2 # Reference:https://docs.projectcalico.org/archive/v3.16/manifests/calico.yaml
3 # Source: calico/templates/calico-config.yaml
4 # This ConfigMap is used to configure a self-hosted Calico installation.
12 typha_service_name: "none"
13 # Configure the backend to use.
14 calico_backend: "bird"
15 # Configure the MTU to use for workload interfaces and tunnels.
16 # - If Wireguard is enabled, set to your network MTU - 60
17 # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
18 # - Otherwise, if IPIP is enabled, set to your network MTU - 20
19 # - Otherwise, if not using any encapsulation, set to your network MTU.
22 # The CNI network configuration to install on each node. The special
23 # values in this config will be automatically populated.
24 cni_network_config: |-
26 "name": "k8s-pod-network",
27 "cniVersion": "0.3.1",
32 "log_file_path": "/var/log/calico/cni/cni.log",
33 "datastore_type": "kubernetes",
34 "nodename": "__KUBERNETES_NODE_NAME__",
43 "kubeconfig": "__KUBECONFIG_FILEPATH__"
49 "capabilities": {"portMappings": true}
53 "capabilities": {"bandwidth": true}
59 # Source: calico/templates/kdd-crds.yaml
63 apiVersion: apiextensions.k8s.io/v1
64 kind: CustomResourceDefinition
67 controller-gen.kubebuilder.io/version: (devel)
68 creationTimestamp: null
69 name: bgpconfigurations.crd.projectcalico.org
71 group: crd.projectcalico.org
73 kind: BGPConfiguration
74 listKind: BGPConfigurationList
75 plural: bgpconfigurations
76 singular: bgpconfiguration
82 description: BGPConfiguration contains the configuration for any BGP routing.
85 description: 'APIVersion defines the versioned schema of this representation
86 of an object. Servers should convert recognized schemas to the latest
87 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
90 description: 'Kind is a string value representing the REST resource this
91 object represents. Servers may infer this from the endpoint the client
92 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
97 description: BGPConfigurationSpec contains the values of the BGP configuration.
100 description: 'ASNumber is the default AS number used by a node. [Default:
105 description: Communities is a list of BGP community values and their
106 arbitrary names for tagging routes.
108 description: Community contains standard or large community value
112 description: Name given to community value.
115 description: Value must be of format `aa:nn` or `aa:nn:mm`.
116 For standard community use `aa:nn` format, where `aa` and
117 `nn` are 16 bit number. For large community use `aa:nn:mm`
118 format, where `aa`, `nn` and `mm` are 32 bit number. Where,
119 `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
120 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
125 description: ListenPort is the port where BGP protocol should listen.
131 description: 'LogSeverityScreen is the log severity above which logs
132 are sent to the stdout. [Default: INFO]'
134 nodeToNodeMeshEnabled:
135 description: 'NodeToNodeMeshEnabled sets whether full node to node
136 BGP mesh is enabled. [Default: true]'
138 prefixAdvertisements:
139 description: PrefixAdvertisements contains per-prefix advertisement
142 description: PrefixAdvertisement configures advertisement properties
143 for the specified CIDR.
146 description: CIDR for which properties should be advertised.
149 description: Communities can be list of either community names
150 already defined in `Specs.Communities` or community value
151 of format `aa:nn` or `aa:nn:mm`. For standard community use
152 `aa:nn` format, where `aa` and `nn` are 16 bit number. For
153 large community use `aa:nn:mm` format, where `aa`, `nn` and
154 `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
155 `mm` are per-AS identifier.
162 description: ServiceClusterIPs are the CIDR blocks from which service
163 cluster IPs are allocated. If specified, Calico will advertise these
164 blocks, as well as any cluster IPs within them.
166 description: ServiceClusterIPBlock represents a single allowed ClusterIP
174 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
175 Service External IPs. Kubernetes Service ExternalIPs will only be
176 advertised if they are within one of these blocks.
178 description: ServiceExternalIPBlock represents a single allowed
179 External IP CIDR block.
199 apiVersion: apiextensions.k8s.io/v1
200 kind: CustomResourceDefinition
203 controller-gen.kubebuilder.io/version: (devel)
204 creationTimestamp: null
205 name: bgppeers.crd.projectcalico.org
207 group: crd.projectcalico.org
210 listKind: BGPPeerList
220 description: 'APIVersion defines the versioned schema of this representation
221 of an object. Servers should convert recognized schemas to the latest
222 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
225 description: 'Kind is a string value representing the REST resource this
226 object represents. Servers may infer this from the endpoint the client
227 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
232 description: BGPPeerSpec contains the specification for a BGPPeer resource.
235 description: The AS Number of the peer.
239 description: Option to keep the original nexthop field when routes
240 are sent to a BGP Peer. Setting "true" configures the selected BGP
241 Peers node to use the "next hop keep;" instead of "next hop self;"(default)
242 in the specific branch of the Node on "bird.cfg".
245 description: The node name identifying the Calico node instance that
246 is peering with this peer. If this is not set, this represents a
247 global peer, i.e. a peer that peers with every node in the deployment.
250 description: Selector for the nodes that should have this peering. When
251 this is set, the Node field must be empty.
254 description: The IP address of the peer followed by an optional port
255 number to peer with. If port number is given, format should be `[<IPv6>]:port`
256 or `<IPv4>:<port>` for IPv4. If optional port number is not set,
257 and this peer IP and ASNumber belongs to a calico/node with ListenPort
258 set in BGPConfiguration, then we use that port to peer.
261 description: Selector for the remote nodes to peer with. When this
262 is set, the PeerIP and ASNumber fields must be empty. For each
263 peering between the local node and selected remote nodes, we configure
264 an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
265 and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
266 remote AS number comes from the remote node’s NodeBGPSpec.ASNumber,
267 or the global default if that is not set.
286 apiVersion: apiextensions.k8s.io/v1
287 kind: CustomResourceDefinition
290 controller-gen.kubebuilder.io/version: (devel)
291 creationTimestamp: null
292 name: blockaffinities.crd.projectcalico.org
294 group: crd.projectcalico.org
297 listKind: BlockAffinityList
298 plural: blockaffinities
299 singular: blockaffinity
307 description: 'APIVersion defines the versioned schema of this representation
308 of an object. Servers should convert recognized schemas to the latest
309 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
312 description: 'Kind is a string value representing the REST resource this
313 object represents. Servers may infer this from the endpoint the client
314 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
319 description: BlockAffinitySpec contains the specification for a BlockAffinity
325 description: Deleted indicates that this block affinity is being deleted.
326 This field is a string for compatibility with older releases that
327 mistakenly treat this field as a string.
352 apiVersion: apiextensions.k8s.io/v1
353 kind: CustomResourceDefinition
356 controller-gen.kubebuilder.io/version: (devel)
357 creationTimestamp: null
358 name: clusterinformations.crd.projectcalico.org
360 group: crd.projectcalico.org
362 kind: ClusterInformation
363 listKind: ClusterInformationList
364 plural: clusterinformations
365 singular: clusterinformation
371 description: ClusterInformation contains the cluster specific information.
374 description: 'APIVersion defines the versioned schema of this representation
375 of an object. Servers should convert recognized schemas to the latest
376 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
379 description: 'Kind is a string value representing the REST resource this
380 object represents. Servers may infer this from the endpoint the client
381 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
386 description: ClusterInformationSpec contains the values of describing
390 description: CalicoVersion is the version of Calico that the cluster
394 description: ClusterGUID is the GUID of the cluster
397 description: ClusterType describes the type of the cluster
400 description: DatastoreReady is used during significant datastore migrations
401 to signal to components such as Felix that it should wait before
402 accessing the datastore.
405 description: Variant declares which variant of Calico should be active.
421 apiVersion: apiextensions.k8s.io/v1
422 kind: CustomResourceDefinition
425 controller-gen.kubebuilder.io/version: (devel)
426 creationTimestamp: null
427 name: felixconfigurations.crd.projectcalico.org
429 group: crd.projectcalico.org
431 kind: FelixConfiguration
432 listKind: FelixConfigurationList
433 plural: felixconfigurations
434 singular: felixconfiguration
440 description: Felix Configuration contains the configuration for Felix.
443 description: 'APIVersion defines the versioned schema of this representation
444 of an object. Servers should convert recognized schemas to the latest
445 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
448 description: 'Kind is a string value representing the REST resource this
449 object represents. Servers may infer this from the endpoint the client
450 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
455 description: FelixConfigurationSpec contains the values of the Felix configuration.
457 allowIPIPPacketsFromWorkloads:
458 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
459 will add a rule to drop IPIP encapsulated traffic from workloads
462 allowVXLANPacketsFromWorkloads:
463 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
464 will add a rule to drop VXLAN encapsulated traffic from workloads
468 description: 'Set source-destination-check on AWS EC2 instances. Accepted
469 value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
476 bpfConnectTimeLoadBalancingEnabled:
477 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
478 controls whether Felix installs the connection-time load balancer. The
479 connect-time load balancer is required for the host to be able to
480 reach Kubernetes services and it improves the performance of pod-to-service
481 connections. The only reason to disable it is for debugging purposes. [Default:
485 description: 'BPFDataIfacePattern is a regular expression that controls
486 which interfaces Felix should attach BPF programs to in order to
487 catch traffic to/from the network. This needs to match the interfaces
488 that Calico workload traffic flows over as well as any interfaces
489 that handle incoming traffic to nodeports and services from outside
490 the cluster. It should not match the workload interfaces (usually
491 named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
493 bpfDisableUnprivileged:
494 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
495 sysctl to disable unprivileged use of BPF. This ensures that unprivileged
496 users cannot access Calico''s BPF maps and cannot insert their own
497 BPF programs to interfere with Calico''s. [Default: true]'
500 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
503 bpfExternalServiceMode:
504 description: 'BPFExternalServiceMode in BPF mode, controls how connections
505 from outside the cluster to services (node ports and cluster IPs)
506 are forwarded to remote workloads. If set to "Tunnel" then both
507 request and response traffic is tunneled to the remote node. If
508 set to "DSR", the request traffic is tunneled but the response traffic
509 is sent directly from the remote node. In "DSR" mode, the remote
510 node appears to use the IP of the ingress node; this requires a
511 permissive L2 network. [Default: Tunnel]'
513 bpfKubeProxyEndpointSlicesEnabled:
514 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
515 whether Felix's embedded kube-proxy accepts EndpointSlices or not.
517 bpfKubeProxyIptablesCleanupEnabled:
518 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
519 mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
520 iptables chains. Should only be enabled if kube-proxy is not running. [Default:
523 bpfKubeProxyMinSyncPeriod:
524 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
525 minimum time between updates to the dataplane for Felix''s embedded
526 kube-proxy. Lower values give reduced set-up latency. Higher values
527 reduce Felix CPU usage by batching up more work. [Default: 1s]'
530 description: 'BPFLogLevel controls the log level of the BPF programs
531 when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
532 logs are emitted to the BPF trace pipe, accessible with the command
533 `tc exec bpf debug`. [Default: Off].'
