├── network
    ├── none.yml
    ├── flannel.yml
    └── calico.yml
├── tools
    ├── ns
    │   ├── ns1
    │   ├── ns
    │   ├── ns2
    │   └── ns0
    └── iftype
├── .gitignore
├── .travis.yml
├── join
├── install
├── vagrant
    ├── single
    │   └── Vagrantfile
    └── twin
    │   └── Vagrantfile
├── init
├── README.en.md
└── README.md


/network/none.yml:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/tools/ns/ns1:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
4 | 
5 | ./ns0 | sort -k 1n | uniq -w 20


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | vagrant/single/*
 2 | vagrant/twin/*
 3 | .vagrant/*
 4 | *.log
 5 | 
 6 | # direnv.net configs
 7 | .envrc
 8 | 
 9 | # temporary configs
10 | /Vagrantfile
11 | .kubeconfig
12 | 
13 | # editor temporary files
14 | *.swp
15 | *~
16 | 


--------------------------------------------------------------------------------
/tools/ns/ns:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # credits to
4 | # https://unix.stackexchange.com/questions/505112/how-do-i-find-all-interfaces-that-have-been-configured-in-linux-including-those/505978#505978
5 | 
6 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
7 | 
8 | ./ns1 | ./ns2


--------------------------------------------------------------------------------
/tools/ns/ns2:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
 4 | 
 5 | echo -n 'INIT NETWORK: ' ; stat -L -c %i /proc/1/ns/net
 6 | echo ''
 7 | 
 8 | while read -r inode reference; do
 9 |     echo "network $inode"
10 |     if nsenter --net="$reference" ip -br address show 2>/dev/null; then
11 |         echo ''
12 |     fi
13 | done


--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
 1 | dist: xenial
 2 | language: generic
 3 | addons:
 4 |   apt:
 5 |     packages:
 6 |       - iproute2
 7 | install:
 8 |   - sudo ./install
 9 | script:
10 |   - sudo ./init $(ip r | grep '^default' | grep -o 'dev .*' | cut -d' '  -f2)
11 |   - KUBECONFIG=/etc/kubernetes/admin.conf sudo kubectl apply -f network/$NETWORK.yml
12 | env:
13 |   - NETWORK="flannel"
14 |   - NETWORK="calico"


--------------------------------------------------------------------------------
/tools/ns/ns0:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
 4 | 
 5 | lsns -n -u -t net -o NS,PATH | while read inode path; do printf '%20u %s\n' $inode "$path"; done
 6 | 
 7 | awk '$3 == "nsfs" { print $2 }' /proc/mounts | while read -r mount; do
 8 |         stat -c '%20i %n' "$mount"
 9 | done
10 | 
11 | find /proc/ -mindepth 1 -maxdepth 1 -name '[1-9]*' | while read -r procpid; do
12 |         find $procpid/fd -mindepth 1 | while read -r procfd; do
13 |                 if [ "$(stat -f -c %T $procfd)" = nsfs ]; then
14 |                         stat -L -c '%20i %n' $procfd
15 |                 fi
16 |         done
17 | done 2>/dev/null


--------------------------------------------------------------------------------
/join:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
 4 | 
 5 | if [ -z "$1" ] || [ -z "$2" ]; then
 6 |   echo "Usage: $0 <interface> <endpoint>, eg $0 eth0 192.168.56.110:6443"
 7 |   echo "Interfaces found (UP only):"
 8 |   ip a | grep --color=never UP
 9 | 
10 |   exit 255;
11 | fi
12 | 
13 | IP=$(ip -4 addr show $1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
14 | 
15 | if [ -z "$IP" ]; then
16 |   echo "No IPv4 found on $1" 1>&2;
17 |   exit 1;
18 | fi
19 | 
20 | cat << EOF > /etc/default/kubelet
21 | KUBELET_EXTRA_ARGS="--node-ip=$IP"
22 | EOF
23 | 
24 | kubeadm join $2 --token abcdef.k1s0static0token --discovery-token-unsafe-skip-ca-verification
25 | 


--------------------------------------------------------------------------------
/tools/iftype:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Credits to
 4 | # https://unix.stackexchange.com/questions/272850/how-to-determine-the-logical-type-of-a-linux-network-device
 5 | 
 6 | # Arguments: $1: Interface ('grep'-regexp).
 7 | 
 8 | # Static list of types (from `ip link help`):
 9 | TYPES=(bond bond_slave bridge dummy gre gretap ifb ip6gre ip6gretap ip6tnl ipip ipoib ipvlan macvlan macvtap nlmon sit vcan veth vlan vti vxlan tun tap)
10 | 
11 | iface="$1"
12 | 
13 | for type in "${TYPES[@]}"; do
14 |   ip link show type "${type}" | grep -E '^[0-9]+:' | cut -d ':' -f 2 | sed 's|^[[:space:]]*||' | while read _if; do
15 |     echo "${_if}:${type}"
16 |   done | grep "^${iface}"
17 | done
18 | 
19 | 


--------------------------------------------------------------------------------
/install:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
 4 | 
 5 | VERSION="${1:-1.25.5-00}"
 6 | 
 7 | apt-get update
 8 | 
 9 | apt-get install -qy containerd gnupg2 apt-transport-https curl
10 | 
11 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
12 | echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
13 | 
14 | apt-get update
15 | 
16 | apt-get install -qy kubelet=${VERSION} kubeadm=${VERSION} kubectl=${VERSION} kubernetes-cni
17 | apt-mark hold kubelet kubeadm kubectl
18 | 
19 | swapoff -a
20 | sed -i 's/\(.*swap.*\)/#\1/g' /etc/fstab
21 | 
22 | modprobe br_netfilter
23 | echo "br_netfilter" | tee /etc/modules-load.d/br_netfilter.conf
24 | 
25 | echo "net.ipv4.ip_forward = 1" | tee /etc/sysctl.d/9999-k8s.conf
26 | echo "net.bridge.bridge-nf-call-iptables = 1" | tee -a tee /etc/sysctl.d/9999-k8s.conf
27 | sysctl --system
28 | 


--------------------------------------------------------------------------------
/vagrant/single/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | $network = ENV["NETWORK"] || "flannel"
 5 | 
 6 | $ip = "192.168.33.110"
 7 | 
 8 | $script = <<SCRIPT
 9 | apt-get update
10 | apt-get install -qy git
11 | 
12 | git clone https://github.com/maniaque/k1s.git
13 | 
14 | cd k1s
15 | 
16 | ./install
17 | 
18 | ./init $(ip a | grep "#{$ip}" | grep -o \"[^ ]\\+$\")
19 | 
20 | KUBECONFIG=/etc/kubernetes/admin.conf kubectl apply -f network/"#{$network}".yml
21 | 
22 | rm -rf ~/.kube
23 | SCRIPT
24 | 
25 | $message = <<MESSAGE
26 | Done! Please run
27 | 
28 | vagrant ssh -c 'cat /home/vagrant/.kube/config' > ~/.kube/config
29 | 
30 | to get config file of your cluster, or use "vagrant ssh" and kubectl
31 | MESSAGE
32 | 
33 | Vagrant.configure("2") do |config|
34 |   config.vm.box = "ubuntu/focal64"
35 | 
36 |   config.vm.define "k1s" do |i|
37 |     i.vm.hostname = "k1s"
38 |     i.vm.network "private_network", ip: $ip
39 |   end
40 | 
41 |   config.vm.provider "virtualbox" do |vb|
42 |     vb.memory = "2048"
43 |     vb.name = "k1s"
44 |     vb.cpus = 2
45 |   end
46 | 
47 |   config.vm.provision "shell", inline: $script
48 |   config.vm.post_up_message = $message
49 | end
50 | 


--------------------------------------------------------------------------------
/init:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ $EUID -ne 0 ]]; then echo "root required" 1>&2; exit 1; fi
 4 | 
 5 | if [ -z "$1" ]; then
 6 |   echo "Usage: $0 <interface>"
 7 |   echo "Interfaces found (UP only):"
 8 |   ip a | grep --color=never UP
 9 |   exit 255;
10 | fi
11 | 
12 | DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
13 | USER=$SUDO_USER
14 | KUBE=$(eval echo "~$USER")/.kube
15 | POD_CIDR=10.244.0.0/16
16 | 
17 | IP=$(ip -4 addr show $1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
18 | 
19 | if [ -z "$IP" ]; then
20 |   echo "No IPv4 found on $1" 1>&2;
21 |   exit 1;
22 | fi
23 | 
24 | # generate network settings
25 | 
26 | # flannel
27 | sed -i s/{{interface}}/$1/g $DIR/network/flannel.yml
28 | sed -i -e "s?{{pod_cidr}}?$POD_CIDR?g" $DIR/network/flannel.yml
29 | 
30 | # calico
31 | sed -i -e "s?{{pod_cidr}}?$POD_CIDR?g" $DIR/network/calico.yml
32 | 
33 | # check for second run
34 | ADMINCONF="/etc/kubernetes/admin.conf"
35 | if [ -f "$ADMINCONF" ]; then
36 |   echo "$ADMINCONF exists, init already done";
37 |   exit 0;
38 | fi
39 | 
40 | # NOTE: We need --pod-network-cidr=<...> for any networking plugin to function
41 | 
42 | kubeadm init \
43 | --apiserver-advertise-address=$IP \
44 | --pod-network-cidr=$POD_CIDR \
45 | --ignore-preflight-errors=NumCPU \
46 | --token=abcdef.k1s0static0token
47 | 
48 | if [ $? -ne 0 ]; then
49 |   echo "kubeadm not found or failed" 1>&2;
50 |   exit 2;
51 | fi
52 | 
53 | KUBECONFIG=/etc/kubernetes/admin.conf kubectl taint nodes --all node-role.kubernetes.io/control-plane-
54 | rm -rf $HOME/.kube
55 | 
56 | # append IP address to kubeletet configuration
57 | cat << EOF > /etc/default/kubelet
58 | KUBELET_EXTRA_ARGS="--node-ip=$IP"
59 | EOF
60 | 
61 | systemctl restart kubelet
62 | 
63 | # copy and chown config to access cluster
64 | mkdir -p $KUBE
65 | cp -i /etc/kubernetes/admin.conf $KUBE/config
66 | chown -R $USER:$(id -gn $USER) $KUBE
67 | 


--------------------------------------------------------------------------------
/vagrant/twin/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | NAME_MASTER="k1s-master"
 5 | NAME_NODE="k1s-node"
 6 | 
 7 | $network = ENV["NETWORK"] || "flannel"
 8 | $version = ENV["VERSION"] || "1.25.5-00"
 9 | 
10 | $ip_master = "192.168.33.110"
11 | $ip_node = "192.168.33.120"
12 | 
13 | $provision_common = <<SCRIPT
14 | apt-get update
15 | apt-get install -qy git
16 | 
17 | git clone https://github.com/maniaque/k1s.git
18 | SCRIPT
19 | 
20 | $provision_master = <<SCRIPT
21 | cd k1s
22 | 
23 | ./install #{$version}
24 | 
25 | ./init $(ip a | grep "#{$ip_master}" | grep -o \"[^ ]\\+$\")
26 | 
27 | KUBECONFIG=/etc/kubernetes/admin.conf kubectl apply -f network/"#{$network}".yml
28 | 
29 | rm -rf ~/.kube
30 | SCRIPT
31 | 
32 | $provision_node = <<SCRIPT
33 | cd k1s
34 | 
35 | ./install #{$version}
36 | 
37 | ./join $(ip a | grep "#{$ip_node}" | grep -o \"[^ ]\\+$\") #{$ip_master}:6443
38 | 
39 | echo 'Done! Joined.'
40 | SCRIPT
41 | 
42 | $provision_message = <<SCRIPT
43 | echo 'Done! Please run'
44 | echo "vagrant ssh #{NAME_MASTER} -c 'cat /home/vagrant/.kube/config' > ~/.kube/config"
45 | echo 'to get config file of your cluster, or use "vagrant ssh" and kubectl'
46 | SCRIPT
47 | 
48 | Vagrant.configure("2") do |config|
49 |   config.vm.box = "ubuntu/focal64"
50 | 
51 |   config.vm.define NAME_MASTER do |master|
52 |     master.vm.hostname = NAME_MASTER
53 |     master.vm.network "private_network", ip: $ip_master
54 | 
55 |     master.vm.provider "virtualbox" do |vb|
56 |       vb.memory = "4096"
57 |       vb.name = NAME_MASTER
58 |       vb.cpus = 2
59 |     end
60 | 
61 |     master.vm.provision "shell", inline: $provision_master
62 |   end
63 | 
64 |   config.vm.define NAME_NODE do |node|
65 |     node.vm.hostname = NAME_NODE
66 |     node.vm.network "private_network", ip: $ip_node
67 | 
68 |     node.vm.provider "virtualbox" do |vb|
69 |       vb.memory = "4096"
70 |       vb.name = NAME_NODE
71 |       vb.cpus = 2
72 |     end
73 | 
74 |     node.vm.provision "shell", inline: $provision_node
75 |     node.vm.provision "shell", inline: $provision_message
76 |   end
77 | 
78 |   config.vm.provision "shell", inline: $provision_common
79 | end
80 | 


--------------------------------------------------------------------------------
/README.en.md:
--------------------------------------------------------------------------------
 1 | ## What is it?
 2 | This is a bunch of scripts to fire up small Kubernetes cluster with Calico or Flannel networking.
 3 | 
 4 | Suggested environment:
 5 | * virtual machine (VirtualBox or something like)
 6 | * Ubuntu 20.04
 7 | 
 8 | Each virtual machine is implied to have two network adapters:
 9 | * NAT (for Internet access)
10 | * Host-only adapter (to communicate betweed nodes and host machine)
11 | 
12 | This is not a requirement! If a virtual machine could have Internet access and LAN on the same adapter (NAT Network in VirtualBox), this would be fine.
13 | 
14 | ## Using Vagrant
15 | 
16 | You can run the cluster on Linux as described below or use Vagrant:
17 | 
18 | * `vagrant/single` - single node kubernetes cluster in Vagrant
19 | * `vagrant/twin` - two node kubernetes cluster in Vagrant (master + worker)
20 | 
21 | ## Creating cluster
22 | 
23 | 1. Install required packages and hold versions:
24 | 
25 | `sudo ./install`
26 | 
27 | 2. Create the cluster itself. As the only argument we need is interface name (usually Host-only interface):
28 | * Kubernetes API server will listen on it
29 | * node to node communication will happen through it
30 | 
31 | To see interface names just start it without parameters:
32 | 
33 | `sudo ./init`
34 | 
35 | To create cluster run it with interface name parameter:
36 | 
37 | `sudo ./init enp0s8`
38 | 
39 | **Script will automatically copy kubectl config file to `~/.kube/config`. If you have any important configuration there, please, back it up first.**
40 | 
41 | 3. Cluster creation script will prepare all required manifests for network plugins. All you have to do is to select which one you like more:
42 | 
43 | ### Flannel
44 | 
45 | `kubectl apply -f network/flannel.yml`
46 | 
47 | ### Calico
48 | 
49 | `kubectl apply -f network/calico.yml`
50 | 
51 | ## Joining a node
52 | 
53 | 1. Install required packages and hold versions:
54 | 
55 | `sudo ./install`
56 | 
57 | 2. To join a node you have to run `./join` with two parameters:
58 | * name of the interface for node to node communication
59 | * endpoint of Kubernetes API server
60 | 
61 | To see interface names start it without parameters:
62 | 
63 | `sudo ./join`
64 | 
65 | To join just start it with parameters:
66 | 
67 | `sudo ./join enp0s8 192.168.56.110:6443`
68 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | [English version](README.en.md) is also available.
 2 | 
 3 | ## Что это?
 4 | Набор скриптов для того, чтобы быстро поднять простенький кластер Kubernetes.
 5 | Cеть может быть Flannel или Calico, на выбор.
 6 | 
 7 | Окружение:
 8 | * виртуальная машина (VirtualBox, но сойдет любой способ)
 9 | * Ubuntu 20.04
10 | 
11 | Подразумевается, что у каждой виртуальной машины есть два сетевых интерфейса:
12 | * NAT (для доступа в Internet)
13 | * Host-only (для общения с другими машинами и нашей хостовой машиной)
14 | 
15 | Можно использовать и один интерфейс, если машины могут видеть на нем друг друга и иметь доступ в интернет (NAT Network в Virtual Box).
16 | 
17 | ## Использование Vagrant
18 | 
19 | Кластер можно запустить на Linux как указано ниже, либо воспользоваться Vagrant для запуска.
20 | 
21 | * `vagrant/single` - однонодовый кластер kubernetes в Vagrant
22 | * `vagrant/twin` - двухнодовый кластер kubernetes в Vagrant (master + worker)
23 | 
24 | 
25 | ## Создание кластера
26 | 
27 | 1. Устанавливаем необходимые пакеты и закрепляем их версии
28 | 
29 | `sudo ./install`
30 | 
31 | 2. Создаем кластер. В качестве аргумента нужно передать имя интерфейса (обычно это Host-only):
32 | * на нем будет слушать Kubernetes API server
33 | * он будет использоваться для общения между нодами
34 | 
35 | Чтобы посмотреть работающие интерфейсы, просто запускаем без параметров
36 | 
37 | `sudo ./init`
38 | 
39 | Чтобы инициализировать кластер, запускаем с параметром:
40 | 
41 | `sudo ./init enp0s8`
42 | 
43 | **На этой стадии конфигурационный файл для kubectl будет скопирован в `~/.kube/config`, поэтому если в этом файле есть что-то важное, сохраните его.**
44 | 
45 | 3. Предыдущая стадия подготовит манифесты сетевых плагинов, нужно просто выбрать, какой из них установить.
46 | 
47 | ### Для Flannel
48 | 
49 | `kubectl apply -f network/flannel.yml`
50 | 
51 | ### Для Calico
52 | 
53 | `kubectl apply -f network/calico.yml`
54 | 
55 | 
56 | ## Присоединение ноды
57 | 
58 | 1. Устанавливаем необходимые пакеты и закрепляем их версии
59 | 
60 | `sudo ./install`
61 | 
62 | 2. Чтобы присоединить ноду к кластеру нужно вызвать скрипт `./join` и передать ему два параметра:
63 | * имя интерфейса для общения между нодами
64 | * endpoint, на котором слушает Kubernetes API server
65 | 
66 | Чтобы посмотреть работающие интерфейсы, просто запускаем без параметров
67 | 
68 | `sudo ./join`
69 | 
70 | Чтобы присоединиться, запускаем с параметрами:
71 | 
72 | `sudo ./join enp0s8 192.168.56.110:6443`
73 | 


--------------------------------------------------------------------------------
/network/flannel.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | kind: Namespace
  3 | apiVersion: v1
  4 | metadata:
  5 |   name: kube-flannel
  6 |   labels:
  7 |     pod-security.kubernetes.io/enforce: privileged
  8 | ---
  9 | kind: ClusterRole
 10 | apiVersion: rbac.authorization.k8s.io/v1
 11 | metadata:
 12 |   name: flannel
 13 | rules:
 14 | - apiGroups:
 15 |   - ""
 16 |   resources:
 17 |   - pods
 18 |   verbs:
 19 |   - get
 20 | - apiGroups:
 21 |   - ""
 22 |   resources:
 23 |   - nodes
 24 |   verbs:
 25 |   - get
 26 |   - list
 27 |   - watch
 28 | - apiGroups:
 29 |   - ""
 30 |   resources:
 31 |   - nodes/status
 32 |   verbs:
 33 |   - patch
 34 | ---
 35 | kind: ClusterRoleBinding
 36 | apiVersion: rbac.authorization.k8s.io/v1
 37 | metadata:
 38 |   name: flannel
 39 | roleRef:
 40 |   apiGroup: rbac.authorization.k8s.io
 41 |   kind: ClusterRole
 42 |   name: flannel
 43 | subjects:
 44 | - kind: ServiceAccount
 45 |   name: flannel
 46 |   namespace: kube-flannel
 47 | ---
 48 | apiVersion: v1
 49 | kind: ServiceAccount
 50 | metadata:
 51 |   name: flannel
 52 |   namespace: kube-flannel
 53 | ---
 54 | kind: ConfigMap
 55 | apiVersion: v1
 56 | metadata:
 57 |   name: kube-flannel-cfg
 58 |   namespace: kube-flannel
 59 |   labels:
 60 |     tier: node
 61 |     app: flannel
 62 | data:
 63 |   cni-conf.json: |
 64 |     {
 65 |       "name": "cbr0",
 66 |       "cniVersion": "0.3.1",
 67 |       "plugins": [
 68 |         {
 69 |           "type": "flannel",
 70 |           "delegate": {
 71 |             "hairpinMode": true,
 72 |             "isDefaultGateway": true
 73 |           }
 74 |         },
 75 |         {
 76 |           "type": "portmap",
 77 |           "capabilities": {
 78 |             "portMappings": true
 79 |           }
 80 |         }
 81 |       ]
 82 |     }
 83 |   net-conf.json: |
 84 |     {
 85 |       "Network": "{{pod_cidr}}",
 86 |       "Backend": {
 87 |         "Type": "vxlan"
 88 |       }
 89 |     }
 90 | ---
 91 | apiVersion: apps/v1
 92 | kind: DaemonSet
 93 | metadata:
 94 |   name: kube-flannel-ds
 95 |   namespace: kube-flannel
 96 |   labels:
 97 |     tier: node
 98 |     app: flannel
 99 | spec:
100 |   selector:
101 |     matchLabels:
102 |       app: flannel
103 |   template:
104 |     metadata:
105 |       labels:
106 |         tier: node
107 |         app: flannel
108 |     spec:
109 |       affinity:
110 |         nodeAffinity:
111 |           requiredDuringSchedulingIgnoredDuringExecution:
112 |             nodeSelectorTerms:
113 |             - matchExpressions:
114 |               - key: kubernetes.io/os
115 |                 operator: In
116 |                 values:
117 |                 - linux
118 |       hostNetwork: true
119 |       priorityClassName: system-node-critical
120 |       tolerations:
121 |       - operator: Exists
122 |         effect: NoSchedule
123 |       serviceAccountName: flannel
124 |       initContainers:
125 |       - name: install-cni-plugin
126 |        #image: flannelcni/flannel-cni-plugin:v1.1.0 for ppc64le and mips64le (dockerhub limitations may apply)
127 |         image: docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0
128 |         command:
129 |         - cp
130 |         args:
131 |         - -f
132 |         - /flannel
133 |         - /opt/cni/bin/flannel
134 |         volumeMounts:
135 |         - name: cni-plugin
136 |           mountPath: /opt/cni/bin
137 |       - name: install-cni
138 |        #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply)
139 |         image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2
140 |         command:
141 |         - cp
142 |         args:
143 |         - -f
144 |         - /etc/kube-flannel/cni-conf.json
145 |         - /etc/cni/net.d/10-flannel.conflist
146 |         volumeMounts:
147 |         - name: cni
148 |           mountPath: /etc/cni/net.d
149 |         - name: flannel-cfg
150 |           mountPath: /etc/kube-flannel/
151 |       containers:
152 |       - name: kube-flannel
153 |        #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply)
154 |         image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2
155 |         command:
156 |         - /opt/bin/flanneld
157 |         args:
158 |         - --ip-masq
159 |         - --kube-subnet-mgr
160 |         - --iface={{interface}}
161 |         resources:
162 |           requests:
163 |             cpu: "100m"
164 |             memory: "50Mi"
165 |           limits:
166 |             cpu: "100m"
167 |             memory: "50Mi"
168 |         securityContext:
169 |           privileged: false
170 |           capabilities:
171 |             add: ["NET_ADMIN", "NET_RAW"]
172 |         env:
173 |         - name: POD_NAME
174 |           valueFrom:
175 |             fieldRef:
176 |               fieldPath: metadata.name
177 |         - name: POD_NAMESPACE
178 |           valueFrom:
179 |             fieldRef:
180 |               fieldPath: metadata.namespace
181 |         - name: EVENT_QUEUE_DEPTH
182 |           value: "5000"
183 |         volumeMounts:
184 |         - name: run
185 |           mountPath: /run/flannel
186 |         - name: flannel-cfg
187 |           mountPath: /etc/kube-flannel/
188 |         - name: xtables-lock
189 |           mountPath: /run/xtables.lock
190 |       volumes:
191 |       - name: run
192 |         hostPath:
193 |           path: /run/flannel
194 |       - name: cni-plugin
195 |         hostPath:
196 |           path: /opt/cni/bin
197 |       - name: cni
198 |         hostPath:
199 |           path: /etc/cni/net.d
200 |       - name: flannel-cfg
201 |         configMap:
202 |           name: kube-flannel-cfg
203 |       - name: xtables-lock
204 |         hostPath:
205 |           path: /run/xtables.lock
206 |           type: FileOrCreate
207 | 


--------------------------------------------------------------------------------
/network/calico.yml:
--------------------------------------------------------------------------------
   1 | ---
   2 | # Source: calico/templates/calico-config.yaml
   3 | # This ConfigMap is used to configure a self-hosted Calico installation.
   4 | kind: ConfigMap
   5 | apiVersion: v1
   6 | metadata:
   7 |   name: calico-config
   8 |   namespace: kube-system
   9 | data:
  10 |   # Typha is disabled.
  11 |   typha_service_name: "none"
  12 |   # Configure the backend to use.
  13 |   calico_backend: "bird"
  14 |   # Configure the MTU to use for workload interfaces and tunnels.
  15 |   # - If Wireguard is enabled, set to your network MTU - 60
  16 |   # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
  17 |   # - Otherwise, if IPIP is enabled, set to your network MTU - 20
  18 |   # - Otherwise, if not using any encapsulation, set to your network MTU.
  19 |   veth_mtu: "1440"
  20 | 
  21 |   # The CNI network configuration to install on each node. The special
  22 |   # values in this config will be automatically populated.
  23 |   cni_network_config: |-
  24 |     {
  25 |       "name": "k8s-pod-network",
  26 |       "cniVersion": "0.3.1",
  27 |       "plugins": [
  28 |         {
  29 |           "type": "calico",
  30 |           "log_level": "info",
  31 |           "log_file_path": "/var/log/calico/cni/cni.log",
  32 |           "datastore_type": "kubernetes",
  33 |           "nodename": "__KUBERNETES_NODE_NAME__",
  34 |           "mtu": __CNI_MTU__,
  35 |           "ipam": {
  36 |               "type": "calico-ipam"
  37 |           },
  38 |           "policy": {
  39 |               "type": "k8s"
  40 |           },
  41 |           "kubernetes": {
  42 |               "kubeconfig": "__KUBECONFIG_FILEPATH__"
  43 |           }
  44 |         },
  45 |         {
  46 |           "type": "portmap",
  47 |           "snat": true,
  48 |           "capabilities": {"portMappings": true}
  49 |         },
  50 |         {
  51 |           "type": "bandwidth",
  52 |           "capabilities": {"bandwidth": true}
  53 |         }
  54 |       ]
  55 |     }
  56 | 
  57 | ---
  58 | # Source: calico/templates/kdd-crds.yaml
  59 | 
  60 | 
  61 | ---
  62 | apiVersion: apiextensions.k8s.io/v1
  63 | kind: CustomResourceDefinition
  64 | metadata:
  65 |   annotations:
  66 |     controller-gen.kubebuilder.io/version: (devel)
  67 |   creationTimestamp: null
  68 |   name: bgpconfigurations.crd.projectcalico.org
  69 | spec:
  70 |   group: crd.projectcalico.org
  71 |   names:
  72 |     kind: BGPConfiguration
  73 |     listKind: BGPConfigurationList
  74 |     plural: bgpconfigurations
  75 |     singular: bgpconfiguration
  76 |   scope: Cluster
  77 |   versions:
  78 |   - name: v1
  79 |     schema:
  80 |       openAPIV3Schema:
  81 |         description: BGPConfiguration contains the configuration for any BGP routing.
  82 |         properties:
  83 |           apiVersion:
  84 |             description: 'APIVersion defines the versioned schema of this representation
  85 |               of an object. Servers should convert recognized schemas to the latest
  86 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  87 |             type: string
  88 |           kind:
  89 |             description: 'Kind is a string value representing the REST resource this
  90 |               object represents. Servers may infer this from the endpoint the client
  91 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  92 |             type: string
  93 |           metadata:
  94 |             type: object
  95 |           spec:
  96 |             description: BGPConfigurationSpec contains the values of the BGP configuration.
  97 |             properties:
  98 |               asNumber:
  99 |                 description: 'ASNumber is the default AS number used by a node. [Default:
 100 |                   64512]'
 101 |                 format: int32
 102 |                 type: integer
 103 |               communities:
 104 |                 description: Communities is a list of BGP community values and their
 105 |                   arbitrary names for tagging routes.
 106 |                 items:
 107 |                   description: Community contains standard or large community value
 108 |                     and its name.
 109 |                   properties:
 110 |                     name:
 111 |                       description: Name given to community value.
 112 |                       type: string
 113 |                     value:
 114 |                       description: Value must be of format `aa:nn` or `aa:nn:mm`.
 115 |                         For standard community use `aa:nn` format, where `aa` and
 116 |                         `nn` are 16 bit number. For large community use `aa:nn:mm`
 117 |                         format, where `aa`, `nn` and `mm` are 32 bit number. Where,
 118 |                         `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
 119 |                       pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
 120 |                       type: string
 121 |                   type: object
 122 |                 type: array
 123 |               listenPort:
 124 |                 description: ListenPort is the port where BGP protocol should listen.
 125 |                   Defaults to 179
 126 |                 maximum: 65535
 127 |                 minimum: 1
 128 |                 type: integer
 129 |               logSeverityScreen:
 130 |                 description: 'LogSeverityScreen is the log severity above which logs
 131 |                   are sent to the stdout. [Default: INFO]'
 132 |                 type: string
 133 |               nodeToNodeMeshEnabled:
 134 |                 description: 'NodeToNodeMeshEnabled sets whether full node to node
 135 |                   BGP mesh is enabled. [Default: true]'
 136 |                 type: boolean
 137 |               prefixAdvertisements:
 138 |                 description: PrefixAdvertisements contains per-prefix advertisement
 139 |                   configuration.
 140 |                 items:
 141 |                   description: PrefixAdvertisement configures advertisement properties
 142 |                     for the specified CIDR.
 143 |                   properties:
 144 |                     cidr:
 145 |                       description: CIDR for which properties should be advertised.
 146 |                       type: string
 147 |                     communities:
 148 |                       description: Communities can be list of either community names
 149 |                         already defined in `Specs.Communities` or community value
 150 |                         of format `aa:nn` or `aa:nn:mm`. For standard community use
 151 |                         `aa:nn` format, where `aa` and `nn` are 16 bit number. For
 152 |                         large community use `aa:nn:mm` format, where `aa`, `nn` and
 153 |                         `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
 154 |                         `mm` are per-AS identifier.
 155 |                       items:
 156 |                         type: string
 157 |                       type: array
 158 |                   type: object
 159 |                 type: array
 160 |               serviceClusterIPs:
 161 |                 description: ServiceClusterIPs are the CIDR blocks from which service
 162 |                   cluster IPs are allocated. If specified, Calico will advertise these
 163 |                   blocks, as well as any cluster IPs within them.
 164 |                 items:
 165 |                   description: ServiceClusterIPBlock represents a single allowed ClusterIP
 166 |                     CIDR block.
 167 |                   properties:
 168 |                     cidr:
 169 |                       type: string
 170 |                   type: object
 171 |                 type: array
 172 |               serviceExternalIPs:
 173 |                 description: ServiceExternalIPs are the CIDR blocks for Kubernetes
 174 |                   Service External IPs. Kubernetes Service ExternalIPs will only be
 175 |                   advertised if they are within one of these blocks.
 176 |                 items:
 177 |                   description: ServiceExternalIPBlock represents a single allowed
 178 |                     External IP CIDR block.
 179 |                   properties:
 180 |                     cidr:
 181 |                       type: string
 182 |                   type: object
 183 |                 type: array
 184 |             type: object
 185 |         type: object
 186 |     served: true
 187 |     storage: true
 188 | status:
 189 |   acceptedNames:
 190 |     kind: ""
 191 |     plural: ""
 192 |   conditions: []
 193 |   storedVersions: []
 194 | 
 195 | ---
 196 | 
 197 | ---
 198 | apiVersion: apiextensions.k8s.io/v1
 199 | kind: CustomResourceDefinition
 200 | metadata:
 201 |   annotations:
 202 |     controller-gen.kubebuilder.io/version: (devel)
 203 |   creationTimestamp: null
 204 |   name: bgppeers.crd.projectcalico.org
 205 | spec:
 206 |   group: crd.projectcalico.org
 207 |   names:
 208 |     kind: BGPPeer
 209 |     listKind: BGPPeerList
 210 |     plural: bgppeers
 211 |     singular: bgppeer
 212 |   scope: Cluster
 213 |   versions:
 214 |   - name: v1
 215 |     schema:
 216 |       openAPIV3Schema:
 217 |         properties:
 218 |           apiVersion:
 219 |             description: 'APIVersion defines the versioned schema of this representation
 220 |               of an object. Servers should convert recognized schemas to the latest
 221 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 222 |             type: string
 223 |           kind:
 224 |             description: 'Kind is a string value representing the REST resource this
 225 |               object represents. Servers may infer this from the endpoint the client
 226 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 227 |             type: string
 228 |           metadata:
 229 |             type: object
 230 |           spec:
 231 |             description: BGPPeerSpec contains the specification for a BGPPeer resource.
 232 |             properties:
 233 |               asNumber:
 234 |                 description: The AS Number of the peer.
 235 |                 format: int32
 236 |                 type: integer
 237 |               keepOriginalNextHop:
 238 |                 description: Option to keep the original nexthop field when routes
 239 |                   are sent to a BGP Peer. Setting "true" configures the selected BGP
 240 |                   Peers node to use the "next hop keep;" instead of "next hop self;"(default)
 241 |                   in the specific branch of the Node on "bird.cfg".
 242 |                 type: boolean
 243 |               node:
 244 |                 description: The node name identifying the Calico node instance that
 245 |                   is peering with this peer. If this is not set, this represents a
 246 |                   global peer, i.e. a peer that peers with every node in the deployment.
 247 |                 type: string
 248 |               nodeSelector:
 249 |                 description: Selector for the nodes that should have this peering.  When
 250 |                   this is set, the Node field must be empty.
 251 |                 type: string
 252 |               password:
 253 |                 description: Optional BGP password for the peerings generated by this
 254 |                   BGPPeer resource.
 255 |                 properties:
 256 |                   secretKeyRef:
 257 |                     description: Selects a key of a secret in the node pod's namespace.
 258 |                     properties:
 259 |                       key:
 260 |                         description: The key of the secret to select from.  Must be
 261 |                           a valid secret key.
 262 |                         type: string
 263 |                       name:
 264 |                         description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
 265 |                           TODO: Add other useful fields. apiVersion, kind, uid?'
 266 |                         type: string
 267 |                       optional:
 268 |                         description: Specify whether the Secret or its key must be
 269 |                           defined
 270 |                         type: boolean
 271 |                     required:
 272 |                     - key
 273 |                     type: object
 274 |                 type: object
 275 |               peerIP:
 276 |                 description: The IP address of the peer followed by an optional port
 277 |                   number to peer with. If port number is given, format should be `[<IPv6>]:port`
 278 |                   or `<IPv4>:<port>` for IPv4. If optional port number is not set,
 279 |                   and this peer IP and ASNumber belongs to a calico/node with ListenPort
 280 |                   set in BGPConfiguration, then we use that port to peer.
 281 |                 type: string
 282 |               peerSelector:
 283 |                 description: Selector for the remote nodes to peer with.  When this
 284 |                   is set, the PeerIP and ASNumber fields must be empty.  For each
 285 |                   peering between the local node and selected remote nodes, we configure
 286 |                   an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
 287 |                   and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified.  The
 288 |                   remote AS number comes from the remote node’s NodeBGPSpec.ASNumber,
 289 |                   or the global default if that is not set.
 290 |                 type: string
 291 |             required:
 292 |             - asNumber
 293 |             - peerIP
 294 |             type: object
 295 |         type: object
 296 |     served: true
 297 |     storage: true
 298 | status:
 299 |   acceptedNames:
 300 |     kind: ""
 301 |     plural: ""
 302 |   conditions: []
 303 |   storedVersions: []
 304 | 
 305 | ---
 306 | 
 307 | ---
 308 | apiVersion: apiextensions.k8s.io/v1
 309 | kind: CustomResourceDefinition
 310 | metadata:
 311 |   annotations:
 312 |     controller-gen.kubebuilder.io/version: (devel)
 313 |   creationTimestamp: null
 314 |   name: blockaffinities.crd.projectcalico.org
 315 | spec:
 316 |   group: crd.projectcalico.org
 317 |   names:
 318 |     kind: BlockAffinity
 319 |     listKind: BlockAffinityList
 320 |     plural: blockaffinities
 321 |     singular: blockaffinity
 322 |   scope: Cluster
 323 |   versions:
 324 |   - name: v1
 325 |     schema:
 326 |       openAPIV3Schema:
 327 |         properties:
 328 |           apiVersion:
 329 |             description: 'APIVersion defines the versioned schema of this representation
 330 |               of an object. Servers should convert recognized schemas to the latest
 331 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 332 |             type: string
 333 |           kind:
 334 |             description: 'Kind is a string value representing the REST resource this
 335 |               object represents. Servers may infer this from the endpoint the client
 336 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 337 |             type: string
 338 |           metadata:
 339 |             type: object
 340 |           spec:
 341 |             description: BlockAffinitySpec contains the specification for a BlockAffinity
 342 |               resource.
 343 |             properties:
 344 |               cidr:
 345 |                 type: string
 346 |               deleted:
 347 |                 description: Deleted indicates that this block affinity is being deleted.
 348 |                   This field is a string for compatibility with older releases that
 349 |                   mistakenly treat this field as a string.
 350 |                 type: string
 351 |               node:
 352 |                 type: string
 353 |               state:
 354 |                 type: string
 355 |             required:
 356 |             - cidr
 357 |             - deleted
 358 |             - node
 359 |             - state
 360 |             type: object
 361 |         type: object
 362 |     served: true
 363 |     storage: true
 364 | status:
 365 |   acceptedNames:
 366 |     kind: ""
 367 |     plural: ""
 368 |   conditions: []
 369 |   storedVersions: []
 370 | 
 371 | ---
 372 | 
 373 | ---
 374 | apiVersion: apiextensions.k8s.io/v1
 375 | kind: CustomResourceDefinition
 376 | metadata:
 377 |   annotations:
 378 |     controller-gen.kubebuilder.io/version: (devel)
 379 |   creationTimestamp: null
 380 |   name: clusterinformations.crd.projectcalico.org
 381 | spec:
 382 |   group: crd.projectcalico.org
 383 |   names:
 384 |     kind: ClusterInformation
 385 |     listKind: ClusterInformationList
 386 |     plural: clusterinformations
 387 |     singular: clusterinformation
 388 |   scope: Cluster
 389 |   versions:
 390 |   - name: v1
 391 |     schema:
 392 |       openAPIV3Schema:
 393 |         description: ClusterInformation contains the cluster specific information.
 394 |         properties:
 395 |           apiVersion:
 396 |             description: 'APIVersion defines the versioned schema of this representation
 397 |               of an object. Servers should convert recognized schemas to the latest
 398 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 399 |             type: string
 400 |           kind:
 401 |             description: 'Kind is a string value representing the REST resource this
 402 |               object represents. Servers may infer this from the endpoint the client
 403 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 404 |             type: string
 405 |           metadata:
 406 |             type: object
 407 |           spec:
 408 |             description: ClusterInformationSpec contains the values of describing
 409 |               the cluster.
 410 |             properties:
 411 |               calicoVersion:
 412 |                 description: CalicoVersion is the version of Calico that the cluster
 413 |                   is running
 414 |                 type: string
 415 |               clusterGUID:
 416 |                 description: ClusterGUID is the GUID of the cluster
 417 |                 type: string
 418 |               clusterType:
 419 |                 description: ClusterType describes the type of the cluster
 420 |                 type: string
 421 |               datastoreReady:
 422 |                 description: DatastoreReady is used during significant datastore migrations
 423 |                   to signal to components such as Felix that it should wait before
 424 |                   accessing the datastore.
 425 |                 type: boolean
 426 |               variant:
 427 |                 description: Variant declares which variant of Calico should be active.
 428 |                 type: string
 429 |             type: object
 430 |         type: object
 431 |     served: true
 432 |     storage: true
 433 | status:
 434 |   acceptedNames:
 435 |     kind: ""
 436 |     plural: ""
 437 |   conditions: []
 438 |   storedVersions: []
 439 | 
 440 | ---
 441 | 
 442 | ---
 443 | apiVersion: apiextensions.k8s.io/v1
 444 | kind: CustomResourceDefinition
 445 | metadata:
 446 |   annotations:
 447 |     controller-gen.kubebuilder.io/version: (devel)
 448 |   creationTimestamp: null
 449 |   name: felixconfigurations.crd.projectcalico.org
 450 | spec:
 451 |   group: crd.projectcalico.org
 452 |   names:
 453 |     kind: FelixConfiguration
 454 |     listKind: FelixConfigurationList
 455 |     plural: felixconfigurations
 456 |     singular: felixconfiguration
 457 |   scope: Cluster
 458 |   versions:
 459 |   - name: v1
 460 |     schema:
 461 |       openAPIV3Schema:
 462 |         description: Felix Configuration contains the configuration for Felix.
 463 |         properties:
 464 |           apiVersion:
 465 |             description: 'APIVersion defines the versioned schema of this representation
 466 |               of an object. Servers should convert recognized schemas to the latest
 467 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
 468 |             type: string
 469 |           kind:
 470 |             description: 'Kind is a string value representing the REST resource this
 471 |               object represents. Servers may infer this from the endpoint the client
 472 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
 473 |             type: string
 474 |           metadata:
 475 |             type: object
 476 |           spec:
 477 |             description: FelixConfigurationSpec contains the values of the Felix configuration.
 478 |             properties:
 479 |               allowIPIPPacketsFromWorkloads:
 480 |                 description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
 481 |                   will add a rule to drop IPIP encapsulated traffic from workloads
 482 |                   [Default: false]'
 483 |                 type: boolean
 484 |               allowVXLANPacketsFromWorkloads:
 485 |                 description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
 486 |                   will add a rule to drop VXLAN encapsulated traffic from workloads
 487 |                   [Default: false]'
 488 |                 type: boolean
 489 |               awsSrcDstCheck:
 490 |                 description: 'Set source-destination-check on AWS EC2 instances. Accepted
 491 |                   value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
 492 |                   DoNothing]'
 493 |                 enum:
 494 |                 - DoNothing
 495 |                 - Enable
 496 |                 - Disable
 497 |                 type: string
 498 |               bpfConnectTimeLoadBalancingEnabled:
 499 |                 description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
 500 |                   controls whether Felix installs the connection-time load balancer.  The
 501 |                   connect-time load balancer is required for the host to be able to
 502 |                   reach Kubernetes services and it improves the performance of pod-to-service
 503 |                   connections.  The only reason to disable it is for debugging purposes.  [Default:
 504 |                   true]'
 505 |                 type: boolean
 506 |               bpfDataIfacePattern:
 507 |                 description: 'BPFDataIfacePattern is a regular expression that controls
 508 |                   which interfaces Felix should attach BPF programs to in order to
 509 |                   catch traffic to/from the network.  This needs to match the interfaces
 510 |                   that Calico workload traffic flows over as well as any interfaces
 511 |                   that handle incoming traffic to nodeports and services from outside
 512 |                   the cluster.  It should not match the workload interfaces (usually
 513 |                   named cali...). [Default: ^(en.*|eth.*|tunl0$)]'
 514 |                 type: string
 515 |               bpfDisableUnprivileged:
 516 |                 description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
 517 |                   sysctl to disable unprivileged use of BPF.  This ensures that unprivileged
 518 |                   users cannot access Calico''s BPF maps and cannot insert their own
 519 |                   BPF programs to interfere with Calico''s. [Default: true]'
 520 |                 type: boolean
 521 |               bpfEnabled:
 522 |                 description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
 523 |                   [Default: false]'
 524 |                 type: boolean
 525 |               bpfExternalServiceMode:
 526 |                 description: 'BPFExternalServiceMode in BPF mode, controls how connections
 527 |                   from outside the cluster to services (node ports and cluster IPs)
 528 |                   are forwarded to remote workloads.  If set to "Tunnel" then both
 529 |                   request and response traffic is tunneled to the remote node.  If
 530 |                   set to "DSR", the request traffic is tunneled but the response traffic
 531 |                   is sent directly from the remote node.  In "DSR" mode, the remote
 532 |                   node appears to use the IP of the ingress node; this requires a
 533 |                   permissive L2 network.  [Default: Tunnel]'
 534 |                 type: string
 535 |               bpfKubeProxyEndpointSlicesEnabled:
 536 |                 description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
 537 |                   whether Felix's embedded kube-proxy accepts EndpointSlices or not.
 538 |                 type: boolean
 539 |               bpfKubeProxyIptablesCleanupEnabled:
 540 |                 description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
 541 |                   mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
 542 |                   iptables chains.  Should only be enabled if kube-proxy is not running.  [Default:
 543 |                   true]'
 544 |                 type: boolean
 545 |               bpfKubeProxyMinSyncPeriod:
 546 |                 description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
 547 |                   minimum time between updates to the dataplane for Felix''s embedded
 548 |                   kube-proxy.  Lower values give reduced set-up latency.  Higher values
 549 |                   reduce Felix CPU usage by batching up more work.  [Default: 1s]'
 550 |                 type: string
 551 |               bpfLogLevel:
 552 |                 description: 'BPFLogLevel controls the log level of the BPF programs
 553 |                   when in BPF dataplane mode.  One of "Off", "Info", or "Debug".  The
 554 |                   logs are emitted to the BPF trace pipe, accessible with the command
 555 |                   `tc exec bpf debug`. [Default: Off].'
 556 |                 type: string
 557 |               chainInsertMode:
 558 |                 description: 'ChainInsertMode controls whether Felix hooks the kernel’s
 559 |                   top-level iptables chains by inserting a rule at the top of the
 560 |                   chain or by appending a rule at the bottom. insert is the safe default
 561 |                   since it prevents Calico’s rules from being bypassed. If you switch
 562 |                   to append mode, be sure that the other rules in the chains signal
 563 |                   acceptance by falling through to the Calico rules, otherwise the
 564 |                   Calico policy will be bypassed. [Default: insert]'
 565 |                 type: string
 566 |               dataplaneDriver:
 567 |                 type: string
 568 |               debugDisableLogDropping:
 569 |                 type: boolean
 570 |               debugMemoryProfilePath:
 571 |                 type: string
 572 |               debugSimulateCalcGraphHangAfter:
 573 |                 type: string
 574 |               debugSimulateDataplaneHangAfter:
 575 |                 type: string
 576 |               defaultEndpointToHostAction:
 577 |                 description: 'DefaultEndpointToHostAction controls what happens to
 578 |                   traffic that goes from a workload endpoint to the host itself (after
 579 |                   the traffic hits the endpoint egress policy). By default Calico
 580 |                   blocks traffic from workload endpoints to the host itself with an
 581 |                   iptables “DROP” action. If you want to allow some or all traffic
 582 |                   from endpoint to host, set this parameter to RETURN or ACCEPT. Use
 583 |                   RETURN if you have your own rules in the iptables “INPUT” chain;
 584 |                   Calico will insert its rules at the top of that chain, then “RETURN”
 585 |                   packets to the “INPUT” chain once it has completed processing workload
 586 |                   endpoint egress policy. Use ACCEPT to unconditionally accept packets
 587 |                   from workloads after processing workload endpoint egress policy.
 588 |                   [Default: Drop]'
 589 |                 type: string
 590 |               deviceRouteProtocol:
 591 |                 description: This defines the route protocol added to programmed device
 592 |                   routes, by default this will be RTPROT_BOOT when left blank.
 593 |                 type: integer
 594 |               deviceRouteSourceAddress:
 595 |                 description: This is the source address to use on programmed device
 596 |                   routes. By default the source address is left blank, leaving the
 597 |                   kernel to choose the source address used.
 598 |                 type: string
 599 |               disableConntrackInvalidCheck:
 600 |                 type: boolean
 601 |               endpointReportingDelay:
 602 |                 type: string
 603 |               endpointReportingEnabled:
 604 |                 type: boolean
 605 |               externalNodesList:
 606 |                 description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
 607 |                   which may source tunnel traffic and have the tunneled traffic be
 608 |                   accepted at calico nodes.
 609 |                 items:
 610 |                   type: string
 611 |                 type: array
