6
kind: PodDisruptionBudget
8
name: calico-kube-controllers
11
k8s-app: calico-kube-controllers
16
k8s-app: calico-kube-controllers
22
name: calico-kube-controllers
23
namespace: kube-system
30
namespace: kube-system
36
name: calico-cni-plugin
37
namespace: kube-system
45
namespace: kube-system
48
typha_service_name: "none"
50
calico_backend: "bird"
59
cni_network_config: |-
61
"name": "k8s-pod-network",
62
"cniVersion": "0.3.1",
67
"log_file_path": "/var/log/calico/cni/cni.log",
68
"datastore_type": "kubernetes",
69
"nodename": "__KUBERNETES_NODE_NAME__",
78
"kubeconfig": "__KUBECONFIG_FILEPATH__"
84
"capabilities": {"portMappings": true}88
"capabilities": {"bandwidth": true}94
apiVersion: apiextensions.k8s.io/v1
95
kind: CustomResourceDefinition
97
name: bgpconfigurations.crd.projectcalico.org
99
group: crd.projectcalico.org
101
kind: BGPConfiguration
102
listKind: BGPConfigurationList
103
plural: bgpconfigurations
104
singular: bgpconfiguration
105
preserveUnknownFields: false
111
description: BGPConfiguration contains the configuration for any BGP routing.
114
description: 'APIVersion defines the versioned schema of this representation
115
of an object. Servers should convert recognized schemas to the latest
116
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
119
description: 'Kind is a string value representing the REST resource this
120
object represents. Servers may infer this from the endpoint the client
121
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
126
description: BGPConfigurationSpec contains the values of the BGP configuration.
129
description: 'ASNumber is the default AS number used by a node. [Default:
134
description: BindMode indicates whether to listen for BGP connections
135
on all addresses (None) or only on the node's canonical IP address
136
Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
137
for BGP connections on all addresses.
140
description: Communities is a list of BGP community values and their
141
arbitrary names for tagging routes.
143
description: Community contains standard or large community value
147
description: Name given to community value.
150
description: Value must be of format `aa:nn` or `aa:nn:mm`.
151
For standard community use `aa:nn` format, where `aa` and
152
`nn` are 16 bit number. For large community use `aa:nn:mm`
153
format, where `aa`, `nn` and `mm` are 32 bit number. Where,
154
`aa` is an AS Number, `nn` and `mm` are per-AS identifier.
155
pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
160
description: IgnoredInterfaces indicates the network interfaces that
161
needs to be excluded when reading device routes.
166
description: ListenPort is the port where BGP protocol should listen.
172
description: 'LogSeverityScreen is the log severity above which logs
173
are sent to the stdout. [Default: INFO]'
175
nodeMeshMaxRestartTime:
176
description: Time to allow for software restart for node-to-mesh peerings. When
177
specified, this is configured as the graceful restart timeout. When
178
not specified, the BIRD default of 120s is used. This field can
179
only be set on the default BGPConfiguration instance and requires
180
that NodeMesh is enabled
183
description: Optional BGP password for full node-to-mesh peerings.
184
This field can only be set on the default BGPConfiguration instance
185
and requires that NodeMesh is enabled
188
description: Selects a key of a secret in the node pod's namespace.
191
description: The key of the secret to select from. Must be
195
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
196
TODO: Add other useful fields. apiVersion, kind, uid?'
199
description: Specify whether the Secret or its key must be
206
nodeToNodeMeshEnabled:
207
description: 'NodeToNodeMeshEnabled sets whether full node to node
208
BGP mesh is enabled. [Default: true]'
210
prefixAdvertisements:
211
description: PrefixAdvertisements contains per-prefix advertisement
214
description: PrefixAdvertisement configures advertisement properties
215
for the specified CIDR.
218
description: CIDR for which properties should be advertised.
221
description: Communities can be list of either community names
222
already defined in `Specs.Communities` or community value
223
of format `aa:nn` or `aa:nn:mm`. For standard community use
224
`aa:nn` format, where `aa` and `nn` are 16 bit number. For
225
large community use `aa:nn:mm` format, where `aa`, `nn` and
226
`mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
227
`mm` are per-AS identifier.
234
description: ServiceClusterIPs are the CIDR blocks from which service
235
cluster IPs are allocated. If specified, Calico will advertise these
236
blocks, as well as any cluster IPs within them.
238
description: ServiceClusterIPBlock represents a single allowed ClusterIP
246
description: ServiceExternalIPs are the CIDR blocks for Kubernetes
247
Service External IPs. Kubernetes Service ExternalIPs will only be
248
advertised if they are within one of these blocks.
250
description: ServiceExternalIPBlock represents a single allowed
251
External IP CIDR block.
257
serviceLoadBalancerIPs:
258
description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
259
Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
260
IPs will only be advertised if they are within one of these blocks.
262
description: ServiceLoadBalancerIPBlock represents a single allowed
263
LoadBalancer IP CIDR block.
281
apiVersion: apiextensions.k8s.io/v1
282
kind: CustomResourceDefinition
285
controller-gen.kubebuilder.io/version: (devel)
286
creationTimestamp: null
287
name: bgpfilters.crd.projectcalico.org
289
group: crd.projectcalico.org
292
listKind: BGPFilterList
302
description: 'APIVersion defines the versioned schema of this representation
303
of an object. Servers should convert recognized schemas to the latest
304
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
307
description: 'Kind is a string value representing the REST resource this
308
object represents. Servers may infer this from the endpoint the client
309
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
314
description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of
318
description: The ordered set of IPv4 BGPFilter rules acting on exporting
321
description: BGPFilterRuleV4 defines a BGP filter rule consisting
322
a single IPv4 CIDR block and a filter action for this CIDR.
339
description: The ordered set of IPv6 BGPFilter rules acting on exporting
342
description: BGPFilterRuleV6 defines a BGP filter rule consisting
343
a single IPv6 CIDR block and a filter action for this CIDR.
360
description: The ordered set of IPv4 BGPFilter rules acting on importing
363
description: BGPFilterRuleV4 defines a BGP filter rule consisting
364
a single IPv4 CIDR block and a filter action for this CIDR.
381
description: The ordered set of IPv6 BGPFilter rules acting on importing
384
description: BGPFilterRuleV6 defines a BGP filter rule consisting
385
a single IPv6 CIDR block and a filter action for this CIDR.
413
apiVersion: apiextensions.k8s.io/v1
414
kind: CustomResourceDefinition
416
name: bgppeers.crd.projectcalico.org
418
group: crd.projectcalico.org
421
listKind: BGPPeerList
424
preserveUnknownFields: false
432
description: 'APIVersion defines the versioned schema of this representation
433
of an object. Servers should convert recognized schemas to the latest
434
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
437
description: 'Kind is a string value representing the REST resource this
438
object represents. Servers may infer this from the endpoint the client
439
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
444
description: BGPPeerSpec contains the specification for a BGPPeer resource.
447
description: The AS Number of the peer.
451
description: The ordered set of BGPFilters applied on this BGP peer.
456
description: Option to keep the original nexthop field when routes
457
are sent to a BGP Peer. Setting "true" configures the selected BGP
458
Peers node to use the "next hop keep;" instead of "next hop self;"(default)
459
in the specific branch of the Node on "bird.cfg".
462
description: Time to allow for software restart. When specified,
463
this is configured as the graceful restart timeout. When not specified,
464
the BIRD default of 120s is used.
467
description: The node name identifying the Calico node instance that
468
is targeted by this peer. If this is not set, and no nodeSelector
469
is specified, then this BGP peer selects all nodes in the cluster.
472
description: Selector for the nodes that should have this peering. When
473
this is set, the Node field must be empty.
475
numAllowedLocalASNumbers:
476
description: Maximum number of local AS numbers that are allowed in
477
the AS path for received routes. This removes BGP loop prevention
478
and should only be used if absolutely necesssary.
482
description: Optional BGP password for the peerings generated by this
486
description: Selects a key of a secret in the node pod's namespace.
489
description: The key of the secret to select from. Must be
493
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
494
TODO: Add other useful fields. apiVersion, kind, uid?'
497
description: Specify whether the Secret or its key must be
505
description: The IP address of the peer followed by an optional port
506
number to peer with. If port number is given, format should be `[<IPv6>]:port`
507
or `<IPv4>:<port>` for IPv4. If optional port number is not set,
508
and this peer IP and ASNumber belongs to a calico/node with ListenPort
509
set in BGPConfiguration, then we use that port to peer.
512
description: Selector for the remote nodes to peer with. When this
513
is set, the PeerIP and ASNumber fields must be empty. For each
514
peering between the local node and selected remote nodes, we configure
515
an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
516
and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
517
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
518
or the global default if that is not set.
521
description: Add an exact, i.e. /32, static route toward peer IP in
522
order to prevent route flapping. ReachableBy contains the address
523
of the gateway which peer can be reached by.
526
description: Specifies whether and how to configure a source address
527
for the peerings generated by this BGPPeer resource. Default value
528
"UseNodeIP" means to configure the node IP as the source address. "None"
529
means not to configure a source address.
532
description: TTLSecurity enables the generalized TTL security mechanism
533
(GTSM) which protects against spoofed packets by ignoring received
534
packets with a smaller than expected TTL value. The provided value
535
is the number of hops (edges) between the peers.
549
apiVersion: apiextensions.k8s.io/v1
550
kind: CustomResourceDefinition
552
name: blockaffinities.crd.projectcalico.org
554
group: crd.projectcalico.org
557
listKind: BlockAffinityList
558
plural: blockaffinities
559
singular: blockaffinity
560
preserveUnknownFields: false
568
description: 'APIVersion defines the versioned schema of this representation
569
of an object. Servers should convert recognized schemas to the latest
570
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
573
description: 'Kind is a string value representing the REST resource this
574
object represents. Servers may infer this from the endpoint the client
575
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
580
description: BlockAffinitySpec contains the specification for a BlockAffinity
586
description: Deleted indicates that this block affinity is being deleted.
587
This field is a string for compatibility with older releases that
588
mistakenly treat this field as a string.
611
apiVersion: apiextensions.k8s.io/v1
612
kind: CustomResourceDefinition
615
controller-gen.kubebuilder.io/version: (devel)
616
creationTimestamp: null
617
name: caliconodestatuses.crd.projectcalico.org
619
group: crd.projectcalico.org
621
kind: CalicoNodeStatus
622
listKind: CalicoNodeStatusList
623
plural: caliconodestatuses
624
singular: caliconodestatus
625
preserveUnknownFields: false
633
description: 'APIVersion defines the versioned schema of this representation
634
of an object. Servers should convert recognized schemas to the latest
635
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
638
description: 'Kind is a string value representing the REST resource this
639
object represents. Servers may infer this from the endpoint the client
640
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
645
description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
649
description: Classes declares the types of information to monitor
650
for this calico/node, and allows for selective status reporting
651
about certain subsets of information.
656
description: The node name identifies the Calico node instance for
660
description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
661
should be updated. Set to 0 to disable CalicoNodeStatus refresh.
662
Maximum update period is one day.
667
description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
668
No validation needed for status since it is updated by Calico.
671
description: Agent holds agent status on the node.
674
description: BIRDV4 represents the latest observed status of bird4.
677
description: LastBootTime holds the value of lastBootTime
678
from bird.ctl output.
680
lastReconfigurationTime:
681
description: LastReconfigurationTime holds the value of lastReconfigTime
682
from bird.ctl output.
685
description: Router ID used by bird.
688
description: The state of the BGP Daemon.
691
description: Version of the BGP daemon
695
description: BIRDV6 represents the latest observed status of bird6.
698
description: LastBootTime holds the value of lastBootTime
699
from bird.ctl output.
701
lastReconfigurationTime:
702
description: LastReconfigurationTime holds the value of lastReconfigTime
703
from bird.ctl output.
706
description: Router ID used by bird.
709
description: The state of the BGP Daemon.
712
description: Version of the BGP daemon
717
description: BGP holds node BGP status.
720
description: The total number of IPv4 established bgp sessions.
723
description: The total number of IPv6 established bgp sessions.
725
numberNotEstablishedV4:
726
description: The total number of IPv4 non-established bgp sessions.
728
numberNotEstablishedV6:
729
description: The total number of IPv6 non-established bgp sessions.
732
description: PeersV4 represents IPv4 BGP peers status on the node.
734
description: CalicoNodePeer contains the status of BGP peers
738
description: IP address of the peer whose condition we are
742
description: Since the state or reason last changed.
745
description: State is the BGP session state.
748
description: Type indicates whether this peer is configured
749
via the node-to-node mesh, or via en explicit global or
750
per-node BGPPeer object.
755
description: PeersV6 represents IPv6 BGP peers status on the node.
757
description: CalicoNodePeer contains the status of BGP peers
761
description: IP address of the peer whose condition we are
765
description: Since the state or reason last changed.
768
description: State is the BGP session state.
771
description: Type indicates whether this peer is configured
772
via the node-to-node mesh, or via en explicit global or
773
per-node BGPPeer object.
778
- numberEstablishedV4
779
- numberEstablishedV6
780
- numberNotEstablishedV4
781
- numberNotEstablishedV6
784
description: LastUpdated is a timestamp representing the server time
785
when CalicoNodeStatus object last updated. It is represented in
786
RFC3339 form and is in UTC.
791
description: Routes reports routes known to the Calico BGP daemon
795
description: RoutesV4 represents IPv4 routes on the node.
797
description: CalicoNodeRoute contains the status of BGP routes
801
description: Destination of the route.
804
description: Gateway for the destination.
807
description: Interface for the destination
810
description: LearnedFrom contains information regarding
811
where this route originated.
814
description: If sourceType is NodeMesh or BGPPeer, IP
815
address of the router that sent us this route.
818
description: Type of the source where a route is learned
823
description: Type indicates if the route is being used for
829
description: RoutesV6 represents IPv6 routes on the node.
831
description: CalicoNodeRoute contains the status of BGP routes
835
description: Destination of the route.
838
description: Gateway for the destination.
841
description: Interface for the destination
844
description: LearnedFrom contains information regarding
845
where this route originated.
848
description: If sourceType is NodeMesh or BGPPeer, IP
849
address of the router that sent us this route.
