
Text file src/k8s.io/kubernetes/cluster/addons/calico-policy-controller/felixconfigurations-crd.yaml


     1apiVersion: apiextensions.k8s.io/v1
     2kind: CustomResourceDefinition
     3metadata:
     4  labels:
     5    addonmanager.kubernetes.io/mode: Reconcile
     6  name: felixconfigurations.crd.projectcalico.org
     7spec:
     8  group: crd.projectcalico.org
     9  names:
    10    kind: FelixConfiguration
    11    listKind: FelixConfigurationList
    12    plural: felixconfigurations
    13    singular: felixconfiguration
    14  scope: Cluster
    15  versions:
    16  - name: v1
    17    schema:
    18      openAPIV3Schema:
    19        description: Felix Configuration contains the configuration for Felix.
    20        properties:
    21          apiVersion:
    22            description: 'APIVersion defines the versioned schema of this representation
    23              of an object. Servers should convert recognized schemas to the latest
    24              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    25            type: string
    26          kind:
    27            description: 'Kind is a string value representing the REST resource this
    28              object represents. Servers may infer this from the endpoint the client
    29              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    30            type: string
    31          metadata:
    32            type: object
    33          spec:
    34            description: FelixConfigurationSpec contains the values of the Felix configuration.
    35            properties:
    36              allowIPIPPacketsFromWorkloads:
    37                description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
    38                  will add a rule to drop IPIP encapsulated traffic from workloads
    39                  [Default: false]'
    40                type: boolean
    41              allowVXLANPacketsFromWorkloads:
    42                description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
    43                  will add a rule to drop VXLAN encapsulated traffic from workloads
    44                  [Default: false]'
    45                type: boolean
    46              awsSrcDstCheck:
    47                description: 'Set source-destination-check on AWS EC2 instances. Accepted
    48                  value must be one of "DoNothing", "Enable" or "Disable". [Default:
    49                  DoNothing]'
    50                enum:
    51                - DoNothing
    52                - Enable
    53                - Disable
    54                type: string
    55              bpfConnectTimeLoadBalancingEnabled:
    56                description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
    57                  controls whether Felix installs the connection-time load balancer.  The
    58                  connect-time load balancer is required for the host to be able to
    59                  reach Kubernetes services and it improves the performance of pod-to-service
    60                  connections.  The only reason to disable it is for debugging purposes.  [Default:
    61                  true]'
    62                type: boolean
    63              bpfDataIfacePattern:
    64                description: 'BPFDataIfacePattern is a regular expression that controls
    65                  which interfaces Felix should attach BPF programs to in order to
    66                  catch traffic to/from the network.  This needs to match the interfaces
    67                  that Calico workload traffic flows over as well as any interfaces
    68                  that handle incoming traffic to nodeports and services from outside
    69                  the cluster.  It should not match the workload interfaces (usually
    70                  named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
    71                type: string
    72              bpfDisableUnprivileged:
    73                description: 'BPFDisableUnprivileged, if enabled, causes Felix to set the kernel.unprivileged_bpf_disabled
    74                  sysctl to disable unprivileged use of BPF.  This ensures that unprivileged
    75                  users cannot access Calico''s BPF maps and cannot insert their own
    76                  BPF programs to interfere with Calico''s. [Default: true]'
    77                type: boolean
    78              bpfEnabled:
    79                description: 'BPFEnabled, if enabled, makes Felix use the BPF dataplane.
    80                  [Default: false]'
    81                type: boolean
    82              bpfExternalServiceMode:
    83                description: 'BPFExternalServiceMode in BPF mode, controls how connections
    84                  from outside the cluster to services (node ports and cluster IPs)
    85                  are forwarded to remote workloads.  If set to "Tunnel" then both
    86                  request and response traffic is tunneled to the remote node.  If
    87                  set to "DSR", the request traffic is tunneled but the response traffic
    88                  is sent directly from the remote node.  In "DSR" mode, the remote
    89                  node appears to use the IP of the ingress node; this requires a
    90                  permissive L2 network.  [Default: Tunnel]'
    91                type: string
    92              bpfKubeProxyEndpointSlicesEnabled:
    93                description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
    94                  whether Felix's embedded kube-proxy accepts EndpointSlices or not.