 612 |               failsafeInboundHostPorts:
 613 |                 description: 'FailsafeInboundHostPorts is a comma-delimited list of
 614 |                   UDP/TCP ports that Felix will allow incoming traffic to host endpoints
 615 |                   on irrespective of the security policy. This is useful to avoid
 616 |                   accidentally cutting off a host with incorrect configuration. Each
 617 |                   port should be specified as tcp:<port-number> or udp:<port-number>.
 618 |                   For back-compatibility, if the protocol is not specified, it defaults
 619 |                   to “tcp”. To disable all inbound host ports, use the value none.
 620 |                   The default value allows ssh access and DHCP. [Default: tcp:22,
 621 |                   udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
 622 |                 items:
 623 |                   description: ProtoPort is combination of protocol and port, both
 624 |                     must be specified.
 625 |                   properties:
 626 |                     port:
 627 |                       type: integer
 628 |                     protocol:
 629 |                       type: string
 630 |                   required:
 631 |                   - port
 632 |                   - protocol
 633 |                   type: object
 634 |                 type: array
 635 |               failsafeOutboundHostPorts:
 636 |                 description: 'FailsafeOutboundHostPorts is a comma-delimited list
 637 |                   of UDP/TCP ports that Felix will allow outgoing traffic from host
 638 |                   endpoints to irrespective of the security policy. This is useful
 639 |                   to avoid accidentally cutting off a host with incorrect configuration.
 640 |                   Each port should be specified as tcp:<port-number> or udp:<port-number>.
 641 |                   For back-compatibility, if the protocol is not specified, it defaults
 642 |                   to “tcp”. To disable all outbound host ports, use the value none.
 643 |                   The default value opens etcd’s standard ports to ensure that Felix
 644 |                   does not get cut off from etcd as well as allowing DHCP and DNS.
 645 |                   [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
 646 |                   udp:53, udp:67]'
 647 |                 items:
 648 |                   description: ProtoPort is combination of protocol and port, both
 649 |                     must be specified.
 650 |                   properties:
 651 |                     port:
 652 |                       type: integer
 653 |                     protocol:
 654 |                       type: string
 655 |                   required:
 656 |                   - port
 657 |                   - protocol
 658 |                   type: object
 659 |                 type: array
 660 |               featureDetectOverride:
 661 |                 description: FeatureDetectOverride is used to override the feature
 662 |                   detection. Values are specified in a comma separated list with no
 663 |                   spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
 664 |                   "true" or "false" will force the feature, empty or omitted values
 665 |                   are auto-detected.
 666 |                 type: string
 667 |               genericXDPEnabled:
 668 |                 description: 'GenericXDPEnabled enables Generic XDP so network cards
 669 |                   that don''t support XDP offload or driver modes can use XDP. This
 670 |                   is not recommended since it doesn''t provide better performance
 671 |                   than iptables. [Default: false]'
 672 |                 type: boolean
 673 |               healthEnabled:
 674 |                 type: boolean
 675 |               healthHost:
 676 |                 type: string
 677 |               healthPort:
 678 |                 type: integer
 679 |               interfaceExclude:
 680 |                 description: 'InterfaceExclude is a comma-separated list of interfaces
 681 |                   that Felix should exclude when monitoring for host endpoints. The
 682 |                   default value ensures that Felix ignores Kubernetes'' IPVS dummy
 683 |                   interface, which is used internally by kube-proxy. If you want to
 684 |                   exclude multiple interface names using a single value, the list
 685 |                   supports regular expressions. For regular expressions you must wrap
 686 |                   the value with ''/''. For example having values ''/^kube/,veth1''
 687 |                   will exclude all interfaces that begin with ''kube'' and also the
 688 |                   interface ''veth1''. [Default: kube-ipvs0]'
 689 |                 type: string
 690 |               interfacePrefix:
 691 |                 description: 'InterfacePrefix is the interface name prefix that identifies
 692 |                   workload endpoints and so distinguishes them from host endpoint
 693 |                   interfaces. Note: in environments other than bare metal, the orchestrators
 694 |                   configure this appropriately. For example our Kubernetes and Docker
 695 |                   integrations set the ‘cali’ value, and our OpenStack integration
 696 |                   sets the ‘tap’ value. [Default: cali]'
 697 |                 type: string
 698 |               interfaceRefreshInterval:
 699 |                 description: InterfaceRefreshInterval is the period at which Felix
 700 |                   rescans local interfaces to verify their state. The rescan can be
 701 |                   disabled by setting the interval to 0.
 702 |                 type: string
 703 |               ipipEnabled:
 704 |                 type: boolean
 705 |               ipipMTU:
 706 |                 description: 'IPIPMTU is the MTU to set on the tunnel device. See
 707 |                   Configuring MTU [Default: 1440]'
 708 |                 type: integer
 709 |               ipsetsRefreshInterval:
 710 |                 description: 'IpsetsRefreshInterval is the period at which Felix re-checks
 711 |                   all iptables state to ensure that no other process has accidentally
 712 |                   broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:
 713 |                   90s]'
 714 |                 type: string
 715 |               iptablesBackend:
 716 |                 description: IptablesBackend specifies which backend of iptables will
 717 |                   be used. The default is legacy.
 718 |                 type: string
 719 |               iptablesFilterAllowAction:
 720 |                 type: string
 721 |               iptablesLockFilePath:
 722 |                 description: 'IptablesLockFilePath is the location of the iptables
 723 |                   lock file. You may need to change this if the lock file is not in
 724 |                   its standard location (for example if you have mapped it into Felix’s
 725 |                   container at a different path). [Default: /run/xtables.lock]'
 726 |                 type: string
 727 |               iptablesLockProbeInterval:
 728 |                 description: 'IptablesLockProbeInterval is the time that Felix will
 729 |                   wait between attempts to acquire the iptables lock if it is not
 730 |                   available. Lower values make Felix more responsive when the lock
 731 |                   is contended, but use more CPU. [Default: 50ms]'
 732 |                 type: string
 733 |               iptablesLockTimeout:
 734 |                 description: 'IptablesLockTimeout is the time that Felix will wait
 735 |                   for the iptables lock, or 0, to disable. To use this feature, Felix
 736 |                   must share the iptables lock file with all other processes that
 737 |                   also take the lock. When running Felix inside a container, this
 738 |                   requires the /run directory of the host to be mounted into the calico/node
 739 |                   or calico/felix container. [Default: 0s disabled]'
 740 |                 type: string
 741 |               iptablesMangleAllowAction:
 742 |                 type: string
 743 |               iptablesMarkMask:
 744 |                 description: 'IptablesMarkMask is the mask that Felix selects its
 745 |                   IPTables Mark bits from. Should be a 32 bit hexadecimal number with
 746 |                   at least 8 bits set, none of which clash with any other mark bits
 747 |                   in use on the system. [Default: 0xff000000]'
 748 |                 format: int32
 749 |                 type: integer
 750 |               iptablesNATOutgoingInterfaceFilter:
 751 |                 type: string
 752 |               iptablesPostWriteCheckInterval:
 753 |                 description: 'IptablesPostWriteCheckInterval is the period after Felix
 754 |                   has done a write to the dataplane that it schedules an extra read
 755 |                   back in order to check the write was not clobbered by another process.
 756 |                   This should only occur if another application on the system doesn’t
 757 |                   respect the iptables lock. [Default: 1s]'
 758 |                 type: string
 759 |               iptablesRefreshInterval:
 760 |                 description: 'IptablesRefreshInterval is the period at which Felix
 761 |                   re-checks the IP sets in the dataplane to ensure that no other process
 762 |                   has accidentally broken Calico’s rules. Set to 0 to disable IP sets
 763 |                   refresh. Note: the default for this value is lower than the other
 764 |                   refresh intervals as a workaround for a Linux kernel bug that was
 765 |                   fixed in kernel version 4.11. If you are using v4.11 or greater
 766 |                   you may want to set this to, a higher value to reduce Felix CPU
 767 |                   usage. [Default: 10s]'
 768 |                 type: string
 769 |               ipv6Support:
 770 |                 type: boolean
 771 |               kubeNodePortRanges:
 772 |                 description: 'KubeNodePortRanges holds list of port ranges used for
 773 |                   service node ports. Only used if felix detects kube-proxy running
 774 |                   in ipvs mode. Felix uses these ranges to separate host and workload
 775 |                   traffic. [Default: 30000:32767].'
 776 |                 items:
 777 |                   anyOf:
 778 |                   - type: integer
 779 |                   - type: string
 780 |                   pattern: ^.*
 781 |                   x-kubernetes-int-or-string: true
 782 |                 type: array
 783 |               logFilePath:
 784 |                 description: 'LogFilePath is the full path to the Felix log. Set to
 785 |                   none to disable file logging. [Default: /var/log/calico/felix.log]'
 786 |                 type: string
 787 |               logPrefix:
 788 |                 description: 'LogPrefix is the log prefix that Felix uses when rendering
 789 |                   LOG rules. [Default: calico-packet]'
 790 |                 type: string
 791 |               logSeverityFile:
 792 |                 description: 'LogSeverityFile is the log severity above which logs
 793 |                   are sent to the log file. [Default: Info]'
 794 |                 type: string
 795 |               logSeverityScreen:
 796 |                 description: 'LogSeverityScreen is the log severity above which logs
 797 |                   are sent to the stdout. [Default: Info]'
 798 |                 type: string
 799 |               logSeveritySys:
 800 |                 description: 'LogSeveritySys is the log severity above which logs
 801 |                   are sent to the syslog. Set to None for no logging to syslog. [Default:
 802 |                   Info]'
 803 |                 type: string
 804 |               maxIpsetSize:
 805 |                 type: integer
 806 |               metadataAddr:
 807 |                 description: 'MetadataAddr is the IP address or domain name of the
 808 |                   server that can answer VM queries for cloud-init metadata. In OpenStack,
 809 |                   this corresponds to the machine running nova-api (or in Ubuntu,
 810 |                   nova-api-metadata). A value of none (case insensitive) means that
 811 |                   Felix should not set up any NAT rule for the metadata path. [Default:
 812 |                   127.0.0.1]'
 813 |                 type: string
 814 |               metadataPort:
 815 |                 description: 'MetadataPort is the port of the metadata server. This,
 816 |                   combined with global.MetadataAddr (if not ‘None’), is used to set
 817 |                   up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
 818 |                   In most cases this should not need to be changed [Default: 8775].'
 819 |                 type: integer
 820 |               natOutgoingAddress:
 821 |                 description: NATOutgoingAddress specifies an address to use when performing
 822 |                   source NAT for traffic in a natOutgoing pool that is leaving the
 823 |                   network. By default the address used is an address on the interface
 824 |                   the traffic is leaving on (ie it uses the iptables MASQUERADE target)
 825 |                 type: string
 826 |               natPortRange:
 827 |                 anyOf:
 828 |                 - type: integer
 829 |                 - type: string
 830 |                 description: NATPortRange specifies the range of ports that is used
 831 |                   for port mapping when doing outgoing NAT. When unset the default
 832 |                   behavior of the network stack is used.
 833 |                 pattern: ^.*
 834 |                 x-kubernetes-int-or-string: true
 835 |               netlinkTimeout:
 836 |                 type: string
 837 |               openstackRegion:
 838 |                 description: 'OpenstackRegion is the name of the region that a particular
 839 |                   Felix belongs to. In a multi-region Calico/OpenStack deployment,
 840 |                   this must be configured somehow for each Felix (here in the datamodel,
 841 |                   or in felix.cfg or the environment on each compute node), and must
 842 |                   match the [calico] openstack_region value configured in neutron.conf
 843 |                   on each node. [Default: Empty]'
 844 |                 type: string
 845 |               policySyncPathPrefix:
 846 |                 description: 'PolicySyncPathPrefix is used to by Felix to communicate
 847 |                   policy changes to external services, like Application layer policy.
 848 |                   [Default: Empty]'
 849 |                 type: string
 850 |               prometheusGoMetricsEnabled:
 851 |                 description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
 852 |                   collection, which the Prometheus client does by default, when set
 853 |                   to false. This reduces the number of metrics reported, reducing
 854 |                   Prometheus load. [Default: true]'
 855 |                 type: boolean
 856 |               prometheusMetricsEnabled:
 857 |                 description: 'PrometheusMetricsEnabled enables the Prometheus metrics
 858 |                   server in Felix if set to true. [Default: false]'
 859 |                 type: boolean
 860 |               prometheusMetricsHost:
 861 |                 description: 'PrometheusMetricsHost is the host that the Prometheus
 862 |                   metrics server should bind to. [Default: empty]'
 863 |                 type: string
 864 |               prometheusMetricsPort:
 865 |                 description: 'PrometheusMetricsPort is the TCP port that the Prometheus
 866 |                   metrics server should bind to. [Default: 9091]'
 867 |                 type: integer
 868 |               prometheusProcessMetricsEnabled:
 869 |                 description: 'PrometheusProcessMetricsEnabled disables process metrics
 870 |                   collection, which the Prometheus client does by default, when set
 871 |                   to false. This reduces the number of metrics reported, reducing
 872 |                   Prometheus load. [Default: true]'
 873 |                 type: boolean
 874 |               removeExternalRoutes:
 875 |                 description: Whether or not to remove device routes that have not
 876 |                   been programmed by Felix. Disabling this will allow external applications
 877 |                   to also add device routes. This is enabled by default which means
 878 |                   we will remove externally added routes.
 879 |                 type: boolean
 880 |               reportingInterval:
 881 |                 description: 'ReportingInterval is the interval at which Felix reports
 882 |                   its status into the datastore or 0 to disable. Must be non-zero
 883 |                   in OpenStack deployments. [Default: 30s]'
 884 |                 type: string
 885 |               reportingTTL:
 886 |                 description: 'ReportingTTL is the time-to-live setting for process-wide
 887 |                   status reports. [Default: 90s]'
 888 |                 type: string
 889 |               routeRefreshInterval:
 890 |                 description: 'RouterefreshInterval is the period at which Felix re-checks
 891 |                   the routes in the dataplane to ensure that no other process has
 892 |                   accidentally broken Calico’s rules. Set to 0 to disable route refresh.
 893 |                   [Default: 90s]'
 894 |                 type: string
 895 |               routeSource:
 896 |                 description: 'RouteSource configures where Felix gets its routing
 897 |                   information. - WorkloadIPs: use workload endpoints to construct
 898 |                   routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
 899 |                 type: string
 900 |               routeTableRange:
 901 |                 description: Calico programs additional Linux route tables for various
 902 |                   purposes.  RouteTableRange specifies the indices of the route tables
 903 |                   that Calico should use.
 904 |                 properties:
 905 |                   max:
 906 |                     type: integer
 907 |                   min:
 908 |                     type: integer
 909 |                 required:
 910 |                 - max
 911 |                 - min
 912 |                 type: object
 913 |               sidecarAccelerationEnabled:
 914 |                 description: 'SidecarAccelerationEnabled enables experimental sidecar
 915 |                   acceleration [Default: false]'
 916 |                 type: boolean
 917 |               usageReportingEnabled:
 918 |                 description: 'UsageReportingEnabled reports anonymous Calico version
 919 |                   number and cluster size to projectcalico.org. Logs warnings returned
 920 |                   by the usage server. For example, if a significant security vulnerability
 921 |                   has been discovered in the version of Calico being used. [Default:
 922 |                   true]'
 923 |                 type: boolean
 924 |               usageReportingInitialDelay:
 925 |                 description: 'UsageReportingInitialDelay controls the minimum delay
 926 |                   before Felix makes a report. [Default: 300s]'
 927 |                 type: string
 928 |               usageReportingInterval:
 929 |                 description: 'UsageReportingInterval controls the interval at which
 930 |                   Felix makes reports. [Default: 86400s]'
 931 |                 type: string
 932 |               useInternalDataplaneDriver:
 933 |                 type: boolean
 934 |               vxlanEnabled:
 935 |                 type: boolean
 936 |               vxlanMTU:
 937 |                 description: 'VXLANMTU is the MTU to set on the tunnel device. See
 938 |                   Configuring MTU [Default: 1440]'
 939 |                 type: integer
 940 |               vxlanPort:
 941 |                 type: integer
 942 |               vxlanVNI:
 943 |                 type: integer
 944 |               wireguardEnabled:
 945 |                 description: 'WireguardEnabled controls whether Wireguard is enabled.
 946 |                   [Default: false]'
 947 |                 type: boolean
 948 |               wireguardInterfaceName:
 949 |                 description: 'WireguardInterfaceName specifies the name to use for
 950 |                   the Wireguard interface. [Default: wg.calico]'
 951 |                 type: string
 952 |               wireguardListeningPort:
 953 |                 description: 'WireguardListeningPort controls the listening port used
 954 |                   by Wireguard. [Default: 51820]'
 955 |                 type: integer
 956 |               wireguardMTU:
 957 |                 description: 'WireguardMTU controls the MTU on the Wireguard interface.
 958 |                   See Configuring MTU [Default: 1420]'
 959 |                 type: integer
 960 |               wireguardRoutingRulePriority:
 961 |                 description: 'WireguardRoutingRulePriority controls the priority value
 962 |                   to use for the Wireguard routing rule. [Default: 99]'
 963 |                 type: integer
 964 |               xdpEnabled:
 965 |                 description: 'XDPEnabled enables XDP acceleration for suitable untracked
 966 |                   incoming deny rules. [Default: true]'
 967 |                 type: boolean
 968 |               xdpRefreshInterval:
 969 |                 description: 'XDPRefreshInterval is the period at which Felix re-checks
 970 |                   all XDP state to ensure that no other process has accidentally broken
 971 |                   Calico''s BPF maps or attached programs. Set to 0 to disable XDP
 972 |                   refresh. [Default: 90s]'
 973 |                 type: string
 974 |             type: object
 975 |         type: object
 976 |     served: true
 977 |     storage: true
 978 | status:
 979 |   acceptedNames:
 980 |     kind: ""
 981 |     plural: ""
 982 |   conditions: []
 983 |   storedVersions: []
 984 | 
 985 | ---
 986 | 
 987 | ---
 988 | apiVersion: apiextensions.k8s.io/v1
 989 | kind: CustomResourceDefinition
 990 | metadata:
 991 |   annotations:
 992 |     controller-gen.kubebuilder.io/version: (devel)
 993 |   creationTimestamp: null
 994 |   name: globalnetworkpolicies.crd.projectcalico.org
 995 | spec:
 996 |   group: crd.projectcalico.org
 997 |   names:
 998 |     kind: GlobalNetworkPolicy
 999 |     listKind: GlobalNetworkPolicyList
1000 |     plural: globalnetworkpolicies
1001 |     singular: globalnetworkpolicy
1002 |   scope: Cluster
1003 |   versions:
1004 |   - name: v1
1005 |     schema:
1006 |       openAPIV3Schema:
1007 |         properties:
1008 |           apiVersion:
1009 |             description: 'APIVersion defines the versioned schema of this representation
1010 |               of an object. Servers should convert recognized schemas to the latest
1011 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1012 |             type: string
1013 |           kind:
1014 |             description: 'Kind is a string value representing the REST resource this
1015 |               object represents. Servers may infer this from the endpoint the client
1016 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1017 |             type: string
1018 |           metadata:
1019 |             type: object
1020 |           spec:
1021 |             properties:
1022 |               applyOnForward:
1023 |                 description: ApplyOnForward indicates to apply the rules in this policy
1024 |                   on forward traffic.
1025 |                 type: boolean
1026 |               doNotTrack:
1027 |                 description: DoNotTrack indicates whether packets matched by the rules
1028 |                   in this policy should go through the data plane's connection tracking,
1029 |                   such as Linux conntrack.  If True, the rules in this policy are
1030 |                   applied before any data plane connection tracking, and packets allowed
1031 |                   by this policy are marked as not to be tracked.
1032 |                 type: boolean
1033 |               egress:
1034 |                 description: The ordered set of egress rules.  Each rule contains
1035 |                   a set of packet match criteria and a corresponding action to apply.
1036 |                 items:
1037 |                   description: "A Rule encapsulates a set of match criteria and an
1038 |                     action.  Both selector-based security Policy and security Profiles
1039 |                     reference rules - separated out as a list of rules for both ingress
1040 |                     and egress packet matching. \n Each positive match criteria has
1041 |                     a negated version, prefixed with ”Not”. All the match criteria
1042 |                     within a rule must be satisfied for a packet to match. A single
1043 |                     rule can contain the positive and negative version of a match
1044 |                     and both must be satisfied for the rule to match."
1045 |                   properties:
1046 |                     action:
1047 |                       type: string
1048 |                     destination:
1049 |                       description: Destination contains the match criteria that apply
1050 |                         to destination entity.
1051 |                       properties:
1052 |                         namespaceSelector:
1053 |                           description: "NamespaceSelector is an optional field that
1054 |                             contains a selector expression. Only traffic that originates
1055 |                             from (or terminates at) endpoints within the selected
1056 |                             namespaces will be matched. When both NamespaceSelector
1057 |                             and Selector are defined on the same rule, then only workload
1058 |                             endpoints that are matched by both selectors will be selected
1059 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1060 |                             implies that the Selector is limited to selecting only
1061 |                             workload endpoints in the same namespace as the NetworkPolicy.
1062 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
1063 |                             that the Selector is limited to selecting only GlobalNetworkSet
1064 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1065 |                             NamespaceSelector implies the Selector applies to workload
1066 |                             endpoints across all namespaces."
1067 |                           type: string
1068 |                         nets:
1069 |                           description: Nets is an optional field that restricts the
1070 |                             rule to only apply to traffic that originates from (or
1071 |                             terminates at) IP addresses in any of the given subnets.
1072 |                           items:
1073 |                             type: string
1074 |                           type: array
1075 |                         notNets:
1076 |                           description: NotNets is the negated version of the Nets
1077 |                             field.
1078 |                           items:
1079 |                             type: string
1080 |                           type: array
1081 |                         notPorts:
1082 |                           description: NotPorts is the negated version of the Ports
1083 |                             field. Since only some protocols have ports, if any ports
1084 |                             are specified it requires the Protocol match in the Rule
1085 |                             to be set to "TCP" or "UDP".
1086 |                           items:
1087 |                             anyOf:
1088 |                             - type: integer
1089 |                             - type: string
1090 |                             pattern: ^.*
1091 |                             x-kubernetes-int-or-string: true
1092 |                           type: array
1093 |                         notSelector:
1094 |                           description: NotSelector is the negated version of the Selector
1095 |                             field.  See Selector field for subtleties with negated
1096 |                             selectors.
1097 |                           type: string
1098 |                         ports:
1099 |                           description: "Ports is an optional field that restricts
1100 |                             the rule to only apply to traffic that has a source (destination)
1101 |                             port that matches one of these ranges/values. This value
1102 |                             is a list of integers or strings that represent ranges
1103 |                             of ports. \n Since only some protocols have ports, if
1104 |                             any ports are specified it requires the Protocol match