536 description: 'ChainInsertMode controls whether Felix hooks the kernel’s
537 top-level iptables chains by inserting a rule at the top of the
538 chain or by appending a rule at the bottom. insert is the safe default
539 since it prevents Calico’s rules from being bypassed. If you switch
540 to append mode, be sure that the other rules in the chains signal
541 acceptance by falling through to the Calico rules, otherwise the
542 Calico policy will be bypassed. [Default: insert]'
546 debugDisableLogDropping:
548 debugMemoryProfilePath:
550 debugSimulateCalcGraphHangAfter:
552 debugSimulateDataplaneHangAfter:
554 defaultEndpointToHostAction:
555 description: 'DefaultEndpointToHostAction controls what happens to
556 traffic that goes from a workload endpoint to the host itself (after
557 the traffic hits the endpoint egress policy). By default Calico
558 blocks traffic from workload endpoints to the host itself with an
559 iptables “DROP” action. If you want to allow some or all traffic
560 from endpoint to host, set this parameter to RETURN or ACCEPT. Use
561 RETURN if you have your own rules in the iptables “INPUT” chain;
562 Calico will insert its rules at the top of that chain, then “RETURN”
563 packets to the “INPUT” chain once it has completed processing workload
564 endpoint egress policy. Use ACCEPT to unconditionally accept packets
565 from workloads after processing workload endpoint egress policy.
569 description: This defines the route protocol added to programmed device
570 routes, by default this will be RTPROT_BOOT when left blank.
572 deviceRouteSourceAddress:
573 description: This is the source address to use on programmed device
574 routes. By default the source address is left blank, leaving the
575 kernel to choose the source address used.
577 disableConntrackInvalidCheck:
579 endpointReportingDelay:
581 endpointReportingEnabled:
584 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
585 which may source tunnel traffic and have the tunneled traffic be
586 accepted at calico nodes.
590 failsafeInboundHostPorts:
591 description: 'FailsafeInboundHostPorts is a comma-delimited list of
592 UDP/TCP ports that Felix will allow incoming traffic to host endpoints
593 on irrespective of the security policy. This is useful to avoid
594 accidentally cutting off a host with incorrect configuration. Each
595 port should be specified as tcp:<port-number> or udp:<port-number>.
596 For back-compatibility, if the protocol is not specified, it defaults
597 to “tcp”. To disable all inbound host ports, use the value none.
598 The default value allows ssh access and DHCP. [Default: tcp:22,
599 udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
601 description: ProtoPort is combination of protocol and port, both
613 failsafeOutboundHostPorts:
614 description: 'FailsafeOutboundHostPorts is a comma-delimited list
615 of UDP/TCP ports that Felix will allow outgoing traffic from host
616 endpoints to irrespective of the security policy. This is useful
617 to avoid accidentally cutting off a host with incorrect configuration.
618 Each port should be specified as tcp:<port-number> or udp:<port-number>.
619 For back-compatibility, if the protocol is not specified, it defaults
620 to “tcp”. To disable all outbound host ports, use the value none.
621 The default value opens etcd’s standard ports to ensure that Felix
622 does not get cut off from etcd as well as allowing DHCP and DNS.
623 [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
626 description: ProtoPort is combination of protocol and port, both
638 featureDetectOverride:
639 description: FeatureDetectOverride is used to override the feature
640 detection. Values are specified in a comma separated list with no
641 spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
642 "true" or "false" will force the feature, empty or omitted values
646 description: 'GenericXDPEnabled enables Generic XDP so network cards
647 that don''t support XDP offload or driver modes can use XDP. This
648 is not recommended since it doesn''t provide better performance
649 than iptables. [Default: false]'
658 description: 'InterfaceExclude is a comma-separated list of interfaces
659 that Felix should exclude when monitoring for host endpoints. The
660 default value ensures that Felix ignores Kubernetes'' IPVS dummy
661 interface, which is used internally by kube-proxy. If you want to
662 exclude multiple interface names using a single value, the list
663 supports regular expressions. For regular expressions you must wrap
664 the value with ''/''. For example having values ''/^kube/,veth1''
665 will exclude all interfaces that begin with ''kube'' and also the
666 interface ''veth1''. [Default: kube-ipvs0]'
669 description: 'InterfacePrefix is the interface name prefix that identifies
670 workload endpoints and so distinguishes them from host endpoint
671 interfaces. Note: in environments other than bare metal, the orchestrators
672 configure this appropriately. For example our Kubernetes and Docker
673 integrations set the ‘cali’ value, and our OpenStack integration
674 sets the ‘tap’ value. [Default: cali]'
676 interfaceRefreshInterval:
677 description: InterfaceRefreshInterval is the period at which Felix
678 rescans local interfaces to verify their state. The rescan can be
679 disabled by setting the interval to 0.
684 description: 'IPIPMTU is the MTU to set on the tunnel device. See
685 Configuring MTU [Default: 1440]'
687 ipsetsRefreshInterval:
688 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
689 all iptables state to ensure that no other process has accidentally
690 broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:
694 description: IptablesBackend specifies which backend of iptables will
695 be used. The default is legacy.
697 iptablesFilterAllowAction:
699 iptablesLockFilePath:
700 description: 'IptablesLockFilePath is the location of the iptables
701 lock file. You may need to change this if the lock file is not in
702 its standard location (for example if you have mapped it into Felix’s
703 container at a different path). [Default: /run/xtables.lock]'
705 iptablesLockProbeInterval:
706 description: 'IptablesLockProbeInterval is the time that Felix will
707 wait between attempts to acquire the iptables lock if it is not
708 available. Lower values make Felix more responsive when the lock
709 is contended, but use more CPU. [Default: 50ms]'
712 description: 'IptablesLockTimeout is the time that Felix will wait
713 for the iptables lock, or 0, to disable. To use this feature, Felix
714 must share the iptables lock file with all other processes that
715 also take the lock. When running Felix inside a container, this
716 requires the /run directory of the host to be mounted into the calico/node
717 or calico/felix container. [Default: 0s disabled]'
719 iptablesMangleAllowAction:
722 description: 'IptablesMarkMask is the mask that Felix selects its
723 IPTables Mark bits from. Should be a 32 bit hexadecimal number with
724 at least 8 bits set, none of which clash with any other mark bits
725 in use on the system. [Default: 0xff000000]'
728 iptablesNATOutgoingInterfaceFilter:
730 iptablesPostWriteCheckInterval:
731 description: 'IptablesPostWriteCheckInterval is the period after Felix
732 has done a write to the dataplane that it schedules an extra read
733 back in order to check the write was not clobbered by another process.
734 This should only occur if another application on the system doesn’t
735 respect the iptables lock. [Default: 1s]'
737 iptablesRefreshInterval:
738 description: 'IptablesRefreshInterval is the period at which Felix
739 re-checks the IP sets in the dataplane to ensure that no other process
740 has accidentally broken Calico’s rules. Set to 0 to disable IP sets
741 refresh. Note: the default for this value is lower than the other
742 refresh intervals as a workaround for a Linux kernel bug that was
743 fixed in kernel version 4.11. If you are using v4.11 or greater
744 you may want to set this to, a higher value to reduce Felix CPU
745 usage. [Default: 10s]'
750 description: 'KubeNodePortRanges holds list of port ranges used for
751 service node ports. Only used if felix detects kube-proxy running
752 in ipvs mode. Felix uses these ranges to separate host and workload
753 traffic. [Default: 30000:32767].'
759 x-kubernetes-int-or-string: true
762 description: 'LogFilePath is the full path to the Felix log. Set to
763 none to disable file logging. [Default: /var/log/calico/felix.log]'
766 description: 'LogPrefix is the log prefix that Felix uses when rendering
767 LOG rules. [Default: calico-packet]'
770 description: 'LogSeverityFile is the log severity above which logs
771 are sent to the log file. [Default: Info]'
774 description: 'LogSeverityScreen is the log severity above which logs
775 are sent to the stdout. [Default: Info]'
778 description: 'LogSeveritySys is the log severity above which logs
779 are sent to the syslog. Set to None for no logging to syslog. [Default:
785 description: 'MetadataAddr is the IP address or domain name of the
786 server that can answer VM queries for cloud-init metadata. In OpenStack,
787 this corresponds to the machine running nova-api (or in Ubuntu,
788 nova-api-metadata). A value of none (case insensitive) means that
789 Felix should not set up any NAT rule for the metadata path. [Default:
793 description: 'MetadataPort is the port of the metadata server. This,
794 combined with global.MetadataAddr (if not ‘None’), is used to set
795 up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
796 In most cases this should not need to be changed [Default: 8775].'
799 description: NATOutgoingAddress specifies an address to use when performing
800 source NAT for traffic in a natOutgoing pool that is leaving the
801 network. By default the address used is an address on the interface
802 the traffic is leaving on (ie it uses the iptables MASQUERADE target)
808 description: NATPortRange specifies the range of ports that is used
809 for port mapping when doing outgoing NAT. When unset the default
810 behavior of the network stack is used.
812 x-kubernetes-int-or-string: true
816 description: 'OpenstackRegion is the name of the region that a particular
817 Felix belongs to. In a multi-region Calico/OpenStack deployment,
818 this must be configured somehow for each Felix (here in the datamodel,
819 or in felix.cfg or the environment on each compute node), and must
820 match the [calico] openstack_region value configured in neutron.conf
821 on each node. [Default: Empty]'
823 policySyncPathPrefix:
824 description: 'PolicySyncPathPrefix is used to by Felix to communicate
825 policy changes to external services, like Application layer policy.
828 prometheusGoMetricsEnabled:
829 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
830 collection, which the Prometheus client does by default, when set
831 to false. This reduces the number of metrics reported, reducing
832 Prometheus load. [Default: true]'
834 prometheusMetricsEnabled:
835 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
836 server in Felix if set to true. [Default: false]'
838 prometheusMetricsHost:
839 description: 'PrometheusMetricsHost is the host that the Prometheus
840 metrics server should bind to. [Default: empty]'
842 prometheusMetricsPort:
843 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
844 metrics server should bind to. [Default: 9091]'
846 prometheusProcessMetricsEnabled:
847 description: 'PrometheusProcessMetricsEnabled disables process metrics
848 collection, which the Prometheus client does by default, when set
849 to false. This reduces the number of metrics reported, reducing
850 Prometheus load. [Default: true]'
852 removeExternalRoutes:
853 description: Whether or not to remove device routes that have not
854 been programmed by Felix. Disabling this will allow external applications
855 to also add device routes. This is enabled by default which means
856 we will remove externally added routes.
859 description: 'ReportingInterval is the interval at which Felix reports
860 its status into the datastore or 0 to disable. Must be non-zero
861 in OpenStack deployments. [Default: 30s]'
864 description: 'ReportingTTL is the time-to-live setting for process-wide
865 status reports. [Default: 90s]'
867 routeRefreshInterval:
868 description: 'RouterefreshInterval is the period at which Felix re-checks
869 the routes in the dataplane to ensure that no other process has
870 accidentally broken Calico’s rules. Set to 0 to disable route refresh.
874 description: 'RouteSource configures where Felix gets its routing
875 information. - WorkloadIPs: use workload endpoints to construct
876 routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
879 description: Calico programs additional Linux route tables for various
880 purposes. RouteTableRange specifies the indices of the route tables
881 that Calico should use.
