This commit is contained in:
parent
6f178af19b
commit
e2bb4a7cb8
GPG key ID:
DA7B27055C66D6DE
10 changed files with 60 additions and 32 deletions
|
|
@ -119,6 +119,18 @@ spec:
|
|||
type: string
|
||||
type: object
|
||||
type: array
|
||||
serviceLoadBalancerIPs:
|
||||
description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
|
||||
Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
|
||||
IPs will only be advertised if they are within one of these blocks.
|
||||
items:
|
||||
description: ServiceLoadBalancerIPBlock represents a single allowed
|
||||
LoadBalancer IP CIDR block.
|
||||
properties:
|
||||
cidr:
|
||||
type: string
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
|
|
|
|||
|
|
@ -88,6 +88,12 @@ spec:
|
|||
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
|
||||
or the global default if that is not set.
|
||||
type: string
|
||||
sourceAddress:
|
||||
description: Specifies whether and how to configure a source address
|
||||
for the peerings generated by this BGPPeer resource. Default value
|
||||
"UseNodeIP" means to configure the node IP as the source address. "None"
|
||||
means not to configure a source address.
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ rules:
|
|||
- create
|
||||
- update
|
||||
- delete
|
||||
- watch
|
||||
# kube-controllers manages hostendpoints.
|
||||
- apiGroups: ["crd.projectcalico.org"]
|
||||
resources:
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ spec:
|
|||
priorityClassName: system-cluster-critical
|
||||
containers:
|
||||
- name: calico-kube-controllers
|
||||
image: docker.io/calico/kube-controllers:v3.17.3
|
||||
image: docker.io/calico/kube-controllers:v3.18.0
|
||||
env:
|
||||
# Choose which controllers to run.
|
||||
- name: ENABLED_CONTROLLERS
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ spec:
|
|||
# It can be deleted if this is a fresh installation, or if you have already
|
||||
# upgraded to use calico-ipam.
|
||||
- name: upgrade-ipam
|
||||
image: docker.io/calico/cni:v3.17.3
|
||||
image: docker.io/calico/cni:v3.18.0
|
||||
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
|
|
@ -71,7 +71,7 @@ spec:
|
|||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
image: docker.io/calico/cni:v3.17.3
|
||||
image: docker.io/calico/cni:v3.18.0
|
||||
command: ["/opt/cni/bin/install"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
|
|
@ -112,7 +112,7 @@ spec:
|
|||
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
|
||||
# to communicate with Felix over the Policy Sync API.
|
||||
- name: flexvol-driver
|
||||
image: docker.io/calico/pod2daemon-flexvol:v3.17.3
|
||||
image: docker.io/calico/pod2daemon-flexvol:v3.18.0
|
||||
volumeMounts:
|
||||
- name: flexvol-driver-host
|
||||
mountPath: /host/driver
|
||||
|
|
@ -123,7 +123,7 @@ spec:
|
|||
# container programs network policy and routes on each
|
||||
# host.
|
||||
- name: calico-node
|
||||
image: docker.io/calico/node:v3.17.3
|
||||
image: docker.io/calico/node:v3.18.0
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||
|
|
|
|||
|
|
@ -133,11 +133,11 @@ spec:
|
|||
traffic that goes from a workload endpoint to the host itself (after
|
||||
the traffic hits the endpoint egress policy). By default Calico
|
||||
blocks traffic from workload endpoints to the host itself with an
|
||||
iptables “DROP” action. If you want to allow some or all traffic
|
||||
iptables "DROP" action. If you want to allow some or all traffic
|
||||
from endpoint to host, set this parameter to RETURN or ACCEPT. Use
|
||||
RETURN if you have your own rules in the iptables “INPUT” chain;
|
||||
Calico will insert its rules at the top of that chain, then “RETURN”
|
||||
packets to the “INPUT” chain once it has completed processing workload
|
||||
RETURN if you have your own rules in the iptables "INPUT" chain;
|
||||
Calico will insert its rules at the top of that chain, then "RETURN"
|
||||
packets to the "INPUT" chain once it has completed processing workload
|
||||
endpoint egress policy. Use ACCEPT to unconditionally accept packets
|
||||
from workloads after processing workload endpoint egress policy.
|
||||
[Default: Drop]'
|
||||
|
|
@ -171,7 +171,7 @@ spec:
|
|||
accidentally cutting off a host with incorrect configuration. Each
|
||||
port should be specified as tcp:<port-number> or udp:<port-number>.
|
||||
For back-compatibility, if the protocol is not specified, it defaults
|
||||
to “tcp”. To disable all inbound host ports, use the value none.
|
||||
to "tcp". To disable all inbound host ports, use the value none.
|
||||
The default value allows ssh access and DHCP. [Default: tcp:22,
|
||||
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
|
||||
items:
|
||||
|
|
@ -194,7 +194,7 @@ spec:
|
|||
to avoid accidentally cutting off a host with incorrect configuration.
