calico网卡未就绪
https://blog.csdn.net/u011327801/article/details/100579803
正常:
[root@master ~]# kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-77c4b7448-9nrx2 1/1 Running 0 26m
kube-system calico-node-mc7s7 1/1 Running 0 26m
kube-system calico-node-p8rm7 1/1 Running 0 21m
kube-system calico-node-wwtkl 1/1 Running 0 21m
kube-system coredns-9d85f5447-ht4c4 1/1 Running 0 35m
kube-system coredns-9d85f5447-wvjlb 1/1 Running 0 35m
kube-system etcd-master 1/1 Running 0 35m
kube-system kube-apiserver-master 1/1 Running 0 35m
kube-system kube-controller-manager-master 1/1 Running 0 35m
kube-system kube-proxy-hgmjw 1/1 Running 1 21m
kube-system kube-proxy-skc2k 1/1 Running 1 35m
kube-system kube-proxy-zsnxv 1/1 Running 1 21m
kube-system kube-scheduler-master 1/1 Running 0 35m
[root@master ~]#
[root@master ~]# ping 192.168.31.91
PING 192.168.31.91 (192.168.31.91) 56(84) bytes of data.
64 bytes from 192.168.31.91: icmp_seq=1 ttl=64 time=0.729 ms
64 bytes from 192.168.31.91: icmp_seq=2 ttl=64 time=0.859 ms
^C
—- 192.168.31.91 ping statistics —-
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.729/0.794/0.859/0.065 ms
[root@master ~]# ping 192.168.31.92
PING 192.168.31.92 (192.168.31.92) 56(84) bytes of data.
64 bytes from 192.168.31.92: icmp_seq=1 ttl=64 time=0.389 ms
64 bytes from 192.168.31.92: icmp_seq=2 ttl=64 time=0.932 ms
64 bytes from 192.168.31.92: icmp_seq=3 ttl=64 time=2.06 ms
64 bytes from 192.168.31.92: icmp_seq=4 ttl=64 time=0.768 ms
^C
—- 192.168.31.92 ping statistics —-
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.389/1.038/2.065/0.625 ms
[root@master ~]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP master:https rr
-> master:sun-sr-https Masq 1 5 0
TCP master:domain rr
-> 192.168.219.65:domain Masq 1 0 0
-> 192.168.219.67:domain Masq 1 0 0
TCP master:9153 rr
-> 192.168.219.65:9153 Masq 1 0 0
-> 192.168.219.67:9153 Masq 1 0 0
UDP master:domain rr
-> 192.168.219.65:domain Masq 1 0 0
-> 192.168.219.67:domain Masq 1 0 0
[root@master ~]#
[root@master ~]# ip route show
default via 192.168.31.1 dev eth0 proto static metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.90 metric 100
192.168.140.64/26 via 192.168.31.92 dev tunl0 proto bird onlink
192.168.196.128/26 via 192.168.31.91 dev tunl0 proto bird onlink
blackhole 192.168.219.64/26 proto bird
192.168.219.65 dev calia1377bfae06 scope link
192.168.219.66 dev cali3fffe2ec811 scope link
192.168.219.67 dev cali57bd4ccf5ee scope link
[root@master ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.31.1 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.31.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.140.64 192.168.31.92 255.255.255.192 UG 0 0 0 tunl0
192.168.196.128 192.168.31.91 255.255.255.192 UG 0 0 0 tunl0
192.168.219.64 0.0.0.0 255.255.255.192 U 0 0 0 *
192.168.219.65 0.0.0.0 255.255.255.255 UH 0 0 0 calia1377bfae06
192.168.219.66 0.0.0.0 255.255.255.255 UH 0 0 0 cali3fffe2ec811
192.168.219.67 0.0.0.0 255.255.255.255 UH 0 0 0 cali57bd4ccf5ee
[root@master ~]#
异常:
[root@master ~]# kubectl get po -n kube-systemNAME READY STATUS RESTARTS AGEcalico-kube-controllers-77c4b7448-9nrx2 1/1 Running 14 67dcalico-node-mc7s7 0/1 Running 15 67dcalico-node-p8rm7 1/1 Running 9 67dcalico-node-wwtkl 1/1 Running 9 67dcoredns-66bff467f8-2bsdr 0/1 Running 0 11mcoredns-66bff467f8-5gsjh 0/1 Running 0 11mcoredns-9d85f5447-wvjlb 1/1 Running 14 67detcd-master 1/1 Running 6 12dkube-apiserver-master 1/1 Running 0 12mkube-controller-manager-master 1/1 Running 0 12mkube-proxy-69xfs 1/1 Running 0 11mkube-proxy-fxwgp 1/1 Running 0 11mkube-proxy-kgfbx 1/1 Running 0 11mkube-scheduler-master 1/1 Running 0 12m
Events:Type Reason Age From Message---- ------ ---- ---- -------Warning Unhealthy 13m (x1279 over 3h51m) kubelet, master (combined from similar events): Readiness probe failed: calico/node is not ready: BIRD is not ready: BGP not established with 192.168.31.91,192.168.31.922020-04-12 11:59:28.313 [INFO][42895] health.go 156: Number of node(s) with BGP peering established = 0
/*调整calicao 网络插件的网卡发现机制,修改IP_AUTODETECTION_METHOD对应的value值。官方提供的yaml文件中,ip识别策略(IPDETECTMETHOD)没有配置,即默认为first-found,这会导致一个网络异常的ip作为nodeIP被注册,从而影响node-to-node mesh。我们可以修改成can-reach或者interface的策略,尝试连接某一个Ready的node的IP,以此选择出正确的IP。*/// calico.yaml 文件添加以下二行- name: IP_AUTODETECTION_METHODvalue: "interface=ens.*" # ens 根据实际网卡开头配置// 配置如下- name: CLUSTER_TYPEvalue: "k8s,bgp"- name: IP_AUTODETECTION_METHODvalue: "interface=ens.*"#或者 value: "interface=ens160"# Auto-detect the BGP IP address.- name: IPvalue: "autodetect"# Enable IPIP- name: CALICO_IPV4POOL_IPIPvalue: "Always"
[root@master ~]# kubectl get pod -ANAMESPACE NAME READY STATUS RESTARTS AGEkube-system calico-kube-controllers-77c4b7448-9nrx2 1/1 Running 14 67dkube-system calico-node-dvmcz 1/1 Running 0 17skube-system calico-node-w6lfn 1/1 Running 0 30skube-system calico-node-z5db9 0/1 Running 0 8skube-system coredns-66bff467f8-2bsdr 0/1 Running 0 17mkube-system coredns-66bff467f8-5gsjh 0/1 Running 0 17mkube-system coredns-9d85f5447-wvjlb 1/1 Running 14 67dkube-system etcd-master 1/1 Running 6 12dkube-system kube-apiserver-master 1/1 Running 0 17mkube-system kube-controller-manager-master 1/1 Running 0 17mkube-system kube-proxy-69xfs 1/1 Running 0 16mkube-system kube-proxy-fxwgp 1/1 Running 0 16mkube-system kube-proxy-kgfbx 1/1 Running 0 16mkube-system kube-scheduler-master 1/1 Running 0 17m
---# Source: calico/templates/calico-config.yaml# This ConfigMap is used to configure a self-hosted Calico installation.kind: ConfigMapapiVersion: v1metadata:name: calico-confignamespace: kube-systemdata:# Typha is disabled.typha_service_name: "none"# Configure the backend to use.calico_backend: "bird"# Configure the MTU to use for workload interfaces and tunnels.# By default, MTU is auto-detected, and explicitly setting this field should not be required.# You can override auto-detection by providing a non-zero value.veth_mtu: "0"# The CNI network configuration to install on each node. The special# values in this config will be automatically populated.cni_network_config: |-{"name": "k8s-pod-network","cniVersion": "0.3.1","plugins": [{"type": "calico","log_level": "info","log_file_path": "/var/log/calico/cni/cni.log","datastore_type": "kubernetes","nodename": "__KUBERNETES_NODE_NAME__","mtu": __CNI_MTU__,"ipam": {"type": "calico-ipam"},"policy": {"type": "k8s"},"kubernetes": {"kubeconfig": "__KUBECONFIG_FILEPATH__"}},{"type": "portmap","snat": true,"capabilities": {"portMappings": true}},{"type": "bandwidth","capabilities": {"bandwidth": true}}]}---# Source: calico/templates/kdd-crds.yamlapiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: bgpconfigurations.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: BGPConfigurationlistKind: BGPConfigurationListplural: bgpconfigurationssingular: bgpconfigurationscope: Clusterversions:- name: v1schema:openAPIV3Schema:description: BGPConfiguration contains the configuration for any BGP routing.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: BGPConfigurationSpec contains the values of the BGP configuration.properties:asNumber:description: 'ASNumber is the default AS number used by a node. [Default:64512]'format: int32type: integercommunities:description: Communities is a list of BGP community values and theirarbitrary names for tagging routes.items:description: Community contains standard or large community valueand its name.properties:name:description: Name given to community value.type: stringvalue:description: Value must be of format `aa:nn` or `aa:nn:mm`.For standard community use `aa:nn` format, where `aa` and`nn` are 16 bit number. For large community use `aa:nn:mm`format, where `aa`, `nn` and `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier.pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$type: stringtype: objecttype: arraylistenPort:description: ListenPort is the port where BGP protocol should listen.Defaults to 179maximum: 65535minimum: 1type: integerlogSeverityScreen:description: 'LogSeverityScreen is the log severity above which logsare sent to the stdout. [Default: INFO]'type: stringnodeToNodeMeshEnabled:description: 'NodeToNodeMeshEnabled sets whether full node to nodeBGP mesh is enabled. [Default: true]'type: booleanprefixAdvertisements:description: PrefixAdvertisements contains per-prefix advertisementconfiguration.items:description: PrefixAdvertisement configures advertisement propertiesfor the specified CIDR.properties:cidr:description: CIDR for which properties should be advertised.type: stringcommunities:description: Communities can be list of either community namesalready defined in `Specs.Communities` or community valueof format `aa:nn` or `aa:nn:mm`. For standard community use`aa:nn` format, where `aa` and `nn` are 16 bit number. Forlarge community use `aa:nn:mm` format, where `aa`, `nn` and`mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and`mm` are per-AS identifier.items:type: stringtype: arraytype: objecttype: arrayserviceClusterIPs:description: ServiceClusterIPs are the CIDR blocks from which servicecluster IPs are allocated. If specified, Calico will advertise theseblocks, as well as any cluster IPs within them.items:description: ServiceClusterIPBlock represents a single allowed ClusterIPCIDR block.properties:cidr:type: stringtype: objecttype: arrayserviceExternalIPs:description: ServiceExternalIPs are the CIDR blocks for KubernetesService External IPs. Kubernetes Service ExternalIPs will only beadvertised if they are within one of these blocks.items:description: ServiceExternalIPBlock represents a single allowedExternal IP CIDR block.properties:cidr:type: stringtype: objecttype: arrayserviceLoadBalancerIPs:description: ServiceLoadBalancerIPs are the CIDR blocks for KubernetesService LoadBalancer IPs. Kubernetes Service status.LoadBalancer.IngressIPs will only be advertised if they are within one of these blocks.items:description: ServiceLoadBalancerIPBlock represents a single allowedLoadBalancer IP CIDR block.properties:cidr:type: stringtype: objecttype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: bgppeers.