891 sidecarAccelerationEnabled:
892 description: 'SidecarAccelerationEnabled enables experimental sidecar
893 acceleration [Default: false]'
895 usageReportingEnabled:
896 description: 'UsageReportingEnabled reports anonymous Calico version
897 number and cluster size to projectcalico.org. Logs warnings returned
898 by the usage server. For example, if a significant security vulnerability
899 has been discovered in the version of Calico being used. [Default:
902 usageReportingInitialDelay:
903 description: 'UsageReportingInitialDelay controls the minimum delay
904 before Felix makes a report. [Default: 300s]'
906 usageReportingInterval:
907 description: 'UsageReportingInterval controls the interval at which
908 Felix makes reports. [Default: 86400s]'
910 useInternalDataplaneDriver:
915 description: 'VXLANMTU is the MTU to set on the tunnel device. See
916 Configuring MTU [Default: 1440]'
923 description: 'WireguardEnabled controls whether Wireguard is enabled.
926 wireguardInterfaceName:
927 description: 'WireguardInterfaceName specifies the name to use for
928 the Wireguard interface. [Default: wg.calico]'
930 wireguardListeningPort:
931 description: 'WireguardListeningPort controls the listening port used
932 by Wireguard. [Default: 51820]'
935 description: 'WireguardMTU controls the MTU on the Wireguard interface.
936 See Configuring MTU [Default: 1420]'
938 wireguardRoutingRulePriority:
939 description: 'WireguardRoutingRulePriority controls the priority value
940 to use for the Wireguard routing rule. [Default: 99]'
943 description: 'XDPEnabled enables XDP acceleration for suitable untracked
944 incoming deny rules. [Default: true]'
947 description: 'XDPRefreshInterval is the period at which Felix re-checks
948 all XDP state to ensure that no other process has accidentally broken
949 Calico''s BPF maps or attached programs. Set to 0 to disable XDP
950 refresh. [Default: 90s]'
966 apiVersion: apiextensions.k8s.io/v1
967 kind: CustomResourceDefinition
970 controller-gen.kubebuilder.io/version: (devel)
971 creationTimestamp: null
972 name: globalnetworkpolicies.crd.projectcalico.org
974 group: crd.projectcalico.org
976 kind: GlobalNetworkPolicy
977 listKind: GlobalNetworkPolicyList
978 plural: globalnetworkpolicies
979 singular: globalnetworkpolicy
987 description: 'APIVersion defines the versioned schema of this representation
988 of an object. Servers should convert recognized schemas to the latest
989 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
992 description: 'Kind is a string value representing the REST resource this
993 object represents. Servers may infer this from the endpoint the client
994 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1001 description: ApplyOnForward indicates to apply the rules in this policy
1005 description: DoNotTrack indicates whether packets matched by the rules
1006 in this policy should go through the data plane's connection tracking,
1007 such as Linux conntrack. If True, the rules in this policy are
1008 applied before any data plane connection tracking, and packets allowed
1009 by this policy are marked as not to be tracked.
1012 description: The ordered set of egress rules. Each rule contains
1013 a set of packet match criteria and a corresponding action to apply.
1015 description: "A Rule encapsulates a set of match criteria and an
1016 action. Both selector-based security Policy and security Profiles
1017 reference rules - separated out as a list of rules for both ingress
1018 and egress packet matching. \n Each positive match criteria has
1019 a negated version, prefixed with ”Not”. All the match criteria
1020 within a rule must be satisfied for a packet to match. A single
1021 rule can contain the positive and negative version of a match
1022 and both must be satisfied for the rule to match."
1027 description: Destination contains the match criteria that apply
1028 to destination entity.
1031 description: "NamespaceSelector is an optional field that
1032 contains a selector expression. Only traffic that originates
1033 from (or terminates at) endpoints within the selected
1034 namespaces will be matched. When both NamespaceSelector
1035 and Selector are defined on the same rule, then only workload
1036 endpoints that are matched by both selectors will be selected
1037 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1038 implies that the Selector is limited to selecting only
1039 workload endpoints in the same namespace as the NetworkPolicy.
1040 \n For NetworkPolicy, `global()` NamespaceSelector implies
1041 that the Selector is limited to selecting only GlobalNetworkSet
1042 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1043 NamespaceSelector implies the Selector applies to workload
1044 endpoints across all namespaces."
1047 description: Nets is an optional field that restricts the
1048 rule to only apply to traffic that originates from (or
1049 terminates at) IP addresses in any of the given subnets.
1054 description: NotNets is the negated version of the Nets
1060 description: NotPorts is the negated version of the Ports
1061 field. Since only some protocols have ports, if any ports
1062 are specified it requires the Protocol match in the Rule
1063 to be set to "TCP" or "UDP".
1069 x-kubernetes-int-or-string: true
1072 description: NotSelector is the negated version of the Selector
1073 field. See Selector field for subtleties with negated
1077 description: "Ports is an optional field that restricts
1078 the rule to only apply to traffic that has a source (destination)
1079 port that matches one of these ranges/values. This value
1080 is a list of integers or strings that represent ranges
1081 of ports. \n Since only some protocols have ports, if
1082 any ports are specified it requires the Protocol match
1083 in the Rule to be set to \"TCP\" or \"UDP\"."
1089 x-kubernetes-int-or-string: true
1092 description: "Selector is an optional field that contains
1093 a selector expression (see Policy for sample syntax).
1094 \ Only traffic that originates from (terminates at) endpoints
1095 matching the selector will be matched. \n Note that: in
1096 addition to the negated version of the Selector (see NotSelector
1097 below), the selector expression syntax itself supports
1098 negation. The two types of negation are subtly different.
1099 One negates the set of matched endpoints, the other negates
1100 the whole match: \n \tSelector = \"!has(my_label)\" matches
1101 packets that are from other Calico-controlled \tendpoints
1102 that do not have the label “my_label”. \n \tNotSelector
1103 = \"has(my_label)\" matches packets that are not from
1104 Calico-controlled \tendpoints that do have the label “my_label”.
1105 \n The effect is that the latter will accept packets from
1106 non-Calico sources whereas the former is limited to packets
1107 from Calico-controlled endpoints."
1110 description: ServiceAccounts is an optional field that restricts
1111 the rule to only apply to traffic that originates from
1112 (or terminates at) a pod running as a matching service
1116 description: Names is an optional field that restricts
1117 the rule to only apply to traffic that originates
1118 from (or terminates at) a pod running as a service
1119 account whose name is in the list.
1124 description: Selector is an optional field that restricts
1125 the rule to only apply to traffic that originates
1126 from (or terminates at) a pod running as a service
1127 account that matches the given label selector. If
1128 both Names and Selector are specified then they are
1134 description: HTTP contains match criteria that apply to HTTP
1138 description: Methods is an optional field that restricts
1139 the rule to apply only to HTTP requests that use one of
1140 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1141 methods are OR'd together.
1146 description: 'Paths is an optional field that restricts
1147 the rule to apply to HTTP requests that use one of the
1148 listed HTTP Paths. Multiple paths are OR''d together.
1149 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1150 ONLY specify either a `exact` or a `prefix` match. The
1151 validator will check for it.'
1153 description: 'HTTPPath specifies an HTTP path to match.
1154 It may be either of the form: exact: <path>: which matches
1155 the path exactly or prefix: <path-prefix>: which matches
1166 description: ICMP is an optional field that restricts the rule
1167 to apply to a specific type and code of ICMP traffic. This
1168 should only be specified if the Protocol field is set to "ICMP"
1172 description: Match on a specific ICMP code. If specified,
1173 the Type value must also be specified. This is a technical
1174 limitation imposed by the kernel’s iptables firewall,
1175 which Calico uses to enforce the rule.
1178 description: Match on a specific ICMP type. For example
1179 a value of 8 refers to ICMP Echo Request (i.e. pings).
1183 description: IPVersion is an optional field that restricts the
1184 rule to only match a specific IP version.
1187 description: Metadata contains additional information for this
1191 additionalProperties:
1193 description: Annotations is a set of key value pairs that
1194 give extra information about the rule
1198 description: NotICMP is the negated version of the ICMP field.
1201 description: Match on a specific ICMP code. If specified,
1202 the Type value must also be specified. This is a technical
1203 limitation imposed by the kernel’s iptables firewall,
1204 which Calico uses to enforce the rule.
1207 description: Match on a specific ICMP type. For example
1208 a value of 8 refers to ICMP Echo Request (i.e. pings).
1215 description: NotProtocol is the negated version of the Protocol
1218 x-kubernetes-int-or-string: true
1223 description: "Protocol is an optional field that restricts the
1224 rule to only apply to traffic of a specific IP protocol. Required
1225 if any of the EntityRules contain Ports (because ports only
1226 apply to certain protocols). \n Must be one of these string
1227 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1228 \"UDPLite\" or an integer in the range 1-255."
1230 x-kubernetes-int-or-string: true
1232 description: Source contains the match criteria that apply to
1236 description: "NamespaceSelector is an optional field that
1237 contains a selector expression. Only traffic that originates
1238 from (or terminates at) endpoints within the selected
1239 namespaces will be matched. When both NamespaceSelector
1240 and Selector are defined on the same rule, then only workload
1241 endpoints that are matched by both selectors will be selected
1242 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1243 implies that the Selector is limited to selecting only
1244 workload endpoints in the same namespace as the NetworkPolicy.
1245 \n For NetworkPolicy, `global()` NamespaceSelector implies
1246 that the Selector is limited to selecting only GlobalNetworkSet
1247 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1248 NamespaceSelector implies the Selector applies to workload
1249 endpoints across all namespaces."
1252 description: Nets is an optional field that restricts the
1253 rule to only apply to traffic that originates from (or
1254 terminates at) IP addresses in any of the given subnets.
1259 description: NotNets is the negated version of the Nets
1265 description: NotPorts is the negated version of the Ports
1266 field. Since only some protocols have ports, if any ports
1267 are specified it requires the Protocol match in the Rule
1268 to be set to "TCP" or "UDP".
1274 x-kubernetes-int-or-string: true
1277 description: NotSelector is the negated version of the Selector
1278 field. See Selector field for subtleties with negated
1282 description: "Ports is an optional field that restricts
1283 the rule to only apply to traffic that has a source (destination)
1284 port that matches one of these ranges/values. This value
1285 is a list of integers or strings that represent ranges
1286 of ports. \n Since only some protocols have ports, if
1287 any ports are specified it requires the Protocol match
1288 in the Rule to be set to \"TCP\" or \"UDP\"."
1294 x-kubernetes-int-or-string: true
1297 description: "Selector is an optional field that contains
1298 a selector expression (see Policy for sample syntax).
1299 \ Only traffic that originates from (terminates at) endpoints
1300 matching the selector will be matched. \n Note that: in
1301 addition to the negated version of the Selector (see NotSelector
1302 below), the selector expression syntax itself supports
1303 negation. The two types of negation are subtly different.
1304 One negates the set of matched endpoints, the other negates
1305 the whole match: \n \tSelector = \"!has(my_label)\" matches
1306 packets that are from other Calico-controlled \tendpoints
1307 that do not have the label “my_label”. \n \tNotSelector
1308 = \"has(my_label)\" matches packets that are not from
1309 Calico-controlled \tendpoints that do have the label “my_label”.
1310 \n The effect is that the latter will accept packets from
1311 non-Calico sources whereas the former is limited to packets
1312 from Calico-controlled endpoints."