    95                type: boolean
    96              bpfKubeProxyIptablesCleanupEnabled:
    97                description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
    98                  mode, makes Felix proactively clean up the upstream Kubernetes kube-proxy''s
    99                  iptables chains.  It should only be enabled if kube-proxy is not running.  [Default:
   100                  true]'
   101                type: boolean
   102              bpfKubeProxyMinSyncPeriod:
   103                description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
   104                  minimum time between updates to the dataplane for Felix''s embedded
   105                  kube-proxy.  Lower values give reduced set-up latency.  Higher values
   106                  reduce Felix CPU usage by batching up more work.  [Default: 1s]'
   107                type: string
   108              bpfLogLevel:
   109                description: 'BPFLogLevel controls the log level of the BPF programs
   110                  when in BPF dataplane mode.  One of "Off", "Info", or "Debug".  The
   111                  logs are emitted to the BPF trace pipe, accessible with the command
   112                  `tc exec bpf debug`. [Default: Off].'
   113                type: string
   114              chainInsertMode:
   115                description: 'ChainInsertMode controls whether Felix hooks the kernel’s
   116                  top-level iptables chains by inserting a rule at the top of the
   117                  chain or by appending a rule at the bottom. insert is the safe default
   118                  since it prevents Calico’s rules from being bypassed. If you switch
   119                  to append mode, be sure that the other rules in the chains signal
   120                  acceptance by falling through to the Calico rules, otherwise the
   121                  Calico policy will be bypassed. [Default: insert]'
   122                type: string
   123              dataplaneDriver:
   124                type: string
   125              debugDisableLogDropping:
   126                type: boolean
   127              debugMemoryProfilePath:
   128                type: string
   129              debugSimulateCalcGraphHangAfter:
   130                type: string
   131              debugSimulateDataplaneHangAfter:
   132                type: string
   133              defaultEndpointToHostAction:
   134                description: 'DefaultEndpointToHostAction controls what happens to
   135                  traffic that goes from a workload endpoint to the host itself (after
   136                  the traffic hits the endpoint egress policy). By default Calico
   137                  blocks traffic from workload endpoints to the host itself with an
   138                  iptables “DROP” action. If you want to allow some or all traffic
   139                  from endpoint to host, set this parameter to RETURN or ACCEPT. Use
   140                  RETURN if you have your own rules in the iptables “INPUT” chain;
   141                  Calico will insert its rules at the top of that chain, then “RETURN”
   142                  packets to the “INPUT” chain once it has completed processing workload
   143                  endpoint egress policy. Use ACCEPT to unconditionally accept packets
   144                  from workloads after processing workload endpoint egress policy.
   145                  [Default: Drop]'
   146                type: string
   147              deviceRouteProtocol:
   148                description: This defines the route protocol added to programmed device
   149                  routes, by default this will be RTPROT_BOOT when left blank.
   150                type: integer
   151              deviceRouteSourceAddress:
   152                description: This is the source address to use on programmed device
   153                  routes. By default the source address is left blank, leaving the
   154                  kernel to choose the source address used.
   155                type: string
   156              disableConntrackInvalidCheck:
   157                type: boolean
   158              endpointReportingDelay:
   159                type: string
   160              endpointReportingEnabled:
   161                type: boolean
   162              externalNodesList:
   163                description: ExternalNodesCIDRList is a list of CIDRs of external non-Calico
   164                  nodes which may source tunnel traffic and have the tunneled traffic
   165                  be accepted at Calico nodes.
   166                items:
   167                  type: string
   168                type: array
   169              failsafeInboundHostPorts:
   170                description: 'FailsafeInboundHostPorts is a comma-delimited list of
   171                  UDP/TCP ports that Felix will allow incoming traffic to host endpoints
   172                  on irrespective of the security policy. This is useful to avoid
   173                  accidentally cutting off a host with incorrect configuration. Each
   174                  port should be specified as tcp:<port-number> or udp:<port-number>.
