that apply to HTTP 1894 requests. 1895 properties: 1896 methods: 1897 description: Methods is an optional field that restricts 1898 the rule to apply only to HTTP requests that use one of 1899 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 1900 methods are OR'd together. 1901 items: 1902 type: string 1903 type: array 1904 paths: 1905 description: 'Paths is an optional field that restricts 1906 the rule to apply to HTTP requests that use one of the 1907 listed HTTP Paths. Multiple paths are OR''d together. 1908 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 1909 ONLY specify either a `exact` or a `prefix` match. The 1910 validator will check for it.' 1911 items: 1912 description: 'HTTPPath specifies an HTTP path to match. 1913 It may be either of the form: exact: <path>: which matches 1914 the path exactly or prefix: <path-prefix>: which matches 1915 the path prefix' 1916 properties: 1917 exact: 1918 type: string 1919 prefix: 1920 type: string 1921 type: object 1922 type: array 1923 type: object 1924 icmp: 1925 description: ICMP is an optional field that restricts the rule 1926 to apply to a specific type and code of ICMP traffic. This 1927 should only be specified if the Protocol field is set to "ICMP" 1928 or "ICMPv6". 1929 properties: 1930 code: 1931 description: Match on a specific ICMP code. If specified, 1932 the Type value must also be specified. This is a technical 1933 limitation imposed by the kernel's iptables firewall, 1934 which Calico uses to enforce the rule. 1935 type: integer 1936 type: 1937 description: Match on a specific ICMP type. 
For example 1938 a value of 8 refers to ICMP Echo Request (i.e. pings). 1939 type: integer 1940 type: object 1941 ipVersion: 1942 description: IPVersion is an optional field that restricts the 1943 rule to only match a specific IP version. 1944 type: integer 1945 metadata: 1946 description: Metadata contains additional information for this 1947 rule 1948 properties: 1949 annotations: 1950 additionalProperties: 1951 type: string 1952 description: Annotations is a set of key value pairs that 1953 give extra information about the rule 1954 type: object 1955 type: object 1956 notICMP: 1957 description: NotICMP is the negated version of the ICMP field. 1958 properties: 1959 code: 1960 description: Match on a specific ICMP code. If specified, 1961 the Type value must also be specified. This is a technical 1962 limitation imposed by the kernel's iptables firewall, 1963 which Calico uses to enforce the rule. 1964 type: integer 1965 type: 1966 description: Match on a specific ICMP type. For example 1967 a value of 8 refers to ICMP Echo Request (i.e. pings). 1968 type: integer 1969 type: object 1970 notProtocol: 1971 anyOf: 1972 - type: integer 1973 - type: string 1974 description: NotProtocol is the negated version of the Protocol 1975 field. 1976 pattern: ^.* 1977 x-kubernetes-int-or-string: true 1978 protocol: 1979 anyOf: 1980 - type: integer 1981 - type: string 1982 description: "Protocol is an optional field that restricts the 1983 rule to only apply to traffic of a specific IP protocol. Required 1984 if any of the EntityRules contain Ports (because ports only 1985 apply to certain protocols). \n Must be one of these string 1986 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 1987 \"UDPLite\" or an integer in the range 1-255." 1988 pattern: ^.* 1989 x-kubernetes-int-or-string: true 1990 source: 1991 description: Source contains the match criteria that apply to 1992 source entity. 
1993 properties: 1994 namespaceSelector: 1995 description: "NamespaceSelector is an optional field that 1996 contains a selector expression. Only traffic that originates 1997 from (or terminates at) endpoints within the selected 1998 namespaces will be matched. When both NamespaceSelector 1999 and another selector are defined on the same rule, then 2000 only workload endpoints that are matched by both selectors 2001 will be selected by the rule. \n For NetworkPolicy, an 2002 empty NamespaceSelector implies that the Selector is limited 2003 to selecting only workload endpoints in the same namespace 2004 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2005 NamespaceSelector implies that the Selector is limited 2006 to selecting only GlobalNetworkSet or HostEndpoint. \n 2007 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2008 the Selector applies to workload endpoints across all 2009 namespaces." 2010 type: string 2011 nets: 2012 description: Nets is an optional field that restricts the 2013 rule to only apply to traffic that originates from (or 2014 terminates at) IP addresses in any of the given subnets. 2015 items: 2016 type: string 2017 type: array 2018 notNets: 2019 description: NotNets is the negated version of the Nets 2020 field. 2021 items: 2022 type: string 2023 type: array 2024 notPorts: 2025 description: NotPorts is the negated version of the Ports 2026 field. Since only some protocols have ports, if any ports 2027 are specified it requires the Protocol match in the Rule 2028 to be set to "TCP" or "UDP". 2029 items: 2030 anyOf: 2031 - type: integer 2032 - type: string 2033 pattern: ^.* 2034 x-kubernetes-int-or-string: true 2035 type: array 2036 notSelector: 2037 description: NotSelector is the negated version of the Selector 2038 field. See Selector field for subtleties with negated 2039 selectors. 
2040 type: string 2041 ports: 2042 description: "Ports is an optional field that restricts 2043 the rule to only apply to traffic that has a source (destination) 2044 port that matches one of these ranges/values. This value 2045 is a list of integers or strings that represent ranges 2046 of ports. \n Since only some protocols have ports, if 2047 any ports are specified it requires the Protocol match 2048 in the Rule to be set to \"TCP\" or \"UDP\"." 2049 items: 2050 anyOf: 2051 - type: integer 2052 - type: string 2053 pattern: ^.* 2054 x-kubernetes-int-or-string: true 2055 type: array 2056 selector: 2057 description: "Selector is an optional field that contains 2058 a selector expression (see Policy for sample syntax). 2059 \ Only traffic that originates from (terminates at) endpoints 2060 matching the selector will be matched. \n Note that: in 2061 addition to the negated version of the Selector (see NotSelector 2062 below), the selector expression syntax itself supports 2063 negation. The two types of negation are subtly different. 2064 One negates the set of matched endpoints, the other negates 2065 the whole match: \n \tSelector = \"!has(my_label)\" matches 2066 packets that are from other Calico-controlled \tendpoints 2067 that do not have the label \"my_label\". \n \tNotSelector 2068 = \"has(my_label)\" matches packets that are not from 2069 Calico-controlled \tendpoints that do have the label \"my_label\". 2070 \n The effect is that the latter will accept packets from 2071 non-Calico sources whereas the former is limited to packets 2072 from Calico-controlled endpoints." 2073 type: string 2074 serviceAccounts: 2075 description: ServiceAccounts is an optional field that restricts 2076 the rule to only apply to traffic that originates from 2077 (or terminates at) a pod running as a matching service 2078 account. 
2079 properties: 2080 names: 2081 description: Names is an optional field that restricts 2082 the rule to only apply to traffic that originates 2083 from (or terminates at) a pod running as a service 2084 account whose name is in the list. 2085 items: 2086 type: string 2087 type: array 2088 selector: 2089 description: Selector is an optional field that restricts 2090 the rule to only apply to traffic that originates 2091 from (or terminates at) a pod running as a service 2092 account that matches the given label selector. If 2093 both Names and Selector are specified then they are 2094 AND'ed. 2095 type: string 2096 type: object 2097 services: 2098 description: "Services is an optional field that contains 2099 options for matching Kubernetes Services. If specified, 2100 only traffic that originates from or terminates at endpoints 2101 within the selected service(s) will be matched, and only 2102 to/from each endpoint's port. \n Services cannot be specified 2103 on the same rule as Selector, NotSelector, NamespaceSelector, 2104 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2105 can only be specified with Services on ingress rules." 2106 properties: 2107 name: 2108 description: Name specifies the name of a Kubernetes 2109 Service to match. 2110 type: string 2111 namespace: 2112 description: Namespace specifies the namespace of the 2113 given Service. If left empty, the rule will match 2114 within this policy's namespace. 2115 type: string 2116 type: object 2117 type: object 2118 required: 2119 - action 2120 type: object 2121 type: array 2122 ingress: 2123 description: The ordered set of ingress rules. Each rule contains 2124 a set of packet match criteria and a corresponding action to apply. 2125 items: 2126 description: "A Rule encapsulates a set of match criteria and an 2127 action. Both selector-based security Policy and security Profiles 2128 reference rules - separated out as a list of rules for both ingress 2129 and egress packet matching. 
\n Each positive match criteria has 2130 a negated version, prefixed with \"Not\". All the match criteria 2131 within a rule must be satisfied for a packet to match. A single 2132 rule can contain the positive and negative version of a match 2133 and both must be satisfied for the rule to match." 2134 properties: 2135 action: 2136 type: string 2137 destination: 2138 description: Destination contains the match criteria that apply 2139 to destination entity. 2140 properties: 2141 namespaceSelector: 2142 description: "NamespaceSelector is an optional field that 2143 contains a selector expression. Only traffic that originates 2144 from (or terminates at) endpoints within the selected 2145 namespaces will be matched. When both NamespaceSelector 2146 and another selector are defined on the same rule, then 2147 only workload endpoints that are matched by both selectors 2148 will be selected by the rule. \n For NetworkPolicy, an 2149 empty NamespaceSelector implies that the Selector is limited 2150 to selecting only workload endpoints in the same namespace 2151 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2152 NamespaceSelector implies that the Selector is limited 2153 to selecting only GlobalNetworkSet or HostEndpoint. \n 2154 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2155 the Selector applies to workload endpoints across all 2156 namespaces." 2157 type: string 2158 nets: 2159 description: Nets is an optional field that restricts the 2160 rule to only apply to traffic that originates from (or 2161 terminates at) IP addresses in any of the given subnets. 2162 items: 2163 type: string 2164 type: array 2165 notNets: 2166 description: NotNets is the negated version of the Nets 2167 field. 2168 items: 2169 type: string 2170 type: array 2171 notPorts: 2172 description: NotPorts is the negated version of the Ports 2173 field. 
Since only some protocols have ports, if any ports 2174 are specified it requires the Protocol match in the Rule 2175 to be set to "TCP" or "UDP". 2176 items: 2177 anyOf: 2178 - type: integer 2179 - type: string 2180 pattern: ^.* 2181 x-kubernetes-int-or-string: true 2182 type: array 2183 notSelector: 2184 description: NotSelector is the negated version of the Selector 2185 field. See Selector field for subtleties with negated 2186 selectors. 2187 type: string 2188 ports: 2189 description: "Ports is an optional field that restricts 2190 the rule to only apply to traffic that has a source (destination) 2191 port that matches one of these ranges/values. This value 2192 is a list of integers or strings that represent ranges 2193 of ports. \n Since only some protocols have ports, if 2194 any ports are specified it requires the Protocol match 2195 in the Rule to be set to \"TCP\" or \"UDP\"." 2196 items: 2197 anyOf: 2198 - type: integer 2199 - type: string 2200 pattern: ^.* 2201 x-kubernetes-int-or-string: true 2202 type: array 2203 selector: 2204 description: "Selector is an optional field that contains 2205 a selector expression (see Policy for sample syntax). 2206 \ Only traffic that originates from (terminates at) endpoints 2207 matching the selector will be matched. \n Note that: in 2208 addition to the negated version of the Selector (see NotSelector 2209 below), the selector expression syntax itself supports 2210 negation. The two types of negation are subtly different. 2211 One negates the set of matched endpoints, the other negates 2212 the whole match: \n \tSelector = \"!has(my_label)\" matches 2213 packets that are from other Calico-controlled \tendpoints 2214 that do not have the label \"my_label\". \n \tNotSelector 2215 = \"has(my_label)\" matches packets that are not from 2216 Calico-controlled \tendpoints that do have the label \"my_label\". 
2217 \n The effect is that the latter will accept packets from 2218 non-Calico sources whereas the former is limited to packets 2219 from Calico-controlled endpoints." 2220 type: string 2221 serviceAccounts: 2222 description: ServiceAccounts is an optional field that restricts 2223 the rule to only apply to traffic that originates from 2224 (or terminates at) a pod running as a matching service 2225 account. 2226 properties: 2227 names: 2228 description: Names is an optional field that restricts 2229 the rule to only apply to traffic that originates 2230 from (or terminates at) a pod running as a service 2231 account whose name is in the list. 2232 items: 2233 type: string 2234 type: array 2235 selector: 2236 description: Selector is an optional field that restricts 2237 the rule to only apply to traffic that originates 2238 from (or terminates at) a pod running as a service 2239 account that matches the given label selector. If 2240 both Names and Selector are specified then they are 2241 AND'ed. 2242 type: string 2243 type: object 2244 services: 2245 description: "Services is an optional field that contains 2246 options for matching Kubernetes Services. If specified, 2247 only traffic that originates from or terminates at endpoints 2248 within the selected service(s) will be matched, and only 2249 to/from each endpoint's port. \n Services cannot be specified 2250 on the same rule as Selector, NotSelector, NamespaceSelector, 2251 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2252 can only be specified with Services on ingress rules." 2253 properties: 2254 name: 2255 description: Name specifies the name of a Kubernetes 2256 Service to match. 2257 type: string 2258 namespace: 2259 description: Namespace specifies the namespace of the 2260 given Service. If left empty, the rule will match 2261 within this policy's namespace. 