1315 description: ServiceAccounts is an optional field that restricts
1316 the rule to only apply to traffic that originates from
1317 (or terminates at) a pod running as a matching service
1321 description: Names is an optional field that restricts
1322 the rule to only apply to traffic that originates
1323 from (or terminates at) a pod running as a service
1324 account whose name is in the list.
1329 description: Selector is an optional field that restricts
1330 the rule to only apply to traffic that originates
1331 from (or terminates at) a pod running as a service
1332 account that matches the given label selector. If
1333 both Names and Selector are specified then they are
1343 description: The ordered set of ingress rules. Each rule contains
1344 a set of packet match criteria and a corresponding action to apply.
1346 description: "A Rule encapsulates a set of match criteria and an
1347 action. Both selector-based security Policy and security Profiles
1348 reference rules - separated out as a list of rules for both ingress
1349 and egress packet matching. \n Each positive match criteria has
1350 a negated version, prefixed with ”Not”. All the match criteria
1351 within a rule must be satisfied for a packet to match. A single
1352 rule can contain the positive and negative version of a match
1353 and both must be satisfied for the rule to match."
1358 description: Destination contains the match criteria that apply
1359 to destination entity.
1362 description: "NamespaceSelector is an optional field that
1363 contains a selector expression. Only traffic that originates
1364 from (or terminates at) endpoints within the selected
1365 namespaces will be matched. When both NamespaceSelector
1366 and Selector are defined on the same rule, then only workload
1367 endpoints that are matched by both selectors will be selected
1368 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1369 implies that the Selector is limited to selecting only
1370 workload endpoints in the same namespace as the NetworkPolicy.
1371 \n For NetworkPolicy, `global()` NamespaceSelector implies
1372 that the Selector is limited to selecting only GlobalNetworkSet
1373 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1374 NamespaceSelector implies the Selector applies to workload
1375 endpoints across all namespaces."
1378 description: Nets is an optional field that restricts the
1379 rule to only apply to traffic that originates from (or
1380 terminates at) IP addresses in any of the given subnets.
1385 description: NotNets is the negated version of the Nets
1391 description: NotPorts is the negated version of the Ports
1392 field. Since only some protocols have ports, if any ports
1393 are specified it requires the Protocol match in the Rule
1394 to be set to "TCP" or "UDP".
1400 x-kubernetes-int-or-string: true
1403 description: NotSelector is the negated version of the Selector
1404 field. See Selector field for subtleties with negated
1408 description: "Ports is an optional field that restricts
1409 the rule to only apply to traffic that has a source (destination)
1410 port that matches one of these ranges/values. This value
1411 is a list of integers or strings that represent ranges
1412 of ports. \n Since only some protocols have ports, if
1413 any ports are specified it requires the Protocol match
1414 in the Rule to be set to \"TCP\" or \"UDP\"."
1420 x-kubernetes-int-or-string: true
1423 description: "Selector is an optional field that contains
1424 a selector expression (see Policy for sample syntax).
1425 \ Only traffic that originates from (terminates at) endpoints
1426 matching the selector will be matched. \n Note that: in
1427 addition to the negated version of the Selector (see NotSelector
1428 below), the selector expression syntax itself supports
1429 negation. The two types of negation are subtly different.
1430 One negates the set of matched endpoints, the other negates
1431 the whole match: \n \tSelector = \"!has(my_label)\" matches
1432 packets that are from other Calico-controlled \tendpoints
1433 that do not have the label “my_label”. \n \tNotSelector
1434 = \"has(my_label)\" matches packets that are not from
1435 Calico-controlled \tendpoints that do have the label “my_label”.
1436 \n The effect is that the latter will accept packets from
1437 non-Calico sources whereas the former is limited to packets
1438 from Calico-controlled endpoints."
1441 description: ServiceAccounts is an optional field that restricts
1442 the rule to only apply to traffic that originates from
1443 (or terminates at) a pod running as a matching service
1447 description: Names is an optional field that restricts
1448 the rule to only apply to traffic that originates
1449 from (or terminates at) a pod running as a service
1450 account whose name is in the list.
1455 description: Selector is an optional field that restricts
1456 the rule to only apply to traffic that originates
1457 from (or terminates at) a pod running as a service
1458 account that matches the given label selector. If
1459 both Names and Selector are specified then they are
1465 description: HTTP contains match criteria that apply to HTTP
1469 description: Methods is an optional field that restricts
1470 the rule to apply only to HTTP requests that use one of
1471 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1472 methods are OR'd together.
1477 description: 'Paths is an optional field that restricts
1478 the rule to apply to HTTP requests that use one of the
1479 listed HTTP Paths. Multiple paths are OR''d together.
1480 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1481 ONLY specify either a `exact` or a `prefix` match. The
1482 validator will check for it.'
1484 description: 'HTTPPath specifies an HTTP path to match.
1485 It may be either of the form: exact: <path>: which matches
1486 the path exactly or prefix: <path-prefix>: which matches
1497 description: ICMP is an optional field that restricts the rule
1498 to apply to a specific type and code of ICMP traffic. This
1499 should only be specified if the Protocol field is set to "ICMP"
1503 description: Match on a specific ICMP code. If specified,
1504 the Type value must also be specified. This is a technical
1505 limitation imposed by the kernel’s iptables firewall,
1506 which Calico uses to enforce the rule.
1509 description: Match on a specific ICMP type. For example
1510 a value of 8 refers to ICMP Echo Request (i.e. pings).
1514 description: IPVersion is an optional field that restricts the
1515 rule to only match a specific IP version.
1518 description: Metadata contains additional information for this
1522 additionalProperties:
1524 description: Annotations is a set of key value pairs that
1525 give extra information about the rule
1529 description: NotICMP is the negated version of the ICMP field.
1532 description: Match on a specific ICMP code. If specified,
1533 the Type value must also be specified. This is a technical
1534 limitation imposed by the kernel’s iptables firewall,
1535 which Calico uses to enforce the rule.
1538 description: Match on a specific ICMP type. For example
1539 a value of 8 refers to ICMP Echo Request (i.e. pings).
1546 description: NotProtocol is the negated version of the Protocol
1549 x-kubernetes-int-or-string: true
1554 description: "Protocol is an optional field that restricts the
1555 rule to only apply to traffic of a specific IP protocol. Required
1556 if any of the EntityRules contain Ports (because ports only
1557 apply to certain protocols). \n Must be one of these string
1558 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1559 \"UDPLite\" or an integer in the range 1-255."
1561 x-kubernetes-int-or-string: true
1563 description: Source contains the match criteria that apply to
1567 description: "NamespaceSelector is an optional field that
1568 contains a selector expression. Only traffic that originates
1569 from (or terminates at) endpoints within the selected
1570 namespaces will be matched. When both NamespaceSelector
1571 and Selector are defined on the same rule, then only workload
1572 endpoints that are matched by both selectors will be selected
1573 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1574 implies that the Selector is limited to selecting only
1575 workload endpoints in the same namespace as the NetworkPolicy.
1576 \n For NetworkPolicy, `global()` NamespaceSelector implies
1577 that the Selector is limited to selecting only GlobalNetworkSet
1578 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1579 NamespaceSelector implies the Selector applies to workload
1580 endpoints across all namespaces."
1583 description: Nets is an optional field that restricts the
1584 rule to only apply to traffic that originates from (or
1585 terminates at) IP addresses in any of the given subnets.
1590 description: NotNets is the negated version of the Nets
1596 description: NotPorts is the negated version of the Ports
1597 field. Since only some protocols have ports, if any ports
1598 are specified it requires the Protocol match in the Rule
1599 to be set to "TCP" or "UDP".
1605 x-kubernetes-int-or-string: true
1608 description: NotSelector is the negated version of the Selector
1609 field. See Selector field for subtleties with negated
1613 description: "Ports is an optional field that restricts
1614 the rule to only apply to traffic that has a source (destination)
1615 port that matches one of these ranges/values. This value
1616 is a list of integers or strings that represent ranges
1617 of ports. \n Since only some protocols have ports, if
1618 any ports are specified it requires the Protocol match
1619 in the Rule to be set to \"TCP\" or \"UDP\"."
1625 x-kubernetes-int-or-string: true
1628 description: "Selector is an optional field that contains
1629 a selector expression (see Policy for sample syntax).
1630 \ Only traffic that originates from (terminates at) endpoints
1631 matching the selector will be matched. \n Note that: in
1632 addition to the negated version of the Selector (see NotSelector
1633 below), the selector expression syntax itself supports
1634 negation. The two types of negation are subtly different.
1635 One negates the set of matched endpoints, the other negates
1636 the whole match: \n \tSelector = \"!has(my_label)\" matches
1637 packets that are from other Calico-controlled \tendpoints
1638 that do not have the label “my_label”. \n \tNotSelector
1639 = \"has(my_label)\" matches packets that are not from
1640 Calico-controlled \tendpoints that do have the label “my_label”.
1641 \n The effect is that the latter will accept packets from
1642 non-Calico sources whereas the former is limited to packets
1643 from Calico-controlled endpoints."
1646 description: ServiceAccounts is an optional field that restricts
1647 the rule to only apply to traffic that originates from
1648 (or terminates at) a pod running as a matching service
1652 description: Names is an optional field that restricts
1653 the rule to only apply to traffic that originates
1654 from (or terminates at) a pod running as a service
1655 account whose name is in the list.
1660 description: Selector is an optional field that restricts
1661 the rule to only apply to traffic that originates
1662 from (or terminates at) a pod running as a service
1663 account that matches the given label selector. If
1664 both Names and Selector are specified then they are
1674 description: NamespaceSelector is an optional field for an expression
1675 used to select a pod based on namespaces.
1678 description: Order is an optional field that specifies the order in
1679 which the policy is applied. Policies with higher "order" are applied
1680 after those with lower order. If the order is omitted, it may be
1681 considered to be "infinite" - i.e. the policy will be applied last. Policies
1682 with identical order will be applied in alphanumerical order based
1683 on the Policy "Name".
1686 description: PreDNAT indicates to apply the rules in this policy before
1690 description: "The selector is an expression used to pick pick out
1691 the endpoints that the policy should be applied to. \n Selector
1692 expressions follow this syntax: \n \tlabel == \"string_literal\"
1693 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
1694 \ -> not equal; also matches if label is not present \tlabel in
1695 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
1696 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
1697 ... } -> true if the value of label X is not one of \"a\", \"b\",
1698 \"c\" \thas(label_name) -> True if that label is present \t! expr
1699 -> negation of expr \texpr && expr -> Short-circuit and \texpr
1700 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
1701 or the empty selector -> matches all endpoints. \n Label names are
1702 allowed to contain alphanumerics, -, _ and /. String literals are
1703 more permissive but they do not support escape characters. \n Examples
1704 (with made-up labels): \n \ttype == \"webserver\" && deployment
1705 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
1706 \"dev\" \t! has(label_name)"
1708 serviceAccountSelector:
1709 description: ServiceAccountSelector is an optional field for an expression
1710 used to select a pod based on service accounts.
