Update calico to version 3.27.0

2023-12-22 07:38:58 +01:00 · 2023-12-22 07:38:58 +01:00 · aa136636cc
commit aa136636cc
parent 7be2148dc5
9 changed files with 148 additions and 17 deletions
--- a/bin/update.sh
+++ b/bin/update.sh
@ -1,5 +1,5 @@
 #!/bin/bash
-CALICO_VERSION="3.26.4"
+CALICO_VERSION="3.27.0"
 #BASEURL=https://docs.projectcalico.org/manifests
 #BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
 BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests"
--- a/templates/bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -46,12 +46,14 @@ spec:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              exportV6:
@ -65,12 +67,14 @@ spec:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              importV4:
@ -84,12 +88,14 @@ spec:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
              importV6:
@ -103,12 +109,14 @@ spec:
                      type: string
                    cidr:
                      type: string
                    interface:
                      type: string
                    matchOperator:
                      type: string
                    source:
                      type: string
                  required:
                  - action
                  - cidr
                  - matchOperator
                  type: object
                type: array
            type: object
--- a/templates/calico-kube-controllers-Deployment.yaml
+++ b/templates/calico-kube-controllers-Deployment.yaml
@ -36,7 +36,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.26.4
+          image: docker.io/calico/kube-controllers:v3.27.0
          imagePullPolicy: IfNotPresent
          env:
            # Choose which controllers to run.
--- a/templates/calico-node-DaemonSet.yaml
+++ b/templates/calico-node-DaemonSet.yaml
@ -44,7 +44,7 @@ spec:
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.26.4
+          image: docker.io/calico/cni:v3.27.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
@ -72,7 +72,7 @@ spec:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
-          image: docker.io/calico/cni:v3.26.4
+          image: docker.io/calico/cni:v3.27.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/install"]
          envFrom:
@ -115,7 +115,7 @@ spec:
        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
        - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.26.4
+          image: docker.io/calico/node:v3.27.0
          imagePullPolicy: IfNotPresent
          command: ["calico-node", "-init", "-best-effort"]
          volumeMounts:
@ -141,7 +141,7 @@ spec:
        # container programs network policy and routes on each
        # host.
        - name: calico-node
-          image: docker.io/calico/node:v3.26.4
+          image: docker.io/calico/node:v3.27.0
          imagePullPolicy: IfNotPresent
          envFrom:
          - configMapRef:
--- a/templates/calicoctl-Pod.yaml
+++ b/templates/calicoctl-Pod.yaml
@ -11,7 +11,7 @@ spec:
  serviceAccountName: calicoctl
  containers:
  - name: calicoctl
-    image: calico/ctl:v3.26.4
+    image: calico/ctl:v3.27.0
    command:
      - /calicoctl
    args:
--- a/templates/calicoctl-ServiceAccount.yaml
+++ b/templates/calicoctl-ServiceAccount.yaml
@ -1,7 +1,7 @@
 # Calico Version master
 # https://projectcalico.docs.tigera.io/releases#master
 # This manifest includes the following component versions:
-#   calico/ctl:v3.26.4
+#   calico/ctl:v3.27.0
 apiVersion: v1
 kind: ServiceAccount
--- a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -52,12 +52,32 @@ spec:
                - Enable
                - Disable
                type: string
              bpfCTLBLogFilter:
                description: 'BPFCTLBLogFilter specifies, what is logged by connect
                  time load balancer when BPFLogLevel is debug. Currently has to be
                  specified as ''all'' when BPFLogFilters is set to see CTLB logs.
                  [Default: unset - means logs are emitted when BPFLogLevel id debug
                  and BPFLogFilters not set.]'
                type: string
              bpfConnectTimeLoadBalancing:
                description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
                  whether Felix installs the connect-time load balancer. The connect-time
                  load balancer is required for the host to be able to reach Kubernetes
                  services and it improves the performance of pod-to-service connections.When
                  set to TCP, connect time load balancing is available only for services
                  with TCP ports. [Default: TCP]'
                enum:
                - TCP
                - Enabled
                - Disabled
                type: string
              bpfConnectTimeLoadBalancingEnabled:
                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
                  controls whether Felix installs the connection-time load balancer.  The
                  connect-time load balancer is required for the host to be able to
                  reach Kubernetes services and it improves the performance of pod-to-service
-                  connections.  The only reason to disable it is for debugging purposes.  [Default:
+                  connections.  The only reason to disable it is for debugging purposes.