2262 type: string 2263 type: object 2264 type: object 2265 http: 2266 description: HTTP contains match criteria that apply to HTTP 2267 requests. 2268 properties: 2269 methods: 2270 description: Methods is an optional field that restricts 2271 the rule to apply only to HTTP requests that use one of 2272 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2273 methods are OR'd together. 2274 items: 2275 type: string 2276 type: array 2277 paths: 2278 description: 'Paths is an optional field that restricts 2279 the rule to apply to HTTP requests that use one of the 2280 listed HTTP Paths. Multiple paths are OR''d together. 2281 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2282 ONLY specify either a `exact` or a `prefix` match. The 2283 validator will check for it.' 2284 items: 2285 description: 'HTTPPath specifies an HTTP path to match. 2286 It may be either of the form: exact: <path>: which matches 2287 the path exactly or prefix: <path-prefix>: which matches 2288 the path prefix' 2289 properties: 2290 exact: 2291 type: string 2292 prefix: 2293 type: string 2294 type: object 2295 type: array 2296 type: object 2297 icmp: 2298 description: ICMP is an optional field that restricts the rule 2299 to apply to a specific type and code of ICMP traffic. This 2300 should only be specified if the Protocol field is set to "ICMP" 2301 or "ICMPv6". 2302 properties: 2303 code: 2304 description: Match on a specific ICMP code. If specified, 2305 the Type value must also be specified. This is a technical 2306 limitation imposed by the kernel's iptables firewall, 2307 which Calico uses to enforce the rule. 2308 type: integer 2309 type: 2310 description: Match on a specific ICMP type. For example 2311 a value of 8 refers to ICMP Echo Request (i.e. pings). 2312 type: integer 2313 type: object 2314 ipVersion: 2315 description: IPVersion is an optional field that restricts the 2316 rule to only match a specific IP version. 
2317 type: integer 2318 metadata: 2319 description: Metadata contains additional information for this 2320 rule 2321 properties: 2322 annotations: 2323 additionalProperties: 2324 type: string 2325 description: Annotations is a set of key value pairs that 2326 give extra information about the rule 2327 type: object 2328 type: object 2329 notICMP: 2330 description: NotICMP is the negated version of the ICMP field. 2331 properties: 2332 code: 2333 description: Match on a specific ICMP code. If specified, 2334 the Type value must also be specified. This is a technical 2335 limitation imposed by the kernel's iptables firewall, 2336 which Calico uses to enforce the rule. 2337 type: integer 2338 type: 2339 description: Match on a specific ICMP type. For example 2340 a value of 8 refers to ICMP Echo Request (i.e. pings). 2341 type: integer 2342 type: object 2343 notProtocol: 2344 anyOf: 2345 - type: integer 2346 - type: string 2347 description: NotProtocol is the negated version of the Protocol 2348 field. 2349 pattern: ^.* 2350 x-kubernetes-int-or-string: true 2351 protocol: 2352 anyOf: 2353 - type: integer 2354 - type: string 2355 description: "Protocol is an optional field that restricts the 2356 rule to only apply to traffic of a specific IP protocol. Required 2357 if any of the EntityRules contain Ports (because ports only 2358 apply to certain protocols). \n Must be one of these string 2359 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2360 \"UDPLite\" or an integer in the range 1-255." 2361 pattern: ^.* 2362 x-kubernetes-int-or-string: true 2363 source: 2364 description: Source contains the match criteria that apply to 2365 source entity. 2366 properties: 2367 namespaceSelector: 2368 description: "NamespaceSelector is an optional field that 2369 contains a selector expression. Only traffic that originates 2370 from (or terminates at) endpoints within the selected 2371 namespaces will be matched. 
When both NamespaceSelector 2372 and another selector are defined on the same rule, then 2373 only workload endpoints that are matched by both selectors 2374 will be selected by the rule. \n For NetworkPolicy, an 2375 empty NamespaceSelector implies that the Selector is limited 2376 to selecting only workload endpoints in the same namespace 2377 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2378 NamespaceSelector implies that the Selector is limited 2379 to selecting only GlobalNetworkSet or HostEndpoint. \n 2380 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2381 the Selector applies to workload endpoints across all 2382 namespaces." 2383 type: string 2384 nets: 2385 description: Nets is an optional field that restricts the 2386 rule to only apply to traffic that originates from (or 2387 terminates at) IP addresses in any of the given subnets. 2388 items: 2389 type: string 2390 type: array 2391 notNets: 2392 description: NotNets is the negated version of the Nets 2393 field. 2394 items: 2395 type: string 2396 type: array 2397 notPorts: 2398 description: NotPorts is the negated version of the Ports 2399 field. Since only some protocols have ports, if any ports 2400 are specified it requires the Protocol match in the Rule 2401 to be set to "TCP" or "UDP". 2402 items: 2403 anyOf: 2404 - type: integer 2405 - type: string 2406 pattern: ^.* 2407 x-kubernetes-int-or-string: true 2408 type: array 2409 notSelector: 2410 description: NotSelector is the negated version of the Selector 2411 field. See Selector field for subtleties with negated 2412 selectors. 2413 type: string 2414 ports: 2415 description: "Ports is an optional field that restricts 2416 the rule to only apply to traffic that has a source (destination) 2417 port that matches one of these ranges/values. This value 2418 is a list of integers or strings that represent ranges 2419 of ports. 
\n Since only some protocols have ports, if 2420 any ports are specified it requires the Protocol match 2421 in the Rule to be set to \"TCP\" or \"UDP\"." 2422 items: 2423 anyOf: 2424 - type: integer 2425 - type: string 2426 pattern: ^.* 2427 x-kubernetes-int-or-string: true 2428 type: array 2429 selector: 2430 description: "Selector is an optional field that contains 2431 a selector expression (see Policy for sample syntax). 2432 \ Only traffic that originates from (terminates at) endpoints 2433 matching the selector will be matched. \n Note that: in 2434 addition to the negated version of the Selector (see NotSelector 2435 below), the selector expression syntax itself supports 2436 negation. The two types of negation are subtly different. 2437 One negates the set of matched endpoints, the other negates 2438 the whole match: \n \tSelector = \"!has(my_label)\" matches 2439 packets that are from other Calico-controlled \tendpoints 2440 that do not have the label \"my_label\". \n \tNotSelector 2441 = \"has(my_label)\" matches packets that are not from 2442 Calico-controlled \tendpoints that do have the label \"my_label\". 2443 \n The effect is that the latter will accept packets from 2444 non-Calico sources whereas the former is limited to packets 2445 from Calico-controlled endpoints." 2446 type: string 2447 serviceAccounts: 2448 description: ServiceAccounts is an optional field that restricts 2449 the rule to only apply to traffic that originates from 2450 (or terminates at) a pod running as a matching service 2451 account. 2452 properties: 2453 names: 2454 description: Names is an optional field that restricts 2455 the rule to only apply to traffic that originates 2456 from (or terminates at) a pod running as a service 2457 account whose name is in the list. 
2458 items: 2459 type: string 2460 type: array 2461 selector: 2462 description: Selector is an optional field that restricts 2463 the rule to only apply to traffic that originates 2464 from (or terminates at) a pod running as a service 2465 account that matches the given label selector. If 2466 both Names and Selector are specified then they are 2467 AND'ed. 2468 type: string 2469 type: object 2470 services: 2471 description: "Services is an optional field that contains 2472 options for matching Kubernetes Services. If specified, 2473 only traffic that originates from or terminates at endpoints 2474 within the selected service(s) will be matched, and only 2475 to/from each endpoint's port. \n Services cannot be specified 2476 on the same rule as Selector, NotSelector, NamespaceSelector, 2477 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2478 can only be specified with Services on ingress rules." 2479 properties: 2480 name: 2481 description: Name specifies the name of a Kubernetes 2482 Service to match. 2483 type: string 2484 namespace: 2485 description: Namespace specifies the namespace of the 2486 given Service. If left empty, the rule will match 2487 within this policy's namespace. 2488 type: string 2489 type: object 2490 type: object 2491 required: 2492 - action 2493 type: object 2494 type: array 2495 namespaceSelector: 2496 description: NamespaceSelector is an optional field for an expression 2497 used to select a pod based on namespaces. 2498 type: string 2499 order: 2500 description: Order is an optional field that specifies the order in 2501 which the policy is applied. Policies with higher "order" are applied 2502 after those with lower order. If the order is omitted, it may be 2503 considered to be "infinite" - i.e. the policy will be applied last. Policies 2504 with identical order will be applied in alphanumerical order based 2505 on the Policy "Name". 
2506 type: number 2507 preDNAT: 2508 description: PreDNAT indicates to apply the rules in this policy before 2509 any DNAT. 2510 type: boolean 2511 selector: 2512 description: "The selector is an expression used to pick out 2513 the endpoints that the policy should be applied to. \n Selector 2514 expressions follow this syntax: \n \tlabel == \"string_literal\" 2515 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2516 \ -> not equal; also matches if label is not present \tlabel in 2517 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2518 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2519 ... } -> true if the value of label X is not one of \"a\", \"b\", 2520 \"c\" \thas(label_name) -> True if that label is present \t! expr 2521 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2522 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2523 or the empty selector -> matches all endpoints. \n Label names are 2524 allowed to contain alphanumerics, -, _ and /. String literals are 2525 more permissive but they do not support escape characters. \n Examples 2526 (with made-up labels): \n \ttype == \"webserver\" && deployment 2527 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2528 \"dev\" \t! has(label_name)" 2529 type: string 2530 serviceAccountSelector: 2531 description: ServiceAccountSelector is an optional field for an expression 2532 used to select a pod based on service accounts. 2533 type: string 2534 types: 2535 description: "Types indicates whether this policy applies to ingress, 2536 or to egress, or to both. When not explicitly specified (and so 2537 the value on creation is empty or nil), Calico defaults Types according 2538 to what Ingress and Egress rules are present in the policy. 
The 2539 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2540 (including the case where there are also no Ingress rules) \n 2541 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2542 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2543 both Ingress and Egress rules. \n When the policy is read back again, 2544 Types will always be one of these values, never empty or nil." 2545 items: 2546 description: PolicyType enumerates the possible values of the PolicySpec 2547 Types field. 2548 type: string 2549 type: array 2550 type: object 2551 type: object 2552 served: true 2553 storage: true 2554 status: 2555 acceptedNames: 2556 kind: "" 2557 plural: "" 2558 conditions: [] 2559 storedVersions: [] 2560 --- 2561 # Source: calico/templates/kdd-crds.yaml 2562 apiVersion: apiextensions.k8s.io/v1 2563 kind: CustomResourceDefinition 2564 metadata: 2565 name: globalnetworksets.crd.projectcalico.org 2566 spec: 2567 group: crd.projectcalico.org 2568 names: 2569 kind: GlobalNetworkSet 2570 listKind: GlobalNetworkSetList 2571 plural: globalnetworksets 2572 singular: globalnetworkset 2573 preserveUnknownFields: false 2574 scope: Cluster 2575 versions: 2576 - name: v1 2577 schema: 2578 openAPIV3Schema: 2579 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2580 that share labels to allow rules to refer to them via selectors. The labels 2581 of GlobalNetworkSet are not namespaced. 2582 properties: 2583 apiVersion: 2584 description: 'APIVersion defines the versioned schema of this representation 2585 of an object. Servers should convert recognized schemas to the latest 2586 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2587 type: string 2588 kind: 2589 description: 'Kind is a string value representing the REST resource this 2590 object represents. 
