1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 labels:
5 addonmanager.kubernetes.io/mode: Reconcile
6 name: felixconfigurations.crd.projectcalico.org
7spec:
8 group: crd.projectcalico.org
9 names:
10 kind: FelixConfiguration
11 listKind: FelixConfigurationList
12 plural: felixconfigurations
13 singular: felixconfiguration
14 scope: Cluster
15 versions:
16 - name: v1
17 schema:
18 openAPIV3Schema:
19 description: Felix Configuration contains the configuration for Felix.
20 properties:
21 apiVersion:
22 description: 'APIVersion defines the versioned schema of this representation
23 of an object. Servers should convert recognized schemas to the latest
24 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
25 type: string
26 kind:
27 description: 'Kind is a string value representing the REST resource this
28 object represents. Servers may infer this from the endpoint the client
29 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
30 type: string
31 metadata:
32 type: object
33 spec:
34 description: FelixConfigurationSpec contains the values of the Felix configuration.
35 properties:
36 allowIPIPPacketsFromWorkloads:
37 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
38 allows IPIP encapsulated traffic from workloads. When false (the default), Felix adds a rule that drops such traffic, so a workload cannot craft its own tunnel packets; only enable this if workloads legitimately need to send IPIP.
39 [Default: false]'
40 type: boolean
41 allowVXLANPacketsFromWorkloads:
42 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
43 allows VXLAN encapsulated traffic from workloads. When false (the default), Felix adds a rule that drops such traffic, so a workload cannot craft its own tunnel packets; only enable this if workloads legitimately need to send VXLAN.
44 [Default: false]'
45 type: boolean
46 awsSrcDstCheck:
47 description: 'Set source-destination-check on AWS EC2 instances. Accepted
48 value must be one of "DoNothing", "Enable" or "Disable", matching the enum validated by this schema. [Default:
49 DoNothing]'
50 enum:
51 - DoNothing
52 - Enable
53 - Disable
54 type: string
55 bpfConnectTimeLoadBalancingEnabled:
56 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
57 controls whether Felix installs the connection-time load balancer. The
58 connect-time load balancer is required for the host to be able to
59 reach Kubernetes services and it improves the performance of pod-to-service
60 connections. The only reason to disable it is for debugging purposes. [Default:
61 true]'
62 type: boolean
63 bpfDataIfacePattern:
64 description: 'BPFDataIfacePattern is a regular expression that controls
65 which interfaces Felix should attach BPF programs to in order to
66 catch traffic to/from the network. This needs to match the interfaces
67 that Calico workload traffic flows over as well as any interfaces
68 that handle incoming traffic to nodeports and services from outside
69 the cluster. It should not match the workload interfaces (usually
70 named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
71 type: string
72 bpfDisableUnprivileged:
73 description: 'BPFDisableUnprivileged, if enabled, makes Felix set the kernel.unprivileged_bpf_disabled
74 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
75 users cannot access Calico''s BPF maps and cannot insert their own
76 BPF programs to interfere with Calico''s. Note: the kernel treats a value of 1 for this sysctl as one-way (it cannot be cleared without a reboot), so turning this option off later does not restore unprivileged BPF. [Default: true]'
77 type: boolean
78 bpfEnabled:
79 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
80 [Default: false]'
81 type: boolean
82 bpfExternalServiceMode:
83 description: 'BPFExternalServiceMode in BPF mode, controls how connections
84 from outside the cluster to services (node ports and cluster IPs)
85 are forwarded to remote workloads. If set to "Tunnel" then both
86 request and response traffic is tunneled to the remote node. If
87 set to "DSR", the request traffic is tunneled but the response traffic
88 is sent directly from the remote node. In "DSR" mode, the remote
89 node appears to use the IP of the ingress node; this requires a
90 permissive L2 network. [Default: Tunnel]'
91 type: string
92 bpfKubeProxyEndpointSlicesEnabled:
93 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
94 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
95 type: boolean
96 bpfKubeProxyIptablesCleanupEnabled:
97 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
98 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
99 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
100 true]'
101 type: boolean
102 bpfKubeProxyMinSyncPeriod:
103 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
104 minimum time between updates to the dataplane for Felix''s embedded
105 kube-proxy. Lower values give reduced set-up latency. Higher values
106 reduce Felix CPU usage by batching up more work. [Default: 1s]'
107 type: string
108 bpfLogLevel:
109 description: 'BPFLogLevel controls the log level of the BPF programs
110 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
111 logs are emitted to the BPF trace pipe, accessible with the command
112 `tc exec bpf debug`. [Default: Off].'