                  This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
                  true]'
                type: boolean
              bpfDSROptoutCIDRs:
@ -76,6 +96,12 @@ spec:
                  the cluster.  It should not match the workload interfaces (usually
                  named cali...).
                type: string
              bpfDisableGROForIfaces:
                description: BPFDisableGROForIfaces is a regular expression that controls
                  which interfaces Felix should disable the Generic Receive Offload
                  [GRO] option.  It should not match the workload interfaces (usually
                  named cali...).
                type: string
              bpfDisableUnprivileged:
                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
                  sysctl to disable unprivileged use of BPF.  This ensures that unprivileged
@ -91,6 +117,7 @@ spec:
                  with BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled, Strict or Loose. [Default:
                  Loose]'
                pattern: ^(?i)(Disabled|Strict|Loose)?$
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@ -108,12 +135,31 @@ spec:
                  is sent directly from the remote node.  In "DSR" mode, the remote
                  node appears to use the IP of the ingress node; this requires a
                  permissive L2 network.  [Default: Tunnel]'
                pattern: ^(?i)(Tunnel|DSR)?$
                type: string
              bpfForceTrackPacketsFromIfaces:
                description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
                  from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
                  traffic from those interfaces to be tracked by Linux conntrack.  Should
                  only be used for interfaces that are not used for the Calico fabric.  For
                  example, a docker bridge device for non-Calico-networked containers.
                  [Default: docker+]'
                items:
                  type: string
                type: array
              bpfHostConntrackBypass:
                description: 'BPFHostConntrackBypass Controls whether to bypass Linux
                  conntrack in BPF mode for workloads and services. [Default: true
                  - bypass Linux conntrack]'
                type: boolean
              bpfHostNetworkedNATWithoutCTLB:
                description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
                  whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
                  determines the CTLB behavior. [Default: Enabled]'
                enum:
                - Enabled
                - Disabled
                type: string
              bpfKubeProxyEndpointSlicesEnabled:
                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
@ -129,6 +175,7 @@ spec:
                  minimum time between updates to the dataplane for Felix''s embedded
                  kube-proxy.  Lower values give reduced set-up latency.  Higher values
                  reduce Felix CPU usage by batching up more work.  [Default: 1s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              bpfL3IfacePattern:
                description: BPFL3IfacePattern is a regular expression that allows
@ -138,11 +185,22 @@ spec:
                  as any interfaces that handle incoming traffic to nodeports and
                  services from outside the cluster.
                type: string
              bpfLogFilters:
                additionalProperties:
                  type: string
                description: "BPFLogFilters is a map of key=values where the value
                  is a pcap filter expression and the key is an interface name with
                  'all' denoting all interfaces, 'weps' all workload endpoints and
                  'heps' all host endpoints. \n When specified as an env var, it accepts
                  a comma-separated list of key=values. [Default: unset - means all
                  debug logs are emitted]"
                type: object
              bpfLogLevel:
                description: 'BPFLogLevel controls the log level of the BPF programs
                  when in BPF dataplane mode.  One of "Off", "Info", or "Debug".  The
                  logs are emitted to the BPF trace pipe, accessible with the command
                  `tc exec bpf debug`. [Default: Off].'
                pattern: ^(?i)(Off|Info|Debug)?$
                type: string
              bpfMapSizeConntrack:
                description: 'BPFMapSizeConntrack sets the size for the conntrack
@ -207,6 +265,7 @@ spec:
                  to append mode, be sure that the other rules in the chains signal
                  acceptance by falling through to the Calico rules, otherwise the
                  Calico policy will be bypassed. [Default: insert]'
                pattern: ^(?i)(insert|append)?$
                type: string
              dataplaneDriver:
                description: DataplaneDriver filename of the external dataplane driver
@ -225,8 +284,10 @@ spec:
              debugMemoryProfilePath:
                type: string
              debugSimulateCalcGraphHangAfter:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              debugSimulateDataplaneHangAfter:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              defaultEndpointToHostAction:
                description: 'DefaultEndpointToHostAction controls what happens to
@ -241,6 +302,7 @@ spec:
                  endpoint egress policy. Use ACCEPT to unconditionally accept packets
                  from workloads after processing workload endpoint egress policy.