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: BGPPeerlistKind: BGPPeerListplural: bgppeerssingular: bgppeerscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: BGPPeerSpec contains the specification for a BGPPeer resource.properties:asNumber:description: The AS Number of the peer.format: int32type: integerkeepOriginalNextHop:description: Option to keep the original nexthop field when routesare sent to a BGP Peer. Setting "true" configures the selected BGPPeers node to use the "next hop keep;" instead of "next hop self;"(default)in the specific branch of the Node on "bird.cfg".type: booleannode:description: The node name identifying the Calico node instance thatis targeted by this peer. If this is not set, and no nodeSelectoris specified, then this BGP peer selects all nodes in the cluster.type: stringnodeSelector:description: Selector for the nodes that should have this peering. Whenthis is set, the Node field must be empty.type: stringpassword:description: Optional BGP password for the peerings generated by thisBGPPeer resource.properties:secretKeyRef:description: Selects a key of a secret in the node pod's namespace.properties:key:description: The key of the secret to select from. Must bea valid secret key.type: stringname:description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#namesTODO: Add other useful fields. apiVersion, kind, uid?'type: stringoptional:description: Specify whether the Secret or its key must bedefinedtype: booleanrequired:- keytype: objecttype: objectpeerIP:description: The IP address of the peer followed by an optional portnumber to peer with. If port number is given, format should be `[<IPv6>]:port`or `<IPv4>:<port>` for IPv4. If optional port number is not set,and this peer IP and ASNumber belongs to a calico/node with ListenPortset in BGPConfiguration, then we use that port to peer.type: stringpeerSelector:description: Selector for the remote nodes to peer with. When thisis set, the PeerIP and ASNumber fields must be empty. For eachpeering between the local node and selected remote nodes, we configurean IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. Theremote AS number comes from the remote node's NodeBGPSpec.ASNumber,or the global default if that is not set.type: stringsourceAddress:description: Specifies whether and how to configure a source addressfor the peerings generated by this BGPPeer resource. Default value"UseNodeIP" means to configure the node IP as the source address. "None"means not to configure a source address.type: stringtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: blockaffinities.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: BlockAffinitylistKind: BlockAffinityListplural: blockaffinitiessingular: blockaffinityscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: BlockAffinitySpec contains the specification for a BlockAffinityresource.properties:cidr:type: stringdeleted:description: Deleted indicates that this block affinity is being deleted.This field is a string for compatibility with older releases thatmistakenly treat this field as a string.type: stringnode:type: stringstate:type: stringrequired:- cidr- deleted- node- statetype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: clusterinformations.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: ClusterInformationlistKind: ClusterInformationListplural: clusterinformationssingular: clusterinformationscope: Clusterversions:- name: v1schema:openAPIV3Schema:description: ClusterInformation contains the cluster specific information.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ClusterInformationSpec contains the values of describingthe cluster.properties:calicoVersion:description: CalicoVersion is the version of Calico that the clusteris runningtype: stringclusterGUID:description: ClusterGUID is the GUID of the clustertype: stringclusterType:description: ClusterType describes the type of the clustertype: stringdatastoreReady:description: DatastoreReady is used during significant datastore migrationsto signal to components such as Felix that it should wait beforeaccessing the datastore.type: booleanvariant:description: Variant declares which variant of Calico should be active.type: stringtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: felixconfigurations.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: FelixConfigurationlistKind: FelixConfigurationListplural: felixconfigurationssingular: felixconfigurationscope: Clusterversions:- name: v1schema:openAPIV3Schema:description: Felix Configuration contains the configuration for Felix.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: FelixConfigurationSpec contains the values of the Felix configuration.properties:allowIPIPPacketsFromWorkloads:description: 'AllowIPIPPacketsFromWorkloads controls whether Felixwill add a rule to drop IPIP encapsulated traffic from workloads[Default: false]'type: booleanallowVXLANPacketsFromWorkloads:description: 'AllowVXLANPacketsFromWorkloads controls whether Felixwill add a rule to drop VXLAN encapsulated traffic from workloads[Default: false]'type: booleanawsSrcDstCheck:description: 'Set source-destination-check on AWS EC2 instances. Acceptedvalue must be one of "DoNothing", "Enabled" or "Disabled". [Default:DoNothing]'enum:- DoNothing- Enable- Disabletype: stringbpfConnectTimeLoadBalancingEnabled:description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,controls whether Felix installs the connection-time load balancer. Theconnect-time load balancer is required for the host to be able toreach Kubernetes services and it improves the performance of pod-to-serviceconnections. The only reason to disable it is for debugging purposes. [Default:true]'type: booleanbpfDataIfacePattern:description: BPFDataIfacePattern is a regular expression that controlswhich interfaces Felix should attach BPF programs to in order tocatch traffic to/from the network. This needs to match the interfacesthat Calico workload traffic flows over as well as any interfacesthat handle incoming traffic to nodeports and services from outsidethe cluster. It should not match the workload interfaces (usuallynamed cali...).type: stringbpfDisableUnprivileged:description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabledsysctl to disable unprivileged use of BPF. This ensures that unprivilegedusers cannot access Calico''s BPF maps and cannot insert their ownBPF programs to interfere with Calico''s. [Default: true]'type: booleanbpfEnabled:description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.[Default: false]'type: booleanbpfExternalServiceMode:description: 'BPFExternalServiceMode in BPF mode, controls how connectionsfrom outside the cluster to services (node ports and cluster IPs)are forwarded to remote workloads. If set to "Tunnel" then bothrequest and response traffic is tunneled to the remote node. Ifset to "DSR", the request traffic is tunneled but the response trafficis sent directly from the remote node. In "DSR" mode, the remotenode appears to use the IP of the ingress node; this requires apermissive L2 network. [Default: Tunnel]'type: stringbpfKubeProxyEndpointSlicesEnabled:description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controlswhether Felix's embedded kube-proxy accepts EndpointSlices or not.type: booleanbpfKubeProxyIptablesCleanupEnabled:description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPFmode, Felix will proactively clean up the upstream Kubernetes kube-proxy''siptables chains. Should only be enabled if kube-proxy is not running. [Default:true]'type: booleanbpfKubeProxyMinSyncPeriod:description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls theminimum time between updates to the dataplane for Felix''s embeddedkube-proxy. Lower values give reduced set-up latency. Higher valuesreduce Felix CPU usage by batching up more work. [Default: 1s]'type: stringbpfLogLevel:description: 'BPFLogLevel controls the log level of the BPF programswhen in BPF dataplane mode. One of "Off", "Info", or "Debug". Thelogs are emitted to the BPF trace pipe, accessible with the command`tc exec bpf debug`. [Default: Off].'type: stringchainInsertMode:description: 'ChainInsertMode controls whether Felix hooks the kernel''stop-level iptables chains by inserting a rule at the top of thechain or by appending a rule at the bottom. insert is the safe defaultsince it prevents Calico''s rules from being bypassed. If you switchto append mode, be sure that the other rules in the chains signalacceptance by falling through to the Calico rules, otherwise theCalico policy will be bypassed. [Default: insert]'type: stringdataplaneDriver:type: stringdebugDisableLogDropping:type: booleandebugMemoryProfilePath:type: stringdebugSimulateCalcGraphHangAfter:type: stringdebugSimulateDataplaneHangAfter:type: stringdefaultEndpointToHostAction:description: 'DefaultEndpointToHostAction controls what happens totraffic that goes from a workload endpoint to the host itself (afterthe traffic hits the endpoint egress policy). By default Calicoblocks traffic from workload endpoints to the host itself with aniptables "DROP" action. If you want to allow some or all trafficfrom endpoint to host, set this parameter to RETURN or ACCEPT. UseRETURN if you have your own rules in the iptables "INPUT" chain;Calico will insert its rules at the top of that chain, then "RETURN"packets to the "INPUT" chain once it has completed processing workloadendpoint egress policy. Use ACCEPT to unconditionally accept packetsfrom workloads after processing workload endpoint egress policy.[Default: Drop]'type: stringdeviceRouteProtocol:description: This defines the route protocol added to programmed deviceroutes, by default this will be RTPROT_BOOT when left blank.type: integerdeviceRouteSourceAddress:description: This is the source address to use on programmed deviceroutes. By default the source address is left blank, leaving thekernel to choose the source address used.type: stringdisableConntrackInvalidCheck:type: booleanendpointReportingDelay:type: stringendpointReportingEnabled:type: booleanexternalNodesList:description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodeswhich may source tunnel traffic and have the tunneled traffic beaccepted at calico nodes.items:type: stringtype: arrayfailsafeInboundHostPorts:description: 'FailsafeInboundHostPorts is a comma-delimited list ofUDP/TCP ports that Felix will allow incoming traffic to host endpointson irrespective of the security policy. This is useful to avoidaccidentally cutting off a host with incorrect configuration. Eachport should be specified as tcp:<port-number> or udp:<port-number>.For back-compatibility, if the protocol is not specified, it defaultsto "tcp". To disable all inbound host ports, use the value none.The default value allows ssh access and DHCP. [Default: tcp:22,udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'items:description: ProtoPort is combination of protocol and port, bothmust be specified.properties:port:type: integerprotocol:type: stringrequired:- port- protocoltype: objecttype: arrayfailsafeOutboundHostPorts:description: 'FailsafeOutboundHostPorts is a comma-delimited listof UDP/TCP ports that Felix will allow outgoing traffic from hostendpoints to irrespective of the security policy. This is usefulto avoid accidentally cutting off a host with incorrect configuration.Each port should be specified as tcp:<port-number> or udp:<port-number>.For back-compatibility, if the protocol is not specified, it defaultsto "tcp". To disable all outbound host ports, use the value none.The default value opens etcd''s standard ports to ensure that Felixdoes not get cut off from etcd as well as allowing DHCP and DNS.