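# test/e2e/data/infrastructure-azure/v1.13.0/cluster-template-prow.yaml
#
# Cluster API (CAPI) / Cluster API Provider Azure (CAPZ) e2e template for the
# prow jobs: one Linux control plane, one Linux MachineDeployment, one Windows
# MachineDeployment, a MachineHealthCheck, a Calico ClusterResourceSet and the
# AzureClusterIdentity the cluster authenticates with.
#
# ${VAR}, ${VAR:=default} and ${VAR:-default} are envsubst-style expressions
# expanded by clusterctl when the template is rendered, not by YAML.
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    # Selected by the ClusterResourceSet below (clusterSelector.matchLabels.cni).
    cni: ${CLUSTER_NAME}-calico
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
        - 192.168.0.0/16
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlane
    name: ${CLUSTER_NAME}-control-plane
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureCluster
    name: ${CLUSTER_NAME}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  # Provenance tags applied to the Azure resources so a job's resources can be
  # traced back to the prow run that created them.
  additionalTags:
    buildProvenance: ${BUILD_PROVENANCE}
    creationTimestamp: ${TIMESTAMP}
    jobName: ${JOB_NAME}
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureClusterIdentity
    name: ${CLUSTER_IDENTITY_NAME}
  location: ${AZURE_LOCATION}
  networkSpec:
    subnets:
      - name: control-plane-subnet
        role: control-plane
      - name: node-subnet
        # Worker egress goes through a NAT gateway rather than instance-level
        # outbound access.
        natGateway:
          name: node-natgateway
        role: node
    vnet:
      name: ${AZURE_VNET_NAME:=${CLUSTER_NAME}-vnet}
  resourceGroup: ${AZURE_RESOURCE_GROUP:=${CLUSTER_NAME}}
  subscriptionID: ${AZURE_SUBSCRIPTION_ID}
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          cloud-config: /etc/kubernetes/azure.json
          cloud-provider: azure
          # Empty default so the flag is still emitted when no gates are requested.
          feature-gates: ${K8S_FEATURE_GATES:-""}
        extraVolumes:
          - hostPath: /etc/kubernetes/azure.json
            mountPath: /etc/kubernetes/azure.json
            name: cloud-config
            readOnly: true
        timeoutForControlPlane: 20m
      controllerManager:
        extraArgs:
          allocate-node-cidrs: "false"
          cloud-config: /etc/kubernetes/azure.json
          cloud-provider: azure
          cluster-name: ${CLUSTER_NAME}
          v: "4"
        extraVolumes:
          - hostPath: /etc/kubernetes/azure.json
            mountPath: /etc/kubernetes/azure.json
            name: cloud-config
            readOnly: true
      etcd:
        local:
          # etcd lives on the dedicated data disk mounted under mounts: below.
          dataDir: /var/lib/etcddisk/etcd
          extraArgs:
            quota-backend-bytes: "8589934592"
    diskSetup:
      filesystems:
        # lun0 is the dataDisks[lun: 0] entry of the control-plane
        # AzureMachineTemplate below; keep the two in sync.
        - device: /dev/disk/azure/scsi1/lun0
          extraOpts:
            - -E
            - lazy_itable_init=1,lazy_journal_init=1
          filesystem: ext4
          label: etcd_disk
        - device: ephemeral0.1
          filesystem: ext4
          label: ephemeral0
          replaceFS: ntfs
      partitions:
        - device: /dev/disk/azure/scsi1/lun0
          layout: true
          overwrite: false
          tableType: gpt
    files:
      # Cloud-provider config, materialised from a Secret the provider manages.
      # NOTE(review): it is consumed as cloud-config by the apiserver,
      # controller-manager and kubelet and presumably carries the cloud
      # credentials, yet is written world-readable (0644); any local user on
      # the node can read it. Kept as upstream generates it — a 0600 mode is
      # worth checking against the hostPath consumers above.
      - contentFrom:
          secret:
            key: control-plane-azure.json
            name: ${CLUSTER_NAME}-control-plane-azure-json
        owner: root:root
        path: /etc/kubernetes/azure.json
        permissions: "0644"
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          azure-container-registry-config: /etc/kubernetes/azure.json
          cloud-config: /etc/kubernetes/azure.json
          cloud-provider: azure
        # cloud-init datasource template: the node registers under its
        # instance hostname.
        name: '{{ ds.meta_data["local_hostname"] }}'
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          azure-container-registry-config: /etc/kubernetes/azure.json
          cloud-config: /etc/kubernetes/azure.json
          cloud-provider: azure
        name: '{{ ds.meta_data["local_hostname"] }}'
    # Each mount is a [label-or-device, mountpoint] pair.
    mounts:
      - - LABEL=etcd_disk
        - /var/lib/etcddisk
    postKubeadmCommands: []
    preKubeadmCommands: []
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: AzureMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
  replicas: ${CONTROL_PLANE_MACHINE_COUNT}
  version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  template:
    spec:
      dataDisks:
        # Surfaces as /dev/disk/azure/scsi1/lun0 for the diskSetup above.
        - diskSizeGB: 256
          lun: 0
          nameSuffix: etcddisk
      osDisk:
        diskSizeGB: 128
        osType: Linux
      # Empty default: no extra SSH key is injected unless the job provides one.
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      vmSize: ${AZURE_CONTROL_PLANE_MACHINE_TYPE}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${WORKER_MACHINE_COUNT}
  selector: {}
  template:
    metadata:
      labels:
        # Matched by the MachineHealthCheck selector below.
        nodepool: pool1
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: AzureMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      osDisk:
        diskSizeGB: 128
        osType: Linux
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      vmSize: ${AZURE_NODE_MACHINE_TYPE}
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      files:
        # Worker-node cloud-provider config; same world-readable mode caveat
        # as the control-plane azure.json.
        - contentFrom:
            secret:
              key: worker-node-azure.json
              name: ${CLUSTER_NAME}-md-0-azure-json
          owner: root:root
          path: /etc/kubernetes/azure.json
          permissions: "0644"
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-config: /etc/kubernetes/azure.json
            cloud-provider: azure
          name: '{{ ds.meta_data["local_hostname"] }}'
      preKubeadmCommands: []
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-win
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  # Windows workers are opt-in: zero replicas unless the job sets the count.
  replicas: ${WINDOWS_WORKER_MACHINE_COUNT:-0}
  selector: {}
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: ${CLUSTER_NAME}-md-win
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: AzureMachineTemplate
        name: ${CLUSTER_NAME}-md-win
      version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  annotations:
    runtime: containerd
  name: ${CLUSTER_NAME}-md-win
  namespace: default
spec:
  template:
    spec:
      osDisk:
        diskSizeGB: 128
        managedDisk:
          storageAccountType: Premium_LRS
        osType: Windows
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      vmSize: ${AZURE_NODE_MACHINE_TYPE}
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-win
  namespace: default
spec:
  template:
    spec:
      files:
        - contentFrom:
            secret:
              key: worker-node-azure.json
              name: ${CLUSTER_NAME}-md-win-azure-json
          owner: root:root
          path: c:/k/azure.json
          permissions: "0644"
        # Excludes the Calico CNI binary from Defender real-time scanning; run
        # from postKubeadmCommands below.
        - content: Add-MpPreference -ExclusionProcess C:/opt/cni/bin/calico.exe
          path: C:/defender-exclude-calico.ps1
          permissions: "0744"
        - content: |
            # /tmp is assumed created and required for upstream e2e tests to pass
            New-Item -ItemType Directory -Force -Path C:\tmp\
          path: C:/create-temp-folder.ps1
          permissions: "0744"
      joinConfiguration:
        nodeRegistration:
          criSocket: npipe:////./pipe/containerd-containerd
          kubeletExtraArgs:
            azure-container-registry-config: c:/k/azure.json
            cloud-config: c:/k/azure.json
            cloud-provider: azure
            # Needed for the HostProcess kube-proxy DaemonSet shipped in the
            # ConfigMap at the end of this file.
            feature-gates: WindowsHostProcessContainers=true
          name: '{{ ds.meta_data["local_hostname"] }}'
      postKubeadmCommands:
        - nssm set kubelet start SERVICE_AUTO_START
        - powershell C:/defender-exclude-calico.ps1
      preKubeadmCommands:
        - powershell C:/create-temp-folder.ps1
      # Local Administrators account for test access. With the empty default
      # the authorised-keys list holds an empty entry rather than a key.
      users:
        - groups: Administrators
          name: capi
          sshAuthorizedKeys:
            - ${AZURE_SSH_PUBLIC_KEY:=""}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineHealthCheck
metadata:
  name: ${CLUSTER_NAME}-mhc-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  # 100% so remediation is never throttled in the e2e run.
  maxUnhealthy: 100%
  selector:
    matchLabels:
      nodepool: pool1
  unhealthyConditions:
    # Condition type presumably set on nodes by the e2e suite itself to trigger
    # remediation deterministically.
    - status: "True"
      timeout: 30s
      type: E2ENodeUnhealthy
---
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: ${CLUSTER_NAME}-calico
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      cni: ${CLUSTER_NAME}-calico
  resources:
    - kind: ConfigMap
      name: cni-${CLUSTER_NAME}-calico
  strategy: ApplyOnce
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  labels:
    # Moved together with the cluster by "clusterctl move".
    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
  name: ${CLUSTER_IDENTITY_NAME}
  namespace: default
spec:
  # Per CAPZ's AzureClusterIdentity semantics an empty object allows
  # AzureClusters in any namespace to use this identity (omitting the field
  # would restrict it to the identity's own namespace). Acceptable for a
  # throw-away e2e cluster; production identities should scope this.
  allowedNamespaces: {}
  clientID: ${AZURE_CLIENT_ID}
  # The service-principal secret itself is referenced, never inlined.
  clientSecret:
    name: ${AZURE_CLUSTER_IDENTITY_SECRET_NAME}
    namespace: ${AZURE_CLUSTER_IDENTITY_SECRET_NAMESPACE}
  tenantID: ${AZURE_TENANT_ID}
  type: ServicePrincipal
---
# CNI ConfigMap applied by the ClusterResourceSet above. data.proxy is the
# Windows kube-proxy DaemonSet (a HostProcess container running as
# NT AUTHORITY\system on the host network, privileged by design); data.resources
# is the Calico install manifest. Both are embedded as folded double-quoted
# strings; the "\ " escapes preserve leading indentation across folds.
apiVersion: v1
data:
  proxy: "apiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n labels:\n k8s-app:
    kube-proxy\n name: kube-proxy-windows\n namespace: kube-system\nspec:\n selector:\n
    \ matchLabels:\n k8s-app: kube-proxy-windows\n template:\n metadata:\n
    \ labels:\n k8s-app: kube-proxy-windows\n spec:\n serviceAccountName:
    kube-proxy\n securityContext:\n windowsOptions:\n hostProcess:
    true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n hostNetwork:
    true\n containers:\n - image: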
sigwindowstools/kube-proxy:${KUBERNETES_VERSION/+/_}-calico-hostprocess\n 360 \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/kube-proxy/start.ps1\"]\n 361 \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/kube-proxy/\"\n name: 362 kube-proxy\n env:\n - name: NODE_NAME\n valueFrom:\n fieldRef:\n 363 \ apiVersion: v1\n fieldPath: spec.nodeName\n - 364 name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: 365 status.podIP\n - name: KUBEPROXY_PATH\n valueFrom:\n configMapKeyRef:\n 366 \ name: windows-kubeproxy-ci\n key: KUBEPROXY_PATH\n 367 \ optional: true\n volumeMounts:\n - mountPath: /var/lib/kube-proxy\n 368 \ name: kube-proxy\n nodeSelector:\n kubernetes.io/os: windows\n 369 \ tolerations:\n - key: CriticalAddonsOnly\n operator: Exists\n 370 \ - operator: Exists\n volumes:\n - configMap:\n name: 371 kube-proxy\n item: \n name: kube-proxy\n updateStrategy:\n 372 \ type: RollingUpdate\n" 373 resources: "---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap 374 is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: 375 v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha 376 is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n 377 \ calico_backend: \"vxlan\"\n # On Azure, the underlying network has an MTU of 378 1400, even though the network interface will have an MTU of 1500.\n # We set 379 this value to 1350 for “physical network MTU size minus 50” since we use VXLAN, 380 which uses a 50-byte header.\n # If enabling Wireguard, this value should be 381 changed to 1340 (Wireguard uses a 60-byte header).\n # https://docs.projectcalico.org/networking/mtu#determine-mtu-size\n 382 \ veth_mtu: \"1350\"\n \n # The CNI network configuration to install on each 383 node. 
The special\n # values in this config will be automatically populated.\n 384 \ cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": 385 \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n 386 \ \"log_level\": \"info\",\n \"log_file_path\": \"/var/log/calico/cni/cni.log\",\n 387 \ \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n 388 \ \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": 389 \"calico-ipam\"\n },\n \"policy\": {\n \"type\": 390 \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": 391 \"__KUBECONFIG_FILEPATH__\"\n }\n },\n {\n \"type\": 392 \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": 393 true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": 394 {\"bandwidth\": true}\n }\n ]\n }\n\n---\n# Source: calico/templates/kdd-crds.yaml\n\n\n---\napiVersion: 395 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 396 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 397 \ name: bgpconfigurations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 398 \ names:\n kind: BGPConfiguration\n listKind: BGPConfigurationList\n plural: 399 bgpconfigurations\n singular: bgpconfiguration\n scope: Cluster\n versions:\n 400 \ - name: v1\n schema:\n openAPIV3Schema:\n description: 401 BGPConfiguration contains the configuration for any BGP routing.\n properties:\n 402 \ apiVersion:\n description: 'APIVersion defines the versioned 403 schema of this representation\n of an object. Servers should convert 404 recognized schemas to the latest\n internal value, and may reject 405 unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 406 \ type: string\n kind:\n description: 'Kind 407 is a string value representing the REST resource this\n object represents. 408 Servers may infer this from the endpoint the client\n submits requests 409 to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 410 \ type: string\n metadata:\n type: object\n 411 \ spec:\n description: BGPConfigurationSpec contains the 412 values of the BGP configuration.\n properties:\n asNumber:\n 413 \ description: 'ASNumber is the default AS number used by a node. 414 [Default:\n 64512]'\n format: int32\n type: 415 integer\n communities:\n description: Communities 416 is a list of BGP community values and their\n arbitrary names 417 for tagging routes.\n items:\n description: 418 Community contains standard or large community value\n and 419 its name.\n properties:\n name:\n description: 420 Name given to community value.\n type: string\n value:\n 421 \ description: Value must be of format `aa:nn` or `aa:nn:mm`.\n 422 \ For standard community use `aa:nn` format, where `aa` 423 and\n `nn` are 16 bit number. For large community use 424 `aa:nn:mm`\n format, where `aa`, `nn` and `mm` are 32 425 bit number. Where,\n `aa` is an AS Number, `nn` and `mm` 426 are per-AS identifier.\n pattern: ^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$\n 427 \ type: string\n type: object\n type: 428 array\n listenPort:\n description: ListenPort 429 is the port where BGP protocol should listen.\n Defaults to 430 179\n maximum: 65535\n minimum: 1\n type: 431 integer\n logSeverityScreen:\n description: 'LogSeverityScreen 432 is the log severity above which logs\n are sent to the stdout. 433 [Default: INFO]'\n type: string\n nodeToNodeMeshEnabled:\n 434 \ description: 'NodeToNodeMeshEnabled sets whether full node to 435 node\n BGP mesh is enabled. 
[Default: true]'\n type: 436 boolean\n prefixAdvertisements:\n description: 437 PrefixAdvertisements contains per-prefix advertisement\n configuration.\n 438 \ items:\n description: PrefixAdvertisement 439 configures advertisement properties\n for the specified CIDR.\n 440 \ properties:\n cidr:\n description: 441 CIDR for which properties should be advertised.\n type: 442 string\n communities:\n description: 443 Communities can be list of either community names\n already 444 defined in `Specs.Communities` or community value\n of 445 format `aa:nn` or `aa:nn:mm`. For standard community use\n `aa:nn` 446 format, where `aa` and `nn` are 16 bit number. For\n large 447 community use `aa:nn:mm` format, where `aa`, `nn` and\n `mm` 448 are 32 bit number. Where,`aa` is an AS Number, `nn` and\n `mm` 449 are per-AS identifier.\n items:\n type: 450 string\n type: array\n type: object\n 451 \ type: array\n serviceClusterIPs:\n description: 452 ServiceClusterIPs are the CIDR blocks from which service\n cluster 453 IPs are allocated. If specified, Calico will advertise these\n blocks, 454 as well as any cluster IPs within them.\n items:\n description: 455 ServiceClusterIPBlock represents a single allowed ClusterIP\n CIDR 456 block.\n properties:\n cidr:\n type: 457 string\n type: object\n type: array\n serviceExternalIPs:\n 458 \ description: ServiceExternalIPs are the CIDR blocks for Kubernetes\n 459 \ Service External IPs. Kubernetes Service ExternalIPs will 460 only be\n advertised if they are within one of these blocks.\n 461 \ items:\n description: ServiceExternalIPBlock 462 represents a single allowed\n External IP CIDR block.\n properties:\n 463 \ cidr:\n type: string\n type: 464 object\n type: array\n serviceLoadBalancerIPs:\n 465 \ description: ServiceLoadBalancerIPs are the CIDR blocks for 466 Kubernetes\n Service LoadBalancer IPs. 
Kubernetes Service status.LoadBalancer.Ingress\n 467 \ IPs will only be advertised if they are within one of these 468 blocks.\n items:\n description: ServiceLoadBalancerIPBlock 469 represents a single allowed\n LoadBalancer IP CIDR block.\n 470 \ properties:\n cidr:\n type: 471 string\n type: object\n type: array\n type: 472 object\n type: object\n served: true\n storage: true\nstatus:\n 473 \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: 474 []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n 475 \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: 476 null\n name: bgppeers.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 477 \ names:\n kind: BGPPeer\n listKind: BGPPeerList\n plural: bgppeers\n 478 \ singular: bgppeer\n scope: Cluster\n versions:\n - name: v1\n schema:\n 479 \ openAPIV3Schema:\n properties:\n apiVersion:\n description: 480 'APIVersion defines the versioned schema of this representation\n of 481 an object. Servers should convert recognized schemas to the latest\n internal 482 value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 483 \ type: string\n kind:\n description: 'Kind 484 is a string value representing the REST resource this\n object represents. 485 Servers may infer this from the endpoint the client\n submits requests 486 to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 487 \ type: string\n metadata:\n type: object\n 488 \ spec:\n description: BGPPeerSpec contains the specification 489 for a BGPPeer resource.\n properties:\n asNumber:\n 490 \ description: The AS Number of the peer.\n format: 491 int32\n type: integer\n keepOriginalNextHop:\n 492 \ description: Option to keep the original nexthop field when 493 routes\n are sent to a BGP Peer. Setting \"true\" configures 494 the selected BGP\n Peers node to use the \"next hop keep;\" 495 instead of \"next hop self;\"(default)\n in the specific branch 496 of the Node on \"bird.cfg\".\n type: boolean\n maxRestartTime:\n 497 \ description: Time to allow for software restart. When specified, 498 this\n is configured as the graceful restart timeout. When 499 not specified,\n the BIRD default of 120s is used.\n type: 500 string\n node:\n description: The node name identifying 501 the Calico node instance that\n is targeted by this peer. If 502 this is not set, and no nodeSelector\n is specified, then this 503 BGP peer selects all nodes in the cluster.\n type: string\n nodeSelector:\n 504 \ description: Selector for the nodes that should have this peering. 505 \ When\n this is set, the Node field must be empty.\n type: 506 string\n password:\n description: Optional BGP 507 password for the peerings generated by this\n BGPPeer resource.\n 508 \ properties:\n secretKeyRef:\n description: 509 Selects a key of a secret in the node pod's namespace.\n properties:\n 510 \ key:\n description: The key of 511 the secret to select from. Must be\n a valid secret 512 key.\n type: string\n name:\n 513 \ description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\n 514 \ TODO: Add other useful fields. 
apiVersion, kind, uid?'\n 515 \ type: string\n optional:\n description: 516 Specify whether the Secret or its key must be\n defined\n 517 \ type: boolean\n required:\n - 518 key\n type: object\n type: object\n peerIP:\n 519 \ description: The IP address of the peer followed by an optional 520 port\n number to peer with. If port number is given, format 521 should be `[<IPv6>]:port`\n or `<IPv4>:<port>` for IPv4. If 522 optional port number is not set,\n and this peer IP and ASNumber 523 belongs to a calico/node with ListenPort\n set in BGPConfiguration, 524 then we use that port to peer.\n type: string\n peerSelector:\n 525 \ description: Selector for the remote nodes to peer with. When 526 this\n is set, the PeerIP and ASNumber fields must be empty. 527 \ For each\n peering between the local node and selected remote 528 nodes, we configure\n an IPv4 peering if both ends have NodeBGPSpec.IPv4Address 529 specified,\n and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address 530 specified. The\n remote AS number comes from the remote node’s 531 NodeBGPSpec.ASNumber,\n or the global default if that is not 532 set.\n type: string\n sourceAddress:\n description: 533 Specifies whether and how to configure a source address\n for 534 the peerings generated by this BGPPeer resource. Default value\n \"UseNodeIP\" 535 means to configure the node IP as the source address. 
\"None\"\n means 536 not to configure a source address.\n type: string\n type: 537 object\n type: object\n served: true\n storage: true\nstatus:\n 538 \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: 539 []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n 540 \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: 541 null\n name: blockaffinities.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 542 \ names:\n kind: BlockAffinity\n listKind: BlockAffinityList\n plural: 543 blockaffinities\n singular: blockaffinity\n scope: Cluster\n versions:\n 544 \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n 545 \ apiVersion:\n description: 'APIVersion defines the versioned 546 schema of this representation\n of an object. Servers should convert 547 recognized schemas to the latest\n internal value, and may reject 548 unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 549 \ type: string\n kind:\n description: 'Kind 550 is a string value representing the REST resource this\n object represents. 551 Servers may infer this from the endpoint the client\n submits requests 552 to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 553 \ type: string\n metadata:\n type: object\n 554 \ spec:\n description: BlockAffinitySpec contains the specification 555 for a BlockAffinity\n resource.\n properties:\n cidr:\n 556 \ type: string\n deleted:\n description: 557 Deleted indicates that this block affinity is being deleted.\n This 558 field is a string for compatibility with older releases that\n mistakenly 559 treat this field as a string.\n type: string\n node:\n 560 \ type: string\n state:\n type: 561 string\n required:\n - cidr\n - deleted\n 562 \ - node\n - state\n type: object\n 563 \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n 564 \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 565 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 566 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 567 \ name: clusterinformations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 568 \ names:\n kind: ClusterInformation\n listKind: ClusterInformationList\n 569 \ plural: clusterinformations\n singular: clusterinformation\n scope: Cluster\n 570 \ versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: 571 ClusterInformation contains the cluster specific information.\n properties:\n 572 \ apiVersion:\n description: 'APIVersion defines the versioned 573 schema of this representation\n of an object. Servers should convert 574 recognized schemas to the latest\n internal value, and may reject 575 unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 576 \ type: string\n kind:\n description: 'Kind 577 is a string value representing the REST resource this\n object represents. 578 Servers may infer this from the endpoint the client\n submits requests 579 to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 580 \ type: string\n metadata:\n type: object\n 581 \ spec:\n description: ClusterInformationSpec contains 582 the values of describing\n the cluster.\n properties:\n 583 \ calicoVersion:\n description: CalicoVersion is 584 the version of Calico that the cluster\n is running\n type: 585 string\n clusterGUID:\n description: ClusterGUID 586 is the GUID of the cluster\n type: string\n clusterType:\n 587 \ description: ClusterType describes the type of the cluster\n 588 \ type: string\n datastoreReady:\n description: 589 DatastoreReady is used during significant datastore migrations\n to 590 signal to components such as Felix that it should wait before\n accessing 591 the datastore.\n type: boolean\n variant:\n description: 592 Variant declares which variant of Calico should be active.\n type: 593 string\n type: object\n type: object\n served: true\n 594 \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n 595 \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: 596 CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: 597 (devel)\n creationTimestamp: null\n name: felixconfigurations.crd.projectcalico.org\nspec:\n 598 \ group: crd.projectcalico.org\n names:\n kind: FelixConfiguration\n listKind: 599 FelixConfigurationList\n plural: felixconfigurations\n singular: felixconfiguration\n 600 \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n 601 \ description: Felix Configuration contains the configuration for Felix.\n 602 \ properties:\n apiVersion:\n description: 'APIVersion 603 defines the versioned schema of this representation\n of an object. 604 Servers should convert recognized schemas to the latest\n internal 605 value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 606 \ type: string\n kind:\n description: 'Kind 607 is a string value representing the REST resource this\n object represents. 608 Servers may infer this from the endpoint the client\n submits requests 609 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 610 \ type: string\n metadata:\n type: object\n 611 \ spec:\n description: FelixConfigurationSpec contains 612 the values of the Felix configuration.\n properties:\n allowIPIPPacketsFromWorkloads:\n 613 \ description: 'AllowIPIPPacketsFromWorkloads controls whether 614 Felix\n will add a rule to drop IPIP encapsulated traffic from 615 workloads\n [Default: false]'\n type: boolean\n 616 \ allowVXLANPacketsFromWorkloads:\n description: 617 'AllowVXLANPacketsFromWorkloads controls whether Felix\n will 618 add a rule to drop VXLAN encapsulated traffic from workloads\n [Default: 619 false]'\n type: boolean\n awsSrcDstCheck:\n description: 620 'Set source-destination-check on AWS EC2 instances. Accepted\n value 621 must be one of \"DoNothing\", \"Enabled\" or \"Disabled\". [Default:\n DoNothing]'\n 622 \ enum:\n - DoNothing\n - 623 Enable\n - Disable\n type: string\n bpfConnectTimeLoadBalancingEnabled:\n 624 \ description: 'BPFConnectTimeLoadBalancingEnabled when in BPF 625 mode,\n controls whether Felix installs the connection-time load 626 balancer. The\n connect-time load balancer is required for the 627 host to be able to\n reach Kubernetes services and it improves 628 the performance of pod-to-service\n connections. The only reason 629 to disable it is for debugging purposes. 
[Default:\n true]'\n 630 \ type: boolean\n bpfDataIfacePattern:\n description: 631 'BPFDataIfacePattern is a regular expression that controls\n which 632 interfaces Felix should attach BPF programs to in order to\n catch 633 traffic to/from the network. This needs to match the interfaces\n that 634 Calico workload traffic flows over as well as any interfaces\n that 635 handle incoming traffic to nodeports and services from outside\n the 636 cluster. It should not match the workload interfaces (usually\n named 637 cali...). [Default: ^(en.*|eth.*|tunl0$)]'\n type: string\n bpfDisableUnprivileged:\n 638 \ description: 'BPFDisableUnprivileged, if enabled, Felix sets 639 the kernel.unprivileged_bpf_disabled\n sysctl to disable unprivileged 640 use of BPF. This ensures that unprivileged\n users cannot access 641 Calico''s BPF maps and cannot insert their own\n BPF programs 642 to interfere with Calico''s. [Default: true]'\n type: boolean\n 643 \ bpfEnabled:\n description: 'BPFEnabled, if enabled 644 Felix will use the BPF dataplane.\n [Default: false]'\n type: 645 boolean\n bpfExtToServiceConnmark:\n description: 646 'BPFExtToServiceConnmark in BPF mode, control a 32bit\n mark 647 that is set on connections from an external client to a local\n service. 648 This mark allows us to control how packets of that connection\n are 649 routed within the host and how is routing interpreted by RPF\n check. 650 [Default: 0]'\n type: integer\n bpfExternalServiceMode:\n 651 \ description: 'BPFExternalServiceMode in BPF mode, controls how 652 connections\n from outside the cluster to services (node ports 653 and cluster IPs)\n are forwarded to remote workloads. If set 654 to \"Tunnel\" then both\n request and response traffic is tunneled 655 to the remote node. If\n set to \"DSR\", the request traffic 656 is tunneled but the response traffic\n is sent directly from 657 the remote node. 
In \"DSR\" mode, the remote\n node appears 658 to use the IP of the ingress node; this requires a\n permissive 659 L2 network. [Default: Tunnel]'\n type: string\n bpfKubeProxyEndpointSlicesEnabled:\n 660 \ description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, 661 controls\n whether Felix's embedded kube-proxy accepts EndpointSlices 662 or not.\n type: boolean\n bpfKubeProxyIptablesCleanupEnabled:\n 663 \ description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled 664 in BPF\n mode, Felix will proactively clean up the upstream Kubernetes 665 kube-proxy''s\n iptables chains. Should only be enabled if kube-proxy 666 is not running. [Default:\n true]'\n type: 667 boolean\n bpfKubeProxyMinSyncPeriod:\n description: 668 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the\n minimum 669 time between updates to the dataplane for Felix''s embedded\n kube-proxy. 670 \ Lower values give reduced set-up latency. Higher values\n reduce 671 Felix CPU usage by batching up more work. [Default: 1s]'\n type: 672 string\n bpfLogLevel:\n description: 'BPFLogLevel 673 controls the log level of the BPF programs\n when in BPF dataplane 674 mode. One of \"Off\", \"Info\", or \"Debug\". The\n logs are 675 emitted to the BPF trace pipe, accessible with the command\n `tc 676 exec bpf debug`. [Default: Off].'\n type: string\n chainInsertMode:\n 677 \ description: 'ChainInsertMode controls whether Felix hooks the 678 kernel’s\n top-level iptables chains by inserting a rule at the 679 top of the\n chain or by appending a rule at the bottom. insert 680 is the safe default\n since it prevents Calico’s rules from being 681 bypassed. If you switch\n to append mode, be sure that the other 682 rules in the chains signal\n acceptance by falling through to 683 the Calico rules, otherwise the\n Calico policy will be bypassed. 
684 [Default: insert]'\n type: string\n dataplaneDriver:\n 685 \ type: string\n debugDisableLogDropping:\n type: 686 boolean\n debugMemoryProfilePath:\n type: string\n 687 \ debugSimulateCalcGraphHangAfter:\n type: string\n 688 \ debugSimulateDataplaneHangAfter:\n type: string\n 689 \ defaultEndpointToHostAction:\n description: 'DefaultEndpointToHostAction 690 controls what happens to\n traffic that goes from a workload 691 endpoint to the host itself (after\n the traffic hits the endpoint 692 egress policy). By default Calico\n blocks traffic from workload 693 endpoints to the host itself with an\n iptables “DROP” action. 694 If you want to allow some or all traffic\n from endpoint to host, 695 set this parameter to RETURN or ACCEPT. Use\n RETURN if you have 696 your own rules in the iptables “INPUT” chain;\n Calico will insert 697 its rules at the top of that chain, then “RETURN”\n packets to 698 the “INPUT” chain once it has completed processing workload\n endpoint 699 egress policy. Use ACCEPT to unconditionally accept packets\n from 700 workloads after processing workload endpoint egress policy.\n [Default: 701 Drop]'\n type: string\n deviceRouteProtocol:\n 702 \ description: This defines the route protocol added to programmed 703 device\n routes, by default this will be RTPROT_BOOT when left 704 blank.\n type: integer\n deviceRouteSourceAddress:\n 705 \ description: This is the source address to use on programmed 706 device\n routes. 
By default the source address is left blank, 707 leaving the\n kernel to choose the source address used.\n type: 708 string\n disableConntrackInvalidCheck:\n type: 709 boolean\n endpointReportingDelay:\n type: string\n 710 \ endpointReportingEnabled:\n type: boolean\n externalNodesList:\n 711 \ description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes\n 712 \ which may source tunnel traffic and have the tunneled traffic 713 be\n accepted at calico nodes.\n items:\n 714 \ type: string\n type: array\n failsafeInboundHostPorts:\n 715 \ description: 'FailsafeInboundHostPorts is a list of UDP/TCP 716 ports\n and CIDRs that Felix will allow incoming traffic to 717 host endpoints\n on irrespective of the security policy. This 718 is useful to avoid\n accidentally cutting off a host with incorrect 719 configuration. For\n back-compatibility, if the protocol is 720 not specified, it defaults\n to \"tcp\". If a CIDR is not specified, 721 it will allow traffic from\n all addresses. To disable all 722 inbound host ports, use the value\n none. The default value 723 allows ssh access and DHCP. [Default: tcp:22,\n udp:68, tcp:179, 724 tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'\n items:\n 725 \ description: ProtoPort is combination of protocol, port, and 726 CIDR.\n Protocol and port must be specified.\n properties:\n 727 \ net:\n type: string\n port:\n 728 \ type: integer\n protocol:\n type: 729 string\n required:\n - port\n - 730 protocol\n type: object\n type: array\n failsafeOutboundHostPorts:\n 731 \ description: 'FailsafeOutboundHostPorts is a list of UDP/TCP 732 ports\n and CIDRs that Felix will allow outgoing traffic from 733 host endpoints\n to irrespective of the security policy. This 734 is useful to avoid\n accidentally cutting off a host with incorrect 735 configuration. For\n back-compatibility, if the protocol is 736 not specified, it defaults\n to \"tcp\". If a CIDR is not specified, 737 it will allow traffic from\n all addresses. 
To disable all 738 outbound host ports, use the value\n none. The default value 739 opens etcd''s standard ports to ensure that\n Felix does not 740 get cut off from etcd as well as allowing DHCP and\n DNS. [Default: 741 tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,\n tcp:6667, 742 udp:53, udp:67]'\n items:\n description: ProtoPort 743 is combination of protocol, port, and CIDR.\n Protocol and 744 port must be specified.\n properties:\n net:\n 745 \ type: string\n port:\n type: 746 integer\n protocol:\n type: string\n 747 \ required:\n - port\n - 748 protocol\n type: object\n type: array\n featureDetectOverride:\n 749 \ description: FeatureDetectOverride is used to override the feature\n 750 \ detection. Values are specified in a comma separated list 751 with no\n spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\".\n 752 \ \"true\" or \"false\" will force the feature, empty or omitted 753 values\n are auto-detected.\n type: string\n 754 \ genericXDPEnabled:\n description: 'GenericXDPEnabled 755 enables Generic XDP so network cards\n that don''t support XDP 756 offload or driver modes can use XDP. This\n is not recommended 757 since it doesn''t provide better performance\n than iptables. 758 [Default: false]'\n type: boolean\n healthEnabled:\n 759 \ type: boolean\n healthHost:\n type: 760 string\n healthPort:\n type: integer\n interfaceExclude:\n 761 \ description: 'InterfaceExclude is a comma-separated list of 762 interfaces\n that Felix should exclude when monitoring for host 763 endpoints. The\n default value ensures that Felix ignores Kubernetes'' 764 IPVS dummy\n interface, which is used internally by kube-proxy. 765 If you want to\n exclude multiple interface names using a single 766 value, the list\n supports regular expressions. For regular expressions 767 you must wrap\n the value with ''/''. 
For example having values 768 ''/^kube/,veth1''\n will exclude all interfaces that begin with 769 ''kube'' and also the\n interface ''veth1''. [Default: kube-ipvs0]'\n 770 \ type: string\n interfacePrefix:\n description: 771 'InterfacePrefix is the interface name prefix that identifies\n workload 772 endpoints and so distinguishes them from host endpoint\n interfaces. 773 Note: in environments other than bare metal, the orchestrators\n configure 774 this appropriately. For example our Kubernetes and Docker\n integrations 775 set the ‘cali’ value, and our OpenStack integration\n sets the 776 ‘tap’ value. [Default: cali]'\n type: string\n interfaceRefreshInterval:\n 777 \ description: InterfaceRefreshInterval is the period at which 778 Felix\n rescans local interfaces to verify their state. The 779 rescan can be\n disabled by setting the interval to 0.\n type: 780 string\n ipipEnabled:\n type: boolean\n ipipMTU:\n 781 \ description: 'IPIPMTU is the MTU to set on the tunnel device. 782 See\n Configuring MTU [Default: 1440]'\n type: 783 integer\n ipsetsRefreshInterval:\n description: 784 'IpsetsRefreshInterval is the period at which Felix re-checks\n all 785 iptables state to ensure that no other process has accidentally\n broken 786 Calico’s rules. Set to 0 to disable iptables refresh. [Default:\n 90s]'\n 787 \ type: string\n iptablesBackend:\n description: 788 IptablesBackend specifies which backend of iptables will\n be 789 used. The default is legacy.\n type: string\n iptablesFilterAllowAction:\n 790 \ type: string\n iptablesLockFilePath:\n description: 791 'IptablesLockFilePath is the location of the iptables\n lock 792 file. You may need to change this if the lock file is not in\n its 793 standard location (for example if you have mapped it into Felix’s\n container 794 at a different path). 
[Default: /run/xtables.lock]'\n type: string\n 795 \ iptablesLockProbeInterval:\n description: 'IptablesLockProbeInterval 796 is the time that Felix will\n wait between attempts to acquire 797 the iptables lock if it is not\n available. Lower values make 798 Felix more responsive when the lock\n is contended, but use more 799 CPU. [Default: 50ms]'\n type: string\n iptablesLockTimeout:\n 800 \ description: 'IptablesLockTimeout is the time that Felix will 801 wait\n for the iptables lock, or 0, to disable. To use this feature, 802 Felix\n must share the iptables lock file with all other processes 803 that\n also take the lock. When running Felix inside a container, 804 this\n requires the /run directory of the host to be mounted 805 into the calico/node\n or calico/felix container. [Default: 0s 806 disabled]'\n type: string\n iptablesMangleAllowAction:\n 807 \ type: string\n iptablesMarkMask:\n description: 808 'IptablesMarkMask is the mask that Felix selects its\n IPTables 809 Mark bits from. Should be a 32 bit hexadecimal number with\n at 810 least 8 bits set, none of which clash with any other mark bits\n in 811 use on the system. [Default: 0xff000000]'\n format: int32\n type: 812 integer\n iptablesNATOutgoingInterfaceFilter:\n type: 813 string\n iptablesPostWriteCheckInterval:\n description: 814 'IptablesPostWriteCheckInterval is the period after Felix\n has 815 done a write to the dataplane that it schedules an extra read\n back 816 in order to check the write was not clobbered by another process.\n This 817 should only occur if another application on the system doesn’t\n respect 818 the iptables lock. [Default: 1s]'\n type: string\n iptablesRefreshInterval:\n 819 \ description: 'IptablesRefreshInterval is the period at which 820 Felix\n re-checks the IP sets in the dataplane to ensure that 821 no other process\n has accidentally broken Calico''s rules. 822 Set to 0 to disable IP\n sets refresh. 
Note: the default for 823 this value is lower than the\n other refresh intervals as a 824 workaround for a Linux kernel bug that\n was fixed in kernel 825 version 4.11. If you are using v4.11 or greater\n you may want 826 to set this to, a higher value to reduce Felix CPU\n usage. 827 [Default: 10s]'\n type: string\n ipv6Support:\n 828 \ type: boolean\n kubeNodePortRanges:\n description: 829 'KubeNodePortRanges holds list of port ranges used for\n service 830 node ports. Only used if felix detects kube-proxy running\n in 831 ipvs mode. Felix uses these ranges to separate host and workload\n traffic. 832 [Default: 30000:32767].'\n items:\n anyOf:\n 833 \ - type: integer\n - type: string\n 834 \ pattern: ^.*\n x-kubernetes-int-or-string: 835 true\n type: array\n logFilePath:\n description: 836 'LogFilePath is the full path to the Felix log. Set to\n none 837 to disable file logging. [Default: /var/log/calico/felix.log]'\n type: 838 string\n logPrefix:\n description: 'LogPrefix 839 is the log prefix that Felix uses when rendering\n LOG rules. 840 [Default: calico-packet]'\n type: string\n logSeverityFile:\n 841 \ description: 'LogSeverityFile is the log severity above which 842 logs\n are sent to the log file. [Default: Info]'\n type: 843 string\n logSeverityScreen:\n description: 'LogSeverityScreen 844 is the log severity above which logs\n are sent to the stdout. 845 [Default: Info]'\n type: string\n logSeveritySys:\n 846 \ description: 'LogSeveritySys is the log severity above which 847 logs\n are sent to the syslog. Set to None for no logging to 848 syslog. [Default:\n Info]'\n type: string\n 849 \ maxIpsetSize:\n type: integer\n metadataAddr:\n 850 \ description: 'MetadataAddr is the IP address or domain name 851 of the\n server that can answer VM queries for cloud-init metadata. 852 In OpenStack,\n this corresponds to the machine running nova-api 853 (or in Ubuntu,\n nova-api-metadata). 
A value of none (case insensitive) 854 means that\n Felix should not set up any NAT rule for the metadata 855 path. [Default:\n 127.0.0.1]'\n type: string\n 856 \ metadataPort:\n description: 'MetadataPort is 857 the port of the metadata server. This,\n combined with global.MetadataAddr 858 (if not ‘None’), is used to set\n up a NAT rule, from 169.254.169.254:80 859 to MetadataAddr:MetadataPort.\n In most cases this should not 860 need to be changed [Default: 8775].'\n type: integer\n mtuIfacePattern:\n 861 \ description: MTUIfacePattern is a regular expression that controls\n 862 \ which interfaces Felix should scan in order to calculate the 863 host's\n MTU. This should not match workload interfaces (usually 864 named cali...).\n type: string\n natOutgoingAddress:\n 865 \ description: NATOutgoingAddress specifies an address to use 866 when performing\n source NAT for traffic in a natOutgoing pool 867 that is leaving the\n network. By default the address used 868 is an address on the interface\n the traffic is leaving on 869 (ie it uses the iptables MASQUERADE target)\n type: string\n 870 \ natPortRange:\n anyOf:\n - 871 type: integer\n - type: string\n description: 872 NATPortRange specifies the range of ports that is used\n for 873 port mapping when doing outgoing NAT. When unset the default\n behavior 874 of the network stack is used.\n pattern: ^.*\n x-kubernetes-int-or-string: 875 true\n netlinkTimeout:\n type: string\n openstackRegion:\n 876 \ description: 'OpenstackRegion is the name of the region that 877 a particular\n Felix belongs to. In a multi-region Calico/OpenStack 878 deployment,\n this must be configured somehow for each Felix 879 (here in the datamodel,\n or in felix.cfg or the environment 880 on each compute node), and must\n match the [calico] openstack_region 881 value configured in neutron.conf\n on each node. 
[Default: Empty]'\n 882 \ type: string\n policySyncPathPrefix:\n description: 883 'PolicySyncPathPrefix is used to by Felix to communicate\n policy 884 changes to external services, like Application layer policy.\n [Default: 885 Empty]'\n type: string\n prometheusGoMetricsEnabled:\n 886 \ description: 'PrometheusGoMetricsEnabled disables Go runtime 887 metrics\n collection, which the Prometheus client does by default, 888 when set\n to false. This reduces the number of metrics reported, 889 reducing\n Prometheus load. [Default: true]'\n type: 890 boolean\n prometheusMetricsEnabled:\n description: 891 'PrometheusMetricsEnabled enables the Prometheus metrics\n server 892 in Felix if set to true. [Default: false]'\n type: boolean\n 893 \ prometheusMetricsHost:\n description: 'PrometheusMetricsHost 894 is the host that the Prometheus\n metrics server should bind 895 to. [Default: empty]'\n type: string\n prometheusMetricsPort:\n 896 \ description: 'PrometheusMetricsPort is the TCP port that the 897 Prometheus\n metrics server should bind to. [Default: 9091]'\n 898 \ type: integer\n prometheusProcessMetricsEnabled:\n 899 \ description: 'PrometheusProcessMetricsEnabled disables process 900 metrics\n collection, which the Prometheus client does by default, 901 when set\n to false. This reduces the number of metrics reported, 902 reducing\n Prometheus load. [Default: true]'\n type: 903 boolean\n removeExternalRoutes:\n description: 904 Whether or not to remove device routes that have not\n been 905 programmed by Felix. Disabling this will allow external applications\n to 906 also add device routes. This is enabled by default which means\n we 907 will remove externally added routes.\n type: boolean\n reportingInterval:\n 908 \ description: 'ReportingInterval is the interval at which Felix 909 reports\n its status into the datastore or 0 to disable. Must 910 be non-zero\n in OpenStack deployments. 
[Default: 30s]'\n type: 911 string\n reportingTTL:\n description: 'ReportingTTL 912 is the time-to-live setting for process-wide\n status reports. 913 [Default: 90s]'\n type: string\n routeRefreshInterval:\n 914 \ description: 'RouterefreshInterval is the period at which Felix 915 re-checks\n the routes in the dataplane to ensure that no other 916 process has\n accidentally broken Calico’s rules. Set to 0 to 917 disable route refresh.\n [Default: 90s]'\n type: 918 string\n routeSource:\n description: 'RouteSource 919 configures where Felix gets its routing\n information. - WorkloadIPs: 920 use workload endpoints to construct\n routes. - CalicoIPAM: the 921 default - use IPAM data to construct routes.'\n type: string\n 922 \ routeTableRange:\n description: Calico programs 923 additional Linux route tables for various\n purposes. RouteTableRange 924 specifies the indices of the route tables\n that Calico should 925 use.\n properties:\n max:\n type: 926 integer\n min:\n type: integer\n required:\n 927 \ - max\n - min\n type: 928 object\n serviceLoopPrevention:\n description: 929 'When service IP advertisement is enabled, prevent routing\n loops 930 to service IPs that are not in use, by dropping or rejecting\n packets 931 that do not get DNAT''d by kube-proxy. Unless set to \"Disabled\",\n in 932 which case such routing loops continue to be allowed. [Default:\n Drop]'\n 933 \ type: string\n sidecarAccelerationEnabled:\n 934 \ description: 'SidecarAccelerationEnabled enables experimental 935 sidecar\n acceleration [Default: false]'\n type: 936 boolean\n usageReportingEnabled:\n description: 937 'UsageReportingEnabled reports anonymous Calico version\n number 938 and cluster size to projectcalico.org. Logs warnings returned\n by 939 the usage server. For example, if a significant security vulnerability\n has 940 been discovered in the version of Calico being used. 
[Default:\n true]'\n 941 \ type: boolean\n usageReportingInitialDelay:\n 942 \ description: 'UsageReportingInitialDelay controls the minimum 943 delay\n before Felix makes a report. [Default: 300s]'\n type: 944 string\n usageReportingInterval:\n description: 945 'UsageReportingInterval controls the interval at which\n Felix 946 makes reports. [Default: 86400s]'\n type: string\n useInternalDataplaneDriver:\n 947 \ type: boolean\n vxlanEnabled:\n type: 948 boolean\n vxlanMTU:\n description: 'VXLANMTU is 949 the MTU to set on the tunnel device. See\n Configuring MTU [Default: 950 1440]'\n type: integer\n vxlanPort:\n type: 951 integer\n vxlanVNI:\n type: integer\n wireguardEnabled:\n 952 \ description: 'WireguardEnabled controls whether Wireguard is 953 enabled.\n [Default: false]'\n type: boolean\n 954 \ wireguardInterfaceName:\n description: 'WireguardInterfaceName 955 specifies the name to use for\n the Wireguard interface. [Default: 956 wg.calico]'\n type: string\n wireguardListeningPort:\n 957 \ description: 'WireguardListeningPort controls the listening 958 port used\n by Wireguard. [Default: 51820]'\n type: 959 integer\n wireguardMTU:\n description: 'WireguardMTU 960 controls the MTU on the Wireguard interface.\n See Configuring 961 MTU [Default: 1420]'\n type: integer\n wireguardRoutingRulePriority:\n 962 \ description: 'WireguardRoutingRulePriority controls the priority 963 value\n to use for the Wireguard routing rule. [Default: 99]'\n 964 \ type: integer\n xdpEnabled:\n description: 965 'XDPEnabled enables XDP acceleration for suitable untracked\n incoming 966 deny rules. [Default: true]'\n type: boolean\n xdpRefreshInterval:\n 967 \ description: 'XDPRefreshInterval is the period at which Felix 968 re-checks\n all XDP state to ensure that no other process has 969 accidentally broken\n Calico''s BPF maps or attached programs. 970 Set to 0 to disable XDP\n refresh. 
[Default: 90s]'\n type: 971 string\n type: object\n type: object\n served: true\n 972 \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n 973 \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: 974 CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: 975 (devel)\n creationTimestamp: null\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n 976 \ group: crd.projectcalico.org\n names:\n kind: GlobalNetworkPolicy\n listKind: 977 GlobalNetworkPolicyList\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n 978 \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n 979 \ properties:\n apiVersion:\n description: 'APIVersion 980 defines the versioned schema of this representation\n of an object. 981 Servers should convert recognized schemas to the latest\n internal 982 value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 983 \ type: string\n kind:\n description: 'Kind 984 is a string value representing the REST resource this\n object represents. 985 Servers may infer this from the endpoint the client\n submits requests 986 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 987 \ type: string\n metadata:\n type: object\n 988 \ spec:\n properties:\n applyOnForward:\n 989 \ description: ApplyOnForward indicates to apply the rules in 990 this policy\n on forward traffic.\n type: 991 boolean\n doNotTrack:\n description: DoNotTrack 992 indicates whether packets matched by the rules\n in this policy 993 should go through the data plane's connection tracking,\n such 994 as Linux conntrack. 
If True, the rules in this policy are\n applied 995 before any data plane connection tracking, and packets allowed\n by 996 this policy are marked as not to be tracked.\n type: boolean\n 997 \ egress:\n description: The ordered set of egress 998 rules. Each rule contains\n a set of packet match criteria 999 and a corresponding action to apply.\n items:\n description: 1000 \"A Rule encapsulates a set of match criteria and an\n action. 1001 \ Both selector-based security Policy and security Profiles\n reference 1002 rules - separated out as a list of rules for both ingress\n and 1003 egress packet matching. \\n Each positive match criteria has\n a 1004 negated version, prefixed with ”Not”. All the match criteria\n within 1005 a rule must be satisfied for a packet to match. A single\n rule 1006 can contain the positive and negative version of a match\n and 1007 both must be satisfied for the rule to match.\"\n properties:\n 1008 \ action:\n type: string\n destination:\n 1009 \ description: Destination contains the match criteria that 1010 apply\n to destination entity.\n properties:\n 1011 \ namespaceSelector:\n description: 1012 \"NamespaceSelector is an optional field that\n contains 1013 a selector expression. Only traffic that originates\n from 1014 (or terminates at) endpoints within the selected\n namespaces 1015 will be matched. When both NamespaceSelector\n and 1016 Selector are defined on the same rule, then only workload\n endpoints 1017 that are matched by both selectors will be selected\n by 1018 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 1019 that the Selector is limited to selecting only\n workload 1020 endpoints in the same namespace as the NetworkPolicy.\n \\n 1021 For NetworkPolicy, `global()` NamespaceSelector implies\n that 1022 the Selector is limited to selecting only GlobalNetworkSet\n or 1023 HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 1024 implies the Selector applies to workload\n endpoints 1025 across all namespaces.\"\n type: string\n nets:\n 1026 \ description: Nets is an optional field that restricts 1027 the\n rule to only apply to traffic that originates 1028 from (or\n terminates at) IP addresses in any of 1029 the given subnets.\n items:\n type: 1030 string\n type: array\n notNets:\n 1031 \ description: NotNets is the negated version of the 1032 Nets\n field.\n items:\n 1033 \ type: string\n type: 1034 array\n notPorts:\n description: 1035 NotPorts is the negated version of the Ports\n field. 1036 Since only some protocols have ports, if any ports\n are 1037 specified it requires the Protocol match in the Rule\n to 1038 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 1039 \ - type: integer\n - 1040 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 1041 true\n type: array\n notSelector:\n 1042 \ description: NotSelector is the negated version of 1043 the Selector\n field. See Selector field for subtleties 1044 with negated\n selectors.\n type: 1045 string\n ports:\n description: 1046 \"Ports is an optional field that restricts\n the rule 1047 to only apply to traffic that has a source (destination)\n port 1048 that matches one of these ranges/values. This value\n is 1049 a list of integers or strings that represent ranges\n of 1050 ports. \\n Since only some protocols have ports, if\n any 1051 ports are specified it requires the Protocol match\n in 1052 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 1053 \ anyOf:\n - type: 1054 integer\n - type: string\n pattern: 1055 ^.*\n x-kubernetes-int-or-string: true\n type: 1056 array\n selector:\n description: 1057 \"Selector is an optional field that contains\n a selector 1058 expression (see Policy for sample syntax).\n \\ Only 1059 traffic that originates from (terminates at) endpoints\n matching 1060 the selector will be matched. 
\\n Note that: in\n addition 1061 to the negated version of the Selector (see NotSelector\n below), 1062 the selector expression syntax itself supports\n negation. 1063 \ The two types of negation are subtly different.\n One 1064 negates the set of matched endpoints, the other negates\n the 1065 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 1066 that are from other Calico-controlled \\tendpoints\n that 1067 do not have the label “my_label”. \\n \\tNotSelector\n = 1068 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 1069 \\tendpoints that do have the label “my_label”.\n \\n 1070 The effect is that the latter will accept packets from\n non-Calico 1071 sources whereas the former is limited to packets\n from 1072 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 1073 \ description: ServiceAccounts is an optional field 1074 that restricts\n the rule to only apply to traffic 1075 that originates from\n (or terminates at) a pod running 1076 as a matching service\n account.\n properties:\n 1077 \ names:\n description: 1078 Names is an optional field that restricts\n the 1079 rule to only apply to traffic that originates\n from 1080 (or terminates at) a pod running as a service\n account 1081 whose name is in the list.\n items:\n type: 1082 string\n type: array\n selector:\n 1083 \ description: Selector is an optional field that 1084 restricts\n the rule to only apply to traffic 1085 that originates\n from (or terminates at) a pod 1086 running as a service\n account that matches the 1087 given label selector. If\n both Names and Selector 1088 are specified then they are\n AND'ed.\n type: 1089 string\n type: object\n services:\n 1090 \ description: \"Services is an optional field that 1091 contains\n options for matching Kubernetes Services. 
1092 If specified,\n only traffic that originates from 1093 or terminates at endpoints\n within the selected 1094 service(s) will be matched, and only\n to/from each 1095 endpoint's port. \\n Services cannot be specified\n on 1096 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 1097 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 1098 valid on egress rules.\"\n properties:\n name:\n 1099 \ description: Name specifies the name of a Kubernetes\n 1100 \ Service to match.\n type: 1101 string\n namespace:\n description: 1102 Namespace specifies the namespace of the\n given 1103 Service. If left empty, the rule will match\n within 1104 this policy's namespace.\n type: string\n type: 1105 object\n type: object\n http:\n description: 1106 HTTP contains match criteria that apply to HTTP\n requests.\n 1107 \ properties:\n methods:\n description: 1108 Methods is an optional field that restricts\n the 1109 rule to apply only to HTTP requests that use one of\n the 1110 listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods 1111 are OR'd together.\n items:\n type: 1112 string\n type: array\n paths:\n 1113 \ description: 'Paths is an optional field that restricts\n 1114 \ the rule to apply to HTTP requests that use one of 1115 the\n listed HTTP Paths. Multiple paths are OR''d together.\n 1116 \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry 1117 may\n ONLY specify either a `exact` or a `prefix` match. 1118 The\n validator will check for it.'\n items:\n 1119 \ description: 'HTTPPath specifies an HTTP path to 1120 match.\n It may be either of the form: exact: <path>: 1121 which matches\n the path exactly or prefix: <path-prefix>: 1122 which matches\n the path prefix'\n properties:\n 1123 \ exact:\n type: 1124 string\n prefix:\n type: 1125 string\n type: object\n type: 1126 array\n type: object\n icmp:\n description: 1127 ICMP is an optional field that restricts the rule\n to 1128 apply to a specific type and code of ICMP traffic. 
This\n should 1129 only be specified if the Protocol field is set to \"ICMP\"\n or 1130 \"ICMPv6\".\n properties:\n code:\n 1131 \ description: Match on a specific ICMP code. If specified,\n 1132 \ the Type value must also be specified. This is a 1133 technical\n limitation imposed by the kernel’s iptables 1134 firewall,\n which Calico uses to enforce the rule.\n 1135 \ type: integer\n type:\n description: 1136 Match on a specific ICMP type. For example\n a value 1137 of 8 refers to ICMP Echo Request (i.e. pings).\n type: 1138 integer\n type: object\n ipVersion:\n 1139 \ description: IPVersion is an optional field that restricts 1140 the\n rule to only match a specific IP version.\n type: 1141 integer\n metadata:\n description: 1142 Metadata contains additional information for this\n rule\n 1143 \ properties:\n annotations:\n 1144 \ additionalProperties:\n type: 1145 string\n description: Annotations is a set of key value 1146 pairs that\n give extra information about the rule\n 1147 \ type: object\n type: object\n 1148 \ notICMP:\n description: NotICMP is 1149 the negated version of the ICMP field.\n properties:\n 1150 \ code:\n description: Match 1151 on a specific ICMP code. If specified,\n the Type 1152 value must also be specified. This is a technical\n limitation 1153 imposed by the kernel’s iptables firewall,\n which 1154 Calico uses to enforce the rule.\n type: integer\n 1155 \ type:\n description: Match 1156 on a specific ICMP type. For example\n a value of 1157 8 refers to ICMP Echo Request (i.e. pings).\n type: 1158 integer\n type: object\n notProtocol:\n 1159 \ anyOf:\n - type: integer\n - 1160 type: string\n description: NotProtocol is the negated 1161 version of the Protocol\n field.\n pattern: 1162 ^.*\n x-kubernetes-int-or-string: true\n protocol:\n 1163 \ anyOf:\n - type: integer\n - 1164 type: string\n description: \"Protocol is an optional field 1165 that restricts the\n rule to only apply to traffic of a 1166 specific IP protocol. 
Required\n if any of the EntityRules 1167 contain Ports (because ports only\n apply to certain protocols). 1168 \\n Must be one of these string\n values: \\\"TCP\\\", 1169 \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" 1170 or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: 1171 true\n source:\n description: Source 1172 contains the match criteria that apply to\n source entity.\n 1173 \ properties:\n namespaceSelector:\n 1174 \ description: \"NamespaceSelector is an optional field 1175 that\n contains a selector expression. Only traffic 1176 that originates\n from (or terminates at) endpoints 1177 within the selected\n namespaces will be matched. When 1178 both NamespaceSelector\n and Selector are defined on 1179 the same rule, then only workload\n endpoints that 1180 are matched by both selectors will be selected\n by 1181 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 1182 that the Selector is limited to selecting only\n workload 1183 endpoints in the same namespace as the NetworkPolicy.\n \\n 1184 For NetworkPolicy, `global()` NamespaceSelector implies\n that 1185 the Selector is limited to selecting only GlobalNetworkSet\n or 1186 HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 1187 implies the Selector applies to workload\n endpoints 1188 across all namespaces.\"\n type: string\n nets:\n 1189 \ description: Nets is an optional field that restricts 1190 the\n rule to only apply to traffic that originates 1191 from (or\n terminates at) IP addresses in any of 1192 the given subnets.\n items:\n type: 1193 string\n type: array\n notNets:\n 1194 \ description: NotNets is the negated version of the 1195 Nets\n field.\n items:\n 1196 \ type: string\n type: 1197 array\n notPorts:\n description: 1198 NotPorts is the negated version of the Ports\n field. 
1199 Since only some protocols have ports, if any ports\n are 1200 specified it requires the Protocol match in the Rule\n to 1201 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 1202 \ - type: integer\n - 1203 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 1204 true\n type: array\n notSelector:\n 1205 \ description: NotSelector is the negated version of 1206 the Selector\n field. See Selector field for subtleties 1207 with negated\n selectors.\n type: 1208 string\n ports:\n description: 1209 \"Ports is an optional field that restricts\n the rule 1210 to only apply to traffic that has a source (destination)\n port 1211 that matches one of these ranges/values. This value\n is 1212 a list of integers or strings that represent ranges\n of 1213 ports. \\n Since only some protocols have ports, if\n any 1214 ports are specified it requires the Protocol match\n in 1215 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 1216 \ anyOf:\n - type: 1217 integer\n - type: string\n pattern: 1218 ^.*\n x-kubernetes-int-or-string: true\n type: 1219 array\n selector:\n description: 1220 \"Selector is an optional field that contains\n a selector 1221 expression (see Policy for sample syntax).\n \\ Only 1222 traffic that originates from (terminates at) endpoints\n matching 1223 the selector will be matched. \\n Note that: in\n addition 1224 to the negated version of the Selector (see NotSelector\n below), 1225 the selector expression syntax itself supports\n negation. 1226 \ The two types of negation are subtly different.\n One 1227 negates the set of matched endpoints, the other negates\n the 1228 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 1229 that are from other Calico-controlled \\tendpoints\n that 1230 do not have the label “my_label”. 
\\n \\tNotSelector\n = 1231 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 1232 \\tendpoints that do have the label “my_label”.\n \\n 1233 The effect is that the latter will accept packets from\n non-Calico 1234 sources whereas the former is limited to packets\n from 1235 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 1236 \ description: ServiceAccounts is an optional field 1237 that restricts\n the rule to only apply to traffic 1238 that originates from\n (or terminates at) a pod running 1239 as a matching service\n account.\n properties:\n 1240 \ names:\n description: 1241 Names is an optional field that restricts\n the 1242 rule to only apply to traffic that originates\n from 1243 (or terminates at) a pod running as a service\n account 1244 whose name is in the list.\n items:\n type: 1245 string\n type: array\n selector:\n 1246 \ description: Selector is an optional field that 1247 restricts\n the rule to only apply to traffic 1248 that originates\n from (or terminates at) a pod 1249 running as a service\n account that matches the 1250 given label selector. If\n both Names and Selector 1251 are specified then they are\n AND'ed.\n type: 1252 string\n type: object\n services:\n 1253 \ description: \"Services is an optional field that 1254 contains\n options for matching Kubernetes Services. 1255 If specified,\n only traffic that originates from 1256 or terminates at endpoints\n within the selected 1257 service(s) will be matched, and only\n to/from each 1258 endpoint's port. \\n Services cannot be specified\n on 1259 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 1260 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 1261 valid on egress rules.\"\n properties:\n name:\n 1262 \ description: Name specifies the name of a Kubernetes\n 1263 \ Service to match.\n type: 1264 string\n namespace:\n description: 1265 Namespace specifies the namespace of the\n given 1266 Service. 
If left empty, the rule will match\n within 1267 this policy's namespace.\n type: string\n type: 1268 object\n type: object\n required:\n 1269 \ - action\n type: object\n type: 1270 array\n ingress:\n description: The ordered set 1271 of ingress rules. Each rule contains\n a set of packet match 1272 criteria and a corresponding action to apply.\n items:\n description: 1273 \"A Rule encapsulates a set of match criteria and an\n action. 1274 \ Both selector-based security Policy and security Profiles\n reference 1275 rules - separated out as a list of rules for both ingress\n and 1276 egress packet matching. \\n Each positive match criteria has\n a 1277 negated version, prefixed with ”Not”. All the match criteria\n within 1278 a rule must be satisfied for a packet to match. A single\n rule 1279 can contain the positive and negative version of a match\n and 1280 both must be satisfied for the rule to match.\"\n properties:\n 1281 \ action:\n type: string\n destination:\n 1282 \ description: Destination contains the match criteria that 1283 apply\n to destination entity.\n properties:\n 1284 \ namespaceSelector:\n description: 1285 \"NamespaceSelector is an optional field that\n contains 1286 a selector expression. Only traffic that originates\n from 1287 (or terminates at) endpoints within the selected\n namespaces 1288 will be matched. When both NamespaceSelector\n and 1289 Selector are defined on the same rule, then only workload\n endpoints 1290 that are matched by both selectors will be selected\n by 1291 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 1292 that the Selector is limited to selecting only\n workload 1293 endpoints in the same namespace as the NetworkPolicy.\n \\n 1294 For NetworkPolicy, `global()` NamespaceSelector implies\n that 1295 the Selector is limited to selecting only GlobalNetworkSet\n or 1296 HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 1297 implies the Selector applies to workload\n endpoints 1298 across all namespaces.\"\n type: string\n nets:\n 1299 \ description: Nets is an optional field that restricts 1300 the\n rule to only apply to traffic that originates 1301 from (or\n terminates at) IP addresses in any of 1302 the given subnets.\n items:\n type: 1303 string\n type: array\n notNets:\n 1304 \ description: NotNets is the negated version of the 1305 Nets\n field.\n items:\n 1306 \ type: string\n type: 1307 array\n notPorts:\n description: 1308 NotPorts is the negated version of the Ports\n field. 1309 Since only some protocols have ports, if any ports\n are 1310 specified it requires the Protocol match in the Rule\n to 1311 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 1312 \ - type: integer\n - 1313 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 1314 true\n type: array\n notSelector:\n 1315 \ description: NotSelector is the negated version of 1316 the Selector\n field. See Selector field for subtleties 1317 with negated\n selectors.\n type: 1318 string\n ports:\n description: 1319 \"Ports is an optional field that restricts\n the rule 1320 to only apply to traffic that has a source (destination)\n port 1321 that matches one of these ranges/values. This value\n is 1322 a list of integers or strings that represent ranges\n of 1323 ports. \\n Since only some protocols have ports, if\n any 1324 ports are specified it requires the Protocol match\n in 1325 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 1326 \ anyOf:\n - type: 1327 integer\n - type: string\n pattern: 1328 ^.*\n x-kubernetes-int-or-string: true\n type: 1329 array\n selector:\n description: 1330 \"Selector is an optional field that contains\n a selector 1331 expression (see Policy for sample syntax).\n \\ Only 1332 traffic that originates from (terminates at) endpoints\n matching 1333 the selector will be matched. 
\\n Note that: in\n addition 1334 to the negated version of the Selector (see NotSelector\n below), 1335 the selector expression syntax itself supports\n negation. 1336 \ The two types of negation are subtly different.\n One 1337 negates the set of matched endpoints, the other negates\n the 1338 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 1339 that are from other Calico-controlled \\tendpoints\n that 1340 do not have the label “my_label”. \\n \\tNotSelector\n = 1341 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 1342 \\tendpoints that do have the label “my_label”.\n \\n 1343 The effect is that the latter will accept packets from\n non-Calico 1344 sources whereas the former is limited to packets\n from 1345 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 1346 \ description: ServiceAccounts is an optional field 1347 that restricts\n the rule to only apply to traffic 1348 that originates from\n (or terminates at) a pod running 1349 as a matching service\n account.\n properties:\n 1350 \ names:\n description: 1351 Names is an optional field that restricts\n the 1352 rule to only apply to traffic that originates\n from 1353 (or terminates at) a pod running as a service\n account 1354 whose name is in the list.\n items:\n type: 1355 string\n type: array\n selector:\n 1356 \ description: Selector is an optional field that 1357 restricts\n the rule to only apply to traffic 1358 that originates\n from (or terminates at) a pod 1359 running as a service\n account that matches the 1360 given label selector. If\n both Names and Selector 1361 are specified then they are\n AND'ed.\n type: 1362 string\n type: object\n services:\n 1363 \ description: \"Services is an optional field that 1364 contains\n options for matching Kubernetes Services. 
1365 If specified,\n only traffic that originates from 1366 or terminates at endpoints\n within the selected 1367 service(s) will be matched, and only\n to/from each 1368 endpoint's port. \\n Services cannot be specified\n on 1369 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 1370 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 1371 valid on egress rules.\"\n properties:\n name:\n 1372 \ description: Name specifies the name of a Kubernetes\n 1373 \ Service to match.\n type: 1374 string\n namespace:\n description: 1375 Namespace specifies the namespace of the\n given 1376 Service. If left empty, the rule will match\n within 1377 this policy's namespace.\n type: string\n type: 1378 object\n type: object\n http:\n description: 1379 HTTP contains match criteria that apply to HTTP\n requests.\n 1380 \ properties:\n methods:\n description: 1381 Methods is an optional field that restricts\n the 1382 rule to apply only to HTTP requests that use one of\n the 1383 listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods 1384 are OR'd together.\n items:\n type: 1385 string\n type: array\n paths:\n 1386 \ description: 'Paths is an optional field that restricts\n 1387 \ the rule to apply to HTTP requests that use one of 1388 the\n listed HTTP Paths. Multiple paths are OR''d together.\n 1389 \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry 1390 may\n ONLY specify either a `exact` or a `prefix` match. 1391 The\n validator will check for it.'\n items:\n 1392 \ description: 'HTTPPath specifies an HTTP path to 1393 match.\n It may be either of the form: exact: <path>: 1394 which matches\n the path exactly or prefix: <path-prefix>: 1395 which matches\n the path prefix'\n properties:\n 1396 \ exact:\n type: 1397 string\n prefix:\n type: 1398 string\n type: object\n type: 1399 array\n type: object\n icmp:\n description: 1400 ICMP is an optional field that restricts the rule\n to 1401 apply to a specific type and code of ICMP traffic. 
This\n should 1402 only be specified if the Protocol field is set to \"ICMP\"\n or 1403 \"ICMPv6\".\n properties:\n code:\n 1404 \ description: Match on a specific ICMP code. If specified,\n 1405 \ the Type value must also be specified. This is a 1406 technical\n limitation imposed by the kernel’s iptables 1407 firewall,\n which Calico uses to enforce the rule.\n 1408 \ type: integer\n type:\n description: 1409 Match on a specific ICMP type. For example\n a value 1410 of 8 refers to ICMP Echo Request (i.e. pings).\n type: 1411 integer\n type: object\n ipVersion:\n 1412 \ description: IPVersion is an optional field that restricts 1413 the\n rule to only match a specific IP version.\n type: 1414 integer\n metadata:\n description: 1415 Metadata contains additional information for this\n rule\n 1416 \ properties:\n annotations:\n 1417 \ additionalProperties:\n type: 1418 string\n description: Annotations is a set of key value 1419 pairs that\n give extra information about the rule\n 1420 \ type: object\n type: object\n 1421 \ notICMP:\n description: NotICMP is 1422 the negated version of the ICMP field.\n properties:\n 1423 \ code:\n description: Match 1424 on a specific ICMP code. If specified,\n the Type 1425 value must also be specified. This is a technical\n limitation 1426 imposed by the kernel’s iptables firewall,\n which 1427 Calico uses to enforce the rule.\n type: integer\n 1428 \ type:\n description: Match 1429 on a specific ICMP type. For example\n a value of 1430 8 refers to ICMP Echo Request (i.e. pings).\n type: 1431 integer\n type: object\n notProtocol:\n 1432 \ anyOf:\n - type: integer\n - 1433 type: string\n description: NotProtocol is the negated 1434 version of the Protocol\n field.\n pattern: 1435 ^.*\n x-kubernetes-int-or-string: true\n protocol:\n 1436 \ anyOf:\n - type: integer\n - 1437 type: string\n description: \"Protocol is an optional field 1438 that restricts the\n rule to only apply to traffic of a 1439 specific IP protocol. 
Required\n if any of the EntityRules 1440 contain Ports (because ports only\n apply to certain protocols). 1441 \\n Must be one of these string\n values: \\\"TCP\\\", 1442 \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" 1443 or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: 1444 true\n source:\n description: Source 1445 contains the match criteria that apply to\n source entity.\n 1446 \ properties:\n namespaceSelector:\n 1447 \ description: \"NamespaceSelector is an optional field 1448 that\n contains a selector expression. Only traffic 1449 that originates\n from (or terminates at) endpoints 1450 within the selected\n namespaces will be matched. When 1451 both NamespaceSelector\n and Selector are defined on 1452 the same rule, then only workload\n endpoints that 1453 are matched by both selectors will be selected\n by 1454 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 1455 that the Selector is limited to selecting only\n workload 1456 endpoints in the same namespace as the NetworkPolicy.\n \\n 1457 For NetworkPolicy, `global()` NamespaceSelector implies\n that 1458 the Selector is limited to selecting only GlobalNetworkSet\n or 1459 HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 1460 implies the Selector applies to workload\n endpoints 1461 across all namespaces.\"\n type: string\n nets:\n 1462 \ description: Nets is an optional field that restricts 1463 the\n rule to only apply to traffic that originates 1464 from (or\n terminates at) IP addresses in any of 1465 the given subnets.\n items:\n type: 1466 string\n type: array\n notNets:\n 1467 \ description: NotNets is the negated version of the 1468 Nets\n field.\n items:\n 1469 \ type: string\n type: 1470 array\n notPorts:\n description: 1471 NotPorts is the negated version of the Ports\n field. 
1472 Since only some protocols have ports, if any ports\n are 1473 specified it requires the Protocol match in the Rule\n to 1474 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 1475 \ - type: integer\n - 1476 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 1477 true\n type: array\n notSelector:\n 1478 \ description: NotSelector is the negated version of 1479 the Selector\n field. See Selector field for subtleties 1480 with negated\n selectors.\n type: 1481 string\n ports:\n description: 1482 \"Ports is an optional field that restricts\n the rule 1483 to only apply to traffic that has a source (destination)\n port 1484 that matches one of these ranges/values. This value\n is 1485 a list of integers or strings that represent ranges\n of 1486 ports. \\n Since only some protocols have ports, if\n any 1487 ports are specified it requires the Protocol match\n in 1488 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 1489 \ anyOf:\n - type: 1490 integer\n - type: string\n pattern: 1491 ^.*\n x-kubernetes-int-or-string: true\n type: 1492 array\n selector:\n description: 1493 \"Selector is an optional field that contains\n a selector 1494 expression (see Policy for sample syntax).\n \\ Only 1495 traffic that originates from (terminates at) endpoints\n matching 1496 the selector will be matched. \\n Note that: in\n addition 1497 to the negated version of the Selector (see NotSelector\n below), 1498 the selector expression syntax itself supports\n negation. 1499 \ The two types of negation are subtly different.\n One 1500 negates the set of matched endpoints, the other negates\n the 1501 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 1502 that are from other Calico-controlled \\tendpoints\n that 1503 do not have the label “my_label”. 
\\n \\tNotSelector\n = 1504 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 1505 \\tendpoints that do have the label “my_label”.\n \\n 1506 The effect is that the latter will accept packets from\n non-Calico 1507 sources whereas the former is limited to packets\n from 1508 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 1509 \ description: ServiceAccounts is an optional field 1510 that restricts\n the rule to only apply to traffic 1511 that originates from\n (or terminates at) a pod running 1512 as a matching service\n account.\n properties:\n 1513 \ names:\n description: 1514 Names is an optional field that restricts\n the 1515 rule to only apply to traffic that originates\n from 1516 (or terminates at) a pod running as a service\n account 1517 whose name is in the list.\n items:\n type: 1518 string\n type: array\n selector:\n 1519 \ description: Selector is an optional field that 1520 restricts\n the rule to only apply to traffic 1521 that originates\n from (or terminates at) a pod 1522 running as a service\n account that matches the 1523 given label selector. If\n both Names and Selector 1524 are specified then they are\n AND'ed.\n type: 1525 string\n type: object\n services:\n 1526 \ description: \"Services is an optional field that 1527 contains\n options for matching Kubernetes Services. 1528 If specified,\n only traffic that originates from 1529 or terminates at endpoints\n within the selected 1530 service(s) will be matched, and only\n to/from each 1531 endpoint's port. \\n Services cannot be specified\n on 1532 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 1533 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 1534 valid on egress rules.\"\n properties:\n name:\n 1535 \ description: Name specifies the name of a Kubernetes\n 1536 \ Service to match.\n type: 1537 string\n namespace:\n description: 1538 Namespace specifies the namespace of the\n given 1539 Service. 
If left empty, the rule will match\n within 1540 this policy's namespace.\n type: string\n type: 1541 object\n type: object\n required:\n 1542 \ - action\n type: object\n type: 1543 array\n namespaceSelector:\n description: NamespaceSelector 1544 is an optional field for an expression\n used to select a pod 1545 based on namespaces.\n type: string\n order:\n 1546 \ description: Order is an optional field that specifies the order 1547 in\n which the policy is applied. Policies with higher \"order\" 1548 are applied\n after those with lower order. If the order is 1549 omitted, it may be\n considered to be \"infinite\" - i.e. the 1550 policy will be applied last. Policies\n with identical order 1551 will be applied in alphanumerical order based\n on the Policy 1552 \"Name\".\n type: number\n preDNAT:\n description: 1553 PreDNAT indicates to apply the rules in this policy before\n any 1554 DNAT.\n type: boolean\n selector:\n description: 1555 \"The selector is an expression used to pick pick out\n the endpoints 1556 that the policy should be applied to. \\n Selector\n expressions 1557 follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n \\ 1558 -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel != \\\"string_literal\\\"\n 1559 \ \\ -> not equal; also matches if label is not present \\tlabel 1560 in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", ... } -> true if the 1561 value of label X is\n one of \\\"a\\\", \\\"b\\\", \\\"c\\\" 1562 \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... } -> 1563 \ true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" 1564 \\thas(label_name) -> True if that label is present \\t! expr\n -> 1565 negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || 1566 expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or 1567 the empty selector -> matches all endpoints. \\n Label names are\n allowed 1568 to contain alphanumerics, -, _ and /. 
String literals are\n more 1569 permissive but they do not support escape characters. \\n Examples\n (with 1570 made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == 1571 \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n 1572 \ \\\"dev\\\" \\t! has(label_name)\"\n type: 1573 string\n serviceAccountSelector:\n description: 1574 ServiceAccountSelector is an optional field for an expression\n used 1575 to select a pod based on service accounts.\n type: string\n types:\n 1576 \ description: \"Types indicates whether this policy applies to 1577 ingress,\n or to egress, or to both. When not explicitly specified 1578 (and so\n the value on creation is empty or nil), Calico defaults 1579 Types according\n to what Ingress and Egress rules are present 1580 in the policy. The\n default is: \\n - [ PolicyTypeIngress ], 1581 if there are no Egress rules\n (including the case where there 1582 are also no Ingress rules) \\n\n - [ PolicyTypeEgress ], if 1583 there are Egress rules but no Ingress\n rules \\n - [ PolicyTypeIngress, 1584 PolicyTypeEgress ], if there are\n both Ingress and Egress rules. 
1585 \\n When the policy is read back again,\n Types will always be 1586 one of these values, never empty or nil.\"\n items:\n description: 1587 PolicyType enumerates the possible values of the PolicySpec\n Types 1588 field.\n type: string\n type: array\n type: 1589 object\n type: object\n served: true\n storage: true\nstatus:\n 1590 \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: 1591 []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n 1592 \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: 1593 null\n name: globalnetworksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1594 \ names:\n kind: GlobalNetworkSet\n listKind: GlobalNetworkSetList\n plural: 1595 globalnetworksets\n singular: globalnetworkset\n scope: Cluster\n versions:\n 1596 \ - name: v1\n schema:\n openAPIV3Schema:\n description: 1597 GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs\n that 1598 share labels to allow rules to refer to them via selectors. The labels\n of 1599 GlobalNetworkSet are not namespaced.\n properties:\n apiVersion:\n 1600 \ description: 'APIVersion defines the versioned schema of this representation\n 1601 \ of an object. Servers should convert recognized schemas to the latest\n 1602 \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1603 \ type: string\n kind:\n description: 'Kind 1604 is a string value representing the REST resource this\n object represents. 1605 Servers may infer this from the endpoint the client\n submits requests 1606 to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1607 \ type: string\n metadata:\n type: object\n 1608 \ spec:\n description: GlobalNetworkSetSpec contains the 1609 specification for a NetworkSet\n resource.\n properties:\n 1610 \ nets:\n description: The list of IP networks 1611 that belong to this set.\n items:\n type: 1612 string\n type: array\n type: object\n type: 1613 object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: 1614 \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 1615 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 1616 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 1617 \ name: hostendpoints.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1618 \ names:\n kind: HostEndpoint\n listKind: HostEndpointList\n plural: 1619 hostendpoints\n singular: hostendpoint\n scope: Cluster\n versions:\n - 1620 name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n 1621 \ description: 'APIVersion defines the versioned schema of this representation\n 1622 \ of an object. Servers should convert recognized schemas to the latest\n 1623 \ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1624 \ type: string\n kind:\n description: 'Kind 1625 is a string value representing the REST resource this\n object represents. 1626 Servers may infer this from the endpoint the client\n submits requests 1627 to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1628 \ type: string\n metadata:\n type: object\n 1629 \ spec:\n description: HostEndpointSpec contains the specification 1630 for a HostEndpoint\n resource.\n properties:\n expectedIPs:\n 1631 \ description: \"The expected IP addresses (IPv4 and IPv6) of 1632 the endpoint.\n If \\\"InterfaceName\\\" is not present, Calico 1633 will look for an interface\n matching any of the IPs in the list 1634 and apply policy to that. Note:\n \\tWhen using the selector 1635 match criteria in an ingress or egress\n security Policy \\tor 1636 Profile, Calico converts the selector into\n a set of IP addresses. 1637 For host \\tendpoints, the ExpectedIPs field\n is used for that 1638 purpose. (If only the interface \\tname is specified,\n Calico 1639 does not learn the IPs of the interface for use in match\n \\tcriteria.)\"\n 1640 \ items:\n type: string\n type: 1641 array\n interfaceName:\n description: \"Either 1642 \\\"*\\\", or the name of a specific Linux interface\n to apply 1643 policy to; or empty. \\\"*\\\" indicates that this HostEndpoint\n governs 1644 all traffic to, from or through the default network namespace\n of 1645 the host named by the \\\"Node\\\" field; entering and leaving that\n namespace 1646 via any interface, including those from/to non-host-networked\n local 1647 workloads. \\n If InterfaceName is not \\\"*\\\", this HostEndpoint\n only 1648 governs traffic that enters or leaves the host through the\n specific 1649 interface named by InterfaceName, or - when InterfaceName\n is 1650 empty - through the specific interface that has one of the IPs\n in 1651 ExpectedIPs. Therefore, when InterfaceName is empty, at least\n one 1652 expected IP must be specified. 
Only external interfaces (such\n as 1653 “eth0”) are supported here; it isn't possible for a HostEndpoint\n to 1654 protect traffic through a specific local workload interface.\n \\n 1655 Note: Only some kinds of policy are implemented for \\\"*\\\" HostEndpoints;\n 1656 \ initially just pre-DNAT policy. Please check Calico documentation\n 1657 \ for the latest position.\"\n type: string\n 1658 \ node:\n description: The node name identifying 1659 the Calico node instance.\n type: string\n ports:\n 1660 \ description: Ports contains the endpoint's named ports, which 1661 may\n be referenced in security policy rules.\n items:\n 1662 \ properties:\n name:\n type: 1663 string\n port:\n type: integer\n protocol:\n 1664 \ anyOf:\n - type: integer\n - 1665 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 1666 true\n required:\n - name\n - 1667 port\n - protocol\n type: object\n type: 1668 array\n profiles:\n description: A list of identifiers 1669 of security Profile objects that\n apply to this endpoint. 1670 Each profile is applied in the order that\n they appear in 1671 this list. Profile rules are applied after the selector-based\n security 1672 policy.\n items:\n type: string\n type: 1673 array\n type: object\n type: object\n served: true\n 1674 \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n 1675 \ conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: 1676 CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: 1677 (devel)\n creationTimestamp: null\n name: ipamblocks.crd.projectcalico.org\nspec:\n 1678 \ group: crd.projectcalico.org\n names:\n kind: IPAMBlock\n listKind: IPAMBlockList\n 1679 \ plural: ipamblocks\n singular: ipamblock\n scope: Cluster\n versions:\n 1680 \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n 1681 \ apiVersion:\n description: 'APIVersion defines the versioned 1682 schema of this representation\n of an object. 
Servers should convert 1683 recognized schemas to the latest\n internal value, and may reject 1684 unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1685 \ type: string\n kind:\n description: 'Kind 1686 is a string value representing the REST resource this\n object represents. 1687 Servers may infer this from the endpoint the client\n submits requests 1688 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1689 \ type: string\n metadata:\n type: object\n 1690 \ spec:\n description: IPAMBlockSpec contains the specification 1691 for an IPAMBlock\n resource.\n properties:\n affinity:\n 1692 \ type: string\n allocations:\n items:\n 1693 \ type: integer\n # TODO: This nullable is 1694 manually added in. We should update controller-gen\n # to handle 1695 []*int properly itself.\n nullable: true\n type: 1696 array\n attributes:\n items:\n properties:\n 1697 \ handle_id:\n type: string\n secondary:\n 1698 \ additionalProperties:\n type: 1699 string\n type: object\n type: object\n 1700 \ type: array\n cidr:\n type: 1701 string\n deleted:\n type: boolean\n strictAffinity:\n 1702 \ type: boolean\n unallocated:\n items:\n 1703 \ type: integer\n type: array\n required:\n 1704 \ - allocations\n - attributes\n - 1705 cidr\n - strictAffinity\n - unallocated\n type: 1706 object\n type: object\n served: true\n storage: true\nstatus:\n 1707 \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: 1708 []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n 1709 \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: 1710 null\n name: ipamconfigs.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1711 \ names:\n kind: IPAMConfig\n listKind: IPAMConfigList\n plural: ipamconfigs\n 1712 \ singular: ipamconfig\n 
scope: Cluster\n versions:\n - name: v1\n schema:\n 1713 \ openAPIV3Schema:\n properties:\n apiVersion:\n description: 1714 'APIVersion defines the versioned schema of this representation\n of 1715 an object. Servers should convert recognized schemas to the latest\n internal 1716 value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1717 \ type: string\n kind:\n description: 'Kind 1718 is a string value representing the REST resource this\n object represents. 1719 Servers may infer this from the endpoint the client\n submits requests 1720 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1721 \ type: string\n metadata:\n type: object\n 1722 \ spec:\n description: IPAMConfigSpec contains the specification 1723 for an IPAMConfig\n resource.\n properties:\n autoAllocateBlocks:\n 1724 \ type: boolean\n maxBlocksPerHost:\n description: 1725 MaxBlocksPerHost, if non-zero, is the max number of blocks\n that 1726 can be affine to each host.\n type: integer\n strictAffinity:\n 1727 \ type: boolean\n required:\n - autoAllocateBlocks\n 1728 \ - strictAffinity\n type: object\n type: 1729 object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: 1730 \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 1731 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 1732 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 1733 \ name: ipamhandles.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1734 \ names:\n kind: IPAMHandle\n listKind: IPAMHandleList\n plural: ipamhandles\n 1735 \ singular: ipamhandle\n scope: Cluster\n versions:\n - name: v1\n schema:\n 1736 \ openAPIV3Schema:\n properties:\n apiVersion:\n description: 1737 'APIVersion defines the versioned schema of this 
representation\n of 1738 an object. Servers should convert recognized schemas to the latest\n internal 1739 value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1740 \ type: string\n kind:\n description: 'Kind 1741 is a string value representing the REST resource this\n object represents. 1742 Servers may infer this from the endpoint the client\n submits requests 1743 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1744 \ type: string\n metadata:\n type: object\n 1745 \ spec:\n description: IPAMHandleSpec contains the specification 1746 for an IPAMHandle\n resource.\n properties:\n block:\n 1747 \ additionalProperties:\n type: integer\n type: 1748 object\n deleted:\n type: boolean\n handleID:\n 1749 \ type: string\n required:\n - block\n 1750 \ - handleID\n type: object\n type: object\n 1751 \ served: true\n storage: true\nstatus:\n acceptedNames:\n kind: 1752 \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 1753 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 1754 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 1755 \ name: ippools.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1756 \ names:\n kind: IPPool\n listKind: IPPoolList\n plural: ippools\n singular: 1757 ippool\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n 1758 \ properties:\n apiVersion:\n description: 'APIVersion 1759 defines the versioned schema of this representation\n of an object. 1760 Servers should convert recognized schemas to the latest\n internal 1761 value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1762 \ type: string\n kind:\n description: 'Kind 1763 is a string value representing the REST resource this\n object represents. 1764 Servers may infer this from the endpoint the client\n submits requests 1765 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1766 \ type: string\n metadata:\n type: object\n 1767 \ spec:\n description: IPPoolSpec contains the specification 1768 for an IPPool resource.\n properties:\n blockSize:\n 1769 \ description: The block size to use for IP address assignments 1770 from\n this pool. Defaults to 26 for IPv4 and 112 for IPv6.\n 1771 \ type: integer\n cidr:\n description: 1772 The pool CIDR.\n type: string\n disabled:\n description: 1773 When disabled is true, Calico IPAM will not assign addresses\n from 1774 this pool.\n type: boolean\n ipip:\n description: 1775 'Deprecated: this field is only used for APIv1 backwards\n compatibility. 1776 Setting this field is not allowed, this field is\n for internal 1777 use only.'\n properties:\n enabled:\n description: 1778 When enabled is true, ipip tunneling will be used\n to 1779 deliver packets to destinations within this pool.\n type: 1780 boolean\n mode:\n description: The IPIP 1781 mode. This can be one of \"always\" or \"cross-subnet\". A\n mode 1782 of \"always\" will also use IPIP tunneling for routing to\n destination 1783 IP addresses within this pool. A mode of \"cross-subnet\"\n will 1784 only use IPIP tunneling when the destination node is on\n a 1785 different subnet to the originating node. The default value\n (if 1786 not specified) is \"always\".\n type: string\n type: 1787 object\n ipipMode:\n description: Contains configuration 1788 for IPIP tunneling for this pool.\n If not specified, then 1789 this is defaulted to \"Never\" (i.e. 
IPIP tunneling\n is disabled).\n 1790 \ type: string\n nat-outgoing:\n description: 1791 'Deprecated: this field is only used for APIv1 backwards\n compatibility. 1792 Setting this field is not allowed, this field is\n for internal 1793 use only.'\n type: boolean\n natOutgoing:\n description: 1794 When nat-outgoing is true, packets sent from Calico networked\n containers 1795 in this pool to destinations outside of this pool will\n be 1796 masqueraded.\n type: boolean\n nodeSelector:\n 1797 \ description: Allows IPPool to allocate for a specific node by 1798 label\n selector.\n type: string\n vxlanMode:\n 1799 \ description: Contains configuration for VXLAN tunneling for 1800 this pool.\n If not specified, then this is defaulted to \"Never\" 1801 (i.e. VXLAN\n tunneling is disabled).\n type: 1802 string\n required:\n - cidr\n type: object\n 1803 \ type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n 1804 \ kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 1805 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 1806 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 1807 \ name: kubecontrollersconfigurations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1808 \ names:\n kind: KubeControllersConfiguration\n listKind: KubeControllersConfigurationList\n 1809 \ plural: kubecontrollersconfigurations\n singular: kubecontrollersconfiguration\n 1810 \ scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n 1811 \ properties:\n apiVersion:\n description: 'APIVersion 1812 defines the versioned schema of this representation\n of an object. 1813 Servers should convert recognized schemas to the latest\n internal 1814 value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1815 \ type: string\n kind:\n description: 'Kind 1816 is a string value representing the REST resource this\n object represents. 1817 Servers may infer this from the endpoint the client\n submits requests 1818 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1819 \ type: string\n metadata:\n type: object\n 1820 \ spec:\n description: KubeControllersConfigurationSpec 1821 contains the values of the\n Kubernetes controllers configuration.\n 1822 \ properties:\n controllers:\n description: 1823 Controllers enables and configures individual Kubernetes\n controllers\n 1824 \ properties:\n namespace:\n description: 1825 Namespace enables and configures the namespace controller.\n Enabled 1826 by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n 1827 \ description: 'ReconcilerPeriod is the period to perform 1828 reconciliation\n with the Calico datastore. [Default: 1829 5m]'\n type: string\n type: object\n 1830 \ node:\n description: Node enables and 1831 configures the node controller.\n Enabled by default, set 1832 to nil to disable.\n properties:\n hostEndpoint:\n 1833 \ description: HostEndpoint controls syncing nodes to 1834 host endpoints.\n Disabled by default, set to nil to 1835 disable.\n properties:\n autoCreate:\n 1836 \ description: 'AutoCreate enables automatic creation 1837 of\n host endpoints for every node. [Default: Disabled]'\n 1838 \ type: string\n type: object\n 1839 \ reconcilerPeriod:\n description: 1840 'ReconcilerPeriod is the period to perform reconciliation\n with 1841 the Calico datastore. [Default: 5m]'\n type: string\n 1842 \ syncLabels:\n description: 'SyncLabels 1843 controls whether to copy Kubernetes\n node labels to 1844 Calico nodes. 
[Default: Enabled]'\n type: string\n type: 1845 object\n policy:\n description: Policy 1846 enables and configures the policy controller.\n Enabled 1847 by default, set to nil to disable.\n properties:\n reconcilerPeriod:\n 1848 \ description: 'ReconcilerPeriod is the period to perform 1849 reconciliation\n with the Calico datastore. [Default: 1850 5m]'\n type: string\n type: object\n 1851 \ serviceAccount:\n description: ServiceAccount 1852 enables and configures the service\n account controller. 1853 Enabled by default, set to nil to disable.\n properties:\n 1854 \ reconcilerPeriod:\n description: 1855 'ReconcilerPeriod is the period to perform reconciliation\n with 1856 the Calico datastore. [Default: 5m]'\n type: string\n 1857 \ type: object\n workloadEndpoint:\n description: 1858 WorkloadEndpoint enables and configures the workload\n endpoint 1859 controller. Enabled by default, set to nil to disable.\n properties:\n 1860 \ reconcilerPeriod:\n description: 1861 'ReconcilerPeriod is the period to perform reconciliation\n with 1862 the Calico datastore. [Default: 5m]'\n type: string\n 1863 \ type: object\n type: object\n etcdV3CompactionPeriod:\n 1864 \ description: 'EtcdV3CompactionPeriod is the period between etcdv3\n 1865 \ compaction requests. Set to 0 to disable. [Default: 10m]'\n 1866 \ type: string\n healthChecks:\n description: 1867 'HealthChecks enables or disables support for health\n checks 1868 [Default: Enabled]'\n type: string\n logSeverityScreen:\n 1869 \ description: 'LogSeverityScreen is the log severity above which 1870 logs\n are sent to the stdout. [Default: Info]'\n type: 1871 string\n prometheusMetricsPort:\n description: 1872 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics 1873 server should bind to. Set to 0 to disable. [Default: 9094]'\n type: 1874 integer\n required:\n - controllers\n type: 1875 object\n status:\n description: KubeControllersConfigurationStatus 1876 represents the status\n of the configuration. 
It's useful for admins 1877 to be able to see the actual\n config that was applied, which can 1878 be modified by environment variables\n on the kube-controllers 1879 process.\n properties:\n environmentVars:\n additionalProperties:\n 1880 \ type: string\n description: EnvironmentVars 1881 contains the environment variables on\n the kube-controllers 1882 that influenced the RunningConfig.\n type: object\n runningConfig:\n 1883 \ description: RunningConfig contains the effective config that 1884 is running\n in the kube-controllers pod, after merging the 1885 API resource with\n any environment variables.\n properties:\n 1886 \ controllers:\n description: Controllers 1887 enables and configures individual Kubernetes\n controllers\n 1888 \ properties:\n namespace:\n description: 1889 Namespace enables and configures the namespace\n controller. 1890 Enabled by default, set to nil to disable.\n properties:\n 1891 \ reconcilerPeriod:\n description: 1892 'ReconcilerPeriod is the period to perform\n reconciliation 1893 with the Calico datastore. [Default:\n 5m]'\n type: 1894 string\n type: object\n node:\n 1895 \ description: Node enables and configures the node controller.\n 1896 \ Enabled by default, set to nil to disable.\n properties:\n 1897 \ hostEndpoint:\n description: 1898 HostEndpoint controls syncing nodes to host\n endpoints. 1899 Disabled by default, set to nil to disable.\n properties:\n 1900 \ autoCreate:\n description: 1901 'AutoCreate enables automatic creation\n of host 1902 endpoints for every node. [Default: Disabled]'\n type: 1903 string\n type: object\n leakGracePeriod:\n 1904 \ description: 'LeakGracePeriod is the period used 1905 by the\n controller to determine if an IP address 1906 has been leaked.\n Set to 0 to disable IP garbage 1907 collection. [Default:\n 15m]'\n type: 1908 string\n reconcilerPeriod:\n description: 1909 'ReconcilerPeriod is the period to perform\n reconciliation 1910 with the Calico datastore. 
[Default:\n 5m]'\n type: 1911 string\n syncLabels:\n description: 1912 'SyncLabels controls whether to copy Kubernetes\n node 1913 labels to Calico nodes. [Default: Enabled]'\n type: 1914 string\n type: object\n policy:\n 1915 \ description: Policy enables and configures the policy 1916 controller.\n Enabled by default, set to nil to disable.\n 1917 \ properties:\n reconcilerPeriod:\n 1918 \ description: 'ReconcilerPeriod is the period to 1919 perform\n reconciliation with the Calico datastore. 1920 [Default:\n 5m]'\n type: 1921 string\n type: object\n serviceAccount:\n 1922 \ description: ServiceAccount enables and configures the 1923 service\n account controller. Enabled by default, set 1924 to nil to disable.\n properties:\n reconcilerPeriod:\n 1925 \ description: 'ReconcilerPeriod is the period to 1926 perform\n reconciliation with the Calico datastore. 1927 [Default:\n 5m]'\n type: 1928 string\n type: object\n workloadEndpoint:\n 1929 \ description: WorkloadEndpoint enables and configures 1930 the workload\n endpoint controller. Enabled by default, 1931 set to nil to disable.\n properties:\n reconcilerPeriod:\n 1932 \ description: 'ReconcilerPeriod is the period to 1933 perform\n reconciliation with the Calico datastore. 1934 [Default:\n 5m]'\n type: 1935 string\n type: object\n type: object\n 1936 \ etcdV3CompactionPeriod:\n description: 1937 'EtcdV3CompactionPeriod is the period between etcdv3\n compaction 1938 requests. Set to 0 to disable. [Default: 10m]'\n type: string\n 1939 \ healthChecks:\n description: 'HealthChecks 1940 enables or disables support for health\n checks [Default: 1941 Enabled]'\n type: string\n logSeverityScreen:\n 1942 \ description: 'LogSeverityScreen is the log severity above 1943 which\n logs are sent to the stdout. [Default: Info]'\n type: 1944 string\n prometheusMetricsPort:\n description: 1945 'PrometheusMetricsPort is the TCP port that the Prometheus\n metrics 1946 server should bind to. Set to 0 to disable. 
[Default:\n 9094]'\n 1947 \ type: integer\n required:\n - 1948 controllers\n type: object\n type: object\n type: 1949 object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: 1950 \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n\n---\n\n---\napiVersion: 1951 apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n 1952 \ controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n 1953 \ name: networkpolicies.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 1954 \ names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: 1955 networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n 1956 \ - name: v1\n schema:\n openAPIV3Schema:\n properties:\n 1957 \ apiVersion:\n description: 'APIVersion defines the versioned 1958 schema of this representation\n of an object. Servers should convert 1959 recognized schemas to the latest\n internal value, and may reject 1960 unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 1961 \ type: string\n kind:\n description: 'Kind 1962 is a string value representing the REST resource this\n object represents. 1963 Servers may infer this from the endpoint the client\n submits requests 1964 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 1965 \ type: string\n metadata:\n type: object\n 1966 \ spec:\n properties:\n egress:\n description: 1967 The ordered set of egress rules. Each rule contains\n a set 1968 of packet match criteria and a corresponding action to apply.\n items:\n 1969 \ description: \"A Rule encapsulates a set of match criteria 1970 and an\n action. Both selector-based security Policy and security 1971 Profiles\n reference rules - separated out as a list of rules 1972 for both ingress\n and egress packet matching. 
\\n Each positive 1973 match criteria has\n a negated version, prefixed with ”Not”. 1974 All the match criteria\n within a rule must be satisfied for 1975 a packet to match. A single\n rule can contain the positive 1976 and negative version of a match\n and both must be satisfied 1977 for the rule to match.\"\n properties:\n action:\n 1978 \ type: string\n destination:\n description: 1979 Destination contains the match criteria that apply\n to 1980 destination entity.\n properties:\n namespaceSelector:\n 1981 \ description: \"NamespaceSelector is an optional field 1982 that\n contains a selector expression. Only traffic 1983 that originates\n from (or terminates at) endpoints 1984 within the selected\n namespaces will be matched. When 1985 both NamespaceSelector\n and Selector are defined on 1986 the same rule, then only workload\n endpoints that 1987 are matched by both selectors will be selected\n by 1988 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 1989 that the Selector is limited to selecting only\n workload 1990 endpoints in the same namespace as the NetworkPolicy.\n \\n 1991 For NetworkPolicy, `global()` NamespaceSelector implies\n that 1992 the Selector is limited to selecting only GlobalNetworkSet\n or 1993 HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 1994 implies the Selector applies to workload\n endpoints 1995 across all namespaces.\"\n type: string\n nets:\n 1996 \ description: Nets is an optional field that restricts 1997 the\n rule to only apply to traffic that originates 1998 from (or\n terminates at) IP addresses in any of 1999 the given subnets.\n items:\n type: 2000 string\n type: array\n notNets:\n 2001 \ description: NotNets is the negated version of the 2002 Nets\n field.\n items:\n 2003 \ type: string\n type: 2004 array\n notPorts:\n description: 2005 NotPorts is the negated version of the Ports\n field. 
2006 Since only some protocols have ports, if any ports\n are 2007 specified it requires the Protocol match in the Rule\n to 2008 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 2009 \ - type: integer\n - 2010 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 2011 true\n type: array\n notSelector:\n 2012 \ description: NotSelector is the negated version of 2013 the Selector\n field. See Selector field for subtleties 2014 with negated\n selectors.\n type: 2015 string\n ports:\n description: 2016 \"Ports is an optional field that restricts\n the rule 2017 to only apply to traffic that has a source (destination)\n port 2018 that matches one of these ranges/values. This value\n is 2019 a list of integers or strings that represent ranges\n of 2020 ports. \\n Since only some protocols have ports, if\n any 2021 ports are specified it requires the Protocol match\n in 2022 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 2023 \ anyOf:\n - type: 2024 integer\n - type: string\n pattern: 2025 ^.*\n x-kubernetes-int-or-string: true\n type: 2026 array\n selector:\n description: 2027 \"Selector is an optional field that contains\n a selector 2028 expression (see Policy for sample syntax).\n \\ Only 2029 traffic that originates from (terminates at) endpoints\n matching 2030 the selector will be matched. \\n Note that: in\n addition 2031 to the negated version of the Selector (see NotSelector\n below), 2032 the selector expression syntax itself supports\n negation. 2033 \ The two types of negation are subtly different.\n One 2034 negates the set of matched endpoints, the other negates\n the 2035 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 2036 that are from other Calico-controlled \\tendpoints\n that 2037 do not have the label “my_label”. 
\\n \\tNotSelector\n = 2038 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 2039 \\tendpoints that do have the label “my_label”.\n \\n 2040 The effect is that the latter will accept packets from\n non-Calico 2041 sources whereas the former is limited to packets\n from 2042 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 2043 \ description: ServiceAccounts is an optional field 2044 that restricts\n the rule to only apply to traffic 2045 that originates from\n (or terminates at) a pod running 2046 as a matching service\n account.\n properties:\n 2047 \ names:\n description: 2048 Names is an optional field that restricts\n the 2049 rule to only apply to traffic that originates\n from 2050 (or terminates at) a pod running as a service\n account 2051 whose name is in the list.\n items:\n type: 2052 string\n type: array\n selector:\n 2053 \ description: Selector is an optional field that 2054 restricts\n the rule to only apply to traffic 2055 that originates\n from (or terminates at) a pod 2056 running as a service\n account that matches the 2057 given label selector. If\n both Names and Selector 2058 are specified then they are\n AND'ed.\n type: 2059 string\n type: object\n services:\n 2060 \ description: \"Services is an optional field that 2061 contains\n options for matching Kubernetes Services. 2062 If specified,\n only traffic that originates from 2063 or terminates at endpoints\n within the selected 2064 service(s) will be matched, and only\n to/from each 2065 endpoint's port. \\n Services cannot be specified\n on 2066 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 2067 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 2068 valid on egress rules.\"\n properties:\n name:\n 2069 \ description: Name specifies the name of a Kubernetes\n 2070 \ Service to match.\n type: 2071 string\n namespace:\n description: 2072 Namespace specifies the namespace of the\n given 2073 Service. 
If left empty, the rule will match\n within 2074 this policy's namespace.\n type: string\n type: 2075 object\n type: object\n http:\n description: 2076 HTTP contains match criteria that apply to HTTP\n requests.\n 2077 \ properties:\n methods:\n description: 2078 Methods is an optional field that restricts\n the 2079 rule to apply only to HTTP requests that use one of\n the 2080 listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods 2081 are OR'd together.\n items:\n type: 2082 string\n type: array\n paths:\n 2083 \ description: 'Paths is an optional field that restricts\n 2084 \ the rule to apply to HTTP requests that use one of 2085 the\n listed HTTP Paths. Multiple paths are OR''d together.\n 2086 \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry 2087 may\n ONLY specify either a `exact` or a `prefix` match. 2088 The\n validator will check for it.'\n items:\n 2089 \ description: 'HTTPPath specifies an HTTP path to 2090 match.\n It may be either of the form: exact: <path>: 2091 which matches\n the path exactly or prefix: <path-prefix>: 2092 which matches\n the path prefix'\n properties:\n 2093 \ exact:\n type: 2094 string\n prefix:\n type: 2095 string\n type: object\n type: 2096 array\n type: object\n icmp:\n description: 2097 ICMP is an optional field that restricts the rule\n to 2098 apply to a specific type and code of ICMP traffic. This\n should 2099 only be specified if the Protocol field is set to \"ICMP\"\n or 2100 \"ICMPv6\".\n properties:\n code:\n 2101 \ description: Match on a specific ICMP code. If specified,\n 2102 \ the Type value must also be specified. This is a 2103 technical\n limitation imposed by the kernel’s iptables 2104 firewall,\n which Calico uses to enforce the rule.\n 2105 \ type: integer\n type:\n description: 2106 Match on a specific ICMP type. For example\n a value 2107 of 8 refers to ICMP Echo Request (i.e. 
pings).\n type: 2108 integer\n type: object\n ipVersion:\n 2109 \ description: IPVersion is an optional field that restricts 2110 the\n rule to only match a specific IP version.\n type: 2111 integer\n metadata:\n description: 2112 Metadata contains additional information for this\n rule\n 2113 \ properties:\n annotations:\n 2114 \ additionalProperties:\n type: 2115 string\n description: Annotations is a set of key value 2116 pairs that\n give extra information about the rule\n 2117 \ type: object\n type: object\n 2118 \ notICMP:\n description: NotICMP is 2119 the negated version of the ICMP field.\n properties:\n 2120 \ code:\n description: Match 2121 on a specific ICMP code. If specified,\n the Type 2122 value must also be specified. This is a technical\n limitation 2123 imposed by the kernel’s iptables firewall,\n which 2124 Calico uses to enforce the rule.\n type: integer\n 2125 \ type:\n description: Match 2126 on a specific ICMP type. For example\n a value of 2127 8 refers to ICMP Echo Request (i.e. pings).\n type: 2128 integer\n type: object\n notProtocol:\n 2129 \ anyOf:\n - type: integer\n - 2130 type: string\n description: NotProtocol is the negated 2131 version of the Protocol\n field.\n pattern: 2132 ^.*\n x-kubernetes-int-or-string: true\n protocol:\n 2133 \ anyOf:\n - type: integer\n - 2134 type: string\n description: \"Protocol is an optional field 2135 that restricts the\n rule to only apply to traffic of a 2136 specific IP protocol. Required\n if any of the EntityRules 2137 contain Ports (because ports only\n apply to certain protocols). 
2138 \\n Must be one of these string\n values: \\\"TCP\\\", 2139 \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" 2140 or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: 2141 true\n source:\n description: Source 2142 contains the match criteria that apply to\n source entity.\n 2143 \ properties:\n namespaceSelector:\n 2144 \ description: \"NamespaceSelector is an optional field 2145 that\n contains a selector expression. Only traffic 2146 that originates\n from (or terminates at) endpoints 2147 within the selected\n namespaces will be matched. When 2148 both NamespaceSelector\n and Selector are defined on 2149 the same rule, then only workload\n endpoints that 2150 are matched by both selectors will be selected\n by 2151 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 2152 that the Selector is limited to selecting only\n workload 2153 endpoints in the same namespace as the NetworkPolicy.\n \\n 2154 For NetworkPolicy, `global()` NamespaceSelector implies\n that 2155 the Selector is limited to selecting only GlobalNetworkSet\n or 2156 HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 2157 implies the Selector applies to workload\n endpoints 2158 across all namespaces.\"\n type: string\n nets:\n 2159 \ description: Nets is an optional field that restricts 2160 the\n rule to only apply to traffic that originates 2161 from (or\n terminates at) IP addresses in any of 2162 the given subnets.\n items:\n type: 2163 string\n type: array\n notNets:\n 2164 \ description: NotNets is the negated version of the 2165 Nets\n field.\n items:\n 2166 \ type: string\n type: 2167 array\n notPorts:\n description: 2168 NotPorts is the negated version of the Ports\n field. 
2169 Since only some protocols have ports, if any ports\n are 2170 specified it requires the Protocol match in the Rule\n to 2171 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 2172 \ - type: integer\n - 2173 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 2174 true\n type: array\n notSelector:\n 2175 \ description: NotSelector is the negated version of 2176 the Selector\n field. See Selector field for subtleties 2177 with negated\n selectors.\n type: 2178 string\n ports:\n description: 2179 \"Ports is an optional field that restricts\n the rule 2180 to only apply to traffic that has a source (destination)\n port 2181 that matches one of these ranges/values. This value\n is 2182 a list of integers or strings that represent ranges\n of 2183 ports. \\n Since only some protocols have ports, if\n any 2184 ports are specified it requires the Protocol match\n in 2185 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 2186 \ anyOf:\n - type: 2187 integer\n - type: string\n pattern: 2188 ^.*\n x-kubernetes-int-or-string: true\n type: 2189 array\n selector:\n description: 2190 \"Selector is an optional field that contains\n a selector 2191 expression (see Policy for sample syntax).\n \\ Only 2192 traffic that originates from (terminates at) endpoints\n matching 2193 the selector will be matched. \\n Note that: in\n addition 2194 to the negated version of the Selector (see NotSelector\n below), 2195 the selector expression syntax itself supports\n negation. 2196 \ The two types of negation are subtly different.\n One 2197 negates the set of matched endpoints, the other negates\n the 2198 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 2199 that are from other Calico-controlled \\tendpoints\n that 2200 do not have the label “my_label”. 
\\n \\tNotSelector\n = 2201 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 2202 \\tendpoints that do have the label “my_label”.\n \\n 2203 The effect is that the latter will accept packets from\n non-Calico 2204 sources whereas the former is limited to packets\n from 2205 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 2206 \ description: ServiceAccounts is an optional field 2207 that restricts\n the rule to only apply to traffic 2208 that originates from\n (or terminates at) a pod running 2209 as a matching service\n account.\n properties:\n 2210 \ names:\n description: 2211 Names is an optional field that restricts\n the 2212 rule to only apply to traffic that originates\n from 2213 (or terminates at) a pod running as a service\n account 2214 whose name is in the list.\n items:\n type: 2215 string\n type: array\n selector:\n 2216 \ description: Selector is an optional field that 2217 restricts\n the rule to only apply to traffic 2218 that originates\n from (or terminates at) a pod 2219 running as a service\n account that matches the 2220 given label selector. If\n both Names and Selector 2221 are specified then they are\n AND'ed.\n type: 2222 string\n type: object\n services:\n 2223 \ description: \"Services is an optional field that 2224 contains\n options for matching Kubernetes Services. 2225 If specified,\n only traffic that originates from 2226 or terminates at endpoints\n within the selected 2227 service(s) will be matched, and only\n to/from each 2228 endpoint's port. \\n Services cannot be specified\n on 2229 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 2230 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 2231 valid on egress rules.\"\n properties:\n name:\n 2232 \ description: Name specifies the name of a Kubernetes\n 2233 \ Service to match.\n type: 2234 string\n namespace:\n description: 2235 Namespace specifies the namespace of the\n given 2236 Service. 
If left empty, the rule will match\n within 2237 this policy's namespace.\n type: string\n type: 2238 object\n type: object\n required:\n 2239 \ - action\n type: object\n type: 2240 array\n ingress:\n description: The ordered set 2241 of ingress rules. Each rule contains\n a set of packet match 2242 criteria and a corresponding action to apply.\n items:\n description: 2243 \"A Rule encapsulates a set of match criteria and an\n action. 2244 \ Both selector-based security Policy and security Profiles\n reference 2245 rules - separated out as a list of rules for both ingress\n and 2246 egress packet matching. \\n Each positive match criteria has\n a 2247 negated version, prefixed with ”Not”. All the match criteria\n within 2248 a rule must be satisfied for a packet to match. A single\n rule 2249 can contain the positive and negative version of a match\n and 2250 both must be satisfied for the rule to match.\"\n properties:\n 2251 \ action:\n type: string\n destination:\n 2252 \ description: Destination contains the match criteria that 2253 apply\n to destination entity.\n properties:\n 2254 \ namespaceSelector:\n description: 2255 \"NamespaceSelector is an optional field that\n contains 2256 a selector expression. Only traffic that originates\n from 2257 (or terminates at) endpoints within the selected\n namespaces 2258 will be matched. When both NamespaceSelector\n and 2259 Selector are defined on the same rule, then only workload\n endpoints 2260 that are matched by both selectors will be selected\n by 2261 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 2262 that the Selector is limited to selecting only\n workload 2263 endpoints in the same namespace as the NetworkPolicy.\n \\n 2264 For NetworkPolicy, `global()` NamespaceSelector implies\n that 2265 the Selector is limited to selecting only GlobalNetworkSet\n or 2266 HostEndpoint. 
\\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 2267 implies the Selector applies to workload\n endpoints 2268 across all namespaces.\"\n type: string\n nets:\n 2269 \ description: Nets is an optional field that restricts 2270 the\n rule to only apply to traffic that originates 2271 from (or\n terminates at) IP addresses in any of 2272 the given subnets.\n items:\n type: 2273 string\n type: array\n notNets:\n 2274 \ description: NotNets is the negated version of the 2275 Nets\n field.\n items:\n 2276 \ type: string\n type: 2277 array\n notPorts:\n description: 2278 NotPorts is the negated version of the Ports\n field. 2279 Since only some protocols have ports, if any ports\n are 2280 specified it requires the Protocol match in the Rule\n to 2281 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 2282 \ - type: integer\n - 2283 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 2284 true\n type: array\n notSelector:\n 2285 \ description: NotSelector is the negated version of 2286 the Selector\n field. See Selector field for subtleties 2287 with negated\n selectors.\n type: 2288 string\n ports:\n description: 2289 \"Ports is an optional field that restricts\n the rule 2290 to only apply to traffic that has a source (destination)\n port 2291 that matches one of these ranges/values. This value\n is 2292 a list of integers or strings that represent ranges\n of 2293 ports. \\n Since only some protocols have ports, if\n any 2294 ports are specified it requires the Protocol match\n in 2295 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 2296 \ anyOf:\n - type: 2297 integer\n - type: string\n pattern: 2298 ^.*\n x-kubernetes-int-or-string: true\n type: 2299 array\n selector:\n description: 2300 \"Selector is an optional field that contains\n a selector 2301 expression (see Policy for sample syntax).\n \\ Only 2302 traffic that originates from (terminates at) endpoints\n matching 2303 the selector will be matched. 
\\n Note that: in\n addition 2304 to the negated version of the Selector (see NotSelector\n below), 2305 the selector expression syntax itself supports\n negation. 2306 \ The two types of negation are subtly different.\n One 2307 negates the set of matched endpoints, the other negates\n the 2308 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 2309 that are from other Calico-controlled \\tendpoints\n that 2310 do not have the label “my_label”. \\n \\tNotSelector\n = 2311 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 2312 \\tendpoints that do have the label “my_label”.\n \\n 2313 The effect is that the latter will accept packets from\n non-Calico 2314 sources whereas the former is limited to packets\n from 2315 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 2316 \ description: ServiceAccounts is an optional field 2317 that restricts\n the rule to only apply to traffic 2318 that originates from\n (or terminates at) a pod running 2319 as a matching service\n account.\n properties:\n 2320 \ names:\n description: 2321 Names is an optional field that restricts\n the 2322 rule to only apply to traffic that originates\n from 2323 (or terminates at) a pod running as a service\n account 2324 whose name is in the list.\n items:\n type: 2325 string\n type: array\n selector:\n 2326 \ description: Selector is an optional field that 2327 restricts\n the rule to only apply to traffic 2328 that originates\n from (or terminates at) a pod 2329 running as a service\n account that matches the 2330 given label selector. If\n both Names and Selector 2331 are specified then they are\n AND'ed.\n type: 2332 string\n type: object\n services:\n 2333 \ description: \"Services is an optional field that 2334 contains\n options for matching Kubernetes Services. 
2335 If specified,\n only traffic that originates from 2336 or terminates at endpoints\n within the selected 2337 service(s) will be matched, and only\n to/from each 2338 endpoint's port. \\n Services cannot be specified\n on 2339 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 2340 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 2341 valid on egress rules.\"\n properties:\n name:\n 2342 \ description: Name specifies the name of a Kubernetes\n 2343 \ Service to match.\n type: 2344 string\n namespace:\n description: 2345 Namespace specifies the namespace of the\n given 2346 Service. If left empty, the rule will match\n within 2347 this policy's namespace.\n type: string\n type: 2348 object\n type: object\n http:\n description: 2349 HTTP contains match criteria that apply to HTTP\n requests.\n 2350 \ properties:\n methods:\n description: 2351 Methods is an optional field that restricts\n the 2352 rule to apply only to HTTP requests that use one of\n the 2353 listed HTTP Methods (e.g. GET, PUT, etc.) Multiple\n methods 2354 are OR'd together.\n items:\n type: 2355 string\n type: array\n paths:\n 2356 \ description: 'Paths is an optional field that restricts\n 2357 \ the rule to apply to HTTP requests that use one of 2358 the\n listed HTTP Paths. Multiple paths are OR''d together.\n 2359 \ e.g: - exact: /foo - prefix: /bar NOTE: Each entry 2360 may\n ONLY specify either a `exact` or a `prefix` match. 2361 The\n validator will check for it.'\n items:\n 2362 \ description: 'HTTPPath specifies an HTTP path to 2363 match.\n It may be either of the form: exact: <path>: 2364 which matches\n the path exactly or prefix: <path-prefix>: 2365 which matches\n the path prefix'\n properties:\n 2366 \ exact:\n type: 2367 string\n prefix:\n type: 2368 string\n type: object\n type: 2369 array\n type: object\n icmp:\n description: 2370 ICMP is an optional field that restricts the rule\n to 2371 apply to a specific type and code of ICMP traffic. 
This\n should 2372 only be specified if the Protocol field is set to \"ICMP\"\n or 2373 \"ICMPv6\".\n properties:\n code:\n 2374 \ description: Match on a specific ICMP code. If specified,\n 2375 \ the Type value must also be specified. This is a 2376 technical\n limitation imposed by the kernel’s iptables 2377 firewall,\n which Calico uses to enforce the rule.\n 2378 \ type: integer\n type:\n description: 2379 Match on a specific ICMP type. For example\n a value 2380 of 8 refers to ICMP Echo Request (i.e. pings).\n type: 2381 integer\n type: object\n ipVersion:\n 2382 \ description: IPVersion is an optional field that restricts 2383 the\n rule to only match a specific IP version.\n type: 2384 integer\n metadata:\n description: 2385 Metadata contains additional information for this\n rule\n 2386 \ properties:\n annotations:\n 2387 \ additionalProperties:\n type: 2388 string\n description: Annotations is a set of key value 2389 pairs that\n give extra information about the rule\n 2390 \ type: object\n type: object\n 2391 \ notICMP:\n description: NotICMP is 2392 the negated version of the ICMP field.\n properties:\n 2393 \ code:\n description: Match 2394 on a specific ICMP code. If specified,\n the Type 2395 value must also be specified. This is a technical\n limitation 2396 imposed by the kernel’s iptables firewall,\n which 2397 Calico uses to enforce the rule.\n type: integer\n 2398 \ type:\n description: Match 2399 on a specific ICMP type. For example\n a value of 2400 8 refers to ICMP Echo Request (i.e. pings).\n type: 2401 integer\n type: object\n notProtocol:\n 2402 \ anyOf:\n - type: integer\n - 2403 type: string\n description: NotProtocol is the negated 2404 version of the Protocol\n field.\n pattern: 2405 ^.*\n x-kubernetes-int-or-string: true\n protocol:\n 2406 \ anyOf:\n - type: integer\n - 2407 type: string\n description: \"Protocol is an optional field 2408 that restricts the\n rule to only apply to traffic of a 2409 specific IP protocol. 
Required\n if any of the EntityRules 2410 contain Ports (because ports only\n apply to certain protocols). 2411 \\n Must be one of these string\n values: \\\"TCP\\\", 2412 \\\"UDP\\\", \\\"ICMP\\\", \\\"ICMPv6\\\", \\\"SCTP\\\",\n \\\"UDPLite\\\" 2413 or an integer in the range 1-255.\"\n pattern: ^.*\n x-kubernetes-int-or-string: 2414 true\n source:\n description: Source 2415 contains the match criteria that apply to\n source entity.\n 2416 \ properties:\n namespaceSelector:\n 2417 \ description: \"NamespaceSelector is an optional field 2418 that\n contains a selector expression. Only traffic 2419 that originates\n from (or terminates at) endpoints 2420 within the selected\n namespaces will be matched. When 2421 both NamespaceSelector\n and Selector are defined on 2422 the same rule, then only workload\n endpoints that 2423 are matched by both selectors will be selected\n by 2424 the rule. \\n For NetworkPolicy, an empty NamespaceSelector\n implies 2425 that the Selector is limited to selecting only\n workload 2426 endpoints in the same namespace as the NetworkPolicy.\n \\n 2427 For NetworkPolicy, `global()` NamespaceSelector implies\n that 2428 the Selector is limited to selecting only GlobalNetworkSet\n or 2429 HostEndpoint. \\n For GlobalNetworkPolicy, an empty\n NamespaceSelector 2430 implies the Selector applies to workload\n endpoints 2431 across all namespaces.\"\n type: string\n nets:\n 2432 \ description: Nets is an optional field that restricts 2433 the\n rule to only apply to traffic that originates 2434 from (or\n terminates at) IP addresses in any of 2435 the given subnets.\n items:\n type: 2436 string\n type: array\n notNets:\n 2437 \ description: NotNets is the negated version of the 2438 Nets\n field.\n items:\n 2439 \ type: string\n type: 2440 array\n notPorts:\n description: 2441 NotPorts is the negated version of the Ports\n field. 
2442 Since only some protocols have ports, if any ports\n are 2443 specified it requires the Protocol match in the Rule\n to 2444 be set to \"TCP\" or \"UDP\".\n items:\n anyOf:\n 2445 \ - type: integer\n - 2446 type: string\n pattern: ^.*\n x-kubernetes-int-or-string: 2447 true\n type: array\n notSelector:\n 2448 \ description: NotSelector is the negated version of 2449 the Selector\n field. See Selector field for subtleties 2450 with negated\n selectors.\n type: 2451 string\n ports:\n description: 2452 \"Ports is an optional field that restricts\n the rule 2453 to only apply to traffic that has a source (destination)\n port 2454 that matches one of these ranges/values. This value\n is 2455 a list of integers or strings that represent ranges\n of 2456 ports. \\n Since only some protocols have ports, if\n any 2457 ports are specified it requires the Protocol match\n in 2458 the Rule to be set to \\\"TCP\\\" or \\\"UDP\\\".\"\n items:\n 2459 \ anyOf:\n - type: 2460 integer\n - type: string\n pattern: 2461 ^.*\n x-kubernetes-int-or-string: true\n type: 2462 array\n selector:\n description: 2463 \"Selector is an optional field that contains\n a selector 2464 expression (see Policy for sample syntax).\n \\ Only 2465 traffic that originates from (terminates at) endpoints\n matching 2466 the selector will be matched. \\n Note that: in\n addition 2467 to the negated version of the Selector (see NotSelector\n below), 2468 the selector expression syntax itself supports\n negation. 2469 \ The two types of negation are subtly different.\n One 2470 negates the set of matched endpoints, the other negates\n the 2471 whole match: \\n \\tSelector = \\\"!has(my_label)\\\" matches\n packets 2472 that are from other Calico-controlled \\tendpoints\n that 2473 do not have the label “my_label”. 
\\n \\tNotSelector\n = 2474 \\\"has(my_label)\\\" matches packets that are not from\n Calico-controlled 2475 \\tendpoints that do have the label “my_label”.\n \\n 2476 The effect is that the latter will accept packets from\n non-Calico 2477 sources whereas the former is limited to packets\n from 2478 Calico-controlled endpoints.\"\n type: string\n serviceAccounts:\n 2479 \ description: ServiceAccounts is an optional field 2480 that restricts\n the rule to only apply to traffic 2481 that originates from\n (or terminates at) a pod running 2482 as a matching service\n account.\n properties:\n 2483 \ names:\n description: 2484 Names is an optional field that restricts\n the 2485 rule to only apply to traffic that originates\n from 2486 (or terminates at) a pod running as a service\n account 2487 whose name is in the list.\n items:\n type: 2488 string\n type: array\n selector:\n 2489 \ description: Selector is an optional field that 2490 restricts\n the rule to only apply to traffic 2491 that originates\n from (or terminates at) a pod 2492 running as a service\n account that matches the 2493 given label selector. If\n both Names and Selector 2494 are specified then they are\n AND'ed.\n type: 2495 string\n type: object\n services:\n 2496 \ description: \"Services is an optional field that 2497 contains\n options for matching Kubernetes Services. 2498 If specified,\n only traffic that originates from 2499 or terminates at endpoints\n within the selected 2500 service(s) will be matched, and only\n to/from each 2501 endpoint's port. \\n Services cannot be specified\n on 2502 the same rule as Selector, NotSelector, NamespaceSelector,\n Ports, 2503 NotPorts, Nets, NotNets or ServiceAccounts. \\n\n Only 2504 valid on egress rules.\"\n properties:\n name:\n 2505 \ description: Name specifies the name of a Kubernetes\n 2506 \ Service to match.\n type: 2507 string\n namespace:\n description: 2508 Namespace specifies the namespace of the\n given 2509 Service. 
If left empty, the rule will match\n within 2510 this policy's namespace.\n type: string\n type: 2511 object\n type: object\n required:\n 2512 \ - action\n type: object\n type: 2513 array\n order:\n description: Order is an optional 2514 field that specifies the order in\n which the policy is applied. 2515 Policies with higher \"order\" are applied\n after those with 2516 lower order. If the order is omitted, it may be\n considered 2517 to be \"infinite\" - i.e. the policy will be applied last. Policies\n with 2518 identical order will be applied in alphanumerical order based\n on 2519 the Policy \"Name\".\n type: number\n selector:\n 2520 \ description: \"The selector is an expression used to pick pick 2521 out\n the endpoints that the policy should be applied to. \\n 2522 Selector\n expressions follow this syntax: \\n \\tlabel == \\\"string_literal\\\"\n 2523 \ \\ -> comparison, e.g. my_label == \\\"foo bar\\\" \\tlabel 2524 != \\\"string_literal\\\"\n \\ -> not equal; also matches if 2525 label is not present \\tlabel in\n { \\\"a\\\", \\\"b\\\", \\\"c\\\", 2526 ... } -> true if the value of label X is\n one of \\\"a\\\", 2527 \\\"b\\\", \\\"c\\\" \\tlabel not in { \\\"a\\\", \\\"b\\\", \\\"c\\\",\n ... 2528 } -> true if the value of label X is not one of \\\"a\\\", \\\"b\\\",\n \\\"c\\\" 2529 \\thas(label_name) -> True if that label is present \\t! expr\n -> 2530 negation of expr \\texpr && expr -> Short-circuit and \\texpr\n || 2531 expr -> Short-circuit or \\t( expr ) -> parens for grouping \\tall()\n or 2532 the empty selector -> matches all endpoints. \\n Label names are\n allowed 2533 to contain alphanumerics, -, _ and /. String literals are\n more 2534 permissive but they do not support escape characters. \\n Examples\n (with 2535 made-up labels): \\n \\ttype == \\\"webserver\\\" && deployment\n == 2536 \\\"prod\\\" \\ttype in {\\\"frontend\\\", \\\"backend\\\"} \\tdeployment !=\n 2537 \ \\\"dev\\\" \\t! 
has(label_name)\"\n type: 2538 string\n serviceAccountSelector:\n description: 2539 ServiceAccountSelector is an optional field for an expression\n used 2540 to select a pod based on service accounts.\n type: string\n types:\n 2541 \ description: \"Types indicates whether this policy applies to 2542 ingress,\n or to egress, or to both. When not explicitly specified 2543 (and so\n the value on creation is empty or nil), Calico defaults 2544 Types according\n to what Ingress and Egress are present in the 2545 policy. The default\n is: \\n - [ PolicyTypeIngress ], if there 2546 are no Egress rules (including\n the case where there are also 2547 no Ingress rules) \\n - [ PolicyTypeEgress\n ], if there are 2548 Egress rules but no Ingress rules \\n - [ PolicyTypeIngress,\n PolicyTypeEgress 2549 ], if there are both Ingress and Egress rules.\n \\n When the 2550 policy is read back again, Types will always be one\n of these 2551 values, never empty or nil.\"\n items:\n description: 2552 PolicyType enumerates the possible values of the PolicySpec\n Types 2553 field.\n type: string\n type: array\n type: 2554 object\n type: object\n served: true\n storage: true\nstatus:\n 2555 \ acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: 2556 []\n\n---\n\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n 2557 \ annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: 2558 null\n name: networksets.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n 2559 \ names:\n kind: NetworkSet\n listKind: NetworkSetList\n plural: networksets\n 2560 \ singular: networkset\n scope: Namespaced\n versions:\n - name: v1\n schema:\n 2561 \ openAPIV3Schema:\n description: NetworkSet is the Namespaced-equivalent 2562 of the GlobalNetworkSet.\n properties:\n apiVersion:\n description: 2563 'APIVersion defines the versioned schema of this representation\n of 2564 an object. 
Servers should convert recognized schemas to the latest\n internal 2565 value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n 2566 \ type: string\n kind:\n description: 'Kind 2567 is a string value representing the REST resource this\n object represents. 2568 Servers may infer this from the endpoint the client\n submits requests 2569 to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n 2570 \ type: string\n metadata:\n type: object\n 2571 \ spec:\n description: NetworkSetSpec contains the specification 2572 for a NetworkSet\n resource.\n properties:\n nets:\n 2573 \ description: The list of IP networks that belong to this set.\n 2574 \ items:\n type: string\n type: 2575 array\n type: object\n type: object\n served: true\n 2576 \ storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n 2577 \ conditions: []\n storedVersions: []\n\n---\n---\n# Source: calico/templates/calico-kube-controllers-rbac.yaml\n\n# 2578 Include a clusterrole for the kube-controllers component,\n# and bind it to the 2579 calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n 2580 \ name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for 2581 deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n 2582 \ - watch\n - list\n - get\n # Pods are watched to check for existence 2583 as part of IPAM controller.\n - apiGroups: [\"\"]\n resources:\n - pods\n 2584 \ verbs:\n - get\n - list\n - watch\n # IPAM resources are manipulated 2585 when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n 2586 \ - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n 2587 \ resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n 2588 \ verbs:\n - get\n - list\n - create\n - 
update\n - 2589 delete\n - watch\n # kube-controllers manages hostendpoints.\n - apiGroups: 2590 [\"crd.projectcalico.org\"]\n resources:\n - hostendpoints\n verbs:\n 2591 \ - get\n - list\n - create\n - update\n - delete\n # 2592 Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n 2593 \ resources:\n - clusterinformations\n verbs:\n - get\n - 2594 create\n - update\n # KubeControllersConfiguration is where it gets its 2595 config\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - kubecontrollersconfigurations\n 2596 \ verbs:\n # read its own config\n - get\n # create a default 2597 if none exists\n - create\n # update status\n - update\n # 2598 watch for changes\n - watch\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n 2599 \ name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n 2600 \ kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n - kind: ServiceAccount\n 2601 \ name: calico-kube-controllers\n namespace: kube-system\n---\n\n---\n# Source: 2602 calico/templates/calico-node-rbac.yaml\n# Include a clusterrole for the calico-node 2603 DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: 2604 rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The 2605 CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n 2606 \ resources:\n - pods\n - nodes\n - namespaces\n verbs:\n 2607 \ - get\n # EndpointSlices are used for Service-based network policy rule\n 2608 \ # enforcement.\n - apiGroups: [\"discovery.k8s.io\"]\n resources:\n - 2609 endpointslices\n verbs:\n - watch\n - list\n - apiGroups: [\"\"]\n 2610 \ resources:\n - endpoints\n - services\n verbs:\n # Used 2611 to discover service IPs for advertisement.\n - watch\n - list\n # 2612 Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm 2613 needs access to config maps.\n - apiGroups: [\"\"]\n 
resources:\n - configmaps\n 2614 \ verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n 2615 \ verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - 2616 patch\n # Calico stores some configuration information in node annotations.\n 2617 \ - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: 2618 [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n 2619 \ - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: 2620 [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n 2621 \ verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n 2622 \ - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - 2623 patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n 2624 \ resources:\n - globalfelixconfigs\n - felixconfigurations\n - 2625 bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n 2626 \ - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n 2627 \ - networkpolicies\n - networksets\n - clusterinformations\n - 2628 hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n 2629 \ - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: 2630 [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n 2631 \ - clusterinformations\n verbs:\n - create\n - update\n # Calico 2632 stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n 2633 \ - nodes\n verbs:\n - get\n - list\n - watch\n # These 2634 permissions are only required for upgrade from v2.6, and can\n # be removed after 2635 upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n 2636 \ resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - 2637 create\n - update\n # These permissions are required for Calico CNI to perform 2638 IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n 2639 \ - blockaffinities\n - ipamblocks\n 
- ipamhandles\n verbs:\n 2640 \ - get\n - list\n - create\n - update\n - delete\n - 2641 apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n 2642 \ verbs:\n - get\n # Block affinities must also be watchable by confd 2643 for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n 2644 \ - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration 2645 needs to get daemonsets. These permissions can be\n # removed if not upgrading 2646 from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n 2647 \ - daemonsets\n verbs:\n - get\n\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: 2648 ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n 2649 \ kind: ClusterRole\n name: calico-node\nsubjects:\n - kind: ServiceAccount\n 2650 \ name: calico-node\n namespace: kube-system\n\n---\n# Source: calico/templates/calico-node.yaml\n# 2651 This manifest installs the calico-node container, as well\n# as the CNI plugins 2652 and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: 2653 DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n 2654 \ labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: 2655 calico-node\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n 2656 \ maxUnavailable: 1\n template:\n metadata:\n labels:\n k8s-app: 2657 calico-node\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n 2658 \ hostNetwork: true\n tolerations:\n # Make sure calico-node gets 2659 scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n 2660 \ # Mark the pod as a critical add-on for rescheduling.\n - key: 2661 CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n 2662 \ operator: Exists\n serviceAccountName: calico-node\n # Minimize 2663 downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n 2664 \ # deletion\": 
https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n 2665 \ terminationGracePeriodSeconds: 0\n priorityClassName: system-node-critical\n 2666 \ initContainers:\n # This container performs upgrade from host-local 2667 IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, 2668 or if you have already\n # upgraded to use calico-ipam.\n - name: 2669 upgrade-ipam\n image: calico/cni:v3.20.0\n command: [\"/opt/cni/bin/calico-ipam\", 2670 \"-upgrade\"]\n envFrom:\n - configMapRef:\n # 2671 Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for 2672 eBPF mode.\n name: kubernetes-services-endpoint\n optional: 2673 true\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n 2674 \ fieldRef:\n fieldPath: spec.nodeName\n - 2675 name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n 2676 \ name: calico-config\n key: calico_backend\n 2677 \ volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: 2678 host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: 2679 cni-bin-dir\n securityContext:\n privileged: true\n # 2680 This container installs the CNI binaries\n # and CNI network config file 2681 on each node.\n - name: install-cni\n image: calico/cni:v3.20.0\n 2682 \ command: [\"/opt/cni/bin/install\"]\n envFrom:\n - 2683 configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT 2684 to be overridden for eBPF mode.\n name: kubernetes-services-endpoint\n 2685 \ optional: true\n env:\n # Name of the CNI 2686 config file to create.\n - name: CNI_CONF_NAME\n value: 2687 \"10-calico.conflist\"\n # The CNI network config to install on each 2688 node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n 2689 \ name: calico-config\n key: cni_network_config\n 2690 \ # Set the hostname based on the k8s node name.\n - name: 2691 KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: 2692 spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n 2693 \ valueFrom:\n 
configMapKeyRef:\n name: 2694 calico-config\n key: veth_mtu\n # Prevents the container 2695 from sleeping forever.\n - name: SLEEP\n value: \"false\"\n 2696 \ volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: 2697 cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: 2698 cni-net-dir\n securityContext:\n privileged: true\n # 2699 Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n 2700 \ # to communicate with Felix over the Policy Sync API.\n - name: 2701 flexvol-driver\n image: calico/pod2daemon-flexvol:v3.20.0\n volumeMounts:\n 2702 \ - name: flexvol-driver-host\n mountPath: /host/driver\n 2703 \ securityContext:\n privileged: true\n containers:\n 2704 \ # Runs calico-node container on each Kubernetes node. This\n # 2705 container programs network policy and routes on each\n # host.\n - 2706 name: calico-node\n image: calico/node:v3.20.0\n envFrom:\n 2707 \ - configMapRef:\n # Allow KUBERNETES_SERVICE_HOST and 2708 KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.\n name: 2709 kubernetes-services-endpoint\n optional: true\n env:\n 2710 \ # Use Kubernetes API as the backing datastore.\n - name: 2711 DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the 2712 datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n 2713 \ # Set based on the k8s node name.\n - name: NODENAME\n 2714 \ valueFrom:\n fieldRef:\n fieldPath: 2715 spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n 2716 \ valueFrom:\n configMapKeyRef:\n name: 2717 calico-config\n key: calico_backend\n # Cluster type 2718 to identify the deployment type\n - name: CLUSTER_TYPE\n value: 2719 \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: 2720 IP\n value: \"autodetect\"\n # Enable VXLAN\n - 2721 name: CALICO_IPV4POOL_VXLAN\n value: \"Always\"\n # Set 2722 MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n 2723 \ valueFrom:\n configMapKeyRef:\n name: 2724 calico-config\n key: veth_mtu\n # Set MTU 
for the 2725 VXLAN tunnel device.\n - name: FELIX_VXLANMTU\n valueFrom:\n 2726 \ configMapKeyRef:\n name: calico-config\n key: 2727 veth_mtu\n # Set MTU for the Wireguard tunnel device.\n - 2728 name: FELIX_WIREGUARDMTU\n valueFrom:\n configMapKeyRef:\n 2729 \ name: calico-config\n key: veth_mtu\n # 2730 The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # 2731 chosen from this range. Changing this value after installation will have\n # 2732 no effect. This should fall within `--cluster-cidr`.\n # - name: CALICO_IPV4POOL_CIDR\n 2733 \ # value: \"192.168.0.0/16\"\n # Disable file logging 2734 so `kubectl logs` works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: 2735 \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n 2736 \ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n 2737 \ # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n 2738 \ value: \"false\"\n - name: FELIX_FEATUREDETECTOVERRIDE\n 2739 \ value: \"ChecksumOffloadBroken=true\"\n - name: FELIX_HEALTHENABLED\n 2740 \ value: \"true\"\n securityContext:\n privileged: 2741 true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n 2742 \ exec:\n command:\n - /bin/calico-node\n 2743 \ - -felix-live\n periodSeconds: 10\n initialDelaySeconds: 2744 10\n failureThreshold: 6\n readinessProbe:\n exec:\n 2745 \ command:\n - /bin/calico-node\n - 2746 -felix-ready\n periodSeconds: 10\n volumeMounts:\n - 2747 mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n readOnly: 2748 false\n - mountPath: /lib/modules\n name: lib-modules\n 2749 \ readOnly: true\n - mountPath: /run/xtables.lock\n name: 2750 xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n 2751 \ name: var-run-calico\n readOnly: false\n - 2752 mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: 2753 false\n - name: policysync\n mountPath: /var/run/nodeagent\n 2754 \ # For eBPF mode, we need to be able to mount the BPF filesystem at 2755 /sys/fs/bpf so we mount in the\n # 
parent directory.\n - 2756 name: sysfs\n mountPath: /sys/fs/\n # Bidirectional 2757 means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to 2758 the host.\n # If the host is known to mount that filesystem already 2759 then Bidirectional can be omitted.\n mountPropagation: Bidirectional\n 2760 \ - name: cni-log-dir\n mountPath: /var/log/calico/cni\n 2761 \ readOnly: true\n volumes:\n # Used by calico-node.\n 2762 \ - name: lib-modules\n hostPath:\n path: /lib/modules\n 2763 \ - name: var-run-calico\n hostPath:\n path: /var/run/calico\n 2764 \ - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n 2765 \ - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n 2766 \ type: FileOrCreate\n - name: sysfs\n hostPath:\n path: 2767 /sys/fs/\n type: DirectoryOrCreate\n # Used to install CNI.\n 2768 \ - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n 2769 \ - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n 2770 \ # Used to access CNI logs.\n - name: cni-log-dir\n hostPath:\n 2771 \ path: /var/log/calico/cni\n # Mount in the directory for host-local 2772 IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, 2773 and can be removed\n # if not using the upgrade-ipam init container.\n 2774 \ - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n 2775 \ # Used to create per-pod Unix Domain Sockets\n - name: policysync\n 2776 \ hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n 2777 \ # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n 2778 \ hostPath:\n type: DirectoryOrCreate\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n---\n\napiVersion: 2779 v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n---\n# 2780 Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: 2781 apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: 2782 kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers 2783 can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n 2784 \ k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n 2785 \ metadata:\n name: calico-kube-controllers\n namespace: kube-system\n 2786 \ labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n 2787 \ kubernetes.io/os: linux\n tolerations:\n # Mark the pod as 2788 a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: 2789 Exists\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n 2790 \ serviceAccountName: calico-kube-controllers\n priorityClassName: system-cluster-critical\n 2791 \ containers:\n - name: calico-kube-controllers\n image: calico/kube-controllers:v3.20.0\n 2792 \ env:\n # Choose which controllers to run.\n - 2793 name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n 2794 \ value: kubernetes\n livenessProbe:\n exec:\n 2795 \ command:\n - /usr/bin/check-status\n - 2796 -l\n periodSeconds: 10\n initialDelaySeconds: 10\n 
failureThreshold: 2797 6\n timeoutSeconds: 10\n readinessProbe:\n exec:\n 2798 \ command:\n - /usr/bin/check-status\n - 2799 -r\n periodSeconds: 10\n\n---\n\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n 2800 \ name: calico-kube-controllers\n namespace: kube-system\n\n---\n\n# This manifest 2801 creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler 2802 to evict\n\napiVersion: policy/v1beta1\nkind: PodDisruptionBudget\nmetadata:\n 2803 \ name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: 2804 calico-kube-controllers\nspec:\n maxUnavailable: 1\n selector:\n matchLabels:\n 2805 \ k8s-app: calico-kube-controllers\n---\n# Source: calico/templates/calico-etcd-secrets.yaml\n\n---\n# 2806 Source: calico/templates/calico-typha.yaml\n\n---\n# Source: calico/templates/configure-canal.yaml\n" 2807 windows-cni: "# strictAffinity required for windows\napiVersion: crd.projectcalico.org/v1\nkind: 2808 IPAMConfig\nmetadata:\n name: default\nspec:\n autoAllocateBlocks: true\n strictAffinity: 2809 true\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-static-rules\n 2810 \ namespace: kube-system\n labels:\n tier: node\n app: calico\ndata:\n 2811 \ static-rules.json: |\n {\n \"Provider\": \"azure\",\n \"Version\": 2812 \"0.1\",\n \"Rules\": [\n {\n \"Name\": \"EndpointPolicy\",\n 2813 \ \"Rule\": {\n \"Id\": \"wireserver\",\n \"Type\": 2814 \"ACL\",\n \"Protocol\": 6,\n \"Action\": \"Block\",\n 2815 \ \"Direction\": \"Out\",\n \"RemoteAddresses\": \"168.63.129.16/32\",\n 2816 \ \"RemotePorts\": \"80\",\n \"Priority\": 200,\n \"RuleType\": 2817 \"Switch\"\n }\n }\n ]\n } \n---\nkind: ConfigMap\napiVersion: 2818 v1\nmetadata:\n name: calico-config-windows\n namespace: kube-system\n labels:\n 2819 \ tier: node\n app: calico\ndata:\n veth_mtu: \"1350\"\n \n cni_network_config: 2820 |\n {\n \"name\": \"Calico\",\n \"cniVersion\": \"0.3.1\",\n \"plugins\": 2821 [\n {\n \"windows_use_single_network\": true,\n \"type\": 2822 
\"calico\",\n \"mode\": \"vxlan\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n 2823 \ \"nodename_file_optional\": true,\n \"log_file_path\": \"c:/cni.log\",\n 2824 \ \"log_level\": \"debug\",\n\n \"vxlan_mac_prefix\": \"0E-2A\",\n 2825 \ \"vxlan_vni\": 4096,\n \"mtu\": __CNI_MTU__,\n \"policy\": 2826 {\n \"type\": \"k8s\"\n },\n\n \"log_level\": \"info\",\n\n 2827 \ \"capabilities\": {\"dns\": true},\n \"DNS\": {\n \"Search\": 2828 \ [\n \"svc.cluster.local\"\n ]\n },\n\n \"datastore_type\": 2829 \"kubernetes\",\n\n \"kubernetes\": {\n \"kubeconfig\": \"__KUBECONFIG_FILEPATH__\"\n 2830 \ },\n\n \"ipam\": {\n \"type\": \"calico-ipam\",\n 2831 \ \"subnet\": \"usePodCidr\"\n },\n\n \"policies\": 2832 \ [\n {\n \"Name\": \"EndpointPolicy\",\n \"Value\": 2833 \ {\n \"Type\": \"OutBoundNAT\",\n \"ExceptionList\": 2834 \ [\n \"__K8S_SERVICE_CIDR__\"\n ]\n }\n 2835 \ },\n {\n \"Name\": \"EndpointPolicy\",\n 2836 \ \"Value\": {\n \"Type\": \"SDNROUTE\",\n \"DestinationPrefix\": 2837 \ \"__K8S_SERVICE_CIDR__\",\n \"NeedEncap\": true\n }\n 2838 \ }\n ]\n }\n ]\n\n }\n---\napiVersion: apps/v1\nkind: 2839 DaemonSet\nmetadata:\n name: calico-node-windows\n labels:\n tier: node\n 2840 \ app: calico\n namespace: kube-system\nspec:\n selector:\n matchLabels:\n 2841 \ app: calico\n template:\n metadata:\n labels:\n tier: node\n 2842 \ app: calico\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n 2843 \ nodeSelectorTerms:\n - matchExpressions:\n - 2844 key: kubernetes.io/os\n operator: In\n values:\n 2845 \ - windows\n - key: kubernetes.io/arch\n 2846 \ operator: In\n values:\n - 2847 amd64\n securityContext:\n windowsOptions:\n hostProcess: 2848 true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n hostNetwork: 2849 true\n serviceAccountName: calico-node\n tolerations:\n - operator: 2850 Exists\n effect: NoSchedule\n # Mark the pod as a critical add-on 2851 for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n 2852 \ - effect: 
NoExecute\n operator: Exists\n initContainers:\n # 2853 This container installs the CNI binaries\n # and CNI network config file 2854 on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.20.0-hostprocess\n 2855 \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n 2856 \ imagePullPolicy: Always\n env:\n # Name of the CNI 2857 config file to create.\n - name: CNI_CONF_NAME\n value: 2858 \"10-calico.conflist\"\n # The CNI network config to install on each 2859 node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n 2860 \ name: calico-config-windows\n key: cni_network_config\n 2861 \ # Set the hostname based on the k8s node name.\n - name: 2862 KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: 2863 spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n 2864 \ valueFrom:\n configMapKeyRef:\n name: 2865 calico-config-windows\n key: veth_mtu\n # Prevents 2866 the container from sleeping forever.\n - name: SLEEP\n value: 2867 \"false\"\n - name: K8S_SERVICE_CIDR\n value: \"10.96.0.0/12\"\n 2868 \ volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: 2869 cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: 2870 cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n 2871 \ securityContext:\n windowsOptions:\n hostProcess: 2872 true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n 2873 \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.20.0-hostprocess\n 2874 \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n 2875 \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: 2876 Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: 2877 /etc/kube-calico-windows/\n env:\n - name: POD_NAME\n valueFrom:\n 2878 \ fieldRef:\n apiVersion: v1\n fieldPath: 2879 metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n 2880 \ apiVersion: v1\n fieldPath: metadata.namespace\n - 2881 name: 
CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n 2882 \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n 2883 \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n 2884 \ image: sigwindowstools/calico-node:v3.20.0-hostprocess\n args: 2885 [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: 2886 Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n 2887 \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n 2888 \ - name: calico-static-rules\n mountPath: /calico/static-rules.json\n 2889 \ subPath: static-rules.json\n env:\n - name: POD_NAME\n 2890 \ valueFrom:\n fieldRef:\n apiVersion: v1\n fieldPath: 2891 metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n 2892 \ apiVersion: v1\n fieldPath: metadata.namespace\n - 2893 name: VXLAN_VNI\n value: \"4096\"\n - name: KUBECONFIG\n value: 2894 \"C:/etc/cni/net.d/calico-kubeconfig\"\n volumes:\n - name: calico-config-windows\n 2895 \ configMap:\n name: calico-config-windows\n - name: calico-static-rules\n 2896 \ configMap:\n name: calico-static-rules\n # Used to install 2897 CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n 2898 \ - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n 2899 \ - name: kubeadm-config\n configMap:\n name: kubeadm-config\n" 2900 kind: ConfigMap 2901 metadata: 2902 annotations: 2903 note: generated 2904 labels: 2905 type: generated 2906 name: cni-${CLUSTER_NAME}-calico 2907 namespace: default