From 2a0d4a21797534c6c52265ac5c638a63f63df781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Thu, 18 Jul 2024 17:34:18 +0000
Subject: [PATCH] Moar refactoring and cleanups - common directory for ansible

---
 cesnet-central/playbooks/cvmfs.yaml           |   78 +-
 cesnet-central/playbooks/ephemeral.yaml       |   43 +
 cesnet-central/playbooks/files/calico.yaml    | 5136 +----------------
 cesnet-central/playbooks/files/etc            |    1 +
 cesnet-central/playbooks/files/usr            |    1 +
 cesnet-central/playbooks/notebooks.yaml       |  155 +-
 cesnet-central/playbooks/squid.yaml           |   50 +-
 .../playbooks/templates/etc/exports           |    3 +-
 .../playbooks/templates/etc/mailutils.conf    |    4 +-
 cesnet-central/playbooks/templates/etc/squid  |    1 +
 cesnet-central/playbooks/upgrade.yaml         |   93 +-
 cesnet-mcc/playbooks/cvmfs.yaml               |    2 +-
 cesnet-mcc/playbooks/files/calico.yaml        |    2 +-
 cesnet-mcc/playbooks/files/etc                |    2 +-
 cesnet-mcc/playbooks/files/usr                |    2 +-
 cesnet-mcc/playbooks/k8s.yaml                 |    2 +-
 cesnet-mcc/playbooks/squid.yaml               |    2 +-
 cesnet-mcc/playbooks/templates/etc/exports    |    3 +-
 .../playbooks/templates/etc/mailutils.conf    |    2 +-
 cesnet-mcc/playbooks/templates/etc/squid      |    2 +-
 cesnet-mcc/playbooks/upgrade.yaml             |    2 +-
 common/playbooks/cvmfs.yaml                   |   77 +
 common/playbooks/files/calico.yaml            | 5135 ++++++++++++++++
 .../files/etc/ansible/facts.d/helm_repos.fact |    0
 .../files/etc/profile.d/k8s-cheats.sh         |    0
 .../files/usr/local/bin/k8s-pods-cleaner.sh   |    0
 .../files/usr/local/bin/xfs-quotas.sh         |    0
 {cesnet-central => common}/playbooks/k8s.yaml |    0
 common/playbooks/notebooks.yaml               |  154 +
 common/playbooks/squid.yaml                   |   49 +
 .../templates/etc/exports.inventory_hostname  |    2 +
 common/playbooks/templates/etc/exports.ipv4   |    2 +
 common/playbooks/templates/etc/exports.ipv46  |    2 +
 common/playbooks/templates/etc/mailutils.conf |    3 +
 .../etc/squid/conf.d/allcluster.conf          |    0
 common/playbooks/upgrade.yaml                 |   92 +
 common/terraform/vars.tf                      |   64 +
 staging1/playbooks/cvmfs.yaml                 |    2 +-
 staging1/playbooks/files/calico.yaml          |    2 +-
 staging1/playbooks/files/etc                  |    2 +-
 staging1/playbooks/files/usr                  |    2 +-
 staging1/playbooks/k8s.yaml                   |    2 +-
 staging1/playbooks/squid.yaml                 |    2 +-
 staging1/playbooks/templates/etc/exports      |    3 +-
 .../playbooks/templates/etc/mailutils.conf    |    2 +-
 staging1/playbooks/templates/etc/squid        |    1 +
 .../etc/squid/conf.d/allcluster.conf          |    1 -
 staging1/playbooks/upgrade.yaml               |    2 +-
 testing/playbooks/cvmfs.yaml                  |    2 +-
 testing/playbooks/files/calico.yaml           |    2 +-
 testing/playbooks/files/etc                   |    2 +-
 testing/playbooks/files/usr                   |    2 +-
 testing/playbooks/k8s.yaml                    |    2 +-
 testing/playbooks/notebooks.yaml              |    2 +-
 testing/playbooks/squid.yaml                  |    2 +-
 testing/playbooks/templates/etc/exports       |    3 +-
 .../playbooks/templates/etc/mailutils.conf    |    2 +-
 testing/playbooks/templates/etc/squid         |    2 +-
 58 files changed, 5663 insertions(+), 5545 deletions(-)
 mode change 100644 => 120000 cesnet-central/playbooks/cvmfs.yaml
 create mode 100644 cesnet-central/playbooks/ephemeral.yaml
 mode change 100644 => 120000 cesnet-central/playbooks/files/calico.yaml
 create mode 120000 cesnet-central/playbooks/files/etc
 create mode 120000 cesnet-central/playbooks/files/usr
 mode change 100644 => 120000 cesnet-central/playbooks/notebooks.yaml
 mode change 100644 => 120000 cesnet-central/playbooks/squid.yaml
 mode change 100644 => 120000 cesnet-central/playbooks/templates/etc/exports
 mode change 100644 => 120000 cesnet-central/playbooks/templates/etc/mailutils.conf
 create mode 120000 cesnet-central/playbooks/templates/etc/squid
 mode change 100644 => 120000 cesnet-central/playbooks/upgrade.yaml
 mode change 100644 => 120000 cesnet-mcc/playbooks/templates/etc/exports
 create mode 100644 common/playbooks/cvmfs.yaml
 create mode 100644 common/playbooks/files/calico.yaml
 rename {cesnet-central => common}/playbooks/files/etc/ansible/facts.d/helm_repos.fact (100%)
 rename {cesnet-central => common}/playbooks/files/etc/profile.d/k8s-cheats.sh (100%)
 rename {cesnet-central => common}/playbooks/files/usr/local/bin/k8s-pods-cleaner.sh (100%)
 rename {cesnet-central => common}/playbooks/files/usr/local/bin/xfs-quotas.sh (100%)
 rename {cesnet-central => common}/playbooks/k8s.yaml (100%)
 create mode 100644 common/playbooks/notebooks.yaml
 create mode 100644 common/playbooks/squid.yaml
 create mode 100644 common/playbooks/templates/etc/exports.inventory_hostname
 create mode 100644 common/playbooks/templates/etc/exports.ipv4
 create mode 100644 common/playbooks/templates/etc/exports.ipv46
 create mode 100644 common/playbooks/templates/etc/mailutils.conf
 rename {cesnet-central => common}/playbooks/templates/etc/squid/conf.d/allcluster.conf (100%)
 create mode 100644 common/playbooks/upgrade.yaml
 create mode 100644 common/terraform/vars.tf
 mode change 100644 => 120000 staging1/playbooks/templates/etc/exports
 create mode 120000 staging1/playbooks/templates/etc/squid
 delete mode 120000 staging1/playbooks/templates/etc/squid/conf.d/allcluster.conf
 mode change 100644 => 120000 testing/playbooks/templates/etc/exports

diff --git a/cesnet-central/playbooks/cvmfs.yaml b/cesnet-central/playbooks/cvmfs.yaml
deleted file mode 100644
index 26eb1a8..0000000
--- a/cesnet-central/playbooks/cvmfs.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-- name: CVMFS deployment
-  hosts: ingress, nfs, worker, gpu
-  vars:
-    # EGI repositories: gridpp.egi.eu eosc.egi.eu pheno.egi.eu mice.egi.eu ghost.egi.eu wenmr.egi.eu neugrid.egi.eu auger.egi.eu dirac.egi.eu galdyn.egi.eu seadatanet.egi.eu ligo.egi.eu supernemo.egi.eu pravda.egi.eu chipster.egi.eu hyperk.egi.eu snoplus.egi.eu km3net.egi.eu t2k.egi.eu na62.egi.eu biomed.egi.eu eiscat.egi.eu comet.egi.eu notebooks.egi.eu
-    cvmfs_repositories:
-      - cvmfs-config.cern.ch  # required
-      - atlas.cern.ch
-      - cms.cern.ch
-      - grid.cern.ch
-      - auger.egi.eu
-      - biomed.egi.eu
-      - dirac.egi.eu
-      - eiscat.egi.eu
-      - notebooks.egi.eu
-  become: true
-  tasks:
-    - name: Check cvmfs apt repository
-      command:
-        cmd: dpkg-query -W cvmfs-release
-      register: cvmfs_release_check_deb
-      failed_when: cvmfs_release_check_deb.rc > 1
-      changed_when: false
-    # Avoid occasional network failures (partially)
-    - name: Set cvmfs apt repository proxy cache
-      copy:
-        dest: /etc/apt/apt.conf.d/99cvmfs-proxy
-        mode: 0644
-        content: |
-          Acquire::http::Proxy {
-              cvmrepo.web.cern.ch "http://{{ groups['ingress'][0] | ansible.utils.ipwrap }}:3128";
-          };
-    - name: Install and setup cvmfs apt repository
-      vars:
-        f: cvmfs-release-latest_all.deb
-      when: cvmfs_release_check_deb.rc | default(0) == 1
-      block:
-        - name: Download cvmfs-release latest package
-          get_url:
-            url: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/{{ f }}
-            dest: /tmp/{{ f }}
-            mode: 0644
-        - name: Install cvmfs-release latest package
-          apt:
-            deb: /tmp/{{ f }}
-        - name: Update apt cache with cvmfs apt repository
-          apt:
-            update_cache: true
-    - name: Install cvmfs
-      package:
-        name: cvmfs
-        state: present
-    - name: Config cvmfs
-      copy:
-        dest: /etc/cvmfs/default.local
-        mode: 0644
-        content: |
-          CVMFS_HTTP_PROXY=http://{{ groups['ingress'][0] | ansible.utils.ipwrap }}:3128
-    - name: Setup and mount cvmfs repository {{ item }}
-      ansible.posix.mount:
-        path: /cvmfs/{{ item }}
-        src: "{{ item }}"
-        fstype: cvmfs
-        opts: defaults,_netdev,nodev,x-systemd.requires-mounts-for=/cvmfs/config-egi.egi.eu
-        state: mounted
-      with_items: "{{ cvmfs_repositories }}"
-    - name: Check updatedb.conf existence
-      stat:
-        path: /etc/updatedb.conf
-      register: register_updatedb
-    - name: Tune updatedb.conf - ensure /cvmfs in PRUNEPATHS
-      lineinfile:
-        path: /etc/updatedb.conf
-        backrefs: true
-        regex: '^(\s*PRUNEPATHS\s*=\s*)"(.*?)\s*(/cvmfs\s*)?"\s*$'
-        line: '\1"\2 /cvmfs"'
-      when: register_updatedb.stat.exists
diff --git a/cesnet-central/playbooks/cvmfs.yaml b/cesnet-central/playbooks/cvmfs.yaml
new file mode 120000
index 0000000..2e82cca
--- /dev/null
+++ b/cesnet-central/playbooks/cvmfs.yaml
@@ -0,0 +1 @@
+../../common/playbooks/cvmfs.yaml
\ No newline at end of file
diff --git a/cesnet-central/playbooks/ephemeral.yaml b/cesnet-central/playbooks/ephemeral.yaml
new file mode 100644
index 0000000..87dcb15
--- /dev/null
+++ b/cesnet-central/playbooks/ephemeral.yaml
@@ -0,0 +1,43 @@
+---
+- name: K8s customization
+  hosts: master
+  become: true
+  tasks:
+    - name: Git clone local-path-provisioner
+      git:
+        repo: https://github.com/rancher/local-path-provisioner.git
+        dest: "/root/git-local-path-provisioner"
+        clone: yes
+        update: no
+        version: v0.0.26
+    - name: Local path provisioner configuration
+      copy:
+        dest: /tmp/local-path-provisioner.yaml
+        mode: 0644
+        content: |
+          storageClass:
+            defaultClass: false
+            defaultVolumeType: hostPath
+            name: local-path
+          nodePathMap:
+            - node: DEFAULT_PATH_FOR_NON_LISTED_NODES
+              paths:
+                - /scratch
+    - name: Local path provisioner deployment
+      vars:
+        config: >-
+          --namespace local-path-storage
+          -f /tmp/local-path-provisioner.yaml
+          local-path-storage
+          /root/git-local-path-provisioner/deploy/chart/local-path-provisioner/
+      shell: |-
+        helm status --namespace local-path-storage local-path-storage
+        if [ $? -ne 0 ]; then
+            helm install {{ config }}
+        else
+            helm upgrade {{ config }}
+        fi
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+      when: true
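Review bot: The "Local path provisioner deployment" task reports `changed` on every run and its status/install/upgrade branch duplicates what `helm upgrade --install` already does; the shell body can shrink to `helm upgrade --install {{ config }}` (one line in place of the six-line if/else) with a `changed_when` expression added, and the trailing `when: true` is a no-op that should be dropped. The git task pins `version: v0.0.26` but also sets `update: no`, which as far as I can tell makes the module exit early when the clone already exists, so a later bump of `version` will not move the checkout; a comment on the task such as `# update: no — version is honoured only on first clone; remove the directory to re-pin` would save the next maintainer a surprise. Because the chart is fetched from a public repository at run time, pinning to a commit SHA rather than a tag would make the deployment reproducible even if the tag is moved. Writing the values file to the shared /tmp with mode 0644 is tolerable here because it holds no secrets, but placing it under /root next to the clone would avoid the shared-directory hazard altogether.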
diff --git a/cesnet-central/playbooks/files/calico.yaml b/cesnet-central/playbooks/files/calico.yaml
deleted file mode 100644
index 7f4cb47..0000000
--- a/cesnet-central/playbooks/files/calico.yaml
+++ /dev/null
@@ -1,5135 +0,0 @@
----
-# Source: calico/templates/calico-kube-controllers.yaml
-# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
-
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: calico-kube-controllers
-  namespace: kube-system
-  labels:
-    k8s-app: calico-kube-controllers
-spec:
-  maxUnavailable: 1
-  selector:
-    matchLabels:
-      k8s-app: calico-kube-controllers
----
-# Source: calico/templates/calico-kube-controllers.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-kube-controllers
-  namespace: kube-system
----
-# Source: calico/templates/calico-node.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-node
-  namespace: kube-system
----
-# Source: calico/templates/calico-node.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-cni-plugin
-  namespace: kube-system
----
-# Source: calico/templates/calico-config.yaml
-# This ConfigMap is used to configure a self-hosted Calico installation.
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: calico-config
-  namespace: kube-system
-data:
-  # Typha is disabled.
-  typha_service_name: "none"
-  # Configure the backend to use.
-  calico_backend: "bird"
-
-  # Configure the MTU to use for workload interfaces and tunnels.
-  # By default, MTU is auto-detected, and explicitly setting this field should not be required.
-  # You can override auto-detection by providing a non-zero value.
-  veth_mtu: "0"
-
-  # The CNI network configuration to install on each node. The special
-  # values in this config will be automatically populated.
-  cni_network_config: |-
-    {
-      "name": "k8s-pod-network",
-      "cniVersion": "0.3.1",
-      "plugins": [
-        {
-          "type": "calico",
-          "log_level": "info",
-          "log_file_path": "/var/log/calico/cni/cni.log",
-          "datastore_type": "kubernetes",
-          "nodename": "__KUBERNETES_NODE_NAME__",
-          "mtu": __CNI_MTU__,
-          "ipam": {
-              "type": "calico-ipam"
-          },
-          "policy": {
-              "type": "k8s"
-          },
-          "kubernetes": {
-              "kubeconfig": "__KUBECONFIG_FILEPATH__"
-          }
-        },
-        {
-          "type": "portmap",
-          "snat": true,
-          "capabilities": {"portMappings": true}
-        },
-        {
-          "type": "bandwidth",
-          "capabilities": {"bandwidth": true}
-        }
-      ]
-    }
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: bgpconfigurations.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: BGPConfiguration
-    listKind: BGPConfigurationList
-    plural: bgpconfigurations
-    singular: bgpconfiguration
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        description: BGPConfiguration contains the configuration for any BGP routing.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: BGPConfigurationSpec contains the values of the BGP configuration.
-            properties:
-              asNumber:
-                description: 'ASNumber is the default AS number used by a node. [Default:
-                  64512]'
-                format: int32
-                type: integer
-              bindMode:
-                description: BindMode indicates whether to listen for BGP connections
-                  on all addresses (None) or only on the node's canonical IP address
-                  Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
-                  for BGP connections on all addresses.
-                type: string
-              communities:
-                description: Communities is a list of BGP community values and their
-                  arbitrary names for tagging routes.
-                items:
-                  description: Community contains standard or large community value
-                    and its name.
-                  properties:
-                    name:
-                      description: Name given to community value.
-                      type: string
-                    value:
-                      description: Value must be of format `aa:nn` or `aa:nn:mm`.
-                        For standard community use `aa:nn` format, where `aa` and
-                        `nn` are 16 bit number. For large community use `aa:nn:mm`
-                        format, where `aa`, `nn` and `mm` are 32 bit number. Where,
-                        `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
-                      pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
-                      type: string
-                  type: object
-                type: array
-              ignoredInterfaces:
-                description: IgnoredInterfaces indicates the network interfaces that
-                  needs to be excluded when reading device routes.
-                items:
-                  type: string
-                type: array
-              listenPort:
-                description: ListenPort is the port where BGP protocol should listen.
-                  Defaults to 179
-                maximum: 65535
-                minimum: 1
-                type: integer
-              logSeverityScreen:
-                description: 'LogSeverityScreen is the log severity above which logs
-                  are sent to the stdout. [Default: INFO]'
-                type: string
-              nodeMeshMaxRestartTime:
-                description: Time to allow for software restart for node-to-mesh peerings.  When
-                  specified, this is configured as the graceful restart timeout.  When
-                  not specified, the BIRD default of 120s is used. This field can
-                  only be set on the default BGPConfiguration instance and requires
-                  that NodeMesh is enabled
-                type: string
-              nodeMeshPassword:
-                description: Optional BGP password for full node-to-mesh peerings.
-                  This field can only be set on the default BGPConfiguration instance
-                  and requires that NodeMesh is enabled
-                properties:
-                  secretKeyRef:
-                    description: Selects a key of a secret in the node pod's namespace.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                type: object
-              nodeToNodeMeshEnabled:
-                description: 'NodeToNodeMeshEnabled sets whether full node to node
-                  BGP mesh is enabled. [Default: true]'
-                type: boolean
-              prefixAdvertisements:
-                description: PrefixAdvertisements contains per-prefix advertisement
-                  configuration.
-                items:
-                  description: PrefixAdvertisement configures advertisement properties
-                    for the specified CIDR.
-                  properties:
-                    cidr:
-                      description: CIDR for which properties should be advertised.
-                      type: string
-                    communities:
-                      description: Communities can be list of either community names
-                        already defined in `Specs.Communities` or community value
-                        of format `aa:nn` or `aa:nn:mm`. For standard community use
-                        `aa:nn` format, where `aa` and `nn` are 16 bit number. For
-                        large community use `aa:nn:mm` format, where `aa`, `nn` and
-                        `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
-                        `mm` are per-AS identifier.
-                      items:
-                        type: string
-                      type: array
-                  type: object
-                type: array
-              serviceClusterIPs:
-                description: ServiceClusterIPs are the CIDR blocks from which service
-                  cluster IPs are allocated. If specified, Calico will advertise these
-                  blocks, as well as any cluster IPs within them.
-                items:
-                  description: ServiceClusterIPBlock represents a single allowed ClusterIP
-                    CIDR block.
-                  properties:
-                    cidr:
-                      type: string
-                  type: object
-                type: array
-              serviceExternalIPs:
-                description: ServiceExternalIPs are the CIDR blocks for Kubernetes
-                  Service External IPs. Kubernetes Service ExternalIPs will only be
-                  advertised if they are within one of these blocks.
-                items:
-                  description: ServiceExternalIPBlock represents a single allowed
-                    External IP CIDR block.
-                  properties:
-                    cidr:
-                      type: string
-                  type: object
-                type: array
-              serviceLoadBalancerIPs:
-                description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
-                  Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
-                  IPs will only be advertised if they are within one of these blocks.
-                items:
-                  description: ServiceLoadBalancerIPBlock represents a single allowed
-                    LoadBalancer IP CIDR block.
-                  properties:
-                    cidr:
-                      type: string
-                  type: object
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: bgpfilters.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: BGPFilter
-    listKind: BGPFilterList
-    plural: bgpfilters
-    singular: bgpfilter
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of
-              the BGP Filter.
-            properties:
-              exportV4:
-                description: The ordered set of IPv4 BGPFilter rules acting on exporting
-                  routes to a peer.
-                items:
-                  description: BGPFilterRuleV4 defines a BGP filter rule consisting
-                    a single IPv4 CIDR block and a filter action for this CIDR.
-                  properties:
-                    action:
-                      type: string
-                    cidr:
-                      type: string
-                    interface:
-                      type: string
-                    matchOperator:
-                      type: string
-                    source:
-                      type: string
-                  required:
-                  - action
-                  type: object
-                type: array
-              exportV6:
-                description: The ordered set of IPv6 BGPFilter rules acting on exporting
-                  routes to a peer.
-                items:
-                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
-                    a single IPv6 CIDR block and a filter action for this CIDR.
-                  properties:
-                    action:
-                      type: string
-                    cidr:
-                      type: string
-                    interface:
-                      type: string
-                    matchOperator:
-                      type: string
-                    source:
-                      type: string
-                  required:
-                  - action
-                  type: object
-                type: array
-              importV4:
-                description: The ordered set of IPv4 BGPFilter rules acting on importing
-                  routes from a peer.
-                items:
-                  description: BGPFilterRuleV4 defines a BGP filter rule consisting
-                    a single IPv4 CIDR block and a filter action for this CIDR.
-                  properties:
-                    action:
-                      type: string
-                    cidr:
-                      type: string
-                    interface:
-                      type: string
-                    matchOperator:
-                      type: string
-                    source:
-                      type: string
-                  required:
-                  - action
-                  type: object
-                type: array
-              importV6:
-                description: The ordered set of IPv6 BGPFilter rules acting on importing
-                  routes from a peer.
-                items:
-                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
-                    a single IPv6 CIDR block and a filter action for this CIDR.
-                  properties:
-                    action:
-                      type: string
-                    cidr:
-                      type: string
-                    interface:
-                      type: string
-                    matchOperator:
-                      type: string
-                    source:
-                      type: string
-                  required:
-                  - action
-                  type: object
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: bgppeers.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: BGPPeer
-    listKind: BGPPeerList
-    plural: bgppeers
-    singular: bgppeer
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: BGPPeerSpec contains the specification for a BGPPeer resource.
-            properties:
-              asNumber:
-                description: The AS Number of the peer.
-                format: int32
-                type: integer
-              filters:
-                description: The ordered set of BGPFilters applied on this BGP peer.
-                items:
-                  type: string
-                type: array
-              keepOriginalNextHop:
-                description: Option to keep the original nexthop field when routes
-                  are sent to a BGP Peer. Setting "true" configures the selected BGP
-                  Peers node to use the "next hop keep;" instead of "next hop self;"(default)
-                  in the specific branch of the Node on "bird.cfg".
-                type: boolean
-              maxRestartTime:
-                description: Time to allow for software restart.  When specified,
-                  this is configured as the graceful restart timeout.  When not specified,
-                  the BIRD default of 120s is used.
-                type: string
-              node:
-                description: The node name identifying the Calico node instance that
-                  is targeted by this peer. If this is not set, and no nodeSelector
-                  is specified, then this BGP peer selects all nodes in the cluster.
-                type: string
-              nodeSelector:
-                description: Selector for the nodes that should have this peering.  When
-                  this is set, the Node field must be empty.
-                type: string
-              numAllowedLocalASNumbers:
-                description: Maximum number of local AS numbers that are allowed in
-                  the AS path for received routes. This removes BGP loop prevention
-                  and should only be used if absolutely necessary.
-                format: int32
-                type: integer
-              password:
-                description: Optional BGP password for the peerings generated by this
-                  BGPPeer resource.
-                properties:
-                  secretKeyRef:
-                    description: Selects a key of a secret in the node pod's namespace.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                          TODO: Add other useful fields. apiVersion, kind, uid?'
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                type: object
-              peerIP:
-                description: The IP address of the peer followed by an optional port
-                  number to peer with. If port number is given, format should be `[<IPv6>]:port`
-                  or `<IPv4>:<port>` for IPv4. If optional port number is not set,
-                  and this peer IP and ASNumber belongs to a calico/node with ListenPort
-                  set in BGPConfiguration, then we use that port to peer.
-                type: string
-              peerSelector:
-                description: Selector for the remote nodes to peer with.  When this
-                  is set, the PeerIP and ASNumber fields must be empty.  For each
-                  peering between the local node and selected remote nodes, we configure
-                  an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
-                  and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified.  The
-                  remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
-                  or the global default if that is not set.
-                type: string
-              reachableBy:
-                description: Add an exact, i.e. /32, static route toward peer IP in
-                  order to prevent route flapping. ReachableBy contains the address
-                  of the gateway which peer can be reached by.
-                type: string
-              sourceAddress:
-                description: Specifies whether and how to configure a source address
-                  for the peerings generated by this BGPPeer resource.  Default value
-                  "UseNodeIP" means to configure the node IP as the source address.  "None"
-                  means not to configure a source address.
-                type: string
-              ttlSecurity:
-                description: TTLSecurity enables the generalized TTL security mechanism
-                  (GTSM) which protects against spoofed packets by ignoring received
-                  packets with a smaller than expected TTL value. The provided value
-                  is the number of hops (edges) between the peers.
-                type: integer
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: blockaffinities.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: BlockAffinity
-    listKind: BlockAffinityList
-    plural: blockaffinities
-    singular: blockaffinity
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: BlockAffinitySpec contains the specification for a BlockAffinity
-              resource.
-            properties:
-              cidr:
-                type: string
-              deleted:
-                description: Deleted indicates that this block affinity is being deleted.
-                  This field is a string for compatibility with older releases that
-                  mistakenly treat this field as a string.
-                type: string
-              node:
-                type: string
-              state:
-                type: string
-            required:
-            - cidr
-            - deleted
-            - node
-            - state
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: caliconodestatuses.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: CalicoNodeStatus
-    listKind: CalicoNodeStatusList
-    plural: caliconodestatuses
-    singular: caliconodestatus
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
-              resource.
-            properties:
-              classes:
-                description: Classes declares the types of information to monitor
-                  for this calico/node, and allows for selective status reporting
-                  about certain subsets of information.
-                items:
-                  type: string
-                type: array
-              node:
-                description: The node name identifies the Calico node instance for
-                  node status.
-                type: string
-              updatePeriodSeconds:
-                description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
-                  should be updated. Set to 0 to disable CalicoNodeStatus refresh.
-                  Maximum update period is one day.
-                format: int32
-                type: integer
-            type: object
-          status:
-            description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
-              No validation needed for status since it is updated by Calico.
-            properties:
-              agent:
-                description: Agent holds agent status on the node.
-                properties:
-                  birdV4:
-                    description: BIRDV4 represents the latest observed status of bird4.
-                    properties:
-                      lastBootTime:
-                        description: LastBootTime holds the value of lastBootTime
-                          from bird.ctl output.
-                        type: string
-                      lastReconfigurationTime:
-                        description: LastReconfigurationTime holds the value of lastReconfigTime
-                          from bird.ctl output.
-                        type: string
-                      routerID:
-                        description: Router ID used by bird.
-                        type: string
-                      state:
-                        description: The state of the BGP Daemon.
-                        type: string
-                      version:
-                        description: Version of the BGP daemon
-                        type: string
-                    type: object
-                  birdV6:
-                    description: BIRDV6 represents the latest observed status of bird6.
-                    properties:
-                      lastBootTime:
-                        description: LastBootTime holds the value of lastBootTime
-                          from bird.ctl output.
-                        type: string
-                      lastReconfigurationTime:
-                        description: LastReconfigurationTime holds the value of lastReconfigTime
-                          from bird.ctl output.
-                        type: string
-                      routerID:
-                        description: Router ID used by bird.
-                        type: string
-                      state:
-                        description: The state of the BGP Daemon.
-                        type: string
-                      version:
-                        description: Version of the BGP daemon
-                        type: string
-                    type: object
-                type: object
-              bgp:
-                description: BGP holds node BGP status.
-                properties:
-                  numberEstablishedV4:
-                    description: The total number of IPv4 established bgp sessions.
-                    type: integer
-                  numberEstablishedV6:
-                    description: The total number of IPv6 established bgp sessions.
-                    type: integer
-                  numberNotEstablishedV4:
-                    description: The total number of IPv4 non-established bgp sessions.
-                    type: integer
-                  numberNotEstablishedV6:
-                    description: The total number of IPv6 non-established bgp sessions.
-                    type: integer
-                  peersV4:
-                    description: PeersV4 represents IPv4 BGP peers status on the node.
-                    items:
-                      description: CalicoNodePeer contains the status of BGP peers
-                        on the node.
-                      properties:
-                        peerIP:
-                          description: IP address of the peer whose condition we are
-                            reporting.
-                          type: string
-                        since:
-                          description: Since the state or reason last changed.
-                          type: string
-                        state:
-                          description: State is the BGP session state.
-                          type: string
-                        type:
-                          description: Type indicates whether this peer is configured
-                            via the node-to-node mesh, or via en explicit global or
-                            per-node BGPPeer object.
-                          type: string
-                      type: object
-                    type: array
-                  peersV6:
-                    description: PeersV6 represents IPv6 BGP peers status on the node.
-                    items:
-                      description: CalicoNodePeer contains the status of BGP peers
-                        on the node.
-                      properties:
-                        peerIP:
-                          description: IP address of the peer whose condition we are
-                            reporting.
-                          type: string
-                        since:
-                          description: Since the state or reason last changed.
-                          type: string
-                        state:
-                          description: State is the BGP session state.
-                          type: string
-                        type:
-                          description: Type indicates whether this peer is configured
-                            via the node-to-node mesh, or via en explicit global or
-                            per-node BGPPeer object.
-                          type: string
-                      type: object
-                    type: array
-                required:
-                - numberEstablishedV4
-                - numberEstablishedV6
-                - numberNotEstablishedV4
-                - numberNotEstablishedV6
-                type: object
-              lastUpdated:
-                description: LastUpdated is a timestamp representing the server time
-                  when CalicoNodeStatus object last updated. It is represented in
-                  RFC3339 form and is in UTC.
-                format: date-time
-                nullable: true
-                type: string
-              routes:
-                description: Routes reports routes known to the Calico BGP daemon
-                  on the node.
-                properties:
-                  routesV4:
-                    description: RoutesV4 represents IPv4 routes on the node.
-                    items:
-                      description: CalicoNodeRoute contains the status of BGP routes
-                        on the node.
-                      properties:
-                        destination:
-                          description: Destination of the route.
-                          type: string
-                        gateway:
-                          description: Gateway for the destination.
-                          type: string
-                        interface:
-                          description: Interface for the destination
-                          type: string
-                        learnedFrom:
-                          description: LearnedFrom contains information regarding
-                            where this route originated.
-                          properties:
-                            peerIP:
-                              description: If sourceType is NodeMesh or BGPPeer, IP
-                                address of the router that sent us this route.
-                              type: string
-                            sourceType:
-                              description: Type of the source where a route is learned
-                                from.
-                              type: string
-                          type: object
-                        type:
-                          description: Type indicates if the route is being used for
-                            forwarding or not.
-                          type: string
-                      type: object
-                    type: array
-                  routesV6:
-                    description: RoutesV6 represents IPv6 routes on the node.
-                    items:
-                      description: CalicoNodeRoute contains the status of BGP routes
-                        on the node.
-                      properties:
-                        destination:
-                          description: Destination of the route.
-                          type: string
-                        gateway:
-                          description: Gateway for the destination.
-                          type: string
-                        interface:
-                          description: Interface for the destination
-                          type: string
-                        learnedFrom:
-                          description: LearnedFrom contains information regarding
-                            where this route originated.
-                          properties:
-                            peerIP:
-                              description: If sourceType is NodeMesh or BGPPeer, IP
-                                address of the router that sent us this route.
-                              type: string
-                            sourceType:
-                              description: Type of the source where a route is learned
-                                from.
-                              type: string
-                          type: object
-                        type:
-                          description: Type indicates if the route is being used for
-                            forwarding or not.
-                          type: string
-                      type: object
-                    type: array
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterinformations.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: ClusterInformation
-    listKind: ClusterInformationList
-    plural: clusterinformations
-    singular: clusterinformation
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        description: ClusterInformation contains the cluster specific information.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ClusterInformationSpec contains the values of describing
-              the cluster.
-            properties:
-              calicoVersion:
-                description: CalicoVersion is the version of Calico that the cluster
-                  is running
-                type: string
-              clusterGUID:
-                description: ClusterGUID is the GUID of the cluster
-                type: string
-              clusterType:
-                description: ClusterType describes the type of the cluster
-                type: string
-              datastoreReady:
-                description: DatastoreReady is used during significant datastore migrations
-                  to signal to components such as Felix that it should wait before
-                  accessing the datastore.
-                type: boolean
-              variant:
-                description: Variant declares which variant of Calico should be active.
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: felixconfigurations.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: FelixConfiguration
-    listKind: FelixConfigurationList
-    plural: felixconfigurations
-    singular: felixconfiguration
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        description: Felix Configuration contains the configuration for Felix.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: FelixConfigurationSpec contains the values of the Felix configuration.
-            properties:
-              allowIPIPPacketsFromWorkloads:
-                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
-                  will add a rule to drop IPIP encapsulated traffic from workloads
-                  [Default: false]'
-                type: boolean
-              allowVXLANPacketsFromWorkloads:
-                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
-                  will add a rule to drop VXLAN encapsulated traffic from workloads
-                  [Default: false]'
-                type: boolean
-              awsSrcDstCheck:
-                description: 'Set source-destination-check on AWS EC2 instances. Accepted
-                  value must be one of "DoNothing", "Enable" or "Disable". [Default:
-                  DoNothing]'
-                enum:
-                - DoNothing
-                - Enable
-                - Disable
-                type: string
-              bpfCTLBLogFilter:
-                description: 'BPFCTLBLogFilter specifies, what is logged by connect
-                  time load balancer when BPFLogLevel is debug. Currently has to be
-                  specified as ''all'' when BPFLogFilters is set to see CTLB logs.
-                  [Default: unset - means logs are emitted when BPFLogLevel id debug
-                  and BPFLogFilters not set.]'
-                type: string
-              bpfConnectTimeLoadBalancing:
-                description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
-                  whether Felix installs the connect-time load balancer. The connect-time
-                  load balancer is required for the host to be able to reach Kubernetes
-                  services and it improves the performance of pod-to-service connections.When
-                  set to TCP, connect time load balancing is available only for services
-                  with TCP ports. [Default: TCP]'
-                enum:
-                - TCP
-                - Enabled
-                - Disabled
-                type: string
-              bpfConnectTimeLoadBalancingEnabled:
-                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
-                  controls whether Felix installs the connection-time load balancer.  The
-                  connect-time load balancer is required for the host to be able to
-                  reach Kubernetes services and it improves the performance of pod-to-service
-                  connections.  The only reason to disable it is for debugging purposes.
-                  This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
-                  true]'
-                type: boolean
-              bpfDSROptoutCIDRs:
-                description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
-                  from DSR. That is, clients in those CIDRs will accesses nodeports
-                  as if BPFExternalServiceMode was set to Tunnel.
-                items:
-                  type: string
-                type: array
-              bpfDataIfacePattern:
-                description: BPFDataIfacePattern is a regular expression that controls
-                  which interfaces Felix should attach BPF programs to in order to
-                  catch traffic to/from the network.  This needs to match the interfaces
-                  that Calico workload traffic flows over as well as any interfaces
-                  that handle incoming traffic to nodeports and services from outside
-                  the cluster.  It should not match the workload interfaces (usually
-                  named cali...).
-                type: string
-              bpfDisableGROForIfaces:
-                description: BPFDisableGROForIfaces is a regular expression that controls
-                  which interfaces Felix should disable the Generic Receive Offload
-                  [GRO] option.  It should not match the workload interfaces (usually
-                  named cali...).
-                type: string
-              bpfDisableUnprivileged:
-                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
-                  sysctl to disable unprivileged use of BPF.  This ensures that unprivileged
-                  users cannot access Calico''s BPF maps and cannot insert their own
-                  BPF programs to interfere with Calico''s. [Default: true]'
-                type: boolean
-              bpfEnabled:
-                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
-                  [Default: false]'
-                type: boolean
-              bpfEnforceRPF:
-                description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
-                  with BPF programs regardless of what is the per-interfaces or global
-                  setting. Possible values are Disabled, Strict or Loose. [Default:
-                  Loose]'
-                pattern: ^(?i)(Disabled|Strict|Loose)?$
-                type: string
-              bpfExcludeCIDRsFromNAT:
-                description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
-                  be excluded from NAT resolution so that host can handle them. A
-                  typical usecase is node local DNS cache.
-                items:
-                  type: string
-                type: array
-              bpfExtToServiceConnmark:
-                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
-                  mark that is set on connections from an external client to a local
-                  service. This mark allows us to control how packets of that connection
-                  are routed within the host and how is routing interpreted by RPF
-                  check. [Default: 0]'
-                type: integer
-              bpfExternalServiceMode:
-                description: 'BPFExternalServiceMode in BPF mode, controls how connections
-                  from outside the cluster to services (node ports and cluster IPs)
-                  are forwarded to remote workloads.  If set to "Tunnel" then both
-                  request and response traffic is tunneled to the remote node.  If
-                  set to "DSR", the request traffic is tunneled but the response traffic
-                  is sent directly from the remote node.  In "DSR" mode, the remote
-                  node appears to use the IP of the ingress node; this requires a
-                  permissive L2 network.  [Default: Tunnel]'
-                pattern: ^(?i)(Tunnel|DSR)?$
-                type: string
-              bpfForceTrackPacketsFromIfaces:
-                description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
-                  from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
-                  traffic from those interfaces to be tracked by Linux conntrack.  Should
-                  only be used for interfaces that are not used for the Calico fabric.  For
-                  example, a docker bridge device for non-Calico-networked containers.
-                  [Default: docker+]'
-                items:
-                  type: string
-                type: array
-              bpfHostConntrackBypass:
-                description: 'BPFHostConntrackBypass Controls whether to bypass Linux
-                  conntrack in BPF mode for workloads and services. [Default: true
-                  - bypass Linux conntrack]'
-                type: boolean
-              bpfHostNetworkedNATWithoutCTLB:
-                description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
-                  whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
-                  determines the CTLB behavior. [Default: Enabled]'
-                enum:
-                - Enabled
-                - Disabled
-                type: string
-              bpfKubeProxyEndpointSlicesEnabled:
-                description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
-                  no effect. BPF kube-proxy always accepts endpoint slices. This option
-                  will be removed in the next release.
-                type: boolean
-              bpfKubeProxyIptablesCleanupEnabled:
-                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
-                  mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
-                  iptables chains.  Should only be enabled if kube-proxy is not running.  [Default:
-                  true]'
-                type: boolean
-              bpfKubeProxyMinSyncPeriod:
-                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
-                  minimum time between updates to the dataplane for Felix''s embedded
-                  kube-proxy.  Lower values give reduced set-up latency.  Higher values
-                  reduce Felix CPU usage by batching up more work.  [Default: 1s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              bpfL3IfacePattern:
-                description: BPFL3IfacePattern is a regular expression that allows
-                  to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
-                  in addition to BPFDataIfacePattern. That is, tunnel interfaces not
-                  created by Calico, that Calico workload traffic flows over as well
-                  as any interfaces that handle incoming traffic to nodeports and
-                  services from outside the cluster.
-                type: string
-              bpfLogFilters:
-                additionalProperties:
-                  type: string
-                description: "BPFLogFilters is a map of key=values where the value
-                  is a pcap filter expression and the key is an interface name with
-                  'all' denoting all interfaces, 'weps' all workload endpoints and
-                  'heps' all host endpoints. \n When specified as an env var, it accepts
-                  a comma-separated list of key=values. [Default: unset - means all
-                  debug logs are emitted]"
-                type: object
-              bpfLogLevel:
-                description: 'BPFLogLevel controls the log level of the BPF programs
-                  when in BPF dataplane mode.  One of "Off", "Info", or "Debug".  The
-                  logs are emitted to the BPF trace pipe, accessible with the command
-                  `tc exec bpf debug`. [Default: Off].'
-                pattern: ^(?i)(Off|Info|Debug)?$
-                type: string
-              bpfMapSizeConntrack:
-                description: 'BPFMapSizeConntrack sets the size for the conntrack
-                  map.  This map must be large enough to hold an entry for each active
-                  connection.  Warning: changing the size of the conntrack map can
-                  cause disruption.'
-                type: integer
-              bpfMapSizeIPSets:
-                description: BPFMapSizeIPSets sets the size for ipsets map.  The IP
-                  sets map must be large enough to hold an entry for each endpoint
-                  matched by every selector in the source/destination matches in network
-                  policy.  Selectors such as "all()" can result in large numbers of
-                  entries (one entry per endpoint in that case).
-                type: integer
-              bpfMapSizeIfState:
-                description: BPFMapSizeIfState sets the size for ifstate map.  The
-                  ifstate map must be large enough to hold an entry for each device
-                  (host + workloads) on a host.
-                type: integer
-              bpfMapSizeNATAffinity:
-                type: integer
-              bpfMapSizeNATBackend:
-                description: BPFMapSizeNATBackend sets the size for nat back end map.
-                  This is the total number of endpoints. This is mostly more than
-                  the size of the number of services.
-                type: integer
-              bpfMapSizeNATFrontend:
-                description: BPFMapSizeNATFrontend sets the size for nat front end
-                  map. FrontendMap should be large enough to hold an entry for each
-                  nodeport, external IP and each port in each service.
-                type: integer
-              bpfMapSizeRoute:
-                description: BPFMapSizeRoute sets the size for the routes map.  The
-                  routes map should be large enough to hold one entry per workload
-                  and a handful of entries per host (enough to cover its own IPs and
-                  tunnel IPs).
-                type: integer
-              bpfPSNATPorts:
-                anyOf:
-                - type: integer
-                - type: string
-                description: 'BPFPSNATPorts sets the range from which we randomly
-                  pick a port if there is a source port collision. This should be
-                  within the ephemeral range as defined by RFC 6056 (1024–65535) and
-                  preferably outside the  ephemeral ranges used by common operating
-                  systems. Linux uses 32768–60999, while others mostly use the IANA
-                  defined range 49152–65535. It is not necessarily a problem if this
-                  range overlaps with the operating systems. Both ends of the range
-                  are inclusive. [Default: 20000:29999]'
-                pattern: ^.*
-                x-kubernetes-int-or-string: true
-              bpfPolicyDebugEnabled:
-                description: BPFPolicyDebugEnabled when true, Felix records detailed
-                  information about the BPF policy programs, which can be examined
-                  with the calico-bpf command-line tool.
-                type: boolean
-              chainInsertMode:
-                description: 'ChainInsertMode controls whether Felix hooks the kernel''s
-                  top-level iptables chains by inserting a rule at the top of the
-                  chain or by appending a rule at the bottom. insert is the safe default
-                  since it prevents Calico''s rules from being bypassed. If you switch
-                  to append mode, be sure that the other rules in the chains signal
-                  acceptance by falling through to the Calico rules, otherwise the
-                  Calico policy will be bypassed. [Default: insert]'
-                pattern: ^(?i)(insert|append)?$
-                type: string
-              dataplaneDriver:
-                description: DataplaneDriver filename of the external dataplane driver
-                  to use.  Only used if UseInternalDataplaneDriver is set to false.
-                type: string
-              dataplaneWatchdogTimeout:
-                description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
-                  used for Felix's (internal) dataplane driver. Increase this value
-                  if you experience spurious non-ready or non-live events when Felix
-                  is under heavy load. Decrease the value to get felix to report non-live
-                  or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
-                  by the generic HealthTimeoutOverrides."
-                type: string
-              debugDisableLogDropping:
-                type: boolean
-              debugHost:
-                description: DebugHost is the host IP or hostname to bind the debug
-                  port to.  Only used if DebugPort is set. [Default:localhost]
-                type: string
-              debugMemoryProfilePath:
-                type: string
-              debugPort:
-                description: DebugPort if set, enables Felix's debug HTTP port, which
-                  allows memory and CPU profiles to be retrieved.  The debug port
-                  is not secure, it should not be exposed to the internet.
-                type: integer
-              debugSimulateCalcGraphHangAfter:
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              debugSimulateDataplaneApplyDelay:
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              debugSimulateDataplaneHangAfter:
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              defaultEndpointToHostAction:
-                description: 'DefaultEndpointToHostAction controls what happens to
-                  traffic that goes from a workload endpoint to the host itself (after
-                  the traffic hits the endpoint egress policy). By default Calico
-                  blocks traffic from workload endpoints to the host itself with an
-                  iptables "DROP" action. If you want to allow some or all traffic
-                  from endpoint to host, set this parameter to RETURN or ACCEPT. Use
-                  RETURN if you have your own rules in the iptables "INPUT" chain;
-                  Calico will insert its rules at the top of that chain, then "RETURN"
-                  packets to the "INPUT" chain once it has completed processing workload
-                  endpoint egress policy. Use ACCEPT to unconditionally accept packets
-                  from workloads after processing workload endpoint egress policy.
-                  [Default: Drop]'
-                pattern: ^(?i)(Drop|Accept|Return)?$
-                type: string
-              deviceRouteProtocol:
-                description: This defines the route protocol added to programmed device
-                  routes, by default this will be RTPROT_BOOT when left blank.
-                type: integer
-              deviceRouteSourceAddress:
-                description: This is the IPv4 source address to use on programmed
-                  device routes. By default the source address is left blank, leaving
-                  the kernel to choose the source address used.
-                type: string
-              deviceRouteSourceAddressIPv6:
-                description: This is the IPv6 source address to use on programmed
-                  device routes. By default the source address is left blank, leaving
-                  the kernel to choose the source address used.
-                type: string
-              disableConntrackInvalidCheck:
-                type: boolean
-              endpointReportingDelay:
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              endpointReportingEnabled:
-                type: boolean
-              endpointStatusPathPrefix:
-                description: "EndpointStatusPathPrefix is the path to the directory
-                  where endpoint status will be written. Endpoint status file reporting
-                  is disabled if field is left empty. \n Chosen directory should match
-                  the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
-                type: string
-              externalNodesList:
-                description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
-                  which may source tunnel traffic and have the tunneled traffic be
-                  accepted at calico nodes.
-                items:
-                  type: string
-                type: array
-              failsafeInboundHostPorts:
-                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
-                  and CIDRs that Felix will allow incoming traffic to host endpoints
-                  on irrespective of the security policy. This is useful to avoid
-                  accidentally cutting off a host with incorrect configuration. For
-                  back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". If a CIDR is not specified, it will allow traffic from
-                  all addresses. To disable all inbound host ports, use the value
-                  none. The default value allows ssh access and DHCP. [Default: tcp:22,
-                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
-                items:
-                  description: ProtoPort is combination of protocol, port, and CIDR.
-                    Protocol and port must be specified.
-                  properties:
-                    net:
-                      type: string
-                    port:
-                      type: integer
-                    protocol:
-                      type: string
-                  required:
-                  - port
-                  - protocol
-                  type: object
-                type: array
-              failsafeOutboundHostPorts:
-                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
-                  and CIDRs that Felix will allow outgoing traffic from host endpoints
-                  to irrespective of the security policy. This is useful to avoid
-                  accidentally cutting off a host with incorrect configuration. For
-                  back-compatibility, if the protocol is not specified, it defaults
-                  to "tcp". If a CIDR is not specified, it will allow traffic from
-                  all addresses. To disable all outbound host ports, use the value
-                  none. The default value opens etcd''s standard ports to ensure that
-                  Felix does not get cut off from etcd as well as allowing DHCP and
-                  DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
-                  tcp:6667, udp:53, udp:67]'
-                items:
-                  description: ProtoPort is combination of protocol, port, and CIDR.
-                    Protocol and port must be specified.
-                  properties:
-                    net:
-                      type: string
-                    port:
-                      type: integer
-                    protocol:
-                      type: string
-                  required:
-                  - port
-                  - protocol
-                  type: object
-                type: array
-              featureDetectOverride:
-                description: FeatureDetectOverride is used to override feature detection
-                  based on auto-detected platform capabilities.  Values are specified
-                  in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".  "true"
-                  or "false" will force the feature, empty or omitted values are auto-detected.
-                pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
-                type: string
-              featureGates:
-                description: FeatureGates is used to enable or disable tech-preview
-                  Calico features. Values are specified in a comma separated list
-                  with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
-                  This is used to enable features that are not fully production ready.
-                pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
-                type: string
-              floatingIPs:
-                description: FloatingIPs configures whether or not Felix will program
-                  non-OpenStack floating IP addresses.  (OpenStack-derived floating
-                  IPs are always programmed, regardless of this setting.)
-                enum:
-                - Enabled
-                - Disabled
-                type: string
-              genericXDPEnabled:
-                description: 'GenericXDPEnabled enables Generic XDP so network cards
-                  that don''t support XDP offload or driver modes can use XDP. This
-                  is not recommended since it doesn''t provide better performance
-                  than iptables. [Default: false]'
-                type: boolean
-              healthEnabled:
-                type: boolean
-              healthHost:
-                type: string
-              healthPort:
-                type: integer
-              healthTimeoutOverrides:
-                description: HealthTimeoutOverrides allows the internal watchdog timeouts
-                  of individual subcomponents to be overridden.  This is useful for
-                  working around "false positive" liveness timeouts that can occur
-                  in particularly stressful workloads or if CPU is constrained.  For
-                  a list of active subcomponents, see Felix's logs.
-                items:
-                  properties:
-                    name:
-                      type: string
-                    timeout:
-                      type: string
-                  required:
-                  - name
-                  - timeout
-                  type: object
-                type: array
-              interfaceExclude:
-                description: 'InterfaceExclude is a comma-separated list of interfaces
-                  that Felix should exclude when monitoring for host endpoints. The
-                  default value ensures that Felix ignores Kubernetes'' IPVS dummy
-                  interface, which is used internally by kube-proxy. If you want to
-                  exclude multiple interface names using a single value, the list
-                  supports regular expressions. For regular expressions you must wrap
-                  the value with ''/''. For example having values ''/^kube/,veth1''
-                  will exclude all interfaces that begin with ''kube'' and also the
-                  interface ''veth1''. [Default: kube-ipvs0]'
-                type: string
-              interfacePrefix:
-                description: 'InterfacePrefix is the interface name prefix that identifies
-                  workload endpoints and so distinguishes them from host endpoint
-                  interfaces. Note: in environments other than bare metal, the orchestrators
-                  configure this appropriately. For example our Kubernetes and Docker
-                  integrations set the ''cali'' value, and our OpenStack integration
-                  sets the ''tap'' value. [Default: cali]'
-                type: string
-              interfaceRefreshInterval:
-                description: InterfaceRefreshInterval is the period at which Felix
-                  rescans local interfaces to verify their state. The rescan can be
-                  disabled by setting the interval to 0.
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              ipipEnabled:
-                description: 'IPIPEnabled overrides whether Felix should configure
-                  an IPIP interface on the host. Optional as Felix determines this
-                  based on the existing IP pools. [Default: nil (unset)]'
-                type: boolean
-              ipipMTU:
-                description: 'IPIPMTU is the MTU to set on the tunnel device. See
-                  Configuring MTU [Default: 1440]'
-                type: integer
-              ipsetsRefreshInterval:
-                description: 'IpsetsRefreshInterval is the period at which Felix re-checks
-                  all iptables state to ensure that no other process has accidentally
-                  broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
-                  90s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              iptablesBackend:
-                description: IptablesBackend specifies which backend of iptables will
-                  be used. The default is Auto.
-                pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
-                type: string
-              iptablesFilterAllowAction:
-                pattern: ^(?i)(Accept|Return)?$
-                type: string
-              iptablesFilterDenyAction:
-                description: IptablesFilterDenyAction controls what happens to traffic
-                  that is denied by network policy. By default Calico blocks traffic
-                  with an iptables "DROP" action. If you want to use "REJECT" action
-                  instead you can configure it in here.
-                pattern: ^(?i)(Drop|Reject)?$
-                type: string
-              iptablesLockFilePath:
-                description: 'IptablesLockFilePath is the location of the iptables
-                  lock file. You may need to change this if the lock file is not in
-                  its standard location (for example if you have mapped it into Felix''s
-                  container at a different path). [Default: /run/xtables.lock]'
-                type: string
-              iptablesLockProbeInterval:
-                description: 'IptablesLockProbeInterval is the time that Felix will
-                  wait between attempts to acquire the iptables lock if it is not
-                  available. Lower values make Felix more responsive when the lock
-                  is contended, but use more CPU. [Default: 50ms]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              iptablesLockTimeout:
-                description: 'IptablesLockTimeout is the time that Felix will wait
-                  for the iptables lock, or 0, to disable. To use this feature, Felix
-                  must share the iptables lock file with all other processes that
-                  also take the lock. When running Felix inside a container, this
-                  requires the /run directory of the host to be mounted into the calico/node
-                  or calico/felix container. [Default: 0s disabled]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              iptablesMangleAllowAction:
-                pattern: ^(?i)(Accept|Return)?$
-                type: string
-              iptablesMarkMask:
-                description: 'IptablesMarkMask is the mask that Felix selects its
-                  IPTables Mark bits from. Should be a 32 bit hexadecimal number with
-                  at least 8 bits set, none of which clash with any other mark bits
-                  in use on the system. [Default: 0xff000000]'
-                format: int32
-                type: integer
-              iptablesNATOutgoingInterfaceFilter:
-                type: string
-              iptablesPostWriteCheckInterval:
-                description: 'IptablesPostWriteCheckInterval is the period after Felix
-                  has done a write to the dataplane that it schedules an extra read
-                  back in order to check the write was not clobbered by another process.
-                  This should only occur if another application on the system doesn''t
-                  respect the iptables lock. [Default: 1s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              iptablesRefreshInterval:
-                description: 'IptablesRefreshInterval is the period at which Felix
-                  re-checks the IP sets in the dataplane to ensure that no other process
-                  has accidentally broken Calico''s rules. Set to 0 to disable IP
-                  sets refresh. Note: the default for this value is lower than the
-                  other refresh intervals as a workaround for a Linux kernel bug that
-                  was fixed in kernel version 4.11. If you are using v4.11 or greater
-                  you may want to set this to, a higher value to reduce Felix CPU
-                  usage. [Default: 10s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              ipv6Support:
-                description: IPv6Support controls whether Felix enables support for
-                  IPv6 (if supported by the in-use dataplane).
-                type: boolean
-              kubeNodePortRanges:
-                description: 'KubeNodePortRanges holds list of port ranges used for
-                  service node ports. Only used if felix detects kube-proxy running
-                  in ipvs mode. Felix uses these ranges to separate host and workload
-                  traffic. [Default: 30000:32767].'
-                items:
-                  anyOf:
-                  - type: integer
-                  - type: string
-                  pattern: ^.*
-                  x-kubernetes-int-or-string: true
-                type: array
-              logDebugFilenameRegex:
-                description: LogDebugFilenameRegex controls which source code files
-                  have their Debug log output included in the logs. Only logs from
-                  files with names that match the given regular expression are included.  The
-                  filter only applies to Debug level logs.
-                type: string
-              logFilePath:
-                description: 'LogFilePath is the full path to the Felix log. Set to
-                  none to disable file logging. [Default: /var/log/calico/felix.log]'
-                type: string
-              logPrefix:
-                description: 'LogPrefix is the log prefix that Felix uses when rendering
-                  LOG rules. [Default: calico-packet]'
-                type: string
-              logSeverityFile:
-                description: 'LogSeverityFile is the log severity above which logs
-                  are sent to the log file. [Default: Info]'
-                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
-                type: string
-              logSeverityScreen:
-                description: 'LogSeverityScreen is the log severity above which logs
-                  are sent to the stdout. [Default: Info]'
-                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
-                type: string
-              logSeveritySys:
-                description: 'LogSeveritySys is the log severity above which logs
-                  are sent to the syslog. Set to None for no logging to syslog. [Default:
-                  Info]'
-                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
-                type: string
-              maxIpsetSize:
-                type: integer
-              metadataAddr:
-                description: 'MetadataAddr is the IP address or domain name of the
-                  server that can answer VM queries for cloud-init metadata. In OpenStack,
-                  this corresponds to the machine running nova-api (or in Ubuntu,
-                  nova-api-metadata). A value of none (case-insensitive) means that
-                  Felix should not set up any NAT rule for the metadata path. [Default:
-                  127.0.0.1]'
-                type: string
-              metadataPort:
-                description: 'MetadataPort is the port of the metadata server. This,
-                  combined with global.MetadataAddr (if not ''None''), is used to
-                  set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
-                  In most cases this should not need to be changed [Default: 8775].'
-                type: integer
-              mtuIfacePattern:
-                description: MTUIfacePattern is a regular expression that controls
-                  which interfaces Felix should scan in order to calculate the host's
-                  MTU. This should not match workload interfaces (usually named cali...).
-                type: string
-              natOutgoingAddress:
-                description: NATOutgoingAddress specifies an address to use when performing
-                  source NAT for traffic in a natOutgoing pool that is leaving the
-                  network. By default the address used is an address on the interface
-                  the traffic is leaving on (ie it uses the iptables MASQUERADE target)
-                type: string
-              natPortRange:
-                anyOf:
-                - type: integer
-                - type: string
-                description: NATPortRange specifies the range of ports that is used
-                  for port mapping when doing outgoing NAT. When unset the default
-                  behavior of the network stack is used.
-                pattern: ^.*
-                x-kubernetes-int-or-string: true
-              netlinkTimeout:
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              openstackRegion:
-                description: 'OpenstackRegion is the name of the region that a particular
-                  Felix belongs to. In a multi-region Calico/OpenStack deployment,
-                  this must be configured somehow for each Felix (here in the datamodel,
-                  or in felix.cfg or the environment on each compute node), and must
-                  match the [calico] openstack_region value configured in neutron.conf
-                  on each node. [Default: Empty]'
-                type: string
-              policySyncPathPrefix:
-                description: 'PolicySyncPathPrefix is used to by Felix to communicate
-                  policy changes to external services, like Application layer policy.
-                  [Default: Empty]'
-                type: string
-              prometheusGoMetricsEnabled:
-                description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
-                  collection, which the Prometheus client does by default, when set
-                  to false. This reduces the number of metrics reported, reducing
-                  Prometheus load. [Default: true]'
-                type: boolean
-              prometheusMetricsEnabled:
-                description: 'PrometheusMetricsEnabled enables the Prometheus metrics
-                  server in Felix if set to true. [Default: false]'
-                type: boolean
-              prometheusMetricsHost:
-                description: 'PrometheusMetricsHost is the host that the Prometheus
-                  metrics server should bind to. [Default: empty]'
-                type: string
-              prometheusMetricsPort:
-                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
-                  metrics server should bind to. [Default: 9091]'
-                type: integer
-              prometheusProcessMetricsEnabled:
-                description: 'PrometheusProcessMetricsEnabled disables process metrics
-                  collection, which the Prometheus client does by default, when set
-                  to false. This reduces the number of metrics reported, reducing
-                  Prometheus load. [Default: true]'
-                type: boolean
-              prometheusWireGuardMetricsEnabled:
-                description: 'PrometheusWireGuardMetricsEnabled disables wireguard
-                  metrics collection, which the Prometheus client does by default,
-                  when set to false. This reduces the number of metrics reported,
-                  reducing Prometheus load. [Default: true]'
-                type: boolean
-              removeExternalRoutes:
-                description: Whether or not to remove device routes that have not
-                  been programmed by Felix. Disabling this will allow external applications
-                  to also add device routes. This is enabled by default which means
-                  we will remove externally added routes.
-                type: boolean
-              reportingInterval:
-                description: 'ReportingInterval is the interval at which Felix reports
-                  its status into the datastore or 0 to disable. Must be non-zero
-                  in OpenStack deployments. [Default: 30s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              reportingTTL:
-                description: 'ReportingTTL is the time-to-live setting for process-wide
-                  status reports. [Default: 90s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              routeRefreshInterval:
-                description: 'RouteRefreshInterval is the period at which Felix re-checks
-                  the routes in the dataplane to ensure that no other process has
-                  accidentally broken Calico''s rules. Set to 0 to disable route refresh.
-                  [Default: 90s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              routeSource:
-                description: 'RouteSource configures where Felix gets its routing
-                  information. - WorkloadIPs: use workload endpoints to construct
-                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
-                pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
-                type: string
-              routeSyncDisabled:
-                description: RouteSyncDisabled will disable all operations performed
-                  on the route table. Set to true to run in network-policy mode only.
-                type: boolean
-              routeTableRange:
-                description: Deprecated in favor of RouteTableRanges. Calico programs
-                  additional Linux route tables for various purposes. RouteTableRange
-                  specifies the indices of the route tables that Calico should use.
-                properties:
-                  max:
-                    type: integer
-                  min:
-                    type: integer
-                required:
-                - max
-                - min
-                type: object
-              routeTableRanges:
-                description: Calico programs additional Linux route tables for various
-                  purposes. RouteTableRanges specifies a set of table index ranges
-                  that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
-                items:
-                  properties:
-                    max:
-                      type: integer
-                    min:
-                      type: integer
-                  required:
-                  - max
-                  - min
-                  type: object
-                type: array
-              serviceLoopPrevention:
-                description: 'When service IP advertisement is enabled, prevent routing
-                  loops to service IPs that are not in use, by dropping or rejecting
-                  packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
-                  in which case such routing loops continue to be allowed. [Default:
-                  Drop]'
-                pattern: ^(?i)(Drop|Reject|Disabled)?$
-                type: string
-              sidecarAccelerationEnabled:
-                description: 'SidecarAccelerationEnabled enables experimental sidecar
-                  acceleration [Default: false]'
-                type: boolean
-              usageReportingEnabled:
-                description: 'UsageReportingEnabled reports anonymous Calico version
-                  number and cluster size to projectcalico.org. Logs warnings returned
-                  by the usage server. For example, if a significant security vulnerability
-                  has been discovered in the version of Calico being used. [Default:
-                  true]'
-                type: boolean
-              usageReportingInitialDelay:
-                description: 'UsageReportingInitialDelay controls the minimum delay
-                  before Felix makes a report. [Default: 300s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              usageReportingInterval:
-                description: 'UsageReportingInterval controls the interval at which
-                  Felix makes reports. [Default: 86400s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              useInternalDataplaneDriver:
-                description: UseInternalDataplaneDriver, if true, Felix will use its
-                  internal dataplane programming logic.  If false, it will launch
-                  an external dataplane driver and communicate with it over protobuf.
-                type: boolean
-              vxlanEnabled:
-                description: 'VXLANEnabled overrides whether Felix should create the
-                  VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
-                  determines this based on the existing IP pools. [Default: nil (unset)]'
-                type: boolean
-              vxlanMTU:
-                description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
-                  device. See Configuring MTU [Default: 1410]'
-                type: integer
-              vxlanMTUV6:
-                description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
-                  device. See Configuring MTU [Default: 1390]'
-                type: integer
-              vxlanPort:
-                type: integer
-              vxlanVNI:
-                type: integer
-              windowsManageFirewallRules:
-                description: 'WindowsManageFirewallRules configures whether or not
-                  Felix will program Windows Firewall rules. (to allow inbound access
-                  to its own metrics ports) [Default: Disabled]'
-                enum:
-                - Enabled
-                - Disabled
-                type: string
-              wireguardEnabled:
-                description: 'WireguardEnabled controls whether Wireguard is enabled
-                  for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
-                  [Default: false]'
-                type: boolean
-              wireguardEnabledV6:
-                description: 'WireguardEnabledV6 controls whether Wireguard is enabled
-                  for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
-                  [Default: false]'
-                type: boolean
-              wireguardHostEncryptionEnabled:
-                description: 'WireguardHostEncryptionEnabled controls whether Wireguard
-                  host-to-host encryption is enabled. [Default: false]'
-                type: boolean
-              wireguardInterfaceName:
-                description: 'WireguardInterfaceName specifies the name to use for
-                  the IPv4 Wireguard interface. [Default: wireguard.cali]'
-                type: string
-              wireguardInterfaceNameV6:
-                description: 'WireguardInterfaceNameV6 specifies the name to use for
-                  the IPv6 Wireguard interface. [Default: wg-v6.cali]'
-                type: string
-              wireguardKeepAlive:
-                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
-                  option. Set 0 to disable. [Default: 0]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-              wireguardListeningPort:
-                description: 'WireguardListeningPort controls the listening port used
-                  by IPv4 Wireguard. [Default: 51820]'
-                type: integer
-              wireguardListeningPortV6:
-                description: 'WireguardListeningPortV6 controls the listening port
-                  used by IPv6 Wireguard. [Default: 51821]'
-                type: integer
-              wireguardMTU:
-                description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
-                  interface. See Configuring MTU [Default: 1440]'
-                type: integer
-              wireguardMTUV6:
-                description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
-                  interface. See Configuring MTU [Default: 1420]'
-                type: integer
-              wireguardRoutingRulePriority:
-                description: 'WireguardRoutingRulePriority controls the priority value
-                  to use for the Wireguard routing rule. [Default: 99]'
-                type: integer
-              workloadSourceSpoofing:
-                description: WorkloadSourceSpoofing controls whether pods can use
-                  the allowedSourcePrefixes annotation to send traffic with a source
-                  IP address that is not theirs. This is disabled by default. When
-                  set to "Any", pods can request any prefix.
-                pattern: ^(?i)(Disabled|Any)?$
-                type: string
-              xdpEnabled:
-                description: 'XDPEnabled enables XDP acceleration for suitable untracked
-                  incoming deny rules. [Default: true]'
-                type: boolean
-              xdpRefreshInterval:
-                description: 'XDPRefreshInterval is the period at which Felix re-checks
-                  all XDP state to ensure that no other process has accidentally broken
-                  Calico''s BPF maps or attached programs. Set to 0 to disable XDP
-                  refresh. [Default: 90s]'
-                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: globalnetworkpolicies.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: GlobalNetworkPolicy
-    listKind: GlobalNetworkPolicyList
-    plural: globalnetworkpolicies
-    singular: globalnetworkpolicy
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              applyOnForward:
-                description: ApplyOnForward indicates to apply the rules in this policy
-                  on forward traffic.
-                type: boolean
-              doNotTrack:
-                description: DoNotTrack indicates whether packets matched by the rules
-                  in this policy should go through the data plane's connection tracking,
-                  such as Linux conntrack.  If True, the rules in this policy are
-                  applied before any data plane connection tracking, and packets allowed
-                  by this policy are marked as not to be tracked.
-                type: boolean
-              egress:
-                description: The ordered set of egress rules.  Each rule contains
-                  a set of packet match criteria and a corresponding action to apply.
-                items:
-                  description: "A Rule encapsulates a set of match criteria and an
-                    action.  Both selector-based security Policy and security Profiles
-                    reference rules - separated out as a list of rules for both ingress
-                    and egress packet matching. \n Each positive match criteria has
-                    a negated version, prefixed with \"Not\". All the match criteria
-                    within a rule must be satisfied for a packet to match. A single
-                    rule can contain the positive and negative version of a match
-                    and both must be satisfied for the rule to match."
-                  properties:
-                    action:
-                      type: string
-                    destination:
-                      description: Destination contains the match criteria that apply
-                        to destination entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                    http:
-                      description: HTTP contains match criteria that apply to HTTP
-                        requests.
-                      properties:
-                        methods:
-                          description: Methods is an optional field that restricts
-                            the rule to apply only to HTTP requests that use one of
-                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
-                            methods are OR'd together.
-                          items:
-                            type: string
-                          type: array
-                        paths:
-                          description: 'Paths is an optional field that restricts
-                            the rule to apply to HTTP requests that use one of the
-                            listed HTTP Paths. Multiple paths are OR''d together.
-                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
-                            ONLY specify either a `exact` or a `prefix` match. The
-                            validator will check for it.'
-                          items:
-                            description: 'HTTPPath specifies an HTTP path to match.
-                              It may be either of the form: exact: <path>: which matches
-                              the path exactly or prefix: <path-prefix>: which matches
-                              the path prefix'
-                            properties:
-                              exact:
-                                type: string
-                              prefix:
-                                type: string
-                            type: object
-                          type: array
-                      type: object
-                    icmp:
-                      description: ICMP is an optional field that restricts the rule
-                        to apply to a specific type and code of ICMP traffic.  This
-                        should only be specified if the Protocol field is set to "ICMP"
-                        or "ICMPv6".
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    ipVersion:
-                      description: IPVersion is an optional field that restricts the
-                        rule to only match a specific IP version.
-                      type: integer
-                    metadata:
-                      description: Metadata contains additional information for this
-                        rule
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          description: Annotations is a set of key value pairs that
-                            give extra information about the rule
-                          type: object
-                      type: object
-                    notICMP:
-                      description: NotICMP is the negated version of the ICMP field.
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    notProtocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: NotProtocol is the negated version of the Protocol
-                        field.
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    protocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: "Protocol is an optional field that restricts the
-                        rule to only apply to traffic of a specific IP protocol. Required
-                        if any of the EntityRules contain Ports (because ports only
-                        apply to certain protocols). \n Must be one of these string
-                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
-                        \"UDPLite\" or an integer in the range 1-255."
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    source:
-                      description: Source contains the match criteria that apply to
-                        source entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                  required:
-                  - action
-                  type: object
-                type: array
-              ingress:
-                description: The ordered set of ingress rules.  Each rule contains
-                  a set of packet match criteria and a corresponding action to apply.
-                items:
-                  description: "A Rule encapsulates a set of match criteria and an
-                    action.  Both selector-based security Policy and security Profiles
-                    reference rules - separated out as a list of rules for both ingress
-                    and egress packet matching. \n Each positive match criteria has
-                    a negated version, prefixed with \"Not\". All the match criteria
-                    within a rule must be satisfied for a packet to match. A single
-                    rule can contain the positive and negative version of a match
-                    and both must be satisfied for the rule to match."
-                  properties:
-                    action:
-                      type: string
-                    destination:
-                      description: Destination contains the match criteria that apply
-                        to destination entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                    http:
-                      description: HTTP contains match criteria that apply to HTTP
-                        requests.
-                      properties:
-                        methods:
-                          description: Methods is an optional field that restricts
-                            the rule to apply only to HTTP requests that use one of
-                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
-                            methods are OR'd together.
-                          items:
-                            type: string
-                          type: array
-                        paths:
-                          description: 'Paths is an optional field that restricts
-                            the rule to apply to HTTP requests that use one of the
-                            listed HTTP Paths. Multiple paths are OR''d together.
-                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
-                            ONLY specify either a `exact` or a `prefix` match. The
-                            validator will check for it.'
-                          items:
-                            description: 'HTTPPath specifies an HTTP path to match.
-                              It may be either of the form: exact: <path>: which matches
-                              the path exactly or prefix: <path-prefix>: which matches
-                              the path prefix'
-                            properties:
-                              exact:
-                                type: string
-                              prefix:
-                                type: string
-                            type: object
-                          type: array
-                      type: object
-                    icmp:
-                      description: ICMP is an optional field that restricts the rule
-                        to apply to a specific type and code of ICMP traffic.  This
-                        should only be specified if the Protocol field is set to "ICMP"
-                        or "ICMPv6".
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    ipVersion:
-                      description: IPVersion is an optional field that restricts the
-                        rule to only match a specific IP version.
-                      type: integer
-                    metadata:
-                      description: Metadata contains additional information for this
-                        rule
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          description: Annotations is a set of key value pairs that
-                            give extra information about the rule
-                          type: object
-                      type: object
-                    notICMP:
-                      description: NotICMP is the negated version of the ICMP field.
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    notProtocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: NotProtocol is the negated version of the Protocol
-                        field.
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    protocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: "Protocol is an optional field that restricts the
-                        rule to only apply to traffic of a specific IP protocol. Required
-                        if any of the EntityRules contain Ports (because ports only
-                        apply to certain protocols). \n Must be one of these string
-                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
-                        \"UDPLite\" or an integer in the range 1-255."
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    source:
-                      description: Source contains the match criteria that apply to
-                        source entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                  required:
-                  - action
-                  type: object
-                type: array
-              namespaceSelector:
-                description: NamespaceSelector is an optional field for an expression
-                  used to select a pod based on namespaces.
-                type: string
-              order:
-                description: Order is an optional field that specifies the order in
-                  which the policy is applied. Policies with higher "order" are applied
-                  after those with lower order.  If the order is omitted, it may be
-                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
-                  with identical order will be applied in alphanumerical order based
-                  on the Policy "Name".
-                type: number
-              performanceHints:
-                description: "PerformanceHints contains a list of hints to Calico's
-                  policy engine to help process the policy more efficiently.  Hints
-                  never change the enforcement behaviour of the policy. \n Currently,
-                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
-                  hint is set on a policy, Felix will act as if the policy matches
-                  a local endpoint even if it does not. This is useful for \"preloading\"
-                  any large static policies that are known to be used on every node.
-                  If the policy is _not_ used on a particular node then the work done
-                  to preload the policy (and to maintain it) is wasted."
-                items:
-                  type: string
-                type: array
-              preDNAT:
-                description: PreDNAT indicates to apply the rules in this policy before
-                  any DNAT.
-                type: boolean
-              selector:
-                description: "The selector is an expression used to pick out the endpoints
-                  that the policy should be applied to. \n Selector expressions follow
-                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  equal; also matches if label is not present \tlabel in { \"a\",
-                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
-                  or the empty selector -> matches all endpoints. \n Label names are
-                  allowed to contain alphanumerics, -, _ and /. String literals are
-                  more permissive but they do not support escape characters. \n Examples
-                  (with made-up labels): \n \ttype == \"webserver\" && deployment
-                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
-                  \"dev\" \t! has(label_name)"
-                type: string
-              serviceAccountSelector:
-                description: ServiceAccountSelector is an optional field for an expression
-                  used to select a pod based on service accounts.
-                type: string
-              types:
-                description: "Types indicates whether this policy applies to ingress,
-                  or to egress, or to both.  When not explicitly specified (and so
-                  the value on creation is empty or nil), Calico defaults Types according
-                  to what Ingress and Egress rules are present in the policy.  The
-                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
-                  (including the case where there are   also no Ingress rules) \n
-                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
-                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
-                  both Ingress and Egress rules. \n When the policy is read back again,
-                  Types will always be one of these values, never empty or nil."
-                items:
-                  description: PolicyType enumerates the possible values of the PolicySpec
-                    Types field.
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: globalnetworksets.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: GlobalNetworkSet
-    listKind: GlobalNetworkSetList
-    plural: globalnetworksets
-    singular: globalnetworkset
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
-          that share labels to allow rules to refer to them via selectors.  The labels
-          of GlobalNetworkSet are not namespaced.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: GlobalNetworkSetSpec contains the specification for a NetworkSet
-              resource.
-            properties:
-              nets:
-                description: The list of IP networks that belong to this set.
-                items:
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: hostendpoints.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: HostEndpoint
-    listKind: HostEndpointList
-    plural: hostendpoints
-    singular: hostendpoint
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: HostEndpointSpec contains the specification for a HostEndpoint
-              resource.
-            properties:
-              expectedIPs:
-                description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
-                  If \"InterfaceName\" is not present, Calico will look for an interface
-                  matching any of the IPs in the list and apply policy to that. Note:
-                  \tWhen using the selector match criteria in an ingress or egress
-                  security Policy \tor Profile, Calico converts the selector into
-                  a set of IP addresses. For host \tendpoints, the ExpectedIPs field
-                  is used for that purpose. (If only the interface \tname is specified,
-                  Calico does not learn the IPs of the interface for use in match
-                  \tcriteria.)"
-                items:
-                  type: string
-                type: array
-              interfaceName:
-                description: "Either \"*\", or the name of a specific Linux interface
-                  to apply policy to; or empty.  \"*\" indicates that this HostEndpoint
-                  governs all traffic to, from or through the default network namespace
-                  of the host named by the \"Node\" field; entering and leaving that
-                  namespace via any interface, including those from/to non-host-networked
-                  local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
-                  only governs traffic that enters or leaves the host through the
-                  specific interface named by InterfaceName, or - when InterfaceName
-                  is empty - through the specific interface that has one of the IPs
-                  in ExpectedIPs. Therefore, when InterfaceName is empty, at least
-                  one expected IP must be specified.  Only external interfaces (such
-                  as \"eth0\") are supported here; it isn't possible for a HostEndpoint
-                  to protect traffic through a specific local workload interface.
-                  \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
-                  initially just pre-DNAT policy.  Please check Calico documentation
-                  for the latest position."
-                type: string
-              node:
-                description: The node name identifying the Calico node instance.
-                type: string
-              ports:
-                description: Ports contains the endpoint's named ports, which may
-                  be referenced in security policy rules.
-                items:
-                  properties:
-                    name:
-                      type: string
-                    port:
-                      type: integer
-                    protocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                  required:
-                  - name
-                  - port
-                  - protocol
-                  type: object
-                type: array
-              profiles:
-                description: A list of identifiers of security Profile objects that
-                  apply to this endpoint. Each profile is applied in the order that
-                  they appear in this list.  Profile rules are applied after the selector-based
-                  security policy.
-                items:
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: ipamblocks.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: IPAMBlock
-    listKind: IPAMBlockList
-    plural: ipamblocks
-    singular: ipamblock
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: IPAMBlockSpec contains the specification for an IPAMBlock
-              resource.
-            properties:
-              affinity:
-                description: Affinity of the block, if this block has one. If set,
-                  it will be of the form "host:<hostname>". If not set, this block
-                  is not affine to a host.
-                type: string
-              allocations:
-                description: Array of allocations in-use within this block. nil entries
-                  mean the allocation is free. For non-nil entries at index i, the
-                  index is the ordinal of the allocation within this block and the
-                  value is the index of the associated attributes in the Attributes
-                  array.
-                items:
-                  type: integer
-                  # TODO: This nullable is manually added in. We should update controller-gen
-                  # to handle []*int properly itself.
-                  nullable: true
-                type: array
-              attributes:
-                description: Attributes is an array of arbitrary metadata associated
-                  with allocations in the block. To find attributes for a given allocation,
-                  use the value of the allocation's entry in the Allocations array
-                  as the index of the element in this array.
-                items:
-                  properties:
-                    handle_id:
-                      type: string
-                    secondary:
-                      additionalProperties:
-                        type: string
-                      type: object
-                  type: object
-                type: array
-              cidr:
-                description: The block's CIDR.
-                type: string
-              deleted:
-                description: Deleted is an internal boolean used to workaround a limitation
-                  in the Kubernetes API whereby deletion will not return a conflict
-                  error if the block has been updated. It should not be set manually.
-                type: boolean
-              sequenceNumber:
-                default: 0
-                description: We store a sequence number that is updated each time
-                  the block is written. Each allocation will also store the sequence
-                  number of the block at the time of its creation. When releasing
-                  an IP, passing the sequence number associated with the allocation
-                  allows us to protect against a race condition and ensure the IP
-                  hasn't been released and re-allocated since the release request.
-                format: int64
-                type: integer
-              sequenceNumberForAllocation:
-                additionalProperties:
-                  format: int64
-                  type: integer
-                description: Map of allocated ordinal within the block to sequence
-                  number of the block at the time of allocation. Kubernetes does not
-                  allow numerical keys for maps, so the key is cast to a string.
-                type: object
-              strictAffinity:
-                description: StrictAffinity on the IPAMBlock is deprecated and no
-                  longer used by the code. Use IPAMConfig StrictAffinity instead.
-                type: boolean
-              unallocated:
-                description: Unallocated is an ordered list of allocations which are
-                  free in the block.
-                items:
-                  type: integer
-                type: array
-            required:
-            - allocations
-            - attributes
-            - cidr
-            - strictAffinity
-            - unallocated
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: ipamconfigs.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: IPAMConfig
-    listKind: IPAMConfigList
-    plural: ipamconfigs
-    singular: ipamconfig
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: IPAMConfigSpec contains the specification for an IPAMConfig
-              resource.
-            properties:
-              autoAllocateBlocks:
-                type: boolean
-              maxBlocksPerHost:
-                description: MaxBlocksPerHost, if non-zero, is the max number of blocks
-                  that can be affine to each host.
-                maximum: 2147483647
-                minimum: 0
-                type: integer
-              strictAffinity:
-                type: boolean
-            required:
-            - autoAllocateBlocks
-            - strictAffinity
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: ipamhandles.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: IPAMHandle
-    listKind: IPAMHandleList
-    plural: ipamhandles
-    singular: ipamhandle
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: IPAMHandleSpec contains the specification for an IPAMHandle
-              resource.
-            properties:
-              block:
-                additionalProperties:
-                  type: integer
-                type: object
-              deleted:
-                type: boolean
-              handleID:
-                type: string
-            required:
-            - block
-            - handleID
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: ippools.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: IPPool
-    listKind: IPPoolList
-    plural: ippools
-    singular: ippool
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: IPPoolSpec contains the specification for an IPPool resource.
-            properties:
-              allowedUses:
-                description: AllowedUse controls what the IP pool will be used for.  If
-                  not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
-                items:
-                  type: string
-                type: array
-              blockSize:
-                description: The block size to use for IP address assignments from
-                  this pool. Defaults to 26 for IPv4 and 122 for IPv6.
-                type: integer
-              cidr:
-                description: The pool CIDR.
-                type: string
-              disableBGPExport:
-                description: 'Disable exporting routes from this IP Pool''s CIDR over
-                  BGP. [Default: false]'
-                type: boolean
-              disabled:
-                description: When disabled is true, Calico IPAM will not assign addresses
-                  from this pool.
-                type: boolean
-              ipip:
-                description: 'Deprecated: this field is only used for APIv1 backwards
-                  compatibility. Setting this field is not allowed, this field is
-                  for internal use only.'
-                properties:
-                  enabled:
-                    description: When enabled is true, ipip tunneling will be used
-                      to deliver packets to destinations within this pool.
-                    type: boolean
-                  mode:
-                    description: The IPIP mode.  This can be one of "always" or "cross-subnet".  A
-                      mode of "always" will also use IPIP tunneling for routing to
-                      destination IP addresses within this pool.  A mode of "cross-subnet"
-                      will only use IPIP tunneling when the destination node is on
-                      a different subnet to the originating node.  The default value
-                      (if not specified) is "always".
-                    type: string
-                type: object
-              ipipMode:
-                description: Contains configuration for IPIP tunneling for this pool.
-                  If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
-                  is disabled).
-                type: string
-              nat-outgoing:
-                description: 'Deprecated: this field is only used for APIv1 backwards
-                  compatibility. Setting this field is not allowed, this field is
-                  for internal use only.'
-                type: boolean
-              natOutgoing:
-                description: When natOutgoing is true, packets sent from Calico networked
-                  containers in this pool to destinations outside of this pool will
-                  be masqueraded.
-                type: boolean
-              nodeSelector:
-                description: Allows IPPool to allocate for a specific node by label
-                  selector.
-                type: string
-              vxlanMode:
-                description: Contains configuration for VXLAN tunneling for this pool.
-                  If not specified, then this is defaulted to "Never" (i.e. VXLAN
-                  tunneling is disabled).
-                type: string
-            required:
-            - cidr
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: (devel)
-  creationTimestamp: null
-  name: ipreservations.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: IPReservation
-    listKind: IPReservationList
-    plural: ipreservations
-    singular: ipreservation
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: IPReservationSpec contains the specification for an IPReservation
-              resource.
-            properties:
-              reservedCIDRs:
-                description: ReservedCIDRs is a list of CIDRs and/or IP addresses
-                  that Calico IPAM will exclude from new allocations.
-                items:
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: kubecontrollersconfigurations.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: KubeControllersConfiguration
-    listKind: KubeControllersConfigurationList
-    plural: kubecontrollersconfigurations
-    singular: kubecontrollersconfiguration
-  preserveUnknownFields: false
-  scope: Cluster
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: KubeControllersConfigurationSpec contains the values of the
-              Kubernetes controllers configuration.
-            properties:
-              controllers:
-                description: Controllers enables and configures individual Kubernetes
-                  controllers
-                properties:
-                  namespace:
-                    description: Namespace enables and configures the namespace controller.
-                      Enabled by default, set to nil to disable.
-                    properties:
-                      reconcilerPeriod:
-                        description: 'ReconcilerPeriod is the period to perform reconciliation
-                          with the Calico datastore. [Default: 5m]'
-                        type: string
-                    type: object
-                  node:
-                    description: Node enables and configures the node controller.
-                      Enabled by default, set to nil to disable.
-                    properties:
-                      hostEndpoint:
-                        description: HostEndpoint controls syncing nodes to host endpoints.
-                          Disabled by default, set to nil to disable.
-                        properties:
-                          autoCreate:
-                            description: 'AutoCreate enables automatic creation of
-                              host endpoints for every node. [Default: Disabled]'
-                            type: string
-                        type: object
-                      leakGracePeriod:
-                        description: 'LeakGracePeriod is the period used by the controller
-                          to determine if an IP address has been leaked. Set to 0
-                          to disable IP garbage collection. [Default: 15m]'
-                        type: string
-                      reconcilerPeriod:
-                        description: 'ReconcilerPeriod is the period to perform reconciliation
-                          with the Calico datastore. [Default: 5m]'
-                        type: string
-                      syncLabels:
-                        description: 'SyncLabels controls whether to copy Kubernetes
-                          node labels to Calico nodes. [Default: Enabled]'
-                        type: string
-                    type: object
-                  policy:
-                    description: Policy enables and configures the policy controller.
-                      Enabled by default, set to nil to disable.
-                    properties:
-                      reconcilerPeriod:
-                        description: 'ReconcilerPeriod is the period to perform reconciliation
-                          with the Calico datastore. [Default: 5m]'
-                        type: string
-                    type: object
-                  serviceAccount:
-                    description: ServiceAccount enables and configures the service
-                      account controller. Enabled by default, set to nil to disable.
-                    properties:
-                      reconcilerPeriod:
-                        description: 'ReconcilerPeriod is the period to perform reconciliation
-                          with the Calico datastore. [Default: 5m]'
-                        type: string
-                    type: object
-                  workloadEndpoint:
-                    description: WorkloadEndpoint enables and configures the workload
-                      endpoint controller. Enabled by default, set to nil to disable.
-                    properties:
-                      reconcilerPeriod:
-                        description: 'ReconcilerPeriod is the period to perform reconciliation
-                          with the Calico datastore. [Default: 5m]'
-                        type: string
-                    type: object
-                type: object
-              debugProfilePort:
-                description: DebugProfilePort configures the port to serve memory
-                  and cpu profiles on. If not specified, profiling is disabled.
-                format: int32
-                type: integer
-              etcdV3CompactionPeriod:
-                description: 'EtcdV3CompactionPeriod is the period between etcdv3
-                  compaction requests. Set to 0 to disable. [Default: 10m]'
-                type: string
-              healthChecks:
-                description: 'HealthChecks enables or disables support for health
-                  checks [Default: Enabled]'
-                type: string
-              logSeverityScreen:
-                description: 'LogSeverityScreen is the log severity above which logs
-                  are sent to the stdout. [Default: Info]'
-                type: string
-              prometheusMetricsPort:
-                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
-                  metrics server should bind to. Set to 0 to disable. [Default: 9094]'
-                type: integer
-            required:
-            - controllers
-            type: object
-          status:
-            description: KubeControllersConfigurationStatus represents the status
-              of the configuration. It's useful for admins to be able to see the actual
-              config that was applied, which can be modified by environment variables
-              on the kube-controllers process.
-            properties:
-              environmentVars:
-                additionalProperties:
-                  type: string
-                description: EnvironmentVars contains the environment variables on
-                  the kube-controllers that influenced the RunningConfig.
-                type: object
-              runningConfig:
-                description: RunningConfig contains the effective config that is running
-                  in the kube-controllers pod, after merging the API resource with
-                  any environment variables.
-                properties:
-                  controllers:
-                    description: Controllers enables and configures individual Kubernetes
-                      controllers
-                    properties:
-                      namespace:
-                        description: Namespace enables and configures the namespace
-                          controller. Enabled by default, set to nil to disable.
-                        properties:
-                          reconcilerPeriod:
-                            description: 'ReconcilerPeriod is the period to perform
-                              reconciliation with the Calico datastore. [Default:
-                              5m]'
-                            type: string
-                        type: object
-                      node:
-                        description: Node enables and configures the node controller.
-                          Enabled by default, set to nil to disable.
-                        properties:
-                          hostEndpoint:
-                            description: HostEndpoint controls syncing nodes to host
-                              endpoints. Disabled by default, set to nil to disable.
-                            properties:
-                              autoCreate:
-                                description: 'AutoCreate enables automatic creation
-                                  of host endpoints for every node. [Default: Disabled]'
-                                type: string
-                            type: object
-                          leakGracePeriod:
-                            description: 'LeakGracePeriod is the period used by the
-                              controller to determine if an IP address has been leaked.
-                              Set to 0 to disable IP garbage collection. [Default:
-                              15m]'
-                            type: string
-                          reconcilerPeriod:
-                            description: 'ReconcilerPeriod is the period to perform
-                              reconciliation with the Calico datastore. [Default:
-                              5m]'
-                            type: string
-                          syncLabels:
-                            description: 'SyncLabels controls whether to copy Kubernetes
-                              node labels to Calico nodes. [Default: Enabled]'
-                            type: string
-                        type: object
-                      policy:
-                        description: Policy enables and configures the policy controller.
-                          Enabled by default, set to nil to disable.
-                        properties:
-                          reconcilerPeriod:
-                            description: 'ReconcilerPeriod is the period to perform
-                              reconciliation with the Calico datastore. [Default:
-                              5m]'
-                            type: string
-                        type: object
-                      serviceAccount:
-                        description: ServiceAccount enables and configures the service
-                          account controller. Enabled by default, set to nil to disable.
-                        properties:
-                          reconcilerPeriod:
-                            description: 'ReconcilerPeriod is the period to perform
-                              reconciliation with the Calico datastore. [Default:
-                              5m]'
-                            type: string
-                        type: object
-                      workloadEndpoint:
-                        description: WorkloadEndpoint enables and configures the workload
-                          endpoint controller. Enabled by default, set to nil to disable.
-                        properties:
-                          reconcilerPeriod:
-                            description: 'ReconcilerPeriod is the period to perform
-                              reconciliation with the Calico datastore. [Default:
-                              5m]'
-                            type: string
-                        type: object
-                    type: object
-                  debugProfilePort:
-                    description: DebugProfilePort configures the port to serve memory
-                      and cpu profiles on. If not specified, profiling is disabled.
-                    format: int32
-                    type: integer
-                  etcdV3CompactionPeriod:
-                    description: 'EtcdV3CompactionPeriod is the period between etcdv3
-                      compaction requests. Set to 0 to disable. [Default: 10m]'
-                    type: string
-                  healthChecks:
-                    description: 'HealthChecks enables or disables support for health
-                      checks [Default: Enabled]'
-                    type: string
-                  logSeverityScreen:
-                    description: 'LogSeverityScreen is the log severity above which
-                      logs are sent to the stdout. [Default: Info]'
-                    type: string
-                  prometheusMetricsPort:
-                    description: 'PrometheusMetricsPort is the TCP port that the Prometheus
-                      metrics server should bind to. Set to 0 to disable. [Default:
-                      9094]'
-                    type: integer
-                required:
-                - controllers
-                type: object
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: networkpolicies.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: NetworkPolicy
-    listKind: NetworkPolicyList
-    plural: networkpolicies
-    singular: networkpolicy
-  preserveUnknownFields: false
-  scope: Namespaced
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            properties:
-              egress:
-                description: The ordered set of egress rules.  Each rule contains
-                  a set of packet match criteria and a corresponding action to apply.
-                items:
-                  description: "A Rule encapsulates a set of match criteria and an
-                    action.  Both selector-based security Policy and security Profiles
-                    reference rules - separated out as a list of rules for both ingress
-                    and egress packet matching. \n Each positive match criteria has
-                    a negated version, prefixed with \"Not\". All the match criteria
-                    within a rule must be satisfied for a packet to match. A single
-                    rule can contain the positive and negative version of a match
-                    and both must be satisfied for the rule to match."
-                  properties:
-                    action:
-                      type: string
-                    destination:
-                      description: Destination contains the match criteria that apply
-                        to destination entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                    http:
-                      description: HTTP contains match criteria that apply to HTTP
-                        requests.
-                      properties:
-                        methods:
-                          description: Methods is an optional field that restricts
-                            the rule to apply only to HTTP requests that use one of
-                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
-                            methods are OR'd together.
-                          items:
-                            type: string
-                          type: array
-                        paths:
-                          description: 'Paths is an optional field that restricts
-                            the rule to apply to HTTP requests that use one of the
-                            listed HTTP Paths. Multiple paths are OR''d together.
-                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
-                            ONLY specify either a `exact` or a `prefix` match. The
-                            validator will check for it.'
-                          items:
-                            description: 'HTTPPath specifies an HTTP path to match.
-                              It may be either of the form: exact: <path>: which matches
-                              the path exactly or prefix: <path-prefix>: which matches
-                              the path prefix'
-                            properties:
-                              exact:
-                                type: string
-                              prefix:
-                                type: string
-                            type: object
-                          type: array
-                      type: object
-                    icmp:
-                      description: ICMP is an optional field that restricts the rule
-                        to apply to a specific type and code of ICMP traffic.  This
-                        should only be specified if the Protocol field is set to "ICMP"
-                        or "ICMPv6".
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    ipVersion:
-                      description: IPVersion is an optional field that restricts the
-                        rule to only match a specific IP version.
-                      type: integer
-                    metadata:
-                      description: Metadata contains additional information for this
-                        rule
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          description: Annotations is a set of key value pairs that
-                            give extra information about the rule
-                          type: object
-                      type: object
-                    notICMP:
-                      description: NotICMP is the negated version of the ICMP field.
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    notProtocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: NotProtocol is the negated version of the Protocol
-                        field.
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    protocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: "Protocol is an optional field that restricts the
-                        rule to only apply to traffic of a specific IP protocol. Required
-                        if any of the EntityRules contain Ports (because ports only
-                        apply to certain protocols). \n Must be one of these string
-                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
-                        \"UDPLite\" or an integer in the range 1-255."
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    source:
-                      description: Source contains the match criteria that apply to
-                        source entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                  required:
-                  - action
-                  type: object
-                type: array
-              ingress:
-                description: The ordered set of ingress rules.  Each rule contains
-                  a set of packet match criteria and a corresponding action to apply.
-                items:
-                  description: "A Rule encapsulates a set of match criteria and an
-                    action.  Both selector-based security Policy and security Profiles
-                    reference rules - separated out as a list of rules for both ingress
-                    and egress packet matching. \n Each positive match criteria has
-                    a negated version, prefixed with \"Not\". All the match criteria
-                    within a rule must be satisfied for a packet to match. A single
-                    rule can contain the positive and negative version of a match
-                    and both must be satisfied for the rule to match."
-                  properties:
-                    action:
-                      type: string
-                    destination:
-                      description: Destination contains the match criteria that apply
-                        to destination entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                    http:
-                      description: HTTP contains match criteria that apply to HTTP
-                        requests.
-                      properties:
-                        methods:
-                          description: Methods is an optional field that restricts
-                            the rule to apply only to HTTP requests that use one of
-                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
-                            methods are OR'd together.
-                          items:
-                            type: string
-                          type: array
-                        paths:
-                          description: 'Paths is an optional field that restricts
-                            the rule to apply to HTTP requests that use one of the
-                            listed HTTP Paths. Multiple paths are OR''d together.
-                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
-                            ONLY specify either a `exact` or a `prefix` match. The
-                            validator will check for it.'
-                          items:
-                            description: 'HTTPPath specifies an HTTP path to match.
-                              It may be either of the form: exact: <path>: which matches
-                              the path exactly or prefix: <path-prefix>: which matches
-                              the path prefix'
-                            properties:
-                              exact:
-                                type: string
-                              prefix:
-                                type: string
-                            type: object
-                          type: array
-                      type: object
-                    icmp:
-                      description: ICMP is an optional field that restricts the rule
-                        to apply to a specific type and code of ICMP traffic.  This
-                        should only be specified if the Protocol field is set to "ICMP"
-                        or "ICMPv6".
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    ipVersion:
-                      description: IPVersion is an optional field that restricts the
-                        rule to only match a specific IP version.
-                      type: integer
-                    metadata:
-                      description: Metadata contains additional information for this
-                        rule
-                      properties:
-                        annotations:
-                          additionalProperties:
-                            type: string
-                          description: Annotations is a set of key value pairs that
-                            give extra information about the rule
-                          type: object
-                      type: object
-                    notICMP:
-                      description: NotICMP is the negated version of the ICMP field.
-                      properties:
-                        code:
-                          description: Match on a specific ICMP code.  If specified,
-                            the Type value must also be specified. This is a technical
-                            limitation imposed by the kernel's iptables firewall,
-                            which Calico uses to enforce the rule.
-                          type: integer
-                        type:
-                          description: Match on a specific ICMP type.  For example
-                            a value of 8 refers to ICMP Echo Request (i.e. pings).
-                          type: integer
-                      type: object
-                    notProtocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: NotProtocol is the negated version of the Protocol
-                        field.
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    protocol:
-                      anyOf:
-                      - type: integer
-                      - type: string
-                      description: "Protocol is an optional field that restricts the
-                        rule to only apply to traffic of a specific IP protocol. Required
-                        if any of the EntityRules contain Ports (because ports only
-                        apply to certain protocols). \n Must be one of these string
-                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
-                        \"UDPLite\" or an integer in the range 1-255."
-                      pattern: ^.*
-                      x-kubernetes-int-or-string: true
-                    source:
-                      description: Source contains the match criteria that apply to
-                        source entity.
-                      properties:
-                        namespaceSelector:
-                          description: "NamespaceSelector is an optional field that
-                            contains a selector expression. Only traffic that originates
-                            from (or terminates at) endpoints within the selected
-                            namespaces will be matched. When both NamespaceSelector
-                            and another selector are defined on the same rule, then
-                            only workload endpoints that are matched by both selectors
-                            will be selected by the rule. \n For NetworkPolicy, an
-                            empty NamespaceSelector implies that the Selector is limited
-                            to selecting only workload endpoints in the same namespace
-                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
-                            NamespaceSelector implies that the Selector is limited
-                            to selecting only GlobalNetworkSet or HostEndpoint. \n
-                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
-                            the Selector applies to workload endpoints across all
-                            namespaces."
-                          type: string
-                        nets:
-                          description: Nets is an optional field that restricts the
-                            rule to only apply to traffic that originates from (or
-                            terminates at) IP addresses in any of the given subnets.
-                          items:
-                            type: string
-                          type: array
-                        notNets:
-                          description: NotNets is the negated version of the Nets
-                            field.
-                          items:
-                            type: string
-                          type: array
-                        notPorts:
-                          description: NotPorts is the negated version of the Ports
-                            field. Since only some protocols have ports, if any ports
-                            are specified it requires the Protocol match in the Rule
-                            to be set to "TCP" or "UDP".
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        notSelector:
-                          description: NotSelector is the negated version of the Selector
-                            field.  See Selector field for subtleties with negated
-                            selectors.
-                          type: string
-                        ports:
-                          description: "Ports is an optional field that restricts
-                            the rule to only apply to traffic that has a source (destination)
-                            port that matches one of these ranges/values. This value
-                            is a list of integers or strings that represent ranges
-                            of ports. \n Since only some protocols have ports, if
-                            any ports are specified it requires the Protocol match
-                            in the Rule to be set to \"TCP\" or \"UDP\"."
-                          items:
-                            anyOf:
-                            - type: integer
-                            - type: string
-                            pattern: ^.*
-                            x-kubernetes-int-or-string: true
-                          type: array
-                        selector:
-                          description: "Selector is an optional field that contains
-                            a selector expression (see Policy for sample syntax).
-                            \ Only traffic that originates from (terminates at) endpoints
-                            matching the selector will be matched. \n Note that: in
-                            addition to the negated version of the Selector (see NotSelector
-                            below), the selector expression syntax itself supports
-                            negation.  The two types of negation are subtly different.
-                            One negates the set of matched endpoints, the other negates
-                            the whole match: \n \tSelector = \"!has(my_label)\" matches
-                            packets that are from other Calico-controlled \tendpoints
-                            that do not have the label \"my_label\". \n \tNotSelector
-                            = \"has(my_label)\" matches packets that are not from
-                            Calico-controlled \tendpoints that do have the label \"my_label\".
-                            \n The effect is that the latter will accept packets from
-                            non-Calico sources whereas the former is limited to packets
-                            from Calico-controlled endpoints."
-                          type: string
-                        serviceAccounts:
-                          description: ServiceAccounts is an optional field that restricts
-                            the rule to only apply to traffic that originates from
-                            (or terminates at) a pod running as a matching service
-                            account.
-                          properties:
-                            names:
-                              description: Names is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account whose name is in the list.
-                              items:
-                                type: string
-                              type: array
-                            selector:
-                              description: Selector is an optional field that restricts
-                                the rule to only apply to traffic that originates
-                                from (or terminates at) a pod running as a service
-                                account that matches the given label selector. If
-                                both Names and Selector are specified then they are
-                                AND'ed.
-                              type: string
-                          type: object
-                        services:
-                          description: "Services is an optional field that contains
-                            options for matching Kubernetes Services. If specified,
-                            only traffic that originates from or terminates at endpoints
-                            within the selected service(s) will be matched, and only
-                            to/from each endpoint's port. \n Services cannot be specified
-                            on the same rule as Selector, NotSelector, NamespaceSelector,
-                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
-                            can only be specified with Services on ingress rules."
-                          properties:
-                            name:
-                              description: Name specifies the name of a Kubernetes
-                                Service to match.
-                              type: string
-                            namespace:
-                              description: Namespace specifies the namespace of the
-                                given Service. If left empty, the rule will match
-                                within this policy's namespace.
-                              type: string
-                          type: object
-                      type: object
-                  required:
-                  - action
-                  type: object
-                type: array
-              order:
-                description: Order is an optional field that specifies the order in
-                  which the policy is applied. Policies with higher "order" are applied
-                  after those with lower order.  If the order is omitted, it may be
-                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
-                  with identical order will be applied in alphanumerical order based
-                  on the Policy "Name".
-                type: number
-              performanceHints:
-                description: "PerformanceHints contains a list of hints to Calico's
-                  policy engine to help process the policy more efficiently.  Hints
-                  never change the enforcement behaviour of the policy. \n Currently,
-                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
-                  hint is set on a policy, Felix will act as if the policy matches
-                  a local endpoint even if it does not. This is useful for \"preloading\"
-                  any large static policies that are known to be used on every node.
-                  If the policy is _not_ used on a particular node then the work done
-                  to preload the policy (and to maintain it) is wasted."
-                items:
-                  type: string
-                type: array
-              selector:
-                description: "The selector is an expression used to pick out the endpoints
-                  that the policy should be applied to. \n Selector expressions follow
-                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
-                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
-                  equal; also matches if label is not present \tlabel in { \"a\",
-                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
-                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
-                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
-                  \thas(label_name)  -> True if that label is present \t! expr ->
-                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
-                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
-                  or the empty selector -> matches all endpoints. \n Label names are
-                  allowed to contain alphanumerics, -, _ and /. String literals are
-                  more permissive but they do not support escape characters. \n Examples
-                  (with made-up labels): \n \ttype == \"webserver\" && deployment
-                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
-                  \"dev\" \t! has(label_name)"
-                type: string
-              serviceAccountSelector:
-                description: ServiceAccountSelector is an optional field for an expression
-                  used to select a pod based on service accounts.
-                type: string
-              types:
-                description: "Types indicates whether this policy applies to ingress,
-                  or to egress, or to both.  When not explicitly specified (and so
-                  the value on creation is empty or nil), Calico defaults Types according
-                  to what Ingress and Egress are present in the policy.  The default
-                  is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
-                  the case where there are   also no Ingress rules) \n - [ PolicyTypeEgress
-                  ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
-                  PolicyTypeEgress ], if there are both Ingress and Egress rules.
-                  \n When the policy is read back again, Types will always be one
-                  of these values, never empty or nil."
-                items:
-                  description: PolicyType enumerates the possible values of the PolicySpec
-                    Types field.
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/kdd-crds.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: networksets.crd.projectcalico.org
-spec:
-  group: crd.projectcalico.org
-  names:
-    kind: NetworkSet
-    listKind: NetworkSetList
-    plural: networksets
-    singular: networkset
-  preserveUnknownFields: false
-  scope: Namespaced
-  versions:
-  - name: v1
-    schema:
-      openAPIV3Schema:
-        description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: NetworkSetSpec contains the specification for a NetworkSet
-              resource.
-            properties:
-              nets:
-                description: The list of IP networks that belong to this set.
-                items:
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
----
-# Source: calico/templates/calico-kube-controllers-rbac.yaml
-# Include a clusterrole for the kube-controllers component,
-# and bind it to the calico-kube-controllers serviceaccount.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: calico-kube-controllers
-rules:
-  # Nodes are watched to monitor for deletions.
-  - apiGroups: [""]
-    resources:
-      - nodes
-    verbs:
-      - watch
-      - list
-      - get
-  # Pods are watched to check for existence as part of IPAM controller.
-  - apiGroups: [""]
-    resources:
-      - pods
-    verbs:
-      - get
-      - list
-      - watch
-  # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - ipreservations
-    verbs:
-      - list
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - blockaffinities
-      - ipamblocks
-      - ipamhandles
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - delete
-      - watch
-  # Pools are watched to maintain a mapping of blocks to IP pools.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - ippools
-    verbs:
-      - list
-      - watch
-  # kube-controllers manages hostendpoints.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - hostendpoints
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - delete
-  # Needs access to update clusterinformations.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - clusterinformations
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - watch
-  # KubeControllersConfiguration is where it gets its config
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - kubecontrollersconfigurations
-    verbs:
-      # read its own config
-      - get
-      # create a default if none exists
-      - create
-      # update status
-      - update
-      # watch for changes
-      - watch
----
-# Source: calico/templates/calico-node-rbac.yaml
-# Include a clusterrole for the calico-node DaemonSet,
-# and bind it to the calico-node serviceaccount.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: calico-node
-rules:
-  # Used for creating service account tokens to be used by the CNI plugin
-  - apiGroups: [""]
-    resources:
-      - serviceaccounts/token
-    resourceNames:
-      - calico-cni-plugin
-    verbs:
-      - create
-  # The CNI plugin needs to get pods, nodes, and namespaces.
-  - apiGroups: [""]
-    resources:
-      - pods
-      - nodes
-      - namespaces
-    verbs:
-      - get
-  # EndpointSlices are used for Service-based network policy rule
-  # enforcement.
-  - apiGroups: ["discovery.k8s.io"]
-    resources:
-      - endpointslices
-    verbs:
-      - watch
-      - list
-  - apiGroups: [""]
-    resources:
-      - endpoints
-      - services
-    verbs:
-      # Used to discover service IPs for advertisement.
-      - watch
-      - list
-      # Used to discover Typhas.
-      - get
-  # Pod CIDR auto-detection on kubeadm needs access to config maps.
-  - apiGroups: [""]
-    resources:
-      - configmaps
-    verbs:
-      - get
-  - apiGroups: [""]
-    resources:
-      - nodes/status
-    verbs:
-      # Needed for clearing NodeNetworkUnavailable flag.
-      - patch
-      # Calico stores some configuration information in node annotations.
-      - update
-  # Watch for changes to Kubernetes NetworkPolicies.
-  - apiGroups: ["networking.k8s.io"]
-    resources:
-      - networkpolicies
-    verbs:
-      - watch
-      - list
-  # Used by Calico for policy information.
-  - apiGroups: [""]
-    resources:
-      - pods
-      - namespaces
-      - serviceaccounts
-    verbs:
-      - list
-      - watch
-  # The CNI plugin patches pods/status.
-  - apiGroups: [""]
-    resources:
-      - pods/status
-    verbs:
-      - patch
-  # Calico monitors various CRDs for config.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - globalfelixconfigs
-      - felixconfigurations
-      - bgppeers
-      - bgpfilters
-      - globalbgpconfigs
-      - bgpconfigurations
-      - ippools
-      - ipreservations
-      - ipamblocks
-      - globalnetworkpolicies
-      - globalnetworksets
-      - networkpolicies
-      - networksets
-      - clusterinformations
-      - hostendpoints
-      - blockaffinities
-      - caliconodestatuses
-    verbs:
-      - get
-      - list
-      - watch
-  # Calico must create and update some CRDs on startup.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - ippools
-      - felixconfigurations
-      - clusterinformations
-    verbs:
-      - create
-      - update
-  # Calico must update some CRDs.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - caliconodestatuses
-    verbs:
-      - update
-  # Calico stores some configuration information on the node.
-  - apiGroups: [""]
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  # These permissions are only required for upgrade from v2.6, and can
-  # be removed after upgrade or on fresh installations.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - bgpconfigurations
-      - bgppeers
-    verbs:
-      - create
-      - update
-  # These permissions are required for Calico CNI to perform IPAM allocations.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - blockaffinities
-      - ipamblocks
-      - ipamhandles
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - delete
-  # The CNI plugin and calico/node need to be able to create a default
-  # IPAMConfiguration
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - ipamconfigs
-    verbs:
-      - get
-      - create
-  # Block affinities must also be watchable by confd for route aggregation.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - blockaffinities
-    verbs:
-      - watch
-  # The Calico IPAM migration needs to get daemonsets. These permissions can be
-  # removed if not upgrading from an installation using host-local IPAM.
-  - apiGroups: ["apps"]
-    resources:
-      - daemonsets
-    verbs:
-      - get
----
-# Source: calico/templates/calico-node-rbac.yaml
-# CNI cluster role
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: calico-cni-plugin
-rules:
-  - apiGroups: [""]
-    resources:
-      - pods
-      - nodes
-      - namespaces
-    verbs:
-      - get
-  - apiGroups: [""]
-    resources:
-      - pods/status
-    verbs:
-      - patch
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - blockaffinities
-      - ipamblocks
-      - ipamhandles
-      - clusterinformations
-      - ippools
-      - ipreservations
-      - ipamconfigs
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - delete
----
-# Source: calico/templates/calico-kube-controllers-rbac.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: calico-kube-controllers
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-kube-controllers
-subjects:
-- kind: ServiceAccount
-  name: calico-kube-controllers
-  namespace: kube-system
----
-# Source: calico/templates/calico-node-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: calico-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-node
-subjects:
-- kind: ServiceAccount
-  name: calico-node
-  namespace: kube-system
----
-# Source: calico/templates/calico-node-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: calico-cni-plugin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-cni-plugin
-subjects:
-- kind: ServiceAccount
-  name: calico-cni-plugin
-  namespace: kube-system
----
-# Source: calico/templates/calico-node.yaml
-# This manifest installs the calico-node container, as well
-# as the CNI plugins and network config on
-# each master and worker node in a Kubernetes cluster.
-kind: DaemonSet
-apiVersion: apps/v1
-metadata:
-  name: calico-node
-  namespace: kube-system
-  labels:
-    k8s-app: calico-node
-spec:
-  selector:
-    matchLabels:
-      k8s-app: calico-node
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 1
-  template:
-    metadata:
-      labels:
-        k8s-app: calico-node
-    spec:
-      nodeSelector:
-        kubernetes.io/os: linux
-      hostNetwork: true
-      tolerations:
-        # Make sure calico-node gets scheduled on all nodes.
-        - effect: NoSchedule
-          operator: Exists
-        # Mark the pod as a critical add-on for rescheduling.
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - effect: NoExecute
-          operator: Exists
-      serviceAccountName: calico-node
-      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
-      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
-      terminationGracePeriodSeconds: 0
-      priorityClassName: system-node-critical
-      initContainers:
-        # This container performs upgrade from host-local IPAM to calico-ipam.
-        # It can be deleted if this is a fresh installation, or if you have already
-        # upgraded to use calico-ipam.
-        - name: upgrade-ipam
-          image: docker.io/calico/cni:v3.28.0
-          imagePullPolicy: IfNotPresent
-          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
-          envFrom:
-          - configMapRef:
-              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
-              name: kubernetes-services-endpoint
-              optional: true
-          env:
-            - name: KUBERNETES_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            - name: CALICO_NETWORKING_BACKEND
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: calico_backend
-          volumeMounts:
-            - mountPath: /var/lib/cni/networks
-              name: host-local-net-dir
-            - mountPath: /host/opt/cni/bin
-              name: cni-bin-dir
-          securityContext:
-            privileged: true
-        # This container installs the CNI binaries
-        # and CNI network config file on each node.
-        - name: install-cni
-          image: docker.io/calico/cni:v3.28.0
-          imagePullPolicy: IfNotPresent
-          command: ["/opt/cni/bin/install"]
-          envFrom:
-          - configMapRef:
-              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
-              name: kubernetes-services-endpoint
-              optional: true
-          env:
-            # Name of the CNI config file to create.
-            - name: CNI_CONF_NAME
-              value: "10-calico.conflist"
-            # The CNI network config to install on each node.
-            - name: CNI_NETWORK_CONFIG
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: cni_network_config
-            # Set the hostname based on the k8s node name.
-            - name: KUBERNETES_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            # CNI MTU Config variable
-            - name: CNI_MTU
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: veth_mtu
-            # Prevents the container from sleeping forever.
-            - name: SLEEP
-              value: "false"
-          volumeMounts:
-            - mountPath: /host/opt/cni/bin
-              name: cni-bin-dir
-            - mountPath: /host/etc/cni/net.d
-              name: cni-net-dir
-          securityContext:
-            privileged: true
-        # This init container mounts the necessary filesystems needed by the BPF data plane
-        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
-        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
-        - name: "mount-bpffs"
-          image: docker.io/calico/node:v3.28.0
-          imagePullPolicy: IfNotPresent
-          command: ["calico-node", "-init", "-best-effort"]
-          volumeMounts:
-            - mountPath: /sys/fs
-              name: sys-fs
-              # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
-              # so that it outlives the init container.
-              mountPropagation: Bidirectional
-            - mountPath: /var/run/calico
-              name: var-run-calico
-              # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
-              # so that it outlives the init container.
-              mountPropagation: Bidirectional
-            # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
-            # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
-            - mountPath: /nodeproc
-              name: nodeproc
-              readOnly: true
-          securityContext:
-            privileged: true
-      containers:
-        # Runs calico-node container on each Kubernetes node. This
-        # container programs network policy and routes on each
-        # host.
-        - name: calico-node
-          image: docker.io/calico/node:v3.28.0
-          imagePullPolicy: IfNotPresent
-          envFrom:
-          - configMapRef:
-              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
-              name: kubernetes-services-endpoint
-              optional: true
-          env:
-            # Use Kubernetes API as the backing datastore.
-            - name: DATASTORE_TYPE
-              value: "kubernetes"
-            # Wait for the datastore.
-            - name: WAIT_FOR_DATASTORE
-              value: "true"
-            # Set based on the k8s node name.
-            - name: NODENAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            # Choose the backend to use.
-            - name: CALICO_NETWORKING_BACKEND
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: calico_backend
-            # Cluster type to identify the deployment type
-            - name: CLUSTER_TYPE
-              value: "k8s,bgp"
-            # Auto-detect the BGP IP address.
-            - name: IP
-              value: "autodetect"
-            # Enable IPIP
-            - name: CALICO_IPV4POOL_IPIP
-              value: "Always"
-            # Enable or Disable VXLAN on the default IP pool.
-            - name: CALICO_IPV4POOL_VXLAN
-              value: "Never"
-            # Enable or Disable VXLAN on the default IPv6 IP pool.
-            - name: CALICO_IPV6POOL_VXLAN
-              value: "Never"
-            # Set MTU for tunnel device used if ipip is enabled
-            - name: FELIX_IPINIPMTU
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: veth_mtu
-            # Set MTU for the VXLAN tunnel device.
-            - name: FELIX_VXLANMTU
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: veth_mtu
-            # Set MTU for the Wireguard tunnel device.
-            - name: FELIX_WIREGUARDMTU
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: veth_mtu
-            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
-            # chosen from this range. Changing this value after installation will have
-            # no effect. This should fall within `--cluster-cidr`.
-            # - name: CALICO_IPV4POOL_CIDR
-            #   value: "192.168.0.0/16"
-            # Disable file logging so `kubectl logs` works.
-            - name: CALICO_DISABLE_FILE_LOGGING
-              value: "true"
-            # Set Felix endpoint to host default action to ACCEPT.
-            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
-            # Disable IPv6 on Kubernetes.
-            - name: FELIX_IPV6SUPPORT
-              value: "false"
-            - name: FELIX_HEALTHENABLED
-              value: "true"
-          securityContext:
-            privileged: true
-          resources:
-            requests:
-              cpu: 250m
-          lifecycle:
-            preStop:
-              exec:
-                command:
-                - /bin/calico-node
-                - -shutdown
-          livenessProbe:
-            exec:
-              command:
-              - /bin/calico-node
-              - -felix-live
-              - -bird-live
-            periodSeconds: 10
-            initialDelaySeconds: 10
-            failureThreshold: 6
-            timeoutSeconds: 10
-          readinessProbe:
-            exec:
-              command:
-              - /bin/calico-node
-              - -felix-ready
-              - -bird-ready
-            periodSeconds: 10
-            timeoutSeconds: 10
-          volumeMounts:
-            # For maintaining CNI plugin API credentials.
-            - mountPath: /host/etc/cni/net.d
-              name: cni-net-dir
-              readOnly: false
-            - mountPath: /lib/modules
-              name: lib-modules
-              readOnly: true
-            - mountPath: /run/xtables.lock
-              name: xtables-lock
-              readOnly: false
-            - mountPath: /var/run/calico
-              name: var-run-calico
-              readOnly: false
-            - mountPath: /var/lib/calico
-              name: var-lib-calico
-              readOnly: false
-            - name: policysync
-              mountPath: /var/run/nodeagent
-            # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
-            # parent directory.
-            - name: bpffs
-              mountPath: /sys/fs/bpf
-            - name: cni-log-dir
-              mountPath: /var/log/calico/cni
-              readOnly: true
-      volumes:
-        # Used by calico-node.
-        - name: lib-modules
-          hostPath:
-            path: /lib/modules
-        - name: var-run-calico
-          hostPath:
-            path: /var/run/calico
-        - name: var-lib-calico
-          hostPath:
-            path: /var/lib/calico
-        - name: xtables-lock
-          hostPath:
-            path: /run/xtables.lock
-            type: FileOrCreate
-        - name: sys-fs
-          hostPath:
-            path: /sys/fs/
-            type: DirectoryOrCreate
-        - name: bpffs
-          hostPath:
-            path: /sys/fs/bpf
-            type: Directory
-        # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
-        - name: nodeproc
-          hostPath:
-            path: /proc
-        # Used to install CNI.
-        - name: cni-bin-dir
-          hostPath:
-            path: /opt/cni/bin
-        - name: cni-net-dir
-          hostPath:
-            path: /etc/cni/net.d
-        # Used to access CNI logs.
-        - name: cni-log-dir
-          hostPath:
-            path: /var/log/calico/cni
-        # Mount in the directory for host-local IPAM allocations. This is
-        # used when upgrading from host-local to calico-ipam, and can be removed
-        # if not using the upgrade-ipam init container.
-        - name: host-local-net-dir
-          hostPath:
-            path: /var/lib/cni/networks
-        # Used to create per-pod Unix Domain Sockets
-        - name: policysync
-          hostPath:
-            type: DirectoryOrCreate
-            path: /var/run/nodeagent
----
-# Source: calico/templates/calico-kube-controllers.yaml
-# See https://github.com/projectcalico/kube-controllers
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: calico-kube-controllers
-  namespace: kube-system
-  labels:
-    k8s-app: calico-kube-controllers
-spec:
-  # The controllers can only have a single active instance.
-  replicas: 1
-  selector:
-    matchLabels:
-      k8s-app: calico-kube-controllers
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      name: calico-kube-controllers
-      namespace: kube-system
-      labels:
-        k8s-app: calico-kube-controllers
-    spec:
-      nodeSelector:
-        kubernetes.io/os: linux
-      tolerations:
-        # Mark the pod as a critical add-on for rescheduling.
-        - key: CriticalAddonsOnly
-          operator: Exists
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-      serviceAccountName: calico-kube-controllers
-      priorityClassName: system-cluster-critical
-      containers:
-        - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.28.0
-          imagePullPolicy: IfNotPresent
-          env:
-            # Choose which controllers to run.
-            - name: ENABLED_CONTROLLERS
-              value: node
-            - name: DATASTORE_TYPE
-              value: kubernetes
-          livenessProbe:
-            exec:
-              command:
-              - /usr/bin/check-status
-              - -l
-            periodSeconds: 10
-            initialDelaySeconds: 10
-            failureThreshold: 6
-            timeoutSeconds: 10
-          readinessProbe:
-            exec:
-              command:
-              - /usr/bin/check-status
-              - -r
-            periodSeconds: 10
diff --git a/cesnet-central/playbooks/files/calico.yaml b/cesnet-central/playbooks/files/calico.yaml
new file mode 120000
index 0000000..732c864
--- /dev/null
+++ b/cesnet-central/playbooks/files/calico.yaml
@@ -0,0 +1 @@
+../../../common/playbooks/files/calico.yaml
\ No newline at end of file
diff --git a/cesnet-central/playbooks/files/etc b/cesnet-central/playbooks/files/etc
new file mode 120000
index 0000000..ed53b87
--- /dev/null
+++ b/cesnet-central/playbooks/files/etc
@@ -0,0 +1 @@
+../../../common/playbooks/files/etc
\ No newline at end of file
diff --git a/cesnet-central/playbooks/files/usr b/cesnet-central/playbooks/files/usr
new file mode 120000
index 0000000..b034223
--- /dev/null
+++ b/cesnet-central/playbooks/files/usr
@@ -0,0 +1 @@
+../../../common/playbooks/files/usr
\ No newline at end of file
diff --git a/cesnet-central/playbooks/notebooks.yaml b/cesnet-central/playbooks/notebooks.yaml
deleted file mode 100644
index 0c432cd..0000000
--- a/cesnet-central/playbooks/notebooks.yaml
+++ /dev/null
@@ -1,154 +0,0 @@
----
-- name: Notebooks deployments
-  hosts: master
-  become: true
-  tasks:
-    - name: Configure helm repo
-      shell: |-
-        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
-        helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
-        helm repo update
-      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or
-             'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"
-    - name: Get Secrets from Vault for notebooks
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-      set_fact:
-        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name,
-          token_validate=false)}) }}"
-      with_fileglob:
-        - "../deployments/*.yaml"
-    - name: Debug Deployments Secrets
-      debug:
-        msg: "{{ item.key }} = {{ item.value }}"
-      loop: "{{ secrets | dict2items }}"
-    - name: Copy config file to master
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-        secret: "{{ secrets[name] }}"
-      template:
-        src: "{{ item }}"
-        dest: "/tmp/{{ item | basename }}"
-        mode: 0600
-      with_fileglob:
-        - "../deployments/*.yaml"
-    - name: Deploy/upgrade notebook instance
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-        version: "3.2.1" # app 4.0.2 (2023-11-27)
-        monitor_version: "0.3.1"
-      shell: |-
-        helm status --namespace {{ name }} {{ name }}
-        if [ $? -ne 0 ]; then
-            helm install --create-namespace --namespace {{ name }} \
-                -f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
-                 {{ name }} jupyterhub/jupyterhub
-        else
-            helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
-                --namespace {{ name }} {{ name }} jupyterhub/jupyterhub
-        fi
-        helm status --namespace {{ name }} {{ name }}-monitor
-        if [ $? -ne 0 ]; then
-            helm install --namespace {{ name }} \
-                -f /tmp/{{ item | basename }} --version {{ monitor_version }} \
-                {{ name }}-monitor eginotebooks/notebooks-monitor
-        else
-            helm upgrade --version {{ monitor_version }} \
-                -f /tmp/{{ item | basename }} --namespace {{ name }} \
-                {{ name }}-monitor eginotebooks/notebooks-monitor
-        fi
-      environment:
-        KUBECONFIG: /etc/kubernetes/admin.conf
-        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
-      when: true
-      with_fileglob:
-        - "../deployments/*.yaml"
-
-    - name: Configure secrets management for the hub
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-      shell: |-
-        kubectl apply -f - << EOF
-        ---
-        kind: Role
-        apiVersion: rbac.authorization.k8s.io/v1
-        metadata:
-          name: hub-secrets
-          namespace: {{ name }}
-        rules:
-          - apiGroups: [""]       # "" indicates the core API group
-            resources: ["secrets"]
-            verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
-        ---
-        kind: RoleBinding
-        apiVersion: rbac.authorization.k8s.io/v1
-        metadata:
-          name: hub-secrets
-          namespace: {{ name }}
-        subjects:
-          - kind: ServiceAccount
-            name: hub
-            namespace: {{ name }}
-        roleRef:
-          kind: Role
-          name: hub-secrets
-          apiGroup: rbac.authorization.k8s.io
-        EOF
-      environment:
-        KUBECONFIG: /etc/kubernetes/admin.conf
-        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
-      when: true
-      with_fileglob:
-        - "../deployments/*.yaml"
-    # do the extra bits of configuration
-    # here we should have all the namespaces, pre-requirements in place
-    # XXX: this won't remove things that are delete from the directory
-    - name: Copy extra configuration files
-      copy:
-        src: "{{ item }}"
-        dest: "/tmp/{{ item | basename }}"
-        mode: 0600
-      with_fileglob:
-        - "../extra/*.yaml"
-    - name: Extra configuration
-      command: |-
-          kubectl apply -f /tmp/{{ item | basename }}
-      environment:
-        KUBECONFIG: /etc/kubernetes/admin.conf
-      with_fileglob:
-        - "../extra/*.yaml"
-      when: true
-    # Workaround for pods stuck in "Terminating" state
-    - name: K8s pods cleaner script
-      copy:
-        dest: /usr/local/bin/k8s-pods-cleaner.sh
-        src: files/usr/local/bin/k8s-pods-cleaner.sh
-        mode: preserve
-    # Workaround for pods stuck in "Terminating" state
-    - name: Regular cleanup of failed user notebooks pods
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-      cron:
-        cron_file: "notebooks-{{ name }}-cleaner"
-        name: "Notebooks {{ name }} cleanup"
-        minute: "*"
-        hour: "*"
-        job: "KUBECONFIG=$HOME/.kube/config /usr/local/bin/k8s-pods-cleaner.sh '{{ name }}' --yes >/dev/null 2>&1"
-        user: egi
-      with_fileglob:
-        - "../deployments/*.yaml"
-- hosts: nfs
-  become: true
-  tasks:
-    - name: Quota settings
-      vars:
-        name: "{{ item | basename | splitext | first }}"
-      cron:
-        cron_file: notebook-quotas
-        name: "{{ name }} quotas"
-        minute: "0"
-        hour: "*/2"
-        job: "/usr/local/bin/xfs-quotas.sh --include ^/exports/{{ name }}- --exclude ^/exports/{{ name }}-hub-db-dir-"
-        user: root
-      with_fileglob:
-        - "../deployments/*.yaml"
diff --git a/cesnet-central/playbooks/notebooks.yaml b/cesnet-central/playbooks/notebooks.yaml
new file mode 120000
index 0000000..3f1a33f
--- /dev/null
+++ b/cesnet-central/playbooks/notebooks.yaml
@@ -0,0 +1 @@
+../../common/playbooks/notebooks.yaml
\ No newline at end of file
diff --git a/cesnet-central/playbooks/squid.yaml b/cesnet-central/playbooks/squid.yaml
deleted file mode 100644
index 8b2a996..0000000
--- a/cesnet-central/playbooks/squid.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-- name: Gather facts on all nodes
-  hosts: allnodes
-  become: true
-  tasks:
-    - name: Gather facts on the node
-      debug:
-        msg: "IPv4: {{ ansible_default_ipv4.address | default('') }}, IPv6: {{ ansible_default_ipv6.address | default('') }}"
-- name: Squid proxy deployment
-  hosts: ingress[0]
-  become: true
-  tasks:
-    - name: Install squid
-      package:
-        name: squid
-      # full-fledge restart needed to build cache
-      notify: Restart squid
-    # https://cvmfs.readthedocs.io/en/stable/cpt-squid.html
-    - name: Configure squid
-      lineinfile:
-        regexp: '^\s*{{ item.key }}\s+.*'
-        line: "{{ item.key }} {{ item.value }}"
-        path: /etc/squid/squid.conf
-      loop: "{{ config | dict2items }}"
-      vars:
-        config:
-          collapsed_forwarding: "on"
-          minimum_expiry_time: 0
-          maximum_object_size: 1024 MB
-          cache_mem: 128 MB
-          maximum_object_size_in_memory: 128 KB
-          cache_dir: ufs /var/spool/squid 81920 16 256
-      notify: Reload squid
-    - name: Configure squid - ACL allcluster
-      template:
-        src: templates/etc/squid/conf.d/allcluster.conf
-        dest: /etc/squid/conf.d/allcluster.conf
-        mode: 0644
-      notify: Reload squid
-
-  handlers:
-    - name: Restart squid
-      service:
-        name: squid
-        state: restarted
-    - name: Reload squid
-      service:
-        name: squid
-        state: reloaded
diff --git a/cesnet-central/playbooks/squid.yaml b/cesnet-central/playbooks/squid.yaml
new file mode 120000
index 0000000..114c327
--- /dev/null
+++ b/cesnet-central/playbooks/squid.yaml
@@ -0,0 +1 @@
+../../common/playbooks/squid.yaml
\ No newline at end of file
diff --git a/cesnet-central/playbooks/templates/etc/exports b/cesnet-central/playbooks/templates/etc/exports
deleted file mode 100644
index dfc08fc..0000000
--- a/cesnet-central/playbooks/templates/etc/exports
+++ /dev/null
@@ -1,2 +0,0 @@
-# export the NFS directory to all the cluster members
-/exports {% for host in groups['allnodes'] -%}{{ host }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/cesnet-central/playbooks/templates/etc/exports b/cesnet-central/playbooks/templates/etc/exports
new file mode 120000
index 0000000..ba5695c
--- /dev/null
+++ b/cesnet-central/playbooks/templates/etc/exports
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/exports.inventory_hostname
\ No newline at end of file
diff --git a/cesnet-central/playbooks/templates/etc/mailutils.conf b/cesnet-central/playbooks/templates/etc/mailutils.conf
deleted file mode 100644
index 9e38faa..0000000
--- a/cesnet-central/playbooks/templates/etc/mailutils.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-address {
-  email-domain {{ fromdomain }};
-};
diff --git a/cesnet-central/playbooks/templates/etc/mailutils.conf b/cesnet-central/playbooks/templates/etc/mailutils.conf
new file mode 120000
index 0000000..dbd8a1f
--- /dev/null
+++ b/cesnet-central/playbooks/templates/etc/mailutils.conf
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
diff --git a/cesnet-central/playbooks/templates/etc/squid b/cesnet-central/playbooks/templates/etc/squid
new file mode 120000
index 0000000..352b598
--- /dev/null
+++ b/cesnet-central/playbooks/templates/etc/squid
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/squid
\ No newline at end of file
diff --git a/cesnet-central/playbooks/upgrade.yaml b/cesnet-central/playbooks/upgrade.yaml
deleted file mode 100644
index 2c76219..0000000
--- a/cesnet-central/playbooks/upgrade.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
----
-#
-# Upgrade kubernetes cluster
-#
-# https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
-#
-# Usage example:
-#
-# VERSION=1.30.2
-# ansible-playbook playbooks/upgrade.yaml --extra-vars "version=$VERSION"
-#
-- name: Upgrade and hold kubeadm package
-  hosts: master,ingress,nfs,worker,gpu
-  become: true
-  tasks:
-    - name: New k8s repository
-      copy:
-        dest: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_30_deb.list
-        content: deb https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /
-        mode: 0644
-    - name: Upgrade packages
-      apt:
-        name: kubeadm={{ version }}*
-        state: present
-        force: true
-        update_cache: true
-    - name: Hold packages
-      dpkg_selections:
-        name: "{{ item }}"
-        selection: hold
-      loop:
-        - kubeadm
-
-- name: Upgrade k8s master
-  hosts: master
-  become: true
-  tasks:
-    - name: Upgrade kubeadm
-      command: |
-        kubeadm upgrade apply --yes v{{ version }}
-      when: true
-
-- name: Upgrade k8s nodes
-  hosts: ingress,nfs,worker,gpu
-  become: true
-  tasks:
-    - name: Upgrade kubeadm
-      command: |
-        kubeadm upgrade node
-      when: true
-
-- name: Upgrade and hold packages
-  hosts: master,ingress,nfs,worker,gpu
-  become: true
-  tasks:
-    - name: Upgrade packages
-      apt:
-        name: kubectl={{ version }}*, kubelet={{ version }}*
-        state: present
-        force: true
-        update_cache: true
-    - name: Hold packages
-      dpkg_selections:
-        name: "{{ item }}"
-        selection: hold
-      loop:
-        - kubectl
-        - kubelet
-    - name: Restart kubelet
-      systemd:
-        state: restarted
-        name: kubelet
-    - name: Cleanup old k8s repository
-      file:
-        path: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_29_deb.list
-        state: absent
-
-
-# pinned by grycap.kubernetes
-# - name: Upgrade networking
-#   hosts: master
-#   become: true
-#   tasks:
-#     - name: Upgrade weave
-#       shell: |
-#         set -o pipefail
-#         kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
-#       environment:
-#         KUBECONFIG: /etc/kubernetes/admin.conf
-#       args:
-#         executable: /bin/bash
-#       when: true
diff --git a/cesnet-central/playbooks/upgrade.yaml b/cesnet-central/playbooks/upgrade.yaml
new file mode 120000
index 0000000..0f9e3f4
--- /dev/null
+++ b/cesnet-central/playbooks/upgrade.yaml
@@ -0,0 +1 @@
+../../common/playbooks/upgrade.yaml
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/cvmfs.yaml b/cesnet-mcc/playbooks/cvmfs.yaml
index b5dcdf0..2e82cca 120000
--- a/cesnet-mcc/playbooks/cvmfs.yaml
+++ b/cesnet-mcc/playbooks/cvmfs.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/cvmfs.yaml
\ No newline at end of file
+../../common/playbooks/cvmfs.yaml
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/files/calico.yaml b/cesnet-mcc/playbooks/files/calico.yaml
index 3d2b787..732c864 120000
--- a/cesnet-mcc/playbooks/files/calico.yaml
+++ b/cesnet-mcc/playbooks/files/calico.yaml
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/calico.yaml
\ No newline at end of file
+../../../common/playbooks/files/calico.yaml
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/files/etc b/cesnet-mcc/playbooks/files/etc
index 0246be9..ed53b87 120000
--- a/cesnet-mcc/playbooks/files/etc
+++ b/cesnet-mcc/playbooks/files/etc
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/etc
\ No newline at end of file
+../../../common/playbooks/files/etc
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/files/usr b/cesnet-mcc/playbooks/files/usr
index 47d6e90..b034223 120000
--- a/cesnet-mcc/playbooks/files/usr
+++ b/cesnet-mcc/playbooks/files/usr
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/usr
\ No newline at end of file
+../../../common/playbooks/files/usr
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/k8s.yaml b/cesnet-mcc/playbooks/k8s.yaml
index 5e18112..117aed6 120000
--- a/cesnet-mcc/playbooks/k8s.yaml
+++ b/cesnet-mcc/playbooks/k8s.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/k8s.yaml
\ No newline at end of file
+../../common/playbooks/k8s.yaml
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/squid.yaml b/cesnet-mcc/playbooks/squid.yaml
index 408847e..114c327 120000
--- a/cesnet-mcc/playbooks/squid.yaml
+++ b/cesnet-mcc/playbooks/squid.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/squid.yaml
\ No newline at end of file
+../../common/playbooks/squid.yaml
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/templates/etc/exports b/cesnet-mcc/playbooks/templates/etc/exports
deleted file mode 100644
index d00f3ed..0000000
--- a/cesnet-mcc/playbooks/templates/etc/exports
+++ /dev/null
@@ -1,2 +0,0 @@
-# export the NFS directory to all the cluster members
-/exports {% for host in groups['allnodes'] -%}{{ hostvars[host].ansible_default_ipv4.address }}(rw,async,no_root_squash,no_subtree_check) {{ hostvars[host].ansible_default_ipv6.address }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/cesnet-mcc/playbooks/templates/etc/exports b/cesnet-mcc/playbooks/templates/etc/exports
new file mode 120000
index 0000000..3ef288e
--- /dev/null
+++ b/cesnet-mcc/playbooks/templates/etc/exports
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/exports.ipv46
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/templates/etc/mailutils.conf b/cesnet-mcc/playbooks/templates/etc/mailutils.conf
index c67eb7d..dbd8a1f 120000
--- a/cesnet-mcc/playbooks/templates/etc/mailutils.conf
+++ b/cesnet-mcc/playbooks/templates/etc/mailutils.conf
@@ -1 +1 @@
-../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
+../../../../common/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/templates/etc/squid b/cesnet-mcc/playbooks/templates/etc/squid
index a7a265f..352b598 120000
--- a/cesnet-mcc/playbooks/templates/etc/squid
+++ b/cesnet-mcc/playbooks/templates/etc/squid
@@ -1 +1 @@
-../../../../cesnet-central/playbooks/templates/etc/squid
\ No newline at end of file
+../../../../common/playbooks/templates/etc/squid
\ No newline at end of file
diff --git a/cesnet-mcc/playbooks/upgrade.yaml b/cesnet-mcc/playbooks/upgrade.yaml
index 3a00425..0f9e3f4 120000
--- a/cesnet-mcc/playbooks/upgrade.yaml
+++ b/cesnet-mcc/playbooks/upgrade.yaml
@@ -1 +1 @@
-/home/valtri/notebooks-operations.eosc/cesnet-central/playbooks/upgrade.yaml
\ No newline at end of file
+../../common/playbooks/upgrade.yaml
\ No newline at end of file
diff --git a/common/playbooks/cvmfs.yaml b/common/playbooks/cvmfs.yaml
new file mode 100644
index 0000000..26eb1a8
--- /dev/null
+++ b/common/playbooks/cvmfs.yaml
@@ -0,0 +1,77 @@
+---
+- name: CVMFS deployment
+  hosts: ingress, nfs, worker, gpu
+  vars:
+    # EGI repositories: gridpp.egi.eu eosc.egi.eu pheno.egi.eu mice.egi.eu ghost.egi.eu wenmr.egi.eu neugrid.egi.eu auger.egi.eu dirac.egi.eu galdyn.egi.eu seadatanet.egi.eu ligo.egi.eu supernemo.egi.eu pravda.egi.eu chipster.egi.eu hyperk.egi.eu snoplus.egi.eu km3net.egi.eu t2k.egi.eu na62.egi.eu biomed.egi.eu eiscat.egi.eu comet.egi.eu notebooks.egi.eu
+    cvmfs_repositories:
+      - cvmfs-config.cern.ch  # required
+      - atlas.cern.ch
+      - cms.cern.ch
+      - grid.cern.ch
+      - auger.egi.eu
+      - biomed.egi.eu
+      - dirac.egi.eu
+      - eiscat.egi.eu
+      - notebooks.egi.eu
+  become: true
+  tasks:
+    - name: Check cvmfs apt repository
+      command:
+        cmd: dpkg-query -W cvmfs-release
+      register: cvmfs_release_check_deb
+      failed_when: cvmfs_release_check_deb.rc > 1
+      changed_when: false
+    # Avoid occasional network failures (partially)
+    - name: Set cvmfs apt repository proxy cache
+      copy:
+        dest: /etc/apt/apt.conf.d/99cvmfs-proxy
+        mode: 0644
+        content: |
+          Acquire::http::Proxy {
+              cvmrepo.web.cern.ch "http://{{ groups['ingress'][0] | ansible.utils.ipwrap }}:3128";
+          };
+    - name: Install and setup cvmfs apt repository
+      vars:
+        f: cvmfs-release-latest_all.deb
+      when: cvmfs_release_check_deb.rc | default(0) == 1
+      block:
+        - name: Download cvmfs-release latest package
+          get_url:
+            url: https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/{{ f }}
+            dest: /tmp/{{ f }}
+            mode: 0644
+        - name: Install cvmfs-release latest package
+          apt:
+            deb: /tmp/{{ f }}
+        - name: Update apt cache with cvmfs apt repository
+          apt:
+            update_cache: true
+    - name: Install cvmfs
+      package:
+        name: cvmfs
+        state: present
+    - name: Config cvmfs
+      copy:
+        dest: /etc/cvmfs/default.local
+        mode: 0644
+        content: |
+          CVMFS_HTTP_PROXY=http://{{ groups['ingress'][0] | ansible.utils.ipwrap }}:3128
+    - name: Setup and mount cvmfs repository {{ item }}
+      ansible.posix.mount:
+        path: /cvmfs/{{ item }}
+        src: "{{ item }}"
+        fstype: cvmfs
+        opts: defaults,_netdev,nodev,x-systemd.requires-mounts-for=/cvmfs/config-egi.egi.eu
+        state: mounted
+      with_items: "{{ cvmfs_repositories }}"
+    - name: Check updatedb.conf existence
+      stat:
+        path: /etc/updatedb.conf
+      register: register_updatedb
+    - name: Tune updatedb.conf - ensure /cvmfs in PRUNEPATHS
+      lineinfile:
+        path: /etc/updatedb.conf
+        backrefs: true
+        regex: '^(\s*PRUNEPATHS\s*=\s*)"(.*?)\s*(/cvmfs\s*)?"\s*$'
+        line: '\1"\2 /cvmfs"'
+      when: register_updatedb.stat.exists
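Review bot: The cvmfs-release bootstrap (the `Download cvmfs-release latest package` and `Install cvmfs-release latest package` tasks) installs a .deb fetched from ecsft.cern.ch with no integrity check visible in the playbook: the `get_url` task has no `checksum:`, and `apt: deb:` installs a local file without the repository signature check apt applies to archive packages, so whatever that endpoint serves (or anything able to interpose on the TLS session) is installed as root and then becomes the trusted apt source for every later `cvmfs` package on ingress, nfs, worker and gpu nodes. Pin a specific release file instead of `cvmfs-release-latest_all.deb` and add `checksum: sha256:<digest recorded from a verified download>` to the `get_url` task, or verify the package signature before the `apt: deb:` step. Writing the download as root to the predictable world-writable path `/tmp/{{ f }}` is also avoidable; a root-owned location such as `/var/cache/apt/archives/{{ f }}` or a path from the `tempfile` module is safer. Separately, the mount option `x-systemd.requires-mounts-for=/cvmfs/config-egi.egi.eu` appears to reference a repository that is not in `cvmfs_repositories` (the config repository actually listed is `cvmfs-config.cern.ch`); if that is intentional, a one-line comment saying where config-egi.egi.eu gets mounted would save the next reader from assuming it is a typo.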
diff --git a/common/playbooks/files/calico.yaml b/common/playbooks/files/calico.yaml
new file mode 100644
index 0000000..7f4cb47
--- /dev/null
+++ b/common/playbooks/files/calico.yaml
@@ -0,0 +1,5135 @@
+---
+# Source: calico/templates/calico-kube-controllers.yaml
+# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
+
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: calico-kube-controllers
+---
+# Source: calico/templates/calico-kube-controllers.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-node
+  namespace: kube-system
+---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+---
+# Source: calico/templates/calico-config.yaml
+# This ConfigMap is used to configure a self-hosted Calico installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: calico-config
+  namespace: kube-system
+data:
+  # Typha is disabled.
+  typha_service_name: "none"
+  # Configure the backend to use.
+  calico_backend: "bird"
+
+  # Configure the MTU to use for workload interfaces and tunnels.
+  # By default, MTU is auto-detected, and explicitly setting this field should not be required.
+  # You can override auto-detection by providing a non-zero value.
+  veth_mtu: "0"
+
+  # The CNI network configuration to install on each node. The special
+  # values in this config will be automatically populated.
+  cni_network_config: |-
+    {
+      "name": "k8s-pod-network",
+      "cniVersion": "0.3.1",
+      "plugins": [
+        {
+          "type": "calico",
+          "log_level": "info",
+          "log_file_path": "/var/log/calico/cni/cni.log",
+          "datastore_type": "kubernetes",
+          "nodename": "__KUBERNETES_NODE_NAME__",
+          "mtu": __CNI_MTU__,
+          "ipam": {
+              "type": "calico-ipam"
+          },
+          "policy": {
+              "type": "k8s"
+          },
+          "kubernetes": {
+              "kubeconfig": "__KUBECONFIG_FILEPATH__"
+          }
+        },
+        {
+          "type": "portmap",
+          "snat": true,
+          "capabilities": {"portMappings": true}
+        },
+        {
+          "type": "bandwidth",
+          "capabilities": {"bandwidth": true}
+        }
+      ]
+    }
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: bgpconfigurations.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: BGPConfiguration
+    listKind: BGPConfigurationList
+    plural: bgpconfigurations
+    singular: bgpconfiguration
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: BGPConfiguration contains the configuration for any BGP routing.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPConfigurationSpec contains the values of the BGP configuration.
+            properties:
+              asNumber:
+                description: 'ASNumber is the default AS number used by a node. [Default:
+                  64512]'
+                format: int32
+                type: integer
+              bindMode:
+                description: BindMode indicates whether to listen for BGP connections
+                  on all addresses (None) or only on the node's canonical IP address
+                  Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
+                  for BGP connections on all addresses.
+                type: string
+              communities:
+                description: Communities is a list of BGP community values and their
+                  arbitrary names for tagging routes.
+                items:
+                  description: Community contains standard or large community value
+                    and its name.
+                  properties:
+                    name:
+                      description: Name given to community value.
+                      type: string
+                    value:
+                      description: Value must be of format `aa:nn` or `aa:nn:mm`.
+                        For standard community use `aa:nn` format, where `aa` and
+                        `nn` are 16 bit number. For large community use `aa:nn:mm`
+                        format, where `aa`, `nn` and `mm` are 32 bit number. Where,
+                        `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
+                      pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
+                      type: string
+                  type: object
+                type: array
+              ignoredInterfaces:
+                description: IgnoredInterfaces indicates the network interfaces that
+                  needs to be excluded when reading device routes.
+                items:
+                  type: string
+                type: array
+              listenPort:
+                description: ListenPort is the port where BGP protocol should listen.
+                  Defaults to 179
+                maximum: 65535
+                minimum: 1
+                type: integer
+              logSeverityScreen:
+                description: 'LogSeverityScreen is the log severity above which logs
+                  are sent to the stdout. [Default: INFO]'
+                type: string
+              nodeMeshMaxRestartTime:
+                description: Time to allow for software restart for node-to-mesh peerings.  When
+                  specified, this is configured as the graceful restart timeout.  When
+                  not specified, the BIRD default of 120s is used. This field can
+                  only be set on the default BGPConfiguration instance and requires
+                  that NodeMesh is enabled
+                type: string
+              nodeMeshPassword:
+                description: Optional BGP password for full node-to-mesh peerings.
+                  This field can only be set on the default BGPConfiguration instance
+                  and requires that NodeMesh is enabled
+                properties:
+                  secretKeyRef:
+                    description: Selects a key of a secret in the node pod's namespace.
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                type: object
+              nodeToNodeMeshEnabled:
+                description: 'NodeToNodeMeshEnabled sets whether full node to node
+                  BGP mesh is enabled. [Default: true]'
+                type: boolean
+              prefixAdvertisements:
+                description: PrefixAdvertisements contains per-prefix advertisement
+                  configuration.
+                items:
+                  description: PrefixAdvertisement configures advertisement properties
+                    for the specified CIDR.
+                  properties:
+                    cidr:
+                      description: CIDR for which properties should be advertised.
+                      type: string
+                    communities:
+                      description: Communities can be list of either community names
+                        already defined in `Specs.Communities` or community value
+                        of format `aa:nn` or `aa:nn:mm`. For standard community use
+                        `aa:nn` format, where `aa` and `nn` are 16 bit number. For
+                        large community use `aa:nn:mm` format, where `aa`, `nn` and
+                        `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
+                        `mm` are per-AS identifier.
+                      items:
+                        type: string
+                      type: array
+                  type: object
+                type: array
+              serviceClusterIPs:
+                description: ServiceClusterIPs are the CIDR blocks from which service
+                  cluster IPs are allocated. If specified, Calico will advertise these
+                  blocks, as well as any cluster IPs within them.
+                items:
+                  description: ServiceClusterIPBlock represents a single allowed ClusterIP
+                    CIDR block.
+                  properties:
+                    cidr:
+                      type: string
+                  type: object
+                type: array
+              serviceExternalIPs:
+                description: ServiceExternalIPs are the CIDR blocks for Kubernetes
+                  Service External IPs. Kubernetes Service ExternalIPs will only be
+                  advertised if they are within one of these blocks.
+                items:
+                  description: ServiceExternalIPBlock represents a single allowed
+                    External IP CIDR block.
+                  properties:
+                    cidr:
+                      type: string
+                  type: object
+                type: array
+              serviceLoadBalancerIPs:
+                description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
+                  Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
+                  IPs will only be advertised if they are within one of these blocks.
+                items:
+                  description: ServiceLoadBalancerIPBlock represents a single allowed
+                    LoadBalancer IP CIDR block.
+                  properties:
+                    cidr:
+                      type: string
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: bgpfilters.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: BGPFilter
+    listKind: BGPFilterList
+    plural: bgpfilters
+    singular: bgpfilter
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of
+              the BGP Filter.
+            properties:
+              exportV4:
+                description: The ordered set of IPv4 BGPFilter rules acting on exporting
+                  routes to a peer.
+                items:
+                  description: BGPFilterRuleV4 defines a BGP filter rule consisting
+                    a single IPv4 CIDR block and a filter action for this CIDR.
+                  properties:
+                    action:
+                      type: string
+                    cidr:
+                      type: string
+                    interface:
+                      type: string
+                    matchOperator:
+                      type: string
+                    source:
+                      type: string
+                  required:
+                  - action
+                  type: object
+                type: array
+              exportV6:
+                description: The ordered set of IPv6 BGPFilter rules acting on exporting
+                  routes to a peer.
+                items:
+                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
+                    a single IPv6 CIDR block and a filter action for this CIDR.
+                  properties:
+                    action:
+                      type: string
+                    cidr:
+                      type: string
+                    interface:
+                      type: string
+                    matchOperator:
+                      type: string
+                    source:
+                      type: string
+                  required:
+                  - action
+                  type: object
+                type: array
+              importV4:
+                description: The ordered set of IPv4 BGPFilter rules acting on importing
+                  routes from a peer.
+                items:
+                  description: BGPFilterRuleV4 defines a BGP filter rule consisting
+                    a single IPv4 CIDR block and a filter action for this CIDR.
+                  properties:
+                    action:
+                      type: string
+                    cidr:
+                      type: string
+                    interface:
+                      type: string
+                    matchOperator:
+                      type: string
+                    source:
+                      type: string
+                  required:
+                  - action
+                  type: object
+                type: array
+              importV6:
+                description: The ordered set of IPv6 BGPFilter rules acting on importing
+                  routes from a peer.
+                items:
+                  description: BGPFilterRuleV6 defines a BGP filter rule consisting
+                    a single IPv6 CIDR block and a filter action for this CIDR.
+                  properties:
+                    action:
+                      type: string
+                    cidr:
+                      type: string
+                    interface:
+                      type: string
+                    matchOperator:
+                      type: string
+                    source:
+                      type: string
+                  required:
+                  - action
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: bgppeers.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: BGPPeer
+    listKind: BGPPeerList
+    plural: bgppeers
+    singular: bgppeer
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BGPPeerSpec contains the specification for a BGPPeer resource.
+            properties:
+              asNumber:
+                description: The AS Number of the peer.
+                format: int32
+                type: integer
+              filters:
+                description: The ordered set of BGPFilters applied on this BGP peer.
+                items:
+                  type: string
+                type: array
+              keepOriginalNextHop:
+                description: Option to keep the original nexthop field when routes
+                  are sent to a BGP Peer. Setting "true" configures the selected BGP
+                  Peers node to use the "next hop keep;" instead of "next hop self;"(default)
+                  in the specific branch of the Node on "bird.cfg".
+                type: boolean
+              maxRestartTime:
+                description: Time to allow for software restart.  When specified,
+                  this is configured as the graceful restart timeout.  When not specified,
+                  the BIRD default of 120s is used.
+                type: string
+              node:
+                description: The node name identifying the Calico node instance that
+                  is targeted by this peer. If this is not set, and no nodeSelector
+                  is specified, then this BGP peer selects all nodes in the cluster.
+                type: string
+              nodeSelector:
+                description: Selector for the nodes that should have this peering.  When
+                  this is set, the Node field must be empty.
+                type: string
+              numAllowedLocalASNumbers:
+                description: Maximum number of local AS numbers that are allowed in
+                  the AS path for received routes. This removes BGP loop prevention
+                  and should only be used if absolutely necessary.
+                format: int32
+                type: integer
+              password:
+                description: Optional BGP password for the peerings generated by this
+                  BGPPeer resource.
+                properties:
+                  secretKeyRef:
+                    description: Selects a key of a secret in the node pod's namespace.
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                          TODO: Add other useful fields. apiVersion, kind, uid?'
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                type: object
+              peerIP:
+                description: The IP address of the peer followed by an optional port
+                  number to peer with. If port number is given, format should be `[<IPv6>]:port`
+                  or `<IPv4>:<port>` for IPv4. If optional port number is not set,
+                  and this peer IP and ASNumber belongs to a calico/node with ListenPort
+                  set in BGPConfiguration, then we use that port to peer.
+                type: string
+              peerSelector:
+                description: Selector for the remote nodes to peer with.  When this
+                  is set, the PeerIP and ASNumber fields must be empty.  For each
+                  peering between the local node and selected remote nodes, we configure
+                  an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
+                  and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified.  The
+                  remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
+                  or the global default if that is not set.
+                type: string
+              reachableBy:
+                description: Add an exact, i.e. /32, static route toward peer IP in
+                  order to prevent route flapping. ReachableBy contains the address
+                  of the gateway which peer can be reached by.
+                type: string
+              sourceAddress:
+                description: Specifies whether and how to configure a source address
+                  for the peerings generated by this BGPPeer resource.  Default value
+                  "UseNodeIP" means to configure the node IP as the source address.  "None"
+                  means not to configure a source address.
+                type: string
+              ttlSecurity:
+                description: TTLSecurity enables the generalized TTL security mechanism
+                  (GTSM) which protects against spoofed packets by ignoring received
+                  packets with a smaller than expected TTL value. The provided value
+                  is the number of hops (edges) between the peers.
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: blockaffinities.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: BlockAffinity
+    listKind: BlockAffinityList
+    plural: blockaffinities
+    singular: blockaffinity
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BlockAffinitySpec contains the specification for a BlockAffinity
+              resource.
+            properties:
+              cidr:
+                type: string
+              deleted:
+                description: Deleted indicates that this block affinity is being deleted.
+                  This field is a string for compatibility with older releases that
+                  mistakenly treat this field as a string.
+                type: string
+              node:
+                type: string
+              state:
+                type: string
+            required:
+            - cidr
+            - deleted
+            - node
+            - state
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: caliconodestatuses.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: CalicoNodeStatus
+    listKind: CalicoNodeStatusList
+    plural: caliconodestatuses
+    singular: caliconodestatus
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus
+              resource.
+            properties:
+              classes:
+                description: Classes declares the types of information to monitor
+                  for this calico/node, and allows for selective status reporting
+                  about certain subsets of information.
+                items:
+                  type: string
+                type: array
+              node:
+                description: The node name identifies the Calico node instance for
+                  node status.
+                type: string
+              updatePeriodSeconds:
+                description: UpdatePeriodSeconds is the period at which CalicoNodeStatus
+                  should be updated. Set to 0 to disable CalicoNodeStatus refresh.
+                  Maximum update period is one day.
+                format: int32
+                type: integer
+            type: object
+          status:
+            description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
+              No validation needed for status since it is updated by Calico.
+            properties:
+              agent:
+                description: Agent holds agent status on the node.
+                properties:
+                  birdV4:
+                    description: BIRDV4 represents the latest observed status of bird4.
+                    properties:
+                      lastBootTime:
+                        description: LastBootTime holds the value of lastBootTime
+                          from bird.ctl output.
+                        type: string
+                      lastReconfigurationTime:
+                        description: LastReconfigurationTime holds the value of lastReconfigTime
+                          from bird.ctl output.
+                        type: string
+                      routerID:
+                        description: Router ID used by bird.
+                        type: string
+                      state:
+                        description: The state of the BGP Daemon.
+                        type: string
+                      version:
+                        description: Version of the BGP daemon
+                        type: string
+                    type: object
+                  birdV6:
+                    description: BIRDV6 represents the latest observed status of bird6.
+                    properties:
+                      lastBootTime:
+                        description: LastBootTime holds the value of lastBootTime
+                          from bird.ctl output.
+                        type: string
+                      lastReconfigurationTime:
+                        description: LastReconfigurationTime holds the value of lastReconfigTime
+                          from bird.ctl output.
+                        type: string
+                      routerID:
+                        description: Router ID used by bird.
+                        type: string
+                      state:
+                        description: The state of the BGP Daemon.
+                        type: string
+                      version:
+                        description: Version of the BGP daemon
+                        type: string
+                    type: object
+                type: object
+              bgp:
+                description: BGP holds node BGP status.
+                properties:
+                  numberEstablishedV4:
+                    description: The total number of IPv4 established bgp sessions.
+                    type: integer
+                  numberEstablishedV6:
+                    description: The total number of IPv6 established bgp sessions.
+                    type: integer
+                  numberNotEstablishedV4:
+                    description: The total number of IPv4 non-established bgp sessions.
+                    type: integer
+                  numberNotEstablishedV6:
+                    description: The total number of IPv6 non-established bgp sessions.
+                    type: integer
+                  peersV4:
+                    description: PeersV4 represents IPv4 BGP peers status on the node.
+                    items:
+                      description: CalicoNodePeer contains the status of BGP peers
+                        on the node.
+                      properties:
+                        peerIP:
+                          description: IP address of the peer whose condition we are
+                            reporting.
+                          type: string
+                        since:
+                          description: Since the state or reason last changed.
+                          type: string
+                        state:
+                          description: State is the BGP session state.
+                          type: string
+                        type:
+                          description: Type indicates whether this peer is configured
+                            via the node-to-node mesh, or via en explicit global or
+                            per-node BGPPeer object.
+                          type: string
+                      type: object
+                    type: array
+                  peersV6:
+                    description: PeersV6 represents IPv6 BGP peers status on the node.
+                    items:
+                      description: CalicoNodePeer contains the status of BGP peers
+                        on the node.
+                      properties:
+                        peerIP:
+                          description: IP address of the peer whose condition we are
+                            reporting.
+                          type: string
+                        since:
+                          description: Since the state or reason last changed.
+                          type: string
+                        state:
+                          description: State is the BGP session state.
+                          type: string
+                        type:
+                          description: Type indicates whether this peer is configured
+                            via the node-to-node mesh, or via en explicit global or
+                            per-node BGPPeer object.
+                          type: string
+                      type: object
+                    type: array
+                required:
+                - numberEstablishedV4
+                - numberEstablishedV6
+                - numberNotEstablishedV4
+                - numberNotEstablishedV6
+                type: object
+              lastUpdated:
+                description: LastUpdated is a timestamp representing the server time
+                  when CalicoNodeStatus object last updated. It is represented in
+                  RFC3339 form and is in UTC.
+                format: date-time
+                nullable: true
+                type: string
+              routes:
+                description: Routes reports routes known to the Calico BGP daemon
+                  on the node.
+                properties:
+                  routesV4:
+                    description: RoutesV4 represents IPv4 routes on the node.
+                    items:
+                      description: CalicoNodeRoute contains the status of BGP routes
+                        on the node.
+                      properties:
+                        destination:
+                          description: Destination of the route.
+                          type: string
+                        gateway:
+                          description: Gateway for the destination.
+                          type: string
+                        interface:
+                          description: Interface for the destination
+                          type: string
+                        learnedFrom:
+                          description: LearnedFrom contains information regarding
+                            where this route originated.
+                          properties:
+                            peerIP:
+                              description: If sourceType is NodeMesh or BGPPeer, IP
+                                address of the router that sent us this route.
+                              type: string
+                            sourceType:
+                              description: Type of the source where a route is learned
+                                from.
+                              type: string
+                          type: object
+                        type:
+                          description: Type indicates if the route is being used for
+                            forwarding or not.
+                          type: string
+                      type: object
+                    type: array
+                  routesV6:
+                    description: RoutesV6 represents IPv6 routes on the node.
+                    items:
+                      description: CalicoNodeRoute contains the status of BGP routes
+                        on the node.
+                      properties:
+                        destination:
+                          description: Destination of the route.
+                          type: string
+                        gateway:
+                          description: Gateway for the destination.
+                          type: string
+                        interface:
+                          description: Interface for the destination
+                          type: string
+                        learnedFrom:
+                          description: LearnedFrom contains information regarding
+                            where this route originated.
+                          properties:
+                            peerIP:
+                              description: If sourceType is NodeMesh or BGPPeer, IP
+                                address of the router that sent us this route.
+                              type: string
+                            sourceType:
+                              description: Type of the source where a route is learned
+                                from.
+                              type: string
+                          type: object
+                        type:
+                          description: Type indicates if the route is being used for
+                            forwarding or not.
+                          type: string
+                      type: object
+                    type: array
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterinformations.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: ClusterInformation
+    listKind: ClusterInformationList
+    plural: clusterinformations
+    singular: clusterinformation
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ClusterInformation contains the cluster specific information.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterInformationSpec contains the values of describing
+              the cluster.
+            properties:
+              calicoVersion:
+                description: CalicoVersion is the version of Calico that the cluster
+                  is running
+                type: string
+              clusterGUID:
+                description: ClusterGUID is the GUID of the cluster
+                type: string
+              clusterType:
+                description: ClusterType describes the type of the cluster
+                type: string
+              datastoreReady:
+                description: DatastoreReady is used during significant datastore migrations
+                  to signal to components such as Felix that it should wait before
+                  accessing the datastore.
+                type: boolean
+              variant:
+                description: Variant declares which variant of Calico should be active.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: felixconfigurations.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: FelixConfiguration
+    listKind: FelixConfigurationList
+    plural: felixconfigurations
+    singular: felixconfiguration
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Felix Configuration contains the configuration for Felix.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: FelixConfigurationSpec contains the values of the Felix configuration.
+            properties:
+              allowIPIPPacketsFromWorkloads:
+                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
+                  will add a rule to drop IPIP encapsulated traffic from workloads
+                  [Default: false]'
+                type: boolean
+              allowVXLANPacketsFromWorkloads:
+                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
+                  will add a rule to drop VXLAN encapsulated traffic from workloads
+                  [Default: false]'
+                type: boolean
+              awsSrcDstCheck:
+                description: 'Set source-destination-check on AWS EC2 instances. Accepted
+                  value must be one of "DoNothing", "Enable" or "Disable". [Default:
+                  DoNothing]'
+                enum:
+                - DoNothing
+                - Enable
+                - Disable
+                type: string
+              bpfCTLBLogFilter:
+                description: 'BPFCTLBLogFilter specifies, what is logged by connect
+                  time load balancer when BPFLogLevel is debug. Currently has to be
+                  specified as ''all'' when BPFLogFilters is set to see CTLB logs.
+                  [Default: unset - means logs are emitted when BPFLogLevel id debug
+                  and BPFLogFilters not set.]'
+                type: string
+              bpfConnectTimeLoadBalancing:
+                description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
+                  whether Felix installs the connect-time load balancer. The connect-time
+                  load balancer is required for the host to be able to reach Kubernetes
+                  services and it improves the performance of pod-to-service connections.When
+                  set to TCP, connect time load balancing is available only for services
+                  with TCP ports. [Default: TCP]'
+                enum:
+                - TCP
+                - Enabled
+                - Disabled
+                type: string
+              bpfConnectTimeLoadBalancingEnabled:
+                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
+                  controls whether Felix installs the connection-time load balancer.  The
+                  connect-time load balancer is required for the host to be able to
+                  reach Kubernetes services and it improves the performance of pod-to-service
+                  connections.  The only reason to disable it is for debugging purposes.
+                  This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
+                  true]'
+                type: boolean
+              bpfDSROptoutCIDRs:
+                description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
+                  from DSR. That is, clients in those CIDRs will accesses nodeports
+                  as if BPFExternalServiceMode was set to Tunnel.
+                items:
+                  type: string
+                type: array
+              bpfDataIfacePattern:
+                description: BPFDataIfacePattern is a regular expression that controls
+                  which interfaces Felix should attach BPF programs to in order to
+                  catch traffic to/from the network.  This needs to match the interfaces
+                  that Calico workload traffic flows over as well as any interfaces
+                  that handle incoming traffic to nodeports and services from outside
+                  the cluster.  It should not match the workload interfaces (usually
+                  named cali...).
+                type: string
+              bpfDisableGROForIfaces:
+                description: BPFDisableGROForIfaces is a regular expression that controls
+                  which interfaces Felix should disable the Generic Receive Offload
+                  [GRO] option.  It should not match the workload interfaces (usually
+                  named cali...).
+                type: string
+              bpfDisableUnprivileged:
+                description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
+                  sysctl to disable unprivileged use of BPF.  This ensures that unprivileged
+                  users cannot access Calico''s BPF maps and cannot insert their own
+                  BPF programs to interfere with Calico''s. [Default: true]'
+                type: boolean
+              bpfEnabled:
+                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
+                  [Default: false]'
+                type: boolean
+              bpfEnforceRPF:
+                description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
+                  with BPF programs regardless of what is the per-interfaces or global
+                  setting. Possible values are Disabled, Strict or Loose. [Default:
+                  Loose]'
+                pattern: ^(?i)(Disabled|Strict|Loose)?$
+                type: string
+              bpfExcludeCIDRsFromNAT:
+                description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
+                  be excluded from NAT resolution so that host can handle them. A
+                  typical usecase is node local DNS cache.
+                items:
+                  type: string
+                type: array
+              bpfExtToServiceConnmark:
+                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
+                  mark that is set on connections from an external client to a local
+                  service. This mark allows us to control how packets of that connection
+                  are routed within the host and how is routing interpreted by RPF
+                  check. [Default: 0]'
+                type: integer
+              bpfExternalServiceMode:
+                description: 'BPFExternalServiceMode in BPF mode, controls how connections
+                  from outside the cluster to services (node ports and cluster IPs)
+                  are forwarded to remote workloads.  If set to "Tunnel" then both
+                  request and response traffic is tunneled to the remote node.  If
+                  set to "DSR", the request traffic is tunneled but the response traffic
+                  is sent directly from the remote node.  In "DSR" mode, the remote
+                  node appears to use the IP of the ingress node; this requires a
+                  permissive L2 network.  [Default: Tunnel]'
+                pattern: ^(?i)(Tunnel|DSR)?$
+                type: string
+              bpfForceTrackPacketsFromIfaces:
+                description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
+                  from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
+                  traffic from those interfaces to be tracked by Linux conntrack.  Should
+                  only be used for interfaces that are not used for the Calico fabric.  For
+                  example, a docker bridge device for non-Calico-networked containers.
+                  [Default: docker+]'
+                items:
+                  type: string
+                type: array
+              bpfHostConntrackBypass:
+                description: 'BPFHostConntrackBypass Controls whether to bypass Linux
+                  conntrack in BPF mode for workloads and services. [Default: true
+                  - bypass Linux conntrack]'
+                type: boolean
+              bpfHostNetworkedNATWithoutCTLB:
+                description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
+                  whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
+                  determines the CTLB behavior. [Default: Enabled]'
+                enum:
+                - Enabled
+                - Disabled
+                type: string
+              bpfKubeProxyEndpointSlicesEnabled:
+                description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
+                  no effect. BPF kube-proxy always accepts endpoint slices. This option
+                  will be removed in the next release.
+                type: boolean
+              bpfKubeProxyIptablesCleanupEnabled:
+                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
+                  mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
+                  iptables chains.  Should only be enabled if kube-proxy is not running.  [Default:
+                  true]'
+                type: boolean
+              bpfKubeProxyMinSyncPeriod:
+                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
+                  minimum time between updates to the dataplane for Felix''s embedded
+                  kube-proxy.  Lower values give reduced set-up latency.  Higher values
+                  reduce Felix CPU usage by batching up more work.  [Default: 1s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              bpfL3IfacePattern:
+                description: BPFL3IfacePattern is a regular expression that allows
+                  to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
+                  in addition to BPFDataIfacePattern. That is, tunnel interfaces not
+                  created by Calico, that Calico workload traffic flows over as well
+                  as any interfaces that handle incoming traffic to nodeports and
+                  services from outside the cluster.
+                type: string
+              bpfLogFilters:
+                additionalProperties:
+                  type: string
+                description: "BPFLogFilters is a map of key=values where the value
+                  is a pcap filter expression and the key is an interface name with
+                  'all' denoting all interfaces, 'weps' all workload endpoints and
+                  'heps' all host endpoints. \n When specified as an env var, it accepts
+                  a comma-separated list of key=values. [Default: unset - means all
+                  debug logs are emitted]"
+                type: object
+              bpfLogLevel:
+                description: 'BPFLogLevel controls the log level of the BPF programs
+                  when in BPF dataplane mode.  One of "Off", "Info", or "Debug".  The
+                  logs are emitted to the BPF trace pipe, accessible with the command
+                  `tc exec bpf debug`. [Default: Off].'
+                pattern: ^(?i)(Off|Info|Debug)?$
+                type: string
+              bpfMapSizeConntrack:
+                description: 'BPFMapSizeConntrack sets the size for the conntrack
+                  map.  This map must be large enough to hold an entry for each active
+                  connection.  Warning: changing the size of the conntrack map can
+                  cause disruption.'
+                type: integer
+              bpfMapSizeIPSets:
+                description: BPFMapSizeIPSets sets the size for ipsets map.  The IP
+                  sets map must be large enough to hold an entry for each endpoint
+                  matched by every selector in the source/destination matches in network
+                  policy.  Selectors such as "all()" can result in large numbers of
+                  entries (one entry per endpoint in that case).
+                type: integer
+              bpfMapSizeIfState:
+                description: BPFMapSizeIfState sets the size for ifstate map.  The
+                  ifstate map must be large enough to hold an entry for each device
+                  (host + workloads) on a host.
+                type: integer
+              bpfMapSizeNATAffinity:
+                type: integer
+              bpfMapSizeNATBackend:
+                description: BPFMapSizeNATBackend sets the size for nat back end map.
+                  This is the total number of endpoints. This is mostly more than
+                  the size of the number of services.
+                type: integer
+              bpfMapSizeNATFrontend:
+                description: BPFMapSizeNATFrontend sets the size for nat front end
+                  map. FrontendMap should be large enough to hold an entry for each
+                  nodeport, external IP and each port in each service.
+                type: integer
+              bpfMapSizeRoute:
+                description: BPFMapSizeRoute sets the size for the routes map.  The
+                  routes map should be large enough to hold one entry per workload
+                  and a handful of entries per host (enough to cover its own IPs and
+                  tunnel IPs).
+                type: integer
+              bpfPSNATPorts:
+                anyOf:
+                - type: integer
+                - type: string
+                description: 'BPFPSNATPorts sets the range from which we randomly
+                  pick a port if there is a source port collision. This should be
+                  within the ephemeral range as defined by RFC 6056 (1024–65535) and
+                  preferably outside the  ephemeral ranges used by common operating
+                  systems. Linux uses 32768–60999, while others mostly use the IANA
+                  defined range 49152–65535. It is not necessarily a problem if this
+                  range overlaps with the operating systems. Both ends of the range
+                  are inclusive. [Default: 20000:29999]'
+                pattern: ^.*
+                x-kubernetes-int-or-string: true
+              bpfPolicyDebugEnabled:
+                description: BPFPolicyDebugEnabled when true, Felix records detailed
+                  information about the BPF policy programs, which can be examined
+                  with the calico-bpf command-line tool.
+                type: boolean
+              chainInsertMode:
+                description: 'ChainInsertMode controls whether Felix hooks the kernel''s
+                  top-level iptables chains by inserting a rule at the top of the
+                  chain or by appending a rule at the bottom. insert is the safe default
+                  since it prevents Calico''s rules from being bypassed. If you switch
+                  to append mode, be sure that the other rules in the chains signal
+                  acceptance by falling through to the Calico rules, otherwise the
+                  Calico policy will be bypassed. [Default: insert]'
+                pattern: ^(?i)(insert|append)?$
+                type: string
+              dataplaneDriver:
+                description: DataplaneDriver filename of the external dataplane driver
+                  to use.  Only used if UseInternalDataplaneDriver is set to false.
+                type: string
+              dataplaneWatchdogTimeout:
+                description: "DataplaneWatchdogTimeout is the readiness/liveness timeout
+                  used for Felix's (internal) dataplane driver. Increase this value
+                  if you experience spurious non-ready or non-live events when Felix
+                  is under heavy load. Decrease the value to get felix to report non-live
+                  or non-ready more quickly. [Default: 90s] \n Deprecated: replaced
+                  by the generic HealthTimeoutOverrides."
+                type: string
+              debugDisableLogDropping:
+                type: boolean
+              debugHost:
+                description: DebugHost is the host IP or hostname to bind the debug
+                  port to.  Only used if DebugPort is set. [Default:localhost]
+                type: string
+              debugMemoryProfilePath:
+                type: string
+              debugPort:
+                description: DebugPort if set, enables Felix's debug HTTP port, which
+                  allows memory and CPU profiles to be retrieved.  The debug port
+                  is not secure, it should not be exposed to the internet.
+                type: integer
+              debugSimulateCalcGraphHangAfter:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              debugSimulateDataplaneApplyDelay:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              debugSimulateDataplaneHangAfter:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              defaultEndpointToHostAction:
+                description: 'DefaultEndpointToHostAction controls what happens to
+                  traffic that goes from a workload endpoint to the host itself (after
+                  the traffic hits the endpoint egress policy). By default Calico
+                  blocks traffic from workload endpoints to the host itself with an
+                  iptables "DROP" action. If you want to allow some or all traffic
+                  from endpoint to host, set this parameter to RETURN or ACCEPT. Use
+                  RETURN if you have your own rules in the iptables "INPUT" chain;
+                  Calico will insert its rules at the top of that chain, then "RETURN"
+                  packets to the "INPUT" chain once it has completed processing workload
+                  endpoint egress policy. Use ACCEPT to unconditionally accept packets
+                  from workloads after processing workload endpoint egress policy.
+                  [Default: Drop]'
+                pattern: ^(?i)(Drop|Accept|Return)?$
+                type: string
+              deviceRouteProtocol:
+                description: This defines the route protocol added to programmed device
+                  routes, by default this will be RTPROT_BOOT when left blank.
+                type: integer
+              deviceRouteSourceAddress:
+                description: This is the IPv4 source address to use on programmed
+                  device routes. By default the source address is left blank, leaving
+                  the kernel to choose the source address used.
+                type: string
+              deviceRouteSourceAddressIPv6:
+                description: This is the IPv6 source address to use on programmed
+                  device routes. By default the source address is left blank, leaving
+                  the kernel to choose the source address used.
+                type: string
+              disableConntrackInvalidCheck:
+                type: boolean
+              endpointReportingDelay:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              endpointReportingEnabled:
+                type: boolean
+              endpointStatusPathPrefix:
+                description: "EndpointStatusPathPrefix is the path to the directory
+                  where endpoint status will be written. Endpoint status file reporting
+                  is disabled if field is left empty. \n Chosen directory should match
+                  the directory used by the CNI for PodStartupDelay. [Default: \"\"]"
+                type: string
+              externalNodesList:
+                description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
+                  which may source tunnel traffic and have the tunneled traffic be
+                  accepted at calico nodes.
+                items:
+                  type: string
+                type: array
+              failsafeInboundHostPorts:
+                description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
+                  and CIDRs that Felix will allow incoming traffic to host endpoints
+                  on irrespective of the security policy. This is useful to avoid
+                  accidentally cutting off a host with incorrect configuration. For
+                  back-compatibility, if the protocol is not specified, it defaults
+                  to "tcp". If a CIDR is not specified, it will allow traffic from
+                  all addresses. To disable all inbound host ports, use the value
+                  none. The default value allows ssh access and DHCP. [Default: tcp:22,
+                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
+                items:
+                  description: ProtoPort is combination of protocol, port, and CIDR.
+                    Protocol and port must be specified.
+                  properties:
+                    net:
+                      type: string
+                    port:
+                      type: integer
+                    protocol:
+                      type: string
+                  required:
+                  - port
+                  - protocol
+                  type: object
+                type: array
+              failsafeOutboundHostPorts:
+                description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
+                  and CIDRs that Felix will allow outgoing traffic from host endpoints
+                  to irrespective of the security policy. This is useful to avoid
+                  accidentally cutting off a host with incorrect configuration. For
+                  back-compatibility, if the protocol is not specified, it defaults
+                  to "tcp". If a CIDR is not specified, it will allow traffic from
+                  all addresses. To disable all outbound host ports, use the value
+                  none. The default value opens etcd''s standard ports to ensure that
+                  Felix does not get cut off from etcd as well as allowing DHCP and
+                  DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
+                  tcp:6667, udp:53, udp:67]'
+                items:
+                  description: ProtoPort is combination of protocol, port, and CIDR.
+                    Protocol and port must be specified.
+                  properties:
+                    net:
+                      type: string
+                    port:
+                      type: integer
+                    protocol:
+                      type: string
+                  required:
+                  - port
+                  - protocol
+                  type: object
+                type: array
+              featureDetectOverride:
+                description: FeatureDetectOverride is used to override feature detection
+                  based on auto-detected platform capabilities.  Values are specified
+                  in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".  "true"
+                  or "false" will force the feature, empty or omitted values are auto-detected.
+                pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
+                type: string
+              featureGates:
+                description: FeatureGates is used to enable or disable tech-preview
+                  Calico features. Values are specified in a comma separated list
+                  with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
+                  This is used to enable features that are not fully production ready.
+                pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
+                type: string
+              floatingIPs:
+                description: FloatingIPs configures whether or not Felix will program
+                  non-OpenStack floating IP addresses.  (OpenStack-derived floating
+                  IPs are always programmed, regardless of this setting.)
+                enum:
+                - Enabled
+                - Disabled
+                type: string
+              genericXDPEnabled:
+                description: 'GenericXDPEnabled enables Generic XDP so network cards
+                  that don''t support XDP offload or driver modes can use XDP. This
+                  is not recommended since it doesn''t provide better performance
+                  than iptables. [Default: false]'
+                type: boolean
+              healthEnabled:
+                type: boolean
+              healthHost:
+                type: string
+              healthPort:
+                type: integer
+              healthTimeoutOverrides:
+                description: HealthTimeoutOverrides allows the internal watchdog timeouts
+                  of individual subcomponents to be overridden.  This is useful for
+                  working around "false positive" liveness timeouts that can occur
+                  in particularly stressful workloads or if CPU is constrained.  For
+                  a list of active subcomponents, see Felix's logs.
+                items:
+                  properties:
+                    name:
+                      type: string
+                    timeout:
+                      type: string
+                  required:
+                  - name
+                  - timeout
+                  type: object
+                type: array
+              interfaceExclude:
+                description: 'InterfaceExclude is a comma-separated list of interfaces
+                  that Felix should exclude when monitoring for host endpoints. The
+                  default value ensures that Felix ignores Kubernetes'' IPVS dummy
+                  interface, which is used internally by kube-proxy. If you want to
+                  exclude multiple interface names using a single value, the list
+                  supports regular expressions. For regular expressions you must wrap
+                  the value with ''/''. For example having values ''/^kube/,veth1''
+                  will exclude all interfaces that begin with ''kube'' and also the
+                  interface ''veth1''. [Default: kube-ipvs0]'
+                type: string
+              interfacePrefix:
+                description: 'InterfacePrefix is the interface name prefix that identifies
+                  workload endpoints and so distinguishes them from host endpoint
+                  interfaces. Note: in environments other than bare metal, the orchestrators
+                  configure this appropriately. For example our Kubernetes and Docker
+                  integrations set the ''cali'' value, and our OpenStack integration
+                  sets the ''tap'' value. [Default: cali]'
+                type: string
+              interfaceRefreshInterval:
+                description: InterfaceRefreshInterval is the period at which Felix
+                  rescans local interfaces to verify their state. The rescan can be
+                  disabled by setting the interval to 0.
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              ipipEnabled:
+                description: 'IPIPEnabled overrides whether Felix should configure
+                  an IPIP interface on the host. Optional as Felix determines this
+                  based on the existing IP pools. [Default: nil (unset)]'
+                type: boolean
+              ipipMTU:
+                description: 'IPIPMTU is the MTU to set on the tunnel device. See
+                  Configuring MTU [Default: 1440]'
+                type: integer
+              ipsetsRefreshInterval:
+                description: 'IpsetsRefreshInterval is the period at which Felix re-checks
+                  all iptables state to ensure that no other process has accidentally
+                  broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
+                  90s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              iptablesBackend:
+                description: IptablesBackend specifies which backend of iptables will
+                  be used. The default is Auto.
+                pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
+                type: string
+              iptablesFilterAllowAction:
+                pattern: ^(?i)(Accept|Return)?$
+                type: string
+              iptablesFilterDenyAction:
+                description: IptablesFilterDenyAction controls what happens to traffic
+                  that is denied by network policy. By default Calico blocks traffic
+                  with an iptables "DROP" action. If you want to use "REJECT" action
+                  instead you can configure it in here.
+                pattern: ^(?i)(Drop|Reject)?$
+                type: string
+              iptablesLockFilePath:
+                description: 'IptablesLockFilePath is the location of the iptables
+                  lock file. You may need to change this if the lock file is not in
+                  its standard location (for example if you have mapped it into Felix''s
+                  container at a different path). [Default: /run/xtables.lock]'
+                type: string
+              iptablesLockProbeInterval:
+                description: 'IptablesLockProbeInterval is the time that Felix will
+                  wait between attempts to acquire the iptables lock if it is not
+                  available. Lower values make Felix more responsive when the lock
+                  is contended, but use more CPU. [Default: 50ms]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              iptablesLockTimeout:
+                description: 'IptablesLockTimeout is the time that Felix will wait
+                  for the iptables lock, or 0, to disable. To use this feature, Felix
+                  must share the iptables lock file with all other processes that
+                  also take the lock. When running Felix inside a container, this
+                  requires the /run directory of the host to be mounted into the calico/node
+                  or calico/felix container. [Default: 0s disabled]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              iptablesMangleAllowAction:
+                pattern: ^(?i)(Accept|Return)?$
+                type: string
+              iptablesMarkMask:
+                description: 'IptablesMarkMask is the mask that Felix selects its
+                  IPTables Mark bits from. Should be a 32 bit hexadecimal number with
+                  at least 8 bits set, none of which clash with any other mark bits
+                  in use on the system. [Default: 0xff000000]'
+                format: int32
+                type: integer
+              iptablesNATOutgoingInterfaceFilter:
+                type: string
+              iptablesPostWriteCheckInterval:
+                description: 'IptablesPostWriteCheckInterval is the period after Felix
+                  has done a write to the dataplane that it schedules an extra read
+                  back in order to check the write was not clobbered by another process.
+                  This should only occur if another application on the system doesn''t
+                  respect the iptables lock. [Default: 1s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              iptablesRefreshInterval:
+                description: 'IptablesRefreshInterval is the period at which Felix
+                  re-checks the IP sets in the dataplane to ensure that no other process
+                  has accidentally broken Calico''s rules. Set to 0 to disable IP
+                  sets refresh. Note: the default for this value is lower than the
+                  other refresh intervals as a workaround for a Linux kernel bug that
+                  was fixed in kernel version 4.11. If you are using v4.11 or greater
+                  you may want to set this to, a higher value to reduce Felix CPU
+                  usage. [Default: 10s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              ipv6Support:
+                description: IPv6Support controls whether Felix enables support for
+                  IPv6 (if supported by the in-use dataplane).
+                type: boolean
+              kubeNodePortRanges:
+                description: 'KubeNodePortRanges holds list of port ranges used for
+                  service node ports. Only used if felix detects kube-proxy running
+                  in ipvs mode. Felix uses these ranges to separate host and workload
+                  traffic. [Default: 30000:32767].'
+                items:
+                  anyOf:
+                  - type: integer
+                  - type: string
+                  pattern: ^.*
+                  x-kubernetes-int-or-string: true
+                type: array
+              logDebugFilenameRegex:
+                description: LogDebugFilenameRegex controls which source code files
+                  have their Debug log output included in the logs. Only logs from
+                  files with names that match the given regular expression are included.  The
+                  filter only applies to Debug level logs.
+                type: string
+              logFilePath:
+                description: 'LogFilePath is the full path to the Felix log. Set to
+                  none to disable file logging. [Default: /var/log/calico/felix.log]'
+                type: string
+              logPrefix:
+                description: 'LogPrefix is the log prefix that Felix uses when rendering
+                  LOG rules. [Default: calico-packet]'
+                type: string
+              logSeverityFile:
+                description: 'LogSeverityFile is the log severity above which logs
+                  are sent to the log file. [Default: Info]'
+                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
+                type: string
+              logSeverityScreen:
+                description: 'LogSeverityScreen is the log severity above which logs
+                  are sent to the stdout. [Default: Info]'
+                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
+                type: string
+              logSeveritySys:
+                description: 'LogSeveritySys is the log severity above which logs
+                  are sent to the syslog. Set to None for no logging to syslog. [Default:
+                  Info]'
+                pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
+                type: string
+              maxIpsetSize:
+                type: integer
+              metadataAddr:
+                description: 'MetadataAddr is the IP address or domain name of the
+                  server that can answer VM queries for cloud-init metadata. In OpenStack,
+                  this corresponds to the machine running nova-api (or in Ubuntu,
+                  nova-api-metadata). A value of none (case-insensitive) means that
+                  Felix should not set up any NAT rule for the metadata path. [Default:
+                  127.0.0.1]'
+                type: string
+              metadataPort:
+                description: 'MetadataPort is the port of the metadata server. This,
+                  combined with global.MetadataAddr (if not ''None''), is used to
+                  set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
+                  In most cases this should not need to be changed [Default: 8775].'
+                type: integer
+              mtuIfacePattern:
+                description: MTUIfacePattern is a regular expression that controls
+                  which interfaces Felix should scan in order to calculate the host's
+                  MTU. This should not match workload interfaces (usually named cali...).
+                type: string
+              natOutgoingAddress:
+                description: NATOutgoingAddress specifies an address to use when performing
+                  source NAT for traffic in a natOutgoing pool that is leaving the
+                  network. By default the address used is an address on the interface
+                  the traffic is leaving on (ie it uses the iptables MASQUERADE target)
+                type: string
+              natPortRange:
+                anyOf:
+                - type: integer
+                - type: string
+                description: NATPortRange specifies the range of ports that is used
+                  for port mapping when doing outgoing NAT. When unset the default
+                  behavior of the network stack is used.
+                pattern: ^.*
+                x-kubernetes-int-or-string: true
+              netlinkTimeout:
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              openstackRegion:
+                description: 'OpenstackRegion is the name of the region that a particular
+                  Felix belongs to. In a multi-region Calico/OpenStack deployment,
+                  this must be configured somehow for each Felix (here in the datamodel,
+                  or in felix.cfg or the environment on each compute node), and must
+                  match the [calico] openstack_region value configured in neutron.conf
+                  on each node. [Default: Empty]'
+                type: string
+              policySyncPathPrefix:
+                description: 'PolicySyncPathPrefix is used to by Felix to communicate
+                  policy changes to external services, like Application layer policy.
+                  [Default: Empty]'
+                type: string
+              prometheusGoMetricsEnabled:
+                description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
+                  collection, which the Prometheus client does by default, when set
+                  to false. This reduces the number of metrics reported, reducing
+                  Prometheus load. [Default: true]'
+                type: boolean
+              prometheusMetricsEnabled:
+                description: 'PrometheusMetricsEnabled enables the Prometheus metrics
+                  server in Felix if set to true. [Default: false]'
+                type: boolean
+              prometheusMetricsHost:
+                description: 'PrometheusMetricsHost is the host that the Prometheus
+                  metrics server should bind to. [Default: empty]'
+                type: string
+              prometheusMetricsPort:
+                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+                  metrics server should bind to. [Default: 9091]'
+                type: integer
+              prometheusProcessMetricsEnabled:
+                description: 'PrometheusProcessMetricsEnabled disables process metrics
+                  collection, which the Prometheus client does by default, when set
+                  to false. This reduces the number of metrics reported, reducing
+                  Prometheus load. [Default: true]'
+                type: boolean
+              prometheusWireGuardMetricsEnabled:
+                description: 'PrometheusWireGuardMetricsEnabled disables wireguard
+                  metrics collection, which the Prometheus client does by default,
+                  when set to false. This reduces the number of metrics reported,
+                  reducing Prometheus load. [Default: true]'
+                type: boolean
+              removeExternalRoutes:
+                description: Whether or not to remove device routes that have not
+                  been programmed by Felix. Disabling this will allow external applications
+                  to also add device routes. This is enabled by default which means
+                  we will remove externally added routes.
+                type: boolean
+              reportingInterval:
+                description: 'ReportingInterval is the interval at which Felix reports
+                  its status into the datastore or 0 to disable. Must be non-zero
+                  in OpenStack deployments. [Default: 30s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              reportingTTL:
+                description: 'ReportingTTL is the time-to-live setting for process-wide
+                  status reports. [Default: 90s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              routeRefreshInterval:
+                description: 'RouteRefreshInterval is the period at which Felix re-checks
+                  the routes in the dataplane to ensure that no other process has
+                  accidentally broken Calico''s rules. Set to 0 to disable route refresh.
+                  [Default: 90s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              routeSource:
+                description: 'RouteSource configures where Felix gets its routing
+                  information. - WorkloadIPs: use workload endpoints to construct
+                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
+                pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
+                type: string
+              routeSyncDisabled:
+                description: RouteSyncDisabled will disable all operations performed
+                  on the route table. Set to true to run in network-policy mode only.
+                type: boolean
+              routeTableRange:
+                description: Deprecated in favor of RouteTableRanges. Calico programs
+                  additional Linux route tables for various purposes. RouteTableRange
+                  specifies the indices of the route tables that Calico should use.
+                properties:
+                  max:
+                    type: integer
+                  min:
+                    type: integer
+                required:
+                - max
+                - min
+                type: object
+              routeTableRanges:
+                description: Calico programs additional Linux route tables for various
+                  purposes. RouteTableRanges specifies a set of table index ranges
+                  that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
+                items:
+                  properties:
+                    max:
+                      type: integer
+                    min:
+                      type: integer
+                  required:
+                  - max
+                  - min
+                  type: object
+                type: array
+              serviceLoopPrevention:
+                description: 'When service IP advertisement is enabled, prevent routing
+                  loops to service IPs that are not in use, by dropping or rejecting
+                  packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
+                  in which case such routing loops continue to be allowed. [Default:
+                  Drop]'
+                pattern: ^(?i)(Drop|Reject|Disabled)?$
+                type: string
+              sidecarAccelerationEnabled:
+                description: 'SidecarAccelerationEnabled enables experimental sidecar
+                  acceleration [Default: false]'
+                type: boolean
+              usageReportingEnabled:
+                description: 'UsageReportingEnabled reports anonymous Calico version
+                  number and cluster size to projectcalico.org. Logs warnings returned
+                  by the usage server. For example, if a significant security vulnerability
+                  has been discovered in the version of Calico being used. [Default:
+                  true]'
+                type: boolean
+              usageReportingInitialDelay:
+                description: 'UsageReportingInitialDelay controls the minimum delay
+                  before Felix makes a report. [Default: 300s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              usageReportingInterval:
+                description: 'UsageReportingInterval controls the interval at which
+                  Felix makes reports. [Default: 86400s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              useInternalDataplaneDriver:
+                description: UseInternalDataplaneDriver, if true, Felix will use its
+                  internal dataplane programming logic.  If false, it will launch
+                  an external dataplane driver and communicate with it over protobuf.
+                type: boolean
+              vxlanEnabled:
+                description: 'VXLANEnabled overrides whether Felix should create the
+                  VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
+                  determines this based on the existing IP pools. [Default: nil (unset)]'
+                type: boolean
+              vxlanMTU:
+                description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
+                  device. See Configuring MTU [Default: 1410]'
+                type: integer
+              vxlanMTUV6:
+                description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
+                  device. See Configuring MTU [Default: 1390]'
+                type: integer
+              vxlanPort:
+                type: integer
+              vxlanVNI:
+                type: integer
+              windowsManageFirewallRules:
+                description: 'WindowsManageFirewallRules configures whether or not
+                  Felix will program Windows Firewall rules. (to allow inbound access
+                  to its own metrics ports) [Default: Disabled]'
+                enum:
+                - Enabled
+                - Disabled
+                type: string
+              wireguardEnabled:
+                description: 'WireguardEnabled controls whether Wireguard is enabled
+                  for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
+                  [Default: false]'
+                type: boolean
+              wireguardEnabledV6:
+                description: 'WireguardEnabledV6 controls whether Wireguard is enabled
+                  for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
+                  [Default: false]'
+                type: boolean
+              wireguardHostEncryptionEnabled:
+                description: 'WireguardHostEncryptionEnabled controls whether Wireguard
+                  host-to-host encryption is enabled. [Default: false]'
+                type: boolean
+              wireguardInterfaceName:
+                description: 'WireguardInterfaceName specifies the name to use for
+                  the IPv4 Wireguard interface. [Default: wireguard.cali]'
+                type: string
+              wireguardInterfaceNameV6:
+                description: 'WireguardInterfaceNameV6 specifies the name to use for
+                  the IPv6 Wireguard interface. [Default: wg-v6.cali]'
+                type: string
+              wireguardKeepAlive:
+                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
+                  option. Set 0 to disable. [Default: 0]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+              wireguardListeningPort:
+                description: 'WireguardListeningPort controls the listening port used
+                  by IPv4 Wireguard. [Default: 51820]'
+                type: integer
+              wireguardListeningPortV6:
+                description: 'WireguardListeningPortV6 controls the listening port
+                  used by IPv6 Wireguard. [Default: 51821]'
+                type: integer
+              wireguardMTU:
+                description: 'WireguardMTU controls the MTU on the IPv4 Wireguard
+                  interface. See Configuring MTU [Default: 1440]'
+                type: integer
+              wireguardMTUV6:
+                description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard
+                  interface. See Configuring MTU [Default: 1420]'
+                type: integer
+              wireguardRoutingRulePriority:
+                description: 'WireguardRoutingRulePriority controls the priority value
+                  to use for the Wireguard routing rule. [Default: 99]'
+                type: integer
+              workloadSourceSpoofing:
+                description: WorkloadSourceSpoofing controls whether pods can use
+                  the allowedSourcePrefixes annotation to send traffic with a source
+                  IP address that is not theirs. This is disabled by default. When
+                  set to "Any", pods can request any prefix.
+                pattern: ^(?i)(Disabled|Any)?$
+                type: string
+              xdpEnabled:
+                description: 'XDPEnabled enables XDP acceleration for suitable untracked
+                  incoming deny rules. [Default: true]'
+                type: boolean
+              xdpRefreshInterval:
+                description: 'XDPRefreshInterval is the period at which Felix re-checks
+                  all XDP state to ensure that no other process has accidentally broken
+                  Calico''s BPF maps or attached programs. Set to 0 to disable XDP
+                  refresh. [Default: 90s]'
+                pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: globalnetworkpolicies.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: GlobalNetworkPolicy
+    listKind: GlobalNetworkPolicyList
+    plural: globalnetworkpolicies
+    singular: globalnetworkpolicy
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              applyOnForward:
+                description: ApplyOnForward indicates to apply the rules in this policy
+                  on forward traffic.
+                type: boolean
+              doNotTrack:
+                description: DoNotTrack indicates whether packets matched by the rules
+                  in this policy should go through the data plane's connection tracking,
+                  such as Linux conntrack.  If True, the rules in this policy are
+                  applied before any data plane connection tracking, and packets allowed
+                  by this policy are marked as not to be tracked.
+                type: boolean
+              egress:
+                description: The ordered set of egress rules.  Each rule contains
+                  a set of packet match criteria and a corresponding action to apply.
+                items:
+                  description: "A Rule encapsulates a set of match criteria and an
+                    action.  Both selector-based security Policy and security Profiles
+                    reference rules - separated out as a list of rules for both ingress
+                    and egress packet matching. \n Each positive match criteria has
+                    a negated version, prefixed with \"Not\". All the match criteria
+                    within a rule must be satisfied for a packet to match. A single
+                    rule can contain the positive and negative version of a match
+                    and both must be satisfied for the rule to match."
+                  properties:
+                    action:
+                      type: string
+                    destination:
+                      description: Destination contains the match criteria that apply
+                        to destination entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                    http:
+                      description: HTTP contains match criteria that apply to HTTP
+                        requests.
+                      properties:
+                        methods:
+                          description: Methods is an optional field that restricts
+                            the rule to apply only to HTTP requests that use one of
+                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
+                            methods are OR'd together.
+                          items:
+                            type: string
+                          type: array
+                        paths:
+                          description: 'Paths is an optional field that restricts
+                            the rule to apply to HTTP requests that use one of the
+                            listed HTTP Paths. Multiple paths are OR''d together.
+                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
+                            ONLY specify either a `exact` or a `prefix` match. The
+                            validator will check for it.'
+                          items:
+                            description: 'HTTPPath specifies an HTTP path to match.
+                              It may be either of the form: exact: <path>: which matches
+                              the path exactly or prefix: <path-prefix>: which matches
+                              the path prefix'
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    icmp:
+                      description: ICMP is an optional field that restricts the rule
+                        to apply to a specific type and code of ICMP traffic.  This
+                        should only be specified if the Protocol field is set to "ICMP"
+                        or "ICMPv6".
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    ipVersion:
+                      description: IPVersion is an optional field that restricts the
+                        rule to only match a specific IP version.
+                      type: integer
+                    metadata:
+                      description: Metadata contains additional information for this
+                        rule
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          description: Annotations is a set of key value pairs that
+                            give extra information about the rule
+                          type: object
+                      type: object
+                    notICMP:
+                      description: NotICMP is the negated version of the ICMP field.
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    notProtocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: NotProtocol is the negated version of the Protocol
+                        field.
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    protocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: "Protocol is an optional field that restricts the
+                        rule to only apply to traffic of a specific IP protocol. Required
+                        if any of the EntityRules contain Ports (because ports only
+                        apply to certain protocols). \n Must be one of these string
+                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
+                        \"UDPLite\" or an integer in the range 1-255."
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    source:
+                      description: Source contains the match criteria that apply to
+                        source entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                  required:
+                  - action
+                  type: object
+                type: array
+              ingress:
+                description: The ordered set of ingress rules.  Each rule contains
+                  a set of packet match criteria and a corresponding action to apply.
+                items:
+                  description: "A Rule encapsulates a set of match criteria and an
+                    action.  Both selector-based security Policy and security Profiles
+                    reference rules - separated out as a list of rules for both ingress
+                    and egress packet matching. \n Each positive match criteria has
+                    a negated version, prefixed with \"Not\". All the match criteria
+                    within a rule must be satisfied for a packet to match. A single
+                    rule can contain the positive and negative version of a match
+                    and both must be satisfied for the rule to match."
+                  properties:
+                    action:
+                      type: string
+                    destination:
+                      description: Destination contains the match criteria that apply
+                        to destination entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                    http:
+                      description: HTTP contains match criteria that apply to HTTP
+                        requests.
+                      properties:
+                        methods:
+                          description: Methods is an optional field that restricts
+                            the rule to apply only to HTTP requests that use one of
+                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
+                            methods are OR'd together.
+                          items:
+                            type: string
+                          type: array
+                        paths:
+                          description: 'Paths is an optional field that restricts
+                            the rule to apply to HTTP requests that use one of the
+                            listed HTTP Paths. Multiple paths are OR''d together.
+                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
+                            ONLY specify either a `exact` or a `prefix` match. The
+                            validator will check for it.'
+                          items:
+                            description: 'HTTPPath specifies an HTTP path to match.
+                              It may be either of the form: exact: <path>: which matches
+                              the path exactly or prefix: <path-prefix>: which matches
+                              the path prefix'
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    icmp:
+                      description: ICMP is an optional field that restricts the rule
+                        to apply to a specific type and code of ICMP traffic.  This
+                        should only be specified if the Protocol field is set to "ICMP"
+                        or "ICMPv6".
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    ipVersion:
+                      description: IPVersion is an optional field that restricts the
+                        rule to only match a specific IP version.
+                      type: integer
+                    metadata:
+                      description: Metadata contains additional information for this
+                        rule
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          description: Annotations is a set of key value pairs that
+                            give extra information about the rule
+                          type: object
+                      type: object
+                    notICMP:
+                      description: NotICMP is the negated version of the ICMP field.
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    notProtocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: NotProtocol is the negated version of the Protocol
+                        field.
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    protocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: "Protocol is an optional field that restricts the
+                        rule to only apply to traffic of a specific IP protocol. Required
+                        if any of the EntityRules contain Ports (because ports only
+                        apply to certain protocols). \n Must be one of these string
+                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
+                        \"UDPLite\" or an integer in the range 1-255."
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    source:
+                      description: Source contains the match criteria that apply to
+                        source entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                  required:
+                  - action
+                  type: object
+                type: array
+              namespaceSelector:
+                description: NamespaceSelector is an optional field for an expression
+                  used to select a pod based on namespaces.
+                type: string
+              order:
+                description: Order is an optional field that specifies the order in
+                  which the policy is applied. Policies with higher "order" are applied
+                  after those with lower order.  If the order is omitted, it may be
+                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
+                  with identical order will be applied in alphanumerical order based
+                  on the Policy "Name".
+                type: number
+              performanceHints:
+                description: "PerformanceHints contains a list of hints to Calico's
+                  policy engine to help process the policy more efficiently.  Hints
+                  never change the enforcement behaviour of the policy. \n Currently,
+                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
+                  hint is set on a policy, Felix will act as if the policy matches
+                  a local endpoint even if it does not. This is useful for \"preloading\"
+                  any large static policies that are known to be used on every node.
+                  If the policy is _not_ used on a particular node then the work done
+                  to preload the policy (and to maintain it) is wasted."
+                items:
+                  type: string
+                type: array
+              preDNAT:
+                description: PreDNAT indicates to apply the rules in this policy before
+                  any DNAT.
+                type: boolean
+              selector:
+                description: "The selector is an expression used to pick out the endpoints
+                  that the policy should be applied to. \n Selector expressions follow
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
+                  equal; also matches if label is not present \tlabel in { \"a\",
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
+                  \thas(label_name)  -> True if that label is present \t! expr ->
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  or the empty selector -> matches all endpoints. \n Label names are
+                  allowed to contain alphanumerics, -, _ and /. String literals are
+                  more permissive but they do not support escape characters. \n Examples
+                  (with made-up labels): \n \ttype == \"webserver\" && deployment
+                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
+                  \"dev\" \t! has(label_name)"
+                type: string
+              serviceAccountSelector:
+                description: ServiceAccountSelector is an optional field for an expression
+                  used to select a pod based on service accounts.
+                type: string
+              types:
+                description: "Types indicates whether this policy applies to ingress,
+                  or to egress, or to both.  When not explicitly specified (and so
+                  the value on creation is empty or nil), Calico defaults Types according
+                  to what Ingress and Egress rules are present in the policy.  The
+                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
+                  (including the case where there are   also no Ingress rules) \n
+                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
+                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
+                  both Ingress and Egress rules. \n When the policy is read back again,
+                  Types will always be one of these values, never empty or nil."
+                items:
+                  description: PolicyType enumerates the possible values of the PolicySpec
+                    Types field.
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: globalnetworksets.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: GlobalNetworkSet
+    listKind: GlobalNetworkSetList
+    plural: globalnetworksets
+    singular: globalnetworkset
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
+          that share labels to allow rules to refer to them via selectors.  The labels
+          of GlobalNetworkSet are not namespaced.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: GlobalNetworkSetSpec contains the specification for a NetworkSet
+              resource.
+            properties:
+              nets:
+                description: The list of IP networks that belong to this set.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: hostendpoints.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: HostEndpoint
+    listKind: HostEndpointList
+    plural: hostendpoints
+    singular: hostendpoint
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HostEndpointSpec contains the specification for a HostEndpoint
+              resource.
+            properties:
+              expectedIPs:
+                description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
+                  If \"InterfaceName\" is not present, Calico will look for an interface
+                  matching any of the IPs in the list and apply policy to that. Note:
+                  \tWhen using the selector match criteria in an ingress or egress
+                  security Policy \tor Profile, Calico converts the selector into
+                  a set of IP addresses. For host \tendpoints, the ExpectedIPs field
+                  is used for that purpose. (If only the interface \tname is specified,
+                  Calico does not learn the IPs of the interface for use in match
+                  \tcriteria.)"
+                items:
+                  type: string
+                type: array
+              interfaceName:
+                description: "Either \"*\", or the name of a specific Linux interface
+                  to apply policy to; or empty.  \"*\" indicates that this HostEndpoint
+                  governs all traffic to, from or through the default network namespace
+                  of the host named by the \"Node\" field; entering and leaving that
+                  namespace via any interface, including those from/to non-host-networked
+                  local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
+                  only governs traffic that enters or leaves the host through the
+                  specific interface named by InterfaceName, or - when InterfaceName
+                  is empty - through the specific interface that has one of the IPs
+                  in ExpectedIPs. Therefore, when InterfaceName is empty, at least
+                  one expected IP must be specified.  Only external interfaces (such
+                  as \"eth0\") are supported here; it isn't possible for a HostEndpoint
+                  to protect traffic through a specific local workload interface.
+                  \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
+                  initially just pre-DNAT policy.  Please check Calico documentation
+                  for the latest position."
+                type: string
+              node:
+                description: The node name identifying the Calico node instance.
+                type: string
+              ports:
+                description: Ports contains the endpoint's named ports, which may
+                  be referenced in security policy rules.
+                items:
+                  properties:
+                    name:
+                      type: string
+                    port:
+                      type: integer
+                    protocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                  required:
+                  - name
+                  - port
+                  - protocol
+                  type: object
+                type: array
+              profiles:
+                description: A list of identifiers of security Profile objects that
+                  apply to this endpoint. Each profile is applied in the order that
+                  they appear in this list.  Profile rules are applied after the selector-based
+                  security policy.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamblocks.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: IPAMBlock
+    listKind: IPAMBlockList
+    plural: ipamblocks
+    singular: ipamblock
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPAMBlockSpec contains the specification for an IPAMBlock
+              resource.
+            properties:
+              affinity:
+                description: Affinity of the block, if this block has one. If set,
+                  it will be of the form "host:<hostname>". If not set, this block
+                  is not affine to a host.
+                type: string
+              allocations:
+                description: Array of allocations in-use within this block. nil entries
+                  mean the allocation is free. For non-nil entries at index i, the
+                  index is the ordinal of the allocation within this block and the
+                  value is the index of the associated attributes in the Attributes
+                  array.
+                items:
+                  type: integer
+                  # TODO: This nullable is manually added in. We should update controller-gen
+                  # to handle []*int properly itself.
+                  nullable: true
+                type: array
+              attributes:
+                description: Attributes is an array of arbitrary metadata associated
+                  with allocations in the block. To find attributes for a given allocation,
+                  use the value of the allocation's entry in the Allocations array
+                  as the index of the element in this array.
+                items:
+                  properties:
+                    handle_id:
+                      type: string
+                    secondary:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
+                type: array
+              cidr:
+                description: The block's CIDR.
+                type: string
+              deleted:
+                description: Deleted is an internal boolean used to workaround a limitation
+                  in the Kubernetes API whereby deletion will not return a conflict
+                  error if the block has been updated. It should not be set manually.
+                type: boolean
+              sequenceNumber:
+                default: 0
+                description: We store a sequence number that is updated each time
+                  the block is written. Each allocation will also store the sequence
+                  number of the block at the time of its creation. When releasing
+                  an IP, passing the sequence number associated with the allocation
+                  allows us to protect against a race condition and ensure the IP
+                  hasn't been released and re-allocated since the release request.
+                format: int64
+                type: integer
+              sequenceNumberForAllocation:
+                additionalProperties:
+                  format: int64
+                  type: integer
+                description: Map of allocated ordinal within the block to sequence
+                  number of the block at the time of allocation. Kubernetes does not
+                  allow numerical keys for maps, so the key is cast to a string.
+                type: object
+              strictAffinity:
+                description: StrictAffinity on the IPAMBlock is deprecated and no
+                  longer used by the code. Use IPAMConfig StrictAffinity instead.
+                type: boolean
+              unallocated:
+                description: Unallocated is an ordered list of allocations which are
+                  free in the block.
+                items:
+                  type: integer
+                type: array
+            required:
+            - allocations
+            - attributes
+            - cidr
+            - strictAffinity
+            - unallocated
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamconfigs.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: IPAMConfig
+    listKind: IPAMConfigList
+    plural: ipamconfigs
+    singular: ipamconfig
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPAMConfigSpec contains the specification for an IPAMConfig
+              resource.
+            properties:
+              autoAllocateBlocks:
+                type: boolean
+              maxBlocksPerHost:
+                description: MaxBlocksPerHost, if non-zero, is the max number of blocks
+                  that can be affine to each host.
+                maximum: 2147483647
+                minimum: 0
+                type: integer
+              strictAffinity:
+                type: boolean
+            required:
+            - autoAllocateBlocks
+            - strictAffinity
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: ipamhandles.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: IPAMHandle
+    listKind: IPAMHandleList
+    plural: ipamhandles
+    singular: ipamhandle
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPAMHandleSpec contains the specification for an IPAMHandle
+              resource.
+            properties:
+              block:
+                additionalProperties:
+                  type: integer
+                type: object
+              deleted:
+                type: boolean
+              handleID:
+                type: string
+            required:
+            - block
+            - handleID
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: ippools.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: IPPool
+    listKind: IPPoolList
+    plural: ippools
+    singular: ippool
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPPoolSpec contains the specification for an IPPool resource.
+            properties:
+              allowedUses:
+                description: AllowedUse controls what the IP pool will be used for.  If
+                  not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility
+                items:
+                  type: string
+                type: array
+              blockSize:
+                description: The block size to use for IP address assignments from
+                  this pool. Defaults to 26 for IPv4 and 122 for IPv6.
+                type: integer
+              cidr:
+                description: The pool CIDR.
+                type: string
+              disableBGPExport:
+                description: 'Disable exporting routes from this IP Pool''s CIDR over
+                  BGP. [Default: false]'
+                type: boolean
+              disabled:
+                description: When disabled is true, Calico IPAM will not assign addresses
+                  from this pool.
+                type: boolean
+              ipip:
+                description: 'Deprecated: this field is only used for APIv1 backwards
+                  compatibility. Setting this field is not allowed, this field is
+                  for internal use only.'
+                properties:
+                  enabled:
+                    description: When enabled is true, ipip tunneling will be used
+                      to deliver packets to destinations within this pool.
+                    type: boolean
+                  mode:
+                    description: The IPIP mode.  This can be one of "always" or "cross-subnet".  A
+                      mode of "always" will also use IPIP tunneling for routing to
+                      destination IP addresses within this pool.  A mode of "cross-subnet"
+                      will only use IPIP tunneling when the destination node is on
+                      a different subnet to the originating node.  The default value
+                      (if not specified) is "always".
+                    type: string
+                type: object
+              ipipMode:
+                description: Contains configuration for IPIP tunneling for this pool.
+                  If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
+                  is disabled).
+                type: string
+              nat-outgoing:
+                description: 'Deprecated: this field is only used for APIv1 backwards
+                  compatibility. Setting this field is not allowed, this field is
+                  for internal use only.'
+                type: boolean
+              natOutgoing:
+                description: When natOutgoing is true, packets sent from Calico networked
+                  containers in this pool to destinations outside of this pool will
+                  be masqueraded.
+                type: boolean
+              nodeSelector:
+                description: Allows IPPool to allocate for a specific node by label
+                  selector.
+                type: string
+              vxlanMode:
+                description: Contains configuration for VXLAN tunneling for this pool.
+                  If not specified, then this is defaulted to "Never" (i.e. VXLAN
+                  tunneling is disabled).
+                type: string
+            required:
+            - cidr
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: (devel)
+  creationTimestamp: null
+  name: ipreservations.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: IPReservation
+    listKind: IPReservationList
+    plural: ipreservations
+    singular: ipreservation
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPReservationSpec contains the specification for an IPReservation
+              resource.
+            properties:
+              reservedCIDRs:
+                description: ReservedCIDRs is a list of CIDRs and/or IP addresses
+                  that Calico IPAM will exclude from new allocations.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kubecontrollersconfigurations.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: KubeControllersConfiguration
+    listKind: KubeControllersConfigurationList
+    plural: kubecontrollersconfigurations
+    singular: kubecontrollersconfiguration
+  preserveUnknownFields: false
+  scope: Cluster
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KubeControllersConfigurationSpec contains the values of the
+              Kubernetes controllers configuration.
+            properties:
+              controllers:
+                description: Controllers enables and configures individual Kubernetes
+                  controllers
+                properties:
+                  namespace:
+                    description: Namespace enables and configures the namespace controller.
+                      Enabled by default, set to nil to disable.
+                    properties:
+                      reconcilerPeriod:
+                        description: 'ReconcilerPeriod is the period to perform reconciliation
+                          with the Calico datastore. [Default: 5m]'
+                        type: string
+                    type: object
+                  node:
+                    description: Node enables and configures the node controller.
+                      Enabled by default, set to nil to disable.
+                    properties:
+                      hostEndpoint:
+                        description: HostEndpoint controls syncing nodes to host endpoints.
+                          Disabled by default, set to nil to disable.
+                        properties:
+                          autoCreate:
+                            description: 'AutoCreate enables automatic creation of
+                              host endpoints for every node. [Default: Disabled]'
+                            type: string
+                        type: object
+                      leakGracePeriod:
+                        description: 'LeakGracePeriod is the period used by the controller
+                          to determine if an IP address has been leaked. Set to 0
+                          to disable IP garbage collection. [Default: 15m]'
+                        type: string
+                      reconcilerPeriod:
+                        description: 'ReconcilerPeriod is the period to perform reconciliation
+                          with the Calico datastore. [Default: 5m]'
+                        type: string
+                      syncLabels:
+                        description: 'SyncLabels controls whether to copy Kubernetes
+                          node labels to Calico nodes. [Default: Enabled]'
+                        type: string
+                    type: object
+                  policy:
+                    description: Policy enables and configures the policy controller.
+                      Enabled by default, set to nil to disable.
+                    properties:
+                      reconcilerPeriod:
+                        description: 'ReconcilerPeriod is the period to perform reconciliation
+                          with the Calico datastore. [Default: 5m]'
+                        type: string
+                    type: object
+                  serviceAccount:
+                    description: ServiceAccount enables and configures the service
+                      account controller. Enabled by default, set to nil to disable.
+                    properties:
+                      reconcilerPeriod:
+                        description: 'ReconcilerPeriod is the period to perform reconciliation
+                          with the Calico datastore. [Default: 5m]'
+                        type: string
+                    type: object
+                  workloadEndpoint:
+                    description: WorkloadEndpoint enables and configures the workload
+                      endpoint controller. Enabled by default, set to nil to disable.
+                    properties:
+                      reconcilerPeriod:
+                        description: 'ReconcilerPeriod is the period to perform reconciliation
+                          with the Calico datastore. [Default: 5m]'
+                        type: string
+                    type: object
+                type: object
+              debugProfilePort:
+                description: DebugProfilePort configures the port to serve memory
+                  and cpu profiles on. If not specified, profiling is disabled.
+                format: int32
+                type: integer
+              etcdV3CompactionPeriod:
+                description: 'EtcdV3CompactionPeriod is the period between etcdv3
+                  compaction requests. Set to 0 to disable. [Default: 10m]'
+                type: string
+              healthChecks:
+                description: 'HealthChecks enables or disables support for health
+                  checks [Default: Enabled]'
+                type: string
+              logSeverityScreen:
+                description: 'LogSeverityScreen is the log severity above which logs
+                  are sent to the stdout. [Default: Info]'
+                type: string
+              prometheusMetricsPort:
+                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+                  metrics server should bind to. Set to 0 to disable. [Default: 9094]'
+                type: integer
+            required:
+            - controllers
+            type: object
+          status:
+            description: KubeControllersConfigurationStatus represents the status
+              of the configuration. It's useful for admins to be able to see the actual
+              config that was applied, which can be modified by environment variables
+              on the kube-controllers process.
+            properties:
+              environmentVars:
+                additionalProperties:
+                  type: string
+                description: EnvironmentVars contains the environment variables on
+                  the kube-controllers that influenced the RunningConfig.
+                type: object
+              runningConfig:
+                description: RunningConfig contains the effective config that is running
+                  in the kube-controllers pod, after merging the API resource with
+                  any environment variables.
+                properties:
+                  controllers:
+                    description: Controllers enables and configures individual Kubernetes
+                      controllers
+                    properties:
+                      namespace:
+                        description: Namespace enables and configures the namespace
+                          controller. Enabled by default, set to nil to disable.
+                        properties:
+                          reconcilerPeriod:
+                            description: 'ReconcilerPeriod is the period to perform
+                              reconciliation with the Calico datastore. [Default:
+                              5m]'
+                            type: string
+                        type: object
+                      node:
+                        description: Node enables and configures the node controller.
+                          Enabled by default, set to nil to disable.
+                        properties:
+                          hostEndpoint:
+                            description: HostEndpoint controls syncing nodes to host
+                              endpoints. Disabled by default, set to nil to disable.
+                            properties:
+                              autoCreate:
+                                description: 'AutoCreate enables automatic creation
+                                  of host endpoints for every node. [Default: Disabled]'
+                                type: string
+                            type: object
+                          leakGracePeriod:
+                            description: 'LeakGracePeriod is the period used by the
+                              controller to determine if an IP address has been leaked.
+                              Set to 0 to disable IP garbage collection. [Default:
+                              15m]'
+                            type: string
+                          reconcilerPeriod:
+                            description: 'ReconcilerPeriod is the period to perform
+                              reconciliation with the Calico datastore. [Default:
+                              5m]'
+                            type: string
+                          syncLabels:
+                            description: 'SyncLabels controls whether to copy Kubernetes
+                              node labels to Calico nodes. [Default: Enabled]'
+                            type: string
+                        type: object
+                      policy:
+                        description: Policy enables and configures the policy controller.
+                          Enabled by default, set to nil to disable.
+                        properties:
+                          reconcilerPeriod:
+                            description: 'ReconcilerPeriod is the period to perform
+                              reconciliation with the Calico datastore. [Default:
+                              5m]'
+                            type: string
+                        type: object
+                      serviceAccount:
+                        description: ServiceAccount enables and configures the service
+                          account controller. Enabled by default, set to nil to disable.
+                        properties:
+                          reconcilerPeriod:
+                            description: 'ReconcilerPeriod is the period to perform
+                              reconciliation with the Calico datastore. [Default:
+                              5m]'
+                            type: string
+                        type: object
+                      workloadEndpoint:
+                        description: WorkloadEndpoint enables and configures the workload
+                          endpoint controller. Enabled by default, set to nil to disable.
+                        properties:
+                          reconcilerPeriod:
+                            description: 'ReconcilerPeriod is the period to perform
+                              reconciliation with the Calico datastore. [Default:
+                              5m]'
+                            type: string
+                        type: object
+                    type: object
+                  debugProfilePort:
+                    description: DebugProfilePort configures the port to serve memory
+                      and cpu profiles on. If not specified, profiling is disabled.
+                    format: int32
+                    type: integer
+                  etcdV3CompactionPeriod:
+                    description: 'EtcdV3CompactionPeriod is the period between etcdv3
+                      compaction requests. Set to 0 to disable. [Default: 10m]'
+                    type: string
+                  healthChecks:
+                    description: 'HealthChecks enables or disables support for health
+                      checks [Default: Enabled]'
+                    type: string
+                  logSeverityScreen:
+                    description: 'LogSeverityScreen is the log severity above which
+                      logs are sent to the stdout. [Default: Info]'
+                    type: string
+                  prometheusMetricsPort:
+                    description: 'PrometheusMetricsPort is the TCP port that the Prometheus
+                      metrics server should bind to. Set to 0 to disable. [Default:
+                      9094]'
+                    type: integer
+                required:
+                - controllers
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicies.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: NetworkPolicy
+    listKind: NetworkPolicyList
+    plural: networkpolicies
+    singular: networkpolicy
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              egress:
+                description: The ordered set of egress rules.  Each rule contains
+                  a set of packet match criteria and a corresponding action to apply.
+                items:
+                  description: "A Rule encapsulates a set of match criteria and an
+                    action.  Both selector-based security Policy and security Profiles
+                    reference rules - separated out as a list of rules for both ingress
+                    and egress packet matching. \n Each positive match criteria has
+                    a negated version, prefixed with \"Not\". All the match criteria
+                    within a rule must be satisfied for a packet to match. A single
+                    rule can contain the positive and negative version of a match
+                    and both must be satisfied for the rule to match."
+                  properties:
+                    action:
+                      type: string
+                    destination:
+                      description: Destination contains the match criteria that apply
+                        to destination entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                    http:
+                      description: HTTP contains match criteria that apply to HTTP
+                        requests.
+                      properties:
+                        methods:
+                          description: Methods is an optional field that restricts
+                            the rule to apply only to HTTP requests that use one of
+                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
+                            methods are OR'd together.
+                          items:
+                            type: string
+                          type: array
+                        paths:
+                          description: 'Paths is an optional field that restricts
+                            the rule to apply to HTTP requests that use one of the
+                            listed HTTP Paths. Multiple paths are OR''d together.
+                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
+                            ONLY specify either a `exact` or a `prefix` match. The
+                            validator will check for it.'
+                          items:
+                            description: 'HTTPPath specifies an HTTP path to match.
+                              It may be either of the form: exact: <path>: which matches
+                              the path exactly or prefix: <path-prefix>: which matches
+                              the path prefix'
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    icmp:
+                      description: ICMP is an optional field that restricts the rule
+                        to apply to a specific type and code of ICMP traffic.  This
+                        should only be specified if the Protocol field is set to "ICMP"
+                        or "ICMPv6".
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    ipVersion:
+                      description: IPVersion is an optional field that restricts the
+                        rule to only match a specific IP version.
+                      type: integer
+                    metadata:
+                      description: Metadata contains additional information for this
+                        rule
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          description: Annotations is a set of key value pairs that
+                            give extra information about the rule
+                          type: object
+                      type: object
+                    notICMP:
+                      description: NotICMP is the negated version of the ICMP field.
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    notProtocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: NotProtocol is the negated version of the Protocol
+                        field.
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    protocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: "Protocol is an optional field that restricts the
+                        rule to only apply to traffic of a specific IP protocol. Required
+                        if any of the EntityRules contain Ports (because ports only
+                        apply to certain protocols). \n Must be one of these string
+                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
+                        \"UDPLite\" or an integer in the range 1-255."
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    source:
+                      description: Source contains the match criteria that apply to
+                        source entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                  required:
+                  - action
+                  type: object
+                type: array
+              ingress:
+                description: The ordered set of ingress rules.  Each rule contains
+                  a set of packet match criteria and a corresponding action to apply.
+                items:
+                  description: "A Rule encapsulates a set of match criteria and an
+                    action.  Both selector-based security Policy and security Profiles
+                    reference rules - separated out as a list of rules for both ingress
+                    and egress packet matching. \n Each positive match criteria has
+                    a negated version, prefixed with \"Not\". All the match criteria
+                    within a rule must be satisfied for a packet to match. A single
+                    rule can contain the positive and negative version of a match
+                    and both must be satisfied for the rule to match."
+                  properties:
+                    action:
+                      type: string
+                    destination:
+                      description: Destination contains the match criteria that apply
+                        to destination entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                    http:
+                      description: HTTP contains match criteria that apply to HTTP
+                        requests.
+                      properties:
+                        methods:
+                          description: Methods is an optional field that restricts
+                            the rule to apply only to HTTP requests that use one of
+                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
+                            methods are OR'd together.
+                          items:
+                            type: string
+                          type: array
+                        paths:
+                          description: 'Paths is an optional field that restricts
+                            the rule to apply to HTTP requests that use one of the
+                            listed HTTP Paths. Multiple paths are OR''d together.
+                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
+                            ONLY specify either a `exact` or a `prefix` match. The
+                            validator will check for it.'
+                          items:
+                            description: 'HTTPPath specifies an HTTP path to match.
+                              It may be either of the form: exact: <path>: which matches
+                              the path exactly or prefix: <path-prefix>: which matches
+                              the path prefix'
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    icmp:
+                      description: ICMP is an optional field that restricts the rule
+                        to apply to a specific type and code of ICMP traffic.  This
+                        should only be specified if the Protocol field is set to "ICMP"
+                        or "ICMPv6".
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    ipVersion:
+                      description: IPVersion is an optional field that restricts the
+                        rule to only match a specific IP version.
+                      type: integer
+                    metadata:
+                      description: Metadata contains additional information for this
+                        rule
+                      properties:
+                        annotations:
+                          additionalProperties:
+                            type: string
+                          description: Annotations is a set of key value pairs that
+                            give extra information about the rule
+                          type: object
+                      type: object
+                    notICMP:
+                      description: NotICMP is the negated version of the ICMP field.
+                      properties:
+                        code:
+                          description: Match on a specific ICMP code.  If specified,
+                            the Type value must also be specified. This is a technical
+                            limitation imposed by the kernel's iptables firewall,
+                            which Calico uses to enforce the rule.
+                          type: integer
+                        type:
+                          description: Match on a specific ICMP type.  For example
+                            a value of 8 refers to ICMP Echo Request (i.e. pings).
+                          type: integer
+                      type: object
+                    notProtocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: NotProtocol is the negated version of the Protocol
+                        field.
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    protocol:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: "Protocol is an optional field that restricts the
+                        rule to only apply to traffic of a specific IP protocol. Required
+                        if any of the EntityRules contain Ports (because ports only
+                        apply to certain protocols). \n Must be one of these string
+                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
+                        \"UDPLite\" or an integer in the range 1-255."
+                      pattern: ^.*
+                      x-kubernetes-int-or-string: true
+                    source:
+                      description: Source contains the match criteria that apply to
+                        source entity.
+                      properties:
+                        namespaceSelector:
+                          description: "NamespaceSelector is an optional field that
+                            contains a selector expression. Only traffic that originates
+                            from (or terminates at) endpoints within the selected
+                            namespaces will be matched. When both NamespaceSelector
+                            and another selector are defined on the same rule, then
+                            only workload endpoints that are matched by both selectors
+                            will be selected by the rule. \n For NetworkPolicy, an
+                            empty NamespaceSelector implies that the Selector is limited
+                            to selecting only workload endpoints in the same namespace
+                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
+                            NamespaceSelector implies that the Selector is limited
+                            to selecting only GlobalNetworkSet or HostEndpoint. \n
+                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
+                            the Selector applies to workload endpoints across all
+                            namespaces."
+                          type: string
+                        nets:
+                          description: Nets is an optional field that restricts the
+                            rule to only apply to traffic that originates from (or
+                            terminates at) IP addresses in any of the given subnets.
+                          items:
+                            type: string
+                          type: array
+                        notNets:
+                          description: NotNets is the negated version of the Nets
+                            field.
+                          items:
+                            type: string
+                          type: array
+                        notPorts:
+                          description: NotPorts is the negated version of the Ports
+                            field. Since only some protocols have ports, if any ports
+                            are specified it requires the Protocol match in the Rule
+                            to be set to "TCP" or "UDP".
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        notSelector:
+                          description: NotSelector is the negated version of the Selector
+                            field.  See Selector field for subtleties with negated
+                            selectors.
+                          type: string
+                        ports:
+                          description: "Ports is an optional field that restricts
+                            the rule to only apply to traffic that has a source (destination)
+                            port that matches one of these ranges/values. This value
+                            is a list of integers or strings that represent ranges
+                            of ports. \n Since only some protocols have ports, if
+                            any ports are specified it requires the Protocol match
+                            in the Rule to be set to \"TCP\" or \"UDP\"."
+                          items:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            pattern: ^.*
+                            x-kubernetes-int-or-string: true
+                          type: array
+                        selector:
+                          description: "Selector is an optional field that contains
+                            a selector expression (see Policy for sample syntax).
+                            \ Only traffic that originates from (terminates at) endpoints
+                            matching the selector will be matched. \n Note that: in
+                            addition to the negated version of the Selector (see NotSelector
+                            below), the selector expression syntax itself supports
+                            negation.  The two types of negation are subtly different.
+                            One negates the set of matched endpoints, the other negates
+                            the whole match: \n \tSelector = \"!has(my_label)\" matches
+                            packets that are from other Calico-controlled \tendpoints
+                            that do not have the label \"my_label\". \n \tNotSelector
+                            = \"has(my_label)\" matches packets that are not from
+                            Calico-controlled \tendpoints that do have the label \"my_label\".
+                            \n The effect is that the latter will accept packets from
+                            non-Calico sources whereas the former is limited to packets
+                            from Calico-controlled endpoints."
+                          type: string
+                        serviceAccounts:
+                          description: ServiceAccounts is an optional field that restricts
+                            the rule to only apply to traffic that originates from
+                            (or terminates at) a pod running as a matching service
+                            account.
+                          properties:
+                            names:
+                              description: Names is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account whose name is in the list.
+                              items:
+                                type: string
+                              type: array
+                            selector:
+                              description: Selector is an optional field that restricts
+                                the rule to only apply to traffic that originates
+                                from (or terminates at) a pod running as a service
+                                account that matches the given label selector. If
+                                both Names and Selector are specified then they are
+                                AND'ed.
+                              type: string
+                          type: object
+                        services:
+                          description: "Services is an optional field that contains
+                            options for matching Kubernetes Services. If specified,
+                            only traffic that originates from or terminates at endpoints
+                            within the selected service(s) will be matched, and only
+                            to/from each endpoint's port. \n Services cannot be specified
+                            on the same rule as Selector, NotSelector, NamespaceSelector,
+                            Nets, NotNets or ServiceAccounts. \n Ports and NotPorts
+                            can only be specified with Services on ingress rules."
+                          properties:
+                            name:
+                              description: Name specifies the name of a Kubernetes
+                                Service to match.
+                              type: string
+                            namespace:
+                              description: Namespace specifies the namespace of the
+                                given Service. If left empty, the rule will match
+                                within this policy's namespace.
+                              type: string
+                          type: object
+                      type: object
+                  required:
+                  - action
+                  type: object
+                type: array
+              order:
+                description: Order is an optional field that specifies the order in
+                  which the policy is applied. Policies with higher "order" are applied
+                  after those with lower order.  If the order is omitted, it may be
+                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
+                  with identical order will be applied in alphanumerical order based
+                  on the Policy "Name".
+                type: number
+              performanceHints:
+                description: "PerformanceHints contains a list of hints to Calico's
+                  policy engine to help process the policy more efficiently.  Hints
+                  never change the enforcement behaviour of the policy. \n Currently,
+                  the only available hint is \"AssumeNeededOnEveryNode\".  When that
+                  hint is set on a policy, Felix will act as if the policy matches
+                  a local endpoint even if it does not. This is useful for \"preloading\"
+                  any large static policies that are known to be used on every node.
+                  If the policy is _not_ used on a particular node then the work done
+                  to preload the policy (and to maintain it) is wasted."
+                items:
+                  type: string
+                type: array
+              selector:
+                description: "The selector is an expression used to pick out the endpoints
+                  that the policy should be applied to. \n Selector expressions follow
+                  this syntax: \n \tlabel == \"string_literal\"  ->  comparison, e.g.
+                  my_label == \"foo bar\" \tlabel != \"string_literal\"   ->  not
+                  equal; also matches if label is not present \tlabel in { \"a\",
+                  \"b\", \"c\", ... }  ->  true if the value of label X is one of
+                  \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... }
+                  \ ->  true if the value of label X is not one of \"a\", \"b\", \"c\"
+                  \thas(label_name)  -> True if that label is present \t! expr ->
+                  negation of expr \texpr && expr  -> Short-circuit and \texpr ||
+                  expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
+                  or the empty selector -> matches all endpoints. \n Label names are
+                  allowed to contain alphanumerics, -, _ and /. String literals are
+                  more permissive but they do not support escape characters. \n Examples
+                  (with made-up labels): \n \ttype == \"webserver\" && deployment
+                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
+                  \"dev\" \t! has(label_name)"
+                type: string
+              serviceAccountSelector:
+                description: ServiceAccountSelector is an optional field for an expression
+                  used to select a pod based on service accounts.
+                type: string
+              types:
+                description: "Types indicates whether this policy applies to ingress,
+                  or to egress, or to both.  When not explicitly specified (and so
+                  the value on creation is empty or nil), Calico defaults Types according
+                  to what Ingress and Egress are present in the policy.  The default
+                  is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
+                  the case where there are   also no Ingress rules) \n - [ PolicyTypeEgress
+                  ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
+                  PolicyTypeEgress ], if there are both Ingress and Egress rules.
+                  \n When the policy is read back again, Types will always be one
+                  of these values, never empty or nil."
+                items:
+                  description: PolicyType enumerates the possible values of the PolicySpec
+                    Types field.
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/kdd-crds.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: networksets.crd.projectcalico.org
+spec:
+  group: crd.projectcalico.org
+  names:
+    kind: NetworkSet
+    listKind: NetworkSetList
+    plural: networksets
+    singular: networkset
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: NetworkSetSpec contains the specification for a NetworkSet
+              resource.
+            properties:
+              nets:
+                description: The list of IP networks that belong to this set.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# Source: calico/templates/calico-kube-controllers-rbac.yaml
+# Include a clusterrole for the kube-controllers component,
+# and bind it to the calico-kube-controllers serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+rules:
+  # Nodes are watched to monitor for deletions.
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - watch
+      - list
+      - get
+  # Pods are watched to check for existence as part of IPAM controller.
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipreservations
+    verbs:
+      - list
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - watch
+  # Pools are watched to maintain a mapping of blocks to IP pools.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ippools
+    verbs:
+      - list
+      - watch
+  # kube-controllers manages hostendpoints.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - hostendpoints
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  # Needs access to update clusterinformations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - clusterinformations
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - watch
+  # KubeControllersConfiguration is where it gets its config
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - kubecontrollersconfigurations
+    verbs:
+      # read its own config
+      - get
+      # create a default if none exists
+      - create
+      # update status
+      - update
+      # watch for changes
+      - watch
+---
+# Source: calico/templates/calico-node-rbac.yaml
+# Include a clusterrole for the calico-node DaemonSet,
+# and bind it to the calico-node serviceaccount.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-node
+rules:
+  # Used for creating service account tokens to be used by the CNI plugin
+  - apiGroups: [""]
+    resources:
+      - serviceaccounts/token
+    resourceNames:
+      - calico-cni-plugin
+    verbs:
+      - create
+  # The CNI plugin needs to get pods, nodes, and namespaces.
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+  # EndpointSlices are used for Service-based network policy rule
+  # enforcement.
+  - apiGroups: ["discovery.k8s.io"]
+    resources:
+      - endpointslices
+    verbs:
+      - watch
+      - list
+  - apiGroups: [""]
+    resources:
+      - endpoints
+      - services
+    verbs:
+      # Used to discover service IPs for advertisement.
+      - watch
+      - list
+      # Used to discover Typhas.
+      - get
+  # Pod CIDR auto-detection on kubeadm needs access to config maps.
+  - apiGroups: [""]
+    resources:
+      - configmaps
+    verbs:
+      - get
+  - apiGroups: [""]
+    resources:
+      - nodes/status
+    verbs:
+      # Needed for clearing NodeNetworkUnavailable flag.
+      - patch
+      # Calico stores some configuration information in node annotations.
+      - update
+  # Watch for changes to Kubernetes NetworkPolicies.
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+  # Used by Calico for policy information.
+  - apiGroups: [""]
+    resources:
+      - pods
+      - namespaces
+      - serviceaccounts
+    verbs:
+      - list
+      - watch
+  # The CNI plugin patches pods/status.
+  - apiGroups: [""]
+    resources:
+      - pods/status
+    verbs:
+      - patch
+  # Calico monitors various CRDs for config.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - globalfelixconfigs
+      - felixconfigurations
+      - bgppeers
+      - bgpfilters
+      - globalbgpconfigs
+      - bgpconfigurations
+      - ippools
+      - ipreservations
+      - ipamblocks
+      - globalnetworkpolicies
+      - globalnetworksets
+      - networkpolicies
+      - networksets
+      - clusterinformations
+      - hostendpoints
+      - blockaffinities
+      - caliconodestatuses
+    verbs:
+      - get
+      - list
+      - watch
+  # Calico must create and update some CRDs on startup.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ippools
+      - felixconfigurations
+      - clusterinformations
+    verbs:
+      - create
+      - update
+  # Calico must update some CRDs.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - caliconodestatuses
+    verbs:
+      - update
+  # Calico stores some configuration information on the node.
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  # These permissions are only required for upgrade from v2.6, and can
+  # be removed after upgrade or on fresh installations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - bgpconfigurations
+      - bgppeers
+    verbs:
+      - create
+      - update
+  # These permissions are required for Calico CNI to perform IPAM allocations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  # The CNI plugin and calico/node need to be able to create a default
+  # IPAMConfiguration
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipamconfigs
+    verbs:
+      - get
+      - create
+  # Block affinities must also be watchable by confd for route aggregation.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+    verbs:
+      - watch
+  # The Calico IPAM migration needs to get daemonsets. These permissions can be
+  # removed if not upgrading from an installation using host-local IPAM.
+  - apiGroups: ["apps"]
+    resources:
+      - daemonsets
+    verbs:
+      - get
+---
+# Source: calico/templates/calico-node-rbac.yaml
+# CNI cluster role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-cni-plugin
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+  - apiGroups: [""]
+    resources:
+      - pods/status
+    verbs:
+      - patch
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+      - clusterinformations
+      - ippools
+      - ipreservations
+      - ipamconfigs
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+---
+# Source: calico/templates/calico-kube-controllers-rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system
+---
+# Source: calico/templates/calico-node-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: ServiceAccount
+  name: calico-node
+  namespace: kube-system
+---
+# Source: calico/templates/calico-node-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-cni-plugin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+  name: calico-cni-plugin
+  namespace: kube-system
+---
+# Source: calico/templates/calico-node.yaml
+# This manifest installs the calico-node container, as well
+# as the CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: calico-node
+  namespace: kube-system
+  labels:
+    k8s-app: calico-node
+spec:
+  selector:
+    matchLabels:
+      k8s-app: calico-node
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: calico-node
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      hostNetwork: true
+      tolerations:
+        # Make sure calico-node gets scheduled on all nodes.
+        - effect: NoSchedule
+          operator: Exists
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      serviceAccountName: calico-node
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 0
+      priorityClassName: system-node-critical
+      initContainers:
+        # This container performs upgrade from host-local IPAM to calico-ipam.
+        # It can be deleted if this is a fresh installation, or if you have already
+        # upgraded to use calico-ipam.
+        - name: upgrade-ipam
+          image: docker.io/calico/cni:v3.28.0
+          imagePullPolicy: IfNotPresent
+          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
+          envFrom:
+          - configMapRef:
+              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+              name: kubernetes-services-endpoint
+              optional: true
+          env:
+            - name: KUBERNETES_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
+          volumeMounts:
+            - mountPath: /var/lib/cni/networks
+              name: host-local-net-dir
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+          securityContext:
+            privileged: true
+        # This container installs the CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+          image: docker.io/calico/cni:v3.28.0
+          imagePullPolicy: IfNotPresent
+          command: ["/opt/cni/bin/install"]
+          envFrom:
+          - configMapRef:
+              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+              name: kubernetes-services-endpoint
+              optional: true
+          env:
+            # Name of the CNI config file to create.
+            - name: CNI_CONF_NAME
+              value: "10-calico.conflist"
+            # The CNI network config to install on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: cni_network_config
+            # Set the hostname based on the k8s node name.
+            - name: KUBERNETES_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # CNI MTU Config variable
+            - name: CNI_MTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # Prevents the container from sleeping forever.
+            - name: SLEEP
+              value: "false"
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+          securityContext:
+            privileged: true
+        # This init container mounts the necessary filesystems needed by the BPF data plane
+        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
+        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
+        - name: "mount-bpffs"
+          image: docker.io/calico/node:v3.28.0
+          imagePullPolicy: IfNotPresent
+          command: ["calico-node", "-init", "-best-effort"]
+          volumeMounts:
+            - mountPath: /sys/fs
+              name: sys-fs
+              # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host
+              # so that it outlives the init container.
+              mountPropagation: Bidirectional
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host
+              # so that it outlives the init container.
+              mountPropagation: Bidirectional
+            # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary,
+            # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly.
+            - mountPath: /nodeproc
+              name: nodeproc
+              readOnly: true
+          securityContext:
+            privileged: true
+      containers:
+        # Runs calico-node container on each Kubernetes node. This
+        # container programs network policy and routes on each
+        # host.
+        - name: calico-node
+          image: docker.io/calico/node:v3.28.0
+          imagePullPolicy: IfNotPresent
+          envFrom:
+          - configMapRef:
+              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+              name: kubernetes-services-endpoint
+              optional: true
+          env:
+            # Use Kubernetes API as the backing datastore.
+            - name: DATASTORE_TYPE
+              value: "kubernetes"
+            # Wait for the datastore.
+            - name: WAIT_FOR_DATASTORE
+              value: "true"
+            # Set based on the k8s node name.
+            - name: NODENAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # Choose the backend to use.
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
+            # Cluster type to identify the deployment type
+            - name: CLUSTER_TYPE
+              value: "k8s,bgp"
+            # Auto-detect the BGP IP address.
+            - name: IP
+              value: "autodetect"
+            # Enable IPIP
+            - name: CALICO_IPV4POOL_IPIP
+              value: "Always"
+            # Enable or Disable VXLAN on the default IP pool.
+            - name: CALICO_IPV4POOL_VXLAN
+              value: "Never"
+            # Enable or Disable VXLAN on the default IPv6 IP pool.
+            - name: CALICO_IPV6POOL_VXLAN
+              value: "Never"
+            # Set MTU for tunnel device used if ipip is enabled
+            - name: FELIX_IPINIPMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # Set MTU for the VXLAN tunnel device.
+            - name: FELIX_VXLANMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # Set MTU for the Wireguard tunnel device.
+            - name: FELIX_WIREGUARDMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+            # chosen from this range. Changing this value after installation will have
+            # no effect. This should fall within `--cluster-cidr`.
+            # - name: CALICO_IPV4POOL_CIDR
+            #   value: "192.168.0.0/16"
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # Set Felix endpoint to host default action to ACCEPT.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
+            # Disable IPv6 on Kubernetes.
+            - name: FELIX_IPV6SUPPORT
+              value: "false"
+            - name: FELIX_HEALTHENABLED
+              value: "true"
+          securityContext:
+            privileged: true
+          resources:
+            requests:
+              cpu: 250m
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - /bin/calico-node
+                - -shutdown
+          livenessProbe:
+            exec:
+              command:
+              - /bin/calico-node
+              - -felix-live
+              - -bird-live
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
+            timeoutSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+              - /bin/calico-node
+              - -felix-ready
+              - -bird-ready
+            periodSeconds: 10
+            timeoutSeconds: 10
+          volumeMounts:
+            # For maintaining CNI plugin API credentials.
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+              readOnly: false
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+              readOnly: false
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              readOnly: false
+            - mountPath: /var/lib/calico
+              name: var-lib-calico
+              readOnly: false
+            - name: policysync
+              mountPath: /var/run/nodeagent
+            # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
+            # parent directory.
+            - name: bpffs
+              mountPath: /sys/fs/bpf
+            - name: cni-log-dir
+              mountPath: /var/log/calico/cni
+              readOnly: true
+      volumes:
+        # Used by calico-node.
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: var-run-calico
+          hostPath:
+            path: /var/run/calico
+        - name: var-lib-calico
+          hostPath:
+            path: /var/lib/calico
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+        - name: sys-fs
+          hostPath:
+            path: /sys/fs/
+            type: DirectoryOrCreate
+        - name: bpffs
+          hostPath:
+            path: /sys/fs/bpf
+            type: Directory
+        # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs.
+        - name: nodeproc
+          hostPath:
+            path: /proc
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-net-dir
+          hostPath:
+            path: /etc/cni/net.d
+        # Used to access CNI logs.
+        - name: cni-log-dir
+          hostPath:
+            path: /var/log/calico/cni
+        # Mount in the directory for host-local IPAM allocations. This is
+        # used when upgrading from host-local to calico-ipam, and can be removed
+        # if not using the upgrade-ipam init container.
+        - name: host-local-net-dir
+          hostPath:
+            path: /var/lib/cni/networks
+        # Used to create per-pod Unix Domain Sockets
+        - name: policysync
+          hostPath:
+            type: DirectoryOrCreate
+            path: /var/run/nodeagent
+---
+# Source: calico/templates/calico-kube-controllers.yaml
+# See https://github.com/projectcalico/kube-controllers
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+spec:
+  # The controllers can only have a single active instance.
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: calico-kube-controllers
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+    spec:
+      nodeSelector:
+        kubernetes.io/os: linux
+      tolerations:
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+      serviceAccountName: calico-kube-controllers
+      priorityClassName: system-cluster-critical
+      containers:
+        - name: calico-kube-controllers
+          image: docker.io/calico/kube-controllers:v3.28.0
+          imagePullPolicy: IfNotPresent
+          env:
+            # Choose which controllers to run.
+            - name: ENABLED_CONTROLLERS
+              value: node
+            - name: DATASTORE_TYPE
+              value: kubernetes
+          livenessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -l
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
+            timeoutSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -r
+            periodSeconds: 10
diff --git a/cesnet-central/playbooks/files/etc/ansible/facts.d/helm_repos.fact b/common/playbooks/files/etc/ansible/facts.d/helm_repos.fact
similarity index 100%
rename from cesnet-central/playbooks/files/etc/ansible/facts.d/helm_repos.fact
rename to common/playbooks/files/etc/ansible/facts.d/helm_repos.fact
diff --git a/cesnet-central/playbooks/files/etc/profile.d/k8s-cheats.sh b/common/playbooks/files/etc/profile.d/k8s-cheats.sh
similarity index 100%
rename from cesnet-central/playbooks/files/etc/profile.d/k8s-cheats.sh
rename to common/playbooks/files/etc/profile.d/k8s-cheats.sh
diff --git a/cesnet-central/playbooks/files/usr/local/bin/k8s-pods-cleaner.sh b/common/playbooks/files/usr/local/bin/k8s-pods-cleaner.sh
similarity index 100%
rename from cesnet-central/playbooks/files/usr/local/bin/k8s-pods-cleaner.sh
rename to common/playbooks/files/usr/local/bin/k8s-pods-cleaner.sh
diff --git a/cesnet-central/playbooks/files/usr/local/bin/xfs-quotas.sh b/common/playbooks/files/usr/local/bin/xfs-quotas.sh
similarity index 100%
rename from cesnet-central/playbooks/files/usr/local/bin/xfs-quotas.sh
rename to common/playbooks/files/usr/local/bin/xfs-quotas.sh
diff --git a/cesnet-central/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
similarity index 100%
rename from cesnet-central/playbooks/k8s.yaml
rename to common/playbooks/k8s.yaml
diff --git a/common/playbooks/notebooks.yaml b/common/playbooks/notebooks.yaml
new file mode 100644
index 0000000..0c432cd
--- /dev/null
+++ b/common/playbooks/notebooks.yaml
@@ -0,0 +1,154 @@
+---
+- name: Notebooks deployments
+  hosts: master
+  become: true
+  tasks:
+    - name: Configure helm repo
+      shell: |-
+        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
+        helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
+        helm repo update
+      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or
+             'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"
+    - name: Get Secrets from Vault for notebooks
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+      set_fact:
+        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name,
+          token_validate=false)}) }}"
+      with_fileglob:
+        - "../deployments/*.yaml"
+    - name: Debug Deployments Secrets
+      debug:
+        msg: "{{ item.key }} = {{ item.value }}"
+      loop: "{{ secrets | dict2items }}"
+    - name: Copy config file to master
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+        secret: "{{ secrets[name] }}"
+      template:
+        src: "{{ item }}"
+        dest: "/tmp/{{ item | basename }}"
+        mode: 0600
+      with_fileglob:
+        - "../deployments/*.yaml"
+    - name: Deploy/upgrade notebook instance
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+        version: "3.2.1" # app 4.0.2 (2023-11-27)
+        monitor_version: "0.3.1"
+      shell: |-
+        helm status --namespace {{ name }} {{ name }}
+        if [ $? -ne 0 ]; then
+            helm install --create-namespace --namespace {{ name }} \
+                -f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
+                 {{ name }} jupyterhub/jupyterhub
+        else
+            helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
+                --namespace {{ name }} {{ name }} jupyterhub/jupyterhub
+        fi
+        helm status --namespace {{ name }} {{ name }}-monitor
+        if [ $? -ne 0 ]; then
+            helm install --namespace {{ name }} \
+                -f /tmp/{{ item | basename }} --version {{ monitor_version }} \
+                {{ name }}-monitor eginotebooks/notebooks-monitor
+        else
+            helm upgrade --version {{ monitor_version }} \
+                -f /tmp/{{ item | basename }} --namespace {{ name }} \
+                {{ name }}-monitor eginotebooks/notebooks-monitor
+        fi
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+      when: true
+      with_fileglob:
+        - "../deployments/*.yaml"
+
+    - name: Configure secrets management for the hub
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+      shell: |-
+        kubectl apply -f - << EOF
+        ---
+        kind: Role
+        apiVersion: rbac.authorization.k8s.io/v1
+        metadata:
+          name: hub-secrets
+          namespace: {{ name }}
+        rules:
+          - apiGroups: [""]       # "" indicates the core API group
+            resources: ["secrets"]
+            verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
+        ---
+        kind: RoleBinding
+        apiVersion: rbac.authorization.k8s.io/v1
+        metadata:
+          name: hub-secrets
+          namespace: {{ name }}
+        subjects:
+          - kind: ServiceAccount
+            name: hub
+            namespace: {{ name }}
+        roleRef:
+          kind: Role
+          name: hub-secrets
+          apiGroup: rbac.authorization.k8s.io
+        EOF
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
+      when: true
+      with_fileglob:
+        - "../deployments/*.yaml"
+    # do the extra bits of configuration
+    # here we should have all the namespaces, pre-requirements in place
+    # XXX: this won't remove things that are delete from the directory
+    - name: Copy extra configuration files
+      copy:
+        src: "{{ item }}"
+        dest: "/tmp/{{ item | basename }}"
+        mode: 0600
+      with_fileglob:
+        - "../extra/*.yaml"
+    - name: Extra configuration
+      command: |-
+          kubectl apply -f /tmp/{{ item | basename }}
+      environment:
+        KUBECONFIG: /etc/kubernetes/admin.conf
+      with_fileglob:
+        - "../extra/*.yaml"
+      when: true
+    # Workaround for pods stuck in "Terminating" state
+    - name: K8s pods cleaner script
+      copy:
+        dest: /usr/local/bin/k8s-pods-cleaner.sh
+        src: files/usr/local/bin/k8s-pods-cleaner.sh
+        mode: preserve
+    # Workaround for pods stuck in "Terminating" state
+    - name: Regular cleanup of failed user notebooks pods
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+      cron:
+        cron_file: "notebooks-{{ name }}-cleaner"
+        name: "Notebooks {{ name }} cleanup"
+        minute: "*"
+        hour: "*"
+        job: "KUBECONFIG=$HOME/.kube/config /usr/local/bin/k8s-pods-cleaner.sh '{{ name }}' --yes >/dev/null 2>&1"
+        user: egi
+      with_fileglob:
+        - "../deployments/*.yaml"
+- hosts: nfs
+  become: true
+  tasks:
+    - name: Quota settings
+      vars:
+        name: "{{ item | basename | splitext | first }}"
+      cron:
+        cron_file: notebook-quotas
+        name: "{{ name }} quotas"
+        minute: "0"
+        hour: "*/2"
+        job: "/usr/local/bin/xfs-quotas.sh --include ^/exports/{{ name }}- --exclude ^/exports/{{ name }}-hub-db-dir-"
+        user: root
+      with_fileglob:
+        - "../deployments/*.yaml"
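Review bot: The `Debug Deployments Secrets` task prints every value fetched by the preceding `Get Secrets from Vault for notebooks` task into the playbook output, so deployment secrets end up in terminal scrollback and in any CI or log capture of the run. Either drop that task or mark it and the `set_fact` task with `no_log: true`; in verbose runs the `set_fact` result presumably echoes the whole `secrets` dict as well. The templated values files are left behind under `/tmp/` on the master after `helm install`/`helm upgrade`; a trailing `file:` task with `state: absent` over the same fileglob would remove them. The repeated `when: true` lines are no-ops and can be deleted.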
diff --git a/common/playbooks/squid.yaml b/common/playbooks/squid.yaml
new file mode 100644
index 0000000..8b2a996
--- /dev/null
+++ b/common/playbooks/squid.yaml
@@ -0,0 +1,49 @@
+---
+- name: Gather facts on all nodes
+  hosts: allnodes
+  become: true
+  tasks:
+    - name: Gather facts on the node
+      debug:
+        msg: "IPv4: {{ ansible_default_ipv4.address | default('') }}, IPv6: {{ ansible_default_ipv6.address | default('') }}"
+- name: Squid proxy deployment
+  hosts: ingress[0]
+  become: true
+  tasks:
+    - name: Install squid
+      package:
+        name: squid
+      # full-fledge restart needed to build cache
+      notify: Restart squid
+    # https://cvmfs.readthedocs.io/en/stable/cpt-squid.html
+    - name: Configure squid
+      lineinfile:
+        regexp: '^\s*{{ item.key }}\s+.*'
+        line: "{{ item.key }} {{ item.value }}"
+        path: /etc/squid/squid.conf
+      loop: "{{ config | dict2items }}"
+      vars:
+        config:
+          collapsed_forwarding: "on"
+          minimum_expiry_time: 0
+          maximum_object_size: 1024 MB
+          cache_mem: 128 MB
+          maximum_object_size_in_memory: 128 KB
+          cache_dir: ufs /var/spool/squid 81920 16 256
+      notify: Reload squid
+    - name: Configure squid - ACL allcluster
+      template:
+        src: templates/etc/squid/conf.d/allcluster.conf
+        dest: /etc/squid/conf.d/allcluster.conf
+        mode: 0644
+      notify: Reload squid
+
+  handlers:
+    - name: Restart squid
+      service:
+        name: squid
+        state: restarted
+    - name: Reload squid
+      service:
+        name: squid
+        state: reloaded
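Review bot: The first play's only task is a `debug` named `Gather facts on the node`, although fact gathering is done implicitly by the play itself and the task only prints addresses; its purpose (presumably to make `hostvars` of `allnodes` available to the `allcluster.conf` template in the second play) is not stated anywhere. A comment on the play, `# facts of all nodes are needed by templates/etc/squid/conf.d/allcluster.conf`, would make that dependency explicit, and a play with `gather_facts: true` and no tasks would be clearer than a debug. The comment on `notify: Restart squid` reads `full-fledge`; it should be `full-fledged restart needed to build cache`.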
diff --git a/common/playbooks/templates/etc/exports.inventory_hostname b/common/playbooks/templates/etc/exports.inventory_hostname
new file mode 100644
index 0000000..dfc08fc
--- /dev/null
+++ b/common/playbooks/templates/etc/exports.inventory_hostname
@@ -0,0 +1,2 @@
+# export the NFS directory to all the cluster members
+/exports {% for host in groups['allnodes'] -%}{{ host }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
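Review bot: All three export templates (`exports.inventory_hostname` here, `exports.ipv4` and `exports.ipv46` below) grant `rw,no_root_squash` to every member of `groups['allnodes']`, which means root on any cluster node is root on `/exports` on the NFS server; a one-line comment recording that this is intentional and that the `allnodes` group is the trust boundary would help future readers. For this variant the inventory hostnames must also resolve on the NFS server, since exportfs will try to resolve client names when the export is applied, which the comment could note. `async` trades durability on a server crash for throughput and is worth stating for the same reason.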
diff --git a/common/playbooks/templates/etc/exports.ipv4 b/common/playbooks/templates/etc/exports.ipv4
new file mode 100644
index 0000000..ef76917
--- /dev/null
+++ b/common/playbooks/templates/etc/exports.ipv4
@@ -0,0 +1,2 @@
+# export the NFS directory to all the cluster members
+/exports {% for host in groups['allnodes'] -%}{{ hostvars[host].ansible_default_ipv4.address }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/common/playbooks/templates/etc/exports.ipv46 b/common/playbooks/templates/etc/exports.ipv46
new file mode 100644
index 0000000..d00f3ed
--- /dev/null
+++ b/common/playbooks/templates/etc/exports.ipv46
@@ -0,0 +1,2 @@
+# export the NFS directory to all the cluster members
+/exports {% for host in groups['allnodes'] -%}{{ hostvars[host].ansible_default_ipv4.address }}(rw,async,no_root_squash,no_subtree_check) {{ hostvars[host].ansible_default_ipv6.address }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/common/playbooks/templates/etc/mailutils.conf b/common/playbooks/templates/etc/mailutils.conf
new file mode 100644
index 0000000..9e38faa
--- /dev/null
+++ b/common/playbooks/templates/etc/mailutils.conf
@@ -0,0 +1,3 @@
+address {
+  email-domain {{ fromdomain }};
+};
diff --git a/cesnet-central/playbooks/templates/etc/squid/conf.d/allcluster.conf b/common/playbooks/templates/etc/squid/conf.d/allcluster.conf
similarity index 100%
rename from cesnet-central/playbooks/templates/etc/squid/conf.d/allcluster.conf
rename to common/playbooks/templates/etc/squid/conf.d/allcluster.conf
diff --git a/common/playbooks/upgrade.yaml b/common/playbooks/upgrade.yaml
new file mode 100644
index 0000000..2c76219
--- /dev/null
+++ b/common/playbooks/upgrade.yaml
@@ -0,0 +1,92 @@
+---
+#
+# Upgrade kubernetes cluster
+#
+# https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/
+#
+# Usage example:
+#
+# VERSION=1.30.2
+# ansible-playbook playbooks/upgrade.yaml --extra-vars "version=$VERSION"
+#
+- name: Upgrade and hold kubeadm package
+  hosts: master,ingress,nfs,worker,gpu
+  become: true
+  tasks:
+    - name: New k8s repository
+      copy:
+        dest: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_30_deb.list
+        content: deb https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /
+        mode: 0644
+    - name: Upgrade packages
+      apt:
+        name: kubeadm={{ version }}*
+        state: present
+        force: true
+        update_cache: true
+    - name: Hold packages
+      dpkg_selections:
+        name: "{{ item }}"
+        selection: hold
+      loop:
+        - kubeadm
+
+- name: Upgrade k8s master
+  hosts: master
+  become: true
+  tasks:
+    - name: Upgrade kubeadm
+      command: |
+        kubeadm upgrade apply --yes v{{ version }}
+      when: true
+
+- name: Upgrade k8s nodes
+  hosts: ingress,nfs,worker,gpu
+  become: true
+  tasks:
+    - name: Upgrade kubeadm
+      command: |
+        kubeadm upgrade node
+      when: true
+
+- name: Upgrade and hold packages
+  hosts: master,ingress,nfs,worker,gpu
+  become: true
+  tasks:
+    - name: Upgrade packages
+      apt:
+        name: kubectl={{ version }}*, kubelet={{ version }}*
+        state: present
+        force: true
+        update_cache: true
+    - name: Hold packages
+      dpkg_selections:
+        name: "{{ item }}"
+        selection: hold
+      loop:
+        - kubectl
+        - kubelet
+    - name: Restart kubelet
+      systemd:
+        state: restarted
+        name: kubelet
+    - name: Cleanup old k8s repository
+      file:
+        path: /etc/apt/sources.list.d/pkgs_k8s_io_core_stable_v1_29_deb.list
+        state: absent
+
+
+# pinned by grycap.kubernetes
+# - name: Upgrade networking
+#   hosts: master
+#   become: true
+#   tasks:
+#     - name: Upgrade weave
+#       shell: |
+#         set -o pipefail
+#         kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
+#       environment:
+#         KUBECONFIG: /etc/kubernetes/admin.conf
+#       args:
+#         executable: /bin/bash
+#       when: true
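Review bot: `force: true` on both `apt` tasks (`Upgrade packages` in the first and fourth plays) corresponds to apt's `--force-yes` and implies `allow_unauthenticated`, so the kubeadm/kubectl/kubelet packages are installed even when their signatures do not verify against the trusted keys. The pkgs.k8s.io repository is signed; drop `force: true` and, if the intent is only to let a pinned version win, use `allow_downgrade: true` instead. The repository file also hard-codes `v1.30` while `version` is a free-form extra var, so a `version` from another minor would silently fail to resolve; `{{ version.split('.')[:2] | join('.') }}` would derive the repo path from it. The `deb` line carries no `[signed-by=...]` option and thus relies on the key already being in apt's trusted keyring, which deserves a comment saying where that key is installed.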
diff --git a/common/terraform/vars.tf b/common/terraform/vars.tf
new file mode 100644
index 0000000..25f0b32
--- /dev/null
+++ b/common/terraform/vars.tf
@@ -0,0 +1,64 @@
+variable "ip_pool" {
+  type        = string
+  description = "The name of the public IP pool for the servers"
+}
+
+variable "net_name" {
+  type        = string
+  description = "The name of the IPv4 network"
+}
+
+variable "net6_name" {
+  type        = string
+  description = "The name of the IPv6 network"
+}
+
+variable "site_name" {
+  type        = string
+  description = "Site identifier for internal host names"
+}
+
+variable "gpu_flavor_name" {
+  type = string
+  description = "Name of the GPU flavor"
+}
+
+variable "master_flavor_name" {
+  type        = string
+  description = "Name of the master flavor"
+}
+
+variable "worker_flavor_name" {
+  type        = string
+  description = "Name of the worker flavor"
+}
+
+variable "extra_workers" {
+  type        = number
+  description = "Number of extra workers to create"
+}
+
+variable "gpu_workers" {
+  type        = number
+  description = "Number of GPU workers to create"
+}
+
+variable "docker_volumes_size" {
+  type        = number
+  description = "Size of volumes for docker (GB)"
+}
+
+variable "nfs_volume_size" {
+  type        = number
+  description = "Size of volume for NFS server (GB)"
+}
+
+variable "scratch_volumes_size" {
+  type        = number
+  description = "Size of volume for ephemeral volumes (GB)"
+}
+
+variable "squid_volume_size" {
+  type        = number
+  description = "Size of volume for squid proxy, CVMFS cache (GB)"
+}
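Review bot: The `gpu_flavor_name` block is the only one whose `type` and `description` are not column-aligned with the rest of the file; `terraform fmt` would normalise it to `type        = string`. The count variables (`extra_workers`, `gpu_workers`) and the volume-size variables carry no `validation` block, so a negative value would presumably only be rejected by the provider at plan or apply time; a `validation { condition = var.extra_workers >= 0 }` with a short `error_message` is cheap and self-documenting. None of the variables has a `default`, which is fine for required inputs but worth stating in a header comment.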
diff --git a/staging1/playbooks/cvmfs.yaml b/staging1/playbooks/cvmfs.yaml
index b5dcdf0..2e82cca 120000
--- a/staging1/playbooks/cvmfs.yaml
+++ b/staging1/playbooks/cvmfs.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/cvmfs.yaml
\ No newline at end of file
+../../common/playbooks/cvmfs.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/files/calico.yaml b/staging1/playbooks/files/calico.yaml
index 3d2b787..732c864 120000
--- a/staging1/playbooks/files/calico.yaml
+++ b/staging1/playbooks/files/calico.yaml
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/calico.yaml
\ No newline at end of file
+../../../common/playbooks/files/calico.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/files/etc b/staging1/playbooks/files/etc
index 0246be9..ed53b87 120000
--- a/staging1/playbooks/files/etc
+++ b/staging1/playbooks/files/etc
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/etc
\ No newline at end of file
+../../../common/playbooks/files/etc
\ No newline at end of file
diff --git a/staging1/playbooks/files/usr b/staging1/playbooks/files/usr
index 47d6e90..b034223 120000
--- a/staging1/playbooks/files/usr
+++ b/staging1/playbooks/files/usr
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/usr
\ No newline at end of file
+../../../common/playbooks/files/usr
\ No newline at end of file
diff --git a/staging1/playbooks/k8s.yaml b/staging1/playbooks/k8s.yaml
index 5e18112..117aed6 120000
--- a/staging1/playbooks/k8s.yaml
+++ b/staging1/playbooks/k8s.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/k8s.yaml
\ No newline at end of file
+../../common/playbooks/k8s.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/squid.yaml b/staging1/playbooks/squid.yaml
index 408847e..114c327 120000
--- a/staging1/playbooks/squid.yaml
+++ b/staging1/playbooks/squid.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/squid.yaml
\ No newline at end of file
+../../common/playbooks/squid.yaml
\ No newline at end of file
diff --git a/staging1/playbooks/templates/etc/exports b/staging1/playbooks/templates/etc/exports
deleted file mode 100644
index ef76917..0000000
--- a/staging1/playbooks/templates/etc/exports
+++ /dev/null
@@ -1,2 +0,0 @@
-# export the NFS directory to all the cluster members
-/exports {% for host in groups['allnodes'] -%}{{ hostvars[host].ansible_default_ipv4.address }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/staging1/playbooks/templates/etc/exports b/staging1/playbooks/templates/etc/exports
new file mode 120000
index 0000000..a743a02
--- /dev/null
+++ b/staging1/playbooks/templates/etc/exports
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/exports.ipv4
\ No newline at end of file
diff --git a/staging1/playbooks/templates/etc/mailutils.conf b/staging1/playbooks/templates/etc/mailutils.conf
index c67eb7d..dbd8a1f 120000
--- a/staging1/playbooks/templates/etc/mailutils.conf
+++ b/staging1/playbooks/templates/etc/mailutils.conf
@@ -1 +1 @@
-../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
+../../../../common/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
diff --git a/staging1/playbooks/templates/etc/squid b/staging1/playbooks/templates/etc/squid
new file mode 120000
index 0000000..352b598
--- /dev/null
+++ b/staging1/playbooks/templates/etc/squid
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/squid
\ No newline at end of file
diff --git a/staging1/playbooks/templates/etc/squid/conf.d/allcluster.conf b/staging1/playbooks/templates/etc/squid/conf.d/allcluster.conf
deleted file mode 120000
index 3ac6e9a..0000000
--- a/staging1/playbooks/templates/etc/squid/conf.d/allcluster.conf
+++ /dev/null
@@ -1 +0,0 @@
-../../../../../../cesnet-central/playbooks/templates/etc/squid/conf.d/allcluster.conf
\ No newline at end of file
diff --git a/staging1/playbooks/upgrade.yaml b/staging1/playbooks/upgrade.yaml
index 3a00425..0f9e3f4 120000
--- a/staging1/playbooks/upgrade.yaml
+++ b/staging1/playbooks/upgrade.yaml
@@ -1 +1 @@
-/home/valtri/notebooks-operations.eosc/cesnet-central/playbooks/upgrade.yaml
\ No newline at end of file
+../../common/playbooks/upgrade.yaml
\ No newline at end of file
diff --git a/testing/playbooks/cvmfs.yaml b/testing/playbooks/cvmfs.yaml
index b5dcdf0..2e82cca 120000
--- a/testing/playbooks/cvmfs.yaml
+++ b/testing/playbooks/cvmfs.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/cvmfs.yaml
\ No newline at end of file
+../../common/playbooks/cvmfs.yaml
\ No newline at end of file
diff --git a/testing/playbooks/files/calico.yaml b/testing/playbooks/files/calico.yaml
index 3d2b787..732c864 120000
--- a/testing/playbooks/files/calico.yaml
+++ b/testing/playbooks/files/calico.yaml
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/calico.yaml
\ No newline at end of file
+../../../common/playbooks/files/calico.yaml
\ No newline at end of file
diff --git a/testing/playbooks/files/etc b/testing/playbooks/files/etc
index 0246be9..ed53b87 120000
--- a/testing/playbooks/files/etc
+++ b/testing/playbooks/files/etc
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/etc
\ No newline at end of file
+../../../common/playbooks/files/etc
\ No newline at end of file
diff --git a/testing/playbooks/files/usr b/testing/playbooks/files/usr
index 47d6e90..b034223 120000
--- a/testing/playbooks/files/usr
+++ b/testing/playbooks/files/usr
@@ -1 +1 @@
-../../../cesnet-central/playbooks/files/usr
\ No newline at end of file
+../../../common/playbooks/files/usr
\ No newline at end of file
diff --git a/testing/playbooks/k8s.yaml b/testing/playbooks/k8s.yaml
index 5e18112..117aed6 120000
--- a/testing/playbooks/k8s.yaml
+++ b/testing/playbooks/k8s.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/k8s.yaml
\ No newline at end of file
+../../common/playbooks/k8s.yaml
\ No newline at end of file
diff --git a/testing/playbooks/notebooks.yaml b/testing/playbooks/notebooks.yaml
index 7c6d7a3..3f1a33f 120000
--- a/testing/playbooks/notebooks.yaml
+++ b/testing/playbooks/notebooks.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/notebooks.yaml
\ No newline at end of file
+../../common/playbooks/notebooks.yaml
\ No newline at end of file
diff --git a/testing/playbooks/squid.yaml b/testing/playbooks/squid.yaml
index 408847e..114c327 120000
--- a/testing/playbooks/squid.yaml
+++ b/testing/playbooks/squid.yaml
@@ -1 +1 @@
-../../cesnet-central/playbooks/squid.yaml
\ No newline at end of file
+../../common/playbooks/squid.yaml
\ No newline at end of file
diff --git a/testing/playbooks/templates/etc/exports b/testing/playbooks/templates/etc/exports
deleted file mode 100644
index d00f3ed..0000000
--- a/testing/playbooks/templates/etc/exports
+++ /dev/null
@@ -1,2 +0,0 @@
-# export the NFS directory to all the cluster members
-/exports {% for host in groups['allnodes'] -%}{{ hostvars[host].ansible_default_ipv4.address }}(rw,async,no_root_squash,no_subtree_check) {{ hostvars[host].ansible_default_ipv6.address }}(rw,async,no_root_squash,no_subtree_check) {% endfor -%}
diff --git a/testing/playbooks/templates/etc/exports b/testing/playbooks/templates/etc/exports
new file mode 120000
index 0000000..3ef288e
--- /dev/null
+++ b/testing/playbooks/templates/etc/exports
@@ -0,0 +1 @@
+../../../../common/playbooks/templates/etc/exports.ipv46
\ No newline at end of file
diff --git a/testing/playbooks/templates/etc/mailutils.conf b/testing/playbooks/templates/etc/mailutils.conf
index c67eb7d..dbd8a1f 120000
--- a/testing/playbooks/templates/etc/mailutils.conf
+++ b/testing/playbooks/templates/etc/mailutils.conf
@@ -1 +1 @@
-../../../../cesnet-central/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
+../../../../common/playbooks/templates/etc/mailutils.conf
\ No newline at end of file
diff --git a/testing/playbooks/templates/etc/squid b/testing/playbooks/templates/etc/squid
index a7a265f..352b598 120000
--- a/testing/playbooks/templates/etc/squid
+++ b/testing/playbooks/templates/etc/squid
@@ -1 +1 @@
-../../../../cesnet-central/playbooks/templates/etc/squid
\ No newline at end of file
+../../../../common/playbooks/templates/etc/squid
\ No newline at end of file
-- 
GitLab