|
||||
Each port should be specified as tcp:<port-number> or udp:<port-number>.
|
||||
For back-compatibility, if the protocol is not specified, it defaults
|
||||
to “tcp”. To disable all outbound host ports, use the value none.
|
||||
to "tcp". To disable all outbound host ports, use the value none.
|
||||
The default value opens etcd''s standard ports to ensure that Felix
|
||||
does not get cut off from etcd as well as allowing DHCP and DNS.
|
||||
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ spec:
|
|||
action. Both selector-based security Policy and security Profiles
|
||||
reference rules - separated out as a list of rules for both ingress
|
||||
and egress packet matching. \n Each positive match criteria has
|
||||
a negated version, prefixed with ”Not”. All the match criteria
|
||||
a negated version, prefixed with \"Not\". All the match criteria
|
||||
within a rule must be satisfied for a packet to match. A single
|
||||
rule can contain the positive and negative version of a match
|
||||
and both must be satisfied for the rule to match."
|
||||
|
|
@ -131,9 +131,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -336,9 +336,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -379,7 +379,7 @@ spec:
|
|||
action. Both selector-based security Policy and security Profiles
|
||||
reference rules - separated out as a list of rules for both ingress
|
||||
and egress packet matching. \n Each positive match criteria has
|
||||
a negated version, prefixed with ”Not”. All the match criteria
|
||||
a negated version, prefixed with \"Not\". All the match criteria
|
||||
within a rule must be satisfied for a packet to match. A single
|
||||
rule can contain the positive and negative version of a match
|
||||
and both must be satisfied for the rule to match."
|
||||
|
|
@ -462,9 +462,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -667,9 +667,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ spec:
|
|||
is empty - through the specific interface that has one of the IPs
|
||||
in ExpectedIPs. Therefore, when InterfaceName is empty, at least
|
||||
one expected IP must be specified. Only external interfaces (such
|
||||
as “eth0”) are supported here; it isn't possible for a HostEndpoint
|
||||
as \"eth0\") are supported here; it isn't possible for a HostEndpoint
|
||||
to protect traffic through a specific local workload interface.
|
||||
\n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
|
||||
initially just pre-DNAT policy. Please check Calico documentation
|
||||
|
|
|
|||
|
|
@ -106,6 +106,10 @@ spec:
|
|||
description: 'LogSeverityScreen is the log severity above which logs
|
||||
are sent to the stdout. [Default: Info]'
|
||||
type: string
|
||||
prometheusMetricsPort:
|
||||
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
|
||||
metrics server should bind to. Set to 0 to disable. [Default: 9094]'
|
||||
type: integer
|
||||
required:
|
||||
- controllers
|
||||
type: object
|
||||
|
|
@ -206,6 +210,11 @@ spec:
|
|||
description: 'LogSeverityScreen is the log severity above which
|
||||
logs are sent to the stdout. [Default: Info]'
|
||||
type: string
|
||||
prometheusMetricsPort:
|
||||
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
|
||||
metrics server should bind to. Set to 0 to disable. [Default:
|
||||
9094]'
|
||||
type: integer
|
||||
required:
|
||||
- controllers
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ spec:
|
|||
action. Both selector-based security Policy and security Profiles
|
||||
reference rules - separated out as a list of rules for both ingress
|
||||
and egress packet matching. \n Each positive match criteria has
|
||||
a negated version, prefixed with ”Not”. All the match criteria
|
||||
a negated version, prefixed with \"Not\". All the match criteria
|
||||
within a rule must be satisfied for a packet to match. A single
|
||||
rule can contain the positive and negative version of a match
|
||||
and both must be satisfied for the rule to match."
|
||||
|
|
@ -120,9 +120,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -325,9 +325,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -368,7 +368,7 @@ spec:
|
|||
action. Both selector-based security Policy and security Profiles
|
||||
reference rules - separated out as a list of rules for both ingress
|
||||
and egress packet matching. \n Each positive match criteria has
|
||||
a negated version, prefixed with ”Not”. All the match criteria
|
||||
a negated version, prefixed with \"Not\". All the match criteria
|
||||
within a rule must be satisfied for a packet to match. A single
|
||||
rule can contain the positive and negative version of a match
|
||||
and both must be satisfied for the rule to match."
|
||||
|
|
@ -451,9 +451,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
@ -656,9 +656,9 @@ spec:
|
|||
One negates the set of matched endpoints, the other negates
|
||||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||||
packets that are from other Calico-controlled \tendpoints
|
||||
that do not have the label “my_label”. \n \tNotSelector
|
||||
that do not have the label \"my_label\". \n \tNotSelector
|
||||
= \"has(my_label)\" matches packets that are not from
|
||||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||||
Calico-controlled \tendpoints that do have the label \"my_label\".
|
||||
\n The effect is that the latter will accept packets from
|
||||
non-Calico sources whereas the former is limited to packets
|
||||
from Calico-controlled endpoints."
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue