This commit is contained in:
parent
e73c39a71d
commit
74c392523d
20 changed files with 81 additions and 88 deletions
|
|
@ -1,9 +1,6 @@
|
|||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: (devel)
|
||||
creationTimestamp: null
|
||||
name: felixconfigurations.crd.projectcalico.org
|
||||
spec:
|
||||
group: crd.projectcalico.org
|
||||
|
|
@ -62,13 +59,13 @@ spec:
|
|||
true]'
|
||||
type: boolean
|
||||
bpfDataIfacePattern:
|
||||
description: 'BPFDataIfacePattern is a regular expression that controls
|
||||
description: BPFDataIfacePattern is a regular expression that controls
|
||||
which interfaces Felix should attach BPF programs to in order to
|
||||
catch traffic to/from the network. This needs to match the interfaces
|
||||
that Calico workload traffic flows over as well as any interfaces
|
||||
that handle incoming traffic to nodeports and services from outside
|
||||
the cluster. It should not match the workload interfaces (usually
|
||||
named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
|
||||
named cali...).
|
||||
type: string
|
||||
bpfDisableUnprivileged:
|
||||
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
|
||||
|
|
@ -113,10 +110,10 @@ spec:
|
|||
`tc exec bpf debug`. [Default: Off].'
|
||||
type: string
|
||||
chainInsertMode:
|
||||
description: 'ChainInsertMode controls whether Felix hooks the kernel’s
|
||||
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
|
||||
top-level iptables chains by inserting a rule at the top of the
|
||||
chain or by appending a rule at the bottom. insert is the safe default
|
||||
since it prevents Calico’s rules from being bypassed. If you switch
|
||||
since it prevents Calico''s rules from being bypassed. If you switch
|
||||
to append mode, be sure that the other rules in the chains signal
|
||||
acceptance by falling through to the Calico rules, otherwise the
|
||||
Calico policy will be bypassed. [Default: insert]'
|
||||
|
|
@ -198,7 +195,7 @@ spec:
|
|||
Each port should be specified as tcp:<port-number> or udp:<port-number>.
|
||||
For back-compatibility, if the protocol is not specified, it defaults
|
||||
to “tcp”. To disable all outbound host ports, use the value none.
|
||||
The default value opens etcd’s standard ports to ensure that Felix
|
||||
The default value opens etcd''s standard ports to ensure that Felix
|
||||
does not get cut off from etcd as well as allowing DHCP and DNS.
|
||||
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
|
||||
udp:53, udp:67]'
|
||||
|
|
@ -250,8 +247,8 @@ spec:
|
|||
workload endpoints and so distinguishes them from host endpoint
|
||||
interfaces. Note: in environments other than bare metal, the orchestrators
|
||||
configure this appropriately. For example our Kubernetes and Docker
|
||||
integrations set the ‘cali’ value, and our OpenStack integration
|
||||
sets the ‘tap’ value. [Default: cali]'
|
||||
integrations set the ''cali'' value, and our OpenStack integration
|
||||
sets the ''tap'' value. [Default: cali]'
|
||||
type: string
|
||||
interfaceRefreshInterval:
|
||||
description: InterfaceRefreshInterval is the period at which Felix
|
||||
|
|
@ -267,7 +264,7 @@ spec:
|
|||
ipsetsRefreshInterval:
|
||||
description: 'IpsetsRefreshInterval is the period at which Felix re-checks
|
||||
all iptables state to ensure that no other process has accidentally
|
||||
broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:
|
||||
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
|
||||
90s]'
|
||||
type: string
|
||||
iptablesBackend:
|
||||
|
|
@ -279,7 +276,7 @@ spec:
|
|||
iptablesLockFilePath:
|
||||
description: 'IptablesLockFilePath is the location of the iptables
|
||||
lock file. You may need to change this if the lock file is not in
|
||||
its standard location (for example if you have mapped it into Felix’s
|
||||
its standard location (for example if you have mapped it into Felix''s
|
||||
container at a different path). [Default: /run/xtables.lock]'
|
||||
type: string
|
||||
iptablesLockProbeInterval:
|
||||
|
|
@ -311,16 +308,16 @@ spec:
|
|||
description: 'IptablesPostWriteCheckInterval is the period after Felix
|
||||
has done a write to the dataplane that it schedules an extra read
|
||||
back in order to check the write was not clobbered by another process.
|
||||
This should only occur if another application on the system doesn’t
|
||||
This should only occur if another application on the system doesn''t
|
||||
respect the iptables lock. [Default: 1s]'
|
||||
type: string
|
||||
iptablesRefreshInterval:
|
||||
description: 'IptablesRefreshInterval is the period at which Felix
|
||||
re-checks the IP sets in the dataplane to ensure that no other process
|
||||
has accidentally broken Calico’s rules. Set to 0 to disable IP sets
|
||||
refresh. Note: the default for this value is lower than the other
|
||||
refresh intervals as a workaround for a Linux kernel bug that was
|
||||
fixed in kernel version 4.11. If you are using v4.11 or greater
|
||||
has accidentally broken Calico''s rules. Set to 0 to disable IP
|
||||
sets refresh. Note: the default for this value is lower than the
|
||||
other refresh intervals as a workaround for a Linux kernel bug that
|
||||
was fixed in kernel version 4.11. If you are using v4.11 or greater
|
||||
you may want to set this to, a higher value to reduce Felix CPU
|
||||
usage. [Default: 10s]'
|
||||
type: string
|
||||
|
|
@ -371,10 +368,15 @@ spec:
|
|||
type: string
|
||||
metadataPort:
|
||||
description: 'MetadataPort is the port of the metadata server. This,
|
||||
combined with global.MetadataAddr (if not ‘None’), is used to set
|
||||
up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
|
||||
combined with global.MetadataAddr (if not ''None''), is used to
|
||||
set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
|
||||
In most cases this should not need to be changed [Default: 8775].'
|
||||
type: integer
|
||||
mtuIfacePattern:
|
||||
description: MTUIfacePattern is a regular expression that controls
|
||||
which interfaces Felix should scan in order to calculate the host's
|
||||
MTU. This should not match workload interfaces (usually named cali...).
|
||||
type: string
|
||||
natOutgoingAddress:
|
||||
description: NATOutgoingAddress specifies an address to use when performing
|
||||
source NAT for traffic in a natOutgoing pool that is leaving the
|
||||
|
|
@ -445,9 +447,9 @@ spec:
|
|||
status reports. [Default: 90s]'
|
||||
type: string
|
||||
routeRefreshInterval:
|
||||
description: 'RouterefreshInterval is the period at which Felix re-checks
|
||||
description: 'RouteRefreshInterval is the period at which Felix re-checks
|
||||
the routes in the dataplane to ensure that no other process has
|
||||
accidentally broken Calico’s rules. Set to 0 to disable route refresh.
|
||||
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
|
||||
[Default: 90s]'
|
||||
type: string
|
||||
routeSource:
|
||||
|
|
@ -468,6 +470,13 @@ spec:
|
|||
- max
|
||||
- min
|
||||
type: object
|
||||
serviceLoopPrevention:
|
||||
description: 'When service IP advertisement is enabled, prevent routing
|
||||
loops to service IPs that are not in use, by dropping or rejecting
|
||||
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
|
||||
in which case such routing loops continue to be allowed. [Default:
|
||||
Drop]'
|
||||
type: string
|
||||
sidecarAccelerationEnabled:
|
||||
description: 'SidecarAccelerationEnabled enables experimental sidecar
|
||||
acceleration [Default: false]'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue