calico网卡未就绪

    https://blog.csdn.net/u011327801/article/details/100579803
    正常:

    [root@master ~]# kubectl get pod -A
    NAMESPACE NAME READY STATUS RESTARTS AGE
    kube-system calico-kube-controllers-77c4b7448-9nrx2 1/1 Running 0 26m
    kube-system calico-node-mc7s7 1/1 Running 0 26m
    kube-system calico-node-p8rm7 1/1 Running 0 21m
    kube-system calico-node-wwtkl 1/1 Running 0 21m
    kube-system coredns-9d85f5447-ht4c4 1/1 Running 0 35m
    kube-system coredns-9d85f5447-wvjlb 1/1 Running 0 35m
    kube-system etcd-master 1/1 Running 0 35m
    kube-system kube-apiserver-master 1/1 Running 0 35m
    kube-system kube-controller-manager-master 1/1 Running 0 35m
    kube-system kube-proxy-hgmjw 1/1 Running 1 21m
    kube-system kube-proxy-skc2k 1/1 Running 1 35m
    kube-system kube-proxy-zsnxv 1/1 Running 1 21m
    kube-system kube-scheduler-master 1/1 Running 0 35m
    [root@master ~]#
    [root@master ~]# ping 192.168.31.91
    PING 192.168.31.91 (192.168.31.91) 56(84) bytes of data.
    64 bytes from 192.168.31.91: icmp_seq=1 ttl=64 time=0.729 ms
    64 bytes from 192.168.31.91: icmp_seq=2 ttl=64 time=0.859 ms
    ^C
    --- 192.168.31.91 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 0.729/0.794/0.859/0.065 ms
    [root@master ~]# ping 192.168.31.92
    PING 192.168.31.92 (192.168.31.92) 56(84) bytes of data.
    64 bytes from 192.168.31.92: icmp_seq=1 ttl=64 time=0.389 ms
    64 bytes from 192.168.31.92: icmp_seq=2 ttl=64 time=0.932 ms
    64 bytes from 192.168.31.92: icmp_seq=3 ttl=64 time=2.06 ms
    64 bytes from 192.168.31.92: icmp_seq=4 ttl=64 time=0.768 ms
    ^C
    --- 192.168.31.92 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3001ms
    rtt min/avg/max/mdev = 0.389/1.038/2.065/0.625 ms
    [root@master ~]# ipvsadm -L
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
    -> RemoteAddress:Port Forward Weight ActiveConn InActConn
    TCP master:https rr
    -> master:sun-sr-https Masq 1 5 0
    TCP master:domain rr
    -> 192.168.219.65:domain Masq 1 0 0
    -> 192.168.219.67:domain Masq 1 0 0
    TCP master:9153 rr
    -> 192.168.219.65:9153 Masq 1 0 0
    -> 192.168.219.67:9153 Masq 1 0 0
    UDP master:domain rr
    -> 192.168.219.65:domain Masq 1 0 0
    -> 192.168.219.67:domain Masq 1 0 0
    [root@master ~]#
    [root@master ~]# ip route show
    default via 192.168.31.1 dev eth0 proto static metric 100
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.90 metric 100
    192.168.140.64/26 via 192.168.31.92 dev tunl0 proto bird onlink
    192.168.196.128/26 via 192.168.31.91 dev tunl0 proto bird onlink
    blackhole 192.168.219.64/26 proto bird
    192.168.219.65 dev calia1377bfae06 scope link
    192.168.219.66 dev cali3fffe2ec811 scope link
    192.168.219.67 dev cali57bd4ccf5ee scope link
    [root@master ~]# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.31.1 0.0.0.0 UG 100 0 0 eth0
    172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
    192.168.31.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
    192.168.140.64 192.168.31.92 255.255.255.192 UG 0 0 0 tunl0
    192.168.196.128 192.168.31.91 255.255.255.192 UG 0 0 0 tunl0
    192.168.219.64 0.0.0.0 255.255.255.192 U 0 0 0 *
    192.168.219.65 0.0.0.0 255.255.255.255 UH 0 0 0 calia1377bfae06
    192.168.219.66 0.0.0.0 255.255.255.255 UH 0 0 0 cali3fffe2ec811
    192.168.219.67 0.0.0.0 255.255.255.255 UH 0 0 0 cali57bd4ccf5ee
    [root@master ~]#

    异常:

    1. [root@master ~]# kubectl get po -n kube-system
    2. NAME READY STATUS RESTARTS AGE
    3. calico-kube-controllers-77c4b7448-9nrx2 1/1 Running 14 67d
    4. calico-node-mc7s7 0/1 Running 15 67d
    5. calico-node-p8rm7 1/1 Running 9 67d
    6. calico-node-wwtkl 1/1 Running 9 67d
    7. coredns-66bff467f8-2bsdr 0/1 Running 0 11m
    8. coredns-66bff467f8-5gsjh 0/1 Running 0 11m
    9. coredns-9d85f5447-wvjlb 1/1 Running 14 67d
    10. etcd-master 1/1 Running 6 12d
    11. kube-apiserver-master 1/1 Running 0 12m
    12. kube-controller-manager-master 1/1 Running 0 12m
    13. kube-proxy-69xfs 1/1 Running 0 11m
    14. kube-proxy-fxwgp 1/1 Running 0 11m
    15. kube-proxy-kgfbx 1/1 Running 0 11m
    16. kube-scheduler-master 1/1 Running 0 12m
    1. Events:
    2. Type Reason Age From Message
    3. ---- ------ ---- ---- -------
    4. Warning Unhealthy 13m (x1279 over 3h51m) kubelet, master (combined from similar events): Readiness probe failed: calico/node is not ready: BIRD is not ready: BGP not established with 192.168.31.91,192.168.31.92
    2020-04-12 11:59:28.313 [INFO][42895] health.go 156: Number of node(s) with BGP peering established = 0
    1. /*
    2. 调整 calico 网络插件的网卡发现机制，即修改环境变量 IP_AUTODETECTION_METHOD 对应的 value。官方提供的 yaml 文件中没有配置该 IP 自动检测策略（IP_AUTODETECTION_METHOD），默认为 first-found，这会把第一个被发现、可能网络异常的 IP 注册为 nodeIP，从而影响 node-to-node mesh（上文 Events 中的 "BGP not established" 即为此症状）。可以改为 can-reach 或 interface 策略：can-reach 通过尝试连接某一个 Ready 节点的 IP 选出正确的本机 IP，interface 则按网卡名正则匹配。
    3. */
    4. // 在 calico.yaml 中（与下方 CLUSTER_TYPE 同一个 env 列表）添加以下两行
    5. - name: IP_AUTODETECTION_METHOD
    6. value: "interface=ens.*" # ens 需按节点实际网卡名前缀配置；注意上文 ip route show 输出中的网卡是 eth0，此类节点应写 interface=eth.*（或精确名如 eth0），否则正则匹配不到网卡
    7. // 配置如下
    8. - name: CLUSTER_TYPE
    9. value: "k8s,bgp"
    10. - name: IP_AUTODETECTION_METHOD
    11. value: "interface=ens.*"
    12. #或者 value: "interface=ens160"
    13. # Auto-detect the BGP IP address.
    14. - name: IP
    15. value: "autodetect"
    16. # Enable IPIP
    17. - name: CALICO_IPV4POOL_IPIP
    18. value: "Always"
    1. [root@master ~]# kubectl get pod -A
    2. NAMESPACE NAME READY STATUS RESTARTS AGE
    3. kube-system calico-kube-controllers-77c4b7448-9nrx2 1/1 Running 14 67d
    4. kube-system calico-node-dvmcz 1/1 Running 0 17s
    5. kube-system calico-node-w6lfn 1/1 Running 0 30s
    6. kube-system calico-node-z5db9 0/1 Running 0 8s
    7. kube-system coredns-66bff467f8-2bsdr 0/1 Running 0 17m
    8. kube-system coredns-66bff467f8-5gsjh 0/1 Running 0 17m
    9. kube-system coredns-9d85f5447-wvjlb 1/1 Running 14 67d
    10. kube-system etcd-master 1/1 Running 6 12d
    11. kube-system kube-apiserver-master 1/1 Running 0 17m
    12. kube-system kube-controller-manager-master 1/1 Running 0 17m
    13. kube-system kube-proxy-69xfs 1/1 Running 0 16m
    14. kube-system kube-proxy-fxwgp 1/1 Running 0 16m
    15. kube-system kube-proxy-kgfbx 1/1 Running 0 16m
    16. kube-system kube-scheduler-master 1/1 Running 0 17m
    1. ---
    2. # Source: calico/templates/calico-config.yaml
    3. # This ConfigMap is used to configure a self-hosted Calico installation.
    4. kind: ConfigMap
    5. apiVersion: v1
    6. metadata:
    7. name: calico-config
    8. namespace: kube-system
    9. data:
    10. # Typha is disabled.
    11. typha_service_name: "none"
    12. # Configure the backend to use.
    13. calico_backend: "bird"
    14. # Configure the MTU to use for workload interfaces and tunnels.
    15. # By default, MTU is auto-detected, and explicitly setting this field should not be required.
    16. # You can override auto-detection by providing a non-zero value.
    17. veth_mtu: "0"
    18. # The CNI network configuration to install on each node. The special
    19. # values in this config will be automatically populated.
    20. cni_network_config: |-
    21. {
    22. "name": "k8s-pod-network",
    23. "cniVersion": "0.3.1",
    24. "plugins": [
    25. {
    26. "type": "calico",
    27. "log_level": "info",
    28. "log_file_path": "/var/log/calico/cni/cni.log",
    29. "datastore_type": "kubernetes",
    30. "nodename": "__KUBERNETES_NODE_NAME__",
    31. "mtu": __CNI_MTU__,
    32. "ipam": {
    33. "type": "calico-ipam"
    34. },
    35. "policy": {
    36. "type": "k8s"
    37. },
    38. "kubernetes": {
    39. "kubeconfig": "__KUBECONFIG_FILEPATH__"
    40. }
    41. },
    42. {
    43. "type": "portmap",
    44. "snat": true,
    45. "capabilities": {"portMappings": true}
    46. },
    47. {
    48. "type": "bandwidth",
    49. "capabilities": {"bandwidth": true}
    50. }
    51. ]
    52. }
    53. ---
    54. # Source: calico/templates/kdd-crds.yaml
    55. apiVersion: apiextensions.k8s.io/v1
    56. kind: CustomResourceDefinition
    57. metadata:
    58. name: bgpconfigurations.crd.projectcalico.org
    59. spec:
    60. group: crd.projectcalico.org
    61. names:
    62. kind: BGPConfiguration
    63. listKind: BGPConfigurationList
    64. plural: bgpconfigurations
    65. singular: bgpconfiguration
    66. scope: Cluster
    67. versions:
    68. - name: v1
    69. schema:
    70. openAPIV3Schema:
    71. description: BGPConfiguration contains the configuration for any BGP routing.
    72. properties:
    73. apiVersion:
    74. description: 'APIVersion defines the versioned schema of this representation
    75. of an object. Servers should convert recognized schemas to the latest
    76. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    77. type: string
    78. kind:
    79. description: 'Kind is a string value representing the REST resource this
    80. object represents. Servers may infer this from the endpoint the client
    81. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    82. type: string
    83. metadata:
    84. type: object
    85. spec:
    86. description: BGPConfigurationSpec contains the values of the BGP configuration.
    87. properties:
    88. asNumber:
    89. description: 'ASNumber is the default AS number used by a node. [Default:
    90. 64512]'
    91. format: int32
    92. type: integer
    93. communities:
    94. description: Communities is a list of BGP community values and their
    95. arbitrary names for tagging routes.
    96. items:
    97. description: Community contains standard or large community value
    98. and its name.
    99. properties:
    100. name:
    101. description: Name given to community value.
    102. type: string
    103. value:
    104. description: Value must be of format `aa:nn` or `aa:nn:mm`.
    105. For standard community use `aa:nn` format, where `aa` and
    106. `nn` are 16 bit number. For large community use `aa:nn:mm`
    107. format, where `aa`, `nn` and `mm` are 32 bit number. Where,
    108. `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
    109. pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
    110. type: string
    111. type: object
    112. type: array
    113. listenPort:
    114. description: ListenPort is the port where BGP protocol should listen.
    115. Defaults to 179
    116. maximum: 65535
    117. minimum: 1
    118. type: integer
    119. logSeverityScreen:
    120. description: 'LogSeverityScreen is the log severity above which logs
    121. are sent to the stdout. [Default: INFO]'
    122. type: string
    123. nodeToNodeMeshEnabled:
    124. description: 'NodeToNodeMeshEnabled sets whether full node to node
    125. BGP mesh is enabled. [Default: true]'
    126. type: boolean
    127. prefixAdvertisements:
    128. description: PrefixAdvertisements contains per-prefix advertisement
    129. configuration.
    130. items:
    131. description: PrefixAdvertisement configures advertisement properties
    132. for the specified CIDR.
    133. properties:
    134. cidr:
    135. description: CIDR for which properties should be advertised.
    136. type: string
    137. communities:
    138. description: Communities can be list of either community names
    139. already defined in `Specs.Communities` or community value
    140. of format `aa:nn` or `aa:nn:mm`. For standard community use
    141. `aa:nn` format, where `aa` and `nn` are 16 bit number. For
    142. large community use `aa:nn:mm` format, where `aa`, `nn` and
    143. `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
    144. `mm` are per-AS identifier.
    145. items:
    146. type: string
    147. type: array
    148. type: object
    149. type: array
    150. serviceClusterIPs:
    151. description: ServiceClusterIPs are the CIDR blocks from which service
    152. cluster IPs are allocated. If specified, Calico will advertise these
    153. blocks, as well as any cluster IPs within them.
    154. items:
    155. description: ServiceClusterIPBlock represents a single allowed ClusterIP
    156. CIDR block.
    157. properties:
    158. cidr:
    159. type: string
    160. type: object
    161. type: array
    162. serviceExternalIPs:
    163. description: ServiceExternalIPs are the CIDR blocks for Kubernetes
    164. Service External IPs. Kubernetes Service ExternalIPs will only be
    165. advertised if they are within one of these blocks.
    166. items:
    167. description: ServiceExternalIPBlock represents a single allowed
    168. External IP CIDR block.
    169. properties:
    170. cidr:
    171. type: string
    172. type: object
    173. type: array
    174. serviceLoadBalancerIPs:
    175. description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
    176. Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
    177. IPs will only be advertised if they are within one of these blocks.
    178. items:
    179. description: ServiceLoadBalancerIPBlock represents a single allowed
    180. LoadBalancer IP CIDR block.
    181. properties:
    182. cidr:
    183. type: string
    184. type: object
    185. type: array
    186. type: object
    187. type: object
    188. served: true
    189. storage: true
    190. status:
    191. acceptedNames:
    192. kind: ""
    193. plural: ""
    194. conditions: []
    195. storedVersions: []
    196. ---
    197. apiVersion: apiextensions.k8s.io/v1
    198. kind: CustomResourceDefinition
    199. metadata:
    200. name: bgppeers.crd.projectcalico.org
    201. spec:
    202. group: crd.projectcalico.org
    203. names:
    204. kind: BGPPeer
    205. listKind: BGPPeerList
    206. plural: bgppeers
    207. singular: bgppeer
    208. scope: Cluster
    209. versions:
    210. - name: v1
    211. schema:
    212. openAPIV3Schema:
    213. properties:
    214. apiVersion:
    215. description: 'APIVersion defines the versioned schema of this representation
    216. of an object. Servers should convert recognized schemas to the latest
    217. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    218. type: string
    219. kind:
    220. description: 'Kind is a string value representing the REST resource this
    221. object represents. Servers may infer this from the endpoint the client
    222. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    223. type: string
    224. metadata:
    225. type: object
    226. spec:
    227. description: BGPPeerSpec contains the specification for a BGPPeer resource.
    228. properties:
    229. asNumber:
    230. description: The AS Number of the peer.
    231. format: int32
    232. type: integer
    233. keepOriginalNextHop:
    234. description: Option to keep the original nexthop field when routes
    235. are sent to a BGP Peer. Setting "true" configures the selected BGP
    236. Peers node to use the "next hop keep;" instead of "next hop self;"(default)
    237. in the specific branch of the Node on "bird.cfg".
    238. type: boolean
    239. node:
    240. description: The node name identifying the Calico node instance that
    241. is targeted by this peer. If this is not set, and no nodeSelector
    242. is specified, then this BGP peer selects all nodes in the cluster.
    243. type: string
    244. nodeSelector:
    245. description: Selector for the nodes that should have this peering. When
    246. this is set, the Node field must be empty.
    247. type: string
    248. password:
    249. description: Optional BGP password for the peerings generated by this
    250. BGPPeer resource.
    251. properties:
    252. secretKeyRef:
    253. description: Selects a key of a secret in the node pod's namespace.
    254. properties:
    255. key:
    256. description: The key of the secret to select from. Must be
    257. a valid secret key.
    258. type: string
    259. name:
    260. description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
    261. TODO: Add other useful fields. apiVersion, kind, uid?'
    262. type: string
    263. optional:
    264. description: Specify whether the Secret or its key must be
    265. defined
    266. type: boolean
    267. required:
    268. - key
    269. type: object
    270. type: object
    271. peerIP:
    272. description: The IP address of the peer followed by an optional port
    273. number to peer with. If port number is given, format should be `[<IPv6>]:port`
    274. or `<IPv4>:<port>` for IPv4. If optional port number is not set,
    275. and this peer IP and ASNumber belongs to a calico/node with ListenPort
    276. set in BGPConfiguration, then we use that port to peer.
    277. type: string
    278. peerSelector:
    279. description: Selector for the remote nodes to peer with. When this
    280. is set, the PeerIP and ASNumber fields must be empty. For each
    281. peering between the local node and selected remote nodes, we configure
    282. an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
    283. and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
    284. remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
    285. or the global default if that is not set.
    286. type: string
    287. sourceAddress:
    288. description: Specifies whether and how to configure a source address
    289. for the peerings generated by this BGPPeer resource. Default value
    290. "UseNodeIP" means to configure the node IP as the source address. "None"
    291. means not to configure a source address.
    292. type: string
    293. type: object
    294. type: object
    295. served: true
    296. storage: true
    297. status:
    298. acceptedNames:
    299. kind: ""
    300. plural: ""
    301. conditions: []
    302. storedVersions: []
    303. ---
    304. apiVersion: apiextensions.k8s.io/v1
    305. kind: CustomResourceDefinition
    306. metadata:
    307. name: blockaffinities.crd.projectcalico.org
    308. spec:
    309. group: crd.projectcalico.org
    310. names:
    311. kind: BlockAffinity
    312. listKind: BlockAffinityList
    313. plural: blockaffinities
    314. singular: blockaffinity
    315. scope: Cluster
    316. versions:
    317. - name: v1
    318. schema:
    319. openAPIV3Schema:
    320. properties:
    321. apiVersion:
    322. description: 'APIVersion defines the versioned schema of this representation
    323. of an object. Servers should convert recognized schemas to the latest
    324. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    325. type: string
    326. kind:
    327. description: 'Kind is a string value representing the REST resource this
    328. object represents. Servers may infer this from the endpoint the client
    329. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    330. type: string
    331. metadata:
    332. type: object
    333. spec:
    334. description: BlockAffinitySpec contains the specification for a BlockAffinity
    335. resource.
    336. properties:
    337. cidr:
    338. type: string
    339. deleted:
    340. description: Deleted indicates that this block affinity is being deleted.
    341. This field is a string for compatibility with older releases that
    342. mistakenly treat this field as a string.
    343. type: string
    344. node:
    345. type: string
    346. state:
    347. type: string
    348. required:
    349. - cidr
    350. - deleted
    351. - node
    352. - state
    353. type: object
    354. type: object
    355. served: true
    356. storage: true
    357. status:
    358. acceptedNames:
    359. kind: ""
    360. plural: ""
    361. conditions: []
    362. storedVersions: []
    363. ---
    364. apiVersion: apiextensions.k8s.io/v1
    365. kind: CustomResourceDefinition
    366. metadata:
    367. name: clusterinformations.crd.projectcalico.org
    368. spec:
    369. group: crd.projectcalico.org
    370. names:
    371. kind: ClusterInformation
    372. listKind: ClusterInformationList
    373. plural: clusterinformations
    374. singular: clusterinformation
    375. scope: Cluster
    376. versions:
    377. - name: v1
    378. schema:
    379. openAPIV3Schema:
    380. description: ClusterInformation contains the cluster specific information.
    381. properties:
    382. apiVersion:
    383. description: 'APIVersion defines the versioned schema of this representation
    384. of an object. Servers should convert recognized schemas to the latest
    385. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    386. type: string
    387. kind:
    388. description: 'Kind is a string value representing the REST resource this
    389. object represents. Servers may infer this from the endpoint the client
    390. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    391. type: string
    392. metadata:
    393. type: object
    394. spec:
    395. description: ClusterInformationSpec contains the values of describing
    396. the cluster.
    397. properties:
    398. calicoVersion:
    399. description: CalicoVersion is the version of Calico that the cluster
    400. is running
    401. type: string
    402. clusterGUID:
    403. description: ClusterGUID is the GUID of the cluster
    404. type: string
    405. clusterType:
    406. description: ClusterType describes the type of the cluster
    407. type: string
    408. datastoreReady:
    409. description: DatastoreReady is used during significant datastore migrations
    410. to signal to components such as Felix that it should wait before
    411. accessing the datastore.
    412. type: boolean
    413. variant:
    414. description: Variant declares which variant of Calico should be active.
    415. type: string
    416. type: object
    417. type: object
    418. served: true
    419. storage: true
    420. status:
    421. acceptedNames:
    422. kind: ""
    423. plural: ""
    424. conditions: []
    425. storedVersions: []
    426. ---
    427. apiVersion: apiextensions.k8s.io/v1
    428. kind: CustomResourceDefinition
    429. metadata:
    430. name: felixconfigurations.crd.projectcalico.org
    431. spec:
    432. group: crd.projectcalico.org
    433. names:
    434. kind: FelixConfiguration
    435. listKind: FelixConfigurationList
    436. plural: felixconfigurations
    437. singular: felixconfiguration
    438. scope: Cluster
    439. versions:
    440. - name: v1
    441. schema:
    442. openAPIV3Schema:
    443. description: Felix Configuration contains the configuration for Felix.
    444. properties:
    445. apiVersion:
    446. description: 'APIVersion defines the versioned schema of this representation
    447. of an object. Servers should convert recognized schemas to the latest
    448. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    449. type: string
    450. kind:
    451. description: 'Kind is a string value representing the REST resource this
    452. object represents. Servers may infer this from the endpoint the client
    453. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    454. type: string
    455. metadata:
    456. type: object
    457. spec:
    458. description: FelixConfigurationSpec contains the values of the Felix configuration.
    459. properties:
    460. allowIPIPPacketsFromWorkloads:
    461. description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
    462. will add a rule to drop IPIP encapsulated traffic from workloads
    463. [Default: false]'
    464. type: boolean
    465. allowVXLANPacketsFromWorkloads:
    466. description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
    467. will add a rule to drop VXLAN encapsulated traffic from workloads
    468. [Default: false]'
    469. type: boolean
    470. awsSrcDstCheck:
    471. description: 'Set source-destination-check on AWS EC2 instances. Accepted
    472. value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
    473. DoNothing]'
    474. enum:
    475. - DoNothing
    476. - Enable
    477. - Disable
    478. type: string
    479. bpfConnectTimeLoadBalancingEnabled:
    480. description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
    481. controls whether Felix installs the connection-time load balancer. The
    482. connect-time load balancer is required for the host to be able to
    483. reach Kubernetes services and it improves the performance of pod-to-service
    484. connections. The only reason to disable it is for debugging purposes. [Default:
    485. true]'
    486. type: boolean
    487. bpfDataIfacePattern:
    488. description: BPFDataIfacePattern is a regular expression that controls
    489. which interfaces Felix should attach BPF programs to in order to
    490. catch traffic to/from the network. This needs to match the interfaces
    491. that Calico workload traffic flows over as well as any interfaces
    492. that handle incoming traffic to nodeports and services from outside
    493. the cluster. It should not match the workload interfaces (usually
    494. named cali...).
    495. type: string
    496. bpfDisableUnprivileged:
    497. description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
    498. sysctl to disable unprivileged use of BPF. This ensures that unprivileged
    499. users cannot access Calico''s BPF maps and cannot insert their own
    500. BPF programs to interfere with Calico''s. [Default: true]'
    501. type: boolean
    502. bpfEnabled:
    503. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
    504. [Default: false]'
    505. type: boolean
    506. bpfExternalServiceMode:
    507. description: 'BPFExternalServiceMode in BPF mode, controls how connections
    508. from outside the cluster to services (node ports and cluster IPs)
    509. are forwarded to remote workloads. If set to "Tunnel" then both
    510. request and response traffic is tunneled to the remote node. If
    511. set to "DSR", the request traffic is tunneled but the response traffic
    512. is sent directly from the remote node. In "DSR" mode, the remote
    513. node appears to use the IP of the ingress node; this requires a
    514. permissive L2 network. [Default: Tunnel]'
    515. type: string
    516. bpfKubeProxyEndpointSlicesEnabled:
    517. description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
    518. whether Felix's embedded kube-proxy accepts EndpointSlices or not.
    519. type: boolean
    520. bpfKubeProxyIptablesCleanupEnabled:
    521. description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
    522. mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
    523. iptables chains. Should only be enabled if kube-proxy is not running. [Default:
    524. true]'
    525. type: boolean
    526. bpfKubeProxyMinSyncPeriod:
    527. description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
    528. minimum time between updates to the dataplane for Felix''s embedded
    529. kube-proxy. Lower values give reduced set-up latency. Higher values
    530. reduce Felix CPU usage by batching up more work. [Default: 1s]'
    531. type: string
    532. bpfLogLevel:
    533. description: 'BPFLogLevel controls the log level of the BPF programs
    534. when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
    535. logs are emitted to the BPF trace pipe, accessible with the command
    536. `tc exec bpf debug`. [Default: Off].'
    537. type: string
    538. chainInsertMode:
    539. description: 'ChainInsertMode controls whether Felix hooks the kernel''s
    540. top-level iptables chains by inserting a rule at the top of the
    541. chain or by appending a rule at the bottom. insert is the safe default
    542. since it prevents Calico''s rules from being bypassed. If you switch
    543. to append mode, be sure that the other rules in the chains signal
    544. acceptance by falling through to the Calico rules, otherwise the
    545. Calico policy will be bypassed. [Default: insert]'
    546. type: string
    547. dataplaneDriver:
    548. type: string
    549. debugDisableLogDropping:
    550. type: boolean
    551. debugMemoryProfilePath:
    552. type: string
    553. debugSimulateCalcGraphHangAfter:
    554. type: string
    555. debugSimulateDataplaneHangAfter:
    556. type: string
    557. defaultEndpointToHostAction:
    558. description: 'DefaultEndpointToHostAction controls what happens to
    559. traffic that goes from a workload endpoint to the host itself (after
    560. the traffic hits the endpoint egress policy). By default Calico
    561. blocks traffic from workload endpoints to the host itself with an
    562. iptables "DROP" action. If you want to allow some or all traffic
    563. from endpoint to host, set this parameter to RETURN or ACCEPT. Use
    564. RETURN if you have your own rules in the iptables "INPUT" chain;
    565. Calico will insert its rules at the top of that chain, then "RETURN"
    566. packets to the "INPUT" chain once it has completed processing workload
    567. endpoint egress policy. Use ACCEPT to unconditionally accept packets
    568. from workloads after processing workload endpoint egress policy.
    569. [Default: Drop]'
    570. type: string
    571. deviceRouteProtocol:
    572. description: This defines the route protocol added to programmed device
    573. routes, by default this will be RTPROT_BOOT when left blank.
    574. type: integer
    575. deviceRouteSourceAddress:
    576. description: This is the source address to use on programmed device
    577. routes. By default the source address is left blank, leaving the
    578. kernel to choose the source address used.
    579. type: string
    580. disableConntrackInvalidCheck:
    581. type: boolean
    582. endpointReportingDelay:
    583. type: string
    584. endpointReportingEnabled:
    585. type: boolean
    586. externalNodesList:
    587. description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
    588. which may source tunnel traffic and have the tunneled traffic be
    589. accepted at calico nodes.
    590. items:
    591. type: string
    592. type: array
    593. failsafeInboundHostPorts:
    594. description: 'FailsafeInboundHostPorts is a comma-delimited list of
    595. UDP/TCP ports that Felix will allow incoming traffic to host endpoints
    596. on irrespective of the security policy. This is useful to avoid
    597. accidentally cutting off a host with incorrect configuration. Each
    598. port should be specified as tcp:<port-number> or udp:<port-number>.
    599. For back-compatibility, if the protocol is not specified, it defaults
    600. to "tcp". To disable all inbound host ports, use the value none.
    601. The default value allows ssh access and DHCP. [Default: tcp:22,
    602. udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
    603. items:
    604. description: ProtoPort is a combination of protocol and port; both
    605. must be specified.
    606. properties:
    607. port:
    608. type: integer
    609. protocol:
    610. type: string
    611. required:
    612. - port
    613. - protocol
    614. type: object
    615. type: array
    616. failsafeOutboundHostPorts:
    617. description: 'FailsafeOutboundHostPorts is a comma-delimited list
    618. of UDP/TCP ports that Felix will allow outgoing traffic from host
    619. endpoints to irrespective of the security policy. This is useful
    620. to avoid accidentally cutting off a host with incorrect configuration.
    621. Each port should be specified as tcp:<port-number> or udp:<port-number>.
    622. For back-compatibility, if the protocol is not specified, it defaults
    623. to "tcp". To disable all outbound host ports, use the value none.
    624. The default value opens etcd''s standard ports to ensure that Felix
    625. does not get cut off from etcd as well as allowing DHCP and DNS.
    626. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
    627. udp:53, udp:67]'
    628. items:
    629. description: ProtoPort is a combination of protocol and port; both
    630. must be specified.
    631. properties:
    632. port:
    633. type: integer
    634. protocol:
    635. type: string
    636. required:
    637. - port
    638. - protocol
    639. type: object
    640. type: array
    641. featureDetectOverride:
    642. description: FeatureDetectOverride is used to override the feature
    643. detection. Values are specified in a comma separated list with no
    644. spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
    645. "true" or "false" will force the feature, empty or omitted values
    646. are auto-detected.
    647. type: string
    648. genericXDPEnabled:
    649. description: 'GenericXDPEnabled enables Generic XDP so network cards
    650. that don''t support XDP offload or driver modes can use XDP. This
    651. is not recommended since it doesn''t provide better performance
    652. than iptables. [Default: false]'
    653. type: boolean
    654. healthEnabled:
    655. type: boolean
    656. healthHost:
    657. type: string
    658. healthPort:
    659. type: integer
    660. interfaceExclude:
    661. description: 'InterfaceExclude is a comma-separated list of interfaces
    662. that Felix should exclude when monitoring for host endpoints. The
    663. default value ensures that Felix ignores Kubernetes'' IPVS dummy
    664. interface, which is used internally by kube-proxy. If you want to
    665. exclude multiple interface names using a single value, the list
    666. supports regular expressions. For regular expressions you must wrap
    667. the value with ''/''. For example having values ''/^kube/,veth1''
    668. will exclude all interfaces that begin with ''kube'' and also the
    669. interface ''veth1''. [Default: kube-ipvs0]'
    670. type: string
    671. interfacePrefix:
    672. description: 'InterfacePrefix is the interface name prefix that identifies
    673. workload endpoints and so distinguishes them from host endpoint
    674. interfaces. Note: in environments other than bare metal, the orchestrators
    675. configure this appropriately. For example our Kubernetes and Docker
    676. integrations set the ''cali'' value, and our OpenStack integration
    677. sets the ''tap'' value. [Default: cali]'
    678. type: string
    679. interfaceRefreshInterval:
    680. description: InterfaceRefreshInterval is the period at which Felix
    681. rescans local interfaces to verify their state. The rescan can be
    682. disabled by setting the interval to 0.
    683. type: string
    684. ipipEnabled:
    685. type: boolean
    686. ipipMTU:
    687. description: 'IPIPMTU is the MTU to set on the tunnel device. See
    688. Configuring MTU [Default: 1440]'
    689. type: integer
    690. ipsetsRefreshInterval:
    691. description: 'IpsetsRefreshInterval is the period at which Felix re-checks
    692. all iptables state to ensure that no other process has accidentally
    693. broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
    694. 90s]'
    695. type: string
    696. iptablesBackend:
    697. description: IptablesBackend specifies which backend of iptables will
    698. be used. The default is legacy.
    699. type: string
    700. iptablesFilterAllowAction:
    701. type: string
    702. iptablesLockFilePath:
    703. description: 'IptablesLockFilePath is the location of the iptables
    704. lock file. You may need to change this if the lock file is not in
    705. its standard location (for example if you have mapped it into Felix''s
    706. container at a different path). [Default: /run/xtables.lock]'
    707. type: string
    708. iptablesLockProbeInterval:
    709. description: 'IptablesLockProbeInterval is the time that Felix will
    710. wait between attempts to acquire the iptables lock if it is not
    711. available. Lower values make Felix more responsive when the lock
    712. is contended, but use more CPU. [Default: 50ms]'
    713. type: string
    714. iptablesLockTimeout:
    715. description: 'IptablesLockTimeout is the time that Felix will wait
    716. for the iptables lock, or 0, to disable. To use this feature, Felix
    717. must share the iptables lock file with all other processes that
    718. also take the lock. When running Felix inside a container, this
    719. requires the /run directory of the host to be mounted into the calico/node
    720. or calico/felix container. [Default: 0s disabled]'
    721. type: string
    722. iptablesMangleAllowAction:
    723. type: string
    724. iptablesMarkMask:
    725. description: 'IptablesMarkMask is the mask that Felix selects its
    726. IPTables Mark bits from. Should be a 32 bit hexadecimal number with
    727. at least 8 bits set, none of which clash with any other mark bits
    728. in use on the system. [Default: 0xff000000]'
    729. format: int32
    730. type: integer
    731. iptablesNATOutgoingInterfaceFilter:
    732. type: string
    733. iptablesPostWriteCheckInterval:
    734. description: 'IptablesPostWriteCheckInterval is the period after Felix
    735. has done a write to the dataplane that it schedules an extra read
    736. back in order to check the write was not clobbered by another process.
    737. This should only occur if another application on the system doesn''t
    738. respect the iptables lock. [Default: 1s]'
    739. type: string
    740. iptablesRefreshInterval:
    741. description: 'IptablesRefreshInterval is the period at which Felix
    742. re-checks the IP sets in the dataplane to ensure that no other process
    743. has accidentally broken Calico''s rules. Set to 0 to disable IP
    744. sets refresh. Note: the default for this value is lower than the
    745. other refresh intervals as a workaround for a Linux kernel bug that
    746. was fixed in kernel version 4.11. If you are using v4.11 or greater
    747. you may want to set this to a higher value to reduce Felix CPU
    748. usage. [Default: 10s]'
    749. type: string
    750. ipv6Support:
    751. type: boolean
    752. kubeNodePortRanges:
    753. description: 'KubeNodePortRanges holds list of port ranges used for
    754. service node ports. Only used if felix detects kube-proxy running
    755. in ipvs mode. Felix uses these ranges to separate host and workload
    756. traffic. [Default: 30000:32767].'
    757. items:
    758. anyOf:
    759. - type: integer
    760. - type: string
    761. pattern: ^.*
    762. x-kubernetes-int-or-string: true
    763. type: array
    764. logFilePath:
    765. description: 'LogFilePath is the full path to the Felix log. Set to
    766. none to disable file logging. [Default: /var/log/calico/felix.log]'
    767. type: string
    768. logPrefix:
    769. description: 'LogPrefix is the log prefix that Felix uses when rendering
    770. LOG rules. [Default: calico-packet]'
    771. type: string
    772. logSeverityFile:
    773. description: 'LogSeverityFile is the log severity above which logs
    774. are sent to the log file. [Default: Info]'
    775. type: string
    776. logSeverityScreen:
    777. description: 'LogSeverityScreen is the log severity above which logs
    778. are sent to the stdout. [Default: Info]'
    779. type: string
    780. logSeveritySys:
    781. description: 'LogSeveritySys is the log severity above which logs
    782. are sent to the syslog. Set to None for no logging to syslog. [Default:
    783. Info]'
    784. type: string
    785. maxIpsetSize:
    786. type: integer
    787. metadataAddr:
    788. description: 'MetadataAddr is the IP address or domain name of the
    789. server that can answer VM queries for cloud-init metadata. In OpenStack,
    790. this corresponds to the machine running nova-api (or in Ubuntu,
    791. nova-api-metadata). A value of none (case insensitive) means that
    792. Felix should not set up any NAT rule for the metadata path. [Default:
    793. 127.0.0.1]'
    794. type: string
    795. metadataPort:
    796. description: 'MetadataPort is the port of the metadata server. This,
    797. combined with global.MetadataAddr (if not ''None''), is used to
    798. set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
    799. In most cases this should not need to be changed [Default: 8775].'
    800. type: integer
    801. mtuIfacePattern:
    802. description: MTUIfacePattern is a regular expression that controls
    803. which interfaces Felix should scan in order to calculate the host's
    804. MTU. This should not match workload interfaces (usually named cali...).
    805. type: string
    806. natOutgoingAddress:
    807. description: NATOutgoingAddress specifies an address to use when performing
    808. source NAT for traffic in a natOutgoing pool that is leaving the
    809. network. By default the address used is an address on the interface
    810. the traffic is leaving on (ie it uses the iptables MASQUERADE target)
    811. type: string
    812. natPortRange:
    813. anyOf:
    814. - type: integer
    815. - type: string
    816. description: NATPortRange specifies the range of ports that is used
    817. for port mapping when doing outgoing NAT. When unset the default
    818. behavior of the network stack is used.
    819. pattern: ^.*
    820. x-kubernetes-int-or-string: true
    821. netlinkTimeout:
    822. type: string
    823. openstackRegion:
    824. description: 'OpenstackRegion is the name of the region that a particular
    825. Felix belongs to. In a multi-region Calico/OpenStack deployment,
    826. this must be configured somehow for each Felix (here in the datamodel,
    827. or in felix.cfg or the environment on each compute node), and must
    828. match the [calico] openstack_region value configured in neutron.conf
    829. on each node. [Default: Empty]'
    830. type: string
    831. policySyncPathPrefix:
    832. description: 'PolicySyncPathPrefix is used by Felix to communicate
    833. policy changes to external services, like Application layer policy.
    834. [Default: Empty]'
    835. type: string
    836. prometheusGoMetricsEnabled:
    837. description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
    838. collection, which the Prometheus client does by default, when set
    839. to false. This reduces the number of metrics reported, reducing
    840. Prometheus load. [Default: true]'
    841. type: boolean
    842. prometheusMetricsEnabled:
    843. description: 'PrometheusMetricsEnabled enables the Prometheus metrics
    844. server in Felix if set to true. [Default: false]'
    845. type: boolean
    846. prometheusMetricsHost:
    847. description: 'PrometheusMetricsHost is the host that the Prometheus
    848. metrics server should bind to. [Default: empty]'
    849. type: string
    850. prometheusMetricsPort:
    851. description: 'PrometheusMetricsPort is the TCP port that the Prometheus
    852. metrics server should bind to. [Default: 9091]'
    853. type: integer
    854. prometheusProcessMetricsEnabled:
    855. description: 'PrometheusProcessMetricsEnabled disables process metrics
    856. collection, which the Prometheus client does by default, when set
    857. to false. This reduces the number of metrics reported, reducing
    858. Prometheus load. [Default: true]'
    859. type: boolean
    860. removeExternalRoutes:
    861. description: Whether or not to remove device routes that have not
    862. been programmed by Felix. Disabling this will allow external applications
    863. to also add device routes. This is enabled by default which means
    864. we will remove externally added routes.
    865. type: boolean
    866. reportingInterval:
    867. description: 'ReportingInterval is the interval at which Felix reports
    868. its status into the datastore or 0 to disable. Must be non-zero
    869. in OpenStack deployments. [Default: 30s]'
    870. type: string
    871. reportingTTL:
    872. description: 'ReportingTTL is the time-to-live setting for process-wide
    873. status reports. [Default: 90s]'
    874. type: string
    875. routeRefreshInterval:
    876. description: 'RouteRefreshInterval is the period at which Felix re-checks
    877. the routes in the dataplane to ensure that no other process has
    878. accidentally broken Calico''s rules. Set to 0 to disable route refresh.
    879. [Default: 90s]'
    880. type: string
    881. routeSource:
    882. description: 'RouteSource configures where Felix gets its routing
    883. information. - WorkloadIPs: use workload endpoints to construct
    884. routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
    885. type: string
    886. routeTableRange:
    887. description: Calico programs additional Linux route tables for various
    888. purposes. RouteTableRange specifies the indices of the route tables
    889. that Calico should use.
    890. properties:
    891. max:
    892. type: integer
    893. min:
    894. type: integer
    895. required:
    896. - max
    897. - min
    898. type: object
    899. serviceLoopPrevention:
    900. description: 'When service IP advertisement is enabled, prevent routing
    901. loops to service IPs that are not in use, by dropping or rejecting
    902. packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
    903. in which case such routing loops continue to be allowed. [Default:
    904. Drop]'
    905. type: string
    906. sidecarAccelerationEnabled:
    907. description: 'SidecarAccelerationEnabled enables experimental sidecar
    908. acceleration [Default: false]'
    909. type: boolean
    910. usageReportingEnabled:
    911. description: 'UsageReportingEnabled reports anonymous Calico version
    912. number and cluster size to projectcalico.org. Logs warnings returned
    913. by the usage server. For example, if a significant security vulnerability
    914. has been discovered in the version of Calico being used. [Default:
    915. true]'
    916. type: boolean
    917. usageReportingInitialDelay:
    918. description: 'UsageReportingInitialDelay controls the minimum delay
    919. before Felix makes a report. [Default: 300s]'
    920. type: string
    921. usageReportingInterval:
    922. description: 'UsageReportingInterval controls the interval at which
    923. Felix makes reports. [Default: 86400s]'
    924. type: string
    925. useInternalDataplaneDriver:
    926. type: boolean
    927. vxlanEnabled:
    928. type: boolean
    929. vxlanMTU:
    930. description: 'VXLANMTU is the MTU to set on the tunnel device. See
    931. Configuring MTU [Default: 1440]'
    932. type: integer
    933. vxlanPort:
    934. type: integer
    935. vxlanVNI:
    936. type: integer
    937. wireguardEnabled:
    938. description: 'WireguardEnabled controls whether Wireguard is enabled.
    939. [Default: false]'
    940. type: boolean
    941. wireguardInterfaceName:
    942. description: 'WireguardInterfaceName specifies the name to use for
    943. the Wireguard interface. [Default: wg.calico]'
    944. type: string
    945. wireguardListeningPort:
    946. description: 'WireguardListeningPort controls the listening port used
    947. by Wireguard. [Default: 51820]'
    948. type: integer
    949. wireguardMTU:
    950. description: 'WireguardMTU controls the MTU on the Wireguard interface.
    951. See Configuring MTU [Default: 1420]'
    952. type: integer
    953. wireguardRoutingRulePriority:
    954. description: 'WireguardRoutingRulePriority controls the priority value
    955. to use for the Wireguard routing rule. [Default: 99]'
    956. type: integer
    957. xdpEnabled:
    958. description: 'XDPEnabled enables XDP acceleration for suitable untracked
    959. incoming deny rules. [Default: true]'
    960. type: boolean
    961. xdpRefreshInterval:
    962. description: 'XDPRefreshInterval is the period at which Felix re-checks
    963. all XDP state to ensure that no other process has accidentally broken
    964. Calico''s BPF maps or attached programs. Set to 0 to disable XDP
    965. refresh. [Default: 90s]'
    966. type: string
    967. type: object
    968. type: object
    969. served: true
    970. storage: true
    971. status:
    972. acceptedNames:
    973. kind: ""
    974. plural: ""
    975. conditions: []
    976. storedVersions: []
    977. ---
    978. apiVersion: apiextensions.k8s.io/v1
    979. kind: CustomResourceDefinition
    980. metadata:
    981. name: globalnetworkpolicies.crd.projectcalico.org
    982. spec:
    983. group: crd.projectcalico.org
    984. names:
    985. kind: GlobalNetworkPolicy
    986. listKind: GlobalNetworkPolicyList
    987. plural: globalnetworkpolicies
    988. singular: globalnetworkpolicy
    989. scope: Cluster
    990. versions:
    991. - name: v1
    992. schema:
    993. openAPIV3Schema:
    994. properties:
    995. apiVersion:
    996. description: 'APIVersion defines the versioned schema of this representation
    997. of an object. Servers should convert recognized schemas to the latest
    998. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    999. type: string
    1000. kind:
    1001. description: 'Kind is a string value representing the REST resource this
    1002. object represents. Servers may infer this from the endpoint the client
    1003. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    1004. type: string
    1005. metadata:
    1006. type: object
    1007. spec:
    1008. properties:
    1009. applyOnForward:
    1010. description: ApplyOnForward indicates to apply the rules in this policy
    1011. on forward traffic.
    1012. type: boolean
    1013. doNotTrack:
    1014. description: DoNotTrack indicates whether packets matched by the rules
    1015. in this policy should go through the data plane's connection tracking,
    1016. such as Linux conntrack. If True, the rules in this policy are
    1017. applied before any data plane connection tracking, and packets allowed
    1018. by this policy are marked as not to be tracked.
    1019. type: boolean
    1020. egress:
    1021. description: The ordered set of egress rules. Each rule contains
    1022. a set of packet match criteria and a corresponding action to apply.
    1023. items:
    1024. description: "A Rule encapsulates a set of match criteria and an
    1025. action. Both selector-based security Policy and security Profiles
    1026. reference rules - separated out as a list of rules for both ingress
    1027. and egress packet matching. \n Each positive match criteria has
    1028. a negated version, prefixed with \"Not\". All the match criteria
    1029. within a rule must be satisfied for a packet to match. A single
    1030. rule can contain the positive and negative version of a match
    1031. and both must be satisfied for the rule to match."
    1032. properties:
    1033. action:
    1034. type: string
    1035. destination:
    1036. description: Destination contains the match criteria that apply
    1037. to destination entity.
    1038. properties:
    1039. namespaceSelector:
    1040. description: "NamespaceSelector is an optional field that
    1041. contains a selector expression. Only traffic that originates
    1042. from (or terminates at) endpoints within the selected
    1043. namespaces will be matched. When both NamespaceSelector
    1044. and Selector are defined on the same rule, then only workload
    1045. endpoints that are matched by both selectors will be selected
    1046. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    1047. implies that the Selector is limited to selecting only
    1048. workload endpoints in the same namespace as the NetworkPolicy.
    1049. \n For NetworkPolicy, `global()` NamespaceSelector implies
    1050. that the Selector is limited to selecting only GlobalNetworkSet
    1051. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    1052. NamespaceSelector implies the Selector applies to workload
    1053. endpoints across all namespaces."
    1054. type: string
    1055. nets:
    1056. description: Nets is an optional field that restricts the
    1057. rule to only apply to traffic that originates from (or
    1058. terminates at) IP addresses in any of the given subnets.
    1059. items:
    1060. type: string
    1061. type: array
    1062. notNets:
    1063. description: NotNets is the negated version of the Nets
    1064. field.
    1065. items:
    1066. type: string
    1067. type: array
    1068. notPorts:
    1069. description: NotPorts is the negated version of the Ports
    1070. field. Since only some protocols have ports, if any ports
    1071. are specified it requires the Protocol match in the Rule
    1072. to be set to "TCP" or "UDP".
    1073. items:
    1074. anyOf:
    1075. - type: integer
    1076. - type: string
    1077. pattern: ^.*
    1078. x-kubernetes-int-or-string: true
    1079. type: array
    1080. notSelector:
    1081. description: NotSelector is the negated version of the Selector
    1082. field. See Selector field for subtleties with negated
    1083. selectors.
    1084. type: string
    1085. ports:
    1086. description: "Ports is an optional field that restricts
    1087. the rule to only apply to traffic that has a source (destination)
    1088. port that matches one of these ranges/values. This value
    1089. is a list of integers or strings that represent ranges
    1090. of ports. \n Since only some protocols have ports, if
    1091. any ports are specified it requires the Protocol match
    1092. in the Rule to be set to \"TCP\" or \"UDP\"."
    1093. items:
    1094. anyOf:
    1095. - type: integer
    1096. - type: string
    1097. pattern: ^.*
    1098. x-kubernetes-int-or-string: true
    1099. type: array
    1100. selector:
    1101. description: "Selector is an optional field that contains
    1102. a selector expression (see Policy for sample syntax).
    1103. \ Only traffic that originates from (terminates at) endpoints
    1104. matching the selector will be matched. \n Note that: in
    1105. addition to the negated version of the Selector (see NotSelector
    1106. below), the selector expression syntax itself supports
    1107. negation. The two types of negation are subtly different.
    1108. One negates the set of matched endpoints, the other negates
    1109. the whole match: \n \tSelector = \"!has(my_label)\" matches
    1110. packets that are from other Calico-controlled \tendpoints
    1111. that do not have the label \"my_label\". \n \tNotSelector
    1112. = \"has(my_label)\" matches packets that are not from
    1113. Calico-controlled \tendpoints that do have the label \"my_label\".
    1114. \n The effect is that the latter will accept packets from
    1115. non-Calico sources whereas the former is limited to packets
    1116. from Calico-controlled endpoints."
    1117. type: string
    1118. serviceAccounts:
    1119. description: ServiceAccounts is an optional field that restricts
    1120. the rule to only apply to traffic that originates from
    1121. (or terminates at) a pod running as a matching service
    1122. account.
    1123. properties:
    1124. names:
    1125. description: Names is an optional field that restricts
    1126. the rule to only apply to traffic that originates
    1127. from (or terminates at) a pod running as a service
    1128. account whose name is in the list.
    1129. items:
    1130. type: string
    1131. type: array
    1132. selector:
    1133. description: Selector is an optional field that restricts
    1134. the rule to only apply to traffic that originates
    1135. from (or terminates at) a pod running as a service
    1136. account that matches the given label selector. If
    1137. both Names and Selector are specified then they are
    1138. AND'ed.
    1139. type: string
    1140. type: object
    1141. type: object
    1142. http:
    1143. description: HTTP contains match criteria that apply to HTTP
    1144. requests.
    1145. properties:
    1146. methods:
    1147. description: Methods is an optional field that restricts
    1148. the rule to apply only to HTTP requests that use one of
    1149. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
    1150. methods are OR'd together.
    1151. items:
    1152. type: string
    1153. type: array
    1154. paths:
    1155. description: 'Paths is an optional field that restricts
    1156. the rule to apply to HTTP requests that use one of the
    1157. listed HTTP Paths. Multiple paths are OR''d together.
    1158. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
    1159. ONLY specify either a `exact` or a `prefix` match. The
    1160. validator will check for it.'
    1161. items:
    1162. description: 'HTTPPath specifies an HTTP path to match.
    1163. It may be either of the form: exact: <path>: which matches
    1164. the path exactly or prefix: <path-prefix>: which matches
    1165. the path prefix'
    1166. properties:
    1167. exact:
    1168. type: string
    1169. prefix:
    1170. type: string
    1171. type: object
    1172. type: array
    1173. type: object
    1174. icmp:
    1175. description: ICMP is an optional field that restricts the rule
    1176. to apply to a specific type and code of ICMP traffic. This
    1177. should only be specified if the Protocol field is set to "ICMP"
    1178. or "ICMPv6".
    1179. properties:
    1180. code:
    1181. description: Match on a specific ICMP code. If specified,
    1182. the Type value must also be specified. This is a technical
    1183. limitation imposed by the kernel's iptables firewall,
    1184. which Calico uses to enforce the rule.
    1185. type: integer
    1186. type:
    1187. description: Match on a specific ICMP type. For example
    1188. a value of 8 refers to ICMP Echo Request (i.e. pings).
    1189. type: integer
    1190. type: object
    1191. ipVersion:
    1192. description: IPVersion is an optional field that restricts the
    1193. rule to only match a specific IP version.
    1194. type: integer
    1195. metadata:
    1196. description: Metadata contains additional information for this
    1197. rule
    1198. properties:
    1199. annotations:
    1200. additionalProperties:
    1201. type: string
    1202. description: Annotations is a set of key value pairs that
    1203. give extra information about the rule
    1204. type: object
    1205. type: object
    1206. notICMP:
    1207. description: NotICMP is the negated version of the ICMP field.
    1208. properties:
    1209. code:
    1210. description: Match on a specific ICMP code. If specified,
    1211. the Type value must also be specified. This is a technical
    1212. limitation imposed by the kernel's iptables firewall,
    1213. which Calico uses to enforce the rule.
    1214. type: integer
    1215. type:
    1216. description: Match on a specific ICMP type. For example
    1217. a value of 8 refers to ICMP Echo Request (i.e. pings).
    1218. type: integer
    1219. type: object
    1220. notProtocol:
    1221. anyOf:
    1222. - type: integer
    1223. - type: string
    1224. description: NotProtocol is the negated version of the Protocol
    1225. field.
    1226. pattern: ^.*
    1227. x-kubernetes-int-or-string: true
    1228. protocol:
    1229. anyOf:
    1230. - type: integer
    1231. - type: string
    1232. description: "Protocol is an optional field that restricts the
    1233. rule to only apply to traffic of a specific IP protocol. Required
    1234. if any of the EntityRules contain Ports (because ports only
    1235. apply to certain protocols). \n Must be one of these string
    1236. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
    1237. \"UDPLite\" or an integer in the range 1-255."
    1238. pattern: ^.*
    1239. x-kubernetes-int-or-string: true
    1240. source:
    1241. description: Source contains the match criteria that apply to
    1242. source entity.
    1243. properties:
    1244. namespaceSelector:
    1245. description: "NamespaceSelector is an optional field that
    1246. contains a selector expression. Only traffic that originates
    1247. from (or terminates at) endpoints within the selected
    1248. namespaces will be matched. When both NamespaceSelector
    1249. and Selector are defined on the same rule, then only workload
    1250. endpoints that are matched by both selectors will be selected
    1251. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    1252. implies that the Selector is limited to selecting only
    1253. workload endpoints in the same namespace as the NetworkPolicy.
    1254. \n For NetworkPolicy, `global()` NamespaceSelector implies
    1255. that the Selector is limited to selecting only GlobalNetworkSet
    1256. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    1257. NamespaceSelector implies the Selector applies to workload
    1258. endpoints across all namespaces."
    1259. type: string
    1260. nets:
    1261. description: Nets is an optional field that restricts the
    1262. rule to only apply to traffic that originates from (or
    1263. terminates at) IP addresses in any of the given subnets.
    1264. items:
    1265. type: string
    1266. type: array
    1267. notNets:
    1268. description: NotNets is the negated version of the Nets
    1269. field.
    1270. items:
    1271. type: string
    1272. type: array
    1273. notPorts:
    1274. description: NotPorts is the negated version of the Ports
    1275. field. Since only some protocols have ports, if any ports
    1276. are specified it requires the Protocol match in the Rule
    1277. to be set to "TCP" or "UDP".
    1278. items:
    1279. anyOf:
    1280. - type: integer
    1281. - type: string
    1282. pattern: ^.*
    1283. x-kubernetes-int-or-string: true
    1284. type: array
    1285. notSelector:
    1286. description: NotSelector is the negated version of the Selector
    1287. field. See Selector field for subtleties with negated
    1288. selectors.
    1289. type: string
    1290. ports:
    1291. description: "Ports is an optional field that restricts
    1292. the rule to only apply to traffic that has a source (destination)
    1293. port that matches one of these ranges/values. This value
    1294. is a list of integers or strings that represent ranges
    1295. of ports. \n Since only some protocols have ports, if
    1296. any ports are specified it requires the Protocol match
    1297. in the Rule to be set to \"TCP\" or \"UDP\"."
    1298. items:
    1299. anyOf:
    1300. - type: integer
    1301. - type: string
    1302. pattern: ^.*
    1303. x-kubernetes-int-or-string: true
    1304. type: array
    1305. selector:
    1306. description: "Selector is an optional field that contains
    1307. a selector expression (see Policy for sample syntax).
    1308. \ Only traffic that originates from (terminates at) endpoints
    1309. matching the selector will be matched. \n Note that: in
    1310. addition to the negated version of the Selector (see NotSelector
    1311. below), the selector expression syntax itself supports
    1312. negation. The two types of negation are subtly different.
    1313. One negates the set of matched endpoints, the other negates
    1314. the whole match: \n \tSelector = \"!has(my_label)\" matches
    1315. packets that are from other Calico-controlled \tendpoints
    1316. that do not have the label \"my_label\". \n \tNotSelector
    1317. = \"has(my_label)\" matches packets that are not from
    1318. Calico-controlled \tendpoints that do have the label \"my_label\".
    1319. \n The effect is that the latter will accept packets from
    1320. non-Calico sources whereas the former is limited to packets
    1321. from Calico-controlled endpoints."
    1322. type: string
    1323. serviceAccounts:
    1324. description: ServiceAccounts is an optional field that restricts
    1325. the rule to only apply to traffic that originates from
    1326. (or terminates at) a pod running as a matching service
    1327. account.
    1328. properties:
    1329. names:
    1330. description: Names is an optional field that restricts
    1331. the rule to only apply to traffic that originates
    1332. from (or terminates at) a pod running as a service
    1333. account whose name is in the list.
    1334. items:
    1335. type: string
    1336. type: array
    1337. selector:
    1338. description: Selector is an optional field that restricts
    1339. the rule to only apply to traffic that originates
    1340. from (or terminates at) a pod running as a service
    1341. account that matches the given label selector. If
    1342. both Names and Selector are specified then they are
    1343. AND'ed.
    1344. type: string
    1345. type: object
    1346. type: object
    1347. required:
    1348. - action
    1349. type: object
    1350. type: array
    1351. ingress:
    1352. description: The ordered set of ingress rules. Each rule contains
    1353. a set of packet match criteria and a corresponding action to apply.
    1354. items:
    1355. description: "A Rule encapsulates a set of match criteria and an
    1356. action. Both selector-based security Policy and security Profiles
    1357. reference rules - separated out as a list of rules for both ingress
    1358. and egress packet matching. \n Each positive match criteria has
    1359. a negated version, prefixed with \"Not\". All the match criteria
    1360. within a rule must be satisfied for a packet to match. A single
    1361. rule can contain the positive and negative version of a match
    1362. and both must be satisfied for the rule to match."
    1363. properties:
    1364. action:
    1365. type: string
    1366. destination:
    1367. description: Destination contains the match criteria that apply
    1368. to destination entity.
    1369. properties:
    1370. namespaceSelector:
    1371. description: "NamespaceSelector is an optional field that
    1372. contains a selector expression. Only traffic that originates
    1373. from (or terminates at) endpoints within the selected
    1374. namespaces will be matched. When both NamespaceSelector
    1375. and Selector are defined on the same rule, then only workload
    1376. endpoints that are matched by both selectors will be selected
    1377. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    1378. implies that the Selector is limited to selecting only
    1379. workload endpoints in the same namespace as the NetworkPolicy.
    1380. \n For NetworkPolicy, `global()` NamespaceSelector implies
    1381. that the Selector is limited to selecting only GlobalNetworkSet
    1382. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    1383. NamespaceSelector implies the Selector applies to workload
    1384. endpoints across all namespaces."
    1385. type: string
    1386. nets:
    1387. description: Nets is an optional field that restricts the
    1388. rule to only apply to traffic that originates from (or
    1389. terminates at) IP addresses in any of the given subnets.
    1390. items:
    1391. type: string
    1392. type: array
    1393. notNets:
    1394. description: NotNets is the negated version of the Nets
    1395. field.
    1396. items:
    1397. type: string
    1398. type: array
    1399. notPorts:
    1400. description: NotPorts is the negated version of the Ports
    1401. field. Since only some protocols have ports, if any ports
    1402. are specified it requires the Protocol match in the Rule
    1403. to be set to "TCP" or "UDP".
    1404. items:
    1405. anyOf:
    1406. - type: integer
    1407. - type: string
    1408. pattern: ^.*
    1409. x-kubernetes-int-or-string: true
    1410. type: array
    1411. notSelector:
    1412. description: NotSelector is the negated version of the Selector
    1413. field. See Selector field for subtleties with negated
    1414. selectors.
    1415. type: string
    1416. ports:
    1417. description: "Ports is an optional field that restricts
    1418. the rule to only apply to traffic that has a source (destination)
    1419. port that matches one of these ranges/values. This value
    1420. is a list of integers or strings that represent ranges
    1421. of ports. \n Since only some protocols have ports, if
    1422. any ports are specified it requires the Protocol match
    1423. in the Rule to be set to \"TCP\" or \"UDP\"."
    1424. items:
    1425. anyOf:
    1426. - type: integer
    1427. - type: string
    1428. pattern: ^.*
    1429. x-kubernetes-int-or-string: true
    1430. type: array
    1431. selector:
    1432. description: "Selector is an optional field that contains
    1433. a selector expression (see Policy for sample syntax).
    1434. \ Only traffic that originates from (terminates at) endpoints
    1435. matching the selector will be matched. \n Note that: in
    1436. addition to the negated version of the Selector (see NotSelector
    1437. below), the selector expression syntax itself supports
    1438. negation. The two types of negation are subtly different.
    1439. One negates the set of matched endpoints, the other negates
    1440. the whole match: \n \tSelector = \"!has(my_label)\" matches
    1441. packets that are from other Calico-controlled \tendpoints
    1442. that do not have the label \"my_label\". \n \tNotSelector
    1443. = \"has(my_label)\" matches packets that are not from
    1444. Calico-controlled \tendpoints that do have the label \"my_label\".
    1445. \n The effect is that the latter will accept packets from
    1446. non-Calico sources whereas the former is limited to packets
    1447. from Calico-controlled endpoints."
    1448. type: string
    1449. serviceAccounts:
    1450. description: ServiceAccounts is an optional field that restricts
    1451. the rule to only apply to traffic that originates from
    1452. (or terminates at) a pod running as a matching service
    1453. account.
    1454. properties:
    1455. names:
    1456. description: Names is an optional field that restricts
    1457. the rule to only apply to traffic that originates
    1458. from (or terminates at) a pod running as a service
    1459. account whose name is in the list.
    1460. items:
    1461. type: string
    1462. type: array
    1463. selector:
    1464. description: Selector is an optional field that restricts
    1465. the rule to only apply to traffic that originates
    1466. from (or terminates at) a pod running as a service
    1467. account that matches the given label selector. If
    1468. both Names and Selector are specified then they are
    1469. AND'ed.
    1470. type: string
    1471. type: object
    1472. type: object
    1473. http:
    1474. description: HTTP contains match criteria that apply to HTTP
    1475. requests.
    1476. properties:
    1477. methods:
    1478. description: Methods is an optional field that restricts
    1479. the rule to apply only to HTTP requests that use one of
    1480. the listed HTTP Methods (e.g. GET, PUT, etc.). Multiple
    1481. methods are OR'd together.
    1482. items:
    1483. type: string
    1484. type: array
    1485. paths:
    1486. description: 'Paths is an optional field that restricts
    1487. the rule to apply to HTTP requests that use one of the
    1488. listed HTTP Paths. Multiple paths are OR''d together.
    1489. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
    1490. ONLY specify either a `exact` or a `prefix` match. The
    1491. validator will check for it.'
    1492. items:
    1493. description: 'HTTPPath specifies an HTTP path to match.
    1494. It may be either of the form: exact: <path>: which matches
    1495. the path exactly or prefix: <path-prefix>: which matches
    1496. the path prefix'
    1497. properties:
    1498. exact:
    1499. type: string
    1500. prefix:
    1501. type: string
    1502. type: object
    1503. type: array
    1504. type: object
    1505. icmp:
    1506. description: ICMP is an optional field that restricts the rule
    1507. to apply to a specific type and code of ICMP traffic. This
    1508. should only be specified if the Protocol field is set to "ICMP"
    1509. or "ICMPv6".
    1510. properties:
    1511. code:
    1512. description: Match on a specific ICMP code. If specified,
    1513. the Type value must also be specified. This is a technical
    1514. limitation imposed by the kernel's iptables firewall,
    1515. which Calico uses to enforce the rule.
    1516. type: integer
    1517. type:
    1518. description: Match on a specific ICMP type. For example
    1519. a value of 8 refers to ICMP Echo Request (i.e. pings).
    1520. type: integer
    1521. type: object
    1522. ipVersion:
    1523. description: IPVersion is an optional field that restricts the
    1524. rule to only match a specific IP version.
    1525. type: integer
    1526. metadata:
    1527. description: Metadata contains additional information for this
    1528. rule
    1529. properties:
    1530. annotations:
    1531. additionalProperties:
    1532. type: string
    1533. description: Annotations is a set of key value pairs that
    1534. give extra information about the rule
    1535. type: object
    1536. type: object
    1537. notICMP:
    1538. description: NotICMP is the negated version of the ICMP field.
    1539. properties:
    1540. code:
    1541. description: Match on a specific ICMP code. If specified,
    1542. the Type value must also be specified. This is a technical
    1543. limitation imposed by the kernel's iptables firewall,
    1544. which Calico uses to enforce the rule.
    1545. type: integer
    1546. type:
    1547. description: Match on a specific ICMP type. For example
    1548. a value of 8 refers to ICMP Echo Request (i.e. pings).
    1549. type: integer
    1550. type: object
    1551. notProtocol:
    1552. anyOf:
    1553. - type: integer
    1554. - type: string
    1555. description: NotProtocol is the negated version of the Protocol
    1556. field.
    1557. pattern: ^.*
    1558. x-kubernetes-int-or-string: true
    1559. protocol:
    1560. anyOf:
    1561. - type: integer
    1562. - type: string
    1563. description: "Protocol is an optional field that restricts the
    1564. rule to only apply to traffic of a specific IP protocol. Required
    1565. if any of the EntityRules contain Ports (because ports only
    1566. apply to certain protocols). \n Must be one of these string
    1567. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
    1568. \"UDPLite\" or an integer in the range 1-255."
    1569. pattern: ^.*
    1570. x-kubernetes-int-or-string: true
    1571. source:
    1572. description: Source contains the match criteria that apply to
    1573. source entity.
    1574. properties:
    1575. namespaceSelector:
    1576. description: "NamespaceSelector is an optional field that
    1577. contains a selector expression. Only traffic that originates
    1578. from (or terminates at) endpoints within the selected
    1579. namespaces will be matched. When both NamespaceSelector
    1580. and Selector are defined on the same rule, then only workload
    1581. endpoints that are matched by both selectors will be selected
    1582. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    1583. implies that the Selector is limited to selecting only
    1584. workload endpoints in the same namespace as the NetworkPolicy.
    1585. \n For NetworkPolicy, `global()` NamespaceSelector implies
    1586. that the Selector is limited to selecting only GlobalNetworkSet
    1587. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    1588. NamespaceSelector implies the Selector applies to workload
    1589. endpoints across all namespaces."
    1590. type: string
    1591. nets:
    1592. description: Nets is an optional field that restricts the
    1593. rule to only apply to traffic that originates from (or
    1594. terminates at) IP addresses in any of the given subnets.
    1595. items:
    1596. type: string
    1597. type: array
    1598. notNets:
    1599. description: NotNets is the negated version of the Nets
    1600. field.
    1601. items:
    1602. type: string
    1603. type: array
    1604. notPorts:
    1605. description: NotPorts is the negated version of the Ports
    1606. field. Since only some protocols have ports, if any ports
    1607. are specified it requires the Protocol match in the Rule
    1608. to be set to "TCP" or "UDP".
    1609. items:
    1610. anyOf:
    1611. - type: integer
    1612. - type: string
    1613. pattern: ^.*
    1614. x-kubernetes-int-or-string: true
    1615. type: array
    1616. notSelector:
    1617. description: NotSelector is the negated version of the Selector
    1618. field. See Selector field for subtleties with negated
    1619. selectors.
    1620. type: string
    1621. ports:
    1622. description: "Ports is an optional field that restricts
    1623. the rule to only apply to traffic that has a source (destination)
    1624. port that matches one of these ranges/values. This value
    1625. is a list of integers or strings that represent ranges
    1626. of ports. \n Since only some protocols have ports, if
    1627. any ports are specified it requires the Protocol match
    1628. in the Rule to be set to \"TCP\" or \"UDP\"."
    1629. items:
    1630. anyOf:
    1631. - type: integer
    1632. - type: string
    1633. pattern: ^.*
    1634. x-kubernetes-int-or-string: true
    1635. type: array
    1636. selector:
    1637. description: "Selector is an optional field that contains
    1638. a selector expression (see Policy for sample syntax).
    1639. \ Only traffic that originates from (terminates at) endpoints
    1640. matching the selector will be matched. \n Note that: in
    1641. addition to the negated version of the Selector (see NotSelector
    1642. below), the selector expression syntax itself supports
    1643. negation. The two types of negation are subtly different.
    1644. One negates the set of matched endpoints, the other negates
    1645. the whole match: \n \tSelector = \"!has(my_label)\" matches
    1646. packets that are from other Calico-controlled \tendpoints
    1647. that do not have the label \"my_label\". \n \tNotSelector
    1648. = \"has(my_label)\" matches packets that are not from
    1649. Calico-controlled \tendpoints that do have the label \"my_label\".
    1650. \n The effect is that the latter will accept packets from
    1651. non-Calico sources whereas the former is limited to packets
    1652. from Calico-controlled endpoints."
    1653. type: string
    1654. serviceAccounts:
    1655. description: ServiceAccounts is an optional field that restricts
    1656. the rule to only apply to traffic that originates from
    1657. (or terminates at) a pod running as a matching service
    1658. account.
    1659. properties:
    1660. names:
    1661. description: Names is an optional field that restricts
    1662. the rule to only apply to traffic that originates
    1663. from (or terminates at) a pod running as a service
    1664. account whose name is in the list.
    1665. items:
    1666. type: string
    1667. type: array
    1668. selector:
    1669. description: Selector is an optional field that restricts
    1670. the rule to only apply to traffic that originates
    1671. from (or terminates at) a pod running as a service
    1672. account that matches the given label selector. If
    1673. both Names and Selector are specified then they are
    1674. AND'ed.
    1675. type: string
    1676. type: object
    1677. type: object
    1678. required:
    1679. - action
    1680. type: object
    1681. type: array
    1682. namespaceSelector:
    1683. description: NamespaceSelector is an optional field for an expression
    1684. used to select a pod based on namespaces.
    1685. type: string
    1686. order:
    1687. description: Order is an optional field that specifies the order in
    1688. which the policy is applied. Policies with higher "order" are applied
    1689. after those with lower order. If the order is omitted, it may be
    1690. considered to be "infinite" - i.e. the policy will be applied last. Policies
    1691. with identical order will be applied in alphanumerical order based
    1692. on the Policy "Name".
    1693. type: number
    1694. preDNAT:
    1695. description: PreDNAT indicates to apply the rules in this policy before
    1696. any DNAT.
    1697. type: boolean
    1698. selector:
    1699. description: "The selector is an expression used to pick out
    1700. the endpoints that the policy should be applied to. \n Selector
    1701. expressions follow this syntax: \n \tlabel == \"string_literal\"
    1702. \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
    1703. \ -> not equal; also matches if label is not present \tlabel in
    1704. { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
    1705. one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
    1706. ... } -> true if the value of label X is not one of \"a\", \"b\",
    1707. \"c\" \thas(label_name) -> True if that label is present \t! expr
    1708. -> negation of expr \texpr && expr -> Short-circuit and \texpr
    1709. || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
    1710. or the empty selector -> matches all endpoints. \n Label names are
    1711. allowed to contain alphanumerics, -, _ and /. String literals are
    1712. more permissive but they do not support escape characters. \n Examples
    1713. (with made-up labels): \n \ttype == \"webserver\" && deployment
    1714. == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
    1715. \"dev\" \t! has(label_name)"
    1716. type: string
    1717. serviceAccountSelector:
    1718. description: ServiceAccountSelector is an optional field for an expression
    1719. used to select a pod based on service accounts.
    1720. type: string
    1721. types:
    1722. description: "Types indicates whether this policy applies to ingress,
    1723. or to egress, or to both. When not explicitly specified (and so
    1724. the value on creation is empty or nil), Calico defaults Types according
    1725. to what Ingress and Egress rules are present in the policy. The
    1726. default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
    1727. (including the case where there are also no Ingress rules) \n
    1728. - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
    1729. rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
    1730. both Ingress and Egress rules. \n When the policy is read back again,
    1731. Types will always be one of these values, never empty or nil."
    1732. items:
    1733. description: PolicyType enumerates the possible values of the PolicySpec
    1734. Types field.
    1735. type: string
    1736. type: array
    1737. type: object
    1738. type: object
    1739. served: true
    1740. storage: true
    1741. status:
    1742. acceptedNames:
    1743. kind: ""
    1744. plural: ""
    1745. conditions: []
    1746. storedVersions: []
    1747. ---
    1748. apiVersion: apiextensions.k8s.io/v1
    1749. kind: CustomResourceDefinition
    1750. metadata:
    1751. name: globalnetworksets.crd.projectcalico.org
    1752. spec:
    1753. group: crd.projectcalico.org
    1754. names:
    1755. kind: GlobalNetworkSet
    1756. listKind: GlobalNetworkSetList
    1757. plural: globalnetworksets
    1758. singular: globalnetworkset
    1759. scope: Cluster
    1760. versions:
    1761. - name: v1
    1762. schema:
    1763. openAPIV3Schema:
    1764. description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
    1765. that share labels to allow rules to refer to them via selectors. The labels
    1766. of GlobalNetworkSet are not namespaced.
    1767. properties:
    1768. apiVersion:
    1769. description: 'APIVersion defines the versioned schema of this representation
    1770. of an object. Servers should convert recognized schemas to the latest
    1771. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    1772. type: string
    1773. kind:
    1774. description: 'Kind is a string value representing the REST resource this
    1775. object represents. Servers may infer this from the endpoint the client
    1776. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    1777. type: string
    1778. metadata:
    1779. type: object
    1780. spec:
    1781. description: GlobalNetworkSetSpec contains the specification for a NetworkSet
    1782. resource.
    1783. properties:
    1784. nets:
    1785. description: The list of IP networks that belong to this set.
    1786. items:
    1787. type: string
    1788. type: array
    1789. type: object
    1790. type: object
    1791. served: true
    1792. storage: true
    1793. status:
    1794. acceptedNames:
    1795. kind: ""
    1796. plural: ""
    1797. conditions: []
    1798. storedVersions: []
    1799. ---
    1800. apiVersion: apiextensions.k8s.io/v1
    1801. kind: CustomResourceDefinition
    1802. metadata:
    1803. name: hostendpoints.crd.projectcalico.org
    1804. spec:
    1805. group: crd.projectcalico.org
    1806. names:
    1807. kind: HostEndpoint
    1808. listKind: HostEndpointList
    1809. plural: hostendpoints
    1810. singular: hostendpoint
    1811. scope: Cluster
    1812. versions:
    1813. - name: v1
    1814. schema:
    1815. openAPIV3Schema:
    1816. properties:
    1817. apiVersion:
    1818. description: 'APIVersion defines the versioned schema of this representation
    1819. of an object. Servers should convert recognized schemas to the latest
    1820. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    1821. type: string
    1822. kind:
    1823. description: 'Kind is a string value representing the REST resource this
    1824. object represents. Servers may infer this from the endpoint the client
    1825. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    1826. type: string
    1827. metadata:
    1828. type: object
    1829. spec:
    1830. description: HostEndpointSpec contains the specification for a HostEndpoint
    1831. resource.
    1832. properties:
    1833. expectedIPs:
    1834. description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
    1835. If \"InterfaceName\" is not present, Calico will look for an interface
    1836. matching any of the IPs in the list and apply policy to that. Note:
    1837. \tWhen using the selector match criteria in an ingress or egress
    1838. security Policy \tor Profile, Calico converts the selector into
    1839. a set of IP addresses. For host \tendpoints, the ExpectedIPs field
    1840. is used for that purpose. (If only the interface \tname is specified,
    1841. Calico does not learn the IPs of the interface for use in match
    1842. \tcriteria.)"
    1843. items:
    1844. type: string
    1845. type: array
    1846. interfaceName:
    1847. description: "Either \"*\", or the name of a specific Linux interface
    1848. to apply policy to; or empty. \"*\" indicates that this HostEndpoint
    1849. governs all traffic to, from or through the default network namespace
    1850. of the host named by the \"Node\" field; entering and leaving that
    1851. namespace via any interface, including those from/to non-host-networked
    1852. local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
    1853. only governs traffic that enters or leaves the host through the
    1854. specific interface named by InterfaceName, or - when InterfaceName
    1855. is empty - through the specific interface that has one of the IPs
    1856. in ExpectedIPs. Therefore, when InterfaceName is empty, at least
    1857. one expected IP must be specified. Only external interfaces (such
    1858. as \"eth0\") are supported here; it isn't possible for a HostEndpoint
    1859. to protect traffic through a specific local workload interface.
    1860. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
    1861. initially just pre-DNAT policy. Please check Calico documentation
    1862. for the latest position."
    1863. type: string
    1864. node:
    1865. description: The node name identifying the Calico node instance.
    1866. type: string
    1867. ports:
    1868. description: Ports contains the endpoint's named ports, which may
    1869. be referenced in security policy rules.
    1870. items:
    1871. properties:
    1872. name:
    1873. type: string
    1874. port:
    1875. type: integer
    1876. protocol:
    1877. anyOf:
    1878. - type: integer
    1879. - type: string
    1880. pattern: ^.*
    1881. x-kubernetes-int-or-string: true
    1882. required:
    1883. - name
    1884. - port
    1885. - protocol
    1886. type: object
    1887. type: array
    1888. profiles:
    1889. description: A list of identifiers of security Profile objects that
    1890. apply to this endpoint. Each profile is applied in the order that
    1891. they appear in this list. Profile rules are applied after the selector-based
    1892. security policy.
    1893. items:
    1894. type: string
    1895. type: array
    1896. type: object
    1897. type: object
    1898. served: true
    1899. storage: true
    1900. status:
    1901. acceptedNames:
    1902. kind: ""
    1903. plural: ""
    1904. conditions: []
    1905. storedVersions: []
    1906. ---
    1907. apiVersion: apiextensions.k8s.io/v1
    1908. kind: CustomResourceDefinition
    1909. metadata:
    1910. name: ipamblocks.crd.projectcalico.org
    1911. spec:
    1912. group: crd.projectcalico.org
    1913. names:
    1914. kind: IPAMBlock
    1915. listKind: IPAMBlockList
    1916. plural: ipamblocks
    1917. singular: ipamblock
    1918. scope: Cluster
    1919. versions:
    1920. - name: v1
    1921. schema:
    1922. openAPIV3Schema:
    1923. properties:
    1924. apiVersion:
    1925. description: 'APIVersion defines the versioned schema of this representation
    1926. of an object. Servers should convert recognized schemas to the latest
    1927. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    1928. type: string
    1929. kind:
    1930. description: 'Kind is a string value representing the REST resource this
    1931. object represents. Servers may infer this from the endpoint the client
    1932. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    1933. type: string
    1934. metadata:
    1935. type: object
    1936. spec:
    1937. description: IPAMBlockSpec contains the specification for an IPAMBlock
    1938. resource.
    1939. properties:
    1940. affinity:
    1941. type: string
    1942. allocations:
    1943. items:
    1944. type: integer
    1945. # TODO: This nullable is manually added in. We should update controller-gen
    1946. # to handle []*int properly itself.
    1947. nullable: true
    1948. type: array
    1949. attributes:
    1950. items:
    1951. properties:
    1952. handle_id:
    1953. type: string
    1954. secondary:
    1955. additionalProperties:
    1956. type: string
    1957. type: object
    1958. type: object
    1959. type: array
    1960. cidr:
    1961. type: string
    1962. deleted:
    1963. type: boolean
    1964. strictAffinity:
    1965. type: boolean
    1966. unallocated:
    1967. items:
    1968. type: integer
    1969. type: array
    1970. required:
    1971. - allocations
    1972. - attributes
    1973. - cidr
    1974. - strictAffinity
    1975. - unallocated
    1976. type: object
    1977. type: object
    1978. served: true
    1979. storage: true
    1980. status:
    1981. acceptedNames:
    1982. kind: ""
    1983. plural: ""
    1984. conditions: []
    1985. storedVersions: []
    1986. ---
    1987. apiVersion: apiextensions.k8s.io/v1
    1988. kind: CustomResourceDefinition
    1989. metadata:
    1990. name: ipamconfigs.crd.projectcalico.org
    1991. spec:
    1992. group: crd.projectcalico.org
    1993. names:
    1994. kind: IPAMConfig
    1995. listKind: IPAMConfigList
    1996. plural: ipamconfigs
    1997. singular: ipamconfig
    1998. scope: Cluster
    1999. versions:
    2000. - name: v1
    2001. schema:
    2002. openAPIV3Schema:
    2003. properties:
    2004. apiVersion:
    2005. description: 'APIVersion defines the versioned schema of this representation
    2006. of an object. Servers should convert recognized schemas to the latest
    2007. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    2008. type: string
    2009. kind:
    2010. description: 'Kind is a string value representing the REST resource this
    2011. object represents. Servers may infer this from the endpoint the client
    2012. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    2013. type: string
    2014. metadata:
    2015. type: object
    2016. spec:
    2017. description: IPAMConfigSpec contains the specification for an IPAMConfig
    2018. resource.
    2019. properties:
    2020. autoAllocateBlocks:
    2021. type: boolean
    2022. maxBlocksPerHost:
    2023. description: MaxBlocksPerHost, if non-zero, is the max number of blocks
    2024. that can be affine to each host.
    2025. type: integer
    2026. strictAffinity:
    2027. type: boolean
    2028. required:
    2029. - autoAllocateBlocks
    2030. - strictAffinity
    2031. type: object
    2032. type: object
    2033. served: true
    2034. storage: true
    2035. status:
    2036. acceptedNames:
    2037. kind: ""
    2038. plural: ""
    2039. conditions: []
    2040. storedVersions: []
    2041. ---
    2042. apiVersion: apiextensions.k8s.io/v1
    2043. kind: CustomResourceDefinition
    2044. metadata:
    2045. name: ipamhandles.crd.projectcalico.org
    2046. spec:
    2047. group: crd.projectcalico.org
    2048. names:
    2049. kind: IPAMHandle
    2050. listKind: IPAMHandleList
    2051. plural: ipamhandles
    2052. singular: ipamhandle
    2053. scope: Cluster
    2054. versions:
    2055. - name: v1
    2056. schema:
    2057. openAPIV3Schema:
    2058. properties:
    2059. apiVersion:
    2060. description: 'APIVersion defines the versioned schema of this representation
    2061. of an object. Servers should convert recognized schemas to the latest
    2062. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    2063. type: string
    2064. kind:
    2065. description: 'Kind is a string value representing the REST resource this
    2066. object represents. Servers may infer this from the endpoint the client
    2067. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    2068. type: string
    2069. metadata:
    2070. type: object
    2071. spec:
    2072. description: IPAMHandleSpec contains the specification for an IPAMHandle
    2073. resource.
    2074. properties:
    2075. block:
    2076. additionalProperties:
    2077. type: integer
    2078. type: object
    2079. deleted:
    2080. type: boolean
    2081. handleID:
    2082. type: string
    2083. required:
    2084. - block
    2085. - handleID
    2086. type: object
    2087. type: object
    2088. served: true
    2089. storage: true
    2090. status:
    2091. acceptedNames:
    2092. kind: ""
    2093. plural: ""
    2094. conditions: []
    2095. storedVersions: []
    2096. ---
    2097. apiVersion: apiextensions.k8s.io/v1
    2098. kind: CustomResourceDefinition
    2099. metadata:
    2100. name: ippools.crd.projectcalico.org
    2101. spec:
    2102. group: crd.projectcalico.org
    2103. names:
    2104. kind: IPPool
    2105. listKind: IPPoolList
    2106. plural: ippools
    2107. singular: ippool
    2108. scope: Cluster
    2109. versions:
    2110. - name: v1
    2111. schema:
    2112. openAPIV3Schema:
    2113. properties:
    2114. apiVersion:
    2115. description: 'APIVersion defines the versioned schema of this representation
    2116. of an object. Servers should convert recognized schemas to the latest
    2117. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    2118. type: string
    2119. kind:
    2120. description: 'Kind is a string value representing the REST resource this
    2121. object represents. Servers may infer this from the endpoint the client
    2122. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    2123. type: string
    2124. metadata:
    2125. type: object
    2126. spec:
    2127. description: IPPoolSpec contains the specification for an IPPool resource.
    2128. properties:
    2129. blockSize:
    2130. description: The block size to use for IP address assignments from
    2131. this pool. Defaults to 26 for IPv4 and 112 for IPv6.
    2132. type: integer
    2133. cidr:
    2134. description: The pool CIDR.
    2135. type: string
    2136. disabled:
    2137. description: When disabled is true, Calico IPAM will not assign addresses
    2138. from this pool.
    2139. type: boolean
    2140. ipip:
    2141. description: 'Deprecated: this field is only used for APIv1 backwards
    2142. compatibility. Setting this field is not allowed, this field is
    2143. for internal use only.'
    2144. properties:
    2145. enabled:
    2146. description: When enabled is true, ipip tunneling will be used
    2147. to deliver packets to destinations within this pool.
    2148. type: boolean
    2149. mode:
    2150. description: The IPIP mode. This can be one of "always" or "cross-subnet". A
    2151. mode of "always" will also use IPIP tunneling for routing to
    2152. destination IP addresses within this pool. A mode of "cross-subnet"
    2153. will only use IPIP tunneling when the destination node is on
    2154. a different subnet to the originating node. The default value
    2155. (if not specified) is "always".
    2156. type: string
    2157. type: object
    2158. ipipMode:
    2159. description: Contains configuration for IPIP tunneling for this pool.
    2160. If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
    2161. is disabled).
    2162. type: string
    2163. nat-outgoing:
    2164. description: 'Deprecated: this field is only used for APIv1 backwards
    2165. compatibility. Setting this field is not allowed, this field is
    2166. for internal use only.'
    2167. type: boolean
    2168. natOutgoing:
    2169. description: When nat-outgoing is true, packets sent from Calico networked
    2170. containers in this pool to destinations outside of this pool will
    2171. be masqueraded.
    2172. type: boolean
    2173. nodeSelector:
    2174. description: Allows IPPool to allocate for a specific node by label
    2175. selector.
    2176. type: string
    2177. vxlanMode:
    2178. description: Contains configuration for VXLAN tunneling for this pool.
    2179. If not specified, then this is defaulted to "Never" (i.e. VXLAN
    2180. tunneling is disabled).
    2181. type: string
    2182. required:
    2183. - cidr
    2184. type: object
    2185. type: object
    2186. served: true
    2187. storage: true
    2188. status:
    2189. acceptedNames:
    2190. kind: ""
    2191. plural: ""
    2192. conditions: []
    2193. storedVersions: []
    2194. ---
    2195. apiVersion: apiextensions.k8s.io/v1
    2196. kind: CustomResourceDefinition
    2197. metadata:
    2198. name: kubecontrollersconfigurations.crd.projectcalico.org
    2199. spec:
    2200. group: crd.projectcalico.org
    2201. names:
    2202. kind: KubeControllersConfiguration
    2203. listKind: KubeControllersConfigurationList
    2204. plural: kubecontrollersconfigurations
    2205. singular: kubecontrollersconfiguration
    2206. scope: Cluster
    2207. versions:
    2208. - name: v1
    2209. schema:
    2210. openAPIV3Schema:
    2211. properties:
    2212. apiVersion:
    2213. description: 'APIVersion defines the versioned schema of this representation
    2214. of an object. Servers should convert recognized schemas to the latest
    2215. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    2216. type: string
    2217. kind:
    2218. description: 'Kind is a string value representing the REST resource this
    2219. object represents. Servers may infer this from the endpoint the client
    2220. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    2221. type: string
    2222. metadata:
    2223. type: object
    2224. spec:
    2225. description: KubeControllersConfigurationSpec contains the values of the
    2226. Kubernetes controllers configuration.
    2227. properties:
    2228. controllers:
    2229. description: Controllers enables and configures individual Kubernetes
    2230. controllers
    2231. properties:
    2232. namespace:
    2233. description: Namespace enables and configures the namespace controller.
    2234. Enabled by default, set to nil to disable.
    2235. properties:
    2236. reconcilerPeriod:
    2237. description: 'ReconcilerPeriod is the period to perform reconciliation
    2238. with the Calico datastore. [Default: 5m]'
    2239. type: string
    2240. type: object
    2241. node:
    2242. description: Node enables and configures the node controller.
    2243. Enabled by default, set to nil to disable.
    2244. properties:
    2245. hostEndpoint:
    2246. description: HostEndpoint controls syncing nodes to host endpoints.
    2247. Disabled by default, set to nil to disable.
    2248. properties:
    2249. autoCreate:
    2250. description: 'AutoCreate enables automatic creation of
    2251. host endpoints for every node. [Default: Disabled]'
    2252. type: string
    2253. type: object
    2254. reconcilerPeriod:
    2255. description: 'ReconcilerPeriod is the period to perform reconciliation
    2256. with the Calico datastore. [Default: 5m]'
    2257. type: string
    2258. syncLabels:
    2259. description: 'SyncLabels controls whether to copy Kubernetes
    2260. node labels to Calico nodes. [Default: Enabled]'
    2261. type: string
    2262. type: object
    2263. policy:
    2264. description: Policy enables and configures the policy controller.
    2265. Enabled by default, set to nil to disable.
    2266. properties:
    2267. reconcilerPeriod:
    2268. description: 'ReconcilerPeriod is the period to perform reconciliation
    2269. with the Calico datastore. [Default: 5m]'
    2270. type: string
    2271. type: object
    2272. serviceAccount:
    2273. description: ServiceAccount enables and configures the service
    2274. account controller. Enabled by default, set to nil to disable.
    2275. properties:
    2276. reconcilerPeriod:
    2277. description: 'ReconcilerPeriod is the period to perform reconciliation
    2278. with the Calico datastore. [Default: 5m]'
    2279. type: string
    2280. type: object
    2281. workloadEndpoint:
    2282. description: WorkloadEndpoint enables and configures the workload
    2283. endpoint controller. Enabled by default, set to nil to disable.
    2284. properties:
    2285. reconcilerPeriod:
    2286. description: 'ReconcilerPeriod is the period to perform reconciliation
    2287. with the Calico datastore. [Default: 5m]'
    2288. type: string
    2289. type: object
    2290. type: object
    2291. etcdV3CompactionPeriod:
    2292. description: 'EtcdV3CompactionPeriod is the period between etcdv3
    2293. compaction requests. Set to 0 to disable. [Default: 10m]'
    2294. type: string
    2295. healthChecks:
    2296. description: 'HealthChecks enables or disables support for health
    2297. checks [Default: Enabled]'
    2298. type: string
    2299. logSeverityScreen:
    2300. description: 'LogSeverityScreen is the log severity above which logs
    2301. are sent to the stdout. [Default: Info]'
    2302. type: string
    2303. prometheusMetricsPort:
    2304. description: 'PrometheusMetricsPort is the TCP port that the Prometheus
    2305. metrics server should bind to. Set to 0 to disable. [Default: 9094]'
    2306. type: integer
    2307. required:
    2308. - controllers
    2309. type: object
    2310. status:
    2311. description: KubeControllersConfigurationStatus represents the status
    2312. of the configuration. It's useful for admins to be able to see the actual
    2313. config that was applied, which can be modified by environment variables
    2314. on the kube-controllers process.
    2315. properties:
    2316. environmentVars:
    2317. additionalProperties:
    2318. type: string
    2319. description: EnvironmentVars contains the environment variables on
    2320. the kube-controllers that influenced the RunningConfig.
    2321. type: object
    2322. runningConfig:
    2323. description: RunningConfig contains the effective config that is running
    2324. in the kube-controllers pod, after merging the API resource with
    2325. any environment variables.
    2326. properties:
    2327. controllers:
    2328. description: Controllers enables and configures individual Kubernetes
    2329. controllers
    2330. properties:
    2331. namespace:
    2332. description: Namespace enables and configures the namespace
    2333. controller. Enabled by default, set to nil to disable.
    2334. properties:
    2335. reconcilerPeriod:
    2336. description: 'ReconcilerPeriod is the period to perform
    2337. reconciliation with the Calico datastore. [Default:
    2338. 5m]'
    2339. type: string
    2340. type: object
    2341. node:
    2342. description: Node enables and configures the node controller.
    2343. Enabled by default, set to nil to disable.
    2344. properties:
    2345. hostEndpoint:
    2346. description: HostEndpoint controls syncing nodes to host
    2347. endpoints. Disabled by default, set to nil to disable.
    2348. properties:
    2349. autoCreate:
    2350. description: 'AutoCreate enables automatic creation
    2351. of host endpoints for every node. [Default: Disabled]'
    2352. type: string
    2353. type: object
    2354. reconcilerPeriod:
    2355. description: 'ReconcilerPeriod is the period to perform
    2356. reconciliation with the Calico datastore. [Default:
    2357. 5m]'
    2358. type: string
    2359. syncLabels:
    2360. description: 'SyncLabels controls whether to copy Kubernetes
    2361. node labels to Calico nodes. [Default: Enabled]'
    2362. type: string
    2363. type: object
    2364. policy:
    2365. description: Policy enables and configures the policy controller.
    2366. Enabled by default, set to nil to disable.
    2367. properties:
    2368. reconcilerPeriod:
    2369. description: 'ReconcilerPeriod is the period to perform
    2370. reconciliation with the Calico datastore. [Default:
    2371. 5m]'
    2372. type: string
    2373. type: object
    2374. serviceAccount:
    2375. description: ServiceAccount enables and configures the service
    2376. account controller. Enabled by default, set to nil to disable.
    2377. properties:
    2378. reconcilerPeriod:
    2379. description: 'ReconcilerPeriod is the period to perform
    2380. reconciliation with the Calico datastore. [Default:
    2381. 5m]'
    2382. type: string
    2383. type: object
    2384. workloadEndpoint:
    2385. description: WorkloadEndpoint enables and configures the workload
    2386. endpoint controller. Enabled by default, set to nil to disable.
    2387. properties:
    2388. reconcilerPeriod:
    2389. description: 'ReconcilerPeriod is the period to perform
    2390. reconciliation with the Calico datastore. [Default:
    2391. 5m]'
    2392. type: string
    2393. type: object
    2394. type: object
    2395. etcdV3CompactionPeriod:
    2396. description: 'EtcdV3CompactionPeriod is the period between etcdv3
    2397. compaction requests. Set to 0 to disable. [Default: 10m]'
    2398. type: string
    2399. healthChecks:
    2400. description: 'HealthChecks enables or disables support for health
    2401. checks [Default: Enabled]'
    2402. type: string
    2403. logSeverityScreen:
    2404. description: 'LogSeverityScreen is the log severity above which
    2405. logs are sent to the stdout. [Default: Info]'
    2406. type: string
    2407. prometheusMetricsPort:
    2408. description: 'PrometheusMetricsPort is the TCP port that the Prometheus
    2409. metrics server should bind to. Set to 0 to disable. [Default:
    2410. 9094]'
    2411. type: integer
    2412. required:
    2413. - controllers
    2414. type: object
    2415. type: object
    2416. type: object
    2417. served: true
    2418. storage: true
    2419. status:
    2420. acceptedNames:
    2421. kind: ""
    2422. plural: ""
    2423. conditions: []
    2424. storedVersions: []
    2425. ---
    2426. apiVersion: apiextensions.k8s.io/v1
    2427. kind: CustomResourceDefinition
    2428. metadata:
    2429. name: networkpolicies.crd.projectcalico.org
    2430. spec:
    2431. group: crd.projectcalico.org
    2432. names:
    2433. kind: NetworkPolicy
    2434. listKind: NetworkPolicyList
    2435. plural: networkpolicies
    2436. singular: networkpolicy
    2437. scope: Namespaced
    2438. versions:
    2439. - name: v1
    2440. schema:
    2441. openAPIV3Schema:
    2442. properties:
    2443. apiVersion:
    2444. description: 'APIVersion defines the versioned schema of this representation
    2445. of an object. Servers should convert recognized schemas to the latest
    2446. internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    2447. type: string
    2448. kind:
    2449. description: 'Kind is a string value representing the REST resource this
    2450. object represents. Servers may infer this from the endpoint the client
    2451. submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    2452. type: string
    2453. metadata:
    2454. type: object
    2455. spec:
    2456. properties:
    2457. egress:
    2458. description: The ordered set of egress rules. Each rule contains
    2459. a set of packet match criteria and a corresponding action to apply.
    2460. items:
    2461. description: "A Rule encapsulates a set of match criteria and an
    2462. action. Both selector-based security Policy and security Profiles
    2463. reference rules - separated out as a list of rules for both ingress
    2464. and egress packet matching. \n Each positive match criteria has
    2465. a negated version, prefixed with \"Not\". All the match criteria
    2466. within a rule must be satisfied for a packet to match. A single
    2467. rule can contain the positive and negative version of a match
    2468. and both must be satisfied for the rule to match."
    2469. properties:
    2470. action:
    2471. type: string
    2472. destination:
    2473. description: Destination contains the match criteria that apply
    2474. to destination entity.
    2475. properties:
    2476. namespaceSelector:
    2477. description: "NamespaceSelector is an optional field that
    2478. contains a selector expression. Only traffic that originates
    2479. from (or terminates at) endpoints within the selected
    2480. namespaces will be matched. When both NamespaceSelector
    2481. and Selector are defined on the same rule, then only workload
    2482. endpoints that are matched by both selectors will be selected
    2483. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    2484. implies that the Selector is limited to selecting only
    2485. workload endpoints in the same namespace as the NetworkPolicy.
    2486. \n For NetworkPolicy, `global()` NamespaceSelector implies
    2487. that the Selector is limited to selecting only GlobalNetworkSet
    2488. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    2489. NamespaceSelector implies the Selector applies to workload
    2490. endpoints across all namespaces."
    2491. type: string
    2492. nets:
    2493. description: Nets is an optional field that restricts the
    2494. rule to only apply to traffic that originates from (or
    2495. terminates at) IP addresses in any of the given subnets.
    2496. items:
    2497. type: string
    2498. type: array
    2499. notNets:
    2500. description: NotNets is the negated version of the Nets
    2501. field.
    2502. items:
    2503. type: string
    2504. type: array
    2505. notPorts:
    2506. description: NotPorts is the negated version of the Ports
    2507. field. Since only some protocols have ports, if any ports
    2508. are specified it requires the Protocol match in the Rule
    2509. to be set to "TCP" or "UDP".
    2510. items:
    2511. anyOf:
    2512. - type: integer
    2513. - type: string
    2514. pattern: ^.*
    2515. x-kubernetes-int-or-string: true
    2516. type: array
    2517. notSelector:
    2518. description: NotSelector is the negated version of the Selector
    2519. field. See Selector field for subtleties with negated
    2520. selectors.
    2521. type: string
    2522. ports:
    2523. description: "Ports is an optional field that restricts
    2524. the rule to only apply to traffic that has a source (destination)
    2525. port that matches one of these ranges/values. This value
    2526. is a list of integers or strings that represent ranges
    2527. of ports. \n Since only some protocols have ports, if
    2528. any ports are specified it requires the Protocol match
    2529. in the Rule to be set to \"TCP\" or \"UDP\"."
    2530. items:
    2531. anyOf:
    2532. - type: integer
    2533. - type: string
    2534. pattern: ^.*
    2535. x-kubernetes-int-or-string: true
    2536. type: array
    2537. selector:
    2538. description: "Selector is an optional field that contains
    2539. a selector expression (see Policy for sample syntax).
    2540. \ Only traffic that originates from (terminates at) endpoints
    2541. matching the selector will be matched. \n Note that: in
    2542. addition to the negated version of the Selector (see NotSelector
    2543. below), the selector expression syntax itself supports
    2544. negation. The two types of negation are subtly different.
    2545. One negates the set of matched endpoints, the other negates
    2546. the whole match: \n \tSelector = \"!has(my_label)\" matches
    2547. packets that are from other Calico-controlled \tendpoints
    2548. that do not have the label \"my_label\". \n \tNotSelector
    2549. = \"has(my_label)\" matches packets that are not from
    2550. Calico-controlled \tendpoints that do have the label \"my_label\".
    2551. \n The effect is that the latter will accept packets from
    2552. non-Calico sources whereas the former is limited to packets
    2553. from Calico-controlled endpoints."
    2554. type: string
    2555. serviceAccounts:
    2556. description: ServiceAccounts is an optional field that restricts
    2557. the rule to only apply to traffic that originates from
    2558. (or terminates at) a pod running as a matching service
    2559. account.
    2560. properties:
    2561. names:
    2562. description: Names is an optional field that restricts
    2563. the rule to only apply to traffic that originates
    2564. from (or terminates at) a pod running as a service
    2565. account whose name is in the list.
    2566. items:
    2567. type: string
    2568. type: array
    2569. selector:
    2570. description: Selector is an optional field that restricts
    2571. the rule to only apply to traffic that originates
    2572. from (or terminates at) a pod running as a service
    2573. account that matches the given label selector. If
    2574. both Names and Selector are specified then they are
    2575. AND'ed.
    2576. type: string
    2577. type: object
    2578. type: object
    2579. http:
    2580. description: HTTP contains match criteria that apply to HTTP
    2581. requests.
    2582. properties:
    2583. methods:
    2584. description: Methods is an optional field that restricts
    2585. the rule to apply only to HTTP requests that use one of
    2586. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
    2587. methods are OR'd together.
    2588. items:
    2589. type: string
    2590. type: array
    2591. paths:
    2592. description: 'Paths is an optional field that restricts
    2593. the rule to apply to HTTP requests that use one of the
    2594. listed HTTP Paths. Multiple paths are OR''d together.
    2595. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
    2596. ONLY specify either a `exact` or a `prefix` match. The
    2597. validator will check for it.'
    2598. items:
    2599. description: 'HTTPPath specifies an HTTP path to match.
    2600. It may be either of the form: exact: <path>: which matches
    2601. the path exactly or prefix: <path-prefix>: which matches
    2602. the path prefix'
    2603. properties:
    2604. exact:
    2605. type: string
    2606. prefix:
    2607. type: string
    2608. type: object
    2609. type: array
    2610. type: object
    2611. icmp:
    2612. description: ICMP is an optional field that restricts the rule
    2613. to apply to a specific type and code of ICMP traffic. This
    2614. should only be specified if the Protocol field is set to "ICMP"
    2615. or "ICMPv6".
    2616. properties:
    2617. code:
    2618. description: Match on a specific ICMP code. If specified,
    2619. the Type value must also be specified. This is a technical
    2620. limitation imposed by the kernel's iptables firewall,
    2621. which Calico uses to enforce the rule.
    2622. type: integer
    2623. type:
    2624. description: Match on a specific ICMP type. For example
    2625. a value of 8 refers to ICMP Echo Request (i.e. pings).
    2626. type: integer
    2627. type: object
    2628. ipVersion:
    2629. description: IPVersion is an optional field that restricts the
    2630. rule to only match a specific IP version.
    2631. type: integer
    2632. metadata:
    2633. description: Metadata contains additional information for this
    2634. rule
    2635. properties:
    2636. annotations:
    2637. additionalProperties:
    2638. type: string
    2639. description: Annotations is a set of key value pairs that
    2640. give extra information about the rule
    2641. type: object
    2642. type: object
    2643. notICMP:
    2644. description: NotICMP is the negated version of the ICMP field.
    2645. properties:
    2646. code:
    2647. description: Match on a specific ICMP code. If specified,
    2648. the Type value must also be specified. This is a technical
    2649. limitation imposed by the kernel's iptables firewall,
    2650. which Calico uses to enforce the rule.
    2651. type: integer
    2652. type:
    2653. description: Match on a specific ICMP type. For example
    2654. a value of 8 refers to ICMP Echo Request (i.e. pings).
    2655. type: integer
    2656. type: object
    2657. notProtocol:
    2658. anyOf:
    2659. - type: integer
    2660. - type: string
    2661. description: NotProtocol is the negated version of the Protocol
    2662. field.
    2663. pattern: ^.*
    2664. x-kubernetes-int-or-string: true
    2665. protocol:
    2666. anyOf:
    2667. - type: integer
    2668. - type: string
    2669. description: "Protocol is an optional field that restricts the
    2670. rule to only apply to traffic of a specific IP protocol. Required
    2671. if any of the EntityRules contain Ports (because ports only
    2672. apply to certain protocols). \n Must be one of these string
    2673. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
    2674. \"UDPLite\" or an integer in the range 1-255."
    2675. pattern: ^.*
    2676. x-kubernetes-int-or-string: true
    2677. source:
    2678. description: Source contains the match criteria that apply to
    2679. source entity.
    2680. properties:
    2681. namespaceSelector:
    2682. description: "NamespaceSelector is an optional field that
    2683. contains a selector expression. Only traffic that originates
    2684. from (or terminates at) endpoints within the selected
    2685. namespaces will be matched. When both NamespaceSelector
    2686. and Selector are defined on the same rule, then only workload
    2687. endpoints that are matched by both selectors will be selected
    2688. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    2689. implies that the Selector is limited to selecting only
    2690. workload endpoints in the same namespace as the NetworkPolicy.
    2691. \n For NetworkPolicy, `global()` NamespaceSelector implies
    2692. that the Selector is limited to selecting only GlobalNetworkSet
    2693. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    2694. NamespaceSelector implies the Selector applies to workload
    2695. endpoints across all namespaces."
    2696. type: string
    2697. nets:
    2698. description: Nets is an optional field that restricts the
    2699. rule to only apply to traffic that originates from (or
    2700. terminates at) IP addresses in any of the given subnets.
    2701. items:
    2702. type: string
    2703. type: array
    2704. notNets:
    2705. description: NotNets is the negated version of the Nets
    2706. field.
    2707. items:
    2708. type: string
    2709. type: array
    2710. notPorts:
    2711. description: NotPorts is the negated version of the Ports
    2712. field. Since only some protocols have ports, if any ports
    2713. are specified it requires the Protocol match in the Rule
    2714. to be set to "TCP" or "UDP".
    2715. items:
    2716. anyOf:
    2717. - type: integer
    2718. - type: string
    2719. pattern: ^.*
    2720. x-kubernetes-int-or-string: true
    2721. type: array
    2722. notSelector:
    2723. description: NotSelector is the negated version of the Selector
    2724. field. See Selector field for subtleties with negated
    2725. selectors.
    2726. type: string
    2727. ports:
    2728. description: "Ports is an optional field that restricts
    2729. the rule to only apply to traffic that has a source (destination)
    2730. port that matches one of these ranges/values. This value
    2731. is a list of integers or strings that represent ranges
    2732. of ports. \n Since only some protocols have ports, if
    2733. any ports are specified it requires the Protocol match
    2734. in the Rule to be set to \"TCP\" or \"UDP\"."
    2735. items:
    2736. anyOf:
    2737. - type: integer
    2738. - type: string
    2739. pattern: ^.*
    2740. x-kubernetes-int-or-string: true
    2741. type: array
    2742. selector:
    2743. description: "Selector is an optional field that contains
    2744. a selector expression (see Policy for sample syntax).
    2745. \ Only traffic that originates from (terminates at) endpoints
    2746. matching the selector will be matched. \n Note that: in
    2747. addition to the negated version of the Selector (see NotSelector
    2748. below), the selector expression syntax itself supports
    2749. negation. The two types of negation are subtly different.
    2750. One negates the set of matched endpoints, the other negates
    2751. the whole match: \n \tSelector = \"!has(my_label)\" matches
    2752. packets that are from other Calico-controlled \tendpoints
    2753. that do not have the label \"my_label\". \n \tNotSelector
    2754. = \"has(my_label)\" matches packets that are not from
    2755. Calico-controlled \tendpoints that do have the label \"my_label\".
    2756. \n The effect is that the latter will accept packets from
    2757. non-Calico sources whereas the former is limited to packets
    2758. from Calico-controlled endpoints."
    2759. type: string
    2760. serviceAccounts:
    2761. description: ServiceAccounts is an optional field that restricts
    2762. the rule to only apply to traffic that originates from
    2763. (or terminates at) a pod running as a matching service
    2764. account.
    2765. properties:
    2766. names:
    2767. description: Names is an optional field that restricts
    2768. the rule to only apply to traffic that originates
    2769. from (or terminates at) a pod running as a service
    2770. account whose name is in the list.
    2771. items:
    2772. type: string
    2773. type: array
    2774. selector:
    2775. description: Selector is an optional field that restricts
    2776. the rule to only apply to traffic that originates
    2777. from (or terminates at) a pod running as a service
    2778. account that matches the given label selector. If
    2779. both Names and Selector are specified then they are
    2780. AND'ed.
    2781. type: string
    2782. type: object
    2783. type: object
    2784. required:
    2785. - action
    2786. type: object
    2787. type: array
    2788. ingress:
    2789. description: The ordered set of ingress rules. Each rule contains
    2790. a set of packet match criteria and a corresponding action to apply.
    2791. items:
    2792. description: "A Rule encapsulates a set of match criteria and an
    2793. action. Both selector-based security Policy and security Profiles
    2794. reference rules - separated out as a list of rules for both ingress
    2795. and egress packet matching. \n Each positive match criteria has
    2796. a negated version, prefixed with \"Not\". All the match criteria
    2797. within a rule must be satisfied for a packet to match. A single
    2798. rule can contain the positive and negative version of a match
    2799. and both must be satisfied for the rule to match."
    2800. properties:
    2801. action:
    2802. type: string
    2803. destination:
    2804. description: Destination contains the match criteria that apply
    2805. to destination entity.
    2806. properties:
    2807. namespaceSelector:
    2808. description: "NamespaceSelector is an optional field that
    2809. contains a selector expression. Only traffic that originates
    2810. from (or terminates at) endpoints within the selected
    2811. namespaces will be matched. When both NamespaceSelector
    2812. and Selector are defined on the same rule, then only workload
    2813. endpoints that are matched by both selectors will be selected
    2814. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    2815. implies that the Selector is limited to selecting only
    2816. workload endpoints in the same namespace as the NetworkPolicy.
    2817. \n For NetworkPolicy, `global()` NamespaceSelector implies
    2818. that the Selector is limited to selecting only GlobalNetworkSet
    2819. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    2820. NamespaceSelector implies the Selector applies to workload
    2821. endpoints across all namespaces."
    2822. type: string
    2823. nets:
    2824. description: Nets is an optional field that restricts the
    2825. rule to only apply to traffic that originates from (or
    2826. terminates at) IP addresses in any of the given subnets.
    2827. items:
    2828. type: string
    2829. type: array
    2830. notNets:
    2831. description: NotNets is the negated version of the Nets
    2832. field.
    2833. items:
    2834. type: string
    2835. type: array
    2836. notPorts:
    2837. description: NotPorts is the negated version of the Ports
    2838. field. Since only some protocols have ports, if any ports
    2839. are specified it requires the Protocol match in the Rule
    2840. to be set to "TCP" or "UDP".
    2841. items:
    2842. anyOf:
    2843. - type: integer
    2844. - type: string
    2845. pattern: ^.*
    2846. x-kubernetes-int-or-string: true
    2847. type: array
    2848. notSelector:
    2849. description: NotSelector is the negated version of the Selector
    2850. field. See Selector field for subtleties with negated
    2851. selectors.
    2852. type: string
    2853. ports:
    2854. description: "Ports is an optional field that restricts
    2855. the rule to only apply to traffic that has a source (destination)
    2856. port that matches one of these ranges/values. This value
    2857. is a list of integers or strings that represent ranges
    2858. of ports. \n Since only some protocols have ports, if
    2859. any ports are specified it requires the Protocol match
    2860. in the Rule to be set to \"TCP\" or \"UDP\"."
    2861. items:
    2862. anyOf:
    2863. - type: integer
    2864. - type: string
    2865. pattern: ^.*
    2866. x-kubernetes-int-or-string: true
    2867. type: array
    2868. selector:
    2869. description: "Selector is an optional field that contains
    2870. a selector expression (see Policy for sample syntax).
    2871. \ Only traffic that originates from (terminates at) endpoints
    2872. matching the selector will be matched. \n Note that: in
    2873. addition to the negated version of the Selector (see NotSelector
    2874. below), the selector expression syntax itself supports
    2875. negation. The two types of negation are subtly different.
    2876. One negates the set of matched endpoints, the other negates
    2877. the whole match: \n \tSelector = \"!has(my_label)\" matches
    2878. packets that are from other Calico-controlled \tendpoints
    2879. that do not have the label \"my_label\". \n \tNotSelector
    2880. = \"has(my_label)\" matches packets that are not from
    2881. Calico-controlled \tendpoints that do have the label \"my_label\".
    2882. \n The effect is that the latter will accept packets from
    2883. non-Calico sources whereas the former is limited to packets
    2884. from Calico-controlled endpoints."
    2885. type: string
    2886. serviceAccounts:
    2887. description: ServiceAccounts is an optional field that restricts
    2888. the rule to only apply to traffic that originates from
    2889. (or terminates at) a pod running as a matching service
    2890. account.
    2891. properties:
    2892. names:
    2893. description: Names is an optional field that restricts
    2894. the rule to only apply to traffic that originates
    2895. from (or terminates at) a pod running as a service
    2896. account whose name is in the list.
    2897. items:
    2898. type: string
    2899. type: array
    2900. selector:
    2901. description: Selector is an optional field that restricts
    2902. the rule to only apply to traffic that originates
    2903. from (or terminates at) a pod running as a service
    2904. account that matches the given label selector. If
    2905. both Names and Selector are specified then they are
    2906. AND'ed.
    2907. type: string
    2908. type: object
    2909. type: object
    2910. http:
    2911. description: HTTP contains match criteria that apply to HTTP
    2912. requests.
    2913. properties:
    2914. methods:
    2915. description: Methods is an optional field that restricts
    2916. the rule to apply only to HTTP requests that use one of
    2917. the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
    2918. methods are OR'd together.
    2919. items:
    2920. type: string
    2921. type: array
    2922. paths:
    2923. description: 'Paths is an optional field that restricts
    2924. the rule to apply to HTTP requests that use one of the
    2925. listed HTTP Paths. Multiple paths are OR''d together.
    2926. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
    2927. ONLY specify either a `exact` or a `prefix` match. The
    2928. validator will check for it.'
    2929. items:
    2930. description: 'HTTPPath specifies an HTTP path to match.
    2931. It may be either of the form: exact: <path>: which matches
    2932. the path exactly or prefix: <path-prefix>: which matches
    2933. the path prefix'
    2934. properties:
    2935. exact:
    2936. type: string
    2937. prefix:
    2938. type: string
    2939. type: object
    2940. type: array
    2941. type: object
    2942. icmp:
    2943. description: ICMP is an optional field that restricts the rule
    2944. to apply to a specific type and code of ICMP traffic. This
    2945. should only be specified if the Protocol field is set to "ICMP"
    2946. or "ICMPv6".
    2947. properties:
    2948. code:
    2949. description: Match on a specific ICMP code. If specified,
    2950. the Type value must also be specified. This is a technical
    2951. limitation imposed by the kernel's iptables firewall,
    2952. which Calico uses to enforce the rule.
    2953. type: integer
    2954. type:
    2955. description: Match on a specific ICMP type. For example
    2956. a value of 8 refers to ICMP Echo Request (i.e. pings).
    2957. type: integer
    2958. type: object
    2959. ipVersion:
    2960. description: IPVersion is an optional field that restricts the
    2961. rule to only match a specific IP version.
    2962. type: integer
    2963. metadata:
    2964. description: Metadata contains additional information for this
    2965. rule
    2966. properties:
    2967. annotations:
    2968. additionalProperties:
    2969. type: string
    2970. description: Annotations is a set of key value pairs that
    2971. give extra information about the rule
    2972. type: object
    2973. type: object
    2974. notICMP:
    2975. description: NotICMP is the negated version of the ICMP field.
    2976. properties:
    2977. code:
    2978. description: Match on a specific ICMP code. If specified,
    2979. the Type value must also be specified. This is a technical
    2980. limitation imposed by the kernel's iptables firewall,
    2981. which Calico uses to enforce the rule.
    2982. type: integer
    2983. type:
    2984. description: Match on a specific ICMP type. For example
    2985. a value of 8 refers to ICMP Echo Request (i.e. pings).
    2986. type: integer
    2987. type: object
    2988. notProtocol:
    2989. anyOf:
    2990. - type: integer
    2991. - type: string
    2992. description: NotProtocol is the negated version of the Protocol
    2993. field.
    2994. pattern: ^.*
    2995. x-kubernetes-int-or-string: true
    2996. protocol:
    2997. anyOf:
    2998. - type: integer
    2999. - type: string
    3000. description: "Protocol is an optional field that restricts the
    3001. rule to only apply to traffic of a specific IP protocol. Required
    3002. if any of the EntityRules contain Ports (because ports only
    3003. apply to certain protocols). \n Must be one of these string
    3004. values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
    3005. \"UDPLite\" or an integer in the range 1-255."
    3006. pattern: ^.*
    3007. x-kubernetes-int-or-string: true
    3008. source:
    3009. description: Source contains the match criteria that apply to
    3010. source entity.
    3011. properties:
    3012. namespaceSelector:
    3013. description: "NamespaceSelector is an optional field that
    3014. contains a selector expression. Only traffic that originates
    3015. from (or terminates at) endpoints within the selected
    3016. namespaces will be matched. When both NamespaceSelector
    3017. and Selector are defined on the same rule, then only workload
    3018. endpoints that are matched by both selectors will be selected
    3019. by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    3020. implies that the Selector is limited to selecting only
    3021. workload endpoints in the same namespace as the NetworkPolicy.
    3022. \n For NetworkPolicy, `global()` NamespaceSelector implies
    3023. that the Selector is limited to selecting only GlobalNetworkSet
    3024. or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    3025. NamespaceSelector implies the Selector applies to workload
    3026. endpoints across all namespaces."
    3027. type: string
    3028. nets:
    3029. description: Nets is an optional field that restricts the
    3030. rule to only apply to traffic that originates from (or
    3031. terminates at) IP addresses in any of the given subnets.
    3032. items:
    3033. type: string
    3034. type: array
    3035. notNets:
    3036. description: NotNets is the negated version of the Nets
    3037. field.
    3038. items:
    3039. type: string
    3040. type: array
    3041. notPorts:
    3042. description: NotPorts is the negated version of the Ports
    3043. field. Since only some protocols have ports, if any ports
    3044. are specified it requires the Protocol match in the Rule
    3045. to be set to "TCP" or "UDP".
    3046. items:
    3047. anyOf:
    3048. - type: integer
    3049. - type: string
    3050. pattern: ^.*
    3051. x-kubernetes-int-or-string: true
    3052. type: array
    3053. notSelector:
    3054. description: NotSelector is the negated version of the Selector
    3055. field. See Selector field for subtleties with negated
    3056. selectors.
    3057. type: string
    3058. ports:
    3059. description: "Ports is an optional field that restricts
    3060. the rule to only apply to traffic that has a source (destination)
    3061. port that matches one of these ranges/values. This value
    3062. is a list of integers or strings that represent ranges
    3063. of ports. \n Since only some protocols have ports, if
    3064. any ports are specified it requires the Protocol match
    3065. in the Rule to be set to \"TCP\" or \"UDP\"."
    3066. items:
    3067. anyOf:
    3068. - type: integer
    3069. - type: string
    3070. pattern: ^.*
    3071. x-kubernetes-int-or-string: true
    3072. type: array
    3073. selector:
    3074. description: "Selector is an optional field that contains
    3075. a selector expression (see Policy for sample syntax).
    3076. \ Only traffic that originates from (terminates at) endpoints
    3077. matching the selector will be matched. \n Note that: in
    3078. addition to the negated version of the Selector (see NotSelector
    3079. below), the selector expression syntax itself supports
    3080. negation. The two types of negation are subtly different.
    3081. One negates the set of matched endpoints, the other negates
    3082. the whole match: \n \tSelector = \"!has(my_label)\" matches
    3083. packets that are from other Calico-controlled \tendpoints
    3084. that do not have the label \"my_label\". \n \tNotSelector
    3085. = \"has(my_label)\" matches packets that are not from
    3086. Calico-controlled \tendpoints that do have the label \"my_label\".
    3087. \n The effect is that the latter will accept packets from
    3088. non-Calico sources whereas the former is limited to packets
    3089. from Calico-controlled endpoints."
    3090. type: string
    3091. serviceAccounts:
    3092. description: ServiceAccounts is an optional field that restricts
    3093. the rule to only apply to traffic that originates from
    3094. (or terminates at) a pod running as a matching service
    3095. account.
    3096. properties:
    3097. names:
    3098. description: Names is an optional field that restricts
    3099. the rule to only apply to traffic that originates
    3100. from (or terminates at) a pod running as a service
    3101. account whose name is in the list.
    3102. items:
    3103. type: string
    3104. type: array
    3105. selector:
    3106. description: Selector is an optional field that restricts
    3107. the rule to only apply to traffic that originates
    3108. from (or terminates at) a pod running as a service
    3109. account that matches the given label selector. If
    3110. both Names and Selector are specified then they are
    3111. AND'ed.
    3112. type: string
    3113. type: object
    3114. type: object
    3115. required:
    3116. - action
    3117. type: object
    3118. type: array
    3119. order:
    3120. description: Order is an optional field that specifies the order in
    3121. which the policy is applied. Policies with higher "order" are applied
    3122. after those with lower order. If the order is omitted, it may be
    3123. considered to be "infinite" - i.e. the policy will be applied last. Policies
    3124. with identical order will be applied in alphanumerical order based
    3125. on the Policy "Name".
    3126. type: number
    3127. selector:
    3128. description: "The selector is an expression used to pick pick out
    3129. the endpoints that the policy should be applied to. \n Selector
    3130. expressions follow this syntax: \n \tlabel == \"string_literal\"
    3131. \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
    3132. \ -> not equal; also matches if label is not present \tlabel in
    3133. { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
    3134. one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
    3135. ... } -> true if the value of label X is not one of \"a\", \"b\",
    3136. \"c\" \thas(label_name) -> True if that label is present \t! expr
    3137. -> negation of expr \texpr && expr -> Short-circuit and \texpr
    3138. || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
    3139. or the empty selector -> matches all endpoints. \n Label names are
    3140. allowed to contain alphanumerics, -, _ and /. String literals are
    3141. more permissive but they do not support escape characters. \n Examples
    3142. (with made-up labels): \n \ttype == \"webserver\" && deployment
    3143. == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
    3144. \"dev\" \t! has(label_name)"
    3145. type: string
    3146. serviceAccountSelector:
    3147. description: ServiceAccountSelector is an optional field for an expression
    3148. used to select a pod based on service accounts.
    3149. type: string
    3150. types:
    3151. description: "Types indicates whether this policy applies to ingress,
    3152. or to egress, or to both. When not explicitly specified (and so
    3153. the value on creation is empty or nil), Calico defaults Types according
    3154. to what Ingress and Egress are present in the policy. The default
    3155. is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
    3156. the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
    3157. ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
    3158. PolicyTypeEgress ], if there are both Ingress and Egress rules.
    3159. \n When the policy is read back again, Types will always be one
    3160. of these values, never empty or nil."
    3161. items:
    3162. description: PolicyType enumerates the possible values of the PolicySpec
    3163. Types field.
    3164. type: string
    3165. type: array
    3166. type: object
    3167. type: object
    3168. served: true
    3169. storage: true
    3170. status:
    3171. acceptedNames:
    3172. kind: ""
    3173. plural: ""
    3174. conditions: []
    3175. storedVersions: []
    3176. ---
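    # CustomResourceDefinition for NetworkSet: a namespaced list of IP networks
    # that Calico policy can select (the GlobalNetworkSet counterpart is cluster-scoped).
    # Reconstructed with proper nesting; the flattened listing above is not loadable as YAML.
    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: networksets.crd.projectcalico.org
    spec:
      group: crd.projectcalico.org
      names:
        kind: NetworkSet
        listKind: NetworkSetList
        plural: networksets
        singular: networkset
      # Namespaced: RBAC on this resource can be granted per namespace, unlike GlobalNetworkSet.
      scope: Namespaced
      versions:
        - name: v1
          schema:
            openAPIV3Schema:
              description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
              properties:
                apiVersion:
                  description: 'APIVersion defines the versioned schema of this representation
                    of an object. Servers should convert recognized schemas to the latest
                    internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                  type: string
                kind:
                  description: 'Kind is a string value representing the REST resource this
                    object represents. Servers may infer this from the endpoint the client
                    submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                  type: string
                metadata:
                  type: object
                spec:
                  description: NetworkSetSpec contains the specification for a NetworkSet
                    resource.
                  properties:
                    nets:
                      description: The list of IP networks that belong to this set.
                      # Entries are plain strings at the API level: this schema enforces no
                      # CIDR pattern, so any validation of the network list happens inside
                      # Calico rather than at admission — confirm against the controller.
                      # Because selectors presumably match traffic against these networks,
                      # write access to NetworkSets in a namespace deserves the same review
                      # as write access to NetworkPolicy there.
                      items:
                        type: string
                      type: array
                  type: object
              type: object
          served: true
          storage: true
    status:
      acceptedNames:
        kind: ""
        plural: ""
      conditions: []
      storedVersions: []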
    3226. ---
    3227. ---
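    # Source: calico/templates/calico-kube-controllers-rbac.yaml
    # Include a clusterrole for the kube-controllers component,
    # and bind it to the calico-kube-controllers serviceaccount.
    #
    # Reconstructed with proper nesting; the flattened listing above is not loadable as YAML.
    # This role is cluster-scoped and is granted to a single ServiceAccount in kube-system by
    # the ClusterRoleBinding that follows. Each rule carries a comment naming the reason it
    # exists; keep that convention when adding verbs so the grant stays reviewable.
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: calico-kube-controllers
    rules:
      # Nodes are watched to monitor for deletions.
      - apiGroups: [""]
        resources:
          - nodes
        verbs:
          - watch
          - list
          - get
      # Pods are queried to check for existence.
      # Deliberately `get` only (no list/watch): the controller looks up named pods,
      # it does not enumerate them.
      - apiGroups: [""]
        resources:
          - pods
        verbs:
          - get
      # IPAM resources are manipulated when nodes are deleted.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - ippools
        verbs:
          - list
      # Full read/write on IPAM bookkeeping objects; this is the broadest grant in the role.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - blockaffinities
          - ipamblocks
          - ipamhandles
        verbs:
          - get
          - list
          - create
          - update
          - delete
          - watch
      # kube-controllers manages hostendpoints.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - hostendpoints
        verbs:
          - get
          - list
          - create
          - update
          - delete
      # Needs access to update clusterinformations.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - clusterinformations
        verbs:
          - get
          - create
          - update
      # KubeControllersConfiguration is where it gets its config
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - kubecontrollersconfigurations
        verbs:
          # read its own config
          - get
          # create a default if none exists
          - create
          # update status
          - update
          # watch for changes
          - watch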
    3299. ---
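    # Binds the cluster-scoped calico-kube-controllers role to exactly one ServiceAccount.
    # The subject is pinned to the kube-system namespace, so a same-named ServiceAccount
    # created in any other namespace receives none of these permissions.
    # Reconstructed with proper nesting; the flattened listing above is not loadable as YAML.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: calico-kube-controllers
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: calico-kube-controllers
    subjects:
      - kind: ServiceAccount
        name: calico-kube-controllers
        namespace: kube-system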
    3312. ---
    3313. ---
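    # Source: calico/templates/calico-node-rbac.yaml
    # Include a clusterrole for the calico-node DaemonSet,
    # and bind it to the calico-node serviceaccount.
    #
    # Reconstructed with proper nesting; the flattened listing above is not loadable as YAML.
    # This role is held by the calico-node ServiceAccount, which the DaemonSet later in this
    # manifest runs with hostNetwork and privileged init containers on every node. Every
    # verb granted here is therefore available from a highly privileged pod on each host,
    # so the rules marked as upgrade-only below should be dropped on fresh installations
    # rather than left in place indefinitely.
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: calico-node
    rules:
      # The CNI plugin needs to get pods, nodes, and namespaces.
      - apiGroups: [""]
        resources:
          - pods
          - nodes
          - namespaces
        verbs:
          - get
      - apiGroups: [""]
        resources:
          - endpoints
          - services
        verbs:
          # Used to discover service IPs for advertisement.
          - watch
          - list
          # Used to discover Typhas.
          - get
      # Pod CIDR auto-detection on kubeadm needs access to config maps.
      # Note this is cluster-wide `get` on configmaps (no resourceNames restriction);
      # the name of the ConfigMap actually read is not visible in this manifest.
      - apiGroups: [""]
        resources:
          - configmaps
        verbs:
          - get
      - apiGroups: [""]
        resources:
          - nodes/status
        verbs:
          # Needed for clearing NodeNetworkUnavailable flag.
          - patch
          # Calico stores some configuration information in node annotations.
          - update
      # Watch for changes to Kubernetes NetworkPolicies.
      - apiGroups: ["networking.k8s.io"]
        resources:
          - networkpolicies
        verbs:
          - watch
          - list
      # Used by Calico for policy information.
      - apiGroups: [""]
        resources:
          - pods
          - namespaces
          - serviceaccounts
        verbs:
          - list
          - watch
      # The CNI plugin patches pods/status.
      - apiGroups: [""]
        resources:
          - pods/status
        verbs:
          - patch
      # Calico monitors various CRDs for config.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - globalfelixconfigs
          - felixconfigurations
          - bgppeers
          - globalbgpconfigs
          - bgpconfigurations
          - ippools
          - ipamblocks
          - globalnetworkpolicies
          - globalnetworksets
          - networkpolicies
          - networksets
          - clusterinformations
          - hostendpoints
          - blockaffinities
        verbs:
          - get
          - list
          - watch
      # Calico must create and update some CRDs on startup.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - ippools
          - felixconfigurations
          - clusterinformations
        verbs:
          - create
          - update
      # Calico stores some configuration information on the node.
      - apiGroups: [""]
        resources:
          - nodes
        verbs:
          - get
          - list
          - watch
      # These permissions are only required for upgrade from v2.6, and can
      # be removed after upgrade or on fresh installations.
      # Least privilege: on a new cluster delete this rule before applying — it lets every
      # node's calico-node write BGP peering configuration, which is not needed for steady state.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - bgpconfigurations
          - bgppeers
        verbs:
          - create
          - update
      # These permissions are required for Calico CNI to perform IPAM allocations.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - blockaffinities
          - ipamblocks
          - ipamhandles
        verbs:
          - get
          - list
          - create
          - update
          - delete
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - ipamconfigs
        verbs:
          - get
      # Block affinities must also be watchable by confd for route aggregation.
      - apiGroups: ["crd.projectcalico.org"]
        resources:
          - blockaffinities
        verbs:
          - watch
      # The Calico IPAM migration needs to get daemonsets. These permissions can be
      # removed if not upgrading from an installation using host-local IPAM.
      # Least privilege: also a candidate for removal on fresh installations (pairs with the
      # upgrade-ipam init container in the DaemonSet below).
      - apiGroups: ["apps"]
        resources:
          - daemonsets
        verbs:
          - get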
    3453. ---
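    # Binds the cluster-scoped calico-node role to the calico-node ServiceAccount in
    # kube-system, i.e. to the identity the calico-node DaemonSet runs under. Anything
    # that can obtain that ServiceAccount's token (for example by running on a node as
    # that pod) inherits the whole role, so changes to the role should be reviewed with
    # that in mind.
    # Reconstructed with proper nesting; the flattened listing above is not loadable as YAML.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: calico-node
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: calico-node
    subjects:
      - kind: ServiceAccount
        name: calico-node
        namespace: kube-system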
    3466. ---
    3467. # Source: calico/templates/calico-node.yaml
    3468. # This manifest installs the calico-node container, as well
    3469. # as the CNI plugins and network config on
    3470. # each master and worker node in a Kubernetes cluster.
    3471. kind: DaemonSet
    3472. apiVersion: apps/v1
    3473. metadata:
    3474. name: calico-node
    3475. namespace: kube-system
    3476. labels:
    3477. k8s-app: calico-node
    3478. spec:
    3479. selector:
    3480. matchLabels:
    3481. k8s-app: calico-node
    3482. updateStrategy:
    3483. type: RollingUpdate
    3484. rollingUpdate:
    3485. maxUnavailable: 1
    3486. template:
    3487. metadata:
    3488. labels:
    3489. k8s-app: calico-node
    3490. spec:
    3491. nodeSelector:
    3492. kubernetes.io/os: linux
    3493. hostNetwork: true
    3494. tolerations:
    3495. # Make sure calico-node gets scheduled on all nodes.
    3496. - effect: NoSchedule
    3497. operator: Exists
    3498. # Mark the pod as a critical add-on for rescheduling.
    3499. - key: CriticalAddonsOnly
    3500. operator: Exists
    3501. - effect: NoExecute
    3502. operator: Exists
    3503. serviceAccountName: calico-node
    3504. # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
    3505. # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
    3506. terminationGracePeriodSeconds: 0
    3507. priorityClassName: system-node-critical
    3508. initContainers:
    3509. # This container performs upgrade from host-local IPAM to calico-ipam.
    3510. # It can be deleted if this is a fresh installation, or if you have already
    3511. # upgraded to use calico-ipam.
    3512. - name: upgrade-ipam
    3513. image: docker.io/calico/cni:v3.18.0
    3514. command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
    3515. envFrom:
    3516. - configMapRef:
    3517. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
    3518. name: kubernetes-services-endpoint
    3519. optional: true
    3520. env:
    3521. - name: KUBERNETES_NODE_NAME
    3522. valueFrom:
    3523. fieldRef:
    3524. fieldPath: spec.nodeName
    3525. - name: CALICO_NETWORKING_BACKEND
    3526. valueFrom:
    3527. configMapKeyRef:
    3528. name: calico-config
    3529. key: calico_backend
    3530. volumeMounts:
    3531. - mountPath: /var/lib/cni/networks
    3532. name: host-local-net-dir
    3533. - mountPath: /host/opt/cni/bin
    3534. name: cni-bin-dir
    3535. securityContext:
    3536. privileged: true
    3537. # This container installs the CNI binaries
    3538. # and CNI network config file on each node.
    3539. - name: install-cni
    3540. image: docker.io/calico/cni:v3.18.0
    3541. command: ["/opt/cni/bin/install"]
    3542. envFrom:
    3543. - configMapRef:
    3544. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
    3545. name: kubernetes-services-endpoint
    3546. optional: true
    3547. env:
    3548. # Name of the CNI config file to create.
    3549. - name: CNI_CONF_NAME
    3550. value: "10-calico.conflist"
    3551. # The CNI network config to install on each node.
    3552. - name: CNI_NETWORK_CONFIG
    3553. valueFrom:
    3554. configMapKeyRef:
    3555. name: calico-config
    3556. key: cni_network_config
    3557. # Set the hostname based on the k8s node name.
    3558. - name: KUBERNETES_NODE_NAME
    3559. valueFrom:
    3560. fieldRef:
    3561. fieldPath: spec.nodeName
    3562. # CNI MTU Config variable
    3563. - name: CNI_MTU
    3564. valueFrom:
    3565. configMapKeyRef:
    3566. name: calico-config
    3567. key: veth_mtu
    3568. # Prevents the container from sleeping forever.
    3569. - name: SLEEP
    3570. value: "false"
    3571. volumeMounts:
    3572. - mountPath: /host/opt/cni/bin
    3573. name: cni-bin-dir
    3574. - mountPath: /host/etc/cni/net.d
    3575. name: cni-net-dir
    3576. securityContext:
    3577. privileged: true
    3578. # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
    3579. # to communicate with Felix over the Policy Sync API.
    3580. - name: flexvol-driver
    3581. image: docker.io/calico/pod2daemon-flexvol:v3.18.0
    3582. volumeMounts:
    3583. - name: flexvol-driver-host
    3584. mountPath: /host/driver
    3585. securityContext:
    3586. privileged: true
    3587. containers:
    3588. # Runs calico-node container on each Kubernetes node. This
    3589. # container programs network policy and routes on each
    3590. # host.
    3591. - name: calico-node
    3592. image: docker.io/calico/node:v3.18.0
    3593. envFrom:
    3594. - configMapRef:
    3595. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
    3596. name: kubernetes-services-endpoint
    3597. optional: true
    3598. env:
    3599. # Use Kubernetes API as the backing datastore.
    3600. - name: DATASTORE_TYPE
    3601. value: "kubernetes"
    3602. # Wait for the datastore.
    3603. - name: WAIT_FOR_DATASTORE
    3604. value: "true"
    3605. # Set based on the k8s node name.
    3606. - name: NODENAME
    3607. valueFrom:
    3608. fieldRef:
    3609. fieldPath: spec.nodeName
    3610. # Choose the backend to use.
    3611. - name: CALICO_NETWORKING_BACKEND
    3612. valueFrom:
    3613. configMapKeyRef:
    3614. name: calico-config
    3615. key: calico_backend
    3616. # Cluster type to identify the deployment type
    3617. - name: CLUSTER_TYPE
    3618. value: "k8s,bgp"
    3619. # Auto-detect the BGP IP address.
    3620. - name: IP
    3621. value: "autodetect"
    3622. # Enable IPIP
    3623. - name: CALICO_IPV4POOL_IPIP
    3624. value: "Always"
    3625. # Enable or Disable VXLAN on the default IP pool.
    3626. - name: CALICO_IPV4POOL_VXLAN
    3627. value: "Never"
    3628. # Set MTU for tunnel device used if ipip is enabled
    3629. - name: FELIX_IPINIPMTU
    3630. valueFrom:
    3631. configMapKeyRef:
    3632. name: calico-config
    3633. key: veth_mtu
    3634. # Set MTU for the VXLAN tunnel device.
    3635. - name: FELIX_VXLANMTU
    3636. valueFrom:
    3637. configMapKeyRef:
    3638. name: calico-config
    3639. key: veth_mtu
    3640. # Set MTU for the Wireguard tunnel device.
    3641. - name: FELIX_WIREGUARDMTU
    3642. valueFrom:
    3643. configMapKeyRef:
    3644. name: calico-config
    3645. key: veth_mtu
    3646. # The default IPv4 pool to create on startup if none exists. Pod IPs will be
    3647. # chosen from this range. Changing this value after installation will have
    3648. # no effect. This should fall within `--cluster-cidr`.
    3649. # - name: CALICO_IPV4POOL_CIDR
    3650. # value: "192.168.0.0/16"
    3651. # Disable file logging so `kubectl logs` works.
    3652. - name: CALICO_DISABLE_FILE_LOGGING
    3653. value: "true"
    3654. # Set Felix endpoint to host default action to ACCEPT.
    3655. - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
    3656. value: "ACCEPT"
    3657. # Disable IPv6 on Kubernetes.
    3658. - name: FELIX_IPV6SUPPORT
    3659. value: "false"
    3660. # Set Felix logging to "info"
    3661. - name: FELIX_LOGSEVERITYSCREEN
    3662. value: "info"
    3663. - name: FELIX_HEALTHENABLED
    3664. value: "true"
    3665. securityContext:
    3666. privileged: true
    3667. resources:
    3668. requests:
    3669. cpu: 250m
    3670. livenessProbe:
    3671. exec:
    3672. command:
    3673. - /bin/calico-node
    3674. - -felix-live
    3675. - -bird-live
    3676. periodSeconds: 10
    3677. initialDelaySeconds: 10
    3678. failureThreshold: 6
    3679. readinessProbe:
    3680. exec:
    3681. command:
    3682. - /bin/calico-node
    3683. - -felix-ready
    3684. - -bird-ready
    3685. periodSeconds: 10
    3686. volumeMounts:
    3687. - mountPath: /lib/modules
    3688. name: lib-modules
    3689. readOnly: true
    3690. - mountPath: /run/xtables.lock
    3691. name: xtables-lock
    3692. readOnly: false
    3693. - mountPath: /var/run/calico
    3694. name: var-run-calico
    3695. readOnly: false
    3696. - mountPath: /var/lib/calico
    3697. name: var-lib-calico
    3698. readOnly: false
    3699. - name: policysync
    3700. mountPath: /var/run/nodeagent
    3701. # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
    3702. # parent directory.
    3703. - name: sysfs
    3704. mountPath: /sys/fs/
    3705. # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
    3706. # If the host is known to mount that filesystem already then Bidirectional can be omitted.
    3707. mountPropagation: Bidirectional
    3708. - name: cni-log-dir
    3709. mountPath: /var/log/calico/cni
    3710. readOnly: true
    3711. volumes:
    3712. # Used by calico-node.
    3713. - name: lib-modules
    3714. hostPath:
    3715. path: /lib/modules
    3716. - name: var-run-calico
    3717. hostPath:
    3718. path: /var/run/calico
    3719. - name: var-lib-calico
    3720. hostPath:
    3721. path: /var/lib/calico
    3722. - name: xtables-lock
    3723. hostPath:
    3724. path: /run/xtables.lock
    3725. type: FileOrCreate
    3726. - name: sysfs
    3727. hostPath:
    3728. path: /sys/fs/
    3729. type: DirectoryOrCreate
    3730. # Used to install CNI.
    3731. - name: cni-bin-dir
    3732. hostPath:
    3733. path: /opt/cni/bin
    3734. - name: cni-net-dir
    3735. hostPath:
    3736. path: /etc/cni/net.d
    3737. # Used to access CNI logs.
    3738. - name: cni-log-dir
    3739. hostPath:
    3740. path: /var/log/calico/cni
    3741. # Mount in the directory for host-local IPAM allocations. This is
    3742. # used when upgrading from host-local to calico-ipam, and can be removed
    3743. # if not using the upgrade-ipam init container.
    3744. - name: host-local-net-dir
    3745. hostPath:
    3746. path: /var/lib/cni/networks
    3747. # Used to create per-pod Unix Domain Sockets
    3748. - name: policysync
    3749. hostPath:
    3750. type: DirectoryOrCreate
    3751. path: /var/run/nodeagent
    3752. # Used to install Flex Volume Driver
    3753. - name: flexvol-driver-host
    3754. hostPath:
    3755. type: DirectoryOrCreate
    3756. path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
    3757. ---
    3758. apiVersion: v1
    3759. kind: ServiceAccount
    3760. metadata:
    3761. name: calico-node
    3762. namespace: kube-system
    3763. ---
    3764. # Source: calico/templates/calico-kube-controllers.yaml
    3765. # See https://github.com/projectcalico/kube-controllers
    3766. apiVersion: apps/v1
    3767. kind: Deployment
    3768. metadata:
    3769. name: calico-kube-controllers
    3770. namespace: kube-system
    3771. labels:
    3772. k8s-app: calico-kube-controllers
    3773. spec:
    3774. # The controllers can only have a single active instance.
    3775. replicas: 1
    3776. selector:
    3777. matchLabels:
    3778. k8s-app: calico-kube-controllers
    3779. strategy:
    3780. type: Recreate
    3781. template:
    3782. metadata:
    3783. name: calico-kube-controllers
    3784. namespace: kube-system
    3785. labels:
    3786. k8s-app: calico-kube-controllers
    3787. spec:
    3788. nodeSelector:
    3789. kubernetes.io/os: linux
    3790. tolerations:
    3791. # Mark the pod as a critical add-on for rescheduling.
    3792. - key: CriticalAddonsOnly
    3793. operator: Exists
    3794. - key: node-role.kubernetes.io/master
    3795. effect: NoSchedule
    3796. serviceAccountName: calico-kube-controllers
    3797. priorityClassName: system-cluster-critical
    3798. containers:
    3799. - name: calico-kube-controllers
    3800. image: docker.io/calico/kube-controllers:v3.18.0
    3801. env:
    3802. # Choose which controllers to run.
    3803. - name: ENABLED_CONTROLLERS
    3804. value: node
    3805. - name: DATASTORE_TYPE
    3806. value: kubernetes
    3807. readinessProbe:
    3808. exec:
    3809. command:
    3810. - /usr/bin/check-status
    3811. - -r
    3812. ---
    3813. apiVersion: v1
    3814. kind: ServiceAccount
    3815. metadata:
    3816. name: calico-kube-controllers
    3817. namespace: kube-system
    3818. ---
    3819. # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
    3820. apiVersion: policy/v1beta1
    3821. kind: PodDisruptionBudget
    3822. metadata:
    3823. name: calico-kube-controllers
    3824. namespace: kube-system
    3825. labels:
    3826. k8s-app: calico-kube-controllers
    3827. spec:
    3828. maxUnavailable: 1
    3829. selector:
    3830. matchLabels:
    3831. k8s-app: calico-kube-controllers
    3832. ---
    3833. # Source: calico/templates/calico-etcd-secrets.yaml
    3834. ---
    3835. # Source: calico/templates/calico-typha.yaml
    3836. ---
    3837. # Source: calico/templates/configure-canal.yaml


    [root@master ~]# kubectl -n kube-system edit daemonsets.apps calico-node
    

    Warning FailedScheduling default-scheduler 0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate.

    去掉master节点上的污点（注意：去掉污点后，普通工作负载也会被调度到 master 节点；如果只是想让 calico-node 跑在 master 上，给该 DaemonSet 加上对应的 toleration 是改动范围更小的做法）

    kubectl taint nodes --all node-role.kubernetes.io/master-
    
    Warning  FailedScheduling  <unknown>  default-scheduler  0/1 nodes are available: 1 node(s) didn't match node selector