852
description: Type of the source where a route is learned
857
description: Type indicates if the route is being used for
875
apiVersion: apiextensions.k8s.io/v1
876
kind: CustomResourceDefinition
878
name: clusterinformations.crd.projectcalico.org
880
group: crd.projectcalico.org
882
kind: ClusterInformation
883
listKind: ClusterInformationList
884
plural: clusterinformations
885
singular: clusterinformation
886
preserveUnknownFields: false
892
description: ClusterInformation contains the cluster specific information.
895
description: 'APIVersion defines the versioned schema of this representation
896
of an object. Servers should convert recognized schemas to the latest
897
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
900
description: 'Kind is a string value representing the REST resource this
901
object represents. Servers may infer this from the endpoint the client
902
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
907
description: ClusterInformationSpec contains the values of describing
911
description: CalicoVersion is the version of Calico that the cluster
915
description: ClusterGUID is the GUID of the cluster
918
description: ClusterType describes the type of the cluster
921
description: DatastoreReady is used during significant datastore migrations
922
to signal to components such as Felix that it should wait before
923
accessing the datastore.
926
description: Variant declares which variant of Calico should be active.
940
apiVersion: apiextensions.k8s.io/v1
941
kind: CustomResourceDefinition
943
name: felixconfigurations.crd.projectcalico.org
945
group: crd.projectcalico.org
947
kind: FelixConfiguration
948
listKind: FelixConfigurationList
949
plural: felixconfigurations
950
singular: felixconfiguration
951
preserveUnknownFields: false
957
description: Felix Configuration contains the configuration for Felix.
960
description: 'APIVersion defines the versioned schema of this representation
961
of an object. Servers should convert recognized schemas to the latest
962
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
965
description: 'Kind is a string value representing the REST resource this
966
object represents. Servers may infer this from the endpoint the client
967
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
972
description: FelixConfigurationSpec contains the values of the Felix configuration.
974
allowIPIPPacketsFromWorkloads:
975
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
976
will add a rule to drop IPIP encapsulated traffic from workloads
979
allowVXLANPacketsFromWorkloads:
980
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
981
will add a rule to drop VXLAN encapsulated traffic from workloads
985
description: 'Set source-destination-check on AWS EC2 instances. Accepted
986
value must be one of "DoNothing", "Enable" or "Disable". [Default:
994
description: 'BPFCTLBLogFilter specifies, what is logged by connect
995
time load balancer when BPFLogLevel is debug. Currently has to be
996
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
997
[Default: unset - means logs are emitted when BPFLogLevel id debug
998
and BPFLogFilters not set.]'
1000
bpfConnectTimeLoadBalancing:
1001
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
1002
whether Felix installs the connect-time load balancer. The connect-time
1003
load balancer is required for the host to be able to reach Kubernetes
1004
services and it improves the performance of pod-to-service connections.When
1005
set to TCP, connect time load balancing is available only for services
1006
with TCP ports. [Default: TCP]'
1012
bpfConnectTimeLoadBalancingEnabled:
1013
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
1014
controls whether Felix installs the connection-time load balancer. The
1015
connect-time load balancer is required for the host to be able to
1016
reach Kubernetes services and it improves the performance of pod-to-service
1017
connections. The only reason to disable it is for debugging purposes.
1018
This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
1022
description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
1023
from DSR. That is, clients in those CIDRs will accesses nodeports
1024
as if BPFExternalServiceMode was set to Tunnel.
1028
bpfDataIfacePattern:
1029
description: BPFDataIfacePattern is a regular expression that controls
1030
which interfaces Felix should attach BPF programs to in order to
1031
catch traffic to/from the network. This needs to match the interfaces
1032
that Calico workload traffic flows over as well as any interfaces
1033
that handle incoming traffic to nodeports and services from outside
1034
the cluster. It should not match the workload interfaces (usually
1037
bpfDisableGROForIfaces:
1038
description: BPFDisableGROForIfaces is a regular expression that controls
1039
which interfaces Felix should disable the Generic Receive Offload
1040
[GRO] option. It should not match the workload interfaces (usually
1043
bpfDisableUnprivileged:
1044
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
1045
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
1046
users cannot access Calico''s BPF maps and cannot insert their own
1047
BPF programs to interfere with Calico''s. [Default: true]'
1050
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
1054
description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
1055
with BPF programs regardless of what is the per-interfaces or global
1056
setting. Possible values are Disabled, Strict or Loose. [Default:
1058
pattern: ^(?i)(Disabled|Strict|Loose)?$
1060
bpfExtToServiceConnmark:
1061
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
1062
mark that is set on connections from an external client to a local
1063
service. This mark allows us to control how packets of that connection
1064
are routed within the host and how is routing interpreted by RPF
1065
check. [Default: 0]'
1067
bpfExternalServiceMode:
1068
description: 'BPFExternalServiceMode in BPF mode, controls how connections
1069
from outside the cluster to services (node ports and cluster IPs)
1070
are forwarded to remote workloads. If set to "Tunnel" then both
1071
request and response traffic is tunneled to the remote node. If
1072
set to "DSR", the request traffic is tunneled but the response traffic
1073
is sent directly from the remote node. In "DSR" mode, the remote
1074
node appears to use the IP of the ingress node; this requires a
1075
permissive L2 network. [Default: Tunnel]'
1076
pattern: ^(?i)(Tunnel|DSR)?$
1078
bpfForceTrackPacketsFromIfaces:
1079
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
1080
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
1081
traffic from those interfaces to be tracked by Linux conntrack. Should
1082
only be used for interfaces that are not used for the Calico fabric. For
1083
example, a docker bridge device for non-Calico-networked containers.
1088
bpfHostConntrackBypass:
1089
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
1090
conntrack in BPF mode for workloads and services. [Default: true
1091
- bypass Linux conntrack]'
1093
bpfHostNetworkedNATWithoutCTLB:
1094
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
1095
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
1096
determines the CTLB behavior. [Default: Enabled]'
1101
bpfKubeProxyEndpointSlicesEnabled:
1102
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
1103
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
1105
bpfKubeProxyIptablesCleanupEnabled:
1106
description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
1107
mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
1108
iptables chains. Should only be enabled if kube-proxy is not running. [Default:
1111
bpfKubeProxyMinSyncPeriod:
1112
description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
1113
minimum time between updates to the dataplane for Felix''s embedded
1114
kube-proxy. Lower values give reduced set-up latency. Higher values
1115
reduce Felix CPU usage by batching up more work. [Default: 1s]'
1116
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1119
description: BPFL3IfacePattern is a regular expression that allows
1120
to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
1121
in addition to BPFDataIfacePattern. That is, tunnel interfaces not
1122
created by Calico, that Calico workload traffic flows over as well
1123
as any interfaces that handle incoming traffic to nodeports and
1124
services from outside the cluster.
1127
additionalProperties:
1129
description: "BPFLogFilters is a map of key=values where the value
1130
is a pcap filter expression and the key is an interface name with
1131
'all' denoting all interfaces, 'weps' all workload endpoints and
1132
'heps' all host endpoints. \n When specified as an env var, it accepts
1133
a comma-separated list of key=values. [Default: unset - means all
1134
debug logs are emitted]"
1137
description: 'BPFLogLevel controls the log level of the BPF programs
1138
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
1139
logs are emitted to the BPF trace pipe, accessible with the command
1140
`tc exec bpf debug`. [Default: Off].'
1141
pattern: ^(?i)(Off|Info|Debug)?$
1143
bpfMapSizeConntrack:
1144
description: 'BPFMapSizeConntrack sets the size for the conntrack
1145
map. This map must be large enough to hold an entry for each active
1146
connection. Warning: changing the size of the conntrack map can
1150
description: BPFMapSizeIPSets sets the size for ipsets map. The IP
1151
sets map must be large enough to hold an entry for each endpoint
1152
matched by every selector in the source/destination matches in network
1153
policy. Selectors such as "all()" can result in large numbers of
1154
entries (one entry per endpoint in that case).
1157
description: BPFMapSizeIfState sets the size for ifstate map. The
1158
ifstate map must be large enough to hold an entry for each device
1159
(host + workloads) on a host.
1161
bpfMapSizeNATAffinity:
1163
bpfMapSizeNATBackend:
1164
description: BPFMapSizeNATBackend sets the size for nat back end map.
1165
This is the total number of endpoints. This is mostly more than
1166
the size of the number of services.
1168
bpfMapSizeNATFrontend:
1169
description: BPFMapSizeNATFrontend sets the size for nat front end
1170
map. FrontendMap should be large enough to hold an entry for each
1171
nodeport, external IP and each port in each service.
1174
description: BPFMapSizeRoute sets the size for the routes map. The
1175
routes map should be large enough to hold one entry per workload
1176
and a handful of entries per host (enough to cover its own IPs and
1183
description: 'BPFPSNATPorts sets the range from which we randomly
1184
pick a port if there is a source port collision. This should be
1185
within the ephemeral range as defined by RFC 6056 (1024–65535) and
1186
preferably outside the ephemeral ranges used by common operating
1187
systems. Linux uses 32768–60999, while others mostly use the IANA
1188
defined range 49152–65535. It is not necessarily a problem if this
1189
range overlaps with the operating systems. Both ends of the range
1190
are inclusive. [Default: 20000:29999]'
1192
x-kubernetes-int-or-string: true
1193
bpfPolicyDebugEnabled:
1194
description: BPFPolicyDebugEnabled when true, Felix records detailed
1195
information about the BPF policy programs, which can be examined
1196
with the calico-bpf command-line tool.
1199
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
1200
top-level iptables chains by inserting a rule at the top of the
1201
chain or by appending a rule at the bottom. insert is the safe default
1202
since it prevents Calico''s rules from being bypassed. If you switch
1203
to append mode, be sure that the other rules in the chains signal
1204
acceptance by falling through to the Calico rules, otherwise the
1205
Calico policy will be bypassed. [Default: insert]'
1206
pattern: ^(?i)(insert|append)?$
1209
description: DataplaneDriver filename of the external dataplane driver
1210
to use. Only used if UseInternalDataplaneDriver is set to false.
1212
dataplaneWatchdogTimeout:
1213
description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
1214
used for Felix's (internal) dataplane driver. Increase this value
1215
if you experience spurious non-ready or non-live events when Felix
1216
is under heavy load. Decrease the value to get felix to report non-live
1217
or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
1218
by the generic HealthTimeoutOverrides."
1220
debugDisableLogDropping:
1222
debugMemoryProfilePath:
1224
debugSimulateCalcGraphHangAfter:
1225
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1227
debugSimulateDataplaneHangAfter:
1228
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1230
defaultEndpointToHostAction:
1231
description: 'DefaultEndpointToHostAction controls what happens to
1232
traffic that goes from a workload endpoint to the host itself (after
1233
the traffic hits the endpoint egress policy). By default Calico
1234
blocks traffic from workload endpoints to the host itself with an
1235
iptables "DROP" action. If you want to allow some or all traffic
1236
from endpoint to host, set this parameter to RETURN or ACCEPT. Use
1237
RETURN if you have your own rules in the iptables "INPUT" chain;
1238
Calico will insert its rules at the top of that chain, then "RETURN"
1239
packets to the "INPUT" chain once it has completed processing workload
1240
endpoint egress policy. Use ACCEPT to unconditionally accept packets
1241
from workloads after processing workload endpoint egress policy.
1243
pattern: ^(?i)(Drop|Accept|Return)?$
1245
deviceRouteProtocol:
1246
description: This defines the route protocol added to programmed device
1247
routes, by default this will be RTPROT_BOOT when left blank.
1249
deviceRouteSourceAddress:
1250
description: This is the IPv4 source address to use on programmed
1251
device routes. By default the source address is left blank, leaving
1252
the kernel to choose the source address used.
1254
deviceRouteSourceAddressIPv6:
1255
description: This is the IPv6 source address to use on programmed
1256
device routes. By default the source address is left blank, leaving
1257
the kernel to choose the source address used.
1259
disableConntrackInvalidCheck:
1261
endpointReportingDelay:
1262
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1264
endpointReportingEnabled:
1267
description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
1268
which may source tunnel traffic and have the tunneled traffic be
1269
accepted at calico nodes.
1273
failsafeInboundHostPorts:
1274
description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
1275
and CIDRs that Felix will allow incoming traffic to host endpoints
1276
on irrespective of the security policy. This is useful to avoid
1277
accidentally cutting off a host with incorrect configuration. For
1278
back-compatibility, if the protocol is not specified, it defaults
1279
to "tcp". If a CIDR is not specified, it will allow traffic from
1280
all addresses. To disable all inbound host ports, use the value
1281
none. The default value allows ssh access and DHCP. [Default: tcp:22,
1282
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
1284
description: ProtoPort is combination of protocol, port, and CIDR.
1285
Protocol and port must be specified.
1298
failsafeOutboundHostPorts:
1299
description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
1300
and CIDRs that Felix will allow outgoing traffic from host endpoints
1301
to irrespective of the security policy. This is useful to avoid
1302
accidentally cutting off a host with incorrect configuration. For
1303
back-compatibility, if the protocol is not specified, it defaults
1304
to "tcp". If a CIDR is not specified, it will allow traffic from
1305
all addresses. To disable all outbound host ports, use the value
1306
none. The default value opens etcd''s standard ports to ensure that
1307
Felix does not get cut off from etcd as well as allowing DHCP and
1308
DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
1309
tcp:6667, udp:53, udp:67]'
1311
description: ProtoPort is combination of protocol, port, and CIDR.
1312
Protocol and port must be specified.
1325
featureDetectOverride:
1326
description: FeatureDetectOverride is used to override feature detection
1327
based on auto-detected platform capabilities. Values are specified
1328
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
1329
or "false" will force the feature, empty or omitted values are auto-detected.
1330
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
1333
description: FeatureGates is used to enable or disable tech-preview
1334
Calico features. Values are specified in a comma separated list
1335
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
1336
This is used to enable features that are not fully production ready.
1337
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
1340
description: FloatingIPs configures whether or not Felix will program
1341
non-OpenStack floating IP addresses. (OpenStack-derived floating
1342
IPs are always programmed, regardless of this setting.)
1348
description: 'GenericXDPEnabled enables Generic XDP so network cards
1349
that don''t support XDP offload or driver modes can use XDP. This
1350
is not recommended since it doesn''t provide better performance
1351
than iptables. [Default: false]'
1359
healthTimeoutOverrides:
1360
description: HealthTimeoutOverrides allows the internal watchdog timeouts
1361
of individual subcomponents to be overridden. This is useful for
1362
working around "false positive" liveness timeouts that can occur
1363
in particularly stressful workloads or if CPU is constrained. For
1364
a list of active subcomponents, see Felix's logs.
1377
description: 'InterfaceExclude is a comma-separated list of interfaces
1378
that Felix should exclude when monitoring for host endpoints. The
1379
default value ensures that Felix ignores Kubernetes'' IPVS dummy
1380
interface, which is used internally by kube-proxy. If you want to
1381
exclude multiple interface names using a single value, the list
1382
supports regular expressions. For regular expressions you must wrap
1383
the value with ''/''. For example having values ''/^kube/,veth1''
1384
will exclude all interfaces that begin with ''kube'' and also the
1385
interface ''veth1''. [Default: kube-ipvs0]'
1388
description: 'InterfacePrefix is the interface name prefix that identifies
1389
workload endpoints and so distinguishes them from host endpoint
1390
interfaces. Note: in environments other than bare metal, the orchestrators
1391
configure this appropriately. For example our Kubernetes and Docker
1392
integrations set the ''cali'' value, and our OpenStack integration
1393
sets the ''tap'' value. [Default: cali]'
1395
interfaceRefreshInterval:
1396
description: InterfaceRefreshInterval is the period at which Felix
1397
rescans local interfaces to verify their state. The rescan can be
1398
disabled by setting the interval to 0.
1399
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1402
description: 'IPIPEnabled overrides whether Felix should configure
1403
an IPIP interface on the host. Optional as Felix determines this
1404
based on the existing IP pools. [Default: nil (unset)]'
1407
description: 'IPIPMTU is the MTU to set on the tunnel device. See
1408
Configuring MTU [Default: 1440]'
1410
ipsetsRefreshInterval:
1411
description: 'IpsetsRefreshInterval is the period at which Felix re-checks
1412
all iptables state to ensure that no other process has accidentally
1413
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
1415
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1418
description: IptablesBackend specifies which backend of iptables will
1419
be used. The default is Auto.
1420
pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
1422
iptablesFilterAllowAction:
1423
pattern: ^(?i)(Accept|Return)?$
1425
iptablesFilterDenyAction:
1426
description: IptablesFilterDenyAction controls what happens to traffic
1427
that is denied by network policy. By default Calico blocks traffic
1428
with an iptables "DROP" action. If you want to use "REJECT" action
1429
instead you can configure it in here.
1430
pattern: ^(?i)(Drop|Reject)?$
1432
iptablesLockFilePath:
1433
description: 'IptablesLockFilePath is the location of the iptables
1434
lock file. You may need to change this if the lock file is not in
1435
its standard location (for example if you have mapped it into Felix''s
1436
container at a different path). [Default: /run/xtables.lock]'
1438
iptablesLockProbeInterval:
1439
description: 'IptablesLockProbeInterval is the time that Felix will
1440
wait between attempts to acquire the iptables lock if it is not
1441
available. Lower values make Felix more responsive when the lock
1442
is contended, but use more CPU. [Default: 50ms]'
1443
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1445
iptablesLockTimeout:
1446
description: 'IptablesLockTimeout is the time that Felix will wait
1447
for the iptables lock, or 0, to disable. To use this feature, Felix
1448
must share the iptables lock file with all other processes that
1449
also take the lock. When running Felix inside a container, this
1450
requires the /run directory of the host to be mounted into the calico/node
1451
or calico/felix container. [Default: 0s disabled]'
1452
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1454
iptablesMangleAllowAction:
1455
pattern: ^(?i)(Accept|Return)?$
1458
description: 'IptablesMarkMask is the mask that Felix selects its
1459
IPTables Mark bits from. Should be a 32 bit hexadecimal number with
1460
at least 8 bits set, none of which clash with any other mark bits
1461
in use on the system. [Default: 0xff000000]'
1464
iptablesNATOutgoingInterfaceFilter:
1466
iptablesPostWriteCheckInterval:
1467
description: 'IptablesPostWriteCheckInterval is the period after Felix
1468
has done a write to the dataplane that it schedules an extra read
1469
back in order to check the write was not clobbered by another process.
1470
This should only occur if another application on the system doesn''t
1471
respect the iptables lock. [Default: 1s]'
1472
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1474
iptablesRefreshInterval:
1475
description: 'IptablesRefreshInterval is the period at which Felix
1476
re-checks the IP sets in the dataplane to ensure that no other process
1477
has accidentally broken Calico''s rules. Set to 0 to disable IP
1478
sets refresh. Note: the default for this value is lower than the
1479
other refresh intervals as a workaround for a Linux kernel bug that
1480
was fixed in kernel version 4.11. If you are using v4.11 or greater
1481
you may want to set this to, a higher value to reduce Felix CPU
1482
usage. [Default: 10s]'
1483
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1486
description: IPv6Support controls whether Felix enables support for
1487
IPv6 (if supported by the in-use dataplane).
1490
description: 'KubeNodePortRanges holds list of port ranges used for
1491
service node ports. Only used if felix detects kube-proxy running
1492
in ipvs mode. Felix uses these ranges to separate host and workload
1493
traffic. [Default: 30000:32767].'
1499
x-kubernetes-int-or-string: true
1501
logDebugFilenameRegex:
1502
description: LogDebugFilenameRegex controls which source code files
1503
have their Debug log output included in the logs. Only logs from
1504
files with names that match the given regular expression are included. The
1505
filter only applies to Debug level logs.
1508
description: 'LogFilePath is the full path to the Felix log. Set to
1509
none to disable file logging. [Default: /var/log/calico/felix.log]'
1512
description: 'LogPrefix is the log prefix that Felix uses when rendering
1513
LOG rules. [Default: calico-packet]'
1516
description: 'LogSeverityFile is the log severity above which logs
1517
are sent to the log file. [Default: Info]'
1518
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
1521
description: 'LogSeverityScreen is the log severity above which logs
1522
are sent to the stdout. [Default: Info]'
1523
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
1526
description: 'LogSeveritySys is the log severity above which logs
1527
are sent to the syslog. Set to None for no logging to syslog. [Default:
1529
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
1534
description: 'MetadataAddr is the IP address or domain name of the
1535
server that can answer VM queries for cloud-init metadata. In OpenStack,
1536
this corresponds to the machine running nova-api (or in Ubuntu,
1537
nova-api-metadata). A value of none (case insensitive) means that
1538
Felix should not set up any NAT rule for the metadata path. [Default:
1542
description: 'MetadataPort is the port of the metadata server. This,
1543
combined with global.MetadataAddr (if not ''None''), is used to
1544
set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
1545
In most cases this should not need to be changed [Default: 8775].'
1548
description: MTUIfacePattern is a regular expression that controls
1549
which interfaces Felix should scan in order to calculate the host's
1550
MTU. This should not match workload interfaces (usually named cali...).
1553
description: NATOutgoingAddress specifies an address to use when performing
1554
source NAT for traffic in a natOutgoing pool that is leaving the
1555
network. By default the address used is an address on the interface
1556
the traffic is leaving on (ie it uses the iptables MASQUERADE target)
1562
description: NATPortRange specifies the range of ports that is used
1563
for port mapping when doing outgoing NAT. When unset the default
1564
behavior of the network stack is used.
1566
x-kubernetes-int-or-string: true
1568
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1571
description: 'OpenstackRegion is the name of the region that a particular
1572
Felix belongs to. In a multi-region Calico/OpenStack deployment,
1573
this must be configured somehow for each Felix (here in the datamodel,
1574
or in felix.cfg or the environment on each compute node), and must
1575
match the [calico] openstack_region value configured in neutron.conf
1576
on each node. [Default: Empty]'
1578
policySyncPathPrefix:
1579
description: 'PolicySyncPathPrefix is used to by Felix to communicate
1580
policy changes to external services, like Application layer policy.
1583
prometheusGoMetricsEnabled:
1584
description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
1585
collection, which the Prometheus client does by default, when set
1586
to false. This reduces the number of metrics reported, reducing
1587
Prometheus load. [Default: true]'
1589
prometheusMetricsEnabled:
1590
description: 'PrometheusMetricsEnabled enables the Prometheus metrics
1591
server in Felix if set to true. [Default: false]'
1593
prometheusMetricsHost:
1594
description: 'PrometheusMetricsHost is the host that the Prometheus
1595
metrics server should bind to. [Default: empty]'
1597
prometheusMetricsPort:
1598
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
1599
metrics server should bind to. [Default: 9091]'
1601
prometheusProcessMetricsEnabled:
1602
description: 'PrometheusProcessMetricsEnabled disables process metrics
1603
collection, which the Prometheus client does by default, when set
1604
to false. This reduces the number of metrics reported, reducing
1605
Prometheus load. [Default: true]'
1607
prometheusWireGuardMetricsEnabled:
1608
description: 'PrometheusWireGuardMetricsEnabled disables wireguard
1609
metrics collection, which the Prometheus client does by default,
1610
when set to false. This reduces the number of metrics reported,
1611
reducing Prometheus load. [Default: true]'
1613
removeExternalRoutes:
1614
description: Whether or not to remove device routes that have not
1615
been programmed by Felix. Disabling this will allow external applications
1616
to also add device routes. This is enabled by default which means
1617
we will remove externally added routes.
1620
description: 'ReportingInterval is the interval at which Felix reports
1621
its status into the datastore or 0 to disable. Must be non-zero
1622
in OpenStack deployments. [Default: 30s]'
1623
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1626
description: 'ReportingTTL is the time-to-live setting for process-wide
1627
status reports. [Default: 90s]'
1628
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1630
routeRefreshInterval:
1631
description: 'RouteRefreshInterval is the period at which Felix re-checks
1632
the routes in the dataplane to ensure that no other process has
1633
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
1635
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1638
description: 'RouteSource configures where Felix gets its routing
1639
information. - WorkloadIPs: use workload endpoints to construct
1640
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
1641
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
1644
description: RouteSyncDisabled will disable all operations performed
1645
on the route table. Set to true to run in network-policy mode only.
1648
description: Deprecated in favor of RouteTableRanges. Calico programs
1649
additional Linux route tables for various purposes. RouteTableRange
1650
specifies the indices of the route tables that Calico should use.
1661
description: Calico programs additional Linux route tables for various
1662
purposes. RouteTableRanges specifies a set of table index ranges
1663
that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
1675
serviceLoopPrevention:
1676
description: 'When service IP advertisement is enabled, prevent routing
1677
loops to service IPs that are not in use, by dropping or rejecting
1678
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
1679
in which case such routing loops continue to be allowed. [Default:
1681
pattern: ^(?i)(Drop|Reject|Disabled)?$
1683
sidecarAccelerationEnabled:
1684
description: 'SidecarAccelerationEnabled enables experimental sidecar
1685
acceleration [Default: false]'
1687
usageReportingEnabled:
1688
description: 'UsageReportingEnabled reports anonymous Calico version
1689
number and cluster size to projectcalico.org. Logs warnings returned
1690
by the usage server. For example, if a significant security vulnerability
1691
has been discovered in the version of Calico being used. [Default:
1694
usageReportingInitialDelay:
1695
description: 'UsageReportingInitialDelay controls the minimum delay
1696
before Felix makes a report. [Default: 300s]'
1697
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1699
usageReportingInterval:
1700
description: 'UsageReportingInterval controls the interval at which
1701
Felix makes reports. [Default: 86400s]'
1702
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1704
useInternalDataplaneDriver:
1705
description: UseInternalDataplaneDriver, if true, Felix will use its
1706
internal dataplane programming logic. If false, it will launch
1707
an external dataplane driver and communicate with it over protobuf.
1710
description: 'VXLANEnabled overrides whether Felix should create the
1711
VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
1712
determines this based on the existing IP pools. [Default: nil (unset)]'
1715
description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
1716
device. See Configuring MTU [Default: 1410]'
1719
description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
1720
device. See Configuring MTU [Default: 1390]'
1726
windowsManageFirewallRules:
1727
description: 'WindowsManageFirewallRules configures whether or not
1728
Felix will program Windows Firewall rules. (to allow inbound access
1729
to its own metrics ports) [Default: Disabled]'
1735
description: 'WireguardEnabled controls whether Wireguard is enabled
1736
for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
1740
description: 'WireguardEnabledV6 controls whether Wireguard is enabled
1741
for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
1744
wireguardHostEncryptionEnabled:
1745
description: 'WireguardHostEncryptionEnabled controls whether Wireguard
1746
host-to-host encryption is enabled. [Default: false]'
1748
wireguardInterfaceName:
1749
description: 'WireguardInterfaceName specifies the name to use for
1750
the IPv4 Wireguard interface. [Default: wireguard.cali]'
1752
wireguardInterfaceNameV6:
1753
description: 'WireguardInterfaceNameV6 specifies the name to use for
1754
the IPv6 Wireguard interface. [Default: wg-v6.cali]'
1757
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
1758
option. Set 0 to disable. [Default: 0]'
1759
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1761
wireguardListeningPort:
1762
description: 'WireguardListeningPort controls the listening port used
1763
by IPv4 Wireguard. [Default: 51820]'
1765
wireguardListeningPortV6:
1766
description: 'WireguardListeningPortV6 controls the listening port
1767
used by IPv6 Wireguard. [Default: 51821]'
1770
description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
1771
interface. See Configuring MTU [Default: 1440]'
1774
description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
1775
interface. See Configuring MTU [Default: 1420]'
1777
wireguardRoutingRulePriority:
1778
description: 'WireguardRoutingRulePriority controls the priority value
1779
to use for the Wireguard routing rule. [Default: 99]'
1781
workloadSourceSpoofing:
1782
description: WorkloadSourceSpoofing controls whether pods can use
1783
the allowedSourcePrefixes annotation to send traffic with a source
1784
IP address that is not theirs. This is disabled by default. When
1785
set to "Any", pods can request any prefix.
