From d2ece5e6054d96e271662aa066e30682149c0f0b Mon Sep 17 00:00:00 2001 From: pixiake Date: Fri, 1 Jul 2022 07:46:24 +0800 Subject: [PATCH] Upgrade calico and set the default veth_mtu to 0 Signed-off-by: pixiake --- apis/kubekey/v1alpha2/default.go | 4 +- docs/config-example.md | 2 +- .../network/templates/calico_v1.16+.go | 724 ++++++++++++++++-- 3 files changed, 648 insertions(+), 82 deletions(-) diff --git a/apis/kubekey/v1alpha2/default.go b/apis/kubekey/v1alpha2/default.go index 04d241119..1b6a805a6 100644 --- a/apis/kubekey/v1alpha2/default.go +++ b/apis/kubekey/v1alpha2/default.go @@ -46,7 +46,7 @@ const ( DefaultRuncVersion = "v1.1.1" DefaultCrictlVersion = "v1.24.0" DefaultKubeVersion = "v1.23.7" - DefaultCalicoVersion = "v3.20.0" + DefaultCalicoVersion = "v3.23.2" DefaultFlannelVersion = "v0.12.0" DefaultCniVersion = "v0.9.1" DefaultCiliumVersion = "v1.8.3" @@ -60,7 +60,7 @@ const ( DefaultNodeCidrMaskSize = 24 DefaultIPIPMode = "Always" DefaultVXLANMode = "Never" - DefaultVethMTU = 1440 + DefaultVethMTU = 0 DefaultBackendMode = "vxlan" DefaultProxyMode = "ipvs" DefaultCrioEndpoint = "unix:///var/run/crio/crio.sock" diff --git a/docs/config-example.md b/docs/config-example.md index e4be41bbd..446a8b6c0 100644 --- a/docs/config-example.md +++ b/docs/config-example.md @@ -63,7 +63,7 @@ spec: calico: ipipMode: Always # IPIP Mode to use for the IPv4 POOL created at start up. If set to a value other than Never, vxlanMode should be set to "Never". [Always | CrossSubnet | Never] [Default: Always] vxlanMode: Never # VXLAN Mode to use for the IPv4 POOL created at start up. If set to a value other than Never, ipipMode should be set to "Never". [Always | CrossSubnet | Never] [Default: Never] - vethMTU: 1440 # The maximum transmission unit (MTU) setting determines the largest packet size that can be transmitted through your network. [Default: 1440] + vethMTU: 0 # The maximum transmission unit (MTU) setting determines the largest packet size that can be transmitted through your network. By default, MTU is auto-detected. [Default: 0] kubePodsCIDR: 10.233.64.0/18 kubeServiceCIDR: 10.233.0.0/18 registry: diff --git a/pkg/plugins/network/templates/calico_v1.16+.go b/pkg/plugins/network/templates/calico_v1.16+.go index de7730778..b585d62fb 100644 --- a/pkg/plugins/network/templates/calico_v1.16+.go +++ b/pkg/plugins/network/templates/calico_v1.16+.go @@ -119,6 +119,12 @@ spec: 64512]' format: int32 type: integer + bindMode: + description: BindMode indicates whether to listen for BGP connections + on all addresses (None) or only on the node's canonical IP address + Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen + for BGP connections on all addresses. + type: string communities: description: Communities is a list of BGP community values and their arbitrary names for tagging routes. @@ -130,11 +136,11 @@ spec: description: Name given to community value. type: string value: - description: Value must be of format +aa:nn+ or +aa:nn:mm+. - For standard community use +aa:nn+ format, where +aa+ and - +nn+ are 16 bit number. For large community use +aa:nn:mm+ - format, where +aa+, +nn+ and +mm+ are 32 bit number. Where, - +aa+ is an AS Number, +nn+ and +mm+ are per-AS identifier. + description: Value must be of format aa:nn or aa:nn:mm. + For standard community use aa:nn format, where aa and + nn are 16 bit number. For large community use aa:nn:mm + format, where aa, nn and mm are 32 bit number. Where, + aa is an AS Number, nn and mm are per-AS identifier. pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ type: string type: object @@ -149,6 +155,37 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]' type: string + nodeMeshMaxRestartTime: + description: Time to allow for software restart for node-to-mesh peerings. When + specified, this is configured as the graceful restart timeout. When + not specified, the BIRD default of 120s is used. This field can + only be set on the default BGPConfiguration instance and requires + that NodeMesh is enabled + type: string + nodeMeshPassword: + description: Optional BGP password for full node-to-mesh peerings. + This field can only be set on the default BGPConfiguration instance + and requires that NodeMesh is enabled + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object nodeToNodeMeshEnabled: description: 'NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]' @@ -165,12 +202,12 @@ spec: type: string communities: description: Communities can be list of either community names - already defined in +Specs.Communities+ or community value - of format +aa:nn+ or +aa:nn:mm+. For standard community use - +aa:nn+ format, where +aa+ and +nn+ are 16 bit number. For - large community use +aa:nn:mm+ format, where +aa+, +nn+ and - +mm+ are 32 bit