                  [Default: Drop]'
                pattern: ^(?i)(Drop|Accept|Return)?$
                type: string
              deviceRouteProtocol:
                description: This defines the route protocol added to programmed device
@ -259,6 +321,7 @@ spec:
              disableConntrackInvalidCheck:
                type: boolean
              endpointReportingDelay:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              endpointReportingEnabled:
                type: boolean
@ -326,12 +389,14 @@ spec:
                  based on auto-detected platform capabilities.  Values are specified
                  in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".  "true"
                  or "false" will force the feature, empty or omitted values are auto-detected.
                pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
                type: string
              featureGates:
                description: FeatureGates is used to enable or disable tech-preview
                  Calico features. Values are specified in a comma separated list
                  with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
                  This is used to enable features that are not fully production ready.
                pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
                type: string
              floatingIPs:
                description: FloatingIPs configures whether or not Felix will program
@ -393,6 +458,7 @@ spec:
                description: InterfaceRefreshInterval is the period at which Felix
                  rescans local interfaces to verify their state. The rescan can be
                  disabled by setting the interval to 0.
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              ipipEnabled:
                description: 'IPIPEnabled overrides whether Felix should configure
@ -408,18 +474,22 @@ spec:
                  all iptables state to ensure that no other process has accidentally
                  broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
                  90s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              iptablesBackend:
                description: IptablesBackend specifies which backend of iptables will
                  be used. The default is Auto.
                pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
                type: string
              iptablesFilterAllowAction:
                pattern: ^(?i)(Accept|Return)?$
                type: string
              iptablesFilterDenyAction:
                description: IptablesFilterDenyAction controls what happens to traffic
                  that is denied by network policy. By default Calico blocks traffic
                  with an iptables "DROP" action. If you want to use "REJECT" action
                  instead you can configure it in here.
                pattern: ^(?i)(Drop|Reject)?$
                type: string
              iptablesLockFilePath:
                description: 'IptablesLockFilePath is the location of the iptables
@ -432,6 +502,7 @@ spec:
                  wait between attempts to acquire the iptables lock if it is not
                  available. Lower values make Felix more responsive when the lock
                  is contended, but use more CPU. [Default: 50ms]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              iptablesLockTimeout:
                description: 'IptablesLockTimeout is the time that Felix will wait
@ -440,8 +511,10 @@ spec:
                  also take the lock. When running Felix inside a container, this
                  requires the /run directory of the host to be mounted into the calico/node
                  or calico/felix container. [Default: 0s disabled]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              iptablesMangleAllowAction:
                pattern: ^(?i)(Accept|Return)?$
                type: string
              iptablesMarkMask:
                description: 'IptablesMarkMask is the mask that Felix selects its
@ -458,6 +531,7 @@ spec:
                  back in order to check the write was not clobbered by another process.
                  This should only occur if another application on the system doesn''t
                  respect the iptables lock. [Default: 1s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              iptablesRefreshInterval:
                description: 'IptablesRefreshInterval is the period at which Felix
@ -468,6 +542,7 @@ spec:
                  was fixed in kernel version 4.11. If you are using v4.11 or greater
                  you may want to set this to, a higher value to reduce Felix CPU
                  usage. [Default: 10s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              ipv6Support:
                description: IPv6Support controls whether Felix enables support for
@ -502,15 +577,18 @@ spec:
              logSeverityFile:
                description: 'LogSeverityFile is the log severity above which logs
                  are sent to the log file. [Default: Info]'
                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
                type: string
              logSeverityScreen:
                description: 'LogSeverityScreen is the log severity above which logs
                  are sent to the stdout. [Default: Info]'
                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
                type: string
              logSeveritySys:
                description: 'LogSeveritySys is the log severity above which logs
                  are sent to the syslog. Set to None for no logging to syslog. [Default:
                  Info]'
                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
                type: string
              maxIpsetSize:
                type: integer
@ -549,6 +627,7 @@ spec:
                pattern: ^.*
                x-kubernetes-int-or-string: true
              netlinkTimeout:
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              openstackRegion:
                description: 'OpenstackRegion is the name of the region that a particular
@ -603,21 +682,25 @@ spec:
                description: 'ReportingInterval is the interval at which Felix reports
                  its status into the datastore or 0 to disable. Must be non-zero
                  in OpenStack deployments. [Default: 30s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              reportingTTL:
                description: 'ReportingTTL is the time-to-live setting for process-wide
                  status reports. [Default: 90s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              routeRefreshInterval:
                description: 'RouteRefreshInterval is the period at which Felix re-checks
                  the routes in the dataplane to ensure that no other process has
                  accidentally broken Calico''s rules. Set to 0 to disable route refresh.
