diff --git a/bin/update.sh b/bin/update.sh
index 659c569..b79fd35 100755
--- a/bin/update.sh
+++ b/bin/update.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
-BASEURL=https://docs.projectcalico.org/manifests
+CALICO_VERSION="3.26.0"
+#BASEURL=https://docs.projectcalico.org/manifests
 #BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
+BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests"
 curl "${BASEURL}"/calico.yaml -O
 kubernetes-split-yaml calico.yaml > generated.log
 mv generated/*.yaml templates/
diff --git a/templates/bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml
new file mode 100644
index 0000000..da2828e
--- /dev/null
+++ b/templates/bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml
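Review bot: The `curl "${BASEURL}"/calico.yaml -O` context line still writes whatever the server returns: without `--fail` a 404 for a mistyped `CALICO_VERSION` tag leaves an HTML error page in calico.yaml, and with no `set -e` the following `kubernetes-split-yaml` and `mv` run anyway, so the new version pin is the only check in the script. I would change the fetch to `curl -fsSL --retry 3 -o calico.yaml "${BASEURL}/calico.yaml"` and add `set -euo pipefail` after the shebang. Fetching by tag also leaves the manifest mutable if the tag is ever moved; if reproducibility matters, record the manifest digest (for example the output of `sha256sum calico.yaml`) in the repo and compare it on the next run, or fetch by commit SHA instead of `v${CALICO_VERSION}`. Since templates/ is regenerated here but vars/calico-files.yaml is maintained by hand (this commit adds the three calico-cni-plugin entries to it manually), the script could also print any file in templates/ that the vars file does not mention, so a newly added upstream resource is not silently left out of the rollout.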
@@ -0,0 +1,123 @@ +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. 
+ properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + matchOperator: + type: string + required: + - action + - cidr + - matchOperator + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml index 63a7b7f..742cf79 100644 --- a/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -36,6 +36,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
diff --git a/templates/calico-cni-plugin-ClusterRole.yaml b/templates/calico-cni-plugin-ClusterRole.yaml new file mode 100644 index 0000000..45e79e9 --- /dev/null +++ b/templates/calico-cni-plugin-ClusterRole.yaml @@ -0,0 +1,34 @@ +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete diff --git a/templates/calico-cni-plugin-ClusterRoleBinding.yaml b/templates/calico-cni-plugin-ClusterRoleBinding.yaml new file mode 100644 index 0000000..496974c --- /dev/null +++ b/templates/calico-cni-plugin-ClusterRoleBinding.yaml @@ -0,0 +1,13 @@ +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system diff --git a/templates/calico-cni-plugin-ServiceAccount.yaml b/templates/calico-cni-plugin-ServiceAccount.yaml new file mode 100644 index 0000000..0c644c2 --- /dev/null +++ b/templates/calico-cni-plugin-ServiceAccount.yaml @@ -0,0 +1,6 @@ +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system diff --git a/templates/calico-kube-controllers-Deployment.yaml b/templates/calico-kube-controllers-Deployment.yaml index a7a5df2..8ed9635 100644 --- a/templates/calico-kube-controllers-Deployment.yaml 
+++ b/templates/calico-kube-controllers-Deployment.yaml @@ -36,7 +36,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.25.0 + image: docker.io/calico/kube-controllers:v3.26.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/templates/calico-node-ClusterRole.yaml b/templates/calico-node-ClusterRole.yaml index 6b0cc0f..42e5ed1 100644 --- a/templates/calico-node-ClusterRole.yaml +++ b/templates/calico-node-ClusterRole.yaml @@ -11,7 +11,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -28,7 +28,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -82,6 +82,7 @@ rules: - globalfelixconfigs - felixconfigurations - bgppeers + - bgpfilters - globalbgpconfigs - bgpconfigurations - ippools diff --git a/templates/calico-node-DaemonSet.yaml b/templates/calico-node-DaemonSet.yaml index 685289c..c4669d2 100644 --- a/templates/calico-node-DaemonSet.yaml +++ b/templates/calico-node-DaemonSet.yaml @@ -44,7 +44,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.25.0 + image: docker.io/calico/cni:v3.26.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -72,7 +72,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.25.0 + image: docker.io/calico/cni:v3.26.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
@@ -115,7 +115,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.25.0 + image: docker.io/calico/node:v3.26.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -141,7 +141,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.25.0 + image: docker.io/calico/node:v3.26.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: diff --git a/templates/calicoctl-Pod.yaml b/templates/calicoctl-Pod.yaml index 20ab376..8bb07db 100644 --- a/templates/calicoctl-Pod.yaml +++ b/templates/calicoctl-Pod.yaml @@ -11,7 +11,7 @@ spec: serviceAccountName: calicoctl containers: - name: calicoctl - image: calico/ctl:v3.25.0 + image: calico/ctl:v3.26.0 command: - /calicoctl args: diff --git a/templates/calicoctl-ServiceAccount.yaml b/templates/calicoctl-ServiceAccount.yaml index 9e7c8f3..724c08e 100644 --- a/templates/calicoctl-ServiceAccount.yaml +++ b/templates/calicoctl-ServiceAccount.yaml @@ -1,7 +1,7 @@ # Calico Version master # https://projectcalico.docs.tigera.io/releases#master # This manifest includes the following component versions: -# calico/ctl:v3.25.0 +# calico/ctl:v3.26.0 apiVersion: v1 kind: ServiceAccount diff --git a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml index 0f8b1a0..9788cd9 100644 --- a/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/templates/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml 
@@ -60,6 +60,13 @@ spec: connections. The only reason to disable it is for debugging purposes. [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to @@ -83,7 +90,7 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -348,7 +355,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -408,6 +415,12 @@ spec: type: string iptablesFilterAllowAction: type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in diff --git a/vars/calico-files.yaml b/vars/calico-files.yaml index 1e6e1c6..3aa2380 100644 --- a/vars/calico-files.yaml 
+++ b/vars/calico-files.yaml @@ -3,8 +3,10 @@ calico_files: - "calico-kube-controllers-PodDisruptionBudget.yaml" - "calico-kube-controllers-ServiceAccount.yaml" - "calico-node-ServiceAccount.yaml" + - "calico-cni-plugin-ServiceAccount.yaml" - "calico-config-ConfigMap.yaml" - "bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml" + - "bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml" - "bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml" - "blockaffinities.crd.projectcalico.org-CustomResourceDefinition.yaml" - "caliconodestatuses.crd.projectcalico.org-CustomResourceDefinition.yaml" @@ -23,8 +25,10 @@ calico_files: - "networksets.crd.projectcalico.org-CustomResourceDefinition.yaml" - "calico-kube-controllers-ClusterRole.yaml" - "calico-node-ClusterRole.yaml" + - "calico-cni-plugin-ClusterRole.yaml" - "calico-kube-controllers-ClusterRoleBinding.yaml" - "calico-node-ClusterRoleBinding.yaml" + - "calico-cni-plugin-ClusterRoleBinding.yaml" - "calico-node-DaemonSet.yaml" - "calico-kube-controllers-Deployment.yaml"