number. Where,+aa+ is an AS Number, +nn+ and - +mm+ are per-AS identifier. + already defined in Specs.Communities or community value + of format aa:nn or aa:nn:mm. For standard community use + aa:nn format, where aa and nn are 16 bit number. For + large community use aa:nn:mm format, where aa, nn and + mm are 32 bit number. Where,aa is an AS Number, nn and + mm are per-AS identifier. items: type: string type: array @@ -267,8 +304,8 @@ spec: in the specific branch of the Node on "bird.cfg". type: boolean maxRestartTime: - description: Time to allow for software restart. When specified, this - is configured as the graceful restart timeout. When not specified, + description: Time to allow for software restart. When specified, + this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used. type: string node: @@ -280,6 +317,12 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + numAllowedLocalASNumbers: + description: Maximum number of local AS numbers that are allowed in + the AS path for received routes. This removes BGP loop prevention + and should only be used if absolutely necesssary. + format: int32 + type: integer password: description: Optional BGP password for the peerings generated by this BGPPeer resource. @@ -305,8 +348,8 @@ spec: type: object peerIP: description: The IP address of the peer followed by an optional port - number to peer with. If port number is given, format should be +[]:port+ - or +:+ for IPv4. If optional port number is not set, + number to peer with. If port number is given, format should be []:port + or : for IPv4. If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node with ListenPort set in BGPConfiguration, then we use that port to peer. type: string @@ -397,6 +440,269 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: caliconodestatuses.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: CalicoNodeStatus + listKind: CalicoNodeStatusList + plural: caliconodestatuses + singular: caliconodestatus + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus + resource. + properties: + classes: + description: Classes declares the types of information to monitor + for this calico/node, and allows for selective status reporting + about certain subsets of information. + items: + type: string + type: array + node: + description: The node name identifies the Calico node instance for + node status. + type: string + updatePeriodSeconds: + description: UpdatePeriodSeconds is the period at which CalicoNodeStatus + should be updated. Set to 0 to disable CalicoNodeStatus refresh. + Maximum update period is one day. + format: int32 + type: integer + type: object + status: + description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. + No validation needed for status since it is updated by Calico. + properties: + agent: + description: Agent holds agent status on the node. + properties: + birdV4: + description: BIRDV4 represents the latest observed status of bird4. + properties: + lastBootTime: + description: LastBootTime holds the value of lastBootTime + from bird.ctl output. + type: string + lastReconfigurationTime: + description: LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. + type: string + routerID: + description: Router ID used by bird. + type: string + state: + description: The state of the BGP Daemon. + type: string + version: + description: Version of the BGP daemon + type: string + type: object + birdV6: + description: BIRDV6 represents the latest observed status of bird6. + properties: + lastBootTime: + description: LastBootTime holds the value of lastBootTime + from bird.ctl output. + type: string + lastReconfigurationTime: + description: LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. + type: string + routerID: + description: Router ID used by bird. + type: string + state: + description: The state of the BGP Daemon. + type: string + version: + description: Version of the BGP daemon + type: string + type: object + type: object + bgp: + description: BGP holds node BGP status. + properties: + numberEstablishedV4: + description: The total number of IPv4 established bgp sessions. + type: integer + numberEstablishedV6: + description: The total number of IPv6 established bgp sessions. + type: integer + numberNotEstablishedV4: + description: The total number of IPv4 non-established bgp sessions. + type: integer + numberNotEstablishedV6: + description: The total number of IPv6 non-established bgp sessions. + type: integer + peersV4: + description: PeersV4 represents IPv4 BGP peers status on the node. + items: + description: CalicoNodePeer contains the status of BGP peers + on the node. + properties: + peerIP: + description: IP address of the peer whose condition we are + reporting. + type: string + since: + description: Since the