                  [Default: 90s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              routeSource:
                description: 'RouteSource configures where Felix gets its routing
                  information. - WorkloadIPs: use workload endpoints to construct
                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
                type: string
              routeSyncDisabled:
                description: RouteSyncDisabled will disable all operations performed
@ -657,6 +740,7 @@ spec:
                  packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
                  in which case such routing loops continue to be allowed. [Default:
                  Drop]'
                pattern: ^(?i)(Drop|Reject|Disabled)?$
                type: string
              sidecarAccelerationEnabled:
                description: 'SidecarAccelerationEnabled enables experimental sidecar
@ -672,10 +756,12 @@ spec:
              usageReportingInitialDelay:
                description: 'UsageReportingInitialDelay controls the minimum delay
                  before Felix makes a report. [Default: 300s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              usageReportingInterval:
                description: 'UsageReportingInterval controls the interval at which
                  Felix makes reports. [Default: 86400s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              useInternalDataplaneDriver:
                description: UseInternalDataplaneDriver, if true, Felix will use its
@ -699,6 +785,14 @@ spec:
                type: integer
              vxlanVNI:
                type: integer
              windowsManageFirewallRules:
                description: 'WindowsManageFirewallRules configures whether or not
                  Felix will program Windows Firewall rules. (to allow inbound access
                  to its own metrics ports) [Default: Disabled]'
                enum:
                - Enabled
                - Disabled
                type: string
              wireguardEnabled:
                description: 'WireguardEnabled controls whether Wireguard is enabled
                  for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
@ -724,6 +818,7 @@ spec:
              wireguardKeepAlive:
                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
                  option. Set 0 to disable. [Default: 0]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
              wireguardListeningPort:
                description: 'WireguardListeningPort controls the listening port used
@ -750,6 +845,7 @@ spec:
                  the allowedSourcePrefixes annotation to send traffic with a source
                  IP address that is not theirs. This is disabled by default. When
                  set to "Any", pods can request any prefix.
                pattern: ^(?i)(Disabled|Any)?$
                type: string
              xdpEnabled:
                description: 'XDPEnabled enables XDP acceleration for suitable untracked
@ -760,6 +856,7 @@ spec:
                  all XDP state to ensure that no other process has accidentally broken
                  Calico''s BPF maps or attached programs. Set to 0 to disable XDP
                  refresh. [Default: 90s]'
                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                type: string
            type: object
        type: object
--- a/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -800,6 +800,19 @@ spec:
                  with identical order will be applied in alphanumerical order based
                  on the Policy "Name".
                type: number
              performanceHints:
                description: "PerformanceHints contains a list of hints to Calico's
                  policy engine to help process the policy more efficiently.  Hints
                  never change the enforcement behaviour of the policy. \n Currently,
                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
                  hint is set on a policy, Felix will act as if the policy matches
                  a local endpoint even if it does not. This is useful for \"preloading\"
                  any large static policies that are known to be used on every node.
                  If the policy is _not_ used on a particular node then the work done
                  to preload the policy (and to maintain it) is wasted."
                items:
                  type: string
                type: array
              preDNAT:
                description: PreDNAT indicates to apply the rules in this policy before
                  any DNAT.
--- a/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
+++ b/templates/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml
@ -785,6 +785,19 @@ spec:
                  with identical order will be applied in alphanumerical order based
                  on the Policy "Name".
                type: number
              performanceHints:
                description: "PerformanceHints contains a list of hints to Calico's
                  policy engine to help process the policy more efficiently.  Hints
                  never change the enforcement behaviour of the policy. \n Currently,
                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
                  hint is set on a policy, Felix will act as if the policy matches
                  a local endpoint even if it does not. This is useful for \"preloading\"
                  any large static policies that are known to be used on every node.
                  If the policy is _not_ used on a particular node then the work done
                  to preload the policy (and to maintain it) is wasted."
                items:
                  type: string
                type: array
              selector:
                description: "The selector is an expression used to pick pick out
                  the endpoints that the policy should be applied to. \n Selector