[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,udp:53, udp:67]'items:description: ProtoPort is combination of protocol and port, bothmust be specified.properties:port:type: integerprotocol:type: stringrequired:- port- protocoltype: objecttype: arrayfeatureDetectOverride:description: FeatureDetectOverride is used to override the featuredetection. Values are specified in a comma separated list with nospaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock="."true" or "false" will force the feature, empty or omitted valuesare auto-detected.type: stringgenericXDPEnabled:description: 'GenericXDPEnabled enables Generic XDP so network cardsthat don''t support XDP offload or driver modes can use XDP. Thisis not recommended since it doesn''t provide better performancethan iptables. [Default: false]'type: booleanhealthEnabled:type: booleanhealthHost:type: stringhealthPort:type: integerinterfaceExclude:description: 'InterfaceExclude is a comma-separated list of interfacesthat Felix should exclude when monitoring for host endpoints. Thedefault value ensures that Felix ignores Kubernetes'' IPVS dummyinterface, which is used internally by kube-proxy. If you want toexclude multiple interface names using a single value, the listsupports regular expressions. For regular expressions you must wrapthe value with ''/''. For example having values ''/^kube/,veth1''will exclude all interfaces that begin with ''kube'' and also theinterface ''veth1''. [Default: kube-ipvs0]'type: stringinterfacePrefix:description: 'InterfacePrefix is the interface name prefix that identifiesworkload endpoints and so distinguishes them from host endpointinterfaces. Note: in environments other than bare metal, the orchestratorsconfigure this appropriately. For example our Kubernetes and Dockerintegrations set the ''cali'' value, and our OpenStack integrationsets the ''tap'' value. [Default: cali]'type: stringinterfaceRefreshInterval:description: InterfaceRefreshInterval is the period at which Felixrescans local interfaces to verify their state. The rescan can bedisabled by setting the interval to 0.type: stringipipEnabled:type: booleanipipMTU:description: 'IPIPMTU is the MTU to set on the tunnel device. SeeConfiguring MTU [Default: 1440]'type: integeripsetsRefreshInterval:description: 'IpsetsRefreshInterval is the period at which Felix re-checksall iptables state to ensure that no other process has accidentallybroken Calico''s rules. Set to 0 to disable iptables refresh. [Default:90s]'type: stringiptablesBackend:description: IptablesBackend specifies which backend of iptables willbe used. The default is legacy.type: stringiptablesFilterAllowAction:type: stringiptablesLockFilePath:description: 'IptablesLockFilePath is the location of the iptableslock file. You may need to change this if the lock file is not inits standard location (for example if you have mapped it into Felix''scontainer at a different path). [Default: /run/xtables.lock]'type: stringiptablesLockProbeInterval:description: 'IptablesLockProbeInterval is the time that Felix willwait between attempts to acquire the iptables lock if it is notavailable. Lower values make Felix more responsive when the lockis contended, but use more CPU. [Default: 50ms]'type: stringiptablesLockTimeout:description: 'IptablesLockTimeout is the time that Felix will waitfor the iptables lock, or 0, to disable. To use this feature, Felixmust share the iptables lock file with all other processes thatalso take the lock. When running Felix inside a container, thisrequires the /run directory of the host to be mounted into the calico/nodeor calico/felix container. [Default: 0s disabled]'type: stringiptablesMangleAllowAction:type: stringiptablesMarkMask:description: 'IptablesMarkMask is the mask that Felix selects itsIPTables Mark bits from. Should be a 32 bit hexadecimal number withat least 8 bits set, none of which clash with any other mark bitsin use on the system. [Default: 0xff000000]'format: int32type: integeriptablesNATOutgoingInterfaceFilter:type: stringiptablesPostWriteCheckInterval:description: 'IptablesPostWriteCheckInterval is the period after Felixhas done a write to the dataplane that it schedules an extra readback in order to check the write was not clobbered by another process.This should only occur if another application on the system doesn''trespect the iptables lock. [Default: 1s]'type: stringiptablesRefreshInterval:description: 'IptablesRefreshInterval is the period at which Felixre-checks the IP sets in the dataplane to ensure that no other processhas accidentally broken Calico''s rules. Set to 0 to disable IPsets refresh. Note: the default for this value is lower than theother refresh intervals as a workaround for a Linux kernel bug thatwas fixed in kernel version 4.11. If you are using v4.11 or greateryou may want to set this to, a higher value to reduce Felix CPUusage. [Default: 10s]'type: stringipv6Support:type: booleankubeNodePortRanges:description: 'KubeNodePortRanges holds list of port ranges used forservice node ports. Only used if felix detects kube-proxy runningin ipvs mode. Felix uses these ranges to separate host and workloadtraffic. [Default: 30000:32767].'items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraylogFilePath:description: 'LogFilePath is the full path to the Felix log. Set tonone to disable file logging. [Default: /var/log/calico/felix.log]'type: stringlogPrefix:description: 'LogPrefix is the log prefix that Felix uses when renderingLOG rules. [Default: calico-packet]'type: stringlogSeverityFile:description: 'LogSeverityFile is the log severity above which logsare sent to the log file. [Default: Info]'type: stringlogSeverityScreen:description: 'LogSeverityScreen is the log severity above which logsare sent to the stdout. [Default: Info]'type: stringlogSeveritySys:description: 'LogSeveritySys is the log severity above which logsare sent to the syslog. Set to None for no logging to syslog. [Default:Info]'type: stringmaxIpsetSize:type: integermetadataAddr:description: 'MetadataAddr is the IP address or domain name of theserver that can answer VM queries for cloud-init metadata. In OpenStack,this corresponds to the machine running nova-api (or in Ubuntu,nova-api-metadata). A value of none (case insensitive) means thatFelix should not set up any NAT rule for the metadata path. [Default:127.0.0.1]'type: stringmetadataPort:description: 'MetadataPort is the port of the metadata server. This,combined with global.MetadataAddr (if not ''None''), is used toset up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.In most cases this should not need to be changed [Default: 8775].'type: integermtuIfacePattern:description: MTUIfacePattern is a regular expression that controlswhich interfaces Felix should scan in order to calculate the host'sMTU. This should not match workload interfaces (usually named cali...).type: stringnatOutgoingAddress:description: NATOutgoingAddress specifies an address to use when performingsource NAT for traffic in a natOutgoing pool that is leaving thenetwork. By default the address used is an address on the interfacethe traffic is leaving on (ie it uses the iptables MASQUERADE target)type: stringnatPortRange:anyOf:- type: integer- type: stringdescription: NATPortRange specifies the range of ports that is usedfor port mapping when doing outgoing NAT. When unset the defaultbehavior of the network stack is used.pattern: ^.*x-kubernetes-int-or-string: truenetlinkTimeout:type: stringopenstackRegion:description: 'OpenstackRegion is the name of the region that a particularFelix belongs to. In a multi-region Calico/OpenStack deployment,this must be configured somehow for each Felix (here in the datamodel,or in felix.cfg or the environment on each compute node), and mustmatch the [calico] openstack_region value configured in neutron.confon each node. [Default: Empty]'type: stringpolicySyncPathPrefix:description: 'PolicySyncPathPrefix is used to by Felix to communicatepolicy changes to external services, like Application layer policy.[Default: Empty]'type: stringprometheusGoMetricsEnabled:description: 'PrometheusGoMetricsEnabled disables Go runtime metricscollection, which the Prometheus client does by default, when setto false. This reduces the number of metrics reported, reducingPrometheus load. [Default: true]'type: booleanprometheusMetricsEnabled:description: 'PrometheusMetricsEnabled enables the Prometheus metricsserver in Felix if set to true. [Default: false]'type: booleanprometheusMetricsHost:description: 'PrometheusMetricsHost is the host that the Prometheusmetrics server should bind to. [Default: empty]'type: stringprometheusMetricsPort:description: 'PrometheusMetricsPort is the TCP port that the Prometheusmetrics server should bind to. [Default: 9091]'type: integerprometheusProcessMetricsEnabled:description: 'PrometheusProcessMetricsEnabled disables process metricscollection, which the Prometheus client does by default, when setto false. This reduces the number of metrics reported, reducingPrometheus load. [Default: true]'type: booleanremoveExternalRoutes:description: Whether or not to remove device routes that have notbeen programmed by Felix. Disabling this will allow external applicationsto also add device routes. This is enabled by default which meanswe will remove externally added routes.type: booleanreportingInterval:description: 'ReportingInterval is the interval at which Felix reportsits status into the datastore or 0 to disable. Must be non-zeroin OpenStack deployments. [Default: 30s]'type: stringreportingTTL:description: 'ReportingTTL is the time-to-live setting for process-widestatus reports. [Default: 90s]'type: stringrouteRefreshInterval:description: 'RouteRefreshInterval is the period at which Felix re-checksthe routes in the dataplane to ensure that no other process hasaccidentally broken Calico''s rules. Set to 0 to disable route refresh.[Default: 90s]'type: stringrouteSource:description: 'RouteSource configures where Felix gets its routinginformation. - WorkloadIPs: use workload endpoints to constructroutes. - CalicoIPAM: the default - use IPAM data to construct routes.'type: stringrouteTableRange:description: Calico programs additional Linux route tables for variouspurposes. RouteTableRange specifies the indices of the route tablesthat Calico should use.properties:max:type: integermin:type: integerrequired:- max- mintype: objectserviceLoopPrevention:description: 'When service IP advertisement is enabled, prevent routingloops to service IPs that are not in use, by dropping or rejectingpackets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",in which case such routing loops continue to be allowed. [Default:Drop]'type: stringsidecarAccelerationEnabled:description: 'SidecarAccelerationEnabled enables experimental sidecaracceleration [Default: false]'type: booleanusageReportingEnabled:description: 'UsageReportingEnabled reports anonymous Calico versionnumber and cluster size to projectcalico.org. Logs warnings returnedby the usage server. For example, if a significant security vulnerabilityhas been discovered in the version of Calico being used. [Default:true]'type: booleanusageReportingInitialDelay:description: 'UsageReportingInitialDelay controls the minimum delaybefore Felix makes a report. [Default: 300s]'type: stringusageReportingInterval:description: 'UsageReportingInterval controls the interval at whichFelix makes reports. [Default: 86400s]'type: stringuseInternalDataplaneDriver:type: booleanvxlanEnabled:type: booleanvxlanMTU:description: 'VXLANMTU is the MTU to set on the tunnel device. SeeConfiguring MTU [Default: 1440]'type: integervxlanPort:type: integervxlanVNI:type: integerwireguardEnabled:description: 'WireguardEnabled controls whether Wireguard is enabled.[Default: false]'type: booleanwireguardInterfaceName:description: 'WireguardInterfaceName specifies the name to use forthe Wireguard interface. [Default: wg.calico]'type: stringwireguardListeningPort:description: 'WireguardListeningPort controls the listening port usedby Wireguard. [Default: 51820]'type: integerwireguardMTU:description: 'WireguardMTU controls the MTU on the Wireguard interface.See Configuring MTU [Default: 1420]'type: integerwireguardRoutingRulePriority:description: 'WireguardRoutingRulePriority controls the priority valueto use for the Wireguard routing rule. [Default: 99]'type: integerxdpEnabled:description: 'XDPEnabled enables XDP acceleration for suitable untrackedincoming deny rules. [Default: true]'type: booleanxdpRefreshInterval:description: 'XDPRefreshInterval is the period at which Felix re-checksall XDP state to ensure that no other process has accidentally brokenCalico''s BPF maps or attached programs. Set to 0 to disable XDPrefresh. [Default: 90s]'type: stringtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: globalnetworkpolicies.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: GlobalNetworkPolicylistKind: GlobalNetworkPolicyListplural: globalnetworkpoliciessingular: globalnetworkpolicyscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:properties:applyOnForward:description: ApplyOnForward indicates to apply the rules in this policyon forward traffic.type: booleandoNotTrack:description: DoNotTrack indicates whether packets matched by the rulesin this policy should go through the data plane's connection tracking,such as Linux conntrack. If True, the rules in this policy areapplied before any data plane connection tracking, and packets allowedby this policy are marked as not to be tracked.type: booleanegress:description: The ordered set of egress rules. Each rule containsa set of packet match criteria and a corresponding action to apply.items:description: "A Rule encapsulates a set of match criteria and anaction. Both selector-based security Policy and security Profilesreference rules - separated out as a list of rules for both ingressand egress packet matching. \n Each positive match criteria hasa negated version, prefixed with \"Not\". All the match criteriawithin a rule must be satisfied for a packet to match. A singlerule can contain the positive and negative version of a matchand both must be satisfied for the rule to match."properties:action:type: stringdestination:description: Destination contains the match criteria that applyto destination entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objecthttp:description: HTTP contains match criteria that apply to HTTPrequests.properties:methods:description: Methods is an optional field that restrictsthe rule to apply only to HTTP requests that use one ofthe listed HTTP Methods (e.g. GET, PUT, etc.) Multiplemethods are OR'd together.items:type: stringtype: arraypaths:description: 'Paths is an optional field that restrictsthe rule to apply to HTTP requests that use one of thelisted HTTP Paths. Multiple paths are OR''d together.e.g: - exact: /foo - prefix: /bar NOTE: Each entry mayONLY specify either a `exact` or a `prefix` match. Thevalidator will check for it.'items:description: 'HTTPPath specifies an HTTP path to match.It may be either of the form: exact: <path>: which matchesthe path exactly or prefix: <path-prefix>: which matchesthe path prefix'properties:exact:type: stringprefix:type: stringtype: objecttype: arraytype: objecticmp:description: ICMP is an optional field that restricts the ruleto apply to a specific type and code of ICMP traffic. Thisshould only be specified if the Protocol field is set to "ICMP"or "ICMPv6".properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectipVersion:description: IPVersion is an optional field that restricts therule to only match a specific IP version.type: integermetadata:description: Metadata contains additional information for thisruleproperties:annotations:additionalProperties:type: stringdescription: Annotations is a set of key value pairs thatgive extra information about the ruletype: objecttype: objectnotICMP:description: NotICMP is the negated version of the ICMP field.properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectnotProtocol:anyOf:- type: integer- type: stringdescription: NotProtocol is the negated version of the Protocolfield.pattern: ^.*x-kubernetes-int-or-string: trueprotocol:anyOf:- type: integer- type: stringdescription: "Protocol is an optional field that restricts therule to only apply to traffic of a specific IP protocol. Requiredif any of the EntityRules contain Ports (because ports onlyapply to certain protocols). \n Must be one of these stringvalues: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",\"UDPLite\" or an integer in the range 1-255."pattern: ^.*x-kubernetes-int-or-string: truesource:description: Source contains the match criteria that apply tosource entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objectrequired:- actiontype: objecttype: arrayingress:description: The ordered set of ingress rules. Each rule containsa set of packet match criteria and a corresponding action to apply.items:description: "A Rule encapsulates a set of match criteria and anaction. Both selector-based security Policy and security Profilesreference rules - separated out as a list of rules for both ingressand egress packet matching. \n Each positive match criteria hasa negated version, prefixed with \"Not\". All the match criteriawithin a rule must be satisfied for a packet to match. A singlerule can contain the positive and negative version of a matchand both must be satisfied for the rule to match."properties:action:type: stringdestination:description: Destination contains the match criteria that applyto destination entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objecthttp:description: HTTP contains match criteria that apply to HTTPrequests.properties:methods:description: Methods is an optional field that restrictsthe rule to apply only to HTTP requests that use one ofthe listed HTTP Methods (e.g. GET, PUT, etc.) Multiplemethods are OR'd together.items:type: stringtype: arraypaths:description: 'Paths is an optional field that restrictsthe rule to apply to HTTP requests that use one of thelisted HTTP Paths. Multiple paths are OR''d together.e.g: - exact: /foo - prefix: /bar NOTE: Each entry mayONLY specify either a `exact` or a `prefix` match. Thevalidator will check for it.'items:description: 'HTTPPath specifies an HTTP path to match.It may be either of the form: exact: <path>: which matchesthe path exactly or prefix: <path-prefix>: which matchesthe path prefix'properties:exact:type: stringprefix:type: stringtype: objecttype: arraytype: objecticmp:description: ICMP is an optional field that restricts the ruleto apply to a specific type and code of ICMP traffic. Thisshould only be specified if the Protocol field is set to "ICMP"or "ICMPv6".properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectipVersion:description: IPVersion is an optional field that restricts therule to only match a specific IP version.type: integermetadata:description: Metadata contains additional information for thisruleproperties:annotations:additionalProperties:type: stringdescription: Annotations is a set of key value pairs thatgive extra information about the ruletype: objecttype: objectnotICMP:description: NotICMP is the negated version of the ICMP field.properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectnotProtocol:anyOf:- type: integer- type: stringdescription: NotProtocol is the negated version of the Protocolfield.pattern: ^.*x-kubernetes-int-or-string: trueprotocol:anyOf:- type: integer- type: stringdescription: "Protocol is an optional field that restricts therule to only apply to traffic of a specific IP protocol. Requiredif any of the EntityRules contain Ports (because ports onlyapply to certain protocols). \n Must be one of these stringvalues: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",\"UDPLite\" or an integer in the range 1-255."pattern: ^.