   175                  For back-compatibility, if the protocol is not specified, it defaults
   176                  to “tcp”. To disable all inbound host ports, use the value none.
   177                  The default value allows ssh access and DHCP. [Default: tcp:22,
   178                  udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
   179                items:
   180                  description: ProtoPort is a combination of protocol and port; both
   181                    must be specified.
   182                  properties:
   183                    port:
   184                      type: integer
   185                    protocol:
   186                      type: string
   187                  required:
   188                  - port
   189                  - protocol
   190                  type: object
   191                type: array
   192              failsafeOutboundHostPorts:
   193                description: 'FailsafeOutboundHostPorts is a comma-delimited list
   194                  of UDP/TCP ports that Felix will allow outgoing traffic from host
   195                  endpoints to irrespective of the security policy. This is useful
   196                  to avoid accidentally cutting off a host with incorrect configuration.
   197                  Each port should be specified as tcp:<port-number> or udp:<port-number>.
   198                  For back-compatibility, if the protocol is not specified, it defaults
   199                  to “tcp”. To disable all outbound host ports, use the value none.
   200                  The default value opens etcd’s standard ports to ensure that Felix
   201                  does not get cut off from etcd as well as allowing DHCP and DNS.
   202                  [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
   203                  udp:53, udp:67]'
   204                items:
   205                  description: ProtoPort is a combination of protocol and port; both
   206                    must be specified.
   207                  properties:
   208                    port:
   209                      type: integer
   210                    protocol:
   211                      type: string
   212                  required:
   213                  - port
   214                  - protocol
   215                  type: object
   216                type: array
   217              featureDetectOverride:
   218                description: FeatureDetectOverride is used to override the feature
   219                  detection. Values are specified in a comma-separated list with no
   220                  spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
   221                  "true" or "false" will force the feature; empty or omitted values
   222                  are auto-detected.
   223                type: string
   224              genericXDPEnabled:
   225                description: 'GenericXDPEnabled enables Generic XDP so network cards
   226                  that don''t support XDP offload or driver modes can use XDP. This
   227                  is not recommended since it doesn''t provide better performance
   228                  than iptables. [Default: false]'
   229                type: boolean
   230              healthEnabled:
   231                type: boolean
   232              healthHost:
   233                type: string
   234              healthPort:
   235                type: integer
   236              interfaceExclude:
   237                description: 'InterfaceExclude is a comma-separated list of interfaces
   238                  that Felix should exclude when monitoring for host endpoints. The
   239                  default value ensures that Felix ignores Kubernetes'' IPVS dummy
   240                  interface, which is used internally by kube-proxy. If you want to
   241                  exclude multiple interface names using a single value, the list
   242                  supports regular expressions. For regular expressions you must wrap
   243                  the value with ''/''. For example having values ''/^kube/,veth1''
   244                  will exclude all interfaces that begin with ''kube'' and also the
   245                  interface ''veth1''. [Default: kube-ipvs0]'
   246                type: string
   247              interfacePrefix:
   248                description: 'InterfacePrefix is the interface name prefix that identifies
   249                  workload endpoints and so distinguishes them from host endpoint
   250                  interfaces. Note: in environments other than bare metal, the orchestrators
   251                  configure this appropriately. For example our Kubernetes and Docker
   252                  integrations set the ‘cali’ value, and our OpenStack integration
   253                  sets the ‘tap’ value. [Default: cali]'
   254                type: string
   255              interfaceRefreshInterval:
   256                description: InterfaceRefreshInterval is the period at which Felix
   257                  rescans local interfaces to verify their state. The rescan can be
   258                  disabled by setting the interval to 0.