1786
pattern: ^(?i)(Disabled|Any)?$
1789
description: 'XDPEnabled enables XDP acceleration for suitable untracked
1790
incoming deny rules. [Default: true]'
1793
description: 'XDPRefreshInterval is the period at which Felix re-checks
1794
all XDP state to ensure that no other process has accidentally broken
1795
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
1796
refresh. [Default: 90s]'
1797
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
1811
apiVersion: apiextensions.k8s.io/v1
1812
kind: CustomResourceDefinition
1814
name: globalnetworkpolicies.crd.projectcalico.org
1816
group: crd.projectcalico.org
1818
kind: GlobalNetworkPolicy
1819
listKind: GlobalNetworkPolicyList
1820
plural: globalnetworkpolicies
1821
singular: globalnetworkpolicy
1822
preserveUnknownFields: false
1830
description: 'APIVersion defines the versioned schema of this representation
1831
of an object. Servers should convert recognized schemas to the latest
1832
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
1835
description: 'Kind is a string value representing the REST resource this
1836
object represents. Servers may infer this from the endpoint the client
1837
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
1844
description: ApplyOnForward indicates to apply the rules in this policy
1848
description: DoNotTrack indicates whether packets matched by the rules
1849
in this policy should go through the data plane's connection tracking,
1850
such as Linux conntrack. If True, the rules in this policy are
1851
applied before any data plane connection tracking, and packets allowed
1852
by this policy are marked as not to be tracked.
1855
description: The ordered set of egress rules. Each rule contains
1856
a set of packet match criteria and a corresponding action to apply.
1858
description: "A Rule encapsulates a set of match criteria and an
1859
action. Both selector-based security Policy and security Profiles
1860
reference rules - separated out as a list of rules for both ingress
1861
and egress packet matching. \n Each positive match criteria has
1862
a negated version, prefixed with \"Not\". All the match criteria
1863
within a rule must be satisfied for a packet to match. A single
1864
rule can contain the positive and negative version of a match
1865
and both must be satisfied for the rule to match."
1870
description: Destination contains the match criteria that apply
1871
to destination entity.
1874
description: "NamespaceSelector is an optional field that
1875
contains a selector expression. Only traffic that originates
1876
from (or terminates at) endpoints within the selected
1877
namespaces will be matched. When both NamespaceSelector
1878
and another selector are defined on the same rule, then
1879
only workload endpoints that are matched by both selectors
1880
will be selected by the rule. \n For NetworkPolicy, an
1881
empty NamespaceSelector implies that the Selector is limited
1882
to selecting only workload endpoints in the same namespace
1883
as the NetworkPolicy. \n For NetworkPolicy, `global()`
1884
NamespaceSelector implies that the Selector is limited
1885
to selecting only GlobalNetworkSet or HostEndpoint. \n
1886
For GlobalNetworkPolicy, an empty NamespaceSelector implies
1887
the Selector applies to workload endpoints across all
1891
description: Nets is an optional field that restricts the
1892
rule to only apply to traffic that originates from (or
1893
terminates at) IP addresses in any of the given subnets.
1898
description: NotNets is the negated version of the Nets
1904
description: NotPorts is the negated version of the Ports
1905
field. Since only some protocols have ports, if any ports
1906
are specified it requires the Protocol match in the Rule
1907
to be set to "TCP" or "UDP".
1913
x-kubernetes-int-or-string: true
1916
description: NotSelector is the negated version of the Selector
1917
field. See Selector field for subtleties with negated
1921
description: "Ports is an optional field that restricts
1922
the rule to only apply to traffic that has a source (destination)
1923
port that matches one of these ranges/values. This value
1924
is a list of integers or strings that represent ranges
1925
of ports. \n Since only some protocols have ports, if
1926
any ports are specified it requires the Protocol match
1927
in the Rule to be set to \"TCP\" or \"UDP\"."
1933
x-kubernetes-int-or-string: true
1936
description: "Selector is an optional field that contains
1937
a selector expression (see Policy for sample syntax).
1938
\ Only traffic that originates from (terminates at) endpoints
1939
matching the selector will be matched. \n Note that: in
1940
addition to the negated version of the Selector (see NotSelector
1941
below), the selector expression syntax itself supports
1942
negation. The two types of negation are subtly different.
1943
One negates the set of matched endpoints, the other negates
1944
the whole match: \n \tSelector = \"!has(my_label)\" matches
1945
packets that are from other Calico-controlled \tendpoints
1946
that do not have the label \"my_label\". \n \tNotSelector
1947
= \"has(my_label)\" matches packets that are not from
1948
Calico-controlled \tendpoints that do have the label \"my_label\".
1949
\n The effect is that the latter will accept packets from
1950
non-Calico sources whereas the former is limited to packets
1951
from Calico-controlled endpoints."
1954
description: ServiceAccounts is an optional field that restricts
1955
the rule to only apply to traffic that originates from
1956
(or terminates at) a pod running as a matching service
1960
description: Names is an optional field that restricts
1961
the rule to only apply to traffic that originates
1962
from (or terminates at) a pod running as a service
1963
account whose name is in the list.
1968
description: Selector is an optional field that restricts
1969
the rule to only apply to traffic that originates
1970
from (or terminates at) a pod running as a service
1971
account that matches the given label selector. If
1972
both Names and Selector are specified then they are
1977
description: "Services is an optional field that contains
1978
options for matching Kubernetes Services. If specified,
1979
only traffic that originates from or terminates at endpoints
1980
within the selected service(s) will be matched, and only
1981
to/from each endpoint's port. \n Services cannot be specified
1982
on the same rule as Selector, NotSelector, NamespaceSelector,
1983
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
1984
can only be specified with Services on ingress rules."
1987
description: Name specifies the name of a Kubernetes
1991
description: Namespace specifies the namespace of the
1992
given Service. If left empty, the rule will match
1993
within this policy's namespace.
1998
description: HTTP contains match criteria that apply to HTTP
2002
description: Methods is an optional field that restricts
2003
the rule to apply only to HTTP requests that use one of
2004
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2005
methods are OR'd together.
2010
description: 'Paths is an optional field that restricts
2011
the rule to apply to HTTP requests that use one of the
2012
listed HTTP Paths. Multiple paths are OR''d together.
2013
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2014
ONLY specify either a `exact` or a `prefix` match. The
2015
validator will check for it.'
2017
description: 'HTTPPath specifies an HTTP path to match.
2018
It may be either of the form: exact: <path>: which matches
2019
the path exactly or prefix: <path-prefix>: which matches
2030
description: ICMP is an optional field that restricts the rule
2031
to apply to a specific type and code of ICMP traffic. This
2032
should only be specified if the Protocol field is set to "ICMP"
2036
description: Match on a specific ICMP code. If specified,
2037
the Type value must also be specified. This is a technical
2038
limitation imposed by the kernel's iptables firewall,
2039
which Calico uses to enforce the rule.
2042
description: Match on a specific ICMP type. For example
2043
a value of 8 refers to ICMP Echo Request (i.e. pings).
2047
description: IPVersion is an optional field that restricts the
2048
rule to only match a specific IP version.
2051
description: Metadata contains additional information for this
2055
additionalProperties:
2057
description: Annotations is a set of key value pairs that
2058
give extra information about the rule
2062
description: NotICMP is the negated version of the ICMP field.
2065
description: Match on a specific ICMP code. If specified,
2066
the Type value must also be specified. This is a technical
2067
limitation imposed by the kernel's iptables firewall,
2068
which Calico uses to enforce the rule.
2071
description: Match on a specific ICMP type. For example
2072
a value of 8 refers to ICMP Echo Request (i.e. pings).
2079
description: NotProtocol is the negated version of the Protocol
2082
x-kubernetes-int-or-string: true
2087
description: "Protocol is an optional field that restricts the
2088
rule to only apply to traffic of a specific IP protocol. Required
2089
if any of the EntityRules contain Ports (because ports only
2090
apply to certain protocols). \n Must be one of these string
2091
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2092
\"UDPLite\" or an integer in the range 1-255."
2094
x-kubernetes-int-or-string: true
2096
description: Source contains the match criteria that apply to
2100
description: "NamespaceSelector is an optional field that
2101
contains a selector expression. Only traffic that originates
2102
from (or terminates at) endpoints within the selected
2103
namespaces will be matched. When both NamespaceSelector
2104
and another selector are defined on the same rule, then
2105
only workload endpoints that are matched by both selectors
2106
will be selected by the rule. \n For NetworkPolicy, an
2107
empty NamespaceSelector implies that the Selector is limited
2108
to selecting only workload endpoints in the same namespace
2109
as the NetworkPolicy. \n For NetworkPolicy, `global()`
2110
NamespaceSelector implies that the Selector is limited
2111
to selecting only GlobalNetworkSet or HostEndpoint. \n
2112
For GlobalNetworkPolicy, an empty NamespaceSelector implies
2113
the Selector applies to workload endpoints across all
2117
description: Nets is an optional field that restricts the
2118
rule to only apply to traffic that originates from (or
2119
terminates at) IP addresses in any of the given subnets.
2124
description: NotNets is the negated version of the Nets
2130
description: NotPorts is the negated version of the Ports
2131
field. Since only some protocols have ports, if any ports
2132
are specified it requires the Protocol match in the Rule
2133
to be set to "TCP" or "UDP".
2139
x-kubernetes-int-or-string: true
2142
description: NotSelector is the negated version of the Selector
2143
field. See Selector field for subtleties with negated
2147
description: "Ports is an optional field that restricts
2148
the rule to only apply to traffic that has a source (destination)
2149
port that matches one of these ranges/values. This value
2150
is a list of integers or strings that represent ranges
2151
of ports. \n Since only some protocols have ports, if
2152
any ports are specified it requires the Protocol match
2153
in the Rule to be set to \"TCP\" or \"UDP\"."
2159
x-kubernetes-int-or-string: true
2162
description: "Selector is an optional field that contains
2163
a selector expression (see Policy for sample syntax).
2164
\ Only traffic that originates from (terminates at) endpoints
2165
matching the selector will be matched. \n Note that: in
2166
addition to the negated version of the Selector (see NotSelector
2167
below), the selector expression syntax itself supports
2168
negation. The two types of negation are subtly different.
2169
One negates the set of matched endpoints, the other negates
2170
the whole match: \n \tSelector = \"!has(my_label)\" matches
2171
packets that are from other Calico-controlled \tendpoints
2172
that do not have the label \"my_label\". \n \tNotSelector
2173
= \"has(my_label)\" matches packets that are not from
2174
Calico-controlled \tendpoints that do have the label \"my_label\".
2175
\n The effect is that the latter will accept packets from
2176
non-Calico sources whereas the former is limited to packets
2177
from Calico-controlled endpoints."
2180
description: ServiceAccounts is an optional field that restricts
2181
the rule to only apply to traffic that originates from
2182
(or terminates at) a pod running as a matching service
2186
description: Names is an optional field that restricts
2187
the rule to only apply to traffic that originates
2188
from (or terminates at) a pod running as a service
2189
account whose name is in the list.
2194
description: Selector is an optional field that restricts
2195
the rule to only apply to traffic that originates
2196
from (or terminates at) a pod running as a service
2197
account that matches the given label selector. If
2198
both Names and Selector are specified then they are
2203
description: "Services is an optional field that contains
2204
options for matching Kubernetes Services. If specified,
2205
only traffic that originates from or terminates at endpoints
2206
within the selected service(s) will be matched, and only
2207
to/from each endpoint's port. \n Services cannot be specified
2208
on the same rule as Selector, NotSelector, NamespaceSelector,
2209
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2210
can only be specified with Services on ingress rules."
2213
description: Name specifies the name of a Kubernetes
2217
description: Namespace specifies the namespace of the
2218
given Service. If left empty, the rule will match
2219
within this policy's namespace.
2228
description: The ordered set of ingress rules. Each rule contains
2229
a set of packet match criteria and a corresponding action to apply.
2231
description: "A Rule encapsulates a set of match criteria and an
2232
action. Both selector-based security Policy and security Profiles
2233
reference rules - separated out as a list of rules for both ingress
2234
and egress packet matching. \n Each positive match criteria has
2235
a negated version, prefixed with \"Not\". All the match criteria
2236
within a rule must be satisfied for a packet to match. A single
2237
rule can contain the positive and negative version of a match
2238
and both must be satisfied for the rule to match."
2243
description: Destination contains the match criteria that apply
2244
to destination entity.
2247
description: "NamespaceSelector is an optional field that
2248
contains a selector expression. Only traffic that originates
2249
from (or terminates at) endpoints within the selected
2250
namespaces will be matched. When both NamespaceSelector
2251
and another selector are defined on the same rule, then
2252
only workload endpoints that are matched by both selectors
2253
will be selected by the rule. \n For NetworkPolicy, an
2254
empty NamespaceSelector implies that the Selector is limited
2255
to selecting only workload endpoints in the same namespace
2256
as the NetworkPolicy. \n For NetworkPolicy, `global()`
2257
NamespaceSelector implies that the Selector is limited
2258
to selecting only GlobalNetworkSet or HostEndpoint. \n
2259
For GlobalNetworkPolicy, an empty NamespaceSelector implies
2260
the Selector applies to workload endpoints across all
2264
description: Nets is an optional field that restricts the
2265
rule to only apply to traffic that originates from (or
2266
terminates at) IP addresses in any of the given subnets.
2271
description: NotNets is the negated version of the Nets
2277
description: NotPorts is the negated version of the Ports
2278
field. Since only some protocols have ports, if any ports
2279
are specified it requires the Protocol match in the Rule
2280
to be set to "TCP" or "UDP".
2286
x-kubernetes-int-or-string: true
2289
description: NotSelector is the negated version of the Selector
2290
field. See Selector field for subtleties with negated
2294
description: "Ports is an optional field that restricts
2295
the rule to only apply to traffic that has a source (destination)
2296
port that matches one of these ranges/values. This value
2297
is a list of integers or strings that represent ranges
2298
of ports. \n Since only some protocols have ports, if
2299
any ports are specified it requires the Protocol match
2300
in the Rule to be set to \"TCP\" or \"UDP\"."
2306
x-kubernetes-int-or-string: true
2309
description: "Selector is an optional field that contains
2310
a selector expression (see Policy for sample syntax).
2311
\ Only traffic that originates from (terminates at) endpoints
2312
matching the selector will be matched. \n Note that: in
2313
addition to the negated version of the Selector (see NotSelector
2314
below), the selector expression syntax itself supports
2315
negation. The two types of negation are subtly different.
2316
One negates the set of matched endpoints, the other negates
2317
the whole match: \n \tSelector = \"!has(my_label)\" matches
2318
packets that are from other Calico-controlled \tendpoints
2319
that do not have the label \"my_label\". \n \tNotSelector
2320
= \"has(my_label)\" matches packets that are not from
2321
Calico-controlled \tendpoints that do have the label \"my_label\".