*x-kubernetes-int-or-string: truesource:description: Source contains the match criteria that apply tosource entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objectrequired:- actiontype: objecttype: arraynamespaceSelector:description: NamespaceSelector is an optional field for an expressionused to select a pod based on namespaces.type: stringorder:description: Order is an optional field that specifies the order inwhich the policy is applied. Policies with higher "order" are appliedafter those with lower order. If the order is omitted, it may beconsidered to be "infinite" - i.e. the policy will be applied last. Policieswith identical order will be applied in alphanumerical order basedon the Policy "Name".type: numberpreDNAT:description: PreDNAT indicates to apply the rules in this policy beforeany DNAT.type: booleanselector:description: "The selector is an expression used to pick pick outthe endpoints that the policy should be applied to. \n Selectorexpressions follow this syntax: \n \tlabel == \"string_literal\"\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"\ -> not equal; also matches if label is not present \tlabel in{ \"a\", \"b\", \"c\", ... } -> true if the value of label X isone of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",... } -> true if the value of label X is not one of \"a\", \"b\",\"c\" \thas(label_name) -> True if that label is present \t! expr-> negation of expr \texpr && expr -> Short-circuit and \texpr|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()or the empty selector -> matches all endpoints. \n Label names areallowed to contain alphanumerics, -, _ and /. String literals aremore permissive but they do not support escape characters. \n Examples(with made-up labels): \n \ttype == \"webserver\" && deployment== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=\"dev\" \t! has(label_name)"type: stringserviceAccountSelector:description: ServiceAccountSelector is an optional field for an expressionused to select a pod based on service accounts.type: stringtypes:description: "Types indicates whether this policy applies to ingress,or to egress, or to both. When not explicitly specified (and sothe value on creation is empty or nil), Calico defaults Types accordingto what Ingress and Egress rules are present in the policy. Thedefault is: \n - [ PolicyTypeIngress ], if there are no Egress rules(including the case where there are also no Ingress rules) \n- [ PolicyTypeEgress ], if there are Egress rules but no Ingressrules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there areboth Ingress and Egress rules. \n When the policy is read back again,Types will always be one of these values, never empty or nil."items:description: PolicyType enumerates the possible values of the PolicySpecTypes field.type: stringtype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: globalnetworksets.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: GlobalNetworkSetlistKind: GlobalNetworkSetListplural: globalnetworksetssingular: globalnetworksetscope: Clusterversions:- name: v1schema:openAPIV3Schema:description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRsthat share labels to allow rules to refer to them via selectors. The labelsof GlobalNetworkSet are not namespaced.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: GlobalNetworkSetSpec contains the specification for a NetworkSetresource.properties:nets:description: The list of IP networks that belong to this set.items:type: stringtype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: hostendpoints.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: HostEndpointlistKind: HostEndpointListplural: hostendpointssingular: hostendpointscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: HostEndpointSpec contains the specification for a HostEndpointresource.properties:expectedIPs:description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.If \"InterfaceName\" is not present, Calico will look for an interfacematching any of the IPs in the list and apply policy to that. Note:\tWhen using the selector match criteria in an ingress or egresssecurity Policy \tor Profile, Calico converts the selector intoa set of IP addresses. For host \tendpoints, the ExpectedIPs fieldis used for that purpose. (If only the interface \tname is specified,Calico does not learn the IPs of the interface for use in match\tcriteria.)"items:type: stringtype: arrayinterfaceName:description: "Either \"*\", or the name of a specific Linux interfaceto apply policy to; or empty. \"*\" indicates that this HostEndpointgoverns all traffic to, from or through the default network namespaceof the host named by the \"Node\" field; entering and leaving thatnamespace via any interface, including those from/to non-host-networkedlocal workloads. \n If InterfaceName is not \"*\", this HostEndpointonly governs traffic that enters or leaves the host through thespecific interface named by InterfaceName, or - when InterfaceNameis empty - through the specific interface that has one of the IPsin ExpectedIPs. Therefore, when InterfaceName is empty, at leastone expected IP must be specified. Only external interfaces (suchas \"eth0\") are supported here; it isn't possible for a HostEndpointto protect traffic through a specific local workload interface.\n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;initially just pre-DNAT policy. Please check Calico documentationfor the latest position."type: stringnode:description: The node name identifying the Calico node instance.type: stringports:description: Ports contains the endpoint's named ports, which maybe referenced in security policy rules.items:properties:name:type: stringport:type: integerprotocol:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truerequired:- name- port- protocoltype: objecttype: arrayprofiles:description: A list of identifiers of security Profile objects thatapply to this endpoint. Each profile is applied in the order thatthey appear in this list. Profile rules are applied after the selector-basedsecurity policy.items:type: stringtype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: ipamblocks.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: IPAMBlocklistKind: IPAMBlockListplural: ipamblockssingular: ipamblockscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IPAMBlockSpec contains the specification for an IPAMBlockresource.properties:affinity:type: stringallocations:items:type: integer# TODO: This nullable is manually added in. We should update controller-gen# to handle []*int properly itself.nullable: truetype: arrayattributes:items:properties:handle_id:type: stringsecondary:additionalProperties:type: stringtype: objecttype: objecttype: arraycidr:type: stringdeleted:type: booleanstrictAffinity:type: booleanunallocated:items:type: integertype: arrayrequired:- allocations- attributes- cidr- strictAffinity- unallocatedtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: ipamconfigs.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: IPAMConfiglistKind: IPAMConfigListplural: ipamconfigssingular: ipamconfigscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IPAMConfigSpec contains the specification for an IPAMConfigresource.properties:autoAllocateBlocks:type: booleanmaxBlocksPerHost:description: MaxBlocksPerHost, if non-zero, is the max number of blocksthat can be affine to each host.type: integerstrictAffinity:type: booleanrequired:- autoAllocateBlocks- strictAffinitytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: ipamhandles.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: IPAMHandlelistKind: IPAMHandleListplural: ipamhandlessingular: ipamhandlescope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IPAMHandleSpec contains the specification for an IPAMHandleresource.properties:block:additionalProperties:type: integertype: objectdeleted:type: booleanhandleID:type: stringrequired:- block- handleIDtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: ippools.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: IPPoollistKind: IPPoolListplural: ippoolssingular: ippoolscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IPPoolSpec contains the specification for an IPPool resource.properties:blockSize:description: The block size to use for IP address assignments fromthis pool. Defaults to 26 for IPv4 and 112 for IPv6.type: integercidr:description: The pool CIDR.type: stringdisabled:description: When disabled is true, Calico IPAM will not assign addressesfrom this pool.type: booleanipip:description: 'Deprecated: this field is only used for APIv1 backwardscompatibility. Setting this field is not allowed, this field isfor internal use only.'properties:enabled:description: When enabled is true, ipip tunneling will be usedto deliver packets to destinations within this pool.type: booleanmode:description: The IPIP mode. This can be one of "always" or "cross-subnet". Amode of "always" will also use IPIP tunneling for routing todestination IP addresses within this pool. A mode of "cross-subnet"will only use IPIP tunneling when the destination node is ona different subnet to the originating node. The default value(if not specified) is "always".type: stringtype: objectipipMode:description: Contains configuration for IPIP tunneling for this pool.If not specified, then this is defaulted to "Never" (i.e. IPIP tunnelingis disabled).type: stringnat-outgoing:description: 'Deprecated: this field is only used for APIv1 backwardscompatibility. Setting this field is not allowed, this field isfor internal use only.'type: booleannatOutgoing:description: When nat-outgoing is true, packets sent from Calico networkedcontainers in this pool to destinations outside of this pool willbe masqueraded.type: booleannodeSelector:description: Allows IPPool to allocate for a specific node by labelselector.type: stringvxlanMode:description: Contains configuration for VXLAN tunneling for this pool.If not specified, then this is defaulted to "Never" (i.e. VXLANtunneling is disabled).type: stringrequired:- cidrtype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: kubecontrollersconfigurations.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: KubeControllersConfigurationlistKind: KubeControllersConfigurationListplural: kubecontrollersconfigurationssingular: kubecontrollersconfigurationscope: Clusterversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: KubeControllersConfigurationSpec contains the values of theKubernetes controllers configuration.properties:controllers:description: Controllers enables and configures individual Kubernetescontrollersproperties:namespace:description: Namespace enables and configures the namespace controller.Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to perform reconciliationwith the Calico datastore. [Default: 5m]'type: stringtype: objectnode:description: Node enables and configures the node controller.Enabled by default, set to nil to disable.properties:hostEndpoint:description: HostEndpoint controls syncing nodes to host endpoints.Disabled by default, set to nil to disable.properties:autoCreate:description: 'AutoCreate enables automatic creation ofhost endpoints for every node. [Default: Disabled]'type: stringtype: objectreconcilerPeriod:description: 'ReconcilerPeriod is the period to perform reconciliationwith the Calico datastore. [Default: 5m]'type: stringsyncLabels:description: 'SyncLabels controls whether to copy Kubernetesnode labels to Calico nodes. [Default: Enabled]'type: stringtype: objectpolicy:description: Policy enables and configures the policy controller.Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to perform reconciliationwith the Calico datastore. [Default: 5m]'type: stringtype: objectserviceAccount:description: ServiceAccount enables and configures the serviceaccount controller. Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to perform reconciliationwith the Calico datastore. [Default: 5m]'type: stringtype: objectworkloadEndpoint:description: WorkloadEndpoint enables and configures the workloadendpoint controller. Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to perform reconciliationwith the Calico datastore. [Default: 5m]'type: stringtype: objecttype: objectetcdV3CompactionPeriod:description: 'EtcdV3CompactionPeriod is the period between etcdv3compaction requests. Set to 0 to disable. [Default: 10m]'type: stringhealthChecks:description: 'HealthChecks enables or disables support for healthchecks [Default: Enabled]'type: stringlogSeverityScreen:description: 'LogSeverityScreen is the log severity above which logsare sent to the stdout. [Default: Info]'type: stringprometheusMetricsPort:description: 'PrometheusMetricsPort is the TCP port that the Prometheusmetrics server should bind to. Set to 0 to disable. [Default: 9094]'type: integerrequired:- controllerstype: objectstatus:description: KubeControllersConfigurationStatus represents the statusof the configuration. It's useful for admins to be able to see the actualconfig that was applied, which can be modified by environment variableson the kube-controllers process.properties:environmentVars:additionalProperties:type: stringdescription: EnvironmentVars contains the environment variables onthe kube-controllers that influenced the RunningConfig.type: objectrunningConfig:description: RunningConfig contains the effective config that is runningin the kube-controllers pod, after merging the API resource withany environment variables.properties:controllers:description: Controllers enables and configures individual Kubernetescontrollersproperties:namespace:description: Namespace enables and configures the namespacecontroller. Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to performreconciliation with the Calico datastore. [Default:5m]'type: stringtype: objectnode:description: Node enables and configures the node controller.Enabled by default, set to nil to disable.properties:hostEndpoint:description: HostEndpoint controls syncing nodes to hostendpoints. Disabled by default, set to nil to disable.properties:autoCreate:description: 'AutoCreate enables automatic creationof host endpoints for every node. [Default: Disabled]'type: stringtype: objectreconcilerPeriod:description: 'ReconcilerPeriod is the period to performreconciliation with the Calico datastore. [Default:5m]'type: stringsyncLabels:description: 'SyncLabels controls whether to copy Kubernetesnode labels to Calico nodes. [Default: Enabled]'type: stringtype: objectpolicy:description: Policy enables and configures the policy controller.Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to performreconciliation with the Calico datastore. [Default:5m]'type: stringtype: objectserviceAccount:description: ServiceAccount enables and configures the serviceaccount controller. Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to performreconciliation with the Calico datastore. [Default:5m]'type: stringtype: objectworkloadEndpoint:description: WorkloadEndpoint enables and configures the workloadendpoint controller. Enabled by default, set to nil to disable.properties:reconcilerPeriod:description: 'ReconcilerPeriod is the period to performreconciliation with the Calico datastore. [Default:5m]'type: stringtype: objecttype: objectetcdV3CompactionPeriod:description: 'EtcdV3CompactionPeriod is the period between etcdv3compaction requests. Set to 0 to disable. [Default: 10m]'type: stringhealthChecks:description: 'HealthChecks enables or disables support for healthchecks [Default: Enabled]'type: stringlogSeverityScreen:description: 'LogSeverityScreen is the log severity above whichlogs are sent to the stdout. [Default: Info]'type: stringprometheusMetricsPort:description: 'PrometheusMetricsPort is the TCP port that the Prometheusmetrics server should bind to. Set to 0 to disable. [Default:9094]'type: integerrequired:- controllerstype: objecttype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: networkpolicies.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: NetworkPolicylistKind: NetworkPolicyListplural: networkpoliciessingular: networkpolicyscope: Namespacedversions:- name: v1schema:openAPIV3Schema:properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:properties:egress:description: The ordered set of egress rules. Each rule containsa set of packet match criteria and a corresponding action to apply.items:description: "A Rule encapsulates a set of match criteria and anaction. Both selector-based security Policy and security Profilesreference rules - separated out as a list of rules for both ingressand egress packet matching. \n Each positive match criteria hasa negated version, prefixed with \"Not\". All the match criteriawithin a rule must be satisfied for a packet to match. A singlerule can contain the positive and negative version of a matchand both must be satisfied for the rule to match."properties:action:type: stringdestination:description: Destination contains the match criteria that applyto destination entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objecthttp:description: HTTP contains match criteria that apply to HTTPrequests.properties:methods:description: Methods is an optional field that restrictsthe rule to apply only to HTTP requests that use one ofthe listed HTTP Methods (e.g. GET, PUT, etc.) Multiplemethods are OR'd together.items:type: stringtype: arraypaths:description: 'Paths is an optional field that restrictsthe rule to apply to HTTP requests that use one of thelisted HTTP Paths. Multiple paths are OR''d together.e.g: - exact: /foo - prefix: /bar NOTE: Each entry mayONLY specify either a `exact` or a `prefix` match. Thevalidator will check for it.'items:description: 'HTTPPath specifies an HTTP path to match.It may be either of the form: exact: <path>: which matchesthe path exactly or prefix: <path-prefix>: which matchesthe path prefix'properties:exact:type: stringprefix:type: stringtype: objecttype: arraytype: objecticmp:description: ICMP is an optional field that restricts the ruleto apply to a specific type and code of ICMP traffic. Thisshould only be specified if the Protocol field is set to "ICMP"or "ICMPv6".properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectipVersion:description: IPVersion is an optional field that restricts therule to only match a specific IP version.type: integermetadata:description: Metadata contains additional information for thisruleproperties:annotations:additionalProperties:type: stringdescription: Annotations is a set of key value pairs thatgive extra information about the ruletype: objecttype: objectnotICMP:description: NotICMP is the negated version of the ICMP field.properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectnotProtocol:anyOf:- type: integer- type: stringdescription: NotProtocol is the negated version of the Protocolfield.pattern: ^.*x-kubernetes-int-or-string: trueprotocol:anyOf:- type: integer- type: stringdescription: "Protocol is an optional field that restricts therule to only apply to traffic of a specific IP protocol. Requiredif any of the EntityRules contain Ports (because ports onlyapply to certain protocols). \n Must be one of these stringvalues: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",\"UDPLite\" or an integer in the range 1-255."pattern: ^.*x-kubernetes-int-or-string: truesource:description: Source contains the match criteria that apply tosource entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objectrequired:- actiontype: objecttype: arrayingress:description: The ordered set of ingress rules. Each rule containsa set of packet match criteria and a corresponding action to apply.items:description: "A Rule encapsulates a set of match criteria and anaction. Both selector-based security Policy and security Profilesreference rules - separated out as a list of rules for both ingressand egress packet matching. \n Each positive match criteria hasa negated version, prefixed with \"Not\". All the match criteriawithin a rule must be satisfied for a packet to match. A singlerule can contain the positive and negative version of a matchand both must be satisfied for the rule to match."properties:action:type: stringdestination:description: Destination contains the match criteria that applyto destination entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objecthttp:description: HTTP contains match criteria that apply to HTTPrequests.properties:methods:description: Methods is an optional field that restrictsthe rule to apply only to HTTP requests that use one ofthe listed HTTP Methods (e.g. GET, PUT, etc.) Multiplemethods are OR'd together.items:type: stringtype: arraypaths:description: 'Paths is an optional field that restrictsthe rule to apply to HTTP requests that use one of thelisted HTTP Paths. Multiple paths are OR''d together.e.g: - exact: /foo - prefix: /bar NOTE: Each entry mayONLY specify either a `exact` or a `prefix` match. Thevalidator will check for it.'items:description: 'HTTPPath specifies an HTTP path to match.It may be either of the form: exact: <path>: which matchesthe path exactly or prefix: <path-prefix>: which matchesthe path prefix'properties:exact:type: stringprefix:type: stringtype: objecttype: arraytype: objecticmp:description: ICMP is an optional field that restricts the ruleto apply to a specific type and code of ICMP traffic. Thisshould only be specified if the Protocol field is set to "ICMP"or "ICMPv6".properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectipVersion:description: IPVersion is an optional field that restricts therule to only match a specific IP version.type: integermetadata:description: Metadata contains additional information for thisruleproperties:annotations:additionalProperties:type: stringdescription: Annotations is a set of key value pairs thatgive extra information about the ruletype: objecttype: objectnotICMP:description: NotICMP is the negated version of the ICMP field.properties:code:description: Match on a specific ICMP code. If specified,the Type value must also be specified. This is a technicallimitation imposed by the kernel's iptables firewall,which Calico uses to enforce the rule.type: integertype:description: Match on a specific ICMP type. For examplea value of 8 refers to ICMP Echo Request (i.e. pings).type: integertype: objectnotProtocol:anyOf:- type: integer- type: stringdescription: NotProtocol is the negated version of the Protocolfield.pattern: ^.