   259                type: string
   260              ipipEnabled:
   261                type: boolean
   262              ipipMTU:
   263                description: 'IPIPMTU is the MTU to set on the tunnel device. See
   264                  Configuring MTU [Default: 1440]'
   265                type: integer
   266              ipsetsRefreshInterval:
   267                description: 'IpsetsRefreshInterval is the period at which Felix re-checks
   268                  all iptables state to ensure that no other process has accidentally
   269                  broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:
   270                  90s]'
   271                type: string
   272              iptablesBackend:
   273                description: IptablesBackend specifies which backend of iptables will
   274                  be used. The default is legacy.
   275                type: string
   276              iptablesFilterAllowAction:
   277                type: string
   278              iptablesLockFilePath:
   279                description: 'IptablesLockFilePath is the location of the iptables
   280                  lock file. You may need to change this if the lock file is not in
   281                  its standard location (for example if you have mapped it into Felix’s
   282                  container at a different path). [Default: /run/xtables.lock]'
   283                type: string
   284              iptablesLockProbeInterval:
   285                description: 'IptablesLockProbeInterval is the time that Felix will
   286                  wait between attempts to acquire the iptables lock if it is not
   287                  available. Lower values make Felix more responsive when the lock
   288                  is contended, but use more CPU. [Default: 50ms]'
   289                type: string
   290              iptablesLockTimeout:
   291                description: 'IptablesLockTimeout is the time that Felix will wait
   292                  for the iptables lock, or 0, to disable. To use this feature, Felix
   293                  must share the iptables lock file with all other processes that
   294                  also take the lock. When running Felix inside a container, this
   295                  requires the /run directory of the host to be mounted into the calico/node
   296                  or calico/felix container. [Default: 0s disabled]'
   297                type: string
   298              iptablesMangleAllowAction:
   299                type: string
   300              iptablesMarkMask:
   301                description: 'IptablesMarkMask is the mask that Felix selects its
   302                  IPTables Mark bits from. Should be a 32 bit hexadecimal number with
   303                  at least 8 bits set, none of which clash with any other mark bits
   304                  in use on the system. [Default: 0xff000000]'
   305                format: int32
   306                type: integer
   307              iptablesNATOutgoingInterfaceFilter:
   308                type: string
   309              iptablesPostWriteCheckInterval:
   310                description: 'IptablesPostWriteCheckInterval is the period after Felix
   311                  has done a write to the dataplane that it schedules an extra read
   312                  back in order to check the write was not clobbered by another process.
   313                  This should only occur if another application on the system doesn’t
   314                  respect the iptables lock. [Default: 1s]'
   315                type: string
   316              iptablesRefreshInterval:
   317                description: 'IptablesRefreshInterval is the period at which Felix
   318                  re-checks the IP sets in the dataplane to ensure that no other process
   319                  has accidentally broken Calico’s rules. Set to 0 to disable IP sets
   320                  refresh. Note: the default for this value is lower than the other
   321                  refresh intervals as a workaround for a Linux kernel bug that was
   322                  fixed in kernel version 4.11. If you are using v4.11 or greater
   323                  you may want to set this to a higher value to reduce Felix CPU
   324                  usage. [Default: 10s]'
   325                type: string
   326              ipv6Support:
   327                type: boolean
   328              kubeNodePortRanges:
   329                description: 'KubeNodePortRanges holds list of port ranges used for
   330                  service node ports. Only used if felix detects kube-proxy running
   331                  in ipvs mode. Felix uses these ranges to separate host and workload
   332                  traffic. [Default: 30000:32767].'