1713 description: "Types indicates whether this policy applies to ingress,
1714 or to egress, or to both. When not explicitly specified (and so
1715 the value on creation is empty or nil), Calico defaults Types according
1716 to what Ingress and Egress rules are present in the policy. The
1717 default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
1718 (including the case where there are also no Ingress rules) \n
1719 - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
1720 rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
1721 both Ingress and Egress rules. \n When the policy is read back again,
1722 Types will always be one of these values, never empty or nil."
1724 description: PolicyType enumerates the possible values of the PolicySpec
1742 apiVersion: apiextensions.k8s.io/v1
1743 kind: CustomResourceDefinition
1746 controller-gen.kubebuilder.io/version: (devel)
1747 creationTimestamp: null
1748 name: globalnetworksets.crd.projectcalico.org
1750 group: crd.projectcalico.org
1752 kind: GlobalNetworkSet
1753 listKind: GlobalNetworkSetList
1754 plural: globalnetworksets
1755 singular: globalnetworkset
1761 description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
1762 that share labels to allow rules to refer to them via selectors. The labels
1763 of GlobalNetworkSet are not namespaced.
1766 description: 'APIVersion defines the versioned schema of this representation
1767 of an object. Servers should convert recognized schemas to the latest
1768 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1771 description: 'Kind is a string value representing the REST resource this
1772 object represents. Servers may infer this from the endpoint the client
1773 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1778 description: GlobalNetworkSetSpec contains the specification for a NetworkSet
1782 description: The list of IP networks that belong to this set.
1800 apiVersion: apiextensions.k8s.io/v1
1801 kind: CustomResourceDefinition
1804 controller-gen.kubebuilder.io/version: (devel)
1805 creationTimestamp: null
1806 name: hostendpoints.crd.projectcalico.org
1808 group: crd.projectcalico.org
1811 listKind: HostEndpointList
1812 plural: hostendpoints
1813 singular: hostendpoint
1821 description: 'APIVersion defines the versioned schema of this representation
1822 of an object. Servers should convert recognized schemas to the latest
1823 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1826 description: 'Kind is a string value representing the REST resource this
1827 object represents. Servers may infer this from the endpoint the client
1828 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1833 description: HostEndpointSpec contains the specification for a HostEndpoint
1837 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
1838 If \"InterfaceName\" is not present, Calico will look for an interface
1839 matching any of the IPs in the list and apply policy to that. Note:
1840 \tWhen using the selector match criteria in an ingress or egress
1841 security Policy \tor Profile, Calico converts the selector into
1842 a set of IP addresses. For host \tendpoints, the ExpectedIPs field
1843 is used for that purpose. (If only the interface \tname is specified,
1844 Calico does not learn the IPs of the interface for use in match
1850 description: "Either \"*\", or the name of a specific Linux interface
1851 to apply policy to; or empty. \"*\" indicates that this HostEndpoint
1852 governs all traffic to, from or through the default network namespace
1853 of the host named by the \"Node\" field; entering and leaving that
1854 namespace via any interface, including those from/to non-host-networked
1855 local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
1856 only governs traffic that enters or leaves the host through the
1857 specific interface named by InterfaceName, or - when InterfaceName
1858 is empty - through the specific interface that has one of the IPs
1859 in ExpectedIPs. Therefore, when InterfaceName is empty, at least
1860 one expected IP must be specified. Only external interfaces (such
1861 as “eth0”) are supported here; it isn't possible for a HostEndpoint
1862 to protect traffic through a specific local workload interface.
1863 \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
1864 initially just pre-DNAT policy. Please check Calico documentation
1865 for the latest position."
1868 description: The node name identifying the Calico node instance.
1871 description: Ports contains the endpoint's named ports, which may
1872 be referenced in security policy rules.
1884 x-kubernetes-int-or-string: true
1892 description: A list of identifiers of security Profile objects that
1893 apply to this endpoint. Each profile is applied in the order that
1894 they appear in this list. Profile rules are applied after the selector-based
1913 apiVersion: apiextensions.k8s.io/v1
1914 kind: CustomResourceDefinition
1917 controller-gen.kubebuilder.io/version: (devel)
1918 creationTimestamp: null
1919 name: ipamblocks.crd.projectcalico.org
1921 group: crd.projectcalico.org
1924 listKind: IPAMBlockList
1934 description: 'APIVersion defines the versioned schema of this representation
1935 of an object. Servers should convert recognized schemas to the latest
1936 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1939 description: 'Kind is a string value representing the REST resource this
1940 object represents. Servers may infer this from the endpoint the client
1941 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1946 description: IPAMBlockSpec contains the specification for an IPAMBlock
1954 # TODO: This nullable is manually added in. We should update controller-gen
1955 # to handle []*int properly itself.
1964 additionalProperties:
2000 apiVersion: apiextensions.k8s.io/v1
2001 kind: CustomResourceDefinition
2004 controller-gen.kubebuilder.io/version: (devel)
2005 creationTimestamp: null
2006 name: ipamconfigs.crd.projectcalico.org
2008 group: crd.projectcalico.org
2011 listKind: IPAMConfigList
2013 singular: ipamconfig
2021 description: 'APIVersion defines the versioned schema of this representation
2022 of an object. Servers should convert recognized schemas to the latest
2023 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2026 description: 'Kind is a string value representing the REST resource this
2027 object represents. Servers may infer this from the endpoint the client
2028 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2033 description: IPAMConfigSpec contains the specification for an IPAMConfig
2041 - autoAllocateBlocks
2057 apiVersion: apiextensions.k8s.io/v1
2058 kind: CustomResourceDefinition
2061 controller-gen.kubebuilder.io/version: (devel)
2062 creationTimestamp: null
2063 name: ipamhandles.crd.projectcalico.org
2065 group: crd.projectcalico.org
2068 listKind: IPAMHandleList
2070 singular: ipamhandle
2078 description: 'APIVersion defines the versioned schema of this representation
2079 of an object. Servers should convert recognized schemas to the latest
2080 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2083 description: 'Kind is a string value representing the REST resource this
2084 object represents. Servers may infer this from the endpoint the client
2085 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2090 description: IPAMHandleSpec contains the specification for an IPAMHandle
2094 additionalProperties:
2116 apiVersion: apiextensions.k8s.io/v1
2117 kind: CustomResourceDefinition
2120 controller-gen.kubebuilder.io/version: (devel)
2121 creationTimestamp: null
2122 name: ippools.crd.projectcalico.org
2124 group: crd.projectcalico.org
2127 listKind: IPPoolList
2137 description: 'APIVersion defines the versioned schema of this representation
2138 of an object. Servers should convert recognized schemas to the latest
2139 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2142 description: 'Kind is a string value representing the REST resource this
2143 object represents. Servers may infer this from the endpoint the client
2144 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2149 description: IPPoolSpec contains the specification for an IPPool resource.
2152 description: The block size to use for IP address assignments from
2153 this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2156 description: The pool CIDR.
2159 description: When disabled is true, Calico IPAM will not assign addresses
2163 description: 'Deprecated: this field is only used for APIv1 backwards
2164 compatibility. Setting this field is not allowed, this field is
2165 for internal use only.'
2168 description: When enabled is true, ipip tunneling will be used
2169 to deliver packets to destinations within this pool.
2172 description: The IPIP mode. This can be one of "always" or "cross-subnet". A
2173 mode of "always" will also use IPIP tunneling for routing to
2174 destination IP addresses within this pool. A mode of "cross-subnet"
2175 will only use IPIP tunneling when the destination node is on
2176 a different subnet to the originating node. The default value
2177 (if not specified) is "always".
2181 description: Contains configuration for IPIP tunneling for this pool.
2182 If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2186 description: 'Deprecated: this field is only used for APIv1 backwards
2187 compatibility. Setting this field is not allowed, this field is
2188 for internal use only.'
2191 description: When nat-outgoing is true, packets sent from Calico networked
2192 containers in this pool to destinations outside of this pool will
2196 description: Allows IPPool to allocate for a specific node by label
2200 description: Contains configuration for VXLAN tunneling for this pool.
2201 If not specified, then this is defaulted to "Never" (i.e. VXLAN
2202 tunneling is disabled).
2220 apiVersion: apiextensions.k8s.io/v1
2221 kind: CustomResourceDefinition
2224 controller-gen.kubebuilder.io/version: (devel)
2225 creationTimestamp: null
2226 name: kubecontrollersconfigurations.crd.projectcalico.org
2228 group: crd.projectcalico.org
2230 kind: KubeControllersConfiguration
2231 listKind: KubeControllersConfigurationList
2232 plural: kubecontrollersconfigurations
2233 singular: kubecontrollersconfiguration
2241 description: 'APIVersion defines the versioned schema of this representation
2242 of an object. Servers should convert recognized schemas to the latest
2243 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2246 description: 'Kind is a string value representing the REST resource this
2247 object represents. Servers may infer this from the endpoint the client
2248 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2253 description: KubeControllersConfigurationSpec contains the values of the
2254 Kubernetes controllers configuration.
2257 description: Controllers enables and configures individual Kubernetes
2261 description: Namespace enables and configures the namespace controller.
2262 Enabled by default, set to nil to disable.
2265 description: 'ReconcilerPeriod is the period to perform reconciliation
2266 with the Calico datastore. [Default: 5m]'
2270 description: Node enables and configures the node controller.
2271 Enabled by default, set to nil to disable.
2274 description: HostEndpoint controls syncing nodes to host endpoints.
2275 Disabled by default, set to nil to disable.
2278 description: 'AutoCreate enables automatic creation of
2279 host endpoints for every node. [Default: Disabled]'
2283 description: 'ReconcilerPeriod is the period to perform reconciliation
2284 with the Calico datastore. [Default: 5m]'
2287 description: 'SyncLabels controls whether to copy Kubernetes
2288 node labels to Calico nodes. [Default: Enabled]'
2292 description: Policy enables and configures the policy controller.
2293 Enabled by default, set to nil to disable.
2296 description: 'ReconcilerPeriod is the period to perform reconciliation
2297 with the Calico datastore. [Default: 5m]'
2301 description: ServiceAccount enables and configures the service
2302 account controller. Enabled by default, set to nil to disable.
2305 description: 'ReconcilerPeriod is the period to perform reconciliation
2306 with the Calico datastore. [Default: 5m]'
2310 description: WorkloadEndpoint enables and configures the workload
2311 endpoint controller. Enabled by default, set to nil to disable.
2314 description: 'ReconcilerPeriod is the period to perform reconciliation
2315 with the Calico datastore. [Default: 5m]'
2319 etcdV3CompactionPeriod:
2320 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2321 compaction requests. Set to 0 to disable. [Default: 10m]'
2324 description: 'HealthChecks enables or disables support for health
2325 checks [Default: Enabled]'
2328 description: 'LogSeverityScreen is the log severity above which logs
2329 are sent to the stdout. [Default: Info]'
2335 description: KubeControllersConfigurationStatus represents the status
2336 of the configuration. It's useful for admins to be able to see the actual
2337 config that was applied, which can be modified by environment variables
2338 on the kube-controllers process.
2341 additionalProperties:
2343 description: EnvironmentVars contains the environment variables on
2344 the kube-controllers that influenced the RunningConfig.
2347 description: RunningConfig contains the effective config that is running
2348 in the kube-controllers pod, after merging the API resource with
2349 any environment variables.
2352 description: Controllers enables and configures individual Kubernetes
2356 description: Namespace enables and configures the namespace
2357 controller. Enabled by default, set to nil to disable.