state or reason last changed. + type: string + state: + description: State is the BGP session state. + type: string + type: + description: Type indicates whether this peer is configured + via the node-to-node mesh, or via en explicit global or + per-node BGPPeer object. + type: string + type: object + type: array + peersV6: + description: PeersV6 represents IPv6 BGP peers status on the node. + items: + description: CalicoNodePeer contains the status of BGP peers + on the node. + properties: + peerIP: + description: IP address of the peer whose condition we are + reporting. + type: string + since: + description: Since the state or reason last changed. + type: string + state: + description: State is the BGP session state. + type: string + type: + description: Type indicates whether this peer is configured + via the node-to-node mesh, or via en explicit global or + per-node BGPPeer object. + type: string + type: object + type: array + required: + - numberEstablishedV4 + - numberEstablishedV6 + - numberNotEstablishedV4 + - numberNotEstablishedV6 + type: object + lastUpdated: + description: LastUpdated is a timestamp representing the server time + when CalicoNodeStatus object last updated. It is represented in + RFC3339 form and is in UTC. + format: date-time + nullable: true + type: string + routes: + description: Routes reports routes known to the Calico BGP daemon + on the node. + properties: + routesV4: + description: RoutesV4 represents IPv4 routes on the node. + items: + description: CalicoNodeRoute contains the status of BGP routes + on the node. + properties: + destination: + description: Destination of the route. + type: string + gateway: + description: Gateway for the destination. + type: string + interface: + description: Interface for the destination + type: string + learnedFrom: + description: LearnedFrom contains information regarding + where this route originated. + properties: + peerIP: + description: If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. + type: string + sourceType: + description: Type of the source where a route is learned + from. + type: string + type: object + type: + description: Type indicates if the route is being used for + forwarding or not. + type: string + type: object + type: array + routesV6: + description: RoutesV6 represents IPv6 routes on the node. + items: + description: CalicoNodeRoute contains the status of BGP routes + on the node. + properties: + destination: + description: Destination of the route. + type: string + gateway: + description: Gateway for the destination. + type: string + interface: + description: Interface for the destination + type: string + learnedFrom: + description: LearnedFrom contains information regarding + where this route originated. + properties: + peerIP: + description: If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. + type: string + sourceType: + description: Type of the source where a route is learned + from. + type: string + type: object + type: + description: Type indicates if the route is being used for + forwarding or not. + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -507,7 +813,7 @@ spec: type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted - value must be one of "DoNothing", "Enabled" or "Disabled". [Default: + value must be one of "DoNothing", "Enable" or "Disable". [Default: DoNothing]' enum: - DoNothing @@ -541,6 +847,18 @@ spec: description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]' type: boolean + bpfEnforceRPF: + description: 'BPFEnforceRPF enforce strict RPF on all interfaces with + BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled or Strict. [Default: Strict]' + type: string + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit + mark that is set on connections from an external client to a local + service. This mark allows us to control how packets of that connection + are routed within the host and how is routing intepreted by RPF + check. [Default: 0]' + type: integer bpfExternalServiceMode: description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) @@ -551,14 +869,6 @@ spec: node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]' type: string - bpfExtToServiceConnmark: - description: 'BPFExtToServiceConnmark in BPF mode, controls a - 32bit mark that is set on connections from an external client to - a local service. This mark allows us to control how packets of - that connection are routed within the host and how is routing - intepreted by RPF check. [Default: 0]' - type: integer - bpfKubeProxyEndpointSlicesEnabled: description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not. @@ -579,8 +889,53 @@ spec: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command - +tc exec bpf debug+. [Default: Off].' + tc exec bpf