2322
\n The effect is that the latter will accept packets from
2323
non-Calico sources whereas the former is limited to packets
2324
from Calico-controlled endpoints."
2327
description: ServiceAccounts is an optional field that restricts
2328
the rule to only apply to traffic that originates from
2329
(or terminates at) a pod running as a matching service
2333
description: Names is an optional field that restricts
2334
the rule to only apply to traffic that originates
2335
from (or terminates at) a pod running as a service
2336
account whose name is in the list.
2341
description: Selector is an optional field that restricts
2342
the rule to only apply to traffic that originates
2343
from (or terminates at) a pod running as a service
2344
account that matches the given label selector. If
2345
both Names and Selector are specified then they are
2350
description: "Services is an optional field that contains
2351
options for matching Kubernetes Services. If specified,
2352
only traffic that originates from or terminates at endpoints
2353
within the selected service(s) will be matched, and only
2354
to/from each endpoint's port. \n Services cannot be specified
2355
on the same rule as Selector, NotSelector, NamespaceSelector,
2356
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2357
can only be specified with Services on ingress rules."
2360
description: Name specifies the name of a Kubernetes
2364
description: Namespace specifies the namespace of the
2365
given Service. If left empty, the rule will match
2366
within this policy's namespace.
2371
description: HTTP contains match criteria that apply to HTTP
2375
description: Methods is an optional field that restricts
2376
the rule to apply only to HTTP requests that use one of
2377
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2378
methods are OR'd together.
2383
description: 'Paths is an optional field that restricts
2384
the rule to apply to HTTP requests that use one of the
2385
listed HTTP Paths. Multiple paths are OR''d together.
2386
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2387
ONLY specify either a `exact` or a `prefix` match. The
2388
validator will check for it.'
2390
description: 'HTTPPath specifies an HTTP path to match.
2391
It may be either of the form: exact: <path>: which matches
2392
the path exactly or prefix: <path-prefix>: which matches
2403
description: ICMP is an optional field that restricts the rule
2404
to apply to a specific type and code of ICMP traffic. This
2405
should only be specified if the Protocol field is set to "ICMP"
2409
description: Match on a specific ICMP code. If specified,
2410
the Type value must also be specified. This is a technical
2411
limitation imposed by the kernel's iptables firewall,
2412
which Calico uses to enforce the rule.
2415
description: Match on a specific ICMP type. For example
2416
a value of 8 refers to ICMP Echo Request (i.e. pings).
2420
description: IPVersion is an optional field that restricts the
2421
rule to only match a specific IP version.
2424
description: Metadata contains additional information for this
2428
additionalProperties:
2430
description: Annotations is a set of key value pairs that
2431
give extra information about the rule
2435
description: NotICMP is the negated version of the ICMP field.
2438
description: Match on a specific ICMP code. If specified,
2439
the Type value must also be specified. This is a technical
2440
limitation imposed by the kernel's iptables firewall,
2441
which Calico uses to enforce the rule.
2444
description: Match on a specific ICMP type. For example
2445
a value of 8 refers to ICMP Echo Request (i.e. pings).
2452
description: NotProtocol is the negated version of the Protocol
2455
x-kubernetes-int-or-string: true
2460
description: "Protocol is an optional field that restricts the
2461
rule to only apply to traffic of a specific IP protocol. Required
2462
if any of the EntityRules contain Ports (because ports only
2463
apply to certain protocols). \n Must be one of these string
2464
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2465
\"UDPLite\" or an integer in the range 1-255."
2467
x-kubernetes-int-or-string: true
2469
description: Source contains the match criteria that apply to
2473
description: "NamespaceSelector is an optional field that
2474
contains a selector expression. Only traffic that originates
2475
from (or terminates at) endpoints within the selected
2476
namespaces will be matched. When both NamespaceSelector
2477
and another selector are defined on the same rule, then
2478
only workload endpoints that are matched by both selectors
2479
will be selected by the rule. \n For NetworkPolicy, an
2480
empty NamespaceSelector implies that the Selector is limited
2481
to selecting only workload endpoints in the same namespace
2482
as the NetworkPolicy. \n For NetworkPolicy, `global()`
2483
NamespaceSelector implies that the Selector is limited
2484
to selecting only GlobalNetworkSet or HostEndpoint. \n
2485
For GlobalNetworkPolicy, an empty NamespaceSelector implies
2486
the Selector applies to workload endpoints across all
2490
description: Nets is an optional field that restricts the
2491
rule to only apply to traffic that originates from (or
2492
terminates at) IP addresses in any of the given subnets.
2497
description: NotNets is the negated version of the Nets
2503
description: NotPorts is the negated version of the Ports
2504
field. Since only some protocols have ports, if any ports
2505
are specified it requires the Protocol match in the Rule
2506
to be set to "TCP" or "UDP".
2512
x-kubernetes-int-or-string: true
2515
description: NotSelector is the negated version of the Selector
2516
field. See Selector field for subtleties with negated
2520
description: "Ports is an optional field that restricts
2521
the rule to only apply to traffic that has a source (destination)
2522
port that matches one of these ranges/values. This value
2523
is a list of integers or strings that represent ranges
2524
of ports. \n Since only some protocols have ports, if
2525
any ports are specified it requires the Protocol match
2526
in the Rule to be set to \"TCP\" or \"UDP\"."
2532
x-kubernetes-int-or-string: true
2535
description: "Selector is an optional field that contains
2536
a selector expression (see Policy for sample syntax).
2537
\ Only traffic that originates from (terminates at) endpoints
2538
matching the selector will be matched. \n Note that: in
2539
addition to the negated version of the Selector (see NotSelector
2540
below), the selector expression syntax itself supports
2541
negation. The two types of negation are subtly different.
2542
One negates the set of matched endpoints, the other negates
2543
the whole match: \n \tSelector = \"!has(my_label)\" matches
2544
packets that are from other Calico-controlled \tendpoints
2545
that do not have the label \"my_label\". \n \tNotSelector
2546
= \"has(my_label)\" matches packets that are not from
2547
Calico-controlled \tendpoints that do have the label \"my_label\".
2548
\n The effect is that the latter will accept packets from
2549
non-Calico sources whereas the former is limited to packets
2550
from Calico-controlled endpoints."
2553
description: ServiceAccounts is an optional field that restricts
2554
the rule to only apply to traffic that originates from
2555
(or terminates at) a pod running as a matching service
2559
description: Names is an optional field that restricts
2560
the rule to only apply to traffic that originates
2561
from (or terminates at) a pod running as a service
2562
account whose name is in the list.
2567
description: Selector is an optional field that restricts
2568
the rule to only apply to traffic that originates
2569
from (or terminates at) a pod running as a service
2570
account that matches the given label selector. If
2571
both Names and Selector are specified then they are
2576
description: "Services is an optional field that contains
2577
options for matching Kubernetes Services. If specified,
2578
only traffic that originates from or terminates at endpoints
2579
within the selected service(s) will be matched, and only
2580
to/from each endpoint's port. \n Services cannot be specified
2581
on the same rule as Selector, NotSelector, NamespaceSelector,
2582
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
2583
can only be specified with Services on ingress rules."
2586
description: Name specifies the name of a Kubernetes
2590
description: Namespace specifies the namespace of the
2591
given Service. If left empty, the rule will match
2592
within this policy's namespace.
2601
description: NamespaceSelector is an optional field for an expression
2602
used to select a pod based on namespaces.
2605
description: Order is an optional field that specifies the order in
2606
which the policy is applied. Policies with higher "order" are applied
2607
after those with lower order. If the order is omitted, it may be
2608
considered to be "infinite" - i.e. the policy will be applied last. Policies
2609
with identical order will be applied in alphanumerical order based
2610
on the Policy "Name".
2613
description: "PerformanceHints contains a list of hints to Calico's
2614
policy engine to help process the policy more efficiently. Hints
2615
never change the enforcement behaviour of the policy. \n Currently,
2616
the only available hint is \"AssumeNeededOnEveryNode\". When that
2617
hint is set on a policy, Felix will act as if the policy matches
2618
a local endpoint even if it does not. This is useful for \"preloading\"
2619
any large static policies that are known to be used on every node.
2620
If the policy is _not_ used on a particular node then the work done
2621
to preload the policy (and to maintain it) is wasted."
2626
description: PreDNAT indicates to apply the rules in this policy before
2630
description: "The selector is an expression used to pick pick out
2631
the endpoints that the policy should be applied to. \n Selector
2632
expressions follow this syntax: \n \tlabel == \"string_literal\"
2633
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
2634
\ -> not equal; also matches if label is not present \tlabel in
2635
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is2636
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",2637
... } -> true if the value of label X is not one of \"a\", \"b\",
2638
\"c\" \thas(label_name) -> True if that label is present \t! expr
2639
-> negation of expr \texpr && expr -> Short-circuit and \texpr
2640
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
2641
or the empty selector -> matches all endpoints. \n Label names are
2642
allowed to contain alphanumerics, -, _ and /. String literals are
2643
more permissive but they do not support escape characters. \n Examples
2644
(with made-up labels): \n \ttype == \"webserver\" && deployment
2645
== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=2646
\"dev\" \t! has(label_name)"
2648
serviceAccountSelector:
2649
description: ServiceAccountSelector is an optional field for an expression
2650
used to select a pod based on service accounts.
2653
description: "Types indicates whether this policy applies to ingress,
2654
or to egress, or to both. When not explicitly specified (and so
2655
the value on creation is empty or nil), Calico defaults Types according
2656
to what Ingress and Egress rules are present in the policy. The
2657
default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
2658
(including the case where there are also no Ingress rules) \n
2659
- [ PolicyTypeEgress ], if there are Egress rules but no Ingress
2660
rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
2661
both Ingress and Egress rules. \n When the policy is read back again,
2662
Types will always be one of these values, never empty or nil."
2664
description: PolicyType enumerates the possible values of the PolicySpec
2680
apiVersion: apiextensions.k8s.io/v1
2681
kind: CustomResourceDefinition
2683
name: globalnetworksets.crd.projectcalico.org
2685
group: crd.projectcalico.org
2687
kind: GlobalNetworkSet
2688
listKind: GlobalNetworkSetList
2689
plural: globalnetworksets
2690
singular: globalnetworkset
2691
preserveUnknownFields: false
2697
description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
2698
that share labels to allow rules to refer to them via selectors. The labels
2699
of GlobalNetworkSet are not namespaced.
2702
description: 'APIVersion defines the versioned schema of this representation
2703
of an object. Servers should convert recognized schemas to the latest
2704
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2707
description: 'Kind is a string value representing the REST resource this
2708
object represents. Servers may infer this from the endpoint the client
2709
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2714
description: GlobalNetworkSetSpec contains the specification for a NetworkSet
2718
description: The list of IP networks that belong to this set.
2734
apiVersion: apiextensions.k8s.io/v1
2735
kind: CustomResourceDefinition
2737
name: hostendpoints.crd.projectcalico.org
2739
group: crd.projectcalico.org
2742
listKind: HostEndpointList
2743
plural: hostendpoints
2744
singular: hostendpoint
2745
preserveUnknownFields: false
2753
description: 'APIVersion defines the versioned schema of this representation
2754
of an object. Servers should convert recognized schemas to the latest
2755
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2758
description: 'Kind is a string value representing the REST resource this
2759
object represents. Servers may infer this from the endpoint the client
2760
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2765
description: HostEndpointSpec contains the specification for a HostEndpoint
2769
description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
2770
If \"InterfaceName\" is not present, Calico will look for an interface
2771
matching any of the IPs in the list and apply policy to that. Note:
2772
\tWhen using the selector match criteria in an ingress or egress
2773
security Policy \tor Profile, Calico converts the selector into
2774
a set of IP addresses. For host \tendpoints, the ExpectedIPs field
2775
is used for that purpose. (If only the interface \tname is specified,
2776
Calico does not learn the IPs of the interface for use in match
2782
description: "Either \"*\", or the name of a specific Linux interface
2783
to apply policy to; or empty. \"*\" indicates that this HostEndpoint
2784
governs all traffic to, from or through the default network namespace
2785
of the host named by the \"Node\" field; entering and leaving that
2786
namespace via any interface, including those from/to non-host-networked
2787
local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
2788
only governs traffic that enters or leaves the host through the
2789
specific interface named by InterfaceName, or - when InterfaceName
2790
is empty - through the specific interface that has one of the IPs
2791
in ExpectedIPs. Therefore, when InterfaceName is empty, at least
2792
one expected IP must be specified. Only external interfaces (such
2793
as \"eth0\") are supported here; it isn't possible for a HostEndpoint
2794
to protect traffic through a specific local workload interface.
2795
\n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
2796
initially just pre-DNAT policy. Please check Calico documentation
2797
for the latest position."
2800
description: The node name identifying the Calico node instance.
2803
description: Ports contains the endpoint's named ports, which may
2804
be referenced in security policy rules.
2816
x-kubernetes-int-or-string: true
2824
description: A list of identifiers of security Profile objects that
2825
apply to this endpoint. Each profile is applied in the order that
2826
they appear in this list. Profile rules are applied after the selector-based
2843
apiVersion: apiextensions.k8s.io/v1
2844
kind: CustomResourceDefinition
2846
name: ipamblocks.crd.projectcalico.org
2848
group: crd.projectcalico.org
2851
listKind: IPAMBlockList
2854
preserveUnknownFields: false
2862
description: 'APIVersion defines the versioned schema of this representation
2863
of an object. Servers should convert recognized schemas to the latest
2864
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2867
description: 'Kind is a string value representing the REST resource this
2868
object represents. Servers may infer this from the endpoint the client
2869
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2874
description: IPAMBlockSpec contains the specification for an IPAMBlock
2878
description: Affinity of the block, if this block has one. If set,
2879
it will be of the form "host:<hostname>". If not set, this block
2880
is not affine to a host.
2883
description: Array of allocations in-use within this block. nil entries
2884
mean the allocation is free. For non-nil entries at index i, the
2885
index is the ordinal of the allocation within this block and the
2886
value is the index of the associated attributes in the Attributes
2895
description: Attributes is an array of arbitrary metadata associated
2896
with allocations in the block. To find attributes for a given allocation,
2897
use the value of the allocation's entry in the Allocations array
2898
as the index of the element in this array.
2904
additionalProperties:
2910
description: The block's CIDR.