2360 description: 'ReconcilerPeriod is the period to perform
2361 reconciliation with the Calico datastore. [Default:
2366 description: Node enables and configures the node controller.
2367 Enabled by default, set to nil to disable.
2370 description: HostEndpoint controls syncing nodes to host
2371 endpoints. Disabled by default, set to nil to disable.
2374 description: 'AutoCreate enables automatic creation
2375 of host endpoints for every node. [Default: Disabled]'
2379 description: 'ReconcilerPeriod is the period to perform
2380 reconciliation with the Calico datastore. [Default:
2384 description: 'SyncLabels controls whether to copy Kubernetes
2385 node labels to Calico nodes. [Default: Enabled]'
2389 description: Policy enables and configures the policy controller.
2390 Enabled by default, set to nil to disable.
2393 description: 'ReconcilerPeriod is the period to perform
2394 reconciliation with the Calico datastore. [Default:
2399 description: ServiceAccount enables and configures the service
2400 account controller. Enabled by default, set to nil to disable.
2403 description: 'ReconcilerPeriod is the period to perform
2404 reconciliation with the Calico datastore. [Default:
2409 description: WorkloadEndpoint enables and configures the workload
2410 endpoint controller. Enabled by default, set to nil to disable.
2413 description: 'ReconcilerPeriod is the period to perform
2414 reconciliation with the Calico datastore. [Default:
2419 etcdV3CompactionPeriod:
2420 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2421 compaction requests. Set to 0 to disable. [Default: 10m]'
2424 description: 'HealthChecks enables or disables support for health
2425 checks [Default: Enabled]'
2428 description: 'LogSeverityScreen is the log severity above which
2429 logs are sent to the stdout. [Default: Info]'
2448 apiVersion: apiextensions.k8s.io/v1
2449 kind: CustomResourceDefinition
2452 controller-gen.kubebuilder.io/version: (devel)
2453 creationTimestamp: null
2454 name: networkpolicies.crd.projectcalico.org
2456 group: crd.projectcalico.org
2459 listKind: NetworkPolicyList
2460 plural: networkpolicies
2461 singular: networkpolicy
2469 description: 'APIVersion defines the versioned schema of this representation
2470 of an object. Servers should convert recognized schemas to the latest
2471 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2474 description: 'Kind is a string value representing the REST resource this
2475 object represents. Servers may infer this from the endpoint the client
2476 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2483 description: The ordered set of egress rules. Each rule contains
2484 a set of packet match criteria and a corresponding action to apply.
2486 description: "A Rule encapsulates a set of match criteria and an
2487 action. Both selector-based security Policy and security Profiles
2488 reference rules - separated out as a list of rules for both ingress
2489 and egress packet matching. \n Each positive match criteria has
2490 a negated version, prefixed with ”Not”. All the match criteria
2491 within a rule must be satisfied for a packet to match. A single
2492 rule can contain the positive and negative version of a match
2493 and both must be satisfied for the rule to match."
2498 description: Destination contains the match criteria that apply
2499 to destination entity.
2502 description: "NamespaceSelector is an optional field that
2503 contains a selector expression. Only traffic that originates
2504 from (or terminates at) endpoints within the selected
2505 namespaces will be matched. When both NamespaceSelector
2506 and Selector are defined on the same rule, then only workload
2507 endpoints that are matched by both selectors will be selected
2508 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2509 implies that the Selector is limited to selecting only
2510 workload endpoints in the same namespace as the NetworkPolicy.
2511 \n For NetworkPolicy, `global()` NamespaceSelector implies
2512 that the Selector is limited to selecting only GlobalNetworkSet
2513 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2514 NamespaceSelector implies the Selector applies to workload
2515 endpoints across all namespaces."
2518 description: Nets is an optional field that restricts the
2519 rule to only apply to traffic that originates from (or
2520 terminates at) IP addresses in any of the given subnets.
2525 description: NotNets is the negated version of the Nets
2531 description: NotPorts is the negated version of the Ports
2532 field. Since only some protocols have ports, if any ports
2533 are specified it requires the Protocol match in the Rule
2534 to be set to "TCP" or "UDP".
2540 x-kubernetes-int-or-string: true
2543 description: NotSelector is the negated version of the Selector
2544 field. See Selector field for subtleties with negated
2548 description: "Ports is an optional field that restricts
2549 the rule to only apply to traffic that has a source (destination)
2550 port that matches one of these ranges/values. This value
2551 is a list of integers or strings that represent ranges
2552 of ports. \n Since only some protocols have ports, if
2553 any ports are specified it requires the Protocol match
2554 in the Rule to be set to \"TCP\" or \"UDP\"."
2560 x-kubernetes-int-or-string: true
2563 description: "Selector is an optional field that contains
2564 a selector expression (see Policy for sample syntax).
2565 \ Only traffic that originates from (terminates at) endpoints
2566 matching the selector will be matched. \n Note that: in
2567 addition to the negated version of the Selector (see NotSelector
2568 below), the selector expression syntax itself supports
2569 negation. The two types of negation are subtly different.
2570 One negates the set of matched endpoints, the other negates
2571 the whole match: \n \tSelector = \"!has(my_label)\" matches
2572 packets that are from other Calico-controlled \tendpoints
2573 that do not have the label “my_label”. \n \tNotSelector
2574 = \"has(my_label)\" matches packets that are not from
2575 Calico-controlled \tendpoints that do have the label “my_label”.
2576 \n The effect is that the latter will accept packets from
2577 non-Calico sources whereas the former is limited to packets
2578 from Calico-controlled endpoints."
2581 description: ServiceAccounts is an optional field that restricts
2582 the rule to only apply to traffic that originates from
2583 (or terminates at) a pod running as a matching service
2587 description: Names is an optional field that restricts
2588 the rule to only apply to traffic that originates
2589 from (or terminates at) a pod running as a service
2590 account whose name is in the list.
2595 description: Selector is an optional field that restricts
2596 the rule to only apply to traffic that originates
2597 from (or terminates at) a pod running as a service
2598 account that matches the given label selector. If
2599 both Names and Selector are specified then they are
2605 description: HTTP contains match criteria that apply to HTTP
2609 description: Methods is an optional field that restricts
2610 the rule to apply only to HTTP requests that use one of
2611 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2612 methods are OR'd together.
2617 description: 'Paths is an optional field that restricts
2618 the rule to apply to HTTP requests that use one of the
2619 listed HTTP Paths. Multiple paths are OR''d together.
2620 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2621 ONLY specify either a `exact` or a `prefix` match. The
2622 validator will check for it.'
2624 description: 'HTTPPath specifies an HTTP path to match.
2625 It may be either of the form: exact: <path>: which matches
2626 the path exactly or prefix: <path-prefix>: which matches
2637 description: ICMP is an optional field that restricts the rule
2638 to apply to a specific type and code of ICMP traffic. This
2639 should only be specified if the Protocol field is set to "ICMP"
2643 description: Match on a specific ICMP code. If specified,
2644 the Type value must also be specified. This is a technical
2645 limitation imposed by the kernel’s iptables firewall,
2646 which Calico uses to enforce the rule.
2649 description: Match on a specific ICMP type. For example
2650 a value of 8 refers to ICMP Echo Request (i.e. pings).
2654 description: IPVersion is an optional field that restricts the
2655 rule to only match a specific IP version.
2658 description: Metadata contains additional information for this
2662 additionalProperties:
2664 description: Annotations is a set of key value pairs that
2665 give extra information about the rule
2669 description: NotICMP is the negated version of the ICMP field.
2672 description: Match on a specific ICMP code. If specified,
2673 the Type value must also be specified. This is a technical
2674 limitation imposed by the kernel’s iptables firewall,
2675 which Calico uses to enforce the rule.
2678 description: Match on a specific ICMP type. For example
2679 a value of 8 refers to ICMP Echo Request (i.e. pings).
2686 description: NotProtocol is the negated version of the Protocol
2689 x-kubernetes-int-or-string: true
2694 description: "Protocol is an optional field that restricts the
2695 rule to only apply to traffic of a specific IP protocol. Required
2696 if any of the EntityRules contain Ports (because ports only
2697 apply to certain protocols). \n Must be one of these string
2698 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2699 \"UDPLite\" or an integer in the range 1-255."
2701 x-kubernetes-int-or-string: true
2703 description: Source contains the match criteria that apply to
2707 description: "NamespaceSelector is an optional field that
2708 contains a selector expression. Only traffic that originates
2709 from (or terminates at) endpoints within the selected
2710 namespaces will be matched. When both NamespaceSelector
2711 and Selector are defined on the same rule, then only workload
2712 endpoints that are matched by both selectors will be selected
2713 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2714 implies that the Selector is limited to selecting only
2715 workload endpoints in the same namespace as the NetworkPolicy.
2716 \n For NetworkPolicy, `global()` NamespaceSelector implies
2717 that the Selector is limited to selecting only GlobalNetworkSet
2718 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2719 NamespaceSelector implies the Selector applies to workload
2720 endpoints across all namespaces."
2723 description: Nets is an optional field that restricts the
2724 rule to only apply to traffic that originates from (or
2725 terminates at) IP addresses in any of the given subnets.
2730 description: NotNets is the negated version of the Nets
2736 description: NotPorts is the negated version of the Ports
2737 field. Since only some protocols have ports, if any ports
2738 are specified it requires the Protocol match in the Rule
2739 to be set to "TCP" or "UDP".
2745 x-kubernetes-int-or-string: true
2748 description: NotSelector is the negated version of the Selector
2749 field. See Selector field for subtleties with negated
2753 description: "Ports is an optional field that restricts
2754 the rule to only apply to traffic that has a source (destination)
2755 port that matches one of these ranges/values. This value
2756 is a list of integers or strings that represent ranges
2757 of ports. \n Since only some protocols have ports, if
2758 any ports are specified it requires the Protocol match
2759 in the Rule to be set to \"TCP\" or \"UDP\"."
2765 x-kubernetes-int-or-string: true
2768 description: "Selector is an optional field that contains
2769 a selector expression (see Policy for sample syntax).
2770 \ Only traffic that originates from (terminates at) endpoints
2771 matching the selector will be matched. \n Note that: in
2772 addition to the negated version of the Selector (see NotSelector
2773 below), the selector expression syntax itself supports
2774 negation. The two types of negation are subtly different.
2775 One negates the set of matched endpoints, the other negates
2776 the whole match: \n \tSelector = \"!has(my_label)\" matches
2777 packets that are from other Calico-controlled \tendpoints
2778 that do not have the label “my_label”. \n \tNotSelector
2779 = \"has(my_label)\" matches packets that are not from
2780 Calico-controlled \tendpoints that do have the label “my_label”.
2781 \n The effect is that the latter will accept packets from
2782 non-Calico sources whereas the former is limited to packets
2783 from Calico-controlled endpoints."
2786 description: ServiceAccounts is an optional field that restricts
2787 the rule to only apply to traffic that originates from
2788 (or terminates at) a pod running as a matching service
2792 description: Names is an optional field that restricts
2793 the rule to only apply to traffic that originates
2794 from (or terminates at) a pod running as a service
2795 account whose name is in the list.