113 type: string
114 chainInsertMode:
115 description: 'ChainInsertMode controls whether Felix hooks the kernel’s
116 top-level iptables chains by inserting a rule at the top of the
117 chain or by appending a rule at the bottom. insert is the safe default
118 since it prevents Calico’s rules from being bypassed. If you switch
119 to append mode, be sure that the other rules in the chains signal
120 acceptance by falling through to the Calico rules, otherwise the
121 Calico policy will be bypassed. [Default: insert]'
122 type: string
123 dataplaneDriver:
124 type: string
125 debugDisableLogDropping:
126 type: boolean
127 debugMemoryProfilePath:
128 type: string
129 debugSimulateCalcGraphHangAfter:
130 type: string
131 debugSimulateDataplaneHangAfter:
132 type: string
133 defaultEndpointToHostAction:
134 description: 'DefaultEndpointToHostAction controls what happens to
135 traffic that goes from a workload endpoint to the host itself (after
136 the traffic hits the endpoint egress policy). By default Calico
137 blocks traffic from workload endpoints to the host itself with an
138 iptables “DROP” action. If you want to allow some or all traffic
139 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
140 RETURN if you have your own rules in the iptables “INPUT” chain;
141 Calico will insert its rules at the top of that chain, then “RETURN”
142 packets to the “INPUT” chain once it has completed processing workload
143 endpoint egress policy. Use ACCEPT to unconditionally accept packets
144 from workloads after processing workload endpoint egress policy; such packets skip every remaining rule in the “INPUT” chain, so prefer RETURN if the host carries its own filtering there.
145 [Default: Drop]'
146 type: string
147 deviceRouteProtocol:
148 description: This defines the route protocol added to programmed device
149 routes, by default this will be RTPROT_BOOT when left blank.
150 type: integer
151 deviceRouteSourceAddress:
152 description: This is the source address to use on programmed device
153 routes. By default the source address is left blank, leaving the
154 kernel to choose the source address used.
155 type: string
156 disableConntrackInvalidCheck:
157 type: boolean
158 endpointReportingDelay:
159 type: string
160 endpointReportingEnabled:
161 type: boolean
162 externalNodesList:
163 description: ExternalNodesCIDRList is a list of CIDRs of external, non-Calico nodes
164 which may source tunnel traffic and have the tunneled traffic be
165 accepted at Calico nodes. Keep it limited to hosts you trust to originate encapsulated traffic.
166 items:
167 type: string
168 type: array
169 failsafeInboundHostPorts:
170 description: 'FailsafeInboundHostPorts is a list of
171 UDP/TCP ports that Felix will allow incoming traffic to host endpoints
172 on irrespective of the security policy. This is useful to avoid
173 accidentally cutting off a host with incorrect configuration. In this resource each
174 entry is an object with a protocol ("tcp" or "udp") and a port number; the
175 comma-delimited "tcp:<port-number>" string form and the value "none" belong to Felix''s environment/config-file format and do not validate against this schema.
176 To disable all inbound host ports, set an empty list. These ports stay open regardless of host endpoint policy, so review the
177 defaults before exposing a node. The default value allows ssh access and DHCP. [Default: tcp:22,
178 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
179 items:
180 description: ProtoPort is combination of protocol and port, both
181 must be specified.
182 properties:
183 port:
184 type: integer
185 protocol:
186 type: string
187 required:
188 - port
189 - protocol
190 type: object
191 type: array
192 failsafeOutboundHostPorts:
193 description: 'FailsafeOutboundHostPorts is a list
194 of UDP/TCP ports that Felix will allow outgoing traffic from host
195 endpoints to irrespective of the security policy. This is useful
196 to avoid accidentally cutting off a host with incorrect configuration.
197 In this resource each entry is an object with a protocol ("tcp" or "udp") and a port number; the
198 comma-delimited "tcp:<port-number>" string form and the value "none" belong to Felix''s environment/config-file format and do not validate against this schema.
199 To disable all outbound host ports, set an empty list.
200 The default value opens etcd’s standard ports to ensure that Felix
201 does not get cut off from etcd as well as allowing DHCP and DNS; these ports bypass host endpoint egress policy, so trim the list if the host does not need them.