*x-kubernetes-int-or-string: trueprotocol:anyOf:- type: integer- type: stringdescription: "Protocol is an optional field that restricts therule to only apply to traffic of a specific IP protocol. Requiredif any of the EntityRules contain Ports (because ports onlyapply to certain protocols). \n Must be one of these stringvalues: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",\"UDPLite\" or an integer in the range 1-255."pattern: ^.*x-kubernetes-int-or-string: truesource:description: Source contains the match criteria that apply tosource entity.properties:namespaceSelector:description: "NamespaceSelector is an optional field thatcontains a selector expression. Only traffic that originatesfrom (or terminates at) endpoints within the selectednamespaces will be matched. When both NamespaceSelectorand Selector are defined on the same rule, then only workloadendpoints that are matched by both selectors will be selectedby the rule. \n For NetworkPolicy, an empty NamespaceSelectorimplies that the Selector is limited to selecting onlyworkload endpoints in the same namespace as the NetworkPolicy.\n For NetworkPolicy, `global()` NamespaceSelector impliesthat the Selector is limited to selecting only GlobalNetworkSetor HostEndpoint. \n For GlobalNetworkPolicy, an emptyNamespaceSelector implies the Selector applies to workloadendpoints across all namespaces."type: stringnets:description: Nets is an optional field that restricts therule to only apply to traffic that originates from (orterminates at) IP addresses in any of the given subnets.items:type: stringtype: arraynotNets:description: NotNets is the negated version of the Netsfield.items:type: stringtype: arraynotPorts:description: NotPorts is the negated version of the Portsfield. Since only some protocols have ports, if any portsare specified it requires the Protocol match in the Ruleto be set to "TCP" or "UDP".items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arraynotSelector:description: NotSelector is the negated version of the Selectorfield. See Selector field for subtleties with negatedselectors.type: stringports:description: "Ports is an optional field that restrictsthe rule to only apply to traffic that has a source (destination)port that matches one of these ranges/values. This valueis a list of integers or strings that represent rangesof ports. \n Since only some protocols have ports, ifany ports are specified it requires the Protocol matchin the Rule to be set to \"TCP\" or \"UDP\"."items:anyOf:- type: integer- type: stringpattern: ^.*x-kubernetes-int-or-string: truetype: arrayselector:description: "Selector is an optional field that containsa selector expression (see Policy for sample syntax).\ Only traffic that originates from (terminates at) endpointsmatching the selector will be matched. \n Note that: inaddition to the negated version of the Selector (see NotSelectorbelow), the selector expression syntax itself supportsnegation. The two types of negation are subtly different.One negates the set of matched endpoints, the other negatesthe whole match: \n \tSelector = \"!has(my_label)\" matchespackets that are from other Calico-controlled \tendpointsthat do not have the label \"my_label\". \n \tNotSelector= \"has(my_label)\" matches packets that are not fromCalico-controlled \tendpoints that do have the label \"my_label\".\n The effect is that the latter will accept packets fromnon-Calico sources whereas the former is limited to packetsfrom Calico-controlled endpoints."type: stringserviceAccounts:description: ServiceAccounts is an optional field that restrictsthe rule to only apply to traffic that originates from(or terminates at) a pod running as a matching serviceaccount.properties:names:description: Names is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount whose name is in the list.items:type: stringtype: arrayselector:description: Selector is an optional field that restrictsthe rule to only apply to traffic that originatesfrom (or terminates at) a pod running as a serviceaccount that matches the given label selector. Ifboth Names and Selector are specified then they areAND'ed.type: stringtype: objecttype: objectrequired:- actiontype: objecttype: arrayorder:description: Order is an optional field that specifies the order inwhich the policy is applied. Policies with higher "order" are appliedafter those with lower order. If the order is omitted, it may beconsidered to be "infinite" - i.e. the policy will be applied last. Policieswith identical order will be applied in alphanumerical order basedon the Policy "Name".type: numberselector:description: "The selector is an expression used to pick pick outthe endpoints that the policy should be applied to. \n Selectorexpressions follow this syntax: \n \tlabel == \"string_literal\"\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"\ -> not equal; also matches if label is not present \tlabel in{ \"a\", \"b\", \"c\", ... } -> true if the value of label X isone of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",... } -> true if the value of label X is not one of \"a\", \"b\",\"c\" \thas(label_name) -> True if that label is present \t! expr-> negation of expr \texpr && expr -> Short-circuit and \texpr|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()or the empty selector -> matches all endpoints. \n Label names areallowed to contain alphanumerics, -, _ and /. String literals aremore permissive but they do not support escape characters. \n Examples(with made-up labels): \n \ttype == \"webserver\" && deployment== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=\"dev\" \t! has(label_name)"type: stringserviceAccountSelector:description: ServiceAccountSelector is an optional field for an expressionused to select a pod based on service accounts.type: stringtypes:description: "Types indicates whether this policy applies to ingress,or to egress, or to both. When not explicitly specified (and sothe value on creation is empty or nil), Calico defaults Types accordingto what Ingress and Egress are present in the policy. The defaultis: \n - [ PolicyTypeIngress ], if there are no Egress rules (includingthe case where there are also no Ingress rules) \n - [ PolicyTypeEgress], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,PolicyTypeEgress ], if there are both Ingress and Egress rules.\n When the policy is read back again, Types will always be oneof these values, never empty or nil."items:description: PolicyType enumerates the possible values of the PolicySpecTypes field.type: stringtype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:name: networksets.crd.projectcalico.orgspec:group: crd.projectcalico.orgnames:kind: NetworkSetlistKind: NetworkSetListplural: networksetssingular: networksetscope: Namespacedversions:- name: v1schema:openAPIV3Schema:description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: NetworkSetSpec contains the specification for a NetworkSetresource.properties:nets:description: The list of IP networks that belong to this set.items:type: stringtype: arraytype: objecttype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []------# Source: calico/templates/calico-kube-controllers-rbac.yaml# Include a clusterrole for the kube-controllers component,# and bind it to the calico-kube-controllers serviceaccount.kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: calico-kube-controllersrules:# Nodes are watched to monitor for deletions.- apiGroups: [""]resources:- nodesverbs:- watch- list- get# Pods are queried to check for existence.- apiGroups: [""]resources:- podsverbs:- get# IPAM resources are manipulated when nodes are deleted.- apiGroups: ["crd.projectcalico.org"]resources:- ippoolsverbs:- list- apiGroups: ["crd.projectcalico.org"]resources:- blockaffinities- ipamblocks- ipamhandlesverbs:- get- list- create- update- delete- watch# kube-controllers manages hostendpoints.- apiGroups: ["crd.projectcalico.org"]resources:- hostendpointsverbs:- get- list- create- update- delete# Needs access to update clusterinformations.- apiGroups: ["crd.projectcalico.org"]resources:- clusterinformationsverbs:- get- create- update# KubeControllersConfiguration is where it gets its config- apiGroups: ["crd.projectcalico.org"]resources:- kubecontrollersconfigurationsverbs:# read its own config- get# create a default if none exists- create# update status- update# watch for changes- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: calico-kube-controllersroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: calico-kube-controllerssubjects:- kind: ServiceAccountname: calico-kube-controllersnamespace: kube-system------# Source: calico/templates/calico-node-rbac.yaml# Include a clusterrole for the calico-node DaemonSet,# and bind it to the calico-node serviceaccount.kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: calico-noderules:# The CNI plugin needs to get pods, nodes, and namespaces.- apiGroups: [""]resources:- pods- nodes- namespacesverbs:- get- apiGroups: [""]resources:- endpoints- servicesverbs:# Used to discover service IPs for advertisement.- watch- list# Used to discover Typhas.- get# Pod CIDR auto-detection on kubeadm needs access to config maps.- apiGroups: [""]resources:- configmapsverbs:- get- apiGroups: [""]resources:- nodes/statusverbs:# Needed for clearing NodeNetworkUnavailable flag.- patch# Calico stores some configuration information in node annotations.- update# Watch for changes to Kubernetes NetworkPolicies.- apiGroups: ["networking.k8s.io"]resources:- networkpoliciesverbs:- watch- list# Used by Calico for policy information.- apiGroups: [""]resources:- pods- namespaces- serviceaccountsverbs:- list- watch# The CNI plugin patches pods/status.