debug. [Default: Off].' type: string + bpfMapSizeConntrack: + description: 'BPFMapSizeConntrack sets the size for the conntrack + map. This map must be large enough to hold an entry for each active + connection. Warning: changing the size of the conntrack map can + cause disruption.' + type: integer + bpfMapSizeIPSets: + description: BPFMapSizeIPSets sets the size for ipsets map. The IP + sets map must be large enough to hold an entry for each endpoint + matched by every selector in the source/destination matches in network + policy. Selectors such as "all()" can result in large numbers of + entries (one entry per endpoint in that case). + type: integer + bpfMapSizeNATAffinity: + type: integer + bpfMapSizeNATBackend: + description: BPFMapSizeNATBackend sets the size for nat back end map. + This is the total number of endpoints. This is mostly more than + the size of the number of services. + type: integer + bpfMapSizeNATFrontend: + description: BPFMapSizeNATFrontend sets the size for nat front end + map. FrontendMap should be large enough to hold an entry for each + nodeport, external IP and each port in each service. + type: integer + bpfMapSizeRoute: + description: BPFMapSizeRoute sets the size for the routes map. The + routes map should be large enough to hold one entry per workload + and a handful of entries per host (enough to cover its own IPs and + tunnel IPs). + type: integer + bpfPSNATPorts: + anyOf: + - type: integer + - type: string + description: 'BPFPSNATPorts sets the range from which we randomly + pick a port if there is a source port collision. This should be + within the ephemeral range as defined by RFC 6056 (1024–65535) and + preferably outside the ephemeral ranges used by common operating + systems. Linux uses 32768–60999, while others mostly use the IANA + defined range 49152–65535. It is not necessarily a problem if this + range overlaps with the operating systems. Both ends of the range + are inclusive. [Default: 20000:29999]' + pattern: ^.* + x-kubernetes-int-or-string: true chainInsertMode: description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the @@ -591,6 +946,15 @@ spec: Calico policy will be bypassed. [Default: insert]' type: string dataplaneDriver: + description: DataplaneDriver filename of the external dataplane driver + to use. Only used if UseInternalDataplaneDriver is set to false. + type: string + dataplaneWatchdogTimeout: + description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix''s (internal) dataplane driver. Increase this value + if you experience spurious non-ready or non-live events when Felix + is under heavy load. Decrease the value to get felix to report non-live + or non-ready more quickly. [Default: 90s]' type: string debugDisableLogDropping: type: boolean @@ -619,9 +983,14 @@ spec: routes, by default this will be RTPROT_BOOT when left blank. type: integer deviceRouteSourceAddress: - description: This is the source address to use on programmed device - routes. By default the source address is left blank, leaving the - kernel to choose the source address used. + description: This is the IPv4 source address to use on programmed + device routes. By default the source address is left blank, leaving + the kernel to choose the source address used. + type: string + deviceRouteSourceAddressIPv6: + description: This is the IPv6 source address to use on programmed + device routes. By default the source address is left blank, leaving + the kernel to choose the source address used. type: string disableConntrackInvalidCheck: type: boolean @@ -695,6 +1064,14 @@ spec: "true" or "false" will force the feature, empty or omitted values are auto-detected. type: string + floatingIPs: + default: Disabled + description: FloatingIPs configures whether or not Felix will program + floating IP addresses. + enum: + - Enabled + - Disabled + type: string genericXDPEnabled: description: 'GenericXDPEnabled enables Generic XDP so network cards that don''t support XDP offload or driver modes can use XDP. This @@ -732,6 +1109,9 @@ spec: disabled by setting the interval to 0. type: string ipipEnabled: + description: 'IPIPEnabled overrides whether Felix should configure + an IPIP interface on the host. Optional as Felix determines this + based on the existing IP pools. [Default: nil (unset)]' type: boolean ipipMTU: description: 'IPIPMTU is the MTU to set on the tunnel device. See @@ -798,6 +1178,8 @@ spec: usage. [Default: 10s]' type: string ipv6Support: + description: IPv6Support controls whether Felix enables support for + IPv6 (if supported by the in-use dataplane). type: boolean kubeNodePortRanges: description: 'KubeNodePortRanges holds list of port ranges used for @@ -811,6 +1193,12 @@ spec: pattern: ^.