202 [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
203 udp:53, udp:67]'
204 items:
205 description: ProtoPort is combination of protocol and port, both
206 must be specified.
207 properties:
208 port:
209 type: integer
210 protocol:
211 type: string
212 required:
213 - port
214 - protocol
215 type: object
216 type: array
217 featureDetectOverride:
218 description: FeatureDetectOverride is used to override the feature
219 detection. Values are specified in a comma separated list with no
220 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
221 "true" or "false" will force the feature, empty or omitted values
222 are auto-detected.
223 type: string
224 genericXDPEnabled:
225 description: 'GenericXDPEnabled enables Generic XDP so network cards
226 that don''t support XDP offload or driver modes can use XDP. This
227 is not recommended since it doesn''t provide better performance
228 than iptables. [Default: false]'
229 type: boolean
230 healthEnabled:
231 type: boolean
232 healthHost:
233 type: string
234 healthPort:
235 type: integer
236 interfaceExclude:
237 description: 'InterfaceExclude is a comma-separated list of interfaces
238 that Felix should exclude when monitoring for host endpoints. The
239 default value ensures that Felix ignores Kubernetes'' IPVS dummy
240 interface, which is used internally by kube-proxy. If you want to
241 exclude multiple interface names using a single value, the list
242 supports regular expressions. For regular expressions you must wrap
243 the value with ''/''. For example having values ''/^kube/,veth1''
244 will exclude all interfaces that begin with ''kube'' and also the
245 interface ''veth1''. [Default: kube-ipvs0]'
246 type: string
247 interfacePrefix:
248 description: 'InterfacePrefix is the interface name prefix that identifies
249 workload endpoints and so distinguishes them from host endpoint
250 interfaces. Note: in environments other than bare metal, the orchestrators
251 configure this appropriately. For example our Kubernetes and Docker
252 integrations set the ‘cali’ value, and our OpenStack integration
253 sets the ‘tap’ value. [Default: cali]'
254 type: string
255 interfaceRefreshInterval:
256 description: InterfaceRefreshInterval is the period at which Felix
257 rescans local interfaces to verify their state. The rescan can be
258 disabled by setting the interval to 0.
259 type: string
260 ipipEnabled:
261 type: boolean
262 ipipMTU:
263 description: 'IPIPMTU is the MTU to set on the tunnel device. See
264 Configuring MTU [Default: 1440]'
265 type: integer
266 ipsetsRefreshInterval:
267 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
268 the IP sets in the dataplane to ensure that no other process has accidentally
269 broken Calico’s rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to a higher value to reduce Felix CPU usage. [Default:
270 10s]'
271 type: string
272 iptablesBackend:
273 description: IptablesBackend specifies which backend of iptables will
274 be used. The default is legacy.
275 type: string
276 iptablesFilterAllowAction:
277 type: string
278 iptablesLockFilePath:
279 description: 'IptablesLockFilePath is the location of the iptables
280 lock file. You may need to change this if the lock file is not in
281 its standard location (for example if you have mapped it into Felix’s
282 container at a different path). [Default: /run/xtables.lock]'
283 type: string
284 iptablesLockProbeInterval:
285 description: 'IptablesLockProbeInterval is the time that Felix will
286 wait between attempts to acquire the iptables lock if it is not
287 available. Lower values make Felix more responsive when the lock
288 is contended, but use more CPU. [Default: 50ms]'
289 type: string
290 iptablesLockTimeout:
291 description: 'IptablesLockTimeout is the time that Felix will wait
292 for the iptables lock, or 0, to disable. To use this feature, Felix
293 must share the iptables lock file with all other processes that
294 also take the lock. When running Felix inside a container, this
295 requires the /run directory of the host to be mounted into the calico/node
296 or calico/felix container. [Default: 0s disabled]'
297 type: string
298 iptablesMangleAllowAction:
299 type: string
300 iptablesMarkMask:
301 description: 'IptablesMarkMask is the mask that Felix selects its
302 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
303 at least 8 bits set, none of which clash with any other mark bits
304 in use on the system. Note: this schema declares the field with format int32, so a mask with the top bit set (including the documented default 0xff000000) may be rejected by API-server validation; confirm before relying on such a value. [Default: 0xff000000]'
305 format: int32
306 type: integer
307 iptablesNATOutgoingInterfaceFilter:
308 type: string
309 iptablesPostWriteCheckInterval:
310 description: 'IptablesPostWriteCheckInterval is the period after Felix
311 has done a write to the dataplane that it schedules an extra read
312 back in order to check the write was not clobbered by another process.