2913
description: Deleted is an internal boolean used to workaround a limitation
2914
in the Kubernetes API whereby deletion will not return a conflict
2915
error if the block has been updated. It should not be set manually.
2919
description: We store a sequence number that is updated each time
2920
the block is written. Each allocation will also store the sequence
2921
number of the block at the time of its creation. When releasing
2922
an IP, passing the sequence number associated with the allocation
2923
allows us to protect against a race condition and ensure the IP
2924
hasn't been released and re-allocated since the release request.
2927
sequenceNumberForAllocation:
2928
additionalProperties:
2931
description: Map of allocated ordinal within the block to sequence
2932
number of the block at the time of allocation. Kubernetes does not
2933
allow numerical keys for maps, so the key is cast to a string.
2936
description: StrictAffinity on the IPAMBlock is deprecated and no
2937
longer used by the code. Use IPAMConfig StrictAffinity instead.
2940
description: Unallocated is an ordered list of allocations which are
2963
apiVersion: apiextensions.k8s.io/v1
2964
kind: CustomResourceDefinition
2966
name: ipamconfigs.crd.projectcalico.org
2968
group: crd.projectcalico.org
2971
listKind: IPAMConfigList
2973
singular: ipamconfig
2974
preserveUnknownFields: false
2982
description: 'APIVersion defines the versioned schema of this representation
2983
of an object. Servers should convert recognized schemas to the latest
2984
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2987
description: 'Kind is a string value representing the REST resource this
2988
object represents. Servers may infer this from the endpoint the client
2989
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
2994
description: IPAMConfigSpec contains the specification for an IPAMConfig
3000
description: MaxBlocksPerHost, if non-zero, is the max number of blocks
3001
that can be affine to each host.
3008
- autoAllocateBlocks
3022
apiVersion: apiextensions.k8s.io/v1
3023
kind: CustomResourceDefinition
3025
name: ipamhandles.crd.projectcalico.org
3027
group: crd.projectcalico.org
3030
listKind: IPAMHandleList
3032
singular: ipamhandle
3033
preserveUnknownFields: false
3041
description: 'APIVersion defines the versioned schema of this representation
3042
of an object. Servers should convert recognized schemas to the latest
3043
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3046
description: 'Kind is a string value representing the REST resource this
3047
object represents. Servers may infer this from the endpoint the client
3048
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3053
description: IPAMHandleSpec contains the specification for an IPAMHandle
3057
additionalProperties:
3079
apiVersion: apiextensions.k8s.io/v1
3080
kind: CustomResourceDefinition
3082
name: ippools.crd.projectcalico.org
3084
group: crd.projectcalico.org
3087
listKind: IPPoolList
3090
preserveUnknownFields: false
3098
description: 'APIVersion defines the versioned schema of this representation
3099
of an object. Servers should convert recognized schemas to the latest
3100
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3103
description: 'Kind is a string value representing the REST resource this
3104
object represents. Servers may infer this from the endpoint the client
3105
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3110
description: IPPoolSpec contains the specification for an IPPool resource.
3113
description: AllowedUse controls what the IP pool will be used for. If
3114
not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
3119
description: The block size to use for IP address assignments from
3120
this pool. Defaults to 26 for IPv4 and 122 for IPv6.
3123
description: The pool CIDR.
3126
description: 'Disable exporting routes from this IP Pool''s CIDR over
3127
BGP. [Default: false]'
3130
description: When disabled is true, Calico IPAM will not assign addresses
3134
description: 'Deprecated: this field is only used for APIv1 backwards
3135
compatibility. Setting this field is not allowed, this field is
3136
for internal use only.'
3139
description: When enabled is true, ipip tunneling will be used
3140
to deliver packets to destinations within this pool.
3143
description: The IPIP mode. This can be one of "always" or "cross-subnet". A
3144
mode of "always" will also use IPIP tunneling for routing to
3145
destination IP addresses within this pool. A mode of "cross-subnet"
3146
will only use IPIP tunneling when the destination node is on
3147
a different subnet to the originating node. The default value
3148
(if not specified) is "always".
3152
description: Contains configuration for IPIP tunneling for this pool.
3153
If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
3157
description: 'Deprecated: this field is only used for APIv1 backwards
3158
compatibility. Setting this field is not allowed, this field is
3159
for internal use only.'
3162
description: When natOutgoing is true, packets sent from Calico networked
3163
containers in this pool to destinations outside of this pool will
3167
description: Allows IPPool to allocate for a specific node by label
3171
description: Contains configuration for VXLAN tunneling for this pool.
3172
If not specified, then this is defaulted to "Never" (i.e. VXLAN
3173
tunneling is disabled).
3189
apiVersion: apiextensions.k8s.io/v1
3190
kind: CustomResourceDefinition
3193
controller-gen.kubebuilder.io/version: (devel)
3194
creationTimestamp: null
3195
name: ipreservations.crd.projectcalico.org
3197
group: crd.projectcalico.org
3200
listKind: IPReservationList
3201
plural: ipreservations
3202
singular: ipreservation
3203
preserveUnknownFields: false
3211
description: 'APIVersion defines the versioned schema of this representation
3212
of an object. Servers should convert recognized schemas to the latest
3213
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3216
description: 'Kind is a string value representing the REST resource this
3217
object represents. Servers may infer this from the endpoint the client
3218
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3223
description: IPReservationSpec contains the specification for an IPReservation
3227
description: ReservedCIDRs is a list of CIDRs and/or IP addresses
3228
that Calico IPAM will exclude from new allocations.
3244
apiVersion: apiextensions.k8s.io/v1
3245
kind: CustomResourceDefinition
3247
name: kubecontrollersconfigurations.crd.projectcalico.org
3249
group: crd.projectcalico.org
3251
kind: KubeControllersConfiguration
3252
listKind: KubeControllersConfigurationList
3253
plural: kubecontrollersconfigurations
3254
singular: kubecontrollersconfiguration
3255
preserveUnknownFields: false
3263
description: 'APIVersion defines the versioned schema of this representation
3264
of an object. Servers should convert recognized schemas to the latest
3265
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3268
description: 'Kind is a string value representing the REST resource this
3269
object represents. Servers may infer this from the endpoint the client
3270
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3275
description: KubeControllersConfigurationSpec contains the values of the
3276
Kubernetes controllers configuration.
3279
description: Controllers enables and configures individual Kubernetes
3283
description: Namespace enables and configures the namespace controller.
3284
Enabled by default, set to nil to disable.
3287
description: 'ReconcilerPeriod is the period to perform reconciliation
3288
with the Calico datastore. [Default: 5m]'
3292
description: Node enables and configures the node controller.
3293
Enabled by default, set to nil to disable.
3296
description: HostEndpoint controls syncing nodes to host endpoints.
3297
Disabled by default, set to nil to disable.
3300
description: 'AutoCreate enables automatic creation of
3301
host endpoints for every node. [Default: Disabled]'
3305
description: 'LeakGracePeriod is the period used by the controller
3306
to determine if an IP address has been leaked. Set to 0
3307
to disable IP garbage collection. [Default: 15m]'
3310
description: 'ReconcilerPeriod is the period to perform reconciliation
3311
with the Calico datastore. [Default: 5m]'
3314
description: 'SyncLabels controls whether to copy Kubernetes
3315
node labels to Calico nodes. [Default: Enabled]'
3319
description: Policy enables and configures the policy controller.
3320
Enabled by default, set to nil to disable.
3323
description: 'ReconcilerPeriod is the period to perform reconciliation
3324
with the Calico datastore. [Default: 5m]'
3328
description: ServiceAccount enables and configures the service
3329
account controller. Enabled by default, set to nil to disable.
3332
description: 'ReconcilerPeriod is the period to perform reconciliation
3333
with the Calico datastore. [Default: 5m]'
3337
description: WorkloadEndpoint enables and configures the workload
3338
endpoint controller. Enabled by default, set to nil to disable.
3341
description: 'ReconcilerPeriod is the period to perform reconciliation
3342
with the Calico datastore. [Default: 5m]'
3347
description: DebugProfilePort configures the port to serve memory
3348
and cpu profiles on. If not specified, profiling is disabled.
3351
etcdV3CompactionPeriod:
3352
description: 'EtcdV3CompactionPeriod is the period between etcdv3
3353
compaction requests. Set to 0 to disable. [Default: 10m]'
3356
description: 'HealthChecks enables or disables support for health
3357
checks [Default: Enabled]'
3360
description: 'LogSeverityScreen is the log severity above which logs
3361
are sent to the stdout. [Default: Info]'
3363
prometheusMetricsPort:
3364
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
3365
metrics server should bind to. Set to 0 to disable. [Default: 9094]'
3371
description: KubeControllersConfigurationStatus represents the status
3372
of the configuration. It's useful for admins to be able to see the actual
3373
config that was applied, which can be modified by environment variables
3374
on the kube-controllers process.
3377
additionalProperties:
3379
description: EnvironmentVars contains the environment variables on
3380
the kube-controllers that influenced the RunningConfig.
3383
description: RunningConfig contains the effective config that is running
3384
in the kube-controllers pod, after merging the API resource with
3385
any environment variables.
3388
description: Controllers enables and configures individual Kubernetes
3392
description: Namespace enables and configures the namespace
3393
controller. Enabled by default, set to nil to disable.
3396
description: 'ReconcilerPeriod is the period to perform
3397
reconciliation with the Calico datastore. [Default:
3402
description: Node enables and configures the node controller.
3403
Enabled by default, set to nil to disable.
3406
description: HostEndpoint controls syncing nodes to host
3407
endpoints. Disabled by default, set to nil to disable.
3410
description: 'AutoCreate enables automatic creation
3411
of host endpoints for every node. [Default: Disabled]'
3415
description: 'LeakGracePeriod is the period used by the
3416
controller to determine if an IP address has been leaked.
3417
Set to 0 to disable IP garbage collection. [Default:
3421
description: 'ReconcilerPeriod is the period to perform
3422
reconciliation with the Calico datastore. [Default:
3426
description: 'SyncLabels controls whether to copy Kubernetes
3427
node labels to Calico nodes. [Default: Enabled]'
3431
description: Policy enables and configures the policy controller.
3432
Enabled by default, set to nil to disable.
3435
description: 'ReconcilerPeriod is the period to perform
3436
reconciliation with the Calico datastore. [Default:
3441
description: ServiceAccount enables and configures the service
3442
account controller. Enabled by default, set to nil to disable.
3445
description: 'ReconcilerPeriod is the period to perform
3446
reconciliation with the Calico datastore. [Default:
3451
description: WorkloadEndpoint enables and configures the workload
3452
endpoint controller. Enabled by default, set to nil to disable.
3455
description: 'ReconcilerPeriod is the period to perform
3456
reconciliation with the Calico datastore. [Default:
3462
description: DebugProfilePort configures the port to serve memory
3463
and cpu profiles on. If not specified, profiling is disabled.
3466
etcdV3CompactionPeriod:
3467
description: 'EtcdV3CompactionPeriod is the period between etcdv3
3468
compaction requests. Set to 0 to disable. [Default: 10m]'
3471
description: 'HealthChecks enables or disables support for health
3472
checks [Default: Enabled]'
3475
description: 'LogSeverityScreen is the log severity above which
3476
logs are sent to the stdout. [Default: Info]'
3478
prometheusMetricsPort:
3479
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
3480
metrics server should bind to. Set to 0 to disable. [Default:
3498
apiVersion: apiextensions.k8s.io/v1
3499
kind: CustomResourceDefinition
3501
name: networkpolicies.crd.projectcalico.org
3503
group: crd.projectcalico.org
3506
listKind: NetworkPolicyList
3507
plural: networkpolicies
3508
singular: networkpolicy
3509
preserveUnknownFields: false
3517
description: 'APIVersion defines the versioned schema of this representation
3518
of an object. Servers should convert recognized schemas to the latest
3519
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3522
description: 'Kind is a string value representing the REST resource this
3523
object represents. Servers may infer this from the endpoint the client
3524
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
3531
description: The ordered set of egress rules. Each rule contains
3532
a set of packet match criteria and a corresponding action to apply.
3534
description: "A Rule encapsulates a set of match criteria and an
3535
action. Both selector-based security Policy and security Profiles
3536
reference rules - separated out as a list of rules for both ingress
3537
and egress packet matching. \n Each positive match criteria has
3538
a negated version, prefixed with \"Not\". All the match criteria
3539
within a rule must be satisfied for a packet to match. A single
3540
rule can contain the positive and negative version of a match
3541
and both must be satisfied for the rule to match."
3546
description: Destination contains the match criteria that apply
3547
to destination entity.
3550
description: "NamespaceSelector is an optional field that
3551
contains a selector expression. Only traffic that originates
3552
from (or terminates at) endpoints within the selected
3553
namespaces will be matched. When both NamespaceSelector
3554
and another selector are defined on the same rule, then
3555
only workload endpoints that are matched by both selectors
3556
will be selected by the rule. \n For NetworkPolicy, an
3557
empty NamespaceSelector implies that the Selector is limited
3558
to selecting only workload endpoints in the same namespace
3559
as the NetworkPolicy. \n For NetworkPolicy, `global()`
3560
NamespaceSelector implies that the Selector is limited
3561
to selecting only GlobalNetworkSet or HostEndpoint. \n
3562
For GlobalNetworkPolicy, an empty NamespaceSelector implies
3563
the Selector applies to workload endpoints across all
3567
description: Nets is an optional field that restricts the
3568
rule to only apply to traffic that originates from (or
3569
terminates at) IP addresses in any of the given subnets.
3574
description: NotNets is the negated version of the Nets
3580
description: NotPorts is the negated version of the Ports
3581
field. Since only some protocols have ports, if any ports
3582
are specified it requires the Protocol match in the Rule
3583
to be set to "TCP" or "UDP".
3589
x-kubernetes-int-or-string: true
3592
description: NotSelector is the negated version of the Selector
3593
field. See Selector field for subtleties with negated
3597
description: "Ports is an optional field that restricts
3598
the rule to only apply to traffic that has a source (destination)
3599
port that matches one of these ranges/values. This value
3600
is a list of integers or strings that represent ranges
3601
of ports. \n Since only some protocols have ports, if
3602
any ports are specified it requires the Protocol match
3603
in the Rule to be set to \"TCP\" or \"UDP\"."
