diff --git a/common/playbooks/files/calico.yaml b/common/playbooks/files/calico.yaml
index f7f29804bb864089795ed8c970f201999fbcf116..81e294d54f7bfd32d7da546166c3cdc636c296a5 100644
--- a/common/playbooks/files/calico.yaml
+++ b/common/playbooks/files/calico.yaml
@@ -329,6 +329,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -350,6 +363,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -371,6 +397,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 32
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -392,6 +431,19 @@ spec:
                       type: string
                     matchOperator:
                       type: string
+                    prefixLength:
+                      properties:
+                        max:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                        min:
+                          format: int32
+                          maximum: 128
+                          minimum: 0
+                          type: integer
+                      type: object
                     source:
                       type: string
                   required:
@@ -1203,6 +1255,17 @@ spec:
                   information about the BPF policy programs, which can be examined
                   with the calico-bpf command-line tool.
                 type: boolean
+              bpfRedirectToPeer:
+                description: 'BPFRedirectToPeer controls which whether it is allowed
+                  to forward straight to the peer side of the workload devices. It
+                  is allowed for any host L2 devices by default (L2Only), but it breaks
+                  TCP dump on the host side of workload device as it bypasses it on
+                  ingress. Value of Enabled also allows redirection from L3 host devices
+                  like IPIP tunnel or Wireguard directly to the peer side of the workload''s
+                  device. This makes redirection faster, however, it breaks tools
+                  like tcpdump on the peer side. Use Enabled with caution. [Default:
+                  L2Only]'
+                type: string
               chainInsertMode:
                 description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                   top-level iptables chains by inserting a rule at the top of the
@@ -1297,15 +1360,17 @@ spec:
                   type: string
                 type: array
               failsafeInboundHostPorts:
-                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
-                  and CIDRs that Felix will allow incoming traffic to host endpoints
-                  on irrespective of the security policy. This is useful to avoid
-                  accidentally cutting off a host with incorrect configuration. For
-                  back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". If a CIDR is not specified, it will allow traffic from
-                  all addresses. To disable all inbound host ports, use the value
-                  none. The default value allows ssh access and DHCP. [Default: tcp:22,
-                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
+                description: 'FailsafeInboundHostPorts is a list of PortProto struct
+                  objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow
+                  incoming traffic to host endpoints on irrespective of the security
+                  policy. This is useful to avoid accidentally cutting off a host
+                  with incorrect configuration. For backwards compatibility, if the
+                  protocol is not specified, it defaults to "tcp". If a CIDR is not
+                  specified, it will allow traffic from all addresses. To disable
+                  all inbound host ports, use the value "[]". The default value allows
+                  ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22,
+                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666,
+                  tcp:6667 ]'
                 items:
                   description: ProtoPort is combination of protocol, port, and CIDR.
                     Protocol and port must be specified.
@@ -1322,17 +1387,18 @@ spec:
                   type: object
                 type: array
               failsafeOutboundHostPorts:
-                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
-                  and CIDRs that Felix will allow outgoing traffic from host endpoints
-                  to irrespective of the security policy. This is useful to avoid
-                  accidentally cutting off a host with incorrect configuration. For
-                  back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". If a CIDR is not specified, it will allow traffic from
-                  all addresses. To disable all outbound host ports, use the value
-                  none. The default value opens etcd''s standard ports to ensure that
-                  Felix does not get cut off from etcd as well as allowing DHCP and
-                  DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
-                  tcp:6667, udp:53, udp:67]'
+                description: 'FailsafeOutboundHostPorts is a list of List of PortProto
+                  struct objects including UDP/TCP/SCTP ports and CIDRs that Felix
+                  will allow outgoing traffic from host endpoints to irrespective
+                  of the security policy. This is useful to avoid accidentally cutting
+                  off a host with incorrect configuration. For backwards compatibility,
+                  if the protocol is not specified, it defaults to "tcp". If a CIDR
+                  is not specified, it will allow traffic from all addresses. To disable
+                  all outbound host ports, use the value "[]". The default value opens
+                  etcd''s standard ports to ensure that Felix does not get cut off
+                  from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes
+                  API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473,
+                  tcp:6443, tcp:6666, tcp:6667 ]'
                 items:
                   description: ProtoPort is combination of protocol, port, and CIDR.
                     Protocol and port must be specified.
@@ -1376,6 +1442,35 @@ spec:
                   is not recommended since it doesn''t provide better performance
                   than iptables. [Default: false]'
                 type: boolean
+              goGCThreshold:
+                description: "GoGCThreshold Sets the Go runtime's garbage collection
+                  threshold.  I.e. the percentage that the heap is allowed to grow
+                  before garbage collection is triggered.  In general, doubling the
+                  value halves the CPU time spent doing GC, but it also doubles peak
+                  GC memory overhead.  A special value of -1 can be used to disable
+                  GC entirely; this should only be used in conjunction with the GoMemoryLimitMB
+                  setting. \n This setting is overridden by the GOGC environment variable.
+                  \n [Default: 40]"
+                type: integer
+              goMaxProcs:
+                description: "GoMaxProcs sets the maximum number of CPUs that the
+                  Go runtime will use concurrently.  A value of -1 means \"use the
+                  system default\"; typically the number of real CPUs on the system.
+                  \n this setting is overridden by the GOMAXPROCS environment variable.
+                  \n [Default: -1]"
+                type: integer
+              goMemoryLimitMB:
+                description: "GoMemoryLimitMB sets a (soft) memory limit for the Go
+                  runtime in MB.  The Go runtime will try to keep its memory usage
+                  under the limit by triggering GC as needed.  To avoid thrashing,
+                  it will exceed the limit if GC starts to take more than 50% of the
+                  process's CPU time.  A value of -1 disables the memory limit. \n
+                  Note that the memory limit, if used, must be considerably less than
+                  any hard resource limit set at the container or pod level.  This
+                  is because felix is not the only process that must run in the container
+                  or pod. \n This setting is overridden by the GOMEMLIMIT environment
+                  variable. \n [Default: -1]"
+                type: integer
               healthEnabled:
                 type: boolean
               healthHost:
@@ -1424,6 +1519,15 @@ spec:
                   disabled by setting the interval to 0.
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
+              ipForwarding:
+                description: 'IPForwarding controls whether Felix sets the host sysctls
+                  to enable IP forwarding.  IP forwarding is required when using Calico
+                  for workload networking.  This should only be disabled on hosts
+                  where Calico is used for host protection.  [Default: Enabled]'
+                enum:
+                - Enabled
+                - Disabled
+                type: string
               ipipEnabled:
                 description: 'IPIPEnabled overrides whether Felix should configure
                   an IPIP interface on the host. Optional as Felix determines this
@@ -1555,6 +1659,9 @@ spec:
                 pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
                 type: string
               maxIpsetSize:
+                description: MaxIpsetSize is the maximum number of IP addresses that
+                  can be stored in an IP set. Not applicable if using the nftables
+                  backend.
                 type: integer
               metadataAddr:
                 description: 'MetadataAddr is the IP address or domain name of the
@@ -1593,6 +1700,34 @@ spec:
               netlinkTimeout:
                 pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
                 type: string
+              nftablesFilterAllowAction:
+                pattern: ^(?i)(Accept|Return)?$
+                type: string
+              nftablesFilterDenyAction:
+                description: FilterDenyAction controls what happens to traffic that
+                  is denied by network policy. By default Calico blocks traffic with
+                  a "drop" action. If you want to use a "reject" action instead you
+                  can configure it here.
+                pattern: ^(?i)(Drop|Reject)?$
+                type: string
+              nftablesMangleAllowAction:
+                pattern: ^(?i)(Accept|Return)?$
+                type: string
+              nftablesMarkMask:
+                description: 'MarkMask is the mask that Felix selects its nftables
+                  Mark bits from. Should be a 32 bit hexadecimal number with at least
+                  8 bits set, none of which clash with any other mark bits in use
+                  on the system. [Default: 0xffff0000]'
+                format: int32
+                type: integer
+              nftablesMode:
+                description: 'NFTablesMode configures nftables support in Felix. [Default:
+                  Disabled]'
+                type: string
+              nftablesRefreshInterval:
+                description: 'NftablesRefreshInterval controls the interval at which
+                  Felix periodically refreshes the nftables rules. [Default: 90s]'
+                type: string
               openstackRegion:
                 description: 'OpenstackRegion is the name of the region that a particular
                   Felix belongs to. In a multi-region Calico/OpenStack deployment,
@@ -2630,10 +2765,10 @@ spec:
               order:
                 description: Order is an optional field that specifies the order in
                   which the policy is applied. Policies with higher "order" are applied
-                  after those with lower order.  If the order is omitted, it may be
-                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
-                  with identical order will be applied in alphanumerical order based
-                  on the Policy "Name".
+                  after those with lower order within the same tier.  If the order
+                  is omitted, it may be considered to be "infinite" - i.e. the policy
+                  will be applied last.  Policies with identical order will be applied
+                  in alphanumerical order based on the Policy "Name" within the tier.
                 type: number
               performanceHints:
                 description: "PerformanceHints contains a list of hints to Calico's
@@ -2675,6 +2810,14 @@ spec:
                 description: ServiceAccountSelector is an optional field for an expression
                   used to select a pod based on service accounts.
                 type: string
+              tier:
+                description: The name of the tier that this policy belongs to.  If
+                  this is omitted, the default tier (name is "default") is assumed.  The
+                  specified tier must exist in order to create security policies within
+                  the tier, the "default" tier is created automatically if it does
+                  not exist, this means for deployments requiring only a single Tier,
+                  the tier name may be omitted on all policy management requests.
+                type: string
               types:
                 description: "Types indicates whether this policy applies to ingress,
                   or to egress, or to both.  When not explicitly specified (and so
@@ -4302,10 +4445,10 @@ spec:
               order:
                 description: Order is an optional field that specifies the order in
                   which the policy is applied. Policies with higher "order" are applied
-                  after those with lower order.  If the order is omitted, it may be
-                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
-                  with identical order will be applied in alphanumerical order based
-                  on the Policy "Name".
+                  after those with lower order within the same tier.  If the order
+                  is omitted, it may be considered to be "infinite" - i.e. the policy
+                  will be applied last.  Policies with identical order will be applied
+                  in alphanumerical order based on the Policy "Name" within the tier.
                 type: number
               performanceHints:
                 description: "PerformanceHints contains a list of hints to Calico's
@@ -4343,6 +4486,14 @@ spec:
                 description: ServiceAccountSelector is an optional field for an expression
                   used to select a pod based on service accounts.
                 type: string
+              tier:
+                description: The name of the tier that this policy belongs to.  If
+                  this is omitted, the default tier (name is "default") is assumed.  The
+                  specified tier must exist in order to create security policies within
+                  the tier, the "default" tier is created automatically if it does
+                  not exist, this means for deployments requiring only a single Tier,
+                  the tier name may be omitted on all policy management requests.
+                type: string
               types:
                 description: "Types indicates whether this policy applies to ingress,
                   or to egress, or to both.  When not explicitly specified (and so
@@ -4422,6 +4573,1154 @@ status:
   conditions: []
   storedVersions: []
 ---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: tiers.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: Tier
+    listKind: TierList
+    plural: tiers
+    singular: tier
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TierSpec contains the specification for a security policy
+              tier resource.
+            properties:
+              defaultAction:
+                description: 'DefaultAction specifies the action applied to workloads
+                  selected by a policy in the tier, but not rule matched the workload''s
+                  traffic. [Default: Deny]'
+                enum:
+                - Pass
+                - Deny
+                type: string
+              order:
+                description: Order is an optional field that specifies the order in
+                  which the tier is applied. Tiers with higher "order" are applied
+                  after those with lower order.  If the order is omitted, it may be
+                  considered to be "infinite" - i.e. the tier will be applied last.  Tiers
+                  with identical order will be applied in alphanumerical order based
+                  on the Tier "Name".
+                type: number
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30
+    policy.networking.k8s.io/bundle-version: v0.1.1
+    policy.networking.k8s.io/channel: experimental
+  creationTimestamp: null
+  name: adminnetworkpolicies.policy.networking.k8s.io
+spec:
+  group: policy.networking.k8s.io
+  names:
+    kind: AdminNetworkPolicy
+    listKind: AdminNetworkPolicyList
+    plural: adminnetworkpolicies
+    shortNames:
+    - anp
+    singular: adminnetworkpolicy
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.priority
+      name: Priority
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          AdminNetworkPolicy is  a cluster level resource that is part of the
+          AdminNetworkPolicy API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specification of the desired behavior of AdminNetworkPolicy.
+            properties:
+              egress:
+                description: |-
+                  Egress is the list of Egress rules to be applied to the selected pods.
+                  A total of 100 rules will be allowed in each ANP instance.
+                  The relative precedence of egress rules within a single ANP object (all of
+                  which share the priority) will be determined by the order in which the rule
+                  is written. Thus, a rule that appears at the top of the egress rules
+                  would take the highest precedence.
+                  ANPs with no egress rules do not affect egress traffic.
+
+
+                  Support: Core
+                items:
+                  description: |-
+                    AdminNetworkPolicyEgressRule describes an action to take on a particular
+                    set of traffic originating from pods selected by a AdminNetworkPolicy's
+                    Subject field.
+                    <network-policy-api:experimental:validation>
+                  properties:
+                    action:
+                      description: |-
+                        Action specifies the effect this rule will have on matching traffic.
+                        Currently the following actions are supported:
+                        Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
+                        Deny: denies the selected traffic
+                        Pass: instructs the selected traffic to skip any remaining ANP rules, and
+                        then pass execution to any NetworkPolicies that select the pod.
+                        If the pod is not selected by any NetworkPolicies then execution
+                        is passed to any BaselineAdminNetworkPolicies that select the pod.
+
+
+                        Support: Core
+                      enum:
+                      - Allow
+                      - Deny
+                      - Pass
+                      type: string
+                    name:
+                      description: |-
+                        Name is an identifier for this rule, that may be no more than 100 characters
+                        in length. This field should be used by the implementation to help
+                        improve observability, readability and error-reporting for any applied
+                        AdminNetworkPolicies.
+
+
+                        Support: Core
+                      maxLength: 100
+                      type: string
+                    ports:
+                      description: |-
+                        Ports allows for matching traffic based on port and protocols.
+                        This field is a list of destination ports for the outgoing egress traffic.
+                        If Ports is not set then the rule does not filter traffic via port.
+
+
+                        Support: Core
+                      items:
+                        description: |-
+                          AdminNetworkPolicyPort describes how to select network ports on pod(s).
+                          Exactly one field must be set.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          namedPort:
+                            description: |-
+                              NamedPort selects a port on a pod(s) based on name.
+
+
+                              Support: Extended
+
+
+                              <network-policy-api:experimental>
+                            type: string
+                          portNumber:
+                            description: |-
+                              Port selects a port on a pod(s) based on number.
+
+
+                              Support: Core
+                            properties:
+                              port:
+                                description: |-
+                                  Number defines a network port value.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+                                  match. If not specified, this field defaults to TCP.
+
+
+                                  Support: Core
+                                type: string
+                            required:
+                            - port
+                            - protocol
+                            type: object
+                          portRange:
+                            description: |-
+                              PortRange selects a port range on a pod(s) based on provided start and end
+                              values.
+
+
+                              Support: Core
+                            properties:
+                              end:
+                                description: |-
+                                  End defines a network port that is the end of a port range, the End value
+                                  must be greater than Start.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+                                  match. If not specified, this field defaults to TCP.
+
+
+                                  Support: Core
+                                type: string
+                              start:
+                                description: |-
+                                  Start defines a network port that is the start of a port range, the Start
+                                  value must be less than End.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            required:
+                            - end
+                            - start
+                            type: object
+                        type: object
+                      maxItems: 100
+                      type: array
+                    to:
+                      description: |-
+                        To is the List of destinations whose traffic this rule applies to.
+                        If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
+                        traffic then the specified action is applied.
+                        This field must be defined and contain at least one item.
+
+
+                        Support: Core
+                      items:
+                        description: |-
+                          AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
+                          Exactly one of the selector pointers must be set for a given peer. If a
+                          consumer observes none of its fields are set, they must assume an unknown
+                          option has been specified and fail closed.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          namespaces:
+                            description: |-
+                              Namespaces defines a way to select all pods within a set of Namespaces.
+                              Note that host-networked pods are not included in this type of peer.
+
+
+                              Support: Core
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          networks:
+                            description: |-
+                              Networks defines a way to select peers via CIDR blocks.
+                              This is intended for representing entities that live outside the cluster,
+                              which can't be selected by pods, namespaces and nodes peers, but note
+                              that cluster-internal traffic will be checked against the rule as
+                              well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
+                              or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
+                              add a rule that Passes all pod traffic before the Networks rule.
+
+
+                              Each item in Networks should be provided in the CIDR format and should be
+                              IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
+
+
+                              Networks can have upto 25 CIDRs specified.
+
+
+                              Support: Extended
+
+
+                              <network-policy-api:experimental>
+                            items:
+                              description: |-
+                                CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
+                                This string must be validated by implementations using net.ParseCIDR
+                                TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+                              maxLength: 43
+                              type: string
+                              x-kubernetes-validations:
+                              - message: CIDR must be either an IPv4 or IPv6 address.
+                                  IPv4 address embedded in IPv6 addresses are not
+                                  supported
+                                rule: self.contains(':') != self.contains('.')
+                            maxItems: 25
+                            minItems: 1
+                            type: array
+                            x-kubernetes-list-type: set
+                          nodes:
+                            description: |-
+                              Nodes defines a way to select a set of nodes in
+                              the cluster. This field follows standard label selector
+                              semantics; if present but empty, it selects all Nodes.
+
+
+                              Support: Extended
+
+
+                              <network-policy-api:experimental>
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          pods:
+                            description: |-
+                              Pods defines a way to select a set of pods in
+                              a set of namespaces. Note that host-networked pods
+                              are not included in this type of peer.
+
+
+                              Support: Core
+                            properties:
+                              namespaceSelector:
+                                description: |-
+                                  NamespaceSelector follows standard label selector semantics; if empty,
+                                  it selects all Namespaces.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: |-
+                                        A label selector requirement is a selector that contains values, a key, and an operator that
+                                        relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: |-
+                                            operator represents a key's relationship to a set of values.
+                                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            values is an array of string values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array is replaced during a strategic
+                                            merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: |-
+                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                    type: object
+                                type: object
+                                x-kubernetes-map-type: atomic
+                              podSelector:
+                                description: |-
+                                  PodSelector is used to explicitly select pods within a namespace; if empty,
+                                  it selects all Pods.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: |-
+                                        A label selector requirement is a selector that contains values, a key, and an operator that
+                                        relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: |-
+                                            operator represents a key's relationship to a set of values.
+                                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            values is an array of string values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array is replaced during a strategic
+                                            merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: |-
+                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                    type: object
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            required:
+                            - namespaceSelector
+                            - podSelector
+                            type: object
+                        type: object
+                      maxItems: 100
+                      minItems: 1
+                      type: array
+                  required:
+                  - action
+                  - to
+                  type: object
+                  x-kubernetes-validations:
+                  - message: networks/nodes peer cannot be set with namedPorts since
+                      there are no namedPorts for networks/nodes
+                    rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes))
+                      && has(self.ports) && self.ports.exists(port, has(port.namedPort)))'
+                maxItems: 100
+                type: array
+              ingress:
+                description: |-
+                  Ingress is the list of Ingress rules to be applied to the selected pods.
+                  A total of 100 rules will be allowed in each ANP instance.
+                  The relative precedence of ingress rules within a single ANP object (all of
+                  which share the priority) will be determined by the order in which the rule
+                  is written. Thus, a rule that appears at the top of the ingress rules
+                  would take the highest precedence.
+                  ANPs with no ingress rules do not affect ingress traffic.
+
+
+                  Support: Core
+                items:
+                  description: |-
+                    AdminNetworkPolicyIngressRule describes an action to take on a particular
+                    set of traffic destined for pods selected by an AdminNetworkPolicy's
+                    Subject field.
+                  properties:
+                    action:
+                      description: |-
+                        Action specifies the effect this rule will have on matching traffic.
+                        Currently the following actions are supported:
+                        Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
+                        Deny: denies the selected traffic
+                        Pass: instructs the selected traffic to skip any remaining ANP rules, and
+                        then pass execution to any NetworkPolicies that select the pod.
+                        If the pod is not selected by any NetworkPolicies then execution
+                        is passed to any BaselineAdminNetworkPolicies that select the pod.
+
+
+                        Support: Core
+                      enum:
+                      - Allow
+                      - Deny
+                      - Pass
+                      type: string
+                    from:
+                      description: |-
+                        From is the list of sources whose traffic this rule applies to.
+                        If any AdminNetworkPolicyIngressPeer matches the source of incoming
+                        traffic then the specified action is applied.
+                        This field must be defined and contain at least one item.
+
+
+                        Support: Core
+                      items:
+                        description: |-
+                          AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
+                          Exactly one of the selector pointers must be set for a given peer. If a
+                          consumer observes none of its fields are set, they must assume an unknown
+                          option has been specified and fail closed.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          namespaces:
+                            description: |-
+                              Namespaces defines a way to select all pods within a set of Namespaces.
+                              Note that host-networked pods are not included in this type of peer.
+
+
+                              Support: Core
+                            properties:
+                              matchExpressions:
+                                description: matchExpressions is a list of label selector
+                                  requirements. The requirements are ANDed.
+                                items:
+                                  description: |-
+                                    A label selector requirement is a selector that contains values, a key, and an operator that
+                                    relates the key and values.
+                                  properties:
+                                    key:
+                                      description: key is the label key that the selector
+                                        applies to.
+                                      type: string
+                                    operator:
+                                      description: |-
+                                        operator represents a key's relationship to a set of values.
+                                        Valid operators are In, NotIn, Exists and DoesNotExist.
+                                      type: string
+                                    values:
+                                      description: |-
+                                        values is an array of string values. If the operator is In or NotIn,
+                                        the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                        the values array must be empty. This array is replaced during a strategic
+                                        merge patch.
+                                      items:
+                                        type: string
+                                      type: array
+                                  required:
+                                  - key
+                                  - operator
+                                  type: object
+                                type: array
+                              matchLabels:
+                                additionalProperties:
+                                  type: string
+                                description: |-
+                                  matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                  map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                  operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                type: object
+                            type: object
+                            x-kubernetes-map-type: atomic
+                          pods:
+                            description: |-
+                              Pods defines a way to select a set of pods in
+                              a set of namespaces. Note that host-networked pods
+                              are not included in this type of peer.
+
+
+                              Support: Core
+                            properties:
+                              namespaceSelector:
+                                description: |-
+                                  NamespaceSelector follows standard label selector semantics; if empty,
+                                  it selects all Namespaces.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: |-
+                                        A label selector requirement is a selector that contains values, a key, and an operator that
+                                        relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: |-
+                                            operator represents a key's relationship to a set of values.
+                                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            values is an array of string values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array is replaced during a strategic
+                                            merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: |-
+                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                    type: object
+                                type: object
+                                x-kubernetes-map-type: atomic
+                              podSelector:
+                                description: |-
+                                  PodSelector is used to explicitly select pods within a namespace; if empty,
+                                  it selects all Pods.
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label
+                                      selector requirements. The requirements are
+                                      ANDed.
+                                    items:
+                                      description: |-
+                                        A label selector requirement is a selector that contains values, a key, and an operator that
+                                        relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the
+                                            selector applies to.
+                                          type: string
+                                        operator:
+                                          description: |-
+                                            operator represents a key's relationship to a set of values.
+                                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            values is an array of string values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array is replaced during a strategic
+                                            merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                      required:
+                                      - key
+                                      - operator
+                                      type: object
+                                    type: array
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: |-
+                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                    type: object
+                                type: object
+                                x-kubernetes-map-type: atomic
+                            required:
+                            - namespaceSelector
+                            - podSelector
+                            type: object
+                        type: object
+                      maxItems: 100
+                      minItems: 1
+                      type: array
+                    name:
+                      description: |-
+                        Name is an identifier for this rule, that may be no more than 100 characters
+                        in length. This field should be used by the implementation to help
+                        improve observability, readability and error-reporting for any applied
+                        AdminNetworkPolicies.
+
+
+                        Support: Core
+                      maxLength: 100
+                      type: string
+                    ports:
+                      description: |-
+                        Ports allows for matching traffic based on port and protocols.
+                        This field is a list of ports which should be matched on
+                        the pods selected for this policy i.e the subject of the policy.
+                        So it matches on the destination port for the ingress traffic.
+                        If Ports is not set then the rule does not filter traffic via port.
+
+
+                        Support: Core
+                      items:
+                        description: |-
+                          AdminNetworkPolicyPort describes how to select network ports on pod(s).
+                          Exactly one field must be set.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          namedPort:
+                            description: |-
+                              NamedPort selects a port on a pod(s) based on name.
+
+
+                              Support: Extended
+
+
+                              <network-policy-api:experimental>
+                            type: string
+                          portNumber:
+                            description: |-
+                              Port selects a port on a pod(s) based on number.
+
+
+                              Support: Core
+                            properties:
+                              port:
+                                description: |-
+                                  Number defines a network port value.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+                                  match. If not specified, this field defaults to TCP.
+
+
+                                  Support: Core
+                                type: string
+                            required:
+                            - port
+                            - protocol
+                            type: object
+                          portRange:
+                            description: |-
+                              PortRange selects a port range on a pod(s) based on provided start and end
+                              values.
+
+
+                              Support: Core
+                            properties:
+                              end:
+                                description: |-
+                                  End defines a network port that is the end of a port range, the End value
+                                  must be greater than Start.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              protocol:
+                                default: TCP
+                                description: |-
+                                  Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
+                                  match. If not specified, this field defaults to TCP.
+
+
+                                  Support: Core
+                                type: string
+                              start:
+                                description: |-
+                                  Start defines a network port that is the start of a port range, the Start
+                                  value must be less than End.
+
+
+                                  Support: Core
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            required:
+                            - end
+                            - start
+                            type: object
+                        type: object
+                      maxItems: 100
+                      type: array
+                  required:
+                  - action
+                  - from
+                  type: object
+                maxItems: 100
+                type: array
+              priority:
+                description: |-
+                  Priority is a value from 0 to 1000. Rules with lower priority values have
+                  higher precedence, and are checked before rules with higher priority values.
+                  All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or
+                  BaselineAdminNetworkPolicy rules
+                  The behavior is undefined if two ANP objects have same priority.
+
+
+                  Support: Core
+                format: int32
+                maximum: 1000
+                minimum: 0
+                type: integer
+              subject:
+                description: |-
+                  Subject defines the pods to which this AdminNetworkPolicy applies.
+                  Note that host-networked pods are not included in subject selection.
+
+
+                  Support: Core
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  namespaces:
+                    description: Namespaces is used to select pods via namespace selectors.
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: |-
+                            A label selector requirement is a selector that contains values, a key, and an operator that
+                            relates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: |-
+                                operator represents a key's relationship to a set of values.
+                                Valid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: |-
+                                values is an array of string values. If the operator is In or NotIn,
+                                the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced during a strategic
+                                merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: |-
+                          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                          map is equivalent to an element of matchExpressions, whose key field is "key", the
+                          operator is "In", and the values array contains only "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                    x-kubernetes-map-type: atomic
+                  pods:
+                    description: Pods is used to select pods via namespace AND pod
+                      selectors.
+                    properties:
+                      namespaceSelector:
+                        description: |-
+                          NamespaceSelector follows standard label selector semantics; if empty,
+                          it selects all Namespaces.
+                        properties:
+                          matchExpressions:
+                            description: matchExpressions is a list of label selector
+                              requirements. The requirements are ANDed.
+                            items:
+                              description: |-
+                                A label selector requirement is a selector that contains values, a key, and an operator that
+                                relates the key and values.
+                              properties:
+                                key:
+                                  description: key is the label key that the selector
+                                    applies to.
+                                  type: string
+                                operator:
+                                  description: |-
+                                    operator represents a key's relationship to a set of values.
+                                    Valid operators are In, NotIn, Exists and DoesNotExist.
+                                  type: string
+                                values:
+                                  description: |-
+                                    values is an array of string values. If the operator is In or NotIn,
+                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                    the values array must be empty. This array is replaced during a strategic
+                                    merge patch.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - key
+                              - operator
+                              type: object
+                            type: array
+                          matchLabels:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                              map is equivalent to an element of matchExpressions, whose key field is "key", the
+                              operator is "In", and the values array contains only "value". The requirements are ANDed.
+                            type: object
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      podSelector:
+                        description: |-
+                          PodSelector is used to explicitly select pods within a namespace; if empty,
+                          it selects all Pods.
+                        properties:
+                          matchExpressions:
+                            description: matchExpressions is a list of label selector
+                              requirements. The requirements are ANDed.
+                            items:
+                              description: |-
+                                A label selector requirement is a selector that contains values, a key, and an operator that
+                                relates the key and values.
+                              properties:
+                                key:
+                                  description: key is the label key that the selector
+                                    applies to.
+                                  type: string
+                                operator:
+                                  description: |-
+                                    operator represents a key's relationship to a set of values.
+                                    Valid operators are In, NotIn, Exists and DoesNotExist.
+                                  type: string
+                                values:
+                                  description: |-
+                                    values is an array of string values. If the operator is In or NotIn,
+                                    the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                    the values array must be empty. This array is replaced during a strategic
+                                    merge patch.
+                                  items:
+                                    type: string
+                                  type: array
+                              required:
+                              - key
+                              - operator
+                              type: object
+                            type: array
+                          matchLabels:
+                            additionalProperties:
+                              type: string
+                            description: |-
+                              matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                              map is equivalent to an element of matchExpressions, whose key field is "key", the
+                              operator is "In", and the values array contains only "value". The requirements are ANDed.
+                            type: object
+                        type: object
+                        x-kubernetes-map-type: atomic
+                    required:
+                    - namespaceSelector
+                    - podSelector
+                    type: object
+                type: object
+            required:
+            - priority
+            - subject
+            type: object
+          status:
+            description: Status is the status to be reported by the implementation.
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            required:
+            - conditions
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null
+---
 # Source: calico/templates/calico-kube-controllers-rbac.yaml
 # Include a clusterrole for the kube-controllers component,
 # and bind it to the calico-kube-controllers serviceaccount.
@@ -4457,6 +5756,7 @@ rules:
       - blockaffinities
       - ipamblocks
       - ipamhandles
+      - tiers
     verbs:
       - get
       - list
@@ -4568,6 +5868,13 @@ rules:
     verbs:
       - watch
       - list
+  # Watch for changes to Kubernetes AdminNetworkPolicies.
+  - apiGroups: ["policy.networking.k8s.io"]
+    resources:
+      - adminnetworkpolicies
+    verbs:
+      - watch
+      - list
   # Used by Calico for policy information.
   - apiGroups: [""]
     resources:
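Review bot: The new rule grants only `watch`/`list` on `adminnetworkpolicies`, which is the correct read-only scope for a policy consumer, but two related resources in this same commit are not covered. The AdminNetworkPolicy CRD installed earlier in this diff declares a `status` subresource that "is to be reported by the implementation" (L1377, L1461); if the component bound to this role is the one writing those conditions it additionally needs `update`/`patch` on `adminnetworkpolicies/status`, and with only this rule that write fails with Forbidden at runtime rather than at deploy time. The ANP description at L1207-1208 also refers to BaselineAdminNetworkPolicy; if that CRD is installed and consumed as well, `baselineadminnetworkpolicies` should be listed here under the same read-only verbs. Which ClusterRole this rule belongs to starts outside the hunk.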
@@ -4603,6 +5910,7 @@ rules:
       - hostendpoints
       - blockaffinities
       - caliconodestatuses
+      - tiers
     verbs:
       - get
       - list
@@ -4787,6 +6095,9 @@ spec:
         - effect: NoExecute
           operator: Exists
       serviceAccountName: calico-node
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
       # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
       terminationGracePeriodSeconds: 0
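Review bot: The pod-level `seccompProfile: RuntimeDefault` added at L1506-1508 is silently ineffective for any container in this DaemonSet that runs with `privileged: true` — containerd and CRI-O run privileged containers with seccomp unconfined regardless of the requested profile — and the upstream calico-node manifest marks calico-node and its init containers privileged (their container securityContexts are outside this hunk, so confirm against the rest of the file). The setting is still worth keeping as a default for any non-privileged container, but its limited scope should be recorded so the hardening is not mistaken for covering the privileged data-plane container, e.g. `# RuntimeDefault is not applied by the runtime to privileged containers; it only constrains non-privileged ones.` The same pod-level profile is added to calico-kube-controllers at L1552-1554, where, as far as visible, no privileged container is involved and it takes full effect.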
@@ -4796,7 +6107,7 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.28.1
+          image: docker.io/calico/cni:v3.29.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
@@ -4824,7 +6135,7 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: docker.io/calico/cni:v3.28.1
+          image: docker.io/calico/cni:v3.29.0
           imagePullPolicy: IfNotPresent
           command: ["/opt/cni/bin/install"]
           envFrom:
@@ -4867,7 +6178,7 @@ spec:
         # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
         # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
         - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.28.1
+          image: docker.io/calico/node:v3.29.0
           imagePullPolicy: IfNotPresent
           command: ["calico-node", "-init", "-best-effort"]
           volumeMounts:
@@ -4893,7 +6204,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: docker.io/calico/node:v3.28.1
+          image: docker.io/calico/node:v3.29.0
           imagePullPolicy: IfNotPresent
           envFrom:
           - configMapRef:
@@ -5110,10 +6421,13 @@ spec:
         - key: node-role.kubernetes.io/control-plane
           effect: NoSchedule
       serviceAccountName: calico-kube-controllers
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.28.1
+          image: docker.io/calico/kube-controllers:v3.29.0
           imagePullPolicy: IfNotPresent
           env:
             # Choose which controllers to run.
@@ -5136,3 +6450,5 @@ spec:
               - /usr/bin/check-status
               - -r
             periodSeconds: 10
+          securityContext:
+            runAsNonRoot: true
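Review bot: `runAsNonRoot: true` at L1568 is only satisfiable if the kube-controllers image declares a numeric non-root USER or the manifest sets `runAsUser`; otherwise the kubelet refuses to start the container ("container has runAsNonRoot and image will run as root" / non-numeric user), which a rollout of the v3.29.0 image bump at L1559 would surface only at runtime. The image's USER is not visible here, so either confirm it or make the contract explicit with `runAsUser: <NON_ROOT_UID>` next to it. Since this is the only container-level hardening on calico-kube-controllers, it would also pair naturally with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` alongside the pod-level seccomp profile added at L1552-1554. The container definition begins outside the hunk.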
diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 99bac06f26c931e1884a2773d8556a5d7302ab18..c7befa0f1d74c89956eb095995263bedbdaedb65 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -161,10 +161,10 @@
         # kube_nvidia_device_plugin_version: "v0.12.2"
         # kube_nvidia_driver_version: "515" # "525"
         kube_nvidia_support: true
-        kube_version: 1.31.0
+        kube_version: 1.31.2
         kube_network: 'none'  # custom network installation
         kube_install_helm: true
-        kube_install_helm_version: 'v3.15.4'
+        kube_install_helm_version: 'v3.16.2'
         kube_install_metrics: true
   tasks:
     - name: Create kubectl config dir
@@ -189,7 +189,7 @@
 - name: K8s network deployment
   hosts: master
   vars:
-    calicoctl_version: 3.28.1
+    calicoctl_version: 3.29.0
   tasks:
     - name: Calico config
       copy:
@@ -224,7 +224,7 @@
         # must be IPv4 address or hostname
         kube_server: "{{ hostvars[groups['master'][0]].kube_server | default(groups['master'][0]) }}"
         kube_type_of_node: wn
-        kube_version: 1.31.0
+        kube_version: 1.31.2
         kubelet_extra_args: '--volume-stats-agg-period 0'
   tasks:
     - name: Overlay2 mountpoint workaround to docker.service unit
@@ -360,7 +360,7 @@
       when: "'ingress-nginx' not in ansible_local.helm_repos | map(attribute='name') | list"
     - name: Ingress
       vars:
-        version: 4.11.2 # app 1.11.2
+        version: 4.11.3 # app 1.11.3
         config: >-
           --set controller.service.type=NodePort
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
@@ -381,7 +381,7 @@
       when: true
     - name: Cert-manager
       vars:
-        version: 1.15.3
+        version: 1.16
         config: >-
           --version={{ version }}
           --set ingressShim.defaultIssuerName=letsencrypt-prod
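Review bot: `version: 1.16` at L1618 is parsed by YAML as a float, whereas the replaced `1.15.3` and every other `version:` var in this diff (L1609, L1627, L1636) is a string; Ansible happens to render `1.16` unchanged, but the type change means a later value such as `1.20` would reach `--version={{ version }}` (L1620) as `1.2`, so quote it: `version: '1.16'`. Independently, `1.16` is a minor rather than a full chart version, so helm treats it as a constraint and resolves it to the newest matching 1.16.x patch at install time, which leaves this deployment unpinned and non-reproducible unlike the other charts; prefer the full `1.16.<patch>` value. The enclosing task continues outside the hunk.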
@@ -495,7 +495,7 @@
                         description: "Disk is almost full {{ '{{ $value | printf \"%.2f\" }}' }}% (limit {{ limit_disk_warn }}%)"
     - name: Prometheus
       vars:
-        version: 25.27.0 # app v2.54.1
+        version: 25.29.0 # app v2.55.0
         config: >-
           --version={{ version }}
           -f /tmp/prometheus.yaml
@@ -545,7 +545,7 @@
               enabled: true
     - name: Grafana
       vars:
-        version: 8.5.8 # app 11.2.2-security-01
+        version: 8.5.12 # app 11.3.0
         config: >-
           --version={{ version }}
           -f /tmp/grafana.yaml
diff --git a/common/playbooks/upgrade.yaml b/common/playbooks/upgrade.yaml
index f15382ef6840efa015a357195d145be67f182fbc..5d90518c01e4a4ba767689236feaa86cb8c0965b 100644
--- a/common/playbooks/upgrade.yaml
+++ b/common/playbooks/upgrade.yaml
@@ -6,7 +6,7 @@
 #
 # Usage example:
 #
-# VERSION=1.31.0
+# VERSION=1.31.2
 # ansible-playbook playbooks/upgrade.yaml --extra-vars "version=$VERSION"
 #
 - name: Upgrade and hold kubeadm package