313 This should only occur if another application on the system doesn’t
314 respect the iptables lock. [Default: 1s]'
315 type: string
316 iptablesRefreshInterval:
317 description: 'IptablesRefreshInterval is the period at which Felix
318 re-checks all iptables state to ensure that no other process has
319 accidentally broken Calico’s rules. Set to 0 to disable iptables refresh.
320 [Default: 90s]'
325 type: string
326 ipv6Support:
327 type: boolean
328 kubeNodePortRanges:
329 description: 'KubeNodePortRanges holds list of port ranges used for
330 service node ports. Only used if felix detects kube-proxy running
331 in ipvs mode. Felix uses these ranges to separate host and workload
332 traffic. [Default: 30000:32767].'
333 items:
334 anyOf:
335 - type: integer
336 - type: string
337 pattern: ^.*
338 x-kubernetes-int-or-string: true
339 type: array
340 logFilePath:
341 description: 'LogFilePath is the full path to the Felix log. Set to
342 none to disable file logging. [Default: /var/log/calico/felix.log]'
343 type: string
344 logPrefix:
345 description: 'LogPrefix is the log prefix that Felix uses when rendering
346 LOG rules. [Default: calico-packet]'
347 type: string
348 logSeverityFile:
349 description: 'LogSeverityFile is the log severity above which logs
350 are sent to the log file. [Default: Info]'
351 type: string
352 logSeverityScreen:
353 description: 'LogSeverityScreen is the log severity above which logs
354 are sent to the stdout. [Default: Info]'
355 type: string
356 logSeveritySys:
357 description: 'LogSeveritySys is the log severity above which logs
358 are sent to the syslog. Set to None for no logging to syslog. [Default:
359 Info]'
360 type: string
361 maxIpsetSize:
362 type: integer
363 metadataAddr:
364 description: 'MetadataAddr is the IP address or domain name of the
365 server that can answer VM queries for cloud-init metadata. In OpenStack,
366 this corresponds to the machine running nova-api (or in Ubuntu,
367 nova-api-metadata). A value of none (case insensitive) means that
368 Felix should not set up any NAT rule for the metadata path. [Default:
369 127.0.0.1]'
370 type: string
371 metadataPort:
372 description: 'MetadataPort is the port of the metadata server. This,
373 combined with global.MetadataAddr (if not ‘None’), is used to set
374 up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
375 In most cases this should not need to be changed [Default: 8775].'
376 type: integer
377 natOutgoingAddress:
378 description: NATOutgoingAddress specifies an address to use when performing
379 source NAT for traffic in a natOutgoing pool that is leaving the
380 network. By default the address used is an address on the interface
381 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
382 type: string
383 natPortRange:
384 anyOf:
385 - type: integer
386 - type: string
387 description: NATPortRange specifies the range of ports that is used
388 for port mapping when doing outgoing NAT. When unset the default
389 behavior of the network stack is used.
390 pattern: ^.*
391 x-kubernetes-int-or-string: true
392 netlinkTimeout:
393 type: string
394 openstackRegion:
395 description: 'OpenstackRegion is the name of the region that a particular
396 Felix belongs to. In a multi-region Calico/OpenStack deployment,
397 this must be configured somehow for each Felix (here in the datamodel,
398 or in felix.cfg or the environment on each compute node), and must
399 match the [calico] openstack_region value configured in neutron.conf
400 on each node. [Default: Empty]'
401 type: string
402 policySyncPathPrefix:
403 description: 'PolicySyncPathPrefix is used by Felix to communicate
404 policy changes to external services, like Application layer policy.
405 [Default: Empty]'
406 type: string
407 prometheusGoMetricsEnabled:
408 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
409 collection, which the Prometheus client does by default, when set
410 to false. This reduces the number of metrics reported, reducing
411 Prometheus load. [Default: true]'
412 type: boolean
413 prometheusMetricsEnabled:
414 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
415 server in Felix if set to true. [Default: false]'
416 type: boolean
417 prometheusMetricsHost:
418 description: 'PrometheusMetricsHost is the host that the Prometheus
419 metrics server should bind to. An empty value leaves the bind address unspecified (typically all interfaces); set an explicit address such as 127.0.0.1 if the metrics endpoint must not be reachable from off the host. [Default: empty]'
420 type: string
421 prometheusMetricsPort:
422 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
423 metrics server should bind to. [Default: 9091]'
424 type: integer
425 prometheusProcessMetricsEnabled:
426 description: 'PrometheusProcessMetricsEnabled disables process metrics
427 collection, which the Prometheus client does by default, when set
428 to false. This reduces the number of metrics reported, reducing
429 Prometheus load. [Default: true]'
430 type: boolean
431 removeExternalRoutes:
432 description: Whether or not to remove device routes that have not
433 been programmed by Felix. Disabling this will allow external applications
434 to also add device routes. This is enabled by default which means
435 we will remove externally added routes.
