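# cluster-template-prow-private.yaml (cluster-api-provider-azure v1.14.3, templates/test/ci)
#
# CI flavor for a *private* cluster: Internal API-server load balancer, Azure Bastion for
# access, a VNet peered to a pre-existing one, Calico CNI plus the out-of-tree Azure cloud
# provider and the azuredisk CSI driver delivered through HelmChartProxy.
# ${VAR:=default} / ${VAR:-default} placeholders are expected to be substituted
# (clusterctl / envsubst) before the YAML is parsed; values that must stay strings after
# substitution are quoted.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  # These labels are what the HelmChartProxy clusterSelectors further down match on
  # (cloud-provider: azure -> cloud-provider-azure chart, cni: calico -> tigera-operator chart).
  labels:
    cloud-provider: ${CLOUD_PROVIDER_AZURE_LABEL:=azure}
    cni: calico
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
      - 192.168.0.0/16
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlane
    name: ${CLUSTER_NAME}-control-plane
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureCluster
    name: ${CLUSTER_NAME}
---
# Private AzureCluster: the API server sits behind an Internal LB at ${AZURE_INTERNAL_LB_IP},
# an Azure Bastion host is provisioned for access to the nodes, and the cluster VNet is
# peered with ${AZURE_CUSTOM_VNET_NAME}.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  # Provenance tags for CI runs; the values come from the job environment.
  additionalTags:
    buildProvenance: ${BUILD_PROVENANCE}
    creationTimestamp: ${TIMESTAMP}
    jobName: ${JOB_NAME}
  bastionSpec:
    azureBastion:
      enableTunneling: true
      name: ${CLUSTER_NAME}-azure-bastion
      publicIP:
        name: ${CLUSTER_NAME}-azure-bastion-pip
      sku: Standard
      subnet:
        cidrBlocks:
        - ${AZURE_BASTION_SUBNET_CIDR}
        # Azure Bastion requires this exact subnet name.
        name: AzureBastionSubnet
        role: bastion
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureClusterIdentity
    name: ${CLUSTER_IDENTITY_NAME}
  location: ${AZURE_LOCATION}
  networkSpec:
    # Internal (private) frontend only: no public API-server endpoint is created.
    apiServerLB:
      frontendIPs:
      - name: ${CLUSTER_NAME}-internal-lb-frontend
        privateIP: ${AZURE_INTERNAL_LB_IP}
      name: ${CLUSTER_NAME}-internal-lb
      type: Internal
    # Separate outbound LBs give control-plane and worker nodes egress without public IPs.
    controlPlaneOutboundLB:
      frontendIPsCount: 1
    nodeOutboundLB:
      frontendIPsCount: 1
    subnets:
    - cidrBlocks:
      - ${AZURE_CP_SUBNET_CIDR}
      name: private-cp-subnet
      role: control-plane
    - cidrBlocks:
      - ${AZURE_NODE_SUBNET_CIDR}
      name: private-node-subnet
      role: node
    vnet:
      cidrBlocks:
      - ${AZURE_PRIVATE_VNET_CIDR}
      name: ${AZURE_VNET_NAME}
      peerings:
      - remoteVnetName: ${AZURE_CUSTOM_VNET_NAME}
        resourceGroup: ${AZURE_CUSTOM_VNET_RESOURCE_GROUP}
  resourceGroup: ${AZURE_RESOURCE_GROUP:=${CLUSTER_NAME}}
  subscriptionID: ${AZURE_SUBSCRIPTION_ID}
---
# Control plane: kubeadm with the external (out-of-tree) cloud provider and etcd on a
# dedicated data disk (lun0, 256 GB in the matching AzureMachineTemplate), formatted
# ext4 and mounted by its etcd_disk label.
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          cloud-provider: external
        timeoutForControlPlane: 20m
      controllerManager:
        extraArgs:
          # Pod CIDR allocation is left to the CNI; the CCM chart below receives clusterCIDR.
          allocate-node-cidrs: "false"
          cloud-provider: external
          cluster-name: ${CLUSTER_NAME}
          v: "4"
      etcd:
        local:
          dataDir: /var/lib/etcddisk/etcd
          extraArgs:
            quota-backend-bytes: "8589934592"
    diskSetup:
      filesystems:
      - device: /dev/disk/azure/scsi1/lun0
        extraOpts:
        - -E
        - lazy_itable_init=1,lazy_journal_init=1
        filesystem: ext4
        label: etcd_disk
      - device: ephemeral0.1
        filesystem: ext4
        label: ephemeral0
        replaceFS: ntfs
      partitions:
      - device: /dev/disk/azure/scsi1/lun0
        layout: true
        overwrite: false
        tableType: gpt
    files:
    # Cloud-provider config is injected from a per-cluster Secret rather than inlined.
    # NOTE(review): the file is world-readable (0644). With a user-assigned identity it
    # carries no credential, but confirm that still holds before reusing this template
    # with a service-principal based azure.json.
    - contentFrom:
        secret:
          key: control-plane-azure.json
          name: ${CLUSTER_NAME}-control-plane-azure-json
      owner: root:root
      path: /etc/kubernetes/azure.json
      permissions: "0644"
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
        name: '{{ ds.meta_data["local_hostname"] }}'
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
        name: '{{ ds.meta_data["local_hostname"] }}'
    mounts:
    - - LABEL=etcd_disk
      - /var/lib/etcddisk
    # Both hooks map the cluster's API-server hostname to loopback on control-plane nodes,
    # presumably so kubeadm talks to the local API server rather than the internal LB
    # during init/join — confirm against the CAPZ private-cluster docs.
    postKubeadmCommands:
    - if [ -f /tmp/kubeadm-join-config.yaml ] || [ -f /run/kubeadm/kubeadm-join-config.yaml ]; then echo '127.0.0.1 apiserver.${CLUSTER_NAME}.capz.io apiserver' >> /etc/hosts; fi
    preKubeadmCommands:
    - if [ -f /tmp/kubeadm.yaml ] || [ -f /run/kubeadm/kubeadm.yaml ]; then echo '127.0.0.1 apiserver.${CLUSTER_NAME}.capz.io apiserver' >> /etc/hosts; fi
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: AzureMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
  replicas: ${CONTROL_PLANE_MACHINE_COUNT:=1}
  version: ${KUBERNETES_VERSION}
---
# Control-plane VM template. The same user-assigned identity is attached to the nodes
# here and used by the AzureClusterIdentity further down.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  template:
    spec:
      dataDisks:
      - diskSizeGB: 256
        lun: 0
        nameSuffix: etcddisk
      identity: UserAssigned
      osDisk:
        diskSizeGB: 128
        osType: Linux
      # base64-encoded public key; empty unless supplied by the environment.
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      userAssignedIdentities:
      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
      vmSize: ${AZURE_CONTROL_PLANE_MACHINE_TYPE}
---
# Worker pool.
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${WORKER_MACHINE_COUNT:=2}
  selector:
    # Left null so that CAPI's defaulting populates the selector — confirm for the CAPI version in use.
    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: AzureMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION}
---
# Worker VM template; identical identity wiring to the control-plane template.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      identity: UserAssigned
      osDisk:
        diskSizeGB: 128
        osType: Linux
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      userAssignedIdentities:
      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
      vmSize: ${AZURE_NODE_MACHINE_TYPE}
---
# Worker bootstrap: same azure.json delivery and kubelet flags as the control plane,
# minus the /etc/hosts hooks (workers do reach the API server through the internal LB).
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      files:
      - contentFrom:
          secret:
            key: worker-node-azure.json
            name: ${CLUSTER_NAME}-md-0-azure-json
        owner: root:root
        path: /etc/kubernetes/azure.json
        permissions: "0644"
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-provider: external
          name: '{{ ds.meta_data["local_hostname"] }}'
      preKubeadmCommands: []
---
# Identity CAPZ uses to manage Azure resources for this cluster (user-assigned MSI).
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  labels:
    # Makes clusterctl move carry this object together with the cluster.
    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
  name: ${CLUSTER_IDENTITY_NAME}
  namespace: default
spec:
  # NOTE(review): as documented in the CAPZ API, an empty allowedNamespaces object lets
  # AzureClusters in *any* namespace use this identity (nil restricts it to its own
  # namespace). Acceptable for a throwaway CI management cluster; tighten on shared ones.
  allowedNamespaces: {}
  clientID: ${UAMI_CLIENT_ID}
  resourceID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
  tenantID: ${AZURE_TENANT_ID}
  type: UserAssignedMSI
---
# ClusterResourceSet carrying the Calico CRDs ConfigMap. Its selector matches
# cni=${CLUSTER_NAME}-calico, which the Cluster above (cni: calico) does NOT carry, so
# this CRS is inert unless that label is changed; Calico itself is installed by the
# tigera-operator HelmChartProxy below.
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: ${CLUSTER_NAME}-calico
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      cni: ${CLUSTER_NAME}-calico
  resources:
  - kind: ConfigMap
    name: cni-${CLUSTER_NAME}-calico
  strategy: ApplyOnce
---
# Calico via the tigera-operator chart. valuesTemplate is a Go template rendered against
# the Cluster object: ipPools expands to one VXLAN pool per pod CIDR.
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: calico
  namespace: default
spec:
  chartName: tigera-operator
  clusterSelector:
    matchLabels:
      cni: calico
  namespace: tigera-operator
  releaseName: projectcalico
  repoURL: https://docs.tigera.io/calico/charts
  valuesTemplate: |-
    installation:
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        mtu: 1350
        ipPools:{{range $i, $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}
        - cidr: {{ $cidr }}
          encapsulation: VXLAN{{end}}
      registry: mcr.microsoft.com/oss
    # Image and registry configuration for the tigera/operator pod.
    tigeraOperator:
      image: tigera/operator
      registry: mcr.microsoft.com/oss
    calicoctl:
      image: mcr.microsoft.com/oss/calico/ctl
  version: ${CALICO_VERSION}
---
# azuredisk CSI driver, opt-in per cluster via the azuredisk-csi=true label.
# NOTE(review): repoURL tracks the master branch and no spec.version is pinned, so the
# chart actually installed can change between CI runs; pin a version where reproducible
# runs matter. The two cloud-provider-azure charts below have the same property.
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: azuredisk-csi-driver-chart
  namespace: default
spec:
  chartName: azuredisk-csi-driver
  clusterSelector:
    matchLabels:
      azuredisk-csi: "true"
  namespace: kube-system
  releaseName: azuredisk-csi-driver-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/charts
  valuesTemplate: |-
    controller:
      replicas: 1
      runOnControlPlane: true
    windows:
      useHostProcessContainers: {{ hasKey .Cluster.metadata.labels "cni-windows" }}
---
# Out-of-tree Azure cloud provider (CCM/CNM), default variant matched by cloud-provider: azure.
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      cloud-provider: azure
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      logVerbosity: 4
---
# CI variant of the cloud-provider chart, matched by cloud-provider: azure-ci; lets the
# job override the CCM/CNM images, config location and replica count through environment
# variables (all with safe empty/default fallbacks).
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart-ci
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      cloud-provider: azure-ci
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      cloudConfig: ${CLOUD_CONFIG:-"/etc/kubernetes/azure.json"}
      cloudConfigSecretName: ${CONFIG_SECRET_NAME:-""}
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      imageName: "${CCM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CCM:-""}"
      logVerbosity: ${CCM_LOG_VERBOSITY:-4}
      replicas: ${CCM_COUNT:-1}
      enableDynamicReloading: ${ENABLE_DYNAMIC_RELOADING:-false}
    cloudNodeManager:
      imageName: "${CNM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CNM:-""}"
---
# Vendored Calico CRDs carried as a ConfigMap for the ClusterResourceSet above; the
# `resources` block scalar holds the upstream CRD manifests verbatim.
apiVersion: v1
data:
  resources: |
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: bgpconfigurations.crd.projectcalico.org
    spec:
      group: crd.projectcalico.org
      names:
        kind: BGPConfiguration
        listKind: BGPConfigurationList
        plural: bgpconfigurations
        singular: bgpconfiguration
      preserveUnknownFields: false
      scope: Cluster
      versions:
      - name: v1
        schema:
          openAPIV3Schema:
            description: BGPConfiguration contains the configuration for any BGP routing.
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents.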
Servers may infer this from the endpoint the client 401 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 402 type: string 403 metadata: 404 type: object 405 spec: 406 description: BGPConfigurationSpec contains the values of the BGP configuration. 407 properties: 408 asNumber: 409 description: 'ASNumber is the default AS number used by a node. [Default: 410 64512]' 411 format: int32 412 type: integer 413 bindMode: 414 description: BindMode indicates whether to listen for BGP connections 415 on all addresses (None) or only on the node's canonical IP address 416 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen 417 for BGP connections on all addresses. 418 type: string 419 communities: 420 description: Communities is a list of BGP community values and their 421 arbitrary names for tagging routes. 422 items: 423 description: Community contains standard or large community value 424 and its name. 425 properties: 426 name: 427 description: Name given to community value. 428 type: string 429 value: 430 description: Value must be of format `aa:nn` or `aa:nn:mm`. 431 For standard community use `aa:nn` format, where `aa` and 432 `nn` are 16 bit number. For large community use `aa:nn:mm` 433 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 434 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. 435 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 436 type: string 437 type: object 438 type: array 439 ignoredInterfaces: 440 description: IgnoredInterfaces indicates the network interfaces that 441 needs to be excluded when reading device routes. 442 items: 443 type: string 444 type: array 445 listenPort: 446 description: ListenPort is the port where BGP protocol should listen. 
447 Defaults to 179 448 maximum: 65535 449 minimum: 1 450 type: integer 451 logSeverityScreen: 452 description: 'LogSeverityScreen is the log severity above which logs 453 are sent to the stdout. [Default: INFO]' 454 type: string 455 nodeMeshMaxRestartTime: 456 description: Time to allow for software restart for node-to-mesh peerings. When 457 specified, this is configured as the graceful restart timeout. When 458 not specified, the BIRD default of 120s is used. This field can 459 only be set on the default BGPConfiguration instance and requires 460 that NodeMesh is enabled 461 type: string 462 nodeMeshPassword: 463 description: Optional BGP password for full node-to-mesh peerings. 464 This field can only be set on the default BGPConfiguration instance 465 and requires that NodeMesh is enabled 466 properties: 467 secretKeyRef: 468 description: Selects a key of a secret in the node pod's namespace. 469 properties: 470 key: 471 description: The key of the secret to select from. Must be 472 a valid secret key. 473 type: string 474 name: 475 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 476 TODO: Add other useful fields. apiVersion, kind, uid?' 477 type: string 478 optional: 479 description: Specify whether the Secret or its key must be 480 defined 481 type: boolean 482 required: 483 - key 484 type: object 485 type: object 486 nodeToNodeMeshEnabled: 487 description: 'NodeToNodeMeshEnabled sets whether full node to node 488 BGP mesh is enabled. [Default: true]' 489 type: boolean 490 prefixAdvertisements: 491 description: PrefixAdvertisements contains per-prefix advertisement 492 configuration. 493 items: 494 description: PrefixAdvertisement configures advertisement properties 495 for the specified CIDR. 496 properties: 497 cidr: 498 description: CIDR for which properties should be advertised. 
499 type: string 500 communities: 501 description: Communities can be list of either community names 502 already defined in `Specs.Communities` or community value 503 of format `aa:nn` or `aa:nn:mm`. For standard community use 504 `aa:nn` format, where `aa` and `nn` are 16 bit number. For 505 large community use `aa:nn:mm` format, where `aa`, `nn` and 506 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 507 `mm` are per-AS identifier. 508 items: 509 type: string 510 type: array 511 type: object 512 type: array 513 serviceClusterIPs: 514 description: ServiceClusterIPs are the CIDR blocks from which service 515 cluster IPs are allocated. If specified, Calico will advertise these 516 blocks, as well as any cluster IPs within them. 517 items: 518 description: ServiceClusterIPBlock represents a single allowed ClusterIP 519 CIDR block. 520 properties: 521 cidr: 522 type: string 523 type: object 524 type: array 525 serviceExternalIPs: 526 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 527 Service External IPs. Kubernetes Service ExternalIPs will only be 528 advertised if they are within one of these blocks. 529 items: 530 description: ServiceExternalIPBlock represents a single allowed 531 External IP CIDR block. 532 properties: 533 cidr: 534 type: string 535 type: object 536 type: array 537 serviceLoadBalancerIPs: 538 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 539 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 540 IPs will only be advertised if they are within one of these blocks. 541 items: 542 description: ServiceLoadBalancerIPBlock represents a single allowed 543 LoadBalancer IP CIDR block. 
544 properties: 545 cidr: 546 type: string 547 type: object 548 type: array 549 type: object 550 type: object 551 served: true 552 storage: true 553 status: 554 acceptedNames: 555 kind: "" 556 plural: "" 557 conditions: [] 558 storedVersions: [] 559 --- 560 apiVersion: apiextensions.k8s.io/v1 561 kind: CustomResourceDefinition 562 metadata: 563 annotations: 564 controller-gen.kubebuilder.io/version: (devel) 565 creationTimestamp: null 566 name: bgpfilters.crd.projectcalico.org 567 spec: 568 group: crd.projectcalico.org 569 names: 570 kind: BGPFilter 571 listKind: BGPFilterList 572 plural: bgpfilters 573 singular: bgpfilter 574 scope: Cluster 575 versions: 576 - name: v1 577 schema: 578 openAPIV3Schema: 579 properties: 580 apiVersion: 581 description: 'APIVersion defines the versioned schema of this representation 582 of an object. Servers should convert recognized schemas to the latest 583 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 584 type: string 585 kind: 586 description: 'Kind is a string value representing the REST resource this 587 object represents. Servers may infer this from the endpoint the client 588 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 589 type: string 590 metadata: 591 type: object 592 spec: 593 description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of 594 the BGP Filter. 595 properties: 596 exportV4: 597 description: The ordered set of IPv4 BGPFilter rules acting on exporting 598 routes to a peer. 599 items: 600 description: BGPFilterRuleV4 defines a BGP filter rule consisting 601 a single IPv4 CIDR block and a filter action for this CIDR. 
602 properties: 603 action: 604 type: string 605 cidr: 606 type: string 607 matchOperator: 608 type: string 609 required: 610 - action 611 - cidr 612 - matchOperator 613 type: object 614 type: array 615 exportV6: 616 description: The ordered set of IPv6 BGPFilter rules acting on exporting 617 routes to a peer. 618 items: 619 description: BGPFilterRuleV6 defines a BGP filter rule consisting 620 a single IPv6 CIDR block and a filter action for this CIDR. 621 properties: 622 action: 623 type: string 624 cidr: 625 type: string 626 matchOperator: 627 type: string 628 required: 629 - action 630 - cidr 631 - matchOperator 632 type: object 633 type: array 634 importV4: 635 description: The ordered set of IPv4 BGPFilter rules acting on importing 636 routes from a peer. 637 items: 638 description: BGPFilterRuleV4 defines a BGP filter rule consisting 639 a single IPv4 CIDR block and a filter action for this CIDR. 640 properties: 641 action: 642 type: string 643 cidr: 644 type: string 645 matchOperator: 646 type: string 647 required: 648 - action 649 - cidr 650 - matchOperator 651 type: object 652 type: array 653 importV6: 654 description: The ordered set of IPv6 BGPFilter rules acting on importing 655 routes from a peer. 656 items: 657 description: BGPFilterRuleV6 defines a BGP filter rule consisting 658 a single IPv6 CIDR block and a filter action for this CIDR. 
659 properties: 660 action: 661 type: string 662 cidr: 663 type: string 664 matchOperator: 665 type: string 666 required: 667 - action 668 - cidr 669 - matchOperator 670 type: object 671 type: array 672 type: object 673 type: object 674 served: true 675 storage: true 676 status: 677 acceptedNames: 678 kind: "" 679 plural: "" 680 conditions: [] 681 storedVersions: [] 682 --- 683 apiVersion: apiextensions.k8s.io/v1 684 kind: CustomResourceDefinition 685 metadata: 686 name: bgppeers.crd.projectcalico.org 687 spec: 688 group: crd.projectcalico.org 689 names: 690 kind: BGPPeer 691 listKind: BGPPeerList 692 plural: bgppeers 693 singular: bgppeer 694 preserveUnknownFields: false 695 scope: Cluster 696 versions: 697 - name: v1 698 schema: 699 openAPIV3Schema: 700 properties: 701 apiVersion: 702 description: 'APIVersion defines the versioned schema of this representation 703 of an object. Servers should convert recognized schemas to the latest 704 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 705 type: string 706 kind: 707 description: 'Kind is a string value representing the REST resource this 708 object represents. Servers may infer this from the endpoint the client 709 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 710 type: string 711 metadata: 712 type: object 713 spec: 714 description: BGPPeerSpec contains the specification for a BGPPeer resource. 715 properties: 716 asNumber: 717 description: The AS Number of the peer. 718 format: int32 719 type: integer 720 filters: 721 description: The ordered set of BGPFilters applied on this BGP peer. 722 items: 723 type: string 724 type: array 725 keepOriginalNextHop: 726 description: Option to keep the original nexthop field when routes 727 are sent to a BGP Peer. 
Setting "true" configures the selected BGP 728 Peers node to use the "next hop keep;" instead of "next hop self;"(default) 729 in the specific branch of the Node on "bird.cfg". 730 type: boolean 731 maxRestartTime: 732 description: Time to allow for software restart. When specified, 733 this is configured as the graceful restart timeout. When not specified, 734 the BIRD default of 120s is used. 735 type: string 736 node: 737 description: The node name identifying the Calico node instance that 738 is targeted by this peer. If this is not set, and no nodeSelector 739 is specified, then this BGP peer selects all nodes in the cluster. 740 type: string 741 nodeSelector: 742 description: Selector for the nodes that should have this peering. When 743 this is set, the Node field must be empty. 744 type: string 745 numAllowedLocalASNumbers: 746 description: Maximum number of local AS numbers that are allowed in 747 the AS path for received routes. This removes BGP loop prevention 748 and should only be used if absolutely necesssary. 749 format: int32 750 type: integer 751 password: 752 description: Optional BGP password for the peerings generated by this 753 BGPPeer resource. 754 properties: 755 secretKeyRef: 756 description: Selects a key of a secret in the node pod's namespace. 757 properties: 758 key: 759 description: The key of the secret to select from. Must be 760 a valid secret key. 761 type: string 762 name: 763 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 764 TODO: Add other useful fields. apiVersion, kind, uid?' 765 type: string 766 optional: 767 description: Specify whether the Secret or its key must be 768 defined 769 type: boolean 770 required: 771 - key 772 type: object 773 type: object 774 peerIP: 775 description: The IP address of the peer followed by an optional port 776 number to peer with. 
If port number is given, format should be `[<IPv6>]:port` 777 or `<IPv4>:<port>` for IPv4. If optional port number is not set, 778 and this peer IP and ASNumber belongs to a calico/node with ListenPort 779 set in BGPConfiguration, then we use that port to peer. 780 type: string 781 peerSelector: 782 description: Selector for the remote nodes to peer with. When this 783 is set, the PeerIP and ASNumber fields must be empty. For each 784 peering between the local node and selected remote nodes, we configure 785 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, 786 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The 787 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, 788 or the global default if that is not set. 789 type: string 790 reachableBy: 791 description: Add an exact, i.e. /32, static route toward peer IP in 792 order to prevent route flapping. ReachableBy contains the address 793 of the gateway which peer can be reached by. 794 type: string 795 sourceAddress: 796 description: Specifies whether and how to configure a source address 797 for the peerings generated by this BGPPeer resource. Default value 798 "UseNodeIP" means to configure the node IP as the source address. "None" 799 means not to configure a source address. 800 type: string 801 ttlSecurity: 802 description: TTLSecurity enables the generalized TTL security mechanism 803 (GTSM) which protects against spoofed packets by ignoring received 804 packets with a smaller than expected TTL value. The provided value 805 is the number of hops (edges) between the peers. 
806 type: integer 807 type: object 808 type: object 809 served: true 810 storage: true 811 status: 812 acceptedNames: 813 kind: "" 814 plural: "" 815 conditions: [] 816 storedVersions: [] 817 --- 818 apiVersion: apiextensions.k8s.io/v1 819 kind: CustomResourceDefinition 820 metadata: 821 name: blockaffinities.crd.projectcalico.org 822 spec: 823 group: crd.projectcalico.org 824 names: 825 kind: BlockAffinity 826 listKind: BlockAffinityList 827 plural: blockaffinities 828 singular: blockaffinity 829 preserveUnknownFields: false 830 scope: Cluster 831 versions: 832 - name: v1 833 schema: 834 openAPIV3Schema: 835 properties: 836 apiVersion: 837 description: 'APIVersion defines the versioned schema of this representation 838 of an object. Servers should convert recognized schemas to the latest 839 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 840 type: string 841 kind: 842 description: 'Kind is a string value representing the REST resource this 843 object represents. Servers may infer this from the endpoint the client 844 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 845 type: string 846 metadata: 847 type: object 848 spec: 849 description: BlockAffinitySpec contains the specification for a BlockAffinity 850 resource. 851 properties: 852 cidr: 853 type: string 854 deleted: 855 description: Deleted indicates that this block affinity is being deleted. 856 This field is a string for compatibility with older releases that 857 mistakenly treat this field as a string. 
858 type: string 859 node: 860 type: string 861 state: 862 type: string 863 required: 864 - cidr 865 - deleted 866 - node 867 - state 868 type: object 869 type: object 870 served: true 871 storage: true 872 status: 873 acceptedNames: 874 kind: "" 875 plural: "" 876 conditions: [] 877 storedVersions: [] 878 --- 879 apiVersion: apiextensions.k8s.io/v1 880 kind: CustomResourceDefinition 881 metadata: 882 annotations: 883 controller-gen.kubebuilder.io/version: (devel) 884 creationTimestamp: null 885 name: caliconodestatuses.crd.projectcalico.org 886 spec: 887 group: crd.projectcalico.org 888 names: 889 kind: CalicoNodeStatus 890 listKind: CalicoNodeStatusList 891 plural: caliconodestatuses 892 singular: caliconodestatus 893 preserveUnknownFields: false 894 scope: Cluster 895 versions: 896 - name: v1 897 schema: 898 openAPIV3Schema: 899 properties: 900 apiVersion: 901 description: 'APIVersion defines the versioned schema of this representation 902 of an object. Servers should convert recognized schemas to the latest 903 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 904 type: string 905 kind: 906 description: 'Kind is a string value representing the REST resource this 907 object represents. Servers may infer this from the endpoint the client 908 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 909 type: string 910 metadata: 911 type: object 912 spec: 913 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 914 resource. 915 properties: 916 classes: 917 description: Classes declares the types of information to monitor 918 for this calico/node, and allows for selective status reporting 919 about certain subsets of information. 
920 items: 921 type: string 922 type: array 923 node: 924 description: The node name identifies the Calico node instance for 925 node status. 926 type: string 927 updatePeriodSeconds: 928 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 929 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 930 Maximum update period is one day. 931 format: int32 932 type: integer 933 type: object 934 status: 935 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 936 No validation needed for status since it is updated by Calico. 937 properties: 938 agent: 939 description: Agent holds agent status on the node. 940 properties: 941 birdV4: 942 description: BIRDV4 represents the latest observed status of bird4. 943 properties: 944 lastBootTime: 945 description: LastBootTime holds the value of lastBootTime 946 from bird.ctl output. 947 type: string 948 lastReconfigurationTime: 949 description: LastReconfigurationTime holds the value of lastReconfigTime 950 from bird.ctl output. 951 type: string 952 routerID: 953 description: Router ID used by bird. 954 type: string 955 state: 956 description: The state of the BGP Daemon. 957 type: string 958 version: 959 description: Version of the BGP daemon 960 type: string 961 type: object 962 birdV6: 963 description: BIRDV6 represents the latest observed status of bird6. 964 properties: 965 lastBootTime: 966 description: LastBootTime holds the value of lastBootTime 967 from bird.ctl output. 968 type: string 969 lastReconfigurationTime: 970 description: LastReconfigurationTime holds the value of lastReconfigTime 971 from bird.ctl output. 972 type: string 973 routerID: 974 description: Router ID used by bird. 975 type: string 976 state: 977 description: The state of the BGP Daemon. 978 type: string 979 version: 980 description: Version of the BGP daemon 981 type: string 982 type: object 983 type: object 984 bgp: 985 description: BGP holds node BGP status. 
986 properties: 987 numberEstablishedV4: 988 description: The total number of IPv4 established bgp sessions. 989 type: integer 990 numberEstablishedV6: 991 description: The total number of IPv6 established bgp sessions. 992 type: integer 993 numberNotEstablishedV4: 994 description: The total number of IPv4 non-established bgp sessions. 995 type: integer 996 numberNotEstablishedV6: 997 description: The total number of IPv6 non-established bgp sessions. 998 type: integer 999 peersV4: 1000 description: PeersV4 represents IPv4 BGP peers status on the node. 1001 items: 1002 description: CalicoNodePeer contains the status of BGP peers 1003 on the node. 1004 properties: 1005 peerIP: 1006 description: IP address of the peer whose condition we are 1007 reporting. 1008 type: string 1009 since: 1010 description: Since the state or reason last changed. 1011 type: string 1012 state: 1013 description: State is the BGP session state. 1014 type: string 1015 type: 1016 description: Type indicates whether this peer is configured 1017 via the node-to-node mesh, or via en explicit global or 1018 per-node BGPPeer object. 1019 type: string 1020 type: object 1021 type: array 1022 peersV6: 1023 description: PeersV6 represents IPv6 BGP peers status on the node. 1024 items: 1025 description: CalicoNodePeer contains the status of BGP peers 1026 on the node. 1027 properties: 1028 peerIP: 1029 description: IP address of the peer whose condition we are 1030 reporting. 1031 type: string 1032 since: 1033 description: Since the state or reason last changed. 1034 type: string 1035 state: 1036 description: State is the BGP session state. 1037 type: string 1038 type: 1039 description: Type indicates whether this peer is configured 1040 via the node-to-node mesh, or via en explicit global or 1041 per-node BGPPeer object. 
1042 type: string 1043 type: object 1044 type: array 1045 required: 1046 - numberEstablishedV4 1047 - numberEstablishedV6 1048 - numberNotEstablishedV4 1049 - numberNotEstablishedV6 1050 type: object 1051 lastUpdated: 1052 description: LastUpdated is a timestamp representing the server time 1053 when CalicoNodeStatus object last updated. It is represented in 1054 RFC3339 form and is in UTC. 1055 format: date-time 1056 nullable: true 1057 type: string 1058 routes: 1059 description: Routes reports routes known to the Calico BGP daemon 1060 on the node. 1061 properties: 1062 routesV4: 1063 description: RoutesV4 represents IPv4 routes on the node. 1064 items: 1065 description: CalicoNodeRoute contains the status of BGP routes 1066 on the node. 1067 properties: 1068 destination: 1069 description: Destination of the route. 1070 type: string 1071 gateway: 1072 description: Gateway for the destination. 1073 type: string 1074 interface: 1075 description: Interface for the destination 1076 type: string 1077 learnedFrom: 1078 description: LearnedFrom contains information regarding 1079 where this route originated. 1080 properties: 1081 peerIP: 1082 description: If sourceType is NodeMesh or BGPPeer, IP 1083 address of the router that sent us this route. 1084 type: string 1085 sourceType: 1086 description: Type of the source where a route is learned 1087 from. 1088 type: string 1089 type: object 1090 type: 1091 description: Type indicates if the route is being used for 1092 forwarding or not. 1093 type: string 1094 type: object 1095 type: array 1096 routesV6: 1097 description: RoutesV6 represents IPv6 routes on the node. 1098 items: 1099 description: CalicoNodeRoute contains the status of BGP routes 1100 on the node. 1101 properties: 1102 destination: 1103 description: Destination of the route. 1104 type: string 1105 gateway: 1106 description: Gateway for the destination. 
1107 type: string 1108 interface: 1109 description: Interface for the destination 1110 type: string 1111 learnedFrom: 1112 description: LearnedFrom contains information regarding 1113 where this route originated. 1114 properties: 1115 peerIP: 1116 description: If sourceType is NodeMesh or BGPPeer, IP 1117 address of the router that sent us this route. 1118 type: string 1119 sourceType: 1120 description: Type of the source where a route is learned 1121 from. 1122 type: string 1123 type: object 1124 type: 1125 description: Type indicates if the route is being used for 1126 forwarding or not. 1127 type: string 1128 type: object 1129 type: array 1130 type: object 1131 type: object 1132 type: object 1133 served: true 1134 storage: true 1135 status: 1136 acceptedNames: 1137 kind: "" 1138 plural: "" 1139 conditions: [] 1140 storedVersions: [] 1141 --- 1142 apiVersion: apiextensions.k8s.io/v1 1143 kind: CustomResourceDefinition 1144 metadata: 1145 name: clusterinformations.crd.projectcalico.org 1146 spec: 1147 group: crd.projectcalico.org 1148 names: 1149 kind: ClusterInformation 1150 listKind: ClusterInformationList 1151 plural: clusterinformations 1152 singular: clusterinformation 1153 preserveUnknownFields: false 1154 scope: Cluster 1155 versions: 1156 - name: v1 1157 schema: 1158 openAPIV3Schema: 1159 description: ClusterInformation contains the cluster specific information. 1160 properties: 1161 apiVersion: 1162 description: 'APIVersion defines the versioned schema of this representation 1163 of an object. Servers should convert recognized schemas to the latest 1164 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1165 type: string 1166 kind: 1167 description: 'Kind is a string value representing the REST resource this 1168 object represents. Servers may infer this from the endpoint the client 1169 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1170 type: string 1171 metadata: 1172 type: object 1173 spec: 1174 description: ClusterInformationSpec contains the values of describing 1175 the cluster. 1176 properties: 1177 calicoVersion: 1178 description: CalicoVersion is the version of Calico that the cluster 1179 is running 1180 type: string 1181 clusterGUID: 1182 description: ClusterGUID is the GUID of the cluster 1183 type: string 1184 clusterType: 1185 description: ClusterType describes the type of the cluster 1186 type: string 1187 datastoreReady: 1188 description: DatastoreReady is used during significant datastore migrations 1189 to signal to components such as Felix that it should wait before 1190 accessing the datastore. 1191 type: boolean 1192 variant: 1193 description: Variant declares which variant of Calico should be active. 1194 type: string 1195 type: object 1196 type: object 1197 served: true 1198 storage: true 1199 status: 1200 acceptedNames: 1201 kind: "" 1202 plural: "" 1203 conditions: [] 1204 storedVersions: [] 1205 --- 1206 apiVersion: apiextensions.k8s.io/v1 1207 kind: CustomResourceDefinition 1208 metadata: 1209 name: felixconfigurations.crd.projectcalico.org 1210 spec: 1211 group: crd.projectcalico.org 1212 names: 1213 kind: FelixConfiguration 1214 listKind: FelixConfigurationList 1215 plural: felixconfigurations 1216 singular: felixconfiguration 1217 preserveUnknownFields: false 1218 scope: Cluster 1219 versions: 1220 - name: v1 1221 schema: 1222 openAPIV3Schema: 1223 description: Felix Configuration contains the configuration for Felix. 1224 properties: 1225 apiVersion: 1226 description: 'APIVersion defines the versioned schema of this representation 1227 of an object. Servers should convert recognized schemas to the latest 1228 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1229 type: string 1230 kind: 1231 description: 'Kind is a string value representing the REST resource this 1232 object represents. Servers may infer this from the endpoint the client 1233 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1234 type: string 1235 metadata: 1236 type: object 1237 spec: 1238 description: FelixConfigurationSpec contains the values of the Felix configuration. 1239 properties: 1240 allowIPIPPacketsFromWorkloads: 1241 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix 1242 will add a rule to drop IPIP encapsulated traffic from workloads 1243 [Default: false]' 1244 type: boolean 1245 allowVXLANPacketsFromWorkloads: 1246 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix 1247 will add a rule to drop VXLAN encapsulated traffic from workloads 1248 [Default: false]' 1249 type: boolean 1250 awsSrcDstCheck: 1251 description: 'Set source-destination-check on AWS EC2 instances. Accepted 1252 value must be one of "DoNothing", "Enable" or "Disable". [Default: 1253 DoNothing]' 1254 enum: 1255 - DoNothing 1256 - Enable 1257 - Disable 1258 type: string 1259 bpfConnectTimeLoadBalancingEnabled: 1260 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, 1261 controls whether Felix installs the connection-time load balancer. The 1262 connect-time load balancer is required for the host to be able to 1263 reach Kubernetes services and it improves the performance of pod-to-service 1264 connections. The only reason to disable it is for debugging purposes. [Default: 1265 true]' 1266 type: boolean 1267 bpfDSROptoutCIDRs: 1268 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded 1269 from DSR. 
That is, clients in those CIDRs will access nodeports 1270 as if BPFExternalServiceMode was set to Tunnel. 1271 items: 1272 type: string 1273 type: array 1274 bpfDataIfacePattern: 1275 description: BPFDataIfacePattern is a regular expression that controls 1276 which interfaces Felix should attach BPF programs to in order to 1277 catch traffic to/from the network. This needs to match the interfaces 1278 that Calico workload traffic flows over as well as any interfaces 1279 that handle incoming traffic to nodeports and services from outside 1280 the cluster. It should not match the workload interfaces (usually 1281 named cali...). 1282 type: string 1283 bpfDisableUnprivileged: 1284 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 1285 sysctl to disable unprivileged use of BPF. This ensures that unprivileged 1286 users cannot access Calico''s BPF maps and cannot insert their own 1287 BPF programs to interfere with Calico''s. [Default: true]' 1288 type: boolean 1289 bpfEnabled: 1290 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. 1291 [Default: false]' 1292 type: boolean 1293 bpfEnforceRPF: 1294 description: 'BPFEnforceRPF enforces strict RPF on all host interfaces 1295 with BPF programs regardless of the per-interface or global 1296 setting. Possible values are Disabled, Strict or Loose. [Default: 1297 Loose]' 1298 type: string 1299 bpfExtToServiceConnmark: 1300 description: 'BPFExtToServiceConnmark in BPF mode, controls a 32-bit 1301 mark that is set on connections from an external client to a local 1302 service. This mark allows us to control how packets of that connection 1303 are routed within the host and how routing is interpreted by the RPF 1304 check.
[Default: 0]' 1305 type: integer 1306 bpfExternalServiceMode: 1307 description: 'BPFExternalServiceMode in BPF mode, controls how connections 1308 from outside the cluster to services (node ports and cluster IPs) 1309 are forwarded to remote workloads. If set to "Tunnel" then both 1310 request and response traffic is tunneled to the remote node. If 1311 set to "DSR", the request traffic is tunneled but the response traffic 1312 is sent directly from the remote node. In "DSR" mode, the remote 1313 node appears to use the IP of the ingress node; this requires a 1314 permissive L2 network. [Default: Tunnel]' 1315 type: string 1316 bpfHostConntrackBypass: 1317 description: 'BPFHostConntrackBypass Controls whether to bypass Linux 1318 conntrack in BPF mode for workloads and services. [Default: true 1319 - bypass Linux conntrack]' 1320 type: boolean 1321 bpfKubeProxyEndpointSlicesEnabled: 1322 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls 1323 whether Felix's embedded kube-proxy accepts EndpointSlices or not. 1324 type: boolean 1325 bpfKubeProxyIptablesCleanupEnabled: 1326 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 1327 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s 1328 iptables chains. Should only be enabled if kube-proxy is not running. [Default: 1329 true]' 1330 type: boolean 1331 bpfKubeProxyMinSyncPeriod: 1332 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the 1333 minimum time between updates to the dataplane for Felix''s embedded 1334 kube-proxy. Lower values give reduced set-up latency. Higher values 1335 reduce Felix CPU usage by batching up more work. [Default: 1s]' 1336 type: string 1337 bpfL3IfacePattern: 1338 description: BPFL3IfacePattern is a regular expression that allows 1339 to list tunnel devices like wireguard or vxlan (i.e., L3 devices) 1340 in addition to BPFDataIfacePattern. 
That is, tunnel interfaces not 1341 created by Calico, that Calico workload traffic flows over as well 1342 as any interfaces that handle incoming traffic to nodeports and 1343 services from outside the cluster. 1344 type: string 1345 bpfLogLevel: 1346 description: 'BPFLogLevel controls the log level of the BPF programs 1347 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 1348 logs are emitted to the BPF trace pipe, accessible with the command 1349 `tc exec bpf debug`. [Default: Off].' 1350 type: string 1351 bpfMapSizeConntrack: 1352 description: 'BPFMapSizeConntrack sets the size for the conntrack 1353 map. This map must be large enough to hold an entry for each active 1354 connection. Warning: changing the size of the conntrack map can 1355 cause disruption.' 1356 type: integer 1357 bpfMapSizeIPSets: 1358 description: BPFMapSizeIPSets sets the size for ipsets map. The IP 1359 sets map must be large enough to hold an entry for each endpoint 1360 matched by every selector in the source/destination matches in network 1361 policy. Selectors such as "all()" can result in large numbers of 1362 entries (one entry per endpoint in that case). 1363 type: integer 1364 bpfMapSizeIfState: 1365 description: BPFMapSizeIfState sets the size for ifstate map. The 1366 ifstate map must be large enough to hold an entry for each device 1367 (host + workloads) on a host. 1368 type: integer 1369 bpfMapSizeNATAffinity: 1370 type: integer 1371 bpfMapSizeNATBackend: 1372 description: BPFMapSizeNATBackend sets the size for nat back end map. 1373 This is the total number of endpoints. This is mostly more than 1374 the size of the number of services. 1375 type: integer 1376 bpfMapSizeNATFrontend: 1377 description: BPFMapSizeNATFrontend sets the size for nat front end 1378 map. FrontendMap should be large enough to hold an entry for each 1379 nodeport, external IP and each port in each service. 
1380 type: integer 1381 bpfMapSizeRoute: 1382 description: BPFMapSizeRoute sets the size for the routes map. The 1383 routes map should be large enough to hold one entry per workload 1384 and a handful of entries per host (enough to cover its own IPs and 1385 tunnel IPs). 1386 type: integer 1387 bpfPSNATPorts: 1388 anyOf: 1389 - type: integer 1390 - type: string 1391 description: 'BPFPSNATPorts sets the range from which we randomly 1392 pick a port if there is a source port collision. This should be 1393 within the ephemeral range as defined by RFC 6056 (1024–65535) and 1394 preferably outside the ephemeral ranges used by common operating 1395 systems. Linux uses 32768–60999, while others mostly use the IANA 1396 defined range 49152–65535. It is not necessarily a problem if this 1397 range overlaps with the operating systems. Both ends of the range 1398 are inclusive. [Default: 20000:29999]' 1399 pattern: ^.* 1400 x-kubernetes-int-or-string: true 1401 bpfPolicyDebugEnabled: 1402 description: BPFPolicyDebugEnabled when true, Felix records detailed 1403 information about the BPF policy programs, which can be examined 1404 with the calico-bpf command-line tool. 1405 type: boolean 1406 chainInsertMode: 1407 description: 'ChainInsertMode controls whether Felix hooks the kernel''s 1408 top-level iptables chains by inserting a rule at the top of the 1409 chain or by appending a rule at the bottom. insert is the safe default 1410 since it prevents Calico''s rules from being bypassed. If you switch 1411 to append mode, be sure that the other rules in the chains signal 1412 acceptance by falling through to the Calico rules, otherwise the 1413 Calico policy will be bypassed. [Default: insert]' 1414 type: string 1415 dataplaneDriver: 1416 description: DataplaneDriver filename of the external dataplane driver 1417 to use. Only used if UseInternalDataplaneDriver is set to false. 
1418 type: string 1419 dataplaneWatchdogTimeout: 1420 description: "DataplaneWatchdogTimeout is the readiness/liveness timeout 1421 used for Felix's (internal) dataplane driver. Increase this value 1422 if you experience spurious non-ready or non-live events when Felix 1423 is under heavy load. Decrease the value to get felix to report non-live 1424 or non-ready more quickly. [Default: 90s] \n Deprecated: replaced 1425 by the generic HealthTimeoutOverrides." 1426 type: string 1427 debugDisableLogDropping: 1428 type: boolean 1429 debugMemoryProfilePath: 1430 type: string 1431 debugSimulateCalcGraphHangAfter: 1432 type: string 1433 debugSimulateDataplaneHangAfter: 1434 type: string 1435 defaultEndpointToHostAction: 1436 description: 'DefaultEndpointToHostAction controls what happens to 1437 traffic that goes from a workload endpoint to the host itself (after 1438 the traffic hits the endpoint egress policy). By default Calico 1439 blocks traffic from workload endpoints to the host itself with an 1440 iptables "DROP" action. If you want to allow some or all traffic 1441 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 1442 RETURN if you have your own rules in the iptables "INPUT" chain; 1443 Calico will insert its rules at the top of that chain, then "RETURN" 1444 packets to the "INPUT" chain once it has completed processing workload 1445 endpoint egress policy. Use ACCEPT to unconditionally accept packets 1446 from workloads after processing workload endpoint egress policy. 1447 [Default: Drop]' 1448 type: string 1449 deviceRouteProtocol: 1450 description: This defines the route protocol added to programmed device 1451 routes, by default this will be RTPROT_BOOT when left blank. 1452 type: integer 1453 deviceRouteSourceAddress: 1454 description: This is the IPv4 source address to use on programmed 1455 device routes. By default the source address is left blank, leaving 1456 the kernel to choose the source address used. 
1457 type: string 1458 deviceRouteSourceAddressIPv6: 1459 description: This is the IPv6 source address to use on programmed 1460 device routes. By default the source address is left blank, leaving 1461 the kernel to choose the source address used. 1462 type: string 1463 disableConntrackInvalidCheck: 1464 type: boolean 1465 endpointReportingDelay: 1466 type: string 1467 endpointReportingEnabled: 1468 type: boolean 1469 externalNodesList: 1470 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 1471 which may source tunnel traffic and have the tunneled traffic be 1472 accepted at calico nodes. 1473 items: 1474 type: string 1475 type: array 1476 failsafeInboundHostPorts: 1477 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 1478 and CIDRs that Felix will allow incoming traffic to host endpoints 1479 on irrespective of the security policy. This is useful to avoid 1480 accidentally cutting off a host with incorrect configuration. For 1481 back-compatibility, if the protocol is not specified, it defaults 1482 to "tcp". If a CIDR is not specified, it will allow traffic from 1483 all addresses. To disable all inbound host ports, use the value 1484 none. The default value allows ssh access and DHCP. [Default: tcp:22, 1485 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 1486 items: 1487 description: ProtoPort is combination of protocol, port, and CIDR. 1488 Protocol and port must be specified. 1489 properties: 1490 net: 1491 type: string 1492 port: 1493 type: integer 1494 protocol: 1495 type: string 1496 required: 1497 - port 1498 - protocol 1499 type: object 1500 type: array 1501 failsafeOutboundHostPorts: 1502 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 1503 and CIDRs that Felix will allow outgoing traffic from host endpoints 1504 to irrespective of the security policy. This is useful to avoid 1505 accidentally cutting off a host with incorrect configuration. 
For 1506 back-compatibility, if the protocol is not specified, it defaults 1507 to "tcp". If a CIDR is not specified, it will allow traffic from 1508 all addresses. To disable all outbound host ports, use the value 1509 none. The default value opens etcd''s standard ports to ensure that 1510 Felix does not get cut off from etcd as well as allowing DHCP and 1511 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 1512 tcp:6667, udp:53, udp:67]' 1513 items: 1514 description: ProtoPort is combination of protocol, port, and CIDR. 1515 Protocol and port must be specified. 1516 properties: 1517 net: 1518 type: string 1519 port: 1520 type: integer 1521 protocol: 1522 type: string 1523 required: 1524 - port 1525 - protocol 1526 type: object 1527 type: array 1528 featureDetectOverride: 1529 description: FeatureDetectOverride is used to override feature detection 1530 based on auto-detected platform capabilities. Values are specified 1531 in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" 1532 or "false" will force the feature, empty or omitted values are auto-detected. 1533 type: string 1534 featureGates: 1535 description: FeatureGates is used to enable or disable tech-preview 1536 Calico features. Values are specified in a comma separated list 1537 with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". 1538 This is used to enable features that are not fully production ready. 1539 type: string 1540 floatingIPs: 1541 description: FloatingIPs configures whether or not Felix will program 1542 non-OpenStack floating IP addresses. (OpenStack-derived floating 1543 IPs are always programmed, regardless of this setting.) 1544 enum: 1545 - Enabled 1546 - Disabled 1547 type: string 1548 genericXDPEnabled: 1549 description: 'GenericXDPEnabled enables Generic XDP so network cards 1550 that don''t support XDP offload or driver modes can use XDP. 
This 1551 is not recommended since it doesn''t provide better performance 1552 than iptables. [Default: false]' 1553 type: boolean 1554 healthEnabled: 1555 type: boolean 1556 healthHost: 1557 type: string 1558 healthPort: 1559 type: integer 1560 healthTimeoutOverrides: 1561 description: HealthTimeoutOverrides allows the internal watchdog timeouts 1562 of individual subcomponents to be overridden. This is useful for 1563 working around "false positive" liveness timeouts that can occur 1564 in particularly stressful workloads or if CPU is constrained. For 1565 a list of active subcomponents, see Felix's logs. 1566 items: 1567 properties: 1568 name: 1569 type: string 1570 timeout: 1571 type: string 1572 required: 1573 - name 1574 - timeout 1575 type: object 1576 type: array 1577 interfaceExclude: 1578 description: 'InterfaceExclude is a comma-separated list of interfaces 1579 that Felix should exclude when monitoring for host endpoints. The 1580 default value ensures that Felix ignores Kubernetes'' IPVS dummy 1581 interface, which is used internally by kube-proxy. If you want to 1582 exclude multiple interface names using a single value, the list 1583 supports regular expressions. For regular expressions you must wrap 1584 the value with ''/''. For example having values ''/^kube/,veth1'' 1585 will exclude all interfaces that begin with ''kube'' and also the 1586 interface ''veth1''. [Default: kube-ipvs0]' 1587 type: string 1588 interfacePrefix: 1589 description: 'InterfacePrefix is the interface name prefix that identifies 1590 workload endpoints and so distinguishes them from host endpoint 1591 interfaces. Note: in environments other than bare metal, the orchestrators 1592 configure this appropriately. For example our Kubernetes and Docker 1593 integrations set the ''cali'' value, and our OpenStack integration 1594 sets the ''tap'' value. 
[Default: cali]' 1595 type: string 1596 interfaceRefreshInterval: 1597 description: InterfaceRefreshInterval is the period at which Felix 1598 rescans local interfaces to verify their state. The rescan can be 1599 disabled by setting the interval to 0. 1600 type: string 1601 ipipEnabled: 1602 description: 'IPIPEnabled overrides whether Felix should configure 1603 an IPIP interface on the host. Optional as Felix determines this 1604 based on the existing IP pools. [Default: nil (unset)]' 1605 type: boolean 1606 ipipMTU: 1607 description: 'IPIPMTU is the MTU to set on the tunnel device. See 1608 Configuring MTU [Default: 1440]' 1609 type: integer 1610 ipsetsRefreshInterval: 1611 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 1612 all iptables state to ensure that no other process has accidentally 1613 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 1614 90s]' 1615 type: string 1616 iptablesBackend: 1617 description: IptablesBackend specifies which backend of iptables will 1618 be used. The default is Auto. 1619 type: string 1620 iptablesFilterAllowAction: 1621 type: string 1622 iptablesFilterDenyAction: 1623 description: IptablesFilterDenyAction controls what happens to traffic 1624 that is denied by network policy. By default Calico blocks traffic 1625 with an iptables "DROP" action. If you want to use "REJECT" action 1626 instead you can configure it in here. 1627 type: string 1628 iptablesLockFilePath: 1629 description: 'IptablesLockFilePath is the location of the iptables 1630 lock file. You may need to change this if the lock file is not in 1631 its standard location (for example if you have mapped it into Felix''s 1632 container at a different path). [Default: /run/xtables.lock]' 1633 type: string 1634 iptablesLockProbeInterval: 1635 description: 'IptablesLockProbeInterval is the time that Felix will 1636 wait between attempts to acquire the iptables lock if it is not 1637 available. 
Lower values make Felix more responsive when the lock 1638 is contended, but use more CPU. [Default: 50ms]' 1639 type: string 1640 iptablesLockTimeout: 1641 description: 'IptablesLockTimeout is the time that Felix will wait 1642 for the iptables lock, or 0 to disable. To use this feature, Felix 1643 must share the iptables lock file with all other processes that 1644 also take the lock. When running Felix inside a container, this 1645 requires the /run directory of the host to be mounted into the calico/node 1646 or calico/felix container. [Default: 0s disabled]' 1647 type: string 1648 iptablesMangleAllowAction: 1649 type: string 1650 iptablesMarkMask: 1651 description: 'IptablesMarkMask is the mask that Felix selects its 1652 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 1653 at least 8 bits set, none of which clash with any other mark bits 1654 in use on the system. [Default: 0xff000000]' 1655 format: int32 1656 type: integer 1657 iptablesNATOutgoingInterfaceFilter: 1658 type: string 1659 iptablesPostWriteCheckInterval: 1660 description: 'IptablesPostWriteCheckInterval is the period after Felix 1661 has done a write to the dataplane that it schedules an extra read 1662 back in order to check the write was not clobbered by another process. 1663 This should only occur if another application on the system doesn''t 1664 respect the iptables lock. [Default: 1s]' 1665 type: string 1666 iptablesRefreshInterval: 1667 description: 'IptablesRefreshInterval is the period at which Felix 1668 re-checks the IP sets in the dataplane to ensure that no other process 1669 has accidentally broken Calico''s rules. Set to 0 to disable IP 1670 sets refresh. Note: the default for this value is lower than the 1671 other refresh intervals as a workaround for a Linux kernel bug that 1672 was fixed in kernel version 4.11. If you are using v4.11 or greater 1673 you may want to set this to a higher value to reduce Felix CPU 1674 usage.
[Default: 10s]' 1675 type: string 1676 ipv6Support: 1677 description: IPv6Support controls whether Felix enables support for 1678 IPv6 (if supported by the in-use dataplane). 1679 type: boolean 1680 kubeNodePortRanges: 1681 description: 'KubeNodePortRanges holds list of port ranges used for 1682 service node ports. Only used if felix detects kube-proxy running 1683 in ipvs mode. Felix uses these ranges to separate host and workload 1684 traffic. [Default: 30000:32767].' 1685 items: 1686 anyOf: 1687 - type: integer 1688 - type: string 1689 pattern: ^.* 1690 x-kubernetes-int-or-string: true 1691 type: array 1692 logDebugFilenameRegex: 1693 description: LogDebugFilenameRegex controls which source code files 1694 have their Debug log output included in the logs. Only logs from 1695 files with names that match the given regular expression are included. The 1696 filter only applies to Debug level logs. 1697 type: string 1698 logFilePath: 1699 description: 'LogFilePath is the full path to the Felix log. Set to 1700 none to disable file logging. [Default: /var/log/calico/felix.log]' 1701 type: string 1702 logPrefix: 1703 description: 'LogPrefix is the log prefix that Felix uses when rendering 1704 LOG rules. [Default: calico-packet]' 1705 type: string 1706 logSeverityFile: 1707 description: 'LogSeverityFile is the log severity above which logs 1708 are sent to the log file. [Default: Info]' 1709 type: string 1710 logSeverityScreen: 1711 description: 'LogSeverityScreen is the log severity above which logs 1712 are sent to the stdout. [Default: Info]' 1713 type: string 1714 logSeveritySys: 1715 description: 'LogSeveritySys is the log severity above which logs 1716 are sent to the syslog. Set to None for no logging to syslog. [Default: 1717 Info]' 1718 type: string 1719 maxIpsetSize: 1720 type: integer 1721 metadataAddr: 1722 description: 'MetadataAddr is the IP address or domain name of the 1723 server that can answer VM queries for cloud-init metadata. 
In OpenStack, 1724 this corresponds to the machine running nova-api (or in Ubuntu, 1725 nova-api-metadata). A value of none (case insensitive) means that 1726 Felix should not set up any NAT rule for the metadata path. [Default: 1727 127.0.0.1]' 1728 type: string 1729 metadataPort: 1730 description: 'MetadataPort is the port of the metadata server. This, 1731 combined with global.MetadataAddr (if not ''None''), is used to 1732 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1733 In most cases this should not need to be changed [Default: 8775].' 1734 type: integer 1735 mtuIfacePattern: 1736 description: MTUIfacePattern is a regular expression that controls 1737 which interfaces Felix should scan in order to calculate the host's 1738 MTU. This should not match workload interfaces (usually named cali...). 1739 type: string 1740 natOutgoingAddress: 1741 description: NATOutgoingAddress specifies an address to use when performing 1742 source NAT for traffic in a natOutgoing pool that is leaving the 1743 network. By default the address used is an address on the interface 1744 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1745 type: string 1746 natPortRange: 1747 anyOf: 1748 - type: integer 1749 - type: string 1750 description: NATPortRange specifies the range of ports that is used 1751 for port mapping when doing outgoing NAT. When unset the default 1752 behavior of the network stack is used. 1753 pattern: ^.* 1754 x-kubernetes-int-or-string: true 1755 netlinkTimeout: 1756 type: string 1757 openstackRegion: 1758 description: 'OpenstackRegion is the name of the region that a particular 1759 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1760 this must be configured somehow for each Felix (here in the datamodel, 1761 or in felix.cfg or the environment on each compute node), and must 1762 match the [calico] openstack_region value configured in neutron.conf 1763 on each node. 
[Default: Empty]' 1764 type: string 1765 policySyncPathPrefix: 1766 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1767 policy changes to external services, like Application layer policy. 1768 [Default: Empty]' 1769 type: string 1770 prometheusGoMetricsEnabled: 1771 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1772 collection, which the Prometheus client does by default, when set 1773 to false. This reduces the number of metrics reported, reducing 1774 Prometheus load. [Default: true]' 1775 type: boolean 1776 prometheusMetricsEnabled: 1777 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1778 server in Felix if set to true. [Default: false]' 1779 type: boolean 1780 prometheusMetricsHost: 1781 description: 'PrometheusMetricsHost is the host that the Prometheus 1782 metrics server should bind to. [Default: empty]' 1783 type: string 1784 prometheusMetricsPort: 1785 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1786 metrics server should bind to. [Default: 9091]' 1787 type: integer 1788 prometheusProcessMetricsEnabled: 1789 description: 'PrometheusProcessMetricsEnabled disables process metrics 1790 collection, which the Prometheus client does by default, when set 1791 to false. This reduces the number of metrics reported, reducing 1792 Prometheus load. [Default: true]' 1793 type: boolean 1794 prometheusWireGuardMetricsEnabled: 1795 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1796 metrics collection, which the Prometheus client does by default, 1797 when set to false. This reduces the number of metrics reported, 1798 reducing Prometheus load. [Default: true]' 1799 type: boolean 1800 removeExternalRoutes: 1801 description: Whether or not to remove device routes that have not 1802 been programmed by Felix. Disabling this will allow external applications 1803 to also add device routes. 
This is enabled by default which means 1804 we will remove externally added routes. 1805 type: boolean 1806 reportingInterval: 1807 description: 'ReportingInterval is the interval at which Felix reports 1808 its status into the datastore or 0 to disable. Must be non-zero 1809 in OpenStack deployments. [Default: 30s]' 1810 type: string 1811 reportingTTL: 1812 description: 'ReportingTTL is the time-to-live setting for process-wide 1813 status reports. [Default: 90s]' 1814 type: string 1815 routeRefreshInterval: 1816 description: 'RouteRefreshInterval is the period at which Felix re-checks 1817 the routes in the dataplane to ensure that no other process has 1818 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1819 [Default: 90s]' 1820 type: string 1821 routeSource: 1822 description: 'RouteSource configures where Felix gets its routing 1823 information. - WorkloadIPs: use workload endpoints to construct 1824 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1825 type: string 1826 routeSyncDisabled: 1827 description: RouteSyncDisabled will disable all operations performed 1828 on the route table. Set to true to run in network-policy mode only. 1829 type: boolean 1830 routeTableRange: 1831 description: Deprecated in favor of RouteTableRanges. Calico programs 1832 additional Linux route tables for various purposes. RouteTableRange 1833 specifies the indices of the route tables that Calico should use. 1834 properties: 1835 max: 1836 type: integer 1837 min: 1838 type: integer 1839 required: 1840 - max 1841 - min 1842 type: object 1843 routeTableRanges: 1844 description: Calico programs additional Linux route tables for various 1845 purposes. RouteTableRanges specifies a set of table index ranges 1846 that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`. 
1847 items: 1848 properties: 1849 max: 1850 type: integer 1851 min: 1852 type: integer 1853 required: 1854 - max 1855 - min 1856 type: object 1857 type: array 1858 serviceLoopPrevention: 1859 description: 'When service IP advertisement is enabled, prevent routing 1860 loops to service IPs that are not in use, by dropping or rejecting 1861 packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", 1862 in which case such routing loops continue to be allowed. [Default: 1863 Drop]' 1864 type: string 1865 sidecarAccelerationEnabled: 1866 description: 'SidecarAccelerationEnabled enables experimental sidecar 1867 acceleration [Default: false]' 1868 type: boolean 1869 usageReportingEnabled: 1870 description: 'UsageReportingEnabled reports anonymous Calico version 1871 number and cluster size to projectcalico.org. Logs warnings returned 1872 by the usage server. For example, if a significant security vulnerability 1873 has been discovered in the version of Calico being used. [Default: 1874 true]' 1875 type: boolean 1876 usageReportingInitialDelay: 1877 description: 'UsageReportingInitialDelay controls the minimum delay 1878 before Felix makes a report. [Default: 300s]' 1879 type: string 1880 usageReportingInterval: 1881 description: 'UsageReportingInterval controls the interval at which 1882 Felix makes reports. [Default: 86400s]' 1883 type: string 1884 useInternalDataplaneDriver: 1885 description: UseInternalDataplaneDriver, if true, Felix will use its 1886 internal dataplane programming logic. If false, it will launch 1887 an external dataplane driver and communicate with it over protobuf. 1888 type: boolean 1889 vxlanEnabled: 1890 description: 'VXLANEnabled overrides whether Felix should create the 1891 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix 1892 determines this based on the existing IP pools. 
[Default: nil (unset)]' 1893 type: boolean 1894 vxlanMTU: 1895 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel 1896 device. See Configuring MTU [Default: 1410]' 1897 type: integer 1898 vxlanMTUV6: 1899 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel 1900 device. See Configuring MTU [Default: 1390]' 1901 type: integer 1902 vxlanPort: 1903 type: integer 1904 vxlanVNI: 1905 type: integer 1906 wireguardEnabled: 1907 description: 'WireguardEnabled controls whether Wireguard is enabled 1908 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). 1909 [Default: false]' 1910 type: boolean 1911 wireguardEnabledV6: 1912 description: 'WireguardEnabledV6 controls whether Wireguard is enabled 1913 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). 1914 [Default: false]' 1915 type: boolean 1916 wireguardHostEncryptionEnabled: 1917 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1918 host-to-host encryption is enabled. [Default: false]' 1919 type: boolean 1920 wireguardInterfaceName: 1921 description: 'WireguardInterfaceName specifies the name to use for 1922 the IPv4 Wireguard interface. [Default: wireguard.cali]' 1923 type: string 1924 wireguardInterfaceNameV6: 1925 description: 'WireguardInterfaceNameV6 specifies the name to use for 1926 the IPv6 Wireguard interface. [Default: wg-v6.cali]' 1927 type: string 1928 wireguardKeepAlive: 1929 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive 1930 option. Set 0 to disable. [Default: 0]' 1931 type: string 1932 wireguardListeningPort: 1933 description: 'WireguardListeningPort controls the listening port used 1934 by IPv4 Wireguard. [Default: 51820]' 1935 type: integer 1936 wireguardListeningPortV6: 1937 description: 'WireguardListeningPortV6 controls the listening port 1938 used by IPv6 Wireguard. 
[Default: 51821]' 1939 type: integer 1940 wireguardMTU: 1941 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard 1942 interface. See Configuring MTU [Default: 1440]' 1943 type: integer 1944 wireguardMTUV6: 1945 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard 1946 interface. See Configuring MTU [Default: 1420]' 1947 type: integer 1948 wireguardRoutingRulePriority: 1949 description: 'WireguardRoutingRulePriority controls the priority value 1950 to use for the Wireguard routing rule. [Default: 99]' 1951 type: integer 1952 workloadSourceSpoofing: 1953 description: WorkloadSourceSpoofing controls whether pods can use 1954 the allowedSourcePrefixes annotation to send traffic with a source 1955 IP address that is not theirs. This is disabled by default. When 1956 set to "Any", pods can request any prefix. 1957 type: string 1958 xdpEnabled: 1959 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1960 incoming deny rules. [Default: true]' 1961 type: boolean 1962 xdpRefreshInterval: 1963 description: 'XDPRefreshInterval is the period at which Felix re-checks 1964 all XDP state to ensure that no other process has accidentally broken 1965 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1966 refresh. 
[Default: 90s]' 1967 type: string 1968 type: object 1969 type: object 1970 served: true 1971 storage: true 1972 status: 1973 acceptedNames: 1974 kind: "" 1975 plural: "" 1976 conditions: [] 1977 storedVersions: [] 1978 --- 1979 apiVersion: apiextensions.k8s.io/v1 1980 kind: CustomResourceDefinition 1981 metadata: 1982 name: globalnetworkpolicies.crd.projectcalico.org 1983 spec: 1984 group: crd.projectcalico.org 1985 names: 1986 kind: GlobalNetworkPolicy 1987 listKind: GlobalNetworkPolicyList 1988 plural: globalnetworkpolicies 1989 singular: globalnetworkpolicy 1990 preserveUnknownFields: false 1991 scope: Cluster 1992 versions: 1993 - name: v1 1994 schema: 1995 openAPIV3Schema: 1996 properties: 1997 apiVersion: 1998 description: 'APIVersion defines the versioned schema of this representation 1999 of an object. Servers should convert recognized schemas to the latest 2000 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2001 type: string 2002 kind: 2003 description: 'Kind is a string value representing the REST resource this 2004 object represents. Servers may infer this from the endpoint the client 2005 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2006 type: string 2007 metadata: 2008 type: object 2009 spec: 2010 properties: 2011 applyOnForward: 2012 description: ApplyOnForward indicates to apply the rules in this policy 2013 on forward traffic. 2014 type: boolean 2015 doNotTrack: 2016 description: DoNotTrack indicates whether packets matched by the rules 2017 in this policy should go through the data plane's connection tracking, 2018 such as Linux conntrack. If True, the rules in this policy are 2019 applied before any data plane connection tracking, and packets allowed 2020 by this policy are marked as not to be tracked. 
2021 type: boolean 2022 egress: 2023 description: The ordered set of egress rules. Each rule contains 2024 a set of packet match criteria and a corresponding action to apply. 2025 items: 2026 description: "A Rule encapsulates a set of match criteria and an 2027 action. Both selector-based security Policy and security Profiles 2028 reference rules - separated out as a list of rules for both ingress 2029 and egress packet matching. \n Each positive match criteria has 2030 a negated version, prefixed with \"Not\". All the match criteria 2031 within a rule must be satisfied for a packet to match. A single 2032 rule can contain the positive and negative version of a match 2033 and both must be satisfied for the rule to match." 2034 properties: 2035 action: 2036 type: string 2037 destination: 2038 description: Destination contains the match criteria that apply 2039 to destination entity. 2040 properties: 2041 namespaceSelector: 2042 description: "NamespaceSelector is an optional field that 2043 contains a selector expression. Only traffic that originates 2044 from (or terminates at) endpoints within the selected 2045 namespaces will be matched. When both NamespaceSelector 2046 and another selector are defined on the same rule, then 2047 only workload endpoints that are matched by both selectors 2048 will be selected by the rule. \n For NetworkPolicy, an 2049 empty NamespaceSelector implies that the Selector is limited 2050 to selecting only workload endpoints in the same namespace 2051 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2052 NamespaceSelector implies that the Selector is limited 2053 to selecting only GlobalNetworkSet or HostEndpoint. \n 2054 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2055 the Selector applies to workload endpoints across all 2056 namespaces." 
2057 type: string 2058 nets: 2059 description: Nets is an optional field that restricts the 2060 rule to only apply to traffic that originates from (or 2061 terminates at) IP addresses in any of the given subnets. 2062 items: 2063 type: string 2064 type: array 2065 notNets: 2066 description: NotNets is the negated version of the Nets 2067 field. 2068 items: 2069 type: string 2070 type: array 2071 notPorts: 2072 description: NotPorts is the negated version of the Ports 2073 field. Since only some protocols have ports, if any ports 2074 are specified it requires the Protocol match in the Rule 2075 to be set to "TCP" or "UDP". 2076 items: 2077 anyOf: 2078 - type: integer 2079 - type: string 2080 pattern: ^.* 2081 x-kubernetes-int-or-string: true 2082 type: array 2083 notSelector: 2084 description: NotSelector is the negated version of the Selector 2085 field. See Selector field for subtleties with negated 2086 selectors. 2087 type: string 2088 ports: 2089 description: "Ports is an optional field that restricts 2090 the rule to only apply to traffic that has a source (destination) 2091 port that matches one of these ranges/values. This value 2092 is a list of integers or strings that represent ranges 2093 of ports. \n Since only some protocols have ports, if 2094 any ports are specified it requires the Protocol match 2095 in the Rule to be set to \"TCP\" or \"UDP\"." 2096 items: 2097 anyOf: 2098 - type: integer 2099 - type: string 2100 pattern: ^.* 2101 x-kubernetes-int-or-string: true 2102 type: array 2103 selector: 2104 description: "Selector is an optional field that contains 2105 a selector expression (see Policy for sample syntax). 2106 \ Only traffic that originates from (terminates at) endpoints 2107 matching the selector will be matched. \n Note that: in 2108 addition to the negated version of the Selector (see NotSelector 2109 below), the selector expression syntax itself supports 2110 negation. The two types of negation are subtly different. 
2111 One negates the set of matched endpoints, the other negates 2112 the whole match: \n \tSelector = \"!has(my_label)\" matches 2113 packets that are from other Calico-controlled \tendpoints 2114 that do not have the label \"my_label\". \n \tNotSelector 2115 = \"has(my_label)\" matches packets that are not from 2116 Calico-controlled \tendpoints that do have the label \"my_label\". 2117 \n The effect is that the latter will accept packets from 2118 non-Calico sources whereas the former is limited to packets 2119 from Calico-controlled endpoints." 2120 type: string 2121 serviceAccounts: 2122 description: ServiceAccounts is an optional field that restricts 2123 the rule to only apply to traffic that originates from 2124 (or terminates at) a pod running as a matching service 2125 account. 2126 properties: 2127 names: 2128 description: Names is an optional field that restricts 2129 the rule to only apply to traffic that originates 2130 from (or terminates at) a pod running as a service 2131 account whose name is in the list. 2132 items: 2133 type: string 2134 type: array 2135 selector: 2136 description: Selector is an optional field that restricts 2137 the rule to only apply to traffic that originates 2138 from (or terminates at) a pod running as a service 2139 account that matches the given label selector. If 2140 both Names and Selector are specified then they are 2141 AND'ed. 2142 type: string 2143 type: object 2144 services: 2145 description: "Services is an optional field that contains 2146 options for matching Kubernetes Services. If specified, 2147 only traffic that originates from or terminates at endpoints 2148 within the selected service(s) will be matched, and only 2149 to/from each endpoint's port. \n Services cannot be specified 2150 on the same rule as Selector, NotSelector, NamespaceSelector, 2151 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2152 can only be specified with Services on ingress rules." 
2153 properties: 2154 name: 2155 description: Name specifies the name of a Kubernetes 2156 Service to match. 2157 type: string 2158 namespace: 2159 description: Namespace specifies the namespace of the 2160 given Service. If left empty, the rule will match 2161 within this policy's namespace. 2162 type: string 2163 type: object 2164 type: object 2165 http: 2166 description: HTTP contains match criteria that apply to HTTP 2167 requests. 2168 properties: 2169 methods: 2170 description: Methods is an optional field that restricts 2171 the rule to apply only to HTTP requests that use one of 2172 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2173 methods are OR'd together. 2174 items: 2175 type: string 2176 type: array 2177 paths: 2178 description: 'Paths is an optional field that restricts 2179 the rule to apply to HTTP requests that use one of the 2180 listed HTTP Paths. Multiple paths are OR''d together. 2181 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2182 ONLY specify either a `exact` or a `prefix` match. The 2183 validator will check for it.' 2184 items: 2185 description: 'HTTPPath specifies an HTTP path to match. 2186 It may be either of the form: exact: <path>: which matches 2187 the path exactly or prefix: <path-prefix>: which matches 2188 the path prefix' 2189 properties: 2190 exact: 2191 type: string 2192 prefix: 2193 type: string 2194 type: object 2195 type: array 2196 type: object 2197 icmp: 2198 description: ICMP is an optional field that restricts the rule 2199 to apply to a specific type and code of ICMP traffic. This 2200 should only be specified if the Protocol field is set to "ICMP" 2201 or "ICMPv6". 2202 properties: 2203 code: 2204 description: Match on a specific ICMP code. If specified, 2205 the Type value must also be specified. This is a technical 2206 limitation imposed by the kernel's iptables firewall, 2207 which Calico uses to enforce the rule. 2208 type: integer 2209 type: 2210 description: Match on a specific ICMP type. 
For example 2211 a value of 8 refers to ICMP Echo Request (i.e. pings). 2212 type: integer 2213 type: object 2214 ipVersion: 2215 description: IPVersion is an optional field that restricts the 2216 rule to only match a specific IP version. 2217 type: integer 2218 metadata: 2219 description: Metadata contains additional information for this 2220 rule 2221 properties: 2222 annotations: 2223 additionalProperties: 2224 type: string 2225 description: Annotations is a set of key value pairs that 2226 give extra information about the rule 2227 type: object 2228 type: object 2229 notICMP: 2230 description: NotICMP is the negated version of the ICMP field. 2231 properties: 2232 code: 2233 description: Match on a specific ICMP code. If specified, 2234 the Type value must also be specified. This is a technical 2235 limitation imposed by the kernel's iptables firewall, 2236 which Calico uses to enforce the rule. 2237 type: integer 2238 type: 2239 description: Match on a specific ICMP type. For example 2240 a value of 8 refers to ICMP Echo Request (i.e. pings). 2241 type: integer 2242 type: object 2243 notProtocol: 2244 anyOf: 2245 - type: integer 2246 - type: string 2247 description: NotProtocol is the negated version of the Protocol 2248 field. 2249 pattern: ^.* 2250 x-kubernetes-int-or-string: true 2251 protocol: 2252 anyOf: 2253 - type: integer 2254 - type: string 2255 description: "Protocol is an optional field that restricts the 2256 rule to only apply to traffic of a specific IP protocol. Required 2257 if any of the EntityRules contain Ports (because ports only 2258 apply to certain protocols). \n Must be one of these string 2259 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2260 \"UDPLite\" or an integer in the range 1-255." 2261 pattern: ^.* 2262 x-kubernetes-int-or-string: true 2263 source: 2264 description: Source contains the match criteria that apply to 2265 source entity. 
2266 properties: 2267 namespaceSelector: 2268 description: "NamespaceSelector is an optional field that 2269 contains a selector expression. Only traffic that originates 2270 from (or terminates at) endpoints within the selected 2271 namespaces will be matched. When both NamespaceSelector 2272 and another selector are defined on the same rule, then 2273 only workload endpoints that are matched by both selectors 2274 will be selected by the rule. \n For NetworkPolicy, an 2275 empty NamespaceSelector implies that the Selector is limited 2276 to selecting only workload endpoints in the same namespace 2277 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2278 NamespaceSelector implies that the Selector is limited 2279 to selecting only GlobalNetworkSet or HostEndpoint. \n 2280 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2281 the Selector applies to workload endpoints across all 2282 namespaces." 2283 type: string 2284 nets: 2285 description: Nets is an optional field that restricts the 2286 rule to only apply to traffic that originates from (or 2287 terminates at) IP addresses in any of the given subnets. 2288 items: 2289 type: string 2290 type: array 2291 notNets: 2292 description: NotNets is the negated version of the Nets 2293 field. 2294 items: 2295 type: string 2296 type: array 2297 notPorts: 2298 description: NotPorts is the negated version of the Ports 2299 field. Since only some protocols have ports, if any ports 2300 are specified it requires the Protocol match in the Rule 2301 to be set to "TCP" or "UDP". 2302 items: 2303 anyOf: 2304 - type: integer 2305 - type: string 2306 pattern: ^.* 2307 x-kubernetes-int-or-string: true 2308 type: array 2309 notSelector: 2310 description: NotSelector is the negated version of the Selector 2311 field. See Selector field for subtleties with negated 2312 selectors. 
2313 type: string 2314 ports: 2315 description: "Ports is an optional field that restricts 2316 the rule to only apply to traffic that has a source (destination) 2317 port that matches one of these ranges/values. This value 2318 is a list of integers or strings that represent ranges 2319 of ports. \n Since only some protocols have ports, if 2320 any ports are specified it requires the Protocol match 2321 in the Rule to be set to \"TCP\" or \"UDP\"." 2322 items: 2323 anyOf: 2324 - type: integer 2325 - type: string 2326 pattern: ^.* 2327 x-kubernetes-int-or-string: true 2328 type: array 2329 selector: 2330 description: "Selector is an optional field that contains 2331 a selector expression (see Policy for sample syntax). 2332 \ Only traffic that originates from (terminates at) endpoints 2333 matching the selector will be matched. \n Note that: in 2334 addition to the negated version of the Selector (see NotSelector 2335 below), the selector expression syntax itself supports 2336 negation. The two types of negation are subtly different. 2337 One negates the set of matched endpoints, the other negates 2338 the whole match: \n \tSelector = \"!has(my_label)\" matches 2339 packets that are from other Calico-controlled \tendpoints 2340 that do not have the label \"my_label\". \n \tNotSelector 2341 = \"has(my_label)\" matches packets that are not from 2342 Calico-controlled \tendpoints that do have the label \"my_label\". 2343 \n The effect is that the latter will accept packets from 2344 non-Calico sources whereas the former is limited to packets 2345 from Calico-controlled endpoints." 2346 type: string 2347 serviceAccounts: 2348 description: ServiceAccounts is an optional field that restricts 2349 the rule to only apply to traffic that originates from 2350 (or terminates at) a pod running as a matching service 2351 account. 
2352 properties: 2353 names: 2354 description: Names is an optional field that restricts 2355 the rule to only apply to traffic that originates 2356 from (or terminates at) a pod running as a service 2357 account whose name is in the list. 2358 items: 2359 type: string 2360 type: array 2361 selector: 2362 description: Selector is an optional field that restricts 2363 the rule to only apply to traffic that originates 2364 from (or terminates at) a pod running as a service 2365 account that matches the given label selector. If 2366 both Names and Selector are specified then they are 2367 AND'ed. 2368 type: string 2369 type: object 2370 services: 2371 description: "Services is an optional field that contains 2372 options for matching Kubernetes Services. If specified, 2373 only traffic that originates from or terminates at endpoints 2374 within the selected service(s) will be matched, and only 2375 to/from each endpoint's port. \n Services cannot be specified 2376 on the same rule as Selector, NotSelector, NamespaceSelector, 2377 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2378 can only be specified with Services on ingress rules." 2379 properties: 2380 name: 2381 description: Name specifies the name of a Kubernetes 2382 Service to match. 2383 type: string 2384 namespace: 2385 description: Namespace specifies the namespace of the 2386 given Service. If left empty, the rule will match 2387 within this policy's namespace. 2388 type: string 2389 type: object 2390 type: object 2391 required: 2392 - action 2393 type: object 2394 type: array 2395 ingress: 2396 description: The ordered set of ingress rules. Each rule contains 2397 a set of packet match criteria and a corresponding action to apply. 2398 items: 2399 description: "A Rule encapsulates a set of match criteria and an 2400 action. Both selector-based security Policy and security Profiles 2401 reference rules - separated out as a list of rules for both ingress 2402 and egress packet matching. 
\n Each positive match criteria has 2403 a negated version, prefixed with \"Not\". All the match criteria 2404 within a rule must be satisfied for a packet to match. A single 2405 rule can contain the positive and negative version of a match 2406 and both must be satisfied for the rule to match." 2407 properties: 2408 action: 2409 type: string 2410 destination: 2411 description: Destination contains the match criteria that apply 2412 to destination entity. 2413 properties: 2414 namespaceSelector: 2415 description: "NamespaceSelector is an optional field that 2416 contains a selector expression. Only traffic that originates 2417 from (or terminates at) endpoints within the selected 2418 namespaces will be matched. When both NamespaceSelector 2419 and another selector are defined on the same rule, then 2420 only workload endpoints that are matched by both selectors 2421 will be selected by the rule. \n For NetworkPolicy, an 2422 empty NamespaceSelector implies that the Selector is limited 2423 to selecting only workload endpoints in the same namespace 2424 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2425 NamespaceSelector implies that the Selector is limited 2426 to selecting only GlobalNetworkSet or HostEndpoint. \n 2427 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2428 the Selector applies to workload endpoints across all 2429 namespaces." 2430 type: string 2431 nets: 2432 description: Nets is an optional field that restricts the 2433 rule to only apply to traffic that originates from (or 2434 terminates at) IP addresses in any of the given subnets. 2435 items: 2436 type: string 2437 type: array 2438 notNets: 2439 description: NotNets is the negated version of the Nets 2440 field. 2441 items: 2442 type: string 2443 type: array 2444 notPorts: 2445 description: NotPorts is the negated version of the Ports 2446 field. 
Since only some protocols have ports, if any ports 2447 are specified it requires the Protocol match in the Rule 2448 to be set to "TCP" or "UDP". 2449 items: 2450 anyOf: 2451 - type: integer 2452 - type: string 2453 pattern: ^.* 2454 x-kubernetes-int-or-string: true 2455 type: array 2456 notSelector: 2457 description: NotSelector is the negated version of the Selector 2458 field. See Selector field for subtleties with negated 2459 selectors. 2460 type: string 2461 ports: 2462 description: "Ports is an optional field that restricts 2463 the rule to only apply to traffic that has a source (destination) 2464 port that matches one of these ranges/values. This value 2465 is a list of integers or strings that represent ranges 2466 of ports. \n Since only some protocols have ports, if 2467 any ports are specified it requires the Protocol match 2468 in the Rule to be set to \"TCP\" or \"UDP\"." 2469 items: 2470 anyOf: 2471 - type: integer 2472 - type: string 2473 pattern: ^.* 2474 x-kubernetes-int-or-string: true 2475 type: array 2476 selector: 2477 description: "Selector is an optional field that contains 2478 a selector expression (see Policy for sample syntax). 2479 \ Only traffic that originates from (terminates at) endpoints 2480 matching the selector will be matched. \n Note that: in 2481 addition to the negated version of the Selector (see NotSelector 2482 below), the selector expression syntax itself supports 2483 negation. The two types of negation are subtly different. 2484 One negates the set of matched endpoints, the other negates 2485 the whole match: \n \tSelector = \"!has(my_label)\" matches 2486 packets that are from other Calico-controlled \tendpoints 2487 that do not have the label \"my_label\". \n \tNotSelector 2488 = \"has(my_label)\" matches packets that are not from 2489 Calico-controlled \tendpoints that do have the label \"my_label\". 
2490 \n The effect is that the latter will accept packets from 2491 non-Calico sources whereas the former is limited to packets 2492 from Calico-controlled endpoints." 2493 type: string 2494 serviceAccounts: 2495 description: ServiceAccounts is an optional field that restricts 2496 the rule to only apply to traffic that originates from 2497 (or terminates at) a pod running as a matching service 2498 account. 2499 properties: 2500 names: 2501 description: Names is an optional field that restricts 2502 the rule to only apply to traffic that originates 2503 from (or terminates at) a pod running as a service 2504 account whose name is in the list. 2505 items: 2506 type: string 2507 type: array 2508 selector: 2509 description: Selector is an optional field that restricts 2510 the rule to only apply to traffic that originates 2511 from (or terminates at) a pod running as a service 2512 account that matches the given label selector. If 2513 both Names and Selector are specified then they are 2514 AND'ed. 2515 type: string 2516 type: object 2517 services: 2518 description: "Services is an optional field that contains 2519 options for matching Kubernetes Services. If specified, 2520 only traffic that originates from or terminates at endpoints 2521 within the selected service(s) will be matched, and only 2522 to/from each endpoint's port. \n Services cannot be specified 2523 on the same rule as Selector, NotSelector, NamespaceSelector, 2524 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2525 can only be specified with Services on ingress rules." 2526 properties: 2527 name: 2528 description: Name specifies the name of a Kubernetes 2529 Service to match. 2530 type: string 2531 namespace: 2532 description: Namespace specifies the namespace of the 2533 given Service. If left empty, the rule will match 2534 within this policy's namespace. 
2535 type: string 2536 type: object 2537 type: object 2538 http: 2539 description: HTTP contains match criteria that apply to HTTP 2540 requests. 2541 properties: 2542 methods: 2543 description: Methods is an optional field that restricts 2544 the rule to apply only to HTTP requests that use one of 2545 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2546 methods are OR'd together. 2547 items: 2548 type: string 2549 type: array 2550 paths: 2551 description: 'Paths is an optional field that restricts 2552 the rule to apply to HTTP requests that use one of the 2553 listed HTTP Paths. Multiple paths are OR''d together. 2554 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2555 ONLY specify either a `exact` or a `prefix` match. The 2556 validator will check for it.' 2557 items: 2558 description: 'HTTPPath specifies an HTTP path to match. 2559 It may be either of the form: exact: <path>: which matches 2560 the path exactly or prefix: <path-prefix>: which matches 2561 the path prefix' 2562 properties: 2563 exact: 2564 type: string 2565 prefix: 2566 type: string 2567 type: object 2568 type: array 2569 type: object 2570 icmp: 2571 description: ICMP is an optional field that restricts the rule 2572 to apply to a specific type and code of ICMP traffic. This 2573 should only be specified if the Protocol field is set to "ICMP" 2574 or "ICMPv6". 2575 properties: 2576 code: 2577 description: Match on a specific ICMP code. If specified, 2578 the Type value must also be specified. This is a technical 2579 limitation imposed by the kernel's iptables firewall, 2580 which Calico uses to enforce the rule. 2581 type: integer 2582 type: 2583 description: Match on a specific ICMP type. For example 2584 a value of 8 refers to ICMP Echo Request (i.e. pings). 2585 type: integer 2586 type: object 2587 ipVersion: 2588 description: IPVersion is an optional field that restricts the 2589 rule to only match a specific IP version. 
2590 type: integer 2591 metadata: 2592 description: Metadata contains additional information for this 2593 rule 2594 properties: 2595 annotations: 2596 additionalProperties: 2597 type: string 2598 description: Annotations is a set of key value pairs that 2599 give extra information about the rule 2600 type: object 2601 type: object 2602 notICMP: 2603 description: NotICMP is the negated version of the ICMP field. 2604 properties: 2605 code: 2606 description: Match on a specific ICMP code. If specified, 2607 the Type value must also be specified. This is a technical 2608 limitation imposed by the kernel's iptables firewall, 2609 which Calico uses to enforce the rule. 2610 type: integer 2611 type: 2612 description: Match on a specific ICMP type. For example 2613 a value of 8 refers to ICMP Echo Request (i.e. pings). 2614 type: integer 2615 type: object 2616 notProtocol: 2617 anyOf: 2618 - type: integer 2619 - type: string 2620 description: NotProtocol is the negated version of the Protocol 2621 field. 2622 pattern: ^.* 2623 x-kubernetes-int-or-string: true 2624 protocol: 2625 anyOf: 2626 - type: integer 2627 - type: string 2628 description: "Protocol is an optional field that restricts the 2629 rule to only apply to traffic of a specific IP protocol. Required 2630 if any of the EntityRules contain Ports (because ports only 2631 apply to certain protocols). \n Must be one of these string 2632 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2633 \"UDPLite\" or an integer in the range 1-255." 2634 pattern: ^.* 2635 x-kubernetes-int-or-string: true 2636 source: 2637 description: Source contains the match criteria that apply to 2638 source entity. 2639 properties: 2640 namespaceSelector: 2641 description: "NamespaceSelector is an optional field that 2642 contains a selector expression. Only traffic that originates 2643 from (or terminates at) endpoints within the selected 2644 namespaces will be matched. 
When both NamespaceSelector 2645 and another selector are defined on the same rule, then 2646 only workload endpoints that are matched by both selectors 2647 will be selected by the rule. \n For NetworkPolicy, an 2648 empty NamespaceSelector implies that the Selector is limited 2649 to selecting only workload endpoints in the same namespace 2650 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2651 NamespaceSelector implies that the Selector is limited 2652 to selecting only GlobalNetworkSet or HostEndpoint. \n 2653 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2654 the Selector applies to workload endpoints across all 2655 namespaces." 2656 type: string 2657 nets: 2658 description: Nets is an optional field that restricts the 2659 rule to only apply to traffic that originates from (or 2660 terminates at) IP addresses in any of the given subnets. 2661 items: 2662 type: string 2663 type: array 2664 notNets: 2665 description: NotNets is the negated version of the Nets 2666 field. 2667 items: 2668 type: string 2669 type: array 2670 notPorts: 2671 description: NotPorts is the negated version of the Ports 2672 field. Since only some protocols have ports, if any ports 2673 are specified it requires the Protocol match in the Rule 2674 to be set to "TCP" or "UDP". 2675 items: 2676 anyOf: 2677 - type: integer 2678 - type: string 2679 pattern: ^.* 2680 x-kubernetes-int-or-string: true 2681 type: array 2682 notSelector: 2683 description: NotSelector is the negated version of the Selector 2684 field. See Selector field for subtleties with negated 2685 selectors. 2686 type: string 2687 ports: 2688 description: "Ports is an optional field that restricts 2689 the rule to only apply to traffic that has a source (destination) 2690 port that matches one of these ranges/values. This value 2691 is a list of integers or strings that represent ranges 2692 of ports. 
\n Since only some protocols have ports, if 2693 any ports are specified it requires the Protocol match 2694 in the Rule to be set to \"TCP\" or \"UDP\"." 2695 items: 2696 anyOf: 2697 - type: integer 2698 - type: string 2699 pattern: ^.* 2700 x-kubernetes-int-or-string: true 2701 type: array 2702 selector: 2703 description: "Selector is an optional field that contains 2704 a selector expression (see Policy for sample syntax). 2705 \ Only traffic that originates from (terminates at) endpoints 2706 matching the selector will be matched. \n Note that: in 2707 addition to the negated version of the Selector (see NotSelector 2708 below), the selector expression syntax itself supports 2709 negation. The two types of negation are subtly different. 2710 One negates the set of matched endpoints, the other negates 2711 the whole match: \n \tSelector = \"!has(my_label)\" matches 2712 packets that are from other Calico-controlled \tendpoints 2713 that do not have the label \"my_label\". \n \tNotSelector 2714 = \"has(my_label)\" matches packets that are not from 2715 Calico-controlled \tendpoints that do have the label \"my_label\". 2716 \n The effect is that the latter will accept packets from 2717 non-Calico sources whereas the former is limited to packets 2718 from Calico-controlled endpoints." 2719 type: string 2720 serviceAccounts: 2721 description: ServiceAccounts is an optional field that restricts 2722 the rule to only apply to traffic that originates from 2723 (or terminates at) a pod running as a matching service 2724 account. 2725 properties: 2726 names: 2727 description: Names is an optional field that restricts 2728 the rule to only apply to traffic that originates 2729 from (or terminates at) a pod running as a service 2730 account whose name is in the list. 
2731 items: 2732 type: string 2733 type: array 2734 selector: 2735 description: Selector is an optional field that restricts 2736 the rule to only apply to traffic that originates 2737 from (or terminates at) a pod running as a service 2738 account that matches the given label selector. If 2739 both Names and Selector are specified then they are 2740 AND'ed. 2741 type: string 2742 type: object 2743 services: 2744 description: "Services is an optional field that contains 2745 options for matching Kubernetes Services. If specified, 2746 only traffic that originates from or terminates at endpoints 2747 within the selected service(s) will be matched, and only 2748 to/from each endpoint's port. \n Services cannot be specified 2749 on the same rule as Selector, NotSelector, NamespaceSelector, 2750 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2751 can only be specified with Services on ingress rules." 2752 properties: 2753 name: 2754 description: Name specifies the name of a Kubernetes 2755 Service to match. 2756 type: string 2757 namespace: 2758 description: Namespace specifies the namespace of the 2759 given Service. If left empty, the rule will match 2760 within this policy's namespace. 2761 type: string 2762 type: object 2763 type: object 2764 required: 2765 - action 2766 type: object 2767 type: array 2768 namespaceSelector: 2769 description: NamespaceSelector is an optional field for an expression 2770 used to select a pod based on namespaces. 2771 type: string 2772 order: 2773 description: Order is an optional field that specifies the order in 2774 which the policy is applied. Policies with higher "order" are applied 2775 after those with lower order. If the order is omitted, it may be 2776 considered to be "infinite" - i.e. the policy will be applied last. Policies 2777 with identical order will be applied in alphanumerical order based 2778 on the Policy "Name". 
2779 type: number 2780 preDNAT: 2781 description: PreDNAT indicates to apply the rules in this policy before 2782 any DNAT. 2783 type: boolean 2784 selector: 2785 description: "The selector is an expression used to pick out 2786 the endpoints that the policy should be applied to. \n Selector 2787 expressions follow this syntax: \n \tlabel == \"string_literal\" 2788 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2789 \ -> not equal; also matches if label is not present \tlabel in 2790 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2791 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2792 ... } -> true if the value of label X is not one of \"a\", \"b\", 2793 \"c\" \thas(label_name) -> True if that label is present \t! expr 2794 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2795 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2796 or the empty selector -> matches all endpoints. \n Label names are 2797 allowed to contain alphanumerics, -, _ and /. String literals are 2798 more permissive but they do not support escape characters. \n Examples 2799 (with made-up labels): \n \ttype == \"webserver\" && deployment 2800 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2801 \"dev\" \t! has(label_name)" 2802 type: string 2803 serviceAccountSelector: 2804 description: ServiceAccountSelector is an optional field for an expression 2805 used to select a pod based on service accounts. 2806 type: string 2807 types: 2808 description: "Types indicates whether this policy applies to ingress, 2809 or to egress, or to both. When not explicitly specified (and so 2810 the value on creation is empty or nil), Calico defaults Types according 2811 to what Ingress and Egress rules are present in the policy. 
The 2812 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2813 (including the case where there are also no Ingress rules) \n 2814 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2815 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2816 both Ingress and Egress rules. \n When the policy is read back again, 2817 Types will always be one of these values, never empty or nil." 2818 items: 2819 description: PolicyType enumerates the possible values of the PolicySpec 2820 Types field. 2821 type: string 2822 type: array 2823 type: object 2824 type: object 2825 served: true 2826 storage: true 2827 status: 2828 acceptedNames: 2829 kind: "" 2830 plural: "" 2831 conditions: [] 2832 storedVersions: [] 2833 --- 2834 apiVersion: apiextensions.k8s.io/v1 2835 kind: CustomResourceDefinition 2836 metadata: 2837 name: globalnetworksets.crd.projectcalico.org 2838 spec: 2839 group: crd.projectcalico.org 2840 names: 2841 kind: GlobalNetworkSet 2842 listKind: GlobalNetworkSetList 2843 plural: globalnetworksets 2844 singular: globalnetworkset 2845 preserveUnknownFields: false 2846 scope: Cluster 2847 versions: 2848 - name: v1 2849 schema: 2850 openAPIV3Schema: 2851 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2852 that share labels to allow rules to refer to them via selectors. The labels 2853 of GlobalNetworkSet are not namespaced. 2854 properties: 2855 apiVersion: 2856 description: 'APIVersion defines the versioned schema of this representation 2857 of an object. Servers should convert recognized schemas to the latest 2858 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2859 type: string 2860 kind: 2861 description: 'Kind is a string value representing the REST resource this 2862 object represents. Servers may infer this from the endpoint the client 2863 submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2864 type: string 2865 metadata: 2866 type: object 2867 spec: 2868 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2869 resource. 2870 properties: 2871 nets: 2872 description: The list of IP networks that belong to this set. 2873 items: 2874 type: string 2875 type: array 2876 type: object 2877 type: object 2878 served: true 2879 storage: true 2880 status: 2881 acceptedNames: 2882 kind: "" 2883 plural: "" 2884 conditions: [] 2885 storedVersions: [] 2886 --- 2887 apiVersion: apiextensions.k8s.io/v1 2888 kind: CustomResourceDefinition 2889 metadata: 2890 name: hostendpoints.crd.projectcalico.org 2891 spec: 2892 group: crd.projectcalico.org 2893 names: 2894 kind: HostEndpoint 2895 listKind: HostEndpointList 2896 plural: hostendpoints 2897 singular: hostendpoint 2898 preserveUnknownFields: false 2899 scope: Cluster 2900 versions: 2901 - name: v1 2902 schema: 2903 openAPIV3Schema: 2904 properties: 2905 apiVersion: 2906 description: 'APIVersion defines the versioned schema of this representation 2907 of an object. Servers should convert recognized schemas to the latest 2908 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2909 type: string 2910 kind: 2911 description: 'Kind is a string value representing the REST resource this 2912 object represents. Servers may infer this from the endpoint the client 2913 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2914 type: string 2915 metadata: 2916 type: object 2917 spec: 2918 description: HostEndpointSpec contains the specification for a HostEndpoint 2919 resource. 
2920 properties: 2921 expectedIPs: 2922 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2923 If \"InterfaceName\" is not present, Calico will look for an interface 2924 matching any of the IPs in the list and apply policy to that. Note: 2925 \tWhen using the selector match criteria in an ingress or egress 2926 security Policy \tor Profile, Calico converts the selector into 2927 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 2928 is used for that purpose. (If only the interface \tname is specified, 2929 Calico does not learn the IPs of the interface for use in match 2930 \tcriteria.)" 2931 items: 2932 type: string 2933 type: array 2934 interfaceName: 2935 description: "Either \"*\", or the name of a specific Linux interface 2936 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2937 governs all traffic to, from or through the default network namespace 2938 of the host named by the \"Node\" field; entering and leaving that 2939 namespace via any interface, including those from/to non-host-networked 2940 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2941 only governs traffic that enters or leaves the host through the 2942 specific interface named by InterfaceName, or - when InterfaceName 2943 is empty - through the specific interface that has one of the IPs 2944 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2945 one expected IP must be specified. Only external interfaces (such 2946 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2947 to protect traffic through a specific local workload interface. 2948 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2949 initially just pre-DNAT policy. Please check Calico documentation 2950 for the latest position." 2951 type: string 2952 node: 2953 description: The node name identifying the Calico node instance. 
2954 type: string 2955 ports: 2956 description: Ports contains the endpoint's named ports, which may 2957 be referenced in security policy rules. 2958 items: 2959 properties: 2960 name: 2961 type: string 2962 port: 2963 type: integer 2964 protocol: 2965 anyOf: 2966 - type: integer 2967 - type: string 2968 pattern: ^.* 2969 x-kubernetes-int-or-string: true 2970 required: 2971 - name 2972 - port 2973 - protocol 2974 type: object 2975 type: array 2976 profiles: 2977 description: A list of identifiers of security Profile objects that 2978 apply to this endpoint. Each profile is applied in the order that 2979 they appear in this list. Profile rules are applied after the selector-based 2980 security policy. 2981 items: 2982 type: string 2983 type: array 2984 type: object 2985 type: object 2986 served: true 2987 storage: true 2988 status: 2989 acceptedNames: 2990 kind: "" 2991 plural: "" 2992 conditions: [] 2993 storedVersions: [] 2994 --- 2995 apiVersion: apiextensions.k8s.io/v1 2996 kind: CustomResourceDefinition 2997 metadata: 2998 name: ipamblocks.crd.projectcalico.org 2999 spec: 3000 group: crd.projectcalico.org 3001 names: 3002 kind: IPAMBlock 3003 listKind: IPAMBlockList 3004 plural: ipamblocks 3005 singular: ipamblock 3006 preserveUnknownFields: false 3007 scope: Cluster 3008 versions: 3009 - name: v1 3010 schema: 3011 openAPIV3Schema: 3012 properties: 3013 apiVersion: 3014 description: 'APIVersion defines the versioned schema of this representation 3015 of an object. Servers should convert recognized schemas to the latest 3016 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3017 type: string 3018 kind: 3019 description: 'Kind is a string value representing the REST resource this 3020 object represents. Servers may infer this from the endpoint the client 3021 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3022 type: string 3023 metadata: 3024 type: object 3025 spec: 3026 description: IPAMBlockSpec contains the specification for an IPAMBlock 3027 resource. 3028 properties: 3029 affinity: 3030 description: Affinity of the block, if this block has one. If set, 3031 it will be of the form "host:<hostname>". If not set, this block 3032 is not affine to a host. 3033 type: string 3034 allocations: 3035 description: Array of allocations in-use within this block. nil entries 3036 mean the allocation is free. For non-nil entries at index i, the 3037 index is the ordinal of the allocation within this block and the 3038 value is the index of the associated attributes in the Attributes 3039 array. 3040 items: 3041 nullable: true 3042 type: integer 3043 type: array 3044 attributes: 3045 description: Attributes is an array of arbitrary metadata associated 3046 with allocations in the block. To find attributes for a given allocation, 3047 use the value of the allocation's entry in the Allocations array 3048 as the index of the element in this array. 3049 items: 3050 properties: 3051 handle_id: 3052 type: string 3053 secondary: 3054 additionalProperties: 3055 type: string 3056 type: object 3057 type: object 3058 type: array 3059 cidr: 3060 description: The block's CIDR. 3061 type: string 3062 deleted: 3063 description: Deleted is an internal boolean used to workaround a limitation 3064 in the Kubernetes API whereby deletion will not return a conflict 3065 error if the block has been updated. It should not be set manually. 3066 type: boolean 3067 sequenceNumber: 3068 default: 0 3069 description: We store a sequence number that is updated each time 3070 the block is written. Each allocation will also store the sequence 3071 number of the block at the time of its creation. 
When releasing 3072 an IP, passing the sequence number associated with the allocation 3073 allows us to protect against a race condition and ensure the IP 3074 hasn't been released and re-allocated since the release request. 3075 format: int64 3076 type: integer 3077 sequenceNumberForAllocation: 3078 additionalProperties: 3079 format: int64 3080 type: integer 3081 description: Map of allocated ordinal within the block to sequence 3082 number of the block at the time of allocation. Kubernetes does not 3083 allow numerical keys for maps, so the key is cast to a string. 3084 type: object 3085 strictAffinity: 3086 description: StrictAffinity on the IPAMBlock is deprecated and no 3087 longer used by the code. Use IPAMConfig StrictAffinity instead. 3088 type: boolean 3089 unallocated: 3090 description: Unallocated is an ordered list of allocations which are 3091 free in the block. 3092 items: 3093 type: integer 3094 type: array 3095 required: 3096 - allocations 3097 - attributes 3098 - cidr 3099 - strictAffinity 3100 - unallocated 3101 type: object 3102 type: object 3103 served: true 3104 storage: true 3105 status: 3106 acceptedNames: 3107 kind: "" 3108 plural: "" 3109 conditions: [] 3110 storedVersions: [] 3111 --- 3112 apiVersion: apiextensions.k8s.io/v1 3113 kind: CustomResourceDefinition 3114 metadata: 3115 name: ipamconfigs.crd.projectcalico.org 3116 spec: 3117 group: crd.projectcalico.org 3118 names: 3119 kind: IPAMConfig 3120 listKind: IPAMConfigList 3121 plural: ipamconfigs 3122 singular: ipamconfig 3123 preserveUnknownFields: false 3124 scope: Cluster 3125 versions: 3126 - name: v1 3127 schema: 3128 openAPIV3Schema: 3129 properties: 3130 apiVersion: 3131 description: 'APIVersion defines the versioned schema of this representation 3132 of an object. Servers should convert recognized schemas to the latest 3133 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3134 type: string 3135 kind: 3136 description: 'Kind is a string value representing the REST resource this 3137 object represents. Servers may infer this from the endpoint the client 3138 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3139 type: string 3140 metadata: 3141 type: object 3142 spec: 3143 description: IPAMConfigSpec contains the specification for an IPAMConfig 3144 resource. 3145 properties: 3146 autoAllocateBlocks: 3147 type: boolean 3148 maxBlocksPerHost: 3149 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 3150 that can be affine to each host. 3151 maximum: 2147483647 3152 minimum: 0 3153 type: integer 3154 strictAffinity: 3155 type: boolean 3156 required: 3157 - autoAllocateBlocks 3158 - strictAffinity 3159 type: object 3160 type: object 3161 served: true 3162 storage: true 3163 status: 3164 acceptedNames: 3165 kind: "" 3166 plural: "" 3167 conditions: [] 3168 storedVersions: [] 3169 --- 3170 apiVersion: apiextensions.k8s.io/v1 3171 kind: CustomResourceDefinition 3172 metadata: 3173 name: ipamhandles.crd.projectcalico.org 3174 spec: 3175 group: crd.projectcalico.org 3176 names: 3177 kind: IPAMHandle 3178 listKind: IPAMHandleList 3179 plural: ipamhandles 3180 singular: ipamhandle 3181 preserveUnknownFields: false 3182 scope: Cluster 3183 versions: 3184 - name: v1 3185 schema: 3186 openAPIV3Schema: 3187 properties: 3188 apiVersion: 3189 description: 'APIVersion defines the versioned schema of this representation 3190 of an object. Servers should convert recognized schemas to the latest 3191 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3192 type: string 3193 kind: 3194 description: 'Kind is a string value representing the REST resource this 3195 object represents. Servers may infer this from the endpoint the client 3196 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3197 type: string 3198 metadata: 3199 type: object 3200 spec: 3201 description: IPAMHandleSpec contains the specification for an IPAMHandle 3202 resource. 3203 properties: 3204 block: 3205 additionalProperties: 3206 type: integer 3207 type: object 3208 deleted: 3209 type: boolean 3210 handleID: 3211 type: string 3212 required: 3213 - block 3214 - handleID 3215 type: object 3216 type: object 3217 served: true 3218 storage: true 3219 status: 3220 acceptedNames: 3221 kind: "" 3222 plural: "" 3223 conditions: [] 3224 storedVersions: [] 3225 --- 3226 apiVersion: apiextensions.k8s.io/v1 3227 kind: CustomResourceDefinition 3228 metadata: 3229 name: ippools.crd.projectcalico.org 3230 spec: 3231 group: crd.projectcalico.org 3232 names: 3233 kind: IPPool 3234 listKind: IPPoolList 3235 plural: ippools 3236 singular: ippool 3237 preserveUnknownFields: false 3238 scope: Cluster 3239 versions: 3240 - name: v1 3241 schema: 3242 openAPIV3Schema: 3243 properties: 3244 apiVersion: 3245 description: 'APIVersion defines the versioned schema of this representation 3246 of an object. Servers should convert recognized schemas to the latest 3247 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3248 type: string 3249 kind: 3250 description: 'Kind is a string value representing the REST resource this 3251 object represents. Servers may infer this from the endpoint the client 3252 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3253 type: string 3254 metadata: 3255 type: object 3256 spec: 3257 description: IPPoolSpec contains the specification for an IPPool resource. 3258 properties: 3259 allowedUses: 3260 description: AllowedUse controls what the IP pool will be used for. If 3261 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 3262 items: 3263 type: string 3264 type: array 3265 blockSize: 3266 description: The block size to use for IP address assignments from 3267 this pool. Defaults to 26 for IPv4 and 122 for IPv6. 3268 type: integer 3269 cidr: 3270 description: The pool CIDR. 3271 type: string 3272 disableBGPExport: 3273 description: 'Disable exporting routes from this IP Pool''s CIDR over 3274 BGP. [Default: false]' 3275 type: boolean 3276 disabled: 3277 description: When disabled is true, Calico IPAM will not assign addresses 3278 from this pool. 3279 type: boolean 3280 ipip: 3281 description: 'Deprecated: this field is only used for APIv1 backwards 3282 compatibility. Setting this field is not allowed, this field is 3283 for internal use only.' 3284 properties: 3285 enabled: 3286 description: When enabled is true, ipip tunneling will be used 3287 to deliver packets to destinations within this pool. 3288 type: boolean 3289 mode: 3290 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 3291 mode of "always" will also use IPIP tunneling for routing to 3292 destination IP addresses within this pool. A mode of "cross-subnet" 3293 will only use IPIP tunneling when the destination node is on 3294 a different subnet to the originating node. The default value 3295 (if not specified) is "always". 3296 type: string 3297 type: object 3298 ipipMode: 3299 description: Contains configuration for IPIP tunneling for this pool. 3300 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 3301 is disabled). 
3302 type: string 3303 nat-outgoing: 3304 description: 'Deprecated: this field is only used for APIv1 backwards 3305 compatibility. Setting this field is not allowed, this field is 3306 for internal use only.' 3307 type: boolean 3308 natOutgoing: 3309 description: When natOutgoing is true, packets sent from Calico networked 3310 containers in this pool to destinations outside of this pool will 3311 be masqueraded. 3312 type: boolean 3313 nodeSelector: 3314 description: Allows IPPool to allocate for a specific node by label 3315 selector. 3316 type: string 3317 vxlanMode: 3318 description: Contains configuration for VXLAN tunneling for this pool. 3319 If not specified, then this is defaulted to "Never" (i.e. VXLAN 3320 tunneling is disabled). 3321 type: string 3322 required: 3323 - cidr 3324 type: object 3325 type: object 3326 served: true 3327 storage: true 3328 status: 3329 acceptedNames: 3330 kind: "" 3331 plural: "" 3332 conditions: [] 3333 storedVersions: [] 3334 --- 3335 apiVersion: apiextensions.k8s.io/v1 3336 kind: CustomResourceDefinition 3337 metadata: 3338 annotations: 3339 controller-gen.kubebuilder.io/version: (devel) 3340 creationTimestamp: null 3341 name: ipreservations.crd.projectcalico.org 3342 spec: 3343 group: crd.projectcalico.org 3344 names: 3345 kind: IPReservation 3346 listKind: IPReservationList 3347 plural: ipreservations 3348 singular: ipreservation 3349 preserveUnknownFields: false 3350 scope: Cluster 3351 versions: 3352 - name: v1 3353 schema: 3354 openAPIV3Schema: 3355 properties: 3356 apiVersion: 3357 description: 'APIVersion defines the versioned schema of this representation 3358 of an object. Servers should convert recognized schemas to the latest 3359 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3360 type: string 3361 kind: 3362 description: 'Kind is a string value representing the REST resource this 3363 object represents. Servers may infer this from the endpoint the client 3364 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3365 type: string 3366 metadata: 3367 type: object 3368 spec: 3369 description: IPReservationSpec contains the specification for an IPReservation 3370 resource. 3371 properties: 3372 reservedCIDRs: 3373 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 3374 that Calico IPAM will exclude from new allocations. 3375 items: 3376 type: string 3377 type: array 3378 type: object 3379 type: object 3380 served: true 3381 storage: true 3382 status: 3383 acceptedNames: 3384 kind: "" 3385 plural: "" 3386 conditions: [] 3387 storedVersions: [] 3388 --- 3389 apiVersion: apiextensions.k8s.io/v1 3390 kind: CustomResourceDefinition 3391 metadata: 3392 name: kubecontrollersconfigurations.crd.projectcalico.org 3393 spec: 3394 group: crd.projectcalico.org 3395 names: 3396 kind: KubeControllersConfiguration 3397 listKind: KubeControllersConfigurationList 3398 plural: kubecontrollersconfigurations 3399 singular: kubecontrollersconfiguration 3400 preserveUnknownFields: false 3401 scope: Cluster 3402 versions: 3403 - name: v1 3404 schema: 3405 openAPIV3Schema: 3406 properties: 3407 apiVersion: 3408 description: 'APIVersion defines the versioned schema of this representation 3409 of an object. Servers should convert recognized schemas to the latest 3410 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3411 type: string 3412 kind: 3413 description: 'Kind is a string value representing the REST resource this 3414 object represents. Servers may infer this from the endpoint the client 3415 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3416 type: string 3417 metadata: 3418 type: object 3419 spec: 3420 description: KubeControllersConfigurationSpec contains the values of the 3421 Kubernetes controllers configuration. 3422 properties: 3423 controllers: 3424 description: Controllers enables and configures individual Kubernetes 3425 controllers 3426 properties: 3427 namespace: 3428 description: Namespace enables and configures the namespace controller. 3429 Enabled by default, set to nil to disable. 3430 properties: 3431 reconcilerPeriod: 3432 description: 'ReconcilerPeriod is the period to perform reconciliation 3433 with the Calico datastore. [Default: 5m]' 3434 type: string 3435 type: object 3436 node: 3437 description: Node enables and configures the node controller. 3438 Enabled by default, set to nil to disable. 3439 properties: 3440 hostEndpoint: 3441 description: HostEndpoint controls syncing nodes to host endpoints. 3442 Disabled by default, set to nil to disable. 3443 properties: 3444 autoCreate: 3445 description: 'AutoCreate enables automatic creation of 3446 host endpoints for every node. [Default: Disabled]' 3447 type: string 3448 type: object 3449 leakGracePeriod: 3450 description: 'LeakGracePeriod is the period used by the controller 3451 to determine if an IP address has been leaked. Set to 0 3452 to disable IP garbage collection. [Default: 15m]' 3453 type: string 3454 reconcilerPeriod: 3455 description: 'ReconcilerPeriod is the period to perform reconciliation 3456 with the Calico datastore. 
[Default: 5m]' 3457 type: string 3458 syncLabels: 3459 description: 'SyncLabels controls whether to copy Kubernetes 3460 node labels to Calico nodes. [Default: Enabled]' 3461 type: string 3462 type: object 3463 policy: 3464 description: Policy enables and configures the policy controller. 3465 Enabled by default, set to nil to disable. 3466 properties: 3467 reconcilerPeriod: 3468 description: 'ReconcilerPeriod is the period to perform reconciliation 3469 with the Calico datastore. [Default: 5m]' 3470 type: string 3471 type: object 3472 serviceAccount: 3473 description: ServiceAccount enables and configures the service 3474 account controller. Enabled by default, set to nil to disable. 3475 properties: 3476 reconcilerPeriod: 3477 description: 'ReconcilerPeriod is the period to perform reconciliation 3478 with the Calico datastore. [Default: 5m]' 3479 type: string 3480 type: object 3481 workloadEndpoint: 3482 description: WorkloadEndpoint enables and configures the workload 3483 endpoint controller. Enabled by default, set to nil to disable. 3484 properties: 3485 reconcilerPeriod: 3486 description: 'ReconcilerPeriod is the period to perform reconciliation 3487 with the Calico datastore. [Default: 5m]' 3488 type: string 3489 type: object 3490 type: object 3491 debugProfilePort: 3492 description: DebugProfilePort configures the port to serve memory 3493 and cpu profiles on. If not specified, profiling is disabled. 3494 format: int32 3495 type: integer 3496 etcdV3CompactionPeriod: 3497 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3498 compaction requests. Set to 0 to disable. [Default: 10m]' 3499 type: string 3500 healthChecks: 3501 description: 'HealthChecks enables or disables support for health 3502 checks [Default: Enabled]' 3503 type: string 3504 logSeverityScreen: 3505 description: 'LogSeverityScreen is the log severity above which logs 3506 are sent to the stdout. 
[Default: Info]' 3507 type: string 3508 prometheusMetricsPort: 3509 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3510 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 3511 type: integer 3512 required: 3513 - controllers 3514 type: object 3515 status: 3516 description: KubeControllersConfigurationStatus represents the status 3517 of the configuration. It's useful for admins to be able to see the actual 3518 config that was applied, which can be modified by environment variables 3519 on the kube-controllers process. 3520 properties: 3521 environmentVars: 3522 additionalProperties: 3523 type: string 3524 description: EnvironmentVars contains the environment variables on 3525 the kube-controllers that influenced the RunningConfig. 3526 type: object 3527 runningConfig: 3528 description: RunningConfig contains the effective config that is running 3529 in the kube-controllers pod, after merging the API resource with 3530 any environment variables. 3531 properties: 3532 controllers: 3533 description: Controllers enables and configures individual Kubernetes 3534 controllers 3535 properties: 3536 namespace: 3537 description: Namespace enables and configures the namespace 3538 controller. Enabled by default, set to nil to disable. 3539 properties: 3540 reconcilerPeriod: 3541 description: 'ReconcilerPeriod is the period to perform 3542 reconciliation with the Calico datastore. [Default: 3543 5m]' 3544 type: string 3545 type: object 3546 node: 3547 description: Node enables and configures the node controller. 3548 Enabled by default, set to nil to disable. 3549 properties: 3550 hostEndpoint: 3551 description: HostEndpoint controls syncing nodes to host 3552 endpoints. Disabled by default, set to nil to disable. 3553 properties: 3554 autoCreate: 3555 description: 'AutoCreate enables automatic creation 3556 of host endpoints for every node. 
[Default: Disabled]' 3557 type: string 3558 type: object 3559 leakGracePeriod: 3560 description: 'LeakGracePeriod is the period used by the 3561 controller to determine if an IP address has been leaked. 3562 Set to 0 to disable IP garbage collection. [Default: 3563 15m]' 3564 type: string 3565 reconcilerPeriod: 3566 description: 'ReconcilerPeriod is the period to perform 3567 reconciliation with the Calico datastore. [Default: 3568 5m]' 3569 type: string 3570 syncLabels: 3571 description: 'SyncLabels controls whether to copy Kubernetes 3572 node labels to Calico nodes. [Default: Enabled]' 3573 type: string 3574 type: object 3575 policy: 3576 description: Policy enables and configures the policy controller. 3577 Enabled by default, set to nil to disable. 3578 properties: 3579 reconcilerPeriod: 3580 description: 'ReconcilerPeriod is the period to perform 3581 reconciliation with the Calico datastore. [Default: 3582 5m]' 3583 type: string 3584 type: object 3585 serviceAccount: 3586 description: ServiceAccount enables and configures the service 3587 account controller. Enabled by default, set to nil to disable. 3588 properties: 3589 reconcilerPeriod: 3590 description: 'ReconcilerPeriod is the period to perform 3591 reconciliation with the Calico datastore. [Default: 3592 5m]' 3593 type: string 3594 type: object 3595 workloadEndpoint: 3596 description: WorkloadEndpoint enables and configures the workload 3597 endpoint controller. Enabled by default, set to nil to disable. 3598 properties: 3599 reconcilerPeriod: 3600 description: 'ReconcilerPeriod is the period to perform 3601 reconciliation with the Calico datastore. [Default: 3602 5m]' 3603 type: string 3604 type: object 3605 type: object 3606 debugProfilePort: 3607 description: DebugProfilePort configures the port to serve memory 3608 and cpu profiles on. If not specified, profiling is disabled. 
3609 format: int32 3610 type: integer 3611 etcdV3CompactionPeriod: 3612 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3613 compaction requests. Set to 0 to disable. [Default: 10m]' 3614 type: string 3615 healthChecks: 3616 description: 'HealthChecks enables or disables support for health 3617 checks [Default: Enabled]' 3618 type: string 3619 logSeverityScreen: 3620 description: 'LogSeverityScreen is the log severity above which 3621 logs are sent to the stdout. [Default: Info]' 3622 type: string 3623 prometheusMetricsPort: 3624 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3625 metrics server should bind to. Set to 0 to disable. [Default: 3626 9094]' 3627 type: integer 3628 required: 3629 - controllers 3630 type: object 3631 type: object 3632 type: object 3633 served: true 3634 storage: true 3635 status: 3636 acceptedNames: 3637 kind: "" 3638 plural: "" 3639 conditions: [] 3640 storedVersions: [] 3641 --- 3642 apiVersion: apiextensions.k8s.io/v1 3643 kind: CustomResourceDefinition 3644 metadata: 3645 name: networkpolicies.crd.projectcalico.org 3646 spec: 3647 group: crd.projectcalico.org 3648 names: 3649 kind: NetworkPolicy 3650 listKind: NetworkPolicyList 3651 plural: networkpolicies 3652 singular: networkpolicy 3653 preserveUnknownFields: false 3654 scope: Namespaced 3655 versions: 3656 - name: v1 3657 schema: 3658 openAPIV3Schema: 3659 properties: 3660 apiVersion: 3661 description: 'APIVersion defines the versioned schema of this representation 3662 of an object. Servers should convert recognized schemas to the latest 3663 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3664 type: string 3665 kind: 3666 description: 'Kind is a string value representing the REST resource this 3667 object represents. Servers may infer this from the endpoint the client 3668 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3669 type: string 3670 metadata: 3671 type: object 3672 spec: 3673 properties: 3674 egress: 3675 description: The ordered set of egress rules. Each rule contains 3676 a set of packet match criteria and a corresponding action to apply. 3677 items: 3678 description: "A Rule encapsulates a set of match criteria and an 3679 action. Both selector-based security Policy and security Profiles 3680 reference rules - separated out as a list of rules for both ingress 3681 and egress packet matching. \n Each positive match criteria has 3682 a negated version, prefixed with \"Not\". All the match criteria 3683 within a rule must be satisfied for a packet to match. A single 3684 rule can contain the positive and negative version of a match 3685 and both must be satisfied for the rule to match." 3686 properties: 3687 action: 3688 type: string 3689 destination: 3690 description: Destination contains the match criteria that apply 3691 to destination entity. 3692 properties: 3693 namespaceSelector: 3694 description: "NamespaceSelector is an optional field that 3695 contains a selector expression. Only traffic that originates 3696 from (or terminates at) endpoints within the selected 3697 namespaces will be matched. When both NamespaceSelector 3698 and another selector are defined on the same rule, then 3699 only workload endpoints that are matched by both selectors 3700 will be selected by the rule. \n For NetworkPolicy, an 3701 empty NamespaceSelector implies that the Selector is limited 3702 to selecting only workload endpoints in the same namespace 3703 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3704 NamespaceSelector implies that the Selector is limited 3705 to selecting only GlobalNetworkSet or HostEndpoint. \n 3706 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3707 the Selector applies to workload endpoints across all 3708 namespaces." 
3709 type: string 3710 nets: 3711 description: Nets is an optional field that restricts the 3712 rule to only apply to traffic that originates from (or 3713 terminates at) IP addresses in any of the given subnets. 3714 items: 3715 type: string 3716 type: array 3717 notNets: 3718 description: NotNets is the negated version of the Nets 3719 field. 3720 items: 3721 type: string 3722 type: array 3723 notPorts: 3724 description: NotPorts is the negated version of the Ports 3725 field. Since only some protocols have ports, if any ports 3726 are specified it requires the Protocol match in the Rule 3727 to be set to "TCP" or "UDP". 3728 items: 3729 anyOf: 3730 - type: integer 3731 - type: string 3732 pattern: ^.* 3733 x-kubernetes-int-or-string: true 3734 type: array 3735 notSelector: 3736 description: NotSelector is the negated version of the Selector 3737 field. See Selector field for subtleties with negated 3738 selectors. 3739 type: string 3740 ports: 3741 description: "Ports is an optional field that restricts 3742 the rule to only apply to traffic that has a source (destination) 3743 port that matches one of these ranges/values. This value 3744 is a list of integers or strings that represent ranges 3745 of ports. \n Since only some protocols have ports, if 3746 any ports are specified it requires the Protocol match 3747 in the Rule to be set to \"TCP\" or \"UDP\"." 3748 items: 3749 anyOf: 3750 - type: integer 3751 - type: string 3752 pattern: ^.* 3753 x-kubernetes-int-or-string: true 3754 type: array 3755 selector: 3756 description: "Selector is an optional field that contains 3757 a selector expression (see Policy for sample syntax). 3758 \ Only traffic that originates from (terminates at) endpoints 3759 matching the selector will be matched. \n Note that: in 3760 addition to the negated version of the Selector (see NotSelector 3761 below), the selector expression syntax itself supports 3762 negation. The two types of negation are subtly different. 
3763 One negates the set of matched endpoints, the other negates 3764 the whole match: \n \tSelector = \"!has(my_label)\" matches 3765 packets that are from other Calico-controlled \tendpoints 3766 that do not have the label \"my_label\". \n \tNotSelector 3767 = \"has(my_label)\" matches packets that are not from 3768 Calico-controlled \tendpoints that do have the label \"my_label\". 3769 \n The effect is that the latter will accept packets from 3770 non-Calico sources whereas the former is limited to packets 3771 from Calico-controlled endpoints." 3772 type: string 3773 serviceAccounts: 3774 description: ServiceAccounts is an optional field that restricts 3775 the rule to only apply to traffic that originates from 3776 (or terminates at) a pod running as a matching service 3777 account. 3778 properties: 3779 names: 3780 description: Names is an optional field that restricts 3781 the rule to only apply to traffic that originates 3782 from (or terminates at) a pod running as a service 3783 account whose name is in the list. 3784 items: 3785 type: string 3786 type: array 3787 selector: 3788 description: Selector is an optional field that restricts 3789 the rule to only apply to traffic that originates 3790 from (or terminates at) a pod running as a service 3791 account that matches the given label selector. If 3792 both Names and Selector are specified then they are 3793 AND'ed. 3794 type: string 3795 type: object 3796 services: 3797 description: "Services is an optional field that contains 3798 options for matching Kubernetes Services. If specified, 3799 only traffic that originates from or terminates at endpoints 3800 within the selected service(s) will be matched, and only 3801 to/from each endpoint's port. \n Services cannot be specified 3802 on the same rule as Selector, NotSelector, NamespaceSelector, 3803 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3804 can only be specified with Services on ingress rules." 
3805 properties: 3806 name: 3807 description: Name specifies the name of a Kubernetes 3808 Service to match. 3809 type: string 3810 namespace: 3811 description: Namespace specifies the namespace of the 3812 given Service. If left empty, the rule will match 3813 within this policy's namespace. 3814 type: string 3815 type: object 3816 type: object 3817 http: 3818 description: HTTP contains match criteria that apply to HTTP 3819 requests. 3820 properties: 3821 methods: 3822 description: Methods is an optional field that restricts 3823 the rule to apply only to HTTP requests that use one of 3824 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3825 methods are OR'd together. 3826 items: 3827 type: string 3828 type: array 3829 paths: 3830 description: 'Paths is an optional field that restricts 3831 the rule to apply to HTTP requests that use one of the 3832 listed HTTP Paths. Multiple paths are OR''d together. 3833 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3834 ONLY specify either a `exact` or a `prefix` match. The 3835 validator will check for it.' 3836 items: 3837 description: 'HTTPPath specifies an HTTP path to match. 3838 It may be either of the form: exact: <path>: which matches 3839 the path exactly or prefix: <path-prefix>: which matches 3840 the path prefix' 3841 properties: 3842 exact: 3843 type: string 3844 prefix: 3845 type: string 3846 type: object 3847 type: array 3848 type: object 3849 icmp: 3850 description: ICMP is an optional field that restricts the rule 3851 to apply to a specific type and code of ICMP traffic. This 3852 should only be specified if the Protocol field is set to "ICMP" 3853 or "ICMPv6". 3854 properties: 3855 code: 3856 description: Match on a specific ICMP code. If specified, 3857 the Type value must also be specified. This is a technical 3858 limitation imposed by the kernel's iptables firewall, 3859 which Calico uses to enforce the rule. 3860 type: integer 3861 type: 3862 description: Match on a specific ICMP type. 
For example 3863 a value of 8 refers to ICMP Echo Request (i.e. pings). 3864 type: integer 3865 type: object 3866 ipVersion: 3867 description: IPVersion is an optional field that restricts the 3868 rule to only match a specific IP version. 3869 type: integer 3870 metadata: 3871 description: Metadata contains additional information for this 3872 rule 3873 properties: 3874 annotations: 3875 additionalProperties: 3876 type: string 3877 description: Annotations is a set of key value pairs that 3878 give extra information about the rule 3879 type: object 3880 type: object 3881 notICMP: 3882 description: NotICMP is the negated version of the ICMP field. 3883 properties: 3884 code: 3885 description: Match on a specific ICMP code. If specified, 3886 the Type value must also be specified. This is a technical 3887 limitation imposed by the kernel's iptables firewall, 3888 which Calico uses to enforce the rule. 3889 type: integer 3890 type: 3891 description: Match on a specific ICMP type. For example 3892 a value of 8 refers to ICMP Echo Request (i.e. pings). 3893 type: integer 3894 type: object 3895 notProtocol: 3896 anyOf: 3897 - type: integer 3898 - type: string 3899 description: NotProtocol is the negated version of the Protocol 3900 field. 3901 pattern: ^.* 3902 x-kubernetes-int-or-string: true 3903 protocol: 3904 anyOf: 3905 - type: integer 3906 - type: string 3907 description: "Protocol is an optional field that restricts the 3908 rule to only apply to traffic of a specific IP protocol. Required 3909 if any of the EntityRules contain Ports (because ports only 3910 apply to certain protocols). \n Must be one of these string 3911 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3912 \"UDPLite\" or an integer in the range 1-255." 3913 pattern: ^.* 3914 x-kubernetes-int-or-string: true 3915 source: 3916 description: Source contains the match criteria that apply to 3917 source entity. 
3918 properties: 3919 namespaceSelector: 3920 description: "NamespaceSelector is an optional field that 3921 contains a selector expression. Only traffic that originates 3922 from (or terminates at) endpoints within the selected 3923 namespaces will be matched. When both NamespaceSelector 3924 and another selector are defined on the same rule, then 3925 only workload endpoints that are matched by both selectors 3926 will be selected by the rule. \n For NetworkPolicy, an 3927 empty NamespaceSelector implies that the Selector is limited 3928 to selecting only workload endpoints in the same namespace 3929 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3930 NamespaceSelector implies that the Selector is limited 3931 to selecting only GlobalNetworkSet or HostEndpoint. \n 3932 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3933 the Selector applies to workload endpoints across all 3934 namespaces." 3935 type: string 3936 nets: 3937 description: Nets is an optional field that restricts the 3938 rule to only apply to traffic that originates from (or 3939 terminates at) IP addresses in any of the given subnets. 3940 items: 3941 type: string 3942 type: array 3943 notNets: 3944 description: NotNets is the negated version of the Nets 3945 field. 3946 items: 3947 type: string 3948 type: array 3949 notPorts: 3950 description: NotPorts is the negated version of the Ports 3951 field. Since only some protocols have ports, if any ports 3952 are specified it requires the Protocol match in the Rule 3953 to be set to "TCP" or "UDP". 3954 items: 3955 anyOf: 3956 - type: integer 3957 - type: string 3958 pattern: ^.* 3959 x-kubernetes-int-or-string: true 3960 type: array 3961 notSelector: 3962 description: NotSelector is the negated version of the Selector 3963 field. See Selector field for subtleties with negated 3964 selectors. 
3965 type: string 3966 ports: 3967 description: "Ports is an optional field that restricts 3968 the rule to only apply to traffic that has a source (destination) 3969 port that matches one of these ranges/values. This value 3970 is a list of integers or strings that represent ranges 3971 of ports. \n Since only some protocols have ports, if 3972 any ports are specified it requires the Protocol match 3973 in the Rule to be set to \"TCP\" or \"UDP\"." 3974 items: 3975 anyOf: 3976 - type: integer 3977 - type: string 3978 pattern: ^.* 3979 x-kubernetes-int-or-string: true 3980 type: array 3981 selector: 3982 description: "Selector is an optional field that contains 3983 a selector expression (see Policy for sample syntax). 3984 \ Only traffic that originates from (terminates at) endpoints 3985 matching the selector will be matched. \n Note that: in 3986 addition to the negated version of the Selector (see NotSelector 3987 below), the selector expression syntax itself supports 3988 negation. The two types of negation are subtly different. 3989 One negates the set of matched endpoints, the other negates 3990 the whole match: \n \tSelector = \"!has(my_label)\" matches 3991 packets that are from other Calico-controlled \tendpoints 3992 that do not have the label \"my_label\". \n \tNotSelector 3993 = \"has(my_label)\" matches packets that are not from 3994 Calico-controlled \tendpoints that do have the label \"my_label\". 3995 \n The effect is that the latter will accept packets from 3996 non-Calico sources whereas the former is limited to packets 3997 from Calico-controlled endpoints." 3998 type: string 3999 serviceAccounts: 4000 description: ServiceAccounts is an optional field that restricts 4001 the rule to only apply to traffic that originates from 4002 (or terminates at) a pod running as a matching service 4003 account. 
4004 properties: 4005 names: 4006 description: Names is an optional field that restricts 4007 the rule to only apply to traffic that originates 4008 from (or terminates at) a pod running as a service 4009 account whose name is in the list. 4010 items: 4011 type: string 4012 type: array 4013 selector: 4014 description: Selector is an optional field that restricts 4015 the rule to only apply to traffic that originates 4016 from (or terminates at) a pod running as a service 4017 account that matches the given label selector. If 4018 both Names and Selector are specified then they are 4019 AND'ed. 4020 type: string 4021 type: object 4022 services: 4023 description: "Services is an optional field that contains 4024 options for matching Kubernetes Services. If specified, 4025 only traffic that originates from or terminates at endpoints 4026 within the selected service(s) will be matched, and only 4027 to/from each endpoint's port. \n Services cannot be specified 4028 on the same rule as Selector, NotSelector, NamespaceSelector, 4029 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4030 can only be specified with Services on ingress rules." 4031 properties: 4032 name: 4033 description: Name specifies the name of a Kubernetes 4034 Service to match. 4035 type: string 4036 namespace: 4037 description: Namespace specifies the namespace of the 4038 given Service. If left empty, the rule will match 4039 within this policy's namespace. 4040 type: string 4041 type: object 4042 type: object 4043 required: 4044 - action 4045 type: object 4046 type: array 4047 ingress: 4048 description: The ordered set of ingress rules. Each rule contains 4049 a set of packet match criteria and a corresponding action to apply. 4050 items: 4051 description: "A Rule encapsulates a set of match criteria and an 4052 action. Both selector-based security Policy and security Profiles 4053 reference rules - separated out as a list of rules for both ingress 4054 and egress packet matching. 
\n Each positive match criteria has 4055 a negated version, prefixed with \"Not\". All the match criteria 4056 within a rule must be satisfied for a packet to match. A single 4057 rule can contain the positive and negative version of a match 4058 and both must be satisfied for the rule to match." 4059 properties: 4060 action: 4061 type: string 4062 destination: 4063 description: Destination contains the match criteria that apply 4064 to destination entity. 4065 properties: 4066 namespaceSelector: 4067 description: "NamespaceSelector is an optional field that 4068 contains a selector expression. Only traffic that originates 4069 from (or terminates at) endpoints within the selected 4070 namespaces will be matched. When both NamespaceSelector 4071 and another selector are defined on the same rule, then 4072 only workload endpoints that are matched by both selectors 4073 will be selected by the rule. \n For NetworkPolicy, an 4074 empty NamespaceSelector implies that the Selector is limited 4075 to selecting only workload endpoints in the same namespace 4076 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4077 NamespaceSelector implies that the Selector is limited 4078 to selecting only GlobalNetworkSet or HostEndpoint. \n 4079 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4080 the Selector applies to workload endpoints across all 4081 namespaces." 4082 type: string 4083 nets: 4084 description: Nets is an optional field that restricts the 4085 rule to only apply to traffic that originates from (or 4086 terminates at) IP addresses in any of the given subnets. 4087 items: 4088 type: string 4089 type: array 4090 notNets: 4091 description: NotNets is the negated version of the Nets 4092 field. 4093 items: 4094 type: string 4095 type: array 4096 notPorts: 4097 description: NotPorts is the negated version of the Ports 4098 field. 
Since only some protocols have ports, if any ports 4099 are specified it requires the Protocol match in the Rule 4100 to be set to "TCP" or "UDP". 4101 items: 4102 anyOf: 4103 - type: integer 4104 - type: string 4105 pattern: ^.* 4106 x-kubernetes-int-or-string: true 4107 type: array 4108 notSelector: 4109 description: NotSelector is the negated version of the Selector 4110 field. See Selector field for subtleties with negated 4111 selectors. 4112 type: string 4113 ports: 4114 description: "Ports is an optional field that restricts 4115 the rule to only apply to traffic that has a source (destination) 4116 port that matches one of these ranges/values. This value 4117 is a list of integers or strings that represent ranges 4118 of ports. \n Since only some protocols have ports, if 4119 any ports are specified it requires the Protocol match 4120 in the Rule to be set to \"TCP\" or \"UDP\"." 4121 items: 4122 anyOf: 4123 - type: integer 4124 - type: string 4125 pattern: ^.* 4126 x-kubernetes-int-or-string: true 4127 type: array 4128 selector: 4129 description: "Selector is an optional field that contains 4130 a selector expression (see Policy for sample syntax). 4131 \ Only traffic that originates from (terminates at) endpoints 4132 matching the selector will be matched. \n Note that: in 4133 addition to the negated version of the Selector (see NotSelector 4134 below), the selector expression syntax itself supports 4135 negation. The two types of negation are subtly different. 4136 One negates the set of matched endpoints, the other negates 4137 the whole match: \n \tSelector = \"!has(my_label)\" matches 4138 packets that are from other Calico-controlled \tendpoints 4139 that do not have the label \"my_label\". \n \tNotSelector 4140 = \"has(my_label)\" matches packets that are not from 4141 Calico-controlled \tendpoints that do have the label \"my_label\". 
4142 \n The effect is that the latter will accept packets from 4143 non-Calico sources whereas the former is limited to packets 4144 from Calico-controlled endpoints." 4145 type: string 4146 serviceAccounts: 4147 description: ServiceAccounts is an optional field that restricts 4148 the rule to only apply to traffic that originates from 4149 (or terminates at) a pod running as a matching service 4150 account. 4151 properties: 4152 names: 4153 description: Names is an optional field that restricts 4154 the rule to only apply to traffic that originates 4155 from (or terminates at) a pod running as a service 4156 account whose name is in the list. 4157 items: 4158 type: string 4159 type: array 4160 selector: 4161 description: Selector is an optional field that restricts 4162 the rule to only apply to traffic that originates 4163 from (or terminates at) a pod running as a service 4164 account that matches the given label selector. If 4165 both Names and Selector are specified then they are 4166 AND'ed. 4167 type: string 4168 type: object 4169 services: 4170 description: "Services is an optional field that contains 4171 options for matching Kubernetes Services. If specified, 4172 only traffic that originates from or terminates at endpoints 4173 within the selected service(s) will be matched, and only 4174 to/from each endpoint's port. \n Services cannot be specified 4175 on the same rule as Selector, NotSelector, NamespaceSelector, 4176 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4177 can only be specified with Services on ingress rules." 4178 properties: 4179 name: 4180 description: Name specifies the name of a Kubernetes 4181 Service to match. 4182 type: string 4183 namespace: 4184 description: Namespace specifies the namespace of the 4185 given Service. If left empty, the rule will match 4186 within this policy's namespace. 
4187 type: string 4188 type: object 4189 type: object 4190 http: 4191 description: HTTP contains match criteria that apply to HTTP 4192 requests. 4193 properties: 4194 methods: 4195 description: Methods is an optional field that restricts 4196 the rule to apply only to HTTP requests that use one of 4197 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 4198 methods are OR'd together. 4199 items: 4200 type: string 4201 type: array 4202 paths: 4203 description: 'Paths is an optional field that restricts 4204 the rule to apply to HTTP requests that use one of the 4205 listed HTTP Paths. Multiple paths are OR''d together. 4206 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 4207 ONLY specify either a `exact` or a `prefix` match. The 4208 validator will check for it.' 4209 items: 4210 description: 'HTTPPath specifies an HTTP path to match. 4211 It may be either of the form: exact: <path>: which matches 4212 the path exactly or prefix: <path-prefix>: which matches 4213 the path prefix' 4214 properties: 4215 exact: 4216 type: string 4217 prefix: 4218 type: string 4219 type: object 4220 type: array 4221 type: object 4222 icmp: 4223 description: ICMP is an optional field that restricts the rule 4224 to apply to a specific type and code of ICMP traffic. This 4225 should only be specified if the Protocol field is set to "ICMP" 4226 or "ICMPv6". 4227 properties: 4228 code: 4229 description: Match on a specific ICMP code. If specified, 4230 the Type value must also be specified. This is a technical 4231 limitation imposed by the kernel's iptables firewall, 4232 which Calico uses to enforce the rule. 4233 type: integer 4234 type: 4235 description: Match on a specific ICMP type. For example 4236 a value of 8 refers to ICMP Echo Request (i.e. pings). 4237 type: integer 4238 type: object 4239 ipVersion: 4240 description: IPVersion is an optional field that restricts the 4241 rule to only match a specific IP version. 
4242 type: integer 4243 metadata: 4244 description: Metadata contains additional information for this 4245 rule 4246 properties: 4247 annotations: 4248 additionalProperties: 4249 type: string 4250 description: Annotations is a set of key value pairs that 4251 give extra information about the rule 4252 type: object 4253 type: object 4254 notICMP: 4255 description: NotICMP is the negated version of the ICMP field. 4256 properties: 4257 code: 4258 description: Match on a specific ICMP code. If specified, 4259 the Type value must also be specified. This is a technical 4260 limitation imposed by the kernel's iptables firewall, 4261 which Calico uses to enforce the rule. 4262 type: integer 4263 type: 4264 description: Match on a specific ICMP type. For example 4265 a value of 8 refers to ICMP Echo Request (i.e. pings). 4266 type: integer 4267 type: object 4268 notProtocol: 4269 anyOf: 4270 - type: integer 4271 - type: string 4272 description: NotProtocol is the negated version of the Protocol 4273 field. 4274 pattern: ^.* 4275 x-kubernetes-int-or-string: true 4276 protocol: 4277 anyOf: 4278 - type: integer 4279 - type: string 4280 description: "Protocol is an optional field that restricts the 4281 rule to only apply to traffic of a specific IP protocol. Required 4282 if any of the EntityRules contain Ports (because ports only 4283 apply to certain protocols). \n Must be one of these string 4284 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 4285 \"UDPLite\" or an integer in the range 1-255." 4286 pattern: ^.* 4287 x-kubernetes-int-or-string: true 4288 source: 4289 description: Source contains the match criteria that apply to 4290 source entity. 4291 properties: 4292 namespaceSelector: 4293 description: "NamespaceSelector is an optional field that 4294 contains a selector expression. Only traffic that originates 4295 from (or terminates at) endpoints within the selected 4296 namespaces will be matched. 
When both NamespaceSelector 4297 and another selector are defined on the same rule, then 4298 only workload endpoints that are matched by both selectors 4299 will be selected by the rule. \n For NetworkPolicy, an 4300 empty NamespaceSelector implies that the Selector is limited 4301 to selecting only workload endpoints in the same namespace 4302 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4303 NamespaceSelector implies that the Selector is limited 4304 to selecting only GlobalNetworkSet or HostEndpoint. \n 4305 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4306 the Selector applies to workload endpoints across all 4307 namespaces." 4308 type: string 4309 nets: 4310 description: Nets is an optional field that restricts the 4311 rule to only apply to traffic that originates from (or 4312 terminates at) IP addresses in any of the given subnets. 4313 items: 4314 type: string 4315 type: array 4316 notNets: 4317 description: NotNets is the negated version of the Nets 4318 field. 4319 items: 4320 type: string 4321 type: array 4322 notPorts: 4323 description: NotPorts is the negated version of the Ports 4324 field. Since only some protocols have ports, if any ports 4325 are specified it requires the Protocol match in the Rule 4326 to be set to "TCP" or "UDP". 4327 items: 4328 anyOf: 4329 - type: integer 4330 - type: string 4331 pattern: ^.* 4332 x-kubernetes-int-or-string: true 4333 type: array 4334 notSelector: 4335 description: NotSelector is the negated version of the Selector 4336 field. See Selector field for subtleties with negated 4337 selectors. 4338 type: string 4339 ports: 4340 description: "Ports is an optional field that restricts 4341 the rule to only apply to traffic that has a source (destination) 4342 port that matches one of these ranges/values. This value 4343 is a list of integers or strings that represent ranges 4344 of ports. 
\n Since only some protocols have ports, if 4345 any ports are specified it requires the Protocol match 4346 in the Rule to be set to \"TCP\" or \"UDP\"." 4347 items: 4348 anyOf: 4349 - type: integer 4350 - type: string 4351 pattern: ^.* 4352 x-kubernetes-int-or-string: true 4353 type: array 4354 selector: 4355 description: "Selector is an optional field that contains 4356 a selector expression (see Policy for sample syntax). 4357 \ Only traffic that originates from (terminates at) endpoints 4358 matching the selector will be matched. \n Note that: in 4359 addition to the negated version of the Selector (see NotSelector 4360 below), the selector expression syntax itself supports 4361 negation. The two types of negation are subtly different. 4362 One negates the set of matched endpoints, the other negates 4363 the whole match: \n \tSelector = \"!has(my_label)\" matches 4364 packets that are from other Calico-controlled \tendpoints 4365 that do not have the label \"my_label\". \n \tNotSelector 4366 = \"has(my_label)\" matches packets that are not from 4367 Calico-controlled \tendpoints that do have the label \"my_label\". 4368 \n The effect is that the latter will accept packets from 4369 non-Calico sources whereas the former is limited to packets 4370 from Calico-controlled endpoints." 4371 type: string 4372 serviceAccounts: 4373 description: ServiceAccounts is an optional field that restricts 4374 the rule to only apply to traffic that originates from 4375 (or terminates at) a pod running as a matching service 4376 account. 4377 properties: 4378 names: 4379 description: Names is an optional field that restricts 4380 the rule to only apply to traffic that originates 4381 from (or terminates at) a pod running as a service 4382 account whose name is in the list. 
4383 items: 4384 type: string 4385 type: array 4386 selector: 4387 description: Selector is an optional field that restricts 4388 the rule to only apply to traffic that originates 4389 from (or terminates at) a pod running as a service 4390 account that matches the given label selector. If 4391 both Names and Selector are specified then they are 4392 AND'ed. 4393 type: string 4394 type: object 4395 services: 4396 description: "Services is an optional field that contains 4397 options for matching Kubernetes Services. If specified, 4398 only traffic that originates from or terminates at endpoints 4399 within the selected service(s) will be matched, and only 4400 to/from each endpoint's port. \n Services cannot be specified 4401 on the same rule as Selector, NotSelector, NamespaceSelector, 4402 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4403 can only be specified with Services on ingress rules." 4404 properties: 4405 name: 4406 description: Name specifies the name of a Kubernetes 4407 Service to match. 4408 type: string 4409 namespace: 4410 description: Namespace specifies the namespace of the 4411 given Service. If left empty, the rule will match 4412 within this policy's namespace. 4413 type: string 4414 type: object 4415 type: object 4416 required: 4417 - action 4418 type: object 4419 type: array 4420 order: 4421 description: Order is an optional field that specifies the order in 4422 which the policy is applied. Policies with higher "order" are applied 4423 after those with lower order. If the order is omitted, it may be 4424 considered to be "infinite" - i.e. the policy will be applied last. Policies 4425 with identical order will be applied in alphanumerical order based 4426 on the Policy "Name". 4427 type: number 4428 selector: 4429 description: "The selector is an expression used to pick pick out 4430 the endpoints that the policy should be applied to. 
\n Selector 4431 expressions follow this syntax: \n \tlabel == \"string_literal\" 4432 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 4433 \ -> not equal; also matches if label is not present \tlabel in 4434 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 4435 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 4436 ... } -> true if the value of label X is not one of \"a\", \"b\", 4437 \"c\" \thas(label_name) -> True if that label is present \t! expr 4438 -> negation of expr \texpr && expr -> Short-circuit and \texpr 4439 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 4440 or the empty selector -> matches all endpoints. \n Label names are 4441 allowed to contain alphanumerics, -, _ and /. String literals are 4442 more permissive but they do not support escape characters. \n Examples 4443 (with made-up labels): \n \ttype == \"webserver\" && deployment 4444 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 4445 \"dev\" \t! has(label_name)" 4446 type: string 4447 serviceAccountSelector: 4448 description: ServiceAccountSelector is an optional field for an expression 4449 used to select a pod based on service accounts. 4450 type: string 4451 types: 4452 description: "Types indicates whether this policy applies to ingress, 4453 or to egress, or to both. When not explicitly specified (and so 4454 the value on creation is empty or nil), Calico defaults Types according 4455 to what Ingress and Egress are present in the policy. The default 4456 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 4457 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 4458 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 4459 PolicyTypeEgress ], if there are both Ingress and Egress rules. 4460 \n When the policy is read back again, Types will always be one 4461 of these values, never empty or nil." 
# Remainder of the Calico manifest embedded as a block scalar in a ConfigMap (the data key that opens it is above this chunk, so it is indented one block-scalar level).
                      # Tail of the networkpolicies.crd.projectcalico.org schema: spec.types (the CRD header is above this chunk).
                      items:
                        description: PolicyType enumerates the possible values of the PolicySpec Types field.
                        type: string
                      type: array
                  type: object
              type: object
          served: true
          storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: networksets.crd.projectcalico.org
    spec:
      group: crd.projectcalico.org
      names:
        kind: NetworkSet
        listKind: NetworkSetList
        plural: networksets
        singular: networkset
      # Structural schema with pruning: fields not declared below are dropped by the API server rather than stored.
      preserveUnknownFields: false
      scope: Namespaced
      versions:
        - name: v1
          schema:
            openAPIV3Schema:
              description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
              properties:
                apiVersion:
                  description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                  type: string
                kind:
                  description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                  type: string
                metadata:
                  type: object
                spec:
                  description: NetworkSetSpec contains the specification for a NetworkSet resource.
                  properties:
                    nets:
                      # Free-form strings: the schema does not validate CIDR syntax, so malformed entries are only caught by Calico at runtime.
                      description: The list of IP networks that belong to this set.
                      items:
                        type: string
                      type: array
                  type: object
              type: object
          served: true
          storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []
    ---
    # Three distinct ServiceAccounts so the CNI plugin, the controllers and the node agent each carry only their own ClusterRole (bindings below).
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: calico-cni-plugin
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: calico-node
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: calico-cni-plugin
    rules:
      # Read-only on core objects; the only core write is pods/status (patch), used for IP assignment reporting.
      - apiGroups:
          - ""
        resources:
          - pods
          - nodes
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - pods/status
        verbs:
          - patch
      # Cluster-wide write access to the IPAM bookkeeping CRDs; no watch verb is granted here.
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - blockaffinities
          - ipamblocks
          - ipamhandles
          - clusterinformations
          - ippools
          - ipreservations
          - ipamconfigs
        verbs:
          - get
          - list
          - create
          - update
          - delete
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: calico-kube-controllers
    rules:
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - watch
          - list
          - get
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - ipreservations
        verbs:
          - list
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - blockaffinities
          - ipamblocks
          - ipamhandles
        verbs:
          - get
          - list
          - create
          - update
          - delete
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - ippools
        verbs:
          - list
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - hostendpoints
        verbs:
          - get
          - list
          - create
          - update
          - delete
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - clusterinformations
        verbs:
          - get
          - list
          - create
          - update
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - kubecontrollersconfigurations
        verbs:
          - get
          - create
          - update
          - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: calico-node
    rules:
      # Token minting is restricted by resourceNames to the calico-cni-plugin ServiceAccount; widening this list would let the node agent mint tokens for other accounts.
      - apiGroups:
          - ""
        resourceNames:
          - calico-cni-plugin
        resources:
          - serviceaccounts/token
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - pods
          - nodes
          - namespaces
        verbs:
          - get
      - apiGroups:
          - discovery.k8s.io
        resources:
          - endpointslices
        verbs:
          - watch
          - list
      - apiGroups:
          - ""
        resources:
          - endpoints
          - services
        verbs:
          - watch
          - list
          - get
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - get
      # Write access to node status is cluster-wide (not scoped to the agent's own node).
      - apiGroups:
          - ""
        resources:
          - nodes/status
        verbs:
          - patch
          - update
      - apiGroups:
          - networking.k8s.io
        resources:
          - networkpolicies
        verbs:
          - watch
          - list
      # Cluster-wide list/watch of pods, namespaces and serviceaccounts, presumably for policy selector evaluation.
      - apiGroups:
          - ""
        resources:
          - pods
          - namespaces
          - serviceaccounts
        verbs:
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - pods/status
        verbs:
          - patch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - globalfelixconfigs
          - felixconfigurations
          - bgppeers
          - bgpfilters
          - globalbgpconfigs
          - bgpconfigurations
          - ippools
          - ipreservations
          - ipamblocks
          - globalnetworkpolicies
          - globalnetworksets
          - networkpolicies
          - networksets
          - clusterinformations
          - hostendpoints
          - blockaffinities
          - caliconodestatuses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - ippools
          - felixconfigurations
          - clusterinformations
        verbs:
          - create
          - update
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - caliconodestatuses
        verbs:
          - update
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - bgpconfigurations
          - bgppeers
        verbs:
          - create
          - update
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - blockaffinities
          - ipamblocks
          - ipamhandles
        verbs:
          - get
          - list
          - create
          - update
          - delete
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - ipamconfigs
        verbs:
          - get
          - create
      - apiGroups:
          - crd.projectcalico.org
        resources:
          - blockaffinities
        verbs:
          - watch
      - apiGroups:
          - apps
        resources:
          - daemonsets
        verbs:
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: calico-cni-plugin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: calico-cni-plugin
    subjects:
      - kind: ServiceAccount
        name: calico-cni-plugin
        namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: calico-kube-controllers
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: calico-kube-controllers
    subjects:
      - kind: ServiceAccount
        name: calico-kube-controllers
        namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: calico-node
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: calico-node
    subjects:
      - kind: ServiceAccount
        name: calico-node
        namespace: kube-system
    ---
    apiVersion: v1
    data:
      # Read by the calico-node DaemonSet via CALICO_NETWORKING_BACKEND.
      calico_backend: vxlan
      # Rendered CNI conflist; fed to the install-cni init container through CNI_NETWORK_CONFIG. The __…__ tokens are placeholders, presumably replaced by that container before the file is written to /etc/cni/net.d.
      cni_network_config: |-
        {
          "name": "k8s-pod-network",
          "cniVersion": "0.3.1",
          "plugins": [
            {
              "type": "calico",
              "log_level": "info",
              "log_file_path": "/var/log/calico/cni/cni.log",
              "datastore_type": "kubernetes",
              "nodename": "__KUBERNETES_NODE_NAME__",
              "mtu": __CNI_MTU__,
              "ipam": {
                  "type": "calico-ipam"
              },
              "policy": {
                  "type": "k8s"
              },
              "kubernetes": {
                  "kubeconfig": "__KUBECONFIG_FILEPATH__"
              }
            },
            {
              "type": "portmap",
              "snat": true,
              "capabilities": {"portMappings": true}
            },
            {
              "type": "bandwidth",
              "capabilities": {"bandwidth": true}
            }
          ]
        }
      typha_service_name: none
      # Quoted on purpose: consumed as an env value (CNI_MTU, FELIX_*MTU), so it must stay a string.
      veth_mtu: "1350"
    kind: ConfigMap
    metadata:
      name: calico-config
      namespace: kube-system
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        k8s-app: calico-kube-controllers
      name: calico-kube-controllers
      namespace: kube-system
    spec:
      replicas: 1
      selector:
        matchLabels:
          k8s-app: calico-kube-controllers
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            k8s-app: calico-kube-controllers
          name: calico-kube-controllers
          namespace: kube-system
        spec:
          containers:
            - env:
                - name: ENABLED_CONTROLLERS
                  value: node
                - name: DATASTORE_TYPE
                  value: kubernetes
              # Pinned by tag only; pin by digest if the supply-chain policy for this cluster requires immutable image references.
              image: docker.io/calico/kube-controllers:v3.26.1
              imagePullPolicy: IfNotPresent
              livenessProbe:
                exec:
                  command:
                    - /usr/bin/check-status
                    - -l
                failureThreshold: 6
                initialDelaySeconds: 10
                periodSeconds: 10
                timeoutSeconds: 10
              name: calico-kube-controllers
              readinessProbe:
                exec:
                  command:
                    - /usr/bin/check-status
                    - -r
                periodSeconds: 10
          nodeSelector:
            kubernetes.io/os: linux
          priorityClassName: system-cluster-critical
          serviceAccountName: calico-kube-controllers
          tolerations:
            - key: CriticalAddonsOnly
              operator: Exists
            - effect: NoSchedule
              key: node-role.kubernetes.io/master
            - effect: NoSchedule
              key: node-role.kubernetes.io/control-plane
    ---
    apiVersion: policy/v1
    kind: PodDisruptionBudget
    metadata:
      labels:
        k8s-app: calico-kube-controllers
      name: calico-kube-controllers
      namespace: kube-system
    spec:
      # With replicas: 1 above, this permits eviction of the single replica; it does not protect availability.
      maxUnavailable: 1
      selector:
        matchLabels:
          k8s-app: calico-kube-controllers
    ---
    # Node agent: runs privileged, on the host network, with read-write hostPath mounts of CNI, /sys/fs and /proc.
    # Anyone who can edit this DaemonSet (or pods in kube-system) effectively has root on every node; guard the namespace accordingly.
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      labels:
        k8s-app: calico-node
      name: calico-node
      namespace: kube-system
    spec:
      selector:
        matchLabels:
          k8s-app: calico-node
      template:
        metadata:
          labels:
            k8s-app: calico-node
        spec:
          containers:
            - env:
                - name: FELIX_FEATUREDETECTOVERRIDE
                  value: ChecksumOffloadBroken=true
                - name: CALICO_IPV4POOL_VXLAN
                  value: Always
                - name: DATASTORE_TYPE
                  value: kubernetes
                - name: WAIT_FOR_DATASTORE
                  value: "true"
                - name: NODENAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: CALICO_NETWORKING_BACKEND
                  valueFrom:
                    configMapKeyRef:
                      key: calico_backend
                      name: calico-config
                - name: CLUSTER_TYPE
                  value: k8s,bgp
                - name: IP
                  value: autodetect
                - name: CALICO_IPV4POOL_IPIP
                  value: Never
                - name: CALICO_IPV6POOL_VXLAN
                  value: CrossSubnet
                - name: FELIX_IPINIPMTU
                  valueFrom:
                    configMapKeyRef:
                      key: veth_mtu
                      name: calico-config
                - name: FELIX_VXLANMTU
                  valueFrom:
                    configMapKeyRef:
                      key: veth_mtu
                      name: calico-config
                - name: FELIX_WIREGUARDMTU
                  valueFrom:
                    configMapKeyRef:
                      key: veth_mtu
                      name: calico-config
                # Felix logs go to container stdout only; the CNI plugin still writes /var/log/calico/cni/cni.log (mounted read-only below).
                - name: CALICO_DISABLE_FILE_LOGGING
                  value: "true"
                # Workload-to-host traffic that no policy covers is accepted. Felix's built-in default is Drop; keep this in mind when threat-modelling pod-to-node access.
                - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
                  value: ACCEPT
                - name: FELIX_IPV6SUPPORT
                  value: "false"
                - name: FELIX_HEALTHENABLED
                  value: "true"
              envFrom:
                - configMapRef:
                    name: kubernetes-services-endpoint
                    optional: true
              # Pinned by tag only; pin by digest if the supply-chain policy for this cluster requires immutable image references.
              image: docker.io/calico/node:v3.26.1
              imagePullPolicy: IfNotPresent
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /bin/calico-node
                      - -shutdown
              livenessProbe:
                exec:
                  command:
                    - /bin/calico-node
                    - -felix-live
                failureThreshold: 6
                initialDelaySeconds: 10
                periodSeconds: 10
                timeoutSeconds: 10
              name: calico-node
              readinessProbe:
                exec:
                  command:
                    - /bin/calico-node
                    - -felix-ready
                periodSeconds: 10
                timeoutSeconds: 10
              resources:
                requests:
                  cpu: 250m
              securityContext:
                privileged: true
              volumeMounts:
                # CNI config dir is writable from the main container, not only from install-cni.
                - mountPath: /host/etc/cni/net.d
                  name: cni-net-dir
                  readOnly: false
                - mountPath: /lib/modules
                  name: lib-modules
                  readOnly: true
                - mountPath: /run/xtables.lock
                  name: xtables-lock
                  readOnly: false
                - mountPath: /var/run/calico
                  name: var-run-calico
                  readOnly: false
                - mountPath: /var/lib/calico
                  name: var-lib-calico
                  readOnly: false
                - mountPath: /var/run/nodeagent
                  name: policysync
                - mountPath: /sys/fs/bpf
                  name: bpffs
                - mountPath: /var/log/calico/cni
                  name: cni-log-dir
                  readOnly: true
          hostNetwork: true
          initContainers:
            - command:
                - /opt/cni/bin/calico-ipam
                - -upgrade
              env:
                - name: KUBERNETES_NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: CALICO_NETWORKING_BACKEND
                  valueFrom:
                    configMapKeyRef:
                      key: calico_backend
                      name: calico-config
              envFrom:
                - configMapRef:
                    name: kubernetes-services-endpoint
                    optional: true
              image: docker.io/calico/cni:v3.26.1
              imagePullPolicy: IfNotPresent
              name: upgrade-ipam
              securityContext:
                privileged: true
              volumeMounts:
                - mountPath: /var/lib/cni/networks
                  name: host-local-net-dir
                - mountPath: /host/opt/cni/bin
                  name: cni-bin-dir
            # Installs the CNI binaries and writes the conflist from calico-config into the host's /etc/cni/net.d.
            - command:
                - /opt/cni/bin/install
              env:
                - name: CNI_CONF_NAME
                  value: 10-calico.conflist
                - name: CNI_NETWORK_CONFIG
                  valueFrom:
                    configMapKeyRef:
                      key: cni_network_config
                      name: calico-config
                - name: KUBERNETES_NODE_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: spec.nodeName
                - name: CNI_MTU
                  valueFrom:
                    configMapKeyRef:
                      key: veth_mtu
                      name: calico-config
                - name: SLEEP
                  value: "false"
              envFrom:
                - configMapRef:
                    name: kubernetes-services-endpoint
                    optional: true
              image: docker.io/calico/cni:v3.26.1
              imagePullPolicy: IfNotPresent
              name: install-cni
              securityContext:
                privileged: true
              volumeMounts:
                - mountPath: /host/opt/cni/bin
                  name: cni-bin-dir
                - mountPath: /host/etc/cni/net.d
                  name: cni-net-dir
            # Bidirectional propagation lets mounts made here (e.g. under /sys/fs) become visible on the host.
            - command:
                - calico-node
                - -init
                - -best-effort
              image: docker.io/calico/node:v3.26.1
              imagePullPolicy: IfNotPresent
              name: mount-bpffs
              securityContext:
                privileged: true
              volumeMounts:
                - mountPath: /sys/fs
                  mountPropagation: Bidirectional
                  name: sys-fs
                - mountPath: /var/run/calico
                  mountPropagation: Bidirectional
                  name: var-run-calico
                - mountPath: /nodeproc
                  name: nodeproc
                  readOnly: true
          nodeSelector:
            kubernetes.io/os: linux
          priorityClassName: system-node-critical
          serviceAccountName: calico-node
          # Pods are killed immediately on deletion; the preStop hook above is the only orderly-shutdown step.
          terminationGracePeriodSeconds: 0
          tolerations:
            - effect: NoSchedule
              operator: Exists
            - key: CriticalAddonsOnly
              operator: Exists
            - effect: NoExecute
              operator: Exists
          volumes:
            - hostPath:
                path: /lib/modules
              name: lib-modules
            - hostPath:
                path: /var/run/calico
              name: var-run-calico
            - hostPath:
                path: /var/lib/calico
              name: var-lib-calico
            - hostPath:
                path: /run/xtables.lock
                type: FileOrCreate
              name: xtables-lock
            - hostPath:
                path: /sys/fs/
                type: DirectoryOrCreate
              name: sys-fs
            - hostPath:
                path: /sys/fs/bpf
                type: Directory
              name: bpffs
            # Host /proc exposed to the mount-bpffs init container (read-only at the mount).
            - hostPath:
                path: /proc
              name: nodeproc
            - hostPath:
                path: /opt/cni/bin
              name: cni-bin-dir
            - hostPath:
                path: /etc/cni/net.d
              name: cni-net-dir
            - hostPath:
                path: /var/log/calico/cni
              name: cni-log-dir
            - hostPath:
                path: /var/lib/cni/networks
              name: host-local-net-dir
            - hostPath:
                path: /var/run/nodeagent
                type: DirectoryOrCreate
              name: policysync
      updateStrategy:
        rollingUpdate:
          maxUnavailable: 1
        type: RollingUpdate
# Closing keys of the outer ConfigMap that carries the manifest above; the labels/annotations mark it as generated (presumably consumed by a ClusterResourceSet).
kind: ConfigMap
metadata:
  annotations:
    note: generated
  labels:
    type: generated
  name: cni-${CLUSTER_NAME}-calico
  namespace: default