- apiGroups: [""]resources:- pods/statusverbs:- patch# Calico monitors various CRDs for config.- apiGroups: ["crd.projectcalico.org"]resources:- globalfelixconfigs- felixconfigurations- bgppeers- globalbgpconfigs- bgpconfigurations- ippools- ipamblocks- globalnetworkpolicies- globalnetworksets- networkpolicies- networksets- clusterinformations- hostendpoints- blockaffinitiesverbs:- get- list- watch# Calico must create and update some CRDs on startup.- apiGroups: ["crd.projectcalico.org"]resources:- ippools- felixconfigurations- clusterinformationsverbs:- create- update# Calico stores some configuration information on the node.- apiGroups: [""]resources:- nodesverbs:- get- list- watch# These permissions are only required for upgrade from v2.6, and can# be removed after upgrade or on fresh installations.- apiGroups: ["crd.projectcalico.org"]resources:- bgpconfigurations- bgppeersverbs:- create- update# These permissions are required for Calico CNI to perform IPAM allocations.- apiGroups: ["crd.projectcalico.org"]resources:- blockaffinities- ipamblocks- ipamhandlesverbs:- get- list- create- update- delete- apiGroups: ["crd.projectcalico.org"]resources:- ipamconfigsverbs:- get# Block affinities must also be watchable by confd for route aggregation.- apiGroups: ["crd.projectcalico.org"]resources:- blockaffinitiesverbs:- watch# The Calico IPAM migration needs to get daemonsets. These permissions can be# removed if not upgrading from an installation using host-local IPAM.- apiGroups: ["apps"]resources:- daemonsetsverbs:- get---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: calico-noderoleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: calico-nodesubjects:- kind: ServiceAccountname: calico-nodenamespace: kube-system---# Source: calico/templates/calico-node.yaml# This manifest installs the calico-node container, as well# as the CNI plugins and network config on# each master and worker node in a Kubernetes cluster.kind: DaemonSetapiVersion: apps/v1metadata:name: calico-nodenamespace: kube-systemlabels:k8s-app: calico-nodespec:selector:matchLabels:k8s-app: calico-nodeupdateStrategy:type: RollingUpdaterollingUpdate:maxUnavailable: 1template:metadata:labels:k8s-app: calico-nodespec:nodeSelector:kubernetes.io/os: linuxhostNetwork: truetolerations:# Make sure calico-node gets scheduled on all nodes.- effect: NoScheduleoperator: Exists# Mark the pod as a critical add-on for rescheduling.- key: CriticalAddonsOnlyoperator: Exists- effect: NoExecuteoperator: ExistsserviceAccountName: calico-node# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.terminationGracePeriodSeconds: 0priorityClassName: system-node-criticalinitContainers:# This container performs upgrade from host-local IPAM to calico-ipam.# It can be deleted if this is a fresh installation, or if you have already# upgraded to use calico-ipam.- name: upgrade-ipamimage: docker.io/calico/cni:v3.18.0command: ["/opt/cni/bin/calico-ipam", "-upgrade"]envFrom:- configMapRef:# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.name: kubernetes-services-endpointoptional: trueenv:- name: KUBERNETES_NODE_NAMEvalueFrom:fieldRef:fieldPath: spec.nodeName- name: CALICO_NETWORKING_BACKENDvalueFrom:configMapKeyRef:name: calico-configkey: calico_backendvolumeMounts:- mountPath: /var/lib/cni/networksname: host-local-net-dir- mountPath: /host/opt/cni/binname: cni-bin-dirsecurityContext:privileged: true# This container installs the CNI binaries# and CNI network config file on each node.- name: install-cniimage: docker.io/calico/cni:v3.18.0command: ["/opt/cni/bin/install"]envFrom:- configMapRef:# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.name: kubernetes-services-endpointoptional: trueenv:# Name of the CNI config file to create.- name: CNI_CONF_NAMEvalue: "10-calico.conflist"# The CNI network config to install on each node.- name: CNI_NETWORK_CONFIGvalueFrom:configMapKeyRef:name: calico-configkey: cni_network_config# Set the hostname based on the k8s node name.- name: KUBERNETES_NODE_NAMEvalueFrom:fieldRef:fieldPath: spec.nodeName# CNI MTU Config variable- name: CNI_MTUvalueFrom:configMapKeyRef:name: calico-configkey: veth_mtu# Prevents the container from sleeping forever.- name: SLEEPvalue: "false"volumeMounts:- mountPath: /host/opt/cni/binname: cni-bin-dir- mountPath: /host/etc/cni/net.dname: cni-net-dirsecurityContext:privileged: true# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes# to communicate with Felix over the Policy Sync API.- name: flexvol-driverimage: docker.io/calico/pod2daemon-flexvol:v3.18.0volumeMounts:- name: flexvol-driver-hostmountPath: /host/driversecurityContext:privileged: truecontainers:# Runs calico-node container on each Kubernetes node. This# container programs network policy and routes on each# host.- name: calico-nodeimage: docker.io/calico/node:v3.18.0envFrom:- configMapRef:# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.name: kubernetes-services-endpointoptional: trueenv:# Use Kubernetes API as the backing datastore.- name: DATASTORE_TYPEvalue: "kubernetes"# Wait for the datastore.- name: WAIT_FOR_DATASTOREvalue: "true"# Set based on the k8s node name.- name: NODENAMEvalueFrom:fieldRef:fieldPath: spec.nodeName# Choose the backend to use.- name: CALICO_NETWORKING_BACKENDvalueFrom:configMapKeyRef:name: calico-configkey: calico_backend# Cluster type to identify the deployment type- name: CLUSTER_TYPEvalue: "k8s,bgp"# Auto-detect the BGP IP address.- name: IPvalue: "autodetect"# Enable IPIP- name: CALICO_IPV4POOL_IPIPvalue: "Always"# Enable or Disable VXLAN on the default IP pool.- name: CALICO_IPV4POOL_VXLANvalue: "Never"# Set MTU for tunnel device used if ipip is enabled- name: FELIX_IPINIPMTUvalueFrom:configMapKeyRef:name: calico-configkey: veth_mtu# Set MTU for the VXLAN tunnel device.- name: FELIX_VXLANMTUvalueFrom:configMapKeyRef:name: calico-configkey: veth_mtu# Set MTU for the Wireguard tunnel device.- name: FELIX_WIREGUARDMTUvalueFrom:configMapKeyRef:name: calico-configkey: veth_mtu# The default IPv4 pool to create on startup if none exists. Pod IPs will be# chosen from this range. Changing this value after installation will have# no effect. This should fall within `--cluster-cidr`.# - name: CALICO_IPV4POOL_CIDR# value: "192.168.0.0/16"# Disable file logging so `kubectl logs` works.- name: CALICO_DISABLE_FILE_LOGGINGvalue: "true"# Set Felix endpoint to host default action to ACCEPT.- name: FELIX_DEFAULTENDPOINTTOHOSTACTIONvalue: "ACCEPT"# Disable IPv6 on Kubernetes.- name: FELIX_IPV6SUPPORTvalue: "false"# Set Felix logging to "info"- name: FELIX_LOGSEVERITYSCREENvalue: "info"- name: FELIX_HEALTHENABLEDvalue: "true"securityContext:privileged: trueresources:requests:cpu: 250mlivenessProbe:exec:command:- /bin/calico-node- -felix-live- -bird-liveperiodSeconds: 10initialDelaySeconds: 10failureThreshold: 6readinessProbe:exec:command:- /bin/calico-node- -felix-ready- -bird-readyperiodSeconds: 10volumeMounts:- mountPath: /lib/modulesname: lib-modulesreadOnly: true- mountPath: /run/xtables.lockname: xtables-lockreadOnly: false- mountPath: /var/run/caliconame: var-run-calicoreadOnly: false- mountPath: /var/lib/caliconame: var-lib-calicoreadOnly: false- name: policysyncmountPath: /var/run/nodeagent# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the# parent directory.- name: sysfsmountPath: /sys/fs/# Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.# If the host is known to mount that filesystem already then Bidirectional can be omitted.mountPropagation: Bidirectional- name: cni-log-dirmountPath: /var/log/calico/cnireadOnly: truevolumes:# Used by calico-node.- name: lib-moduleshostPath:path: /lib/modules- name: var-run-calicohostPath:path: /var/run/calico- name: var-lib-calicohostPath:path: /var/lib/calico- name: xtables-lockhostPath:path: /run/xtables.locktype: FileOrCreate- name: sysfshostPath:path: /sys/fs/type: DirectoryOrCreate# Used to install CNI.- name: cni-bin-dirhostPath:path: /opt/cni/bin- name: cni-net-dirhostPath:path: /etc/cni/net.d# Used to access CNI logs.- name: cni-log-dirhostPath:path: /var/log/calico/cni# Mount in the directory for host-local IPAM allocations. This is# used when upgrading from host-local to calico-ipam, and can be removed# if not using the upgrade-ipam init container.- name: host-local-net-dirhostPath:path: /var/lib/cni/networks# Used to create per-pod Unix Domain Sockets- name: policysynchostPath:type: DirectoryOrCreatepath: /var/run/nodeagent# Used to install Flex Volume Driver- name: flexvol-driver-hosthostPath:type: DirectoryOrCreatepath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds---apiVersion: v1kind: ServiceAccountmetadata:name: calico-nodenamespace: kube-system---# Source: calico/templates/calico-kube-controllers.yaml# See https://github.com/projectcalico/kube-controllersapiVersion: apps/v1kind: Deploymentmetadata:name: calico-kube-controllersnamespace: kube-systemlabels:k8s-app: calico-kube-controllersspec:# The controllers can only have a single active instance.replicas: 1selector:matchLabels:k8s-app: calico-kube-controllersstrategy:type: Recreatetemplate:metadata:name: calico-kube-controllersnamespace: kube-systemlabels:k8s-app: calico-kube-controllersspec:nodeSelector:kubernetes.io/os: linuxtolerations:# Mark the pod as a critical add-on for rescheduling.- key: CriticalAddonsOnlyoperator: Exists- key: node-role.kubernetes.io/mastereffect: NoScheduleserviceAccountName: calico-kube-controllerspriorityClassName: system-cluster-criticalcontainers:- name: calico-kube-controllersimage: docker.io/calico/kube-controllers:v3.18.0env:# Choose which controllers to run.- name: ENABLED_CONTROLLERSvalue: node- name: DATASTORE_TYPEvalue: kubernetesreadinessProbe:exec:command:- /usr/bin/check-status- -r---apiVersion: v1kind: ServiceAccountmetadata:name: calico-kube-controllersnamespace: kube-system---# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evictapiVersion: policy/v1beta1kind: PodDisruptionBudgetmetadata:name: calico-kube-controllersnamespace: kube-systemlabels:k8s-app: calico-kube-controllersspec:maxUnavailable: 1selector:matchLabels:k8s-app: calico-kube-controllers---# Source: calico/templates/calico-etcd-secrets.yaml---# Source: calico/templates/calico-typha.yaml---# Source: calico/templates/configure-canal.yaml
[root@master ~]# kubectl -n kube-system edit daemonsets.apps calico-node
Warning FailedScheduling
去掉master节点上的污点
kubectl taint nodes --all node-role.kubernetes.io/master-
Warning FailedScheduling <unknown> default-scheduler 0/1 nodes are available: 1 node(s) didn't match node selector
若有收获,就点个赞吧
0 人点赞