* x-kubernetes-int-or-string: true type: array + logDebugFilenameRegex: + description: LogDebugFilenameRegex controls which source code files + have their Debug log output included in the logs. Only logs from + files with names that match the given regular expression are included. The + filter only applies to Debug level logs. + type: string logFilePath: description: 'LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]' @@ -907,6 +1295,12 @@ spec: to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]' type: boolean + prometheusWireGuardMetricsEnabled: + description: 'PrometheusWireGuardMetricsEnabled disables wireguard + metrics collection, which the Prometheus client does by default, + when set to false. This reduces the number of metrics reported, + reducing Prometheus load. [Default: true]' + type: boolean removeExternalRoutes: description: Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications @@ -934,9 +1328,9 @@ spec: routes. - CalicoIPAM: the default - use IPAM data to construct routes.' type: string routeTableRange: - description: Calico programs additional Linux route tables for various - purposes. RouteTableRange specifies the indices of the route tables - that Calico should use. + description: Deprecated in favor of RouteTableRanges. Calico programs + additional Linux route tables for various purposes. RouteTableRange + specifies the indices of the route tables that Calico should use. properties: max: type: integer @@ -946,6 +1340,21 @@ spec: - max - min type: object + routeTableRanges: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRanges specifies a set of table index ranges + that Calico should use. DeprecatesRouteTableRange, overrides RouteTableRange. + items: + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + type: array serviceLoopPrevention: description: 'When service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting @@ -973,12 +1382,22 @@ spec: Felix makes reports. [Default: 86400s]' type: string useInternalDataplaneDriver: + description: UseInternalDataplaneDriver, if true, Felix will use its + internal dataplane programming logic. If false, it will launch + an external dataplane driver and communicate with it over protobuf. type: boolean vxlanEnabled: + description: 'VXLANEnabled overrides whether Felix should create the + VXLAN tunnel device for VXLAN networking. Optional as Felix determines + this based on the existing IP pools. [Default: nil (unset)]' type: boolean vxlanMTU: - description: 'VXLANMTU is the MTU to set on the tunnel device. See - Configuring MTU [Default: 1440]' + description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel + device. See Configuring MTU [Default: 1410]' + type: integer + vxlanMTUV6: + description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel + device. See Configuring MTU [Default: 1390]' type: integer vxlanPort: type: integer @@ -988,10 +1407,18 @@ spec: description: 'WireguardEnabled controls whether Wireguard is enabled. [Default: false]' type: boolean + wireguardHostEncryptionEnabled: + description: 'WireguardHostEncryptionEnabled controls whether Wireguard + host-to-host encryption is enabled. [Default: false]' + type: boolean wireguardInterfaceName: description: 'WireguardInterfaceName specifies the name to use for the Wireguard interface. [Default: wg.calico]' type: string + wireguardKeepAlive: + description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive + option. Set 0 to disable. [Default: 0]' + type: string wireguardListeningPort: description: 'WireguardListeningPort controls the listening port used by Wireguard. [Default: 51820]' @@ -1004,6 +1431,12 @@ spec: description: 'WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]' type: integer + workloadSourceSpoofing: + description: WorkloadSourceSpoofing controls whether pods can use + the allowedSourcePrefixes annotation to send traffic with a source + IP address that is not theirs. This is disabled by default. When + set to "Any", pods can request any prefix. + type: string xdpEnabled: description: 'XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]' @@ -1097,7 +1530,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -1197,8 +1630,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -1228,7 +1661,7 @@ spec: the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a +exact+ or a +prefix+ match. The + ONLY specify either a exact or a prefix match. The validator will check for it.' items: description: 'HTTPPath specifies an HTTP path to match. @@ -1323,7 +1756,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -1423,8 +1856,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -1470,7 +1903,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -1570,8 +2003,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -1601,7 +2034,7 @@ spec: the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a +exact+ or a +prefix+ match. The + ONLY specify either a exact or a prefix match. The validator will check for it.' items: description: 'HTTPPath specifies an HTTP path to match. @@ -1696,7 +2129,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -1796,8 +2229,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -2076,8 +2509,16 @@ spec: resource. properties: affinity: + description: Affinity of the block, if this block has one. If set, + it will be of the form "host:". If not set, this block + is not affine to a host. type: string allocations: + description: Array of allocations in-use within this block. nil entries + mean the allocation is free. For non-nil entries at index i, the + index is the ordinal of the allocation within this block and the + value is the index of the associated attributes in the Attributes + array. items: type: integer # TODO: This nullable is manually added in. We should update controller-gen @@ -2085,6 +2526,10 @@ spec: nullable: true type: array attributes: + description: Attributes is an array of arbitrary metadata associated + with allocations in the block. To find attributes for a given allocation, + use the value of the allocation's entry in the Allocations array + as the index of the element in this array. items: properties: handle_id: @@ -2096,12 +2541,38 @@ spec: type: object type: array cidr: + description: The block's CIDR. type: string deleted: + description: Deleted is an internal boolean used to workaround a limitation + in the Kubernetes API whereby deletion will not return a conflict + error if the block has been updated. It should not be set manually. type: boolean + sequenceNumber: + default: 0 + description: We store a sequence number that is updated each time + the block is written. Each allocation will also store the sequence + number of the block at the time of its creation. When releasing + an IP, passing the sequence number associated with the allocation + allows us to protect against a race condition and ensure the IP + hasn't been released and re-allocated since the release request. + format: int64 + type: integer + sequenceNumberForAllocation: + additionalProperties: + format: int64 + type: integer + description: Map of allocated ordinal within the block to sequence + number of the block at the time of allocation. Kubernetes does not + allow numerical keys for maps, so the key is cast to a string. + type: object strictAffinity: + description: StrictAffinity on the IPAMBlock is deprecated and no + longer used by the code. Use IPAMConfig StrictAffinity instead. type: boolean unallocated: + description: Unallocated is an ordered list of allocations which are + free in the block. items: type: integer type: array @@ -2267,13 +2738,23 @@ spec: spec: description: IPPoolSpec contains the specification for an IPPool resource. properties: + allowedUses: + description: AllowedUse controls what the IP pool will be used for. If + not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility + items: + type: string + type: array blockSize: description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 112 for IPv6. + this pool. Defaults to 26 for IPv4 and 122 for IPv6. type: integer cidr: description: The pool CIDR. type: string + disableBGPExport: + description: 'Disable exporting routes from this IP Pool''s CIDR over + BGP. [Default: false]' + type: boolean disabled: description: When disabled is true, Calico IPAM will not assign addresses from this pool. @@ -2333,6 +2814,60 @@ status: conditions: [] storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: ipreservations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPReservation + listKind: IPReservationList + plural: ipreservations + singular: ipreservation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPReservationSpec contains the specification for an IPReservation + resource. + properties: + reservedCIDRs: + description: ReservedCIDRs is a list of CIDRs and/or IP addresses + that Calico IPAM will exclude from new allocations. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2435,6 +2970,11 @@ spec: type: string type: object type: object + debugProfilePort: + description: DebugProfilePort configures the port to serve memory + and cpu profiles on. If not specified, profiling is disabled. + format: int32 + type: integer etcdV3CompactionPeriod: description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]' @@ -2545,6 +3085,11 @@ spec: type: string type: object type: object + debugProfilePort: + description: DebugProfilePort configures the port to serve memory + and cpu profiles on. If not specified, profiling is disabled. + format: int32 + type: integer etcdV3CompactionPeriod: description: 'EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]' @@ -2637,7 +3182,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -2737,8 +3282,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -2768,7 +3313,7 @@ spec: the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a +exact+ or a +prefix+ match. The + ONLY specify either a exact or a prefix match. The validator will check for it.' items: description: 'HTTPPath specifies an HTTP path to match. @@ -2863,7 +3408,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -2963,8 +3508,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -3010,7 +3555,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -3110,8 +3655,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -3141,7 +3686,7 @@ spec: the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a +exact+ or a +prefix+ match. The + ONLY specify either a exact or a prefix match. The validator will check for it.' items: description: 'HTTPPath specifies an HTTP path to match. @@ -3236,7 +3781,7 @@ spec: will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace - as the NetworkPolicy. \n For NetworkPolicy, +global()+ + as the NetworkPolicy. \n For NetworkPolicy, global() NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies @@ -3336,8 +3881,8 @@ spec: within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, - Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n - Only valid on egress rules." + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." properties: name: description: Name specifies the name of a Kubernetes @@ -3490,10 +4035,10 @@ rules: - get - list - watch - # IPAM resources are manipulated when nodes are deleted. + # IPAM resources are manipulated in response to node and block updates, as well as periodic triggers. - apiGroups: ["crd.projectcalico.org"] resources: - - ippools + - ipreservations verbs: - list - apiGroups: ["crd.projectcalico.org"] @@ -3508,6 +4053,13 @@ rules: - update - delete - watch + # Pools are watched to maintain a mapping of blocks to IP pools. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + verbs: + - list + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: @@ -3524,8 +4076,10 @@ rules: - clusterinformations verbs: - get + - list - create - update + - watch # KubeControllersConfiguration is where it gets its config - apiGroups: ["crd.projectcalico.org"] resources: @@ -3625,6 +4179,14 @@ rules: - pods/status verbs: - patch + # Used for creating service account tokens to be used by the CNI plugin + - apiGroups: [""] + resources: + - serviceaccounts/token + resourceNames: + - calico-node + verbs: + - create # Calico monitors various CRDs for config. - apiGroups: ["crd.projectcalico.org"] resources: @@ -3634,6 +4196,7 @@ rules: - globalbgpconfigs - bgpconfigurations - ippools + - ipreservations - ipamblocks - globalnetworkpolicies - globalnetworksets @@ -3642,6 +4205,7 @@ rules: - clusterinformations - hostendpoints - blockaffinities + - caliconodestatuses verbs: - get - list @@ -3655,6 +4219,12 @@ rules: verbs: - create - update + # Calico must update some CRDs. + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - caliconodestatuses + verbs: + - update # Calico stores some configuration information on the node. - apiGroups: [""] resources: @@ -3969,15 +4539,6 @@ spec: name: cni-net-dir securityContext: privileged: true - # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes - # to communicate with Felix over the Policy Sync API. - - name: flexvol-driver - image: {{ .CalicoFlexvolImage }} - volumeMounts: - - name: flexvol-driver-host - mountPath: /host/driver - securityContext: - privileged: true containers: # Runs calico-node container on each Kubernetes node. This # container programs network policy and routes on each @@ -4033,6 +4594,9 @@ spec: # Enable or Disable VXLAN on the default IP pool. - name: CALICO_IPV4POOL_VXLAN value: "{{ .VXLANMode }}" + # Enable or Disable VXLAN on the default IPv6 IP pool. + - name: CALICO_IPV6POOL_VXLAN + value: "Never" # Set MTU for tunnel device used if ipip is enabled - name: FELIX_IPINIPMTU valueFrom: @@ -4073,6 +4637,12 @@ spec: resources: requests: cpu: 250m + lifecycle: + preStop: + exec: + command: + - /bin/calico-node + - -shutdown livenessProbe: exec: command: @@ -4165,11 +4735,6 @@ spec: hostPath: type: DirectoryOrCreate path: /var/run/nodeagent - # Used to install Flex Volume Driver - - name: flexvol-driver-host - hostPath: - type: DirectoryOrCreate - path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds --- apiVersion: v1 @@ -4250,7 +4815,7 @@ metadata: # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict -apiVersion: policy/v1beta1 +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: calico-kube-controllers @@ -4269,4 +4834,5 @@ spec: --- # Source: calico/templates/configure-canal.yaml + `)))