Servers may infer this from the endpoint the client 2591 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2592 type: string 2593 metadata: 2594 type: object 2595 spec: 2596 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2597 resource. 2598 properties: 2599 nets: 2600 description: The list of IP networks that belong to this set. 2601 items: 2602 type: string 2603 type: array 2604 type: object 2605 type: object 2606 served: true 2607 storage: true 2608 status: 2609 acceptedNames: 2610 kind: "" 2611 plural: "" 2612 conditions: [] 2613 storedVersions: [] 2614 --- 2615 # Source: calico/templates/kdd-crds.yaml 2616 apiVersion: apiextensions.k8s.io/v1 2617 kind: CustomResourceDefinition 2618 metadata: 2619 name: hostendpoints.crd.projectcalico.org 2620 spec: 2621 group: crd.projectcalico.org 2622 names: 2623 kind: HostEndpoint 2624 listKind: HostEndpointList 2625 plural: hostendpoints 2626 singular: hostendpoint 2627 preserveUnknownFields: false 2628 scope: Cluster 2629 versions: 2630 - name: v1 2631 schema: 2632 openAPIV3Schema: 2633 properties: 2634 apiVersion: 2635 description: 'APIVersion defines the versioned schema of this representation 2636 of an object. Servers should convert recognized schemas to the latest 2637 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2638 type: string 2639 kind: 2640 description: 'Kind is a string value representing the REST resource this 2641 object represents. Servers may infer this from the endpoint the client 2642 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2643 type: string 2644 metadata: 2645 type: object 2646 spec: 2647 description: HostEndpointSpec contains the specification for a HostEndpoint 2648 resource. 2649 properties: 2650 expectedIPs: 2651 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2652 If \"InterfaceName\" is not present, Calico will look for an interface 2653 matching any of the IPs in the list and apply policy to that. Note: 2654 \tWhen using the selector match criteria in an ingress or egress 2655 security Policy \tor Profile, Calico converts the selector into 2656 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 2657 is used for that purpose. (If only the interface \tname is specified, 2658 Calico does not learn the IPs of the interface for use in match 2659 \tcriteria.)" 2660 items: 2661 type: string 2662 type: array 2663 interfaceName: 2664 description: "Either \"*\", or the name of a specific Linux interface 2665 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2666 governs all traffic to, from or through the default network namespace 2667 of the host named by the \"Node\" field; entering and leaving that 2668 namespace via any interface, including those from/to non-host-networked 2669 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2670 only governs traffic that enters or leaves the host through the 2671 specific interface named by InterfaceName, or - when InterfaceName 2672 is empty - through the specific interface that has one of the IPs 2673 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2674 one expected IP must be specified. Only external interfaces (such 2675 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2676 to protect traffic through a specific local workload interface. 
2677 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2678 initially just pre-DNAT policy. Please check Calico documentation 2679 for the latest position." 2680 type: string 2681 node: 2682 description: The node name identifying the Calico node instance. 2683 type: string 2684 ports: 2685 description: Ports contains the endpoint's named ports, which may 2686 be referenced in security policy rules. 2687 items: 2688 properties: 2689 name: 2690 type: string 2691 port: 2692 type: integer 2693 protocol: 2694 anyOf: 2695 - type: integer 2696 - type: string 2697 pattern: ^.* 2698 x-kubernetes-int-or-string: true 2699 required: 2700 - name 2701 - port 2702 - protocol 2703 type: object 2704 type: array 2705 profiles: 2706 description: A list of identifiers of security Profile objects that 2707 apply to this endpoint. Each profile is applied in the order that 2708 they appear in this list. Profile rules are applied after the selector-based 2709 security policy. 2710 items: 2711 type: string 2712 type: array 2713 type: object 2714 type: object 2715 served: true 2716 storage: true 2717 status: 2718 acceptedNames: 2719 kind: "" 2720 plural: "" 2721 conditions: [] 2722 storedVersions: [] 2723 --- 2724 # Source: calico/templates/kdd-crds.yaml 2725 apiVersion: apiextensions.k8s.io/v1 2726 kind: CustomResourceDefinition 2727 metadata: 2728 name: ipamblocks.crd.projectcalico.org 2729 spec: 2730 group: crd.projectcalico.org 2731 names: 2732 kind: IPAMBlock 2733 listKind: IPAMBlockList 2734 plural: ipamblocks 2735 singular: ipamblock 2736 preserveUnknownFields: false 2737 scope: Cluster 2738 versions: 2739 - name: v1 2740 schema: 2741 openAPIV3Schema: 2742 properties: 2743 apiVersion: 2744 description: 'APIVersion defines the versioned schema of this representation 2745 of an object. Servers should convert recognized schemas to the latest 2746 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2747 type: string 2748 kind: 2749 description: 'Kind is a string value representing the REST resource this 2750 object represents. Servers may infer this from the endpoint the client 2751 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2752 type: string 2753 metadata: 2754 type: object 2755 spec: 2756 description: IPAMBlockSpec contains the specification for an IPAMBlock 2757 resource. 2758 properties: 2759 affinity: 2760 description: Affinity of the block, if this block has one. If set, 2761 it will be of the form "host:<hostname>". If not set, this block 2762 is not affine to a host. 2763 type: string 2764 allocations: 2765 description: Array of allocations in-use within this block. nil entries 2766 mean the allocation is free. For non-nil entries at index i, the 2767 index is the ordinal of the allocation within this block and the 2768 value is the index of the associated attributes in the Attributes 2769 array. 2770 items: 2771 type: integer 2772 # TODO: This nullable is manually added in. We should update controller-gen 2773 # to handle []*int properly itself. 2774 nullable: true 2775 type: array 2776 attributes: 2777 description: Attributes is an array of arbitrary metadata associated 2778 with allocations in the block. To find attributes for a given allocation, 2779 use the value of the allocation's entry in the Allocations array 2780 as the index of the element in this array. 2781 items: 2782 properties: 2783 handle_id: 2784 type: string 2785 secondary: 2786 additionalProperties: 2787 type: string 2788 type: object 2789 type: object 2790 type: array 2791 cidr: 2792 description: The block's CIDR. 
2793 type: string 2794 deleted: 2795 description: Deleted is an internal boolean used to workaround a limitation 2796 in the Kubernetes API whereby deletion will not return a conflict 2797 error if the block has been updated. It should not be set manually. 2798 type: boolean 2799 sequenceNumber: 2800 default: 0 2801 description: We store a sequence number that is updated each time 2802 the block is written. Each allocation will also store the sequence 2803 number of the block at the time of its creation. When releasing 2804 an IP, passing the sequence number associated with the allocation 2805 allows us to protect against a race condition and ensure the IP 2806 hasn't been released and re-allocated since the release request. 2807 format: int64 2808 type: integer 2809 sequenceNumberForAllocation: 2810 additionalProperties: 2811 format: int64 2812 type: integer 2813 description: Map of allocated ordinal within the block to sequence 2814 number of the block at the time of allocation. Kubernetes does not 2815 allow numerical keys for maps, so the key is cast to a string. 2816 type: object 2817 strictAffinity: 2818 description: StrictAffinity on the IPAMBlock is deprecated and no 2819 longer used by the code. Use IPAMConfig StrictAffinity instead. 2820 type: boolean 2821 unallocated: 2822 description: Unallocated is an ordered list of allocations which are 2823 free in the block. 
2824 items: 2825 type: integer 2826 type: array 2827 required: 2828 - allocations 2829 - attributes 2830 - cidr 2831 - strictAffinity 2832 - unallocated 2833 type: object 2834 type: object 2835 served: true 2836 storage: true 2837 status: 2838 acceptedNames: 2839 kind: "" 2840 plural: "" 2841 conditions: [] 2842 storedVersions: [] 2843 --- 2844 # Source: calico/templates/kdd-crds.yaml 2845 apiVersion: apiextensions.k8s.io/v1 2846 kind: CustomResourceDefinition 2847 metadata: 2848 name: ipamconfigs.crd.projectcalico.org 2849 spec: 2850 group: crd.projectcalico.org 2851 names: 2852 kind: IPAMConfig 2853 listKind: IPAMConfigList 2854 plural: ipamconfigs 2855 singular: ipamconfig 2856 preserveUnknownFields: false 2857 scope: Cluster 2858 versions: 2859 - name: v1 2860 schema: 2861 openAPIV3Schema: 2862 properties: 2863 apiVersion: 2864 description: 'APIVersion defines the versioned schema of this representation 2865 of an object. Servers should convert recognized schemas to the latest 2866 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2867 type: string 2868 kind: 2869 description: 'Kind is a string value representing the REST resource this 2870 object represents. Servers may infer this from the endpoint the client 2871 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2872 type: string 2873 metadata: 2874 type: object 2875 spec: 2876 description: IPAMConfigSpec contains the specification for an IPAMConfig 2877 resource. 2878 properties: 2879 autoAllocateBlocks: 2880 type: boolean 2881 maxBlocksPerHost: 2882 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 2883 that can be affine to each host. 
2884 maximum: 2147483647 2885 minimum: 0 2886 type: integer 2887 strictAffinity: 2888 type: boolean 2889 required: 2890 - autoAllocateBlocks 2891 - strictAffinity 2892 type: object 2893 type: object 2894 served: true 2895 storage: true 2896 status: 2897 acceptedNames: 2898 kind: "" 2899 plural: "" 2900 conditions: [] 2901 storedVersions: [] 2902 --- 2903 # Source: calico/templates/kdd-crds.yaml 2904 apiVersion: apiextensions.k8s.io/v1 2905 kind: CustomResourceDefinition 2906 metadata: 2907 name: ipamhandles.crd.projectcalico.org 2908 spec: 2909 group: crd.projectcalico.org 2910 names: 2911 kind: IPAMHandle 2912 listKind: IPAMHandleList 2913 plural: ipamhandles 2914 singular: ipamhandle 2915 preserveUnknownFields: false 2916 scope: Cluster 2917 versions: 2918 - name: v1 2919 schema: 2920 openAPIV3Schema: 2921 properties: 2922 apiVersion: 2923 description: 'APIVersion defines the versioned schema of this representation 2924 of an object. Servers should convert recognized schemas to the latest 2925 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2926 type: string 2927 kind: 2928 description: 'Kind is a string value representing the REST resource this 2929 object represents. Servers may infer this from the endpoint the client 2930 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2931 type: string 2932 metadata: 2933 type: object 2934 spec: 2935 description: IPAMHandleSpec contains the specification for an IPAMHandle 2936 resource. 
2937 properties: 2938 block: 2939 additionalProperties: 2940 type: integer 2941 type: object 2942 deleted: 2943 type: boolean 2944 handleID: 2945 type: string 2946 required: 2947 - block 2948 - handleID 2949 type: object 2950 type: object 2951 served: true 2952 storage: true 2953 status: 2954 acceptedNames: 2955 kind: "" 2956 plural: "" 2957 conditions: [] 2958 storedVersions: [] 2959 --- 2960 # Source: calico/templates/kdd-crds.yaml 2961 apiVersion: apiextensions.k8s.io/v1 2962 kind: CustomResourceDefinition 2963 metadata: 2964 name: ippools.crd.projectcalico.org 2965 spec: 2966 group: crd.projectcalico.org 2967 names: 2968 kind: IPPool 2969 listKind: IPPoolList 2970 plural: ippools 2971 singular: ippool 2972 preserveUnknownFields: false 2973 scope: Cluster 2974 versions: 2975 - name: v1 2976 schema: 2977 openAPIV3Schema: 2978 properties: 2979 apiVersion: 2980 description: 'APIVersion defines the versioned schema of this representation 2981 of an object. Servers should convert recognized schemas to the latest 2982 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2983 type: string 2984 kind: 2985 description: 'Kind is a string value representing the REST resource this 2986 object represents. Servers may infer this from the endpoint the client 2987 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2988 type: string 2989 metadata: 2990 type: object 2991 spec: 2992 description: IPPoolSpec contains the specification for an IPPool resource. 2993 properties: 2994 allowedUses: 2995 description: AllowedUse controls what the IP pool will be used for. 
If 2996 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 2997 items: 2998 type: string 2999 type: array 3000 blockSize: 3001 description: The block size to use for IP address assignments from 3002 this pool. Defaults to 26 for IPv4 and 122 for IPv6. 3003 type: integer 3004 cidr: 3005 description: The pool CIDR. 3006 type: string 3007 disableBGPExport: 3008 description: 'Disable exporting routes from this IP Pool''s CIDR over 3009 BGP. [Default: false]' 3010 type: boolean 3011 disabled: 3012 description: When disabled is true, Calico IPAM will not assign addresses 3013 from this pool. 3014 type: boolean 3015 ipip: 3016 description: 'Deprecated: this field is only used for APIv1 backwards 3017 compatibility. Setting this field is not allowed, this field is 3018 for internal use only.' 3019 properties: 3020 enabled: 3021 description: When enabled is true, ipip tunneling will be used 3022 to deliver packets to destinations within this pool. 3023 type: boolean 3024 mode: 3025 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 3026 mode of "always" will also use IPIP tunneling for routing to 3027 destination IP addresses within this pool. A mode of "cross-subnet" 3028 will only use IPIP tunneling when the destination node is on 3029 a different subnet to the originating node. The default value 3030 (if not specified) is "always". 3031 type: string 3032 type: object 3033 ipipMode: 3034 description: Contains configuration for IPIP tunneling for this pool. 3035 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 3036 is disabled). 3037 type: string 3038 nat-outgoing: 3039 description: 'Deprecated: this field is only used for APIv1 backwards 3040 compatibility. Setting this field is not allowed, this field is 3041 for internal use only.' 