2800 description: Selector is an optional field that restricts
2801 the rule to only apply to traffic that originates
2802 from (or terminates at) a pod running as a service
2803 account that matches the given label selector. If
2804 both Names and Selector are specified then they are
2814 description: The ordered set of ingress rules. Each rule contains
2815 a set of packet match criteria and a corresponding action to apply.
2817 description: "A Rule encapsulates a set of match criteria and an
2818 action. Both selector-based security Policy and security Profiles
2819 reference rules - separated out as a list of rules for both ingress
2820 and egress packet matching. \n Each positive match criteria has
2821 a negated version, prefixed with ”Not”. All the match criteria
2822 within a rule must be satisfied for a packet to match. A single
2823 rule can contain the positive and negative version of a match
2824 and both must be satisfied for the rule to match."
2829 description: Destination contains the match criteria that apply
2830 to destination entity.
2833 description: "NamespaceSelector is an optional field that
2834 contains a selector expression. Only traffic that originates
2835 from (or terminates at) endpoints within the selected
2836 namespaces will be matched. When both NamespaceSelector
2837 and Selector are defined on the same rule, then only workload
2838 endpoints that are matched by both selectors will be selected
2839 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2840 implies that the Selector is limited to selecting only
2841 workload endpoints in the same namespace as the NetworkPolicy.
2842 \n For NetworkPolicy, `global()` NamespaceSelector implies
2843 that the Selector is limited to selecting only GlobalNetworkSet
2844 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2845 NamespaceSelector implies the Selector applies to workload
2846 endpoints across all namespaces."
2849 description: Nets is an optional field that restricts the
2850 rule to only apply to traffic that originates from (or
2851 terminates at) IP addresses in any of the given subnets.
2856 description: NotNets is the negated version of the Nets
2862 description: NotPorts is the negated version of the Ports
2863 field. Since only some protocols have ports, if any ports
2864 are specified it requires the Protocol match in the Rule
2865 to be set to "TCP" or "UDP".
2871 x-kubernetes-int-or-string: true
2874 description: NotSelector is the negated version of the Selector
2875 field. See Selector field for subtleties with negated
2879 description: "Ports is an optional field that restricts
2880 the rule to only apply to traffic that has a source (destination)
2881 port that matches one of these ranges/values. This value
2882 is a list of integers or strings that represent ranges
2883 of ports. \n Since only some protocols have ports, if
2884 any ports are specified it requires the Protocol match
2885 in the Rule to be set to \"TCP\" or \"UDP\"."
2891 x-kubernetes-int-or-string: true
2894 description: "Selector is an optional field that contains
2895 a selector expression (see Policy for sample syntax).
2896 \ Only traffic that originates from (terminates at) endpoints
2897 matching the selector will be matched. \n Note that: in
2898 addition to the negated version of the Selector (see NotSelector
2899 below), the selector expression syntax itself supports
2900 negation. The two types of negation are subtly different.
2901 One negates the set of matched endpoints, the other negates
2902 the whole match: \n \tSelector = \"!has(my_label)\" matches
2903 packets that are from other Calico-controlled \tendpoints
2904 that do not have the label “my_label”. \n \tNotSelector
2905 = \"has(my_label)\" matches packets that are not from
2906 Calico-controlled \tendpoints that do have the label “my_label”.
2907 \n The effect is that the latter will accept packets from
2908 non-Calico sources whereas the former is limited to packets
2909 from Calico-controlled endpoints."
2912 description: ServiceAccounts is an optional field that restricts
2913 the rule to only apply to traffic that originates from
2914 (or terminates at) a pod running as a matching service
2918 description: Names is an optional field that restricts
2919 the rule to only apply to traffic that originates
2920 from (or terminates at) a pod running as a service
2921 account whose name is in the list.
2926 description: Selector is an optional field that restricts
2927 the rule to only apply to traffic that originates
2928 from (or terminates at) a pod running as a service
2929 account that matches the given label selector. If
2930 both Names and Selector are specified then they are
2936 description: HTTP contains match criteria that apply to HTTP
2940 description: Methods is an optional field that restricts
2941 the rule to apply only to HTTP requests that use one of
2942 the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2943 methods are OR'd together.
2948 description: 'Paths is an optional field that restricts
2949 the rule to apply to HTTP requests that use one of the
2950 listed HTTP Paths. Multiple paths are OR''d together.
2951 e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2952 ONLY specify either a `exact` or a `prefix` match. The
2953 validator will check for it.'
2955 description: 'HTTPPath specifies an HTTP path to match.
2956 It may be either of the form: exact: <path>: which matches
2957 the path exactly or prefix: <path-prefix>: which matches
2968 description: ICMP is an optional field that restricts the rule
2969 to apply to a specific type and code of ICMP traffic. This
2970 should only be specified if the Protocol field is set to "ICMP"
2974 description: Match on a specific ICMP code. If specified,
2975 the Type value must also be specified. This is a technical
2976 limitation imposed by the kernel’s iptables firewall,
2977 which Calico uses to enforce the rule.
2980 description: Match on a specific ICMP type. For example
2981 a value of 8 refers to ICMP Echo Request (i.e. pings).
2985 description: IPVersion is an optional field that restricts the
2986 rule to only match a specific IP version.
2989 description: Metadata contains additional information for this
2993 additionalProperties:
2995 description: Annotations is a set of key value pairs that
2996 give extra information about the rule
3000 description: NotICMP is the negated version of the ICMP field.
3003 description: Match on a specific ICMP code. If specified,
3004 the Type value must also be specified. This is a technical
3005 limitation imposed by the kernel’s iptables firewall,
3006 which Calico uses to enforce the rule.
3009 description: Match on a specific ICMP type. For example
3010 a value of 8 refers to ICMP Echo Request (i.e. pings).
3017 description: NotProtocol is the negated version of the Protocol
3020 x-kubernetes-int-or-string: true
3025 description: "Protocol is an optional field that restricts the
3026 rule to only apply to traffic of a specific IP protocol. Required
3027 if any of the EntityRules contain Ports (because ports only
3028 apply to certain protocols). \n Must be one of these string
3029 values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3030 \"UDPLite\" or an integer in the range 1-255."
3032 x-kubernetes-int-or-string: true
3034 description: Source contains the match criteria that apply to
3038 description: "NamespaceSelector is an optional field that
3039 contains a selector expression. Only traffic that originates
3040 from (or terminates at) endpoints within the selected
3041 namespaces will be matched. When both NamespaceSelector
3042 and Selector are defined on the same rule, then only workload
3043 endpoints that are matched by both selectors will be selected
3044 by the rule. \n For NetworkPolicy, an empty NamespaceSelector
3045 implies that the Selector is limited to selecting only
3046 workload endpoints in the same namespace as the NetworkPolicy.
3047 \n For NetworkPolicy, `global()` NamespaceSelector implies
3048 that the Selector is limited to selecting only GlobalNetworkSet
3049 or HostEndpoint. \n For GlobalNetworkPolicy, an empty
3050 NamespaceSelector implies the Selector applies to workload
3051 endpoints across all namespaces."
3054 description: Nets is an optional field that restricts the
3055 rule to only apply to traffic that originates from (or
3056 terminates at) IP addresses in any of the given subnets.
3061 description: NotNets is the negated version of the Nets
3067 description: NotPorts is the negated version of the Ports
3068 field. Since only some protocols have ports, if any ports
3069 are specified it requires the Protocol match in the Rule
3070 to be set to "TCP" or "UDP".
3076 x-kubernetes-int-or-string: true
3079 description: NotSelector is the negated version of the Selector
3080 field. See Selector field for subtleties with negated
3084 description: "Ports is an optional field that restricts
3085 the rule to only apply to traffic that has a source (destination)
3086 port that matches one of these ranges/values. This value
3087 is a list of integers or strings that represent ranges
3088 of ports. \n Since only some protocols have ports, if
3089 any ports are specified it requires the Protocol match
3090 in the Rule to be set to \"TCP\" or \"UDP\"."
3096 x-kubernetes-int-or-string: true
3099 description: "Selector is an optional field that contains
3100 a selector expression (see Policy for sample syntax).
3101 \ Only traffic that originates from (terminates at) endpoints
3102 matching the selector will be matched. \n Note that: in
3103 addition to the negated version of the Selector (see NotSelector
3104 below), the selector expression syntax itself supports
3105 negation. The two types of negation are subtly different.
3106 One negates the set of matched endpoints, the other negates
3107 the whole match: \n \tSelector = \"!has(my_label)\" matches
3108 packets that are from other Calico-controlled \tendpoints
3109 that do not have the label “my_label”. \n \tNotSelector
3110 = \"has(my_label)\" matches packets that are not from
3111 Calico-controlled \tendpoints that do have the label “my_label”.
3112 \n The effect is that the latter will accept packets from
3113 non-Calico sources whereas the former is limited to packets
3114 from Calico-controlled endpoints."
3117 description: ServiceAccounts is an optional field that restricts
3118 the rule to only apply to traffic that originates from
3119 (or terminates at) a pod running as a matching service
3123 description: Names is an optional field that restricts
3124 the rule to only apply to traffic that originates
3125 from (or terminates at) a pod running as a service
3126 account whose name is in the list.
3131 description: Selector is an optional field that restricts
3132 the rule to only apply to traffic that originates
3133 from (or terminates at) a pod running as a service
3134 account that matches the given label selector. If
3135 both Names and Selector are specified then they are
3145 description: Order is an optional field that specifies the order in
3146 which the policy is applied. Policies with higher "order" are applied
3147 after those with lower order. If the order is omitted, it may be
3148 considered to be "infinite" - i.e. the policy will be applied last. Policies
3149 with identical order will be applied in alphanumerical order based
3150 on the Policy "Name".
3153 description: "The selector is an expression used to pick pick out
3154 the endpoints that the policy should be applied to. \n Selector
3155 expressions follow this syntax: \n \tlabel == \"string_literal\"
3156 \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3157 \ -> not equal; also matches if label is not present \tlabel in
3158 { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
3159 one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3160 ... } -> true if the value of label X is not one of \"a\", \"b\",
3161 \"c\" \thas(label_name) -> True if that label is present \t! expr
3162 -> negation of expr \texpr && expr -> Short-circuit and \texpr
3163 || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3164 or the empty selector -> matches all endpoints. \n Label names are
3165 allowed to contain alphanumerics, -, _ and /. String literals are
3166 more permissive but they do not support escape characters. \n Examples
3167 (with made-up labels): \n \ttype == \"webserver\" && deployment
3168 == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3169 \"dev\" \t! has(label_name)"
3171 serviceAccountSelector:
3172 description: ServiceAccountSelector is an optional field for an expression
3173 used to select a pod based on service accounts.
3176 description: "Types indicates whether this policy applies to ingress,
3177 or to egress, or to both. When not explicitly specified (and so
3178 the value on creation is empty or nil), Calico defaults Types according
3179 to what Ingress and Egress are present in the policy. The default
3180 is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3181 the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
3182 ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3183 PolicyTypeEgress ], if there are both Ingress and Egress rules.
3184 \n When the policy is read back again, Types will always be one
3185 of these values, never empty or nil."
