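# sigs.k8s.io/cluster-api-provider-azure@v1.17.0/templates/test/ci/cluster-template-prow-private.yaml
#
# CI template for a *private* CAPZ cluster: the API server is exposed only on an
# internal load balancer, nodes live in private subnets, and an Azure Bastion is
# the only public entry point. ${VAR} / ${VAR:=default} / ${VAR:-default}
# placeholders are substituted by clusterctl before the manifests are applied.
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  labels:
    # Matched by the cloud-provider-azure HelmChartProxy resources further down.
    cloud-provider: ${CLOUD_PROVIDER_AZURE_LABEL:=azure}
    # Matched by the calico HelmChartProxy further down.
    cni: calico
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
      - 192.168.0.0/16
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta1
    kind: KubeadmControlPlane
    name: ${CLUSTER_NAME}-control-plane
  infrastructureRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureCluster
    name: ${CLUSTER_NAME}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureCluster
metadata:
  name: ${CLUSTER_NAME}
  namespace: default
spec:
  # Tags applied to the Azure resources so CI jobs can be traced back to a build.
  additionalTags:
    buildProvenance: ${BUILD_PROVENANCE}
    creationTimestamp: ${TIMESTAMP}
    jobName: ${JOB_NAME}
  bastionSpec:
    azureBastion:
      # Tunneling (native client / SSH tunnels) requires the Standard SKU below.
      enableTunneling: true
      name: ${CLUSTER_NAME}-azure-bastion
      publicIP:
        name: ${CLUSTER_NAME}-azure-bastion-pip
      sku: Standard
      subnet:
        cidrBlocks:
        - ${AZURE_BASTION_SUBNET_CIDR}
        # Azure requires this exact subnet name for a Bastion host.
        name: AzureBastionSubnet
        role: bastion
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureClusterIdentity
    name: ${CLUSTER_IDENTITY_NAME}
  location: ${AZURE_LOCATION}
  networkSpec:
    # Internal API server LB: the control plane is not reachable from the
    # internet, only from inside the VNet (or via the bastion / a peered VNet).
    apiServerLB:
      frontendIPs:
      - name: ${CLUSTER_NAME}-internal-lb-frontend
        privateIP: ${AZURE_INTERNAL_LB_IP}
      name: ${CLUSTER_NAME}-internal-lb
      type: Internal
    # With an internal API LB the nodes still need egress (image pulls, Azure
    # API); these outbound LBs provide the SNAT path.
    controlPlaneOutboundLB:
      frontendIPsCount: 1
    nodeOutboundLB:
      frontendIPsCount: 1
    subnets:
    - cidrBlocks:
      - ${AZURE_CP_SUBNET_CIDR}
      name: private-cp-subnet
      role: control-plane
    - cidrBlocks:
      - ${AZURE_NODE_SUBNET_CIDR}
      name: private-node-subnet
      role: node
    vnet:
      cidrBlocks:
      - ${AZURE_PRIVATE_VNET_CIDR}
      name: ${AZURE_VNET_NAME}
      # Peering to a pre-existing VNet; presumably where the CI runner that
      # must reach the internal API server lives — confirm against the job setup.
      peerings:
      - remoteVnetName: ${AZURE_CUSTOM_VNET_NAME}
        resourceGroup: ${AZURE_CUSTOM_VNET_RESOURCE_GROUP}
  resourceGroup: ${AZURE_RESOURCE_GROUP:=${CLUSTER_NAME}}
  subscriptionID: ${AZURE_SUBSCRIPTION_ID}
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          # Out-of-tree cloud provider; cloud-provider-azure is installed via Helm below.
          cloud-provider: external
        timeoutForControlPlane: 20m
      controllerManager:
        extraArgs:
          allocate-node-cidrs: "false"
          cloud-provider: external
          cluster-name: ${CLUSTER_NAME}
          v: "4"
      etcd:
        local:
          # etcd lives on the dedicated data disk mounted under /var/lib/etcddisk (see mounts).
          dataDir: /var/lib/etcddisk/etcd
          extraArgs:
            quota-backend-bytes: "8589934592"
    diskSetup:
      filesystems:
      - device: /dev/disk/azure/scsi1/lun0
        extraOpts:
        - -E
        - lazy_itable_init=1,lazy_journal_init=1
        filesystem: ext4
        label: etcd_disk
      - device: ephemeral0.1
        filesystem: ext4
        label: ephemeral0
        replaceFS: ntfs
      partitions:
      - device: /dev/disk/azure/scsi1/lun0
        layout: true
        overwrite: false
        tableType: gpt
    files:
    - contentFrom:
        secret:
          key: control-plane-azure.json
          name: ${CLUSTER_NAME}-control-plane-azure-json
      owner: root:root
      path: /etc/kubernetes/azure.json
      # NOTE(review): world-readable on the node. The AzureClusterIdentity in
      # this template is UserAssignedMSI, so no client secret is expected in this
      # file — confirm before reusing the template with a secret-based identity.
      permissions: "0644"
    initConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
        name: '{{ ds.meta_data["local_hostname"] }}'
    joinConfiguration:
      nodeRegistration:
        kubeletExtraArgs:
          cloud-provider: external
        name: '{{ ds.meta_data["local_hostname"] }}'
    mounts:
    - - LABEL=etcd_disk
      - /var/lib/etcddisk
    # Pin the API server hostname to loopback on control-plane nodes so the
    # local kube-apiserver is used during join (private cluster: no public DNS).
    postKubeadmCommands:
    - if [ -f /tmp/kubeadm-join-config.yaml ] || [ -f /run/kubeadm/kubeadm-join-config.yaml ]; then echo '127.0.0.1 apiserver.${CLUSTER_NAME}.capz.io apiserver' >> /etc/hosts; fi
    preKubeadmCommands:
    - if [ -f /tmp/kubeadm.yaml ] || [ -f /run/kubeadm/kubeadm.yaml ]; then echo '127.0.0.1 apiserver.${CLUSTER_NAME}.capz.io apiserver' >> /etc/hosts; fi
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: AzureMachineTemplate
      name: ${CLUSTER_NAME}-control-plane
  replicas: ${CONTROL_PLANE_MACHINE_COUNT:=1}
  version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-control-plane
  namespace: default
spec:
  template:
    spec:
      # LUN 0 is the etcd data disk formatted and mounted by the KCP diskSetup above.
      dataDisks:
      - diskSizeGB: 256
        lun: 0
        nameSuffix: etcddisk
      # VMs authenticate to Azure with a user-assigned managed identity; no
      # credentials are baked into the image or cloud-init.
      identity: UserAssigned
      osDisk:
        diskSizeGB: 128
        osType: Linux
      # Empty by default: no SSH key is installed unless the CI job provides one.
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      userAssignedIdentities:
      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
      vmSize: ${AZURE_CONTROL_PLANE_MACHINE_TYPE}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  clusterName: ${CLUSTER_NAME}
  replicas: ${WORKER_MACHINE_COUNT:=2}
  selector:
    # Left null on purpose; CAPI populates the selector from the template labels.
    matchLabels: null
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          name: ${CLUSTER_NAME}-md-0
      clusterName: ${CLUSTER_NAME}
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
        kind: AzureMachineTemplate
        name: ${CLUSTER_NAME}-md-0
      version: ${KUBERNETES_VERSION}
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureMachineTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      # Same user-assigned identity as the control plane; see the note there.
      identity: UserAssigned
      osDisk:
        diskSizeGB: 128
        osType: Linux
      sshPublicKey: ${AZURE_SSH_PUBLIC_KEY_B64:=""}
      userAssignedIdentities:
      - providerID: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CI_RG:=capz-ci}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${USER_IDENTITY:=cloud-provider-user-identity}
      vmSize: ${AZURE_NODE_MACHINE_TYPE}
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfigTemplate
metadata:
  name: ${CLUSTER_NAME}-md-0
  namespace: default
spec:
  template:
    spec:
      files:
      - contentFrom:
          secret:
            key: worker-node-azure.json
            name: ${CLUSTER_NAME}-md-0-azure-json
        owner: root:root
        path: /etc/kubernetes/azure.json
        # NOTE(review): world-readable, same consideration as on the control plane.
        permissions: "0644"
      joinConfiguration:
        nodeRegistration:
          kubeletExtraArgs:
            cloud-provider: external
          name: '{{ ds.meta_data["local_hostname"] }}'
      preKubeadmCommands: []
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  labels:
    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
  name: ${CLUSTER_IDENTITY_NAME}
  namespace: default
spec:
  # NOTE(review): an empty (non-nil) allowedNamespaces is documented by CAPZ as
  # allowing AzureClusters from *any* namespace to use this identity. Fine for a
  # throwaway CI cluster; restrict it (list or selector) before reusing elsewhere.
  allowedNamespaces: {}
  clientID: ${UAMI_CLIENT_ID}
  tenantID: ${AZURE_TENANT_ID}
  # Managed identity: no client secret is stored in the management cluster.
  type: UserAssignedMSI
---
apiVersion: addons.cluster.x-k8s.io/v1beta1
kind: ClusterResourceSet
metadata:
  name: ${CLUSTER_NAME}-calico
  namespace: default
spec:
  clusterSelector:
    matchLabels:
      # This value differs from the Cluster's `cni: calico` label, so the CRS does
      # not match this cluster; presumably intentional since calico is installed by
      # the HelmChartProxy below and only the CRDs ConfigMap is carried here — confirm.
      cni: ${CLUSTER_NAME}-calico
  resources:
  - kind: ConfigMap
    name: cni-${CLUSTER_NAME}-calico
  strategy: ApplyOnce
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: calico
  namespace: default
spec:
  chartName: tigera-operator
  clusterSelector:
    matchLabels:
      cni: calico
  namespace: tigera-operator
  releaseName: projectcalico
  repoURL: https://docs.tigera.io/calico/charts
  # Go template rendered per Cluster, then parsed as Helm values. The `ipPools`
  # key is emitted once (the previous duplicate bare `ipPools:` line relied on
  # last-key-wins parsing and is rejected by strict YAML parsers). Images come
  # from the mcr.microsoft.com/oss mirror rather than Docker Hub.
  valuesTemplate: |-
    installation:
      cni:
        type: Calico
      calicoNetwork:
        bgp: Disabled
        mtu: 1350
        ipPools:{{range $i, $cidr := .Cluster.spec.clusterNetwork.pods.cidrBlocks }}
        - cidr: {{ $cidr }}
          encapsulation: VXLAN{{end}}
      registry: mcr.microsoft.com/oss
    # Image and registry configuration for the tigera/operator pod.
    tigeraOperator:
      image: tigera/operator
      registry: mcr.microsoft.com/oss
    calicoctl:
      image: mcr.microsoft.com/oss/calico/ctl
  version: ${CALICO_VERSION}
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: azuredisk-csi-driver-chart
  namespace: default
spec:
  chartName: azuredisk-csi-driver
  clusterSelector:
    matchLabels:
      # Not set on the Cluster above; the CSI driver is only installed when a job adds this label.
      azuredisk-csi: "true"
  namespace: kube-system
  releaseName: azuredisk-csi-driver-oot
  # Chart is fetched from the upstream `master` branch; no chart version is pinned here.
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/master/charts
  valuesTemplate: |-
    controller:
      replicas: 1
      runOnControlPlane: true
    windows:
      useHostProcessContainers: {{ hasKey .Cluster.metadata.labels "cni-windows" }}
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      # Default value of CLOUD_PROVIDER_AZURE_LABEL on the Cluster above.
      cloud-provider: azure
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      logVerbosity: 4
---
apiVersion: addons.cluster.x-k8s.io/v1alpha1
kind: HelmChartProxy
metadata:
  name: cloud-provider-azure-chart-ci
  namespace: default
spec:
  chartName: cloud-provider-azure
  clusterSelector:
    matchLabels:
      # Selected instead of the chart above when CLOUD_PROVIDER_AZURE_LABEL=azure-ci.
      cloud-provider: azure-ci
  releaseName: cloud-provider-azure-oot
  repoURL: https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/helm/repo
  # CI variant: image registry/name/tag for CCM and CNM are taken from the job
  # environment so a freshly built cloud-provider can be exercised. Empty
  # defaults fall back to the chart's own values.
  valuesTemplate: |
    infra:
      clusterName: {{ .Cluster.metadata.name }}
    cloudControllerManager:
      cloudConfig: ${CLOUD_CONFIG:-"/etc/kubernetes/azure.json"}
      cloudConfigSecretName: ${CONFIG_SECRET_NAME:-""}
      clusterCIDR: {{ .Cluster.spec.clusterNetwork.pods.cidrBlocks | join "," }}
      imageName: "${CCM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CCM:-""}"
      logVerbosity: ${CCM_LOG_VERBOSITY:-4}
      replicas: ${CCM_COUNT:-1}
      enableDynamicReloading: ${ENABLE_DYNAMIC_RELOADING:-false}
    cloudNodeManager:
      imageName: "${CNM_IMAGE_NAME:-""}"
      imageRepository: "${IMAGE_REGISTRY:-""}"
      imageTag: "${IMAGE_TAG_CNM:-""}"
---
# ConfigMap carrying the Calico CRDs for the ClusterResourceSet above. The
# embedded `resources` block scalar continues well beyond this view.
apiVersion: v1
data:
  resources: |
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: bgpconfigurations.crd.projectcalico.org
    spec:
      group: crd.projectcalico.org
      names:
        kind: BGPConfiguration
        listKind: BGPConfigurationList
        plural: bgpconfigurations
        singular: bgpconfiguration
      preserveUnknownFields: false
      scope: Cluster
      versions:
      - name: v1
        schema:
          openAPIV3Schema:
            description: BGPConfiguration contains the configuration for any BGP routing.
            properties:
              apiVersion:
                description: 'APIVersion defines the versioned schema of this representation
                  of an object. Servers should convert recognized schemas to the latest
                  internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                type: string
              kind:
                description: 'Kind is a string value representing the REST resource this
                  object represents. Servers may infer this from the endpoint the client
                  submits requests to. Cannot be updated. In CamelCase.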
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 401 type: string 402 metadata: 403 type: object 404 spec: 405 description: BGPConfigurationSpec contains the values of the BGP configuration. 406 properties: 407 asNumber: 408 description: 'ASNumber is the default AS number used by a node. [Default: 409 64512]' 410 format: int32 411 type: integer 412 bindMode: 413 description: BindMode indicates whether to listen for BGP connections 414 on all addresses (None) or only on the node's canonical IP address 415 Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen 416 for BGP connections on all addresses. 417 type: string 418 communities: 419 description: Communities is a list of BGP community values and their 420 arbitrary names for tagging routes. 421 items: 422 description: Community contains standard or large community value 423 and its name. 424 properties: 425 name: 426 description: Name given to community value. 427 type: string 428 value: 429 description: Value must be of format `aa:nn` or `aa:nn:mm`. 430 For standard community use `aa:nn` format, where `aa` and 431 `nn` are 16 bit number. For large community use `aa:nn:mm` 432 format, where `aa`, `nn` and `mm` are 32 bit number. Where, 433 `aa` is an AS Number, `nn` and `mm` are per-AS identifier. 434 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ 435 type: string 436 type: object 437 type: array 438 ignoredInterfaces: 439 description: IgnoredInterfaces indicates the network interfaces that 440 needs to be excluded when reading device routes. 441 items: 442 type: string 443 type: array 444 listenPort: 445 description: ListenPort is the port where BGP protocol should listen. 446 Defaults to 179 447 maximum: 65535 448 minimum: 1 449 type: integer 450 logSeverityScreen: 451 description: 'LogSeverityScreen is the log severity above which logs 452 are sent to the stdout. 
[Default: INFO]' 453 type: string 454 nodeMeshMaxRestartTime: 455 description: Time to allow for software restart for node-to-mesh peerings. When 456 specified, this is configured as the graceful restart timeout. When 457 not specified, the BIRD default of 120s is used. This field can 458 only be set on the default BGPConfiguration instance and requires 459 that NodeMesh is enabled 460 type: string 461 nodeMeshPassword: 462 description: Optional BGP password for full node-to-mesh peerings. 463 This field can only be set on the default BGPConfiguration instance 464 and requires that NodeMesh is enabled 465 properties: 466 secretKeyRef: 467 description: Selects a key of a secret in the node pod's namespace. 468 properties: 469 key: 470 description: The key of the secret to select from. Must be 471 a valid secret key. 472 type: string 473 name: 474 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 475 TODO: Add other useful fields. apiVersion, kind, uid?' 476 type: string 477 optional: 478 description: Specify whether the Secret or its key must be 479 defined 480 type: boolean 481 required: 482 - key 483 type: object 484 type: object 485 nodeToNodeMeshEnabled: 486 description: 'NodeToNodeMeshEnabled sets whether full node to node 487 BGP mesh is enabled. [Default: true]' 488 type: boolean 489 prefixAdvertisements: 490 description: PrefixAdvertisements contains per-prefix advertisement 491 configuration. 492 items: 493 description: PrefixAdvertisement configures advertisement properties 494 for the specified CIDR. 495 properties: 496 cidr: 497 description: CIDR for which properties should be advertised. 498 type: string 499 communities: 500 description: Communities can be list of either community names 501 already defined in `Specs.Communities` or community value 502 of format `aa:nn` or `aa:nn:mm`. For standard community use 503 `aa:nn` format, where `aa` and `nn` are 16 bit number. 
For 504 large community use `aa:nn:mm` format, where `aa`, `nn` and 505 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and 506 `mm` are per-AS identifier. 507 items: 508 type: string 509 type: array 510 type: object 511 type: array 512 serviceClusterIPs: 513 description: ServiceClusterIPs are the CIDR blocks from which service 514 cluster IPs are allocated. If specified, Calico will advertise these 515 blocks, as well as any cluster IPs within them. 516 items: 517 description: ServiceClusterIPBlock represents a single allowed ClusterIP 518 CIDR block. 519 properties: 520 cidr: 521 type: string 522 type: object 523 type: array 524 serviceExternalIPs: 525 description: ServiceExternalIPs are the CIDR blocks for Kubernetes 526 Service External IPs. Kubernetes Service ExternalIPs will only be 527 advertised if they are within one of these blocks. 528 items: 529 description: ServiceExternalIPBlock represents a single allowed 530 External IP CIDR block. 531 properties: 532 cidr: 533 type: string 534 type: object 535 type: array 536 serviceLoadBalancerIPs: 537 description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes 538 Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress 539 IPs will only be advertised if they are within one of these blocks. 540 items: 541 description: ServiceLoadBalancerIPBlock represents a single allowed 542 LoadBalancer IP CIDR block. 
543 properties: 544 cidr: 545 type: string 546 type: object 547 type: array 548 type: object 549 type: object 550 served: true 551 storage: true 552 status: 553 acceptedNames: 554 kind: "" 555 plural: "" 556 conditions: [] 557 storedVersions: [] 558 --- 559 apiVersion: apiextensions.k8s.io/v1 560 kind: CustomResourceDefinition 561 metadata: 562 annotations: 563 controller-gen.kubebuilder.io/version: (devel) 564 creationTimestamp: null 565 name: bgpfilters.crd.projectcalico.org 566 spec: 567 group: crd.projectcalico.org 568 names: 569 kind: BGPFilter 570 listKind: BGPFilterList 571 plural: bgpfilters 572 singular: bgpfilter 573 scope: Cluster 574 versions: 575 - name: v1 576 schema: 577 openAPIV3Schema: 578 properties: 579 apiVersion: 580 description: 'APIVersion defines the versioned schema of this representation 581 of an object. Servers should convert recognized schemas to the latest 582 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 583 type: string 584 kind: 585 description: 'Kind is a string value representing the REST resource this 586 object represents. Servers may infer this from the endpoint the client 587 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 588 type: string 589 metadata: 590 type: object 591 spec: 592 description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of 593 the BGP Filter. 594 properties: 595 exportV4: 596 description: The ordered set of IPv4 BGPFilter rules acting on exporting 597 routes to a peer. 598 items: 599 description: BGPFilterRuleV4 defines a BGP filter rule consisting 600 a single IPv4 CIDR block and a filter action for this CIDR. 
601 properties: 602 action: 603 type: string 604 cidr: 605 type: string 606 matchOperator: 607 type: string 608 required: 609 - action 610 - cidr 611 - matchOperator 612 type: object 613 type: array 614 exportV6: 615 description: The ordered set of IPv6 BGPFilter rules acting on exporting 616 routes to a peer. 617 items: 618 description: BGPFilterRuleV6 defines a BGP filter rule consisting 619 a single IPv6 CIDR block and a filter action for this CIDR. 620 properties: 621 action: 622 type: string 623 cidr: 624 type: string 625 matchOperator: 626 type: string 627 required: 628 - action 629 - cidr 630 - matchOperator 631 type: object 632 type: array 633 importV4: 634 description: The ordered set of IPv4 BGPFilter rules acting on importing 635 routes from a peer. 636 items: 637 description: BGPFilterRuleV4 defines a BGP filter rule consisting 638 a single IPv4 CIDR block and a filter action for this CIDR. 639 properties: 640 action: 641 type: string 642 cidr: 643 type: string 644 matchOperator: 645 type: string 646 required: 647 - action 648 - cidr 649 - matchOperator 650 type: object 651 type: array 652 importV6: 653 description: The ordered set of IPv6 BGPFilter rules acting on importing 654 routes from a peer. 655 items: 656 description: BGPFilterRuleV6 defines a BGP filter rule consisting 657 a single IPv6 CIDR block and a filter action for this CIDR. 
658 properties: 659 action: 660 type: string 661 cidr: 662 type: string 663 matchOperator: 664 type: string 665 required: 666 - action 667 - cidr 668 - matchOperator 669 type: object 670 type: array 671 type: object 672 type: object 673 served: true 674 storage: true 675 status: 676 acceptedNames: 677 kind: "" 678 plural: "" 679 conditions: [] 680 storedVersions: [] 681 --- 682 apiVersion: apiextensions.k8s.io/v1 683 kind: CustomResourceDefinition 684 metadata: 685 name: bgppeers.crd.projectcalico.org 686 spec: 687 group: crd.projectcalico.org 688 names: 689 kind: BGPPeer 690 listKind: BGPPeerList 691 plural: bgppeers 692 singular: bgppeer 693 preserveUnknownFields: false 694 scope: Cluster 695 versions: 696 - name: v1 697 schema: 698 openAPIV3Schema: 699 properties: 700 apiVersion: 701 description: 'APIVersion defines the versioned schema of this representation 702 of an object. Servers should convert recognized schemas to the latest 703 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 704 type: string 705 kind: 706 description: 'Kind is a string value representing the REST resource this 707 object represents. Servers may infer this from the endpoint the client 708 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 709 type: string 710 metadata: 711 type: object 712 spec: 713 description: BGPPeerSpec contains the specification for a BGPPeer resource. 714 properties: 715 asNumber: 716 description: The AS Number of the peer. 717 format: int32 718 type: integer 719 filters: 720 description: The ordered set of BGPFilters applied on this BGP peer. 721 items: 722 type: string 723 type: array 724 keepOriginalNextHop: 725 description: Option to keep the original nexthop field when routes 726 are sent to a BGP Peer. 
Setting "true" configures the selected BGP 727 Peers node to use the "next hop keep;" instead of "next hop self;"(default) 728 in the specific branch of the Node on "bird.cfg". 729 type: boolean 730 maxRestartTime: 731 description: Time to allow for software restart. When specified, 732 this is configured as the graceful restart timeout. When not specified, 733 the BIRD default of 120s is used. 734 type: string 735 node: 736 description: The node name identifying the Calico node instance that 737 is targeted by this peer. If this is not set, and no nodeSelector 738 is specified, then this BGP peer selects all nodes in the cluster. 739 type: string 740 nodeSelector: 741 description: Selector for the nodes that should have this peering. When 742 this is set, the Node field must be empty. 743 type: string 744 numAllowedLocalASNumbers: 745 description: Maximum number of local AS numbers that are allowed in 746 the AS path for received routes. This removes BGP loop prevention 747 and should only be used if absolutely necesssary. 748 format: int32 749 type: integer 750 password: 751 description: Optional BGP password for the peerings generated by this 752 BGPPeer resource. 753 properties: 754 secretKeyRef: 755 description: Selects a key of a secret in the node pod's namespace. 756 properties: 757 key: 758 description: The key of the secret to select from. Must be 759 a valid secret key. 760 type: string 761 name: 762 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 763 TODO: Add other useful fields. apiVersion, kind, uid?' 764 type: string 765 optional: 766 description: Specify whether the Secret or its key must be 767 defined 768 type: boolean 769 required: 770 - key 771 type: object 772 type: object 773 peerIP: 774 description: The IP address of the peer followed by an optional port 775 number to peer with. 
If port number is given, format should be `[<IPv6>]:port` 776 or `<IPv4>:<port>` for IPv4. If optional port number is not set, 777 and this peer IP and ASNumber belongs to a calico/node with ListenPort 778 set in BGPConfiguration, then we use that port to peer. 779 type: string 780 peerSelector: 781 description: Selector for the remote nodes to peer with. When this 782 is set, the PeerIP and ASNumber fields must be empty. For each 783 peering between the local node and selected remote nodes, we configure 784 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, 785 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The 786 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, 787 or the global default if that is not set. 788 type: string 789 reachableBy: 790 description: Add an exact, i.e. /32, static route toward peer IP in 791 order to prevent route flapping. ReachableBy contains the address 792 of the gateway which peer can be reached by. 793 type: string 794 sourceAddress: 795 description: Specifies whether and how to configure a source address 796 for the peerings generated by this BGPPeer resource. Default value 797 "UseNodeIP" means to configure the node IP as the source address. "None" 798 means not to configure a source address. 799 type: string 800 ttlSecurity: 801 description: TTLSecurity enables the generalized TTL security mechanism 802 (GTSM) which protects against spoofed packets by ignoring received 803 packets with a smaller than expected TTL value. The provided value 804 is the number of hops (edges) between the peers. 
805 type: integer 806 type: object 807 type: object 808 served: true 809 storage: true 810 status: 811 acceptedNames: 812 kind: "" 813 plural: "" 814 conditions: [] 815 storedVersions: [] 816 --- 817 apiVersion: apiextensions.k8s.io/v1 818 kind: CustomResourceDefinition 819 metadata: 820 name: blockaffinities.crd.projectcalico.org 821 spec: 822 group: crd.projectcalico.org 823 names: 824 kind: BlockAffinity 825 listKind: BlockAffinityList 826 plural: blockaffinities 827 singular: blockaffinity 828 preserveUnknownFields: false 829 scope: Cluster 830 versions: 831 - name: v1 832 schema: 833 openAPIV3Schema: 834 properties: 835 apiVersion: 836 description: 'APIVersion defines the versioned schema of this representation 837 of an object. Servers should convert recognized schemas to the latest 838 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 839 type: string 840 kind: 841 description: 'Kind is a string value representing the REST resource this 842 object represents. Servers may infer this from the endpoint the client 843 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 844 type: string 845 metadata: 846 type: object 847 spec: 848 description: BlockAffinitySpec contains the specification for a BlockAffinity 849 resource. 850 properties: 851 cidr: 852 type: string 853 deleted: 854 description: Deleted indicates that this block affinity is being deleted. 855 This field is a string for compatibility with older releases that 856 mistakenly treat this field as a string. 
857 type: string 858 node: 859 type: string 860 state: 861 type: string 862 required: 863 - cidr 864 - deleted 865 - node 866 - state 867 type: object 868 type: object 869 served: true 870 storage: true 871 status: 872 acceptedNames: 873 kind: "" 874 plural: "" 875 conditions: [] 876 storedVersions: [] 877 --- 878 apiVersion: apiextensions.k8s.io/v1 879 kind: CustomResourceDefinition 880 metadata: 881 annotations: 882 controller-gen.kubebuilder.io/version: (devel) 883 creationTimestamp: null 884 name: caliconodestatuses.crd.projectcalico.org 885 spec: 886 group: crd.projectcalico.org 887 names: 888 kind: CalicoNodeStatus 889 listKind: CalicoNodeStatusList 890 plural: caliconodestatuses 891 singular: caliconodestatus 892 preserveUnknownFields: false 893 scope: Cluster 894 versions: 895 - name: v1 896 schema: 897 openAPIV3Schema: 898 properties: 899 apiVersion: 900 description: 'APIVersion defines the versioned schema of this representation 901 of an object. Servers should convert recognized schemas to the latest 902 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 903 type: string 904 kind: 905 description: 'Kind is a string value representing the REST resource this 906 object represents. Servers may infer this from the endpoint the client 907 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 908 type: string 909 metadata: 910 type: object 911 spec: 912 description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus 913 resource. 914 properties: 915 classes: 916 description: Classes declares the types of information to monitor 917 for this calico/node, and allows for selective status reporting 918 about certain subsets of information. 
919 items: 920 type: string 921 type: array 922 node: 923 description: The node name identifies the Calico node instance for 924 node status. 925 type: string 926 updatePeriodSeconds: 927 description: UpdatePeriodSeconds is the period at which CalicoNodeStatus 928 should be updated. Set to 0 to disable CalicoNodeStatus refresh. 929 Maximum update period is one day. 930 format: int32 931 type: integer 932 type: object 933 status: 934 description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. 935 No validation needed for status since it is updated by Calico. 936 properties: 937 agent: 938 description: Agent holds agent status on the node. 939 properties: 940 birdV4: 941 description: BIRDV4 represents the latest observed status of bird4. 942 properties: 943 lastBootTime: 944 description: LastBootTime holds the value of lastBootTime 945 from bird.ctl output. 946 type: string 947 lastReconfigurationTime: 948 description: LastReconfigurationTime holds the value of lastReconfigTime 949 from bird.ctl output. 950 type: string 951 routerID: 952 description: Router ID used by bird. 953 type: string 954 state: 955 description: The state of the BGP Daemon. 956 type: string 957 version: 958 description: Version of the BGP daemon 959 type: string 960 type: object 961 birdV6: 962 description: BIRDV6 represents the latest observed status of bird6. 963 properties: 964 lastBootTime: 965 description: LastBootTime holds the value of lastBootTime 966 from bird.ctl output. 967 type: string 968 lastReconfigurationTime: 969 description: LastReconfigurationTime holds the value of lastReconfigTime 970 from bird.ctl output. 971 type: string 972 routerID: 973 description: Router ID used by bird. 974 type: string 975 state: 976 description: The state of the BGP Daemon. 977 type: string 978 version: 979 description: Version of the BGP daemon 980 type: string 981 type: object 982 type: object 983 bgp: 984 description: BGP holds node BGP status. 
985 properties: 986 numberEstablishedV4: 987 description: The total number of IPv4 established bgp sessions. 988 type: integer 989 numberEstablishedV6: 990 description: The total number of IPv6 established bgp sessions. 991 type: integer 992 numberNotEstablishedV4: 993 description: The total number of IPv4 non-established bgp sessions. 994 type: integer 995 numberNotEstablishedV6: 996 description: The total number of IPv6 non-established bgp sessions. 997 type: integer 998 peersV4: 999 description: PeersV4 represents IPv4 BGP peers status on the node. 1000 items: 1001 description: CalicoNodePeer contains the status of BGP peers 1002 on the node. 1003 properties: 1004 peerIP: 1005 description: IP address of the peer whose condition we are 1006 reporting. 1007 type: string 1008 since: 1009 description: Since the state or reason last changed. 1010 type: string 1011 state: 1012 description: State is the BGP session state. 1013 type: string 1014 type: 1015 description: Type indicates whether this peer is configured 1016 via the node-to-node mesh, or via en explicit global or 1017 per-node BGPPeer object. 1018 type: string 1019 type: object 1020 type: array 1021 peersV6: 1022 description: PeersV6 represents IPv6 BGP peers status on the node. 1023 items: 1024 description: CalicoNodePeer contains the status of BGP peers 1025 on the node. 1026 properties: 1027 peerIP: 1028 description: IP address of the peer whose condition we are 1029 reporting. 1030 type: string 1031 since: 1032 description: Since the state or reason last changed. 1033 type: string 1034 state: 1035 description: State is the BGP session state. 1036 type: string 1037 type: 1038 description: Type indicates whether this peer is configured 1039 via the node-to-node mesh, or via en explicit global or 1040 per-node BGPPeer object. 
1041 type: string 1042 type: object 1043 type: array 1044 required: 1045 - numberEstablishedV4 1046 - numberEstablishedV6 1047 - numberNotEstablishedV4 1048 - numberNotEstablishedV6 1049 type: object 1050 lastUpdated: 1051 description: LastUpdated is a timestamp representing the server time 1052 when CalicoNodeStatus object last updated. It is represented in 1053 RFC3339 form and is in UTC. 1054 format: date-time 1055 nullable: true 1056 type: string 1057 routes: 1058 description: Routes reports routes known to the Calico BGP daemon 1059 on the node. 1060 properties: 1061 routesV4: 1062 description: RoutesV4 represents IPv4 routes on the node. 1063 items: 1064 description: CalicoNodeRoute contains the status of BGP routes 1065 on the node. 1066 properties: 1067 destination: 1068 description: Destination of the route. 1069 type: string 1070 gateway: 1071 description: Gateway for the destination. 1072 type: string 1073 interface: 1074 description: Interface for the destination 1075 type: string 1076 learnedFrom: 1077 description: LearnedFrom contains information regarding 1078 where this route originated. 1079 properties: 1080 peerIP: 1081 description: If sourceType is NodeMesh or BGPPeer, IP 1082 address of the router that sent us this route. 1083 type: string 1084 sourceType: 1085 description: Type of the source where a route is learned 1086 from. 1087 type: string 1088 type: object 1089 type: 1090 description: Type indicates if the route is being used for 1091 forwarding or not. 1092 type: string 1093 type: object 1094 type: array 1095 routesV6: 1096 description: RoutesV6 represents IPv6 routes on the node. 1097 items: 1098 description: CalicoNodeRoute contains the status of BGP routes 1099 on the node. 1100 properties: 1101 destination: 1102 description: Destination of the route. 1103 type: string 1104 gateway: 1105 description: Gateway for the destination. 
1106 type: string 1107 interface: 1108 description: Interface for the destination 1109 type: string 1110 learnedFrom: 1111 description: LearnedFrom contains information regarding 1112 where this route originated. 1113 properties: 1114 peerIP: 1115 description: If sourceType is NodeMesh or BGPPeer, IP 1116 address of the router that sent us this route. 1117 type: string 1118 sourceType: 1119 description: Type of the source where a route is learned 1120 from. 1121 type: string 1122 type: object 1123 type: 1124 description: Type indicates if the route is being used for 1125 forwarding or not. 1126 type: string 1127 type: object 1128 type: array 1129 type: object 1130 type: object 1131 type: object 1132 served: true 1133 storage: true 1134 status: 1135 acceptedNames: 1136 kind: "" 1137 plural: "" 1138 conditions: [] 1139 storedVersions: [] 1140 --- 1141 apiVersion: apiextensions.k8s.io/v1 1142 kind: CustomResourceDefinition 1143 metadata: 1144 name: clusterinformations.crd.projectcalico.org 1145 spec: 1146 group: crd.projectcalico.org 1147 names: 1148 kind: ClusterInformation 1149 listKind: ClusterInformationList 1150 plural: clusterinformations 1151 singular: clusterinformation 1152 preserveUnknownFields: false 1153 scope: Cluster 1154 versions: 1155 - name: v1 1156 schema: 1157 openAPIV3Schema: 1158 description: ClusterInformation contains the cluster specific information. 1159 properties: 1160 apiVersion: 1161 description: 'APIVersion defines the versioned schema of this representation 1162 of an object. Servers should convert recognized schemas to the latest 1163 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1164 type: string 1165 kind: 1166 description: 'Kind is a string value representing the REST resource this 1167 object represents. Servers may infer this from the endpoint the client 1168 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1169 type: string 1170 metadata: 1171 type: object 1172 spec: 1173 description: ClusterInformationSpec contains the values of describing 1174 the cluster. 1175 properties: 1176 calicoVersion: 1177 description: CalicoVersion is the version of Calico that the cluster 1178 is running 1179 type: string 1180 clusterGUID: 1181 description: ClusterGUID is the GUID of the cluster 1182 type: string 1183 clusterType: 1184 description: ClusterType describes the type of the cluster 1185 type: string 1186 datastoreReady: 1187 description: DatastoreReady is used during significant datastore migrations 1188 to signal to components such as Felix that it should wait before 1189 accessing the datastore. 1190 type: boolean 1191 variant: 1192 description: Variant declares which variant of Calico should be active. 1193 type: string 1194 type: object 1195 type: object 1196 served: true 1197 storage: true 1198 status: 1199 acceptedNames: 1200 kind: "" 1201 plural: "" 1202 conditions: [] 1203 storedVersions: [] 1204 --- 1205 apiVersion: apiextensions.k8s.io/v1 1206 kind: CustomResourceDefinition 1207 metadata: 1208 name: felixconfigurations.crd.projectcalico.org 1209 spec: 1210 group: crd.projectcalico.org 1211 names: 1212 kind: FelixConfiguration 1213 listKind: FelixConfigurationList 1214 plural: felixconfigurations 1215 singular: felixconfiguration 1216 preserveUnknownFields: false 1217 scope: Cluster 1218 versions: 1219 - name: v1 1220 schema: 1221 openAPIV3Schema: 1222 description: Felix Configuration contains the configuration for Felix. 1223 properties: 1224 apiVersion: 1225 description: 'APIVersion defines the versioned schema of this representation 1226 of an object. Servers should convert recognized schemas to the latest 1227 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 1228 type: string 1229 kind: 1230 description: 'Kind is a string value representing the REST resource this 1231 object represents. Servers may infer this from the endpoint the client 1232 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 1233 type: string 1234 metadata: 1235 type: object 1236 spec: 1237 description: FelixConfigurationSpec contains the values of the Felix configuration. 1238 properties: 1239 allowIPIPPacketsFromWorkloads: 1240 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix 1241 will add a rule to drop IPIP encapsulated traffic from workloads 1242 [Default: false]' 1243 type: boolean 1244 allowVXLANPacketsFromWorkloads: 1245 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix 1246 will add a rule to drop VXLAN encapsulated traffic from workloads 1247 [Default: false]' 1248 type: boolean 1249 awsSrcDstCheck: 1250 description: 'Set source-destination-check on AWS EC2 instances. Accepted 1251 value must be one of "DoNothing", "Enable" or "Disable". [Default: 1252 DoNothing]' 1253 enum: 1254 - DoNothing 1255 - Enable 1256 - Disable 1257 type: string 1258 bpfConnectTimeLoadBalancingEnabled: 1259 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, 1260 controls whether Felix installs the connection-time load balancer. The 1261 connect-time load balancer is required for the host to be able to 1262 reach Kubernetes services and it improves the performance of pod-to-service 1263 connections. The only reason to disable it is for debugging purposes. [Default: 1264 true]' 1265 type: boolean 1266 bpfDSROptoutCIDRs: 1267 description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded 1268 from DSR. 
That is, clients in those CIDRs will access nodeports 1269 as if BPFExternalServiceMode was set to Tunnel. 1270 items: 1271 type: string 1272 type: array 1273 bpfDataIfacePattern: 1274 description: BPFDataIfacePattern is a regular expression that controls 1275 which interfaces Felix should attach BPF programs to in order to 1276 catch traffic to/from the network. This needs to match the interfaces 1277 that Calico workload traffic flows over as well as any interfaces 1278 that handle incoming traffic to nodeports and services from outside 1279 the cluster. It should not match the workload interfaces (usually 1280 named cali...). 1281 type: string 1282 bpfDisableUnprivileged: 1283 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 1284 sysctl to disable unprivileged use of BPF. This ensures that unprivileged 1285 users cannot access Calico''s BPF maps and cannot insert their own 1286 BPF programs to interfere with Calico''s. [Default: true]' 1287 type: boolean 1288 bpfEnabled: 1289 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. 1290 [Default: false]' 1291 type: boolean 1292 bpfEnforceRPF: 1293 description: 'BPFEnforceRPF enforces strict RPF on all host interfaces 1294 with BPF programs regardless of what is the per-interfaces or global 1295 setting. Possible values are Disabled, Strict or Loose. [Default: 1296 Loose]' 1297 type: string 1298 bpfExtToServiceConnmark: 1299 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 1300 mark that is set on connections from an external client to a local 1301 service. This mark allows us to control how packets of that connection 1302 are routed within the host and how routing is interpreted by the RPF 1303 check. 
[Default: 0]' 1304 type: integer 1305 bpfExternalServiceMode: 1306 description: 'BPFExternalServiceMode in BPF mode, controls how connections 1307 from outside the cluster to services (node ports and cluster IPs) 1308 are forwarded to remote workloads. If set to "Tunnel" then both 1309 request and response traffic is tunneled to the remote node. If 1310 set to "DSR", the request traffic is tunneled but the response traffic 1311 is sent directly from the remote node. In "DSR" mode, the remote 1312 node appears to use the IP of the ingress node; this requires a 1313 permissive L2 network. [Default: Tunnel]' 1314 type: string 1315 bpfHostConntrackBypass: 1316 description: 'BPFHostConntrackBypass Controls whether to bypass Linux 1317 conntrack in BPF mode for workloads and services. [Default: true 1318 - bypass Linux conntrack]' 1319 type: boolean 1320 bpfKubeProxyEndpointSlicesEnabled: 1321 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls 1322 whether Felix's embedded kube-proxy accepts EndpointSlices or not. 1323 type: boolean 1324 bpfKubeProxyIptablesCleanupEnabled: 1325 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF 1326 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s 1327 iptables chains. Should only be enabled if kube-proxy is not running. [Default: 1328 true]' 1329 type: boolean 1330 bpfKubeProxyMinSyncPeriod: 1331 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the 1332 minimum time between updates to the dataplane for Felix''s embedded 1333 kube-proxy. Lower values give reduced set-up latency. Higher values 1334 reduce Felix CPU usage by batching up more work. [Default: 1s]' 1335 type: string 1336 bpfL3IfacePattern: 1337 description: BPFL3IfacePattern is a regular expression that allows 1338 to list tunnel devices like wireguard or vxlan (i.e., L3 devices) 1339 in addition to BPFDataIfacePattern. 
That is, tunnel interfaces not 1340 created by Calico, that Calico workload traffic flows over as well 1341 as any interfaces that handle incoming traffic to nodeports and 1342 services from outside the cluster. 1343 type: string 1344 bpfLogLevel: 1345 description: 'BPFLogLevel controls the log level of the BPF programs 1346 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 1347 logs are emitted to the BPF trace pipe, accessible with the command 1348 `tc exec bpf debug`. [Default: Off].' 1349 type: string 1350 bpfMapSizeConntrack: 1351 description: 'BPFMapSizeConntrack sets the size for the conntrack 1352 map. This map must be large enough to hold an entry for each active 1353 connection. Warning: changing the size of the conntrack map can 1354 cause disruption.' 1355 type: integer 1356 bpfMapSizeIPSets: 1357 description: BPFMapSizeIPSets sets the size for ipsets map. The IP 1358 sets map must be large enough to hold an entry for each endpoint 1359 matched by every selector in the source/destination matches in network 1360 policy. Selectors such as "all()" can result in large numbers of 1361 entries (one entry per endpoint in that case). 1362 type: integer 1363 bpfMapSizeIfState: 1364 description: BPFMapSizeIfState sets the size for ifstate map. The 1365 ifstate map must be large enough to hold an entry for each device 1366 (host + workloads) on a host. 1367 type: integer 1368 bpfMapSizeNATAffinity: 1369 type: integer 1370 bpfMapSizeNATBackend: 1371 description: BPFMapSizeNATBackend sets the size for nat back end map. 1372 This is the total number of endpoints. This is mostly more than 1373 the size of the number of services. 1374 type: integer 1375 bpfMapSizeNATFrontend: 1376 description: BPFMapSizeNATFrontend sets the size for nat front end 1377 map. FrontendMap should be large enough to hold an entry for each 1378 nodeport, external IP and each port in each service. 
1379 type: integer 1380 bpfMapSizeRoute: 1381 description: BPFMapSizeRoute sets the size for the routes map. The 1382 routes map should be large enough to hold one entry per workload 1383 and a handful of entries per host (enough to cover its own IPs and 1384 tunnel IPs). 1385 type: integer 1386 bpfPSNATPorts: 1387 anyOf: 1388 - type: integer 1389 - type: string 1390 description: 'BPFPSNATPorts sets the range from which we randomly 1391 pick a port if there is a source port collision. This should be 1392 within the ephemeral range as defined by RFC 6056 (1024–65535) and 1393 preferably outside the ephemeral ranges used by common operating 1394 systems. Linux uses 32768–60999, while others mostly use the IANA 1395 defined range 49152–65535. It is not necessarily a problem if this 1396 range overlaps with the operating systems. Both ends of the range 1397 are inclusive. [Default: 20000:29999]' 1398 pattern: ^.* 1399 x-kubernetes-int-or-string: true 1400 bpfPolicyDebugEnabled: 1401 description: BPFPolicyDebugEnabled when true, Felix records detailed 1402 information about the BPF policy programs, which can be examined 1403 with the calico-bpf command-line tool. 1404 type: boolean 1405 chainInsertMode: 1406 description: 'ChainInsertMode controls whether Felix hooks the kernel''s 1407 top-level iptables chains by inserting a rule at the top of the 1408 chain or by appending a rule at the bottom. insert is the safe default 1409 since it prevents Calico''s rules from being bypassed. If you switch 1410 to append mode, be sure that the other rules in the chains signal 1411 acceptance by falling through to the Calico rules, otherwise the 1412 Calico policy will be bypassed. [Default: insert]' 1413 type: string 1414 dataplaneDriver: 1415 description: DataplaneDriver filename of the external dataplane driver 1416 to use. Only used if UseInternalDataplaneDriver is set to false. 
1417 type: string 1418 dataplaneWatchdogTimeout: 1419 description: "DataplaneWatchdogTimeout is the readiness/liveness timeout 1420 used for Felix's (internal) dataplane driver. Increase this value 1421 if you experience spurious non-ready or non-live events when Felix 1422 is under heavy load. Decrease the value to get felix to report non-live 1423 or non-ready more quickly. [Default: 90s] \n Deprecated: replaced 1424 by the generic HealthTimeoutOverrides." 1425 type: string 1426 debugDisableLogDropping: 1427 type: boolean 1428 debugMemoryProfilePath: 1429 type: string 1430 debugSimulateCalcGraphHangAfter: 1431 type: string 1432 debugSimulateDataplaneHangAfter: 1433 type: string 1434 defaultEndpointToHostAction: 1435 description: 'DefaultEndpointToHostAction controls what happens to 1436 traffic that goes from a workload endpoint to the host itself (after 1437 the traffic hits the endpoint egress policy). By default Calico 1438 blocks traffic from workload endpoints to the host itself with an 1439 iptables "DROP" action. If you want to allow some or all traffic 1440 from endpoint to host, set this parameter to RETURN or ACCEPT. Use 1441 RETURN if you have your own rules in the iptables "INPUT" chain; 1442 Calico will insert its rules at the top of that chain, then "RETURN" 1443 packets to the "INPUT" chain once it has completed processing workload 1444 endpoint egress policy. Use ACCEPT to unconditionally accept packets 1445 from workloads after processing workload endpoint egress policy. 1446 [Default: Drop]' 1447 type: string 1448 deviceRouteProtocol: 1449 description: This defines the route protocol added to programmed device 1450 routes, by default this will be RTPROT_BOOT when left blank. 1451 type: integer 1452 deviceRouteSourceAddress: 1453 description: This is the IPv4 source address to use on programmed 1454 device routes. By default the source address is left blank, leaving 1455 the kernel to choose the source address used. 
1456 type: string 1457 deviceRouteSourceAddressIPv6: 1458 description: This is the IPv6 source address to use on programmed 1459 device routes. By default the source address is left blank, leaving 1460 the kernel to choose the source address used. 1461 type: string 1462 disableConntrackInvalidCheck: 1463 type: boolean 1464 endpointReportingDelay: 1465 type: string 1466 endpointReportingEnabled: 1467 type: boolean 1468 externalNodesList: 1469 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes 1470 which may source tunnel traffic and have the tunneled traffic be 1471 accepted at calico nodes. 1472 items: 1473 type: string 1474 type: array 1475 failsafeInboundHostPorts: 1476 description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports 1477 and CIDRs that Felix will allow incoming traffic to host endpoints 1478 on irrespective of the security policy. This is useful to avoid 1479 accidentally cutting off a host with incorrect configuration. For 1480 back-compatibility, if the protocol is not specified, it defaults 1481 to "tcp". If a CIDR is not specified, it will allow traffic from 1482 all addresses. To disable all inbound host ports, use the value 1483 none. The default value allows ssh access and DHCP. [Default: tcp:22, 1484 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' 1485 items: 1486 description: ProtoPort is combination of protocol, port, and CIDR. 1487 Protocol and port must be specified. 1488 properties: 1489 net: 1490 type: string 1491 port: 1492 type: integer 1493 protocol: 1494 type: string 1495 required: 1496 - port 1497 - protocol 1498 type: object 1499 type: array 1500 failsafeOutboundHostPorts: 1501 description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports 1502 and CIDRs that Felix will allow outgoing traffic from host endpoints 1503 to irrespective of the security policy. This is useful to avoid 1504 accidentally cutting off a host with incorrect configuration. 
For 1505 back-compatibility, if the protocol is not specified, it defaults 1506 to "tcp". If a CIDR is not specified, it will allow traffic from 1507 all addresses. To disable all outbound host ports, use the value 1508 none. The default value opens etcd''s standard ports to ensure that 1509 Felix does not get cut off from etcd as well as allowing DHCP and 1510 DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, 1511 tcp:6667, udp:53, udp:67]' 1512 items: 1513 description: ProtoPort is combination of protocol, port, and CIDR. 1514 Protocol and port must be specified. 1515 properties: 1516 net: 1517 type: string 1518 port: 1519 type: integer 1520 protocol: 1521 type: string 1522 required: 1523 - port 1524 - protocol 1525 type: object 1526 type: array 1527 featureDetectOverride: 1528 description: FeatureDetectOverride is used to override feature detection 1529 based on auto-detected platform capabilities. Values are specified 1530 in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" 1531 or "false" will force the feature, empty or omitted values are auto-detected. 1532 type: string 1533 featureGates: 1534 description: FeatureGates is used to enable or disable tech-preview 1535 Calico features. Values are specified in a comma separated list 1536 with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". 1537 This is used to enable features that are not fully production ready. 1538 type: string 1539 floatingIPs: 1540 description: FloatingIPs configures whether or not Felix will program 1541 non-OpenStack floating IP addresses. (OpenStack-derived floating 1542 IPs are always programmed, regardless of this setting.) 1543 enum: 1544 - Enabled 1545 - Disabled 1546 type: string 1547 genericXDPEnabled: 1548 description: 'GenericXDPEnabled enables Generic XDP so network cards 1549 that don''t support XDP offload or driver modes can use XDP. 
This 1550 is not recommended since it doesn''t provide better performance 1551 than iptables. [Default: false]' 1552 type: boolean 1553 healthEnabled: 1554 type: boolean 1555 healthHost: 1556 type: string 1557 healthPort: 1558 type: integer 1559 healthTimeoutOverrides: 1560 description: HealthTimeoutOverrides allows the internal watchdog timeouts 1561 of individual subcomponents to be overridden. This is useful for 1562 working around "false positive" liveness timeouts that can occur 1563 in particularly stressful workloads or if CPU is constrained. For 1564 a list of active subcomponents, see Felix's logs. 1565 items: 1566 properties: 1567 name: 1568 type: string 1569 timeout: 1570 type: string 1571 required: 1572 - name 1573 - timeout 1574 type: object 1575 type: array 1576 interfaceExclude: 1577 description: 'InterfaceExclude is a comma-separated list of interfaces 1578 that Felix should exclude when monitoring for host endpoints. The 1579 default value ensures that Felix ignores Kubernetes'' IPVS dummy 1580 interface, which is used internally by kube-proxy. If you want to 1581 exclude multiple interface names using a single value, the list 1582 supports regular expressions. For regular expressions you must wrap 1583 the value with ''/''. For example having values ''/^kube/,veth1'' 1584 will exclude all interfaces that begin with ''kube'' and also the 1585 interface ''veth1''. [Default: kube-ipvs0]' 1586 type: string 1587 interfacePrefix: 1588 description: 'InterfacePrefix is the interface name prefix that identifies 1589 workload endpoints and so distinguishes them from host endpoint 1590 interfaces. Note: in environments other than bare metal, the orchestrators 1591 configure this appropriately. For example our Kubernetes and Docker 1592 integrations set the ''cali'' value, and our OpenStack integration 1593 sets the ''tap'' value. 
[Default: cali]' 1594 type: string 1595 interfaceRefreshInterval: 1596 description: InterfaceRefreshInterval is the period at which Felix 1597 rescans local interfaces to verify their state. The rescan can be 1598 disabled by setting the interval to 0. 1599 type: string 1600 ipipEnabled: 1601 description: 'IPIPEnabled overrides whether Felix should configure 1602 an IPIP interface on the host. Optional as Felix determines this 1603 based on the existing IP pools. [Default: nil (unset)]' 1604 type: boolean 1605 ipipMTU: 1606 description: 'IPIPMTU is the MTU to set on the tunnel device. See 1607 Configuring MTU [Default: 1440]' 1608 type: integer 1609 ipsetsRefreshInterval: 1610 description: 'IpsetsRefreshInterval is the period at which Felix re-checks 1611 all iptables state to ensure that no other process has accidentally 1612 broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 1613 90s]' 1614 type: string 1615 iptablesBackend: 1616 description: IptablesBackend specifies which backend of iptables will 1617 be used. The default is Auto. 1618 type: string 1619 iptablesFilterAllowAction: 1620 type: string 1621 iptablesFilterDenyAction: 1622 description: IptablesFilterDenyAction controls what happens to traffic 1623 that is denied by network policy. By default Calico blocks traffic 1624 with an iptables "DROP" action. If you want to use "REJECT" action 1625 instead you can configure it in here. 1626 type: string 1627 iptablesLockFilePath: 1628 description: 'IptablesLockFilePath is the location of the iptables 1629 lock file. You may need to change this if the lock file is not in 1630 its standard location (for example if you have mapped it into Felix''s 1631 container at a different path). [Default: /run/xtables.lock]' 1632 type: string 1633 iptablesLockProbeInterval: 1634 description: 'IptablesLockProbeInterval is the time that Felix will 1635 wait between attempts to acquire the iptables lock if it is not 1636 available. 
Lower values make Felix more responsive when the lock 1637 is contended, but use more CPU. [Default: 50ms]' 1638 type: string 1639 iptablesLockTimeout: 1640 description: 'IptablesLockTimeout is the time that Felix will wait 1641 for the iptables lock, or 0, to disable. To use this feature, Felix 1642 must share the iptables lock file with all other processes that 1643 also take the lock. When running Felix inside a container, this 1644 requires the /run directory of the host to be mounted into the calico/node 1645 or calico/felix container. [Default: 0s disabled]' 1646 type: string 1647 iptablesMangleAllowAction: 1648 type: string 1649 iptablesMarkMask: 1650 description: 'IptablesMarkMask is the mask that Felix selects its 1651 IPTables Mark bits from. Should be a 32 bit hexadecimal number with 1652 at least 8 bits set, none of which clash with any other mark bits 1653 in use on the system. [Default: 0xff000000]' 1654 format: int32 1655 type: integer 1656 iptablesNATOutgoingInterfaceFilter: 1657 type: string 1658 iptablesPostWriteCheckInterval: 1659 description: 'IptablesPostWriteCheckInterval is the period after Felix 1660 has done a write to the dataplane that it schedules an extra read 1661 back in order to check the write was not clobbered by another process. 1662 This should only occur if another application on the system doesn''t 1663 respect the iptables lock. [Default: 1s]' 1664 type: string 1665 iptablesRefreshInterval: 1666 description: 'IptablesRefreshInterval is the period at which Felix 1667 re-checks the IP sets in the dataplane to ensure that no other process 1668 has accidentally broken Calico''s rules. Set to 0 to disable IP 1669 sets refresh. Note: the default for this value is lower than the 1670 other refresh intervals as a workaround for a Linux kernel bug that 1671 was fixed in kernel version 4.11. If you are using v4.11 or greater 1672 you may want to set this to a higher value to reduce Felix CPU 1673 usage. 
[Default: 10s]' 1674 type: string 1675 ipv6Support: 1676 description: IPv6Support controls whether Felix enables support for 1677 IPv6 (if supported by the in-use dataplane). 1678 type: boolean 1679 kubeNodePortRanges: 1680 description: 'KubeNodePortRanges holds list of port ranges used for 1681 service node ports. Only used if felix detects kube-proxy running 1682 in ipvs mode. Felix uses these ranges to separate host and workload 1683 traffic. [Default: 30000:32767].' 1684 items: 1685 anyOf: 1686 - type: integer 1687 - type: string 1688 pattern: ^.* 1689 x-kubernetes-int-or-string: true 1690 type: array 1691 logDebugFilenameRegex: 1692 description: LogDebugFilenameRegex controls which source code files 1693 have their Debug log output included in the logs. Only logs from 1694 files with names that match the given regular expression are included. The 1695 filter only applies to Debug level logs. 1696 type: string 1697 logFilePath: 1698 description: 'LogFilePath is the full path to the Felix log. Set to 1699 none to disable file logging. [Default: /var/log/calico/felix.log]' 1700 type: string 1701 logPrefix: 1702 description: 'LogPrefix is the log prefix that Felix uses when rendering 1703 LOG rules. [Default: calico-packet]' 1704 type: string 1705 logSeverityFile: 1706 description: 'LogSeverityFile is the log severity above which logs 1707 are sent to the log file. [Default: Info]' 1708 type: string 1709 logSeverityScreen: 1710 description: 'LogSeverityScreen is the log severity above which logs 1711 are sent to the stdout. [Default: Info]' 1712 type: string 1713 logSeveritySys: 1714 description: 'LogSeveritySys is the log severity above which logs 1715 are sent to the syslog. Set to None for no logging to syslog. [Default: 1716 Info]' 1717 type: string 1718 maxIpsetSize: 1719 type: integer 1720 metadataAddr: 1721 description: 'MetadataAddr is the IP address or domain name of the 1722 server that can answer VM queries for cloud-init metadata. 
In OpenStack, 1723 this corresponds to the machine running nova-api (or in Ubuntu, 1724 nova-api-metadata). A value of none (case insensitive) means that 1725 Felix should not set up any NAT rule for the metadata path. [Default: 1726 127.0.0.1]' 1727 type: string 1728 metadataPort: 1729 description: 'MetadataPort is the port of the metadata server. This, 1730 combined with global.MetadataAddr (if not ''None''), is used to 1731 set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 1732 In most cases this should not need to be changed [Default: 8775].' 1733 type: integer 1734 mtuIfacePattern: 1735 description: MTUIfacePattern is a regular expression that controls 1736 which interfaces Felix should scan in order to calculate the host's 1737 MTU. This should not match workload interfaces (usually named cali...). 1738 type: string 1739 natOutgoingAddress: 1740 description: NATOutgoingAddress specifies an address to use when performing 1741 source NAT for traffic in a natOutgoing pool that is leaving the 1742 network. By default the address used is an address on the interface 1743 the traffic is leaving on (ie it uses the iptables MASQUERADE target) 1744 type: string 1745 natPortRange: 1746 anyOf: 1747 - type: integer 1748 - type: string 1749 description: NATPortRange specifies the range of ports that is used 1750 for port mapping when doing outgoing NAT. When unset the default 1751 behavior of the network stack is used. 1752 pattern: ^.* 1753 x-kubernetes-int-or-string: true 1754 netlinkTimeout: 1755 type: string 1756 openstackRegion: 1757 description: 'OpenstackRegion is the name of the region that a particular 1758 Felix belongs to. In a multi-region Calico/OpenStack deployment, 1759 this must be configured somehow for each Felix (here in the datamodel, 1760 or in felix.cfg or the environment on each compute node), and must 1761 match the [calico] openstack_region value configured in neutron.conf 1762 on each node. 
[Default: Empty]' 1763 type: string 1764 policySyncPathPrefix: 1765 description: 'PolicySyncPathPrefix is used to by Felix to communicate 1766 policy changes to external services, like Application layer policy. 1767 [Default: Empty]' 1768 type: string 1769 prometheusGoMetricsEnabled: 1770 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics 1771 collection, which the Prometheus client does by default, when set 1772 to false. This reduces the number of metrics reported, reducing 1773 Prometheus load. [Default: true]' 1774 type: boolean 1775 prometheusMetricsEnabled: 1776 description: 'PrometheusMetricsEnabled enables the Prometheus metrics 1777 server in Felix if set to true. [Default: false]' 1778 type: boolean 1779 prometheusMetricsHost: 1780 description: 'PrometheusMetricsHost is the host that the Prometheus 1781 metrics server should bind to. [Default: empty]' 1782 type: string 1783 prometheusMetricsPort: 1784 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 1785 metrics server should bind to. [Default: 9091]' 1786 type: integer 1787 prometheusProcessMetricsEnabled: 1788 description: 'PrometheusProcessMetricsEnabled disables process metrics 1789 collection, which the Prometheus client does by default, when set 1790 to false. This reduces the number of metrics reported, reducing 1791 Prometheus load. [Default: true]' 1792 type: boolean 1793 prometheusWireGuardMetricsEnabled: 1794 description: 'PrometheusWireGuardMetricsEnabled disables wireguard 1795 metrics collection, which the Prometheus client does by default, 1796 when set to false. This reduces the number of metrics reported, 1797 reducing Prometheus load. [Default: true]' 1798 type: boolean 1799 removeExternalRoutes: 1800 description: Whether or not to remove device routes that have not 1801 been programmed by Felix. Disabling this will allow external applications 1802 to also add device routes. 
This is enabled by default, which means 1803 we will remove externally added routes. 1804 type: boolean 1805 reportingInterval: 1806 description: 'ReportingInterval is the interval at which Felix reports 1807 its status into the datastore or 0 to disable. Must be non-zero 1808 in OpenStack deployments. [Default: 30s]' 1809 type: string 1810 reportingTTL: 1811 description: 'ReportingTTL is the time-to-live setting for process-wide 1812 status reports. [Default: 90s]' 1813 type: string 1814 routeRefreshInterval: 1815 description: 'RouteRefreshInterval is the period at which Felix re-checks 1816 the routes in the dataplane to ensure that no other process has 1817 accidentally broken Calico''s rules. Set to 0 to disable route refresh. 1818 [Default: 90s]' 1819 type: string 1820 routeSource: 1821 description: 'RouteSource configures where Felix gets its routing 1822 information. - WorkloadIPs: use workload endpoints to construct 1823 routes. - CalicoIPAM: the default - use IPAM data to construct routes.' 1824 type: string 1825 routeSyncDisabled: 1826 description: RouteSyncDisabled will disable all operations performed 1827 on the route table. Set to true to run in network-policy mode only. 1828 type: boolean 1829 routeTableRange: 1830 description: Deprecated in favor of RouteTableRanges. Calico programs 1831 additional Linux route tables for various purposes. RouteTableRange 1832 specifies the indices of the route tables that Calico should use. 1833 properties: 1834 max: 1835 type: integer 1836 min: 1837 type: integer 1838 required: 1839 - max 1840 - min 1841 type: object 1842 routeTableRanges: 1843 description: Calico programs additional Linux route tables for various 1844 purposes. RouteTableRanges specifies a set of table index ranges 1845 that Calico should use. Deprecates `RouteTableRange`, overrides `RouteTableRange`. 
1846 items: 1847 properties: 1848 max: 1849 type: integer 1850 min: 1851 type: integer 1852 required: 1853 - max 1854 - min 1855 type: object 1856 type: array 1857 serviceLoopPrevention: 1858 description: 'When service IP advertisement is enabled, prevent routing 1859 loops to service IPs that are not in use, by dropping or rejecting 1860 packets that do not get DNAT''d by kube-proxy, unless set to "Disabled", 1861 in which case such routing loops continue to be allowed. [Default: 1862 Drop]' 1863 type: string 1864 sidecarAccelerationEnabled: 1865 description: 'SidecarAccelerationEnabled enables experimental sidecar 1866 acceleration. [Default: false]' 1867 type: boolean 1868 usageReportingEnabled: 1869 description: 'UsageReportingEnabled reports anonymous Calico version 1870 number and cluster size to projectcalico.org. Logs warnings returned 1871 by the usage server, for example when a significant security vulnerability 1872 has been discovered in the version of Calico being used. [Default: 1873 true]' 1874 type: boolean 1875 usageReportingInitialDelay: 1876 description: 'UsageReportingInitialDelay controls the minimum delay 1877 before Felix makes a report. [Default: 300s]' 1878 type: string 1879 usageReportingInterval: 1880 description: 'UsageReportingInterval controls the interval at which 1881 Felix makes reports. [Default: 86400s]' 1882 type: string 1883 useInternalDataplaneDriver: 1884 description: UseInternalDataplaneDriver, if true, makes Felix use its 1885 internal dataplane programming logic. If false, it will launch 1886 an external dataplane driver and communicate with it over protobuf. 1887 type: boolean 1888 vxlanEnabled: 1889 description: 'VXLANEnabled overrides whether Felix should create the 1890 VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix 1891 determines this based on the existing IP pools. 
[Default: nil (unset)]' 1892 type: boolean 1893 vxlanMTU: 1894 description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel 1895 device. See Configuring MTU [Default: 1410]' 1896 type: integer 1897 vxlanMTUV6: 1898 description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel 1899 device. See Configuring MTU [Default: 1390]' 1900 type: integer 1901 vxlanPort: 1902 type: integer 1903 vxlanVNI: 1904 type: integer 1905 wireguardEnabled: 1906 description: 'WireguardEnabled controls whether Wireguard is enabled 1907 for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). 1908 [Default: false]' 1909 type: boolean 1910 wireguardEnabledV6: 1911 description: 'WireguardEnabledV6 controls whether Wireguard is enabled 1912 for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). 1913 [Default: false]' 1914 type: boolean 1915 wireguardHostEncryptionEnabled: 1916 description: 'WireguardHostEncryptionEnabled controls whether Wireguard 1917 host-to-host encryption is enabled. [Default: false]' 1918 type: boolean 1919 wireguardInterfaceName: 1920 description: 'WireguardInterfaceName specifies the name to use for 1921 the IPv4 Wireguard interface. [Default: wireguard.cali]' 1922 type: string 1923 wireguardInterfaceNameV6: 1924 description: 'WireguardInterfaceNameV6 specifies the name to use for 1925 the IPv6 Wireguard interface. [Default: wg-v6.cali]' 1926 type: string 1927 wireguardKeepAlive: 1928 description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive 1929 option. Set 0 to disable. [Default: 0]' 1930 type: string 1931 wireguardListeningPort: 1932 description: 'WireguardListeningPort controls the listening port used 1933 by IPv4 Wireguard. [Default: 51820]' 1934 type: integer 1935 wireguardListeningPortV6: 1936 description: 'WireguardListeningPortV6 controls the listening port 1937 used by IPv6 Wireguard. 
[Default: 51821]' 1938 type: integer 1939 wireguardMTU: 1940 description: 'WireguardMTU controls the MTU on the IPv4 Wireguard 1941 interface. See Configuring MTU [Default: 1440]' 1942 type: integer 1943 wireguardMTUV6: 1944 description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard 1945 interface. See Configuring MTU [Default: 1420]' 1946 type: integer 1947 wireguardRoutingRulePriority: 1948 description: 'WireguardRoutingRulePriority controls the priority value 1949 to use for the Wireguard routing rule. [Default: 99]' 1950 type: integer 1951 workloadSourceSpoofing: 1952 description: WorkloadSourceSpoofing controls whether pods can use 1953 the allowedSourcePrefixes annotation to send traffic with a source 1954 IP address that is not theirs. This is disabled by default. When 1955 set to "Any", pods can request any prefix. 1956 type: string 1957 xdpEnabled: 1958 description: 'XDPEnabled enables XDP acceleration for suitable untracked 1959 incoming deny rules. [Default: true]' 1960 type: boolean 1961 xdpRefreshInterval: 1962 description: 'XDPRefreshInterval is the period at which Felix re-checks 1963 all XDP state to ensure that no other process has accidentally broken 1964 Calico''s BPF maps or attached programs. Set to 0 to disable XDP 1965 refresh. 
[Default: 90s]' 1966 type: string 1967 type: object 1968 type: object 1969 served: true 1970 storage: true 1971 status: 1972 acceptedNames: 1973 kind: "" 1974 plural: "" 1975 conditions: [] 1976 storedVersions: [] 1977 --- 1978 apiVersion: apiextensions.k8s.io/v1 1979 kind: CustomResourceDefinition 1980 metadata: 1981 name: globalnetworkpolicies.crd.projectcalico.org 1982 spec: 1983 group: crd.projectcalico.org 1984 names: 1985 kind: GlobalNetworkPolicy 1986 listKind: GlobalNetworkPolicyList 1987 plural: globalnetworkpolicies 1988 singular: globalnetworkpolicy 1989 preserveUnknownFields: false 1990 scope: Cluster 1991 versions: 1992 - name: v1 1993 schema: 1994 openAPIV3Schema: 1995 properties: 1996 apiVersion: 1997 description: 'APIVersion defines the versioned schema of this representation 1998 of an object. Servers should convert recognized schemas to the latest 1999 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2000 type: string 2001 kind: 2002 description: 'Kind is a string value representing the REST resource this 2003 object represents. Servers may infer this from the endpoint the client 2004 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2005 type: string 2006 metadata: 2007 type: object 2008 spec: 2009 properties: 2010 applyOnForward: 2011 description: ApplyOnForward indicates to apply the rules in this policy 2012 on forward traffic. 2013 type: boolean 2014 doNotTrack: 2015 description: DoNotTrack indicates whether packets matched by the rules 2016 in this policy should go through the data plane's connection tracking, 2017 such as Linux conntrack. If True, the rules in this policy are 2018 applied before any data plane connection tracking, and packets allowed 2019 by this policy are marked as not to be tracked. 
2020 type: boolean 2021 egress: 2022 description: The ordered set of egress rules. Each rule contains 2023 a set of packet match criteria and a corresponding action to apply. 2024 items: 2025 description: "A Rule encapsulates a set of match criteria and an 2026 action. Both selector-based security Policy and security Profiles 2027 reference rules - separated out as a list of rules for both ingress 2028 and egress packet matching. \n Each positive match criteria has 2029 a negated version, prefixed with \"Not\". All the match criteria 2030 within a rule must be satisfied for a packet to match. A single 2031 rule can contain the positive and negative version of a match 2032 and both must be satisfied for the rule to match." 2033 properties: 2034 action: 2035 type: string 2036 destination: 2037 description: Destination contains the match criteria that apply 2038 to destination entity. 2039 properties: 2040 namespaceSelector: 2041 description: "NamespaceSelector is an optional field that 2042 contains a selector expression. Only traffic that originates 2043 from (or terminates at) endpoints within the selected 2044 namespaces will be matched. When both NamespaceSelector 2045 and another selector are defined on the same rule, then 2046 only workload endpoints that are matched by both selectors 2047 will be selected by the rule. \n For NetworkPolicy, an 2048 empty NamespaceSelector implies that the Selector is limited 2049 to selecting only workload endpoints in the same namespace 2050 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2051 NamespaceSelector implies that the Selector is limited 2052 to selecting only GlobalNetworkSet or HostEndpoint. \n 2053 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2054 the Selector applies to workload endpoints across all 2055 namespaces." 
2056 type: string 2057 nets: 2058 description: Nets is an optional field that restricts the 2059 rule to only apply to traffic that originates from (or 2060 terminates at) IP addresses in any of the given subnets. 2061 items: 2062 type: string 2063 type: array 2064 notNets: 2065 description: NotNets is the negated version of the Nets 2066 field. 2067 items: 2068 type: string 2069 type: array 2070 notPorts: 2071 description: NotPorts is the negated version of the Ports 2072 field. Since only some protocols have ports, if any ports 2073 are specified it requires the Protocol match in the Rule 2074 to be set to "TCP" or "UDP". 2075 items: 2076 anyOf: 2077 - type: integer 2078 - type: string 2079 pattern: ^.* 2080 x-kubernetes-int-or-string: true 2081 type: array 2082 notSelector: 2083 description: NotSelector is the negated version of the Selector 2084 field. See Selector field for subtleties with negated 2085 selectors. 2086 type: string 2087 ports: 2088 description: "Ports is an optional field that restricts 2089 the rule to only apply to traffic that has a source (destination) 2090 port that matches one of these ranges/values. This value 2091 is a list of integers or strings that represent ranges 2092 of ports. \n Since only some protocols have ports, if 2093 any ports are specified it requires the Protocol match 2094 in the Rule to be set to \"TCP\" or \"UDP\"." 2095 items: 2096 anyOf: 2097 - type: integer 2098 - type: string 2099 pattern: ^.* 2100 x-kubernetes-int-or-string: true 2101 type: array 2102 selector: 2103 description: "Selector is an optional field that contains 2104 a selector expression (see Policy for sample syntax). 2105 \ Only traffic that originates from (terminates at) endpoints 2106 matching the selector will be matched. \n Note that: in 2107 addition to the negated version of the Selector (see NotSelector 2108 below), the selector expression syntax itself supports 2109 negation. The two types of negation are subtly different. 
2110 One negates the set of matched endpoints, the other negates 2111 the whole match: \n \tSelector = \"!has(my_label)\" matches 2112 packets that are from other Calico-controlled \tendpoints 2113 that do not have the label \"my_label\". \n \tNotSelector 2114 = \"has(my_label)\" matches packets that are not from 2115 Calico-controlled \tendpoints that do have the label \"my_label\". 2116 \n The effect is that the latter will accept packets from 2117 non-Calico sources whereas the former is limited to packets 2118 from Calico-controlled endpoints." 2119 type: string 2120 serviceAccounts: 2121 description: ServiceAccounts is an optional field that restricts 2122 the rule to only apply to traffic that originates from 2123 (or terminates at) a pod running as a matching service 2124 account. 2125 properties: 2126 names: 2127 description: Names is an optional field that restricts 2128 the rule to only apply to traffic that originates 2129 from (or terminates at) a pod running as a service 2130 account whose name is in the list. 2131 items: 2132 type: string 2133 type: array 2134 selector: 2135 description: Selector is an optional field that restricts 2136 the rule to only apply to traffic that originates 2137 from (or terminates at) a pod running as a service 2138 account that matches the given label selector. If 2139 both Names and Selector are specified then they are 2140 AND'ed. 2141 type: string 2142 type: object 2143 services: 2144 description: "Services is an optional field that contains 2145 options for matching Kubernetes Services. If specified, 2146 only traffic that originates from or terminates at endpoints 2147 within the selected service(s) will be matched, and only 2148 to/from each endpoint's port. \n Services cannot be specified 2149 on the same rule as Selector, NotSelector, NamespaceSelector, 2150 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2151 can only be specified with Services on ingress rules." 
2152 properties: 2153 name: 2154 description: Name specifies the name of a Kubernetes 2155 Service to match. 2156 type: string 2157 namespace: 2158 description: Namespace specifies the namespace of the 2159 given Service. If left empty, the rule will match 2160 within this policy's namespace. 2161 type: string 2162 type: object 2163 type: object 2164 http: 2165 description: HTTP contains match criteria that apply to HTTP 2166 requests. 2167 properties: 2168 methods: 2169 description: Methods is an optional field that restricts 2170 the rule to apply only to HTTP requests that use one of 2171 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2172 methods are OR'd together. 2173 items: 2174 type: string 2175 type: array 2176 paths: 2177 description: 'Paths is an optional field that restricts 2178 the rule to apply to HTTP requests that use one of the 2179 listed HTTP Paths. Multiple paths are OR''d together. 2180 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2181 ONLY specify either a `exact` or a `prefix` match. The 2182 validator will check for it.' 2183 items: 2184 description: 'HTTPPath specifies an HTTP path to match. 2185 It may be either of the form: exact: <path>: which matches 2186 the path exactly or prefix: <path-prefix>: which matches 2187 the path prefix' 2188 properties: 2189 exact: 2190 type: string 2191 prefix: 2192 type: string 2193 type: object 2194 type: array 2195 type: object 2196 icmp: 2197 description: ICMP is an optional field that restricts the rule 2198 to apply to a specific type and code of ICMP traffic. This 2199 should only be specified if the Protocol field is set to "ICMP" 2200 or "ICMPv6". 2201 properties: 2202 code: 2203 description: Match on a specific ICMP code. If specified, 2204 the Type value must also be specified. This is a technical 2205 limitation imposed by the kernel's iptables firewall, 2206 which Calico uses to enforce the rule. 2207 type: integer 2208 type: 2209 description: Match on a specific ICMP type. 
For example 2210 a value of 8 refers to ICMP Echo Request (i.e. pings). 2211 type: integer 2212 type: object 2213 ipVersion: 2214 description: IPVersion is an optional field that restricts the 2215 rule to only match a specific IP version. 2216 type: integer 2217 metadata: 2218 description: Metadata contains additional information for this 2219 rule 2220 properties: 2221 annotations: 2222 additionalProperties: 2223 type: string 2224 description: Annotations is a set of key value pairs that 2225 give extra information about the rule 2226 type: object 2227 type: object 2228 notICMP: 2229 description: NotICMP is the negated version of the ICMP field. 2230 properties: 2231 code: 2232 description: Match on a specific ICMP code. If specified, 2233 the Type value must also be specified. This is a technical 2234 limitation imposed by the kernel's iptables firewall, 2235 which Calico uses to enforce the rule. 2236 type: integer 2237 type: 2238 description: Match on a specific ICMP type. For example 2239 a value of 8 refers to ICMP Echo Request (i.e. pings). 2240 type: integer 2241 type: object 2242 notProtocol: 2243 anyOf: 2244 - type: integer 2245 - type: string 2246 description: NotProtocol is the negated version of the Protocol 2247 field. 2248 pattern: ^.* 2249 x-kubernetes-int-or-string: true 2250 protocol: 2251 anyOf: 2252 - type: integer 2253 - type: string 2254 description: "Protocol is an optional field that restricts the 2255 rule to only apply to traffic of a specific IP protocol. Required 2256 if any of the EntityRules contain Ports (because ports only 2257 apply to certain protocols). \n Must be one of these string 2258 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2259 \"UDPLite\" or an integer in the range 1-255." 2260 pattern: ^.* 2261 x-kubernetes-int-or-string: true 2262 source: 2263 description: Source contains the match criteria that apply to 2264 source entity. 
2265 properties: 2266 namespaceSelector: 2267 description: "NamespaceSelector is an optional field that 2268 contains a selector expression. Only traffic that originates 2269 from (or terminates at) endpoints within the selected 2270 namespaces will be matched. When both NamespaceSelector 2271 and another selector are defined on the same rule, then 2272 only workload endpoints that are matched by both selectors 2273 will be selected by the rule. \n For NetworkPolicy, an 2274 empty NamespaceSelector implies that the Selector is limited 2275 to selecting only workload endpoints in the same namespace 2276 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2277 NamespaceSelector implies that the Selector is limited 2278 to selecting only GlobalNetworkSet or HostEndpoint. \n 2279 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2280 the Selector applies to workload endpoints across all 2281 namespaces." 2282 type: string 2283 nets: 2284 description: Nets is an optional field that restricts the 2285 rule to only apply to traffic that originates from (or 2286 terminates at) IP addresses in any of the given subnets. 2287 items: 2288 type: string 2289 type: array 2290 notNets: 2291 description: NotNets is the negated version of the Nets 2292 field. 2293 items: 2294 type: string 2295 type: array 2296 notPorts: 2297 description: NotPorts is the negated version of the Ports 2298 field. Since only some protocols have ports, if any ports 2299 are specified it requires the Protocol match in the Rule 2300 to be set to "TCP" or "UDP". 2301 items: 2302 anyOf: 2303 - type: integer 2304 - type: string 2305 pattern: ^.* 2306 x-kubernetes-int-or-string: true 2307 type: array 2308 notSelector: 2309 description: NotSelector is the negated version of the Selector 2310 field. See Selector field for subtleties with negated 2311 selectors. 
2312 type: string 2313 ports: 2314 description: "Ports is an optional field that restricts 2315 the rule to only apply to traffic that has a source (destination) 2316 port that matches one of these ranges/values. This value 2317 is a list of integers or strings that represent ranges 2318 of ports. \n Since only some protocols have ports, if 2319 any ports are specified it requires the Protocol match 2320 in the Rule to be set to \"TCP\" or \"UDP\"." 2321 items: 2322 anyOf: 2323 - type: integer 2324 - type: string 2325 pattern: ^.* 2326 x-kubernetes-int-or-string: true 2327 type: array 2328 selector: 2329 description: "Selector is an optional field that contains 2330 a selector expression (see Policy for sample syntax). 2331 \ Only traffic that originates from (terminates at) endpoints 2332 matching the selector will be matched. \n Note that: in 2333 addition to the negated version of the Selector (see NotSelector 2334 below), the selector expression syntax itself supports 2335 negation. The two types of negation are subtly different. 2336 One negates the set of matched endpoints, the other negates 2337 the whole match: \n \tSelector = \"!has(my_label)\" matches 2338 packets that are from other Calico-controlled \tendpoints 2339 that do not have the label \"my_label\". \n \tNotSelector 2340 = \"has(my_label)\" matches packets that are not from 2341 Calico-controlled \tendpoints that do have the label \"my_label\". 2342 \n The effect is that the latter will accept packets from 2343 non-Calico sources whereas the former is limited to packets 2344 from Calico-controlled endpoints." 2345 type: string 2346 serviceAccounts: 2347 description: ServiceAccounts is an optional field that restricts 2348 the rule to only apply to traffic that originates from 2349 (or terminates at) a pod running as a matching service 2350 account. 
2351 properties: 2352 names: 2353 description: Names is an optional field that restricts 2354 the rule to only apply to traffic that originates 2355 from (or terminates at) a pod running as a service 2356 account whose name is in the list. 2357 items: 2358 type: string 2359 type: array 2360 selector: 2361 description: Selector is an optional field that restricts 2362 the rule to only apply to traffic that originates 2363 from (or terminates at) a pod running as a service 2364 account that matches the given label selector. If 2365 both Names and Selector are specified then they are 2366 AND'ed. 2367 type: string 2368 type: object 2369 services: 2370 description: "Services is an optional field that contains 2371 options for matching Kubernetes Services. If specified, 2372 only traffic that originates from or terminates at endpoints 2373 within the selected service(s) will be matched, and only 2374 to/from each endpoint's port. \n Services cannot be specified 2375 on the same rule as Selector, NotSelector, NamespaceSelector, 2376 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2377 can only be specified with Services on ingress rules." 2378 properties: 2379 name: 2380 description: Name specifies the name of a Kubernetes 2381 Service to match. 2382 type: string 2383 namespace: 2384 description: Namespace specifies the namespace of the 2385 given Service. If left empty, the rule will match 2386 within this policy's namespace. 2387 type: string 2388 type: object 2389 type: object 2390 required: 2391 - action 2392 type: object 2393 type: array 2394 ingress: 2395 description: The ordered set of ingress rules. Each rule contains 2396 a set of packet match criteria and a corresponding action to apply. 2397 items: 2398 description: "A Rule encapsulates a set of match criteria and an 2399 action. Both selector-based security Policy and security Profiles 2400 reference rules - separated out as a list of rules for both ingress 2401 and egress packet matching. 
\n Each positive match criteria has 2402 a negated version, prefixed with \"Not\". All the match criteria 2403 within a rule must be satisfied for a packet to match. A single 2404 rule can contain the positive and negative version of a match 2405 and both must be satisfied for the rule to match." 2406 properties: 2407 action: 2408 type: string 2409 destination: 2410 description: Destination contains the match criteria that apply 2411 to destination entity. 2412 properties: 2413 namespaceSelector: 2414 description: "NamespaceSelector is an optional field that 2415 contains a selector expression. Only traffic that originates 2416 from (or terminates at) endpoints within the selected 2417 namespaces will be matched. When both NamespaceSelector 2418 and another selector are defined on the same rule, then 2419 only workload endpoints that are matched by both selectors 2420 will be selected by the rule. \n For NetworkPolicy, an 2421 empty NamespaceSelector implies that the Selector is limited 2422 to selecting only workload endpoints in the same namespace 2423 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2424 NamespaceSelector implies that the Selector is limited 2425 to selecting only GlobalNetworkSet or HostEndpoint. \n 2426 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2427 the Selector applies to workload endpoints across all 2428 namespaces." 2429 type: string 2430 nets: 2431 description: Nets is an optional field that restricts the 2432 rule to only apply to traffic that originates from (or 2433 terminates at) IP addresses in any of the given subnets. 2434 items: 2435 type: string 2436 type: array 2437 notNets: 2438 description: NotNets is the negated version of the Nets 2439 field. 2440 items: 2441 type: string 2442 type: array 2443 notPorts: 2444 description: NotPorts is the negated version of the Ports 2445 field. 
Since only some protocols have ports, if any ports 2446 are specified it requires the Protocol match in the Rule 2447 to be set to "TCP" or "UDP". 2448 items: 2449 anyOf: 2450 - type: integer 2451 - type: string 2452 pattern: ^.* 2453 x-kubernetes-int-or-string: true 2454 type: array 2455 notSelector: 2456 description: NotSelector is the negated version of the Selector 2457 field. See Selector field for subtleties with negated 2458 selectors. 2459 type: string 2460 ports: 2461 description: "Ports is an optional field that restricts 2462 the rule to only apply to traffic that has a source (destination) 2463 port that matches one of these ranges/values. This value 2464 is a list of integers or strings that represent ranges 2465 of ports. \n Since only some protocols have ports, if 2466 any ports are specified it requires the Protocol match 2467 in the Rule to be set to \"TCP\" or \"UDP\"." 2468 items: 2469 anyOf: 2470 - type: integer 2471 - type: string 2472 pattern: ^.* 2473 x-kubernetes-int-or-string: true 2474 type: array 2475 selector: 2476 description: "Selector is an optional field that contains 2477 a selector expression (see Policy for sample syntax). 2478 \ Only traffic that originates from (terminates at) endpoints 2479 matching the selector will be matched. \n Note that: in 2480 addition to the negated version of the Selector (see NotSelector 2481 below), the selector expression syntax itself supports 2482 negation. The two types of negation are subtly different. 2483 One negates the set of matched endpoints, the other negates 2484 the whole match: \n \tSelector = \"!has(my_label)\" matches 2485 packets that are from other Calico-controlled \tendpoints 2486 that do not have the label \"my_label\". \n \tNotSelector 2487 = \"has(my_label)\" matches packets that are not from 2488 Calico-controlled \tendpoints that do have the label \"my_label\". 
2489 \n The effect is that the latter will accept packets from 2490 non-Calico sources whereas the former is limited to packets 2491 from Calico-controlled endpoints." 2492 type: string 2493 serviceAccounts: 2494 description: ServiceAccounts is an optional field that restricts 2495 the rule to only apply to traffic that originates from 2496 (or terminates at) a pod running as a matching service 2497 account. 2498 properties: 2499 names: 2500 description: Names is an optional field that restricts 2501 the rule to only apply to traffic that originates 2502 from (or terminates at) a pod running as a service 2503 account whose name is in the list. 2504 items: 2505 type: string 2506 type: array 2507 selector: 2508 description: Selector is an optional field that restricts 2509 the rule to only apply to traffic that originates 2510 from (or terminates at) a pod running as a service 2511 account that matches the given label selector. If 2512 both Names and Selector are specified then they are 2513 AND'ed. 2514 type: string 2515 type: object 2516 services: 2517 description: "Services is an optional field that contains 2518 options for matching Kubernetes Services. If specified, 2519 only traffic that originates from or terminates at endpoints 2520 within the selected service(s) will be matched, and only 2521 to/from each endpoint's port. \n Services cannot be specified 2522 on the same rule as Selector, NotSelector, NamespaceSelector, 2523 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2524 can only be specified with Services on ingress rules." 2525 properties: 2526 name: 2527 description: Name specifies the name of a Kubernetes 2528 Service to match. 2529 type: string 2530 namespace: 2531 description: Namespace specifies the namespace of the 2532 given Service. If left empty, the rule will match 2533 within this policy's namespace. 
2534 type: string 2535 type: object 2536 type: object 2537 http: 2538 description: HTTP contains match criteria that apply to HTTP 2539 requests. 2540 properties: 2541 methods: 2542 description: Methods is an optional field that restricts 2543 the rule to apply only to HTTP requests that use one of 2544 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 2545 methods are OR'd together. 2546 items: 2547 type: string 2548 type: array 2549 paths: 2550 description: 'Paths is an optional field that restricts 2551 the rule to apply to HTTP requests that use one of the 2552 listed HTTP Paths. Multiple paths are OR''d together. 2553 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 2554 ONLY specify either a `exact` or a `prefix` match. The 2555 validator will check for it.' 2556 items: 2557 description: 'HTTPPath specifies an HTTP path to match. 2558 It may be either of the form: exact: <path>: which matches 2559 the path exactly or prefix: <path-prefix>: which matches 2560 the path prefix' 2561 properties: 2562 exact: 2563 type: string 2564 prefix: 2565 type: string 2566 type: object 2567 type: array 2568 type: object 2569 icmp: 2570 description: ICMP is an optional field that restricts the rule 2571 to apply to a specific type and code of ICMP traffic. This 2572 should only be specified if the Protocol field is set to "ICMP" 2573 or "ICMPv6". 2574 properties: 2575 code: 2576 description: Match on a specific ICMP code. If specified, 2577 the Type value must also be specified. This is a technical 2578 limitation imposed by the kernel's iptables firewall, 2579 which Calico uses to enforce the rule. 2580 type: integer 2581 type: 2582 description: Match on a specific ICMP type. For example 2583 a value of 8 refers to ICMP Echo Request (i.e. pings). 2584 type: integer 2585 type: object 2586 ipVersion: 2587 description: IPVersion is an optional field that restricts the 2588 rule to only match a specific IP version. 
2589 type: integer 2590 metadata: 2591 description: Metadata contains additional information for this 2592 rule 2593 properties: 2594 annotations: 2595 additionalProperties: 2596 type: string 2597 description: Annotations is a set of key value pairs that 2598 give extra information about the rule 2599 type: object 2600 type: object 2601 notICMP: 2602 description: NotICMP is the negated version of the ICMP field. 2603 properties: 2604 code: 2605 description: Match on a specific ICMP code. If specified, 2606 the Type value must also be specified. This is a technical 2607 limitation imposed by the kernel's iptables firewall, 2608 which Calico uses to enforce the rule. 2609 type: integer 2610 type: 2611 description: Match on a specific ICMP type. For example 2612 a value of 8 refers to ICMP Echo Request (i.e. pings). 2613 type: integer 2614 type: object 2615 notProtocol: 2616 anyOf: 2617 - type: integer 2618 - type: string 2619 description: NotProtocol is the negated version of the Protocol 2620 field. 2621 pattern: ^.* 2622 x-kubernetes-int-or-string: true 2623 protocol: 2624 anyOf: 2625 - type: integer 2626 - type: string 2627 description: "Protocol is an optional field that restricts the 2628 rule to only apply to traffic of a specific IP protocol. Required 2629 if any of the EntityRules contain Ports (because ports only 2630 apply to certain protocols). \n Must be one of these string 2631 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 2632 \"UDPLite\" or an integer in the range 1-255." 2633 pattern: ^.* 2634 x-kubernetes-int-or-string: true 2635 source: 2636 description: Source contains the match criteria that apply to 2637 source entity. 2638 properties: 2639 namespaceSelector: 2640 description: "NamespaceSelector is an optional field that 2641 contains a selector expression. Only traffic that originates 2642 from (or terminates at) endpoints within the selected 2643 namespaces will be matched. 
When both NamespaceSelector 2644 and another selector are defined on the same rule, then 2645 only workload endpoints that are matched by both selectors 2646 will be selected by the rule. \n For NetworkPolicy, an 2647 empty NamespaceSelector implies that the Selector is limited 2648 to selecting only workload endpoints in the same namespace 2649 as the NetworkPolicy. \n For NetworkPolicy, `global()` 2650 NamespaceSelector implies that the Selector is limited 2651 to selecting only GlobalNetworkSet or HostEndpoint. \n 2652 For GlobalNetworkPolicy, an empty NamespaceSelector implies 2653 the Selector applies to workload endpoints across all 2654 namespaces." 2655 type: string 2656 nets: 2657 description: Nets is an optional field that restricts the 2658 rule to only apply to traffic that originates from (or 2659 terminates at) IP addresses in any of the given subnets. 2660 items: 2661 type: string 2662 type: array 2663 notNets: 2664 description: NotNets is the negated version of the Nets 2665 field. 2666 items: 2667 type: string 2668 type: array 2669 notPorts: 2670 description: NotPorts is the negated version of the Ports 2671 field. Since only some protocols have ports, if any ports 2672 are specified it requires the Protocol match in the Rule 2673 to be set to "TCP" or "UDP". 2674 items: 2675 anyOf: 2676 - type: integer 2677 - type: string 2678 pattern: ^.* 2679 x-kubernetes-int-or-string: true 2680 type: array 2681 notSelector: 2682 description: NotSelector is the negated version of the Selector 2683 field. See Selector field for subtleties with negated 2684 selectors. 2685 type: string 2686 ports: 2687 description: "Ports is an optional field that restricts 2688 the rule to only apply to traffic that has a source (destination) 2689 port that matches one of these ranges/values. This value 2690 is a list of integers or strings that represent ranges 2691 of ports. 
\n Since only some protocols have ports, if 2692 any ports are specified it requires the Protocol match 2693 in the Rule to be set to \"TCP\" or \"UDP\"." 2694 items: 2695 anyOf: 2696 - type: integer 2697 - type: string 2698 pattern: ^.* 2699 x-kubernetes-int-or-string: true 2700 type: array 2701 selector: 2702 description: "Selector is an optional field that contains 2703 a selector expression (see Policy for sample syntax). 2704 \ Only traffic that originates from (terminates at) endpoints 2705 matching the selector will be matched. \n Note that: in 2706 addition to the negated version of the Selector (see NotSelector 2707 below), the selector expression syntax itself supports 2708 negation. The two types of negation are subtly different. 2709 One negates the set of matched endpoints, the other negates 2710 the whole match: \n \tSelector = \"!has(my_label)\" matches 2711 packets that are from other Calico-controlled \tendpoints 2712 that do not have the label \"my_label\". \n \tNotSelector 2713 = \"has(my_label)\" matches packets that are not from 2714 Calico-controlled \tendpoints that do have the label \"my_label\". 2715 \n The effect is that the latter will accept packets from 2716 non-Calico sources whereas the former is limited to packets 2717 from Calico-controlled endpoints." 2718 type: string 2719 serviceAccounts: 2720 description: ServiceAccounts is an optional field that restricts 2721 the rule to only apply to traffic that originates from 2722 (or terminates at) a pod running as a matching service 2723 account. 2724 properties: 2725 names: 2726 description: Names is an optional field that restricts 2727 the rule to only apply to traffic that originates 2728 from (or terminates at) a pod running as a service 2729 account whose name is in the list. 
2730 items: 2731 type: string 2732 type: array 2733 selector: 2734 description: Selector is an optional field that restricts 2735 the rule to only apply to traffic that originates 2736 from (or terminates at) a pod running as a service 2737 account that matches the given label selector. If 2738 both Names and Selector are specified then they are 2739 AND'ed. 2740 type: string 2741 type: object 2742 services: 2743 description: "Services is an optional field that contains 2744 options for matching Kubernetes Services. If specified, 2745 only traffic that originates from or terminates at endpoints 2746 within the selected service(s) will be matched, and only 2747 to/from each endpoint's port. \n Services cannot be specified 2748 on the same rule as Selector, NotSelector, NamespaceSelector, 2749 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 2750 can only be specified with Services on ingress rules." 2751 properties: 2752 name: 2753 description: Name specifies the name of a Kubernetes 2754 Service to match. 2755 type: string 2756 namespace: 2757 description: Namespace specifies the namespace of the 2758 given Service. If left empty, the rule will match 2759 within this policy's namespace. 2760 type: string 2761 type: object 2762 type: object 2763 required: 2764 - action 2765 type: object 2766 type: array 2767 namespaceSelector: 2768 description: NamespaceSelector is an optional field for an expression 2769 used to select a pod based on namespaces. 2770 type: string 2771 order: 2772 description: Order is an optional field that specifies the order in 2773 which the policy is applied. Policies with higher "order" are applied 2774 after those with lower order. If the order is omitted, it may be 2775 considered to be "infinite" - i.e. the policy will be applied last. Policies 2776 with identical order will be applied in alphanumerical order based 2777 on the Policy "Name". 
2778 type: number 2779 preDNAT: 2780 description: PreDNAT indicates to apply the rules in this policy before 2781 any DNAT. 2782 type: boolean 2783 selector: 2784 description: "The selector is an expression used to pick out 2785 the endpoints that the policy should be applied to. \n Selector 2786 expressions follow this syntax: \n \tlabel == \"string_literal\" 2787 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 2788 \ -> not equal; also matches if label is not present \tlabel in 2789 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 2790 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 2791 ... } -> true if the value of label X is not one of \"a\", \"b\", 2792 \"c\" \thas(label_name) -> True if that label is present \t! expr 2793 -> negation of expr \texpr && expr -> Short-circuit and \texpr 2794 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 2795 or the empty selector -> matches all endpoints. \n Label names are 2796 allowed to contain alphanumerics, -, _ and /. String literals are 2797 more permissive but they do not support escape characters. \n Examples 2798 (with made-up labels): \n \ttype == \"webserver\" && deployment 2799 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 2800 \"dev\" \t! has(label_name)" 2801 type: string 2802 serviceAccountSelector: 2803 description: ServiceAccountSelector is an optional field for an expression 2804 used to select a pod based on service accounts. 2805 type: string 2806 types: 2807 description: "Types indicates whether this policy applies to ingress, 2808 or to egress, or to both. When not explicitly specified (and so 2809 the value on creation is empty or nil), Calico defaults Types according 2810 to what Ingress and Egress rules are present in the policy. 
The 2811 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules 2812 (including the case where there are also no Ingress rules) \n 2813 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress 2814 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are 2815 both Ingress and Egress rules. \n When the policy is read back again, 2816 Types will always be one of these values, never empty or nil." 2817 items: 2818 description: PolicyType enumerates the possible values of the PolicySpec 2819 Types field. 2820 type: string 2821 type: array 2822 type: object 2823 type: object 2824 served: true 2825 storage: true 2826 status: 2827 acceptedNames: 2828 kind: "" 2829 plural: "" 2830 conditions: [] 2831 storedVersions: [] 2832 --- 2833 apiVersion: apiextensions.k8s.io/v1 2834 kind: CustomResourceDefinition 2835 metadata: 2836 name: globalnetworksets.crd.projectcalico.org 2837 spec: 2838 group: crd.projectcalico.org 2839 names: 2840 kind: GlobalNetworkSet 2841 listKind: GlobalNetworkSetList 2842 plural: globalnetworksets 2843 singular: globalnetworkset 2844 preserveUnknownFields: false 2845 scope: Cluster 2846 versions: 2847 - name: v1 2848 schema: 2849 openAPIV3Schema: 2850 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs 2851 that share labels to allow rules to refer to them via selectors. The labels 2852 of GlobalNetworkSet are not namespaced. 2853 properties: 2854 apiVersion: 2855 description: 'APIVersion defines the versioned schema of this representation 2856 of an object. Servers should convert recognized schemas to the latest 2857 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2858 type: string 2859 kind: 2860 description: 'Kind is a string value representing the REST resource this 2861 object represents. Servers may infer this from the endpoint the client 2862 submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2863 type: string 2864 metadata: 2865 type: object 2866 spec: 2867 description: GlobalNetworkSetSpec contains the specification for a NetworkSet 2868 resource. 2869 properties: 2870 nets: 2871 description: The list of IP networks that belong to this set. 2872 items: 2873 type: string 2874 type: array 2875 type: object 2876 type: object 2877 served: true 2878 storage: true 2879 status: 2880 acceptedNames: 2881 kind: "" 2882 plural: "" 2883 conditions: [] 2884 storedVersions: [] 2885 --- 2886 apiVersion: apiextensions.k8s.io/v1 2887 kind: CustomResourceDefinition 2888 metadata: 2889 name: hostendpoints.crd.projectcalico.org 2890 spec: 2891 group: crd.projectcalico.org 2892 names: 2893 kind: HostEndpoint 2894 listKind: HostEndpointList 2895 plural: hostendpoints 2896 singular: hostendpoint 2897 preserveUnknownFields: false 2898 scope: Cluster 2899 versions: 2900 - name: v1 2901 schema: 2902 openAPIV3Schema: 2903 properties: 2904 apiVersion: 2905 description: 'APIVersion defines the versioned schema of this representation 2906 of an object. Servers should convert recognized schemas to the latest 2907 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 2908 type: string 2909 kind: 2910 description: 'Kind is a string value representing the REST resource this 2911 object represents. Servers may infer this from the endpoint the client 2912 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 2913 type: string 2914 metadata: 2915 type: object 2916 spec: 2917 description: HostEndpointSpec contains the specification for a HostEndpoint 2918 resource. 
2919 properties: 2920 expectedIPs: 2921 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 2922 If \"InterfaceName\" is not present, Calico will look for an interface 2923 matching any of the IPs in the list and apply policy to that. Note: 2924 \tWhen using the selector match criteria in an ingress or egress 2925 security Policy \tor Profile, Calico converts the selector into 2926 a set of IP addresses. For host \tendpoints, the ExpectedIPs field 2927 is used for that purpose. (If only the interface \tname is specified, 2928 Calico does not learn the IPs of the interface for use in match 2929 \tcriteria.)" 2930 items: 2931 type: string 2932 type: array 2933 interfaceName: 2934 description: "Either \"*\", or the name of a specific Linux interface 2935 to apply policy to; or empty. \"*\" indicates that this HostEndpoint 2936 governs all traffic to, from or through the default network namespace 2937 of the host named by the \"Node\" field; entering and leaving that 2938 namespace via any interface, including those from/to non-host-networked 2939 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint 2940 only governs traffic that enters or leaves the host through the 2941 specific interface named by InterfaceName, or - when InterfaceName 2942 is empty - through the specific interface that has one of the IPs 2943 in ExpectedIPs. Therefore, when InterfaceName is empty, at least 2944 one expected IP must be specified. Only external interfaces (such 2945 as \"eth0\") are supported here; it isn't possible for a HostEndpoint 2946 to protect traffic through a specific local workload interface. 2947 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; 2948 initially just pre-DNAT policy. Please check Calico documentation 2949 for the latest position." 2950 type: string 2951 node: 2952 description: The node name identifying the Calico node instance. 
2953 type: string 2954 ports: 2955 description: Ports contains the endpoint's named ports, which may 2956 be referenced in security policy rules. 2957 items: 2958 properties: 2959 name: 2960 type: string 2961 port: 2962 type: integer 2963 protocol: 2964 anyOf: 2965 - type: integer 2966 - type: string 2967 pattern: ^.* 2968 x-kubernetes-int-or-string: true 2969 required: 2970 - name 2971 - port 2972 - protocol 2973 type: object 2974 type: array 2975 profiles: 2976 description: A list of identifiers of security Profile objects that 2977 apply to this endpoint. Each profile is applied in the order that 2978 they appear in this list. Profile rules are applied after the selector-based 2979 security policy. 2980 items: 2981 type: string 2982 type: array 2983 type: object 2984 type: object 2985 served: true 2986 storage: true 2987 status: 2988 acceptedNames: 2989 kind: "" 2990 plural: "" 2991 conditions: [] 2992 storedVersions: [] 2993 --- 2994 apiVersion: apiextensions.k8s.io/v1 2995 kind: CustomResourceDefinition 2996 metadata: 2997 name: ipamblocks.crd.projectcalico.org 2998 spec: 2999 group: crd.projectcalico.org 3000 names: 3001 kind: IPAMBlock 3002 listKind: IPAMBlockList 3003 plural: ipamblocks 3004 singular: ipamblock 3005 preserveUnknownFields: false 3006 scope: Cluster 3007 versions: 3008 - name: v1 3009 schema: 3010 openAPIV3Schema: 3011 properties: 3012 apiVersion: 3013 description: 'APIVersion defines the versioned schema of this representation 3014 of an object. Servers should convert recognized schemas to the latest 3015 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3016 type: string 3017 kind: 3018 description: 'Kind is a string value representing the REST resource this 3019 object represents. Servers may infer this from the endpoint the client 3020 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3021 type: string 3022 metadata: 3023 type: object 3024 spec: 3025 description: IPAMBlockSpec contains the specification for an IPAMBlock 3026 resource. 3027 properties: 3028 affinity: 3029 description: Affinity of the block, if this block has one. If set, 3030 it will be of the form "host:<hostname>". If not set, this block 3031 is not affine to a host. 3032 type: string 3033 allocations: 3034 description: Array of allocations in-use within this block. nil entries 3035 mean the allocation is free. For non-nil entries at index i, the 3036 index is the ordinal of the allocation within this block and the 3037 value is the index of the associated attributes in the Attributes 3038 array. 3039 items: 3040 nullable: true 3041 type: integer 3042 type: array 3043 attributes: 3044 description: Attributes is an array of arbitrary metadata associated 3045 with allocations in the block. To find attributes for a given allocation, 3046 use the value of the allocation's entry in the Allocations array 3047 as the index of the element in this array. 3048 items: 3049 properties: 3050 handle_id: 3051 type: string 3052 secondary: 3053 additionalProperties: 3054 type: string 3055 type: object 3056 type: object 3057 type: array 3058 cidr: 3059 description: The block's CIDR. 3060 type: string 3061 deleted: 3062 description: Deleted is an internal boolean used to workaround a limitation 3063 in the Kubernetes API whereby deletion will not return a conflict 3064 error if the block has been updated. It should not be set manually. 3065 type: boolean 3066 sequenceNumber: 3067 default: 0 3068 description: We store a sequence number that is updated each time 3069 the block is written. Each allocation will also store the sequence 3070 number of the block at the time of its creation. 
When releasing 3071 an IP, passing the sequence number associated with the allocation 3072 allows us to protect against a race condition and ensure the IP 3073 hasn't been released and re-allocated since the release request. 3074 format: int64 3075 type: integer 3076 sequenceNumberForAllocation: 3077 additionalProperties: 3078 format: int64 3079 type: integer 3080 description: Map of allocated ordinal within the block to sequence 3081 number of the block at the time of allocation. Kubernetes does not 3082 allow numerical keys for maps, so the key is cast to a string. 3083 type: object 3084 strictAffinity: 3085 description: StrictAffinity on the IPAMBlock is deprecated and no 3086 longer used by the code. Use IPAMConfig StrictAffinity instead. 3087 type: boolean 3088 unallocated: 3089 description: Unallocated is an ordered list of allocations which are 3090 free in the block. 3091 items: 3092 type: integer 3093 type: array 3094 required: 3095 - allocations 3096 - attributes 3097 - cidr 3098 - strictAffinity 3099 - unallocated 3100 type: object 3101 type: object 3102 served: true 3103 storage: true 3104 status: 3105 acceptedNames: 3106 kind: "" 3107 plural: "" 3108 conditions: [] 3109 storedVersions: [] 3110 --- 3111 apiVersion: apiextensions.k8s.io/v1 3112 kind: CustomResourceDefinition 3113 metadata: 3114 name: ipamconfigs.crd.projectcalico.org 3115 spec: 3116 group: crd.projectcalico.org 3117 names: 3118 kind: IPAMConfig 3119 listKind: IPAMConfigList 3120 plural: ipamconfigs 3121 singular: ipamconfig 3122 preserveUnknownFields: false 3123 scope: Cluster 3124 versions: 3125 - name: v1 3126 schema: 3127 openAPIV3Schema: 3128 properties: 3129 apiVersion: 3130 description: 'APIVersion defines the versioned schema of this representation 3131 of an object. Servers should convert recognized schemas to the latest 3132 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3133 type: string 3134 kind: 3135 description: 'Kind is a string value representing the REST resource this 3136 object represents. Servers may infer this from the endpoint the client 3137 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3138 type: string 3139 metadata: 3140 type: object 3141 spec: 3142 description: IPAMConfigSpec contains the specification for an IPAMConfig 3143 resource. 3144 properties: 3145 autoAllocateBlocks: 3146 type: boolean 3147 maxBlocksPerHost: 3148 description: MaxBlocksPerHost, if non-zero, is the max number of blocks 3149 that can be affine to each host. 3150 maximum: 2147483647 3151 minimum: 0 3152 type: integer 3153 strictAffinity: 3154 type: boolean 3155 required: 3156 - autoAllocateBlocks 3157 - strictAffinity 3158 type: object 3159 type: object 3160 served: true 3161 storage: true 3162 status: 3163 acceptedNames: 3164 kind: "" 3165 plural: "" 3166 conditions: [] 3167 storedVersions: [] 3168 --- 3169 apiVersion: apiextensions.k8s.io/v1 3170 kind: CustomResourceDefinition 3171 metadata: 3172 name: ipamhandles.crd.projectcalico.org 3173 spec: 3174 group: crd.projectcalico.org 3175 names: 3176 kind: IPAMHandle 3177 listKind: IPAMHandleList 3178 plural: ipamhandles 3179 singular: ipamhandle 3180 preserveUnknownFields: false 3181 scope: Cluster 3182 versions: 3183 - name: v1 3184 schema: 3185 openAPIV3Schema: 3186 properties: 3187 apiVersion: 3188 description: 'APIVersion defines the versioned schema of this representation 3189 of an object. Servers should convert recognized schemas to the latest 3190 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3191 type: string 3192 kind: 3193 description: 'Kind is a string value representing the REST resource this 3194 object represents. Servers may infer this from the endpoint the client 3195 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3196 type: string 3197 metadata: 3198 type: object 3199 spec: 3200 description: IPAMHandleSpec contains the specification for an IPAMHandle 3201 resource. 3202 properties: 3203 block: 3204 additionalProperties: 3205 type: integer 3206 type: object 3207 deleted: 3208 type: boolean 3209 handleID: 3210 type: string 3211 required: 3212 - block 3213 - handleID 3214 type: object 3215 type: object 3216 served: true 3217 storage: true 3218 status: 3219 acceptedNames: 3220 kind: "" 3221 plural: "" 3222 conditions: [] 3223 storedVersions: [] 3224 --- 3225 apiVersion: apiextensions.k8s.io/v1 3226 kind: CustomResourceDefinition 3227 metadata: 3228 name: ippools.crd.projectcalico.org 3229 spec: 3230 group: crd.projectcalico.org 3231 names: 3232 kind: IPPool 3233 listKind: IPPoolList 3234 plural: ippools 3235 singular: ippool 3236 preserveUnknownFields: false 3237 scope: Cluster 3238 versions: 3239 - name: v1 3240 schema: 3241 openAPIV3Schema: 3242 properties: 3243 apiVersion: 3244 description: 'APIVersion defines the versioned schema of this representation 3245 of an object. Servers should convert recognized schemas to the latest 3246 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3247 type: string 3248 kind: 3249 description: 'Kind is a string value representing the REST resource this 3250 object represents. Servers may infer this from the endpoint the client 3251 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3252 type: string 3253 metadata: 3254 type: object 3255 spec: 3256 description: IPPoolSpec contains the specification for an IPPool resource. 3257 properties: 3258 allowedUses: 3259 description: AllowedUse controls what the IP pool will be used for. If 3260 not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility 3261 items: 3262 type: string 3263 type: array 3264 blockSize: 3265 description: The block size to use for IP address assignments from 3266 this pool. Defaults to 26 for IPv4 and 122 for IPv6. 3267 type: integer 3268 cidr: 3269 description: The pool CIDR. 3270 type: string 3271 disableBGPExport: 3272 description: 'Disable exporting routes from this IP Pool''s CIDR over 3273 BGP. [Default: false]' 3274 type: boolean 3275 disabled: 3276 description: When disabled is true, Calico IPAM will not assign addresses 3277 from this pool. 3278 type: boolean 3279 ipip: 3280 description: 'Deprecated: this field is only used for APIv1 backwards 3281 compatibility. Setting this field is not allowed, this field is 3282 for internal use only.' 3283 properties: 3284 enabled: 3285 description: When enabled is true, ipip tunneling will be used 3286 to deliver packets to destinations within this pool. 3287 type: boolean 3288 mode: 3289 description: The IPIP mode. This can be one of "always" or "cross-subnet". A 3290 mode of "always" will also use IPIP tunneling for routing to 3291 destination IP addresses within this pool. A mode of "cross-subnet" 3292 will only use IPIP tunneling when the destination node is on 3293 a different subnet to the originating node. The default value 3294 (if not specified) is "always". 3295 type: string 3296 type: object 3297 ipipMode: 3298 description: Contains configuration for IPIP tunneling for this pool. 3299 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling 3300 is disabled). 
3301 type: string 3302 nat-outgoing: 3303 description: 'Deprecated: this field is only used for APIv1 backwards 3304 compatibility. Setting this field is not allowed, this field is 3305 for internal use only.' 3306 type: boolean 3307 natOutgoing: 3308 description: When natOutgoing is true, packets sent from Calico networked 3309 containers in this pool to destinations outside of this pool will 3310 be masqueraded. 3311 type: boolean 3312 nodeSelector: 3313 description: Allows IPPool to allocate for a specific node by label 3314 selector. 3315 type: string 3316 vxlanMode: 3317 description: Contains configuration for VXLAN tunneling for this pool. 3318 If not specified, then this is defaulted to "Never" (i.e. VXLAN 3319 tunneling is disabled). 3320 type: string 3321 required: 3322 - cidr 3323 type: object 3324 type: object 3325 served: true 3326 storage: true 3327 status: 3328 acceptedNames: 3329 kind: "" 3330 plural: "" 3331 conditions: [] 3332 storedVersions: [] 3333 --- 3334 apiVersion: apiextensions.k8s.io/v1 3335 kind: CustomResourceDefinition 3336 metadata: 3337 annotations: 3338 controller-gen.kubebuilder.io/version: (devel) 3339 creationTimestamp: null 3340 name: ipreservations.crd.projectcalico.org 3341 spec: 3342 group: crd.projectcalico.org 3343 names: 3344 kind: IPReservation 3345 listKind: IPReservationList 3346 plural: ipreservations 3347 singular: ipreservation 3348 preserveUnknownFields: false 3349 scope: Cluster 3350 versions: 3351 - name: v1 3352 schema: 3353 openAPIV3Schema: 3354 properties: 3355 apiVersion: 3356 description: 'APIVersion defines the versioned schema of this representation 3357 of an object. Servers should convert recognized schemas to the latest 3358 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3359 type: string 3360 kind: 3361 description: 'Kind is a string value representing the REST resource this 3362 object represents. Servers may infer this from the endpoint the client 3363 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3364 type: string 3365 metadata: 3366 type: object 3367 spec: 3368 description: IPReservationSpec contains the specification for an IPReservation 3369 resource. 3370 properties: 3371 reservedCIDRs: 3372 description: ReservedCIDRs is a list of CIDRs and/or IP addresses 3373 that Calico IPAM will exclude from new allocations. 3374 items: 3375 type: string 3376 type: array 3377 type: object 3378 type: object 3379 served: true 3380 storage: true 3381 status: 3382 acceptedNames: 3383 kind: "" 3384 plural: "" 3385 conditions: [] 3386 storedVersions: [] 3387 --- 3388 apiVersion: apiextensions.k8s.io/v1 3389 kind: CustomResourceDefinition 3390 metadata: 3391 name: kubecontrollersconfigurations.crd.projectcalico.org 3392 spec: 3393 group: crd.projectcalico.org 3394 names: 3395 kind: KubeControllersConfiguration 3396 listKind: KubeControllersConfigurationList 3397 plural: kubecontrollersconfigurations 3398 singular: kubecontrollersconfiguration 3399 preserveUnknownFields: false 3400 scope: Cluster 3401 versions: 3402 - name: v1 3403 schema: 3404 openAPIV3Schema: 3405 properties: 3406 apiVersion: 3407 description: 'APIVersion defines the versioned schema of this representation 3408 of an object. Servers should convert recognized schemas to the latest 3409 internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3410 type: string 3411 kind: 3412 description: 'Kind is a string value representing the REST resource this 3413 object represents. Servers may infer this from the endpoint the client 3414 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3415 type: string 3416 metadata: 3417 type: object 3418 spec: 3419 description: KubeControllersConfigurationSpec contains the values of the 3420 Kubernetes controllers configuration. 3421 properties: 3422 controllers: 3423 description: Controllers enables and configures individual Kubernetes 3424 controllers 3425 properties: 3426 namespace: 3427 description: Namespace enables and configures the namespace controller. 3428 Enabled by default, set to nil to disable. 3429 properties: 3430 reconcilerPeriod: 3431 description: 'ReconcilerPeriod is the period to perform reconciliation 3432 with the Calico datastore. [Default: 5m]' 3433 type: string 3434 type: object 3435 node: 3436 description: Node enables and configures the node controller. 3437 Enabled by default, set to nil to disable. 3438 properties: 3439 hostEndpoint: 3440 description: HostEndpoint controls syncing nodes to host endpoints. 3441 Disabled by default, set to nil to disable. 3442 properties: 3443 autoCreate: 3444 description: 'AutoCreate enables automatic creation of 3445 host endpoints for every node. [Default: Disabled]' 3446 type: string 3447 type: object 3448 leakGracePeriod: 3449 description: 'LeakGracePeriod is the period used by the controller 3450 to determine if an IP address has been leaked. Set to 0 3451 to disable IP garbage collection. [Default: 15m]' 3452 type: string 3453 reconcilerPeriod: 3454 description: 'ReconcilerPeriod is the period to perform reconciliation 3455 with the Calico datastore. 
[Default: 5m]' 3456 type: string 3457 syncLabels: 3458 description: 'SyncLabels controls whether to copy Kubernetes 3459 node labels to Calico nodes. [Default: Enabled]' 3460 type: string 3461 type: object 3462 policy: 3463 description: Policy enables and configures the policy controller. 3464 Enabled by default, set to nil to disable. 3465 properties: 3466 reconcilerPeriod: 3467 description: 'ReconcilerPeriod is the period to perform reconciliation 3468 with the Calico datastore. [Default: 5m]' 3469 type: string 3470 type: object 3471 serviceAccount: 3472 description: ServiceAccount enables and configures the service 3473 account controller. Enabled by default, set to nil to disable. 3474 properties: 3475 reconcilerPeriod: 3476 description: 'ReconcilerPeriod is the period to perform reconciliation 3477 with the Calico datastore. [Default: 5m]' 3478 type: string 3479 type: object 3480 workloadEndpoint: 3481 description: WorkloadEndpoint enables and configures the workload 3482 endpoint controller. Enabled by default, set to nil to disable. 3483 properties: 3484 reconcilerPeriod: 3485 description: 'ReconcilerPeriod is the period to perform reconciliation 3486 with the Calico datastore. [Default: 5m]' 3487 type: string 3488 type: object 3489 type: object 3490 debugProfilePort: 3491 description: DebugProfilePort configures the port to serve memory 3492 and cpu profiles on. If not specified, profiling is disabled. 3493 format: int32 3494 type: integer 3495 etcdV3CompactionPeriod: 3496 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3497 compaction requests. Set to 0 to disable. [Default: 10m]' 3498 type: string 3499 healthChecks: 3500 description: 'HealthChecks enables or disables support for health 3501 checks [Default: Enabled]' 3502 type: string 3503 logSeverityScreen: 3504 description: 'LogSeverityScreen is the log severity above which logs 3505 are sent to the stdout. 
[Default: Info]' 3506 type: string 3507 prometheusMetricsPort: 3508 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3509 metrics server should bind to. Set to 0 to disable. [Default: 9094]' 3510 type: integer 3511 required: 3512 - controllers 3513 type: object 3514 status: 3515 description: KubeControllersConfigurationStatus represents the status 3516 of the configuration. It's useful for admins to be able to see the actual 3517 config that was applied, which can be modified by environment variables 3518 on the kube-controllers process. 3519 properties: 3520 environmentVars: 3521 additionalProperties: 3522 type: string 3523 description: EnvironmentVars contains the environment variables on 3524 the kube-controllers that influenced the RunningConfig. 3525 type: object 3526 runningConfig: 3527 description: RunningConfig contains the effective config that is running 3528 in the kube-controllers pod, after merging the API resource with 3529 any environment variables. 3530 properties: 3531 controllers: 3532 description: Controllers enables and configures individual Kubernetes 3533 controllers 3534 properties: 3535 namespace: 3536 description: Namespace enables and configures the namespace 3537 controller. Enabled by default, set to nil to disable. 3538 properties: 3539 reconcilerPeriod: 3540 description: 'ReconcilerPeriod is the period to perform 3541 reconciliation with the Calico datastore. [Default: 3542 5m]' 3543 type: string 3544 type: object 3545 node: 3546 description: Node enables and configures the node controller. 3547 Enabled by default, set to nil to disable. 3548 properties: 3549 hostEndpoint: 3550 description: HostEndpoint controls syncing nodes to host 3551 endpoints. Disabled by default, set to nil to disable. 3552 properties: 3553 autoCreate: 3554 description: 'AutoCreate enables automatic creation 3555 of host endpoints for every node. 
[Default: Disabled]' 3556 type: string 3557 type: object 3558 leakGracePeriod: 3559 description: 'LeakGracePeriod is the period used by the 3560 controller to determine if an IP address has been leaked. 3561 Set to 0 to disable IP garbage collection. [Default: 3562 15m]' 3563 type: string 3564 reconcilerPeriod: 3565 description: 'ReconcilerPeriod is the period to perform 3566 reconciliation with the Calico datastore. [Default: 3567 5m]' 3568 type: string 3569 syncLabels: 3570 description: 'SyncLabels controls whether to copy Kubernetes 3571 node labels to Calico nodes. [Default: Enabled]' 3572 type: string 3573 type: object 3574 policy: 3575 description: Policy enables and configures the policy controller. 3576 Enabled by default, set to nil to disable. 3577 properties: 3578 reconcilerPeriod: 3579 description: 'ReconcilerPeriod is the period to perform 3580 reconciliation with the Calico datastore. [Default: 3581 5m]' 3582 type: string 3583 type: object 3584 serviceAccount: 3585 description: ServiceAccount enables and configures the service 3586 account controller. Enabled by default, set to nil to disable. 3587 properties: 3588 reconcilerPeriod: 3589 description: 'ReconcilerPeriod is the period to perform 3590 reconciliation with the Calico datastore. [Default: 3591 5m]' 3592 type: string 3593 type: object 3594 workloadEndpoint: 3595 description: WorkloadEndpoint enables and configures the workload 3596 endpoint controller. Enabled by default, set to nil to disable. 3597 properties: 3598 reconcilerPeriod: 3599 description: 'ReconcilerPeriod is the period to perform 3600 reconciliation with the Calico datastore. [Default: 3601 5m]' 3602 type: string 3603 type: object 3604 type: object 3605 debugProfilePort: 3606 description: DebugProfilePort configures the port to serve memory 3607 and cpu profiles on. If not specified, profiling is disabled. 
3608 format: int32 3609 type: integer 3610 etcdV3CompactionPeriod: 3611 description: 'EtcdV3CompactionPeriod is the period between etcdv3 3612 compaction requests. Set to 0 to disable. [Default: 10m]' 3613 type: string 3614 healthChecks: 3615 description: 'HealthChecks enables or disables support for health 3616 checks [Default: Enabled]' 3617 type: string 3618 logSeverityScreen: 3619 description: 'LogSeverityScreen is the log severity above which 3620 logs are sent to the stdout. [Default: Info]' 3621 type: string 3622 prometheusMetricsPort: 3623 description: 'PrometheusMetricsPort is the TCP port that the Prometheus 3624 metrics server should bind to. Set to 0 to disable. [Default: 3625 9094]' 3626 type: integer 3627 required: 3628 - controllers 3629 type: object 3630 type: object 3631 type: object 3632 served: true 3633 storage: true 3634 status: 3635 acceptedNames: 3636 kind: "" 3637 plural: "" 3638 conditions: [] 3639 storedVersions: [] 3640 --- 3641 apiVersion: apiextensions.k8s.io/v1 3642 kind: CustomResourceDefinition 3643 metadata: 3644 name: networkpolicies.crd.projectcalico.org 3645 spec: 3646 group: crd.projectcalico.org 3647 names: 3648 kind: NetworkPolicy 3649 listKind: NetworkPolicyList 3650 plural: networkpolicies 3651 singular: networkpolicy 3652 preserveUnknownFields: false 3653 scope: Namespaced 3654 versions: 3655 - name: v1 3656 schema: 3657 openAPIV3Schema: 3658 properties: 3659 apiVersion: 3660 description: 'APIVersion defines the versioned schema of this representation 3661 of an object. Servers should convert recognized schemas to the latest 3662 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 3663 type: string 3664 kind: 3665 description: 'Kind is a string value representing the REST resource this 3666 object represents. Servers may infer this from the endpoint the client 3667 submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 3668 type: string 3669 metadata: 3670 type: object 3671 spec: 3672 properties: 3673 egress: 3674 description: The ordered set of egress rules. Each rule contains 3675 a set of packet match criteria and a corresponding action to apply. 3676 items: 3677 description: "A Rule encapsulates a set of match criteria and an 3678 action. Both selector-based security Policy and security Profiles 3679 reference rules - separated out as a list of rules for both ingress 3680 and egress packet matching. \n Each positive match criteria has 3681 a negated version, prefixed with \"Not\". All the match criteria 3682 within a rule must be satisfied for a packet to match. A single 3683 rule can contain the positive and negative version of a match 3684 and both must be satisfied for the rule to match." 3685 properties: 3686 action: 3687 type: string 3688 destination: 3689 description: Destination contains the match criteria that apply 3690 to destination entity. 3691 properties: 3692 namespaceSelector: 3693 description: "NamespaceSelector is an optional field that 3694 contains a selector expression. Only traffic that originates 3695 from (or terminates at) endpoints within the selected 3696 namespaces will be matched. When both NamespaceSelector 3697 and another selector are defined on the same rule, then 3698 only workload endpoints that are matched by both selectors 3699 will be selected by the rule. \n For NetworkPolicy, an 3700 empty NamespaceSelector implies that the Selector is limited 3701 to selecting only workload endpoints in the same namespace 3702 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3703 NamespaceSelector implies that the Selector is limited 3704 to selecting only GlobalNetworkSet or HostEndpoint. \n 3705 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3706 the Selector applies to workload endpoints across all 3707 namespaces." 
3708 type: string 3709 nets: 3710 description: Nets is an optional field that restricts the 3711 rule to only apply to traffic that originates from (or 3712 terminates at) IP addresses in any of the given subnets. 3713 items: 3714 type: string 3715 type: array 3716 notNets: 3717 description: NotNets is the negated version of the Nets 3718 field. 3719 items: 3720 type: string 3721 type: array 3722 notPorts: 3723 description: NotPorts is the negated version of the Ports 3724 field. Since only some protocols have ports, if any ports 3725 are specified it requires the Protocol match in the Rule 3726 to be set to "TCP" or "UDP". 3727 items: 3728 anyOf: 3729 - type: integer 3730 - type: string 3731 pattern: ^.* 3732 x-kubernetes-int-or-string: true 3733 type: array 3734 notSelector: 3735 description: NotSelector is the negated version of the Selector 3736 field. See Selector field for subtleties with negated 3737 selectors. 3738 type: string 3739 ports: 3740 description: "Ports is an optional field that restricts 3741 the rule to only apply to traffic that has a source (destination) 3742 port that matches one of these ranges/values. This value 3743 is a list of integers or strings that represent ranges 3744 of ports. \n Since only some protocols have ports, if 3745 any ports are specified it requires the Protocol match 3746 in the Rule to be set to \"TCP\" or \"UDP\"." 3747 items: 3748 anyOf: 3749 - type: integer 3750 - type: string 3751 pattern: ^.* 3752 x-kubernetes-int-or-string: true 3753 type: array 3754 selector: 3755 description: "Selector is an optional field that contains 3756 a selector expression (see Policy for sample syntax). 3757 \ Only traffic that originates from (terminates at) endpoints 3758 matching the selector will be matched. \n Note that: in 3759 addition to the negated version of the Selector (see NotSelector 3760 below), the selector expression syntax itself supports 3761 negation. The two types of negation are subtly different. 
3762 One negates the set of matched endpoints, the other negates 3763 the whole match: \n \tSelector = \"!has(my_label)\" matches 3764 packets that are from other Calico-controlled \tendpoints 3765 that do not have the label \"my_label\". \n \tNotSelector 3766 = \"has(my_label)\" matches packets that are not from 3767 Calico-controlled \tendpoints that do have the label \"my_label\". 3768 \n The effect is that the latter will accept packets from 3769 non-Calico sources whereas the former is limited to packets 3770 from Calico-controlled endpoints." 3771 type: string 3772 serviceAccounts: 3773 description: ServiceAccounts is an optional field that restricts 3774 the rule to only apply to traffic that originates from 3775 (or terminates at) a pod running as a matching service 3776 account. 3777 properties: 3778 names: 3779 description: Names is an optional field that restricts 3780 the rule to only apply to traffic that originates 3781 from (or terminates at) a pod running as a service 3782 account whose name is in the list. 3783 items: 3784 type: string 3785 type: array 3786 selector: 3787 description: Selector is an optional field that restricts 3788 the rule to only apply to traffic that originates 3789 from (or terminates at) a pod running as a service 3790 account that matches the given label selector. If 3791 both Names and Selector are specified then they are 3792 AND'ed. 3793 type: string 3794 type: object 3795 services: 3796 description: "Services is an optional field that contains 3797 options for matching Kubernetes Services. If specified, 3798 only traffic that originates from or terminates at endpoints 3799 within the selected service(s) will be matched, and only 3800 to/from each endpoint's port. \n Services cannot be specified 3801 on the same rule as Selector, NotSelector, NamespaceSelector, 3802 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 3803 can only be specified with Services on ingress rules." 
3804 properties: 3805 name: 3806 description: Name specifies the name of a Kubernetes 3807 Service to match. 3808 type: string 3809 namespace: 3810 description: Namespace specifies the namespace of the 3811 given Service. If left empty, the rule will match 3812 within this policy's namespace. 3813 type: string 3814 type: object 3815 type: object 3816 http: 3817 description: HTTP contains match criteria that apply to HTTP 3818 requests. 3819 properties: 3820 methods: 3821 description: Methods is an optional field that restricts 3822 the rule to apply only to HTTP requests that use one of 3823 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 3824 methods are OR'd together. 3825 items: 3826 type: string 3827 type: array 3828 paths: 3829 description: 'Paths is an optional field that restricts 3830 the rule to apply to HTTP requests that use one of the 3831 listed HTTP Paths. Multiple paths are OR''d together. 3832 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 3833 ONLY specify either a `exact` or a `prefix` match. The 3834 validator will check for it.' 3835 items: 3836 description: 'HTTPPath specifies an HTTP path to match. 3837 It may be either of the form: exact: <path>: which matches 3838 the path exactly or prefix: <path-prefix>: which matches 3839 the path prefix' 3840 properties: 3841 exact: 3842 type: string 3843 prefix: 3844 type: string 3845 type: object 3846 type: array 3847 type: object 3848 icmp: 3849 description: ICMP is an optional field that restricts the rule 3850 to apply to a specific type and code of ICMP traffic. This 3851 should only be specified if the Protocol field is set to "ICMP" 3852 or "ICMPv6". 3853 properties: 3854 code: 3855 description: Match on a specific ICMP code. If specified, 3856 the Type value must also be specified. This is a technical 3857 limitation imposed by the kernel's iptables firewall, 3858 which Calico uses to enforce the rule. 3859 type: integer 3860 type: 3861 description: Match on a specific ICMP type. 
For example 3862 a value of 8 refers to ICMP Echo Request (i.e. pings). 3863 type: integer 3864 type: object 3865 ipVersion: 3866 description: IPVersion is an optional field that restricts the 3867 rule to only match a specific IP version. 3868 type: integer 3869 metadata: 3870 description: Metadata contains additional information for this 3871 rule 3872 properties: 3873 annotations: 3874 additionalProperties: 3875 type: string 3876 description: Annotations is a set of key value pairs that 3877 give extra information about the rule 3878 type: object 3879 type: object 3880 notICMP: 3881 description: NotICMP is the negated version of the ICMP field. 3882 properties: 3883 code: 3884 description: Match on a specific ICMP code. If specified, 3885 the Type value must also be specified. This is a technical 3886 limitation imposed by the kernel's iptables firewall, 3887 which Calico uses to enforce the rule. 3888 type: integer 3889 type: 3890 description: Match on a specific ICMP type. For example 3891 a value of 8 refers to ICMP Echo Request (i.e. pings). 3892 type: integer 3893 type: object 3894 notProtocol: 3895 anyOf: 3896 - type: integer 3897 - type: string 3898 description: NotProtocol is the negated version of the Protocol 3899 field. 3900 pattern: ^.* 3901 x-kubernetes-int-or-string: true 3902 protocol: 3903 anyOf: 3904 - type: integer 3905 - type: string 3906 description: "Protocol is an optional field that restricts the 3907 rule to only apply to traffic of a specific IP protocol. Required 3908 if any of the EntityRules contain Ports (because ports only 3909 apply to certain protocols). \n Must be one of these string 3910 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 3911 \"UDPLite\" or an integer in the range 1-255." 3912 pattern: ^.* 3913 x-kubernetes-int-or-string: true 3914 source: 3915 description: Source contains the match criteria that apply to 3916 source entity. 
3917 properties: 3918 namespaceSelector: 3919 description: "NamespaceSelector is an optional field that 3920 contains a selector expression. Only traffic that originates 3921 from (or terminates at) endpoints within the selected 3922 namespaces will be matched. When both NamespaceSelector 3923 and another selector are defined on the same rule, then 3924 only workload endpoints that are matched by both selectors 3925 will be selected by the rule. \n For NetworkPolicy, an 3926 empty NamespaceSelector implies that the Selector is limited 3927 to selecting only workload endpoints in the same namespace 3928 as the NetworkPolicy. \n For NetworkPolicy, `global()` 3929 NamespaceSelector implies that the Selector is limited 3930 to selecting only GlobalNetworkSet or HostEndpoint. \n 3931 For GlobalNetworkPolicy, an empty NamespaceSelector implies 3932 the Selector applies to workload endpoints across all 3933 namespaces." 3934 type: string 3935 nets: 3936 description: Nets is an optional field that restricts the 3937 rule to only apply to traffic that originates from (or 3938 terminates at) IP addresses in any of the given subnets. 3939 items: 3940 type: string 3941 type: array 3942 notNets: 3943 description: NotNets is the negated version of the Nets 3944 field. 3945 items: 3946 type: string 3947 type: array 3948 notPorts: 3949 description: NotPorts is the negated version of the Ports 3950 field. Since only some protocols have ports, if any ports 3951 are specified it requires the Protocol match in the Rule 3952 to be set to "TCP" or "UDP". 3953 items: 3954 anyOf: 3955 - type: integer 3956 - type: string 3957 pattern: ^.* 3958 x-kubernetes-int-or-string: true 3959 type: array 3960 notSelector: 3961 description: NotSelector is the negated version of the Selector 3962 field. See Selector field for subtleties with negated 3963 selectors. 
3964 type: string 3965 ports: 3966 description: "Ports is an optional field that restricts 3967 the rule to only apply to traffic that has a source (destination) 3968 port that matches one of these ranges/values. This value 3969 is a list of integers or strings that represent ranges 3970 of ports. \n Since only some protocols have ports, if 3971 any ports are specified it requires the Protocol match 3972 in the Rule to be set to \"TCP\" or \"UDP\"." 3973 items: 3974 anyOf: 3975 - type: integer 3976 - type: string 3977 pattern: ^.* 3978 x-kubernetes-int-or-string: true 3979 type: array 3980 selector: 3981 description: "Selector is an optional field that contains 3982 a selector expression (see Policy for sample syntax). 3983 \ Only traffic that originates from (terminates at) endpoints 3984 matching the selector will be matched. \n Note that: in 3985 addition to the negated version of the Selector (see NotSelector 3986 below), the selector expression syntax itself supports 3987 negation. The two types of negation are subtly different. 3988 One negates the set of matched endpoints, the other negates 3989 the whole match: \n \tSelector = \"!has(my_label)\" matches 3990 packets that are from other Calico-controlled \tendpoints 3991 that do not have the label \"my_label\". \n \tNotSelector 3992 = \"has(my_label)\" matches packets that are not from 3993 Calico-controlled \tendpoints that do have the label \"my_label\". 3994 \n The effect is that the latter will accept packets from 3995 non-Calico sources whereas the former is limited to packets 3996 from Calico-controlled endpoints." 3997 type: string 3998 serviceAccounts: 3999 description: ServiceAccounts is an optional field that restricts 4000 the rule to only apply to traffic that originates from 4001 (or terminates at) a pod running as a matching service 4002 account. 
4003 properties: 4004 names: 4005 description: Names is an optional field that restricts 4006 the rule to only apply to traffic that originates 4007 from (or terminates at) a pod running as a service 4008 account whose name is in the list. 4009 items: 4010 type: string 4011 type: array 4012 selector: 4013 description: Selector is an optional field that restricts 4014 the rule to only apply to traffic that originates 4015 from (or terminates at) a pod running as a service 4016 account that matches the given label selector. If 4017 both Names and Selector are specified then they are 4018 AND'ed. 4019 type: string 4020 type: object 4021 services: 4022 description: "Services is an optional field that contains 4023 options for matching Kubernetes Services. If specified, 4024 only traffic that originates from or terminates at endpoints 4025 within the selected service(s) will be matched, and only 4026 to/from each endpoint's port. \n Services cannot be specified 4027 on the same rule as Selector, NotSelector, NamespaceSelector, 4028 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4029 can only be specified with Services on ingress rules." 4030 properties: 4031 name: 4032 description: Name specifies the name of a Kubernetes 4033 Service to match. 4034 type: string 4035 namespace: 4036 description: Namespace specifies the namespace of the 4037 given Service. If left empty, the rule will match 4038 within this policy's namespace. 4039 type: string 4040 type: object 4041 type: object 4042 required: 4043 - action 4044 type: object 4045 type: array 4046 ingress: 4047 description: The ordered set of ingress rules. Each rule contains 4048 a set of packet match criteria and a corresponding action to apply. 4049 items: 4050 description: "A Rule encapsulates a set of match criteria and an 4051 action. Both selector-based security Policy and security Profiles 4052 reference rules - separated out as a list of rules for both ingress 4053 and egress packet matching. 
\n Each positive match criteria has 4054 a negated version, prefixed with \"Not\". All the match criteria 4055 within a rule must be satisfied for a packet to match. A single 4056 rule can contain the positive and negative version of a match 4057 and both must be satisfied for the rule to match." 4058 properties: 4059 action: 4060 type: string 4061 destination: 4062 description: Destination contains the match criteria that apply 4063 to destination entity. 4064 properties: 4065 namespaceSelector: 4066 description: "NamespaceSelector is an optional field that 4067 contains a selector expression. Only traffic that originates 4068 from (or terminates at) endpoints within the selected 4069 namespaces will be matched. When both NamespaceSelector 4070 and another selector are defined on the same rule, then 4071 only workload endpoints that are matched by both selectors 4072 will be selected by the rule. \n For NetworkPolicy, an 4073 empty NamespaceSelector implies that the Selector is limited 4074 to selecting only workload endpoints in the same namespace 4075 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4076 NamespaceSelector implies that the Selector is limited 4077 to selecting only GlobalNetworkSet or HostEndpoint. \n 4078 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4079 the Selector applies to workload endpoints across all 4080 namespaces." 4081 type: string 4082 nets: 4083 description: Nets is an optional field that restricts the 4084 rule to only apply to traffic that originates from (or 4085 terminates at) IP addresses in any of the given subnets. 4086 items: 4087 type: string 4088 type: array 4089 notNets: 4090 description: NotNets is the negated version of the Nets 4091 field. 4092 items: 4093 type: string 4094 type: array 4095 notPorts: 4096 description: NotPorts is the negated version of the Ports 4097 field. 
Since only some protocols have ports, if any ports 4098 are specified it requires the Protocol match in the Rule 4099 to be set to "TCP" or "UDP". 4100 items: 4101 anyOf: 4102 - type: integer 4103 - type: string 4104 pattern: ^.* 4105 x-kubernetes-int-or-string: true 4106 type: array 4107 notSelector: 4108 description: NotSelector is the negated version of the Selector 4109 field. See Selector field for subtleties with negated 4110 selectors. 4111 type: string 4112 ports: 4113 description: "Ports is an optional field that restricts 4114 the rule to only apply to traffic that has a source (destination) 4115 port that matches one of these ranges/values. This value 4116 is a list of integers or strings that represent ranges 4117 of ports. \n Since only some protocols have ports, if 4118 any ports are specified it requires the Protocol match 4119 in the Rule to be set to \"TCP\" or \"UDP\"." 4120 items: 4121 anyOf: 4122 - type: integer 4123 - type: string 4124 pattern: ^.* 4125 x-kubernetes-int-or-string: true 4126 type: array 4127 selector: 4128 description: "Selector is an optional field that contains 4129 a selector expression (see Policy for sample syntax). 4130 \ Only traffic that originates from (terminates at) endpoints 4131 matching the selector will be matched. \n Note that: in 4132 addition to the negated version of the Selector (see NotSelector 4133 below), the selector expression syntax itself supports 4134 negation. The two types of negation are subtly different. 4135 One negates the set of matched endpoints, the other negates 4136 the whole match: \n \tSelector = \"!has(my_label)\" matches 4137 packets that are from other Calico-controlled \tendpoints 4138 that do not have the label \"my_label\". \n \tNotSelector 4139 = \"has(my_label)\" matches packets that are not from 4140 Calico-controlled \tendpoints that do have the label \"my_label\". 
4141 \n The effect is that the latter will accept packets from 4142 non-Calico sources whereas the former is limited to packets 4143 from Calico-controlled endpoints." 4144 type: string 4145 serviceAccounts: 4146 description: ServiceAccounts is an optional field that restricts 4147 the rule to only apply to traffic that originates from 4148 (or terminates at) a pod running as a matching service 4149 account. 4150 properties: 4151 names: 4152 description: Names is an optional field that restricts 4153 the rule to only apply to traffic that originates 4154 from (or terminates at) a pod running as a service 4155 account whose name is in the list. 4156 items: 4157 type: string 4158 type: array 4159 selector: 4160 description: Selector is an optional field that restricts 4161 the rule to only apply to traffic that originates 4162 from (or terminates at) a pod running as a service 4163 account that matches the given label selector. If 4164 both Names and Selector are specified then they are 4165 AND'ed. 4166 type: string 4167 type: object 4168 services: 4169 description: "Services is an optional field that contains 4170 options for matching Kubernetes Services. If specified, 4171 only traffic that originates from or terminates at endpoints 4172 within the selected service(s) will be matched, and only 4173 to/from each endpoint's port. \n Services cannot be specified 4174 on the same rule as Selector, NotSelector, NamespaceSelector, 4175 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4176 can only be specified with Services on ingress rules." 4177 properties: 4178 name: 4179 description: Name specifies the name of a Kubernetes 4180 Service to match. 4181 type: string 4182 namespace: 4183 description: Namespace specifies the namespace of the 4184 given Service. If left empty, the rule will match 4185 within this policy's namespace. 
4186 type: string 4187 type: object 4188 type: object 4189 http: 4190 description: HTTP contains match criteria that apply to HTTP 4191 requests. 4192 properties: 4193 methods: 4194 description: Methods is an optional field that restricts 4195 the rule to apply only to HTTP requests that use one of 4196 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple 4197 methods are OR'd together. 4198 items: 4199 type: string 4200 type: array 4201 paths: 4202 description: 'Paths is an optional field that restricts 4203 the rule to apply to HTTP requests that use one of the 4204 listed HTTP Paths. Multiple paths are OR''d together. 4205 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may 4206 ONLY specify either a `exact` or a `prefix` match. The 4207 validator will check for it.' 4208 items: 4209 description: 'HTTPPath specifies an HTTP path to match. 4210 It may be either of the form: exact: <path>: which matches 4211 the path exactly or prefix: <path-prefix>: which matches 4212 the path prefix' 4213 properties: 4214 exact: 4215 type: string 4216 prefix: 4217 type: string 4218 type: object 4219 type: array 4220 type: object 4221 icmp: 4222 description: ICMP is an optional field that restricts the rule 4223 to apply to a specific type and code of ICMP traffic. This 4224 should only be specified if the Protocol field is set to "ICMP" 4225 or "ICMPv6". 4226 properties: 4227 code: 4228 description: Match on a specific ICMP code. If specified, 4229 the Type value must also be specified. This is a technical 4230 limitation imposed by the kernel's iptables firewall, 4231 which Calico uses to enforce the rule. 4232 type: integer 4233 type: 4234 description: Match on a specific ICMP type. For example 4235 a value of 8 refers to ICMP Echo Request (i.e. pings). 4236 type: integer 4237 type: object 4238 ipVersion: 4239 description: IPVersion is an optional field that restricts the 4240 rule to only match a specific IP version. 
4241 type: integer 4242 metadata: 4243 description: Metadata contains additional information for this 4244 rule 4245 properties: 4246 annotations: 4247 additionalProperties: 4248 type: string 4249 description: Annotations is a set of key value pairs that 4250 give extra information about the rule 4251 type: object 4252 type: object 4253 notICMP: 4254 description: NotICMP is the negated version of the ICMP field. 4255 properties: 4256 code: 4257 description: Match on a specific ICMP code. If specified, 4258 the Type value must also be specified. This is a technical 4259 limitation imposed by the kernel's iptables firewall, 4260 which Calico uses to enforce the rule. 4261 type: integer 4262 type: 4263 description: Match on a specific ICMP type. For example 4264 a value of 8 refers to ICMP Echo Request (i.e. pings). 4265 type: integer 4266 type: object 4267 notProtocol: 4268 anyOf: 4269 - type: integer 4270 - type: string 4271 description: NotProtocol is the negated version of the Protocol 4272 field. 4273 pattern: ^.* 4274 x-kubernetes-int-or-string: true 4275 protocol: 4276 anyOf: 4277 - type: integer 4278 - type: string 4279 description: "Protocol is an optional field that restricts the 4280 rule to only apply to traffic of a specific IP protocol. Required 4281 if any of the EntityRules contain Ports (because ports only 4282 apply to certain protocols). \n Must be one of these string 4283 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", 4284 \"UDPLite\" or an integer in the range 1-255." 4285 pattern: ^.* 4286 x-kubernetes-int-or-string: true 4287 source: 4288 description: Source contains the match criteria that apply to 4289 source entity. 4290 properties: 4291 namespaceSelector: 4292 description: "NamespaceSelector is an optional field that 4293 contains a selector expression. Only traffic that originates 4294 from (or terminates at) endpoints within the selected 4295 namespaces will be matched. 
When both NamespaceSelector 4296 and another selector are defined on the same rule, then 4297 only workload endpoints that are matched by both selectors 4298 will be selected by the rule. \n For NetworkPolicy, an 4299 empty NamespaceSelector implies that the Selector is limited 4300 to selecting only workload endpoints in the same namespace 4301 as the NetworkPolicy. \n For NetworkPolicy, `global()` 4302 NamespaceSelector implies that the Selector is limited 4303 to selecting only GlobalNetworkSet or HostEndpoint. \n 4304 For GlobalNetworkPolicy, an empty NamespaceSelector implies 4305 the Selector applies to workload endpoints across all 4306 namespaces." 4307 type: string 4308 nets: 4309 description: Nets is an optional field that restricts the 4310 rule to only apply to traffic that originates from (or 4311 terminates at) IP addresses in any of the given subnets. 4312 items: 4313 type: string 4314 type: array 4315 notNets: 4316 description: NotNets is the negated version of the Nets 4317 field. 4318 items: 4319 type: string 4320 type: array 4321 notPorts: 4322 description: NotPorts is the negated version of the Ports 4323 field. Since only some protocols have ports, if any ports 4324 are specified it requires the Protocol match in the Rule 4325 to be set to "TCP" or "UDP". 4326 items: 4327 anyOf: 4328 - type: integer 4329 - type: string 4330 pattern: ^.* 4331 x-kubernetes-int-or-string: true 4332 type: array 4333 notSelector: 4334 description: NotSelector is the negated version of the Selector 4335 field. See Selector field for subtleties with negated 4336 selectors. 4337 type: string 4338 ports: 4339 description: "Ports is an optional field that restricts 4340 the rule to only apply to traffic that has a source (destination) 4341 port that matches one of these ranges/values. This value 4342 is a list of integers or strings that represent ranges 4343 of ports. 
\n Since only some protocols have ports, if 4344 any ports are specified it requires the Protocol match 4345 in the Rule to be set to \"TCP\" or \"UDP\"." 4346 items: 4347 anyOf: 4348 - type: integer 4349 - type: string 4350 pattern: ^.* 4351 x-kubernetes-int-or-string: true 4352 type: array 4353 selector: 4354 description: "Selector is an optional field that contains 4355 a selector expression (see Policy for sample syntax). 4356 \ Only traffic that originates from (terminates at) endpoints 4357 matching the selector will be matched. \n Note that: in 4358 addition to the negated version of the Selector (see NotSelector 4359 below), the selector expression syntax itself supports 4360 negation. The two types of negation are subtly different. 4361 One negates the set of matched endpoints, the other negates 4362 the whole match: \n \tSelector = \"!has(my_label)\" matches 4363 packets that are from other Calico-controlled \tendpoints 4364 that do not have the label \"my_label\". \n \tNotSelector 4365 = \"has(my_label)\" matches packets that are not from 4366 Calico-controlled \tendpoints that do have the label \"my_label\". 4367 \n The effect is that the latter will accept packets from 4368 non-Calico sources whereas the former is limited to packets 4369 from Calico-controlled endpoints." 4370 type: string 4371 serviceAccounts: 4372 description: ServiceAccounts is an optional field that restricts 4373 the rule to only apply to traffic that originates from 4374 (or terminates at) a pod running as a matching service 4375 account. 4376 properties: 4377 names: 4378 description: Names is an optional field that restricts 4379 the rule to only apply to traffic that originates 4380 from (or terminates at) a pod running as a service 4381 account whose name is in the list. 
4382 items: 4383 type: string 4384 type: array 4385 selector: 4386 description: Selector is an optional field that restricts 4387 the rule to only apply to traffic that originates 4388 from (or terminates at) a pod running as a service 4389 account that matches the given label selector. If 4390 both Names and Selector are specified then they are 4391 AND'ed. 4392 type: string 4393 type: object 4394 services: 4395 description: "Services is an optional field that contains 4396 options for matching Kubernetes Services. If specified, 4397 only traffic that originates from or terminates at endpoints 4398 within the selected service(s) will be matched, and only 4399 to/from each endpoint's port. \n Services cannot be specified 4400 on the same rule as Selector, NotSelector, NamespaceSelector, 4401 Nets, NotNets or ServiceAccounts. \n Ports and NotPorts 4402 can only be specified with Services on ingress rules." 4403 properties: 4404 name: 4405 description: Name specifies the name of a Kubernetes 4406 Service to match. 4407 type: string 4408 namespace: 4409 description: Namespace specifies the namespace of the 4410 given Service. If left empty, the rule will match 4411 within this policy's namespace. 4412 type: string 4413 type: object 4414 type: object 4415 required: 4416 - action 4417 type: object 4418 type: array 4419 order: 4420 description: Order is an optional field that specifies the order in 4421 which the policy is applied. Policies with higher "order" are applied 4422 after those with lower order. If the order is omitted, it may be 4423 considered to be "infinite" - i.e. the policy will be applied last. Policies 4424 with identical order will be applied in alphanumerical order based 4425 on the Policy "Name". 4426 type: number 4427 selector: 4428 description: "The selector is an expression used to pick pick out 4429 the endpoints that the policy should be applied to. 
\n Selector 4430 expressions follow this syntax: \n \tlabel == \"string_literal\" 4431 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" 4432 \ -> not equal; also matches if label is not present \tlabel in 4433 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is 4434 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", 4435 ... } -> true if the value of label X is not one of \"a\", \"b\", 4436 \"c\" \thas(label_name) -> True if that label is present \t! expr 4437 -> negation of expr \texpr && expr -> Short-circuit and \texpr 4438 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() 4439 or the empty selector -> matches all endpoints. \n Label names are 4440 allowed to contain alphanumerics, -, _ and /. String literals are 4441 more permissive but they do not support escape characters. \n Examples 4442 (with made-up labels): \n \ttype == \"webserver\" && deployment 4443 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != 4444 \"dev\" \t! has(label_name)" 4445 type: string 4446 serviceAccountSelector: 4447 description: ServiceAccountSelector is an optional field for an expression 4448 used to select a pod based on service accounts. 4449 type: string 4450 types: 4451 description: "Types indicates whether this policy applies to ingress, 4452 or to egress, or to both. When not explicitly specified (and so 4453 the value on creation is empty or nil), Calico defaults Types according 4454 to what Ingress and Egress are present in the policy. The default 4455 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including 4456 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress 4457 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, 4458 PolicyTypeEgress ], if there are both Ingress and Egress rules. 4459 \n When the policy is read back again, Types will always be one 4460 of these values, never empty or nil." 
4461 items: 4462 description: PolicyType enumerates the possible values of the PolicySpec 4463 Types field. 4464 type: string 4465 type: array 4466 type: object 4467 type: object 4468 served: true 4469 storage: true 4470 status: 4471 acceptedNames: 4472 kind: "" 4473 plural: "" 4474 conditions: [] 4475 storedVersions: [] 4476 --- 4477 apiVersion: apiextensions.k8s.io/v1 4478 kind: CustomResourceDefinition 4479 metadata: 4480 name: networksets.crd.projectcalico.org 4481 spec: 4482 group: crd.projectcalico.org 4483 names: 4484 kind: NetworkSet 4485 listKind: NetworkSetList 4486 plural: networksets 4487 singular: networkset 4488 preserveUnknownFields: false 4489 scope: Namespaced 4490 versions: 4491 - name: v1 4492 schema: 4493 openAPIV3Schema: 4494 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. 4495 properties: 4496 apiVersion: 4497 description: 'APIVersion defines the versioned schema of this representation 4498 of an object. Servers should convert recognized schemas to the latest 4499 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 4500 type: string 4501 kind: 4502 description: 'Kind is a string value representing the REST resource this 4503 object represents. Servers may infer this from the endpoint the client 4504 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 4505 type: string 4506 metadata: 4507 type: object 4508 spec: 4509 description: NetworkSetSpec contains the specification for a NetworkSet 4510 resource. 4511 properties: 4512 nets: 4513 description: The list of IP networks that belong to this set. 
4514 items: 4515 type: string 4516 type: array 4517 type: object 4518 type: object 4519 served: true 4520 storage: true 4521 status: 4522 acceptedNames: 4523 kind: "" 4524 plural: "" 4525 conditions: [] 4526 storedVersions: [] 4527 --- 4528 apiVersion: v1 4529 kind: ServiceAccount 4530 metadata: 4531 name: calico-cni-plugin 4532 namespace: kube-system 4533 --- 4534 apiVersion: v1 4535 kind: ServiceAccount 4536 metadata: 4537 name: calico-kube-controllers 4538 namespace: kube-system 4539 --- 4540 apiVersion: v1 4541 kind: ServiceAccount 4542 metadata: 4543 name: calico-node 4544 namespace: kube-system 4545 --- 4546 apiVersion: rbac.authorization.k8s.io/v1 4547 kind: ClusterRole 4548 metadata: 4549 name: calico-cni-plugin 4550 rules: 4551 - apiGroups: 4552 - "" 4553 resources: 4554 - pods 4555 - nodes 4556 - namespaces 4557 verbs: 4558 - get 4559 - apiGroups: 4560 - "" 4561 resources: 4562 - pods/status 4563 verbs: 4564 - patch 4565 - apiGroups: 4566 - crd.projectcalico.org 4567 resources: 4568 - blockaffinities 4569 - ipamblocks 4570 - ipamhandles 4571 - clusterinformations 4572 - ippools 4573 - ipreservations 4574 - ipamconfigs 4575 verbs: 4576 - get 4577 - list 4578 - create 4579 - update 4580 - delete 4581 --- 4582 apiVersion: rbac.authorization.k8s.io/v1 4583 kind: ClusterRole 4584 metadata: 4585 name: calico-kube-controllers 4586 rules: 4587 - apiGroups: 4588 - "" 4589 resources: 4590 - nodes 4591 verbs: 4592 - watch 4593 - list 4594 - get 4595 - apiGroups: 4596 - "" 4597 resources: 4598 - pods 4599 verbs: 4600 - get 4601 - list 4602 - watch 4603 - apiGroups: 4604 - crd.projectcalico.org 4605 resources: 4606 - ipreservations 4607 verbs: 4608 - list 4609 - apiGroups: 4610 - crd.projectcalico.org 4611 resources: 4612 - blockaffinities 4613 - ipamblocks 4614 - ipamhandles 4615 verbs: 4616 - get 4617 - list 4618 - create 4619 - update 4620 - delete 4621 - watch 4622 - apiGroups: 4623 - crd.projectcalico.org 4624 resources: 4625 - ippools 4626 verbs: 4627 - list 
4628 - watch 4629 - apiGroups: 4630 - crd.projectcalico.org 4631 resources: 4632 - hostendpoints 4633 verbs: 4634 - get 4635 - list 4636 - create 4637 - update 4638 - delete 4639 - apiGroups: 4640 - crd.projectcalico.org 4641 resources: 4642 - clusterinformations 4643 verbs: 4644 - get 4645 - list 4646 - create 4647 - update 4648 - watch 4649 - apiGroups: 4650 - crd.projectcalico.org 4651 resources: 4652 - kubecontrollersconfigurations 4653 verbs: 4654 - get 4655 - create 4656 - update 4657 - watch 4658 --- 4659 apiVersion: rbac.authorization.k8s.io/v1 4660 kind: ClusterRole 4661 metadata: 4662 name: calico-node 4663 rules: 4664 - apiGroups: 4665 - "" 4666 resourceNames: 4667 - calico-cni-plugin 4668 resources: 4669 - serviceaccounts/token 4670 verbs: 4671 - create 4672 - apiGroups: 4673 - "" 4674 resources: 4675 - pods 4676 - nodes 4677 - namespaces 4678 verbs: 4679 - get 4680 - apiGroups: 4681 - discovery.k8s.io 4682 resources: 4683 - endpointslices 4684 verbs: 4685 - watch 4686 - list 4687 - apiGroups: 4688 - "" 4689 resources: 4690 - endpoints 4691 - services 4692 verbs: 4693 - watch 4694 - list 4695 - get 4696 - apiGroups: 4697 - "" 4698 resources: 4699 - configmaps 4700 verbs: 4701 - get 4702 - apiGroups: 4703 - "" 4704 resources: 4705 - nodes/status 4706 verbs: 4707 - patch 4708 - update 4709 - apiGroups: 4710 - networking.k8s.io 4711 resources: 4712 - networkpolicies 4713 verbs: 4714 - watch 4715 - list 4716 - apiGroups: 4717 - "" 4718 resources: 4719 - pods 4720 - namespaces 4721 - serviceaccounts 4722 verbs: 4723 - list 4724 - watch 4725 - apiGroups: 4726 - "" 4727 resources: 4728 - pods/status 4729 verbs: 4730 - patch 4731 - apiGroups: 4732 - crd.projectcalico.org 4733 resources: 4734 - globalfelixconfigs 4735 - felixconfigurations 4736 - bgppeers 4737 - bgpfilters 4738 - globalbgpconfigs 4739 - bgpconfigurations 4740 - ippools 4741 - ipreservations 4742 - ipamblocks 4743 - globalnetworkpolicies 4744 - globalnetworksets 4745 - networkpolicies 4746 - 
networksets 4747 - clusterinformations 4748 - hostendpoints 4749 - blockaffinities 4750 - caliconodestatuses 4751 verbs: 4752 - get 4753 - list 4754 - watch 4755 - apiGroups: 4756 - crd.projectcalico.org 4757 resources: 4758 - ippools 4759 - felixconfigurations 4760 - clusterinformations 4761 verbs: 4762 - create 4763 - update 4764 - apiGroups: 4765 - crd.projectcalico.org 4766 resources: 4767 - caliconodestatuses 4768 verbs: 4769 - update 4770 - apiGroups: 4771 - "" 4772 resources: 4773 - nodes 4774 verbs: 4775 - get 4776 - list 4777 - watch 4778 - apiGroups: 4779 - crd.projectcalico.org 4780 resources: 4781 - bgpconfigurations 4782 - bgppeers 4783 verbs: 4784 - create 4785 - update 4786 - apiGroups: 4787 - crd.projectcalico.org 4788 resources: 4789 - blockaffinities 4790 - ipamblocks 4791 - ipamhandles 4792 verbs: 4793 - get 4794 - list 4795 - create 4796 - update 4797 - delete 4798 - apiGroups: 4799 - crd.projectcalico.org 4800 resources: 4801 - ipamconfigs 4802 verbs: 4803 - get 4804 - create 4805 - apiGroups: 4806 - crd.projectcalico.org 4807 resources: 4808 - blockaffinities 4809 verbs: 4810 - watch 4811 - apiGroups: 4812 - apps 4813 resources: 4814 - daemonsets 4815 verbs: 4816 - get 4817 --- 4818 apiVersion: rbac.authorization.k8s.io/v1 4819 kind: ClusterRoleBinding 4820 metadata: 4821 name: calico-cni-plugin 4822 roleRef: 4823 apiGroup: rbac.authorization.k8s.io 4824 kind: ClusterRole 4825 name: calico-cni-plugin 4826 subjects: 4827 - kind: ServiceAccount 4828 name: calico-cni-plugin 4829 namespace: kube-system 4830 --- 4831 apiVersion: rbac.authorization.k8s.io/v1 4832 kind: ClusterRoleBinding 4833 metadata: 4834 name: calico-kube-controllers 4835 roleRef: 4836 apiGroup: rbac.authorization.k8s.io 4837 kind: ClusterRole 4838 name: calico-kube-controllers 4839 subjects: 4840 - kind: ServiceAccount 4841 name: calico-kube-controllers 4842 namespace: kube-system 4843 --- 4844 apiVersion: rbac.authorization.k8s.io/v1 4845 kind: ClusterRoleBinding 4846 metadata: 
4847 name: calico-node 4848 roleRef: 4849 apiGroup: rbac.authorization.k8s.io 4850 kind: ClusterRole 4851 name: calico-node 4852 subjects: 4853 - kind: ServiceAccount 4854 name: calico-node 4855 namespace: kube-system 4856 --- 4857 apiVersion: v1 4858 data: 4859 calico_backend: vxlan 4860 cni_network_config: |- 4861 { 4862 "name": "k8s-pod-network", 4863 "cniVersion": "0.3.1", 4864 "plugins": [ 4865 { 4866 "type": "calico", 4867 "log_level": "info", 4868 "log_file_path": "/var/log/calico/cni/cni.log", 4869 "datastore_type": "kubernetes", 4870 "nodename": "__KUBERNETES_NODE_NAME__", 4871 "mtu": __CNI_MTU__, 4872 "ipam": { 4873 "type": "calico-ipam" 4874 }, 4875 "policy": { 4876 "type": "k8s" 4877 }, 4878 "kubernetes": { 4879 "kubeconfig": "__KUBECONFIG_FILEPATH__" 4880 } 4881 }, 4882 { 4883 "type": "portmap", 4884 "snat": true, 4885 "capabilities": {"portMappings": true} 4886 }, 4887 { 4888 "type": "bandwidth", 4889 "capabilities": {"bandwidth": true} 4890 } 4891 ] 4892 } 4893 typha_service_name: none 4894 veth_mtu: "1350" 4895 kind: ConfigMap 4896 metadata: 4897 name: calico-config 4898 namespace: kube-system 4899 --- 4900 apiVersion: apps/v1 4901 kind: Deployment 4902 metadata: 4903 labels: 4904 k8s-app: calico-kube-controllers 4905 name: calico-kube-controllers 4906 namespace: kube-system 4907 spec: 4908 replicas: 1 4909 selector: 4910 matchLabels: 4911 k8s-app: calico-kube-controllers 4912 strategy: 4913 type: Recreate 4914 template: 4915 metadata: 4916 labels: 4917 k8s-app: calico-kube-controllers 4918 name: calico-kube-controllers 4919 namespace: kube-system 4920 spec: 4921 containers: 4922 - env: 4923 - name: ENABLED_CONTROLLERS 4924 value: node 4925 - name: DATASTORE_TYPE 4926 value: kubernetes 4927 image: docker.io/calico/kube-controllers:v3.26.1 4928 imagePullPolicy: IfNotPresent 4929 livenessProbe: 4930 exec: 4931 command: 4932 - /usr/bin/check-status 4933 - -l 4934 failureThreshold: 6 4935 initialDelaySeconds: 10 4936 periodSeconds: 10 4937 
timeoutSeconds: 10 4938 name: calico-kube-controllers 4939 readinessProbe: 4940 exec: 4941 command: 4942 - /usr/bin/check-status 4943 - -r 4944 periodSeconds: 10 4945 nodeSelector: 4946 kubernetes.io/os: linux 4947 priorityClassName: system-cluster-critical 4948 serviceAccountName: calico-kube-controllers 4949 tolerations: 4950 - key: CriticalAddonsOnly 4951 operator: Exists 4952 - effect: NoSchedule 4953 key: node-role.kubernetes.io/master 4954 - effect: NoSchedule 4955 key: node-role.kubernetes.io/control-plane 4956 --- 4957 apiVersion: policy/v1 4958 kind: PodDisruptionBudget 4959 metadata: 4960 labels: 4961 k8s-app: calico-kube-controllers 4962 name: calico-kube-controllers 4963 namespace: kube-system 4964 spec: 4965 maxUnavailable: 1 4966 selector: 4967 matchLabels: 4968 k8s-app: calico-kube-controllers 4969 --- 4970 apiVersion: apps/v1 4971 kind: DaemonSet 4972 metadata: 4973 labels: 4974 k8s-app: calico-node 4975 name: calico-node 4976 namespace: kube-system 4977 spec: 4978 selector: 4979 matchLabels: 4980 k8s-app: calico-node 4981 template: 4982 metadata: 4983 labels: 4984 k8s-app: calico-node 4985 spec: 4986 containers: 4987 - env: 4988 - name: FELIX_FEATUREDETECTOVERRIDE 4989 value: ChecksumOffloadBroken=true 4990 - name: CALICO_IPV4POOL_VXLAN 4991 value: Always 4992 - name: DATASTORE_TYPE 4993 value: kubernetes 4994 - name: WAIT_FOR_DATASTORE 4995 value: "true" 4996 - name: NODENAME 4997 valueFrom: 4998 fieldRef: 4999 fieldPath: spec.nodeName 5000 - name: CALICO_NETWORKING_BACKEND 5001 valueFrom: 5002 configMapKeyRef: 5003 key: calico_backend 5004 name: calico-config 5005 - name: CLUSTER_TYPE 5006 value: k8s,bgp 5007 - name: IP 5008 value: autodetect 5009 - name: CALICO_IPV4POOL_IPIP 5010 value: Never 5011 - name: CALICO_IPV6POOL_VXLAN 5012 value: CrossSubnet 5013 - name: FELIX_IPINIPMTU 5014 valueFrom: 5015 configMapKeyRef: 5016 key: veth_mtu 5017 name: calico-config 5018 - name: FELIX_VXLANMTU 5019 valueFrom: 5020 configMapKeyRef: 5021 key: veth_mtu 
5022 name: calico-config 5023 - name: FELIX_WIREGUARDMTU 5024 valueFrom: 5025 configMapKeyRef: 5026 key: veth_mtu 5027 name: calico-config 5028 - name: CALICO_DISABLE_FILE_LOGGING 5029 value: "true" 5030 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION 5031 value: ACCEPT 5032 - name: FELIX_IPV6SUPPORT 5033 value: "false" 5034 - name: FELIX_HEALTHENABLED 5035 value: "true" 5036 envFrom: 5037 - configMapRef: 5038 name: kubernetes-services-endpoint 5039 optional: true 5040 image: docker.io/calico/node:v3.26.1 5041 imagePullPolicy: IfNotPresent 5042 lifecycle: 5043 preStop: 5044 exec: 5045 command: 5046 - /bin/calico-node 5047 - -shutdown 5048 livenessProbe: 5049 exec: 5050 command: 5051 - /bin/calico-node 5052 - -felix-live 5053 failureThreshold: 6 5054 initialDelaySeconds: 10 5055 periodSeconds: 10 5056 timeoutSeconds: 10 5057 name: calico-node 5058 readinessProbe: 5059 exec: 5060 command: 5061 - /bin/calico-node 5062 - -felix-ready 5063 periodSeconds: 10 5064 timeoutSeconds: 10 5065 resources: 5066 requests: 5067 cpu: 250m 5068 securityContext: 5069 privileged: true 5070 volumeMounts: 5071 - mountPath: /host/etc/cni/net.d 5072 name: cni-net-dir 5073 readOnly: false 5074 - mountPath: /lib/modules 5075 name: lib-modules 5076 readOnly: true 5077 - mountPath: /run/xtables.lock 5078 name: xtables-lock 5079 readOnly: false 5080 - mountPath: /var/run/calico 5081 name: var-run-calico 5082 readOnly: false 5083 - mountPath: /var/lib/calico 5084 name: var-lib-calico 5085 readOnly: false 5086 - mountPath: /var/run/nodeagent 5087 name: policysync 5088 - mountPath: /sys/fs/bpf 5089 name: bpffs 5090 - mountPath: /var/log/calico/cni 5091 name: cni-log-dir 5092 readOnly: true 5093 hostNetwork: true 5094 initContainers: 5095 - command: 5096 - /opt/cni/bin/calico-ipam 5097 - -upgrade 5098 env: 5099 - name: KUBERNETES_NODE_NAME 5100 valueFrom: 5101 fieldRef: 5102 fieldPath: spec.nodeName 5103 - name: CALICO_NETWORKING_BACKEND 5104 valueFrom: 5105 configMapKeyRef: 5106 key: calico_backend 5107 
name: calico-config 5108 envFrom: 5109 - configMapRef: 5110 name: kubernetes-services-endpoint 5111 optional: true 5112 image: docker.io/calico/cni:v3.26.1 5113 imagePullPolicy: IfNotPresent 5114 name: upgrade-ipam 5115 securityContext: 5116 privileged: true 5117 volumeMounts: 5118 - mountPath: /var/lib/cni/networks 5119 name: host-local-net-dir 5120 - mountPath: /host/opt/cni/bin 5121 name: cni-bin-dir 5122 - command: 5123 - /opt/cni/bin/install 5124 env: 5125 - name: CNI_CONF_NAME 5126 value: 10-calico.conflist 5127 - name: CNI_NETWORK_CONFIG 5128 valueFrom: 5129 configMapKeyRef: 5130 key: cni_network_config 5131 name: calico-config 5132 - name: KUBERNETES_NODE_NAME 5133 valueFrom: 5134 fieldRef: 5135 fieldPath: spec.nodeName 5136 - name: CNI_MTU 5137 valueFrom: 5138 configMapKeyRef: 5139 key: veth_mtu 5140 name: calico-config 5141 - name: SLEEP 5142 value: "false" 5143 envFrom: 5144 - configMapRef: 5145 name: kubernetes-services-endpoint 5146 optional: true 5147 image: docker.io/calico/cni:v3.26.1 5148 imagePullPolicy: IfNotPresent 5149 name: install-cni 5150 securityContext: 5151 privileged: true 5152 volumeMounts: 5153 - mountPath: /host/opt/cni/bin 5154 name: cni-bin-dir 5155 - mountPath: /host/etc/cni/net.d 5156 name: cni-net-dir 5157 - command: 5158 - calico-node 5159 - -init 5160 - -best-effort 5161 image: docker.io/calico/node:v3.26.1 5162 imagePullPolicy: IfNotPresent 5163 name: mount-bpffs 5164 securityContext: 5165 privileged: true 5166 volumeMounts: 5167 - mountPath: /sys/fs 5168 mountPropagation: Bidirectional 5169 name: sys-fs 5170 - mountPath: /var/run/calico 5171 mountPropagation: Bidirectional 5172 name: var-run-calico 5173 - mountPath: /nodeproc 5174 name: nodeproc 5175 readOnly: true 5176 nodeSelector: 5177 kubernetes.io/os: linux 5178 priorityClassName: system-node-critical 5179 serviceAccountName: calico-node 5180 terminationGracePeriodSeconds: 0 5181 tolerations: 5182 - effect: NoSchedule 5183 operator: Exists 5184 - key: CriticalAddonsOnly 
5185 operator: Exists 5186 - effect: NoExecute 5187 operator: Exists 5188 volumes: 5189 - hostPath: 5190 path: /lib/modules 5191 name: lib-modules 5192 - hostPath: 5193 path: /var/run/calico 5194 name: var-run-calico 5195 - hostPath: 5196 path: /var/lib/calico 5197 name: var-lib-calico 5198 - hostPath: 5199 path: /run/xtables.lock 5200 type: FileOrCreate 5201 name: xtables-lock 5202 - hostPath: 5203 path: /sys/fs/ 5204 type: DirectoryOrCreate 5205 name: sys-fs 5206 - hostPath: 5207 path: /sys/fs/bpf 5208 type: Directory 5209 name: bpffs 5210 - hostPath: 5211 path: /proc 5212 name: nodeproc 5213 - hostPath: 5214 path: /opt/cni/bin 5215 name: cni-bin-dir 5216 - hostPath: 5217 path: /etc/cni/net.d 5218 name: cni-net-dir 5219 - hostPath: 5220 path: /var/log/calico/cni 5221 name: cni-log-dir 5222 - hostPath: 5223 path: /var/lib/cni/networks 5224 name: host-local-net-dir 5225 - hostPath: 5226 path: /var/run/nodeagent 5227 type: DirectoryOrCreate 5228 name: policysync 5229 updateStrategy: 5230 rollingUpdate: 5231 maxUnavailable: 1 5232 type: RollingUpdate 5233 kind: ConfigMap 5234 metadata: 5235 annotations: 5236 note: generated 5237 labels: 5238 type: generated 5239 name: cni-${CLUSTER_NAME}-calico 5240 namespace: default