Compare commits


26 commits

fdddb7cb01
Update calico to version 3.28.2 2024-09-19 08:07:57 +02:00
c5492688f3
Update calico to version 3.28.1 2024-07-31 10:34:29 +02:00
d6f17858ce
Update calico to version 3.28.0 2024-05-12 13:01:23 +02:00
7548f12db8
Update calico to version 3.27.3 2024-04-18 12:48:30 +02:00
e8f939d1bf
Update calico to version 3.27.2 2024-03-13 18:56:50 +01:00
aa136636cc
Update calico to version 3.27.0 2023-12-22 07:38:58 +01:00
7be2148dc5
Update calico to version 3.26.4 2023-11-17 11:23:06 +01:00
72a741a877
Update calico to version 3.26.3 2023-10-11 09:26:15 +02:00
4b612b5781
Update calico to version 3.26.2 2023-10-06 16:02:42 +02:00
b46c587720
Update calico to version 3.26.1
2023-06-18 12:53:04 +02:00
d13e3b73a5
Update calico to version 3.26.0
2023-06-02 11:17:37 +02:00
9014aa38d3
Update calico to version 3.25.0 2023-03-05 10:43:57 +01:00
d03105916a
Update to version v3.24.5
2022-11-09 09:56:11 +01:00
0af1683bb9
Update calico to version v3.24.4
2022-11-04 10:40:48 +01:00
849ab98b2d
Update calico to version v3.24.3
2022-10-23 13:23:09 +02:00
4974a904f2
Update calico to version 3.24.2
2022-10-19 10:25:25 +02:00
58be01b10d
Update calico to version v3.24.1
2022-08-31 10:58:57 +02:00
0de1caead0
Update calico to version 3.24.0
2022-08-20 11:58:01 +02:00
8e4129387e
Fix lint error
2022-07-22 22:50:06 +02:00
bdb51bda99
Fix lint errors
2022-07-22 22:08:15 +02:00
11d4f5396d
Update to version v3.23.3
2022-07-20 01:32:06 +02:00
2c33e36392
Update calico to version v3.23.2
2022-06-25 11:34:11 +02:00
b90996045b
Update calico to version v3.23.1
2022-05-18 07:29:16 +02:00
a1b71d54ec
Update to version v3.23.0
2022-05-11 21:33:11 +02:00
4bd2267e77
Update to version v3.22.2
2022-04-14 21:27:02 +02:00
2fde4c4fc5
Update calico to version 3.22.1
2022-03-04 08:27:01 +01:00
37 changed files with 864 additions and 150 deletions


@ -1,6 +1,8 @@
#!/bin/bash
BASEURL=https://docs.projectcalico.org/manifests
CALICO_VERSION="3.28.2"
#BASEURL=https://docs.projectcalico.org/manifests
#BASEURL=https://docs.projectcalico.org/archive/v3.18/manifests
BASEURL="https://raw.githubusercontent.com/projectcalico/calico/v${CALICO_VERSION}/manifests"
curl "${BASEURL}"/calico.yaml -O
kubernetes-split-yaml calico.yaml > generated.log
mv generated/*.yaml templates/
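Review bot: The download on the last three lines, `curl "${BASEURL}"/calico.yaml -O`, has no failure handling, so an HTTP error body or a truncated transfer is written to calico.yaml and fed straight through kubernetes-split-yaml into templates/; the script also lacks `set -euo pipefail`, so a failed curl or split does not stop the following `mv`. I would add `set -euo pipefail` directly after the shebang and fetch with `curl --fail --silent --show-error --location "${BASEURL}/calico.yaml" -o calico.yaml`. The URL is pinned to the git tag `v${CALICO_VERSION}` but not to content, and the fetched manifests become privileged cluster-wide workloads, so recording a checksum of calico.yaml in the repository and verifying it here would make the supply chain auditable on every regeneration. Note also that `mv generated/*.yaml templates/` never removes templates that upstream has dropped, so stale manifests stay in the role until someone deletes them by hand.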


@ -6,6 +6,6 @@ galaxy_info:
galaxy_tags: []
license: GPL2
platforms:
- name: kubernetes
version:
- all
- name: kubernetes
version:
- all


@ -1,39 +1,39 @@
---
- name: calico setup
block:
- name: Include vars
include_vars: "calico-files.yaml"
- name: Include vars
ansible.builtin.include_vars: "calico-files.yaml"
- name: calico install
k8s:
state: present
context: "{{ my_context }}"
merge_type: merge
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- "{{ calico_files }}"
register: calico_changed
- name: calico install
kubernetes.core.k8s:
state: present
context: "{{ my_context }}"
merge_type: merge
resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items:
- "{{ calico_files }}"
register: calico_changed
- name: delete pods calicoctl
k8s:
state: absent
context: "{{ my_context }}"
kind: Pod
name: calicoctl
namespace: kube-system
# when:
# - calico_changed is changed
- name: delete pods calicoctl
kubernetes.core.k8s:
state: absent
context: "{{ my_context }}"
kind: Pod
name: calicoctl
namespace: kube-system
# when:
# - calico_changed is changed
#
# - name: calicoctl install
# k8s:
# state: present
# context: "{{ my_context }}"
# apply: yes
# resource_definition: "{{ lookup('file', item) | from_yaml }}"
# with_items:
# - "{{ calicoctl_files }}"
# when:
# - calico_changed is changed
# - name: calicoctl install
# kubernetes.core.k8s:
# state: present
# context: "{{ my_context }}"
# apply: true
# resource_definition: "{{ lookup('file', item) | from_yaml }}"
# with_items:
# - "{{ calicoctl_files }}"
# when:
# - calico_changed is changed
when:
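Review bot: The `delete pods calicoctl` task still carries its `when:` guard commented out, so every run of the role deletes the calicoctl pod whether or not `calico_changed` reported a change; the move to the `kubernetes.core.k8s` FQCN does not alter this. Either restore the guard, `when: calico_changed is changed`, or put a comment above the task stating that unconditional deletion on every run is intended. The `calico install` task applies each rendered template without server-side validation; `kubernetes.core.k8s` accepts `validate: {fail_on_error: true}`, which rejects a template that does not match the cluster's schema before that item is applied. The enclosing `calico setup` block's `when:` condition at the end of the hunk continues outside it.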


@ -1,5 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -11,6 +10,7 @@ spec:
listKind: BGPConfigurationList
plural: bgpconfigurations
singular: bgpconfiguration
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -38,6 +38,12 @@ spec:
64512]'
format: int32
type: integer
bindMode:
description: BindMode indicates whether to listen for BGP connections
on all addresses (None) or only on the node's canonical IP address
Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
for BGP connections on all addresses.
type: string
communities:
description: Communities is a list of BGP community values and their
arbitrary names for tagging routes.
@ -58,6 +64,12 @@ spec:
type: string
type: object
type: array
ignoredInterfaces:
description: IgnoredInterfaces indicates the network interfaces that
needs to be excluded when reading device routes.
items:
type: string
type: array
listenPort:
description: ListenPort is the port where BGP protocol should listen.
Defaults to 179
@ -68,6 +80,37 @@ spec:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: INFO]'
type: string
nodeMeshMaxRestartTime:
description: Time to allow for software restart for node-to-mesh peerings. When
specified, this is configured as the graceful restart timeout. When
not specified, the BIRD default of 120s is used. This field can
only be set on the default BGPConfiguration instance and requires
that NodeMesh is enabled
type: string
nodeMeshPassword:
description: Optional BGP password for full node-to-mesh peerings.
This field can only be set on the default BGPConfiguration instance
and requires that NodeMesh is enabled
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
nodeToNodeMeshEnabled:
description: 'NodeToNodeMeshEnabled sets whether full node to node
BGP mesh is enabled. [Default: true]'
@ -141,4 +184,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,131 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: bgpfilters.crd.projectcalico.org
spec:
group: crd.projectcalico.org
names:
kind: BGPFilter
listKind: BGPFilterList
plural: bgpfilters
singular: bgpfilter
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of
the BGP Filter.
properties:
exportV4:
description: The ordered set of IPv4 BGPFilter rules acting on exporting
routes to a peer.
items:
description: BGPFilterRuleV4 defines a BGP filter rule consisting
a single IPv4 CIDR block and a filter action for this CIDR.
properties:
action:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
type: object
type: array
exportV6:
description: The ordered set of IPv6 BGPFilter rules acting on exporting
routes to a peer.
items:
description: BGPFilterRuleV6 defines a BGP filter rule consisting
a single IPv6 CIDR block and a filter action for this CIDR.
properties:
action:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
type: object
type: array
importV4:
description: The ordered set of IPv4 BGPFilter rules acting on importing
routes from a peer.
items:
description: BGPFilterRuleV4 defines a BGP filter rule consisting
a single IPv4 CIDR block and a filter action for this CIDR.
properties:
action:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
type: object
type: array
importV6:
description: The ordered set of IPv6 BGPFilter rules acting on importing
routes from a peer.
items:
description: BGPFilterRuleV6 defines a BGP filter rule consisting
a single IPv6 CIDR block and a filter action for this CIDR.
properties:
action:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
type: object
type: array
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: BGPPeerList
plural: bgppeers
singular: bgppeer
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -34,6 +36,11 @@ spec:
description: The AS Number of the peer.
format: int32
type: integer
filters:
description: The ordered set of BGPFilters applied on this BGP peer.
items:
type: string
type: array
keepOriginalNextHop:
description: Option to keep the original nexthop field when routes
are sent to a BGP Peer. Setting "true" configures the selected BGP
@ -54,6 +61,12 @@ spec:
description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty.
type: string
numAllowedLocalASNumbers:
description: Maximum number of local AS numbers that are allowed in
the AS path for received routes. This removes BGP loop prevention
and should only be used if absolutely necessary.
format: int32
type: integer
password:
description: Optional BGP password for the peerings generated by this
BGPPeer resource.
@ -93,12 +106,23 @@ spec:
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
reachableBy:
description: Add an exact, i.e. /32, static route toward peer IP in
order to prevent route flapping. ReachableBy contains the address
of the gateway which peer can be reached by.
type: string
sourceAddress:
description: Specifies whether and how to configure a source address
for the peerings generated by this BGPPeer resource. Default value
"UseNodeIP" means to configure the node IP as the source address. "None"
means not to configure a source address.
type: string
ttlSecurity:
description: TTLSecurity enables the generalized TTL security mechanism
(GTSM) which protects against spoofed packets by ignoring received
packets with a smaller than expected TTL value. The provided value
is the number of hops (edges) between the peers.
type: integer
type: object
type: object
served: true
@ -109,4 +133,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: BlockAffinityList
plural: blockaffinities
singular: blockaffinity
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -57,4 +59,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,34 @@
# Source: calico/templates/calico-node-rbac.yaml
# CNI cluster role
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-cni-plugin
rules:
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
- apiGroups: [""]
resources:
- pods/status
verbs:
- patch
- apiGroups: ["crd.projectcalico.org"]
resources:
- blockaffinities
- ipamblocks
- ipamhandles
- clusterinformations
- ippools
- ipreservations
- ipamconfigs
verbs:
- get
- list
- create
- update
- delete


@ -0,0 +1,13 @@
# Source: calico/templates/calico-node-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-cni-plugin
subjects:
- kind: ServiceAccount
name: calico-cni-plugin
namespace: kube-system


@ -0,0 +1,6 @@
# Source: calico/templates/calico-node.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-cni-plugin
namespace: kube-system


@ -51,4 +51,3 @@ data:
}
]
}


@ -1,5 +1,4 @@
# Source: calico/templates/calico-kube-controllers-rbac.yaml
# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
kind: ClusterRole
@ -23,10 +22,9 @@ rules:
- get
- list
- watch
# IPAM resources are manipulated when nodes are deleted.
# IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
- ipreservations
verbs:
- list
@ -42,6 +40,13 @@ rules:
- update
- delete
- watch
# Pools are watched to maintain a mapping of blocks to IP pools.
- apiGroups: ["crd.projectcalico.org"]
resources:
- ippools
verbs:
- list
- watch
# kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"]
resources:
@ -58,8 +63,10 @@ rules:
- clusterinformations
verbs:
- get
- list
- create
- update
- watch
# KubeControllersConfiguration is where it gets its config
- apiGroups: ["crd.projectcalico.org"]
resources:


@ -1,3 +1,4 @@
# Source: calico/templates/calico-kube-controllers-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:


@ -30,11 +30,14 @@ spec:
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
serviceAccountName: calico-kube-controllers
priorityClassName: system-cluster-critical
containers:
- name: calico-kube-controllers
image: docker.io/calico/kube-controllers:v3.22.0
image: docker.io/calico/kube-controllers:v3.28.2
imagePullPolicy: IfNotPresent
env:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
@ -56,4 +59,3 @@ spec:
- /usr/bin/check-status
- -r
periodSeconds: 10


@ -1,7 +1,7 @@
# Source: calico/templates/calico-kube-controllers.yaml
# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
apiVersion: policy/v1beta1
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: calico-kube-controllers
@ -13,4 +13,3 @@ spec:
selector:
matchLabels:
k8s-app: calico-kube-controllers


@ -1,7 +1,6 @@
# Source: calico/templates/calico-kube-controllers.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-kube-controllers
namespace: kube-system


@ -6,6 +6,14 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-node
rules:
# Used for creating service account tokens to be used by the CNI plugin
- apiGroups: [""]
resources:
- serviceaccounts/token
resourceNames:
- calico-cni-plugin
verbs:
- create
# The CNI plugin needs to get pods, nodes, and namespaces.
- apiGroups: [""]
resources:
@ -20,7 +28,7 @@ rules:
resources:
- endpointslices
verbs:
- watch
- watch
- list
- apiGroups: [""]
resources:
@ -74,6 +82,7 @@ rules:
- globalfelixconfigs
- felixconfigurations
- bgppeers
- bgpfilters
- globalbgpconfigs
- bgpconfigurations
- ippools
@ -101,7 +110,7 @@ rules:
- create
- update
# Calico must update some CRDs.
- apiGroups: [ "crd.projectcalico.org" ]
- apiGroups: ["crd.projectcalico.org"]
resources:
- caliconodestatuses
verbs:
@ -135,11 +144,14 @@ rules:
- create
- update
- delete
# The CNI plugin and calico/node need to be able to create a default
# IPAMConfiguration
- apiGroups: ["crd.projectcalico.org"]
resources:
- ipamconfigs
verbs:
- get
- create
# Block affinities must also be watchable by confd for route aggregation.
- apiGroups: ["crd.projectcalico.org"]
resources:
@ -153,4 +165,3 @@ rules:
- daemonsets
verbs:
- get


@ -1,3 +1,4 @@
# Source: calico/templates/calico-node-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -10,4 +11,3 @@ subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system


@ -44,7 +44,8 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam.
- name: upgrade-ipam
image: docker.io/calico/cni:v3.22.0
image: docker.io/calico/cni:v3.28.2
imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom:
- configMapRef:
@ -71,7 +72,8 @@ spec:
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
image: docker.io/calico/cni:v3.22.0
image: docker.io/calico/cni:v3.28.2
imagePullPolicy: IfNotPresent
command: ["/opt/cni/bin/install"]
envFrom:
- configMapRef:
@ -109,13 +111,29 @@ spec:
name: cni-net-dir
securityContext:
privileged: true
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API.
- name: flexvol-driver
image: docker.io/calico/pod2daemon-flexvol:v3.22.0
# This init container mounts the necessary filesystems needed by the BPF data plane
# i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
# in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
- name: "mount-bpffs"
image: docker.io/calico/node:v3.28.2
imagePullPolicy: IfNotPresent
command: ["calico-node", "-init", "-best-effort"]
volumeMounts:
- name: flexvol-driver-host
mountPath: /host/driver
- mountPath: /sys/fs
name: sys-fs
# Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
- mountPath: /var/run/calico
name: var-run-calico
# Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
# so that it outlives the init container.
mountPropagation: Bidirectional
# Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
# executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
- mountPath: /nodeproc
name: nodeproc
readOnly: true
securityContext:
privileged: true
containers:
@ -123,7 +141,8 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
image: docker.io/calico/node:v3.22.0
image: docker.io/calico/node:v3.28.2
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -159,6 +178,9 @@ spec:
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
value: "Always"
# Enable or Disable VXLAN on the default IPv6 IP pool.
- name: CALICO_IPV6POOL_VXLAN
value: "Never"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
@ -249,11 +271,8 @@ spec:
mountPath: /var/run/nodeagent
# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
# parent directory.
- name: sysfs
mountPath: /sys/fs/
# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
# If the host is known to mount that filesystem already then Bidirectional can be omitted.
mountPropagation: Bidirectional
- name: bpffs
mountPath: /sys/fs/bpf
- name: cni-log-dir
mountPath: /var/log/calico/cni
readOnly: true
@ -265,21 +284,32 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
type: DirectoryOrCreate
- name: var-lib-calico
hostPath:
path: /var/lib/calico
type: DirectoryOrCreate
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
- name: sysfs
- name: sys-fs
hostPath:
path: /sys/fs/
type: DirectoryOrCreate
- name: bpffs
hostPath:
path: /sys/fs/bpf
type: Directory
# mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
- name: nodeproc
hostPath:
path: /proc
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
type: DirectoryOrCreate
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
@ -298,8 +328,3 @@ spec:
hostPath:
type: DirectoryOrCreate
path: /var/run/nodeagent
# Used to install Flex Volume Driver
- name: flexvol-driver-host
hostPath:
type: DirectoryOrCreate
path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds


@ -1,7 +1,6 @@
# Source: calico/templates/calico-node.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system


@ -11,9 +11,9 @@ spec:
serviceAccountName: calicoctl
containers:
- name: calicoctl
image: calico/ctl:v3.22.0
image: calico/ctl:v3.28.2
command:
- /calicoctl
- calicoctl
args:
- version
- --poll=1m


@ -1,7 +1,7 @@
# Calico Version v3.22.0
# https://projectcalico.docs.tigera.io/releases#v3.22.0
# Calico Version master
# https://projectcalico.docs.tigera.io/releases#master
# This manifest includes the following component versions:
# calico/ctl:v3.22.0
# calico/ctl:v3.28.2
apiVersion: v1
kind: ServiceAccount


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -12,6 +13,7 @@ spec:
listKind: CalicoNodeStatusList
plural: caliconodestatuses
singular: caliconodestatus
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -259,4 +261,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: ClusterInformationList
plural: clusterinformations
singular: clusterinformation
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -60,4 +62,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: FelixConfigurationList
plural: felixconfigurations
singular: felixconfiguration
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -50,14 +52,41 @@ spec:
- Enable
- Disable
type: string
bpfCTLBLogFilter:
description: 'BPFCTLBLogFilter specifies, what is logged by connect
time load balancer when BPFLogLevel is debug. Currently has to be
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
[Default: unset - means logs are emitted when BPFLogLevel id debug
and BPFLogFilters not set.]'
type: string
bpfConnectTimeLoadBalancing:
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
whether Felix installs the connect-time load balancer. The connect-time
load balancer is required for the host to be able to reach Kubernetes
services and it improves the performance of pod-to-service connections.When
set to TCP, connect time load balancing is available only for services
with TCP ports. [Default: TCP]'
enum:
- TCP
- Enabled
- Disabled
type: string
bpfConnectTimeLoadBalancingEnabled:
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
controls whether Felix installs the connection-time load balancer. The
connect-time load balancer is required for the host to be able to
reach Kubernetes services and it improves the performance of pod-to-service
connections. The only reason to disable it is for debugging purposes. [Default:
connections. The only reason to disable it is for debugging purposes.
This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
true]'
type: boolean
bpfDSROptoutCIDRs:
description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
from DSR. That is, clients in those CIDRs will accesses nodeports
as if BPFExternalServiceMode was set to Tunnel.
items:
type: string
type: array
bpfDataIfacePattern:
description: BPFDataIfacePattern is a regular expression that controls
which interfaces Felix should attach BPF programs to in order to
@ -67,6 +96,12 @@ spec:
the cluster. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableGROForIfaces:
description: BPFDisableGROForIfaces is a regular expression that controls
which interfaces Felix should disable the Generic Receive Offload
[GRO] option. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
@ -77,11 +112,25 @@ spec:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]'
type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
with BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Loose]'
pattern: ^(?i)(Disabled|Strict|Loose)?$
type: string
bpfExcludeCIDRsFromNAT:
description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
be excluded from NAT resolution so that host can handle them. A
typical usecase is node local DNS cache.
items:
type: string
type: array
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local
service. This mark allows us to control how packets of that connection
are routed within the host and how is routing intepreted by RPF
are routed within the host and how is routing interpreted by RPF
check. [Default: 0]'
type: integer
bpfExternalServiceMode:
@ -93,10 +142,35 @@ spec:
is sent directly from the remote node. In "DSR" mode, the remote
node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]'
pattern: ^(?i)(Tunnel|DSR)?$
type: string
bpfForceTrackPacketsFromIfaces:
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
traffic from those interfaces to be tracked by Linux conntrack. Should
only be used for interfaces that are not used for the Calico fabric. For
example, a docker bridge device for non-Calico-networked containers.
[Default: docker+]'
items:
type: string
type: array
bpfHostConntrackBypass:
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
conntrack in BPF mode for workloads and services. [Default: true
- bypass Linux conntrack]'
type: boolean
bpfHostNetworkedNATWithoutCTLB:
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
determines the CTLB behavior. [Default: Enabled]'
enum:
- Enabled
- Disabled
type: string
bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
no effect. BPF kube-proxy always accepts endpoint slices. This option
will be removed in the next release.
type: boolean
bpfKubeProxyIptablesCleanupEnabled:
description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
@ -109,13 +183,88 @@ spec:
minimum time between updates to the dataplane for Felix''s embedded
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
in addition to BPFDataIfacePattern. That is, tunnel interfaces not
created by Calico, that Calico workload traffic flows over as well
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogFilters:
additionalProperties:
type: string
description: "BPFLogFilters is a map of key=values where the value
is a pcap filter expression and the key is an interface name with
'all' denoting all interfaces, 'weps' all workload endpoints and
'heps' all host endpoints. \n When specified as an env var, it accepts
a comma-separated list of key=values. [Default: unset - means all
debug logs are emitted]"
type: object
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].'
pattern: ^(?i)(Off|Info|Debug)?$
type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
map. This map must be large enough to hold an entry for each active
connection. Warning: changing the size of the conntrack map can
cause disruption.'
type: integer
bpfMapSizeIPSets:
description: BPFMapSizeIPSets sets the size for ipsets map. The IP
sets map must be large enough to hold an entry for each endpoint
matched by every selector in the source/destination matches in network
policy. Selectors such as "all()" can result in large numbers of
entries (one entry per endpoint in that case).
type: integer
bpfMapSizeIfState:
description: BPFMapSizeIfState sets the size for ifstate map. The
ifstate map must be large enough to hold an entry for each device
(host + workloads) on a host.
type: integer
bpfMapSizeNATAffinity:
type: integer
bpfMapSizeNATBackend:
description: BPFMapSizeNATBackend sets the size for nat back end map.
This is the total number of endpoints. This is mostly more than
the size of the number of services.
type: integer
bpfMapSizeNATFrontend:
description: BPFMapSizeNATFrontend sets the size for nat front end
map. FrontendMap should be large enough to hold an entry for each
nodeport, external IP and each port in each service.
type: integer
bpfMapSizeRoute:
description: BPFMapSizeRoute sets the size for the routes map. The
routes map should be large enough to hold one entry per workload
and a handful of entries per host (enough to cover its own IPs and
tunnel IPs).
type: integer
bpfPSNATPorts:
anyOf:
- type: integer
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (102465535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 3276860999, while others mostly use the IANA
defined range 4915265535. It is not necessarily a problem if this
range overlaps with the operating systems. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
x-kubernetes-int-or-string: true
bpfPolicyDebugEnabled:
description: BPFPolicyDebugEnabled when true, Felix records detailed
information about the BPF policy programs, which can be examined
with the calico-bpf command-line tool.
type: boolean
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
@ -124,16 +273,41 @@ spec:
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
pattern: ^(?i)(insert|append)?$
type: string
dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix's (internal) dataplane driver. Increase this value
if you experience spurious non-ready or non-live events when Felix
is under heavy load. Decrease the value to get felix to report non-live
or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
by the generic HealthTimeoutOverrides."
type: string
debugDisableLogDropping:
type: boolean
debugHost:
description: DebugHost is the host IP or hostname to bind the debug
port to. Only used if DebugPort is set. [Default:localhost]
type: string
debugMemoryProfilePath:
type: string
debugPort:
description: DebugPort if set, enables Felix's debug HTTP port, which
allows memory and CPU profiles to be retrieved. The debug port
is not secure, it should not be exposed to the internet.
type: integer
debugSimulateCalcGraphHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneApplyDelay:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
defaultEndpointToHostAction:
description: 'DefaultEndpointToHostAction controls what happens to
@ -148,22 +322,35 @@ spec:
endpoint egress policy. Use ACCEPT to unconditionally accept packets
from workloads after processing workload endpoint egress policy.
[Default: Drop]'
pattern: ^(?i)(Drop|Accept|Return)?$
type: string
deviceRouteProtocol:
description: This defines the route protocol added to programmed device
routes, by default this will be RTPROT_BOOT when left blank.
type: integer
deviceRouteSourceAddress:
description: This is the source address to use on programmed device
routes. By default the source address is left blank, leaving the
kernel to choose the source address used.
description: This is the IPv4 source address to use on programmed
device routes. By default the source address is left blank, leaving
the kernel to choose the source address used.
type: string
deviceRouteSourceAddressIPv6:
description: This is the IPv6 source address to use on programmed
device routes. By default the source address is left blank, leaving
the kernel to choose the source address used.
type: string
disableConntrackInvalidCheck:
type: boolean
endpointReportingDelay:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
endpointReportingEnabled:
type: boolean
endpointStatusPathPrefix:
description: "EndpointStatusPathPrefix is the path to the directory
where endpoint status will be written. Endpoint status file reporting
is disabled if field is left empty. \n Chosen directory should match
the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
type: string
externalNodesList:
description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
which may source tunnel traffic and have the tunneled traffic be
@ -224,11 +411,26 @@ spec:
type: object
type: array
featureDetectOverride:
description: FeatureDetectOverride is used to override the feature
detection. Values are specified in a comma separated list with no
spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
"true" or "false" will force the feature, empty or omitted values
are auto-detected.
description: FeatureDetectOverride is used to override feature detection
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
or "false" will force the feature, empty or omitted values are auto-detected.
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
non-OpenStack floating IP addresses. (OpenStack-derived floating
IPs are always programmed, regardless of this setting.)
enum:
- Enabled
- Disabled
type: string
genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards
@ -242,6 +444,23 @@ spec:
type: string
healthPort:
type: integer
healthTimeoutOverrides:
description: HealthTimeoutOverrides allows the internal watchdog timeouts
of individual subcomponents to be overridden. This is useful for
working around "false positive" liveness timeouts that can occur
in particularly stressful workloads or if CPU is constrained. For
a list of active subcomponents, see Felix's logs.
items:
properties:
name:
type: string
timeout:
type: string
required:
- name
- timeout
type: object
type: array
interfaceExclude:
description: 'InterfaceExclude is a comma-separated list of interfaces
that Felix should exclude when monitoring for host endpoints. The
@ -265,8 +484,12 @@ spec:
description: InterfaceRefreshInterval is the period at which Felix
rescans local interfaces to verify their state. The rescan can be
disabled by setting the interval to 0.
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
an IPIP interface on the host. Optional as Felix determines this
based on the existing IP pools. [Default: nil (unset)]'
type: boolean
ipipMTU:
description: 'IPIPMTU is the MTU to set on the tunnel device. See
@ -277,12 +500,22 @@ spec:
all iptables state to ensure that no other process has accidentally
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesBackend:
description: IptablesBackend specifies which backend of iptables will
be used. The default is legacy.
be used. The default is Auto.
pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
type: string
iptablesFilterAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesFilterDenyAction:
description: IptablesFilterDenyAction controls what happens to traffic
that is denied by network policy. By default Calico blocks traffic
with an iptables "DROP" action. If you want to use "REJECT" action
instead you can configure it in here.
pattern: ^(?i)(Drop|Reject)?$
type: string
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
@ -295,6 +528,7 @@ spec:
wait between attempts to acquire the iptables lock if it is not
available. Lower values make Felix more responsive when the lock
is contended, but use more CPU. [Default: 50ms]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesLockTimeout:
description: 'IptablesLockTimeout is the time that Felix will wait
@ -303,8 +537,10 @@ spec:
also take the lock. When running Felix inside a container, this
requires the /run directory of the host to be mounted into the calico/node
or calico/felix container. [Default: 0s disabled]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesMangleAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesMarkMask:
description: 'IptablesMarkMask is the mask that Felix selects its
@ -321,6 +557,7 @@ spec:
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
@ -331,8 +568,11 @@ spec:
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to, a higher value to reduce Felix CPU
usage. [Default: 10s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipv6Support:
description: IPv6Support controls whether Felix enables support for
IPv6 (if supported by the in-use dataplane).
type: boolean
kubeNodePortRanges:
description: 'KubeNodePortRanges holds list of port ranges used for
@ -346,6 +586,12 @@ spec:
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
logDebugFilenameRegex:
description: LogDebugFilenameRegex controls which source code files
have their Debug log output included in the logs. Only logs from
files with names that match the given regular expression are included. The
filter only applies to Debug level logs.
type: string
logFilePath:
description: 'LogFilePath is the full path to the Felix log. Set to
none to disable file logging. [Default: /var/log/calico/felix.log]'
@ -357,15 +603,18 @@ spec:
logSeverityFile:
description: 'LogSeverityFile is the log severity above which logs
are sent to the log file. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeverityScreen:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeveritySys:
description: 'LogSeveritySys is the log severity above which logs
are sent to the syslog. Set to None for no logging to syslog. [Default:
Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
maxIpsetSize:
type: integer
@ -373,7 +622,7 @@ spec:
description: 'MetadataAddr is the IP address or domain name of the
server that can answer VM queries for cloud-init metadata. In OpenStack,
this corresponds to the machine running nova-api (or in Ubuntu,
nova-api-metadata). A value of none (case insensitive) means that
nova-api-metadata). A value of none (case-insensitive) means that
Felix should not set up any NAT rule for the metadata path. [Default:
127.0.0.1]'
type: string
@ -404,6 +653,7 @@ spec:
pattern: ^.*
x-kubernetes-int-or-string: true
netlinkTimeout:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
openstackRegion:
description: 'OpenstackRegion is the name of the region that a particular
@ -458,26 +708,34 @@ spec:
description: 'ReportingInterval is the interval at which Felix reports
its status into the datastore or 0 to disable. Must be non-zero
in OpenStack deployments. [Default: 30s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
reportingTTL:
description: 'ReportingTTL is the time-to-live setting for process-wide
status reports. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeRefreshInterval:
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeSource:
description: 'RouteSource configures where Felix gets its routing
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
type: string
routeSyncDisabled:
description: RouteSyncDisabled will disable all operations performed
on the route table. Set to true to run in network-policy mode only.
type: boolean
routeTableRange:
description: Calico programs additional Linux route tables for various
purposes. RouteTableRange specifies the indices of the route tables
that Calico should use.
description: Deprecated in favor of RouteTableRanges. Calico programs
additional Linux route tables for various purposes. RouteTableRange
specifies the indices of the route tables that Calico should use.
properties:
max:
type: integer
@ -487,12 +745,28 @@ spec:
- max
- min
type: object
routeTableRanges:
description: Calico programs additional Linux route tables for various
purposes. RouteTableRanges specifies a set of table index ranges
that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
items:
properties:
max:
type: integer
min:
type: integer
required:
- max
- min
type: object
type: array
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
pattern: ^(?i)(Drop|Reject|Disabled)?$
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
@ -508,25 +782,51 @@ spec:
usageReportingInitialDelay:
description: 'UsageReportingInitialDelay controls the minimum delay
before Felix makes a report. [Default: 300s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
usageReportingInterval:
description: 'UsageReportingInterval controls the interval at which
Felix makes reports. [Default: 86400s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, Felix will use its
internal dataplane programming logic. If false, it will launch
an external dataplane driver and communicate with it over protobuf.
type: boolean
vxlanEnabled:
description: 'VXLANEnabled overrides whether Felix should create the
VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
determines this based on the existing IP pools. [Default: nil (unset)]'
type: boolean
vxlanMTU:
description: 'VXLANMTU is the MTU to set on the tunnel device. See
Configuring MTU [Default: 1440]'
description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
device. See Configuring MTU [Default: 1410]'
type: integer
vxlanMTUV6:
description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
device. See Configuring MTU [Default: 1390]'
type: integer
vxlanPort:
type: integer
vxlanVNI:
type: integer
windowsManageFirewallRules:
description: 'WindowsManageFirewallRules configures whether or not
Felix will program Windows Firewall rules. (to allow inbound access
to its own metrics ports) [Default: Disabled]'
enum:
- Enabled
- Disabled
type: string
wireguardEnabled:
description: 'WireguardEnabled controls whether Wireguard is enabled.
description: 'WireguardEnabled controls whether Wireguard is enabled
for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
[Default: false]'
type: boolean
wireguardEnabledV6:
description: 'WireguardEnabledV6 controls whether Wireguard is enabled
for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
[Default: false]'
type: boolean
wireguardHostEncryptionEnabled:
@ -535,20 +835,44 @@ spec:
type: boolean
wireguardInterfaceName:
description: 'WireguardInterfaceName specifies the name to use for
the Wireguard interface. [Default: wg.calico]'
the IPv4 Wireguard interface. [Default: wireguard.cali]'
type: string
wireguardInterfaceNameV6:
description: 'WireguardInterfaceNameV6 specifies the name to use for
the IPv6 Wireguard interface. [Default: wg-v6.cali]'
type: string
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
option. Set 0 to disable. [Default: 0]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
by Wireguard. [Default: 51820]'
by IPv4 Wireguard. [Default: 51820]'
type: integer
wireguardListeningPortV6:
description: 'WireguardListeningPortV6 controls the listening port
used by IPv6 Wireguard. [Default: 51821]'
type: integer
wireguardMTU:
description: 'WireguardMTU controls the MTU on the Wireguard interface.
See Configuring MTU [Default: 1420]'
description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
interface. See Configuring MTU [Default: 1440]'
type: integer
wireguardMTUV6:
description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
interface. See Configuring MTU [Default: 1420]'
type: integer
wireguardRoutingRulePriority:
description: 'WireguardRoutingRulePriority controls the priority value
to use for the Wireguard routing rule. [Default: 99]'
type: integer
workloadSourceSpoofing:
description: WorkloadSourceSpoofing controls whether pods can use
the allowedSourcePrefixes annotation to send traffic with a source
IP address that is not theirs. This is disabled by default. When
set to "Any", pods can request any prefix.
pattern: ^(?i)(Disabled|Any)?$
type: string
xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked
incoming deny rules. [Default: true]'
@ -558,6 +882,7 @@ spec:
all XDP state to ensure that no other process has accidentally broken
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
refresh. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
type: object
type: object
@ -569,4 +894,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: GlobalNetworkPolicyList
plural: globalnetworkpolicies
singular: globalnetworkpolicy
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -798,22 +800,35 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
preDNAT:
description: PreDNAT indicates to apply the rules in this policy before
any DNAT.
type: boolean
selector:
description: "The selector is an expression used to pick pick out
the endpoints that the policy should be applied to. \n Selector
expressions follow this syntax: \n \tlabel == \"string_literal\"
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
\ -> not equal; also matches if label is not present \tlabel in
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
... } -> true if the value of label X is not one of \"a\", \"b\",
\"c\" \thas(label_name) -> True if that label is present \t! expr
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
description: "The selector is an expression used to pick out the endpoints
that the policy should be applied to. \n Selector expressions follow
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
equal; also matches if label is not present \tlabel in { \"a\",
\"b\", \"c\", ... } -> true if the value of label X is one of
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
\thas(label_name) -> True if that label is present \t! expr ->
negation of expr \texpr && expr -> Short-circuit and \texpr ||
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
or the empty selector -> matches all endpoints. \n Label names are
allowed to contain alphanumerics, -, _ and /. String literals are
more permissive but they do not support escape characters. \n Examples
@ -851,4 +866,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: GlobalNetworkSetList
plural: globalnetworksets
singular: globalnetworkset
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -49,4 +51,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: HostEndpointList
plural: hostendpoints
singular: hostendpoint
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -104,4 +106,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: IPAMBlockList
plural: ipamblocks
singular: ipamblock
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -32,8 +34,16 @@ spec:
resource.
properties:
affinity:
description: Affinity of the block, if this block has one. If set,
it will be of the form "host:<hostname>". If not set, this block
is not affine to a host.
type: string
allocations:
description: Array of allocations in-use within this block. nil entries
mean the allocation is free. For non-nil entries at index i, the
index is the ordinal of the allocation within this block and the
value is the index of the associated attributes in the Attributes
array.
items:
type: integer
# TODO: This nullable is manually added in. We should update controller-gen
@ -41,6 +51,10 @@ spec:
nullable: true
type: array
attributes:
description: Attributes is an array of arbitrary metadata associated
with allocations in the block. To find attributes for a given allocation,
use the value of the allocation's entry in the Allocations array
as the index of the element in this array.
items:
properties:
handle_id:
@ -52,12 +66,38 @@ spec:
type: object
type: array
cidr:
description: The block's CIDR.
type: string
deleted:
description: Deleted is an internal boolean used to workaround a limitation
in the Kubernetes API whereby deletion will not return a conflict
error if the block has been updated. It should not be set manually.
type: boolean
sequenceNumber:
default: 0
description: We store a sequence number that is updated each time
the block is written. Each allocation will also store the sequence
number of the block at the time of its creation. When releasing
an IP, passing the sequence number associated with the allocation
allows us to protect against a race condition and ensure the IP
hasn't been released and re-allocated since the release request.
format: int64
type: integer
sequenceNumberForAllocation:
additionalProperties:
format: int64
type: integer
description: Map of allocated ordinal within the block to sequence
number of the block at the time of allocation. Kubernetes does not
allow numerical keys for maps, so the key is cast to a string.
type: object
strictAffinity:
description: StrictAffinity on the IPAMBlock is deprecated and no
longer used by the code. Use IPAMConfig StrictAffinity instead.
type: boolean
unallocated:
description: Unallocated is an ordered list of allocations which are
free in the block.
items:
type: integer
type: array
@ -77,4 +117,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: IPAMConfigList
plural: ipamconfigs
singular: ipamconfig
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -36,6 +38,8 @@ spec:
maxBlocksPerHost:
description: MaxBlocksPerHost, if non-zero, is the max number of blocks
that can be affine to each host.
maximum: 2147483647
minimum: 0
type: integer
strictAffinity:
type: boolean
@ -52,4 +56,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: IPAMHandleList
plural: ipamhandles
singular: ipamhandle
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -52,4 +54,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: IPPoolList
plural: ippools
singular: ippool
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -38,19 +40,19 @@ spec:
type: array
blockSize:
description: The block size to use for IP address assignments from
this pool. Defaults to 26 for IPv4 and 112 for IPv6.
this pool. Defaults to 26 for IPv4 and 122 for IPv6.
type: integer
cidr:
description: The pool CIDR.
type: string
disableBGPExport:
description: 'Disable exporting routes from this IP Pool''s CIDR over
BGP. [Default: false]'
type: boolean
disabled:
description: When disabled is true, Calico IPAM will not assign addresses
from this pool.
type: boolean
disableBGPExport:
description: "Disable exporting routes from this IP Pool's CIDR over
BGP. [Default: false]"
type: boolean
ipip:
description: 'Deprecated: this field is only used for APIv1 backwards
compatibility. Setting this field is not allowed, this field is
@ -80,7 +82,7 @@ spec:
for internal use only.'
type: boolean
natOutgoing:
description: When nat-outgoing is true, packets sent from Calico networked
description: When natOutgoing is true, packets sent from Calico networked
containers in this pool to destinations outside of this pool will
be masqueraded.
type: boolean
@ -105,4 +107,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,6 +1,10 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: ipreservations.crd.projectcalico.org
spec:
group: crd.projectcalico.org
@ -9,6 +13,7 @@ spec:
listKind: IPReservationList
plural: ipreservations
singular: ipreservation
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -47,4 +52,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: KubeControllersConfigurationList
plural: kubecontrollersconfigurations
singular: kubecontrollersconfiguration
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
@ -99,6 +101,11 @@ spec:
type: string
type: object
type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]'
@ -209,6 +216,11 @@ spec:
type: string
type: object
type: object
debugProfilePort:
description: DebugProfilePort configures the port to serve memory
and cpu profiles on. If not specified, profiling is disabled.
format: int32
type: integer
etcdV3CompactionPeriod:
description: 'EtcdV3CompactionPeriod is the period between etcdv3
compaction requests. Set to 0 to disable. [Default: 10m]'
@ -239,4 +251,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: NetworkPolicyList
plural: networkpolicies
singular: networkpolicy
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1
@ -783,18 +785,31 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
selector:
description: "The selector is an expression used to pick pick out
the endpoints that the policy should be applied to. \n Selector
expressions follow this syntax: \n \tlabel == \"string_literal\"
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
\ -> not equal; also matches if label is not present \tlabel in
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
... } -> true if the value of label X is not one of \"a\", \"b\",
\"c\" \thas(label_name) -> True if that label is present \t! expr
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
description: "The selector is an expression used to pick out the endpoints
that the policy should be applied to. \n Selector expressions follow
this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g.
my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
equal; also matches if label is not present \tlabel in { \"a\",
\"b\", \"c\", ... } -> true if the value of label X is one of
\"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
\ -> true if the value of label X is not one of \"a\", \"b\", \"c\"
\thas(label_name) -> True if that label is present \t! expr ->
negation of expr \texpr && expr -> Short-circuit and \texpr ||
expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
or the empty selector -> matches all endpoints. \n Label names are
allowed to contain alphanumerics, -, _ and /. String literals are
more permissive but they do not support escape characters. \n Examples
@ -832,4 +847,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,3 +1,4 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
@ -9,6 +10,7 @@ spec:
listKind: NetworkSetList
plural: networksets
singular: networkset
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1
@ -47,4 +49,3 @@ status:
plural: ""
conditions: []
storedVersions: []


@ -1,7 +1,12 @@
---
calico_files:
- "calico-kube-controllers-PodDisruptionBudget.yaml"
- "calico-kube-controllers-ServiceAccount.yaml"
- "calico-node-ServiceAccount.yaml"
- "calico-cni-plugin-ServiceAccount.yaml"
- "calico-config-ConfigMap.yaml"
- "bgpconfigurations.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "bgpfilters.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "bgppeers.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "blockaffinities.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "caliconodestatuses.crd.projectcalico.org-CustomResourceDefinition.yaml"
@ -19,14 +24,13 @@ calico_files:
- "networkpolicies.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "networksets.crd.projectcalico.org-CustomResourceDefinition.yaml"
- "calico-kube-controllers-ClusterRole.yaml"
- "calico-kube-controllers-ClusterRoleBinding.yaml"
- "calico-node-ClusterRole.yaml"
- "calico-cni-plugin-ClusterRole.yaml"
- "calico-kube-controllers-ClusterRoleBinding.yaml"
- "calico-node-ClusterRoleBinding.yaml"
- "calico-cni-plugin-ClusterRoleBinding.yaml"
- "calico-node-DaemonSet.yaml"
- "calico-node-ServiceAccount.yaml"
- "calico-kube-controllers-Deployment.yaml"
- "calico-kube-controllers-ServiceAccount.yaml"
- "calico-kube-controllers-PodDisruptionBudget.yaml"
calicoctl_files:
- "calicoctl-ServiceAccount.yaml"