From 9014aa38d328992ffde3e437ea041376b16a486b Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 5 Mar 2023 10:43:57 +0100
Subject: [PATCH] Update calico to version 3.25.0

---
 ...ctcalico.org-CustomResourceDefinition.yaml | 6 ++
 ...ctcalico.org-CustomResourceDefinition.yaml | 11 ++++
 .../calico-kube-controllers-Deployment.yaml | 2 +-
 templates/calico-node-DaemonSet.yaml | 8 +--
 templates/calicoctl-Pod.yaml | 2 +-
 templates/calicoctl-ServiceAccount.yaml | 2 +-
 ...ctcalico.org-CustomResourceDefinition.yaml | 59 +++++++++++++++----
 7 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/templates/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
index e03fc90..8eb1faa 100644
--- a/templates/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
@@ -64,6 +64,12 @@ spec:
 type: string
 type: object
 type: array
+ ignoredInterfaces:
+ description: IgnoredInterfaces indicates the network interfaces that needs to be excluded when reading device routes.
+ items:
+ type: string
+ type: array
 listenPort:
 description: ListenPort is the port where BGP protocol should listen. Defaults to 179
diff --git a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml
index 7f6ca5b..63a7b7f 100644
--- a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml
@@ -101,12 +101,23 @@ spec:
 remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set.
 type: string
+ reachableBy:
+ description: Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. ReachableBy contains the address of the gateway which peer can be reached by.
+ type: string
 sourceAddress:
 description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address.
 type: string
+ ttlSecurity:
+ description: TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops (edges) between the peers.
+ type: integer
 type: object
 type: object
 served: true
diff --git a/templates/calico-kube-controllers-Deployment.yaml b/templates/calico-kube-controllers-Deployment.yaml
index 42104ea..a7a5df2 100644
--- a/templates/calico-kube-controllers-Deployment.yaml
+++ b/templates/calico-kube-controllers-Deployment.yaml
@@ -36,7 +36,7 @@ spec:
 priorityClassName: system-cluster-critical
 containers:
 - name: calico-kube-controllers
- image: docker.io/calico/kube-controllers:v3.24.5
+ image: docker.io/calico/kube-controllers:v3.25.0
 imagePullPolicy: IfNotPresent
 env:
 # Choose which controllers to run.
diff --git a/templates/calico-node-DaemonSet.yaml b/templates/calico-node-DaemonSet.yaml
index a56afc2..685289c 100644
--- a/templates/calico-node-DaemonSet.yaml
+++ b/templates/calico-node-DaemonSet.yaml
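Review bot: `ttlSecurity` is added as a bare `type: integer` with no `minimum`/`maximum`, although its own description defines it as the hop count GTSM uses to derive the expected TTL, so the API server will accept 0 or negative hop counts that cannot describe a real peering. If this CRD is kept as a verbatim copy of upstream the constraint belongs upstream; otherwise `minimum: 1` under `ttlSecurity` (and `maximum: 254`, if the implementation follows RFC 5082's 255-minus-hops scheme) is the cheapest place to reject such values. `reachableBy` has the same gap: a gateway address stored as an unconstrained string, where a `pattern` or CEL rule would catch malformed input before a static route is programmed. How Felix or BIRD react to an out-of-range value is not visible in this hunk.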
@@ -44,7 +44,7 @@ spec:
 # It can be deleted if this is a fresh installation, or if you have already
 # upgraded to use calico-ipam.
 - name: upgrade-ipam
- image: docker.io/calico/cni:v3.24.5
+ image: docker.io/calico/cni:v3.25.0
 imagePullPolicy: IfNotPresent
 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
 envFrom:
@@ -72,7 +72,7 @@ spec:
 # This container installs the CNI binaries
 # and CNI network config file on each node.
 - name: install-cni
- image: docker.io/calico/cni:v3.24.5
+ image: docker.io/calico/cni:v3.25.0
 imagePullPolicy: IfNotPresent
 command: ["/opt/cni/bin/install"]
 envFrom:
@@ -115,7 +115,7 @@ spec:
 # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
 # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
 - name: "mount-bpffs"
- image: docker.io/calico/node:v3.24.5
+ image: docker.io/calico/node:v3.25.0
 imagePullPolicy: IfNotPresent
 command: ["calico-node", "-init", "-best-effort"]
 volumeMounts:
@@ -141,7 +141,7 @@ spec:
 # container programs network policy and routes on each
 # host.
 - name: calico-node
- image: docker.io/calico/node:v3.24.5
+ image: docker.io/calico/node:v3.25.0
 imagePullPolicy: IfNotPresent
 envFrom:
 - configMapRef:
diff --git a/templates/calicoctl-Pod.yaml b/templates/calicoctl-Pod.yaml
index 3dc89f5..20ab376 100644
--- a/templates/calicoctl-Pod.yaml
+++ b/templates/calicoctl-Pod.yaml
@@ -11,7 +11,7 @@ spec:
 serviceAccountName: calicoctl
 containers:
 - name: calicoctl
- image: calico/ctl:v3.24.5
+ image: calico/ctl:v3.25.0
 command:
 - /calicoctl
 args:
diff --git a/templates/calicoctl-ServiceAccount.yaml b/templates/calicoctl-ServiceAccount.yaml
index a20307b..9e7c8f3 100644
--- a/templates/calicoctl-ServiceAccount.yaml
+++ b/templates/calicoctl-ServiceAccount.yaml
@@ -1,7 +1,7 @@
 # Calico Version master
 # https://projectcalico.docs.tigera.io/releases#master
 # This manifest includes the following component versions:
-# calico/ctl:v3.24.5
+# calico/ctl:v3.25.0
 apiVersion: v1
 kind: ServiceAccount
diff --git a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
index fc8f592..0f8b1a0 100644
--- a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
@@ -80,9 +80,10 @@ spec:
 [Default: false]'
 type: boolean
 bpfEnforceRPF:
- description: 'BPFEnforceRPF enforce strict RPF on all interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled or Strict. [Default: Strict]'
+ description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Strict]'
 type: string
 bpfExtToServiceConnmark:
 description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@@ -122,6 +123,14 @@ spec:
 kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]'
 type: string
+ bpfL3IfacePattern:
+ description: BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
+ type: string
 bpfLogLevel:
 description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
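Review bot: The new `bpfEnforceRPF` description lists `Loose` as an accepted value but still opens with "enforce strict RPF on all host interfaces", so the one value that relaxes reverse-path filtering is the one the text never explains. A practitioner reading the schema needs to know that, in the usual RFC 3704 sense, `Loose` only requires some route to the source address to exist, which is weaker anti-spoofing on host interfaces than `Strict`; suggest extending the description with `Strict drops packets whose source is not routable via the receiving interface; Loose only requires a route for the source to exist and offers weaker anti-spoofing.` The field also stays `type: string` with no `enum`, so the API server will not reject values outside Disabled/Strict/Loose, and whether Felix then falls back to the default or ignores the setting is not visible here. If this file mirrors upstream verbatim, raise both points there rather than patching the copy.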
@@ -197,11 +206,12 @@ spec:
 to use. Only used if UseInternalDataplaneDriver is set to false.
 type: string
 dataplaneWatchdogTimeout:
- description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix''s (internal) dataplane driver. Increase this value
+ description: "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value
 if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live
- or non-ready more quickly. [Default: 90s]'
+ or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides."
 type: string
 debugDisableLogDropping:
 type: boolean
@@ -305,15 +315,21 @@ spec:
 type: object
 type: array
 featureDetectOverride:
- description: FeatureDetectOverride is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
+ description: FeatureDetectOverride is used to override feature detection based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
+ type: string
+ featureGates:
+ description: FeatureGates is used to enable or disable tech-preview Calico features. Values are specified in a comma separated list with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is used to enable features that are not fully production ready.
 type: string
 floatingIPs:
 description: FloatingIPs configures whether or not Felix will program
- floating IP addresses.
+ non-OpenStack floating IP addresses. (OpenStack-derived floating IPs are always programmed, regardless of this setting.)
 enum:
 - Enabled
 - Disabled
@@ -330,6 +346,23 @@ spec:
 type: string
 healthPort:
 type: integer
+ healthTimeoutOverrides:
+ description: HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be overriden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs.
+ items:
+ properties:
+ name:
+ type: string
+ timeout:
+ type: string
+ required:
+ - name
+ - timeout
+ type: object
+ type: array
 interfaceExclude:
 description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The
@@ -371,7 +404,7 @@ spec:
 type: string
 iptablesBackend:
 description: IptablesBackend specifies which backend of iptables will
- be used. The default is legacy.
+ be used. The default is Auto.
 type: string
 iptablesFilterAllowAction:
 type: string
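Review bot: The `iptablesBackend` description now states the default is `Auto` instead of `legacy`, which is a behaviour change for every cluster that never set the field: after this upgrade Felix may pick a different iptables backend on nodes where both legacy and nft tooling are present, and the commit message does not mention it. The field also remains a plain `type: string` with no `enum`, so nothing in the API server guards the spelling of whichever value an operator chooses. If this chart ships a FelixConfiguration (none appears in this diff), consider pinning `iptablesBackend` explicitly to the backend the cluster ran on v3.24.5 and calling out the new default in the release notes; how `Auto` selects a backend is not visible here.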