3042 type: boolean 3043 natOutgoing: 3044 description: When natOutgoing is true, packets sent from Calico networked 3045 containers in this pool to destinations outside of this pool will 3046 be masqueraded. 3047 type: boolean 3048 nodeSelector: 3049 description: Allows IPPool to allocate for a specific node by label 3050 selector. 3051 type: string 3052 vxlanMode: 3053 description: Contains configuration for VXLAN tunneling for this pool. 3054 If not specified, then this is defaulted to "Never" (i.e. VXLAN 3055 tunneling is disabled). 3056 type: string 3057 required: 3058 - cidr 3059 type: object 3060 type: object 3061 served: true 3062 storage: true 3063 status: 3064 acceptedNames: 3065 kind: "" 3066 plural: "" 3067 conditions: [] 3068 storedVersions: [] 3069 --- 3070 # Source: calico/templates/kdd-crds.yaml 3071 apiVersion: apiextensions.k8s.io/v1 3072 kind: CustomResourceDefinition 3073 metadata: 3074 annotations: 3075 controller-gen.kubebuilder.io/version: (devel) 3076 creationTimestamp: null 3077 name: ipreservations.crd.projectcalico.org 3078 spec: 3079 group: crd.projectcalico.org 3080 names: 3081 kind: IPReservation 3082 listKind: IPReservationList 3083 plural: ipreservations 3084 singular: ipreservation 3085 preserveUnknownFields: false 3086 scope: Cluster 3087 versions: 3088 - name: v1 3089 schema: 3090 openAPIV3Schema: 3091 properties: 3092 apiVersion: 3093 description: 'APIVersion defines the versioned schema of this representation 3094 of an object. Servers should convert recognized schemas to the latest 3095 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3096 type: string 3097 kind: 3098 description: 'Kind is a string value representing the REST resource this 3099 object represents. Servers may infer this from the endpoint the client 3100 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3101 type: string 3102 metadata: 3103 type: object 3104 spec: 3105 description: IPReservationSpec contains the specification for an IPReservation 3106 resource. 3107 properties: 3108 reservedCIDRs: 3109 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 3110 that Calico IPAM will exclude from new allocations. 3111 items: 3112 type: string 3113 type: array 3114 type: object 3115 type: object 3116 served: true 3117 storage: true 3118 status: 3119 acceptedNames: 3120 kind: "" 3121 plural: "" 3122 conditions: [] 3123 storedVersions: [] 3124 --- 3125 # Source: calico/templates/kdd-crds.yaml 3126 apiVersion: apiextensions.k8s.io/v1 3127 kind: CustomResourceDefinition 3128 metadata: 3129 name: kubecontrollersconfigurations.crd.projectcalico.org 3130 spec: 3131 group: crd.projectcalico.org 3132 names: 3133 kind: KubeControllersConfiguration 3134 listKind: KubeControllersConfigurationList 3135 plural: kubecontrollersconfigurations 3136 singular: kubecontrollersconfiguration 3137 preserveUnknownFields: false 3138 scope: Cluster 3139 versions: 3140 - name: v1 3141 schema: 3142 openAPIV3Schema: 3143 properties: 3144 apiVersion: 3145 description: 'APIVersion defines the versioned schema of this representation 3146 of an object. Servers should convert recognized schemas to the latest 3147 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3148 type: string 3149 kind: 3150 description: 'Kind is a string value representing the REST resource this 3151 object represents. Servers may infer this from the endpoint the client 3152 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3153 type: string 3154 metadata: 3155 type: object 3156 spec: 3157 description: KubeControllersConfigurationSpec contains the values of the 3158 Kubernetes controllers configuration. 3159 properties: 3160 controllers: 3161 description: Controllers enables and configures individual Kubernetes 3162 controllers 3163 properties: 3164 namespace: 3165 description: Namespace enables and configures the namespace controller. 3166 Enabled by default, set to nil to disable. 3167 properties: 3168 reconcilerPeriod: 3169 description: 'ReconcilerPeriod is the period to perform reconciliation 3170 with the Calico datastore. [Default: 5m]' 3171 type: string 3172 type: object 3173 node: 3174 description: Node enables and configures the node controller. 3175 Enabled by default, set to nil to disable. 3176 properties: 3177 hostEndpoint: 3178 description: HostEndpoint controls syncing nodes to host endpoints. 3179 Disabled by default, set to nil to disable. 3180 properties: 3181 autoCreate: 3182 description: 'AutoCreate enables automatic creation of 3183 host endpoints for every node. [Default: Disabled]' 3184 type: string 3185 type: object 3186 leakGracePeriod: 3187 description: 'LeakGracePeriod is the period used by the controller 3188 to determine if an IP address has been leaked. Set to 0 3189 to disable IP garbage collection. [Default: 15m]' 3190 type: string 3191 reconcilerPeriod: 3192 description: 'ReconcilerPeriod is the period to perform reconciliation 3193 with the Calico datastore. [Default: 5m]' 3194 type: string 3195 syncLabels: 3196 description: 'SyncLabels controls whether to copy Kubernetes 3197 node labels to Calico nodes. [Default: Enabled]' 3198 type: string 3199 type: object 3200 policy: 3201 description: Policy enables and configures the policy controller. 3202 Enabled by default, set to nil to disable. 
3203 properties: 3204 reconcilerPeriod: 3205 description: 'ReconcilerPeriod is the period to perform reconciliation 3206 with the Calico datastore. [Default: 5m]' 3207 type: string 3208 type: object 3209 serviceAccount: 3210 description: ServiceAccount enables and configures the service 3211 account controller. Enabled by default, set to nil to disable. 3212 properties: 3213 reconcilerPeriod: 3214 description: 'ReconcilerPeriod is the period to perform reconciliation 3215 with the Calico datastore. [Default: 5m]' 3216 type: string 3217 type: object 3218 workloadEndpoint: 3219 description: WorkloadEndpoint enables and configures the workload 3220 endpoint controller. Enabled by default, set to nil to disable. 3221 properties: 3222 reconcilerPeriod: 3223 description: 'ReconcilerPeriod is the period to perform reconciliation 3224 with the Calico datastore. [Default: 5m]' 3225 type: string 3226 type: object 3227 type: object 3228 debugProfilePort: 3229 description: DebugProfilePort configures the port to serve memory 3230 and cpu profiles on. If not specified, profiling is disabled. 3231 format: int32 3232 type: integer 3233 etcdV3CompactionPeriod: 3234 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3235 compaction requests. Set to 0 to disable. [Default: 10m]' 3236 type: string 3237 healthChecks: 3238 description: 'HealthChecks enables or disables support for health 3239 checks [Default: Enabled]' 3240 type: string 3241 logSeverityScreen: 3242 description: 'LogSeverityScreen is the log severity above which logs 3243 are sent to the stdout. [Default: Info]' 3244 type: string 3245 prometheusMetricsPort: 3246 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3247 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 3248 type: integer 3249 required: 3250 - controllers 3251 type: object 3252 status: 3253 description: KubeControllersConfigurationStatus represents the status 3254 of the configuration. 
It's useful for admins to be able to see the actual 3255 config that was applied, which can be modified by environment variables 3256 on the kube-controllers process. 3257 properties: 3258 environmentVars: 3259 additionalProperties: 3260 type: string 3261 description: EnvironmentVars contains the environment variables on 3262 the kube-controllers that influenced the RunningConfig. 3263 type: object 3264 runningConfig: 3265 description: RunningConfig contains the effective config that is running 3266 in the kube-controllers pod, after merging the API resource with 3267 any environment variables. 3268 properties: 3269 controllers: 3270 description: Controllers enables and configures individual Kubernetes 3271 controllers 3272 properties: 3273 namespace: 3274 description: Namespace enables and configures the namespace 3275 controller. Enabled by default, set to nil to disable. 3276 properties: 3277 reconcilerPeriod: 3278 description: 'ReconcilerPeriod is the period to perform 3279 reconciliation with the Calico datastore. [Default: 3280 5m]' 3281 type: string 3282 type: object 3283 node: 3284 description: Node enables and configures the node controller. 3285 Enabled by default, set to nil to disable. 3286 properties: 3287 hostEndpoint: 3288 description: HostEndpoint controls syncing nodes to host 3289 endpoints. Disabled by default, set to nil to disable. 3290 properties: 3291 autoCreate: 3292 description: 'AutoCreate enables automatic creation 3293 of host endpoints for every node. [Default: Disabled]' 3294 type: string 3295 type: object 3296 leakGracePeriod: 3297 description: 'LeakGracePeriod is the period used by the 3298 controller to determine if an IP address has been leaked. 3299 Set to 0 to disable IP garbage collection. [Default: 3300 15m]' 3301 type: string 3302 reconcilerPeriod: 3303 description: 'ReconcilerPeriod is the period to perform 3304 reconciliation with the Calico datastore. 
[Default: 3305 5m]' 3306 type: string 3307 syncLabels: 3308 description: 'SyncLabels controls whether to copy Kubernetes 3309 node labels to Calico nodes. [Default: Enabled]' 3310 type: string 3311 type: object 3312 policy: 3313 description: Policy enables and configures the policy controller. 3314 Enabled by default, set to nil to disable. 3315 properties: 3316 reconcilerPeriod: 3317 description: 'ReconcilerPeriod is the period to perform 3318 reconciliation with the Calico datastore. [Default: 3319 5m]' 3320 type: string 3321 type: object 3322 serviceAccount: 3323 description: ServiceAccount enables and configures the service 3324 account controller. Enabled by default, set to nil to disable. 3325 properties: 3326 reconcilerPeriod: 3327 description: 'ReconcilerPeriod is the period to perform 3328 reconciliation with the Calico datastore. [Default: 3329 5m]' 3330 type: string 3331 type: object 3332 workloadEndpoint: 3333 description: WorkloadEndpoint enables and configures the workload 3334 endpoint controller. Enabled by default, set to nil to disable. 3335 properties: 3336 reconcilerPeriod: 3337 description: 'ReconcilerPeriod is the period to perform 3338 reconciliation with the Calico datastore. [Default: 3339 5m]' 3340 type: string 3341 type: object 3342 type: object 3343 debugProfilePort: 3344 description: DebugProfilePort configures the port to serve memory 3345 and cpu profiles on. If not specified, profiling is disabled. 3346 format: int32 3347 type: integer 3348 etcdV3CompactionPeriod: 3349 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3350 compaction requests. Set to 0 to disable. [Default: 10m]' 3351 type: string 3352 healthChecks: 3353 description: 'HealthChecks enables or disables support for health 3354 checks [Default: Enabled]' 3355 type: string 3356 logSeverityScreen: 3357 description: 'LogSeverityScreen is the log severity above which 3358 logs are sent to the stdout. 
[Default: Info]' 3359 type: string 3360 prometheusMetricsPort: 3361 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3362 metrics server should bind to. Set to 0 to disable. [Default: 3363 9094]' 3364 type: integer 3365 required: 3366 - controllers 3367 type: object 3368 type: object 3369 type: object 3370 served: true 3371 storage: true 3372 status: 3373 acceptedNames: 3374 kind: "" 3375 plural: "" 3376 conditions: [] 3377 storedVersions: [] 3378 --- 3379 # Source: calico/templates/kdd-crds.yaml 3380 apiVersion: apiextensions.k8s.io/v1 3381 kind: CustomResourceDefinition 3382 metadata: 3383 name: networkpolicies.crd.projectcalico.org 3384 spec: 3385 group: crd.projectcalico.org 3386 names: 3387 kind: NetworkPolicy 3388 listKind: NetworkPolicyList 3389 plural: networkpolicies 3390 singular: networkpolicy 3391 preserveUnknownFields: false 3392 scope: Namespaced 3393 versions: 3394 - name: v1 3395 schema: 3396 openAPIV3Schema: 3397 properties: 3398 apiVersion: 3399 description: 'APIVersion defines the versioned schema of this representation 3400 of an object. Servers should convert recognized schemas to the latest 3401 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3402 type: string 3403 kind: 3404 description: 'Kind is a string value representing the REST resource this 3405 object represents. Servers may infer this from the endpoint the client 3406 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3407 type: string 3408 metadata: 3409 type: object 3410 spec: 3411 properties: 3412 egress: 3413 description: The ordered set of egress rules. Each rule contains 3414 a set of packet match criteria and a corresponding action to apply. 3415 items: 3416 description: "A Rule encapsulates a set of match criteria and an 3417 action. 
Both selector-based security Policy and security Profiles 3418 reference rules - separated out as a list of rules for both ingress 3419 and egress packet matching. \n Each positive match criteria has 3420 a negated version, prefixed with \"Not\". All the match criteria 3421 within a rule must be satisfied for a packet to match. A single 3422 rule can contain the positive and negative version of a match 3423 and both must be satisfied for the rule to match." 3424 properties: 3425 action: 3426 type: string 3427 destination: 3428 description: Destination contains the match criteria that apply 3429 to destination entity. 3430 properties: 3431 namespaceSelector: 3432 description: "NamespaceSelector is an optional field that 3433 contains a selector expression. Only traffic that originates 3434 from (or terminates at) endpoints within the selected 3435 namespaces will be matched. When both NamespaceSelector 3436 and another selector are defined on the same rule, then 3437 only workload endpoints that are matched by both selectors 3438 will be selected by the rule. \n For NetworkPolicy, an 3439 empty NamespaceSelector implies that the Selector is limited 3440 to selecting only workload endpoints in the same namespace 3441 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3442 NamespaceSelector implies that the Selector is limited 3443 to selecting only GlobalNetworkSet or HostEndpoint. \n 3444 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3445 the Selector applies to workload endpoints across all 3446 namespaces." 3447 type: string 3448 nets: 3449 description: Nets is an optional field that restricts the 3450 rule to only apply to traffic that originates from (or 3451 terminates at) IP addresses in any of the given subnets. 3452 items: 3453 type: string 3454 type: array 3455 notNets: 3456 description: NotNets is the negated version of the Nets 3457 field. 