   333                items:
   334                  anyOf:
   335                  - type: integer
   336                  - type: string
   337                  pattern: ^.*
   338                  x-kubernetes-int-or-string: true
   339                type: array
   340              logFilePath:
   341                description: 'LogFilePath is the full path to the Felix log. Set to
   342                  none to disable file logging. [Default: /var/log/calico/felix.log]'
   343                type: string
   344              logPrefix:
   345                description: 'LogPrefix is the log prefix that Felix uses when rendering
   346                  LOG rules. [Default: calico-packet]'
   347                type: string
   348              logSeverityFile:
   349                description: 'LogSeverityFile is the log severity above which logs
   350                  are sent to the log file. [Default: Info]'
   351                type: string
   352              logSeverityScreen:
   353                description: 'LogSeverityScreen is the log severity above which logs
   354                  are sent to the stdout. [Default: Info]'
   355                type: string
   356              logSeveritySys:
   357                description: 'LogSeveritySys is the log severity above which logs
   358                  are sent to the syslog. Set to None for no logging to syslog. [Default:
   359                  Info]'
   360                type: string
   361              maxIpsetSize:
   362                type: integer
   363              metadataAddr:
   364                description: 'MetadataAddr is the IP address or domain name of the
   365                  server that can answer VM queries for cloud-init metadata. In OpenStack,
   366                  this corresponds to the machine running nova-api (or in Ubuntu,
   367                  nova-api-metadata). A value of none (case insensitive) means that
   368                  Felix should not set up any NAT rule for the metadata path. [Default:
   369                  127.0.0.1]'
   370                type: string
   371              metadataPort:
   372                description: 'MetadataPort is the port of the metadata server. This,
   373                  combined with global.MetadataAddr (if not ‘None’), is used to set
   374                  up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
   375                  In most cases this should not need to be changed [Default: 8775].'
   376                type: integer
   377              natOutgoingAddress:
   378                description: NATOutgoingAddress specifies an address to use when performing
   379                  source NAT for traffic in a natOutgoing pool that is leaving the
   380                  network. By default the address used is an address on the interface
   381                  the traffic is leaving on (i.e. it uses the iptables MASQUERADE target).
   382                type: string
   383              natPortRange:
   384                anyOf:
   385                - type: integer
   386                - type: string
   387                description: NATPortRange specifies the range of ports that is used
   388                  for port mapping when doing outgoing NAT. When unset the default
   389                  behavior of the network stack is used.
   390                pattern: ^.*
   391                x-kubernetes-int-or-string: true
   392              netlinkTimeout:
   393                type: string
   394              openstackRegion:
   395                description: 'OpenstackRegion is the name of the region that a particular
   396                  Felix belongs to. In a multi-region Calico/OpenStack deployment,
   397                  this must be configured somehow for each Felix (here in the datamodel,
   398                  or in felix.cfg or the environment on each compute node), and must
   399                  match the [calico] openstack_region value configured in neutron.conf
   400                  on each node. [Default: Empty]'
   401                type: string
   402              policySyncPathPrefix:
   403                description: 'PolicySyncPathPrefix is used by Felix to communicate
   404                  policy changes to external services, like Application layer policy.
   405                  [Default: Empty]'
   406                type: string
   407              prometheusGoMetricsEnabled:
   408                description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
   409                  collection, which the Prometheus client does by default, when set
   410                  to false. This reduces the number of metrics reported, reducing
   411                  Prometheus load. [Default: true]'
   412                type: boolean
   413              prometheusMetricsEnabled:
   414                description: 'PrometheusMetricsEnabled enables the Prometheus metrics
   415                  server in Felix if set to true. [Default: false]'
   416                type: boolean
   417              prometheusMetricsHost:
   418                description: 'PrometheusMetricsHost is the host that the Prometheus
   419                  metrics server should bind to. [Default: empty]'
   420                type: string
   421              prometheusMetricsPort:
   422                description: 'PrometheusMetricsPort is the TCP port that the Prometheus
   423                  metrics server should bind to. [Default: 9091]'
   424                type: integer
   425              prometheusProcessMetricsEnabled:
   426                description: 'PrometheusProcessMetricsEnabled disables process metrics
   427                  collection, which the Prometheus client does by default, when set
   428                  to false. This reduces the number of metrics reported, reducing
   429                  Prometheus load. [Default: true]'
   430                type: boolean
   431              removeExternalRoutes:
   432                description: Whether or not to remove device routes that have not
   433                  been programmed by Felix. Disabling this will allow external applications
   434                  to also add device routes. This is enabled by default which means
   435                  we will remove externally added routes.