1105 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
1106 |                           items:
1107 |                             anyOf:
1108 |                             - type: integer
1109 |                             - type: string
1110 |                             pattern: ^.*
1111 |                             x-kubernetes-int-or-string: true
1112 |                           type: array
1113 |                         selector:
1114 |                           description: "Selector is an optional field that contains
1115 |                             a selector expression (see Policy for sample syntax).
1116 |                             \ Only traffic that originates from (terminates at) endpoints
1117 |                             matching the selector will be matched. \n Note that: in
1118 |                             addition to the negated version of the Selector (see NotSelector
1119 |                             below), the selector expression syntax itself supports
1120 |                             negation.  The two types of negation are subtly different.
1121 |                             One negates the set of matched endpoints, the other negates
1122 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
1123 |                             packets that are from other Calico-controlled \tendpoints
1124 |                             that do not have the label “my_label”. \n \tNotSelector
1125 |                             = \"has(my_label)\" matches packets that are not from
1126 |                             Calico-controlled \tendpoints that do have the label “my_label”.
1127 |                             \n The effect is that the latter will accept packets from
1128 |                             non-Calico sources whereas the former is limited to packets
1129 |                             from Calico-controlled endpoints."
1130 |                           type: string
1131 |                         serviceAccounts:
1132 |                           description: ServiceAccounts is an optional field that restricts
1133 |                             the rule to only apply to traffic that originates from
1134 |                             (or terminates at) a pod running as a matching service
1135 |                             account.
1136 |                           properties:
1137 |                             names:
1138 |                               description: Names is an optional field that restricts
1139 |                                 the rule to only apply to traffic that originates
1140 |                                 from (or terminates at) a pod running as a service
1141 |                                 account whose name is in the list.
1142 |                               items:
1143 |                                 type: string
1144 |                               type: array
1145 |                             selector:
1146 |                               description: Selector is an optional field that restricts
1147 |                                 the rule to only apply to traffic that originates
1148 |                                 from (or terminates at) a pod running as a service
1149 |                                 account that matches the given label selector. If
1150 |                                 both Names and Selector are specified then they are
1151 |                                 AND'ed.
1152 |                               type: string
1153 |                           type: object
1154 |                       type: object
1155 |                     http:
1156 |                       description: HTTP contains match criteria that apply to HTTP
1157 |                         requests.
1158 |                       properties:
1159 |                         methods:
1160 |                           description: Methods is an optional field that restricts
1161 |                             the rule to apply only to HTTP requests that use one of
1162 |                             the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1163 |                             methods are OR'd together.
1164 |                           items:
1165 |                             type: string
1166 |                           type: array
1167 |                         paths:
1168 |                           description: 'Paths is an optional field that restricts
1169 |                             the rule to apply to HTTP requests that use one of the
1170 |                             listed HTTP Paths. Multiple paths are OR''d together.
1171 |                             e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1172 |                             ONLY specify either a `exact` or a `prefix` match. The
1173 |                             validator will check for it.'
1174 |                           items:
1175 |                             description: 'HTTPPath specifies an HTTP path to match.
1176 |                               It may be either of the form: exact: <path>: which matches
1177 |                               the path exactly or prefix: <path-prefix>: which matches
1178 |                               the path prefix'
1179 |                             properties:
1180 |                               exact:
1181 |                                 type: string
1182 |                               prefix:
1183 |                                 type: string
1184 |                             type: object
1185 |                           type: array
1186 |                       type: object
1187 |                     icmp:
1188 |                       description: ICMP is an optional field that restricts the rule
1189 |                         to apply to a specific type and code of ICMP traffic.  This
1190 |                         should only be specified if the Protocol field is set to "ICMP"
1191 |                         or "ICMPv6".
1192 |                       properties:
1193 |                         code:
1194 |                           description: Match on a specific ICMP code.  If specified,
1195 |                             the Type value must also be specified. This is a technical
1196 |                             limitation imposed by the kernel’s iptables firewall,
1197 |                             which Calico uses to enforce the rule.
1198 |                           type: integer
1199 |                         type:
1200 |                           description: Match on a specific ICMP type.  For example
1201 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
1202 |                           type: integer
1203 |                       type: object
1204 |                     ipVersion:
1205 |                       description: IPVersion is an optional field that restricts the
1206 |                         rule to only match a specific IP version.
1207 |                       type: integer
1208 |                     metadata:
1209 |                       description: Metadata contains additional information for this
1210 |                         rule
1211 |                       properties:
1212 |                         annotations:
1213 |                           additionalProperties:
1214 |                             type: string
1215 |                           description: Annotations is a set of key value pairs that
1216 |                             give extra information about the rule
1217 |                           type: object
1218 |                       type: object
1219 |                     notICMP:
1220 |                       description: NotICMP is the negated version of the ICMP field.
1221 |                       properties:
1222 |                         code:
1223 |                           description: Match on a specific ICMP code.  If specified,
1224 |                             the Type value must also be specified. This is a technical
1225 |                             limitation imposed by the kernel’s iptables firewall,
1226 |                             which Calico uses to enforce the rule.
1227 |                           type: integer
1228 |                         type:
1229 |                           description: Match on a specific ICMP type.  For example
1230 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
1231 |                           type: integer
1232 |                       type: object
1233 |                     notProtocol:
1234 |                       anyOf:
1235 |                       - type: integer
1236 |                       - type: string
1237 |                       description: NotProtocol is the negated version of the Protocol
1238 |                         field.
1239 |                       pattern: ^.*
1240 |                       x-kubernetes-int-or-string: true
1241 |                     protocol:
1242 |                       anyOf:
1243 |                       - type: integer
1244 |                       - type: string
1245 |                       description: "Protocol is an optional field that restricts the
1246 |                         rule to only apply to traffic of a specific IP protocol. Required
1247 |                         if any of the EntityRules contain Ports (because ports only
1248 |                         apply to certain protocols). \n Must be one of these string
1249 |                         values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1250 |                         \"UDPLite\" or an integer in the range 1-255."
1251 |                       pattern: ^.*
1252 |                       x-kubernetes-int-or-string: true
1253 |                     source:
1254 |                       description: Source contains the match criteria that apply to
1255 |                         source entity.
1256 |                       properties:
1257 |                         namespaceSelector:
1258 |                           description: "NamespaceSelector is an optional field that
1259 |                             contains a selector expression. Only traffic that originates
1260 |                             from (or terminates at) endpoints within the selected
1261 |                             namespaces will be matched. When both NamespaceSelector
1262 |                             and Selector are defined on the same rule, then only workload
1263 |                             endpoints that are matched by both selectors will be selected
1264 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1265 |                             implies that the Selector is limited to selecting only
1266 |                             workload endpoints in the same namespace as the NetworkPolicy.
1267 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
1268 |                             that the Selector is limited to selecting only GlobalNetworkSet
1269 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1270 |                             NamespaceSelector implies the Selector applies to workload
1271 |                             endpoints across all namespaces."
1272 |                           type: string
1273 |                         nets:
1274 |                           description: Nets is an optional field that restricts the
1275 |                             rule to only apply to traffic that originates from (or
1276 |                             terminates at) IP addresses in any of the given subnets.
1277 |                           items:
1278 |                             type: string
1279 |                           type: array
1280 |                         notNets:
1281 |                           description: NotNets is the negated version of the Nets
1282 |                             field.
1283 |                           items:
1284 |                             type: string
1285 |                           type: array
1286 |                         notPorts:
1287 |                           description: NotPorts is the negated version of the Ports
1288 |                             field. Since only some protocols have ports, if any ports
1289 |                             are specified it requires the Protocol match in the Rule
1290 |                             to be set to "TCP" or "UDP".
1291 |                           items:
1292 |                             anyOf:
1293 |                             - type: integer
1294 |                             - type: string
1295 |                             pattern: ^.*
1296 |                             x-kubernetes-int-or-string: true
1297 |                           type: array
1298 |                         notSelector:
1299 |                           description: NotSelector is the negated version of the Selector
1300 |                             field.  See Selector field for subtleties with negated
1301 |                             selectors.
1302 |                           type: string
1303 |                         ports:
1304 |                           description: "Ports is an optional field that restricts
1305 |                             the rule to only apply to traffic that has a source (destination)
1306 |                             port that matches one of these ranges/values. This value
1307 |                             is a list of integers or strings that represent ranges
1308 |                             of ports. \n Since only some protocols have ports, if
1309 |                             any ports are specified it requires the Protocol match
1310 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
1311 |                           items:
1312 |                             anyOf:
1313 |                             - type: integer
1314 |                             - type: string
1315 |                             pattern: ^.*
1316 |                             x-kubernetes-int-or-string: true
1317 |                           type: array
1318 |                         selector:
1319 |                           description: "Selector is an optional field that contains
1320 |                             a selector expression (see Policy for sample syntax).
1321 |                             \ Only traffic that originates from (terminates at) endpoints
1322 |                             matching the selector will be matched. \n Note that: in
1323 |                             addition to the negated version of the Selector (see NotSelector
1324 |                             below), the selector expression syntax itself supports
1325 |                             negation.  The two types of negation are subtly different.
1326 |                             One negates the set of matched endpoints, the other negates
1327 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
1328 |                             packets that are from other Calico-controlled \tendpoints
1329 |                             that do not have the label “my_label”. \n \tNotSelector
1330 |                             = \"has(my_label)\" matches packets that are not from
1331 |                             Calico-controlled \tendpoints that do have the label “my_label”.
1332 |                             \n The effect is that the latter will accept packets from
1333 |                             non-Calico sources whereas the former is limited to packets
1334 |                             from Calico-controlled endpoints."
1335 |                           type: string
1336 |                         serviceAccounts:
1337 |                           description: ServiceAccounts is an optional field that restricts
1338 |                             the rule to only apply to traffic that originates from
1339 |                             (or terminates at) a pod running as a matching service
1340 |                             account.
1341 |                           properties:
1342 |                             names:
1343 |                               description: Names is an optional field that restricts
1344 |                                 the rule to only apply to traffic that originates
1345 |                                 from (or terminates at) a pod running as a service
1346 |                                 account whose name is in the list.
1347 |                               items:
1348 |                                 type: string
1349 |                               type: array
1350 |                             selector:
1351 |                               description: Selector is an optional field that restricts
1352 |                                 the rule to only apply to traffic that originates
1353 |                                 from (or terminates at) a pod running as a service
1354 |                                 account that matches the given label selector. If
1355 |                                 both Names and Selector are specified then they are
1356 |                                 AND'ed.
1357 |                               type: string
1358 |                           type: object
1359 |                       type: object
1360 |                   required:
1361 |                   - action
1362 |                   type: object
1363 |                 type: array
1364 |               ingress:
1365 |                 description: The ordered set of ingress rules.  Each rule contains
1366 |                   a set of packet match criteria and a corresponding action to apply.
1367 |                 items:
1368 |                   description: "A Rule encapsulates a set of match criteria and an
1369 |                     action.  Both selector-based security Policy and security Profiles
1370 |                     reference rules - separated out as a list of rules for both ingress
1371 |                     and egress packet matching. \n Each positive match criteria has
1372 |                     a negated version, prefixed with ”Not”. All the match criteria
1373 |                     within a rule must be satisfied for a packet to match. A single
1374 |                     rule can contain the positive and negative version of a match
1375 |                     and both must be satisfied for the rule to match."
1376 |                   properties:
1377 |                     action:
1378 |                       type: string
1379 |                     destination:
1380 |                       description: Destination contains the match criteria that apply
1381 |                         to destination entity.
1382 |                       properties:
1383 |                         namespaceSelector:
1384 |                           description: "NamespaceSelector is an optional field that
1385 |                             contains a selector expression. Only traffic that originates
1386 |                             from (or terminates at) endpoints within the selected
1387 |                             namespaces will be matched. When both NamespaceSelector
1388 |                             and Selector are defined on the same rule, then only workload
1389 |                             endpoints that are matched by both selectors will be selected
1390 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1391 |                             implies that the Selector is limited to selecting only
1392 |                             workload endpoints in the same namespace as the NetworkPolicy.
1393 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
1394 |                             that the Selector is limited to selecting only GlobalNetworkSet
1395 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1396 |                             NamespaceSelector implies the Selector applies to workload
1397 |                             endpoints across all namespaces."
1398 |                           type: string
1399 |                         nets:
1400 |                           description: Nets is an optional field that restricts the
1401 |                             rule to only apply to traffic that originates from (or
1402 |                             terminates at) IP addresses in any of the given subnets.
1403 |                           items:
1404 |                             type: string
1405 |                           type: array
1406 |                         notNets:
1407 |                           description: NotNets is the negated version of the Nets
1408 |                             field.
1409 |                           items:
1410 |                             type: string
1411 |                           type: array
1412 |                         notPorts:
1413 |                           description: NotPorts is the negated version of the Ports
1414 |                             field. Since only some protocols have ports, if any ports
1415 |                             are specified it requires the Protocol match in the Rule
1416 |                             to be set to "TCP" or "UDP".
1417 |                           items:
1418 |                             anyOf:
1419 |                             - type: integer
1420 |                             - type: string
1421 |                             pattern: ^.*
1422 |                             x-kubernetes-int-or-string: true
1423 |                           type: array
1424 |                         notSelector:
1425 |                           description: NotSelector is the negated version of the Selector
1426 |                             field.  See Selector field for subtleties with negated
1427 |                             selectors.
1428 |                           type: string
1429 |                         ports:
1430 |                           description: "Ports is an optional field that restricts
1431 |                             the rule to only apply to traffic that has a source (destination)
1432 |                             port that matches one of these ranges/values. This value
1433 |                             is a list of integers or strings that represent ranges
1434 |                             of ports. \n Since only some protocols have ports, if
1435 |                             any ports are specified it requires the Protocol match
1436 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
1437 |                           items:
1438 |                             anyOf:
1439 |                             - type: integer
1440 |                             - type: string
1441 |                             pattern: ^.*
1442 |                             x-kubernetes-int-or-string: true
1443 |                           type: array
1444 |                         selector:
1445 |                           description: "Selector is an optional field that contains
1446 |                             a selector expression (see Policy for sample syntax).
1447 |                             \ Only traffic that originates from (terminates at) endpoints
1448 |                             matching the selector will be matched. \n Note that: in
1449 |                             addition to the negated version of the Selector (see NotSelector
1450 |                             below), the selector expression syntax itself supports
1451 |                             negation.  The two types of negation are subtly different.
1452 |                             One negates the set of matched endpoints, the other negates
1453 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
1454 |                             packets that are from other Calico-controlled \tendpoints
1455 |                             that do not have the label “my_label”. \n \tNotSelector
1456 |                             = \"has(my_label)\" matches packets that are not from
1457 |                             Calico-controlled \tendpoints that do have the label “my_label”.
1458 |                             \n The effect is that the latter will accept packets from
1459 |                             non-Calico sources whereas the former is limited to packets
1460 |                             from Calico-controlled endpoints."
1461 |                           type: string
1462 |                         serviceAccounts:
1463 |                           description: ServiceAccounts is an optional field that restricts
1464 |                             the rule to only apply to traffic that originates from
1465 |                             (or terminates at) a pod running as a matching service
1466 |                             account.
1467 |                           properties:
1468 |                             names:
1469 |                               description: Names is an optional field that restricts
1470 |                                 the rule to only apply to traffic that originates
1471 |                                 from (or terminates at) a pod running as a service
1472 |                                 account whose name is in the list.
1473 |                               items:
1474 |                                 type: string
1475 |                               type: array
1476 |                             selector:
1477 |                               description: Selector is an optional field that restricts
1478 |                                 the rule to only apply to traffic that originates
1479 |                                 from (or terminates at) a pod running as a service
1480 |                                 account that matches the given label selector. If
1481 |                                 both Names and Selector are specified then they are
1482 |                                 AND'ed.
1483 |                               type: string
1484 |                           type: object
1485 |                       type: object
1486 |                     http:
1487 |                       description: HTTP contains match criteria that apply to HTTP
1488 |                         requests.
1489 |                       properties:
1490 |                         methods:
1491 |                           description: Methods is an optional field that restricts
1492 |                             the rule to apply only to HTTP requests that use one of
1493 |                             the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
1494 |                             methods are OR'd together.
1495 |                           items:
1496 |                             type: string
1497 |                           type: array
1498 |                         paths:
1499 |                           description: 'Paths is an optional field that restricts
1500 |                             the rule to apply to HTTP requests that use one of the
1501 |                             listed HTTP Paths. Multiple paths are OR''d together.
1502 |                             e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
1503 |                             ONLY specify either a `exact` or a `prefix` match. The
1504 |                             validator will check for it.'
1505 |                           items:
1506 |                             description: 'HTTPPath specifies an HTTP path to match.
1507 |                               It may be either of the form: exact: <path>: which matches
1508 |                               the path exactly or prefix: <path-prefix>: which matches
1509 |                               the path prefix'
1510 |                             properties:
1511 |                               exact:
1512 |                                 type: string
1513 |                               prefix:
1514 |                                 type: string
1515 |                             type: object
1516 |                           type: array
1517 |                       type: object
1518 |                     icmp:
1519 |                       description: ICMP is an optional field that restricts the rule
1520 |                         to apply to a specific type and code of ICMP traffic.  This
1521 |                         should only be specified if the Protocol field is set to "ICMP"
1522 |                         or "ICMPv6".
1523 |                       properties:
1524 |                         code:
1525 |                           description: Match on a specific ICMP code.  If specified,
1526 |                             the Type value must also be specified. This is a technical
1527 |                             limitation imposed by the kernel’s iptables firewall,
1528 |                             which Calico uses to enforce the rule.
1529 |                           type: integer
1530 |                         type:
1531 |                           description: Match on a specific ICMP type.  For example
1532 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
1533 |                           type: integer
1534 |                       type: object
1535 |                     ipVersion:
1536 |                       description: IPVersion is an optional field that restricts the
1537 |                         rule to only match a specific IP version.
1538 |                       type: integer
1539 |                     metadata:
1540 |                       description: Metadata contains additional information for this
1541 |                         rule
1542 |                       properties:
1543 |                         annotations:
1544 |                           additionalProperties:
1545 |                             type: string
1546 |                           description: Annotations is a set of key value pairs that
1547 |                             give extra information about the rule
1548 |                           type: object
1549 |                       type: object
1550 |                     notICMP:
1551 |                       description: NotICMP is the negated version of the ICMP field.
1552 |                       properties:
1553 |                         code:
1554 |                           description: Match on a specific ICMP code.  If specified,
1555 |                             the Type value must also be specified. This is a technical
1556 |                             limitation imposed by the kernel’s iptables firewall,
1557 |                             which Calico uses to enforce the rule.
1558 |                           type: integer
1559 |                         type:
1560 |                           description: Match on a specific ICMP type.  For example
1561 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
1562 |                           type: integer
1563 |                       type: object
1564 |                     notProtocol:
1565 |                       anyOf:
1566 |                       - type: integer
1567 |                       - type: string
1568 |                       description: NotProtocol is the negated version of the Protocol
1569 |                         field.
1570 |                       pattern: ^.*
1571 |                       x-kubernetes-int-or-string: true
1572 |                     protocol:
1573 |                       anyOf:
1574 |                       - type: integer
1575 |                       - type: string
1576 |                       description: "Protocol is an optional field that restricts the
1577 |                         rule to only apply to traffic of a specific IP protocol. Required
1578 |                         if any of the EntityRules contain Ports (because ports only
1579 |                         apply to certain protocols). \n Must be one of these string
1580 |                         values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
1581 |                         \"UDPLite\" or an integer in the range 1-255."
1582 |                       pattern: ^.*
1583 |                       x-kubernetes-int-or-string: true
1584 |                     source:
1585 |                       description: Source contains the match criteria that apply to
1586 |                         source entity.
1587 |                       properties:
1588 |                         namespaceSelector:
1589 |                           description: "NamespaceSelector is an optional field that
1590 |                             contains a selector expression. Only traffic that originates
1591 |                             from (or terminates at) endpoints within the selected
1592 |                             namespaces will be matched. When both NamespaceSelector
1593 |                             and Selector are defined on the same rule, then only workload
1594 |                             endpoints that are matched by both selectors will be selected
1595 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
1596 |                             implies that the Selector is limited to selecting only
1597 |                             workload endpoints in the same namespace as the NetworkPolicy.
1598 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
1599 |                             that the Selector is limited to selecting only GlobalNetworkSet
1600 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
1601 |                             NamespaceSelector implies the Selector applies to workload
1602 |                             endpoints across all namespaces."
1603 |                           type: string
1604 |                         nets:
1605 |                           description: Nets is an optional field that restricts the
1606 |                             rule to only apply to traffic that originates from (or
1607 |                             terminates at) IP addresses in any of the given subnets.
1608 |                           items:
1609 |                             type: string
1610 |                           type: array
1611 |                         notNets:
1612 |                           description: NotNets is the negated version of the Nets
1613 |                             field.
1614 |                           items:
1615 |                             type: string
1616 |                           type: array
1617 |                         notPorts:
1618 |                           description: NotPorts is the negated version of the Ports
1619 |                             field. Since only some protocols have ports, if any ports
1620 |                             are specified it requires the Protocol match in the Rule
1621 |                             to be set to "TCP" or "UDP".
1622 |                           items:
1623 |                             anyOf:
1624 |                             - type: integer
1625 |                             - type: string
1626 |                             pattern: ^.*
1627 |                             x-kubernetes-int-or-string: true
1628 |                           type: array
1629 |                         notSelector:
1630 |                           description: NotSelector is the negated version of the Selector
1631 |                             field.  See Selector field for subtleties with negated
1632 |                             selectors.
1633 |                           type: string
1634 |                         ports:
1635 |                           description: "Ports is an optional field that restricts
1636 |                             the rule to only apply to traffic that has a source (destination)
1637 |                             port that matches one of these ranges/values. This value
1638 |                             is a list of integers or strings that represent ranges
1639 |                             of ports. \n Since only some protocols have ports, if
1640 |                             any ports are specified it requires the Protocol match
1641 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
1642 |                           items:
1643 |                             anyOf:
1644 |                             - type: integer
1645 |                             - type: string
1646 |                             pattern: ^.*
1647 |                             x-kubernetes-int-or-string: true
1648 |                           type: array
1649 |                         selector:
1650 |                           description: "Selector is an optional field that contains
1651 |                             a selector expression (see Policy for sample syntax).
1652 |                             \ Only traffic that originates from (terminates at) endpoints
1653 |                             matching the selector will be matched. \n Note that: in
1654 |                             addition to the negated version of the Selector (see NotSelector
1655 |                             below), the selector expression syntax itself supports
1656 |                             negation.  The two types of negation are subtly different.
1657 |                             One negates the set of matched endpoints, the other negates
1658 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
1659 |                             packets that are from other Calico-controlled \tendpoints
1660 |                             that do not have the label “my_label”. \n \tNotSelector
1661 |                             = \"has(my_label)\" matches packets that are not from
1662 |                             Calico-controlled \tendpoints that do have the label “my_label”.
1663 |                             \n The effect is that the latter will accept packets from
1664 |                             non-Calico sources whereas the former is limited to packets
1665 |                             from Calico-controlled endpoints."
1666 |                           type: string
1667 |                         serviceAccounts:
1668 |                           description: ServiceAccounts is an optional field that restricts
1669 |                             the rule to only apply to traffic that originates from
1670 |                             (or terminates at) a pod running as a matching service
1671 |                             account.
1672 |                           properties:
1673 |                             names:
1674 |                               description: Names is an optional field that restricts
1675 |                                 the rule to only apply to traffic that originates
1676 |                                 from (or terminates at) a pod running as a service
1677 |                                 account whose name is in the list.
1678 |                               items:
1679 |                                 type: string
1680 |                               type: array
1681 |                             selector:
1682 |                               description: Selector is an optional field that restricts
1683 |                                 the rule to only apply to traffic that originates
1684 |                                 from (or terminates at) a pod running as a service
1685 |                                 account that matches the given label selector. If
1686 |                                 both Names and Selector are specified then they are
1687 |                                 AND'ed.
1688 |                               type: string
1689 |                           type: object
1690 |                       type: object
1691 |                   required:
1692 |                   - action
1693 |                   type: object
1694 |                 type: array
1695 |               namespaceSelector:
1696 |                 description: NamespaceSelector is an optional field for an expression
1697 |                   used to select a pod based on namespaces.
1698 |                 type: string
1699 |               order:
1700 |                 description: Order is an optional field that specifies the order in
1701 |                   which the policy is applied. Policies with higher "order" are applied
1702 |                   after those with lower order.  If the order is omitted, it may be
1703 |                   considered to be "infinite" - i.e. the policy will be applied last.  Policies
1704 |                   with identical order will be applied in alphanumerical order based
1705 |                   on the Policy "Name".
1706 |                 type: number
1707 |               preDNAT:
1708 |                 description: PreDNAT indicates to apply the rules in this policy before
1709 |                   any DNAT.
1710 |                 type: boolean
1711 |               selector:
1712 |                 description: "The selector is an expression used to pick pick out
1713 |                   the endpoints that the policy should be applied to. \n Selector
1714 |                   expressions follow this syntax: \n \tlabel == \"string_literal\"
1715 |                   \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
1716 |                   \  ->  not equal; also matches if label is not present \tlabel in
1717 |                   { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
1718 |                   one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
1719 |                   ... }  ->  true if the value of label X is not one of \"a\", \"b\",
1720 |                   \"c\" \thas(label_name)  -> True if that label is present \t! expr
1721 |                   -> negation of expr \texpr && expr  -> Short-circuit and \texpr
1722 |                   || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
1723 |                   or the empty selector -> matches all endpoints. \n Label names are
1724 |                   allowed to contain alphanumerics, -, _ and /. String literals are
1725 |                   more permissive but they do not support escape characters. \n Examples
1726 |                   (with made-up labels): \n \ttype == \"webserver\" && deployment
1727 |                   == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
1728 |                   \"dev\" \t! has(label_name)"
1729 |                 type: string
1730 |               serviceAccountSelector:
1731 |                 description: ServiceAccountSelector is an optional field for an expression
1732 |                   used to select a pod based on service accounts.
1733 |                 type: string
1734 |               types:
1735 |                 description: "Types indicates whether this policy applies to ingress,
1736 |                   or to egress, or to both.  When not explicitly specified (and so
1737 |                   the value on creation is empty or nil), Calico defaults Types according
1738 |                   to what Ingress and Egress rules are present in the policy.  The
1739 |                   default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
1740 |                   (including the case where there are   also no Ingress rules) \n
1741 |                   - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
1742 |                   rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
1743 |                   both Ingress and Egress rules. \n When the policy is read back again,
1744 |                   Types will always be one of these values, never empty or nil."
1745 |                 items:
1746 |                   description: PolicyType enumerates the possible values of the PolicySpec
1747 |                     Types field.
1748 |                   type: string
1749 |                 type: array
1750 |             type: object
1751 |         type: object
1752 |     served: true
1753 |     storage: true
1754 | status:
1755 |   acceptedNames:
1756 |     kind: ""
1757 |     plural: ""
1758 |   conditions: []
1759 |   storedVersions: []
1760 | 
1761 | ---
1762 | 
1763 | ---
1764 | apiVersion: apiextensions.k8s.io/v1
1765 | kind: CustomResourceDefinition
1766 | metadata:
1767 |   annotations:
1768 |     controller-gen.kubebuilder.io/version: (devel)
1769 |   creationTimestamp: null
1770 |   name: globalnetworksets.crd.projectcalico.org
1771 | spec:
1772 |   group: crd.projectcalico.org
1773 |   names:
1774 |     kind: GlobalNetworkSet
1775 |     listKind: GlobalNetworkSetList
1776 |     plural: globalnetworksets
1777 |     singular: globalnetworkset
1778 |   scope: Cluster
1779 |   versions:
1780 |   - name: v1
1781 |     schema:
1782 |       openAPIV3Schema:
1783 |         description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
1784 |           that share labels to allow rules to refer to them via selectors.  The labels
1785 |           of GlobalNetworkSet are not namespaced.
1786 |         properties:
1787 |           apiVersion:
1788 |             description: 'APIVersion defines the versioned schema of this representation
1789 |               of an object. Servers should convert recognized schemas to the latest
1790 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1791 |             type: string
1792 |           kind:
1793 |             description: 'Kind is a string value representing the REST resource this
1794 |               object represents. Servers may infer this from the endpoint the client
1795 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1796 |             type: string
1797 |           metadata:
1798 |             type: object
1799 |           spec:
1800 |             description: GlobalNetworkSetSpec contains the specification for a NetworkSet
1801 |               resource.
1802 |             properties:
1803 |               nets:
1804 |                 description: The list of IP networks that belong to this set.
1805 |                 items:
1806 |                   type: string
1807 |                 type: array
1808 |             type: object
1809 |         type: object
1810 |     served: true
1811 |     storage: true
1812 | status:
1813 |   acceptedNames:
1814 |     kind: ""
1815 |     plural: ""
1816 |   conditions: []
1817 |   storedVersions: []
1818 | 
1819 | ---
1820 | 
1821 | ---
1822 | apiVersion: apiextensions.k8s.io/v1
1823 | kind: CustomResourceDefinition
1824 | metadata:
1825 |   annotations:
1826 |     controller-gen.kubebuilder.io/version: (devel)
1827 |   creationTimestamp: null
1828 |   name: hostendpoints.crd.projectcalico.org
1829 | spec:
1830 |   group: crd.projectcalico.org
1831 |   names:
1832 |     kind: HostEndpoint
1833 |     listKind: HostEndpointList
1834 |     plural: hostendpoints
1835 |     singular: hostendpoint
1836 |   scope: Cluster
1837 |   versions:
1838 |   - name: v1
1839 |     schema:
1840 |       openAPIV3Schema:
1841 |         properties:
1842 |           apiVersion:
1843 |             description: 'APIVersion defines the versioned schema of this representation
1844 |               of an object. Servers should convert recognized schemas to the latest
1845 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1846 |             type: string
1847 |           kind:
1848 |             description: 'Kind is a string value representing the REST resource this
1849 |               object represents. Servers may infer this from the endpoint the client
1850 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1851 |             type: string
1852 |           metadata:
1853 |             type: object
1854 |           spec:
1855 |             description: HostEndpointSpec contains the specification for a HostEndpoint
1856 |               resource.
1857 |             properties:
1858 |               expectedIPs:
1859 |                 description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
1860 |                   If \"InterfaceName\" is not present, Calico will look for an interface
1861 |                   matching any of the IPs in the list and apply policy to that. Note:
1862 |                   \tWhen using the selector match criteria in an ingress or egress
1863 |                   security Policy \tor Profile, Calico converts the selector into
1864 |                   a set of IP addresses. For host \tendpoints, the ExpectedIPs field
1865 |                   is used for that purpose. (If only the interface \tname is specified,
1866 |                   Calico does not learn the IPs of the interface for use in match
1867 |                   \tcriteria.)"
1868 |                 items:
1869 |                   type: string
1870 |                 type: array
1871 |               interfaceName:
1872 |                 description: "Either \"*\", or the name of a specific Linux interface
1873 |                   to apply policy to; or empty.  \"*\" indicates that this HostEndpoint
1874 |                   governs all traffic to, from or through the default network namespace
1875 |                   of the host named by the \"Node\" field; entering and leaving that
1876 |                   namespace via any interface, including those from/to non-host-networked
1877 |                   local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
1878 |                   only governs traffic that enters or leaves the host through the
1879 |                   specific interface named by InterfaceName, or - when InterfaceName
1880 |                   is empty - through the specific interface that has one of the IPs
1881 |                   in ExpectedIPs. Therefore, when InterfaceName is empty, at least
1882 |                   one expected IP must be specified.  Only external interfaces (such
1883 |                   as “eth0”) are supported here; it isn't possible for a HostEndpoint
1884 |                   to protect traffic through a specific local workload interface.
1885 |                   \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
1886 |                   initially just pre-DNAT policy.  Please check Calico documentation
1887 |                   for the latest position."
1888 |                 type: string
1889 |               node:
1890 |                 description: The node name identifying the Calico node instance.
1891 |                 type: string
1892 |               ports:
1893 |                 description: Ports contains the endpoint's named ports, which may
1894 |                   be referenced in security policy rules.
1895 |                 items:
1896 |                   properties:
1897 |                     name:
1898 |                       type: string
1899 |                     port:
1900 |                       type: integer
1901 |                     protocol:
1902 |                       anyOf:
1903 |                       - type: integer
1904 |                       - type: string
1905 |                       pattern: ^.*
1906 |                       x-kubernetes-int-or-string: true
1907 |                   required:
1908 |                   - name
1909 |                   - port
1910 |                   - protocol
1911 |                   type: object
1912 |                 type: array
1913 |               profiles:
1914 |                 description: A list of identifiers of security Profile objects that
1915 |                   apply to this endpoint. Each profile is applied in the order that
1916 |                   they appear in this list.  Profile rules are applied after the selector-based
1917 |                   security policy.
1918 |                 items:
1919 |                   type: string
1920 |                 type: array
1921 |             type: object
1922 |         type: object
1923 |     served: true
1924 |     storage: true
1925 | status:
1926 |   acceptedNames:
1927 |     kind: ""
1928 |     plural: ""
1929 |   conditions: []
1930 |   storedVersions: []
1931 | 
1932 | ---
1933 | 
1934 | ---
1935 | apiVersion: apiextensions.k8s.io/v1
1936 | kind: CustomResourceDefinition
1937 | metadata:
1938 |   annotations:
1939 |     controller-gen.kubebuilder.io/version: (devel)
1940 |   creationTimestamp: null
1941 |   name: ipamblocks.crd.projectcalico.org
1942 | spec:
1943 |   group: crd.projectcalico.org
1944 |   names:
1945 |     kind: IPAMBlock
1946 |     listKind: IPAMBlockList
1947 |     plural: ipamblocks
1948 |     singular: ipamblock
1949 |   scope: Cluster
1950 |   versions:
1951 |   - name: v1
1952 |     schema:
1953 |       openAPIV3Schema:
1954 |         properties:
1955 |           apiVersion:
1956 |             description: 'APIVersion defines the versioned schema of this representation
1957 |               of an object. Servers should convert recognized schemas to the latest
1958 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
1959 |             type: string
1960 |           kind:
1961 |             description: 'Kind is a string value representing the REST resource this
1962 |               object represents. Servers may infer this from the endpoint the client
1963 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
1964 |             type: string
1965 |           metadata:
1966 |             type: object
1967 |           spec:
1968 |             description: IPAMBlockSpec contains the specification for an IPAMBlock
1969 |               resource.
1970 |             properties:
1971 |               affinity:
1972 |                 type: string
1973 |               allocations:
1974 |                 items:
1975 |                   type: integer
1976 |                   # TODO: This nullable is manually added in. We should update controller-gen
1977 |                   # to handle []*int properly itself.
1978 |                   nullable: true
1979 |                 type: array
1980 |               attributes:
1981 |                 items:
1982 |                   properties:
1983 |                     handle_id:
1984 |                       type: string
1985 |                     secondary:
1986 |                       additionalProperties:
1987 |                         type: string
1988 |                       type: object
1989 |                   type: object
1990 |                 type: array
1991 |               cidr:
1992 |                 type: string
1993 |               deleted:
1994 |                 type: boolean
1995 |               strictAffinity:
1996 |                 type: boolean
1997 |               unallocated:
1998 |                 items:
1999 |                   type: integer
2000 |                 type: array
2001 |             required:
2002 |             - allocations
2003 |             - attributes
2004 |             - cidr
2005 |             - deleted
2006 |             - strictAffinity
2007 |             - unallocated
2008 |             type: object
2009 |         type: object
2010 |     served: true
2011 |     storage: true
2012 | status:
2013 |   acceptedNames:
2014 |     kind: ""
2015 |     plural: ""
2016 |   conditions: []
2017 |   storedVersions: []
2018 | 
2019 | ---
2020 | 
2021 | ---
2022 | apiVersion: apiextensions.k8s.io/v1
2023 | kind: CustomResourceDefinition
2024 | metadata:
2025 |   annotations:
2026 |     controller-gen.kubebuilder.io/version: (devel)
2027 |   creationTimestamp: null
2028 |   name: ipamconfigs.crd.projectcalico.org
2029 | spec:
2030 |   group: crd.projectcalico.org
2031 |   names:
2032 |     kind: IPAMConfig
2033 |     listKind: IPAMConfigList
2034 |     plural: ipamconfigs
2035 |     singular: ipamconfig
2036 |   scope: Cluster
2037 |   versions:
2038 |   - name: v1
2039 |     schema:
2040 |       openAPIV3Schema:
2041 |         properties:
2042 |           apiVersion:
2043 |             description: 'APIVersion defines the versioned schema of this representation
2044 |               of an object. Servers should convert recognized schemas to the latest
2045 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2046 |             type: string
2047 |           kind:
2048 |             description: 'Kind is a string value representing the REST resource this
2049 |               object represents. Servers may infer this from the endpoint the client
2050 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2051 |             type: string
2052 |           metadata:
2053 |             type: object
2054 |           spec:
2055 |             description: IPAMConfigSpec contains the specification for an IPAMConfig
2056 |               resource.
2057 |             properties:
2058 |               autoAllocateBlocks:
2059 |                 type: boolean
2060 |               strictAffinity:
2061 |                 type: boolean
2062 |             required:
2063 |             - autoAllocateBlocks
2064 |             - strictAffinity
2065 |             type: object
2066 |         type: object
2067 |     served: true
2068 |     storage: true
2069 | status:
2070 |   acceptedNames:
2071 |     kind: ""
2072 |     plural: ""
2073 |   conditions: []
2074 |   storedVersions: []
2075 | 
2076 | ---
2077 | 
2078 | ---
2079 | apiVersion: apiextensions.k8s.io/v1
2080 | kind: CustomResourceDefinition
2081 | metadata:
2082 |   annotations:
2083 |     controller-gen.kubebuilder.io/version: (devel)
2084 |   creationTimestamp: null
2085 |   name: ipamhandles.crd.projectcalico.org
2086 | spec:
2087 |   group: crd.projectcalico.org
2088 |   names:
2089 |     kind: IPAMHandle
2090 |     listKind: IPAMHandleList
2091 |     plural: ipamhandles
2092 |     singular: ipamhandle
2093 |   scope: Cluster
2094 |   versions:
2095 |   - name: v1
2096 |     schema:
2097 |       openAPIV3Schema:
2098 |         properties:
2099 |           apiVersion:
2100 |             description: 'APIVersion defines the versioned schema of this representation
2101 |               of an object. Servers should convert recognized schemas to the latest
2102 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2103 |             type: string
2104 |           kind:
2105 |             description: 'Kind is a string value representing the REST resource this
2106 |               object represents. Servers may infer this from the endpoint the client
2107 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2108 |             type: string
2109 |           metadata:
2110 |             type: object
2111 |           spec:
2112 |             description: IPAMHandleSpec contains the specification for an IPAMHandle
2113 |               resource.
2114 |             properties:
2115 |               block:
2116 |                 additionalProperties:
2117 |                   type: integer
2118 |                 type: object
2119 |               handleID:
2120 |                 type: string
2121 |             required:
2122 |             - block
2123 |             - handleID
2124 |             type: object
2125 |         type: object
2126 |     served: true
2127 |     storage: true
2128 | status:
2129 |   acceptedNames:
2130 |     kind: ""
2131 |     plural: ""
2132 |   conditions: []
2133 |   storedVersions: []
2134 | 
2135 | ---
2136 | 
2137 | ---
2138 | apiVersion: apiextensions.k8s.io/v1
2139 | kind: CustomResourceDefinition
2140 | metadata:
2141 |   annotations:
2142 |     controller-gen.kubebuilder.io/version: (devel)
2143 |   creationTimestamp: null
2144 |   name: ippools.crd.projectcalico.org
2145 | spec:
2146 |   group: crd.projectcalico.org
2147 |   names:
2148 |     kind: IPPool
2149 |     listKind: IPPoolList
2150 |     plural: ippools
2151 |     singular: ippool
2152 |   scope: Cluster
2153 |   versions:
2154 |   - name: v1
2155 |     schema:
2156 |       openAPIV3Schema:
2157 |         properties:
2158 |           apiVersion:
2159 |             description: 'APIVersion defines the versioned schema of this representation
2160 |               of an object. Servers should convert recognized schemas to the latest
2161 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2162 |             type: string
2163 |           kind:
2164 |             description: 'Kind is a string value representing the REST resource this
2165 |               object represents. Servers may infer this from the endpoint the client
2166 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2167 |             type: string
2168 |           metadata:
2169 |             type: object
2170 |           spec:
2171 |             description: IPPoolSpec contains the specification for an IPPool resource.
2172 |             properties:
2173 |               blockSize:
2174 |                 description: The block size to use for IP address assignments from
2175 |                   this pool. Defaults to 26 for IPv4 and 112 for IPv6.
2176 |                 type: integer
2177 |               cidr:
2178 |                 description: The pool CIDR.
2179 |                 type: string
2180 |               disabled:
2181 |                 description: When disabled is true, Calico IPAM will not assign addresses
2182 |                   from this pool.
2183 |                 type: boolean
2184 |               ipip:
2185 |                 description: 'Deprecated: this field is only used for APIv1 backwards
2186 |                   compatibility. Setting this field is not allowed, this field is
2187 |                   for internal use only.'
2188 |                 properties:
2189 |                   enabled:
2190 |                     description: When enabled is true, ipip tunneling will be used
2191 |                       to deliver packets to destinations within this pool.
2192 |                     type: boolean
2193 |                   mode:
2194 |                     description: The IPIP mode.  This can be one of "always" or "cross-subnet".  A
2195 |                       mode of "always" will also use IPIP tunneling for routing to
2196 |                       destination IP addresses within this pool.  A mode of "cross-subnet"
2197 |                       will only use IPIP tunneling when the destination node is on
2198 |                       a different subnet to the originating node.  The default value
2199 |                       (if not specified) is "always".
2200 |                     type: string
2201 |                 type: object
2202 |               ipipMode:
2203 |                 description: Contains configuration for IPIP tunneling for this pool.
2204 |                   If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
2205 |                   is disabled).
2206 |                 type: string
2207 |               nat-outgoing:
2208 |                 description: 'Deprecated: this field is only used for APIv1 backwards
2209 |                   compatibility. Setting this field is not allowed, this field is
2210 |                   for internal use only.'
2211 |                 type: boolean
2212 |               natOutgoing:
2213 |                 description: When nat-outgoing is true, packets sent from Calico networked
2214 |                   containers in this pool to destinations outside of this pool will
2215 |                   be masqueraded.
2216 |                 type: boolean
2217 |               nodeSelector:
2218 |                 description: Allows IPPool to allocate for a specific node by label
2219 |                   selector.
2220 |                 type: string
2221 |               vxlanMode:
2222 |                 description: Contains configuration for VXLAN tunneling for this pool.
2223 |                   If not specified, then this is defaulted to "Never" (i.e. VXLAN
2224 |                   tunneling is disabled).
2225 |                 type: string
2226 |             required:
2227 |             - cidr
2228 |             type: object
2229 |         type: object
2230 |     served: true
2231 |     storage: true
2232 | status:
2233 |   acceptedNames:
2234 |     kind: ""
2235 |     plural: ""
2236 |   conditions: []
2237 |   storedVersions: []
2238 | 
2239 | ---
2240 | 
2241 | ---
2242 | apiVersion: apiextensions.k8s.io/v1
2243 | kind: CustomResourceDefinition
2244 | metadata:
2245 |   annotations:
2246 |     controller-gen.kubebuilder.io/version: (devel)
2247 |   creationTimestamp: null
2248 |   name: kubecontrollersconfigurations.crd.projectcalico.org
2249 | spec:
2250 |   group: crd.projectcalico.org
2251 |   names:
2252 |     kind: KubeControllersConfiguration
2253 |     listKind: KubeControllersConfigurationList
2254 |     plural: kubecontrollersconfigurations
2255 |     singular: kubecontrollersconfiguration
2256 |   scope: Cluster
2257 |   versions:
2258 |   - name: v1
2259 |     schema:
2260 |       openAPIV3Schema:
2261 |         properties:
2262 |           apiVersion:
2263 |             description: 'APIVersion defines the versioned schema of this representation
2264 |               of an object. Servers should convert recognized schemas to the latest
2265 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2266 |             type: string
2267 |           kind:
2268 |             description: 'Kind is a string value representing the REST resource this
2269 |               object represents. Servers may infer this from the endpoint the client
2270 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2271 |             type: string
2272 |           metadata:
2273 |             type: object
2274 |           spec:
2275 |             description: KubeControllersConfigurationSpec contains the values of the
2276 |               Kubernetes controllers configuration.
2277 |             properties:
2278 |               controllers:
2279 |                 description: Controllers enables and configures individual Kubernetes
2280 |                   controllers
2281 |                 properties:
2282 |                   namespace:
2283 |                     description: Namespace enables and configures the namespace controller.
2284 |                       Enabled by default, set to nil to disable.
2285 |                     properties:
2286 |                       reconcilerPeriod:
2287 |                         description: 'ReconcilerPeriod is the period to perform reconciliation
2288 |                           with the Calico datastore. [Default: 5m]'
2289 |                         type: string
2290 |                     type: object
2291 |                   node:
2292 |                     description: Node enables and configures the node controller.
2293 |                       Enabled by default, set to nil to disable.
2294 |                     properties:
2295 |                       hostEndpoint:
2296 |                         description: HostEndpoint controls syncing nodes to host endpoints.
2297 |                           Disabled by default, set to nil to disable.
2298 |                         properties:
2299 |                           autoCreate:
2300 |                             description: 'AutoCreate enables automatic creation of
2301 |                               host endpoints for every node. [Default: Disabled]'
2302 |                             type: string
2303 |                         type: object
2304 |                       reconcilerPeriod:
2305 |                         description: 'ReconcilerPeriod is the period to perform reconciliation
2306 |                           with the Calico datastore. [Default: 5m]'
2307 |                         type: string
2308 |                       syncLabels:
2309 |                         description: 'SyncLabels controls whether to copy Kubernetes
2310 |                           node labels to Calico nodes. [Default: Enabled]'
2311 |                         type: string
2312 |                     type: object
2313 |                   policy:
2314 |                     description: Policy enables and configures the policy controller.
2315 |                       Enabled by default, set to nil to disable.
2316 |                     properties:
2317 |                       reconcilerPeriod:
2318 |                         description: 'ReconcilerPeriod is the period to perform reconciliation
2319 |                           with the Calico datastore. [Default: 5m]'
2320 |                         type: string
2321 |                     type: object
2322 |                   serviceAccount:
2323 |                     description: ServiceAccount enables and configures the service
2324 |                       account controller. Enabled by default, set to nil to disable.
2325 |                     properties:
2326 |                       reconcilerPeriod:
2327 |                         description: 'ReconcilerPeriod is the period to perform reconciliation
2328 |                           with the Calico datastore. [Default: 5m]'
2329 |                         type: string
2330 |                     type: object
2331 |                   workloadEndpoint:
2332 |                     description: WorkloadEndpoint enables and configures the workload
2333 |                       endpoint controller. Enabled by default, set to nil to disable.
2334 |                     properties:
2335 |                       reconcilerPeriod:
2336 |                         description: 'ReconcilerPeriod is the period to perform reconciliation
2337 |                           with the Calico datastore. [Default: 5m]'
2338 |                         type: string
2339 |                     type: object
2340 |                 type: object
2341 |               etcdV3CompactionPeriod:
2342 |                 description: 'EtcdV3CompactionPeriod is the period between etcdv3
2343 |                   compaction requests. Set to 0 to disable. [Default: 10m]'
2344 |                 type: string
2345 |               healthChecks:
2346 |                 description: 'HealthChecks enables or disables support for health
2347 |                   checks [Default: Enabled]'
2348 |                 type: string
2349 |               logSeverityScreen:
2350 |                 description: 'LogSeverityScreen is the log severity above which logs
2351 |                   are sent to the stdout. [Default: Info]'
2352 |                 type: string
2353 |             required:
2354 |             - controllers
2355 |             type: object
2356 |           status:
2357 |             description: KubeControllersConfigurationStatus represents the status
2358 |               of the configuration. It's useful for admins to be able to see the actual
2359 |               config that was applied, which can be modified by environment variables
2360 |               on the kube-controllers process.
2361 |             properties:
2362 |               environmentVars:
2363 |                 additionalProperties:
2364 |                   type: string
2365 |                 description: EnvironmentVars contains the environment variables on
2366 |                   the kube-controllers that influenced the RunningConfig.
2367 |                 type: object
2368 |               runningConfig:
2369 |                 description: RunningConfig contains the effective config that is running
2370 |                   in the kube-controllers pod, after merging the API resource with
2371 |                   any environment variables.
2372 |                 properties:
2373 |                   controllers:
2374 |                     description: Controllers enables and configures individual Kubernetes
2375 |                       controllers
2376 |                     properties:
2377 |                       namespace:
2378 |                         description: Namespace enables and configures the namespace
2379 |                           controller. Enabled by default, set to nil to disable.
2380 |                         properties:
2381 |                           reconcilerPeriod:
2382 |                             description: 'ReconcilerPeriod is the period to perform
2383 |                               reconciliation with the Calico datastore. [Default:
2384 |                               5m]'
2385 |                             type: string
2386 |                         type: object
2387 |                       node:
2388 |                         description: Node enables and configures the node controller.
2389 |                           Enabled by default, set to nil to disable.
2390 |                         properties:
2391 |                           hostEndpoint:
2392 |                             description: HostEndpoint controls syncing nodes to host
2393 |                               endpoints. Disabled by default, set to nil to disable.
2394 |                             properties:
2395 |                               autoCreate:
2396 |                                 description: 'AutoCreate enables automatic creation
2397 |                                   of host endpoints for every node. [Default: Disabled]'
2398 |                                 type: string
2399 |                             type: object
2400 |                           reconcilerPeriod:
2401 |                             description: 'ReconcilerPeriod is the period to perform
2402 |                               reconciliation with the Calico datastore. [Default:
2403 |                               5m]'
2404 |                             type: string
2405 |                           syncLabels:
2406 |                             description: 'SyncLabels controls whether to copy Kubernetes
2407 |                               node labels to Calico nodes. [Default: Enabled]'
2408 |                             type: string
2409 |                         type: object
2410 |                       policy:
2411 |                         description: Policy enables and configures the policy controller.
2412 |                           Enabled by default, set to nil to disable.
2413 |                         properties:
2414 |                           reconcilerPeriod:
2415 |                             description: 'ReconcilerPeriod is the period to perform
2416 |                               reconciliation with the Calico datastore. [Default:
2417 |                               5m]'
2418 |                             type: string
2419 |                         type: object
2420 |                       serviceAccount:
2421 |                         description: ServiceAccount enables and configures the service
2422 |                           account controller. Enabled by default, set to nil to disable.
2423 |                         properties:
2424 |                           reconcilerPeriod:
2425 |                             description: 'ReconcilerPeriod is the period to perform
2426 |                               reconciliation with the Calico datastore. [Default:
2427 |                               5m]'
2428 |                             type: string
2429 |                         type: object
2430 |                       workloadEndpoint:
2431 |                         description: WorkloadEndpoint enables and configures the workload
2432 |                           endpoint controller. Enabled by default, set to nil to disable.
2433 |                         properties:
2434 |                           reconcilerPeriod:
2435 |                             description: 'ReconcilerPeriod is the period to perform
2436 |                               reconciliation with the Calico datastore. [Default:
2437 |                               5m]'
2438 |                             type: string
2439 |                         type: object
2440 |                     type: object
2441 |                   etcdV3CompactionPeriod:
2442 |                     description: 'EtcdV3CompactionPeriod is the period between etcdv3
2443 |                       compaction requests. Set to 0 to disable. [Default: 10m]'
2444 |                     type: string
2445 |                   healthChecks:
2446 |                     description: 'HealthChecks enables or disables support for health
2447 |                       checks [Default: Enabled]'
2448 |                     type: string
2449 |                   logSeverityScreen:
2450 |                     description: 'LogSeverityScreen is the log severity above which
2451 |                       logs are sent to the stdout. [Default: Info]'
2452 |                     type: string
2453 |                 required:
2454 |                 - controllers
2455 |                 type: object
2456 |             type: object
2457 |         type: object
2458 |     served: true
2459 |     storage: true
2460 | status:
2461 |   acceptedNames:
2462 |     kind: ""
2463 |     plural: ""
2464 |   conditions: []
2465 |   storedVersions: []
2466 | 
2467 | ---
2468 | 
2469 | ---
2470 | apiVersion: apiextensions.k8s.io/v1
2471 | kind: CustomResourceDefinition
2472 | metadata:
2473 |   annotations:
2474 |     controller-gen.kubebuilder.io/version: (devel)
2475 |   creationTimestamp: null
2476 |   name: networkpolicies.crd.projectcalico.org
2477 | spec:
2478 |   group: crd.projectcalico.org
2479 |   names:
2480 |     kind: NetworkPolicy
2481 |     listKind: NetworkPolicyList
2482 |     plural: networkpolicies
2483 |     singular: networkpolicy
2484 |   scope: Namespaced
2485 |   versions:
2486 |   - name: v1
2487 |     schema:
2488 |       openAPIV3Schema:
2489 |         properties:
2490 |           apiVersion:
2491 |             description: 'APIVersion defines the versioned schema of this representation
2492 |               of an object. Servers should convert recognized schemas to the latest
2493 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2494 |             type: string
2495 |           kind:
2496 |             description: 'Kind is a string value representing the REST resource this
2497 |               object represents. Servers may infer this from the endpoint the client
2498 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2499 |             type: string
2500 |           metadata:
2501 |             type: object
2502 |           spec:
2503 |             properties:
2504 |               egress:
2505 |                 description: The ordered set of egress rules.  Each rule contains
2506 |                   a set of packet match criteria and a corresponding action to apply.
2507 |                 items:
2508 |                   description: "A Rule encapsulates a set of match criteria and an
2509 |                     action.  Both selector-based security Policy and security Profiles
2510 |                     reference rules - separated out as a list of rules for both ingress
2511 |                     and egress packet matching. \n Each positive match criteria has
2512 |                     a negated version, prefixed with ”Not”. All the match criteria
2513 |                     within a rule must be satisfied for a packet to match. A single
2514 |                     rule can contain the positive and negative version of a match
2515 |                     and both must be satisfied for the rule to match."
2516 |                   properties:
2517 |                     action:
2518 |                       type: string
2519 |                     destination:
2520 |                       description: Destination contains the match criteria that apply
2521 |                         to destination entity.
2522 |                       properties:
2523 |                         namespaceSelector:
2524 |                           description: "NamespaceSelector is an optional field that
2525 |                             contains a selector expression. Only traffic that originates
2526 |                             from (or terminates at) endpoints within the selected
2527 |                             namespaces will be matched. When both NamespaceSelector
2528 |                             and Selector are defined on the same rule, then only workload
2529 |                             endpoints that are matched by both selectors will be selected
2530 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2531 |                             implies that the Selector is limited to selecting only
2532 |                             workload endpoints in the same namespace as the NetworkPolicy.
2533 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
2534 |                             that the Selector is limited to selecting only GlobalNetworkSet
2535 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2536 |                             NamespaceSelector implies the Selector applies to workload
2537 |                             endpoints across all namespaces."
2538 |                           type: string
2539 |                         nets:
2540 |                           description: Nets is an optional field that restricts the
2541 |                             rule to only apply to traffic that originates from (or
2542 |                             terminates at) IP addresses in any of the given subnets.
2543 |                           items:
2544 |                             type: string
2545 |                           type: array
2546 |                         notNets:
2547 |                           description: NotNets is the negated version of the Nets
2548 |                             field.
2549 |                           items:
2550 |                             type: string
2551 |                           type: array
2552 |                         notPorts:
2553 |                           description: NotPorts is the negated version of the Ports
2554 |                             field. Since only some protocols have ports, if any ports
2555 |                             are specified it requires the Protocol match in the Rule
2556 |                             to be set to "TCP" or "UDP".
2557 |                           items:
2558 |                             anyOf:
2559 |                             - type: integer
2560 |                             - type: string
2561 |                             pattern: ^.*
2562 |                             x-kubernetes-int-or-string: true
2563 |                           type: array
2564 |                         notSelector:
2565 |                           description: NotSelector is the negated version of the Selector
2566 |                             field.  See Selector field for subtleties with negated
2567 |                             selectors.
2568 |                           type: string
2569 |                         ports:
2570 |                           description: "Ports is an optional field that restricts
2571 |                             the rule to only apply to traffic that has a source (destination)
2572 |                             port that matches one of these ranges/values. This value
2573 |                             is a list of integers or strings that represent ranges
2574 |                             of ports. \n Since only some protocols have ports, if
2575 |                             any ports are specified it requires the Protocol match
2576 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
2577 |                           items:
2578 |                             anyOf:
2579 |                             - type: integer
2580 |                             - type: string
2581 |                             pattern: ^.*
2582 |                             x-kubernetes-int-or-string: true
2583 |                           type: array
2584 |                         selector:
2585 |                           description: "Selector is an optional field that contains
2586 |                             a selector expression (see Policy for sample syntax).
2587 |                             \ Only traffic that originates from (terminates at) endpoints
2588 |                             matching the selector will be matched. \n Note that: in
2589 |                             addition to the negated version of the Selector (see NotSelector
2590 |                             below), the selector expression syntax itself supports
2591 |                             negation.  The two types of negation are subtly different.
2592 |                             One negates the set of matched endpoints, the other negates
2593 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
2594 |                             packets that are from other Calico-controlled \tendpoints
2595 |                             that do not have the label “my_label”. \n \tNotSelector
2596 |                             = \"has(my_label)\" matches packets that are not from
2597 |                             Calico-controlled \tendpoints that do have the label “my_label”.
2598 |                             \n The effect is that the latter will accept packets from
2599 |                             non-Calico sources whereas the former is limited to packets
2600 |                             from Calico-controlled endpoints."
2601 |                           type: string
2602 |                         serviceAccounts:
2603 |                           description: ServiceAccounts is an optional field that restricts
2604 |                             the rule to only apply to traffic that originates from
2605 |                             (or terminates at) a pod running as a matching service
2606 |                             account.
2607 |                           properties:
2608 |                             names:
2609 |                               description: Names is an optional field that restricts
2610 |                                 the rule to only apply to traffic that originates
2611 |                                 from (or terminates at) a pod running as a service
2612 |                                 account whose name is in the list.
2613 |                               items:
2614 |                                 type: string
2615 |                               type: array
2616 |                             selector:
2617 |                               description: Selector is an optional field that restricts
2618 |                                 the rule to only apply to traffic that originates
2619 |                                 from (or terminates at) a pod running as a service
2620 |                                 account that matches the given label selector. If
2621 |                                 both Names and Selector are specified then they are
2622 |                                 AND'ed.
2623 |                               type: string
2624 |                           type: object
2625 |                       type: object
2626 |                     http:
2627 |                       description: HTTP contains match criteria that apply to HTTP
2628 |                         requests.
2629 |                       properties:
2630 |                         methods:
2631 |                           description: Methods is an optional field that restricts
2632 |                             the rule to apply only to HTTP requests that use one of
2633 |                             the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2634 |                             methods are OR'd together.
2635 |                           items:
2636 |                             type: string
2637 |                           type: array
2638 |                         paths:
2639 |                           description: 'Paths is an optional field that restricts
2640 |                             the rule to apply to HTTP requests that use one of the
2641 |                             listed HTTP Paths. Multiple paths are OR''d together.
2642 |                             e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2643 |                             ONLY specify either a `exact` or a `prefix` match. The
2644 |                             validator will check for it.'
2645 |                           items:
2646 |                             description: 'HTTPPath specifies an HTTP path to match.
2647 |                               It may be either of the form: exact: <path>: which matches
2648 |                               the path exactly or prefix: <path-prefix>: which matches
2649 |                               the path prefix'
2650 |                             properties:
2651 |                               exact:
2652 |                                 type: string
2653 |                               prefix:
2654 |                                 type: string
2655 |                             type: object
2656 |                           type: array
2657 |                       type: object
2658 |                     icmp:
2659 |                       description: ICMP is an optional field that restricts the rule
2660 |                         to apply to a specific type and code of ICMP traffic.  This
2661 |                         should only be specified if the Protocol field is set to "ICMP"
2662 |                         or "ICMPv6".
2663 |                       properties:
2664 |                         code:
2665 |                           description: Match on a specific ICMP code.  If specified,
2666 |                             the Type value must also be specified. This is a technical
2667 |                             limitation imposed by the kernel’s iptables firewall,
2668 |                             which Calico uses to enforce the rule.
2669 |                           type: integer
2670 |                         type:
2671 |                           description: Match on a specific ICMP type.  For example
2672 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
2673 |                           type: integer
2674 |                       type: object
2675 |                     ipVersion:
2676 |                       description: IPVersion is an optional field that restricts the
2677 |                         rule to only match a specific IP version.
2678 |                       type: integer
2679 |                     metadata:
2680 |                       description: Metadata contains additional information for this
2681 |                         rule
2682 |                       properties:
2683 |                         annotations:
2684 |                           additionalProperties:
2685 |                             type: string
2686 |                           description: Annotations is a set of key value pairs that