3458 items: 3459 type: string 3460 type: array 3461 notPorts: 3462 description: NotPorts is the negated version of the Ports 3463 field. Since only some protocols have ports, if any ports 3464 are specified it requires the Protocol match in the Rule 3465 to be set to "TCP" or "UDP". 3466 items: 3467 anyOf: 3468 - type: integer 3469 - type: string 3470 pattern: ^.* 3471 x-kubernetes-int-or-string: true 3472 type: array 3473 notSelector: 3474 description: NotSelector is the negated version of the Selector 3475 field. See Selector field for subtleties with negated 3476 selectors. 3477 type: string 3478 ports: 3479 description: "Ports is an optional field that restricts 3480 the rule to only apply to traffic that has a source (destination) 3481 port that matches one of these ranges/values. This value 3482 is a list of integers or strings that represent ranges 3483 of ports. \n Since only some protocols have ports, if 3484 any ports are specified it requires the Protocol match 3485 in the Rule to be set to \"TCP\" or \"UDP\"." 3486 items: 3487 anyOf: 3488 - type: integer 3489 - type: string 3490 pattern: ^.* 3491 x-kubernetes-int-or-string: true 3492 type: array 3493 selector: 3494 description: "Selector is an optional field that contains 3495 a selector expression (see Policy for sample syntax). 3496 \ Only traffic that originates from (terminates at) endpoints 3497 matching the selector will be matched. \n Note that: in 3498 addition to the negated version of the Selector (see NotSelector 3499 below), the selector expression syntax itself supports 3500 negation. The two types of negation are subtly different. 3501 One negates the set of matched endpoints, the other negates 3502 the whole match: \n \tSelector = \"!has(my_label)\" matches 3503 packets that are from other Calico-controlled \tendpoints 3504 that do not have the label \"my_label\". 
\n \tNotSelector 3505 = \"has(my_label)\" matches packets that are not from 3506 Calico-controlled \tendpoints that do have the label \"my_label\". 3507 \n The effect is that the latter will accept packets from 3508 non-Calico sources whereas the former is limited to packets 3509 from Calico-controlled endpoints." 3510 type: string 3511 serviceAccounts: 3512 description: ServiceAccounts is an optional field that restricts 3513 the rule to only apply to traffic that originates from 3514 (or terminates at) a pod running as a matching service 3515 account. 3516 properties: 3517 names: 3518 description: Names is an optional field that restricts 3519 the rule to only apply to traffic that originates 3520 from (or terminates at) a pod running as a service 3521 account whose name is in the list. 3522 items: 3523 type: string 3524 type: array 3525 selector: 3526 description: Selector is an optional field that restricts 3527 the rule to only apply to traffic that originates 3528 from (or terminates at) a pod running as a service 3529 account that matches the given label selector. If 3530 both Names and Selector are specified then they are 3531 AND'ed. 3532 type: string 3533 type: object 3534 services: 3535 description: "Services is an optional field that contains 3536 options for matching Kubernetes Services. If specified, 3537 only traffic that originates from or terminates at endpoints 3538 within the selected service(s) will be matched, and only 3539 to/from each endpoint's port. \n Services cannot be specified 3540 on the same rule as Selector, NotSelector, NamespaceSelector, 3541 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3542 can only be specified with Services on ingress rules." 3543 properties: 3544 name: 3545 description: Name specifies the name of a Kubernetes 3546 Service to match. 3547 type: string 3548 namespace: 3549 description: Namespace specifies the namespace of the 3550 given Service. 
If left empty, the rule will match 3551 within this policy's namespace. 3552 type: string 3553 type: object 3554 type: object 3555 http: 3556 description: HTTP contains match criteria that apply to HTTP 3557 requests. 3558 properties: 3559 methods: 3560 description: Methods is an optional field that restricts 3561 the rule to apply only to HTTP requests that use one of 3562 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3563 methods are OR'd together. 3564 items: 3565 type: string 3566 type: array 3567 paths: 3568 description: 'Paths is an optional field that restricts 3569 the rule to apply to HTTP requests that use one of the 3570 listed HTTP Paths. Multiple paths are OR''d together. 3571 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3572 ONLY specify either a `exact` or a `prefix` match. The 3573 validator will check for it.' 3574 items: 3575 description: 'HTTPPath specifies an HTTP path to match. 3576 It may be either of the form: exact: <path>: which matches 3577 the path exactly or prefix: <path-prefix>: which matches 3578 the path prefix' 3579 properties: 3580 exact: 3581 type: string 3582 prefix: 3583 type: string 3584 type: object 3585 type: array 3586 type: object 3587 icmp: 3588 description: ICMP is an optional field that restricts the rule 3589 to apply to a specific type and code of ICMP traffic. This 3590 should only be specified if the Protocol field is set to "ICMP" 3591 or "ICMPv6". 3592 properties: 3593 code: 3594 description: Match on a specific ICMP code. If specified, 3595 the Type value must also be specified. This is a technical 3596 limitation imposed by the kernel's iptables firewall, 3597 which Calico uses to enforce the rule. 3598 type: integer 3599 type: 3600 description: Match on a specific ICMP type. For example 3601 a value of 8 refers to ICMP Echo Request (i.e. pings). 
3602 type: integer 3603 type: object 3604 ipVersion: 3605 description: IPVersion is an optional field that restricts the 3606 rule to only match a specific IP version. 3607 type: integer 3608 metadata: 3609 description: Metadata contains additional information for this 3610 rule 3611 properties: 3612 annotations: 3613 additionalProperties: 3614 type: string 3615 description: Annotations is a set of key value pairs that 3616 give extra information about the rule 3617 type: object 3618 type: object 3619 notICMP: 3620 description: NotICMP is the negated version of the ICMP field. 3621 properties: 3622 code: 3623 description: Match on a specific ICMP code. If specified, 3624 the Type value must also be specified. This is a technical 3625 limitation imposed by the kernel's iptables firewall, 3626 which Calico uses to enforce the rule. 3627 type: integer 3628 type: 3629 description: Match on a specific ICMP type. For example 3630 a value of 8 refers to ICMP Echo Request (i.e. pings). 3631 type: integer 3632 type: object 3633 notProtocol: 3634 anyOf: 3635 - type: integer 3636 - type: string 3637 description: NotProtocol is the negated version of the Protocol 3638 field. 3639 pattern: ^.* 3640 x-kubernetes-int-or-string: true 3641 protocol: 3642 anyOf: 3643 - type: integer 3644 - type: string 3645 description: "Protocol is an optional field that restricts the 3646 rule to only apply to traffic of a specific IP protocol. Required 3647 if any of the EntityRules contain Ports (because ports only 3648 apply to certain protocols). \n Must be one of these string 3649 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3650 \"UDPLite\" or an integer in the range 1-255." 3651 pattern: ^.* 3652 x-kubernetes-int-or-string: true 3653 source: 3654 description: Source contains the match criteria that apply to 3655 source entity. 3656 properties: 3657 namespaceSelector: 3658 description: "NamespaceSelector is an optional field that 3659 contains a selector expression. 
Only traffic that originates 3660 from (or terminates at) endpoints within the selected 3661 namespaces will be matched. When both NamespaceSelector 3662 and another selector are defined on the same rule, then 3663 only workload endpoints that are matched by both selectors 3664 will be selected by the rule. \n For NetworkPolicy, an 3665 empty NamespaceSelector implies that the Selector is limited 3666 to selecting only workload endpoints in the same namespace 3667 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3668 NamespaceSelector implies that the Selector is limited 3669 to selecting only GlobalNetworkSet or HostEndpoint. \n 3670 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3671 the Selector applies to workload endpoints across all 3672 namespaces." 3673 type: string 3674 nets: 3675 description: Nets is an optional field that restricts the 3676 rule to only apply to traffic that originates from (or 3677 terminates at) IP addresses in any of the given subnets. 3678 items: 3679 type: string 3680 type: array 3681 notNets: 3682 description: NotNets is the negated version of the Nets 3683 field. 3684 items: 3685 type: string 3686 type: array 3687 notPorts: 3688 description: NotPorts is the negated version of the Ports 3689 field. Since only some protocols have ports, if any ports 3690 are specified it requires the Protocol match in the Rule 3691 to be set to "TCP" or "UDP". 3692 items: 3693 anyOf: 3694 - type: integer 3695 - type: string 3696 pattern: ^.* 3697 x-kubernetes-int-or-string: true 3698 type: array 3699 notSelector: 3700 description: NotSelector is the negated version of the Selector 3701 field. See Selector field for subtleties with negated 3702 selectors. 3703 type: string 3704 ports: 3705 description: "Ports is an optional field that restricts 3706 the rule to only apply to traffic that has a source (destination) 3707 port that matches one of these ranges/values. 
This value 3708 is a list of integers or strings that represent ranges 3709 of ports. \n Since only some protocols have ports, if 3710 any ports are specified it requires the Protocol match 3711 in the Rule to be set to \"TCP\" or \"UDP\"." 3712 items: 3713 anyOf: 3714 - type: integer 3715 - type: string 3716 pattern: ^.* 3717 x-kubernetes-int-or-string: true 3718 type: array 3719 selector: 3720 description: "Selector is an optional field that contains 3721 a selector expression (see Policy for sample syntax). 3722 \ Only traffic that originates from (terminates at) endpoints 3723 matching the selector will be matched. \n Note that: in 3724 addition to the negated version of the Selector (see NotSelector 3725 below), the selector expression syntax itself supports 3726 negation. The two types of negation are subtly different. 3727 One negates the set of matched endpoints, the other negates 3728 the whole match: \n \tSelector = \"!has(my_label)\" matches 3729 packets that are from other Calico-controlled \tendpoints 3730 that do not have the label \"my_label\". \n \tNotSelector 3731 = \"has(my_label)\" matches packets that are not from 3732 Calico-controlled \tendpoints that do have the label \"my_label\". 3733 \n The effect is that the latter will accept packets from 3734 non-Calico sources whereas the former is limited to packets 3735 from Calico-controlled endpoints." 3736 type: string 3737 serviceAccounts: 3738 description: ServiceAccounts is an optional field that restricts 3739 the rule to only apply to traffic that originates from 3740 (or terminates at) a pod running as a matching service 3741 account. 3742 properties: 3743 names: 3744 description: Names is an optional field that restricts 3745 the rule to only apply to traffic that originates 3746 from (or terminates at) a pod running as a service 3747 account whose name is in the list. 
3748 items: 3749 type: string 3750 type: array 3751 selector: 3752 description: Selector is an optional field that restricts 3753 the rule to only apply to traffic that originates 3754 from (or terminates at) a pod running as a service 3755 account that matches the given label selector. If 3756 both Names and Selector are specified then they are 3757 AND'ed. 3758 type: string 3759 type: object 3760 services: 3761 description: "Services is an optional field that contains 3762 options for matching Kubernetes Services. If specified, 3763 only traffic that originates from or terminates at endpoints 3764 within the selected service(s) will be matched, and only 3765 to/from each endpoint's port. \n Services cannot be specified 3766 on the same rule as Selector, NotSelector, NamespaceSelector, 3767 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3768 can only be specified with Services on ingress rules." 3769 properties: 3770 name: 3771 description: Name specifies the name of a Kubernetes 3772 Service to match. 3773 type: string 3774 namespace: 3775 description: Namespace specifies the namespace of the 3776 given Service. If left empty, the rule will match 3777 within this policy's namespace. 3778 type: string 3779 type: object 3780 type: object 3781 required: 3782 - action 3783 type: object 3784 type: array 3785 ingress: 3786 description: The ordered set of ingress rules. Each rule contains 3787 a set of packet match criteria and a corresponding action to apply. 3788 items: 3789 description: "A Rule encapsulates a set of match criteria and an 3790 action. Both selector-based security Policy and security Profiles 3791 reference rules - separated out as a list of rules for both ingress 3792 and egress packet matching. \n Each positive match criteria has 3793 a negated version, prefixed with \"Not\". All the match criteria 3794 within a rule must be satisfied for a packet to match. 
