From e2bb4a7cb898b09c1913c4339211d23b19c2e167 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Tue, 23 Feb 2021 16:31:44 +0100 Subject: [PATCH] Update from upstream --- ...ctcalico.org-CustomResourceDefinition.yaml | 12 +++++++++++ ...ctcalico.org-CustomResourceDefinition.yaml | 6 ++++++ .../calico-kube-controllers-ClusterRole.yaml | 1 + files/calico-kube-controllers-Deployment.yaml | 2 +- files/calico-node-DaemonSet.yaml | 8 ++++---- ...ctcalico.org-CustomResourceDefinition.yaml | 12 +++++------ ...ctcalico.org-CustomResourceDefinition.yaml | 20 +++++++++---------- ...ctcalico.org-CustomResourceDefinition.yaml | 2 +- ...ctcalico.org-CustomResourceDefinition.yaml | 9 +++++++++ ...ctcalico.org-CustomResourceDefinition.yaml | 20 +++++++++---------- 10 files changed, 60 insertions(+), 32 deletions(-) diff --git a/files/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml index cf207e8..c2233e9 100644 --- a/files/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -119,6 +119,18 @@ spec: type: string type: object type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array type: object type: object served: true diff --git a/files/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml index ac8d002..822fd0b 100644 --- a/files/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -88,6 +88,12 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string type: object type: object served: true diff --git a/files/calico-kube-controllers-ClusterRole.yaml b/files/calico-kube-controllers-ClusterRole.yaml index b905b40..f051d13 100644 --- a/files/calico-kube-controllers-ClusterRole.yaml +++ b/files/calico-kube-controllers-ClusterRole.yaml @@ -38,6 +38,7 @@ rules: - create - update - delete + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: diff --git a/files/calico-kube-controllers-Deployment.yaml b/files/calico-kube-controllers-Deployment.yaml index f42a0a6..0fac11e 100644 --- a/files/calico-kube-controllers-Deployment.yaml +++ b/files/calico-kube-controllers-Deployment.yaml @@ -34,7 +34,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.17.3 + image: docker.io/calico/kube-controllers:v3.18.0 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/files/calico-node-DaemonSet.yaml b/files/calico-node-DaemonSet.yaml index 6b86c4b..a8df48d 100644 --- a/files/calico-node-DaemonSet.yaml +++ b/files/calico-node-DaemonSet.yaml @@ -44,7 +44,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.17.3 + image: docker.io/calico/cni:v3.18.0 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: @@ -71,7 +71,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.17.3 + image: docker.io/calico/cni:v3.18.0 command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -112,7 +112,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: docker.io/calico/pod2daemon-flexvol:v3.17.3 + image: docker.io/calico/pod2daemon-flexvol:v3.18.0 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -123,7 +123,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.17.3 + image: docker.io/calico/node:v3.18.0 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. diff --git a/files/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml index 220e34f..7f3e5de 100644 --- a/files/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/felixconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -133,11 +133,11 @@ spec: traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic + iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' @@ -171,7 +171,7 @@ spec: accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. + to "tcp". To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' items: @@ -194,7 +194,7 @@ spec: to avoid accidentally cutting off a host with incorrect configuration. Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. + to "tcp". To disable all outbound host ports, use the value none. The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, diff --git a/files/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml index dc90b0a..170c725 100644 --- a/files/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/globalnetworkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -48,7 +48,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -131,9 +131,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -336,9 +336,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -379,7 +379,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -462,9 +462,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -667,9 +667,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." diff --git a/files/hostendpoints.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/hostendpoints.crd.projectcalico.org-CustomResourceDefinition.yaml index 551f83f..74474b6 100644 --- a/files/hostendpoints.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/hostendpoints.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -56,7 +56,7 @@ spec: is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint + as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation diff --git a/files/kubecontrollersconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/kubecontrollersconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml index 9c9243f..9bc1987 100644 --- a/files/kubecontrollersconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/kubecontrollersconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -106,6 +106,10 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer required: - controllers type: object @@ -206,6 +210,11 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer required: - controllers type: object diff --git a/files/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml b/files/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml index f555792..860c654 100644 --- a/files/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml +++ b/files/networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml @@ -37,7 +37,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -120,9 +120,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -325,9 +325,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -368,7 +368,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -451,9 +451,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -656,9 +656,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."