2687 |                             give extra information about the rule
2688 |                           type: object
2689 |                       type: object
2690 |                     notICMP:
2691 |                       description: NotICMP is the negated version of the ICMP field.
2692 |                       properties:
2693 |                         code:
2694 |                           description: Match on a specific ICMP code.  If specified,
2695 |                             the Type value must also be specified. This is a technical
2696 |                             limitation imposed by the kernel’s iptables firewall,
2697 |                             which Calico uses to enforce the rule.
2698 |                           type: integer
2699 |                         type:
2700 |                           description: Match on a specific ICMP type.  For example
2701 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
2702 |                           type: integer
2703 |                       type: object
2704 |                     notProtocol:
2705 |                       anyOf:
2706 |                       - type: integer
2707 |                       - type: string
2708 |                       description: NotProtocol is the negated version of the Protocol
2709 |                         field.
2710 |                       pattern: ^.*
2711 |                       x-kubernetes-int-or-string: true
2712 |                     protocol:
2713 |                       anyOf:
2714 |                       - type: integer
2715 |                       - type: string
2716 |                       description: "Protocol is an optional field that restricts the
2717 |                         rule to only apply to traffic of a specific IP protocol. Required
2718 |                         if any of the EntityRules contain Ports (because ports only
2719 |                         apply to certain protocols). \n Must be one of these string
2720 |                         values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
2721 |                         \"UDPLite\" or an integer in the range 1-255."
2722 |                       pattern: ^.*
2723 |                       x-kubernetes-int-or-string: true
2724 |                     source:
2725 |                       description: Source contains the match criteria that apply to
2726 |                         source entity.
2727 |                       properties:
2728 |                         namespaceSelector:
2729 |                           description: "NamespaceSelector is an optional field that
2730 |                             contains a selector expression. Only traffic that originates
2731 |                             from (or terminates at) endpoints within the selected
2732 |                             namespaces will be matched. When both NamespaceSelector
2733 |                             and Selector are defined on the same rule, then only workload
2734 |                             endpoints that are matched by both selectors will be selected
2735 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2736 |                             implies that the Selector is limited to selecting only
2737 |                             workload endpoints in the same namespace as the NetworkPolicy.
2738 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
2739 |                             that the Selector is limited to selecting only GlobalNetworkSet
2740 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2741 |                             NamespaceSelector implies the Selector applies to workload
2742 |                             endpoints across all namespaces."
2743 |                           type: string
2744 |                         nets:
2745 |                           description: Nets is an optional field that restricts the
2746 |                             rule to only apply to traffic that originates from (or
2747 |                             terminates at) IP addresses in any of the given subnets.
2748 |                           items:
2749 |                             type: string
2750 |                           type: array
2751 |                         notNets:
2752 |                           description: NotNets is the negated version of the Nets
2753 |                             field.
2754 |                           items:
2755 |                             type: string
2756 |                           type: array
2757 |                         notPorts:
2758 |                           description: NotPorts is the negated version of the Ports
2759 |                             field. Since only some protocols have ports, if any ports
2760 |                             are specified it requires the Protocol match in the Rule
2761 |                             to be set to "TCP" or "UDP".
2762 |                           items:
2763 |                             anyOf:
2764 |                             - type: integer
2765 |                             - type: string
2766 |                             pattern: ^.*
2767 |                             x-kubernetes-int-or-string: true
2768 |                           type: array
2769 |                         notSelector:
2770 |                           description: NotSelector is the negated version of the Selector
2771 |                             field.  See Selector field for subtleties with negated
2772 |                             selectors.
2773 |                           type: string
2774 |                         ports:
2775 |                           description: "Ports is an optional field that restricts
2776 |                             the rule to only apply to traffic that has a source (destination)
2777 |                             port that matches one of these ranges/values. This value
2778 |                             is a list of integers or strings that represent ranges
2779 |                             of ports. \n Since only some protocols have ports, if
2780 |                             any ports are specified it requires the Protocol match
2781 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
2782 |                           items:
2783 |                             anyOf:
2784 |                             - type: integer
2785 |                             - type: string
2786 |                             pattern: ^.*
2787 |                             x-kubernetes-int-or-string: true
2788 |                           type: array
2789 |                         selector:
2790 |                           description: "Selector is an optional field that contains
2791 |                             a selector expression (see Policy for sample syntax).
2792 |                             \ Only traffic that originates from (terminates at) endpoints
2793 |                             matching the selector will be matched. \n Note that: in
2794 |                             addition to the negated version of the Selector (see NotSelector
2795 |                             below), the selector expression syntax itself supports
2796 |                             negation.  The two types of negation are subtly different.
2797 |                             One negates the set of matched endpoints, the other negates
2798 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
2799 |                             packets that are from other Calico-controlled \tendpoints
2800 |                             that do not have the label “my_label”. \n \tNotSelector
2801 |                             = \"has(my_label)\" matches packets that are not from
2802 |                             Calico-controlled \tendpoints that do have the label “my_label”.
2803 |                             \n The effect is that the latter will accept packets from
2804 |                             non-Calico sources whereas the former is limited to packets
2805 |                             from Calico-controlled endpoints."
2806 |                           type: string
2807 |                         serviceAccounts:
2808 |                           description: ServiceAccounts is an optional field that restricts
2809 |                             the rule to only apply to traffic that originates from
2810 |                             (or terminates at) a pod running as a matching service
2811 |                             account.
2812 |                           properties:
2813 |                             names:
2814 |                               description: Names is an optional field that restricts
2815 |                                 the rule to only apply to traffic that originates
2816 |                                 from (or terminates at) a pod running as a service
2817 |                                 account whose name is in the list.
2818 |                               items:
2819 |                                 type: string
2820 |                               type: array
2821 |                             selector:
2822 |                               description: Selector is an optional field that restricts
2823 |                                 the rule to only apply to traffic that originates
2824 |                                 from (or terminates at) a pod running as a service
2825 |                                 account that matches the given label selector. If
2826 |                                 both Names and Selector are specified then they are
2827 |                                 AND'ed.
2828 |                               type: string
2829 |                           type: object
2830 |                       type: object
2831 |                   required:
2832 |                   - action
2833 |                   type: object
2834 |                 type: array
2835 |               ingress:
2836 |                 description: The ordered set of ingress rules.  Each rule contains
2837 |                   a set of packet match criteria and a corresponding action to apply.
2838 |                 items:
2839 |                   description: "A Rule encapsulates a set of match criteria and an
2840 |                     action.  Both selector-based security Policy and security Profiles
2841 |                     reference rules - separated out as a list of rules for both ingress
2842 |                     and egress packet matching. \n Each positive match criteria has
2843 |                     a negated version, prefixed with ”Not”. All the match criteria
2844 |                     within a rule must be satisfied for a packet to match. A single
2845 |                     rule can contain the positive and negative version of a match
2846 |                     and both must be satisfied for the rule to match."
2847 |                   properties:
2848 |                     action:
2849 |                       type: string
2850 |                     destination:
2851 |                       description: Destination contains the match criteria that apply
2852 |                         to destination entity.
2853 |                       properties:
2854 |                         namespaceSelector:
2855 |                           description: "NamespaceSelector is an optional field that
2856 |                             contains a selector expression. Only traffic that originates
2857 |                             from (or terminates at) endpoints within the selected
2858 |                             namespaces will be matched. When both NamespaceSelector
2859 |                             and Selector are defined on the same rule, then only workload
2860 |                             endpoints that are matched by both selectors will be selected
2861 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
2862 |                             implies that the Selector is limited to selecting only
2863 |                             workload endpoints in the same namespace as the NetworkPolicy.
2864 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
2865 |                             that the Selector is limited to selecting only GlobalNetworkSet
2866 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
2867 |                             NamespaceSelector implies the Selector applies to workload
2868 |                             endpoints across all namespaces."
2869 |                           type: string
2870 |                         nets:
2871 |                           description: Nets is an optional field that restricts the
2872 |                             rule to only apply to traffic that originates from (or
2873 |                             terminates at) IP addresses in any of the given subnets.
2874 |                           items:
2875 |                             type: string
2876 |                           type: array
2877 |                         notNets:
2878 |                           description: NotNets is the negated version of the Nets
2879 |                             field.
2880 |                           items:
2881 |                             type: string
2882 |                           type: array
2883 |                         notPorts:
2884 |                           description: NotPorts is the negated version of the Ports
2885 |                             field. Since only some protocols have ports, if any ports
2886 |                             are specified it requires the Protocol match in the Rule
2887 |                             to be set to "TCP" or "UDP".
2888 |                           items:
2889 |                             anyOf:
2890 |                             - type: integer
2891 |                             - type: string
2892 |                             pattern: ^.*
2893 |                             x-kubernetes-int-or-string: true
2894 |                           type: array
2895 |                         notSelector:
2896 |                           description: NotSelector is the negated version of the Selector
2897 |                             field.  See Selector field for subtleties with negated
2898 |                             selectors.
2899 |                           type: string
2900 |                         ports:
2901 |                           description: "Ports is an optional field that restricts
2902 |                             the rule to only apply to traffic that has a source (destination)
2903 |                             port that matches one of these ranges/values. This value
2904 |                             is a list of integers or strings that represent ranges
2905 |                             of ports. \n Since only some protocols have ports, if
2906 |                             any ports are specified it requires the Protocol match
2907 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
2908 |                           items:
2909 |                             anyOf:
2910 |                             - type: integer
2911 |                             - type: string
2912 |                             pattern: ^.*
2913 |                             x-kubernetes-int-or-string: true
2914 |                           type: array
2915 |                         selector:
2916 |                           description: "Selector is an optional field that contains
2917 |                             a selector expression (see Policy for sample syntax).
2918 |                             \ Only traffic that originates from (terminates at) endpoints
2919 |                             matching the selector will be matched. \n Note that: in
2920 |                             addition to the negated version of the Selector (see NotSelector
2921 |                             below), the selector expression syntax itself supports
2922 |                             negation.  The two types of negation are subtly different.
2923 |                             One negates the set of matched endpoints, the other negates
2924 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
2925 |                             packets that are from other Calico-controlled \tendpoints
2926 |                             that do not have the label “my_label”. \n \tNotSelector
2927 |                             = \"has(my_label)\" matches packets that are not from
2928 |                             Calico-controlled \tendpoints that do have the label “my_label”.
2929 |                             \n The effect is that the latter will accept packets from
2930 |                             non-Calico sources whereas the former is limited to packets
2931 |                             from Calico-controlled endpoints."
2932 |                           type: string
2933 |                         serviceAccounts:
2934 |                           description: ServiceAccounts is an optional field that restricts
2935 |                             the rule to only apply to traffic that originates from
2936 |                             (or terminates at) a pod running as a matching service
2937 |                             account.
2938 |                           properties:
2939 |                             names:
2940 |                               description: Names is an optional field that restricts
2941 |                                 the rule to only apply to traffic that originates
2942 |                                 from (or terminates at) a pod running as a service
2943 |                                 account whose name is in the list.
2944 |                               items:
2945 |                                 type: string
2946 |                               type: array
2947 |                             selector:
2948 |                               description: Selector is an optional field that restricts
2949 |                                 the rule to only apply to traffic that originates
2950 |                                 from (or terminates at) a pod running as a service
2951 |                                 account that matches the given label selector. If
2952 |                                 both Names and Selector are specified then they are
2953 |                                 AND'ed.
2954 |                               type: string
2955 |                           type: object
2956 |                       type: object
2957 |                     http:
2958 |                       description: HTTP contains match criteria that apply to HTTP
2959 |                         requests.
2960 |                       properties:
2961 |                         methods:
2962 |                           description: Methods is an optional field that restricts
2963 |                             the rule to apply only to HTTP requests that use one of
2964 |                             the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
2965 |                             methods are OR'd together.
2966 |                           items:
2967 |                             type: string
2968 |                           type: array
2969 |                         paths:
2970 |                           description: 'Paths is an optional field that restricts
2971 |                             the rule to apply to HTTP requests that use one of the
2972 |                             listed HTTP Paths. Multiple paths are OR''d together.
2973 |                             e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
2974 |                             ONLY specify either a `exact` or a `prefix` match. The
2975 |                             validator will check for it.'
2976 |                           items:
2977 |                             description: 'HTTPPath specifies an HTTP path to match.
2978 |                               It may be either of the form: exact: <path>: which matches
2979 |                               the path exactly or prefix: <path-prefix>: which matches
2980 |                               the path prefix'
2981 |                             properties:
2982 |                               exact:
2983 |                                 type: string
2984 |                               prefix:
2985 |                                 type: string
2986 |                             type: object
2987 |                           type: array
2988 |                       type: object
2989 |                     icmp:
2990 |                       description: ICMP is an optional field that restricts the rule
2991 |                         to apply to a specific type and code of ICMP traffic.  This
2992 |                         should only be specified if the Protocol field is set to "ICMP"
2993 |                         or "ICMPv6".
2994 |                       properties:
2995 |                         code:
2996 |                           description: Match on a specific ICMP code.  If specified,
2997 |                             the Type value must also be specified. This is a technical
2998 |                             limitation imposed by the kernel’s iptables firewall,
2999 |                             which Calico uses to enforce the rule.
3000 |                           type: integer
3001 |                         type:
3002 |                           description: Match on a specific ICMP type.  For example
3003 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
3004 |                           type: integer
3005 |                       type: object
3006 |                     ipVersion:
3007 |                       description: IPVersion is an optional field that restricts the
3008 |                         rule to only match a specific IP version.
3009 |                       type: integer
3010 |                     metadata:
3011 |                       description: Metadata contains additional information for this
3012 |                         rule
3013 |                       properties:
3014 |                         annotations:
3015 |                           additionalProperties:
3016 |                             type: string
3017 |                           description: Annotations is a set of key value pairs that
3018 |                             give extra information about the rule
3019 |                           type: object
3020 |                       type: object
3021 |                     notICMP:
3022 |                       description: NotICMP is the negated version of the ICMP field.
3023 |                       properties:
3024 |                         code:
3025 |                           description: Match on a specific ICMP code.  If specified,
3026 |                             the Type value must also be specified. This is a technical
3027 |                             limitation imposed by the kernel’s iptables firewall,
3028 |                             which Calico uses to enforce the rule.
3029 |                           type: integer
3030 |                         type:
3031 |                           description: Match on a specific ICMP type.  For example
3032 |                             a value of 8 refers to ICMP Echo Request (i.e. pings).
3033 |                           type: integer
3034 |                       type: object
3035 |                     notProtocol:
3036 |                       anyOf:
3037 |                       - type: integer
3038 |                       - type: string
3039 |                       description: NotProtocol is the negated version of the Protocol
3040 |                         field.
3041 |                       pattern: ^.*
3042 |                       x-kubernetes-int-or-string: true
3043 |                     protocol:
3044 |                       anyOf:
3045 |                       - type: integer
3046 |                       - type: string
3047 |                       description: "Protocol is an optional field that restricts the
3048 |                         rule to only apply to traffic of a specific IP protocol. Required
3049 |                         if any of the EntityRules contain Ports (because ports only
3050 |                         apply to certain protocols). \n Must be one of these string
3051 |                         values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
3052 |                         \"UDPLite\" or an integer in the range 1-255."
3053 |                       pattern: ^.*
3054 |                       x-kubernetes-int-or-string: true
3055 |                     source:
3056 |                       description: Source contains the match criteria that apply to
3057 |                         source entity.
3058 |                       properties:
3059 |                         namespaceSelector:
3060 |                           description: "NamespaceSelector is an optional field that
3061 |                             contains a selector expression. Only traffic that originates
3062 |                             from (or terminates at) endpoints within the selected
3063 |                             namespaces will be matched. When both NamespaceSelector
3064 |                             and Selector are defined on the same rule, then only workload
3065 |                             endpoints that are matched by both selectors will be selected
3066 |                             by the rule. \n For NetworkPolicy, an empty NamespaceSelector
3067 |                             implies that the Selector is limited to selecting only
3068 |                             workload endpoints in the same namespace as the NetworkPolicy.
3069 |                             \n For NetworkPolicy, `global()` NamespaceSelector implies
3070 |                             that the Selector is limited to selecting only GlobalNetworkSet
3071 |                             or HostEndpoint. \n For GlobalNetworkPolicy, an empty
3072 |                             NamespaceSelector implies the Selector applies to workload
3073 |                             endpoints across all namespaces."
3074 |                           type: string
3075 |                         nets:
3076 |                           description: Nets is an optional field that restricts the
3077 |                             rule to only apply to traffic that originates from (or
3078 |                             terminates at) IP addresses in any of the given subnets.
3079 |                           items:
3080 |                             type: string
3081 |                           type: array
3082 |                         notNets:
3083 |                           description: NotNets is the negated version of the Nets
3084 |                             field.
3085 |                           items:
3086 |                             type: string
3087 |                           type: array
3088 |                         notPorts:
3089 |                           description: NotPorts is the negated version of the Ports
3090 |                             field. Since only some protocols have ports, if any ports
3091 |                             are specified it requires the Protocol match in the Rule
3092 |                             to be set to "TCP" or "UDP".
3093 |                           items:
3094 |                             anyOf:
3095 |                             - type: integer
3096 |                             - type: string
3097 |                             pattern: ^.*
3098 |                             x-kubernetes-int-or-string: true
3099 |                           type: array
3100 |                         notSelector:
3101 |                           description: NotSelector is the negated version of the Selector
3102 |                             field.  See Selector field for subtleties with negated
3103 |                             selectors.
3104 |                           type: string
3105 |                         ports:
3106 |                           description: "Ports is an optional field that restricts
3107 |                             the rule to only apply to traffic that has a source (destination)
3108 |                             port that matches one of these ranges/values. This value
3109 |                             is a list of integers or strings that represent ranges
3110 |                             of ports. \n Since only some protocols have ports, if
3111 |                             any ports are specified it requires the Protocol match
3112 |                             in the Rule to be set to \"TCP\" or \"UDP\"."
3113 |                           items:
3114 |                             anyOf:
3115 |                             - type: integer
3116 |                             - type: string
3117 |                             pattern: ^.*
3118 |                             x-kubernetes-int-or-string: true
3119 |                           type: array
3120 |                         selector:
3121 |                           description: "Selector is an optional field that contains
3122 |                             a selector expression (see Policy for sample syntax).
3123 |                             \ Only traffic that originates from (terminates at) endpoints
3124 |                             matching the selector will be matched. \n Note that: in
3125 |                             addition to the negated version of the Selector (see NotSelector
3126 |                             below), the selector expression syntax itself supports
3127 |                             negation.  The two types of negation are subtly different.
3128 |                             One negates the set of matched endpoints, the other negates
3129 |                             the whole match: \n \tSelector = \"!has(my_label)\" matches
3130 |                             packets that are from other Calico-controlled \tendpoints
3131 |                             that do not have the label “my_label”. \n \tNotSelector