A single 3795 rule can contain the positive and negative version of a match 3796 and both must be satisfied for the rule to match." 3797 properties: 3798 action: 3799 type: string 3800 destination: 3801 description: Destination contains the match criteria that apply 3802 to destination entity. 3803 properties: 3804 namespaceSelector: 3805 description: "NamespaceSelector is an optional field that 3806 contains a selector expression. Only traffic that originates 3807 from (or terminates at) endpoints within the selected 3808 namespaces will be matched. When both NamespaceSelector 3809 and another selector are defined on the same rule, then 3810 only workload endpoints that are matched by both selectors 3811 will be selected by the rule. \n For NetworkPolicy, an 3812 empty NamespaceSelector implies that the Selector is limited 3813 to selecting only workload endpoints in the same namespace 3814 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3815 NamespaceSelector implies that the Selector is limited 3816 to selecting only GlobalNetworkSet or HostEndpoint. \n 3817 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3818 the Selector applies to workload endpoints across all 3819 namespaces." 3820 type: string 3821 nets: 3822 description: Nets is an optional field that restricts the 3823 rule to only apply to traffic that originates from (or 3824 terminates at) IP addresses in any of the given subnets. 3825 items: 3826 type: string 3827 type: array 3828 notNets: 3829 description: NotNets is the negated version of the Nets 3830 field. 3831 items: 3832 type: string 3833 type: array 3834 notPorts: 3835 description: NotPorts is the negated version of the Ports 3836 field. Since only some protocols have ports, if any ports 3837 are specified it requires the Protocol match in the Rule 3838 to be set to "TCP" or "UDP". 
3839 items: 3840 anyOf: 3841 - type: integer 3842 - type: string 3843 pattern: ^.* 3844 x-kubernetes-int-or-string: true 3845 type: array 3846 notSelector: 3847 description: NotSelector is the negated version of the Selector 3848 field. See Selector field for subtleties with negated 3849 selectors. 3850 type: string 3851 ports: 3852 description: "Ports is an optional field that restricts 3853 the rule to only apply to traffic that has a source (destination) 3854 port that matches one of these ranges/values. This value 3855 is a list of integers or strings that represent ranges 3856 of ports. \n Since only some protocols have ports, if 3857 any ports are specified it requires the Protocol match 3858 in the Rule to be set to \"TCP\" or \"UDP\"." 3859 items: 3860 anyOf: 3861 - type: integer 3862 - type: string 3863 pattern: ^.* 3864 x-kubernetes-int-or-string: true 3865 type: array 3866 selector: 3867 description: "Selector is an optional field that contains 3868 a selector expression (see Policy for sample syntax). 3869 \ Only traffic that originates from (terminates at) endpoints 3870 matching the selector will be matched. \n Note that: in 3871 addition to the negated version of the Selector (see NotSelector 3872 below), the selector expression syntax itself supports 3873 negation. The two types of negation are subtly different. 3874 One negates the set of matched endpoints, the other negates 3875 the whole match: \n \tSelector = \"!has(my_label)\" matches 3876 packets that are from other Calico-controlled \tendpoints 3877 that do not have the label \"my_label\". \n \tNotSelector 3878 = \"has(my_label)\" matches packets that are not from 3879 Calico-controlled \tendpoints that do have the label \"my_label\". 3880 \n The effect is that the latter will accept packets from 3881 non-Calico sources whereas the former is limited to packets 3882 from Calico-controlled endpoints." 
3883 type: string 3884 serviceAccounts: 3885 description: ServiceAccounts is an optional field that restricts 3886 the rule to only apply to traffic that originates from 3887 (or terminates at) a pod running as a matching service 3888 account. 3889 properties: 3890 names: 3891 description: Names is an optional field that restricts 3892 the rule to only apply to traffic that originates 3893 from (or terminates at) a pod running as a service 3894 account whose name is in the list. 3895 items: 3896 type: string 3897 type: array 3898 selector: 3899 description: Selector is an optional field that restricts 3900 the rule to only apply to traffic that originates 3901 from (or terminates at) a pod running as a service 3902 account that matches the given label selector. If 3903 both Names and Selector are specified then they are 3904 AND'ed. 3905 type: string 3906 type: object 3907 services: 3908 description: "Services is an optional field that contains 3909 options for matching Kubernetes Services. If specified, 3910 only traffic that originates from or terminates at endpoints 3911 within the selected service(s) will be matched, and only 3912 to/from each endpoint's port. \n Services cannot be specified 3913 on the same rule as Selector, NotSelector, NamespaceSelector, 3914 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3915 can only be specified with Services on ingress rules." 3916 properties: 3917 name: 3918 description: Name specifies the name of a Kubernetes 3919 Service to match. 3920 type: string 3921 namespace: 3922 description: Namespace specifies the namespace of the 3923 given Service. If left empty, the rule will match 3924 within this policy's namespace. 3925 type: string 3926 type: object 3927 type: object 3928 http: 3929 description: HTTP contains match criteria that apply to HTTP 3930 requests. 
3931 properties: 3932 methods: 3933 description: Methods is an optional field that restricts 3934 the rule to apply only to HTTP requests that use one of 3935 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3936 methods are OR'd together. 3937 items: 3938 type: string 3939 type: array 3940 paths: 3941 description: 'Paths is an optional field that restricts 3942 the rule to apply to HTTP requests that use one of the 3943 listed HTTP Paths. Multiple paths are OR''d together. 3944 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3945 ONLY specify either a `exact` or a `prefix` match. The 3946 validator will check for it.' 3947 items: 3948 description: 'HTTPPath specifies an HTTP path to match. 3949 It may be either of the form: exact: <path>: which matches 3950 the path exactly or prefix: <path-prefix>: which matches 3951 the path prefix' 3952 properties: 3953 exact: 3954 type: string 3955 prefix: 3956 type: string 3957 type: object 3958 type: array 3959 type: object 3960 icmp: 3961 description: ICMP is an optional field that restricts the rule 3962 to apply to a specific type and code of ICMP traffic. This 3963 should only be specified if the Protocol field is set to "ICMP" 3964 or "ICMPv6". 3965 properties: 3966 code: 3967 description: Match on a specific ICMP code. If specified, 3968 the Type value must also be specified. This is a technical 3969 limitation imposed by the kernel's iptables firewall, 3970 which Calico uses to enforce the rule. 3971 type: integer 3972 type: 3973 description: Match on a specific ICMP type. For example 3974 a value of 8 refers to ICMP Echo Request (i.e. pings). 3975 type: integer 3976 type: object 3977 ipVersion: 3978 description: IPVersion is an optional field that restricts the 3979 rule to only match a specific IP version. 
3980 type: integer 3981 metadata: 3982 description: Metadata contains additional information for this 3983 rule 3984 properties: 3985 annotations: 3986 additionalProperties: 3987 type: string 3988 description: Annotations is a set of key value pairs that 3989 give extra information about the rule 3990 type: object 3991 type: object 3992 notICMP: 3993 description: NotICMP is the negated version of the ICMP field. 3994 properties: 3995 code: 3996 description: Match on a specific ICMP code. If specified, 3997 the Type value must also be specified. This is a technical 3998 limitation imposed by the kernel's iptables firewall, 3999 which Calico uses to enforce the rule. 4000 type: integer 4001 type: 4002 description: Match on a specific ICMP type. For example 4003 a value of 8 refers to ICMP Echo Request (i.e. pings). 4004 type: integer 4005 type: object 4006 notProtocol: 4007 anyOf: 4008 - type: integer 4009 - type: string 4010 description: NotProtocol is the negated version of the Protocol 4011 field. 4012 pattern: ^.* 4013 x-kubernetes-int-or-string: true 4014 protocol: 4015 anyOf: 4016 - type: integer 4017 - type: string 4018 description: "Protocol is an optional field that restricts the 4019 rule to only apply to traffic of a specific IP protocol. Required 4020 if any of the EntityRules contain Ports (because ports only 4021 apply to certain protocols). \n Must be one of these string 4022 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 4023 \"UDPLite\" or an integer in the range 1-255." 4024 pattern: ^.* 4025 x-kubernetes-int-or-string: true 4026 source: 4027 description: Source contains the match criteria that apply to 4028 source entity. 4029 properties: 4030 namespaceSelector: 4031 description: "NamespaceSelector is an optional field that 4032 contains a selector expression. Only traffic that originates 4033 from (or terminates at) endpoints within the selected 4034 namespaces will be matched. 
When both NamespaceSelector 4035 and another selector are defined on the same rule, then 4036 only workload endpoints that are matched by both selectors 4037 will be selected by the rule. \n For NetworkPolicy, an 4038 empty NamespaceSelector implies that the Selector is limited 4039 to selecting only workload endpoints in the same namespace 4040 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4041 NamespaceSelector implies that the Selector is limited 4042 to selecting only GlobalNetworkSet or HostEndpoint. \n 4043 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4044 the Selector applies to workload endpoints across all 4045 namespaces." 4046 type: string 4047 nets: 4048 description: Nets is an optional field that restricts the 4049 rule to only apply to traffic that originates from (or 4050 terminates at) IP addresses in any of the given subnets. 4051 items: 4052 type: string 4053 type: array 4054 notNets: 4055 description: NotNets is the negated version of the Nets 4056 field. 4057 items: 4058 type: string 4059 type: array 4060 notPorts: 4061 description: NotPorts is the negated version of the Ports 4062 field. Since only some protocols have ports, if any ports 4063 are specified it requires the Protocol match in the Rule 4064 to be set to "TCP" or "UDP". 4065 items: 4066 anyOf: 4067 - type: integer 4068 - type: string 4069 pattern: ^.* 4070 x-kubernetes-int-or-string: true 4071 type: array 4072 notSelector: 4073 description: NotSelector is the negated version of the Selector 4074 field. See Selector field for subtleties with negated 4075 selectors. 4076 type: string 4077 ports: 4078 description: "Ports is an optional field that restricts 4079 the rule to only apply to traffic that has a source (destination) 4080 port that matches one of these ranges/values. This value 4081 is a list of integers or strings that represent ranges 4082 of ports. 
\n Since only some protocols have ports, if 4083 any ports are specified it requires the Protocol match 4084 in the Rule to be set to \"TCP\" or \"UDP\"." 4085 items: 4086 anyOf: 4087 - type: integer 4088 - type: string 4089 pattern: ^.* 4090 x-kubernetes-int-or-string: true 4091 type: array 4092 selector: 4093 description: "Selector is an optional field that contains 4094 a selector expression (see Policy for sample syntax). 4095 \ Only traffic that originates from (terminates at) endpoints 4096 matching the selector will be matched. \n Note that: in 4097 addition to the negated version of the Selector (see NotSelector 4098 below), the selector expression syntax itself supports 4099 negation. The two types of negation are subtly different. 4100 One negates the set of matched endpoints, the other negates 4101 the whole match: \n \tSelector = \"!has(my_label)\" matches 4102 packets that are from other Calico-controlled \tendpoints 4103 that do not have the label \"my_label\". \n \tNotSelector 4104 = \"has(my_label)\" matches packets that are not from 4105 Calico-controlled \tendpoints that do have the label \"my_label\". 4106 \n The effect is that the latter will accept packets from 4107 non-Calico sources whereas the former is limited to packets 4108 from Calico-controlled endpoints." 4109 type: string 4110 serviceAccounts: 4111 description: ServiceAccounts is an optional field that restricts 4112 the rule to only apply to traffic that originates from 4113 (or terminates at) a pod running as a matching service 4114 account. 4115 properties: 4116 names: 4117 description: Names is an optional field that restricts 4118 the rule to only apply to traffic that originates 4119 from (or terminates at) a pod running as a service 4120 account whose name is in the list. 
4121 items: 4122 type: string 4123 type: array 4124 selector: 4125 description: Selector is an optional field that restricts 4126 the rule to only apply to traffic that originates 4127 from (or terminates at) a pod running as a service 4128 account that matches the given label selector. If 4129 both Names and Selector are specified then they are 4130 AND'ed. 4131 type: string 4132 type: object 4133 services: 4134 description: "Services is an optional field that contains 4135 options for matching Kubernetes Services. If specified, 4136 only traffic that originates from or terminates at endpoints 4137 within the selected service(s) will be matched, and only 4138 to/from each endpoint's port. \n Services cannot be specified 4139 on the same rule as Selector, NotSelector, NamespaceSelector, 4140 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4141 can only be specified with Services on ingress rules." 4142 properties: 4143 name: 4144 description: Name specifies the name of a Kubernetes 4145 Service to match. 4146 type: string 4147 namespace: 4148 description: Namespace specifies the namespace of the 4149 given Service. If left empty, the rule will match 4150 within this policy's namespace. 4151 type: string 4152 type: object 4153 type: object 4154 required: 4155 - action 4156 type: object 4157 type: array 4158 order: 4159 description: Order is an optional field that specifies the order in 4160 which the policy is applied. Policies with higher "order" are applied 4161 after those with lower order. If the order is omitted, it may be 4162 considered to be "infinite" - i.e. the policy will be applied last. Policies 4163 with identical order will be applied in alphanumerical order based 4164 on the Policy "Name". 4165 type: number 4166 selector: 4167 description: "The selector is an expression used to pick out 4168 the endpoints that the policy should be applied to. 
\n Selector 4169 expressions follow this syntax: \n \tlabel == \"string_literal\" 4170 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 4171 \ -> not equal; also matches if label is not present \tlabel in 4172 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 4173 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 4174 ... } -> true if the value of label X is not one of \"a\", \"b\", 4175 \"c\" \thas(label_name) -> True if that label is present \t! expr 4176 -> negation of expr \texpr && expr -> Short-circuit and \texpr 4177 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 4178 or the empty selector -> matches all endpoints. \n Label names are 4179 allowed to contain alphanumerics, -, _ and /. String literals are 4180 more permissive but they do not support escape characters. \n Examples 4181 (with made-up labels): \n \ttype == \"webserver\" && deployment 4182 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 4183 \"dev\" \t! has(label_name)" 4184 type: string 4185 serviceAccountSelector: 4186 description: ServiceAccountSelector is an optional field for an expression 4187 used to select a pod based on service accounts. 4188 type: string 4189 types: 4190 description: "Types indicates whether this policy applies to ingress, 4191 or to egress, or to both. When not explicitly specified (and so 4192 the value on creation is empty or nil), Calico defaults Types according 4193 to what Ingress and Egress are present in the policy. The default 4194 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 4195 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 4196 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 4197 PolicyTypeEgress ], if there are both Ingress and Egress rules. 4198 \n When the policy is read back again, Types will always be one 4199 of these values, never empty or nil." 
4200 items: 4201 description: PolicyType enumerates the possible values of the PolicySpec 4202 Types field. 4203 type: string 4204 type: array 4205 type: object 4206 type: object 4207 served: true 4208 storage: true 4209 status: 4210 acceptedNames: 4211 kind: "" 4212 plural: "" 4213 conditions: [] 4214 storedVersions: [] 4215 --- 4216 # Source: calico/templates/kdd-crds.yaml 4217 apiVersion: apiextensions.k8s.io/v1 4218 kind: CustomResourceDefinition 4219 metadata: 4220 name: networksets.crd.projectcalico.org 4221 spec: 4222 group: crd.projectcalico.org 4223 names: 4224 kind: NetworkSet 4225 listKind: NetworkSetList 4226 plural: networksets 4227 singular: networkset 4228 preserveUnknownFields: false 4229 scope: Namespaced 4230 versions: 4231 - name: v1 4232 schema: 4233 openAPIV3Schema: 4234 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 4235 properties: 4236 apiVersion: 4237 description: 'APIVersion defines the versioned schema of this representation 4238 of an object. Servers should convert recognized schemas to the latest 4239 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4240 type: string 4241 kind: 4242 description: 'Kind is a string value representing the REST resource this 4243 object represents. Servers may infer this from the endpoint the client 4244 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4245 type: string 4246 metadata: 4247 type: object 4248 spec: 4249 description: NetworkSetSpec contains the specification for a NetworkSet 4250 resource. 4251 properties: 4252 nets: 4253 description: The list of IP networks that belong to this set. 
4254 items: 4255 type: string 4256 type: array 4257 type: object 4258 type: object 4259 served: true 4260 storage: true 4261 status: 4262 acceptedNames: 4263 kind: "" 4264 plural: "" 4265 conditions: [] 4266 storedVersions: [] 4267 --- 4268 # Source: calico/templates/calico-kube-controllers-rbac.yaml 4269 # Include a clusterrole for the kube-controllers component, 4270 # and bind it to the calico-kube-controllers serviceaccount. 4271 kind: ClusterRole 4272 apiVersion: rbac.authorization.k8s.io/v1 4273 metadata: 4274 name: calico-kube-controllers 4275 rules: 4276 # Nodes are watched to monitor for deletions. 4277 - apiGroups: [""] 4278 resources: 4279 - nodes 4280 verbs: 4281 - watch 4282 - list 4283 - get 4284 # Pods are watched to check for existence as part of IPAM controller. 4285 - apiGroups: [""] 4286 resources: 4287 - pods 4288 verbs: 4289 - get 4290 - list 4291 - watch 4292 # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. 4293 - apiGroups: ["crd.projectcalico.org"] 4294 resources: 4295 - ipreservations 4296 verbs: 4297 - list 4298 - apiGroups: ["crd.projectcalico.org"] 4299 resources: 4300 - blockaffinities 4301 - ipamblocks 4302 - ipamhandles 4303 verbs: 4304 - get 4305 - list 4306 - create 4307 - update 4308 - delete 4309 - watch 4310 # Pools are watched to maintain a mapping of blocks to IP pools. 4311 - apiGroups: ["crd.projectcalico.org"] 4312 resources: 4313 - ippools 4314 verbs: 4315 - list 4316 - watch 4317 # kube-controllers manages hostendpoints. 4318 - apiGroups: ["crd.projectcalico.org"] 4319 resources: 4320 - hostendpoints 4321 verbs: 4322 - get 4323 - list 4324 - create 4325 - update 4326 - delete 4327 # Needs access to update clusterinformations. 
4328 - apiGroups: ["crd.projectcalico.org"] 4329 resources: 4330 - clusterinformations 4331 verbs: 4332 - get 4333 - list 4334 - create 4335 - update 4336 - watch 4337 # KubeControllersConfiguration is where it gets its config 4338 - apiGroups: ["crd.projectcalico.org"] 4339 resources: 4340 - kubecontrollersconfigurations 4341 verbs: 4342 # read its own config 4343 - get 4344 # create a default if none exists 4345 - create 4346 # update status 4347 - update 4348 # watch for changes 4349 - watch 4350 --- 4351 # Source: calico/templates/calico-node-rbac.yaml 4352 # Include a clusterrole for the calico-node DaemonSet, 4353 # and bind it to the calico-node serviceaccount. 4354 kind: ClusterRole 4355 apiVersion: rbac.authorization.k8s.io/v1 4356 metadata: 4357 name: calico-node 4358 rules: 4359 # Used for creating service account tokens to be used by the CNI plugin 4360 - apiGroups: [""] 4361 resources: 4362 - serviceaccounts/token 4363 resourceNames: 4364 - calico-cni-plugin 4365 verbs: 4366 - create 4367 # The CNI plugin needs to get pods, nodes, and namespaces. 4368 - apiGroups: [""] 4369 resources: 4370 - pods 4371 - nodes 4372 - namespaces 4373 verbs: 4374 - get 4375 # EndpointSlices are used for Service-based network policy rule 4376 # enforcement. 4377 - apiGroups: ["discovery.k8s.io"] 4378 resources: 4379 - endpointslices 4380 verbs: 4381 - watch 4382 - list 4383 - apiGroups: [""] 4384 resources: 4385 - endpoints 4386 - services 4387 verbs: 4388 # Used to discover service IPs for advertisement. 4389 - watch 4390 - list 4391 # Used to discover Typhas. 4392 - get 4393 # Pod CIDR auto-detection on kubeadm needs access to config maps. 4394 - apiGroups: [""] 4395 resources: 4396 - configmaps 4397 verbs: 4398 - get 4399 - apiGroups: [""] 4400 resources: 4401 - nodes/status 4402 verbs: 4403 # Needed for clearing NodeNetworkUnavailable flag. 4404 - patch 4405 # Calico stores some configuration information in node annotations. 
4406 - update 4407 # Watch for changes to Kubernetes NetworkPolicies. 4408 - apiGroups: ["networking.k8s.io"] 4409 resources: 4410 - networkpolicies 4411 verbs: 4412 - watch 4413 - list 4414 # Used by Calico for policy information. 4415 - apiGroups: [""] 4416 resources: 4417 - pods 4418 - namespaces 4419 - serviceaccounts 4420 verbs: 4421 - list 4422 - watch 4423 # The CNI plugin patches pods/status. 4424 - apiGroups: [""] 4425 resources: 4426 - pods/status 4427 verbs: 4428 - patch 4429 # Calico monitors various CRDs for config. 4430 - apiGroups: ["crd.projectcalico.org"] 4431 resources: 4432 - globalfelixconfigs 4433 - felixconfigurations 4434 - bgppeers 4435 - bgpfilters 4436 - globalbgpconfigs 4437 - bgpconfigurations 4438 - ippools 4439 - ipreservations 4440 - ipamblocks 4441 - globalnetworkpolicies 4442 - globalnetworksets 4443 - networkpolicies 4444 - networksets 4445 - clusterinformations 4446 - hostendpoints 4447 - blockaffinities 4448 - caliconodestatuses 4449 verbs: 4450 - get 4451 - list 4452 - watch 4453 # Calico must create and update some CRDs on startup. 4454 - apiGroups: ["crd.projectcalico.org"] 4455 resources: 4456 - ippools 4457 - felixconfigurations 4458 - clusterinformations 4459 verbs: 4460 - create 4461 - update 4462 # Calico must update some CRDs. 4463 - apiGroups: [ "crd.projectcalico.org" ] 4464 resources: 4465 - caliconodestatuses 4466 verbs: 4467 - update 4468 # Calico stores some configuration information on the node. 4469 - apiGroups: [""] 4470 resources: 4471 - nodes 4472 verbs: 4473 - get 4474 - list 4475 - watch 4476 # These permissions are only required for upgrade from v2.6, and can 4477 # be removed after upgrade or on fresh installations. 4478 - apiGroups: ["crd.projectcalico.org"] 4479 resources: 4480 - bgpconfigurations 4481 - bgppeers 4482 verbs: 4483 - create 4484 - update 4485 # These permissions are required for Calico CNI to perform IPAM allocations. 
4486 - apiGroups: ["crd.projectcalico.org"] 4487 resources: 4488 - blockaffinities 4489 - ipamblocks 4490 - ipamhandles 4491 verbs: 4492 - get 4493 - list 4494 - create 4495 - update 4496 - delete 4497 # The CNI plugin and calico/node need to be able to create a default 4498 # IPAMConfiguration 4499 - apiGroups: ["crd.projectcalico.org"] 4500 resources: 4501 - ipamconfigs 4502 verbs: 4503 - get 4504 - create 4505 # Block affinities must also be watchable by confd for route aggregation. 4506 - apiGroups: ["crd.projectcalico.org"] 4507 resources: 4508 - blockaffinities 4509 verbs: 4510 - watch 4511 # The Calico IPAM migration needs to get daemonsets. These permissions can be 4512 # removed if not upgrading from an installation using host-local IPAM. 4513 - apiGroups: ["apps"] 4514 resources: 4515 - daemonsets 4516 verbs: 4517 - get 4518 --- 4519 # Source: calico/templates/calico-node-rbac.yaml 4520 # CNI cluster role 4521 kind: ClusterRole 4522 apiVersion: rbac.authorization.k8s.io/v1 4523 metadata: 4524 name: calico-cni-plugin 4525 rules: 4526 - apiGroups: [""] 4527 resources: 4528 - pods 4529 - nodes 4530 - namespaces 4531 verbs: 4532 - get 4533 - apiGroups: [""] 4534 resources: 4535 - pods/status 4536 verbs: 4537 - patch 4538 - apiGroups: ["crd.projectcalico.org"] 4539 resources: 4540 - blockaffinities 4541 - ipamblocks 4542 - ipamhandles 4543 - clusterinformations 4544 - ippools 4545 - ipreservations 4546 - ipamconfigs 4547 verbs: 4548 - get 4549 - list 4550 - create 4551 - update 4552 - delete 4553 --- 4554 # Source: calico/templates/calico-kube-controllers-rbac.yaml 4555 kind: ClusterRoleBinding 4556 apiVersion: rbac.authorization.k8s.io/v1 4557 metadata: 4558 name: calico-kube-controllers 4559 roleRef: 4560 apiGroup: rbac.authorization.k8s.io 4561 kind: ClusterRole 4562 name: calico-kube-controllers 4563 subjects: 4564 - kind: ServiceAccount 4565 name: calico-kube-controllers 4566 namespace: kube-system 4567 --- 4568 # Source: 
calico/templates/calico-node-rbac.yaml 4569 apiVersion: rbac.authorization.k8s.io/v1 4570 kind: ClusterRoleBinding 4571 metadata: 4572 name: calico-node 4573 roleRef: 4574 apiGroup: rbac.authorization.k8s.io 4575 kind: ClusterRole 4576 name: calico-node 4577 subjects: 4578 - kind: ServiceAccount 4579 name: calico-node 4580 namespace: kube-system 4581 --- 4582 # Source: calico/templates/calico-node-rbac.yaml 4583 apiVersion: rbac.authorization.k8s.io/v1 4584 kind: ClusterRoleBinding 4585 metadata: 4586 name: calico-cni-plugin 4587 roleRef: 4588 apiGroup: rbac.authorization.k8s.io 4589 kind: ClusterRole 4590 name: calico-cni-plugin 4591 subjects: 4592 - kind: ServiceAccount 4593 name: calico-cni-plugin 4594 namespace: kube-system 4595 --- 4596 # Source: calico/templates/calico-node.yaml 4597 # This manifest installs the calico-node container, as well 4598 # as the CNI plugins and network config on 4599 # each master and worker node in a Kubernetes cluster. 4600 kind: DaemonSet 4601 apiVersion: apps/v1 4602 metadata: 4603 name: calico-node 4604 namespace: kube-system 4605 labels: 4606 k8s-app: calico-node 4607 spec: 4608 selector: 4609 matchLabels: 4610 k8s-app: calico-node 4611 updateStrategy: 4612 type: RollingUpdate 4613 rollingUpdate: 4614 maxUnavailable: 1 4615 template: 4616 metadata: 4617 labels: 4618 k8s-app: calico-node 4619 spec: 4620 nodeSelector: 4621 kubernetes.io/os: linux 4622 hostNetwork: true 4623 tolerations: 4624 # Make sure calico-node gets scheduled on all nodes. 4625 - effect: NoSchedule 4626 operator: Exists 4627 # Mark the pod as a critical add-on for rescheduling. 4628 - key: CriticalAddonsOnly 4629 operator: Exists 4630 - effect: NoExecute 4631 operator: Exists 4632 serviceAccountName: calico-node 4633 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force 4634 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
4635 terminationGracePeriodSeconds: 0 4636 priorityClassName: system-node-critical 4637 initContainers: 4638 # This container performs upgrade from host-local IPAM to calico-ipam. 4639 # It can be deleted if this is a fresh installation, or if you have already 4640 # upgraded to use calico-ipam. 4641 - name: upgrade-ipam 4642 image: docker.io/calico/cni:v3.26.1 4643 imagePullPolicy: IfNotPresent 4644 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] 4645 envFrom: 4646 - configMapRef: 4647 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 4648 name: kubernetes-services-endpoint 4649 optional: true 4650 env: 4651 - name: KUBERNETES_NODE_NAME 4652 valueFrom: 4653 fieldRef: 4654 fieldPath: spec.nodeName 4655 - name: CALICO_NETWORKING_BACKEND 4656 valueFrom: 4657 configMapKeyRef: 4658 name: calico-config 4659 key: calico_backend 4660 volumeMounts: 4661 - mountPath: /var/lib/cni/networks 4662 name: host-local-net-dir 4663 - mountPath: /host/opt/cni/bin 4664 name: cni-bin-dir 4665 securityContext: 4666 privileged: true 4667 # This container installs the CNI binaries 4668 # and CNI network config file on each node. 4669 - name: install-cni 4670 image: docker.io/calico/cni:v3.26.1 4671 imagePullPolicy: IfNotPresent 4672 command: ["/opt/cni/bin/install"] 4673 envFrom: 4674 - configMapRef: 4675 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 4676 name: kubernetes-services-endpoint 4677 optional: true 4678 env: 4679 # Name of the CNI config file to create. 4680 - name: CNI_CONF_NAME 4681 value: "10-calico.conflist" 4682 # The CNI network config to install on each node. 4683 - name: CNI_NETWORK_CONFIG 4684 valueFrom: 4685 configMapKeyRef: 4686 name: calico-config 4687 key: cni_network_config 4688 # Set the hostname based on the k8s node name. 