436 type: boolean
437 reportingInterval:
438 description: 'ReportingInterval is the interval at which Felix reports
439 its status into the datastore or 0 to disable. Must be non-zero
440 in OpenStack deployments. [Default: 30s]'
441 type: string
442 reportingTTL:
443 description: 'ReportingTTL is the time-to-live setting for process-wide
444 status reports. [Default: 90s]'
445 type: string
446 routeRefreshInterval:
447 description: 'RouteRefreshInterval is the period at which Felix re-checks
448 the routes in the dataplane to ensure that no other process has
449 accidentally broken Calico’s rules. Set to 0 to disable route refresh.
450 [Default: 90s]'
451 type: string
452 routeSource:
453 description: 'RouteSource configures where Felix gets its routing
454 information. - WorkloadIPs: use workload endpoints to construct
455 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
456 type: string
457 routeTableRange:
458 description: Calico programs additional Linux route tables for various
459 purposes. RouteTableRange specifies the indices of the route tables
460 that Calico should use.
461 properties:
462 max:
463 type: integer
464 min:
465 type: integer
466 required:
467 - max
468 - min
469 type: object
470 sidecarAccelerationEnabled:
471 description: 'SidecarAccelerationEnabled enables experimental sidecar
472 acceleration [Default: false]'
473 type: boolean
474 usageReportingEnabled:
475 description: 'UsageReportingEnabled reports anonymous Calico version
476 number and cluster size to projectcalico.org and logs any warning returned
477 by the usage server, for example a notice that a significant security vulnerability
478 has been discovered in the running Calico version. Disable it on clusters that must not make outbound connections to the internet. [Default:
479 true]'
480 type: boolean
481 usageReportingInitialDelay:
482 description: 'UsageReportingInitialDelay controls the minimum delay
483 before Felix makes a report. [Default: 300s]'
484 type: string
485 usageReportingInterval:
486 description: 'UsageReportingInterval controls the interval at which
487 Felix makes reports. [Default: 86400s]'
488 type: string
489 useInternalDataplaneDriver:
490 type: boolean
491 vxlanEnabled:
492 type: boolean
493 vxlanMTU:
494 description: 'VXLANMTU is the MTU to set on the tunnel device. See
495 Configuring MTU [Default: 1440]'
496 type: integer
497 vxlanPort:
498 type: integer
499 vxlanVNI:
500 type: integer
501 wireguardEnabled:
502 description: 'WireguardEnabled controls whether Wireguard is enabled.
503 [Default: false]'
504 type: boolean
505 wireguardInterfaceName:
506 description: 'WireguardInterfaceName specifies the name to use for
507 the Wireguard interface. [Default: wg.calico]'
508 type: string
509 wireguardListeningPort:
510 description: 'WireguardListeningPort controls the listening port used
511 by Wireguard. [Default: 51820]'
512 type: integer
513 wireguardMTU:
514 description: 'WireguardMTU controls the MTU on the Wireguard interface.
515 See Configuring MTU [Default: 1420]'
516 type: integer
517 wireguardRoutingRulePriority:
518 description: 'WireguardRoutingRulePriority controls the priority value
519 to use for the Wireguard routing rule. [Default: 99]'
520 type: integer
521 xdpEnabled:
522 description: 'XDPEnabled enables XDP acceleration for suitable untracked
523 incoming deny rules. [Default: true]'
524 type: boolean
525 xdpRefreshInterval:
526 description: 'XDPRefreshInterval is the period at which Felix re-checks
527 all XDP state to ensure that no other process has accidentally broken
528 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
529 refresh. [Default: 90s]'
530 type: string
531 type: object
532 type: object
533 served: true
534 storage: true
535status:
536 acceptedNames:
537 kind: ""
538 plural: ""
539 conditions: []
540 storedVersions: []