3132 |                             = \"has(my_label)\" matches packets that are not from
3133 |                             Calico-controlled \tendpoints that do have the label “my_label”.
3134 |                             \n The effect is that the latter will accept packets from
3135 |                             non-Calico sources whereas the former is limited to packets
3136 |                             from Calico-controlled endpoints."
3137 |                           type: string
3138 |                         serviceAccounts:
3139 |                           description: ServiceAccounts is an optional field that restricts
3140 |                             the rule to only apply to traffic that originates from
3141 |                             (or terminates at) a pod running as a matching service
3142 |                             account.
3143 |                           properties:
3144 |                             names:
3145 |                               description: Names is an optional field that restricts
3146 |                                 the rule to only apply to traffic that originates
3147 |                                 from (or terminates at) a pod running as a service
3148 |                                 account whose name is in the list.
3149 |                               items:
3150 |                                 type: string
3151 |                               type: array
3152 |                             selector:
3153 |                               description: Selector is an optional field that restricts
3154 |                                 the rule to only apply to traffic that originates
3155 |                                 from (or terminates at) a pod running as a service
3156 |                                 account that matches the given label selector. If
3157 |                                 both Names and Selector are specified then they are
3158 |                                 AND'ed.
3159 |                               type: string
3160 |                           type: object
3161 |                       type: object
3162 |                   required:
3163 |                   - action
3164 |                   type: object
3165 |                 type: array
3166 |               order:
3167 |                 description: Order is an optional field that specifies the order in
3168 |                   which the policy is applied. Policies with higher "order" are applied
3169 |                   after those with lower order.  If the order is omitted, it may be
3170 |                   considered to be "infinite" - i.e. the policy will be applied last.  Policies
3171 |                   with identical order will be applied in alphanumerical order based
3172 |                   on the Policy "Name".
3173 |                 type: number
3174 |               selector:
3175 |                 description: "The selector is an expression used to pick pick out
3176 |                   the endpoints that the policy should be applied to. \n Selector
3177 |                   expressions follow this syntax: \n \tlabel == \"string_literal\"
3178 |                   \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
3179 |                   \  ->  not equal; also matches if label is not present \tlabel in
3180 |                   { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
3181 |                   one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
3182 |                   ... }  ->  true if the value of label X is not one of \"a\", \"b\",
3183 |                   \"c\" \thas(label_name)  -> True if that label is present \t! expr
3184 |                   -> negation of expr \texpr && expr  -> Short-circuit and \texpr
3185 |                   || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
3186 |                   or the empty selector -> matches all endpoints. \n Label names are
3187 |                   allowed to contain alphanumerics, -, _ and /. String literals are
3188 |                   more permissive but they do not support escape characters. \n Examples
3189 |                   (with made-up labels): \n \ttype == \"webserver\" && deployment
3190 |                   == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
3191 |                   \"dev\" \t! has(label_name)"
3192 |                 type: string
3193 |               serviceAccountSelector:
3194 |                 description: ServiceAccountSelector is an optional field for an expression
3195 |                   used to select a pod based on service accounts.
3196 |                 type: string
3197 |               types:
3198 |                 description: "Types indicates whether this policy applies to ingress,
3199 |                   or to egress, or to both.  When not explicitly specified (and so
3200 |                   the value on creation is empty or nil), Calico defaults Types according
3201 |                   to what Ingress and Egress are present in the policy.  The default
3202 |                   is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
3203 |                   the case where there are   also no Ingress rules) \n - [ PolicyTypeEgress
3204 |                   ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
3205 |                   PolicyTypeEgress ], if there are both Ingress and Egress rules.
3206 |                   \n When the policy is read back again, Types will always be one
3207 |                   of these values, never empty or nil."
3208 |                 items:
3209 |                   description: PolicyType enumerates the possible values of the PolicySpec
3210 |                     Types field.
3211 |                   type: string
3212 |                 type: array
3213 |             type: object
3214 |         type: object
3215 |     served: true
3216 |     storage: true
3217 | status:
3218 |   acceptedNames:
3219 |     kind: ""
3220 |     plural: ""
3221 |   conditions: []
3222 |   storedVersions: []
3223 | 
3224 | ---
3225 | 
3226 | ---
3227 | apiVersion: apiextensions.k8s.io/v1
3228 | kind: CustomResourceDefinition
3229 | metadata:
3230 |   annotations:
3231 |     controller-gen.kubebuilder.io/version: (devel)
3232 |   creationTimestamp: null
3233 |   name: networksets.crd.projectcalico.org
3234 | spec:
3235 |   group: crd.projectcalico.org
3236 |   names:
3237 |     kind: NetworkSet
3238 |     listKind: NetworkSetList
3239 |     plural: networksets
3240 |     singular: networkset
3241 |   scope: Namespaced
3242 |   versions:
3243 |   - name: v1
3244 |     schema:
3245 |       openAPIV3Schema:
3246 |         description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
3247 |         properties:
3248 |           apiVersion:
3249 |             description: 'APIVersion defines the versioned schema of this representation
3250 |               of an object. Servers should convert recognized schemas to the latest
3251 |               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
3252 |             type: string
3253 |           kind:
3254 |             description: 'Kind is a string value representing the REST resource this
3255 |               object represents. Servers may infer this from the endpoint the client
3256 |               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
3257 |             type: string
3258 |           metadata:
3259 |             type: object
3260 |           spec:
3261 |             description: NetworkSetSpec contains the specification for a NetworkSet
3262 |               resource.
3263 |             properties:
3264 |               nets:
3265 |                 description: The list of IP networks that belong to this set.
3266 |                 items:
3267 |                   type: string
3268 |                 type: array
3269 |             type: object
3270 |         type: object
3271 |     served: true
3272 |     storage: true
3273 | status:
3274 |   acceptedNames:
3275 |     kind: ""
3276 |     plural: ""
3277 |   conditions: []
3278 |   storedVersions: []
3279 | 
3280 | ---
3281 | ---
3282 | # Source: calico/templates/calico-kube-controllers-rbac.yaml
3283 | 
3284 | # Include a clusterrole for the kube-controllers component,
3285 | # and bind it to the calico-kube-controllers serviceaccount.
3286 | kind: ClusterRole
3287 | apiVersion: rbac.authorization.k8s.io/v1
3288 | metadata:
3289 |   name: calico-kube-controllers
3290 | rules:
3291 |   # Nodes are watched to monitor for deletions.
3292 |   - apiGroups: [""]
3293 |     resources:
3294 |       - nodes
3295 |     verbs:
3296 |       - watch
3297 |       - list
3298 |       - get
3299 |   # Pods are queried to check for existence.
3300 |   - apiGroups: [""]
3301 |     resources:
3302 |       - pods
3303 |     verbs:
3304 |       - get
3305 |   # IPAM resources are manipulated when nodes are deleted.
3306 |   - apiGroups: ["crd.projectcalico.org"]
3307 |     resources:
3308 |       - ippools
3309 |     verbs:
3310 |       - list
3311 |   - apiGroups: ["crd.projectcalico.org"]
3312 |     resources:
3313 |       - blockaffinities
3314 |       - ipamblocks
3315 |       - ipamhandles
3316 |     verbs:
3317 |       - get
3318 |       - list
3319 |       - create
3320 |       - update
3321 |       - delete
3322 |   # kube-controllers manages hostendpoints.
3323 |   - apiGroups: ["crd.projectcalico.org"]
3324 |     resources:
3325 |       - hostendpoints
3326 |     verbs:
3327 |       - get
3328 |       - list
3329 |       - create
3330 |       - update
3331 |       - delete
3332 |   # Needs access to update clusterinformations.
3333 |   - apiGroups: ["crd.projectcalico.org"]
3334 |     resources:
3335 |       - clusterinformations
3336 |     verbs:
3337 |       - get
3338 |       - create
3339 |       - update
3340 |   # KubeControllersConfiguration is where it gets its config
3341 |   - apiGroups: ["crd.projectcalico.org"]
3342 |     resources:
3343 |       - kubecontrollersconfigurations
3344 |     verbs:
3345 |       # read its own config
3346 |       - get
3347 |       # create a default if none exists
3348 |       - create
3349 |       # update status
3350 |       - update
3351 |       # watch for changes
3352 |       - watch
3353 | ---
3354 | kind: ClusterRoleBinding
3355 | apiVersion: rbac.authorization.k8s.io/v1
3356 | metadata:
3357 |   name: calico-kube-controllers
3358 | roleRef:
3359 |   apiGroup: rbac.authorization.k8s.io
3360 |   kind: ClusterRole
3361 |   name: calico-kube-controllers
3362 | subjects:
3363 | - kind: ServiceAccount
3364 |   name: calico-kube-controllers
3365 |   namespace: kube-system
3366 | ---
3367 | 
3368 | ---
3369 | # Source: calico/templates/calico-node-rbac.yaml
3370 | # Include a clusterrole for the calico-node DaemonSet,
3371 | # and bind it to the calico-node serviceaccount.
3372 | kind: ClusterRole
3373 | apiVersion: rbac.authorization.k8s.io/v1
3374 | metadata:
3375 |   name: calico-node
3376 | rules:
3377 |   # The CNI plugin needs to get pods, nodes, and namespaces.
3378 |   - apiGroups: [""]
3379 |     resources:
3380 |       - pods
3381 |       - nodes
3382 |       - namespaces
3383 |     verbs:
3384 |       - get
3385 |   - apiGroups: [""]
3386 |     resources:
3387 |       - endpoints
3388 |       - services
3389 |     verbs:
3390 |       # Used to discover service IPs for advertisement.
3391 |       - watch
3392 |       - list
3393 |       # Used to discover Typhas.
3394 |       - get
3395 |   # Pod CIDR auto-detection on kubeadm needs access to config maps.
3396 |   - apiGroups: [""]
3397 |     resources:
3398 |       - configmaps
3399 |     verbs:
3400 |       - get
3401 |   - apiGroups: [""]
3402 |     resources:
3403 |       - nodes/status
3404 |     verbs:
3405 |       # Needed for clearing NodeNetworkUnavailable flag.
3406 |       - patch
3407 |       # Calico stores some configuration information in node annotations.
3408 |       - update
3409 |   # Watch for changes to Kubernetes NetworkPolicies.
3410 |   - apiGroups: ["networking.k8s.io"]
3411 |     resources:
3412 |       - networkpolicies
3413 |     verbs:
3414 |       - watch
3415 |       - list
3416 |   # Used by Calico for policy information.
3417 |   - apiGroups: [""]
3418 |     resources:
3419 |       - pods
3420 |       - namespaces
3421 |       - serviceaccounts
3422 |     verbs:
3423 |       - list
3424 |       - watch
3425 |   # The CNI plugin patches pods/status.
3426 |   - apiGroups: [""]
3427 |     resources:
3428 |       - pods/status
3429 |     verbs:
3430 |       - patch
3431 |   # Calico monitors various CRDs for config.
3432 |   - apiGroups: ["crd.projectcalico.org"]
3433 |     resources:
3434 |       - globalfelixconfigs
3435 |       - felixconfigurations
3436 |       - bgppeers
3437 |       - globalbgpconfigs
3438 |       - bgpconfigurations
3439 |       - ippools
3440 |       - ipamblocks
3441 |       - globalnetworkpolicies
3442 |       - globalnetworksets
3443 |       - networkpolicies
3444 |       - networksets
3445 |       - clusterinformations
3446 |       - hostendpoints
3447 |       - blockaffinities
3448 |     verbs:
3449 |       - get
3450 |       - list
3451 |       - watch
3452 |   # Calico must create and update some CRDs on startup.
3453 |   - apiGroups: ["crd.projectcalico.org"]
3454 |     resources:
3455 |       - ippools
3456 |       - felixconfigurations
3457 |       - clusterinformations
3458 |     verbs:
3459 |       - create
3460 |       - update
3461 |   # Calico stores some configuration information on the node.
3462 |   - apiGroups: [""]
3463 |     resources:
3464 |       - nodes
3465 |     verbs:
3466 |       - get
3467 |       - list
3468 |       - watch
3469 |   # These permissions are only required for upgrade from v2.6, and can
3470 |   # be removed after upgrade or on fresh installations.
3471 |   - apiGroups: ["crd.projectcalico.org"]
3472 |     resources:
3473 |       - bgpconfigurations
3474 |       - bgppeers
3475 |     verbs:
3476 |       - create
3477 |       - update
3478 |   # These permissions are required for Calico CNI to perform IPAM allocations.
3479 |   - apiGroups: ["crd.projectcalico.org"]
3480 |     resources:
3481 |       - blockaffinities
3482 |       - ipamblocks
3483 |       - ipamhandles
3484 |     verbs:
3485 |       - get
3486 |       - list
3487 |       - create
3488 |       - update
3489 |       - delete
3490 |   - apiGroups: ["crd.projectcalico.org"]
3491 |     resources:
3492 |       - ipamconfigs
3493 |     verbs:
3494 |       - get
3495 |   # Block affinities must also be watchable by confd for route aggregation.
3496 |   - apiGroups: ["crd.projectcalico.org"]
3497 |     resources:
3498 |       - blockaffinities
3499 |     verbs:
3500 |       - watch
3501 |   # The Calico IPAM migration needs to get daemonsets. These permissions can be
3502 |   # removed if not upgrading from an installation using host-local IPAM.
3503 |   - apiGroups: ["apps"]
3504 |     resources:
3505 |       - daemonsets
3506 |     verbs:
3507 |       - get
3508 | 
3509 | ---
3510 | apiVersion: rbac.authorization.k8s.io/v1
3511 | kind: ClusterRoleBinding
3512 | metadata:
3513 |   name: calico-node
3514 | roleRef:
3515 |   apiGroup: rbac.authorization.k8s.io
3516 |   kind: ClusterRole
3517 |   name: calico-node
3518 | subjects:
3519 | - kind: ServiceAccount
3520 |   name: calico-node
3521 |   namespace: kube-system
3522 | 
3523 | ---
3524 | # Source: calico/templates/calico-node.yaml
3525 | # This manifest installs the calico-node container, as well
3526 | # as the CNI plugins and network config on
3527 | # each master and worker node in a Kubernetes cluster.
3528 | kind: DaemonSet
3529 | apiVersion: apps/v1
3530 | metadata:
3531 |   name: calico-node
3532 |   namespace: kube-system
3533 |   labels:
3534 |     k8s-app: calico-node
3535 | spec:
3536 |   selector:
3537 |     matchLabels:
3538 |       k8s-app: calico-node
3539 |   updateStrategy:
3540 |     type: RollingUpdate
3541 |     rollingUpdate:
3542 |       maxUnavailable: 1
3543 |   template:
3544 |     metadata:
3545 |       labels:
3546 |         k8s-app: calico-node
3547 |     spec:
3548 |       nodeSelector:
3549 |         kubernetes.io/os: linux
3550 |       hostNetwork: true
3551 |       tolerations:
3552 |         # Make sure calico-node gets scheduled on all nodes.
3553 |         - effect: NoSchedule
3554 |           operator: Exists
3555 |         # Mark the pod as a critical add-on for rescheduling.
3556 |         - key: CriticalAddonsOnly
3557 |           operator: Exists
3558 |         - effect: NoExecute
3559 |           operator: Exists
3560 |       serviceAccountName: calico-node
3561 |       # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
3562 |       # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
3563 |       terminationGracePeriodSeconds: 0
3564 |       priorityClassName: system-node-critical
3565 |       initContainers:
3566 |         # This container performs upgrade from host-local IPAM to calico-ipam.
3567 |         # It can be deleted if this is a fresh installation, or if you have already
3568 |         # upgraded to use calico-ipam.
3569 |         - name: upgrade-ipam
3570 |           image: calico/cni:v3.16.4
3571 |           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
3572 |           envFrom:
3573 |           - configMapRef:
3574 |               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3575 |               name: kubernetes-services-endpoint
3576 |               optional: true
3577 |           env:
3578 |             - name: KUBERNETES_NODE_NAME
3579 |               valueFrom:
3580 |                 fieldRef:
3581 |                   fieldPath: spec.nodeName
3582 |             - name: CALICO_NETWORKING_BACKEND
3583 |               valueFrom:
3584 |                 configMapKeyRef:
3585 |                   name: calico-config
3586 |                   key: calico_backend
3587 |           volumeMounts:
3588 |             - mountPath: /var/lib/cni/networks
3589 |               name: host-local-net-dir
3590 |             - mountPath: /host/opt/cni/bin
3591 |               name: cni-bin-dir
3592 |           securityContext:
3593 |             privileged: true
3594 |         # This container installs the CNI binaries
3595 |         # and CNI network config file on each node.
3596 |         - name: install-cni
3597 |           image: calico/cni:v3.16.4
3598 |           command: ["/opt/cni/bin/install"]
3599 |           envFrom:
3600 |           - configMapRef:
3601 |               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3602 |               name: kubernetes-services-endpoint
3603 |               optional: true
3604 |           env:
3605 |             # Name of the CNI config file to create.
3606 |             - name: CNI_CONF_NAME
3607 |               value: "10-calico.conflist"
3608 |             # The CNI network config to install on each node.
3609 |             - name: CNI_NETWORK_CONFIG
3610 |               valueFrom:
3611 |                 configMapKeyRef:
3612 |                   name: calico-config
3613 |                   key: cni_network_config
3614 |             # Set the hostname based on the k8s node name.
3615 |             - name: KUBERNETES_NODE_NAME
3616 |               valueFrom:
3617 |                 fieldRef:
3618 |                   fieldPath: spec.nodeName
3619 |             # CNI MTU Config variable
3620 |             - name: CNI_MTU
3621 |               valueFrom:
3622 |                 configMapKeyRef:
3623 |                   name: calico-config
3624 |                   key: veth_mtu
3625 |             # Prevents the container from sleeping forever.
3626 |             - name: SLEEP
3627 |               value: "false"
3628 |           volumeMounts:
3629 |             - mountPath: /host/opt/cni/bin
3630 |               name: cni-bin-dir
3631 |             - mountPath: /host/etc/cni/net.d
3632 |               name: cni-net-dir
3633 |           securityContext:
3634 |             privileged: true
3635 |         # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
3636 |         # to communicate with Felix over the Policy Sync API.
3637 |         - name: flexvol-driver
3638 |           image: calico/pod2daemon-flexvol:v3.16.4
3639 |           volumeMounts:
3640 |           - name: flexvol-driver-host
3641 |             mountPath: /host/driver
3642 |           securityContext:
3643 |             privileged: true
3644 |       containers:
3645 |         # Runs calico-node container on each Kubernetes node. This
3646 |         # container programs network policy and routes on each
3647 |         # host.
3648 |         - name: calico-node
3649 |           image: calico/node:v3.16.4
3650 |           envFrom:
3651 |           - configMapRef:
3652 |               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
3653 |               name: kubernetes-services-endpoint
3654 |               optional: true
3655 |           env:
3656 |             # Use Kubernetes API as the backing datastore.
3657 |             - name: DATASTORE_TYPE
3658 |               value: "kubernetes"
3659 |             # Wait for the datastore.
3660 |             - name: WAIT_FOR_DATASTORE
3661 |               value: "true"
3662 |             # Set based on the k8s node name.
3663 |             - name: NODENAME
3664 |               valueFrom:
3665 |                 fieldRef:
3666 |                   fieldPath: spec.nodeName
3667 |             # Choose the backend to use.
3668 |             - name: CALICO_NETWORKING_BACKEND
3669 |               valueFrom:
3670 |                 configMapKeyRef:
3671 |                   name: calico-config
3672 |                   key: calico_backend
3673 |             # Cluster type to identify the deployment type
3674 |             - name: CLUSTER_TYPE
3675 |               value: "k8s,bgp"
3676 |             # Auto-detect the BGP IP address.
3677 |             - name: IP
3678 |               value: "autodetect"
3679 |             # Enable IPIP
3680 |             - name: CALICO_IPV4POOL_IPIP
3681 |               value: "Always"
3682 |             # Enable or Disable VXLAN on the default IP pool.
3683 |             - name: CALICO_IPV4POOL_VXLAN
3684 |               value: "Never"
3685 |             # Set MTU for tunnel device used if ipip is enabled
3686 |             - name: FELIX_IPINIPMTU
3687 |               valueFrom:
3688 |                 configMapKeyRef:
3689 |                   name: calico-config
3690 |                   key: veth_mtu
3691 |             # Set MTU for the VXLAN tunnel device.
3692 |             - name: FELIX_VXLANMTU
3693 |               valueFrom:
3694 |                 configMapKeyRef:
3695 |                   name: calico-config
3696 |                   key: veth_mtu
3697 |             # Set MTU for the Wireguard tunnel device.
3698 |             - name: FELIX_WIREGUARDMTU
3699 |               valueFrom:
3700 |                 configMapKeyRef:
3701 |                   name: calico-config
3702 |                   key: veth_mtu
3703 |             # The default IPv4 pool to create on startup if none exists. Pod IPs will be
3704 |             # chosen from this range. Changing this value after installation will have
3705 |             # no effect. This should fall within `--cluster-cidr`.
3706 |             - name: CALICO_IPV4POOL_CIDR
3707 |               value: "{{pod_cidr}}"
3708 |             # Disable file logging so `kubectl logs` works.
3709 |             - name: CALICO_DISABLE_FILE_LOGGING
3710 |               value: "true"
3711 |             # Set Felix endpoint to host default action to ACCEPT.
3712 |             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
3713 |               value: "ACCEPT"
3714 |             # Disable IPv6 on Kubernetes.
3715 |             - name: FELIX_IPV6SUPPORT
3716 |               value: "false"
3717 |             # Set Felix logging to "info"
3718 |             - name: FELIX_LOGSEVERITYSCREEN
3719 |               value: "info"
3720 |             - name: FELIX_HEALTHENABLED
3721 |               value: "true"
3722 |           securityContext:
3723 |             privileged: true
3724 |           resources:
3725 |             requests:
3726 |               cpu: 250m
3727 |           livenessProbe:
3728 |             exec:
3729 |               command:
3730 |               - /bin/calico-node
3731 |               - -felix-live
3732 |               - -bird-live
3733 |             periodSeconds: 10
3734 |             initialDelaySeconds: 10
3735 |             failureThreshold: 6
3736 |           readinessProbe:
3737 |             exec:
3738 |               command:
3739 |               - /bin/calico-node
3740 |               - -felix-ready
3741 |               - -bird-ready
3742 |             periodSeconds: 10
3743 |           volumeMounts:
3744 |             - mountPath: /lib/modules
3745 |               name: lib-modules
3746 |               readOnly: true
3747 |             - mountPath: /run/xtables.lock
3748 |               name: xtables-lock
3749 |               readOnly: false
3750 |             - mountPath: /var/run/calico
3751 |               name: var-run-calico
3752 |               readOnly: false
3753 |             - mountPath: /var/lib/calico
3754 |               name: var-lib-calico
3755 |               readOnly: false
3756 |             - name: policysync
3757 |               mountPath: /var/run/nodeagent
3758 |             # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
3759 |             # parent directory.
3760 |             - name: sysfs
3761 |               mountPath: /sys/fs/
3762 |               # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
3763 |               # If the host is known to mount that filesystem already then Bidirectional can be omitted.
3764 |               mountPropagation: Bidirectional
3765 |       volumes:
3766 |         # Used by calico-node.
3767 |         - name: lib-modules
3768 |           hostPath:
3769 |             path: /lib/modules
3770 |         - name: var-run-calico
3771 |           hostPath:
3772 |             path: /var/run/calico
3773 |         - name: var-lib-calico
3774 |           hostPath:
3775 |             path: /var/lib/calico
3776 |         - name: xtables-lock
3777 |           hostPath:
3778 |             path: /run/xtables.lock
3779 |             type: FileOrCreate
3780 |         - name: sysfs
3781 |           hostPath:
3782 |             path: /sys/fs/
3783 |             type: DirectoryOrCreate
3784 |         # Used to install CNI.
3785 |         - name: cni-bin-dir
3786 |           hostPath:
3787 |             path: /opt/cni/bin
3788 |         - name: cni-net-dir
3789 |           hostPath:
3790 |             path: /etc/cni/net.d
3791 |         # Mount in the directory for host-local IPAM allocations. This is
3792 |         # used when upgrading from host-local to calico-ipam, and can be removed
3793 |         # if not using the upgrade-ipam init container.
3794 |         - name: host-local-net-dir
3795 |           hostPath:
3796 |             path: /var/lib/cni/networks
3797 |         # Used to create per-pod Unix Domain Sockets
3798 |         - name: policysync
3799 |           hostPath:
3800 |             type: DirectoryOrCreate
3801 |             path: /var/run/nodeagent
3802 |         # Used to install Flex Volume Driver
3803 |         - name: flexvol-driver-host
3804 |           hostPath:
3805 |             type: DirectoryOrCreate
3806 |             path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
3807 | ---
3808 | 
3809 | apiVersion: v1
3810 | kind: ServiceAccount
3811 | metadata:
3812 |   name: calico-node
3813 |   namespace: kube-system
3814 | 
3815 | ---
3816 | # Source: calico/templates/calico-kube-controllers.yaml
3817 | # See https://github.com/projectcalico/kube-controllers
3818 | apiVersion: apps/v1
3819 | kind: Deployment
3820 | metadata:
3821 |   name: calico-kube-controllers
3822 |   namespace: kube-system
3823 |   labels:
3824 |     k8s-app: calico-kube-controllers
3825 | spec:
3826 |   # The controllers can only have a single active instance.
3827 |   replicas: 1
3828 |   selector:
3829 |     matchLabels:
3830 |       k8s-app: calico-kube-controllers
3831 |   strategy:
3832 |     type: Recreate
3833 |   template:
3834 |     metadata:
3835 |       name: calico-kube-controllers
3836 |       namespace: kube-system
3837 |       labels:
3838 |         k8s-app: calico-kube-controllers
3839 |     spec:
3840 |       nodeSelector:
3841 |         kubernetes.io/os: linux
3842 |       tolerations:
3843 |         # Mark the pod as a critical add-on for rescheduling.
3844 |         - key: CriticalAddonsOnly
3845 |           operator: Exists
3846 |         - key: node-role.kubernetes.io/master
3847 |           effect: NoSchedule
3848 |       serviceAccountName: calico-kube-controllers
3849 |       priorityClassName: system-cluster-critical
3850 |       containers:
3851 |         - name: calico-kube-controllers
3852 |           image: calico/kube-controllers:v3.16.4
3853 |           env:
3854 |             # Choose which controllers to run.
3855 |             - name: ENABLED_CONTROLLERS
3856 |               value: node
3857 |             - name: DATASTORE_TYPE
3858 |               value: kubernetes
3859 |           readinessProbe:
3860 |             exec:
3861 |               command:
3862 |               - /usr/bin/check-status
3863 |               - -r
3864 | 
3865 | ---
3866 | 
3867 | apiVersion: v1
3868 | kind: ServiceAccount
3869 | metadata:
3870 |   name: calico-kube-controllers
3871 |   namespace: kube-system
3872 | 
3873 | ---
3874 | # Source: calico/templates/calico-etcd-secrets.yaml
3875 | 
3876 | ---
3877 | # Source: calico/templates/calico-typha.yaml
3878 | 
3879 | ---
3880 | # Source: calico/templates/configure-canal.yaml
3881 | 
3882 | 
3883 | 


--------------------------------------------------------------------------------