4689 - name: KUBERNETES_NODE_NAME 4690 valueFrom: 4691 fieldRef: 4692 fieldPath: spec.nodeName 4693 # CNI MTU Config variable 4694 - name: CNI_MTU 4695 valueFrom: 4696 configMapKeyRef: 4697 name: calico-config 4698 key: veth_mtu 4699 # Prevents the container from sleeping forever. 4700 - name: SLEEP 4701 value: "false" 4702 volumeMounts: 4703 - mountPath: /host/opt/cni/bin 4704 name: cni-bin-dir 4705 - mountPath: /host/etc/cni/net.d 4706 name: cni-net-dir 4707 securityContext: 4708 privileged: true 4709 # This init container mounts the necessary filesystems needed by the BPF data plane 4710 # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed 4711 # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. 4712 - name: "mount-bpffs" 4713 image: docker.io/calico/node:v3.26.1 4714 imagePullPolicy: IfNotPresent 4715 command: ["calico-node", "-init", "-best-effort"] 4716 volumeMounts: 4717 - mountPath: /sys/fs 4718 name: sys-fs 4719 # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host 4720 # so that it outlives the init container. 4721 mountPropagation: Bidirectional 4722 - mountPath: /var/run/calico 4723 name: var-run-calico 4724 # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host 4725 # so that it outlives the init container. 4726 mountPropagation: Bidirectional 4727 # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, 4728 # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. 4729 - mountPath: /nodeproc 4730 name: nodeproc 4731 readOnly: true 4732 securityContext: 4733 privileged: true 4734 containers: 4735 # Runs calico-node container on each Kubernetes node. This 4736 # container programs network policy and routes on each 4737 # host. 
4738 - name: calico-node 4739 image: docker.io/calico/node:v3.26.1 4740 imagePullPolicy: IfNotPresent 4741 envFrom: 4742 - configMapRef: 4743 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 4744 name: kubernetes-services-endpoint 4745 optional: true 4746 env: 4747 # Use Kubernetes API as the backing datastore. 4748 - name: DATASTORE_TYPE 4749 value: "kubernetes" 4750 # Wait for the datastore. 4751 - name: WAIT_FOR_DATASTORE 4752 value: "true" 4753 # Set based on the k8s node name. 4754 - name: NODENAME 4755 valueFrom: 4756 fieldRef: 4757 fieldPath: spec.nodeName 4758 # Choose the backend to use. 4759 - name: CALICO_NETWORKING_BACKEND 4760 valueFrom: 4761 configMapKeyRef: 4762 name: calico-config 4763 key: calico_backend 4764 # Cluster type to identify the deployment type 4765 - name: CLUSTER_TYPE 4766 value: "k8s,bgp" 4767 # Auto-detect the BGP IP address. 4768 - name: IP 4769 value: "autodetect" 4770 # Enable IPIP 4771 - name: CALICO_IPV4POOL_IPIP 4772 value: "Never" 4773 # Enable or Disable VXLAN on the default IP pool. 4774 - name: CALICO_IPV4POOL_VXLAN 4775 value: "CrossSubnet" 4776 # Enable or Disable VXLAN on the default IPv6 IP pool. 4777 - name: CALICO_IPV6POOL_VXLAN 4778 value: "CrossSubnet" 4779 # Set MTU for tunnel device used if ipip is enabled 4780 - name: FELIX_IPINIPMTU 4781 valueFrom: 4782 configMapKeyRef: 4783 name: calico-config 4784 key: veth_mtu 4785 # Set MTU for the VXLAN tunnel device. 4786 - name: FELIX_VXLANMTU 4787 valueFrom: 4788 configMapKeyRef: 4789 name: calico-config 4790 key: veth_mtu 4791 # Set MTU for the Wireguard tunnel device. 4792 - name: FELIX_WIREGUARDMTU 4793 valueFrom: 4794 configMapKeyRef: 4795 name: calico-config 4796 key: veth_mtu 4797 # The default IPv4 pool to create on startup if none exists. Pod IPs will be 4798 # chosen from this range. Changing this value after installation will have 4799 # no effect. This should fall within `--cluster-cidr`. 
4800 # - name: CALICO_IPV4POOL_CIDR 4801 # value: "192.168.0.0/16" 4802 # Disable file logging so `kubectl logs` works. 4803 - name: CALICO_DISABLE_FILE_LOGGING 4804 value: "true" 4805 # Set Felix endpoint to host default action to ACCEPT. 4806 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 4807 value: "ACCEPT" 4808 # Disable IPv6 on Kubernetes. 4809 - name: FELIX_IPV6SUPPORT 4810 value: "false" 4811 - name: FELIX_HEALTHENABLED 4812 value: "true" 4813 securityContext: 4814 privileged: true 4815 resources: 4816 requests: 4817 cpu: 250m 4818 lifecycle: 4819 preStop: 4820 exec: 4821 command: 4822 - /bin/calico-node 4823 - -shutdown 4824 livenessProbe: 4825 exec: 4826 command: 4827 - /bin/calico-node 4828 - -felix-live 4829 periodSeconds: 10 4830 initialDelaySeconds: 10 4831 failureThreshold: 6 4832 timeoutSeconds: 10 4833 readinessProbe: 4834 exec: 4835 command: 4836 - /bin/calico-node 4837 - -felix-ready 4838 periodSeconds: 10 4839 timeoutSeconds: 10 4840 volumeMounts: 4841 # For maintaining CNI plugin API credentials. 4842 - mountPath: /host/etc/cni/net.d 4843 name: cni-net-dir 4844 readOnly: false 4845 - mountPath: /lib/modules 4846 name: lib-modules 4847 readOnly: true 4848 - mountPath: /run/xtables.lock 4849 name: xtables-lock 4850 readOnly: false 4851 - mountPath: /var/run/calico 4852 name: var-run-calico 4853 readOnly: false 4854 - mountPath: /var/lib/calico 4855 name: var-lib-calico 4856 readOnly: false 4857 - name: policysync 4858 mountPath: /var/run/nodeagent 4859 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the 4860 # parent directory. 4861 - name: bpffs 4862 mountPath: /sys/fs/bpf 4863 - name: cni-log-dir 4864 mountPath: /var/log/calico/cni 4865 readOnly: true 4866 volumes: 4867 # Used by calico-node. 
4868 - name: lib-modules 4869 hostPath: 4870 path: /lib/modules 4871 - name: var-run-calico 4872 hostPath: 4873 path: /var/run/calico 4874 - name: var-lib-calico 4875 hostPath: 4876 path: /var/lib/calico 4877 - name: xtables-lock 4878 hostPath: 4879 path: /run/xtables.lock 4880 type: FileOrCreate 4881 - name: sys-fs 4882 hostPath: 4883 path: /sys/fs/ 4884 type: DirectoryOrCreate 4885 - name: bpffs 4886 hostPath: 4887 path: /sys/fs/bpf 4888 type: Directory 4889 # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. 4890 - name: nodeproc 4891 hostPath: 4892 path: /proc 4893 # Used to install CNI. 4894 - name: cni-bin-dir 4895 hostPath: 4896 path: /opt/cni/bin 4897 - name: cni-net-dir 4898 hostPath: 4899 path: /etc/cni/net.d 4900 # Used to access CNI logs. 4901 - name: cni-log-dir 4902 hostPath: 4903 path: /var/log/calico/cni 4904 # Mount in the directory for host-local IPAM allocations. This is 4905 # used when upgrading from host-local to calico-ipam, and can be removed 4906 # if not using the upgrade-ipam init container. 4907 - name: host-local-net-dir 4908 hostPath: 4909 path: /var/lib/cni/networks 4910 # Used to create per-pod Unix Domain Sockets 4911 - name: policysync 4912 hostPath: 4913 type: DirectoryOrCreate 4914 path: /var/run/nodeagent 4915 --- 4916 # Source: calico/templates/calico-kube-controllers.yaml 4917 # See https://github.com/projectcalico/kube-controllers 4918 apiVersion: apps/v1 4919 kind: Deployment 4920 metadata: 4921 name: calico-kube-controllers 4922 namespace: kube-system 4923 labels: 4924 k8s-app: calico-kube-controllers 4925 spec: 4926 # The controllers can only have a single active instance. 
4927 replicas: 1 4928 selector: 4929 matchLabels: 4930 k8s-app: calico-kube-controllers 4931 strategy: 4932 type: Recreate 4933 template: 4934 metadata: 4935 name: calico-kube-controllers 4936 namespace: kube-system 4937 labels: 4938 k8s-app: calico-kube-controllers 4939 spec: 4940 nodeSelector: 4941 kubernetes.io/os: linux 4942 tolerations: 4943 # Mark the pod as a critical add-on for rescheduling. 4944 - key: CriticalAddonsOnly 4945 operator: Exists 4946 - key: node-role.kubernetes.io/master 4947 effect: NoSchedule 4948 - key: node-role.kubernetes.io/control-plane 4949 effect: NoSchedule 4950 serviceAccountName: calico-kube-controllers 4951 priorityClassName: system-cluster-critical 4952 containers: 4953 - name: calico-kube-controllers 4954 image: docker.io/calico/kube-controllers:v3.26.1 4955 imagePullPolicy: IfNotPresent 4956 env: 4957 # Choose which controllers to run. 4958 - name: ENABLED_CONTROLLERS 4959 value: node 4960 - name: DATASTORE_TYPE 4961 value: kubernetes 4962 livenessProbe: 4963 exec: 4964 command: 4965 - /usr/bin/check-status 4966 - -l 4967 periodSeconds: 10 4968 initialDelaySeconds: 10 4969 failureThreshold: 6 4970 timeoutSeconds: 10 4971 readinessProbe: 4972 exec: 4973 command: 4974 - /usr/bin/check-status 4975 - -r 4976 periodSeconds: 10