   436                type: boolean
   437              reportingInterval:
   438                description: 'ReportingInterval is the interval at which Felix reports
   439                  its status into the datastore or 0 to disable. Must be non-zero
   440                  in OpenStack deployments. [Default: 30s]'
   441                type: string
   442              reportingTTL:
   443                description: 'ReportingTTL is the time-to-live setting for process-wide
   444                  status reports. [Default: 90s]'
   445                type: string
   446              routeRefreshInterval:
   447                description: 'RouteRefreshInterval is the period at which Felix re-checks
   448                  the routes in the dataplane to ensure that no other process has
   449                  accidentally broken Calico’s rules. Set to 0 to disable route refresh.
   450                  [Default: 90s]'
   451                type: string
   452              routeSource:
   453                description: 'RouteSource configures where Felix gets its routing
   454                  information. - WorkloadIPs: use workload endpoints to construct
   455                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
   456                type: string
   457              routeTableRange:
   458                description: Calico programs additional Linux route tables for various
   459                  purposes.  RouteTableRange specifies the indices of the route tables
   460                  that Calico should use.
   461                properties:
   462                  max:
   463                    type: integer
   464                  min:
   465                    type: integer
   466                required:
   467                - max
   468                - min
   469                type: object
   470              sidecarAccelerationEnabled:
   471                description: 'SidecarAccelerationEnabled enables experimental sidecar
   472                  acceleration [Default: false]'
   473                type: boolean
   474              usageReportingEnabled:
   475                description: 'UsageReportingEnabled reports anonymous Calico version
   476                  number and cluster size to projectcalico.org. Logs warnings returned
   477                  by the usage server. For example, if a significant security vulnerability
   478                  has been discovered in the version of Calico being used. [Default:
   479                  true]'
   480                type: boolean
   481              usageReportingInitialDelay:
   482                description: 'UsageReportingInitialDelay controls the minimum delay
   483                  before Felix makes a report. [Default: 300s]'
   484                type: string
   485              usageReportingInterval:
   486                description: 'UsageReportingInterval controls the interval at which
   487                  Felix makes reports. [Default: 86400s]'
   488                type: string
   489              useInternalDataplaneDriver:
   490                type: boolean
   491              vxlanEnabled:
   492                type: boolean
   493              vxlanMTU:
   494                description: 'VXLANMTU is the MTU to set on the tunnel device. See
   495                  Configuring MTU [Default: 1440]'
   496                type: integer
   497              vxlanPort:
   498                type: integer
   499              vxlanVNI:
   500                type: integer
   501              wireguardEnabled:
   502                description: 'WireguardEnabled controls whether Wireguard is enabled.
   503                  [Default: false]'
   504                type: boolean
   505              wireguardInterfaceName:
   506                description: 'WireguardInterfaceName specifies the name to use for
   507                  the Wireguard interface. [Default: wg.calico]'
   508                type: string
   509              wireguardListeningPort:
   510                description: 'WireguardListeningPort controls the listening port used
   511                  by Wireguard. [Default: 51820]'
   512                type: integer
   513              wireguardMTU:
   514                description: 'WireguardMTU controls the MTU on the Wireguard interface.
   515                  See Configuring MTU [Default: 1420]'
   516                type: integer
   517              wireguardRoutingRulePriority:
   518                description: 'WireguardRoutingRulePriority controls the priority value
   519                  to use for the Wireguard routing rule. [Default: 99]'
   520                type: integer
   521              xdpEnabled:
   522                description: 'XDPEnabled enables XDP acceleration for suitable untracked
   523                  incoming deny rules. [Default: true]'
   524                type: boolean
   525              xdpRefreshInterval:
   526                description: 'XDPRefreshInterval is the period at which Felix re-checks
   527                  all XDP state to ensure that no other process has accidentally broken
   528                  Calico''s BPF maps or attached programs. Set to 0 to disable XDP
   529                  refresh. [Default: 90s]'
   530                type: string
   531            type: object
   532        type: object
   533    served: true
   534    storage: true
   535status:
   536  acceptedNames:
   537    kind: ""
   538    plural: ""
   539  conditions: []
   540  storedVersions: []