3609
x-kubernetes-int-or-string: true
3612
description: "Selector is an optional field that contains
3613
a selector expression (see Policy for sample syntax).
3614
\ Only traffic that originates from (terminates at) endpoints
3615
matching the selector will be matched. \n Note that: in
3616
addition to the negated version of the Selector (see NotSelector
3617
below), the selector expression syntax itself supports
3618
negation. The two types of negation are subtly different.
3619
One negates the set of matched endpoints, the other negates
3620
the whole match: \n \tSelector = \"!has(my_label)\" matches
3621
packets that are from other Calico-controlled \tendpoints
3622
that do not have the label \"my_label\". \n \tNotSelector
3623
= \"has(my_label)\" matches packets that are not from
3624
Calico-controlled \tendpoints that do have the label \"my_label\".
3625
\n The effect is that the latter will accept packets from
3626
non-Calico sources whereas the former is limited to packets
3627
from Calico-controlled endpoints."
3630
description: ServiceAccounts is an optional field that restricts
3631
the rule to only apply to traffic that originates from
3632
(or terminates at) a pod running as a matching service
3636
description: Names is an optional field that restricts
3637
the rule to only apply to traffic that originates
3638
from (or terminates at) a pod running as a service
3639
account whose name is in the list.
3644
description: Selector is an optional field that restricts
3645
the rule to only apply to traffic that originates
3646
from (or terminates at) a pod running as a service
3647
account that matches the given label selector. If
3648
both Names and Selector are specified then they are
3653
description: "Services is an optional field that contains
3654
options for matching Kubernetes Services. If specified,
3655
only traffic that originates from or terminates at endpoints
3656
within the selected service(s) will be matched, and only
3657
to/from each endpoint's port. \n Services cannot be specified
3658
on the same rule as Selector, NotSelector, NamespaceSelector,
3659
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3660
can only be specified with Services on ingress rules."
3663
description: Name specifies the name of a Kubernetes
3667
description: Namespace specifies the namespace of the
3668
given Service. If left empty, the rule will match
3669
within this policy's namespace.
3674
description: HTTP contains match criteria that apply to HTTP
3678
description: Methods is an optional field that restricts
3679
the rule to apply only to HTTP requests that use one of
3680
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
3681
methods are OR'd together.
3686
description: 'Paths is an optional field that restricts
3687
the rule to apply to HTTP requests that use one of the
3688
listed HTTP Paths. Multiple paths are OR''d together.
3689
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
3690
ONLY specify either a `exact` or a `prefix` match. The
3691
validator will check for it.'
3693
description: 'HTTPPath specifies an HTTP path to match.
3694
It may be either of the form: exact: <path>: which matches
3695
the path exactly or prefix: <path-prefix>: which matches
3706
description: ICMP is an optional field that restricts the rule
3707
to apply to a specific type and code of ICMP traffic. This
3708
should only be specified if the Protocol field is set to "ICMP"
3712
description: Match on a specific ICMP code. If specified,
3713
the Type value must also be specified. This is a technical
3714
limitation imposed by the kernel's iptables firewall,
3715
which Calico uses to enforce the rule.
3718
description: Match on a specific ICMP type. For example
3719
a value of 8 refers to ICMP Echo Request (i.e. pings).
3723
description: IPVersion is an optional field that restricts the
3724
rule to only match a specific IP version.
3727
description: Metadata contains additional information for this
3731
additionalProperties:
3733
description: Annotations is a set of key value pairs that
3734
give extra information about the rule
3738
description: NotICMP is the negated version of the ICMP field.
3741
description: Match on a specific ICMP code. If specified,
3742
the Type value must also be specified. This is a technical
3743
limitation imposed by the kernel's iptables firewall,
3744
which Calico uses to enforce the rule.
3747
description: Match on a specific ICMP type. For example
3748
a value of 8 refers to ICMP Echo Request (i.e. pings).
3755
description: NotProtocol is the negated version of the Protocol
3758
x-kubernetes-int-or-string: true
3763
description: "Protocol is an optional field that restricts the
3764
rule to only apply to traffic of a specific IP protocol. Required
3765
if any of the EntityRules contain Ports (because ports only
3766
apply to certain protocols). \n Must be one of these string
3767
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3768
\"UDPLite\" or an integer in the range 1-255."
3770
x-kubernetes-int-or-string: true
3772
description: Source contains the match criteria that apply to
3776
description: "NamespaceSelector is an optional field that
3777
contains a selector expression. Only traffic that originates
3778
from (or terminates at) endpoints within the selected
3779
namespaces will be matched. When both NamespaceSelector
3780
and another selector are defined on the same rule, then
3781
only workload endpoints that are matched by both selectors
3782
will be selected by the rule. \n For NetworkPolicy, an
3783
empty NamespaceSelector implies that the Selector is limited
3784
to selecting only workload endpoints in the same namespace
3785
as the NetworkPolicy. \n For NetworkPolicy, `global()`
3786
NamespaceSelector implies that the Selector is limited
3787
to selecting only GlobalNetworkSet or HostEndpoint. \n
3788
For GlobalNetworkPolicy, an empty NamespaceSelector implies
3789
the Selector applies to workload endpoints across all
3793
description: Nets is an optional field that restricts the
3794
rule to only apply to traffic that originates from (or
3795
terminates at) IP addresses in any of the given subnets.
3800
description: NotNets is the negated version of the Nets
3806
description: NotPorts is the negated version of the Ports
3807
field. Since only some protocols have ports, if any ports
3808
are specified it requires the Protocol match in the Rule
3809
to be set to "TCP" or "UDP".
3815
x-kubernetes-int-or-string: true
3818
description: NotSelector is the negated version of the Selector
3819
field. See Selector field for subtleties with negated
3823
description: "Ports is an optional field that restricts
3824
the rule to only apply to traffic that has a source (destination)
3825
port that matches one of these ranges/values. This value
3826
is a list of integers or strings that represent ranges
3827
of ports. \n Since only some protocols have ports, if
3828
any ports are specified it requires the Protocol match
3829
in the Rule to be set to \"TCP\" or \"UDP\"."
3835
x-kubernetes-int-or-string: true
3838
description: "Selector is an optional field that contains
3839
a selector expression (see Policy for sample syntax).
3840
\ Only traffic that originates from (terminates at) endpoints
3841
matching the selector will be matched. \n Note that: in
3842
addition to the negated version of the Selector (see NotSelector
3843
below), the selector expression syntax itself supports
3844
negation. The two types of negation are subtly different.
3845
One negates the set of matched endpoints, the other negates
3846
the whole match: \n \tSelector = \"!has(my_label)\" matches
3847
packets that are from other Calico-controlled \tendpoints
3848
that do not have the label \"my_label\". \n \tNotSelector
3849
= \"has(my_label)\" matches packets that are not from
3850
Calico-controlled \tendpoints that do have the label \"my_label\".
3851
\n The effect is that the latter will accept packets from
3852
non-Calico sources whereas the former is limited to packets
3853
from Calico-controlled endpoints."
3856
description: ServiceAccounts is an optional field that restricts
3857
the rule to only apply to traffic that originates from
3858
(or terminates at) a pod running as a matching service
3862
description: Names is an optional field that restricts
3863
the rule to only apply to traffic that originates
3864
from (or terminates at) a pod running as a service
3865
account whose name is in the list.
3870
description: Selector is an optional field that restricts
3871
the rule to only apply to traffic that originates
3872
from (or terminates at) a pod running as a service
3873
account that matches the given label selector. If
3874
both Names and Selector are specified then they are
3879
description: "Services is an optional field that contains
3880
options for matching Kubernetes Services. If specified,
3881
only traffic that originates from or terminates at endpoints
3882
within the selected service(s) will be matched, and only
3883
to/from each endpoint's port. \n Services cannot be specified
3884
on the same rule as Selector, NotSelector, NamespaceSelector,
3885
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
3886
can only be specified with Services on ingress rules."
3889
description: Name specifies the name of a Kubernetes
3893
description: Namespace specifies the namespace of the
3894
given Service. If left empty, the rule will match
3895
within this policy's namespace.
3904
description: The ordered set of ingress rules. Each rule contains
3905
a set of packet match criteria and a corresponding action to apply.
3907
description: "A Rule encapsulates a set of match criteria and an
3908
action. Both selector-based security Policy and security Profiles
3909
reference rules - separated out as a list of rules for both ingress
3910
and egress packet matching. \n Each positive match criteria has
3911
a negated version, prefixed with \"Not\". All the match criteria
3912
within a rule must be satisfied for a packet to match. A single
3913
rule can contain the positive and negative version of a match
3914
and both must be satisfied for the rule to match."
3919
description: Destination contains the match criteria that apply
3920
to destination entity.
3923
description: "NamespaceSelector is an optional field that
3924
contains a selector expression. Only traffic that originates
3925
from (or terminates at) endpoints within the selected
3926
namespaces will be matched. When both NamespaceSelector
3927
and another selector are defined on the same rule, then
3928
only workload endpoints that are matched by both selectors
3929
will be selected by the rule. \n For NetworkPolicy, an
3930
empty NamespaceSelector implies that the Selector is limited
3931
to selecting only workload endpoints in the same namespace
3932
as the NetworkPolicy. \n For NetworkPolicy, `global()`
3933
NamespaceSelector implies that the Selector is limited
3934
to selecting only GlobalNetworkSet or HostEndpoint. \n
3935
For GlobalNetworkPolicy, an empty NamespaceSelector implies
3936
the Selector applies to workload endpoints across all
3940
description: Nets is an optional field that restricts the
3941
rule to only apply to traffic that originates from (or
3942
terminates at) IP addresses in any of the given subnets.
3947
description: NotNets is the negated version of the Nets
3953
description: NotPorts is the negated version of the Ports
3954
field. Since only some protocols have ports, if any ports
3955
are specified it requires the Protocol match in the Rule
3956
to be set to "TCP" or "UDP".
3962
x-kubernetes-int-or-string: true
3965
description: NotSelector is the negated version of the Selector
3966
field. See Selector field for subtleties with negated
3970
description: "Ports is an optional field that restricts
3971
the rule to only apply to traffic that has a source (destination)
3972
port that matches one of these ranges/values. This value
3973
is a list of integers or strings that represent ranges
3974
of ports. \n Since only some protocols have ports, if
3975
any ports are specified it requires the Protocol match
3976
in the Rule to be set to \"TCP\" or \"UDP\"."
3982
x-kubernetes-int-or-string: true
3985
description: "Selector is an optional field that contains
3986
a selector expression (see Policy for sample syntax).
3987
\ Only traffic that originates from (terminates at) endpoints
3988
matching the selector will be matched. \n Note that: in
3989
addition to the negated version of the Selector (see NotSelector
3990
below), the selector expression syntax itself supports
3991
negation. The two types of negation are subtly different.
3992
One negates the set of matched endpoints, the other negates
3993
the whole match: \n \tSelector = \"!has(my_label)\" matches
3994
packets that are from other Calico-controlled \tendpoints
3995
that do not have the label \"my_label\". \n \tNotSelector
3996
= \"has(my_label)\" matches packets that are not from
3997
Calico-controlled \tendpoints that do have the label \"my_label\".
3998
\n The effect is that the latter will accept packets from
3999
non-Calico sources whereas the former is limited to packets
4000
from Calico-controlled endpoints."
4003
description: ServiceAccounts is an optional field that restricts
4004
the rule to only apply to traffic that originates from
4005
(or terminates at) a pod running as a matching service
4009
description: Names is an optional field that restricts
4010
the rule to only apply to traffic that originates
4011
from (or terminates at) a pod running as a service
4012
account whose name is in the list.
4017
description: Selector is an optional field that restricts
4018
the rule to only apply to traffic that originates
4019
from (or terminates at) a pod running as a service
4020
account that matches the given label selector. If
4021
both Names and Selector are specified then they are
4026
description: "Services is an optional field that contains
4027
options for matching Kubernetes Services. If specified,
4028
only traffic that originates from or terminates at endpoints
4029
within the selected service(s) will be matched, and only
4030
to/from each endpoint's port. \n Services cannot be specified
4031
on the same rule as Selector, NotSelector, NamespaceSelector,
4032
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
4033
can only be specified with Services on ingress rules."
4036
description: Name specifies the name of a Kubernetes
4040
description: Namespace specifies the namespace of the
4041
given Service. If left empty, the rule will match
4042
within this policy's namespace.
4047
description: HTTP contains match criteria that apply to HTTP
4051
description: Methods is an optional field that restricts
4052
the rule to apply only to HTTP requests that use one of
4053
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
4054
methods are OR'd together.
4059
description: 'Paths is an optional field that restricts
4060
the rule to apply to HTTP requests that use one of the
4061
listed HTTP Paths. Multiple paths are OR''d together.
4062
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
4063
ONLY specify either a `exact` or a `prefix` match. The
4064
validator will check for it.'
4066
description: 'HTTPPath specifies an HTTP path to match.
4067
It may be either of the form: exact: <path>: which matches
4068
the path exactly or prefix: <path-prefix>: which matches
4079
description: ICMP is an optional field that restricts the rule
4080
to apply to a specific type and code of ICMP traffic. This
4081
should only be specified if the Protocol field is set to "ICMP"
4085
description: Match on a specific ICMP code. If specified,
4086
the Type value must also be specified. This is a technical
4087
limitation imposed by the kernel's iptables firewall,
4088
which Calico uses to enforce the rule.
4091
description: Match on a specific ICMP type. For example
4092
a value of 8 refers to ICMP Echo Request (i.e. pings).
4096
description: IPVersion is an optional field that restricts the
4097
rule to only match a specific IP version.
4100
description: Metadata contains additional information for this
4104
additionalProperties:
4106
description: Annotations is a set of key value pairs that
4107
give extra information about the rule
4111
description: NotICMP is the negated version of the ICMP field.
4114
description: Match on a specific ICMP code. If specified,
4115
the Type value must also be specified. This is a technical
4116
limitation imposed by the kernel's iptables firewall,
4117
which Calico uses to enforce the rule.
4120
description: Match on a specific ICMP type. For example
4121
a value of 8 refers to ICMP Echo Request (i.e. pings).
4128
description: NotProtocol is the negated version of the Protocol
4131
x-kubernetes-int-or-string: true
4136
description: "Protocol is an optional field that restricts the
4137
rule to only apply to traffic of a specific IP protocol. Required
4138
if any of the EntityRules contain Ports (because ports only
4139
apply to certain protocols). \n Must be one of these string
4140
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
4141
\"UDPLite\" or an integer in the range 1-255."