3187 description: PolicyType enumerates the possible values of the PolicySpec
3205 apiVersion: apiextensions.k8s.io/v1
3206 kind: CustomResourceDefinition
3209 controller-gen.kubebuilder.io/version: (devel)
3210 creationTimestamp: null
3211 name: networksets.crd.projectcalico.org
3213 group: crd.projectcalico.org
3216 listKind: NetworkSetList
3218 singular: networkset
3224 description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3227 description: 'APIVersion defines the versioned schema of this representation
3228 of an object. Servers should convert recognized schemas to the latest
3229 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3232 description: 'Kind is a string value representing the REST resource this
3233 object represents. Servers may infer this from the endpoint the client
3234 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3239 description: NetworkSetSpec contains the specification for a NetworkSet
3243 description: The list of IP networks that belong to this set.
3260 # Source: calico/templates/calico-kube-controllers-rbac.yaml
3262 # Include a clusterrole for the kube-controllers component,
3263 # and bind it to the calico-kube-controllers serviceaccount.
3265 apiVersion: rbac.authorization.k8s.io/v1
3267 name: calico-kube-controllers
3269 # Nodes are watched to monitor for deletions.
3277 # Pods are queried to check for existence.
3283 # IPAM resources are manipulated when nodes are deleted.
3284 - apiGroups: ["crd.projectcalico.org"]
3289 - apiGroups: ["crd.projectcalico.org"]
3300 # kube-controllers manages hostendpoints.
3301 - apiGroups: ["crd.projectcalico.org"]
3310 # Needs access to update clusterinformations.
3311 - apiGroups: ["crd.projectcalico.org"]
3313 - clusterinformations
3318 # KubeControllersConfiguration is where it gets its config
3319 - apiGroups: ["crd.projectcalico.org"]
3321 - kubecontrollersconfigurations
3323 # read its own config
3325 # create a default if none exists
3332 kind: ClusterRoleBinding
3333 apiVersion: rbac.authorization.k8s.io/v1
3335 name: calico-kube-controllers
3337 apiGroup: rbac.authorization.k8s.io
3339 name: calico-kube-controllers
3341 - kind: ServiceAccount
3342 name: calico-kube-controllers
3343 namespace: kube-system
3347 # Source: calico/templates/calico-node-rbac.yaml
3348 # Include a clusterrole for the calico-node DaemonSet,
3349 # and bind it to the calico-node serviceaccount.
3351 apiVersion: rbac.authorization.k8s.io/v1
3355 # The CNI plugin needs to get pods, nodes, and namespaces.
3368 # Used to discover service IPs for advertisement.
3371 # Used to discover Typhas.
3373 # Pod CIDR auto-detection on kubeadm needs access to config maps.
3383 # Needed for clearing NodeNetworkUnavailable flag.
3385 # Calico stores some configuration information in node annotations.
3387 # Watch for changes to Kubernetes NetworkPolicies.
3388 - apiGroups: ["networking.k8s.io"]
3394 # Used by Calico for policy information.
3403 # The CNI plugin patches pods/status.
3409 # Calico monitors various CRDs for config.
3410 - apiGroups: ["crd.projectcalico.org"]
3412 - globalfelixconfigs
3413 - felixconfigurations
3419 - globalnetworkpolicies
3423 - clusterinformations
3430 # Calico must create and update some CRDs on startup.
3431 - apiGroups: ["crd.projectcalico.org"]
3434 - felixconfigurations
3435 - clusterinformations
3439 # Calico stores some configuration information on the node.
3447 # These permissions are only required for upgrade from v2.6, and can
3448 # be removed after upgrade or on fresh installations.
3449 - apiGroups: ["crd.projectcalico.org"]
3456 # These permissions are required for Calico CNI to perform IPAM allocations.
3457 - apiGroups: ["crd.projectcalico.org"]
3468 - apiGroups: ["crd.projectcalico.org"]
3473 # Block affinities must also be watchable by confd for route aggregation.
3474 - apiGroups: ["crd.projectcalico.org"]
3479 # The Calico IPAM migration needs to get daemonsets. These permissions can be
3480 # removed if not upgrading from an installation using host-local IPAM.
3481 - apiGroups: ["apps"]
3488 apiVersion: rbac.authorization.k8s.io/v1
3489 kind: ClusterRoleBinding
3493 apiGroup: rbac.authorization.k8s.io
3497 - kind: ServiceAccount
3499 namespace: kube-system
3502 # Source: calico/templates/calico-node.yaml
3503 # This manifest installs the calico-node container, as well
3504 # as the CNI plugins and network config on
3505 # each master and worker node in a Kubernetes cluster.
3510 namespace: kube-system
3512 k8s-app: calico-node
3516 k8s-app: calico-node
3524 k8s-app: calico-node
3527 kubernetes.io/os: linux
3530 # Make sure calico-node gets scheduled on all nodes.
3531 - effect: NoSchedule
3533 # Mark the pod as a critical add-on for rescheduling.
3534 - key: CriticalAddonsOnly
3538 serviceAccountName: calico-node
3539 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
3540 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
3541 terminationGracePeriodSeconds: 0
3542 priorityClassName: system-node-critical
3544 # This container performs upgrade from host-local IPAM to calico-ipam.
3545 # It can be deleted if this is a fresh installation, or if you have already
3546 # upgraded to use calico-ipam.
3547 - name: upgrade-ipam
3548 image: calico/cni:v3.16.1
3549 command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
3552 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3553 name: kubernetes-services-endpoint
3556 - name: KUBERNETES_NODE_NAME
3559 fieldPath: spec.nodeName
3560 - name: CALICO_NETWORKING_BACKEND
3566 - mountPath: /var/lib/cni/networks
3567 name: host-local-net-dir
3568 - mountPath: /host/opt/cni/bin
3572 # This container installs the CNI binaries
3573 # and CNI network config file on each node.
3575 image: calico/cni:v3.16.1
3576 command: ["/opt/cni/bin/install"]
3579 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3580 name: kubernetes-services-endpoint
3583 # Name of the CNI config file to create.
3584 - name: CNI_CONF_NAME
3585 value: "10-calico.conflist"
3586 # The CNI network config to install on each node.
3587 - name: CNI_NETWORK_CONFIG
3591 key: cni_network_config
3592 # Set the hostname based on the k8s node name.
3593 - name: KUBERNETES_NODE_NAME
3596 fieldPath: spec.nodeName
3597 # CNI MTU Config variable
3603 # Prevents the container from sleeping forever.
3607 - mountPath: /host/opt/cni/bin
3609 - mountPath: /host/etc/cni/net.d
3613 # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
3614 # to communicate with Felix over the Policy Sync API.
3615 - name: flexvol-driver
3616 image: calico/pod2daemon-flexvol:v3.16.1
3618 - name: flexvol-driver-host
3619 mountPath: /host/driver
3623 # Runs calico-node container on each Kubernetes node. This
3624 # container programs network policy and routes on each
3627 image: calico/node:v3.16.1
3630 # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3631 name: kubernetes-services-endpoint
3634 # Use Kubernetes API as the backing datastore.
3635 - name: DATASTORE_TYPE
3637 # Wait for the datastore.
3638 - name: WAIT_FOR_DATASTORE
3640 # Set based on the k8s node name.
3644 fieldPath: spec.nodeName
3645 # Choose the backend to use.
3646 - name: CALICO_NETWORKING_BACKEND
3651 # Cluster type to identify the deployment type
3652 - name: CLUSTER_TYPE
3654 # Auto-detect the BGP IP address.
3658 - name: CALICO_IPV4POOL_IPIP
3660 # Enable or Disable VXLAN on the default IP pool.
3661 - name: CALICO_IPV4POOL_VXLAN
3663 # Set MTU for tunnel device used if ipip is enabled
3664 - name: FELIX_IPINIPMTU
3669 # Set MTU for the VXLAN tunnel device.
3670 - name: FELIX_VXLANMTU
3675 # Set MTU for the Wireguard tunnel device.
3676 - name: FELIX_WIREGUARDMTU
3681 # The default IPv4 pool to create on startup if none exists. Pod IPs will be
3682 # chosen from this range. Changing this value after installation will have
3683 # no effect. This should fall within `--cluster-cidr`.
3684 # - name: CALICO_IPV4POOL_CIDR
3685 # value: "192.168.0.0/16"
3686 # Disable file logging so `kubectl logs` works.
3687 - name: CALICO_DISABLE_FILE_LOGGING
3689 # Set Felix endpoint to host default action to ACCEPT.
3690 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
3692 # Disable IPv6 on Kubernetes.
3693 - name: FELIX_IPV6SUPPORT
3695 # Set Felix logging to "info"
3696 - name: FELIX_LOGSEVERITYSCREEN
3698 - name: FELIX_HEALTHENABLED
3712 initialDelaySeconds: 10
3722 - mountPath: /lib/modules
3725 - mountPath: /run/xtables.lock
3728 - mountPath: /var/run/calico
3729 name: var-run-calico
3731 - mountPath: /var/lib/calico
3732 name: var-lib-calico
3735 mountPath: /var/run/nodeagent
3736 # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
3740 # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
3741 # If the host is known to mount that filesystem already then Bidirectional can be omitted.
3742 mountPropagation: Bidirectional
3744 # Used by calico-node.
3748 - name: var-run-calico
3750 path: /var/run/calico
3751 - name: var-lib-calico
3753 path: /var/lib/calico
3754 - name: xtables-lock
3756 path: /run/xtables.lock
3761 type: DirectoryOrCreate
3762 # Used to install CNI.
3768 path: /etc/cni/net.d
3769 # Mount in the directory for host-local IPAM allocations. This is
3770 # used when upgrading from host-local to calico-ipam, and can be removed
3771 # if not using the upgrade-ipam init container.
3772 - name: host-local-net-dir
3774 path: /var/lib/cni/networks
3775 # Used to create per-pod Unix Domain Sockets
3778 type: DirectoryOrCreate
3779 path: /var/run/nodeagent
3780 # Used to install Flex Volume Driver
3781 - name: flexvol-driver-host
3783 type: DirectoryOrCreate
3784 path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
3788 kind: ServiceAccount
3791 namespace: kube-system
3794 # Source: calico/templates/calico-kube-controllers.yaml
3795 # See https://github.com/projectcalico/kube-controllers
3799 name: calico-kube-controllers
3800 namespace: kube-system
3802 k8s-app: calico-kube-controllers
3804 # The controllers can only have a single active instance.
3808 k8s-app: calico-kube-controllers
3813 name: calico-kube-controllers
3814 namespace: kube-system
3816 k8s-app: calico-kube-controllers
3819 kubernetes.io/os: linux
3821 # Mark the pod as a critical add-on for rescheduling.
3822 - key: CriticalAddonsOnly
3824 - key: node-role.kubernetes.io/master
3826 serviceAccountName: calico-kube-controllers
3827 priorityClassName: system-cluster-critical
3829 - name: calico-kube-controllers
3830 image: calico/kube-controllers:v3.16.1
3832 # Choose which controllers to run.
3833 - name: ENABLED_CONTROLLERS
3835 - name: DATASTORE_TYPE
3840 - /usr/bin/check-status
3846 kind: ServiceAccount
3848 name: calico-kube-controllers
3849 namespace: kube-system
3852 # Source: calico/templates/calico-etcd-secrets.yaml
3855 # Source: calico/templates/calico-typha.yaml
3858 # Source: calico/templates/configure-canal.yaml
Code Review / ovn4nfv-k8s-plugin.git / blob