4143
x-kubernetes-int-or-string: true
4145
description: Source contains the match criteria that apply to
4149
description: "NamespaceSelector is an optional field that
4150
contains a selector expression. Only traffic that originates
4151
from (or terminates at) endpoints within the selected
4152
namespaces will be matched. When both NamespaceSelector
4153
and another selector are defined on the same rule, then
4154
only workload endpoints that are matched by both selectors
4155
will be selected by the rule. \n For NetworkPolicy, an
4156
empty NamespaceSelector implies that the Selector is limited
4157
to selecting only workload endpoints in the same namespace
4158
as the NetworkPolicy. \n For NetworkPolicy, `global()`
4159
NamespaceSelector implies that the Selector is limited
4160
to selecting only GlobalNetworkSet or HostEndpoint. \n
4161
For GlobalNetworkPolicy, an empty NamespaceSelector implies
4162
the Selector applies to workload endpoints across all
4166
description: Nets is an optional field that restricts the
4167
rule to only apply to traffic that originates from (or
4168
terminates at) IP addresses in any of the given subnets.
4173
description: NotNets is the negated version of the Nets
4179
description: NotPorts is the negated version of the Ports
4180
field. Since only some protocols have ports, if any ports
4181
are specified it requires the Protocol match in the Rule
4182
to be set to "TCP" or "UDP".
4188
x-kubernetes-int-or-string: true
4191
description: NotSelector is the negated version of the Selector
4192
field. See Selector field for subtleties with negated
4196
description: "Ports is an optional field that restricts
4197
the rule to only apply to traffic that has a source (destination)
4198
port that matches one of these ranges/values. This value
4199
is a list of integers or strings that represent ranges
4200
of ports. \n Since only some protocols have ports, if
4201
any ports are specified it requires the Protocol match
4202
in the Rule to be set to \"TCP\" or \"UDP\"."
4208
x-kubernetes-int-or-string: true
4211
description: "Selector is an optional field that contains
4212
a selector expression (see Policy for sample syntax).
4213
\ Only traffic that originates from (terminates at) endpoints
4214
matching the selector will be matched. \n Note that: in
4215
addition to the negated version of the Selector (see NotSelector
4216
below), the selector expression syntax itself supports
4217
negation. The two types of negation are subtly different.
4218
One negates the set of matched endpoints, the other negates
4219
the whole match: \n \tSelector = \"!has(my_label)\" matches
4220
packets that are from other Calico-controlled \tendpoints
4221
that do not have the label \"my_label\". \n \tNotSelector
4222
= \"has(my_label)\" matches packets that are not from
4223
Calico-controlled \tendpoints that do have the label \"my_label\".
4224
\n The effect is that the latter will accept packets from
4225
non-Calico sources whereas the former is limited to packets
4226
from Calico-controlled endpoints."
4229
description: ServiceAccounts is an optional field that restricts
4230
the rule to only apply to traffic that originates from
4231
(or terminates at) a pod running as a matching service
4235
description: Names is an optional field that restricts
4236
the rule to only apply to traffic that originates
4237
from (or terminates at) a pod running as a service
4238
account whose name is in the list.
4243
description: Selector is an optional field that restricts
4244
the rule to only apply to traffic that originates
4245
from (or terminates at) a pod running as a service
4246
account that matches the given label selector. If
4247
both Names and Selector are specified then they are
4252
description: "Services is an optional field that contains
4253
options for matching Kubernetes Services. If specified,
4254
only traffic that originates from or terminates at endpoints
4255
within the selected service(s) will be matched, and only
4256
to/from each endpoint's port. \n Services cannot be specified
4257
on the same rule as Selector, NotSelector, NamespaceSelector,
4258
Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
4259
can only be specified with Services on ingress rules."
4262
description: Name specifies the name of a Kubernetes
4266
description: Namespace specifies the namespace of the
4267
given Service. If left empty, the rule will match
4268
within this policy's namespace.
4277
description: Order is an optional field that specifies the order in
4278
which the policy is applied. Policies with higher "order" are applied
4279
after those with lower order. If the order is omitted, it may be
4280
considered to be "infinite" - i.e. the policy will be applied last. Policies
4281
with identical order will be applied in alphanumerical order based
4282
on the Policy "Name".
4285
description: "PerformanceHints contains a list of hints to Calico's
4286
policy engine to help process the policy more efficiently. Hints
4287
never change the enforcement behaviour of the policy. \n Currently,
4288
the only available hint is \"AssumeNeededOnEveryNode\". When that
4289
hint is set on a policy, Felix will act as if the policy matches
4290
a local endpoint even if it does not. This is useful for \"preloading\"
4291
any large static policies that are known to be used on every node.
4292
If the policy is _not_ used on a particular node then the work done
4293
to preload the policy (and to maintain it) is wasted."
4298
description: "The selector is an expression used to pick pick out
4299
the endpoints that the policy should be applied to. \n Selector
4300
expressions follow this syntax: \n \tlabel == \"string_literal\"
4301
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
4302
\ -> not equal; also matches if label is not present \tlabel in
4303
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is4304
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",4305
... } -> true if the value of label X is not one of \"a\", \"b\",
4306
\"c\" \thas(label_name) -> True if that label is present \t! expr
4307
-> negation of expr \texpr && expr -> Short-circuit and \texpr
4308
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
4309
or the empty selector -> matches all endpoints. \n Label names are
4310
allowed to contain alphanumerics, -, _ and /. String literals are
4311
more permissive but they do not support escape characters. \n Examples
4312
(with made-up labels): \n \ttype == \"webserver\" && deployment
4313
== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=4314
\"dev\" \t! has(label_name)"
4316
serviceAccountSelector:
4317
description: ServiceAccountSelector is an optional field for an expression
4318
used to select a pod based on service accounts.
4321
description: "Types indicates whether this policy applies to ingress,
4322
or to egress, or to both. When not explicitly specified (and so
4323
the value on creation is empty or nil), Calico defaults Types according
4324
to what Ingress and Egress are present in the policy. The default
4325
is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
4326
the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
4327
], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
4328
PolicyTypeEgress ], if there are both Ingress and Egress rules.
4329
\n When the policy is read back again, Types will always be one
4330
of these values, never empty or nil."
4332
description: PolicyType enumerates the possible values of the PolicySpec
4348
apiVersion: apiextensions.k8s.io/v1
4349
kind: CustomResourceDefinition
4351
name: networksets.crd.projectcalico.org
4353
group: crd.projectcalico.org
4356
listKind: NetworkSetList
4358
singular: networkset
4359
preserveUnknownFields: false
4365
description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
4368
description: 'APIVersion defines the versioned schema of this representation
4369
of an object. Servers should convert recognized schemas to the latest
4370
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
4373
description: 'Kind is a string value representing the REST resource this
4374
object represents. Servers may infer this from the endpoint the client
4375
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
4380
description: NetworkSetSpec contains the specification for a NetworkSet
4384
description: The list of IP networks that belong to this set.
4403
apiVersion: rbac.authorization.k8s.io/v1
4405
name: calico-kube-controllers
4424
- apiGroups: ["crd.projectcalico.org"]
4429
- apiGroups: ["crd.projectcalico.org"]
4442
- apiGroups: ["crd.projectcalico.org"]
4449
- apiGroups: ["crd.projectcalico.org"]
4459
- apiGroups: ["crd.projectcalico.org"]
4461
- clusterinformations
4469
- apiGroups: ["crd.projectcalico.org"]
4471
- kubecontrollersconfigurations
4486
apiVersion: rbac.authorization.k8s.io/v1
4493
- serviceaccounts/token
4508
- apiGroups: ["discovery.k8s.io"]
4539
- apiGroups: ["networking.k8s.io"]
4561
- apiGroups: ["crd.projectcalico.org"]
4563
- globalfelixconfigs
4564
- felixconfigurations
4572
- globalnetworkpolicies
4576
- clusterinformations
4579
- caliconodestatuses
4585
- apiGroups: ["crd.projectcalico.org"]
4588
- felixconfigurations
4589
- clusterinformations
4594
- apiGroups: [ "crd.projectcalico.org" ]
4596
- caliconodestatuses
4609
- apiGroups: ["crd.projectcalico.org"]
4617
- apiGroups: ["crd.projectcalico.org"]
4630
- apiGroups: ["crd.projectcalico.org"]
4637
- apiGroups: ["crd.projectcalico.org"]
4644
- apiGroups: ["apps"]
4653
apiVersion: rbac.authorization.k8s.io/v1
4655
name: calico-cni-plugin
4669
- apiGroups: ["crd.projectcalico.org"]
4674
- clusterinformations
4686
kind: ClusterRoleBinding
4687
apiVersion: rbac.authorization.k8s.io/v1
4689
name: calico-kube-controllers
4691
apiGroup: rbac.authorization.k8s.io
4693
name: calico-kube-controllers
4695
- kind: ServiceAccount
4696
name: calico-kube-controllers
4697
namespace: kube-system
4700
apiVersion: rbac.authorization.k8s.io/v1
4701
kind: ClusterRoleBinding
4705
apiGroup: rbac.authorization.k8s.io
4709
- kind: ServiceAccount
4711
namespace: kube-system
4714
apiVersion: rbac.authorization.k8s.io/v1
4715
kind: ClusterRoleBinding
4717
name: calico-cni-plugin
4719
apiGroup: rbac.authorization.k8s.io
4721
name: calico-cni-plugin
4723
- kind: ServiceAccount
4724
name: calico-cni-plugin
4725
namespace: kube-system
4735
namespace: kube-system
4737
k8s-app: calico-node
4741
k8s-app: calico-node
4749
k8s-app: calico-node
4752
kubernetes.io/os: linux
4756
- effect: NoSchedule
4759
- key: CriticalAddonsOnly
4763
serviceAccountName: calico-node
4766
terminationGracePeriodSeconds: 0
4767
priorityClassName: system-node-critical
4772
- name: upgrade-ipam
4773
image: gcr.io/istio-testing/calico/cni:v3.27.0
4774
imagePullPolicy: IfNotPresent
4775
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
4779
name: kubernetes-services-endpoint
4782
- name: KUBERNETES_NODE_NAME
4785
fieldPath: spec.nodeName
4786
- name: CALICO_NETWORKING_BACKEND
4792
- mountPath: /var/lib/cni/networks
4793
name: host-local-net-dir
4794
- mountPath: /host/opt/cni/bin
4801
image: gcr.io/istio-testing/calico/cni:v3.27.0
4802
imagePullPolicy: IfNotPresent
4803
command: ["/opt/cni/bin/install"]
4807
name: kubernetes-services-endpoint
4811
- name: CNI_CONF_NAME
4812
value: "10-calico.conflist"
4814
- name: CNI_NETWORK_CONFIG
4818
key: cni_network_config
4820
- name: KUBERNETES_NODE_NAME
4823
fieldPath: spec.nodeName
4834
- mountPath: /host/opt/cni/bin
4836
- mountPath: /host/etc/cni/net.d
4843
- name: "mount-bpffs"
4844
image: gcr.io/istio-testing/calico/node:v3.27.0
4845
imagePullPolicy: IfNotPresent
4846
command: ["calico-node", "-init", "-best-effort"]
4848
- mountPath: /sys/fs
4852
mountPropagation: Bidirectional
4853
- mountPath: /var/run/calico
4854
name: var-run-calico
4857
mountPropagation: Bidirectional
4860
- mountPath: /nodeproc
4870
image: gcr.io/istio-testing/calico/node:v3.27.0
4871
imagePullPolicy: IfNotPresent
4875
name: kubernetes-services-endpoint
4879
- name: DATASTORE_TYPE
4882
- name: WAIT_FOR_DATASTORE
4888
fieldPath: spec.nodeName
4890
- name: CALICO_NETWORKING_BACKEND
4896
- name: CLUSTER_TYPE
4902
- name: CALICO_IPV4POOL_IPIP
4905
- name: CALICO_IPV4POOL_VXLAN
4908
- name: CALICO_IPV6POOL_VXLAN
4911
- name: FELIX_IPINIPMTU
4917
- name: FELIX_VXLANMTU
4923
- name: FELIX_WIREGUARDMTU
4934
- name: CALICO_DISABLE_FILE_LOGGING
4937
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
4940
- name: FELIX_IPV6SUPPORT
4942
- name: FELIX_HEALTHENABLED
4962
initialDelaySeconds: 10
4975
- mountPath: /host/etc/cni/net.d
4978
- mountPath: /lib/modules
4981
- mountPath: /run/xtables.lock
4984
- mountPath: /var/run/calico
4985
name: var-run-calico
4987
- mountPath: /var/lib/calico
4988
name: var-lib-calico
4991
mountPath: /var/run/nodeagent
4995
mountPath: /sys/fs/bpf
4997
mountPath: /var/log/calico/cni
5004
- name: var-run-calico
5006
path: /var/run/calico
5007
- name: var-lib-calico
5009
path: /var/lib/calico
5010
- name: xtables-lock
5012
path: /run/xtables.lock
5017
type: DirectoryOrCreate
5032
path: /etc/cni/net.d
5036
path: /var/log/calico/cni
5040
- name: host-local-net-dir
5042
path: /var/lib/cni/networks
5046
type: DirectoryOrCreate
5047
path: /var/run/nodeagent
5054
name: calico-kube-controllers
5055
namespace: kube-system
5057
k8s-app: calico-kube-controllers
5063
k8s-app: calico-kube-controllers
5068
name: calico-kube-controllers
5069
namespace: kube-system
5071
k8s-app: calico-kube-controllers
5074
kubernetes.io/os: linux
5077
- key: CriticalAddonsOnly
5079
- key: node-role.kubernetes.io/master
5081
- key: node-role.kubernetes.io/control-plane
5083
serviceAccountName: calico-kube-controllers
5084
priorityClassName: system-cluster-critical
5086
- name: calico-kube-controllers
5087
image: gcr.io/istio-testing/calico/kube-controllers:v3.27.0
5088
imagePullPolicy: IfNotPresent
5091
- name: ENABLED_CONTROLLERS
5093
- name: DATASTORE_TYPE
5098
- /usr/bin/check-status
5101
initialDelaySeconds: 10
5107
- /usr/bin/check-status